From 07a97ab94ad828c893f1943e7b52d1a2c82637c3 Mon Sep 17 00:00:00 2001 From: Marco Stronati Date: Fri, 4 May 2018 19:10:30 +0200 Subject: [PATCH] Vendors: add ocaml-hacl binding for HACL* crypto library --- vendors/ocaml-hacl/hacl.opam | 20 + vendors/ocaml-hacl/readme.md | 2 + vendors/ocaml-hacl/src/AEAD_Poly1305_64.c | 461 +++ vendors/ocaml-hacl/src/AEAD_Poly1305_64.h | 123 + vendors/ocaml-hacl/src/FStar.c | 281 ++ vendors/ocaml-hacl/src/FStar.h | 79 + vendors/ocaml-hacl/src/HACL.h | 41 + vendors/ocaml-hacl/src/Hacl_Chacha20.c | 283 ++ vendors/ocaml-hacl/src/Hacl_Chacha20.h | 95 + .../ocaml-hacl/src/Hacl_Chacha20Poly1305.c | 131 + .../ocaml-hacl/src/Hacl_Chacha20Poly1305.h | 80 + vendors/ocaml-hacl/src/Hacl_Curve25519.c | 837 +++++ vendors/ocaml-hacl/src/Hacl_Curve25519.h | 69 + vendors/ocaml-hacl/src/Hacl_Ed25519.c | 2828 +++++++++++++++++ vendors/ocaml-hacl/src/Hacl_Ed25519.h | 230 ++ vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.c | 377 +++ vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.h | 100 + vendors/ocaml-hacl/src/Hacl_Policies.c | 66 + vendors/ocaml-hacl/src/Hacl_Policies.h | 43 + vendors/ocaml-hacl/src/Hacl_Poly1305_32.c | 605 ++++ vendors/ocaml-hacl/src/Hacl_Poly1305_32.h | 120 + vendors/ocaml-hacl/src/Hacl_Poly1305_64.c | 511 +++ vendors/ocaml-hacl/src/Hacl_Poly1305_64.h | 116 + vendors/ocaml-hacl/src/Hacl_SHA2_256.c | 334 ++ vendors/ocaml-hacl/src/Hacl_SHA2_256.h | 99 + vendors/ocaml-hacl/src/Hacl_SHA2_384.c | 368 +++ vendors/ocaml-hacl/src/Hacl_SHA2_384.h | 101 + vendors/ocaml-hacl/src/Hacl_SHA2_512.c | 390 +++ vendors/ocaml-hacl/src/Hacl_SHA2_512.h | 129 + vendors/ocaml-hacl/src/Hacl_Salsa20.c | 385 +++ vendors/ocaml-hacl/src/Hacl_Salsa20.h | 84 + .../ocaml-hacl/src/Hacl_Unverified_Random.c | 104 + .../ocaml-hacl/src/Hacl_Unverified_Random.h | 43 + vendors/ocaml-hacl/src/NaCl.c | 463 +++ vendors/ocaml-hacl/src/NaCl.h | 156 + vendors/ocaml-hacl/src/hacl.ml | 392 +++ vendors/ocaml-hacl/src/hacl.mli | 181 ++ vendors/ocaml-hacl/src/hacl_stubs.c | 165 + vendors/ocaml-hacl/src/jbuild | 26 + vendors/ocaml-hacl/src/kremlib.c | 39 + vendors/ocaml-hacl/src/kremlib.h | 569 ++++ vendors/ocaml-hacl/src/kremlib_base.h | 181 ++ vendors/ocaml-hacl/test/jbuild | 14 + vendors/ocaml-hacl/test/test.ml | 165 + 44 files changed, 11886 insertions(+) create mode 100644 vendors/ocaml-hacl/hacl.opam create mode 100644 vendors/ocaml-hacl/readme.md create mode 100644 vendors/ocaml-hacl/src/AEAD_Poly1305_64.c create mode 100644 vendors/ocaml-hacl/src/AEAD_Poly1305_64.h create mode 100644 vendors/ocaml-hacl/src/FStar.c create mode 100644 vendors/ocaml-hacl/src/FStar.h create mode 100644 vendors/ocaml-hacl/src/HACL.h create mode 100644 vendors/ocaml-hacl/src/Hacl_Chacha20.c create mode 100644 vendors/ocaml-hacl/src/Hacl_Chacha20.h create mode 100644 vendors/ocaml-hacl/src/Hacl_Chacha20Poly1305.c create mode 100644 vendors/ocaml-hacl/src/Hacl_Chacha20Poly1305.h create mode 100644 vendors/ocaml-hacl/src/Hacl_Curve25519.c create mode 100644 vendors/ocaml-hacl/src/Hacl_Curve25519.h create mode 100644 vendors/ocaml-hacl/src/Hacl_Ed25519.c create mode 100644 vendors/ocaml-hacl/src/Hacl_Ed25519.h create mode 100644 vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.c create mode 100644 vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.h create mode 100644 vendors/ocaml-hacl/src/Hacl_Policies.c create mode 100644 vendors/ocaml-hacl/src/Hacl_Policies.h create mode 100644 vendors/ocaml-hacl/src/Hacl_Poly1305_32.c create mode 100644 vendors/ocaml-hacl/src/Hacl_Poly1305_32.h create mode 100644 vendors/ocaml-hacl/src/Hacl_Poly1305_64.c create mode 100644 vendors/ocaml-hacl/src/Hacl_Poly1305_64.h create mode 100644 vendors/ocaml-hacl/src/Hacl_SHA2_256.c create mode 100644 vendors/ocaml-hacl/src/Hacl_SHA2_256.h create mode 100644 vendors/ocaml-hacl/src/Hacl_SHA2_384.c create mode 100644 vendors/ocaml-hacl/src/Hacl_SHA2_384.h create mode 100644 vendors/ocaml-hacl/src/Hacl_SHA2_512.c create mode 100644 vendors/ocaml-hacl/src/Hacl_SHA2_512.h create mode 100644 vendors/ocaml-hacl/src/Hacl_Salsa20.c create mode 100644 vendors/ocaml-hacl/src/Hacl_Salsa20.h create mode 100644 vendors/ocaml-hacl/src/Hacl_Unverified_Random.c create mode 100644 vendors/ocaml-hacl/src/Hacl_Unverified_Random.h create mode 100644 vendors/ocaml-hacl/src/NaCl.c create mode 100644 vendors/ocaml-hacl/src/NaCl.h create mode 100644 vendors/ocaml-hacl/src/hacl.ml create mode 100644 vendors/ocaml-hacl/src/hacl.mli create mode 100644 vendors/ocaml-hacl/src/hacl_stubs.c create mode 100644 vendors/ocaml-hacl/src/jbuild create mode 100644 vendors/ocaml-hacl/src/kremlib.c create mode 100644 vendors/ocaml-hacl/src/kremlib.h create mode 100644 vendors/ocaml-hacl/src/kremlib_base.h create mode 100644 vendors/ocaml-hacl/test/jbuild create mode 100644 vendors/ocaml-hacl/test/test.ml diff --git a/vendors/ocaml-hacl/hacl.opam b/vendors/ocaml-hacl/hacl.opam new file mode 100644 index 000000000..6018e2c5c --- /dev/null +++ b/vendors/ocaml-hacl/hacl.opam @@ -0,0 +1,20 @@ +opam-version: "1.2" +name: "hacl" +version: "dev" +authors: [ "Vincent Bernardoff " "Marco Stronati " ] +maintainer: "Vincent Bernardoff " +homepage: "https://gitlab.com/tezos/tezos" +bug-reports: "https://gitlab.com/tezos/tezos/issues" +dev-repo: "https://gitlab.com/tezos/tezos.git" +license: "MIT" +depends: [ + "jbuilder" {build & >= "1.0+beta16"} + "bigstring" {>= "0.1.1"} + "ocplib-endian" {>= "1.0"} + "zarith" {>= "1.7"} + "alcotest" {test & >= "0.8.1"} + "hex" {test & >= "1.2.0"} +] +build: [ "jbuilder" "build" "-j" jobs "-p" name "@install" ] +build-test: [ "jbuilder" "runtest" "-p" name "-j" jobs ] +available: [ ocaml-version >= "4.02.0" ] diff --git a/vendors/ocaml-hacl/readme.md b/vendors/ocaml-hacl/readme.md new file mode 100644 index 000000000..120bafdf7 --- /dev/null +++ b/vendors/ocaml-hacl/readme.md @@ -0,0 +1,2 @@ +Tezos binding for Hacl* +https://github.com/mitls/hacl-star/tree/master/snapshots/tezos diff --git a/vendors/ocaml-hacl/src/AEAD_Poly1305_64.c b/vendors/ocaml-hacl/src/AEAD_Poly1305_64.c new file mode 100644 index 000000000..9ef06502b --- /dev/null +++ b/vendors/ocaml-hacl/src/AEAD_Poly1305_64.c @@ -0,0 +1,461 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "AEAD_Poly1305_64.h" + +inline static void Hacl_Bignum_Modulo_reduce(uint64_t *b) +{ + uint64_t b0 = b[0U]; + b[0U] = (b0 << (uint32_t)4U) + (b0 << (uint32_t)2U); +} + +inline static void Hacl_Bignum_Modulo_carry_top(uint64_t *b) +{ + uint64_t b2 = b[2U]; + uint64_t b0 = b[0U]; + uint64_t b2_42 = b2 >> (uint32_t)42U; + b[2U] = b2 & (uint64_t)0x3ffffffffffU; + b[0U] = (b2_42 << (uint32_t)2U) + b2_42 + b0; +} + +inline static void Hacl_Bignum_Modulo_carry_top_wide(FStar_UInt128_t *b) +{ + FStar_UInt128_t b2 = b[2U]; + FStar_UInt128_t b0 = b[0U]; + FStar_UInt128_t + b2_ = FStar_UInt128_logand(b2, FStar_UInt128_uint64_to_uint128((uint64_t)0x3ffffffffffU)); + uint64_t b2_42 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b2, (uint32_t)42U)); + FStar_UInt128_t + b0_ = FStar_UInt128_add(b0, FStar_UInt128_uint64_to_uint128((b2_42 << (uint32_t)2U) + b2_42)); + b[2U] = b2_; + b[0U] = b0_; +} + +inline static void +Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_t *input) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U) + { + FStar_UInt128_t xi = input[i]; + output[i] = FStar_UInt128_uint128_to_uint64(xi); + } +} + +inline static void +Hacl_Bignum_Fproduct_sum_scalar_multiplication_( + FStar_UInt128_t *output, + uint64_t *input, + uint64_t s +) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U) + { + FStar_UInt128_t xi = output[i]; + uint64_t yi = input[i]; + output[i] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } +} + +inline static void Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_t *tmp) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U) + { + uint32_t ctr = i; + FStar_UInt128_t tctr = tmp[ctr]; + FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0xfffffffffffU; + FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)44U); + tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); + tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); + } +} + +inline static void Hacl_Bignum_Fproduct_carry_limb_(uint64_t *tmp) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U) + { + uint32_t ctr = i; + uint64_t tctr = tmp[ctr]; + uint64_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = tctr & (uint64_t)0xfffffffffffU; + uint64_t c = tctr >> (uint32_t)44U; + tmp[ctr] = r0; + tmp[ctr + (uint32_t)1U] = tctrp1 + c; + } +} + +inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output) +{ + uint64_t tmp = output[2U]; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U) + { + uint32_t ctr = (uint32_t)3U - i - (uint32_t)1U; + uint64_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + output[0U] = tmp; + Hacl_Bignum_Modulo_reduce(output); +} + +static void +Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input2) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U) + { + uint64_t input2i = input2[i]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + uint32_t i = (uint32_t)2U; + uint64_t input2i = input2[i]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); +} + +inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input2) +{ + uint64_t tmp[3U] = { 0U }; + memcpy(tmp, input, (uint32_t)3U * sizeof input[0U]); + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)3U); + FStar_UInt128_t t[3U]; + for (uint32_t _i = 0U; _i < (uint32_t)3U; ++_i) + t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2); + Hacl_Bignum_Fproduct_carry_wide_(t); + Hacl_Bignum_Modulo_carry_top_wide(t); + Hacl_Bignum_Fproduct_copy_from_wide_(output, t); + uint64_t i0 = output[0U]; + uint64_t i1 = output[1U]; + uint64_t i0_ = i0 & (uint64_t)0xfffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)44U); + output[0U] = i0_; + output[1U] = i1_; +} + +inline static void +Hacl_Bignum_AddAndMultiply_add_and_multiply(uint64_t *acc, uint64_t *block, uint64_t *r) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U) + { + uint64_t xi = acc[i]; + uint64_t yi = block[i]; + acc[i] = xi + yi; + } + Hacl_Bignum_Fmul_fmul(acc, acc, r); +} + +inline static void +Hacl_Impl_Poly1305_64_poly1305_update( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m +) +{ + Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; + uint64_t *h = scrut0.h; + uint64_t *acc = h; + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *r = scrut.r; + uint64_t *r3 = r; + uint64_t tmp[3U] = { 0U }; + FStar_UInt128_t m0 = load128_le(m); + uint64_t r0 = FStar_UInt128_uint128_to_uint64(m0) & (uint64_t)0xfffffffffffU; + uint64_t + r1 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)44U)) + & (uint64_t)0xfffffffffffU; + uint64_t r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)88U)); + tmp[0U] = r0; + tmp[1U] = r1; + tmp[2U] = r2; + uint64_t b2 = tmp[2U]; + uint64_t b2_ = (uint64_t)0x10000000000U | b2; + tmp[2U] = b2_; + Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r3); +} + +inline static void +Hacl_Impl_Poly1305_64_poly1305_process_last_block_( + uint8_t *block, + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint64_t rem_ +) +{ + uint64_t tmp[3U] = { 0U }; + FStar_UInt128_t m0 = load128_le(block); + uint64_t r0 = FStar_UInt128_uint128_to_uint64(m0) & (uint64_t)0xfffffffffffU; + uint64_t + r1 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)44U)) + & (uint64_t)0xfffffffffffU; + uint64_t r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)88U)); + tmp[0U] = r0; + tmp[1U] = r1; + tmp[2U] = r2; + Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; + uint64_t *h = scrut0.h; + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *r = scrut.r; + Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r); +} + +inline static void +Hacl_Impl_Poly1305_64_poly1305_process_last_block( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint64_t rem_ +) +{ + uint8_t zero1 = (uint8_t)0U; + KRML_CHECK_SIZE(zero1, (uint32_t)16U); + uint8_t block[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + block[_i] = zero1; + uint32_t i0 = (uint32_t)rem_; + uint32_t i = (uint32_t)rem_; + memcpy(block, m, i * sizeof m[0U]); + block[i0] = (uint8_t)1U; + Hacl_Impl_Poly1305_64_poly1305_process_last_block_(block, st, m, rem_); +} + +static void Hacl_Impl_Poly1305_64_poly1305_last_pass(uint64_t *acc) +{ + Hacl_Bignum_Fproduct_carry_limb_(acc); + Hacl_Bignum_Modulo_carry_top(acc); + uint64_t a0 = acc[0U]; + uint64_t a10 = acc[1U]; + uint64_t a20 = acc[2U]; + uint64_t a0_ = a0 & (uint64_t)0xfffffffffffU; + uint64_t r0 = a0 >> (uint32_t)44U; + uint64_t a1_ = (a10 + r0) & (uint64_t)0xfffffffffffU; + uint64_t r1 = (a10 + r0) >> (uint32_t)44U; + uint64_t a2_ = a20 + r1; + acc[0U] = a0_; + acc[1U] = a1_; + acc[2U] = a2_; + Hacl_Bignum_Modulo_carry_top(acc); + uint64_t i0 = acc[0U]; + uint64_t i1 = acc[1U]; + uint64_t i0_ = i0 & (uint64_t)0xfffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)44U); + acc[0U] = i0_; + acc[1U] = i1_; + uint64_t a00 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t mask0 = FStar_UInt64_gte_mask(a00, (uint64_t)0xffffffffffbU); + uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0xfffffffffffU); + uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x3ffffffffffU); + uint64_t mask = (mask0 & mask1) & mask2; + uint64_t a0_0 = a00 - ((uint64_t)0xffffffffffbU & mask); + uint64_t a1_0 = a1 - ((uint64_t)0xfffffffffffU & mask); + uint64_t a2_0 = a2 - ((uint64_t)0x3ffffffffffU & mask); + acc[0U] = a0_0; + acc[1U] = a1_0; + acc[2U] = a2_0; +} + +static Hacl_Impl_Poly1305_64_State_poly1305_state +Hacl_Impl_Poly1305_64_mk_state(uint64_t *r, uint64_t *h) +{ + return ((Hacl_Impl_Poly1305_64_State_poly1305_state){ .r = r, .h = h }); +} + +static void +Hacl_Standalone_Poly1305_64_poly1305_blocks( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint64_t len1 +) +{ + if (!(len1 == (uint64_t)0U)) + { + uint8_t *block = m; + uint8_t *tail1 = m + (uint32_t)16U; + Hacl_Impl_Poly1305_64_poly1305_update(st, block); + uint64_t len2 = len1 - (uint64_t)1U; + Hacl_Standalone_Poly1305_64_poly1305_blocks(st, tail1, len2); + } +} + +static void +Hacl_Standalone_Poly1305_64_poly1305_partial( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input, + uint64_t len1, + uint8_t *kr +) +{ + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *r = scrut.r; + uint64_t *x0 = r; + FStar_UInt128_t k1 = load128_le(kr); + FStar_UInt128_t + k_clamped = + FStar_UInt128_logand(k1, + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU), + (uint32_t)64U), + FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU))); + uint64_t r0 = FStar_UInt128_uint128_to_uint64(k_clamped) & (uint64_t)0xfffffffffffU; + uint64_t + r1 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)44U)) + & (uint64_t)0xfffffffffffU; + uint64_t + r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)88U)); + x0[0U] = r0; + x0[1U] = r1; + x0[2U] = r2; + Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; + uint64_t *h = scrut0.h; + uint64_t *x00 = h; + x00[0U] = (uint64_t)0U; + x00[1U] = (uint64_t)0U; + x00[2U] = (uint64_t)0U; + Hacl_Standalone_Poly1305_64_poly1305_blocks(st, input, len1); +} + +Prims_nat AEAD_Poly1305_64_seval(void *b) +{ + printf("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, "noextract flag"); + exit(255U); +} + +Prims_int AEAD_Poly1305_64_selem(void *s) +{ + printf("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, "noextract flag"); + exit(255U); +} + +Hacl_Impl_Poly1305_64_State_poly1305_state +AEAD_Poly1305_64_mk_state(uint64_t *r, uint64_t *acc) +{ + return Hacl_Impl_Poly1305_64_mk_state(r, acc); +} + +uint32_t AEAD_Poly1305_64_mul_div_16(uint32_t len1) +{ + return (uint32_t)16U * (len1 >> (uint32_t)4U); +} + +void +AEAD_Poly1305_64_pad_last( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input, + uint32_t len1 +) +{ + uint8_t b[16U]; + if (!(len1 == (uint32_t)0U)) + { + memset(b, 0U, (uint32_t)16U * sizeof b[0U]); + memcpy(b, input, len1 * sizeof input[0U]); + uint8_t *b0 = b; + Hacl_Impl_Poly1305_64_poly1305_update(st, b0); + } +} + +void +AEAD_Poly1305_64_poly1305_blocks_init( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input, + uint32_t len1, + uint8_t *k1 +) +{ + uint32_t len_16 = len1 >> (uint32_t)4U; + uint32_t rem_16 = len1 & (uint32_t)15U; + uint8_t *kr = k1; + uint32_t len_ = (uint32_t)16U * (len1 >> (uint32_t)4U); + uint8_t *part_input = input; + uint8_t *last_block = input + len_; + Hacl_Standalone_Poly1305_64_poly1305_partial(st, part_input, (uint64_t)len_16, kr); + AEAD_Poly1305_64_pad_last(st, last_block, rem_16); +} + +void +AEAD_Poly1305_64_poly1305_blocks_continue( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input, + uint32_t len1 +) +{ + uint32_t len_16 = len1 >> (uint32_t)4U; + uint32_t rem_16 = len1 & (uint32_t)15U; + uint32_t len_ = (uint32_t)16U * (len1 >> (uint32_t)4U); + uint8_t *part_input = input; + uint8_t *last_block = input + len_; + Hacl_Standalone_Poly1305_64_poly1305_blocks(st, part_input, (uint64_t)len_16); + AEAD_Poly1305_64_pad_last(st, last_block, rem_16); +} + +void +AEAD_Poly1305_64_poly1305_blocks_finish_( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input +) +{ + Hacl_Impl_Poly1305_64_poly1305_update(st, input); + uint8_t *x2 = input + (uint32_t)16U; + if (!((uint64_t)0U == (uint64_t)0U)) + Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, x2, (uint64_t)0U); + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *h = scrut.h; + uint64_t *acc = h; + Hacl_Impl_Poly1305_64_poly1305_last_pass(acc); +} + +void +AEAD_Poly1305_64_poly1305_blocks_finish( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input, + uint8_t *mac, + uint8_t *key_s +) +{ + Hacl_Impl_Poly1305_64_poly1305_update(st, input); + uint8_t *x2 = input + (uint32_t)16U; + if (!((uint64_t)0U == (uint64_t)0U)) + Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, x2, (uint64_t)0U); + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *h = scrut.h; + uint64_t *acc = h; + Hacl_Impl_Poly1305_64_poly1305_last_pass(acc); + Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; + uint64_t *h3 = scrut0.h; + uint64_t *acc0 = h3; + FStar_UInt128_t k_ = load128_le(key_s); + uint64_t h0 = acc0[0U]; + uint64_t h1 = acc0[1U]; + uint64_t h2 = acc0[2U]; + FStar_UInt128_t + acc_ = + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128(h2 + << (uint32_t)24U + | h1 >> (uint32_t)20U), + (uint32_t)64U), + FStar_UInt128_uint64_to_uint128(h1 << (uint32_t)44U | h0)); + FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_); + store128_le(mac, mac_); +} + diff --git a/vendors/ocaml-hacl/src/AEAD_Poly1305_64.h b/vendors/ocaml-hacl/src/AEAD_Poly1305_64.h new file mode 100644 index 000000000..bcc850dcf --- /dev/null +++ b/vendors/ocaml-hacl/src/AEAD_Poly1305_64.h @@ -0,0 +1,123 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __AEAD_Poly1305_64_H +#define __AEAD_Poly1305_64_H + + + + + +typedef uint64_t Hacl_Bignum_Constants_limb; + +typedef FStar_UInt128_t Hacl_Bignum_Constants_wide; + +typedef FStar_UInt128_t Hacl_Bignum_Wide_t; + +typedef uint64_t Hacl_Bignum_Limb_t; + +typedef void *Hacl_Impl_Poly1305_64_State_log_t; + +typedef uint8_t *Hacl_Impl_Poly1305_64_State_uint8_p; + +typedef uint64_t *Hacl_Impl_Poly1305_64_State_bigint; + +typedef void *Hacl_Impl_Poly1305_64_State_seqelem; + +typedef uint64_t *Hacl_Impl_Poly1305_64_State_elemB; + +typedef uint8_t *Hacl_Impl_Poly1305_64_State_wordB; + +typedef uint8_t *Hacl_Impl_Poly1305_64_State_wordB_16; + +typedef struct +{ + uint64_t *r; + uint64_t *h; +} +Hacl_Impl_Poly1305_64_State_poly1305_state; + +typedef void *Hacl_Impl_Poly1305_64_log_t; + +typedef uint64_t *Hacl_Impl_Poly1305_64_bigint; + +typedef uint8_t *Hacl_Impl_Poly1305_64_uint8_p; + +typedef uint64_t *Hacl_Impl_Poly1305_64_elemB; + +typedef uint8_t *Hacl_Impl_Poly1305_64_wordB; + +typedef uint8_t *Hacl_Impl_Poly1305_64_wordB_16; + +typedef uint8_t *AEAD_Poly1305_64_uint8_p; + +typedef uint8_t *AEAD_Poly1305_64_key; + +Prims_nat AEAD_Poly1305_64_seval(void *b); + +Prims_int AEAD_Poly1305_64_selem(void *s); + +typedef Hacl_Impl_Poly1305_64_State_poly1305_state AEAD_Poly1305_64_state; + +Hacl_Impl_Poly1305_64_State_poly1305_state +AEAD_Poly1305_64_mk_state(uint64_t *r, uint64_t *acc); + +uint32_t AEAD_Poly1305_64_mul_div_16(uint32_t len1); + +void +AEAD_Poly1305_64_pad_last( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input, + uint32_t len1 +); + +void +AEAD_Poly1305_64_poly1305_blocks_init( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input, + uint32_t len1, + uint8_t *k1 +); + +void +AEAD_Poly1305_64_poly1305_blocks_continue( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input, + uint32_t len1 +); + +void +AEAD_Poly1305_64_poly1305_blocks_finish_( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input +); + +void +AEAD_Poly1305_64_poly1305_blocks_finish( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input, + uint8_t *mac, + uint8_t *key_s +); +#endif diff --git a/vendors/ocaml-hacl/src/FStar.c b/vendors/ocaml-hacl/src/FStar.c new file mode 100644 index 000000000..8f2ff4b0c --- /dev/null +++ b/vendors/ocaml-hacl/src/FStar.c @@ -0,0 +1,281 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ +/* This file was auto-generated by KreMLin! */ + +#include "FStar.h" + +static uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b) +{ + return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U; +} + +static uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b) +{ + return FStar_UInt128_constant_time_carry(a, b); +} + +FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return + ( + (FStar_UInt128_uint128){ + .low = a.low + b.low, + .high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) + } + ); +} + +FStar_UInt128_uint128 FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return + ( + (FStar_UInt128_uint128){ + .low = a.low + b.low, + .high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) + } + ); +} + +FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return + ( + (FStar_UInt128_uint128){ + .low = a.low - b.low, + .high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) + } + ); +} + +static FStar_UInt128_uint128 +FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return + ( + (FStar_UInt128_uint128){ + .low = a.low - b.low, + .high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) + } + ); +} + +FStar_UInt128_uint128 FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return FStar_UInt128_sub_mod_impl(a, b); +} + +FStar_UInt128_uint128 FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return ((FStar_UInt128_uint128){ .low = a.low & b.low, .high = a.high & b.high }); +} + +FStar_UInt128_uint128 FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return ((FStar_UInt128_uint128){ .low = a.low ^ b.low, .high = a.high ^ b.high }); +} + +FStar_UInt128_uint128 FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return ((FStar_UInt128_uint128){ .low = a.low | b.low, .high = a.high | b.high }); +} + +FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a) +{ + return ((FStar_UInt128_uint128){ .low = ~a.low, .high = ~a.high }); +} + +static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U; + +static uint64_t FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s) +{ + return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s)); +} + +static uint64_t FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s) +{ + return FStar_UInt128_add_u64_shift_left(hi, lo, s); +} + +static FStar_UInt128_uint128 +FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s == (uint32_t)0U) + return a; + else + return + ( + (FStar_UInt128_uint128){ + .low = a.low << s, + .high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s) + } + ); +} + +static FStar_UInt128_uint128 +FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) +{ + return + ((FStar_UInt128_uint128){ .low = (uint64_t)0U, .high = a.low << (s - FStar_UInt128_u32_64) }); +} + +FStar_UInt128_uint128 FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s < FStar_UInt128_u32_64) + return FStar_UInt128_shift_left_small(a, s); + else + return FStar_UInt128_shift_left_large(a, s); +} + +static uint64_t FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s) +{ + return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s)); +} + +static uint64_t FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s) +{ + return FStar_UInt128_add_u64_shift_right(hi, lo, s); +} + +static FStar_UInt128_uint128 +FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s == (uint32_t)0U) + return a; + else + return + ( + (FStar_UInt128_uint128){ + .low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s), + .high = a.high >> s + } + ); +} + +static FStar_UInt128_uint128 +FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) +{ + return + ((FStar_UInt128_uint128){ .low = a.high >> (s - FStar_UInt128_u32_64), .high = (uint64_t)0U }); +} + +FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s < FStar_UInt128_u32_64) + return FStar_UInt128_shift_right_small(a, s); + else + return FStar_UInt128_shift_right_large(a, s); +} + +FStar_UInt128_uint128 FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return + ( + (FStar_UInt128_uint128){ + .low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high), + .high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high) + } + ); +} + +FStar_UInt128_uint128 FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return + ( + (FStar_UInt128_uint128){ + .low = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) + | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)), + .high = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) + | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)) + } + ); +} + +FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a) +{ + return ((FStar_UInt128_uint128){ .low = a, .high = (uint64_t)0U }); +} + +uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a) +{ + return a.low; +} + +static uint64_t FStar_UInt128_u64_l32_mask = (uint64_t)0xffffffffU; + +static uint64_t FStar_UInt128_u64_mod_32(uint64_t a) +{ + return a & FStar_UInt128_u64_l32_mask; +} + +static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U; + +static K___uint64_t_uint64_t_uint64_t_uint64_t +FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y) +{ + return + ( + (K___uint64_t_uint64_t_uint64_t_uint64_t){ + .fst = FStar_UInt128_u64_mod_32(x), + .snd = FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)), + .thd = x >> FStar_UInt128_u32_32, + .f3 = (x >> FStar_UInt128_u32_32) + * FStar_UInt128_u64_mod_32(y) + + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32) + } + ); +} + +static uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo) +{ + return lo + (hi << FStar_UInt128_u32_32); +} + +static FStar_UInt128_uint128 FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y) +{ + K___uint64_t_uint64_t_uint64_t_uint64_t scrut = FStar_UInt128_mul_wide_impl_t_(x, y); + uint64_t u1 = scrut.fst; + uint64_t w3 = scrut.snd; + uint64_t x_ = scrut.thd; + uint64_t t_ = scrut.f3; + return + ( + (FStar_UInt128_uint128){ + .low = FStar_UInt128_u32_combine_(u1 + * (y >> FStar_UInt128_u32_32) + + FStar_UInt128_u64_mod_32(t_), + w3), + .high = x_ + * (y >> FStar_UInt128_u32_32) + + (t_ >> FStar_UInt128_u32_32) + + + ((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) + >> FStar_UInt128_u32_32) + } + ); +} + +FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y) +{ + return FStar_UInt128_mul_wide_impl(x, y); +} + diff --git a/vendors/ocaml-hacl/src/FStar.h b/vendors/ocaml-hacl/src/FStar.h new file mode 100644 index 000000000..6791a2d57 --- /dev/null +++ b/vendors/ocaml-hacl/src/FStar.h @@ -0,0 +1,79 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ +/* This file was auto-generated by KreMLin! */ +#ifndef __FStar_H +#define __FStar_H + +#include "kremlib_base.h" + + +typedef struct +{ + uint64_t low; + uint64_t high; +} +FStar_UInt128_uint128; + +typedef FStar_UInt128_uint128 FStar_UInt128_t; + +extern void FStar_UInt128_constant_time_carry_ok(uint64_t x0, uint64_t x1); + +FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +FStar_UInt128_uint128 FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +FStar_UInt128_uint128 FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +FStar_UInt128_uint128 FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +FStar_UInt128_uint128 FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +FStar_UInt128_uint128 FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a); + +FStar_UInt128_uint128 FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s); + +FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s); + +FStar_UInt128_uint128 FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +FStar_UInt128_uint128 FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a); + +uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a); + +typedef struct +{ + uint64_t fst; + uint64_t snd; + uint64_t thd; + uint64_t f3; +} +K___uint64_t_uint64_t_uint64_t_uint64_t; + +FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y); +#endif diff --git a/vendors/ocaml-hacl/src/HACL.h b/vendors/ocaml-hacl/src/HACL.h new file mode 100644 index 000000000..29d9a3019 --- /dev/null +++ b/vendors/ocaml-hacl/src/HACL.h @@ -0,0 +1,41 @@ +/* MIT License + * + * Copyright (c) 2016-2018 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#ifndef __HACL_H +#define __HACL_H + +#include "Hacl_Unverified_Random.h" + +#include "NaCl.h" +#include "Hacl_Chacha20.h" +#include "Hacl_Curve25519.h" +#include "Hacl_Ed25519.h" +#include "Hacl_HMAC_SHA2_256.h" +#include "Hacl_Salsa20.h" +#include "Hacl_SHA2_256.h" +#include "Hacl_SHA2_384.h" +#include "Hacl_SHA2_512.h" +#include "Hacl_Policies.h" +#include "Hacl_Poly1305_32.h" +#include "Hacl_Poly1305_64.h" +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_Chacha20.c b/vendors/ocaml-hacl/src/Hacl_Chacha20.c new file mode 100644 index 000000000..1ebe6bdd6 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Chacha20.c @@ -0,0 +1,283 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Chacha20.h" + +static void +Hacl_Lib_LoadStore32_uint32s_from_le_bytes(uint32_t *output, uint8_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t *x0 = input + (uint32_t)4U * i; + uint32_t inputi = load32_le(x0); + output[i] = inputi; + } +} + +static void +Hacl_Lib_LoadStore32_uint32s_to_le_bytes(uint8_t *output, uint32_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint32_t hd1 = input[i]; + uint8_t *x0 = output + (uint32_t)4U * i; + store32_le(x0, hd1); + } +} + +inline static uint32_t Hacl_Impl_Chacha20_rotate_left(uint32_t a, uint32_t s) +{ + return a << s | a >> ((uint32_t)32U - s); +} + +inline static void +Hacl_Impl_Chacha20_quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d) +{ + uint32_t sa = st[a]; + uint32_t sb0 = st[b]; + st[a] = sa + sb0; + uint32_t sd = st[d]; + uint32_t sa10 = st[a]; + uint32_t sda = sd ^ sa10; + st[d] = Hacl_Impl_Chacha20_rotate_left(sda, (uint32_t)16U); + uint32_t sa0 = st[c]; + uint32_t sb1 = st[d]; + st[c] = sa0 + sb1; + uint32_t sd0 = st[b]; + uint32_t sa11 = st[c]; + uint32_t sda0 = sd0 ^ sa11; + st[b] = Hacl_Impl_Chacha20_rotate_left(sda0, (uint32_t)12U); + uint32_t sa2 = st[a]; + uint32_t sb2 = st[b]; + st[a] = sa2 + sb2; + uint32_t sd1 = st[d]; + uint32_t sa12 = st[a]; + uint32_t sda1 = sd1 ^ sa12; + st[d] = Hacl_Impl_Chacha20_rotate_left(sda1, (uint32_t)8U); + uint32_t sa3 = st[c]; + uint32_t sb = st[d]; + st[c] = sa3 + sb; + uint32_t sd2 = st[b]; + uint32_t sa1 = st[c]; + uint32_t sda2 = sd2 ^ sa1; + st[b] = Hacl_Impl_Chacha20_rotate_left(sda2, (uint32_t)7U); +} + +inline static void Hacl_Impl_Chacha20_double_round(uint32_t *st) +{ + Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U); + Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)1U, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U); + Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)2U, (uint32_t)6U, (uint32_t)10U, (uint32_t)14U); + Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U, (uint32_t)15U); + Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)0U, (uint32_t)5U, (uint32_t)10U, (uint32_t)15U); + Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)1U, (uint32_t)6U, (uint32_t)11U, (uint32_t)12U); + Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)2U, (uint32_t)7U, (uint32_t)8U, (uint32_t)13U); + Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)3U, (uint32_t)4U, (uint32_t)9U, (uint32_t)14U); +} + +inline static void Hacl_Impl_Chacha20_rounds(uint32_t *st) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U) + Hacl_Impl_Chacha20_double_round(st); +} + +inline static void Hacl_Impl_Chacha20_sum_states(uint32_t *st, uint32_t *st_) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) + { + uint32_t xi = st[i]; + uint32_t yi = st_[i]; + st[i] = xi + yi; + } +} + +inline static void Hacl_Impl_Chacha20_copy_state(uint32_t *st, uint32_t *st_) +{ + memcpy(st, st_, (uint32_t)16U * sizeof st_[0U]); +} + +inline static void Hacl_Impl_Chacha20_chacha20_core(uint32_t *k, uint32_t *st, uint32_t ctr) +{ + st[12U] = ctr; + Hacl_Impl_Chacha20_copy_state(k, st); + Hacl_Impl_Chacha20_rounds(k); + Hacl_Impl_Chacha20_sum_states(k, st); +} + +inline static void +Hacl_Impl_Chacha20_chacha20_block(uint8_t *stream_block, uint32_t *st, uint32_t ctr) +{ + uint32_t st_[16U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_core(st_, st, ctr); + Hacl_Lib_LoadStore32_uint32s_to_le_bytes(stream_block, st_, (uint32_t)16U); +} + +inline static void Hacl_Impl_Chacha20_init(uint32_t *st, uint8_t *k, uint8_t *n1) +{ + uint32_t *stcst = st; + uint32_t *stk = st + (uint32_t)4U; + uint32_t *stc = st + (uint32_t)12U; + uint32_t *stn = st + (uint32_t)13U; + stcst[0U] = (uint32_t)0x61707865U; + stcst[1U] = (uint32_t)0x3320646eU; + stcst[2U] = (uint32_t)0x79622d32U; + stcst[3U] = (uint32_t)0x6b206574U; + Hacl_Lib_LoadStore32_uint32s_from_le_bytes(stk, k, (uint32_t)8U); + stc[0U] = (uint32_t)0U; + Hacl_Lib_LoadStore32_uint32s_from_le_bytes(stn, n1, (uint32_t)3U); +} + +static void +Hacl_Impl_Chacha20_update(uint8_t *output, uint8_t *plain, uint32_t *st, uint32_t ctr) +{ + uint32_t b[48U] = { 0U }; + uint32_t *k = b; + uint32_t *ib = b + (uint32_t)16U; + uint32_t *ob = b + (uint32_t)32U; + Hacl_Impl_Chacha20_chacha20_core(k, st, ctr); + Hacl_Lib_LoadStore32_uint32s_from_le_bytes(ib, plain, (uint32_t)16U); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) + { + uint32_t xi = ib[i]; + uint32_t yi = k[i]; + ob[i] = xi ^ yi; + } + Hacl_Lib_LoadStore32_uint32s_to_le_bytes(output, ob, (uint32_t)16U); +} + +static void +Hacl_Impl_Chacha20_update_last( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint32_t *st, + uint32_t ctr +) +{ + uint8_t block[64U] = { 0U }; + Hacl_Impl_Chacha20_chacha20_block(block, st, ctr); + uint8_t *mask = block; + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t xi = plain[i]; + uint8_t yi = mask[i]; + output[i] = xi ^ yi; + } +} + +static void +Hacl_Impl_Chacha20_chacha20_counter_mode_blocks( + uint8_t *output, + uint8_t *plain, + uint32_t num_blocks, + uint32_t *st, + uint32_t ctr +) +{ + for (uint32_t i = (uint32_t)0U; i < num_blocks; i = i + (uint32_t)1U) + { + uint8_t *b = plain + (uint32_t)64U * i; + uint8_t *o = output + (uint32_t)64U * i; + Hacl_Impl_Chacha20_update(o, b, st, ctr + i); + } +} + +static void +Hacl_Impl_Chacha20_chacha20_counter_mode( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint32_t *st, + uint32_t ctr +) +{ + uint32_t blocks_len = len >> (uint32_t)6U; + uint32_t part_len = len & (uint32_t)0x3fU; + uint8_t *output_ = output; + uint8_t *plain_ = plain; + uint8_t *output__ = output + (uint32_t)64U * blocks_len; + uint8_t *plain__ = plain + (uint32_t)64U * blocks_len; + Hacl_Impl_Chacha20_chacha20_counter_mode_blocks(output_, plain_, blocks_len, st, ctr); + if (part_len > (uint32_t)0U) + Hacl_Impl_Chacha20_update_last(output__, plain__, part_len, st, ctr + blocks_len); +} + +static void +Hacl_Impl_Chacha20_chacha20( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint8_t *k, + uint8_t *n1, + uint32_t ctr +) +{ + uint32_t buf[16U] = { 0U }; + uint32_t *st = buf; + Hacl_Impl_Chacha20_init(st, k, n1); + Hacl_Impl_Chacha20_chacha20_counter_mode(output, plain, len, st, ctr); +} + +void Hacl_Chacha20_chacha20_key_block(uint8_t *block, uint8_t *k, uint8_t *n1, uint32_t ctr) +{ + uint32_t buf[16U] = { 0U }; + uint32_t *st = buf; + Hacl_Impl_Chacha20_init(st, k, n1); + Hacl_Impl_Chacha20_chacha20_block(block, st, ctr); +} + +/* + This function implements Chacha20 + + val chacha20 : + output:uint8_p -> + plain:uint8_p{ disjoint output plain } -> + len:uint32_t{ v len = length output /\ v len = length plain } -> + key:uint8_p{ length key = 32 } -> + nonce:uint8_p{ length nonce = 12 } -> + ctr:uint32_t{ v ctr + length plain / 64 < pow2 32 } -> + Stack unit + (requires + fun h -> live h output /\ live h plain /\ live h nonce /\ live h key) + (ensures + fun h0 _ h1 -> + live h1 output /\ live h0 plain /\ modifies_1 output h0 h1 /\ + live h0 nonce /\ + live h0 key /\ + h1.[ output ] == + chacha20_encrypt_bytes h0.[ key ] h0.[ nonce ] (v ctr) h0.[ plain ]) +*/ +void +Hacl_Chacha20_chacha20( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint8_t *k, + uint8_t *n1, + uint32_t ctr +) +{ + Hacl_Impl_Chacha20_chacha20(output, plain, len, k, n1, ctr); +} + diff --git a/vendors/ocaml-hacl/src/Hacl_Chacha20.h b/vendors/ocaml-hacl/src/Hacl_Chacha20.h new file mode 100644 index 000000000..9cd669b4e --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Chacha20.h @@ -0,0 +1,95 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_Chacha20_H +#define __Hacl_Chacha20_H + + + + + +typedef uint32_t Hacl_Impl_Xor_Lemmas_u32; + +typedef uint8_t Hacl_Impl_Xor_Lemmas_u8; + +typedef uint8_t *Hacl_Lib_LoadStore32_uint8_p; + +typedef uint32_t Hacl_Impl_Chacha20_u32; + +typedef uint32_t Hacl_Impl_Chacha20_h32; + +typedef uint8_t *Hacl_Impl_Chacha20_uint8_p; + +typedef uint32_t *Hacl_Impl_Chacha20_state; + +typedef uint32_t Hacl_Impl_Chacha20_idx; + +typedef struct +{ + void *k; + void *n; +} +Hacl_Impl_Chacha20_log_t_; + +typedef void *Hacl_Impl_Chacha20_log_t; + +typedef uint32_t Hacl_Lib_Create_h32; + +typedef uint8_t *Hacl_Chacha20_uint8_p; + +typedef uint32_t Hacl_Chacha20_uint32_t; + +void Hacl_Chacha20_chacha20_key_block(uint8_t *block, uint8_t *k, uint8_t *n1, uint32_t ctr); + +/* + This function implements Chacha20 + + val chacha20 : + output:uint8_p -> + plain:uint8_p{ disjoint output plain } -> + len:uint32_t{ v len = length output /\ v len = length plain } -> + key:uint8_p{ length key = 32 } -> + nonce:uint8_p{ length nonce = 12 } -> + ctr:uint32_t{ v ctr + length plain / 64 < pow2 32 } -> + Stack unit + (requires + fun h -> live h output /\ live h plain /\ live h nonce /\ live h key) + (ensures + fun h0 _ h1 -> + live h1 output /\ live h0 plain /\ modifies_1 output h0 h1 /\ + live h0 nonce /\ + live h0 key /\ + h1.[ output ] == + chacha20_encrypt_bytes h0.[ key ] h0.[ nonce ] (v ctr) h0.[ plain ]) +*/ +void +Hacl_Chacha20_chacha20( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint8_t *k, + uint8_t *n1, + uint32_t ctr +); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_Chacha20Poly1305.c b/vendors/ocaml-hacl/src/Hacl_Chacha20Poly1305.c new file mode 100644 index 000000000..7b1ee3073 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Chacha20Poly1305.c @@ -0,0 +1,131 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Chacha20Poly1305.h" + +Prims_int Hacl_Chacha20Poly1305_noncelen = (krml_checked_int_t)12; + +Prims_int Hacl_Chacha20Poly1305_keylen = (krml_checked_int_t)32; + +Prims_int Hacl_Chacha20Poly1305_maclen = (krml_checked_int_t)16; + +static void +Hacl_Chacha20Poly1305_aead_encrypt_poly( + uint8_t *c, + uint32_t mlen, + uint8_t *mac, + uint8_t *aad1, + uint32_t aadlen, + uint8_t *tmp +) +{ + uint8_t *b = tmp; + uint8_t *lb = tmp + (uint32_t)64U; + uint8_t *mk = b; + uint8_t *key_s = mk + (uint32_t)16U; + uint64_t tmp1[6U] = { 0U }; + Hacl_Impl_Poly1305_64_State_poly1305_state + st = AEAD_Poly1305_64_mk_state(tmp1, tmp1 + (uint32_t)3U); + (void)AEAD_Poly1305_64_poly1305_blocks_init(st, aad1, aadlen, mk); + (void)AEAD_Poly1305_64_poly1305_blocks_continue(st, c, mlen); + AEAD_Poly1305_64_poly1305_blocks_finish(st, lb, mac, key_s); +} + +void Hacl_Chacha20Poly1305_encode_length(uint8_t *lb, uint32_t aad_len, uint32_t mlen) +{ + store64_le(lb, (uint64_t)aad_len); + uint8_t *x0 = lb + (uint32_t)8U; + store64_le(x0, (uint64_t)mlen); +} + +uint32_t +Hacl_Chacha20Poly1305_aead_encrypt_( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint32_t mlen, + uint8_t *aad1, + uint32_t aadlen, + uint8_t *k1, + uint8_t *n1 +) +{ + uint8_t tmp[80U] = { 0U }; + uint8_t *b = tmp; + uint8_t *lb = tmp + (uint32_t)64U; + Hacl_Chacha20Poly1305_encode_length(lb, aadlen, mlen); + Hacl_Chacha20_chacha20(c, m, mlen, k1, n1, (uint32_t)1U); + Hacl_Chacha20_chacha20_key_block(b, k1, n1, (uint32_t)0U); + Hacl_Chacha20Poly1305_aead_encrypt_poly(c, mlen, mac, aad1, aadlen, tmp); + return (uint32_t)0U; +} + +uint32_t +Hacl_Chacha20Poly1305_aead_encrypt( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint32_t mlen, + uint8_t *aad1, + uint32_t aadlen, + uint8_t *k1, + uint8_t *n1 +) +{ + uint32_t z = Hacl_Chacha20Poly1305_aead_encrypt_(c, mac, m, mlen, aad1, aadlen, k1, n1); + return z; +} + +uint32_t +Hacl_Chacha20Poly1305_aead_decrypt( + uint8_t *m, + uint8_t *c, + uint32_t mlen, + uint8_t *mac, + uint8_t *aad1, + uint32_t aadlen, + uint8_t *k1, + uint8_t *n1 +) +{ + uint8_t tmp[96U] = { 0U }; + uint8_t *b = tmp; + uint8_t *lb = tmp + (uint32_t)64U; + Hacl_Chacha20Poly1305_encode_length(lb, aadlen, mlen); + uint8_t *rmac = tmp + (uint32_t)80U; + Hacl_Chacha20_chacha20_key_block(b, k1, n1, (uint32_t)0U); + Hacl_Chacha20Poly1305_aead_encrypt_poly(c, mlen, rmac, aad1, aadlen, tmp); + uint8_t result = Hacl_Policies_cmp_bytes(mac, rmac, (uint32_t)16U); + uint8_t verify = result; + uint32_t res; + if (verify == (uint8_t)0U) + { + Hacl_Chacha20_chacha20(m, c, mlen, k1, n1, (uint32_t)1U); + res = (uint32_t)0U; + } + else + res = (uint32_t)1U; + return res; +} + diff --git a/vendors/ocaml-hacl/src/Hacl_Chacha20Poly1305.h b/vendors/ocaml-hacl/src/Hacl_Chacha20Poly1305.h new file mode 100644 index 000000000..487acd399 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Chacha20Poly1305.h @@ -0,0 +1,80 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_Chacha20Poly1305_H +#define __Hacl_Chacha20Poly1305_H + + +#include "Hacl_Policies.h" +#include "Hacl_Chacha20.h" +#include "AEAD_Poly1305_64.h" + +extern Prims_int Hacl_Chacha20Poly1305_noncelen; + +extern Prims_int Hacl_Chacha20Poly1305_keylen; + +extern Prims_int Hacl_Chacha20Poly1305_maclen; + +typedef Hacl_Impl_Poly1305_64_State_poly1305_state Hacl_Chacha20Poly1305_state; + +typedef void *Hacl_Chacha20Poly1305_log_t; + +void Hacl_Chacha20Poly1305_encode_length(uint8_t *lb, uint32_t aad_len, uint32_t mlen); + +uint32_t +Hacl_Chacha20Poly1305_aead_encrypt_( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint32_t mlen, + uint8_t *aad1, + uint32_t aadlen, + uint8_t *k1, + uint8_t *n1 +); + +uint32_t +Hacl_Chacha20Poly1305_aead_encrypt( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint32_t mlen, + uint8_t *aad1, + uint32_t aadlen, + uint8_t *k1, + uint8_t *n1 +); + +uint32_t +Hacl_Chacha20Poly1305_aead_decrypt( + uint8_t *m, + uint8_t *c, + uint32_t mlen, + uint8_t *mac, + uint8_t *aad1, + uint32_t aadlen, + uint8_t *k1, + uint8_t *n1 +); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_Curve25519.c b/vendors/ocaml-hacl/src/Hacl_Curve25519.c new file mode 100644 index 000000000..7709213d9 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Curve25519.c @@ -0,0 +1,837 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Curve25519.h" + +static void Hacl_Bignum_Modulo_carry_top(uint64_t *b) +{ + uint64_t b4 = b[4U]; + uint64_t b0 = b[0U]; + uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU; + uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U); + b[4U] = b4_; + b[0U] = b0_; +} + +inline static void +Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_t *input) +{ + { + FStar_UInt128_t xi = input[0U]; + output[0U] = FStar_UInt128_uint128_to_uint64(xi); + } + { + FStar_UInt128_t xi = input[1U]; + output[1U] = FStar_UInt128_uint128_to_uint64(xi); + } + { + FStar_UInt128_t xi = input[2U]; + output[2U] = FStar_UInt128_uint128_to_uint64(xi); + } + { + FStar_UInt128_t xi = input[3U]; + output[3U] = FStar_UInt128_uint128_to_uint64(xi); + } + { + FStar_UInt128_t xi = input[4U]; + output[4U] = FStar_UInt128_uint128_to_uint64(xi); + } +} + +inline static void +Hacl_Bignum_Fproduct_sum_scalar_multiplication_( + FStar_UInt128_t *output, + uint64_t *input, + uint64_t s +) +{ + { + FStar_UInt128_t xi = output[0U]; + uint64_t yi = input[0U]; + output[0U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } + { + FStar_UInt128_t xi = output[1U]; + uint64_t yi = input[1U]; + output[1U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } + { + FStar_UInt128_t xi = output[2U]; + uint64_t yi = input[2U]; + output[2U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } + { + FStar_UInt128_t xi = output[3U]; + uint64_t yi = input[3U]; + output[3U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } + { + FStar_UInt128_t xi = output[4U]; + uint64_t yi = input[4U]; + output[4U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } +} + +inline static void Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_t *tmp) +{ + { + uint32_t ctr = (uint32_t)0U; + FStar_UInt128_t tctr = tmp[ctr]; + FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU; + FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U); + tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); + tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); + } + { + uint32_t ctr = (uint32_t)1U; + FStar_UInt128_t tctr = tmp[ctr]; + FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU; + FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U); + tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); + tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); + } + { + uint32_t ctr = (uint32_t)2U; + FStar_UInt128_t tctr = tmp[ctr]; + FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU; + FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U); + tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); + tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); + } + { + uint32_t ctr = (uint32_t)3U; + FStar_UInt128_t tctr = tmp[ctr]; + FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU; + FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U); + tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); + tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); + } +} + +inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output) +{ + uint64_t tmp = output[4U]; + { + uint32_t ctr = (uint32_t)5U - (uint32_t)0U - (uint32_t)1U; + uint64_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + { + uint32_t ctr = (uint32_t)5U - (uint32_t)1U - (uint32_t)1U; + uint64_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + { + uint32_t ctr = (uint32_t)5U - (uint32_t)2U - (uint32_t)1U; + uint64_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + { + uint32_t ctr = (uint32_t)5U - (uint32_t)3U - (uint32_t)1U; + uint64_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + output[0U] = tmp; + uint64_t b0 = output[0U]; + output[0U] = (uint64_t)19U * b0; +} + +static void +Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input21) +{ + { + uint64_t input2i = input21[0U]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + { + uint64_t input2i = input21[1U]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + { + uint64_t input2i = input21[2U]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + { + uint64_t input2i = input21[3U]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + uint32_t i = (uint32_t)4U; + uint64_t input2i = input21[i]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); +} + +inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input21) +{ + uint64_t tmp[5U] = { 0U }; + memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]); + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); + FStar_UInt128_t t[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input21); + Hacl_Bignum_Fproduct_carry_wide_(t); + FStar_UInt128_t b4 = t[4U]; + FStar_UInt128_t b0 = t[0U]; + FStar_UInt128_t + b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); + FStar_UInt128_t + b0_ = + FStar_UInt128_add(b0, + FStar_UInt128_mul_wide((uint64_t)19U, + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U)))); + t[4U] = b4_; + t[0U] = b0_; + Hacl_Bignum_Fproduct_copy_from_wide_(output, t); + uint64_t i0 = output[0U]; + uint64_t i1 = output[1U]; + uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)51U); + output[0U] = i0_; + output[1U] = i1_; +} + +inline static void Hacl_Bignum_Fsquare_fsquare__(FStar_UInt128_t *tmp, uint64_t *output) +{ + uint64_t r0 = output[0U]; + uint64_t r1 = output[1U]; + uint64_t r2 = output[2U]; + uint64_t r3 = output[3U]; + uint64_t r4 = output[4U]; + uint64_t d0 = r0 * (uint64_t)2U; + uint64_t d1 = r1 * (uint64_t)2U; + uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U; + uint64_t d419 = r4 * (uint64_t)19U; + uint64_t d4 = d419 * (uint64_t)2U; + FStar_UInt128_t + s0 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(r0, r0), + FStar_UInt128_mul_wide(d4, r1)), + FStar_UInt128_mul_wide(d2, r3)); + FStar_UInt128_t + s1 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r1), + FStar_UInt128_mul_wide(d4, r2)), + FStar_UInt128_mul_wide(r3 * (uint64_t)19U, r3)); + FStar_UInt128_t + s2 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r2), + FStar_UInt128_mul_wide(r1, r1)), + FStar_UInt128_mul_wide(d4, r3)); + FStar_UInt128_t + s3 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r3), + FStar_UInt128_mul_wide(d1, r2)), + FStar_UInt128_mul_wide(r4, d419)); + FStar_UInt128_t + s4 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r4), + FStar_UInt128_mul_wide(d1, r3)), + FStar_UInt128_mul_wide(r2, r2)); + tmp[0U] = s0; + tmp[1U] = s1; + tmp[2U] = s2; + tmp[3U] = s3; + tmp[4U] = s4; +} + +inline static void Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_t *tmp, uint64_t *output) +{ + Hacl_Bignum_Fsquare_fsquare__(tmp, output); + Hacl_Bignum_Fproduct_carry_wide_(tmp); + FStar_UInt128_t b4 = tmp[4U]; + FStar_UInt128_t b0 = tmp[0U]; + FStar_UInt128_t + b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); + FStar_UInt128_t + b0_ = + FStar_UInt128_add(b0, + FStar_UInt128_mul_wide((uint64_t)19U, + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U)))); + tmp[4U] = b4_; + tmp[0U] = b0_; + Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp); + uint64_t i0 = output[0U]; + uint64_t i1 = output[1U]; + uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)51U); + output[0U] = i0_; + output[1U] = i1_; +} + +static void +Hacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, FStar_UInt128_t *tmp, uint32_t count1) +{ + Hacl_Bignum_Fsquare_fsquare_(tmp, input); + for (uint32_t i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U) + Hacl_Bignum_Fsquare_fsquare_(tmp, input); +} + +inline static void +Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1) +{ + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); + FStar_UInt128_t t[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + memcpy(output, input, (uint32_t)5U * sizeof input[0U]); + Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1); +} + +inline static void Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1) +{ + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); + FStar_UInt128_t t[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1); +} + +inline static void Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z) +{ + uint64_t buf[20U] = { 0U }; + uint64_t *a = buf; + uint64_t *t00 = buf + (uint32_t)5U; + uint64_t *b0 = buf + (uint32_t)10U; + Hacl_Bignum_Fsquare_fsquare_times(a, z, (uint32_t)1U); + Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)2U); + Hacl_Bignum_Fmul_fmul(b0, t00, z); + Hacl_Bignum_Fmul_fmul(a, b0, a); + Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)1U); + Hacl_Bignum_Fmul_fmul(b0, t00, b0); + Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U); + uint64_t *t01 = buf + (uint32_t)5U; + uint64_t *b1 = buf + (uint32_t)10U; + uint64_t *c0 = buf + (uint32_t)15U; + Hacl_Bignum_Fmul_fmul(b1, t01, b1); + Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U); + Hacl_Bignum_Fmul_fmul(c0, t01, b1); + Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U); + Hacl_Bignum_Fmul_fmul(t01, t01, c0); + Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U); + Hacl_Bignum_Fmul_fmul(b1, t01, b1); + Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U); + uint64_t *a0 = buf; + uint64_t *t0 = buf + (uint32_t)5U; + uint64_t *b = buf + (uint32_t)10U; + uint64_t *c = buf + (uint32_t)15U; + Hacl_Bignum_Fmul_fmul(c, t0, b); + Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U); + Hacl_Bignum_Fmul_fmul(t0, t0, c); + Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U); + Hacl_Bignum_Fmul_fmul(t0, t0, b); + Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U); + Hacl_Bignum_Fmul_fmul(out, t0, a0); +} + +inline static void Hacl_Bignum_fsum(uint64_t *a, uint64_t *b) +{ + { + uint64_t xi = a[0U]; + uint64_t yi = b[0U]; + a[0U] = xi + yi; + } + { + uint64_t xi = a[1U]; + uint64_t yi = b[1U]; + a[1U] = xi + yi; + } + { + uint64_t xi = a[2U]; + uint64_t yi = b[2U]; + a[2U] = xi + yi; + } + { + uint64_t xi = a[3U]; + uint64_t yi = b[3U]; + a[3U] = xi + yi; + } + { + uint64_t xi = a[4U]; + uint64_t yi = b[4U]; + a[4U] = xi + yi; + } +} + +inline static void Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[5U] = { 0U }; + memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]); + uint64_t b0 = tmp[0U]; + uint64_t b1 = tmp[1U]; + uint64_t b2 = tmp[2U]; + uint64_t b3 = tmp[3U]; + uint64_t b4 = tmp[4U]; + tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U; + tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U; + tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U; + tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U; + tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U; + { + uint64_t xi = a[0U]; + uint64_t yi = tmp[0U]; + a[0U] = yi - xi; + } + { + uint64_t xi = a[1U]; + uint64_t yi = tmp[1U]; + a[1U] = yi - xi; + } + { + uint64_t xi = a[2U]; + uint64_t yi = tmp[2U]; + a[2U] = yi - xi; + } + { + uint64_t xi = a[3U]; + uint64_t yi = tmp[3U]; + a[3U] = yi - xi; + } + { + uint64_t xi = a[4U]; + uint64_t yi = tmp[4U]; + a[4U] = yi - xi; + } +} + +inline static void Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s) +{ + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); + FStar_UInt128_t tmp[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + { + uint64_t xi = b[0U]; + tmp[0U] = FStar_UInt128_mul_wide(xi, s); + } + { + uint64_t xi = b[1U]; + tmp[1U] = FStar_UInt128_mul_wide(xi, s); + } + { + uint64_t xi = b[2U]; + tmp[2U] = FStar_UInt128_mul_wide(xi, s); + } + { + uint64_t xi = b[3U]; + tmp[3U] = FStar_UInt128_mul_wide(xi, s); + } + { + uint64_t xi = b[4U]; + tmp[4U] = FStar_UInt128_mul_wide(xi, s); + } + Hacl_Bignum_Fproduct_carry_wide_(tmp); + FStar_UInt128_t b4 = tmp[4U]; + FStar_UInt128_t b0 = tmp[0U]; + FStar_UInt128_t + b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); + FStar_UInt128_t + b0_ = + FStar_UInt128_add(b0, + FStar_UInt128_mul_wide((uint64_t)19U, + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U)))); + tmp[4U] = b4_; + tmp[0U] = b0_; + Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp); +} + +inline static void Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b) +{ + Hacl_Bignum_Fmul_fmul(output, a, b); +} + +inline static void Hacl_Bignum_crecip(uint64_t *output, uint64_t *input) +{ + Hacl_Bignum_Crecip_crecip(output, input); +} + +static void +Hacl_EC_Point_swap_conditional_step(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr) +{ + uint32_t i = ctr - (uint32_t)1U; + uint64_t ai = a[i]; + uint64_t bi = b[i]; + uint64_t x = swap1 & (ai ^ bi); + uint64_t ai1 = ai ^ x; + uint64_t bi1 = bi ^ x; + a[i] = ai1; + b[i] = bi1; +} + +static void +Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr) +{ + if (!(ctr == (uint32_t)0U)) + { + Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr); + uint32_t i = ctr - (uint32_t)1U; + Hacl_EC_Point_swap_conditional_(a, b, swap1, i); + } +} + +static void Hacl_EC_Point_swap_conditional(uint64_t *a, uint64_t *b, uint64_t iswap) +{ + uint64_t swap1 = (uint64_t)0U - iswap; + Hacl_EC_Point_swap_conditional_(a, b, swap1, (uint32_t)5U); + Hacl_EC_Point_swap_conditional_(a + (uint32_t)5U, b + (uint32_t)5U, swap1, (uint32_t)5U); +} + +static void Hacl_EC_Point_copy(uint64_t *output, uint64_t *input) +{ + memcpy(output, input, (uint32_t)5U * sizeof input[0U]); + memcpy(output + (uint32_t)5U, + input + (uint32_t)5U, + (uint32_t)5U * sizeof (input + (uint32_t)5U)[0U]); +} + +static void +Hacl_EC_AddAndDouble_fmonty( + uint64_t *pp, + uint64_t *ppq, + uint64_t *p, + uint64_t *pq, + uint64_t *qmqp +) +{ + uint64_t *qx = qmqp; + uint64_t *x2 = pp; + uint64_t *z2 = pp + (uint32_t)5U; + uint64_t *x3 = ppq; + uint64_t *z3 = ppq + (uint32_t)5U; + uint64_t *x = p; + uint64_t *z = p + (uint32_t)5U; + uint64_t *xprime = pq; + uint64_t *zprime = pq + (uint32_t)5U; + uint64_t buf[40U] = { 0U }; + uint64_t *origx = buf; + uint64_t *origxprime = buf + (uint32_t)5U; + uint64_t *xxprime0 = buf + (uint32_t)25U; + uint64_t *zzprime0 = buf + (uint32_t)30U; + memcpy(origx, x, (uint32_t)5U * sizeof x[0U]); + Hacl_Bignum_fsum(x, z); + Hacl_Bignum_fdifference(z, origx); + memcpy(origxprime, xprime, (uint32_t)5U * sizeof xprime[0U]); + Hacl_Bignum_fsum(xprime, zprime); + Hacl_Bignum_fdifference(zprime, origxprime); + Hacl_Bignum_fmul(xxprime0, xprime, z); + Hacl_Bignum_fmul(zzprime0, x, zprime); + uint64_t *origxprime0 = buf + (uint32_t)5U; + uint64_t *xx0 = buf + (uint32_t)15U; + uint64_t *zz0 = buf + (uint32_t)20U; + uint64_t *xxprime = buf + (uint32_t)25U; + uint64_t *zzprime = buf + (uint32_t)30U; + uint64_t *zzzprime = buf + (uint32_t)35U; + memcpy(origxprime0, xxprime, (uint32_t)5U * sizeof xxprime[0U]); + Hacl_Bignum_fsum(xxprime, zzprime); + Hacl_Bignum_fdifference(zzprime, origxprime0); + Hacl_Bignum_Fsquare_fsquare_times(x3, xxprime, (uint32_t)1U); + Hacl_Bignum_Fsquare_fsquare_times(zzzprime, zzprime, (uint32_t)1U); + Hacl_Bignum_fmul(z3, zzzprime, qx); + Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U); + Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U); + uint64_t *zzz = buf + (uint32_t)10U; + uint64_t *xx = buf + (uint32_t)15U; + uint64_t *zz = buf + (uint32_t)20U; + Hacl_Bignum_fmul(x2, xx, zz); + Hacl_Bignum_fdifference(zz, xx); + uint64_t scalar = (uint64_t)121665U; + Hacl_Bignum_fscalar(zzz, zz, scalar); + Hacl_Bignum_fsum(zzz, xx); + Hacl_Bignum_fmul(z2, zzz, zz); +} + +static void +Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step( + uint64_t *nq, + uint64_t *nqpq, + uint64_t *nq2, + uint64_t *nqpq2, + uint64_t *q, + uint8_t byt +) +{ + uint64_t bit = (uint64_t)(byt >> (uint32_t)7U); + Hacl_EC_Point_swap_conditional(nq, nqpq, bit); + Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q); + uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U); + Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit0); +} + +static void +Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step( + uint64_t *nq, + uint64_t *nqpq, + uint64_t *nq2, + uint64_t *nqpq2, + uint64_t *q, + uint8_t byt +) +{ + Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt); + uint8_t byt1 = byt << (uint32_t)1U; + Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1); +} + +static void +Hacl_EC_Ladder_SmallLoop_cmult_small_loop( + uint64_t *nq, + uint64_t *nqpq, + uint64_t *nq2, + uint64_t *nqpq2, + uint64_t *q, + uint8_t byt, + uint32_t i +) +{ + if (!(i == (uint32_t)0U)) + { + uint32_t i_ = i - (uint32_t)1U; + Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt); + uint8_t byt_ = byt << (uint32_t)2U; + Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_); + } +} + +static void +Hacl_EC_Ladder_BigLoop_cmult_big_loop( + uint8_t *n1, + uint64_t *nq, + uint64_t *nqpq, + uint64_t *nq2, + uint64_t *nqpq2, + uint64_t *q, + uint32_t i +) +{ + if (!(i == (uint32_t)0U)) + { + uint32_t i1 = i - (uint32_t)1U; + uint8_t byte = n1[i1]; + Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byte, (uint32_t)4U); + Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, i1); + } +} + +static void Hacl_EC_Ladder_cmult(uint64_t *result, uint8_t *n1, uint64_t *q) +{ + uint64_t point_buf[40U] = { 0U }; + uint64_t *nq = point_buf; + uint64_t *nqpq = point_buf + (uint32_t)10U; + uint64_t *nq2 = point_buf + (uint32_t)20U; + uint64_t *nqpq2 = point_buf + (uint32_t)30U; + Hacl_EC_Point_copy(nqpq, q); + nq[0U] = (uint64_t)1U; + Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, (uint32_t)32U); + Hacl_EC_Point_copy(result, nq); +} + +static void Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input) +{ + uint64_t i0 = load64_le(input); + uint8_t *x00 = input + (uint32_t)6U; + uint64_t i1 = load64_le(x00); + uint8_t *x01 = input + (uint32_t)12U; + uint64_t i2 = load64_le(x01); + uint8_t *x02 = input + (uint32_t)19U; + uint64_t i3 = load64_le(x02); + uint8_t *x0 = input + (uint32_t)24U; + uint64_t i4 = load64_le(x0); + uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU; + uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU; + uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU; + uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU; + uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU; + output[0U] = output0; + output[1U] = output1; + output[2U] = output2; + output[3U] = output3; + output[4U] = output4; +} + +static void Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input) +{ + uint64_t t0 = input[0U]; + uint64_t t1 = input[1U]; + uint64_t t2 = input[2U]; + uint64_t t3 = input[3U]; + uint64_t t4 = input[4U]; + uint64_t t1_ = t1 + (t0 >> (uint32_t)51U); + uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU; + uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U); + uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU; + uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U); + uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU; + uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U); + uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU; + input[0U] = t0_; + input[1U] = t1__; + input[2U] = t2__; + input[3U] = t3__; + input[4U] = t4_; +} + +static void Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input) +{ + Hacl_EC_Format_fcontract_first_carry_pass(input); + Hacl_Bignum_Modulo_carry_top(input); +} + +static void Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input) +{ + uint64_t t0 = input[0U]; + uint64_t t1 = input[1U]; + uint64_t t2 = input[2U]; + uint64_t t3 = input[3U]; + uint64_t t4 = input[4U]; + uint64_t t1_ = t1 + (t0 >> (uint32_t)51U); + uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU; + uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U); + uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU; + uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U); + uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU; + uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U); + uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU; + input[0U] = t0_; + input[1U] = t1__; + input[2U] = t2__; + input[3U] = t3__; + input[4U] = t4_; +} + +static void Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input) +{ + Hacl_EC_Format_fcontract_second_carry_pass(input); + Hacl_Bignum_Modulo_carry_top(input); + uint64_t i0 = input[0U]; + uint64_t i1 = input[1U]; + uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)51U); + input[0U] = i0_; + input[1U] = i1_; +} + +static void Hacl_EC_Format_fcontract_trim(uint64_t *input) +{ + uint64_t a0 = input[0U]; + uint64_t a1 = input[1U]; + uint64_t a2 = input[2U]; + uint64_t a3 = input[3U]; + uint64_t a4 = input[4U]; + uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU); + uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU); + uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU); + uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU); + uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU); + uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4; + uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask); + uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask); + uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask); + uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask); + uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask); + input[0U] = a0_; + input[1U] = a1_; + input[2U] = a2_; + input[3U] = a3_; + input[4U] = a4_; +} + +static void Hacl_EC_Format_fcontract_store(uint8_t *output, uint64_t *input) +{ + uint64_t t0 = input[0U]; + uint64_t t1 = input[1U]; + uint64_t t2 = input[2U]; + uint64_t t3 = input[3U]; + uint64_t t4 = input[4U]; + uint64_t o0 = t1 << (uint32_t)51U | t0; + uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U; + uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U; + uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U; + uint8_t *b0 = output; + uint8_t *b1 = output + (uint32_t)8U; + uint8_t *b2 = output + (uint32_t)16U; + uint8_t *b3 = output + (uint32_t)24U; + store64_le(b0, o0); + store64_le(b1, o1); + store64_le(b2, o2); + store64_le(b3, o3); +} + +static void Hacl_EC_Format_fcontract(uint8_t *output, uint64_t *input) +{ + Hacl_EC_Format_fcontract_first_carry_full(input); + Hacl_EC_Format_fcontract_second_carry_full(input); + Hacl_EC_Format_fcontract_trim(input); + Hacl_EC_Format_fcontract_store(output, input); +} + +static void Hacl_EC_Format_scalar_of_point(uint8_t *scalar, uint64_t *point) +{ + uint64_t *x = point; + uint64_t *z = point + (uint32_t)5U; + uint64_t buf[10U] = { 0U }; + uint64_t *zmone = buf; + uint64_t *sc = buf + (uint32_t)5U; + Hacl_Bignum_crecip(zmone, z); + Hacl_Bignum_fmul(sc, x, zmone); + Hacl_EC_Format_fcontract(scalar, sc); +} + +void Hacl_EC_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint) +{ + uint64_t buf0[10U] = { 0U }; + uint64_t *x0 = buf0; + uint64_t *z = buf0 + (uint32_t)5U; + Hacl_EC_Format_fexpand(x0, basepoint); + z[0U] = (uint64_t)1U; + uint64_t *q = buf0; + uint8_t e[32U] = { 0U }; + memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]); + uint8_t e0 = e[0U]; + uint8_t e31 = e[31U]; + uint8_t e01 = e0 & (uint8_t)248U; + uint8_t e311 = e31 & (uint8_t)127U; + uint8_t e312 = e311 | (uint8_t)64U; + e[0U] = e01; + e[31U] = e312; + uint8_t *scalar = e; + uint64_t buf[15U] = { 0U }; + uint64_t *nq = buf; + uint64_t *x = nq; + x[0U] = (uint64_t)1U; + Hacl_EC_Ladder_cmult(nq, scalar, q); + Hacl_EC_Format_scalar_of_point(mypublic, nq); +} + +void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint) +{ + Hacl_EC_crypto_scalarmult(mypublic, secret, basepoint); +} + diff --git a/vendors/ocaml-hacl/src/Hacl_Curve25519.h b/vendors/ocaml-hacl/src/Hacl_Curve25519.h new file mode 100644 index 000000000..181c2e600 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Curve25519.h @@ -0,0 +1,69 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_Curve25519_H +#define __Hacl_Curve25519_H + + + + + +typedef uint64_t Hacl_Bignum_Constants_limb; + +typedef FStar_UInt128_t Hacl_Bignum_Constants_wide; + +typedef uint64_t Hacl_Bignum_Parameters_limb; + +typedef FStar_UInt128_t Hacl_Bignum_Parameters_wide; + +typedef uint32_t Hacl_Bignum_Parameters_ctr; + +typedef uint64_t *Hacl_Bignum_Parameters_felem; + +typedef FStar_UInt128_t *Hacl_Bignum_Parameters_felem_wide; + +typedef void *Hacl_Bignum_Parameters_seqelem; + +typedef void *Hacl_Bignum_Parameters_seqelem_wide; + +typedef FStar_UInt128_t Hacl_Bignum_Wide_t; + +typedef uint64_t Hacl_Bignum_Limb_t; + +extern void Hacl_Bignum_lemma_diff(Prims_int x0, Prims_int x1, Prims_pos x2); + +typedef uint64_t *Hacl_EC_Point_point; + +typedef uint8_t *Hacl_EC_Ladder_SmallLoop_uint8_p; + +typedef uint8_t *Hacl_EC_Ladder_uint8_p; + +typedef uint8_t *Hacl_EC_Format_uint8_p; + +void Hacl_EC_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint); + +typedef uint8_t *Hacl_Curve25519_uint8_p; + +void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_Ed25519.c b/vendors/ocaml-hacl/src/Hacl_Ed25519.c new file mode 100644 index 000000000..a1f3aa286 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Ed25519.c @@ -0,0 +1,2828 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Ed25519.h" + +static void Hacl_Bignum_Modulo_carry_top(uint64_t *b) +{ + uint64_t b4 = b[4U]; + uint64_t b0 = b[0U]; + uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU; + uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U); + b[4U] = b4_; + b[0U] = b0_; +} + +inline static void +Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_t *input) +{ + { + FStar_UInt128_t xi = input[0U]; + output[0U] = FStar_UInt128_uint128_to_uint64(xi); + } + { + FStar_UInt128_t xi = input[1U]; + output[1U] = FStar_UInt128_uint128_to_uint64(xi); + } + { + FStar_UInt128_t xi = input[2U]; + output[2U] = FStar_UInt128_uint128_to_uint64(xi); + } + { + FStar_UInt128_t xi = input[3U]; + output[3U] = FStar_UInt128_uint128_to_uint64(xi); + } + { + FStar_UInt128_t xi = input[4U]; + output[4U] = FStar_UInt128_uint128_to_uint64(xi); + } +} + +inline static void +Hacl_Bignum_Fproduct_sum_scalar_multiplication_( + FStar_UInt128_t *output, + uint64_t *input, + uint64_t s +) +{ + { + FStar_UInt128_t xi = output[0U]; + uint64_t yi = input[0U]; + output[0U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } + { + FStar_UInt128_t xi = output[1U]; + uint64_t yi = input[1U]; + output[1U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } + { + FStar_UInt128_t xi = output[2U]; + uint64_t yi = input[2U]; + output[2U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } + { + FStar_UInt128_t xi = output[3U]; + uint64_t yi = input[3U]; + output[3U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } + { + FStar_UInt128_t xi = output[4U]; + uint64_t yi = input[4U]; + output[4U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } +} + +inline static void Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_t *tmp) +{ + { + uint32_t ctr = (uint32_t)0U; + FStar_UInt128_t tctr = tmp[ctr]; + FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU; + FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U); + tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); + tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); + } + { + uint32_t ctr = (uint32_t)1U; + FStar_UInt128_t tctr = tmp[ctr]; + FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU; + FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U); + tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); + tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); + } + { + uint32_t ctr = (uint32_t)2U; + FStar_UInt128_t tctr = tmp[ctr]; + FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU; + FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U); + tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); + tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); + } + { + uint32_t ctr = (uint32_t)3U; + FStar_UInt128_t tctr = tmp[ctr]; + FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU; + FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U); + tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); + tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); + } +} + +inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output) +{ + uint64_t tmp = output[4U]; + { + uint32_t ctr = (uint32_t)5U - (uint32_t)0U - (uint32_t)1U; + uint64_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + { + uint32_t ctr = (uint32_t)5U - (uint32_t)1U - (uint32_t)1U; + uint64_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + { + uint32_t ctr = (uint32_t)5U - (uint32_t)2U - (uint32_t)1U; + uint64_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + { + uint32_t ctr = (uint32_t)5U - (uint32_t)3U - (uint32_t)1U; + uint64_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + output[0U] = tmp; + uint64_t b0 = output[0U]; + output[0U] = (uint64_t)19U * b0; +} + +static void +Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input21) +{ + { + uint64_t input2i = input21[0U]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + { + uint64_t input2i = input21[1U]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + { + uint64_t input2i = input21[2U]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + { + uint64_t input2i = input21[3U]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + uint32_t i = (uint32_t)4U; + uint64_t input2i = input21[i]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); +} + +inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input21) +{ + uint64_t tmp[5U] = { 0U }; + memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]); + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); + FStar_UInt128_t t[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input21); + Hacl_Bignum_Fproduct_carry_wide_(t); + FStar_UInt128_t b4 = t[4U]; + FStar_UInt128_t b0 = t[0U]; + FStar_UInt128_t + b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); + FStar_UInt128_t + b0_ = + FStar_UInt128_add(b0, + FStar_UInt128_mul_wide((uint64_t)19U, + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U)))); + t[4U] = b4_; + t[0U] = b0_; + Hacl_Bignum_Fproduct_copy_from_wide_(output, t); + uint64_t i0 = output[0U]; + uint64_t i1 = output[1U]; + uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)51U); + output[0U] = i0_; + output[1U] = i1_; +} + +inline static void Hacl_Bignum_Fsquare_fsquare__(FStar_UInt128_t *tmp, uint64_t *output) +{ + uint64_t r0 = output[0U]; + uint64_t r1 = output[1U]; + uint64_t r2 = output[2U]; + uint64_t r3 = output[3U]; + uint64_t r4 = output[4U]; + uint64_t d0 = r0 * (uint64_t)2U; + uint64_t d1 = r1 * (uint64_t)2U; + uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U; + uint64_t d419 = r4 * (uint64_t)19U; + uint64_t d4 = d419 * (uint64_t)2U; + FStar_UInt128_t + s0 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(r0, r0), + FStar_UInt128_mul_wide(d4, r1)), + FStar_UInt128_mul_wide(d2, r3)); + FStar_UInt128_t + s1 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r1), + FStar_UInt128_mul_wide(d4, r2)), + FStar_UInt128_mul_wide(r3 * (uint64_t)19U, r3)); + FStar_UInt128_t + s2 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r2), + FStar_UInt128_mul_wide(r1, r1)), + FStar_UInt128_mul_wide(d4, r3)); + FStar_UInt128_t + s3 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r3), + FStar_UInt128_mul_wide(d1, r2)), + FStar_UInt128_mul_wide(r4, d419)); + FStar_UInt128_t + s4 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r4), + FStar_UInt128_mul_wide(d1, r3)), + FStar_UInt128_mul_wide(r2, r2)); + tmp[0U] = s0; + tmp[1U] = s1; + tmp[2U] = s2; + tmp[3U] = s3; + tmp[4U] = s4; +} + +inline static void Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_t *tmp, uint64_t *output) +{ + Hacl_Bignum_Fsquare_fsquare__(tmp, output); + Hacl_Bignum_Fproduct_carry_wide_(tmp); + FStar_UInt128_t b4 = tmp[4U]; + FStar_UInt128_t b0 = tmp[0U]; + FStar_UInt128_t + b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU)); + FStar_UInt128_t + b0_ = + FStar_UInt128_add(b0, + FStar_UInt128_mul_wide((uint64_t)19U, + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U)))); + tmp[4U] = b4_; + tmp[0U] = b0_; + Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp); + uint64_t i0 = output[0U]; + uint64_t i1 = output[1U]; + uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)51U); + output[0U] = i0_; + output[1U] = i1_; +} + +static void +Hacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, FStar_UInt128_t *tmp, uint32_t count1) +{ + Hacl_Bignum_Fsquare_fsquare_(tmp, input); + for (uint32_t i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U) + Hacl_Bignum_Fsquare_fsquare_(tmp, input); +} + +inline static void +Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1) +{ + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); + FStar_UInt128_t t[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + memcpy(output, input, (uint32_t)5U * sizeof input[0U]); + Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1); +} + +inline static void Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1) +{ + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); + FStar_UInt128_t t[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1); +} + +inline static void Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z) +{ + uint64_t buf[20U] = { 0U }; + uint64_t *a = buf; + uint64_t *t00 = buf + (uint32_t)5U; + uint64_t *b0 = buf + (uint32_t)10U; + Hacl_Bignum_Fsquare_fsquare_times(a, z, (uint32_t)1U); + Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)2U); + Hacl_Bignum_Fmul_fmul(b0, t00, z); + Hacl_Bignum_Fmul_fmul(a, b0, a); + Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)1U); + Hacl_Bignum_Fmul_fmul(b0, t00, b0); + Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U); + uint64_t *t01 = buf + (uint32_t)5U; + uint64_t *b1 = buf + (uint32_t)10U; + uint64_t *c0 = buf + (uint32_t)15U; + Hacl_Bignum_Fmul_fmul(b1, t01, b1); + Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U); + Hacl_Bignum_Fmul_fmul(c0, t01, b1); + Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U); + Hacl_Bignum_Fmul_fmul(t01, t01, c0); + Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U); + Hacl_Bignum_Fmul_fmul(b1, t01, b1); + Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U); + uint64_t *a0 = buf; + uint64_t *t0 = buf + (uint32_t)5U; + uint64_t *b = buf + (uint32_t)10U; + uint64_t *c = buf + (uint32_t)15U; + Hacl_Bignum_Fmul_fmul(c, t0, b); + Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U); + Hacl_Bignum_Fmul_fmul(t0, t0, c); + Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U); + Hacl_Bignum_Fmul_fmul(t0, t0, b); + Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U); + Hacl_Bignum_Fmul_fmul(out, t0, a0); +} + +inline static void Hacl_Bignum_Crecip_crecip_(uint64_t *out, uint64_t *z) +{ + uint64_t buf[20U] = { 0U }; + uint64_t *a = buf; + uint64_t *t00 = buf + (uint32_t)5U; + uint64_t *b0 = buf + (uint32_t)10U; + Hacl_Bignum_Fsquare_fsquare_times(a, z, (uint32_t)1U); + Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)2U); + Hacl_Bignum_Fmul_fmul(b0, t00, z); + Hacl_Bignum_Fmul_fmul(a, b0, a); + Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)1U); + Hacl_Bignum_Fmul_fmul(b0, t00, b0); + Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U); + uint64_t *t01 = buf + (uint32_t)5U; + uint64_t *b1 = buf + (uint32_t)10U; + uint64_t *c0 = buf + (uint32_t)15U; + Hacl_Bignum_Fmul_fmul(b1, t01, b1); + Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U); + Hacl_Bignum_Fmul_fmul(c0, t01, b1); + Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U); + Hacl_Bignum_Fmul_fmul(t01, t01, c0); + Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U); + Hacl_Bignum_Fmul_fmul(b1, t01, b1); + Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U); + uint64_t *a0 = buf; + Hacl_Bignum_Fsquare_fsquare_times(a0, z, (uint32_t)1U); + uint64_t *a1 = buf; + uint64_t *t0 = buf + (uint32_t)5U; + uint64_t *b = buf + (uint32_t)10U; + uint64_t *c = buf + (uint32_t)15U; + Hacl_Bignum_Fmul_fmul(c, t0, b); + Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U); + Hacl_Bignum_Fmul_fmul(t0, t0, c); + Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U); + Hacl_Bignum_Fmul_fmul(t0, t0, b); + Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)2U); + Hacl_Bignum_Fmul_fmul(out, t0, a1); +} + +inline static void Hacl_Bignum_fsum(uint64_t *a, uint64_t *b) +{ + { + uint64_t xi = a[0U]; + uint64_t yi = b[0U]; + a[0U] = xi + yi; + } + { + uint64_t xi = a[1U]; + uint64_t yi = b[1U]; + a[1U] = xi + yi; + } + { + uint64_t xi = a[2U]; + uint64_t yi = b[2U]; + a[2U] = xi + yi; + } + { + uint64_t xi = a[3U]; + uint64_t yi = b[3U]; + a[3U] = xi + yi; + } + { + uint64_t xi = a[4U]; + uint64_t yi = b[4U]; + a[4U] = xi + yi; + } +} + +inline static void Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b) +{ + uint64_t tmp[5U] = { 0U }; + memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]); + uint64_t b0 = tmp[0U]; + uint64_t b1 = tmp[1U]; + uint64_t b2 = tmp[2U]; + uint64_t b3 = tmp[3U]; + uint64_t b4 = tmp[4U]; + tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U; + tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U; + tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U; + tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U; + tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U; + { + uint64_t xi = a[0U]; + uint64_t yi = tmp[0U]; + a[0U] = yi - xi; + } + { + uint64_t xi = a[1U]; + uint64_t yi = tmp[1U]; + a[1U] = yi - xi; + } + { + uint64_t xi = a[2U]; + uint64_t yi = tmp[2U]; + a[2U] = yi - xi; + } + { + uint64_t xi = a[3U]; + uint64_t yi = tmp[3U]; + a[3U] = yi - xi; + } + { + uint64_t xi = a[4U]; + uint64_t yi = tmp[4U]; + a[4U] = yi - xi; + } +} + +inline static void Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b) +{ + Hacl_Bignum_Fmul_fmul(output, a, b); +} + +static void Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input) +{ + uint64_t i0 = load64_le(input); + uint8_t *x00 = input + (uint32_t)6U; + uint64_t i1 = load64_le(x00); + uint8_t *x01 = input + (uint32_t)12U; + uint64_t i2 = load64_le(x01); + uint8_t *x02 = input + (uint32_t)19U; + uint64_t i3 = load64_le(x02); + uint8_t *x0 = input + (uint32_t)24U; + uint64_t i4 = load64_le(x0); + uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU; + uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU; + uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU; + uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU; + uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU; + output[0U] = output0; + output[1U] = output1; + output[2U] = output2; + output[3U] = output3; + output[4U] = output4; +} + +static void Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input) +{ + uint64_t t0 = input[0U]; + uint64_t t1 = input[1U]; + uint64_t t2 = input[2U]; + uint64_t t3 = input[3U]; + uint64_t t4 = input[4U]; + uint64_t t1_ = t1 + (t0 >> (uint32_t)51U); + uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU; + uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U); + uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU; + uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U); + uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU; + uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U); + uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU; + input[0U] = t0_; + input[1U] = t1__; + input[2U] = t2__; + input[3U] = t3__; + input[4U] = t4_; +} + +static void Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input) +{ + Hacl_EC_Format_fcontract_first_carry_pass(input); + Hacl_Bignum_Modulo_carry_top(input); +} + +static void Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input) +{ + uint64_t t0 = input[0U]; + uint64_t t1 = input[1U]; + uint64_t t2 = input[2U]; + uint64_t t3 = input[3U]; + uint64_t t4 = input[4U]; + uint64_t t1_ = t1 + (t0 >> (uint32_t)51U); + uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU; + uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U); + uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU; + uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U); + uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU; + uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U); + uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU; + input[0U] = t0_; + input[1U] = t1__; + input[2U] = t2__; + input[3U] = t3__; + input[4U] = t4_; +} + +static void Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input) +{ + Hacl_EC_Format_fcontract_second_carry_pass(input); + Hacl_Bignum_Modulo_carry_top(input); + uint64_t i0 = input[0U]; + uint64_t i1 = input[1U]; + uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)51U); + input[0U] = i0_; + input[1U] = i1_; +} + +static void Hacl_EC_Format_fcontract_trim(uint64_t *input) +{ + uint64_t a0 = input[0U]; + uint64_t a1 = input[1U]; + uint64_t a2 = input[2U]; + uint64_t a3 = input[3U]; + uint64_t a4 = input[4U]; + uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU); + uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU); + uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU); + uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU); + uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU); + uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4; + uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask); + uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask); + uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask); + uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask); + uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask); + input[0U] = a0_; + input[1U] = a1_; + input[2U] = a2_; + input[3U] = a3_; + input[4U] = a4_; +} + +static void Hacl_EC_Format_reduce(uint64_t *out) +{ + Hacl_EC_Format_fcontract_first_carry_full(out); + Hacl_EC_Format_fcontract_second_carry_full(out); + Hacl_EC_Format_fcontract_trim(out); +} + +static void +Hacl_Lib_Create64_make_h64_5( + uint64_t *b, + uint64_t s0, + uint64_t s1, + uint64_t s2, + uint64_t s3, + uint64_t s4 +) +{ + b[0U] = s0; + b[1U] = s1; + b[2U] = s2; + b[3U] = s3; + b[4U] = s4; +} + +static void +Hacl_Lib_Create64_make_h64_10( + uint64_t *b, + uint64_t s0, + uint64_t s1, + uint64_t s2, + uint64_t s3, + uint64_t s4, + uint64_t s5, + uint64_t s6, + uint64_t s7, + uint64_t s8, + uint64_t s9 +) +{ + b[0U] = s0; + b[1U] = s1; + b[2U] = s2; + b[3U] = s3; + b[4U] = s4; + b[5U] = s5; + b[6U] = s6; + b[7U] = s7; + b[8U] = s8; + b[9U] = s9; +} + +static void Hacl_Bignum25519_fsum(uint64_t *a, uint64_t *b) +{ + Hacl_Bignum_fsum(a, b); +} + +static void Hacl_Bignum25519_fdifference(uint64_t *a, uint64_t *b) +{ + Hacl_Bignum_fdifference(a, b); +} + +static void Hacl_Bignum25519_reduce_513(uint64_t *a) +{ + uint64_t t0 = a[0U]; + uint64_t t1 = a[1U]; + uint64_t t2 = a[2U]; + uint64_t t3 = a[3U]; + uint64_t t4 = a[4U]; + uint64_t t1_ = t1 + (t0 >> (uint32_t)51U); + uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU; + uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U); + uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU; + uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U); + uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU; + uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U); + uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU; + Hacl_Lib_Create64_make_h64_5(a, t0_, t1__, t2__, t3__, t4_); + Hacl_Bignum_Modulo_carry_top(a); + uint64_t i0 = a[0U]; + uint64_t i1 = a[1U]; + uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)51U); + a[0U] = i0_; + a[1U] = i1_; +} + +static void Hacl_Bignum25519_fdifference_reduced(uint64_t *a, uint64_t *b) +{ + Hacl_Bignum25519_fdifference(a, b); + Hacl_Bignum25519_reduce_513(a); +} + +static void Hacl_Bignum25519_fmul(uint64_t *out, uint64_t *a, uint64_t *b) +{ + Hacl_Bignum_fmul(out, a, b); +} + +static void Hacl_Bignum25519_times_2(uint64_t *out, uint64_t *a) +{ + uint64_t a0 = a[0U]; + uint64_t a1 = a[1U]; + uint64_t a2 = a[2U]; + uint64_t a3 = a[3U]; + uint64_t a4 = a[4U]; + uint64_t o0 = (uint64_t)2U * a0; + uint64_t o1 = (uint64_t)2U * a1; + uint64_t o2 = (uint64_t)2U * a2; + uint64_t o3 = (uint64_t)2U * a3; + uint64_t o4 = (uint64_t)2U * a4; + Hacl_Lib_Create64_make_h64_5(out, o0, o1, o2, o3, o4); +} + +static void Hacl_Bignum25519_times_d(uint64_t *out, uint64_t *a) +{ + uint64_t d1[5U] = { 0U }; + Hacl_Lib_Create64_make_h64_5(d1, + (uint64_t)0x00034dca135978a3U, + (uint64_t)0x0001a8283b156ebdU, + (uint64_t)0x0005e7a26001c029U, + (uint64_t)0x000739c663a03cbbU, + (uint64_t)0x00052036cee2b6ffU); + Hacl_Bignum25519_fmul(out, d1, a); +} + +static void Hacl_Bignum25519_times_2d(uint64_t *out, uint64_t *a) +{ + uint64_t d2[5U] = { 0U }; + Hacl_Lib_Create64_make_h64_5(d2, + (uint64_t)0x00069b9426b2f159U, + (uint64_t)0x00035050762add7aU, + (uint64_t)0x0003cf44c0038052U, + (uint64_t)0x0006738cc7407977U, + (uint64_t)0x0002406d9dc56dffU); + Hacl_Bignum25519_fmul(out, a, d2); +} + +static void Hacl_Bignum25519_fsquare(uint64_t *out, uint64_t *a) +{ + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U); + FStar_UInt128_t tmp[5U]; + for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i) + tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + memcpy(out, a, (uint32_t)5U * sizeof a[0U]); + Hacl_Bignum_Fsquare_fsquare_(tmp, out); +} + +static void Hacl_Bignum25519_inverse(uint64_t *out, uint64_t *a) +{ + Hacl_Bignum_Crecip_crecip(out, a); +} + +static void Hacl_Bignum25519_reduce(uint64_t *out) +{ + Hacl_EC_Format_reduce(out); +} + +static uint64_t *Hacl_Impl_Ed25519_ExtPoint_getx(uint64_t *p) +{ + return p; +} + +static uint64_t *Hacl_Impl_Ed25519_ExtPoint_gety(uint64_t *p) +{ + return p + (uint32_t)5U; +} + +static uint64_t *Hacl_Impl_Ed25519_ExtPoint_getz(uint64_t *p) +{ + return p + (uint32_t)10U; +} + +static uint64_t *Hacl_Impl_Ed25519_ExtPoint_gett(uint64_t *p) +{ + return p + (uint32_t)15U; +} + +static void Hacl_Impl_Ed25519_G_make_g(uint64_t *g1) +{ + uint64_t *gx = Hacl_Impl_Ed25519_ExtPoint_getx(g1); + uint64_t *gy = Hacl_Impl_Ed25519_ExtPoint_gety(g1); + uint64_t *gz = Hacl_Impl_Ed25519_ExtPoint_getz(g1); + uint64_t *gt1 = Hacl_Impl_Ed25519_ExtPoint_gett(g1); + Hacl_Lib_Create64_make_h64_5(gx, + (uint64_t)0x00062d608f25d51aU, + (uint64_t)0x000412a4b4f6592aU, + (uint64_t)0x00075b7171a4b31dU, + (uint64_t)0x0001ff60527118feU, + (uint64_t)0x000216936d3cd6e5U); + Hacl_Lib_Create64_make_h64_5(gy, + (uint64_t)0x0006666666666658U, + (uint64_t)0x0004ccccccccccccU, + (uint64_t)0x0001999999999999U, + (uint64_t)0x0003333333333333U, + (uint64_t)0x0006666666666666U); + Hacl_Lib_Create64_make_h64_5(gz, + (uint64_t)0x0000000000000001U, + (uint64_t)0x0000000000000000U, + (uint64_t)0x0000000000000000U, + (uint64_t)0x0000000000000000U, + (uint64_t)0x0000000000000000U); + Hacl_Lib_Create64_make_h64_5(gt1, + (uint64_t)0x00068ab3a5b7dda3U, + (uint64_t)0x00000eea2a5eadbbU, + (uint64_t)0x0002af8df483c27eU, + (uint64_t)0x000332b375274732U, + (uint64_t)0x00067875f0fd78b7U); +} + +static void Hacl_Impl_Store51_store_51_(uint8_t *output, uint64_t *input) +{ + uint64_t t0 = input[0U]; + uint64_t t1 = input[1U]; + uint64_t t2 = input[2U]; + uint64_t t3 = input[3U]; + uint64_t t4 = input[4U]; + uint64_t o0 = t1 << (uint32_t)51U | t0; + uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U; + uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U; + uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U; + uint8_t *b0 = output; + uint8_t *b1 = output + (uint32_t)8U; + uint8_t *b2 = output + (uint32_t)16U; + uint8_t *b3 = output + (uint32_t)24U; + store64_le(b0, o0); + store64_le(b1, o1); + store64_le(b2, o2); + store64_le(b3, o3); +} + +static uint64_t Hacl_Impl_Ed25519_PointCompress_x_mod_2(uint64_t *x) +{ + uint64_t x0 = x[0U]; + return x0 & (uint64_t)1U; +} + +static void Hacl_Impl_Ed25519_PointCompress_point_compress(uint8_t *z, uint64_t *p) +{ + uint64_t tmp[15U] = { 0U }; + uint64_t *x0 = tmp + (uint32_t)5U; + uint64_t *out0 = tmp + (uint32_t)10U; + uint64_t *zinv = tmp; + uint64_t *x = tmp + (uint32_t)5U; + uint64_t *out = tmp + (uint32_t)10U; + uint64_t *px = Hacl_Impl_Ed25519_ExtPoint_getx(p); + uint64_t *py = Hacl_Impl_Ed25519_ExtPoint_gety(p); + uint64_t *pz = Hacl_Impl_Ed25519_ExtPoint_getz(p); + Hacl_Bignum25519_inverse(zinv, pz); + Hacl_Bignum25519_fmul(x, px, zinv); + Hacl_Bignum25519_reduce(x); + Hacl_Bignum25519_fmul(out, py, zinv); + Hacl_Bignum25519_reduce(out); + uint64_t b = Hacl_Impl_Ed25519_PointCompress_x_mod_2(x0); + Hacl_Impl_Store51_store_51_(z, out0); + uint8_t xbyte = (uint8_t)b; + uint8_t o31 = z[31U]; + z[31U] = o31 + (xbyte << (uint32_t)7U); +} + +static void +Hacl_Impl_Ed25519_SwapConditional_swap_conditional_step( + uint64_t *a_, + uint64_t *b_, + uint64_t *a, + uint64_t *b, + uint64_t swap1 +) +{ + uint64_t a0 = a[0U]; + uint64_t a1 = a[1U]; + uint64_t a2 = a[2U]; + uint64_t a3 = a[3U]; + uint64_t a4 = a[4U]; + uint64_t b0 = b[0U]; + uint64_t b1 = b[1U]; + uint64_t b2 = b[2U]; + uint64_t b3 = b[3U]; + uint64_t b4 = b[4U]; + uint64_t x0 = swap1 & (a0 ^ b0); + uint64_t x1 = swap1 & (a1 ^ b1); + uint64_t x2 = swap1 & (a2 ^ b2); + uint64_t x3 = swap1 & (a3 ^ b3); + uint64_t x4 = swap1 & (a4 ^ b4); + uint64_t a0_ = a0 ^ x0; + uint64_t b0_ = b0 ^ x0; + uint64_t a1_ = a1 ^ x1; + uint64_t b1_ = b1 ^ x1; + uint64_t a2_ = a2 ^ x2; + uint64_t b2_ = b2 ^ x2; + uint64_t a3_ = a3 ^ x3; + uint64_t b3_ = b3 ^ x3; + uint64_t a4_ = a4 ^ x4; + uint64_t b4_ = b4 ^ x4; + Hacl_Lib_Create64_make_h64_5(a_, a0_, a1_, a2_, a3_, a4_); + Hacl_Lib_Create64_make_h64_5(b_, b0_, b1_, b2_, b3_, b4_); +} + +static void +Hacl_Impl_Ed25519_SwapConditional_swap_conditional( + uint64_t *a_, + uint64_t *b_, + uint64_t *a, + uint64_t *b, + uint64_t iswap +) +{ + uint64_t swap1 = (uint64_t)0U - iswap; + Hacl_Impl_Ed25519_SwapConditional_swap_conditional_step(Hacl_Impl_Ed25519_ExtPoint_getx(a_), + Hacl_Impl_Ed25519_ExtPoint_getx(b_), + Hacl_Impl_Ed25519_ExtPoint_getx(a), + Hacl_Impl_Ed25519_ExtPoint_getx(b), + swap1); + Hacl_Impl_Ed25519_SwapConditional_swap_conditional_step(Hacl_Impl_Ed25519_ExtPoint_gety(a_), + Hacl_Impl_Ed25519_ExtPoint_gety(b_), + Hacl_Impl_Ed25519_ExtPoint_gety(a), + Hacl_Impl_Ed25519_ExtPoint_gety(b), + swap1); + Hacl_Impl_Ed25519_SwapConditional_swap_conditional_step(Hacl_Impl_Ed25519_ExtPoint_getz(a_), + Hacl_Impl_Ed25519_ExtPoint_getz(b_), + Hacl_Impl_Ed25519_ExtPoint_getz(a), + Hacl_Impl_Ed25519_ExtPoint_getz(b), + swap1); + Hacl_Impl_Ed25519_SwapConditional_swap_conditional_step(Hacl_Impl_Ed25519_ExtPoint_gett(a_), + Hacl_Impl_Ed25519_ExtPoint_gett(b_), + Hacl_Impl_Ed25519_ExtPoint_gett(a), + Hacl_Impl_Ed25519_ExtPoint_gett(b), + swap1); +} + +static void +Hacl_Impl_Ed25519_SwapConditional_swap_conditional_inplace( + uint64_t *a, + uint64_t *b, + uint64_t iswap +) +{ + uint64_t swap1 = (uint64_t)0U - iswap; + Hacl_Impl_Ed25519_SwapConditional_swap_conditional_step(Hacl_Impl_Ed25519_ExtPoint_getx(a), + Hacl_Impl_Ed25519_ExtPoint_getx(b), + Hacl_Impl_Ed25519_ExtPoint_getx(a), + Hacl_Impl_Ed25519_ExtPoint_getx(b), + swap1); + Hacl_Impl_Ed25519_SwapConditional_swap_conditional_step(Hacl_Impl_Ed25519_ExtPoint_gety(a), + Hacl_Impl_Ed25519_ExtPoint_gety(b), + Hacl_Impl_Ed25519_ExtPoint_gety(a), + Hacl_Impl_Ed25519_ExtPoint_gety(b), + swap1); + Hacl_Impl_Ed25519_SwapConditional_swap_conditional_step(Hacl_Impl_Ed25519_ExtPoint_getz(a), + Hacl_Impl_Ed25519_ExtPoint_getz(b), + Hacl_Impl_Ed25519_ExtPoint_getz(a), + Hacl_Impl_Ed25519_ExtPoint_getz(b), + swap1); + Hacl_Impl_Ed25519_SwapConditional_swap_conditional_step(Hacl_Impl_Ed25519_ExtPoint_gett(a), + Hacl_Impl_Ed25519_ExtPoint_gett(b), + Hacl_Impl_Ed25519_ExtPoint_gett(a), + Hacl_Impl_Ed25519_ExtPoint_gett(b), + swap1); +} + +static void Hacl_Impl_Ed25519_SwapConditional_copy(uint64_t *output, uint64_t *input) +{ + memcpy(output, input, (uint32_t)20U * sizeof input[0U]); +} + +static void Hacl_Impl_Ed25519_PointAdd_point_add(uint64_t *out, uint64_t *p, uint64_t *q1) +{ + uint64_t tmp[30U] = { 0U }; + uint64_t *tmp1 = tmp; + uint64_t *tmp20 = tmp + (uint32_t)5U; + uint64_t *tmp30 = tmp + (uint32_t)10U; + uint64_t *tmp40 = tmp + (uint32_t)15U; + uint64_t *x1 = Hacl_Impl_Ed25519_ExtPoint_getx(p); + uint64_t *y1 = Hacl_Impl_Ed25519_ExtPoint_gety(p); + uint64_t *x2 = Hacl_Impl_Ed25519_ExtPoint_getx(q1); + uint64_t *y2 = Hacl_Impl_Ed25519_ExtPoint_gety(q1); + memcpy(tmp1, x1, (uint32_t)5U * sizeof x1[0U]); + memcpy(tmp20, x2, (uint32_t)5U * sizeof x2[0U]); + Hacl_Bignum25519_fdifference_reduced(tmp1, y1); + Hacl_Bignum25519_fdifference(tmp20, y2); + Hacl_Bignum25519_fmul(tmp30, tmp1, tmp20); + memcpy(tmp1, y1, (uint32_t)5U * sizeof y1[0U]); + memcpy(tmp20, y2, (uint32_t)5U * sizeof y2[0U]); + Hacl_Bignum25519_fsum(tmp1, x1); + Hacl_Bignum25519_fsum(tmp20, x2); + Hacl_Bignum25519_fmul(tmp40, tmp1, tmp20); + uint64_t *tmp10 = tmp; + uint64_t *tmp21 = tmp + (uint32_t)5U; + uint64_t *tmp31 = tmp + (uint32_t)10U; + uint64_t *tmp50 = tmp + (uint32_t)20U; + uint64_t *tmp60 = tmp + (uint32_t)25U; + uint64_t *z1 = Hacl_Impl_Ed25519_ExtPoint_getz(p); + uint64_t *t1 = Hacl_Impl_Ed25519_ExtPoint_gett(p); + uint64_t *z2 = Hacl_Impl_Ed25519_ExtPoint_getz(q1); + uint64_t *t2 = Hacl_Impl_Ed25519_ExtPoint_gett(q1); + Hacl_Bignum25519_times_2d(tmp10, t1); + Hacl_Bignum25519_fmul(tmp21, tmp10, t2); + Hacl_Bignum25519_times_2(tmp10, z1); + Hacl_Bignum25519_fmul(tmp50, tmp10, z2); + memcpy(tmp10, tmp31, (uint32_t)5U * sizeof tmp31[0U]); + memcpy(tmp60, tmp21, (uint32_t)5U * sizeof tmp21[0U]); + uint64_t *tmp11 = tmp; + uint64_t *tmp2 = tmp + (uint32_t)5U; + uint64_t *tmp3 = tmp + (uint32_t)10U; + uint64_t *tmp41 = tmp + (uint32_t)15U; + uint64_t *tmp51 = tmp + (uint32_t)20U; + uint64_t *tmp61 = tmp + (uint32_t)25U; + Hacl_Bignum25519_fdifference_reduced(tmp11, tmp41); + Hacl_Bignum25519_fdifference(tmp61, tmp51); + Hacl_Bignum25519_fsum(tmp51, tmp2); + Hacl_Bignum25519_fsum(tmp41, tmp3); + uint64_t *tmp12 = tmp; + uint64_t *tmp4 = tmp + (uint32_t)15U; + uint64_t *tmp5 = tmp + (uint32_t)20U; + uint64_t *tmp6 = tmp + (uint32_t)25U; + uint64_t *x3 = Hacl_Impl_Ed25519_ExtPoint_getx(out); + uint64_t *y3 = Hacl_Impl_Ed25519_ExtPoint_gety(out); + uint64_t *z3 = Hacl_Impl_Ed25519_ExtPoint_getz(out); + uint64_t *t3 = Hacl_Impl_Ed25519_ExtPoint_gett(out); + Hacl_Bignum25519_fmul(x3, tmp12, tmp6); + Hacl_Bignum25519_fmul(y3, tmp5, tmp4); + Hacl_Bignum25519_fmul(t3, tmp12, tmp4); + Hacl_Bignum25519_fmul(z3, tmp5, tmp6); +} + +static void Hacl_Impl_Ed25519_PointDouble_point_double_step_1(uint64_t *p, uint64_t *tmp) +{ + uint64_t *tmp1 = tmp; + uint64_t *tmp2 = tmp + (uint32_t)5U; + uint64_t *tmp3 = tmp + (uint32_t)10U; + uint64_t *tmp4 = tmp + (uint32_t)15U; + uint64_t *x1 = Hacl_Impl_Ed25519_ExtPoint_getx(p); + uint64_t *y1 = Hacl_Impl_Ed25519_ExtPoint_gety(p); + uint64_t *z1 = Hacl_Impl_Ed25519_ExtPoint_getz(p); + Hacl_Bignum25519_fsquare(tmp1, x1); + Hacl_Bignum25519_fsquare(tmp2, y1); + Hacl_Bignum25519_fsquare(tmp3, z1); + Hacl_Bignum25519_times_2(tmp4, tmp3); + memcpy(tmp3, tmp1, (uint32_t)5U * sizeof tmp1[0U]); + Hacl_Bignum25519_fsum(tmp3, tmp2); + Hacl_Bignum25519_reduce_513(tmp3); +} + +static void Hacl_Impl_Ed25519_PointDouble_point_double_step_2(uint64_t *p, uint64_t *tmp) +{ + uint64_t *tmp1 = tmp; + uint64_t *tmp2 = tmp + (uint32_t)5U; + uint64_t *tmp3 = tmp + (uint32_t)10U; + uint64_t *tmp4 = tmp + (uint32_t)15U; + uint64_t *tmp5 = tmp + (uint32_t)20U; + uint64_t *tmp6 = tmp + (uint32_t)25U; + uint64_t *x1 = Hacl_Impl_Ed25519_ExtPoint_getx(p); + uint64_t *y1 = Hacl_Impl_Ed25519_ExtPoint_gety(p); + memcpy(tmp5, x1, (uint32_t)5U * sizeof x1[0U]); + Hacl_Bignum25519_fsum(tmp5, y1); + Hacl_Bignum25519_fsquare(tmp6, tmp5); + memcpy(tmp5, tmp3, (uint32_t)5U * sizeof tmp3[0U]); + Hacl_Bignum25519_fdifference(tmp6, tmp5); + Hacl_Bignum25519_fdifference_reduced(tmp2, tmp1); + Hacl_Bignum25519_reduce_513(tmp4); + Hacl_Bignum25519_fsum(tmp4, tmp2); +} + +static void +Hacl_Impl_Ed25519_PointDouble_point_double_(uint64_t *out, uint64_t *p, uint64_t *tmp) +{ + uint64_t *tmp2 = tmp + (uint32_t)5U; + uint64_t *tmp3 = tmp + (uint32_t)10U; + uint64_t *tmp4 = tmp + (uint32_t)15U; + uint64_t *tmp6 = tmp + (uint32_t)25U; + uint64_t *x3 = Hacl_Impl_Ed25519_ExtPoint_getx(out); + uint64_t *y3 = Hacl_Impl_Ed25519_ExtPoint_gety(out); + uint64_t *z3 = Hacl_Impl_Ed25519_ExtPoint_getz(out); + uint64_t *t3 = Hacl_Impl_Ed25519_ExtPoint_gett(out); + Hacl_Impl_Ed25519_PointDouble_point_double_step_1(p, tmp); + Hacl_Impl_Ed25519_PointDouble_point_double_step_2(p, tmp); + Hacl_Bignum25519_fmul(x3, tmp4, tmp6); + Hacl_Bignum25519_fmul(y3, tmp2, tmp3); + Hacl_Bignum25519_fmul(t3, tmp3, tmp6); + Hacl_Bignum25519_fmul(z3, tmp4, tmp2); +} + +static void Hacl_Impl_Ed25519_PointDouble_point_double(uint64_t *out, uint64_t *p) +{ + uint64_t tmp[30U] = { 0U }; + Hacl_Impl_Ed25519_PointDouble_point_double_(out, p, tmp); +} + +static uint8_t Hacl_Impl_Ed25519_Ladder_Step_ith_bit(uint8_t *k1, uint32_t i) +{ + uint32_t q1 = i >> (uint32_t)3U; + uint32_t r = i & (uint32_t)7U; + uint8_t kq = k1[q1]; + return kq >> r & (uint8_t)1U; +} + +static void +Hacl_Impl_Ed25519_Ladder_Step_swap_cond_inplace(uint64_t *p, uint64_t *q1, uint64_t iswap) +{ + Hacl_Impl_Ed25519_SwapConditional_swap_conditional_inplace(p, q1, iswap); +} + +static void +Hacl_Impl_Ed25519_Ladder_Step_swap_cond( + uint64_t *p_, + uint64_t *q_, + uint64_t *p, + uint64_t *q1, + uint64_t iswap +) +{ + Hacl_Impl_Ed25519_SwapConditional_swap_conditional(p_, q_, p, q1, iswap); +} + +static void +Hacl_Impl_Ed25519_Ladder_Step_loop_step_1(uint64_t *b, uint8_t *k1, uint32_t ctr, uint8_t i) +{ + uint64_t *nq = b; + uint64_t *nqpq = b + (uint32_t)20U; + uint64_t bit = (uint64_t)i; + Hacl_Impl_Ed25519_Ladder_Step_swap_cond_inplace(nq, nqpq, bit); +} + +static void Hacl_Impl_Ed25519_Ladder_Step_loop_step_2(uint64_t *b, uint8_t *k1, uint32_t ctr) +{ + uint64_t *nq = b; + uint64_t *nqpq = b + (uint32_t)20U; + uint64_t *nq2 = b + (uint32_t)40U; + uint64_t *nqpq2 = b + (uint32_t)60U; + Hacl_Impl_Ed25519_PointDouble_point_double(nq2, nq); + Hacl_Impl_Ed25519_PointAdd_point_add(nqpq2, nq, nqpq); +} + +static void +Hacl_Impl_Ed25519_Ladder_Step_loop_step_3(uint64_t *b, uint8_t *k1, uint32_t ctr, uint8_t i) +{ + uint64_t *nq = b; + uint64_t *nqpq = b + (uint32_t)20U; + uint64_t *nq2 = b + (uint32_t)40U; + uint64_t *nqpq2 = b + (uint32_t)60U; + uint64_t bit = (uint64_t)i; + Hacl_Impl_Ed25519_Ladder_Step_swap_cond(nq, nqpq, nq2, nqpq2, bit); +} + +static void Hacl_Impl_Ed25519_Ladder_Step_loop_step(uint64_t *b, uint8_t *k1, uint32_t ctr) +{ + uint8_t bit = Hacl_Impl_Ed25519_Ladder_Step_ith_bit(k1, ctr); + Hacl_Impl_Ed25519_Ladder_Step_loop_step_1(b, k1, ctr, bit); + Hacl_Impl_Ed25519_Ladder_Step_loop_step_2(b, k1, ctr); + Hacl_Impl_Ed25519_Ladder_Step_loop_step_3(b, k1, ctr, bit); +} + +static void Hacl_Impl_Ed25519_Ladder_point_mul_(uint64_t *b, uint8_t *k1) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)256U; i = i + (uint32_t)1U) + Hacl_Impl_Ed25519_Ladder_Step_loop_step(b, k1, (uint32_t)256U - i - (uint32_t)1U); +} + +static void Hacl_Impl_Ed25519_Ladder_make_point_inf(uint64_t *b) +{ + uint64_t *x = b; + uint64_t *y = b + (uint32_t)5U; + uint64_t *z = b + (uint32_t)10U; + uint64_t *t = b + (uint32_t)15U; + uint64_t zero1 = (uint64_t)0U; + Hacl_Lib_Create64_make_h64_5(x, zero1, zero1, zero1, zero1, zero1); + uint64_t zero10 = (uint64_t)0U; + uint64_t one10 = (uint64_t)1U; + Hacl_Lib_Create64_make_h64_5(y, one10, zero10, zero10, zero10, zero10); + uint64_t zero11 = (uint64_t)0U; + uint64_t one1 = (uint64_t)1U; + Hacl_Lib_Create64_make_h64_5(z, one1, zero11, zero11, zero11, zero11); + uint64_t zero12 = (uint64_t)0U; + Hacl_Lib_Create64_make_h64_5(t, zero12, zero12, zero12, zero12, zero12); +} + +static void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *result, uint8_t *scalar, uint64_t *q1) +{ + uint64_t b[80U] = { 0U }; + uint64_t *nq = b; + uint64_t *nqpq = b + (uint32_t)20U; + Hacl_Impl_Ed25519_Ladder_make_point_inf(nq); + Hacl_Impl_Ed25519_SwapConditional_copy(nqpq, q1); + Hacl_Impl_Ed25519_Ladder_point_mul_(b, scalar); + Hacl_Impl_Ed25519_SwapConditional_copy(result, nq); +} + +static void +Hacl_Hash_Lib_LoadStore_uint64s_from_be_bytes(uint64_t *output, uint8_t *input, uint32_t len1) +{ + for (uint32_t i = (uint32_t)0U; i < len1; i = i + (uint32_t)1U) + { + uint8_t *x0 = input + (uint32_t)8U * i; + uint64_t inputi = load64_be(x0); + output[i] = inputi; + } +} + +static void +Hacl_Hash_Lib_LoadStore_uint64s_to_be_bytes(uint8_t *output, uint64_t *input, uint32_t len1) +{ + for (uint32_t i = (uint32_t)0U; i < len1; i = i + (uint32_t)1U) + { + uint64_t hd1 = input[i]; + uint8_t *x0 = output + (uint32_t)8U * i; + store64_be(x0, hd1); + } +} + +static void Hacl_Impl_SHA2_512_init(uint64_t *state) +{ + uint64_t *n1 = state + (uint32_t)168U; + uint64_t *k1 = state; + uint64_t *h_01 = state + (uint32_t)160U; + uint64_t *p10 = k1; + uint64_t *p20 = k1 + (uint32_t)16U; + uint64_t *p3 = k1 + (uint32_t)32U; + uint64_t *p4 = k1 + (uint32_t)48U; + uint64_t *p5 = k1 + (uint32_t)64U; + uint64_t *p11 = p10; + uint64_t *p21 = p10 + (uint32_t)8U; + uint64_t *p12 = p11; + uint64_t *p22 = p11 + (uint32_t)4U; + p12[0U] = (uint64_t)0x428a2f98d728ae22U; + p12[1U] = (uint64_t)0x7137449123ef65cdU; + p12[2U] = (uint64_t)0xb5c0fbcfec4d3b2fU; + p12[3U] = (uint64_t)0xe9b5dba58189dbbcU; + p22[0U] = (uint64_t)0x3956c25bf348b538U; + p22[1U] = (uint64_t)0x59f111f1b605d019U; + p22[2U] = (uint64_t)0x923f82a4af194f9bU; + p22[3U] = (uint64_t)0xab1c5ed5da6d8118U; + uint64_t *p13 = p21; + uint64_t *p23 = p21 + (uint32_t)4U; + p13[0U] = (uint64_t)0xd807aa98a3030242U; + p13[1U] = (uint64_t)0x12835b0145706fbeU; + p13[2U] = (uint64_t)0x243185be4ee4b28cU; + p13[3U] = (uint64_t)0x550c7dc3d5ffb4e2U; + p23[0U] = (uint64_t)0x72be5d74f27b896fU; + p23[1U] = (uint64_t)0x80deb1fe3b1696b1U; + p23[2U] = (uint64_t)0x9bdc06a725c71235U; + p23[3U] = (uint64_t)0xc19bf174cf692694U; + uint64_t *p14 = p20; + uint64_t *p24 = p20 + (uint32_t)8U; + uint64_t *p15 = p14; + uint64_t *p25 = p14 + (uint32_t)4U; + p15[0U] = (uint64_t)0xe49b69c19ef14ad2U; + p15[1U] = (uint64_t)0xefbe4786384f25e3U; + p15[2U] = (uint64_t)0x0fc19dc68b8cd5b5U; + p15[3U] = (uint64_t)0x240ca1cc77ac9c65U; + p25[0U] = (uint64_t)0x2de92c6f592b0275U; + p25[1U] = (uint64_t)0x4a7484aa6ea6e483U; + p25[2U] = (uint64_t)0x5cb0a9dcbd41fbd4U; + p25[3U] = (uint64_t)0x76f988da831153b5U; + uint64_t *p16 = p24; + uint64_t *p26 = p24 + (uint32_t)4U; + p16[0U] = (uint64_t)0x983e5152ee66dfabU; + p16[1U] = (uint64_t)0xa831c66d2db43210U; + p16[2U] = (uint64_t)0xb00327c898fb213fU; + p16[3U] = (uint64_t)0xbf597fc7beef0ee4U; + p26[0U] = (uint64_t)0xc6e00bf33da88fc2U; + p26[1U] = (uint64_t)0xd5a79147930aa725U; + p26[2U] = (uint64_t)0x06ca6351e003826fU; + p26[3U] = (uint64_t)0x142929670a0e6e70U; + uint64_t *p17 = p3; + uint64_t *p27 = p3 + (uint32_t)8U; + uint64_t *p18 = p17; + uint64_t *p28 = p17 + (uint32_t)4U; + p18[0U] = (uint64_t)0x27b70a8546d22ffcU; + p18[1U] = (uint64_t)0x2e1b21385c26c926U; + p18[2U] = (uint64_t)0x4d2c6dfc5ac42aedU; + p18[3U] = (uint64_t)0x53380d139d95b3dfU; + p28[0U] = (uint64_t)0x650a73548baf63deU; + p28[1U] = (uint64_t)0x766a0abb3c77b2a8U; + p28[2U] = (uint64_t)0x81c2c92e47edaee6U; + p28[3U] = (uint64_t)0x92722c851482353bU; + uint64_t *p19 = p27; + uint64_t *p29 = p27 + (uint32_t)4U; + p19[0U] = (uint64_t)0xa2bfe8a14cf10364U; + p19[1U] = (uint64_t)0xa81a664bbc423001U; + p19[2U] = (uint64_t)0xc24b8b70d0f89791U; + p19[3U] = (uint64_t)0xc76c51a30654be30U; + p29[0U] = (uint64_t)0xd192e819d6ef5218U; + p29[1U] = (uint64_t)0xd69906245565a910U; + p29[2U] = (uint64_t)0xf40e35855771202aU; + p29[3U] = (uint64_t)0x106aa07032bbd1b8U; + uint64_t *p110 = p4; + uint64_t *p210 = p4 + (uint32_t)8U; + uint64_t *p111 = p110; + uint64_t *p211 = p110 + (uint32_t)4U; + p111[0U] = (uint64_t)0x19a4c116b8d2d0c8U; + p111[1U] = (uint64_t)0x1e376c085141ab53U; + p111[2U] = (uint64_t)0x2748774cdf8eeb99U; + p111[3U] = (uint64_t)0x34b0bcb5e19b48a8U; + p211[0U] = (uint64_t)0x391c0cb3c5c95a63U; + p211[1U] = (uint64_t)0x4ed8aa4ae3418acbU; + p211[2U] = (uint64_t)0x5b9cca4f7763e373U; + p211[3U] = (uint64_t)0x682e6ff3d6b2b8a3U; + uint64_t *p112 = p210; + uint64_t *p212 = p210 + (uint32_t)4U; + p112[0U] = (uint64_t)0x748f82ee5defb2fcU; + p112[1U] = (uint64_t)0x78a5636f43172f60U; + p112[2U] = (uint64_t)0x84c87814a1f0ab72U; + p112[3U] = (uint64_t)0x8cc702081a6439ecU; + p212[0U] = (uint64_t)0x90befffa23631e28U; + p212[1U] = (uint64_t)0xa4506cebde82bde9U; + p212[2U] = (uint64_t)0xbef9a3f7b2c67915U; + p212[3U] = (uint64_t)0xc67178f2e372532bU; + uint64_t *p113 = p5; + uint64_t *p213 = p5 + (uint32_t)8U; + uint64_t *p1 = p113; + uint64_t *p214 = p113 + (uint32_t)4U; + p1[0U] = (uint64_t)0xca273eceea26619cU; + p1[1U] = (uint64_t)0xd186b8c721c0c207U; + p1[2U] = (uint64_t)0xeada7dd6cde0eb1eU; + p1[3U] = (uint64_t)0xf57d4f7fee6ed178U; + p214[0U] = (uint64_t)0x06f067aa72176fbaU; + p214[1U] = (uint64_t)0x0a637dc5a2c898a6U; + p214[2U] = (uint64_t)0x113f9804bef90daeU; + p214[3U] = (uint64_t)0x1b710b35131c471bU; + uint64_t *p114 = p213; + uint64_t *p215 = p213 + (uint32_t)4U; + p114[0U] = (uint64_t)0x28db77f523047d84U; + p114[1U] = (uint64_t)0x32caab7b40c72493U; + p114[2U] = (uint64_t)0x3c9ebe0a15c9bebcU; + p114[3U] = (uint64_t)0x431d67c49c100d4cU; + p215[0U] = (uint64_t)0x4cc5d4becb3e42b6U; + p215[1U] = (uint64_t)0x597f299cfc657e2aU; + p215[2U] = (uint64_t)0x5fcb6fab3ad6faecU; + p215[3U] = (uint64_t)0x6c44198c4a475817U; + uint64_t *p115 = h_01; + uint64_t *p2 = h_01 + (uint32_t)4U; + p115[0U] = (uint64_t)0x6a09e667f3bcc908U; + p115[1U] = (uint64_t)0xbb67ae8584caa73bU; + p115[2U] = (uint64_t)0x3c6ef372fe94f82bU; + p115[3U] = (uint64_t)0xa54ff53a5f1d36f1U; + p2[0U] = (uint64_t)0x510e527fade682d1U; + p2[1U] = (uint64_t)0x9b05688c2b3e6c1fU; + p2[2U] = (uint64_t)0x1f83d9abfb41bd6bU; + p2[3U] = (uint64_t)0x5be0cd19137e2179U; + n1[0U] = (uint64_t)0U; +} + +static void Hacl_Impl_SHA2_512_update(uint64_t *state, uint8_t *data) +{ + KRML_CHECK_SIZE((uint64_t)(uint32_t)0U, (uint32_t)16U); + uint64_t data_w[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + data_w[_i] = (uint64_t)(uint32_t)0U; + Hacl_Hash_Lib_LoadStore_uint64s_from_be_bytes(data_w, data, (uint32_t)16U); + uint64_t *hash_w = state + (uint32_t)160U; + uint64_t *ws_w = state + (uint32_t)80U; + uint64_t *k_w = state; + uint64_t *counter_w = state + (uint32_t)168U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) + { + uint64_t b = data_w[i]; + ws_w[i] = b; + } + for (uint32_t i = (uint32_t)16U; i < (uint32_t)80U; i = i + (uint32_t)1U) + { + uint64_t t16 = ws_w[i - (uint32_t)16U]; + uint64_t t15 = ws_w[i - (uint32_t)15U]; + uint64_t t7 = ws_w[i - (uint32_t)7U]; + uint64_t t2 = ws_w[i - (uint32_t)2U]; + ws_w[i] = + ((t2 >> (uint32_t)19U | t2 << ((uint32_t)64U - (uint32_t)19U)) + ^ ((t2 >> (uint32_t)61U | t2 << ((uint32_t)64U - (uint32_t)61U)) ^ t2 >> (uint32_t)6U)) + + + t7 + + + ((t15 >> (uint32_t)1U | t15 << ((uint32_t)64U - (uint32_t)1U)) + ^ ((t15 >> (uint32_t)8U | t15 << ((uint32_t)64U - (uint32_t)8U)) ^ t15 >> (uint32_t)7U)) + + t16; + } + uint64_t hash_0[8U] = { 0U }; + memcpy(hash_0, hash_w, (uint32_t)8U * sizeof hash_w[0U]); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i = i + (uint32_t)1U) + { + uint64_t a = hash_0[0U]; + uint64_t b = hash_0[1U]; + uint64_t c = hash_0[2U]; + uint64_t d1 = hash_0[3U]; + uint64_t e = hash_0[4U]; + uint64_t f1 = hash_0[5U]; + uint64_t g1 = hash_0[6U]; + uint64_t h = hash_0[7U]; + uint64_t k_t = k_w[i]; + uint64_t ws_t = ws_w[i]; + uint64_t + t1 = + h + + + ((e >> (uint32_t)14U | e << ((uint32_t)64U - (uint32_t)14U)) + ^ + ((e >> (uint32_t)18U | e << ((uint32_t)64U - (uint32_t)18U)) + ^ (e >> (uint32_t)41U | e << ((uint32_t)64U - (uint32_t)41U)))) + + ((e & f1) ^ (~e & g1)) + + k_t + + ws_t; + uint64_t + t2 = + ((a >> (uint32_t)28U | a << ((uint32_t)64U - (uint32_t)28U)) + ^ + ((a >> (uint32_t)34U | a << ((uint32_t)64U - (uint32_t)34U)) + ^ (a >> (uint32_t)39U | a << ((uint32_t)64U - (uint32_t)39U)))) + + ((a & b) ^ ((a & c) ^ (b & c))); + uint64_t x1 = t1 + t2; + uint64_t x5 = d1 + t1; + uint64_t *p1 = hash_0; + uint64_t *p2 = hash_0 + (uint32_t)4U; + p1[0U] = x1; + p1[1U] = a; + p1[2U] = b; + p1[3U] = c; + p2[0U] = x5; + p2[1U] = e; + p2[2U] = f1; + p2[3U] = g1; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U) + { + uint64_t xi = hash_w[i]; + uint64_t yi = hash_0[i]; + hash_w[i] = xi + yi; + } + uint64_t c0 = counter_w[0U]; + uint64_t one1 = (uint64_t)(uint32_t)1U; + counter_w[0U] = c0 + one1; +} + +static void Hacl_Impl_SHA2_512_update_multi(uint64_t *state, uint8_t *data, uint32_t n1) +{ + for (uint32_t i = (uint32_t)0U; i < n1; i = i + (uint32_t)1U) + { + uint8_t *b = data + i * (uint32_t)128U; + Hacl_Impl_SHA2_512_update(state, b); + } +} + +static void Hacl_Impl_SHA2_512_update_last(uint64_t *state, uint8_t *data, uint64_t len1) +{ + uint8_t blocks[256U] = { 0U }; + uint32_t nb; + if (len1 < (uint64_t)112U) + nb = (uint32_t)1U; + else + nb = (uint32_t)2U; + uint8_t *final_blocks; + if (len1 < (uint64_t)112U) + final_blocks = blocks + (uint32_t)128U; + else + final_blocks = blocks; + memcpy(final_blocks, data, (uint32_t)len1 * sizeof data[0U]); + uint64_t n1 = state[168U]; + uint8_t *padding = final_blocks + (uint32_t)len1; + FStar_UInt128_t + encodedlen = + FStar_UInt128_shift_left(FStar_UInt128_add(FStar_UInt128_mul_wide(n1, (uint64_t)(uint32_t)128U), + FStar_UInt128_uint64_to_uint128(len1)), + (uint32_t)3U); + uint32_t + pad0len = ((uint32_t)256U - ((uint32_t)len1 + (uint32_t)16U + (uint32_t)1U)) % (uint32_t)128U; + uint8_t *buf1 = padding; + uint8_t *buf2 = padding + (uint32_t)1U + pad0len; + buf1[0U] = (uint8_t)0x80U; + store128_be(buf2, encodedlen); + Hacl_Impl_SHA2_512_update_multi(state, final_blocks, nb); +} + +static void Hacl_Impl_SHA2_512_finish(uint64_t *state, uint8_t *hash1) +{ + uint64_t *hash_w = state + (uint32_t)160U; + Hacl_Hash_Lib_LoadStore_uint64s_to_be_bytes(hash1, hash_w, (uint32_t)8U); +} + +static void Hacl_Impl_SHA2_512_hash(uint8_t *hash1, uint8_t *input, uint32_t len1) +{ + KRML_CHECK_SIZE((uint64_t)(uint32_t)0U, (uint32_t)169U); + uint64_t state[169U]; + for (uint32_t _i = 0U; _i < (uint32_t)169U; ++_i) + state[_i] = (uint64_t)(uint32_t)0U; + uint32_t n1 = len1 / (uint32_t)128U; + uint32_t r = len1 % (uint32_t)128U; + uint8_t *input_blocks = input; + uint8_t *input_last = input + n1 * (uint32_t)128U; + Hacl_Impl_SHA2_512_init(state); + Hacl_Impl_SHA2_512_update_multi(state, input_blocks, n1); + Hacl_Impl_SHA2_512_update_last(state, input_last, (uint64_t)r); + Hacl_Impl_SHA2_512_finish(state, hash1); +} + +static void Hacl_SHA2_512_hash(uint8_t *hash1, uint8_t *input, uint32_t len1) +{ + Hacl_Impl_SHA2_512_hash(hash1, input, len1); +} + +static void Hacl_Impl_Ed25519_SecretExpand_secret_expand(uint8_t *expanded, uint8_t *secret) +{ + Hacl_SHA2_512_hash(expanded, secret, (uint32_t)32U); + uint8_t *h_low = expanded; + uint8_t h_low0 = h_low[0U]; + uint8_t h_low31 = h_low[31U]; + h_low[0U] = h_low0 & (uint8_t)0xf8U; + h_low[31U] = (h_low31 & (uint8_t)127U) | (uint8_t)64U; +} + +static void Hacl_Impl_Ed25519_SecretToPublic_point_mul_g(uint64_t *result, uint8_t *scalar) +{ + uint64_t g1[20U] = { 0U }; + Hacl_Impl_Ed25519_G_make_g(g1); + Hacl_Impl_Ed25519_Ladder_point_mul(result, scalar, g1); +} + +static void +Hacl_Impl_Ed25519_SecretToPublic_secret_to_public_( + uint8_t *out, + uint8_t *secret, + uint8_t *expanded_secret +) +{ + uint8_t *a = expanded_secret; + uint64_t res[20U] = { 0U }; + Hacl_Impl_Ed25519_SecretToPublic_point_mul_g(res, a); + Hacl_Impl_Ed25519_PointCompress_point_compress(out, res); +} + +static void Hacl_Impl_Ed25519_SecretToPublic_secret_to_public(uint8_t *out, uint8_t *secret) +{ + uint8_t expanded[64U] = { 0U }; + Hacl_Impl_Ed25519_SecretExpand_secret_expand(expanded, secret); + Hacl_Impl_Ed25519_SecretToPublic_secret_to_public_(out, secret, expanded); +} + +static bool Hacl_Impl_Ed25519_PointEqual_gte_q(uint64_t *s) +{ + uint64_t s0 = s[0U]; + uint64_t s1 = s[1U]; + uint64_t s2 = s[2U]; + uint64_t s3 = s[3U]; + uint64_t s4 = s[4U]; + if (s4 > (uint64_t)0x00000010000000U) + return true; + else if (s4 < (uint64_t)0x00000010000000U) + return false; + else if (s3 > (uint64_t)0x00000000000000U) + return true; + else if (s2 > (uint64_t)0x000000000014deU) + return true; + else if (s2 < (uint64_t)0x000000000014deU) + return false; + else if (s1 > (uint64_t)0xf9dea2f79cd658U) + return true; + else if (s1 < (uint64_t)0xf9dea2f79cd658U) + return false; + else if (s0 >= (uint64_t)0x12631a5cf5d3edU) + return true; + else + return false; +} + +static bool Hacl_Impl_Ed25519_PointEqual_eq(uint64_t *a, uint64_t *b) +{ + uint64_t a0 = a[0U]; + uint64_t a1 = a[1U]; + uint64_t a2 = a[2U]; + uint64_t a3 = a[3U]; + uint64_t a4 = a[4U]; + uint64_t b0 = b[0U]; + uint64_t b1 = b[1U]; + uint64_t b2 = b[2U]; + uint64_t b3 = b[3U]; + uint64_t b4 = b[4U]; + bool z = a0 == b0 && a1 == b1 && a2 == b2 && a3 == b3 && a4 == b4; + return z; +} + +static bool +Hacl_Impl_Ed25519_PointEqual_point_equal_1(uint64_t *p, uint64_t *q1, uint64_t *tmp) +{ + uint64_t *pxqz = tmp; + uint64_t *qxpz = tmp + (uint32_t)5U; + Hacl_Bignum25519_fmul(pxqz, + Hacl_Impl_Ed25519_ExtPoint_getx(p), + Hacl_Impl_Ed25519_ExtPoint_getz(q1)); + Hacl_Bignum25519_reduce(pxqz); + Hacl_Bignum25519_fmul(qxpz, + Hacl_Impl_Ed25519_ExtPoint_getx(q1), + Hacl_Impl_Ed25519_ExtPoint_getz(p)); + Hacl_Bignum25519_reduce(qxpz); + bool b = Hacl_Impl_Ed25519_PointEqual_eq(pxqz, qxpz); + return b; +} + +static bool +Hacl_Impl_Ed25519_PointEqual_point_equal_2(uint64_t *p, uint64_t *q1, uint64_t *tmp) +{ + uint64_t *pyqz = tmp + (uint32_t)10U; + uint64_t *qypz = tmp + (uint32_t)15U; + Hacl_Bignum25519_fmul(pyqz, + Hacl_Impl_Ed25519_ExtPoint_gety(p), + Hacl_Impl_Ed25519_ExtPoint_getz(q1)); + Hacl_Bignum25519_reduce(pyqz); + Hacl_Bignum25519_fmul(qypz, + Hacl_Impl_Ed25519_ExtPoint_gety(q1), + Hacl_Impl_Ed25519_ExtPoint_getz(p)); + Hacl_Bignum25519_reduce(qypz); + bool b = Hacl_Impl_Ed25519_PointEqual_eq(pyqz, qypz); + return b; +} + +static bool Hacl_Impl_Ed25519_PointEqual_point_equal_(uint64_t *p, uint64_t *q1, uint64_t *tmp) +{ + bool b = Hacl_Impl_Ed25519_PointEqual_point_equal_1(p, q1, tmp); + if (b == true) + return Hacl_Impl_Ed25519_PointEqual_point_equal_2(p, q1, tmp); + else + return false; +} + +static bool Hacl_Impl_Ed25519_PointEqual_point_equal(uint64_t *p, uint64_t *q1) +{ + uint64_t tmp[20U] = { 0U }; + bool res = Hacl_Impl_Ed25519_PointEqual_point_equal_(p, q1, tmp); + return res; +} + +static void Hacl_Impl_Load56_load_64_bytes(uint64_t *out, uint8_t *b) +{ + uint8_t *b80 = b; + uint64_t z = load64_le(b80); + uint64_t z_ = z & (uint64_t)0xffffffffffffffU; + uint64_t b0 = z_; + uint8_t *b81 = b + (uint32_t)7U; + uint64_t z0 = load64_le(b81); + uint64_t z_0 = z0 & (uint64_t)0xffffffffffffffU; + uint64_t b1 = z_0; + uint8_t *b82 = b + (uint32_t)14U; + uint64_t z1 = load64_le(b82); + uint64_t z_1 = z1 & (uint64_t)0xffffffffffffffU; + uint64_t b2 = z_1; + uint8_t *b83 = b + (uint32_t)21U; + uint64_t z2 = load64_le(b83); + uint64_t z_2 = z2 & (uint64_t)0xffffffffffffffU; + uint64_t b3 = z_2; + uint8_t *b84 = b + (uint32_t)28U; + uint64_t z3 = load64_le(b84); + uint64_t z_3 = z3 & (uint64_t)0xffffffffffffffU; + uint64_t b4 = z_3; + uint8_t *b85 = b + (uint32_t)35U; + uint64_t z4 = load64_le(b85); + uint64_t z_4 = z4 & (uint64_t)0xffffffffffffffU; + uint64_t b5 = z_4; + uint8_t *b86 = b + (uint32_t)42U; + uint64_t z5 = load64_le(b86); + uint64_t z_5 = z5 & (uint64_t)0xffffffffffffffU; + uint64_t b6 = z_5; + uint8_t *b87 = b + (uint32_t)49U; + uint64_t z6 = load64_le(b87); + uint64_t z_6 = z6 & (uint64_t)0xffffffffffffffU; + uint64_t b7 = z_6; + uint8_t *b8 = b + (uint32_t)56U; + uint64_t z7 = load64_le(b8); + uint64_t z_7 = z7 & (uint64_t)0xffffffffffffffU; + uint64_t b88 = z_7; + uint8_t b63 = b[63U]; + uint64_t b9 = (uint64_t)b63; + Hacl_Lib_Create64_make_h64_10(out, b0, b1, b2, b3, b4, b5, b6, b7, b88, b9); +} + +static void Hacl_Impl_Load56_load_32_bytes(uint64_t *out, uint8_t *b) +{ + uint8_t *b80 = b; + uint64_t z = load64_le(b80); + uint64_t z_ = z & (uint64_t)0xffffffffffffffU; + uint64_t b0 = z_; + uint8_t *b81 = b + (uint32_t)7U; + uint64_t z0 = load64_le(b81); + uint64_t z_0 = z0 & (uint64_t)0xffffffffffffffU; + uint64_t b1 = z_0; + uint8_t *b82 = b + (uint32_t)14U; + uint64_t z1 = load64_le(b82); + uint64_t z_1 = z1 & (uint64_t)0xffffffffffffffU; + uint64_t b2 = z_1; + uint8_t *b8 = b + (uint32_t)21U; + uint64_t z2 = load64_le(b8); + uint64_t z_2 = z2 & (uint64_t)0xffffffffffffffU; + uint64_t b3 = z_2; + uint8_t *x0 = b + (uint32_t)28U; + uint32_t b4 = load32_le(x0); + uint64_t b41 = (uint64_t)b4; + Hacl_Lib_Create64_make_h64_5(out, b0, b1, b2, b3, b41); +} + +inline static void Hacl_Impl_Ed25519_Pow2_252m2_pow2_252m2(uint64_t *out, uint64_t *z) +{ + Hacl_Bignum_Crecip_crecip_(out, z); +} + +static bool Hacl_Impl_Ed25519_RecoverX_is_0(uint64_t *x) +{ + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + return + x0 + == (uint64_t)0U + && x1 == (uint64_t)0U + && x2 == (uint64_t)0U + && x3 == (uint64_t)0U + && x4 == (uint64_t)0U; +} + +static void +Hacl_Impl_Ed25519_RecoverX_recover_x_step_5(uint64_t *x, uint64_t sign1, uint64_t *tmp) +{ + uint64_t *x3 = tmp + (uint32_t)5U; + uint64_t *t0 = tmp + (uint32_t)10U; + uint64_t x0 = x3[0U]; + uint64_t x00 = x0 & (uint64_t)1U; + if (!(x00 == sign1)) + { + uint64_t zero1 = (uint64_t)0U; + Hacl_Lib_Create64_make_h64_5(t0, zero1, zero1, zero1, zero1, zero1); + Hacl_Bignum25519_fdifference(x3, t0); + Hacl_Bignum25519_reduce_513(x3); + Hacl_Bignum25519_reduce(x3); + } + memcpy(x, x3, (uint32_t)5U * sizeof x3[0U]); +} + +static bool +Hacl_Impl_Ed25519_RecoverX_recover_x_(uint64_t *x, uint64_t *y, uint64_t sign1, uint64_t *tmp) +{ + uint64_t *x20 = tmp; + uint64_t x0 = y[0U]; + uint64_t x1 = y[1U]; + uint64_t x2 = y[2U]; + uint64_t x30 = y[3U]; + uint64_t x4 = y[4U]; + bool + b = + x0 + >= (uint64_t)0x7ffffffffffedU + && x1 == (uint64_t)0x7ffffffffffffU + && x2 == (uint64_t)0x7ffffffffffffU + && x30 == (uint64_t)0x7ffffffffffffU + && x4 == (uint64_t)0x7ffffffffffffU; + if (b) + return false; + else + { + uint64_t tmp0[25U] = { 0U }; + uint64_t *one10 = tmp0; + uint64_t *y2 = tmp0 + (uint32_t)5U; + uint64_t *dyyi = tmp0 + (uint32_t)10U; + uint64_t *dyy = tmp0 + (uint32_t)15U; + uint64_t zero10 = (uint64_t)0U; + uint64_t one1 = (uint64_t)1U; + Hacl_Lib_Create64_make_h64_5(one10, one1, zero10, zero10, zero10, zero10); + Hacl_Bignum25519_fsquare(y2, y); + Hacl_Bignum25519_times_d(dyy, y2); + Hacl_Bignum25519_fsum(dyy, one10); + Hacl_Bignum25519_reduce_513(dyy); + Hacl_Bignum25519_inverse(dyyi, dyy); + Hacl_Bignum25519_fdifference(one10, y2); + Hacl_Bignum25519_fmul(x20, dyyi, one10); + Hacl_Bignum25519_reduce(x20); + bool x2_is_0 = Hacl_Impl_Ed25519_RecoverX_is_0(x20); + uint8_t z; + if (x2_is_0) + { + uint8_t ite; + if (sign1 == (uint64_t)0U) + { + uint64_t zero1 = (uint64_t)0U; + Hacl_Lib_Create64_make_h64_5(x, zero1, zero1, zero1, zero1, zero1); + ite = (uint8_t)1U; + } + else + ite = (uint8_t)0U; + z = ite; + } + else + z = (uint8_t)2U; + if (z == (uint8_t)0U) + return false; + else if (z == (uint8_t)1U) + return true; + else + { + uint64_t *x2 = tmp; + uint64_t *x30 = tmp + (uint32_t)5U; + uint64_t *t00 = tmp + (uint32_t)10U; + uint64_t *t10 = tmp + (uint32_t)15U; + Hacl_Impl_Ed25519_Pow2_252m2_pow2_252m2(x30, x2); + Hacl_Bignum25519_fsquare(t00, x30); + memcpy(t10, x2, (uint32_t)5U * sizeof x2[0U]); + Hacl_Bignum25519_fdifference(t10, t00); + Hacl_Bignum25519_reduce_513(t10); + Hacl_Bignum25519_reduce(t10); + bool t1_is_0 = Hacl_Impl_Ed25519_RecoverX_is_0(t10); + if (!t1_is_0) + { + uint64_t sqrt_m1[5U] = { 0U }; + Hacl_Lib_Create64_make_h64_5(sqrt_m1, + (uint64_t)0x00061b274a0ea0b0U, + (uint64_t)0x0000d5a5fc8f189dU, + (uint64_t)0x0007ef5e9cbd0c60U, + (uint64_t)0x00078595a6804c9eU, + (uint64_t)0x0002b8324804fc1dU); + Hacl_Bignum25519_fmul(x30, x30, sqrt_m1); + } + Hacl_Bignum25519_reduce(x30); + uint64_t *x20 = tmp; + uint64_t *x3 = tmp + (uint32_t)5U; + uint64_t *t0 = tmp + (uint32_t)10U; + uint64_t *t1 = tmp + (uint32_t)15U; + Hacl_Bignum25519_fsquare(t0, x3); + memcpy(t1, x20, (uint32_t)5U * sizeof x20[0U]); + Hacl_Bignum25519_fdifference(t1, t0); + Hacl_Bignum25519_reduce_513(t1); + Hacl_Bignum25519_reduce(t1); + bool z1 = Hacl_Impl_Ed25519_RecoverX_is_0(t1); + if (z1 == false) + return false; + else + { + Hacl_Impl_Ed25519_RecoverX_recover_x_step_5(x, sign1, tmp); + return true; + } + } + } +} + +static bool Hacl_Impl_Ed25519_RecoverX_recover_x(uint64_t *x, uint64_t *y, uint64_t sign1) +{ + uint64_t tmp[20U] = { 0U }; + bool res = Hacl_Impl_Ed25519_RecoverX_recover_x_(x, y, sign1, tmp); + return res; +} + +static void Hacl_Impl_Load51_load_51(uint64_t *output, uint8_t *input) +{ + Hacl_EC_Format_fexpand(output, input); +} + +static bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t *s) +{ + uint64_t tmp[10U] = { 0U }; + uint64_t *y0 = tmp; + uint64_t *x0 = tmp + (uint32_t)5U; + uint64_t *y = tmp; + uint64_t *x = tmp + (uint32_t)5U; + uint8_t s31 = s[31U]; + uint64_t sign1 = (uint64_t)(s31 >> (uint32_t)7U); + Hacl_Impl_Load51_load_51(y, s); + bool z = Hacl_Impl_Ed25519_RecoverX_recover_x(x, y, sign1); + bool z0 = z; + bool res; + if (z0 == false) + res = false; + else + { + uint64_t *outx = Hacl_Impl_Ed25519_ExtPoint_getx(out); + uint64_t *outy = Hacl_Impl_Ed25519_ExtPoint_gety(out); + uint64_t *outz = Hacl_Impl_Ed25519_ExtPoint_getz(out); + uint64_t *outt = Hacl_Impl_Ed25519_ExtPoint_gett(out); + memcpy(outx, x0, (uint32_t)5U * sizeof x0[0U]); + memcpy(outy, y0, (uint32_t)5U * sizeof y0[0U]); + uint64_t zero1 = (uint64_t)0U; + uint64_t one1 = (uint64_t)1U; + Hacl_Lib_Create64_make_h64_5(outz, one1, zero1, zero1, zero1, zero1); + Hacl_Bignum25519_fmul(outt, x0, y0); + res = true; + } + return res; +} + +static void Hacl_Impl_Store56_store_56(uint8_t *out, uint64_t *b) +{ + uint64_t b0 = b[0U]; + uint64_t b1 = b[1U]; + uint64_t b2 = b[2U]; + uint64_t b3 = b[3U]; + uint64_t b4 = b[4U]; + uint32_t b41 = (uint32_t)b4; + uint8_t *b8 = out; + store64_le(b8, b0); + uint8_t *b80 = out + (uint32_t)7U; + store64_le(b80, b1); + uint8_t *b81 = out + (uint32_t)14U; + store64_le(b81, b2); + uint8_t *b82 = out + (uint32_t)21U; + store64_le(b82, b3); + uint8_t *x0 = out + (uint32_t)28U; + store32_le(x0, b41); +} + +static void +Hacl_Impl_SHA512_Ed25519_2_hash_block_and_rest( + uint8_t *out, + uint8_t *block, + uint8_t *msg, + uint32_t len1 +) +{ + uint32_t nblocks = len1 >> (uint32_t)7U; + uint64_t rest = (uint64_t)(len1 & (uint32_t)127U); + uint64_t st[169U] = { 0U }; + Hacl_Impl_SHA2_512_init(st); + Hacl_Impl_SHA2_512_update(st, block); + Hacl_Impl_SHA2_512_update_multi(st, msg, nblocks); + Hacl_Impl_SHA2_512_update_last(st, msg + (uint32_t)128U * nblocks, rest); + Hacl_Impl_SHA2_512_finish(st, out); +} + +static void +Hacl_Impl_SHA512_Ed25519_1_copy_bytes(uint8_t *output, uint8_t *input, uint32_t len1) +{ + memcpy(output, input, len1 * sizeof input[0U]); +} + +static void +Hacl_Impl_SHA512_Ed25519_1_concat_2(uint8_t *out, uint8_t *pre, uint8_t *msg, uint32_t len1) +{ + Hacl_Impl_SHA512_Ed25519_1_copy_bytes(out, pre, (uint32_t)32U); + Hacl_Impl_SHA512_Ed25519_1_copy_bytes(out + (uint32_t)32U, msg, len1); +} + +static void +Hacl_Impl_SHA512_Ed25519_1_concat_3( + uint8_t *out, + uint8_t *pre, + uint8_t *pre2, + uint8_t *msg, + uint32_t len1 +) +{ + Hacl_Impl_SHA512_Ed25519_1_copy_bytes(out, pre, (uint32_t)32U); + Hacl_Impl_SHA512_Ed25519_1_copy_bytes(out + (uint32_t)32U, pre2, (uint32_t)32U); + Hacl_Impl_SHA512_Ed25519_1_copy_bytes(out + (uint32_t)64U, msg, len1); +} + +static void +Hacl_Impl_SHA512_Ed25519_1_sha512_pre_msg_1( + uint8_t *h, + uint8_t *prefix, + uint8_t *input, + uint32_t len1 +) +{ + uint8_t block[128U] = { 0U }; + uint8_t *block_ = block; + Hacl_Impl_SHA512_Ed25519_1_concat_2(block_, prefix, input, len1); + Hacl_Impl_SHA2_512_hash(h, block_, len1 + (uint32_t)32U); +} + +static void +Hacl_Impl_SHA512_Ed25519_1_sha512_pre_pre2_msg_1( + uint8_t *h, + uint8_t *prefix, + uint8_t *prefix2, + uint8_t *input, + uint32_t len1 +) +{ + uint8_t block[128U] = { 0U }; + uint8_t *block_ = block; + Hacl_Impl_SHA512_Ed25519_1_concat_3(block_, prefix, prefix2, input, len1); + Hacl_Impl_SHA2_512_hash(h, block_, len1 + (uint32_t)64U); +} + +static void +Hacl_Impl_SHA512_Ed25519_3_sha512_pre_msg_2( + uint8_t *h, + uint8_t *prefix, + uint8_t *input, + uint32_t len1 +) +{ + uint8_t *input11 = input; + uint8_t *input21 = input + (uint32_t)96U; + uint8_t block[128U] = { 0U }; + Hacl_Impl_SHA512_Ed25519_1_concat_2(block, prefix, input11, (uint32_t)96U); + Hacl_Impl_SHA512_Ed25519_2_hash_block_and_rest(h, block, input21, len1 - (uint32_t)96U); +} + +static void +Hacl_Impl_SHA512_Ed25519_3_sha512_pre_msg( + uint8_t *h, + uint8_t *prefix, + uint8_t *input, + uint32_t len1 +) +{ + if (len1 <= (uint32_t)96U) + Hacl_Impl_SHA512_Ed25519_1_sha512_pre_msg_1(h, prefix, input, len1); + else + Hacl_Impl_SHA512_Ed25519_3_sha512_pre_msg_2(h, prefix, input, len1); +} + +static void +Hacl_Impl_SHA512_Ed25519_3_sha512_pre_pre2_msg_2( + uint8_t *h, + uint8_t *prefix, + uint8_t *prefix2, + uint8_t *input, + uint32_t len1 +) +{ + uint8_t *input11 = input; + uint8_t *input21 = input + (uint32_t)64U; + uint8_t block[128U] = { 0U }; + Hacl_Impl_SHA512_Ed25519_1_concat_3(block, prefix, prefix2, input11, (uint32_t)64U); + Hacl_Impl_SHA512_Ed25519_2_hash_block_and_rest(h, block, input21, len1 - (uint32_t)64U); +} + +static void +Hacl_Impl_SHA512_Ed25519_3_sha512_pre_pre2_msg( + uint8_t *h, + uint8_t *prefix, + uint8_t *prefix2, + uint8_t *input, + uint32_t len1 +) +{ + if (len1 <= (uint32_t)64U) + Hacl_Impl_SHA512_Ed25519_1_sha512_pre_pre2_msg_1(h, prefix, prefix2, input, len1); + else + Hacl_Impl_SHA512_Ed25519_3_sha512_pre_pre2_msg_2(h, prefix, prefix2, input, len1); +} + +static void +Hacl_Impl_SHA512_Ed25519_sha512_pre_msg( + uint8_t *h, + uint8_t *prefix, + uint8_t *input, + uint32_t len1 +) +{ + Hacl_Impl_SHA512_Ed25519_3_sha512_pre_msg(h, prefix, input, len1); +} + +static void +Hacl_Impl_SHA512_Ed25519_sha512_pre_pre2_msg( + uint8_t *h, + uint8_t *prefix, + uint8_t *prefix2, + uint8_t *input, + uint32_t len1 +) +{ + Hacl_Impl_SHA512_Ed25519_3_sha512_pre_pre2_msg(h, prefix, prefix2, input, len1); +} + +static void +Hacl_Impl_Sha512_sha512_pre_msg(uint8_t *h, uint8_t *prefix, uint8_t *input, uint32_t len1) +{ + Hacl_Impl_SHA512_Ed25519_sha512_pre_msg(h, prefix, input, len1); +} + +static void +Hacl_Impl_Sha512_sha512_pre_pre2_msg( + uint8_t *h, + uint8_t *prefix, + uint8_t *prefix2, + uint8_t *input, + uint32_t len1 +) +{ + Hacl_Impl_SHA512_Ed25519_sha512_pre_pre2_msg(h, prefix, prefix2, input, len1); +} + +static void +Hacl_Lib_Create128_make_h128_9( + FStar_UInt128_t *b, + FStar_UInt128_t s0, + FStar_UInt128_t s1, + FStar_UInt128_t s2, + FStar_UInt128_t s3, + FStar_UInt128_t s4, + FStar_UInt128_t s5, + FStar_UInt128_t s6, + FStar_UInt128_t s7, + FStar_UInt128_t s8 +) +{ + b[0U] = s0; + b[1U] = s1; + b[2U] = s2; + b[3U] = s3; + b[4U] = s4; + b[5U] = s5; + b[6U] = s6; + b[7U] = s7; + b[8U] = s8; +} + +static void Hacl_Impl_BignumQ_Mul_make_m(uint64_t *m1) +{ + Hacl_Lib_Create64_make_h64_5(m1, + (uint64_t)0x12631a5cf5d3edU, + (uint64_t)0xf9dea2f79cd658U, + (uint64_t)0x000000000014deU, + (uint64_t)0x00000000000000U, + (uint64_t)0x00000010000000U); +} + +static void Hacl_Impl_BignumQ_Mul_make_mu(uint64_t *m1) +{ + Hacl_Lib_Create64_make_h64_5(m1, + (uint64_t)0x9ce5a30a2c131bU, + (uint64_t)0x215d086329a7edU, + (uint64_t)0xffffffffeb2106U, + (uint64_t)0xffffffffffffffU, + (uint64_t)0x00000fffffffffU); +} + +static void Hacl_Impl_BignumQ_Mul_choose(uint64_t *z, uint64_t *x, uint64_t *y, uint64_t b) +{ + uint64_t mask = b - (uint64_t)1U; + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + uint64_t z0 = ((y0 ^ x0) & mask) ^ x0; + uint64_t z1 = ((y1 ^ x1) & mask) ^ x1; + uint64_t z2 = ((y2 ^ x2) & mask) ^ x2; + uint64_t z3 = ((y3 ^ x3) & mask) ^ x3; + uint64_t z4 = ((y4 ^ x4) & mask) ^ x4; + Hacl_Lib_Create64_make_h64_5(z, z0, z1, z2, z3, z4); +} + +static uint64_t Hacl_Impl_BignumQ_Mul_lt(uint64_t a, uint64_t b) +{ + return (a - b) >> (uint32_t)63U; +} + +static uint64_t Hacl_Impl_BignumQ_Mul_shiftl_56(uint64_t b) +{ + return b << (uint32_t)56U; +} + +static void Hacl_Impl_BignumQ_Mul_sub_mod_264(uint64_t *z, uint64_t *x, uint64_t *y) +{ + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + uint64_t b = Hacl_Impl_BignumQ_Mul_lt(x0, y0); + uint64_t t0 = Hacl_Impl_BignumQ_Mul_shiftl_56(b) + x0 - y0; + uint64_t y11 = y1 + b; + uint64_t b1 = Hacl_Impl_BignumQ_Mul_lt(x1, y11); + uint64_t t1 = Hacl_Impl_BignumQ_Mul_shiftl_56(b1) + x1 - y11; + uint64_t y21 = y2 + b1; + uint64_t b2 = Hacl_Impl_BignumQ_Mul_lt(x2, y21); + uint64_t t2 = Hacl_Impl_BignumQ_Mul_shiftl_56(b2) + x2 - y21; + uint64_t y31 = y3 + b2; + uint64_t b3 = Hacl_Impl_BignumQ_Mul_lt(x3, y31); + uint64_t t3 = Hacl_Impl_BignumQ_Mul_shiftl_56(b3) + x3 - y31; + uint64_t y41 = y4 + b3; + uint64_t b4 = Hacl_Impl_BignumQ_Mul_lt(x4, y41); + uint64_t t4 = (b4 << (uint32_t)40U) + x4 - y41; + Hacl_Lib_Create64_make_h64_5(z, t0, t1, t2, t3, t4); +} + +static void Hacl_Impl_BignumQ_Mul_subm_conditional(uint64_t *z, uint64_t *x) +{ + uint64_t tmp[5U] = { 0U }; + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + Hacl_Lib_Create64_make_h64_5(tmp, x0, x1, x2, x3, x4); + uint64_t y0 = (uint64_t)0x12631a5cf5d3edU; + uint64_t y1 = (uint64_t)0xf9dea2f79cd658U; + uint64_t y2 = (uint64_t)0x000000000014deU; + uint64_t y3 = (uint64_t)0x00000000000000U; + uint64_t y4 = (uint64_t)0x00000010000000U; + uint64_t b = Hacl_Impl_BignumQ_Mul_lt(x0, y0); + uint64_t t0 = Hacl_Impl_BignumQ_Mul_shiftl_56(b) + x0 - y0; + uint64_t y11 = y1 + b; + uint64_t b1 = Hacl_Impl_BignumQ_Mul_lt(x1, y11); + uint64_t t1 = Hacl_Impl_BignumQ_Mul_shiftl_56(b1) + x1 - y11; + uint64_t y21 = y2 + b1; + uint64_t b2 = Hacl_Impl_BignumQ_Mul_lt(x2, y21); + uint64_t t2 = Hacl_Impl_BignumQ_Mul_shiftl_56(b2) + x2 - y21; + uint64_t y31 = y3 + b2; + uint64_t b3 = Hacl_Impl_BignumQ_Mul_lt(x3, y31); + uint64_t t3 = Hacl_Impl_BignumQ_Mul_shiftl_56(b3) + x3 - y31; + uint64_t y41 = y4 + b3; + uint64_t b4 = Hacl_Impl_BignumQ_Mul_lt(x4, y41); + uint64_t t4 = Hacl_Impl_BignumQ_Mul_shiftl_56(b4) + x4 - y41; + Hacl_Lib_Create64_make_h64_5(z, t0, t1, t2, t3, t4); + Hacl_Impl_BignumQ_Mul_choose(z, tmp, z, b4); +} + +static void Hacl_Impl_BignumQ_Mul_low_mul_5(uint64_t *z, uint64_t *x, uint64_t *y) +{ + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + FStar_UInt128_t xy00 = FStar_UInt128_mul_wide(x0, y0); + FStar_UInt128_t xy01 = FStar_UInt128_mul_wide(x0, y1); + FStar_UInt128_t xy02 = FStar_UInt128_mul_wide(x0, y2); + FStar_UInt128_t xy03 = FStar_UInt128_mul_wide(x0, y3); + FStar_UInt128_t xy04 = FStar_UInt128_mul_wide(x0, y4); + FStar_UInt128_t xy10 = FStar_UInt128_mul_wide(x1, y0); + FStar_UInt128_t xy11 = FStar_UInt128_mul_wide(x1, y1); + FStar_UInt128_t xy12 = FStar_UInt128_mul_wide(x1, y2); + FStar_UInt128_t xy13 = FStar_UInt128_mul_wide(x1, y3); + FStar_UInt128_t xy20 = FStar_UInt128_mul_wide(x2, y0); + FStar_UInt128_t xy21 = FStar_UInt128_mul_wide(x2, y1); + FStar_UInt128_t xy22 = FStar_UInt128_mul_wide(x2, y2); + FStar_UInt128_t xy30 = FStar_UInt128_mul_wide(x3, y0); + FStar_UInt128_t xy31 = FStar_UInt128_mul_wide(x3, y1); + FStar_UInt128_t xy40 = FStar_UInt128_mul_wide(x4, y0); + FStar_UInt128_t x5 = xy00; + FStar_UInt128_t carry1 = FStar_UInt128_shift_right(x5, (uint32_t)56U); + uint64_t t = FStar_UInt128_uint128_to_uint64(x5) & (uint64_t)0xffffffffffffffU; + uint64_t t0 = t; + FStar_UInt128_t x6 = FStar_UInt128_add(FStar_UInt128_add(xy01, xy10), carry1); + FStar_UInt128_t carry2 = FStar_UInt128_shift_right(x6, (uint32_t)56U); + uint64_t t1 = FStar_UInt128_uint128_to_uint64(x6) & (uint64_t)0xffffffffffffffU; + uint64_t t11 = t1; + FStar_UInt128_t + x7 = FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_add(xy02, xy11), xy20), carry2); + FStar_UInt128_t carry3 = FStar_UInt128_shift_right(x7, (uint32_t)56U); + uint64_t t2 = FStar_UInt128_uint128_to_uint64(x7) & (uint64_t)0xffffffffffffffU; + uint64_t t21 = t2; + FStar_UInt128_t + x8 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_add(xy03, xy12), xy21), + xy30), + carry3); + FStar_UInt128_t carry4 = FStar_UInt128_shift_right(x8, (uint32_t)56U); + uint64_t t3 = FStar_UInt128_uint128_to_uint64(x8) & (uint64_t)0xffffffffffffffU; + uint64_t t31 = t3; + uint64_t + t4 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_add(xy04, + xy13), + xy22), + xy31), + xy40), + carry4)) + & (uint64_t)0xffffffffffU; + Hacl_Lib_Create64_make_h64_5(z, t0, t11, t21, t31, t4); +} + +static void Hacl_Impl_BignumQ_Mul_mul_5(FStar_UInt128_t *z, uint64_t *x, uint64_t *y) +{ + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + FStar_UInt128_t xy00 = FStar_UInt128_mul_wide(x0, y0); + FStar_UInt128_t xy01 = FStar_UInt128_mul_wide(x0, y1); + FStar_UInt128_t xy02 = FStar_UInt128_mul_wide(x0, y2); + FStar_UInt128_t xy03 = FStar_UInt128_mul_wide(x0, y3); + FStar_UInt128_t xy04 = FStar_UInt128_mul_wide(x0, y4); + FStar_UInt128_t xy10 = FStar_UInt128_mul_wide(x1, y0); + FStar_UInt128_t xy11 = FStar_UInt128_mul_wide(x1, y1); + FStar_UInt128_t xy12 = FStar_UInt128_mul_wide(x1, y2); + FStar_UInt128_t xy13 = FStar_UInt128_mul_wide(x1, y3); + FStar_UInt128_t xy14 = FStar_UInt128_mul_wide(x1, y4); + FStar_UInt128_t xy20 = FStar_UInt128_mul_wide(x2, y0); + FStar_UInt128_t xy21 = FStar_UInt128_mul_wide(x2, y1); + FStar_UInt128_t xy22 = FStar_UInt128_mul_wide(x2, y2); + FStar_UInt128_t xy23 = FStar_UInt128_mul_wide(x2, y3); + FStar_UInt128_t xy24 = FStar_UInt128_mul_wide(x2, y4); + FStar_UInt128_t xy30 = FStar_UInt128_mul_wide(x3, y0); + FStar_UInt128_t xy31 = FStar_UInt128_mul_wide(x3, y1); + FStar_UInt128_t xy32 = FStar_UInt128_mul_wide(x3, y2); + FStar_UInt128_t xy33 = FStar_UInt128_mul_wide(x3, y3); + FStar_UInt128_t xy34 = FStar_UInt128_mul_wide(x3, y4); + FStar_UInt128_t xy40 = FStar_UInt128_mul_wide(x4, y0); + FStar_UInt128_t xy41 = FStar_UInt128_mul_wide(x4, y1); + FStar_UInt128_t xy42 = FStar_UInt128_mul_wide(x4, y2); + FStar_UInt128_t xy43 = FStar_UInt128_mul_wide(x4, y3); + FStar_UInt128_t xy44 = FStar_UInt128_mul_wide(x4, y4); + FStar_UInt128_t z0 = xy00; + FStar_UInt128_t z1 = FStar_UInt128_add(xy01, xy10); + FStar_UInt128_t z2 = FStar_UInt128_add(FStar_UInt128_add(xy02, xy11), xy20); + FStar_UInt128_t + z3 = FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_add(xy03, xy12), xy21), xy30); + FStar_UInt128_t + z4 = + FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_add(xy04, xy13), xy22), + xy31), + xy40); + FStar_UInt128_t + z5 = FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_add(xy14, xy23), xy32), xy41); + FStar_UInt128_t z6 = FStar_UInt128_add(FStar_UInt128_add(xy24, xy33), xy42); + FStar_UInt128_t z7 = FStar_UInt128_add(xy34, xy43); + FStar_UInt128_t z8 = xy44; + Hacl_Lib_Create128_make_h128_9(z, z0, z1, z2, z3, z4, z5, z6, z7, z8); +} + +static void Hacl_Impl_BignumQ_Mul_carry(uint64_t *out, FStar_UInt128_t *z) +{ + FStar_UInt128_t z0 = z[0U]; + FStar_UInt128_t z1 = z[1U]; + FStar_UInt128_t z2 = z[2U]; + FStar_UInt128_t z3 = z[3U]; + FStar_UInt128_t z4 = z[4U]; + FStar_UInt128_t z5 = z[5U]; + FStar_UInt128_t z6 = z[6U]; + FStar_UInt128_t z7 = z[7U]; + FStar_UInt128_t z8 = z[8U]; + FStar_UInt128_t x = z0; + FStar_UInt128_t y = z1; + FStar_UInt128_t carry1 = FStar_UInt128_shift_right(x, (uint32_t)56U); + uint64_t t = FStar_UInt128_uint128_to_uint64(x) & (uint64_t)0xffffffffffffffU; + uint64_t x0 = t; + FStar_UInt128_t z1_ = FStar_UInt128_add(y, carry1); + FStar_UInt128_t x1 = z1_; + FStar_UInt128_t y1 = z2; + FStar_UInt128_t carry2 = FStar_UInt128_shift_right(x1, (uint32_t)56U); + uint64_t t1 = FStar_UInt128_uint128_to_uint64(x1) & (uint64_t)0xffffffffffffffU; + uint64_t x11 = t1; + FStar_UInt128_t z2_ = FStar_UInt128_add(y1, carry2); + FStar_UInt128_t x2 = z2_; + FStar_UInt128_t y2 = z3; + FStar_UInt128_t carry3 = FStar_UInt128_shift_right(x2, (uint32_t)56U); + uint64_t t2 = FStar_UInt128_uint128_to_uint64(x2) & (uint64_t)0xffffffffffffffU; + uint64_t x21 = t2; + FStar_UInt128_t z3_ = FStar_UInt128_add(y2, carry3); + FStar_UInt128_t x3 = z3_; + FStar_UInt128_t y3 = z4; + FStar_UInt128_t carry4 = FStar_UInt128_shift_right(x3, (uint32_t)56U); + uint64_t t3 = FStar_UInt128_uint128_to_uint64(x3) & (uint64_t)0xffffffffffffffU; + uint64_t x31 = t3; + FStar_UInt128_t z4_ = FStar_UInt128_add(y3, carry4); + FStar_UInt128_t x4 = z4_; + FStar_UInt128_t y4 = z5; + FStar_UInt128_t carry5 = FStar_UInt128_shift_right(x4, (uint32_t)56U); + uint64_t t4 = FStar_UInt128_uint128_to_uint64(x4) & (uint64_t)0xffffffffffffffU; + uint64_t x41 = t4; + FStar_UInt128_t z5_ = FStar_UInt128_add(y4, carry5); + FStar_UInt128_t x5 = z5_; + FStar_UInt128_t y5 = z6; + FStar_UInt128_t carry6 = FStar_UInt128_shift_right(x5, (uint32_t)56U); + uint64_t t5 = FStar_UInt128_uint128_to_uint64(x5) & (uint64_t)0xffffffffffffffU; + uint64_t x51 = t5; + FStar_UInt128_t z6_ = FStar_UInt128_add(y5, carry6); + FStar_UInt128_t x6 = z6_; + FStar_UInt128_t y6 = z7; + FStar_UInt128_t carry7 = FStar_UInt128_shift_right(x6, (uint32_t)56U); + uint64_t t6 = FStar_UInt128_uint128_to_uint64(x6) & (uint64_t)0xffffffffffffffU; + uint64_t x61 = t6; + FStar_UInt128_t z7_ = FStar_UInt128_add(y6, carry7); + FStar_UInt128_t x7 = z7_; + FStar_UInt128_t y7 = z8; + FStar_UInt128_t carry8 = FStar_UInt128_shift_right(x7, (uint32_t)56U); + uint64_t t7 = FStar_UInt128_uint128_to_uint64(x7) & (uint64_t)0xffffffffffffffU; + uint64_t x71 = t7; + FStar_UInt128_t z8_ = FStar_UInt128_add(y7, carry8); + FStar_UInt128_t x8 = z8_; + FStar_UInt128_t y8 = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + FStar_UInt128_t carry9 = FStar_UInt128_shift_right(x8, (uint32_t)56U); + uint64_t t8 = FStar_UInt128_uint128_to_uint64(x8) & (uint64_t)0xffffffffffffffU; + uint64_t x81 = t8; + FStar_UInt128_t z9_ = FStar_UInt128_add(y8, carry9); + uint64_t x9 = FStar_UInt128_uint128_to_uint64(z9_); + Hacl_Lib_Create64_make_h64_10(out, x0, x11, x21, x31, x41, x51, x61, x71, x81, x9); +} + +static void Hacl_Impl_BignumQ_Mul_mod_264(uint64_t *r, uint64_t *t) +{ + uint64_t x0 = t[0U]; + uint64_t x1 = t[1U]; + uint64_t x2 = t[2U]; + uint64_t x3 = t[3U]; + uint64_t x4 = t[4U]; + uint64_t x4_ = x4 & (uint64_t)0xffffffffffU; + Hacl_Lib_Create64_make_h64_5(r, x0, x1, x2, x3, x4_); +} + +static void Hacl_Impl_BignumQ_Mul_div_248(uint64_t *out, uint64_t *t) +{ + uint64_t x4 = t[4U]; + uint64_t x5 = t[5U]; + uint64_t x6 = t[6U]; + uint64_t x7 = t[7U]; + uint64_t x8 = t[8U]; + uint64_t x9 = t[9U]; + uint64_t z0 = (x5 & (uint64_t)0xffffffU) << (uint32_t)32U | x4 >> (uint32_t)24U; + uint64_t z1 = (x6 & (uint64_t)0xffffffU) << (uint32_t)32U | x5 >> (uint32_t)24U; + uint64_t z2 = (x7 & (uint64_t)0xffffffU) << (uint32_t)32U | x6 >> (uint32_t)24U; + uint64_t z3 = (x8 & (uint64_t)0xffffffU) << (uint32_t)32U | x7 >> (uint32_t)24U; + uint64_t z4 = (x9 & (uint64_t)0xffffffU) << (uint32_t)32U | x8 >> (uint32_t)24U; + Hacl_Lib_Create64_make_h64_5(out, z0, z1, z2, z3, z4); +} + +static void Hacl_Impl_BignumQ_Mul_div_264(uint64_t *out, uint64_t *t) +{ + uint64_t x4 = t[4U]; + uint64_t x5 = t[5U]; + uint64_t x6 = t[6U]; + uint64_t x7 = t[7U]; + uint64_t x8 = t[8U]; + uint64_t x9 = t[9U]; + uint64_t z0 = (x5 & (uint64_t)0xffffffffffU) << (uint32_t)16U | x4 >> (uint32_t)40U; + uint64_t z1 = (x6 & (uint64_t)0xffffffffffU) << (uint32_t)16U | x5 >> (uint32_t)40U; + uint64_t z2 = (x7 & (uint64_t)0xffffffffffU) << (uint32_t)16U | x6 >> (uint32_t)40U; + uint64_t z3 = (x8 & (uint64_t)0xffffffffffU) << (uint32_t)16U | x7 >> (uint32_t)40U; + uint64_t z4 = (x9 & (uint64_t)0xffffffffffU) << (uint32_t)16U | x8 >> (uint32_t)40U; + Hacl_Lib_Create64_make_h64_5(out, z0, z1, z2, z3, z4); +} + +static void +Hacl_Impl_BignumQ_Mul_barrett_reduction__1( + FStar_UInt128_t *qmu, + uint64_t *t, + uint64_t *mu1, + uint64_t *tmp +) +{ + uint64_t *q1 = tmp; + uint64_t *qmu_ = tmp + (uint32_t)10U; + uint64_t *qmu_264 = tmp + (uint32_t)20U; + Hacl_Impl_BignumQ_Mul_div_248(q1, t); + Hacl_Impl_BignumQ_Mul_mul_5(qmu, q1, mu1); + Hacl_Impl_BignumQ_Mul_carry(qmu_, qmu); + Hacl_Impl_BignumQ_Mul_div_264(qmu_264, qmu_); +} + +static void +Hacl_Impl_BignumQ_Mul_barrett_reduction__2(uint64_t *t, uint64_t *m1, uint64_t *tmp) +{ + uint64_t *qmul = tmp; + uint64_t *r = tmp + (uint32_t)5U; + uint64_t *qmu_264 = tmp + (uint32_t)20U; + uint64_t *s = tmp + (uint32_t)25U; + Hacl_Impl_BignumQ_Mul_mod_264(r, t); + Hacl_Impl_BignumQ_Mul_low_mul_5(qmul, qmu_264, m1); + Hacl_Impl_BignumQ_Mul_sub_mod_264(s, r, qmul); +} + +static void +Hacl_Impl_BignumQ_Mul_barrett_reduction__( + uint64_t *z, + uint64_t *t, + uint64_t *m1, + uint64_t *mu1, + uint64_t *tmp +) +{ + uint64_t *s = tmp + (uint32_t)25U; + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)9U); + FStar_UInt128_t qmu[9U]; + for (uint32_t _i = 0U; _i < (uint32_t)9U; ++_i) + qmu[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Impl_BignumQ_Mul_barrett_reduction__1(qmu, t, mu1, tmp); + Hacl_Impl_BignumQ_Mul_barrett_reduction__2(t, m1, tmp); + Hacl_Impl_BignumQ_Mul_subm_conditional(z, s); +} + +static void Hacl_Impl_BignumQ_Mul_barrett_reduction_(uint64_t *z, uint64_t *t) +{ + uint64_t tmp[40U] = { 0U }; + uint64_t *m1 = tmp; + uint64_t *mu1 = tmp + (uint32_t)5U; + uint64_t *tmp1 = tmp + (uint32_t)10U; + Hacl_Impl_BignumQ_Mul_make_m(m1); + Hacl_Impl_BignumQ_Mul_make_mu(mu1); + Hacl_Impl_BignumQ_Mul_barrett_reduction__(z, t, m1, mu1, tmp1); +} + +static void Hacl_Impl_BignumQ_Mul_barrett_reduction(uint64_t *z, uint64_t *t) +{ + Hacl_Impl_BignumQ_Mul_barrett_reduction_(z, t); +} + +static void Hacl_Impl_BignumQ_Mul_mul_modq(uint64_t *out, uint64_t *x, uint64_t *y) +{ + uint64_t z_[10U] = { 0U }; + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)9U); + FStar_UInt128_t z[9U]; + for (uint32_t _i = 0U; _i < (uint32_t)9U; ++_i) + z[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Impl_BignumQ_Mul_mul_5(z, x, y); + Hacl_Impl_BignumQ_Mul_carry(z_, z); + Hacl_Impl_BignumQ_Mul_barrett_reduction_(out, z_); +} + +static void Hacl_Impl_BignumQ_Mul_add_modq_(uint64_t *out, uint64_t *x, uint64_t *y) +{ + uint64_t tmp[5U] = { 0U }; + uint64_t x0 = x[0U]; + uint64_t x1 = x[1U]; + uint64_t x2 = x[2U]; + uint64_t x3 = x[3U]; + uint64_t x4 = x[4U]; + uint64_t y0 = y[0U]; + uint64_t y1 = y[1U]; + uint64_t y2 = y[2U]; + uint64_t y3 = y[3U]; + uint64_t y4 = y[4U]; + uint64_t z0 = x0 + y0; + uint64_t z1 = x1 + y1; + uint64_t z2 = x2 + y2; + uint64_t z3 = x3 + y3; + uint64_t z4 = x4 + y4; + uint64_t x5 = z0; + uint64_t y5 = z1; + uint64_t carry1 = x5 >> (uint32_t)56U; + uint64_t t = x5 & (uint64_t)0xffffffffffffffU; + uint64_t x01 = t; + uint64_t z1_ = y5 + carry1; + uint64_t x6 = z1_; + uint64_t y6 = z2; + uint64_t carry2 = x6 >> (uint32_t)56U; + uint64_t t1 = x6 & (uint64_t)0xffffffffffffffU; + uint64_t x11 = t1; + uint64_t z2_ = y6 + carry2; + uint64_t x7 = z2_; + uint64_t y7 = z3; + uint64_t carry3 = x7 >> (uint32_t)56U; + uint64_t t2 = x7 & (uint64_t)0xffffffffffffffU; + uint64_t x21 = t2; + uint64_t z3_ = y7 + carry3; + uint64_t x8 = z3_; + uint64_t y8 = z4; + uint64_t carry4 = x8 >> (uint32_t)56U; + uint64_t t3 = x8 & (uint64_t)0xffffffffffffffU; + uint64_t x31 = t3; + uint64_t x41 = y8 + carry4; + Hacl_Lib_Create64_make_h64_5(tmp, x01, x11, x21, x31, x41); + Hacl_Impl_BignumQ_Mul_subm_conditional(out, tmp); +} + +static void Hacl_Impl_BignumQ_Mul_add_modq(uint64_t *out, uint64_t *x, uint64_t *y) +{ + Hacl_Impl_BignumQ_Mul_add_modq_(out, x, y); +} + +static void +Hacl_Impl_SHA512_ModQ_sha512_modq_pre_( + uint64_t *out, + uint8_t *prefix, + uint8_t *input, + uint32_t len1, + uint64_t *tmp +) +{ + uint8_t hash1[64U] = { 0U }; + Hacl_Impl_Sha512_sha512_pre_msg(hash1, prefix, input, len1); + Hacl_Impl_Load56_load_64_bytes(tmp, hash1); + Hacl_Impl_BignumQ_Mul_barrett_reduction(out, tmp); +} + +static void +Hacl_Impl_SHA512_ModQ_sha512_modq_pre( + uint64_t *out, + uint8_t *prefix, + uint8_t *input, + uint32_t len1 +) +{ + uint64_t tmp[10U] = { 0U }; + Hacl_Impl_SHA512_ModQ_sha512_modq_pre_(out, prefix, input, len1, tmp); +} + +static void +Hacl_Impl_SHA512_ModQ_sha512_modq_pre_pre2_( + uint64_t *out, + uint8_t *prefix, + uint8_t *prefix2, + uint8_t *input, + uint32_t len1, + uint64_t *tmp +) +{ + uint8_t hash1[64U] = { 0U }; + Hacl_Impl_Sha512_sha512_pre_pre2_msg(hash1, prefix, prefix2, input, len1); + Hacl_Impl_Load56_load_64_bytes(tmp, hash1); + Hacl_Impl_BignumQ_Mul_barrett_reduction(out, tmp); +} + +static void +Hacl_Impl_SHA512_ModQ_sha512_modq_pre_pre2( + uint64_t *out, + uint8_t *prefix, + uint8_t *prefix2, + uint8_t *input, + uint32_t len1 +) +{ + uint64_t tmp[10U] = { 0U }; + Hacl_Impl_SHA512_ModQ_sha512_modq_pre_pre2_(out, prefix, prefix2, input, len1, tmp); +} + +static bool Hacl_Impl_Ed25519_Verify_Steps_verify_step_1(uint64_t *r_, uint8_t *signature) +{ + uint8_t *rs = signature; + bool b_ = Hacl_Impl_Ed25519_PointDecompress_point_decompress(r_, rs); + return b_; +} + +static void +Hacl_Impl_Ed25519_Verify_Steps_verify_step_2( + uint8_t *r, + uint8_t *msg, + uint32_t len1, + uint8_t *rs, + uint8_t *public +) +{ + uint64_t r_[5U] = { 0U }; + Hacl_Impl_SHA512_ModQ_sha512_modq_pre_pre2(r_, rs, public, msg, len1); + Hacl_Impl_Store56_store_56(r, r_); +} + +static void Hacl_Impl_Ed25519_Verify_Steps_point_mul_g(uint64_t *result, uint8_t *scalar) +{ + uint64_t g1[20U] = { 0U }; + Hacl_Impl_Ed25519_G_make_g(g1); + Hacl_Impl_Ed25519_Ladder_point_mul(result, scalar, g1); +} + +static bool +Hacl_Impl_Ed25519_Verify_Steps_verify_step_4( + uint8_t *s, + uint8_t *h_, + uint64_t *a_, + uint64_t *r_ +) +{ + uint64_t tmp[60U] = { 0U }; + uint64_t *hA = tmp; + uint64_t *rhA = tmp + (uint32_t)20U; + uint64_t *sB = tmp + (uint32_t)40U; + Hacl_Impl_Ed25519_Verify_Steps_point_mul_g(sB, s); + Hacl_Impl_Ed25519_Ladder_point_mul(hA, h_, a_); + Hacl_Impl_Ed25519_PointAdd_point_add(rhA, r_, hA); + bool b = Hacl_Impl_Ed25519_PointEqual_point_equal(sB, rhA); + return b; +} + +static bool +Hacl_Impl_Ed25519_Verify_verify__( + uint8_t *public, + uint8_t *msg, + uint32_t len1, + uint8_t *signature, + uint64_t *tmp, + uint8_t *tmp_ +) +{ + uint64_t *a_ = tmp; + uint64_t *r_ = tmp + (uint32_t)20U; + uint64_t *s = tmp + (uint32_t)40U; + uint8_t *h_ = tmp_; + bool b = Hacl_Impl_Ed25519_PointDecompress_point_decompress(a_, public); + if (b) + { + uint8_t *rs = signature; + bool b_ = Hacl_Impl_Ed25519_Verify_Steps_verify_step_1(r_, signature); + if (b_) + { + Hacl_Impl_Load56_load_32_bytes(s, signature + (uint32_t)32U); + bool b__ = Hacl_Impl_Ed25519_PointEqual_gte_q(s); + if (b__) + return false; + else + { + Hacl_Impl_Ed25519_Verify_Steps_verify_step_2(h_, msg, len1, rs, public); + bool + b1 = Hacl_Impl_Ed25519_Verify_Steps_verify_step_4(signature + (uint32_t)32U, h_, a_, r_); + return b1; + } + } + else + return false; + } + else + return false; +} + +static bool +Hacl_Impl_Ed25519_Verify_verify_( + uint8_t *public, + uint8_t *msg, + uint32_t len1, + uint8_t *signature +) +{ + uint64_t tmp[45U] = { 0U }; + uint8_t tmp_[32U] = { 0U }; + bool res = Hacl_Impl_Ed25519_Verify_verify__(public, msg, len1, signature, tmp, tmp_); + return res; +} + +static bool +Hacl_Impl_Ed25519_Verify_verify( + uint8_t *public, + uint8_t *msg, + uint32_t len1, + uint8_t *signature +) +{ + return Hacl_Impl_Ed25519_Verify_verify_(public, msg, len1, signature); +} + +static void Hacl_Impl_Ed25519_Sign_Steps_point_mul_g(uint64_t *result, uint8_t *scalar) +{ + uint64_t g1[20U] = { 0U }; + Hacl_Impl_Ed25519_G_make_g(g1); + Hacl_Impl_Ed25519_Ladder_point_mul(result, scalar, g1); +} + +static void Hacl_Impl_Ed25519_Sign_Steps_point_mul_g_compress(uint8_t *out, uint8_t *s) +{ + uint64_t tmp[20U] = { 0U }; + Hacl_Impl_Ed25519_Sign_Steps_point_mul_g(tmp, s); + Hacl_Impl_Ed25519_PointCompress_point_compress(out, tmp); +} + +static void +Hacl_Impl_Ed25519_Sign_Steps_copy_bytes(uint8_t *output, uint8_t *input, uint32_t len1) +{ + memcpy(output, input, len1 * sizeof input[0U]); +} + +static void Hacl_Impl_Ed25519_Sign_Steps_sign_step_1(uint8_t *secret, uint8_t *tmp_bytes) +{ + uint8_t *a__ = tmp_bytes + (uint32_t)96U; + uint8_t *apre = tmp_bytes + (uint32_t)224U; + uint8_t *a = apre; + Hacl_Impl_Ed25519_SecretExpand_secret_expand(apre, secret); + Hacl_Impl_Ed25519_Sign_Steps_point_mul_g_compress(a__, a); +} + +static void +Hacl_Impl_Ed25519_Sign_Steps_sign_step_2( + uint8_t *msg, + uint32_t len1, + uint8_t *tmp_bytes, + uint64_t *tmp_ints +) +{ + uint64_t *r = tmp_ints + (uint32_t)20U; + uint8_t *apre = tmp_bytes + (uint32_t)224U; + uint8_t *prefix = apre + (uint32_t)32U; + Hacl_Impl_SHA512_ModQ_sha512_modq_pre(r, prefix, msg, len1); +} + +static void +Hacl_Impl_Ed25519_Sign_Steps_sign_step_4( + uint8_t *msg, + uint32_t len1, + uint8_t *tmp_bytes, + uint64_t *tmp_ints +) +{ + uint64_t *h = tmp_ints + (uint32_t)60U; + uint8_t *a__ = tmp_bytes + (uint32_t)96U; + uint8_t *rs_ = tmp_bytes + (uint32_t)160U; + Hacl_Impl_SHA512_ModQ_sha512_modq_pre_pre2(h, rs_, a__, msg, len1); +} + +static void Hacl_Impl_Ed25519_Sign_Steps_sign_step_5(uint8_t *tmp_bytes, uint64_t *tmp_ints) +{ + uint64_t *r = tmp_ints + (uint32_t)20U; + uint64_t *aq = tmp_ints + (uint32_t)45U; + uint64_t *ha = tmp_ints + (uint32_t)50U; + uint64_t *s = tmp_ints + (uint32_t)55U; + uint64_t *h = tmp_ints + (uint32_t)60U; + uint8_t *s_ = tmp_bytes + (uint32_t)192U; + uint8_t *a = tmp_bytes + (uint32_t)224U; + Hacl_Impl_Load56_load_32_bytes(aq, a); + Hacl_Impl_BignumQ_Mul_mul_modq(ha, h, aq); + Hacl_Impl_BignumQ_Mul_add_modq(s, r, ha); + Hacl_Impl_Store56_store_56(s_, s); +} + +static void Hacl_Impl_Ed25519_Sign_append_to_sig(uint8_t *signature, uint8_t *a, uint8_t *b) +{ + Hacl_Impl_Ed25519_Sign_Steps_copy_bytes(signature, a, (uint32_t)32U); + Hacl_Impl_Ed25519_Sign_Steps_copy_bytes(signature + (uint32_t)32U, b, (uint32_t)32U); +} + +static void +Hacl_Impl_Ed25519_Sign_sign_(uint8_t *signature, uint8_t *secret, uint8_t *msg, uint32_t len1) +{ + uint8_t tmp_bytes[352U] = { 0U }; + uint64_t tmp_ints[65U] = { 0U }; + uint8_t *rs_ = tmp_bytes + (uint32_t)160U; + uint8_t *s_ = tmp_bytes + (uint32_t)192U; + Hacl_Impl_Ed25519_Sign_Steps_sign_step_1(secret, tmp_bytes); + Hacl_Impl_Ed25519_Sign_Steps_sign_step_2(msg, len1, tmp_bytes, tmp_ints); + uint8_t rb[32U] = { 0U }; + uint64_t *r = tmp_ints + (uint32_t)20U; + uint8_t *rs_0 = tmp_bytes + (uint32_t)160U; + Hacl_Impl_Store56_store_56(rb, r); + Hacl_Impl_Ed25519_Sign_Steps_point_mul_g_compress(rs_0, rb); + Hacl_Impl_Ed25519_Sign_Steps_sign_step_4(msg, len1, tmp_bytes, tmp_ints); + Hacl_Impl_Ed25519_Sign_Steps_sign_step_5(tmp_bytes, tmp_ints); + Hacl_Impl_Ed25519_Sign_append_to_sig(signature, rs_, s_); +} + +static void +Hacl_Impl_Ed25519_Sign_sign(uint8_t *signature, uint8_t *secret, uint8_t *msg, uint32_t len1) +{ + Hacl_Impl_Ed25519_Sign_sign_(signature, secret, msg, len1); +} + +void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *secret, uint8_t *msg, uint32_t len1) +{ + Hacl_Impl_Ed25519_Sign_sign(signature, secret, msg, len1); +} + +bool Hacl_Ed25519_verify(uint8_t *public, uint8_t *msg, uint32_t len1, uint8_t *signature) +{ + return Hacl_Impl_Ed25519_Verify_verify(public, msg, len1, signature); +} + +void Hacl_Ed25519_secret_to_public(uint8_t *out, uint8_t *secret) +{ + Hacl_Impl_Ed25519_SecretToPublic_secret_to_public(out, secret); +} + diff --git a/vendors/ocaml-hacl/src/Hacl_Ed25519.h b/vendors/ocaml-hacl/src/Hacl_Ed25519.h new file mode 100644 index 000000000..09e0d670a --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Ed25519.h @@ -0,0 +1,230 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_Ed25519_H +#define __Hacl_Ed25519_H + + + + + +typedef uint64_t Hacl_Bignum_Constants_limb; + +typedef FStar_UInt128_t Hacl_Bignum_Constants_wide; + +typedef uint64_t Hacl_Bignum_Parameters_limb; + +typedef FStar_UInt128_t Hacl_Bignum_Parameters_wide; + +typedef uint32_t Hacl_Bignum_Parameters_ctr; + +typedef uint64_t *Hacl_Bignum_Parameters_felem; + +typedef FStar_UInt128_t *Hacl_Bignum_Parameters_felem_wide; + +typedef void *Hacl_Bignum_Parameters_seqelem; + +typedef void *Hacl_Bignum_Parameters_seqelem_wide; + +typedef FStar_UInt128_t Hacl_Bignum_Wide_t; + +typedef uint64_t Hacl_Bignum_Limb_t; + +extern void Hacl_Bignum_lemma_diff(Prims_int x0, Prims_int x1, Prims_pos x2); + +typedef struct +{ + void *fst; + void *snd; +} +K___FStar_Seq_Base_seq_uint64_t_FStar_Seq_Base_seq_uint64_t; + +typedef uint64_t *Hacl_EC_Point_point; + +typedef uint8_t *Hacl_EC_Format_uint8_p; + +typedef uint64_t Hacl_Lib_Create64_h64; + +typedef uint64_t Hacl_Bignum25519_limb; + +typedef uint64_t *Hacl_Bignum25519_felem; + +typedef void *Hacl_Bignum25519_seqelem; + +typedef uint64_t *Hacl_Impl_Ed25519_ExtPoint_point; + +typedef uint8_t *Hacl_Impl_Store51_uint8_p; + +typedef uint64_t *Hacl_Impl_Store51_felem; + +typedef uint8_t *Hacl_Impl_Ed25519_PointCompress_hint8_p; + +typedef uint64_t *Hacl_Impl_Ed25519_PointCompress_hint64_p; + +typedef uint64_t *Hacl_Impl_Ed25519_SwapConditional_felem; + +typedef uint8_t *Hacl_Impl_Ed25519_Ladder_Step_uint8_p; + +typedef uint64_t *Hacl_Impl_Ed25519_Ladder_elemB; + +typedef uint8_t *Hacl_Hash_Lib_LoadStore_uint8_p; + +typedef uint8_t Hacl_Hash_Lib_Create_uint8_t; + +typedef uint32_t Hacl_Hash_Lib_Create_uint32_t; + +typedef uint64_t Hacl_Hash_Lib_Create_uint64_t; + +typedef uint8_t Hacl_Hash_Lib_Create_uint8_ht; + +typedef uint32_t Hacl_Hash_Lib_Create_uint32_ht; + +typedef uint64_t Hacl_Hash_Lib_Create_uint64_ht; + +typedef uint8_t *Hacl_Hash_Lib_Create_uint8_p; + +typedef uint32_t *Hacl_Hash_Lib_Create_uint32_p; + +typedef uint64_t *Hacl_Hash_Lib_Create_uint64_p; + +typedef uint8_t Hacl_Impl_SHA2_512_Lemmas_uint8_t; + +typedef uint32_t Hacl_Impl_SHA2_512_Lemmas_uint32_t; + +typedef uint64_t Hacl_Impl_SHA2_512_Lemmas_uint64_t; + +typedef uint8_t Hacl_Impl_SHA2_512_Lemmas_uint8_ht; + +typedef uint32_t Hacl_Impl_SHA2_512_Lemmas_uint32_ht; + +typedef uint64_t Hacl_Impl_SHA2_512_Lemmas_uint64_ht; + +typedef FStar_UInt128_t Hacl_Impl_SHA2_512_Lemmas_uint128_ht; + +typedef uint64_t *Hacl_Impl_SHA2_512_Lemmas_uint64_p; + +typedef uint8_t *Hacl_Impl_SHA2_512_Lemmas_uint8_p; + +typedef uint8_t Hacl_Impl_SHA2_512_uint8_t; + +typedef uint32_t Hacl_Impl_SHA2_512_uint32_t; + +typedef uint64_t Hacl_Impl_SHA2_512_uint64_t; + +typedef uint8_t Hacl_Impl_SHA2_512_uint8_ht; + +typedef uint32_t Hacl_Impl_SHA2_512_uint32_ht; + +typedef uint64_t Hacl_Impl_SHA2_512_uint64_ht; + +typedef FStar_UInt128_t Hacl_Impl_SHA2_512_uint128_ht; + +typedef uint64_t *Hacl_Impl_SHA2_512_uint64_p; + +typedef uint8_t *Hacl_Impl_SHA2_512_uint8_p; + +typedef uint8_t Hacl_SHA2_512_uint8_t; + +typedef uint32_t Hacl_SHA2_512_uint32_t; + +typedef uint64_t Hacl_SHA2_512_uint64_t; + +typedef uint8_t Hacl_SHA2_512_uint8_ht; + +typedef uint32_t Hacl_SHA2_512_uint32_ht; + +typedef uint64_t Hacl_SHA2_512_uint64_ht; + +typedef FStar_UInt128_t Hacl_SHA2_512_uint128_ht; + +typedef uint64_t *Hacl_SHA2_512_uint64_p; + +typedef uint8_t *Hacl_SHA2_512_uint8_p; + +typedef uint8_t *Hacl_Impl_Ed25519_SecretExpand_hint8_p; + +typedef uint8_t *Hacl_Impl_Ed25519_SecretToPublic_hint8_p; + +typedef Prims_nat Hacl_Impl_Ed25519_Verify_Lemmas_u51; + +typedef uint8_t *Hacl_Impl_Ed25519_PointEqual_uint8_p; + +typedef uint64_t *Hacl_Impl_Ed25519_PointEqual_felem; + +typedef uint32_t Hacl_Impl_Load56_u32; + +typedef uint8_t Hacl_Impl_Load56_h8; + +typedef uint64_t Hacl_Impl_Load56_h64; + +typedef uint8_t *Hacl_Impl_Load56_hint8_p; + +typedef uint64_t *Hacl_Impl_Ed25519_RecoverX_elemB; + +typedef uint32_t Hacl_Impl_Load51_u32; + +typedef uint8_t Hacl_Impl_Load51_h8; + +typedef uint64_t Hacl_Impl_Load51_h64; + +typedef uint8_t *Hacl_Impl_Load51_hint8_p; + +typedef uint8_t *Hacl_Impl_Store56_hint8_p; + +typedef uint64_t *Hacl_Impl_Store56_qelem; + +typedef uint8_t *Hacl_Impl_SHA512_Ed25519_1_hint8_p; + +typedef uint8_t *Hacl_Impl_SHA512_Ed25519_hint8_p; + +typedef uint8_t *Hacl_Impl_Sha512_hint8_p; + +typedef FStar_UInt128_t Hacl_Lib_Create128_h128; + +typedef uint64_t *Hacl_Impl_BignumQ_Mul_qelemB; + +typedef uint64_t Hacl_Impl_BignumQ_Mul_h64; + +typedef uint8_t *Hacl_Impl_Ed25519_Verify_Steps_uint8_p; + +typedef uint64_t *Hacl_Impl_Ed25519_Verify_Steps_felem; + +typedef uint8_t *Hacl_Impl_Ed25519_Verify_uint8_p; + +typedef uint64_t *Hacl_Impl_Ed25519_Verify_felem; + +typedef uint8_t *Hacl_Impl_Ed25519_Sign_Steps_hint8_p; + +typedef uint8_t *Hacl_Impl_Ed25519_Sign_hint8_p; + +typedef uint8_t *Hacl_Ed25519_uint8_p; + +typedef uint8_t *Hacl_Ed25519_hint8_p; + +void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *secret, uint8_t *msg, uint32_t len1); + +bool Hacl_Ed25519_verify(uint8_t *public, uint8_t *msg, uint32_t len1, uint8_t *signature); + +void Hacl_Ed25519_secret_to_public(uint8_t *out, uint8_t *secret); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.c b/vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.c new file mode 100644 index 000000000..9745af328 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.c @@ -0,0 +1,377 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_HMAC_SHA2_256.h" + +static void +Hacl_Hash_Lib_LoadStore_uint32s_from_be_bytes(uint32_t *output, uint8_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t *x0 = input + (uint32_t)4U * i; + uint32_t inputi = load32_be(x0); + output[i] = inputi; + } +} + +static void +Hacl_Hash_Lib_LoadStore_uint32s_to_be_bytes(uint8_t *output, uint32_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint32_t hd1 = input[i]; + uint8_t *x0 = output + (uint32_t)4U * i; + store32_be(x0, hd1); + } +} + +static void Hacl_Impl_SHA2_256_init(uint32_t *state) +{ + uint32_t *n1 = state + (uint32_t)136U; + uint32_t *k1 = state; + uint32_t *h_01 = state + (uint32_t)128U; + uint32_t *p10 = k1; + uint32_t *p20 = k1 + (uint32_t)16U; + uint32_t *p3 = k1 + (uint32_t)32U; + uint32_t *p4 = k1 + (uint32_t)48U; + uint32_t *p11 = p10; + uint32_t *p21 = p10 + (uint32_t)8U; + uint32_t *p12 = p11; + uint32_t *p22 = p11 + (uint32_t)4U; + p12[0U] = (uint32_t)0x428a2f98U; + p12[1U] = (uint32_t)0x71374491U; + p12[2U] = (uint32_t)0xb5c0fbcfU; + p12[3U] = (uint32_t)0xe9b5dba5U; + p22[0U] = (uint32_t)0x3956c25bU; + p22[1U] = (uint32_t)0x59f111f1U; + p22[2U] = (uint32_t)0x923f82a4U; + p22[3U] = (uint32_t)0xab1c5ed5U; + uint32_t *p13 = p21; + uint32_t *p23 = p21 + (uint32_t)4U; + p13[0U] = (uint32_t)0xd807aa98U; + p13[1U] = (uint32_t)0x12835b01U; + p13[2U] = (uint32_t)0x243185beU; + p13[3U] = (uint32_t)0x550c7dc3U; + p23[0U] = (uint32_t)0x72be5d74U; + p23[1U] = (uint32_t)0x80deb1feU; + p23[2U] = (uint32_t)0x9bdc06a7U; + p23[3U] = (uint32_t)0xc19bf174U; + uint32_t *p14 = p20; + uint32_t *p24 = p20 + (uint32_t)8U; + uint32_t *p15 = p14; + uint32_t *p25 = p14 + (uint32_t)4U; + p15[0U] = (uint32_t)0xe49b69c1U; + p15[1U] = (uint32_t)0xefbe4786U; + p15[2U] = (uint32_t)0x0fc19dc6U; + p15[3U] = (uint32_t)0x240ca1ccU; + p25[0U] = (uint32_t)0x2de92c6fU; + p25[1U] = (uint32_t)0x4a7484aaU; + p25[2U] = (uint32_t)0x5cb0a9dcU; + p25[3U] = (uint32_t)0x76f988daU; + uint32_t *p16 = p24; + uint32_t *p26 = p24 + (uint32_t)4U; + p16[0U] = (uint32_t)0x983e5152U; + p16[1U] = (uint32_t)0xa831c66dU; + p16[2U] = (uint32_t)0xb00327c8U; + p16[3U] = (uint32_t)0xbf597fc7U; + p26[0U] = (uint32_t)0xc6e00bf3U; + p26[1U] = (uint32_t)0xd5a79147U; + p26[2U] = (uint32_t)0x06ca6351U; + p26[3U] = (uint32_t)0x14292967U; + uint32_t *p17 = p3; + uint32_t *p27 = p3 + (uint32_t)8U; + uint32_t *p18 = p17; + uint32_t *p28 = p17 + (uint32_t)4U; + p18[0U] = (uint32_t)0x27b70a85U; + p18[1U] = (uint32_t)0x2e1b2138U; + p18[2U] = (uint32_t)0x4d2c6dfcU; + p18[3U] = (uint32_t)0x53380d13U; + p28[0U] = (uint32_t)0x650a7354U; + p28[1U] = (uint32_t)0x766a0abbU; + p28[2U] = (uint32_t)0x81c2c92eU; + p28[3U] = (uint32_t)0x92722c85U; + uint32_t *p19 = p27; + uint32_t *p29 = p27 + (uint32_t)4U; + p19[0U] = (uint32_t)0xa2bfe8a1U; + p19[1U] = (uint32_t)0xa81a664bU; + p19[2U] = (uint32_t)0xc24b8b70U; + p19[3U] = (uint32_t)0xc76c51a3U; + p29[0U] = (uint32_t)0xd192e819U; + p29[1U] = (uint32_t)0xd6990624U; + p29[2U] = (uint32_t)0xf40e3585U; + p29[3U] = (uint32_t)0x106aa070U; + uint32_t *p110 = p4; + uint32_t *p210 = p4 + (uint32_t)8U; + uint32_t *p1 = p110; + uint32_t *p211 = p110 + (uint32_t)4U; + p1[0U] = (uint32_t)0x19a4c116U; + p1[1U] = (uint32_t)0x1e376c08U; + p1[2U] = (uint32_t)0x2748774cU; + p1[3U] = (uint32_t)0x34b0bcb5U; + p211[0U] = (uint32_t)0x391c0cb3U; + p211[1U] = (uint32_t)0x4ed8aa4aU; + p211[2U] = (uint32_t)0x5b9cca4fU; + p211[3U] = (uint32_t)0x682e6ff3U; + uint32_t *p111 = p210; + uint32_t *p212 = p210 + (uint32_t)4U; + p111[0U] = (uint32_t)0x748f82eeU; + p111[1U] = (uint32_t)0x78a5636fU; + p111[2U] = (uint32_t)0x84c87814U; + p111[3U] = (uint32_t)0x8cc70208U; + p212[0U] = (uint32_t)0x90befffaU; + p212[1U] = (uint32_t)0xa4506cebU; + p212[2U] = (uint32_t)0xbef9a3f7U; + p212[3U] = (uint32_t)0xc67178f2U; + uint32_t *p112 = h_01; + uint32_t *p2 = h_01 + (uint32_t)4U; + p112[0U] = (uint32_t)0x6a09e667U; + p112[1U] = (uint32_t)0xbb67ae85U; + p112[2U] = (uint32_t)0x3c6ef372U; + p112[3U] = (uint32_t)0xa54ff53aU; + p2[0U] = (uint32_t)0x510e527fU; + p2[1U] = (uint32_t)0x9b05688cU; + p2[2U] = (uint32_t)0x1f83d9abU; + p2[3U] = (uint32_t)0x5be0cd19U; + n1[0U] = (uint32_t)0U; +} + +static void Hacl_Impl_SHA2_256_update(uint32_t *state, uint8_t *data) +{ + uint32_t data_w[16U] = { 0U }; + Hacl_Hash_Lib_LoadStore_uint32s_from_be_bytes(data_w, data, (uint32_t)16U); + uint32_t *hash_w = state + (uint32_t)128U; + uint32_t *ws_w = state + (uint32_t)64U; + uint32_t *k_w = state; + uint32_t *counter_w = state + (uint32_t)136U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) + { + uint32_t b = data_w[i]; + ws_w[i] = b; + } + for (uint32_t i = (uint32_t)16U; i < (uint32_t)64U; i = i + (uint32_t)1U) + { + uint32_t t16 = ws_w[i - (uint32_t)16U]; + uint32_t t15 = ws_w[i - (uint32_t)15U]; + uint32_t t7 = ws_w[i - (uint32_t)7U]; + uint32_t t2 = ws_w[i - (uint32_t)2U]; + ws_w[i] = + ((t2 >> (uint32_t)17U | t2 << ((uint32_t)32U - (uint32_t)17U)) + ^ ((t2 >> (uint32_t)19U | t2 << ((uint32_t)32U - (uint32_t)19U)) ^ t2 >> (uint32_t)10U)) + + + t7 + + + ((t15 >> (uint32_t)7U | t15 << ((uint32_t)32U - (uint32_t)7U)) + ^ ((t15 >> (uint32_t)18U | t15 << ((uint32_t)32U - (uint32_t)18U)) ^ t15 >> (uint32_t)3U)) + + t16; + } + uint32_t hash_0[8U] = { 0U }; + memcpy(hash_0, hash_w, (uint32_t)8U * sizeof hash_w[0U]); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i = i + (uint32_t)1U) + { + uint32_t a = hash_0[0U]; + uint32_t b = hash_0[1U]; + uint32_t c = hash_0[2U]; + uint32_t d = hash_0[3U]; + uint32_t e = hash_0[4U]; + uint32_t f1 = hash_0[5U]; + uint32_t g = hash_0[6U]; + uint32_t h = hash_0[7U]; + uint32_t kt = k_w[i]; + uint32_t wst = ws_w[i]; + uint32_t + t1 = + h + + + ((e >> (uint32_t)6U | e << ((uint32_t)32U - (uint32_t)6U)) + ^ + ((e >> (uint32_t)11U | e << ((uint32_t)32U - (uint32_t)11U)) + ^ (e >> (uint32_t)25U | e << ((uint32_t)32U - (uint32_t)25U)))) + + ((e & f1) ^ (~e & g)) + + kt + + wst; + uint32_t + t2 = + ((a >> (uint32_t)2U | a << ((uint32_t)32U - (uint32_t)2U)) + ^ + ((a >> (uint32_t)13U | a << ((uint32_t)32U - (uint32_t)13U)) + ^ (a >> (uint32_t)22U | a << ((uint32_t)32U - (uint32_t)22U)))) + + ((a & b) ^ ((a & c) ^ (b & c))); + uint32_t x1 = t1 + t2; + uint32_t x5 = d + t1; + uint32_t *p1 = hash_0; + uint32_t *p2 = hash_0 + (uint32_t)4U; + p1[0U] = x1; + p1[1U] = a; + p1[2U] = b; + p1[3U] = c; + p2[0U] = x5; + p2[1U] = e; + p2[2U] = f1; + p2[3U] = g; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U) + { + uint32_t xi = hash_w[i]; + uint32_t yi = hash_0[i]; + hash_w[i] = xi + yi; + } + uint32_t c0 = counter_w[0U]; + uint32_t one1 = (uint32_t)1U; + counter_w[0U] = c0 + one1; +} + +static void Hacl_Impl_SHA2_256_update_multi(uint32_t *state, uint8_t *data, uint32_t n1) +{ + for (uint32_t i = (uint32_t)0U; i < n1; i = i + (uint32_t)1U) + { + uint8_t *b = data + i * (uint32_t)64U; + Hacl_Impl_SHA2_256_update(state, b); + } +} + +static void Hacl_Impl_SHA2_256_update_last(uint32_t *state, uint8_t *data, uint32_t len) +{ + uint8_t blocks[128U] = { 0U }; + uint32_t nb; + if (len < (uint32_t)56U) + nb = (uint32_t)1U; + else + nb = (uint32_t)2U; + uint8_t *final_blocks; + if (len < (uint32_t)56U) + final_blocks = blocks + (uint32_t)64U; + else + final_blocks = blocks; + memcpy(final_blocks, data, len * sizeof data[0U]); + uint32_t n1 = state[136U]; + uint8_t *padding = final_blocks + len; + uint32_t + pad0len = ((uint32_t)64U - (len + (uint32_t)8U + (uint32_t)1U) % (uint32_t)64U) % (uint32_t)64U; + uint8_t *buf1 = padding; + uint8_t *buf2 = padding + (uint32_t)1U + pad0len; + uint64_t + encodedlen = ((uint64_t)n1 * (uint64_t)(uint32_t)64U + (uint64_t)len) * (uint64_t)(uint32_t)8U; + buf1[0U] = (uint8_t)0x80U; + store64_be(buf2, encodedlen); + Hacl_Impl_SHA2_256_update_multi(state, final_blocks, nb); +} + +static void Hacl_Impl_SHA2_256_finish(uint32_t *state, uint8_t *hash1) +{ + uint32_t *hash_w = state + (uint32_t)128U; + Hacl_Hash_Lib_LoadStore_uint32s_to_be_bytes(hash1, hash_w, (uint32_t)8U); +} + +static void Hacl_Impl_SHA2_256_hash(uint8_t *hash1, uint8_t *input, uint32_t len) +{ + uint32_t state[137U] = { 0U }; + uint32_t n1 = len / (uint32_t)64U; + uint32_t r = len % (uint32_t)64U; + uint8_t *input_blocks = input; + uint8_t *input_last = input + n1 * (uint32_t)64U; + Hacl_Impl_SHA2_256_init(state); + Hacl_Impl_SHA2_256_update_multi(state, input_blocks, n1); + Hacl_Impl_SHA2_256_update_last(state, input_last, r); + Hacl_Impl_SHA2_256_finish(state, hash1); +} + +static void Hacl_Impl_HMAC_SHA2_256_xor_bytes_inplace(uint8_t *a, uint8_t *b, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t xi = a[i]; + uint8_t yi = b[i]; + a[i] = xi ^ yi; + } +} + +static void +Hacl_Impl_HMAC_SHA2_256_hmac_core(uint8_t *mac, uint8_t *key, uint8_t *data, uint32_t len) +{ + uint8_t ipad[64U]; + for (uint32_t _i = 0U; _i < (uint32_t)64U; ++_i) + ipad[_i] = (uint8_t)0x36U; + uint8_t opad[64U]; + for (uint32_t _i = 0U; _i < (uint32_t)64U; ++_i) + opad[_i] = (uint8_t)0x5cU; + Hacl_Impl_HMAC_SHA2_256_xor_bytes_inplace(ipad, key, (uint32_t)64U); + uint32_t state0[137U] = { 0U }; + uint32_t n0 = len / (uint32_t)64U; + uint32_t r0 = len % (uint32_t)64U; + uint8_t *blocks0 = data; + uint8_t *last0 = data + n0 * (uint32_t)64U; + Hacl_Impl_SHA2_256_init(state0); + Hacl_Impl_SHA2_256_update(state0, ipad); + Hacl_Impl_SHA2_256_update_multi(state0, blocks0, n0); + Hacl_Impl_SHA2_256_update_last(state0, last0, r0); + uint8_t *hash0 = ipad; + Hacl_Impl_SHA2_256_finish(state0, hash0); + uint8_t *s4 = ipad; + Hacl_Impl_HMAC_SHA2_256_xor_bytes_inplace(opad, key, (uint32_t)64U); + uint32_t state1[137U] = { 0U }; + Hacl_Impl_SHA2_256_init(state1); + Hacl_Impl_SHA2_256_update(state1, opad); + Hacl_Impl_SHA2_256_update_last(state1, s4, (uint32_t)32U); + Hacl_Impl_SHA2_256_finish(state1, mac); +} + +static void +Hacl_Impl_HMAC_SHA2_256_hmac( + uint8_t *mac, + uint8_t *key, + uint32_t keylen, + uint8_t *data, + uint32_t datalen +) +{ + uint8_t nkey[64U]; + for (uint32_t _i = 0U; _i < (uint32_t)64U; ++_i) + nkey[_i] = (uint8_t)0x00U; + if (keylen <= (uint32_t)64U) + memcpy(nkey, key, keylen * sizeof key[0U]); + else + { + uint8_t *nkey0 = nkey; + Hacl_Impl_SHA2_256_hash(nkey0, key, keylen); + } + Hacl_Impl_HMAC_SHA2_256_hmac_core(mac, nkey, data, datalen); +} + +void Hacl_HMAC_SHA2_256_hmac_core(uint8_t *mac, uint8_t *key, uint8_t *data, uint32_t len) +{ + Hacl_Impl_HMAC_SHA2_256_hmac_core(mac, key, data, len); +} + +void +Hacl_HMAC_SHA2_256_hmac( + uint8_t *mac, + uint8_t *key, + uint32_t keylen, + uint8_t *data, + uint32_t datalen +) +{ + Hacl_Impl_HMAC_SHA2_256_hmac(mac, key, keylen, data, datalen); +} + diff --git a/vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.h b/vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.h new file mode 100644 index 000000000..75bd6dfe8 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.h @@ -0,0 +1,100 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_HMAC_SHA2_256_H +#define __Hacl_HMAC_SHA2_256_H + + + + + +typedef uint8_t Hacl_Hash_Lib_Create_uint8_t; + +typedef uint32_t Hacl_Hash_Lib_Create_uint32_t; + +typedef uint64_t Hacl_Hash_Lib_Create_uint64_t; + +typedef uint8_t Hacl_Hash_Lib_Create_uint8_ht; + +typedef uint32_t Hacl_Hash_Lib_Create_uint32_ht; + +typedef uint64_t Hacl_Hash_Lib_Create_uint64_ht; + +typedef uint8_t *Hacl_Hash_Lib_Create_uint8_p; + +typedef uint32_t *Hacl_Hash_Lib_Create_uint32_p; + +typedef uint64_t *Hacl_Hash_Lib_Create_uint64_p; + +typedef uint8_t *Hacl_Hash_Lib_LoadStore_uint8_p; + +typedef uint8_t Hacl_Impl_SHA2_256_uint8_t; + +typedef uint32_t Hacl_Impl_SHA2_256_uint32_t; + +typedef uint64_t Hacl_Impl_SHA2_256_uint64_t; + +typedef uint8_t Hacl_Impl_SHA2_256_uint8_ht; + +typedef uint32_t Hacl_Impl_SHA2_256_uint32_ht; + +typedef uint64_t Hacl_Impl_SHA2_256_uint64_ht; + +typedef uint32_t *Hacl_Impl_SHA2_256_uint32_p; + +typedef uint8_t *Hacl_Impl_SHA2_256_uint8_p; + +typedef uint8_t Hacl_Impl_HMAC_SHA2_256_uint8_t; + +typedef uint32_t Hacl_Impl_HMAC_SHA2_256_uint32_t; + +typedef uint64_t Hacl_Impl_HMAC_SHA2_256_uint64_t; + +typedef uint8_t Hacl_Impl_HMAC_SHA2_256_uint8_ht; + +typedef uint32_t Hacl_Impl_HMAC_SHA2_256_uint32_ht; + +typedef uint64_t Hacl_Impl_HMAC_SHA2_256_uint64_ht; + +typedef uint32_t *Hacl_Impl_HMAC_SHA2_256_uint32_p; + +typedef uint8_t *Hacl_Impl_HMAC_SHA2_256_uint8_p; + +typedef uint8_t Hacl_HMAC_SHA2_256_uint8_ht; + +typedef uint32_t Hacl_HMAC_SHA2_256_uint32_t; + +typedef uint8_t *Hacl_HMAC_SHA2_256_uint8_p; + +void Hacl_HMAC_SHA2_256_hmac_core(uint8_t *mac, uint8_t *key, uint8_t *data, uint32_t len); + +void +Hacl_HMAC_SHA2_256_hmac( + uint8_t *mac, + uint8_t *key, + uint32_t keylen, + uint8_t *data, + uint32_t datalen +); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_Policies.c b/vendors/ocaml-hacl/src/Hacl_Policies.c new file mode 100644 index 000000000..ea176dfa6 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Policies.c @@ -0,0 +1,66 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Policies.h" + +uint8_t Hacl_Policies_declassify_u8(uint8_t x) +{ + return x; +} + +uint32_t Hacl_Policies_declassify_u32(uint32_t x) +{ + return x; +} + +uint64_t Hacl_Policies_declassify_u64(uint64_t x) +{ + return x; +} + +FStar_UInt128_t Hacl_Policies_declassify_u128(FStar_UInt128_t x) +{ + return x; +} + +uint8_t Hacl_Policies_cmp_bytes_(uint8_t *b1, uint8_t *b2, uint32_t len, uint8_t *tmp) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t bi1 = b1[i]; + uint8_t bi2 = b2[i]; + uint8_t z0 = tmp[0U]; + tmp[0U] = FStar_UInt8_eq_mask(bi1, bi2) & z0; + } + return tmp[0U]; +} + +uint8_t Hacl_Policies_cmp_bytes(uint8_t *b1, uint8_t *b2, uint32_t len) +{ + uint8_t tmp[1U]; + tmp[0U] = (uint8_t)255U; + uint8_t z = Hacl_Policies_cmp_bytes_(b1, b2, len, tmp); + return ~z; +} + diff --git a/vendors/ocaml-hacl/src/Hacl_Policies.h b/vendors/ocaml-hacl/src/Hacl_Policies.h new file mode 100644 index 000000000..290029fb1 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Policies.h @@ -0,0 +1,43 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_Policies_H +#define __Hacl_Policies_H + + + + + +uint8_t Hacl_Policies_declassify_u8(uint8_t x); + +uint32_t Hacl_Policies_declassify_u32(uint32_t x); + +uint64_t Hacl_Policies_declassify_u64(uint64_t x); + +FStar_UInt128_t Hacl_Policies_declassify_u128(FStar_UInt128_t x); + +uint8_t Hacl_Policies_cmp_bytes_(uint8_t *b1, uint8_t *b2, uint32_t len, uint8_t *tmp); + +uint8_t Hacl_Policies_cmp_bytes(uint8_t *b1, uint8_t *b2, uint32_t len); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_Poly1305_32.c b/vendors/ocaml-hacl/src/Hacl_Poly1305_32.c new file mode 100644 index 000000000..c4ab05b76 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Poly1305_32.c @@ -0,0 +1,605 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Poly1305_32.h" + +inline static void Hacl_Bignum_Modulo_reduce(uint32_t *b) +{ + uint32_t b0 = b[0U]; + b[0U] = (b0 << (uint32_t)2U) + b0; +} + +inline static void Hacl_Bignum_Modulo_carry_top(uint32_t *b) +{ + uint32_t b4 = b[4U]; + uint32_t b0 = b[0U]; + uint32_t b4_26 = b4 >> (uint32_t)26U; + b[4U] = b4 & (uint32_t)0x3ffffffU; + b[0U] = (b4_26 << (uint32_t)2U) + b4_26 + b0; +} + +inline static void Hacl_Bignum_Modulo_carry_top_wide(uint64_t *b) +{ + uint64_t b4 = b[4U]; + uint64_t b0 = b[0U]; + uint64_t b4_ = b4 & (uint64_t)(uint32_t)0x3ffffffU; + uint32_t b4_26 = (uint32_t)(b4 >> (uint32_t)26U); + uint64_t b0_ = b0 + (uint64_t)((b4_26 << (uint32_t)2U) + b4_26); + b[4U] = b4_; + b[0U] = b0_; +} + +inline static void Hacl_Bignum_Fproduct_copy_from_wide_(uint32_t *output, uint64_t *input) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) + { + uint64_t xi = input[i]; + output[i] = (uint32_t)xi; + } +} + +inline static void +Hacl_Bignum_Fproduct_sum_scalar_multiplication_(uint64_t *output, uint32_t *input, uint32_t s) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) + { + uint64_t xi = output[i]; + uint32_t yi = input[i]; + uint64_t x_wide = (uint64_t)yi; + uint64_t y_wide = (uint64_t)s; + output[i] = xi + x_wide * y_wide; + } +} + +inline static void Hacl_Bignum_Fproduct_carry_wide_(uint64_t *tmp) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) + { + uint32_t ctr = i; + uint64_t tctr = tmp[ctr]; + uint64_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint32_t r0 = (uint32_t)tctr & (uint32_t)0x3ffffffU; + uint64_t c = tctr >> (uint32_t)26U; + tmp[ctr] = (uint64_t)r0; + tmp[ctr + (uint32_t)1U] = tctrp1 + c; + } +} + +inline static void Hacl_Bignum_Fproduct_carry_limb_(uint32_t *tmp) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) + { + uint32_t ctr = i; + uint32_t tctr = tmp[ctr]; + uint32_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint32_t r0 = tctr & (uint32_t)0x3ffffffU; + uint32_t c = tctr >> (uint32_t)26U; + tmp[ctr] = r0; + tmp[ctr + (uint32_t)1U] = tctrp1 + c; + } +} + +inline static void Hacl_Bignum_Fmul_shift_reduce(uint32_t *output) +{ + uint32_t tmp = output[4U]; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) + { + uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U; + uint32_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + output[0U] = tmp; + Hacl_Bignum_Modulo_reduce(output); +} + +static void +Hacl_Bignum_Fmul_mul_shift_reduce_(uint64_t *output, uint32_t *input, uint32_t *input2) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) + { + uint32_t input2i = input2[i]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + uint32_t i = (uint32_t)4U; + uint32_t input2i = input2[i]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); +} + +inline static void Hacl_Bignum_Fmul_fmul(uint32_t *output, uint32_t *input, uint32_t *input2) +{ + uint32_t tmp[5U] = { 0U }; + memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]); + uint64_t t[5U] = { 0U }; + Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2); + Hacl_Bignum_Fproduct_carry_wide_(t); + Hacl_Bignum_Modulo_carry_top_wide(t); + Hacl_Bignum_Fproduct_copy_from_wide_(output, t); + uint32_t i0 = output[0U]; + uint32_t i1 = output[1U]; + uint32_t i0_ = i0 & (uint32_t)0x3ffffffU; + uint32_t i1_ = i1 + (i0 >> (uint32_t)26U); + output[0U] = i0_; + output[1U] = i1_; +} + +inline static void +Hacl_Bignum_AddAndMultiply_add_and_multiply(uint32_t *acc, uint32_t *block, uint32_t *r) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U) + { + uint32_t xi = acc[i]; + uint32_t yi = block[i]; + acc[i] = xi + yi; + } + Hacl_Bignum_Fmul_fmul(acc, acc, r); +} + +inline static void +Hacl_Impl_Poly1305_32_poly1305_update( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *m +) +{ + Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st; + uint32_t *h = scrut0.h; + uint32_t *acc = h; + Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; + uint32_t *r = scrut.r; + uint32_t *r5 = r; + uint32_t tmp[5U] = { 0U }; + uint8_t *s0 = m; + uint8_t *s1 = m + (uint32_t)3U; + uint8_t *s2 = m + (uint32_t)6U; + uint8_t *s3 = m + (uint32_t)9U; + uint8_t *s4 = m + (uint32_t)12U; + uint32_t i0 = load32_le(s0); + uint32_t i1 = load32_le(s1); + uint32_t i2 = load32_le(s2); + uint32_t i3 = load32_le(s3); + uint32_t i4 = load32_le(s4); + uint32_t r0 = i0 & (uint32_t)0x3ffffffU; + uint32_t r1 = i1 >> (uint32_t)2U & (uint32_t)0x3ffffffU; + uint32_t r2 = i2 >> (uint32_t)4U & (uint32_t)0x3ffffffU; + uint32_t r3 = i3 >> (uint32_t)6U & (uint32_t)0x3ffffffU; + uint32_t r4 = i4 >> (uint32_t)8U; + tmp[0U] = r0; + tmp[1U] = r1; + tmp[2U] = r2; + tmp[3U] = r3; + tmp[4U] = r4; + uint32_t b4 = tmp[4U]; + uint32_t b4_ = (uint32_t)0x1000000U | b4; + tmp[4U] = b4_; + Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r5); +} + +inline static void +Hacl_Impl_Poly1305_32_poly1305_process_last_block_( + uint8_t *block, + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *m, + uint64_t rem_ +) +{ + uint32_t tmp[5U] = { 0U }; + uint8_t *s0 = block; + uint8_t *s1 = block + (uint32_t)3U; + uint8_t *s2 = block + (uint32_t)6U; + uint8_t *s3 = block + (uint32_t)9U; + uint8_t *s4 = block + (uint32_t)12U; + uint32_t i0 = load32_le(s0); + uint32_t i1 = load32_le(s1); + uint32_t i2 = load32_le(s2); + uint32_t i3 = load32_le(s3); + uint32_t i4 = load32_le(s4); + uint32_t r0 = i0 & (uint32_t)0x3ffffffU; + uint32_t r1 = i1 >> (uint32_t)2U & (uint32_t)0x3ffffffU; + uint32_t r2 = i2 >> (uint32_t)4U & (uint32_t)0x3ffffffU; + uint32_t r3 = i3 >> (uint32_t)6U & (uint32_t)0x3ffffffU; + uint32_t r4 = i4 >> (uint32_t)8U; + tmp[0U] = r0; + tmp[1U] = r1; + tmp[2U] = r2; + tmp[3U] = r3; + tmp[4U] = r4; + Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st; + uint32_t *h = scrut0.h; + Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; + uint32_t *r = scrut.r; + Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r); +} + +inline static void +Hacl_Impl_Poly1305_32_poly1305_process_last_block( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *m, + uint64_t rem_ +) +{ + uint8_t zero1 = (uint8_t)0U; + KRML_CHECK_SIZE(zero1, (uint32_t)16U); + uint8_t block[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + block[_i] = zero1; + uint32_t i0 = (uint32_t)rem_; + uint32_t i = (uint32_t)rem_; + memcpy(block, m, i * sizeof m[0U]); + block[i0] = (uint8_t)1U; + Hacl_Impl_Poly1305_32_poly1305_process_last_block_(block, st, m, rem_); +} + +static void Hacl_Impl_Poly1305_32_poly1305_last_pass(uint32_t *acc) +{ + Hacl_Bignum_Fproduct_carry_limb_(acc); + Hacl_Bignum_Modulo_carry_top(acc); + uint32_t t0 = acc[0U]; + uint32_t t10 = acc[1U]; + uint32_t t20 = acc[2U]; + uint32_t t30 = acc[3U]; + uint32_t t40 = acc[4U]; + uint32_t t1_ = t10 + (t0 >> (uint32_t)26U); + uint32_t mask_261 = (uint32_t)0x3ffffffU; + uint32_t t0_ = t0 & mask_261; + uint32_t t2_ = t20 + (t1_ >> (uint32_t)26U); + uint32_t t1__ = t1_ & mask_261; + uint32_t t3_ = t30 + (t2_ >> (uint32_t)26U); + uint32_t t2__ = t2_ & mask_261; + uint32_t t4_ = t40 + (t3_ >> (uint32_t)26U); + uint32_t t3__ = t3_ & mask_261; + acc[0U] = t0_; + acc[1U] = t1__; + acc[2U] = t2__; + acc[3U] = t3__; + acc[4U] = t4_; + Hacl_Bignum_Modulo_carry_top(acc); + uint32_t t00 = acc[0U]; + uint32_t t1 = acc[1U]; + uint32_t t2 = acc[2U]; + uint32_t t3 = acc[3U]; + uint32_t t4 = acc[4U]; + uint32_t t1_0 = t1 + (t00 >> (uint32_t)26U); + uint32_t t0_0 = t00 & (uint32_t)0x3ffffffU; + uint32_t t2_0 = t2 + (t1_0 >> (uint32_t)26U); + uint32_t t1__0 = t1_0 & (uint32_t)0x3ffffffU; + uint32_t t3_0 = t3 + (t2_0 >> (uint32_t)26U); + uint32_t t2__0 = t2_0 & (uint32_t)0x3ffffffU; + uint32_t t4_0 = t4 + (t3_0 >> (uint32_t)26U); + uint32_t t3__0 = t3_0 & (uint32_t)0x3ffffffU; + acc[0U] = t0_0; + acc[1U] = t1__0; + acc[2U] = t2__0; + acc[3U] = t3__0; + acc[4U] = t4_0; + Hacl_Bignum_Modulo_carry_top(acc); + uint32_t i0 = acc[0U]; + uint32_t i1 = acc[1U]; + uint32_t i0_ = i0 & (uint32_t)0x3ffffffU; + uint32_t i1_ = i1 + (i0 >> (uint32_t)26U); + acc[0U] = i0_; + acc[1U] = i1_; + uint32_t a0 = acc[0U]; + uint32_t a1 = acc[1U]; + uint32_t a2 = acc[2U]; + uint32_t a3 = acc[3U]; + uint32_t a4 = acc[4U]; + uint32_t mask0 = FStar_UInt32_gte_mask(a0, (uint32_t)0x3fffffbU); + uint32_t mask1 = FStar_UInt32_eq_mask(a1, (uint32_t)0x3ffffffU); + uint32_t mask2 = FStar_UInt32_eq_mask(a2, (uint32_t)0x3ffffffU); + uint32_t mask3 = FStar_UInt32_eq_mask(a3, (uint32_t)0x3ffffffU); + uint32_t mask4 = FStar_UInt32_eq_mask(a4, (uint32_t)0x3ffffffU); + uint32_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4; + uint32_t a0_ = a0 - ((uint32_t)0x3fffffbU & mask); + uint32_t a1_ = a1 - ((uint32_t)0x3ffffffU & mask); + uint32_t a2_ = a2 - ((uint32_t)0x3ffffffU & mask); + uint32_t a3_ = a3 - ((uint32_t)0x3ffffffU & mask); + uint32_t a4_ = a4 - ((uint32_t)0x3ffffffU & mask); + acc[0U] = a0_; + acc[1U] = a1_; + acc[2U] = a2_; + acc[3U] = a3_; + acc[4U] = a4_; +} + +static Hacl_Impl_Poly1305_32_State_poly1305_state +Hacl_Impl_Poly1305_32_mk_state(uint32_t *r, uint32_t *h) +{ + return ((Hacl_Impl_Poly1305_32_State_poly1305_state){ .r = r, .h = h }); +} + +static void +Hacl_Standalone_Poly1305_32_poly1305_blocks( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *m, + uint64_t len1 +) +{ + if (!(len1 == (uint64_t)0U)) + { + uint8_t *block = m; + uint8_t *tail1 = m + (uint32_t)16U; + Hacl_Impl_Poly1305_32_poly1305_update(st, block); + uint64_t len2 = len1 - (uint64_t)1U; + Hacl_Standalone_Poly1305_32_poly1305_blocks(st, tail1, len2); + } +} + +static void +Hacl_Standalone_Poly1305_32_poly1305_partial( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *input, + uint64_t len1, + uint8_t *kr +) +{ + Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; + uint32_t *r = scrut.r; + uint32_t *x0 = r; + FStar_UInt128_t k1 = load128_le(kr); + FStar_UInt128_t + k_clamped = + FStar_UInt128_logand(k1, + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU), + (uint32_t)64U), + FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU))); + uint32_t r0 = (uint32_t)FStar_UInt128_uint128_to_uint64(k_clamped) & (uint32_t)0x3ffffffU; + uint32_t + r1 = + (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)26U)) + & (uint32_t)0x3ffffffU; + uint32_t + r2 = + (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)52U)) + & (uint32_t)0x3ffffffU; + uint32_t + r3 = + (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)78U)) + & (uint32_t)0x3ffffffU; + uint32_t + r4 = + (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)104U)) + & (uint32_t)0x3ffffffU; + x0[0U] = r0; + x0[1U] = r1; + x0[2U] = r2; + x0[3U] = r3; + x0[4U] = r4; + Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st; + uint32_t *h = scrut0.h; + uint32_t *x00 = h; + x00[0U] = (uint32_t)0U; + x00[1U] = (uint32_t)0U; + x00[2U] = (uint32_t)0U; + x00[3U] = (uint32_t)0U; + x00[4U] = (uint32_t)0U; + Hacl_Standalone_Poly1305_32_poly1305_blocks(st, input, len1); +} + +static void +Hacl_Standalone_Poly1305_32_poly1305_complete( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *m, + uint64_t len1, + uint8_t *k1 +) +{ + uint8_t *kr = k1; + uint64_t len16 = len1 >> (uint32_t)4U; + uint64_t rem16 = len1 & (uint64_t)0xfU; + uint8_t *part_input = m; + uint8_t *last_block = m + (uint32_t)((uint64_t)16U * len16); + Hacl_Standalone_Poly1305_32_poly1305_partial(st, part_input, len16, kr); + if (!(rem16 == (uint64_t)0U)) + Hacl_Impl_Poly1305_32_poly1305_process_last_block(st, last_block, rem16); + Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; + uint32_t *h = scrut.h; + uint32_t *acc = h; + Hacl_Impl_Poly1305_32_poly1305_last_pass(acc); +} + +static void +Hacl_Standalone_Poly1305_32_crypto_onetimeauth_( + uint8_t *output, + uint8_t *input, + uint64_t len1, + uint8_t *k1 +) +{ + uint32_t buf[10U] = { 0U }; + uint32_t *r = buf; + uint32_t *h = buf + (uint32_t)5U; + Hacl_Impl_Poly1305_32_State_poly1305_state st = Hacl_Impl_Poly1305_32_mk_state(r, h); + uint8_t *key_s = k1 + (uint32_t)16U; + Hacl_Standalone_Poly1305_32_poly1305_complete(st, input, len1, k1); + Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; + uint32_t *h5 = scrut.h; + uint32_t *acc = h5; + FStar_UInt128_t k_ = load128_le(key_s); + uint32_t h0 = acc[0U]; + uint32_t h1 = acc[1U]; + uint32_t h2 = acc[2U]; + uint32_t h3 = acc[3U]; + uint32_t h4 = acc[4U]; + FStar_UInt128_t + acc_ = + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h4), + (uint32_t)104U), + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h3), + (uint32_t)78U), + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h2), + (uint32_t)52U), + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h1), + (uint32_t)26U), + FStar_UInt128_uint64_to_uint128((uint64_t)h0))))); + FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_); + store128_le(output, mac_); +} + +static void +Hacl_Standalone_Poly1305_32_crypto_onetimeauth( + uint8_t *output, + uint8_t *input, + uint64_t len1, + uint8_t *k1 +) +{ + Hacl_Standalone_Poly1305_32_crypto_onetimeauth_(output, input, len1, k1); +} + +void *Hacl_Poly1305_32_op_String_Access(FStar_Monotonic_HyperStack_mem h, uint8_t *b) +{ + return (void *)(uint8_t)0U; +} + +Hacl_Impl_Poly1305_32_State_poly1305_state +Hacl_Poly1305_32_mk_state(uint32_t *r, uint32_t *acc) +{ + return Hacl_Impl_Poly1305_32_mk_state(r, acc); +} + +void Hacl_Poly1305_32_init(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *k1) +{ + Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; + uint32_t *r = scrut.r; + uint32_t *x0 = r; + FStar_UInt128_t k10 = load128_le(k1); + FStar_UInt128_t + k_clamped = + FStar_UInt128_logand(k10, + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU), + (uint32_t)64U), + FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU))); + uint32_t r0 = (uint32_t)FStar_UInt128_uint128_to_uint64(k_clamped) & (uint32_t)0x3ffffffU; + uint32_t + r1 = + (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)26U)) + & (uint32_t)0x3ffffffU; + uint32_t + r2 = + (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)52U)) + & (uint32_t)0x3ffffffU; + uint32_t + r3 = + (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)78U)) + & (uint32_t)0x3ffffffU; + uint32_t + r4 = + (uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)104U)) + & (uint32_t)0x3ffffffU; + x0[0U] = r0; + x0[1U] = r1; + x0[2U] = r2; + x0[3U] = r3; + x0[4U] = r4; + Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st; + uint32_t *h = scrut0.h; + uint32_t *x00 = h; + x00[0U] = (uint32_t)0U; + x00[1U] = (uint32_t)0U; + x00[2U] = (uint32_t)0U; + x00[3U] = (uint32_t)0U; + x00[4U] = (uint32_t)0U; +} + +void *Hacl_Poly1305_32_empty_log = (void *)(uint8_t)0U; + +void Hacl_Poly1305_32_update_block(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *m) +{ + Hacl_Impl_Poly1305_32_poly1305_update(st, m); +} + +void +Hacl_Poly1305_32_update( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *m, + uint32_t len1 +) +{ + if (!(len1 == (uint32_t)0U)) + { + uint8_t *block = m; + uint8_t *m_ = m + (uint32_t)16U; + uint32_t len2 = len1 - (uint32_t)1U; + Hacl_Poly1305_32_update_block(st, block); + Hacl_Poly1305_32_update(st, m_, len2); + } +} + +void +Hacl_Poly1305_32_update_last( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *m, + uint32_t len1 +) +{ + if (!((uint64_t)len1 == (uint64_t)0U)) + Hacl_Impl_Poly1305_32_poly1305_process_last_block(st, m, (uint64_t)len1); + Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; + uint32_t *h = scrut.h; + uint32_t *acc = h; + Hacl_Impl_Poly1305_32_poly1305_last_pass(acc); +} + +void +Hacl_Poly1305_32_finish( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *mac, + uint8_t *k1 +) +{ + Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st; + uint32_t *h = scrut.h; + uint32_t *acc = h; + FStar_UInt128_t k_ = load128_le(k1); + uint32_t h0 = acc[0U]; + uint32_t h1 = acc[1U]; + uint32_t h2 = acc[2U]; + uint32_t h3 = acc[3U]; + uint32_t h4 = acc[4U]; + FStar_UInt128_t + acc_ = + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h4), + (uint32_t)104U), + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h3), + (uint32_t)78U), + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h2), + (uint32_t)52U), + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h1), + (uint32_t)26U), + FStar_UInt128_uint64_to_uint128((uint64_t)h0))))); + FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_); + store128_le(mac, mac_); +} + +void +Hacl_Poly1305_32_crypto_onetimeauth( + uint8_t *output, + uint8_t *input, + uint64_t len1, + uint8_t *k1 +) +{ + Hacl_Standalone_Poly1305_32_crypto_onetimeauth(output, input, len1, k1); +} + diff --git a/vendors/ocaml-hacl/src/Hacl_Poly1305_32.h b/vendors/ocaml-hacl/src/Hacl_Poly1305_32.h new file mode 100644 index 000000000..dff33a6fa --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Poly1305_32.h @@ -0,0 +1,120 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_Poly1305_32_H +#define __Hacl_Poly1305_32_H + + + + + +typedef uint32_t Hacl_Bignum_Constants_limb; + +typedef uint64_t Hacl_Bignum_Constants_wide; + +typedef uint64_t Hacl_Bignum_Wide_t; + +typedef uint32_t Hacl_Bignum_Limb_t; + +typedef void *Hacl_Impl_Poly1305_32_State_log_t; + +typedef uint8_t *Hacl_Impl_Poly1305_32_State_uint8_p; + +typedef uint32_t *Hacl_Impl_Poly1305_32_State_bigint; + +typedef void *Hacl_Impl_Poly1305_32_State_seqelem; + +typedef uint32_t *Hacl_Impl_Poly1305_32_State_elemB; + +typedef uint8_t *Hacl_Impl_Poly1305_32_State_wordB; + +typedef uint8_t *Hacl_Impl_Poly1305_32_State_wordB_16; + +typedef struct +{ + uint32_t *r; + uint32_t *h; +} +Hacl_Impl_Poly1305_32_State_poly1305_state; + +typedef void *Hacl_Impl_Poly1305_32_log_t; + +typedef uint32_t *Hacl_Impl_Poly1305_32_bigint; + +typedef uint8_t *Hacl_Impl_Poly1305_32_uint8_p; + +typedef uint32_t *Hacl_Impl_Poly1305_32_elemB; + +typedef uint8_t *Hacl_Impl_Poly1305_32_wordB; + +typedef uint8_t *Hacl_Impl_Poly1305_32_wordB_16; + +typedef uint8_t *Hacl_Poly1305_32_uint8_p; + +typedef uint64_t Hacl_Poly1305_32_uint64_t; + +void *Hacl_Poly1305_32_op_String_Access(FStar_Monotonic_HyperStack_mem h, uint8_t *b); + +typedef uint8_t *Hacl_Poly1305_32_key; + +typedef Hacl_Impl_Poly1305_32_State_poly1305_state Hacl_Poly1305_32_state; + +Hacl_Impl_Poly1305_32_State_poly1305_state +Hacl_Poly1305_32_mk_state(uint32_t *r, uint32_t *acc); + +void Hacl_Poly1305_32_init(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *k1); + +extern void *Hacl_Poly1305_32_empty_log; + +void Hacl_Poly1305_32_update_block(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *m); + +void +Hacl_Poly1305_32_update( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *m, + uint32_t len1 +); + +void +Hacl_Poly1305_32_update_last( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *m, + uint32_t len1 +); + +void +Hacl_Poly1305_32_finish( + Hacl_Impl_Poly1305_32_State_poly1305_state st, + uint8_t *mac, + uint8_t *k1 +); + +void +Hacl_Poly1305_32_crypto_onetimeauth( + uint8_t *output, + uint8_t *input, + uint64_t len1, + uint8_t *k1 +); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_Poly1305_64.c b/vendors/ocaml-hacl/src/Hacl_Poly1305_64.c new file mode 100644 index 000000000..3bb5ad84b --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Poly1305_64.c @@ -0,0 +1,511 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Poly1305_64.h" + +inline static void Hacl_Bignum_Modulo_reduce(uint64_t *b) +{ + uint64_t b0 = b[0U]; + b[0U] = (b0 << (uint32_t)4U) + (b0 << (uint32_t)2U); +} + +inline static void Hacl_Bignum_Modulo_carry_top(uint64_t *b) +{ + uint64_t b2 = b[2U]; + uint64_t b0 = b[0U]; + uint64_t b2_42 = b2 >> (uint32_t)42U; + b[2U] = b2 & (uint64_t)0x3ffffffffffU; + b[0U] = (b2_42 << (uint32_t)2U) + b2_42 + b0; +} + +inline static void Hacl_Bignum_Modulo_carry_top_wide(FStar_UInt128_t *b) +{ + FStar_UInt128_t b2 = b[2U]; + FStar_UInt128_t b0 = b[0U]; + FStar_UInt128_t + b2_ = FStar_UInt128_logand(b2, FStar_UInt128_uint64_to_uint128((uint64_t)0x3ffffffffffU)); + uint64_t b2_42 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b2, (uint32_t)42U)); + FStar_UInt128_t + b0_ = FStar_UInt128_add(b0, FStar_UInt128_uint64_to_uint128((b2_42 << (uint32_t)2U) + b2_42)); + b[2U] = b2_; + b[0U] = b0_; +} + +inline static void +Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_t *input) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U) + { + FStar_UInt128_t xi = input[i]; + output[i] = FStar_UInt128_uint128_to_uint64(xi); + } +} + +inline static void +Hacl_Bignum_Fproduct_sum_scalar_multiplication_( + FStar_UInt128_t *output, + uint64_t *input, + uint64_t s +) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U) + { + FStar_UInt128_t xi = output[i]; + uint64_t yi = input[i]; + output[i] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s)); + } +} + +inline static void Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_t *tmp) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U) + { + uint32_t ctr = i; + FStar_UInt128_t tctr = tmp[ctr]; + FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0xfffffffffffU; + FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)44U); + tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0); + tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c); + } +} + +inline static void Hacl_Bignum_Fproduct_carry_limb_(uint64_t *tmp) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U) + { + uint32_t ctr = i; + uint64_t tctr = tmp[ctr]; + uint64_t tctrp1 = tmp[ctr + (uint32_t)1U]; + uint64_t r0 = tctr & (uint64_t)0xfffffffffffU; + uint64_t c = tctr >> (uint32_t)44U; + tmp[ctr] = r0; + tmp[ctr + (uint32_t)1U] = tctrp1 + c; + } +} + +inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output) +{ + uint64_t tmp = output[2U]; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U) + { + uint32_t ctr = (uint32_t)3U - i - (uint32_t)1U; + uint64_t z = output[ctr - (uint32_t)1U]; + output[ctr] = z; + } + output[0U] = tmp; + Hacl_Bignum_Modulo_reduce(output); +} + +static void +Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input2) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U) + { + uint64_t input2i = input2[i]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); + Hacl_Bignum_Fmul_shift_reduce(input); + } + uint32_t i = (uint32_t)2U; + uint64_t input2i = input2[i]; + Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i); +} + +inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input2) +{ + uint64_t tmp[3U] = { 0U }; + memcpy(tmp, input, (uint32_t)3U * sizeof input[0U]); + KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)3U); + FStar_UInt128_t t[3U]; + for (uint32_t _i = 0U; _i < (uint32_t)3U; ++_i) + t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U); + Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2); + Hacl_Bignum_Fproduct_carry_wide_(t); + Hacl_Bignum_Modulo_carry_top_wide(t); + Hacl_Bignum_Fproduct_copy_from_wide_(output, t); + uint64_t i0 = output[0U]; + uint64_t i1 = output[1U]; + uint64_t i0_ = i0 & (uint64_t)0xfffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)44U); + output[0U] = i0_; + output[1U] = i1_; +} + +inline static void +Hacl_Bignum_AddAndMultiply_add_and_multiply(uint64_t *acc, uint64_t *block, uint64_t *r) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U) + { + uint64_t xi = acc[i]; + uint64_t yi = block[i]; + acc[i] = xi + yi; + } + Hacl_Bignum_Fmul_fmul(acc, acc, r); +} + +inline static void +Hacl_Impl_Poly1305_64_poly1305_update( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m +) +{ + Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; + uint64_t *h = scrut0.h; + uint64_t *acc = h; + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *r = scrut.r; + uint64_t *r3 = r; + uint64_t tmp[3U] = { 0U }; + FStar_UInt128_t m0 = load128_le(m); + uint64_t r0 = FStar_UInt128_uint128_to_uint64(m0) & (uint64_t)0xfffffffffffU; + uint64_t + r1 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)44U)) + & (uint64_t)0xfffffffffffU; + uint64_t r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)88U)); + tmp[0U] = r0; + tmp[1U] = r1; + tmp[2U] = r2; + uint64_t b2 = tmp[2U]; + uint64_t b2_ = (uint64_t)0x10000000000U | b2; + tmp[2U] = b2_; + Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r3); +} + +inline static void +Hacl_Impl_Poly1305_64_poly1305_process_last_block_( + uint8_t *block, + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint64_t rem_ +) +{ + uint64_t tmp[3U] = { 0U }; + FStar_UInt128_t m0 = load128_le(block); + uint64_t r0 = FStar_UInt128_uint128_to_uint64(m0) & (uint64_t)0xfffffffffffU; + uint64_t + r1 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)44U)) + & (uint64_t)0xfffffffffffU; + uint64_t r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)88U)); + tmp[0U] = r0; + tmp[1U] = r1; + tmp[2U] = r2; + Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; + uint64_t *h = scrut0.h; + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *r = scrut.r; + Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r); +} + +inline static void +Hacl_Impl_Poly1305_64_poly1305_process_last_block( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint64_t rem_ +) +{ + uint8_t zero1 = (uint8_t)0U; + KRML_CHECK_SIZE(zero1, (uint32_t)16U); + uint8_t block[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + block[_i] = zero1; + uint32_t i0 = (uint32_t)rem_; + uint32_t i = (uint32_t)rem_; + memcpy(block, m, i * sizeof m[0U]); + block[i0] = (uint8_t)1U; + Hacl_Impl_Poly1305_64_poly1305_process_last_block_(block, st, m, rem_); +} + +static void Hacl_Impl_Poly1305_64_poly1305_last_pass(uint64_t *acc) +{ + Hacl_Bignum_Fproduct_carry_limb_(acc); + Hacl_Bignum_Modulo_carry_top(acc); + uint64_t a0 = acc[0U]; + uint64_t a10 = acc[1U]; + uint64_t a20 = acc[2U]; + uint64_t a0_ = a0 & (uint64_t)0xfffffffffffU; + uint64_t r0 = a0 >> (uint32_t)44U; + uint64_t a1_ = (a10 + r0) & (uint64_t)0xfffffffffffU; + uint64_t r1 = (a10 + r0) >> (uint32_t)44U; + uint64_t a2_ = a20 + r1; + acc[0U] = a0_; + acc[1U] = a1_; + acc[2U] = a2_; + Hacl_Bignum_Modulo_carry_top(acc); + uint64_t i0 = acc[0U]; + uint64_t i1 = acc[1U]; + uint64_t i0_ = i0 & (uint64_t)0xfffffffffffU; + uint64_t i1_ = i1 + (i0 >> (uint32_t)44U); + acc[0U] = i0_; + acc[1U] = i1_; + uint64_t a00 = acc[0U]; + uint64_t a1 = acc[1U]; + uint64_t a2 = acc[2U]; + uint64_t mask0 = FStar_UInt64_gte_mask(a00, (uint64_t)0xffffffffffbU); + uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0xfffffffffffU); + uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x3ffffffffffU); + uint64_t mask = (mask0 & mask1) & mask2; + uint64_t a0_0 = a00 - ((uint64_t)0xffffffffffbU & mask); + uint64_t a1_0 = a1 - ((uint64_t)0xfffffffffffU & mask); + uint64_t a2_0 = a2 - ((uint64_t)0x3ffffffffffU & mask); + acc[0U] = a0_0; + acc[1U] = a1_0; + acc[2U] = a2_0; +} + +static Hacl_Impl_Poly1305_64_State_poly1305_state +Hacl_Impl_Poly1305_64_mk_state(uint64_t *r, uint64_t *h) +{ + return ((Hacl_Impl_Poly1305_64_State_poly1305_state){ .r = r, .h = h }); +} + +static void +Hacl_Standalone_Poly1305_64_poly1305_blocks( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint64_t len1 +) +{ + if (!(len1 == (uint64_t)0U)) + { + uint8_t *block = m; + uint8_t *tail1 = m + (uint32_t)16U; + Hacl_Impl_Poly1305_64_poly1305_update(st, block); + uint64_t len2 = len1 - (uint64_t)1U; + Hacl_Standalone_Poly1305_64_poly1305_blocks(st, tail1, len2); + } +} + +static void +Hacl_Standalone_Poly1305_64_poly1305_partial( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *input, + uint64_t len1, + uint8_t *kr +) +{ + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *r = scrut.r; + uint64_t *x0 = r; + FStar_UInt128_t k1 = load128_le(kr); + FStar_UInt128_t + k_clamped = + FStar_UInt128_logand(k1, + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU), + (uint32_t)64U), + FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU))); + uint64_t r0 = FStar_UInt128_uint128_to_uint64(k_clamped) & (uint64_t)0xfffffffffffU; + uint64_t + r1 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)44U)) + & (uint64_t)0xfffffffffffU; + uint64_t + r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)88U)); + x0[0U] = r0; + x0[1U] = r1; + x0[2U] = r2; + Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; + uint64_t *h = scrut0.h; + uint64_t *x00 = h; + x00[0U] = (uint64_t)0U; + x00[1U] = (uint64_t)0U; + x00[2U] = (uint64_t)0U; + Hacl_Standalone_Poly1305_64_poly1305_blocks(st, input, len1); +} + +static void +Hacl_Standalone_Poly1305_64_poly1305_complete( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint64_t len1, + uint8_t *k1 +) +{ + uint8_t *kr = k1; + uint64_t len16 = len1 >> (uint32_t)4U; + uint64_t rem16 = len1 & (uint64_t)0xfU; + uint8_t *part_input = m; + uint8_t *last_block = m + (uint32_t)((uint64_t)16U * len16); + Hacl_Standalone_Poly1305_64_poly1305_partial(st, part_input, len16, kr); + if (!(rem16 == (uint64_t)0U)) + Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, last_block, rem16); + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *h = scrut.h; + uint64_t *acc = h; + Hacl_Impl_Poly1305_64_poly1305_last_pass(acc); +} + +static void +Hacl_Standalone_Poly1305_64_crypto_onetimeauth_( + uint8_t *output, + uint8_t *input, + uint64_t len1, + uint8_t *k1 +) +{ + uint64_t buf[6U] = { 0U }; + uint64_t *r = buf; + uint64_t *h = buf + (uint32_t)3U; + Hacl_Impl_Poly1305_64_State_poly1305_state st = Hacl_Impl_Poly1305_64_mk_state(r, h); + uint8_t *key_s = k1 + (uint32_t)16U; + Hacl_Standalone_Poly1305_64_poly1305_complete(st, input, len1, k1); + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *h3 = scrut.h; + uint64_t *acc = h3; + FStar_UInt128_t k_ = load128_le(key_s); + uint64_t h0 = acc[0U]; + uint64_t h1 = acc[1U]; + uint64_t h2 = acc[2U]; + FStar_UInt128_t + acc_ = + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128(h2 + << (uint32_t)24U + | h1 >> (uint32_t)20U), + (uint32_t)64U), + FStar_UInt128_uint64_to_uint128(h1 << (uint32_t)44U | h0)); + FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_); + store128_le(output, mac_); +} + +static void +Hacl_Standalone_Poly1305_64_crypto_onetimeauth( + uint8_t *output, + uint8_t *input, + uint64_t len1, + uint8_t *k1 +) +{ + Hacl_Standalone_Poly1305_64_crypto_onetimeauth_(output, input, len1, k1); +} + +Hacl_Impl_Poly1305_64_State_poly1305_state +Hacl_Poly1305_64_mk_state(uint64_t *r, uint64_t *acc) +{ + return Hacl_Impl_Poly1305_64_mk_state(r, acc); +} + +void Hacl_Poly1305_64_init(Hacl_Impl_Poly1305_64_State_poly1305_state st, uint8_t *k1) +{ + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *r = scrut.r; + uint64_t *x0 = r; + FStar_UInt128_t k10 = load128_le(k1); + FStar_UInt128_t + k_clamped = + FStar_UInt128_logand(k10, + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU), + (uint32_t)64U), + FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU))); + uint64_t r0 = FStar_UInt128_uint128_to_uint64(k_clamped) & (uint64_t)0xfffffffffffU; + uint64_t + r1 = + FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)44U)) + & (uint64_t)0xfffffffffffU; + uint64_t + r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)88U)); + x0[0U] = r0; + x0[1U] = r1; + x0[2U] = r2; + Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st; + uint64_t *h = scrut0.h; + uint64_t *x00 = h; + x00[0U] = (uint64_t)0U; + x00[1U] = (uint64_t)0U; + x00[2U] = (uint64_t)0U; +} + +void Hacl_Poly1305_64_update_block(Hacl_Impl_Poly1305_64_State_poly1305_state st, uint8_t *m) +{ + Hacl_Impl_Poly1305_64_poly1305_update(st, m); +} + +void +Hacl_Poly1305_64_update( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint32_t num_blocks +) +{ + if (!(num_blocks == (uint32_t)0U)) + { + uint8_t *block = m; + uint8_t *m_ = m + (uint32_t)16U; + uint32_t n1 = num_blocks - (uint32_t)1U; + Hacl_Poly1305_64_update_block(st, block); + Hacl_Poly1305_64_update(st, m_, n1); + } +} + +void +Hacl_Poly1305_64_update_last( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint32_t len1 +) +{ + if (!((uint64_t)len1 == (uint64_t)0U)) + Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, m, (uint64_t)len1); + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *h = scrut.h; + uint64_t *acc = h; + Hacl_Impl_Poly1305_64_poly1305_last_pass(acc); +} + +void +Hacl_Poly1305_64_finish( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *mac, + uint8_t *k1 +) +{ + Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st; + uint64_t *h = scrut.h; + uint64_t *acc = h; + FStar_UInt128_t k_ = load128_le(k1); + uint64_t h0 = acc[0U]; + uint64_t h1 = acc[1U]; + uint64_t h2 = acc[2U]; + FStar_UInt128_t + acc_ = + FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128(h2 + << (uint32_t)24U + | h1 >> (uint32_t)20U), + (uint32_t)64U), + FStar_UInt128_uint64_to_uint128(h1 << (uint32_t)44U | h0)); + FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_); + store128_le(mac, mac_); +} + +void +Hacl_Poly1305_64_crypto_onetimeauth( + uint8_t *output, + uint8_t *input, + uint64_t len1, + uint8_t *k1 +) +{ + Hacl_Standalone_Poly1305_64_crypto_onetimeauth(output, input, len1, k1); +} + diff --git a/vendors/ocaml-hacl/src/Hacl_Poly1305_64.h b/vendors/ocaml-hacl/src/Hacl_Poly1305_64.h new file mode 100644 index 000000000..586d2994c --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Poly1305_64.h @@ -0,0 +1,116 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_Poly1305_64_H +#define __Hacl_Poly1305_64_H + + + + + +typedef uint64_t Hacl_Bignum_Constants_limb; + +typedef FStar_UInt128_t Hacl_Bignum_Constants_wide; + +typedef FStar_UInt128_t Hacl_Bignum_Wide_t; + +typedef uint64_t Hacl_Bignum_Limb_t; + +typedef void *Hacl_Impl_Poly1305_64_State_log_t; + +typedef uint8_t *Hacl_Impl_Poly1305_64_State_uint8_p; + +typedef uint64_t *Hacl_Impl_Poly1305_64_State_bigint; + +typedef void *Hacl_Impl_Poly1305_64_State_seqelem; + +typedef uint64_t *Hacl_Impl_Poly1305_64_State_elemB; + +typedef uint8_t *Hacl_Impl_Poly1305_64_State_wordB; + +typedef uint8_t *Hacl_Impl_Poly1305_64_State_wordB_16; + +typedef struct +{ + uint64_t *r; + uint64_t *h; +} +Hacl_Impl_Poly1305_64_State_poly1305_state; + +typedef void *Hacl_Impl_Poly1305_64_log_t; + +typedef uint64_t *Hacl_Impl_Poly1305_64_bigint; + +typedef uint8_t *Hacl_Impl_Poly1305_64_uint8_p; + +typedef uint64_t *Hacl_Impl_Poly1305_64_elemB; + +typedef uint8_t *Hacl_Impl_Poly1305_64_wordB; + +typedef uint8_t *Hacl_Impl_Poly1305_64_wordB_16; + +typedef uint8_t *Hacl_Poly1305_64_uint8_p; + +typedef uint64_t Hacl_Poly1305_64_uint64_t; + +typedef uint8_t *Hacl_Poly1305_64_key; + +typedef Hacl_Impl_Poly1305_64_State_poly1305_state Hacl_Poly1305_64_state; + +Hacl_Impl_Poly1305_64_State_poly1305_state +Hacl_Poly1305_64_mk_state(uint64_t *r, uint64_t *acc); + +void Hacl_Poly1305_64_init(Hacl_Impl_Poly1305_64_State_poly1305_state st, uint8_t *k1); + +void Hacl_Poly1305_64_update_block(Hacl_Impl_Poly1305_64_State_poly1305_state st, uint8_t *m); + +void +Hacl_Poly1305_64_update( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint32_t num_blocks +); + +void +Hacl_Poly1305_64_update_last( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *m, + uint32_t len1 +); + +void +Hacl_Poly1305_64_finish( + Hacl_Impl_Poly1305_64_State_poly1305_state st, + uint8_t *mac, + uint8_t *k1 +); + +void +Hacl_Poly1305_64_crypto_onetimeauth( + uint8_t *output, + uint8_t *input, + uint64_t len1, + uint8_t *k1 +); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_SHA2_256.c b/vendors/ocaml-hacl/src/Hacl_SHA2_256.c new file mode 100644 index 000000000..434ad4e26 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_SHA2_256.c @@ -0,0 +1,334 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_SHA2_256.h" + +static void +Hacl_Hash_Lib_LoadStore_uint32s_from_be_bytes(uint32_t *output, uint8_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t *x0 = input + (uint32_t)4U * i; + uint32_t inputi = load32_be(x0); + output[i] = inputi; + } +} + +static void +Hacl_Hash_Lib_LoadStore_uint32s_to_be_bytes(uint8_t *output, uint32_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint32_t hd1 = input[i]; + uint8_t *x0 = output + (uint32_t)4U * i; + store32_be(x0, hd1); + } +} + +static void Hacl_Impl_SHA2_256_init(uint32_t *state) +{ + uint32_t *n1 = state + (uint32_t)136U; + uint32_t *k1 = state; + uint32_t *h_01 = state + (uint32_t)128U; + uint32_t *p10 = k1; + uint32_t *p20 = k1 + (uint32_t)16U; + uint32_t *p3 = k1 + (uint32_t)32U; + uint32_t *p4 = k1 + (uint32_t)48U; + uint32_t *p11 = p10; + uint32_t *p21 = p10 + (uint32_t)8U; + uint32_t *p12 = p11; + uint32_t *p22 = p11 + (uint32_t)4U; + p12[0U] = (uint32_t)0x428a2f98U; + p12[1U] = (uint32_t)0x71374491U; + p12[2U] = (uint32_t)0xb5c0fbcfU; + p12[3U] = (uint32_t)0xe9b5dba5U; + p22[0U] = (uint32_t)0x3956c25bU; + p22[1U] = (uint32_t)0x59f111f1U; + p22[2U] = (uint32_t)0x923f82a4U; + p22[3U] = (uint32_t)0xab1c5ed5U; + uint32_t *p13 = p21; + uint32_t *p23 = p21 + (uint32_t)4U; + p13[0U] = (uint32_t)0xd807aa98U; + p13[1U] = (uint32_t)0x12835b01U; + p13[2U] = (uint32_t)0x243185beU; + p13[3U] = (uint32_t)0x550c7dc3U; + p23[0U] = (uint32_t)0x72be5d74U; + p23[1U] = (uint32_t)0x80deb1feU; + p23[2U] = (uint32_t)0x9bdc06a7U; + p23[3U] = (uint32_t)0xc19bf174U; + uint32_t *p14 = p20; + uint32_t *p24 = p20 + (uint32_t)8U; + uint32_t *p15 = p14; + uint32_t *p25 = p14 + (uint32_t)4U; + p15[0U] = (uint32_t)0xe49b69c1U; + p15[1U] = (uint32_t)0xefbe4786U; + p15[2U] = (uint32_t)0x0fc19dc6U; + p15[3U] = (uint32_t)0x240ca1ccU; + p25[0U] = (uint32_t)0x2de92c6fU; + p25[1U] = (uint32_t)0x4a7484aaU; + p25[2U] = (uint32_t)0x5cb0a9dcU; + p25[3U] = (uint32_t)0x76f988daU; + uint32_t *p16 = p24; + uint32_t *p26 = p24 + (uint32_t)4U; + p16[0U] = (uint32_t)0x983e5152U; + p16[1U] = (uint32_t)0xa831c66dU; + p16[2U] = (uint32_t)0xb00327c8U; + p16[3U] = (uint32_t)0xbf597fc7U; + p26[0U] = (uint32_t)0xc6e00bf3U; + p26[1U] = (uint32_t)0xd5a79147U; + p26[2U] = (uint32_t)0x06ca6351U; + p26[3U] = (uint32_t)0x14292967U; + uint32_t *p17 = p3; + uint32_t *p27 = p3 + (uint32_t)8U; + uint32_t *p18 = p17; + uint32_t *p28 = p17 + (uint32_t)4U; + p18[0U] = (uint32_t)0x27b70a85U; + p18[1U] = (uint32_t)0x2e1b2138U; + p18[2U] = (uint32_t)0x4d2c6dfcU; + p18[3U] = (uint32_t)0x53380d13U; + p28[0U] = (uint32_t)0x650a7354U; + p28[1U] = (uint32_t)0x766a0abbU; + p28[2U] = (uint32_t)0x81c2c92eU; + p28[3U] = (uint32_t)0x92722c85U; + uint32_t *p19 = p27; + uint32_t *p29 = p27 + (uint32_t)4U; + p19[0U] = (uint32_t)0xa2bfe8a1U; + p19[1U] = (uint32_t)0xa81a664bU; + p19[2U] = (uint32_t)0xc24b8b70U; + p19[3U] = (uint32_t)0xc76c51a3U; + p29[0U] = (uint32_t)0xd192e819U; + p29[1U] = (uint32_t)0xd6990624U; + p29[2U] = (uint32_t)0xf40e3585U; + p29[3U] = (uint32_t)0x106aa070U; + uint32_t *p110 = p4; + uint32_t *p210 = p4 + (uint32_t)8U; + uint32_t *p1 = p110; + uint32_t *p211 = p110 + (uint32_t)4U; + p1[0U] = (uint32_t)0x19a4c116U; + p1[1U] = (uint32_t)0x1e376c08U; + p1[2U] = (uint32_t)0x2748774cU; + p1[3U] = (uint32_t)0x34b0bcb5U; + p211[0U] = (uint32_t)0x391c0cb3U; + p211[1U] = (uint32_t)0x4ed8aa4aU; + p211[2U] = (uint32_t)0x5b9cca4fU; + p211[3U] = (uint32_t)0x682e6ff3U; + uint32_t *p111 = p210; + uint32_t *p212 = p210 + (uint32_t)4U; + p111[0U] = (uint32_t)0x748f82eeU; + p111[1U] = (uint32_t)0x78a5636fU; + p111[2U] = (uint32_t)0x84c87814U; + p111[3U] = (uint32_t)0x8cc70208U; + p212[0U] = (uint32_t)0x90befffaU; + p212[1U] = (uint32_t)0xa4506cebU; + p212[2U] = (uint32_t)0xbef9a3f7U; + p212[3U] = (uint32_t)0xc67178f2U; + uint32_t *p112 = h_01; + uint32_t *p2 = h_01 + (uint32_t)4U; + p112[0U] = (uint32_t)0x6a09e667U; + p112[1U] = (uint32_t)0xbb67ae85U; + p112[2U] = (uint32_t)0x3c6ef372U; + p112[3U] = (uint32_t)0xa54ff53aU; + p2[0U] = (uint32_t)0x510e527fU; + p2[1U] = (uint32_t)0x9b05688cU; + p2[2U] = (uint32_t)0x1f83d9abU; + p2[3U] = (uint32_t)0x5be0cd19U; + n1[0U] = (uint32_t)0U; +} + +static void Hacl_Impl_SHA2_256_update(uint32_t *state, uint8_t *data) +{ + uint32_t data_w[16U] = { 0U }; + Hacl_Hash_Lib_LoadStore_uint32s_from_be_bytes(data_w, data, (uint32_t)16U); + uint32_t *hash_w = state + (uint32_t)128U; + uint32_t *ws_w = state + (uint32_t)64U; + uint32_t *k_w = state; + uint32_t *counter_w = state + (uint32_t)136U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) + { + uint32_t b = data_w[i]; + ws_w[i] = b; + } + for (uint32_t i = (uint32_t)16U; i < (uint32_t)64U; i = i + (uint32_t)1U) + { + uint32_t t16 = ws_w[i - (uint32_t)16U]; + uint32_t t15 = ws_w[i - (uint32_t)15U]; + uint32_t t7 = ws_w[i - (uint32_t)7U]; + uint32_t t2 = ws_w[i - (uint32_t)2U]; + ws_w[i] = + ((t2 >> (uint32_t)17U | t2 << ((uint32_t)32U - (uint32_t)17U)) + ^ ((t2 >> (uint32_t)19U | t2 << ((uint32_t)32U - (uint32_t)19U)) ^ t2 >> (uint32_t)10U)) + + + t7 + + + ((t15 >> (uint32_t)7U | t15 << ((uint32_t)32U - (uint32_t)7U)) + ^ ((t15 >> (uint32_t)18U | t15 << ((uint32_t)32U - (uint32_t)18U)) ^ t15 >> (uint32_t)3U)) + + t16; + } + uint32_t hash_0[8U] = { 0U }; + memcpy(hash_0, hash_w, (uint32_t)8U * sizeof hash_w[0U]); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i = i + (uint32_t)1U) + { + uint32_t a = hash_0[0U]; + uint32_t b = hash_0[1U]; + uint32_t c = hash_0[2U]; + uint32_t d = hash_0[3U]; + uint32_t e = hash_0[4U]; + uint32_t f1 = hash_0[5U]; + uint32_t g = hash_0[6U]; + uint32_t h = hash_0[7U]; + uint32_t kt = k_w[i]; + uint32_t wst = ws_w[i]; + uint32_t + t1 = + h + + + ((e >> (uint32_t)6U | e << ((uint32_t)32U - (uint32_t)6U)) + ^ + ((e >> (uint32_t)11U | e << ((uint32_t)32U - (uint32_t)11U)) + ^ (e >> (uint32_t)25U | e << ((uint32_t)32U - (uint32_t)25U)))) + + ((e & f1) ^ (~e & g)) + + kt + + wst; + uint32_t + t2 = + ((a >> (uint32_t)2U | a << ((uint32_t)32U - (uint32_t)2U)) + ^ + ((a >> (uint32_t)13U | a << ((uint32_t)32U - (uint32_t)13U)) + ^ (a >> (uint32_t)22U | a << ((uint32_t)32U - (uint32_t)22U)))) + + ((a & b) ^ ((a & c) ^ (b & c))); + uint32_t x1 = t1 + t2; + uint32_t x5 = d + t1; + uint32_t *p1 = hash_0; + uint32_t *p2 = hash_0 + (uint32_t)4U; + p1[0U] = x1; + p1[1U] = a; + p1[2U] = b; + p1[3U] = c; + p2[0U] = x5; + p2[1U] = e; + p2[2U] = f1; + p2[3U] = g; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U) + { + uint32_t xi = hash_w[i]; + uint32_t yi = hash_0[i]; + hash_w[i] = xi + yi; + } + uint32_t c0 = counter_w[0U]; + uint32_t one1 = (uint32_t)1U; + counter_w[0U] = c0 + one1; +} + +static void Hacl_Impl_SHA2_256_update_multi(uint32_t *state, uint8_t *data, uint32_t n1) +{ + for (uint32_t i = (uint32_t)0U; i < n1; i = i + (uint32_t)1U) + { + uint8_t *b = data + i * (uint32_t)64U; + Hacl_Impl_SHA2_256_update(state, b); + } +} + +static void Hacl_Impl_SHA2_256_update_last(uint32_t *state, uint8_t *data, uint32_t len) +{ + uint8_t blocks[128U] = { 0U }; + uint32_t nb; + if (len < (uint32_t)56U) + nb = (uint32_t)1U; + else + nb = (uint32_t)2U; + uint8_t *final_blocks; + if (len < (uint32_t)56U) + final_blocks = blocks + (uint32_t)64U; + else + final_blocks = blocks; + memcpy(final_blocks, data, len * sizeof data[0U]); + uint32_t n1 = state[136U]; + uint8_t *padding = final_blocks + len; + uint32_t + pad0len = ((uint32_t)64U - (len + (uint32_t)8U + (uint32_t)1U) % (uint32_t)64U) % (uint32_t)64U; + uint8_t *buf1 = padding; + uint8_t *buf2 = padding + (uint32_t)1U + pad0len; + uint64_t + encodedlen = ((uint64_t)n1 * (uint64_t)(uint32_t)64U + (uint64_t)len) * (uint64_t)(uint32_t)8U; + buf1[0U] = (uint8_t)0x80U; + store64_be(buf2, encodedlen); + Hacl_Impl_SHA2_256_update_multi(state, final_blocks, nb); +} + +static void Hacl_Impl_SHA2_256_finish(uint32_t *state, uint8_t *hash1) +{ + uint32_t *hash_w = state + (uint32_t)128U; + Hacl_Hash_Lib_LoadStore_uint32s_to_be_bytes(hash1, hash_w, (uint32_t)8U); +} + +static void Hacl_Impl_SHA2_256_hash(uint8_t *hash1, uint8_t *input, uint32_t len) +{ + uint32_t state[137U] = { 0U }; + uint32_t n1 = len / (uint32_t)64U; + uint32_t r = len % (uint32_t)64U; + uint8_t *input_blocks = input; + uint8_t *input_last = input + n1 * (uint32_t)64U; + Hacl_Impl_SHA2_256_init(state); + Hacl_Impl_SHA2_256_update_multi(state, input_blocks, n1); + Hacl_Impl_SHA2_256_update_last(state, input_last, r); + Hacl_Impl_SHA2_256_finish(state, hash1); +} + +uint32_t Hacl_SHA2_256_size_hash = (uint32_t)32U; + +uint32_t Hacl_SHA2_256_size_block = (uint32_t)64U; + +uint32_t Hacl_SHA2_256_size_state = (uint32_t)137U; + +void Hacl_SHA2_256_init(uint32_t *state) +{ + Hacl_Impl_SHA2_256_init(state); +} + +void Hacl_SHA2_256_update(uint32_t *state, uint8_t *data_8) +{ + Hacl_Impl_SHA2_256_update(state, data_8); +} + +void Hacl_SHA2_256_update_multi(uint32_t *state, uint8_t *data, uint32_t n1) +{ + Hacl_Impl_SHA2_256_update_multi(state, data, n1); +} + +void Hacl_SHA2_256_update_last(uint32_t *state, uint8_t *data, uint32_t len) +{ + Hacl_Impl_SHA2_256_update_last(state, data, len); +} + +void Hacl_SHA2_256_finish(uint32_t *state, uint8_t *hash1) +{ + Hacl_Impl_SHA2_256_finish(state, hash1); +} + +void Hacl_SHA2_256_hash(uint8_t *hash1, uint8_t *input, uint32_t len) +{ + Hacl_Impl_SHA2_256_hash(hash1, input, len); +} + diff --git a/vendors/ocaml-hacl/src/Hacl_SHA2_256.h b/vendors/ocaml-hacl/src/Hacl_SHA2_256.h new file mode 100644 index 000000000..fa326849d --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_SHA2_256.h @@ -0,0 +1,99 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_SHA2_256_H +#define __Hacl_SHA2_256_H + + + + + +typedef uint8_t Hacl_Hash_Lib_Create_uint8_t; + +typedef uint32_t Hacl_Hash_Lib_Create_uint32_t; + +typedef uint64_t Hacl_Hash_Lib_Create_uint64_t; + +typedef uint8_t Hacl_Hash_Lib_Create_uint8_ht; + +typedef uint32_t Hacl_Hash_Lib_Create_uint32_ht; + +typedef uint64_t Hacl_Hash_Lib_Create_uint64_ht; + +typedef uint8_t *Hacl_Hash_Lib_Create_uint8_p; + +typedef uint32_t *Hacl_Hash_Lib_Create_uint32_p; + +typedef uint64_t *Hacl_Hash_Lib_Create_uint64_p; + +typedef uint8_t *Hacl_Hash_Lib_LoadStore_uint8_p; + +typedef uint8_t Hacl_Impl_SHA2_256_uint8_t; + +typedef uint32_t Hacl_Impl_SHA2_256_uint32_t; + +typedef uint64_t Hacl_Impl_SHA2_256_uint64_t; + +typedef uint8_t Hacl_Impl_SHA2_256_uint8_ht; + +typedef uint32_t Hacl_Impl_SHA2_256_uint32_ht; + +typedef uint64_t Hacl_Impl_SHA2_256_uint64_ht; + +typedef uint32_t *Hacl_Impl_SHA2_256_uint32_p; + +typedef uint8_t *Hacl_Impl_SHA2_256_uint8_p; + +typedef uint8_t Hacl_SHA2_256_uint8_t; + +typedef uint32_t Hacl_SHA2_256_uint32_t; + +typedef uint64_t Hacl_SHA2_256_uint64_t; + +typedef uint8_t Hacl_SHA2_256_uint8_ht; + +typedef uint32_t Hacl_SHA2_256_uint32_ht; + +typedef uint32_t *Hacl_SHA2_256_uint32_p; + +typedef uint8_t *Hacl_SHA2_256_uint8_p; + +extern uint32_t Hacl_SHA2_256_size_hash; + +extern uint32_t Hacl_SHA2_256_size_block; + +extern uint32_t Hacl_SHA2_256_size_state; + +void Hacl_SHA2_256_init(uint32_t *state); + +void Hacl_SHA2_256_update(uint32_t *state, uint8_t *data_8); + +void Hacl_SHA2_256_update_multi(uint32_t *state, uint8_t *data, uint32_t n1); + +void Hacl_SHA2_256_update_last(uint32_t *state, uint8_t *data, uint32_t len); + +void Hacl_SHA2_256_finish(uint32_t *state, uint8_t *hash1); + +void Hacl_SHA2_256_hash(uint8_t *hash1, uint8_t *input, uint32_t len); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_SHA2_384.c b/vendors/ocaml-hacl/src/Hacl_SHA2_384.c new file mode 100644 index 000000000..b933c2413 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_SHA2_384.c @@ -0,0 +1,368 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_SHA2_384.h" + +static void +Hacl_Hash_Lib_LoadStore_uint64s_from_be_bytes(uint64_t *output, uint8_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t *x0 = input + (uint32_t)8U * i; + uint64_t inputi = load64_be(x0); + output[i] = inputi; + } +} + +static void +Hacl_Hash_Lib_LoadStore_uint64s_to_be_bytes(uint8_t *output, uint64_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint64_t hd1 = input[i]; + uint8_t *x0 = output + (uint32_t)8U * i; + store64_be(x0, hd1); + } +} + +static void Hacl_Impl_SHA2_384_init(uint64_t *state) +{ + uint64_t *n1 = state + (uint32_t)168U; + uint64_t *k1 = state; + uint64_t *h_01 = state + (uint32_t)160U; + uint64_t *p10 = k1; + uint64_t *p20 = k1 + (uint32_t)16U; + uint64_t *p3 = k1 + (uint32_t)32U; + uint64_t *p4 = k1 + (uint32_t)48U; + uint64_t *p5 = k1 + (uint32_t)64U; + uint64_t *p11 = p10; + uint64_t *p21 = p10 + (uint32_t)8U; + uint64_t *p12 = p11; + uint64_t *p22 = p11 + (uint32_t)4U; + p12[0U] = (uint64_t)0x428a2f98d728ae22U; + p12[1U] = (uint64_t)0x7137449123ef65cdU; + p12[2U] = (uint64_t)0xb5c0fbcfec4d3b2fU; + p12[3U] = (uint64_t)0xe9b5dba58189dbbcU; + p22[0U] = (uint64_t)0x3956c25bf348b538U; + p22[1U] = (uint64_t)0x59f111f1b605d019U; + p22[2U] = (uint64_t)0x923f82a4af194f9bU; + p22[3U] = (uint64_t)0xab1c5ed5da6d8118U; + uint64_t *p13 = p21; + uint64_t *p23 = p21 + (uint32_t)4U; + p13[0U] = (uint64_t)0xd807aa98a3030242U; + p13[1U] = (uint64_t)0x12835b0145706fbeU; + p13[2U] = (uint64_t)0x243185be4ee4b28cU; + p13[3U] = (uint64_t)0x550c7dc3d5ffb4e2U; + p23[0U] = (uint64_t)0x72be5d74f27b896fU; + p23[1U] = (uint64_t)0x80deb1fe3b1696b1U; + p23[2U] = (uint64_t)0x9bdc06a725c71235U; + p23[3U] = (uint64_t)0xc19bf174cf692694U; + uint64_t *p14 = p20; + uint64_t *p24 = p20 + (uint32_t)8U; + uint64_t *p15 = p14; + uint64_t *p25 = p14 + (uint32_t)4U; + p15[0U] = (uint64_t)0xe49b69c19ef14ad2U; + p15[1U] = (uint64_t)0xefbe4786384f25e3U; + p15[2U] = (uint64_t)0x0fc19dc68b8cd5b5U; + p15[3U] = (uint64_t)0x240ca1cc77ac9c65U; + p25[0U] = (uint64_t)0x2de92c6f592b0275U; + p25[1U] = (uint64_t)0x4a7484aa6ea6e483U; + p25[2U] = (uint64_t)0x5cb0a9dcbd41fbd4U; + p25[3U] = (uint64_t)0x76f988da831153b5U; + uint64_t *p16 = p24; + uint64_t *p26 = p24 + (uint32_t)4U; + p16[0U] = (uint64_t)0x983e5152ee66dfabU; + p16[1U] = (uint64_t)0xa831c66d2db43210U; + p16[2U] = (uint64_t)0xb00327c898fb213fU; + p16[3U] = (uint64_t)0xbf597fc7beef0ee4U; + p26[0U] = (uint64_t)0xc6e00bf33da88fc2U; + p26[1U] = (uint64_t)0xd5a79147930aa725U; + p26[2U] = (uint64_t)0x06ca6351e003826fU; + p26[3U] = (uint64_t)0x142929670a0e6e70U; + uint64_t *p17 = p3; + uint64_t *p27 = p3 + (uint32_t)8U; + uint64_t *p18 = p17; + uint64_t *p28 = p17 + (uint32_t)4U; + p18[0U] = (uint64_t)0x27b70a8546d22ffcU; + p18[1U] = (uint64_t)0x2e1b21385c26c926U; + p18[2U] = (uint64_t)0x4d2c6dfc5ac42aedU; + p18[3U] = (uint64_t)0x53380d139d95b3dfU; + p28[0U] = (uint64_t)0x650a73548baf63deU; + p28[1U] = (uint64_t)0x766a0abb3c77b2a8U; + p28[2U] = (uint64_t)0x81c2c92e47edaee6U; + p28[3U] = (uint64_t)0x92722c851482353bU; + uint64_t *p19 = p27; + uint64_t *p29 = p27 + (uint32_t)4U; + p19[0U] = (uint64_t)0xa2bfe8a14cf10364U; + p19[1U] = (uint64_t)0xa81a664bbc423001U; + p19[2U] = (uint64_t)0xc24b8b70d0f89791U; + p19[3U] = (uint64_t)0xc76c51a30654be30U; + p29[0U] = (uint64_t)0xd192e819d6ef5218U; + p29[1U] = (uint64_t)0xd69906245565a910U; + p29[2U] = (uint64_t)0xf40e35855771202aU; + p29[3U] = (uint64_t)0x106aa07032bbd1b8U; + uint64_t *p110 = p4; + uint64_t *p210 = p4 + (uint32_t)8U; + uint64_t *p111 = p110; + uint64_t *p211 = p110 + (uint32_t)4U; + p111[0U] = (uint64_t)0x19a4c116b8d2d0c8U; + p111[1U] = (uint64_t)0x1e376c085141ab53U; + p111[2U] = (uint64_t)0x2748774cdf8eeb99U; + p111[3U] = (uint64_t)0x34b0bcb5e19b48a8U; + p211[0U] = (uint64_t)0x391c0cb3c5c95a63U; + p211[1U] = (uint64_t)0x4ed8aa4ae3418acbU; + p211[2U] = (uint64_t)0x5b9cca4f7763e373U; + p211[3U] = (uint64_t)0x682e6ff3d6b2b8a3U; + uint64_t *p112 = p210; + uint64_t *p212 = p210 + (uint32_t)4U; + p112[0U] = (uint64_t)0x748f82ee5defb2fcU; + p112[1U] = (uint64_t)0x78a5636f43172f60U; + p112[2U] = (uint64_t)0x84c87814a1f0ab72U; + p112[3U] = (uint64_t)0x8cc702081a6439ecU; + p212[0U] = (uint64_t)0x90befffa23631e28U; + p212[1U] = (uint64_t)0xa4506cebde82bde9U; + p212[2U] = (uint64_t)0xbef9a3f7b2c67915U; + p212[3U] = (uint64_t)0xc67178f2e372532bU; + uint64_t *p113 = p5; + uint64_t *p213 = p5 + (uint32_t)8U; + uint64_t *p1 = p113; + uint64_t *p214 = p113 + (uint32_t)4U; + p1[0U] = (uint64_t)0xca273eceea26619cU; + p1[1U] = (uint64_t)0xd186b8c721c0c207U; + p1[2U] = (uint64_t)0xeada7dd6cde0eb1eU; + p1[3U] = (uint64_t)0xf57d4f7fee6ed178U; + p214[0U] = (uint64_t)0x06f067aa72176fbaU; + p214[1U] = (uint64_t)0x0a637dc5a2c898a6U; + p214[2U] = (uint64_t)0x113f9804bef90daeU; + p214[3U] = (uint64_t)0x1b710b35131c471bU; + uint64_t *p114 = p213; + uint64_t *p215 = p213 + (uint32_t)4U; + p114[0U] = (uint64_t)0x28db77f523047d84U; + p114[1U] = (uint64_t)0x32caab7b40c72493U; + p114[2U] = (uint64_t)0x3c9ebe0a15c9bebcU; + p114[3U] = (uint64_t)0x431d67c49c100d4cU; + p215[0U] = (uint64_t)0x4cc5d4becb3e42b6U; + p215[1U] = (uint64_t)0x597f299cfc657e2aU; + p215[2U] = (uint64_t)0x5fcb6fab3ad6faecU; + p215[3U] = (uint64_t)0x6c44198c4a475817U; + uint64_t *p115 = h_01; + uint64_t *p2 = h_01 + (uint32_t)4U; + p115[0U] = (uint64_t)0xcbbb9d5dc1059ed8U; + p115[1U] = (uint64_t)0x629a292a367cd507U; + p115[2U] = (uint64_t)0x9159015a3070dd17U; + p115[3U] = (uint64_t)0x152fecd8f70e5939U; + p2[0U] = (uint64_t)0x67332667ffc00b31U; + p2[1U] = (uint64_t)0x8eb44a8768581511U; + p2[2U] = (uint64_t)0xdb0c2e0d64f98fa7U; + p2[3U] = (uint64_t)0x47b5481dbefa4fa4U; + n1[0U] = (uint64_t)0U; +} + +static void Hacl_Impl_SHA2_384_update(uint64_t *state, uint8_t *data) +{ + KRML_CHECK_SIZE((uint64_t)(uint32_t)0U, (uint32_t)16U); + uint64_t data_w[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + data_w[_i] = (uint64_t)(uint32_t)0U; + Hacl_Hash_Lib_LoadStore_uint64s_from_be_bytes(data_w, data, (uint32_t)16U); + uint64_t *hash_w = state + (uint32_t)160U; + uint64_t *ws_w = state + (uint32_t)80U; + uint64_t *k_w = state; + uint64_t *counter_w = state + (uint32_t)168U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) + { + uint64_t b = data_w[i]; + ws_w[i] = b; + } + for (uint32_t i = (uint32_t)16U; i < (uint32_t)80U; i = i + (uint32_t)1U) + { + uint64_t t16 = ws_w[i - (uint32_t)16U]; + uint64_t t15 = ws_w[i - (uint32_t)15U]; + uint64_t t7 = ws_w[i - (uint32_t)7U]; + uint64_t t2 = ws_w[i - (uint32_t)2U]; + ws_w[i] = + ((t2 >> (uint32_t)19U | t2 << ((uint32_t)64U - (uint32_t)19U)) + ^ ((t2 >> (uint32_t)61U | t2 << ((uint32_t)64U - (uint32_t)61U)) ^ t2 >> (uint32_t)6U)) + + + t7 + + + ((t15 >> (uint32_t)1U | t15 << ((uint32_t)64U - (uint32_t)1U)) + ^ ((t15 >> (uint32_t)8U | t15 << ((uint32_t)64U - (uint32_t)8U)) ^ t15 >> (uint32_t)7U)) + + t16; + } + uint64_t hash_0[8U] = { 0U }; + memcpy(hash_0, hash_w, (uint32_t)8U * sizeof hash_w[0U]); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i = i + (uint32_t)1U) + { + uint64_t a = hash_0[0U]; + uint64_t b = hash_0[1U]; + uint64_t c = hash_0[2U]; + uint64_t d = hash_0[3U]; + uint64_t e = hash_0[4U]; + uint64_t f1 = hash_0[5U]; + uint64_t g = hash_0[6U]; + uint64_t h = hash_0[7U]; + uint64_t k_t = k_w[i]; + uint64_t ws_t = ws_w[i]; + uint64_t + t1 = + h + + + ((e >> (uint32_t)14U | e << ((uint32_t)64U - (uint32_t)14U)) + ^ + ((e >> (uint32_t)18U | e << ((uint32_t)64U - (uint32_t)18U)) + ^ (e >> (uint32_t)41U | e << ((uint32_t)64U - (uint32_t)41U)))) + + ((e & f1) ^ (~e & g)) + + k_t + + ws_t; + uint64_t + t2 = + ((a >> (uint32_t)28U | a << ((uint32_t)64U - (uint32_t)28U)) + ^ + ((a >> (uint32_t)34U | a << ((uint32_t)64U - (uint32_t)34U)) + ^ (a >> (uint32_t)39U | a << ((uint32_t)64U - (uint32_t)39U)))) + + ((a & b) ^ ((a & c) ^ (b & c))); + uint64_t x1 = t1 + t2; + uint64_t x5 = d + t1; + uint64_t *p1 = hash_0; + uint64_t *p2 = hash_0 + (uint32_t)4U; + p1[0U] = x1; + p1[1U] = a; + p1[2U] = b; + p1[3U] = c; + p2[0U] = x5; + p2[1U] = e; + p2[2U] = f1; + p2[3U] = g; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U) + { + uint64_t xi = hash_w[i]; + uint64_t yi = hash_0[i]; + hash_w[i] = xi + yi; + } + uint64_t c0 = counter_w[0U]; + uint64_t one1 = (uint64_t)(uint32_t)1U; + counter_w[0U] = c0 + one1; +} + +static void Hacl_Impl_SHA2_384_update_multi(uint64_t *state, uint8_t *data, uint32_t n1) +{ + for (uint32_t i = (uint32_t)0U; i < n1; i = i + (uint32_t)1U) + { + uint8_t *b = data + i * (uint32_t)128U; + Hacl_Impl_SHA2_384_update(state, b); + } +} + +static void Hacl_Impl_SHA2_384_update_last(uint64_t *state, uint8_t *data, uint64_t len) +{ + uint8_t blocks[256U] = { 0U }; + uint32_t nb; + if (len < (uint64_t)112U) + nb = (uint32_t)1U; + else + nb = (uint32_t)2U; + uint8_t *final_blocks; + if (len < (uint64_t)112U) + final_blocks = blocks + (uint32_t)128U; + else + final_blocks = blocks; + memcpy(final_blocks, data, (uint32_t)len * sizeof data[0U]); + uint64_t n1 = state[168U]; + uint8_t *padding = final_blocks + (uint32_t)len; + FStar_UInt128_t + encodedlen = + FStar_UInt128_shift_left(FStar_UInt128_add(FStar_UInt128_mul_wide(n1, (uint64_t)(uint32_t)128U), + FStar_UInt128_uint64_to_uint128(len)), + (uint32_t)3U); + uint32_t + pad0len = + ((uint32_t)128U - ((uint32_t)len + (uint32_t)16U + (uint32_t)1U) % (uint32_t)128U) + % (uint32_t)128U; + uint8_t *buf1 = padding; + uint8_t *buf2 = padding + (uint32_t)1U + pad0len; + buf1[0U] = (uint8_t)0x80U; + store128_be(buf2, encodedlen); + Hacl_Impl_SHA2_384_update_multi(state, final_blocks, nb); +} + +static void Hacl_Impl_SHA2_384_finish(uint64_t *state, uint8_t *hash1) +{ + uint64_t *hash_w = state + (uint32_t)160U; + Hacl_Hash_Lib_LoadStore_uint64s_to_be_bytes(hash1, hash_w, (uint32_t)6U); +} + +static void Hacl_Impl_SHA2_384_hash(uint8_t *hash1, uint8_t *input, uint32_t len) +{ + KRML_CHECK_SIZE((uint64_t)(uint32_t)0U, (uint32_t)169U); + uint64_t state[169U]; + for (uint32_t _i = 0U; _i < (uint32_t)169U; ++_i) + state[_i] = (uint64_t)(uint32_t)0U; + uint32_t n1 = len / (uint32_t)128U; + uint32_t r = len % (uint32_t)128U; + uint8_t *input_blocks = input; + uint8_t *input_last = input + n1 * (uint32_t)128U; + Hacl_Impl_SHA2_384_init(state); + Hacl_Impl_SHA2_384_update_multi(state, input_blocks, n1); + Hacl_Impl_SHA2_384_update_last(state, input_last, (uint64_t)r); + Hacl_Impl_SHA2_384_finish(state, hash1); +} + +uint32_t Hacl_SHA2_384_size_hash = (uint32_t)48U; + +uint32_t Hacl_SHA2_384_size_block = (uint32_t)128U; + +uint32_t Hacl_SHA2_384_size_state = (uint32_t)169U; + +void Hacl_SHA2_384_init(uint64_t *state) +{ + Hacl_Impl_SHA2_384_init(state); +} + +void Hacl_SHA2_384_update(uint64_t *state, uint8_t *data_8) +{ + Hacl_Impl_SHA2_384_update(state, data_8); +} + +void Hacl_SHA2_384_update_multi(uint64_t *state, uint8_t *data, uint32_t n1) +{ + Hacl_Impl_SHA2_384_update_multi(state, data, n1); +} + +void Hacl_SHA2_384_update_last(uint64_t *state, uint8_t *data, uint64_t len) +{ + Hacl_Impl_SHA2_384_update_last(state, data, len); +} + +void Hacl_SHA2_384_finish(uint64_t *state, uint8_t *hash1) +{ + Hacl_Impl_SHA2_384_finish(state, hash1); +} + +void Hacl_SHA2_384_hash(uint8_t *hash1, uint8_t *input, uint32_t len) +{ + Hacl_Impl_SHA2_384_hash(hash1, input, len); +} + diff --git a/vendors/ocaml-hacl/src/Hacl_SHA2_384.h b/vendors/ocaml-hacl/src/Hacl_SHA2_384.h new file mode 100644 index 000000000..2c99b5de5 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_SHA2_384.h @@ -0,0 +1,101 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_SHA2_384_H +#define __Hacl_SHA2_384_H + + + + + +typedef uint8_t Hacl_Hash_Lib_Create_uint8_t; + +typedef uint32_t Hacl_Hash_Lib_Create_uint32_t; + +typedef uint64_t Hacl_Hash_Lib_Create_uint64_t; + +typedef uint8_t Hacl_Hash_Lib_Create_uint8_ht; + +typedef uint32_t Hacl_Hash_Lib_Create_uint32_ht; + +typedef uint64_t Hacl_Hash_Lib_Create_uint64_ht; + +typedef uint8_t *Hacl_Hash_Lib_Create_uint8_p; + +typedef uint32_t *Hacl_Hash_Lib_Create_uint32_p; + +typedef uint64_t *Hacl_Hash_Lib_Create_uint64_p; + +typedef uint8_t *Hacl_Hash_Lib_LoadStore_uint8_p; + +typedef uint8_t Hacl_Impl_SHA2_384_uint8_t; + +typedef uint32_t Hacl_Impl_SHA2_384_uint32_t; + +typedef uint64_t Hacl_Impl_SHA2_384_uint64_t; + +typedef uint8_t Hacl_Impl_SHA2_384_uint8_ht; + +typedef uint32_t Hacl_Impl_SHA2_384_uint32_ht; + +typedef uint64_t Hacl_Impl_SHA2_384_uint64_ht; + +typedef FStar_UInt128_t Hacl_Impl_SHA2_384_uint128_ht; + +typedef uint64_t *Hacl_Impl_SHA2_384_uint64_p; + +typedef uint8_t *Hacl_Impl_SHA2_384_uint8_p; + +typedef uint8_t Hacl_SHA2_384_uint8_t; + +typedef uint32_t Hacl_SHA2_384_uint32_t; + +typedef uint64_t Hacl_SHA2_384_uint64_t; + +typedef uint8_t Hacl_SHA2_384_uint8_ht; + +typedef uint64_t Hacl_SHA2_384_uint64_ht; + +typedef uint64_t *Hacl_SHA2_384_uint64_p; + +typedef uint8_t *Hacl_SHA2_384_uint8_p; + +extern uint32_t Hacl_SHA2_384_size_hash; + +extern uint32_t Hacl_SHA2_384_size_block; + +extern uint32_t Hacl_SHA2_384_size_state; + +void Hacl_SHA2_384_init(uint64_t *state); + +void Hacl_SHA2_384_update(uint64_t *state, uint8_t *data_8); + +void Hacl_SHA2_384_update_multi(uint64_t *state, uint8_t *data, uint32_t n1); + +void Hacl_SHA2_384_update_last(uint64_t *state, uint8_t *data, uint64_t len); + +void Hacl_SHA2_384_finish(uint64_t *state, uint8_t *hash1); + +void Hacl_SHA2_384_hash(uint8_t *hash1, uint8_t *input, uint32_t len); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_SHA2_512.c b/vendors/ocaml-hacl/src/Hacl_SHA2_512.c new file mode 100644 index 000000000..3535e772c --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_SHA2_512.c @@ -0,0 +1,390 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_SHA2_512.h" + +static void +Hacl_Hash_Lib_LoadStore_uint64s_from_be_bytes(uint64_t *output, uint8_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t *x0 = input + (uint32_t)8U * i; + uint64_t inputi = load64_be(x0); + output[i] = inputi; + } +} + +static void +Hacl_Hash_Lib_LoadStore_uint64s_to_be_bytes(uint8_t *output, uint64_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint64_t hd1 = input[i]; + uint8_t *x0 = output + (uint32_t)8U * i; + store64_be(x0, hd1); + } +} + +static void Hacl_Impl_SHA2_512_init(uint64_t *state) +{ + uint64_t *n1 = state + (uint32_t)168U; + uint64_t *k1 = state; + uint64_t *h_01 = state + (uint32_t)160U; + uint64_t *p10 = k1; + uint64_t *p20 = k1 + (uint32_t)16U; + uint64_t *p3 = k1 + (uint32_t)32U; + uint64_t *p4 = k1 + (uint32_t)48U; + uint64_t *p5 = k1 + (uint32_t)64U; + uint64_t *p11 = p10; + uint64_t *p21 = p10 + (uint32_t)8U; + uint64_t *p12 = p11; + uint64_t *p22 = p11 + (uint32_t)4U; + p12[0U] = (uint64_t)0x428a2f98d728ae22U; + p12[1U] = (uint64_t)0x7137449123ef65cdU; + p12[2U] = (uint64_t)0xb5c0fbcfec4d3b2fU; + p12[3U] = (uint64_t)0xe9b5dba58189dbbcU; + p22[0U] = (uint64_t)0x3956c25bf348b538U; + p22[1U] = (uint64_t)0x59f111f1b605d019U; + p22[2U] = (uint64_t)0x923f82a4af194f9bU; + p22[3U] = (uint64_t)0xab1c5ed5da6d8118U; + uint64_t *p13 = p21; + uint64_t *p23 = p21 + (uint32_t)4U; + p13[0U] = (uint64_t)0xd807aa98a3030242U; + p13[1U] = (uint64_t)0x12835b0145706fbeU; + p13[2U] = (uint64_t)0x243185be4ee4b28cU; + p13[3U] = (uint64_t)0x550c7dc3d5ffb4e2U; + p23[0U] = (uint64_t)0x72be5d74f27b896fU; + p23[1U] = (uint64_t)0x80deb1fe3b1696b1U; + p23[2U] = (uint64_t)0x9bdc06a725c71235U; + p23[3U] = (uint64_t)0xc19bf174cf692694U; + uint64_t *p14 = p20; + uint64_t *p24 = p20 + (uint32_t)8U; + uint64_t *p15 = p14; + uint64_t *p25 = p14 + (uint32_t)4U; + p15[0U] = (uint64_t)0xe49b69c19ef14ad2U; + p15[1U] = (uint64_t)0xefbe4786384f25e3U; + p15[2U] = (uint64_t)0x0fc19dc68b8cd5b5U; + p15[3U] = (uint64_t)0x240ca1cc77ac9c65U; + p25[0U] = (uint64_t)0x2de92c6f592b0275U; + p25[1U] = (uint64_t)0x4a7484aa6ea6e483U; + p25[2U] = (uint64_t)0x5cb0a9dcbd41fbd4U; + p25[3U] = (uint64_t)0x76f988da831153b5U; + uint64_t *p16 = p24; + uint64_t *p26 = p24 + (uint32_t)4U; + p16[0U] = (uint64_t)0x983e5152ee66dfabU; + p16[1U] = (uint64_t)0xa831c66d2db43210U; + p16[2U] = (uint64_t)0xb00327c898fb213fU; + p16[3U] = (uint64_t)0xbf597fc7beef0ee4U; + p26[0U] = (uint64_t)0xc6e00bf33da88fc2U; + p26[1U] = (uint64_t)0xd5a79147930aa725U; + p26[2U] = (uint64_t)0x06ca6351e003826fU; + p26[3U] = (uint64_t)0x142929670a0e6e70U; + uint64_t *p17 = p3; + uint64_t *p27 = p3 + (uint32_t)8U; + uint64_t *p18 = p17; + uint64_t *p28 = p17 + (uint32_t)4U; + p18[0U] = (uint64_t)0x27b70a8546d22ffcU; + p18[1U] = (uint64_t)0x2e1b21385c26c926U; + p18[2U] = (uint64_t)0x4d2c6dfc5ac42aedU; + p18[3U] = (uint64_t)0x53380d139d95b3dfU; + p28[0U] = (uint64_t)0x650a73548baf63deU; + p28[1U] = (uint64_t)0x766a0abb3c77b2a8U; + p28[2U] = (uint64_t)0x81c2c92e47edaee6U; + p28[3U] = (uint64_t)0x92722c851482353bU; + uint64_t *p19 = p27; + uint64_t *p29 = p27 + (uint32_t)4U; + p19[0U] = (uint64_t)0xa2bfe8a14cf10364U; + p19[1U] = (uint64_t)0xa81a664bbc423001U; + p19[2U] = (uint64_t)0xc24b8b70d0f89791U; + p19[3U] = (uint64_t)0xc76c51a30654be30U; + p29[0U] = (uint64_t)0xd192e819d6ef5218U; + p29[1U] = (uint64_t)0xd69906245565a910U; + p29[2U] = (uint64_t)0xf40e35855771202aU; + p29[3U] = (uint64_t)0x106aa07032bbd1b8U; + uint64_t *p110 = p4; + uint64_t *p210 = p4 + (uint32_t)8U; + uint64_t *p111 = p110; + uint64_t *p211 = p110 + (uint32_t)4U; + p111[0U] = (uint64_t)0x19a4c116b8d2d0c8U; + p111[1U] = (uint64_t)0x1e376c085141ab53U; + p111[2U] = (uint64_t)0x2748774cdf8eeb99U; + p111[3U] = (uint64_t)0x34b0bcb5e19b48a8U; + p211[0U] = (uint64_t)0x391c0cb3c5c95a63U; + p211[1U] = (uint64_t)0x4ed8aa4ae3418acbU; + p211[2U] = (uint64_t)0x5b9cca4f7763e373U; + p211[3U] = (uint64_t)0x682e6ff3d6b2b8a3U; + uint64_t *p112 = p210; + uint64_t *p212 = p210 + (uint32_t)4U; + p112[0U] = (uint64_t)0x748f82ee5defb2fcU; + p112[1U] = (uint64_t)0x78a5636f43172f60U; + p112[2U] = (uint64_t)0x84c87814a1f0ab72U; + p112[3U] = (uint64_t)0x8cc702081a6439ecU; + p212[0U] = (uint64_t)0x90befffa23631e28U; + p212[1U] = (uint64_t)0xa4506cebde82bde9U; + p212[2U] = (uint64_t)0xbef9a3f7b2c67915U; + p212[3U] = (uint64_t)0xc67178f2e372532bU; + uint64_t *p113 = p5; + uint64_t *p213 = p5 + (uint32_t)8U; + uint64_t *p1 = p113; + uint64_t *p214 = p113 + (uint32_t)4U; + p1[0U] = (uint64_t)0xca273eceea26619cU; + p1[1U] = (uint64_t)0xd186b8c721c0c207U; + p1[2U] = (uint64_t)0xeada7dd6cde0eb1eU; + p1[3U] = (uint64_t)0xf57d4f7fee6ed178U; + p214[0U] = (uint64_t)0x06f067aa72176fbaU; + p214[1U] = (uint64_t)0x0a637dc5a2c898a6U; + p214[2U] = (uint64_t)0x113f9804bef90daeU; + p214[3U] = (uint64_t)0x1b710b35131c471bU; + uint64_t *p114 = p213; + uint64_t *p215 = p213 + (uint32_t)4U; + p114[0U] = (uint64_t)0x28db77f523047d84U; + p114[1U] = (uint64_t)0x32caab7b40c72493U; + p114[2U] = (uint64_t)0x3c9ebe0a15c9bebcU; + p114[3U] = (uint64_t)0x431d67c49c100d4cU; + p215[0U] = (uint64_t)0x4cc5d4becb3e42b6U; + p215[1U] = (uint64_t)0x597f299cfc657e2aU; + p215[2U] = (uint64_t)0x5fcb6fab3ad6faecU; + p215[3U] = (uint64_t)0x6c44198c4a475817U; + uint64_t *p115 = h_01; + uint64_t *p2 = h_01 + (uint32_t)4U; + p115[0U] = (uint64_t)0x6a09e667f3bcc908U; + p115[1U] = (uint64_t)0xbb67ae8584caa73bU; + p115[2U] = (uint64_t)0x3c6ef372fe94f82bU; + p115[3U] = (uint64_t)0xa54ff53a5f1d36f1U; + p2[0U] = (uint64_t)0x510e527fade682d1U; + p2[1U] = (uint64_t)0x9b05688c2b3e6c1fU; + p2[2U] = (uint64_t)0x1f83d9abfb41bd6bU; + p2[3U] = (uint64_t)0x5be0cd19137e2179U; + n1[0U] = (uint64_t)0U; +} + +static void Hacl_Impl_SHA2_512_update(uint64_t *state, uint8_t *data) +{ + KRML_CHECK_SIZE((uint64_t)(uint32_t)0U, (uint32_t)16U); + uint64_t data_w[16U]; + for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i) + data_w[_i] = (uint64_t)(uint32_t)0U; + Hacl_Hash_Lib_LoadStore_uint64s_from_be_bytes(data_w, data, (uint32_t)16U); + uint64_t *hash_w = state + (uint32_t)160U; + uint64_t *ws_w = state + (uint32_t)80U; + uint64_t *k_w = state; + uint64_t *counter_w = state + (uint32_t)168U; + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) + { + uint64_t b = data_w[i]; + ws_w[i] = b; + } + for (uint32_t i = (uint32_t)16U; i < (uint32_t)80U; i = i + (uint32_t)1U) + { + uint64_t t16 = ws_w[i - (uint32_t)16U]; + uint64_t t15 = ws_w[i - (uint32_t)15U]; + uint64_t t7 = ws_w[i - (uint32_t)7U]; + uint64_t t2 = ws_w[i - (uint32_t)2U]; + ws_w[i] = + ((t2 >> (uint32_t)19U | t2 << ((uint32_t)64U - (uint32_t)19U)) + ^ ((t2 >> (uint32_t)61U | t2 << ((uint32_t)64U - (uint32_t)61U)) ^ t2 >> (uint32_t)6U)) + + + t7 + + + ((t15 >> (uint32_t)1U | t15 << ((uint32_t)64U - (uint32_t)1U)) + ^ ((t15 >> (uint32_t)8U | t15 << ((uint32_t)64U - (uint32_t)8U)) ^ t15 >> (uint32_t)7U)) + + t16; + } + uint64_t hash_0[8U] = { 0U }; + memcpy(hash_0, hash_w, (uint32_t)8U * sizeof hash_w[0U]); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i = i + (uint32_t)1U) + { + uint64_t a = hash_0[0U]; + uint64_t b = hash_0[1U]; + uint64_t c = hash_0[2U]; + uint64_t d = hash_0[3U]; + uint64_t e = hash_0[4U]; + uint64_t f1 = hash_0[5U]; + uint64_t g = hash_0[6U]; + uint64_t h = hash_0[7U]; + uint64_t k_t = k_w[i]; + uint64_t ws_t = ws_w[i]; + uint64_t + t1 = + h + + + ((e >> (uint32_t)14U | e << ((uint32_t)64U - (uint32_t)14U)) + ^ + ((e >> (uint32_t)18U | e << ((uint32_t)64U - (uint32_t)18U)) + ^ (e >> (uint32_t)41U | e << ((uint32_t)64U - (uint32_t)41U)))) + + ((e & f1) ^ (~e & g)) + + k_t + + ws_t; + uint64_t + t2 = + ((a >> (uint32_t)28U | a << ((uint32_t)64U - (uint32_t)28U)) + ^ + ((a >> (uint32_t)34U | a << ((uint32_t)64U - (uint32_t)34U)) + ^ (a >> (uint32_t)39U | a << ((uint32_t)64U - (uint32_t)39U)))) + + ((a & b) ^ ((a & c) ^ (b & c))); + uint64_t x1 = t1 + t2; + uint64_t x5 = d + t1; + uint64_t *p1 = hash_0; + uint64_t *p2 = hash_0 + (uint32_t)4U; + p1[0U] = x1; + p1[1U] = a; + p1[2U] = b; + p1[3U] = c; + p2[0U] = x5; + p2[1U] = e; + p2[2U] = f1; + p2[3U] = g; + } + for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U) + { + uint64_t xi = hash_w[i]; + uint64_t yi = hash_0[i]; + hash_w[i] = xi + yi; + } + uint64_t c0 = counter_w[0U]; + uint64_t one1 = (uint64_t)(uint32_t)1U; + counter_w[0U] = c0 + one1; +} + +static void Hacl_Impl_SHA2_512_update_multi(uint64_t *state, uint8_t *data, uint32_t n1) +{ + for (uint32_t i = (uint32_t)0U; i < n1; i = i + (uint32_t)1U) + { + uint8_t *b = data + i * (uint32_t)128U; + Hacl_Impl_SHA2_512_update(state, b); + } +} + +static void Hacl_Impl_SHA2_512_update_last(uint64_t *state, uint8_t *data, uint64_t len) +{ + uint8_t blocks[256U] = { 0U }; + uint32_t nb; + if (len < (uint64_t)112U) + nb = (uint32_t)1U; + else + nb = (uint32_t)2U; + uint8_t *final_blocks; + if (len < (uint64_t)112U) + final_blocks = blocks + (uint32_t)128U; + else + final_blocks = blocks; + memcpy(final_blocks, data, (uint32_t)len * sizeof data[0U]); + uint64_t n1 = state[168U]; + uint8_t *padding = final_blocks + (uint32_t)len; + FStar_UInt128_t + encodedlen = + FStar_UInt128_shift_left(FStar_UInt128_add(FStar_UInt128_mul_wide(n1, (uint64_t)(uint32_t)128U), + FStar_UInt128_uint64_to_uint128(len)), + (uint32_t)3U); + uint32_t + pad0len = ((uint32_t)256U - ((uint32_t)len + (uint32_t)16U + (uint32_t)1U)) % (uint32_t)128U; + uint8_t *buf1 = padding; + uint8_t *buf2 = padding + (uint32_t)1U + pad0len; + buf1[0U] = (uint8_t)0x80U; + store128_be(buf2, encodedlen); + Hacl_Impl_SHA2_512_update_multi(state, final_blocks, nb); +} + +static void Hacl_Impl_SHA2_512_finish(uint64_t *state, uint8_t *hash1) +{ + uint64_t *hash_w = state + (uint32_t)160U; + Hacl_Hash_Lib_LoadStore_uint64s_to_be_bytes(hash1, hash_w, (uint32_t)8U); +} + +static void Hacl_Impl_SHA2_512_hash(uint8_t *hash1, uint8_t *input, uint32_t len) +{ + KRML_CHECK_SIZE((uint64_t)(uint32_t)0U, (uint32_t)169U); + uint64_t state[169U]; + for (uint32_t _i = 0U; _i < (uint32_t)169U; ++_i) + state[_i] = (uint64_t)(uint32_t)0U; + uint32_t n1 = len / (uint32_t)128U; + uint32_t r = len % (uint32_t)128U; + uint8_t *input_blocks = input; + uint8_t *input_last = input + n1 * (uint32_t)128U; + Hacl_Impl_SHA2_512_init(state); + Hacl_Impl_SHA2_512_update_multi(state, input_blocks, n1); + Hacl_Impl_SHA2_512_update_last(state, input_last, (uint64_t)r); + Hacl_Impl_SHA2_512_finish(state, hash1); +} + +uint32_t Hacl_SHA2_512_size_word = (uint32_t)8U; + +uint32_t Hacl_SHA2_512_size_hash_w = (uint32_t)8U; + +uint32_t Hacl_SHA2_512_size_block_w = (uint32_t)16U; + +uint32_t Hacl_SHA2_512_size_hash = (uint32_t)64U; + +uint32_t Hacl_SHA2_512_size_block = (uint32_t)128U; + +uint32_t Hacl_SHA2_512_size_k_w = (uint32_t)80U; + +uint32_t Hacl_SHA2_512_size_ws_w = (uint32_t)80U; + +uint32_t Hacl_SHA2_512_size_whash_w = (uint32_t)8U; + +uint32_t Hacl_SHA2_512_size_count_w = (uint32_t)1U; + +uint32_t Hacl_SHA2_512_size_len_8 = (uint32_t)16U; + +uint32_t Hacl_SHA2_512_size_state = (uint32_t)169U; + +uint32_t Hacl_SHA2_512_pos_k_w = (uint32_t)0U; + +uint32_t Hacl_SHA2_512_pos_ws_w = (uint32_t)80U; + +uint32_t Hacl_SHA2_512_pos_whash_w = (uint32_t)160U; + +uint32_t Hacl_SHA2_512_pos_count_w = (uint32_t)168U; + +void Hacl_SHA2_512_init(uint64_t *state) +{ + Hacl_Impl_SHA2_512_init(state); +} + +void Hacl_SHA2_512_update(uint64_t *state, uint8_t *data) +{ + Hacl_Impl_SHA2_512_update(state, data); +} + +void Hacl_SHA2_512_update_multi(uint64_t *state, uint8_t *data, uint32_t n1) +{ + Hacl_Impl_SHA2_512_update_multi(state, data, n1); +} + +void Hacl_SHA2_512_update_last(uint64_t *state, uint8_t *data, uint64_t len) +{ + Hacl_Impl_SHA2_512_update_last(state, data, len); +} + +void Hacl_SHA2_512_finish(uint64_t *state, uint8_t *hash1) +{ + Hacl_Impl_SHA2_512_finish(state, hash1); +} + +void Hacl_SHA2_512_hash(uint8_t *hash1, uint8_t *input, uint32_t len) +{ + Hacl_Impl_SHA2_512_hash(hash1, input, len); +} + diff --git a/vendors/ocaml-hacl/src/Hacl_SHA2_512.h b/vendors/ocaml-hacl/src/Hacl_SHA2_512.h new file mode 100644 index 000000000..121b8e641 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_SHA2_512.h @@ -0,0 +1,129 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_SHA2_512_H +#define __Hacl_SHA2_512_H + + + + + +typedef uint8_t Hacl_Hash_Lib_Create_uint8_t; + +typedef uint32_t Hacl_Hash_Lib_Create_uint32_t; + +typedef uint64_t Hacl_Hash_Lib_Create_uint64_t; + +typedef uint8_t Hacl_Hash_Lib_Create_uint8_ht; + +typedef uint32_t Hacl_Hash_Lib_Create_uint32_ht; + +typedef uint64_t Hacl_Hash_Lib_Create_uint64_ht; + +typedef uint8_t *Hacl_Hash_Lib_Create_uint8_p; + +typedef uint32_t *Hacl_Hash_Lib_Create_uint32_p; + +typedef uint64_t *Hacl_Hash_Lib_Create_uint64_p; + +typedef uint8_t *Hacl_Hash_Lib_LoadStore_uint8_p; + +typedef uint8_t Hacl_Impl_SHA2_512_uint8_t; + +typedef uint32_t Hacl_Impl_SHA2_512_uint32_t; + +typedef uint64_t Hacl_Impl_SHA2_512_uint64_t; + +typedef uint8_t Hacl_Impl_SHA2_512_uint8_ht; + +typedef uint32_t Hacl_Impl_SHA2_512_uint32_ht; + +typedef uint64_t Hacl_Impl_SHA2_512_uint64_ht; + +typedef FStar_UInt128_t Hacl_Impl_SHA2_512_uint128_ht; + +typedef uint64_t *Hacl_Impl_SHA2_512_uint64_p; + +typedef uint8_t *Hacl_Impl_SHA2_512_uint8_p; + +typedef uint8_t Hacl_SHA2_512_uint8_t; + +typedef uint32_t Hacl_SHA2_512_uint32_t; + +typedef uint64_t Hacl_SHA2_512_uint64_t; + +typedef uint8_t Hacl_SHA2_512_uint8_ht; + +typedef uint32_t Hacl_SHA2_512_uint32_ht; + +typedef uint64_t Hacl_SHA2_512_uint64_ht; + +typedef FStar_UInt128_t Hacl_SHA2_512_uint128_ht; + +typedef uint64_t *Hacl_SHA2_512_uint64_p; + +typedef uint8_t *Hacl_SHA2_512_uint8_p; + +extern uint32_t Hacl_SHA2_512_size_word; + +extern uint32_t Hacl_SHA2_512_size_hash_w; + +extern uint32_t Hacl_SHA2_512_size_block_w; + +extern uint32_t Hacl_SHA2_512_size_hash; + +extern uint32_t Hacl_SHA2_512_size_block; + +extern uint32_t Hacl_SHA2_512_size_k_w; + +extern uint32_t Hacl_SHA2_512_size_ws_w; + +extern uint32_t Hacl_SHA2_512_size_whash_w; + +extern uint32_t Hacl_SHA2_512_size_count_w; + +extern uint32_t Hacl_SHA2_512_size_len_8; + +extern uint32_t Hacl_SHA2_512_size_state; + +extern uint32_t Hacl_SHA2_512_pos_k_w; + +extern uint32_t Hacl_SHA2_512_pos_ws_w; + +extern uint32_t Hacl_SHA2_512_pos_whash_w; + +extern uint32_t Hacl_SHA2_512_pos_count_w; + +void Hacl_SHA2_512_init(uint64_t *state); + +void Hacl_SHA2_512_update(uint64_t *state, uint8_t *data); + +void Hacl_SHA2_512_update_multi(uint64_t *state, uint8_t *data, uint32_t n1); + +void Hacl_SHA2_512_update_last(uint64_t *state, uint8_t *data, uint64_t len); + +void Hacl_SHA2_512_finish(uint64_t *state, uint8_t *hash1); + +void Hacl_SHA2_512_hash(uint8_t *hash1, uint8_t *input, uint32_t len); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_Salsa20.c b/vendors/ocaml-hacl/src/Hacl_Salsa20.c new file mode 100644 index 000000000..be480be3c --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Salsa20.c @@ -0,0 +1,385 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Salsa20.h" + +static void +Hacl_Lib_Create_make_h32_4(uint32_t *b, uint32_t s0, uint32_t s1, uint32_t s2, uint32_t s3) +{ + b[0U] = s0; + b[1U] = s1; + b[2U] = s2; + b[3U] = s3; +} + +static void +Hacl_Lib_Create_make_h32_8( + uint32_t *b, + uint32_t s0, + uint32_t s1, + uint32_t s2, + uint32_t s3, + uint32_t s4, + uint32_t s5, + uint32_t s6, + uint32_t s7 +) +{ + Hacl_Lib_Create_make_h32_4(b, s0, s1, s2, s3); + Hacl_Lib_Create_make_h32_4(b + (uint32_t)4U, s4, s5, s6, s7); +} + +static void +Hacl_Lib_Create_make_h32_16( + uint32_t *b, + uint32_t s0, + uint32_t s1, + uint32_t s2, + uint32_t s3, + uint32_t s4, + uint32_t s5, + uint32_t s6, + uint32_t s7, + uint32_t s8, + uint32_t s9, + uint32_t s10, + uint32_t s11, + uint32_t s12, + uint32_t s13, + uint32_t s14, + uint32_t s15 +) +{ + Hacl_Lib_Create_make_h32_8(b, s0, s1, s2, s3, s4, s5, s6, s7); + Hacl_Lib_Create_make_h32_8(b + (uint32_t)8U, s8, s9, s10, s11, s12, s13, s14, s15); +} + +static void +Hacl_Lib_LoadStore32_uint32s_from_le_bytes(uint32_t *output, uint8_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t *x0 = input + (uint32_t)4U * i; + uint32_t inputi = load32_le(x0); + output[i] = inputi; + } +} + +static void +Hacl_Lib_LoadStore32_uint32s_to_le_bytes(uint8_t *output, uint32_t *input, uint32_t len) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint32_t hd1 = input[i]; + uint8_t *x0 = output + (uint32_t)4U * i; + store32_le(x0, hd1); + } +} + +inline static void Hacl_Impl_Salsa20_setup(uint32_t *st, uint8_t *k, uint8_t *n1, uint64_t c) +{ + uint32_t tmp[10U] = { 0U }; + uint32_t *k_ = tmp; + uint32_t *n_ = tmp + (uint32_t)8U; + Hacl_Lib_LoadStore32_uint32s_from_le_bytes(k_, k, (uint32_t)8U); + Hacl_Lib_LoadStore32_uint32s_from_le_bytes(n_, n1, (uint32_t)2U); + uint32_t c0 = (uint32_t)c; + uint32_t c1 = (uint32_t)(c >> (uint32_t)32U); + uint32_t k0 = k_[0U]; + uint32_t k1 = k_[1U]; + uint32_t k2 = k_[2U]; + uint32_t k3 = k_[3U]; + uint32_t k4 = k_[4U]; + uint32_t k5 = k_[5U]; + uint32_t k6 = k_[6U]; + uint32_t k7 = k_[7U]; + uint32_t n0 = n_[0U]; + uint32_t n11 = n_[1U]; + Hacl_Lib_Create_make_h32_16(st, + (uint32_t)0x61707865U, + k0, + k1, + k2, + k3, + (uint32_t)0x3320646eU, + n0, + n11, + c0, + c1, + (uint32_t)0x79622d32U, + k4, + k5, + k6, + k7, + (uint32_t)0x6b206574U); +} + +inline static void +Hacl_Impl_Salsa20_line(uint32_t *st, uint32_t a, uint32_t b, uint32_t d, uint32_t s) +{ + uint32_t sa = st[a]; + uint32_t sb = st[b]; + uint32_t sd = st[d]; + uint32_t sbd = sb + sd; + uint32_t sbds = sbd << s | sbd >> ((uint32_t)32U - s); + st[a] = sa ^ sbds; +} + +inline static void +Hacl_Impl_Salsa20_quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d) +{ + Hacl_Impl_Salsa20_line(st, b, a, d, (uint32_t)7U); + Hacl_Impl_Salsa20_line(st, c, b, a, (uint32_t)9U); + Hacl_Impl_Salsa20_line(st, d, c, b, (uint32_t)13U); + Hacl_Impl_Salsa20_line(st, a, d, c, (uint32_t)18U); +} + +inline static void Hacl_Impl_Salsa20_double_round(uint32_t *st) +{ + Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U); + Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U, (uint32_t)1U); + Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)10U, (uint32_t)14U, (uint32_t)2U, (uint32_t)6U); + Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)15U, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U); + Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)0U, (uint32_t)1U, (uint32_t)2U, (uint32_t)3U); + Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)5U, (uint32_t)6U, (uint32_t)7U, (uint32_t)4U); + Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)10U, (uint32_t)11U, (uint32_t)8U, (uint32_t)9U); + Hacl_Impl_Salsa20_quarter_round(st, + (uint32_t)15U, + (uint32_t)12U, + (uint32_t)13U, + (uint32_t)14U); +} + +inline static void Hacl_Impl_Salsa20_rounds(uint32_t *st) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U) + Hacl_Impl_Salsa20_double_round(st); +} + +inline static void Hacl_Impl_Salsa20_sum_states(uint32_t *st, uint32_t *st_) +{ + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) + { + uint32_t xi = st[i]; + uint32_t yi = st_[i]; + st[i] = xi + yi; + } +} + +inline static void Hacl_Impl_Salsa20_copy_state(uint32_t *st, uint32_t *st_) +{ + memcpy(st, st_, (uint32_t)16U * sizeof st_[0U]); +} + +inline static void Hacl_Impl_Salsa20_salsa20_core(uint32_t *k, uint32_t *st, uint64_t ctr) +{ + uint32_t c0 = (uint32_t)ctr; + uint32_t c1 = (uint32_t)(ctr >> (uint32_t)32U); + st[8U] = c0; + st[9U] = c1; + Hacl_Impl_Salsa20_copy_state(k, st); + Hacl_Impl_Salsa20_rounds(k); + Hacl_Impl_Salsa20_sum_states(k, st); +} + +inline static void +Hacl_Impl_Salsa20_salsa20_block(uint8_t *stream_block, uint32_t *st, uint64_t ctr) +{ + uint32_t st_[16U] = { 0U }; + Hacl_Impl_Salsa20_salsa20_core(st_, st, ctr); + Hacl_Lib_LoadStore32_uint32s_to_le_bytes(stream_block, st_, (uint32_t)16U); +} + +inline static void Hacl_Impl_Salsa20_init(uint32_t *st, uint8_t *k, uint8_t *n1) +{ + Hacl_Impl_Salsa20_setup(st, k, n1, (uint64_t)0U); +} + +static void +Hacl_Impl_Salsa20_update_last( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint32_t *st, + uint64_t ctr +) +{ + uint8_t block[64U] = { 0U }; + Hacl_Impl_Salsa20_salsa20_block(block, st, ctr); + uint8_t *mask = block; + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t xi = plain[i]; + uint8_t yi = mask[i]; + output[i] = xi ^ yi; + } +} + +static void +Hacl_Impl_Salsa20_update(uint8_t *output, uint8_t *plain, uint32_t *st, uint64_t ctr) +{ + uint32_t b[48U] = { 0U }; + uint32_t *k = b; + uint32_t *ib = b + (uint32_t)16U; + uint32_t *ob = b + (uint32_t)32U; + Hacl_Impl_Salsa20_salsa20_core(k, st, ctr); + Hacl_Lib_LoadStore32_uint32s_from_le_bytes(ib, plain, (uint32_t)16U); + for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) + { + uint32_t xi = ib[i]; + uint32_t yi = k[i]; + ob[i] = xi ^ yi; + } + Hacl_Lib_LoadStore32_uint32s_to_le_bytes(output, ob, (uint32_t)16U); +} + +static void +Hacl_Impl_Salsa20_salsa20_counter_mode_blocks( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint32_t *st, + uint64_t ctr +) +{ + for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) + { + uint8_t *b = plain + (uint32_t)64U * i; + uint8_t *o = output + (uint32_t)64U * i; + Hacl_Impl_Salsa20_update(o, b, st, ctr + (uint64_t)i); + } +} + +static void +Hacl_Impl_Salsa20_salsa20_counter_mode( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint32_t *st, + uint64_t ctr +) +{ + uint32_t blocks_len = len >> (uint32_t)6U; + uint32_t part_len = len & (uint32_t)0x3fU; + uint8_t *output_ = output; + uint8_t *plain_ = plain; + uint8_t *output__ = output + (uint32_t)64U * blocks_len; + uint8_t *plain__ = plain + (uint32_t)64U * blocks_len; + Hacl_Impl_Salsa20_salsa20_counter_mode_blocks(output_, plain_, blocks_len, st, ctr); + if (part_len > (uint32_t)0U) + Hacl_Impl_Salsa20_update_last(output__, plain__, part_len, st, ctr + (uint64_t)blocks_len); +} + +static void +Hacl_Impl_Salsa20_salsa20( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint8_t *k, + uint8_t *n1, + uint64_t ctr +) +{ + uint32_t buf[16U] = { 0U }; + uint32_t *st = buf; + Hacl_Impl_Salsa20_init(st, k, n1); + Hacl_Impl_Salsa20_salsa20_counter_mode(output, plain, len, st, ctr); +} + +inline static void Hacl_Impl_HSalsa20_setup(uint32_t *st, uint8_t *k, uint8_t *n1) +{ + uint32_t tmp[12U] = { 0U }; + uint32_t *k_ = tmp; + uint32_t *n_ = tmp + (uint32_t)8U; + Hacl_Lib_LoadStore32_uint32s_from_le_bytes(k_, k, (uint32_t)8U); + Hacl_Lib_LoadStore32_uint32s_from_le_bytes(n_, n1, (uint32_t)4U); + uint32_t k0 = k_[0U]; + uint32_t k1 = k_[1U]; + uint32_t k2 = k_[2U]; + uint32_t k3 = k_[3U]; + uint32_t k4 = k_[4U]; + uint32_t k5 = k_[5U]; + uint32_t k6 = k_[6U]; + uint32_t k7 = k_[7U]; + uint32_t n0 = n_[0U]; + uint32_t n11 = n_[1U]; + uint32_t n2 = n_[2U]; + uint32_t n3 = n_[3U]; + Hacl_Lib_Create_make_h32_16(st, + (uint32_t)0x61707865U, + k0, + k1, + k2, + k3, + (uint32_t)0x3320646eU, + n0, + n11, + n2, + n3, + (uint32_t)0x79622d32U, + k4, + k5, + k6, + k7, + (uint32_t)0x6b206574U); +} + +static void +Hacl_Impl_HSalsa20_crypto_core_hsalsa20(uint8_t *output, uint8_t *nonce, uint8_t *key) +{ + uint32_t tmp[24U] = { 0U }; + uint32_t *st = tmp; + uint32_t *hs = tmp + (uint32_t)16U; + Hacl_Impl_HSalsa20_setup(st, key, nonce); + Hacl_Impl_Salsa20_rounds(st); + uint32_t hs0 = st[0U]; + uint32_t hs1 = st[5U]; + uint32_t hs2 = st[10U]; + uint32_t hs3 = st[15U]; + uint32_t hs4 = st[6U]; + uint32_t hs5 = st[7U]; + uint32_t hs6 = st[8U]; + uint32_t hs7 = st[9U]; + Hacl_Lib_Create_make_h32_8(hs, hs0, hs1, hs2, hs3, hs4, hs5, hs6, hs7); + Hacl_Lib_LoadStore32_uint32s_to_le_bytes(output, hs, (uint32_t)8U); +} + +void +Hacl_Salsa20_salsa20( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint8_t *k, + uint8_t *n1, + uint64_t ctr +) +{ + Hacl_Impl_Salsa20_salsa20(output, plain, len, k, n1, ctr); +} + +void Hacl_Salsa20_hsalsa20(uint8_t *output, uint8_t *key, uint8_t *nonce) +{ + Hacl_Impl_HSalsa20_crypto_core_hsalsa20(output, nonce, key); +} + diff --git a/vendors/ocaml-hacl/src/Hacl_Salsa20.h b/vendors/ocaml-hacl/src/Hacl_Salsa20.h new file mode 100644 index 000000000..e18003f74 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Salsa20.h @@ -0,0 +1,84 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __Hacl_Salsa20_H +#define __Hacl_Salsa20_H + + + + + +typedef uint32_t Hacl_Impl_Xor_Lemmas_u32; + +typedef uint8_t Hacl_Impl_Xor_Lemmas_u8; + +typedef uint32_t Hacl_Lib_Create_h32; + +typedef uint8_t *Hacl_Lib_LoadStore32_uint8_p; + +typedef uint32_t Hacl_Impl_Salsa20_u32; + +typedef uint32_t Hacl_Impl_Salsa20_h32; + +typedef uint8_t *Hacl_Impl_Salsa20_uint8_p; + +typedef uint32_t *Hacl_Impl_Salsa20_state; + +typedef uint32_t Hacl_Impl_Salsa20_idx; + +typedef struct +{ + void *k; + void *n; +} +Hacl_Impl_Salsa20_log_t_; + +typedef void *Hacl_Impl_Salsa20_log_t; + +typedef uint32_t Hacl_Impl_HSalsa20_h32; + +typedef uint32_t Hacl_Impl_HSalsa20_u32; + +typedef uint8_t *Hacl_Impl_HSalsa20_uint8_p; + +typedef uint32_t *Hacl_Impl_HSalsa20_state; + +typedef uint8_t *Hacl_Salsa20_uint8_p; + +typedef uint32_t Hacl_Salsa20_uint32_t; + +typedef uint32_t *Hacl_Salsa20_state; + +void +Hacl_Salsa20_salsa20( + uint8_t *output, + uint8_t *plain, + uint32_t len, + uint8_t *k, + uint8_t *n1, + uint64_t ctr +); + +void Hacl_Salsa20_hsalsa20(uint8_t *output, uint8_t *key, uint8_t *nonce); +#endif diff --git a/vendors/ocaml-hacl/src/Hacl_Unverified_Random.c b/vendors/ocaml-hacl/src/Hacl_Unverified_Random.c new file mode 100644 index 000000000..5f116b55a --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Unverified_Random.c @@ -0,0 +1,104 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ +#include "Hacl_Unverified_Random.h" +#include + + +#if HACL_IS_WINDOWS + +#include +#include +#include + +bool read_random_bytes(uint64_t len, uint8_t * buf) { + HCRYPTPROV ctxt; + if (! (CryptAcquireContext(&ctxt, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))) { + DWORD error = GetLastError(); + printf("Cannot acquire crypto context: 0x%lx\n", error); + return false; + } + bool pass = true; + if (! (CryptGenRandom(ctxt, len, buf))) { + printf("Cannot read random bytes\n"); + pass = false; + } + CryptReleaseContext(ctxt, 0); + return pass; +} + +void * hacl_aligned_malloc(size_t alignment, size_t size) { + void * res = _aligned_malloc(size, alignment); + if (res == NULL) { + printf("Cannot allocate %" PRIu64 " bytes aligned to %" PRIu64 "\n", (uint64_t) size, (uint64_t) alignment); + } + return res; +} + +void hacl_aligned_free(void * ptr) { + _aligned_free(ptr); +} + +#else // ! HACL_IS_WINDOWS + +/* assume POSIX here */ +#include +#include +#include +#include +#include + +bool read_random_bytes(uint64_t len, uint8_t * buf) { + int fd = open("/dev/urandom", O_RDONLY); + if (fd == -1) { + printf("Cannot open /dev/urandom\n"); + return false; + } + bool pass = true; + uint64_t res = read(fd, buf, len); + if (res != len) { + printf("Error on reading, expected %" PRIu64 " bytes, got %" PRIu64 " bytes\n", len, res); + pass = false; + } + close(fd); + return pass; +} + +void * hacl_aligned_malloc(size_t alignment, size_t size) { + void * res = NULL; + if (posix_memalign(&res, alignment, size)) { + printf("Cannot allocate %" PRIu64 " bytes aligned to %" PRIu64 "\n", (uint64_t) size, (uint64_t) alignment); + return NULL; + } + return res; +} + +void hacl_aligned_free(void * ptr) { + free(ptr); +} + +#endif // HACL_IS_WINDOWS + +void randombytes(uint8_t * x,uint64_t len) { + if (! (read_random_bytes(len, x))) + exit(1); +} diff --git a/vendors/ocaml-hacl/src/Hacl_Unverified_Random.h b/vendors/ocaml-hacl/src/Hacl_Unverified_Random.h new file mode 100644 index 000000000..4bbb9f143 --- /dev/null +++ b/vendors/ocaml-hacl/src/Hacl_Unverified_Random.h @@ -0,0 +1,43 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ +#ifndef __HACL_UNVERIFIED_RANDOM +#define __HACL_UNVERIFIED_RANDOM + +#include +#include +#include + +#if ((defined(_WIN32) || defined(_WIN64)) && (! (defined(__CYGWIN__)))) +#define HACL_IS_WINDOWS 1 +#else +#define HACL_IS_WINDOWS 0 +#endif + +bool read_random_bytes(uint64_t len, uint8_t * buf); +void * hacl_aligned_malloc(size_t alignment, size_t size); +void hacl_aligned_free(void * ptr); + +void randombytes(uint8_t * x,uint64_t len); + +#endif // __HACL_UNVERIFIED_RANDOM + diff --git a/vendors/ocaml-hacl/src/NaCl.c b/vendors/ocaml-hacl/src/NaCl.c new file mode 100644 index 000000000..a3f1f3c2f --- /dev/null +++ b/vendors/ocaml-hacl/src/NaCl.c @@ -0,0 +1,463 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "NaCl.h" + +static void Hacl_SecretBox_ZeroPad_set_zero_bytes(uint8_t *b) +{ + uint8_t zero1 = (uint8_t)0U; + b[0U] = zero1; + b[1U] = zero1; + b[2U] = zero1; + b[3U] = zero1; + b[4U] = zero1; + b[5U] = zero1; + b[6U] = zero1; + b[7U] = zero1; + b[8U] = zero1; + b[9U] = zero1; + b[10U] = zero1; + b[11U] = zero1; + b[12U] = zero1; + b[13U] = zero1; + b[14U] = zero1; + b[15U] = zero1; + b[16U] = zero1; + b[17U] = zero1; + b[18U] = zero1; + b[19U] = zero1; + b[20U] = zero1; + b[21U] = zero1; + b[22U] = zero1; + b[23U] = zero1; + b[24U] = zero1; + b[25U] = zero1; + b[26U] = zero1; + b[27U] = zero1; + b[28U] = zero1; + b[29U] = zero1; + b[30U] = zero1; + b[31U] = zero1; +} + +static uint32_t +Hacl_SecretBox_ZeroPad_crypto_secretbox_detached( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +) +{ + uint32_t mlen_ = (uint32_t)mlen; + uint8_t subkey[32U] = { 0U }; + Hacl_Salsa20_hsalsa20(subkey, k1, n1); + Hacl_Salsa20_salsa20(c, m, mlen_ + (uint32_t)32U, subkey, n1 + (uint32_t)16U, (uint64_t)0U); + Hacl_Poly1305_64_crypto_onetimeauth(mac, c + (uint32_t)32U, mlen, c); + Hacl_SecretBox_ZeroPad_set_zero_bytes(c); + Hacl_SecretBox_ZeroPad_set_zero_bytes(subkey); + return (uint32_t)0U; +} + +static uint32_t +Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached_decrypt( + uint8_t *m, + uint8_t *c, + uint64_t clen, + uint8_t *n1, + uint8_t *subkey, + uint8_t verify +) +{ + uint32_t clen_ = (uint32_t)clen; + if (verify == (uint8_t)0U) + { + Hacl_Salsa20_salsa20(m, c, clen_ + (uint32_t)32U, subkey, n1 + (uint32_t)16U, (uint64_t)0U); + Hacl_SecretBox_ZeroPad_set_zero_bytes(subkey); + Hacl_SecretBox_ZeroPad_set_zero_bytes(m); + return (uint32_t)0U; + } + else + return (uint32_t)0xffffffffU; +} + +static uint32_t +Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *mac, + uint64_t clen, + uint8_t *n1, + uint8_t *k1 +) +{ + uint8_t tmp[112U] = { 0U }; + uint8_t *subkey = tmp; + uint8_t *mackey = tmp + (uint32_t)32U; + uint8_t *mackey_ = tmp + (uint32_t)64U; + uint8_t *cmac = tmp + (uint32_t)96U; + Hacl_Salsa20_hsalsa20(subkey, k1, n1); + Hacl_Salsa20_salsa20(mackey, mackey_, (uint32_t)32U, subkey, n1 + (uint32_t)16U, (uint64_t)0U); + Hacl_Poly1305_64_crypto_onetimeauth(cmac, c + (uint32_t)32U, clen, mackey); + uint8_t result = Hacl_Policies_cmp_bytes(mac, cmac, (uint32_t)16U); + uint8_t verify = result; + uint32_t + z = + Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached_decrypt(m, + c, + clen, + n1, + subkey, + verify); + return z; +} + +static uint32_t +Hacl_SecretBox_ZeroPad_crypto_secretbox_easy( + uint8_t *c, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +) +{ + uint8_t cmac[16U] = { 0U }; + uint32_t res = Hacl_SecretBox_ZeroPad_crypto_secretbox_detached(c, cmac, m, mlen, n1, k1); + memcpy(c + (uint32_t)16U, cmac, (uint32_t)16U * sizeof cmac[0U]); + return res; +} + +static uint32_t +Hacl_SecretBox_ZeroPad_crypto_secretbox_open_easy( + uint8_t *m, + uint8_t *c, + uint64_t clen, + uint8_t *n1, + uint8_t *k1 +) +{ + uint8_t *mac = c; + return Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached(m, c, mac, clen, n1, k1); +} + +static uint32_t Hacl_Box_ZeroPad_crypto_box_beforenm(uint8_t *k1, uint8_t *pk, uint8_t *sk) +{ + uint8_t tmp[48U] = { 0U }; + uint8_t *hsalsa_k = tmp; + uint8_t *hsalsa_n = tmp + (uint32_t)32U; + Hacl_Curve25519_crypto_scalarmult(hsalsa_k, sk, pk); + Hacl_Salsa20_hsalsa20(k1, hsalsa_k, hsalsa_n); + return (uint32_t)0U; +} + +static uint32_t +Hacl_Box_ZeroPad_crypto_box_detached_afternm( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +) +{ + return Hacl_SecretBox_ZeroPad_crypto_secretbox_detached(c, mac, m, mlen, n1, k1); +} + +static uint32_t +Hacl_Box_ZeroPad_crypto_box_detached( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +) +{ + uint8_t key[80U] = { 0U }; + uint8_t *k1 = key; + uint8_t *subkey = key + (uint32_t)32U; + uint8_t *hsalsa_n = key + (uint32_t)64U; + Hacl_Curve25519_crypto_scalarmult(k1, sk, pk); + Hacl_Salsa20_hsalsa20(subkey, k1, hsalsa_n); + uint32_t z = Hacl_SecretBox_ZeroPad_crypto_secretbox_detached(c, mac, m, mlen, n1, subkey); + return z; +} + +static uint32_t +Hacl_Box_ZeroPad_crypto_box_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *mac, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +) +{ + uint8_t key[80U] = { 0U }; + uint8_t *k1 = key; + uint8_t *subkey = key + (uint32_t)32U; + uint8_t *hsalsa_n = key + (uint32_t)64U; + Hacl_Curve25519_crypto_scalarmult(k1, sk, pk); + Hacl_Salsa20_hsalsa20(subkey, k1, hsalsa_n); + uint32_t + z = Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached(m, c, mac, mlen, n1, subkey); + return z; +} + +static uint32_t +Hacl_Box_ZeroPad_crypto_box_easy_afternm( + uint8_t *c, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +) +{ + uint8_t cmac[16U] = { 0U }; + uint32_t z = Hacl_Box_ZeroPad_crypto_box_detached_afternm(c, cmac, m, mlen, n1, k1); + memcpy(c + (uint32_t)16U, cmac, (uint32_t)16U * sizeof cmac[0U]); + return z; +} + +static uint32_t +Hacl_Box_ZeroPad_crypto_box_easy( + uint8_t *c, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +) +{ + uint8_t cmac[16U] = { 0U }; + uint32_t res = Hacl_Box_ZeroPad_crypto_box_detached(c, cmac, m, mlen, n1, pk, sk); + memcpy(c + (uint32_t)16U, cmac, (uint32_t)16U * sizeof cmac[0U]); + return res; +} + +static uint32_t +Hacl_Box_ZeroPad_crypto_box_open_easy( + uint8_t *m, + uint8_t *c, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +) +{ + uint8_t *mac = c + (uint32_t)16U; + return Hacl_Box_ZeroPad_crypto_box_open_detached(m, c, mac, mlen, n1, pk, sk); +} + +static uint32_t +Hacl_Box_ZeroPad_crypto_box_open_detached_afternm( + uint8_t *m, + uint8_t *c, + uint8_t *mac, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +) +{ + return Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached(m, c, mac, mlen, n1, k1); +} + +static uint32_t +Hacl_Box_ZeroPad_crypto_box_open_easy_afternm( + uint8_t *m, + uint8_t *c, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +) +{ + uint8_t *mac = c + (uint32_t)16U; + uint32_t t = Hacl_Box_ZeroPad_crypto_box_open_detached_afternm(m, c, mac, mlen, n1, k1); + return t; +} + +Prims_int NaCl_crypto_box_NONCEBYTES = (krml_checked_int_t)24; + +Prims_int NaCl_crypto_box_PUBLICKEYBYTES = (krml_checked_int_t)32; + +Prims_int NaCl_crypto_box_SECRETKEYBYTES = (krml_checked_int_t)32; + +Prims_int NaCl_crypto_box_MACBYTES = (krml_checked_int_t)16; + +Prims_int NaCl_crypto_secretbox_NONCEBYTES = (krml_checked_int_t)24; + +Prims_int NaCl_crypto_secretbox_KEYBYTES = (krml_checked_int_t)32; + +Prims_int NaCl_crypto_secretbox_MACBYTES = (krml_checked_int_t)16; + +uint32_t +NaCl_crypto_secretbox_detached( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +) +{ + return Hacl_SecretBox_ZeroPad_crypto_secretbox_detached(c, mac, m, mlen, n1, k1); +} + +uint32_t +NaCl_crypto_secretbox_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *mac, + uint64_t clen, + uint8_t *n1, + uint8_t *k1 +) +{ + return Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached(m, c, mac, clen, n1, k1); +} + +uint32_t +NaCl_crypto_secretbox_easy(uint8_t *c, uint8_t *m, uint64_t mlen, uint8_t *n1, uint8_t *k1) +{ + return Hacl_SecretBox_ZeroPad_crypto_secretbox_easy(c, m, mlen, n1, k1); +} + +uint32_t +NaCl_crypto_secretbox_open_easy( + uint8_t *m, + uint8_t *c, + uint64_t clen, + uint8_t *n1, + uint8_t *k1 +) +{ + return Hacl_SecretBox_ZeroPad_crypto_secretbox_open_easy(m, c, clen, n1, k1); +} + +uint32_t NaCl_crypto_box_beforenm(uint8_t *k1, uint8_t *pk, uint8_t *sk) +{ + return Hacl_Box_ZeroPad_crypto_box_beforenm(k1, pk, sk); +} + +uint32_t +NaCl_crypto_box_detached_afternm( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +) +{ + return Hacl_Box_ZeroPad_crypto_box_detached_afternm(c, mac, m, mlen, n1, k1); +} + +uint32_t +NaCl_crypto_box_detached( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +) +{ + return Hacl_Box_ZeroPad_crypto_box_detached(c, mac, m, mlen, n1, pk, sk); +} + +uint32_t +NaCl_crypto_box_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *mac, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +) +{ + return Hacl_Box_ZeroPad_crypto_box_open_detached(m, c, mac, mlen, n1, pk, sk); +} + +uint32_t +NaCl_crypto_box_easy_afternm(uint8_t *c, uint8_t *m, uint64_t mlen, uint8_t *n1, uint8_t *k1) +{ + return Hacl_Box_ZeroPad_crypto_box_easy_afternm(c, m, mlen, n1, k1); +} + +uint32_t +NaCl_crypto_box_easy( + uint8_t *c, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +) +{ + return Hacl_Box_ZeroPad_crypto_box_easy(c, m, mlen, n1, pk, sk); +} + +uint32_t +NaCl_crypto_box_open_easy( + uint8_t *m, + uint8_t *c, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +) +{ + return Hacl_Box_ZeroPad_crypto_box_open_easy(m, c, mlen, n1, pk, sk); +} + +uint32_t +NaCl_crypto_box_open_detached_afternm( + uint8_t *m, + uint8_t *c, + uint8_t *mac, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +) +{ + return Hacl_Box_ZeroPad_crypto_box_open_detached_afternm(m, c, mac, mlen, n1, k1); +} + +uint32_t +NaCl_crypto_box_open_easy_afternm( + uint8_t *m, + uint8_t *c, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +) +{ + return Hacl_Box_ZeroPad_crypto_box_open_easy_afternm(m, c, mlen, n1, k1); +} + diff --git a/vendors/ocaml-hacl/src/NaCl.h b/vendors/ocaml-hacl/src/NaCl.h new file mode 100644 index 000000000..bdd92d496 --- /dev/null +++ b/vendors/ocaml-hacl/src/NaCl.h @@ -0,0 +1,156 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +#include "kremlib.h" +#ifndef __NaCl_H +#define __NaCl_H + + +#include "Hacl_Salsa20.h" +#include "Hacl_Curve25519.h" +#include "Hacl_Poly1305_64.h" +#include "Hacl_Policies.h" + + +extern Prims_int NaCl_crypto_box_NONCEBYTES; + +extern Prims_int NaCl_crypto_box_PUBLICKEYBYTES; + +extern Prims_int NaCl_crypto_box_SECRETKEYBYTES; + +extern Prims_int NaCl_crypto_box_MACBYTES; + +extern Prims_int NaCl_crypto_secretbox_NONCEBYTES; + +extern Prims_int NaCl_crypto_secretbox_KEYBYTES; + +extern Prims_int NaCl_crypto_secretbox_MACBYTES; + +uint32_t +NaCl_crypto_secretbox_detached( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +); + +uint32_t +NaCl_crypto_secretbox_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *mac, + uint64_t clen, + uint8_t *n1, + uint8_t *k1 +); + +uint32_t +NaCl_crypto_secretbox_easy(uint8_t *c, uint8_t *m, uint64_t mlen, uint8_t *n1, uint8_t *k1); + +uint32_t +NaCl_crypto_secretbox_open_easy( + uint8_t *m, + uint8_t *c, + uint64_t clen, + uint8_t *n1, + uint8_t *k1 +); + +uint32_t NaCl_crypto_box_beforenm(uint8_t *k1, uint8_t *pk, uint8_t *sk); + +uint32_t +NaCl_crypto_box_detached_afternm( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +); + +uint32_t +NaCl_crypto_box_detached( + uint8_t *c, + uint8_t *mac, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +); + +uint32_t +NaCl_crypto_box_open_detached( + uint8_t *m, + uint8_t *c, + uint8_t *mac, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +); + +uint32_t +NaCl_crypto_box_easy_afternm(uint8_t *c, uint8_t *m, uint64_t mlen, uint8_t *n1, uint8_t *k1); + +uint32_t +NaCl_crypto_box_easy( + uint8_t *c, + uint8_t *m, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +); + +uint32_t +NaCl_crypto_box_open_easy( + uint8_t *m, + uint8_t *c, + uint64_t mlen, + uint8_t *n1, + uint8_t *pk, + uint8_t *sk +); + +uint32_t +NaCl_crypto_box_open_detached_afternm( + uint8_t *m, + uint8_t *c, + uint8_t *mac, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +); + +uint32_t +NaCl_crypto_box_open_easy_afternm( + uint8_t *m, + uint8_t *c, + uint64_t mlen, + uint8_t *n1, + uint8_t *k1 +); +#endif diff --git a/vendors/ocaml-hacl/src/hacl.ml b/vendors/ocaml-hacl/src/hacl.ml new file mode 100644 index 000000000..7f68b027f --- /dev/null +++ b/vendors/ocaml-hacl/src/hacl.ml @@ -0,0 +1,392 @@ +(* Copyright 2018 Vincent Bernardoff, Marco Stronati. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. *) + +open EndianBigstring + +module Rand = struct + external write : Bigstring.t -> unit = + "ml_randombytes" [@@noalloc] + + let gen len = + let buf = Bigstring.create len in + write buf ; + buf +end + +module Hash = struct + module type S = sig + val init : Bigstring.t -> unit + val update : Bigstring.t -> Bigstring.t -> unit + val update_last : Bigstring.t -> Bigstring.t -> int -> unit + val finish : Bigstring.t -> Bigstring.t -> unit + + val bytes : int + val blockbytes : int + val statebytes : int + end + + module Make(S: S) = struct + type state = { + state : Bigstring.t ; + buf : Bigstring.t ; + mutable pos : int ; + } + + let init () = + let state = Bigstring.create S.statebytes in + let buf = Bigstring.create S.blockbytes in + S.init state ; + { state ; buf ; pos = 0 } + + let rec update ({ state ; buf ; pos } as st) m p l = + if pos + l < S.blockbytes then begin + Bigstring.blit m p buf pos l ; + st.pos <- st.pos + l + end + else begin + let nb_consumed = S.blockbytes - pos in + Bigstring.blit m p buf pos nb_consumed ; + S.update state buf ; + st.pos <- 0 ; + update st m (p + nb_consumed) (l - nb_consumed) + end + + let update st msg = + update st msg 0 (Bigstring.length msg) + + let finish { state ; buf ; pos } = + S.update_last state buf pos ; + S.finish state buf ; + Bigstring.sub buf 0 S.bytes + + let digest msg = + let st = init () in + update st msg ; + finish st + end + + module SHA256 = Make(struct + (* state -> unit *) + external init : Bigstring.t -> unit = + "ml_Hacl_SHA2_256_init" [@@noalloc] + + (* state -> data -> unit *) + external update : Bigstring.t -> Bigstring.t -> unit = + "ml_Hacl_SHA2_256_update" [@@noalloc] + + (* state -> data -> datalen -> unit *) + external update_last : Bigstring.t -> Bigstring.t -> int -> unit = + "ml_Hacl_SHA2_256_update_last" [@@noalloc] + + (* state -> hash *) + external finish : Bigstring.t -> Bigstring.t -> unit = + "ml_Hacl_SHA2_256_finish" [@@noalloc] + + let bytes = 32 + let blockbytes = 64 + let statebytes = 137 * 4 + end) + + module SHA512 = Make(struct + (* state -> unit *) + external init : Bigstring.t -> unit = + "ml_Hacl_SHA2_512_init" [@@noalloc] + + (* state -> data -> unit *) + external update : Bigstring.t -> Bigstring.t -> unit = + "ml_Hacl_SHA2_512_update" [@@noalloc] + + (* state -> data -> datalen -> unit *) + external update_last : Bigstring.t -> Bigstring.t -> int -> unit = + "ml_Hacl_SHA2_512_update_last" [@@noalloc] + + (* state -> hash *) + external finish : Bigstring.t -> Bigstring.t -> unit = + "ml_Hacl_SHA2_512_finish" [@@noalloc] + + let bytes = 64 + let blockbytes = 128 + let statebytes = 169 * 4 + end) + + module HMAC_SHA256 = struct + (* mac -> key -> data *) + external hmac : + Bigstring.t -> Bigstring.t -> Bigstring.t -> unit = + "ml_Hacl_HMAC_SHA2_256_hmac" [@@noalloc] + + let write_hmac ~key ~msg buf = + if Bigstring.length buf < 32 then + invalid_arg (Printf.sprintf "Hash.write_hmac_sha156: invalid len \ + %d" 32) ; + hmac buf key msg + + let hmac ~key ~msg = + let buf = Bigstring.create 32 in + write_hmac ~key ~msg buf ; + buf + end +end + +module Nonce = struct + type t = Bigstring.t + let bytes = 24 + + let gen () = + Rand.gen bytes + + let rec incr_byte b step byteno = + let res = BigEndian.get_uint16 b byteno + step in + let lo = res land 0xffff in + let hi = res asr 16 in + BigEndian.set_int16 b byteno lo ; + if hi = 0 || byteno = 0 then () + else incr_byte b hi (byteno - 2) + + let increment ?(step = 1) nonce = + let new_nonce = Bigstring.create 24 in + Bigstring.blit nonce 0 new_nonce 0 24 ; + incr_byte new_nonce step 22 ; + new_nonce +end + +module Secretbox = struct + type key = Bigstring.t + + let keybytes = 32 + let zerobytes = 32 + let boxzerobytes = 16 + + let unsafe_of_bytes buf = + if Bigstring.length buf <> keybytes then + invalid_arg (Printf.sprintf "Secretbox.unsafe_of_bytes: buffer \ + must be %d bytes long" keybytes) ; + buf + + let blit_of_bytes buf pos = + if Bigstring.length buf < keybytes then + invalid_arg (Printf.sprintf "Secretbox.blit_of_bytes: buffer \ + must be at least %d bytes long" keybytes) ; + let key = Bigstring.create keybytes in + Bigstring.blit buf pos key 0 keybytes ; + key + + let genkey () = Rand.gen 32 + + (* c -> m -> n -> k -> unit *) + external box : + Bigstring.t -> Bigstring.t -> Bigstring.t -> Bigstring.t -> unit = + "ml_NaCl_crypto_secretbox_easy" [@@noalloc] + + (* m -> c -> mac -> n -> k -> int *) + external box_open : + Bigstring.t -> Bigstring.t -> Bigstring.t -> + Bigstring.t -> Bigstring.t -> int = + "ml_NaCl_crypto_secretbox_open_detached" [@@noalloc] + + let box ~key ~nonce ~msg ~cmsg = + box cmsg msg nonce key + + let box_open ~key ~nonce ~cmsg ~msg = + let mac = Bigstring.sub cmsg boxzerobytes boxzerobytes in + match box_open msg cmsg mac nonce key with + | 0 -> true + | _ -> false +end + +type secret +type public + +module Box = struct + type combined + type _ key = + | Sk : Bigstring.t -> secret key + | Pk : Bigstring.t -> public key + | Ck : Bigstring.t -> combined key + + let skbytes = 32 + let pkbytes = 32 + let ckbytes = 32 + let zerobytes = 32 + let boxzerobytes = 16 + + let unsafe_to_bytes : type a. a key -> Bigstring.t = function + | Pk buf -> buf + | Sk buf -> buf + | Ck buf -> buf + + let blit_to_bytes : + type a. a key -> ?pos:int -> Bigstring.t -> unit = fun key ?(pos=0) buf -> + match key with + | Pk pk -> Bigstring.blit pk 0 buf pos pkbytes + | Sk sk -> Bigstring.blit sk 0 buf pos skbytes + | Ck ck -> Bigstring.blit ck 0 buf pos ckbytes + + let equal : + type a. a key -> a key -> bool = fun a b -> match a, b with + | Pk a, Pk b -> Bigstring.equal a b + | Sk a, Sk b -> Bigstring.equal a b + | Ck a, Ck b -> Bigstring.equal a b + + let unsafe_sk_of_bytes buf = + if Bigstring.length buf <> skbytes then + invalid_arg (Printf.sprintf "Box.unsafe_sk_of_bytes: buffer must \ + be %d bytes long" skbytes) ; + Sk buf + + let unsafe_pk_of_bytes buf = + if Bigstring.length buf <> pkbytes then + invalid_arg (Printf.sprintf "Box.unsafe_pk_of_bytes: buffer must \ + be %d bytes long" pkbytes) ; + Pk buf + + let unsafe_ck_of_bytes buf = + if Bigstring.length buf <> ckbytes then + invalid_arg (Printf.sprintf "Box.unsafe_ck_of_bytes: buffer must \ + be %d bytes long" ckbytes) ; + Ck buf + + let of_seed ?(pos=0) buf = + let buflen = Bigstring.length buf in + if pos < 0 || pos + skbytes > buflen then + invalid_arg (Printf.sprintf "Box.of_seed: invalid pos (%d) or \ + buffer size (%d)" pos buflen) ; + let sk = Bigstring.create skbytes in + Bigstring.blit buf pos sk 0 skbytes ; + Sk sk + + let basepoint = + Bigstring.init 32 (function 0 -> '\x09' | _ -> '\x00') + + (* pk -> sk -> basepoint -> unit *) + external scalarmult : + Bigstring.t -> Bigstring.t -> Bigstring.t -> unit = + "ml_Hacl_Curve25519_crypto_scalarmult" [@@noalloc] + + let neuterize (Sk sk) = + let pk = Bigstring.create pkbytes in + scalarmult pk sk basepoint ; + Pk pk + + let keypair () = + let sk = Sk (Rand.gen skbytes) in + neuterize sk, sk + + (* ck -> pk -> sk -> unit *) + external box_beforenm : + Bigstring.t -> Bigstring.t -> Bigstring.t -> unit = + "ml_NaCl_crypto_box_beforenm" [@@noalloc] + + let dh (Pk pk) (Sk sk) = + let combined = Bigstring.create ckbytes in + box_beforenm combined pk sk ; + Ck combined + + (* cmsg -> msg -> nonce -> k -> unit *) + external box_easy_afternm : + Bigstring.t -> Bigstring.t -> Bigstring.t -> Bigstring.t -> unit = + "ml_NaCl_crypto_box_easy_afternm" [@@noalloc] + + let box ~k:(Ck k) ~nonce ~msg ~cmsg = + box_easy_afternm cmsg msg nonce k + + (* msg -> cmsg -> n -> k -> int *) + external box_open_easy_afternm : + Bigstring.t -> Bigstring.t -> Bigstring.t -> Bigstring.t -> int = + "ml_NaCl_crypto_box_open_easy_afternm" [@@noalloc] + + let box_open ~k:(Ck k) ~nonce ~cmsg ~msg = + match box_open_easy_afternm msg cmsg nonce k with + | 0 -> true + | _ -> false +end + +module Sign = struct + type _ key = + | Sk : Bigstring.t -> secret key + | Pk : Bigstring.t -> public key + + let bytes = 64 + let pkbytes = 32 + let skbytes = 32 + + let unsafe_to_bytes : type a. a key -> Bigstring.t = function + | Pk buf -> buf + | Sk buf -> buf + + let unsafe_sk_of_bytes seed = + if Bigstring.length seed <> skbytes then + invalid_arg (Printf.sprintf "Sign.unsafe_sk_of_bytes: sk must \ + be at least %d bytes long" skbytes) ; + Sk seed + + let unsafe_pk_of_bytes pk = + if Bigstring.length pk <> pkbytes then + invalid_arg (Printf.sprintf "Sign.unsafe_pk_of_bytes: pk must be \ + at least %d bytes long" pkbytes) ; + Pk pk + + let blit_to_bytes : + type a. a key -> ?pos:int -> Bigstring.t -> unit = fun key ?(pos=0) buf -> + match key with + | Pk pk -> Bigstring.blit pk 0 buf pos pkbytes + | Sk sk -> Bigstring.blit sk 0 buf pos skbytes + + let equal : + type a. a key -> a key -> bool = fun a b -> match a, b with + | Pk a, Pk b -> Bigstring.equal a b + | Sk a, Sk b -> Bigstring.equal a b + + (* pk -> sk -> unit *) + external neuterize : + Bigstring.t -> Bigstring.t -> unit = + "ml_Hacl_Ed25519_secret_to_public" [@@noalloc] + + let neuterize : type a. a key -> public key = function + | Pk pk -> Pk pk + | Sk sk -> + let pk = Bigstring.create pkbytes in + neuterize pk sk ; + Pk pk + + let keypair () = + let sk = Sk (Rand.gen skbytes) in + neuterize sk, sk + + (* sig -> sk -> m -> unit *) + external sign : + Bigstring.t -> Bigstring.t -> Bigstring.t -> unit = + "ml_Hacl_Ed25519_sign" [@@noalloc] + + let sign ~sk:(Sk sk) ~msg ~signature = + if Bigstring.length signature < bytes then + invalid_arg (Printf.sprintf "Sign.write_sign: output buffer must \ + be at least %d bytes long" bytes) ; + sign signature sk msg + + (* pk -> m -> sig -> bool *) + external verify : + Bigstring.t -> Bigstring.t -> Bigstring.t -> bool = + "ml_Hacl_Ed25519_verify" [@@noalloc] + + let verify ~pk:(Pk pk) ~msg ~signature = + verify pk msg signature +end diff --git a/vendors/ocaml-hacl/src/hacl.mli b/vendors/ocaml-hacl/src/hacl.mli new file mode 100644 index 000000000..84f2f361c --- /dev/null +++ b/vendors/ocaml-hacl/src/hacl.mli @@ -0,0 +1,181 @@ +(* Copyright 2018 Vincent Bernardoff, Marco Stronati. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. *) + +module Rand : sig + val write : Bigstring.t -> unit + (** [write buf] writes random bytes on [buf]. *) + + val gen : int -> Bigstring.t + (** [gen len] is a random buffer of length [len]. *) +end + +module Hash : sig + module SHA256 : sig + type state + + (** Incremental Interface *) + + val init : unit -> state + val update : state -> Bigstring.t -> unit + val finish : state -> Bigstring.t + + (** Direct Interface *) + + val digest : Bigstring.t -> Bigstring.t + end + + module SHA512 : sig + type state + + (** Incremental Interface *) + + val init : unit -> state + val update : state -> Bigstring.t -> unit + val finish : state -> Bigstring.t + + (** Direct Interface *) + + val digest : Bigstring.t -> Bigstring.t + end + + module HMAC_SHA256 : sig + val write_hmac : + key:Bigstring.t -> msg:Bigstring.t -> Bigstring.t -> unit + (** @raise [Invalid_argument] if argument is less than 32 bytes long *) + + val hmac : + key:Bigstring.t -> msg:Bigstring.t -> Bigstring.t + end +end + +module Nonce : sig + type t = Bigstring.t + val bytes : int + val gen : unit -> t + val increment : ?step:int -> t -> t +end + +module Secretbox : sig + type key + + val keybytes : int + val zerobytes : int + val boxzerobytes : int + + val unsafe_of_bytes : Bigstring.t -> key + (** @raise [Invalid_argument] if argument is not [keybytes] bytes long *) + + val blit_of_bytes : Bigstring.t -> int -> key + (** @raise [Invalid_argument] if argument is not [keybytes] bytes long *) + + val genkey : unit -> key + + val box : + key:key -> nonce:Bigstring.t -> + msg:Bigstring.t -> cmsg:Bigstring.t -> unit + + val box_open : + key:key -> nonce:Bigstring.t -> + cmsg:Bigstring.t -> msg:Bigstring.t -> bool +end + +type secret +type public + +module Box : sig + type combined + type _ key + + val skbytes : int + val pkbytes : int + val ckbytes : int + val zerobytes : int + val boxzerobytes : int + + val equal : 'a key -> 'a key -> bool + + val unsafe_to_bytes : _ key -> Bigstring.t + (** [unsafe_to_bytes k] is the internal [Bigstring.t] where the key + is stored. DO NOT MODIFY. *) + + val blit_to_bytes : _ key -> ?pos:int -> Bigstring.t -> unit + + val unsafe_sk_of_bytes : Bigstring.t -> secret key + (** @raise [Invalid_argument] if argument is not [skbytes] bytes long *) + + val unsafe_pk_of_bytes : Bigstring.t -> public key + (** @raise [Invalid_argument] if argument is not [pkbytes] bytes long *) + + val unsafe_ck_of_bytes : Bigstring.t -> combined key + (** @raise [Invalid_argument] if argument is not [ckbytes] bytes long *) + + val of_seed : ?pos:int -> Bigstring.t -> secret key + (** @raise [Invalid_argument] if [pos] is outside the buffer or the buffer + is less than [skbytes] bytes long *) + + val neuterize : secret key -> public key + val keypair : unit -> public key * secret key + val dh : public key -> secret key -> combined key + + val box : + k:combined key -> nonce:Bigstring.t -> + msg:Bigstring.t -> cmsg:Bigstring.t -> unit + + val box_open : + k:combined key -> nonce:Bigstring.t -> + cmsg:Bigstring.t -> msg:Bigstring.t -> bool +end + +module Sign : sig + type _ key + + val bytes : int + val pkbytes : int + val skbytes : int + + val equal : 'a key -> 'a key -> bool + + val unsafe_sk_of_bytes : Bigstring.t -> secret key + (** @raise [Invalid_argument] if argument is less than [skbytes] bytes long *) + + val unsafe_pk_of_bytes : Bigstring.t -> public key + (** @raise [Invalid_argument] if argument is less than [pkbytes] bytes long *) + + val unsafe_to_bytes : _ key -> Bigstring.t + (** [unsafe_to_bytes k] is the internal [Bigstring.t] where the key + is stored. DO NOT MODIFY. *) + + val blit_to_bytes : _ key -> ?pos:int -> Bigstring.t -> unit + + val neuterize : _ key -> public key + val keypair : unit -> public key * secret key + + val sign : + sk:secret key -> msg:Bigstring.t -> signature:Bigstring.t -> unit + (** [sign sk msg buf] writes the signature of [msg] with [sk] at + [buf]. + + @raises [Invalid_argument] if [buf] is smaller than [bytes] + bytes long. *) + + val verify : + pk:public key -> msg:Bigstring.t -> signature:Bigstring.t -> bool +end diff --git a/vendors/ocaml-hacl/src/hacl_stubs.c b/vendors/ocaml-hacl/src/hacl_stubs.c new file mode 100644 index 000000000..e1328d39e --- /dev/null +++ b/vendors/ocaml-hacl/src/hacl_stubs.c @@ -0,0 +1,165 @@ +/* Copyright 2018 Vincent Bernardoff, Marco Stronati. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + */ + +#include +#include + +#include "Hacl_Unverified_Random.h" +CAMLprim value ml_randombytes(value buf) { + randombytes(Caml_ba_data_val(buf), + Caml_ba_array_val(buf)->dim[0]); + return Val_unit; +} + +#include "Hacl_HMAC_SHA2_256.h" +CAMLprim value ml_Hacl_HMAC_SHA2_256_hmac(value mac, value key, value data) { + Hacl_HMAC_SHA2_256_hmac(Caml_ba_data_val(mac), + Caml_ba_data_val(key), + Caml_ba_array_val(key)->dim[0], + Caml_ba_data_val(data), + Caml_ba_array_val(data)->dim[0]); + return Val_unit; +} + +#include "Hacl_SHA2_256.h" +CAMLprim value ml_Hacl_SHA2_256_init(value state) { + Hacl_SHA2_256_init(Caml_ba_data_val(state)); + return Val_unit; +} + +CAMLprim value ml_Hacl_SHA2_256_update(value state, value data) { + Hacl_SHA2_256_update(Caml_ba_data_val(state), + Caml_ba_data_val(data)); + return Val_unit; +} + +CAMLprim value ml_Hacl_SHA2_256_update_last(value state, value data, value datalen) { + Hacl_SHA2_256_update_last(Caml_ba_data_val(state), + Caml_ba_data_val(data), + Int_val(datalen)); + return Val_unit; +} + +CAMLprim value ml_Hacl_SHA2_256_finish(value state, value hash) { + Hacl_SHA2_256_finish(Caml_ba_data_val(state), + Caml_ba_data_val(hash)); + return Val_unit; +} + +#include "Hacl_SHA2_512.h" +CAMLprim value ml_Hacl_SHA2_512_init(value state) { + Hacl_SHA2_512_init(Caml_ba_data_val(state)); + return Val_unit; +} + +CAMLprim value ml_Hacl_SHA2_512_update(value state, value data) { + Hacl_SHA2_512_update(Caml_ba_data_val(state), + Caml_ba_data_val(data)); + return Val_unit; +} + +CAMLprim value ml_Hacl_SHA2_512_update_last(value state, value data, value datalen) { + Hacl_SHA2_512_update_last(Caml_ba_data_val(state), + Caml_ba_data_val(data), + Int_val(datalen)); + return Val_unit; +} + +CAMLprim value ml_Hacl_SHA2_512_finish(value state, value hash) { + Hacl_SHA2_512_finish(Caml_ba_data_val(state), + Caml_ba_data_val(hash)); + return Val_unit; +} + +#include "Hacl_Curve25519.h" +CAMLprim value ml_Hacl_Curve25519_crypto_scalarmult(value pk, value sk, value basepoint) { + Hacl_Curve25519_crypto_scalarmult(Caml_ba_data_val(pk), + Caml_ba_data_val(sk), + Caml_ba_data_val(basepoint)); + return Val_unit; +} + +#include "NaCl.h" +CAMLprim value ml_NaCl_crypto_secretbox_easy(value c, value m, value n, value k) { + NaCl_crypto_secretbox_easy(Caml_ba_data_val(c), + Caml_ba_data_val(m), + Caml_ba_array_val(m)->dim[0] - 32, + Caml_ba_data_val(n), + Caml_ba_data_val(k)); + return Val_unit; +} + +CAMLprim value ml_NaCl_crypto_secretbox_open_detached(value m, value c, value mac, + value n, value k) { + return Val_int(NaCl_crypto_secretbox_open_detached(Caml_ba_data_val(m), + Caml_ba_data_val(c), + Caml_ba_data_val(mac), + Caml_ba_array_val(c)->dim[0] - 32, + Caml_ba_data_val(n), + Caml_ba_data_val(k))); +} + +CAMLprim value ml_NaCl_crypto_box_beforenm(value k, value pk, value sk) { + NaCl_crypto_box_beforenm(Caml_ba_data_val(k), + Caml_ba_data_val(pk), + Caml_ba_data_val(sk)); + return Val_unit; +} + +CAMLprim value ml_NaCl_crypto_box_easy_afternm(value c, value m, value n, value k) { + NaCl_crypto_box_easy_afternm(Caml_ba_data_val(c), + Caml_ba_data_val(m), + Caml_ba_array_val(m)->dim[0] - 32, + Caml_ba_data_val(n), + Caml_ba_data_val(k)); + return Val_unit; +} + +CAMLprim value ml_NaCl_crypto_box_open_easy_afternm(value m, value c, value n, value k) { + return Val_int(NaCl_crypto_box_open_easy_afternm(Caml_ba_data_val(m), + Caml_ba_data_val(c), + Caml_ba_array_val(c)->dim[0] - 32, + Caml_ba_data_val(n), + Caml_ba_data_val(k))); +} + +#include "Hacl_Ed25519.h" +CAMLprim value ml_Hacl_Ed25519_secret_to_public(value pk, value sk) { + Hacl_Ed25519_secret_to_public(Caml_ba_data_val(pk), + Caml_ba_data_val(sk)); + return Val_unit; +} + +CAMLprim value ml_Hacl_Ed25519_sign(value sig, value sk, value m) { + Hacl_Ed25519_sign(Caml_ba_data_val(sig), + Caml_ba_data_val(sk), + Caml_ba_data_val(m), + Caml_ba_array_val(m)->dim[0]); + return Val_unit; +} + +CAMLprim value ml_Hacl_Ed25519_verify(value pk, value m, value sig) { + return Val_bool(Hacl_Ed25519_verify(Caml_ba_data_val(pk), + Caml_ba_data_val(m), + Caml_ba_array_val(m)->dim[0], + Caml_ba_data_val(sig))); +} diff --git a/vendors/ocaml-hacl/src/jbuild b/vendors/ocaml-hacl/src/jbuild new file mode 100644 index 000000000..519cb83bf --- /dev/null +++ b/vendors/ocaml-hacl/src/jbuild @@ -0,0 +1,26 @@ +(jbuild_version 1) + +(library + ((name hacl) + (public_name hacl) + (libraries (bigstring ocplib-endian.bigstring zarith)) + (c_names (hacl_stubs + kremlib + FStar + Hacl_Policies + AEAD_Poly1305_64 + Hacl_Chacha20 + Hacl_Chacha20Poly1305 + Hacl_Curve25519 + Hacl_Ed25519 + Hacl_Poly1305_32 + Hacl_Poly1305_64 + Hacl_SHA2_256 + Hacl_SHA2_384 + Hacl_SHA2_512 + Hacl_HMAC_SHA2_256 + Hacl_Salsa20 + NaCl + Hacl_Unverified_Random)) + (c_flags (-O3 -Wall -Werror -Wfatal-errors)) +)) diff --git a/vendors/ocaml-hacl/src/kremlib.c b/vendors/ocaml-hacl/src/kremlib.c new file mode 100644 index 000000000..d83d1ba2a --- /dev/null +++ b/vendors/ocaml-hacl/src/kremlib.c @@ -0,0 +1,39 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ +#include "kremlib.h" +#include + +int exit_success = EXIT_SUCCESS; +int exit_failure = EXIT_FAILURE; + +void print_string(const char *s) { + printf("%s", s); +} + +void print_bytes(uint8_t *b, uint32_t len) { + uint32_t i; + for (i = 0; i < len; i++){ + printf("%02x", b[i]); + } + printf("\n"); +} diff --git a/vendors/ocaml-hacl/src/kremlib.h b/vendors/ocaml-hacl/src/kremlib.h new file mode 100644 index 000000000..138846acd --- /dev/null +++ b/vendors/ocaml-hacl/src/kremlib.h @@ -0,0 +1,569 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ +#ifndef __KREMLIB_H +#define __KREMLIB_H + +#include "kremlib_base.h" + + +/* For tests only: we might need this function to be forward-declared, because + * the dependency on WasmSupport appears very late, after SimplifyWasm, and + * sadly, after the topological order has been done. */ +void WasmSupport_check_buffer_size(uint32_t s); + +/******************************************************************************/ +/* Stubs to ease compilation of non-Low* code */ +/******************************************************************************/ + +/* Some types that KreMLin has no special knowledge of; many of them appear in + * signatures of ghost functions, meaning that it suffices to give them (any) + * definition. */ +typedef void *FStar_Seq_Base_seq, *Prims_prop, *FStar_HyperStack_mem, + *FStar_Set_set, *Prims_st_pre_h, *FStar_Heap_heap, *Prims_all_pre_h, + *FStar_TSet_set, *Prims_list, *FStar_Map_t, *FStar_UInt63_t_, + *FStar_Int63_t_, *FStar_UInt63_t, *FStar_Int63_t, *FStar_UInt_uint_t, + *FStar_Int_int_t, *FStar_HyperStack_stackref, *FStar_Bytes_bytes, + *FStar_HyperHeap_rid, *FStar_Heap_aref, *FStar_Monotonic_Heap_heap, + *FStar_Monotonic_Heap_aref, *FStar_Monotonic_HyperHeap_rid, + *FStar_Monotonic_HyperStack_mem, *FStar_Char_char_; + +typedef const char *Prims_string; + +/* For "bare" targets that do not have a C stdlib, the user might want to use + * [-add-include '"mydefinitions.h"'] and override these. */ +#ifndef KRML_HOST_PRINTF +# define KRML_HOST_PRINTF printf +#endif + +#ifndef KRML_HOST_EXIT +# define KRML_HOST_EXIT exit +#endif + +#ifndef KRML_HOST_MALLOC +# define KRML_HOST_MALLOC malloc +#endif + +/* In statement position, exiting is easy. */ +#define KRML_EXIT \ + do { \ + KRML_HOST_PRINTF("Unimplemented function at %s:%d\n", __FILE__, __LINE__); \ + KRML_HOST_EXIT(254); \ + } while (0) + +/* In expression position, use the comma-operator and a malloc to return an + * expression of the right size. KreMLin passes t as the parameter to the macro. + */ +#define KRML_EABORT(t, msg) \ + (KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, msg), \ + KRML_HOST_EXIT(255), *((t *)KRML_HOST_MALLOC(sizeof(t)))) + +/* In FStar.Buffer.fst, the size of arrays is uint32_t, but it's a number of + * *elements*. Do an ugly, run-time check (some of which KreMLin can eliminate). + */ +#define KRML_CHECK_SIZE(elt, size) \ + if (((size_t)size) > SIZE_MAX / sizeof(elt)) { \ + KRML_HOST_PRINTF( \ + "Maximum allocatable size exceeded, aborting before overflow at " \ + "%s:%d\n", \ + __FILE__, __LINE__); \ + KRML_HOST_EXIT(253); \ + } + +/* A series of GCC atrocities to trace function calls (kremlin's [-d c-calls] + * option). Useful when trying to debug, say, Wasm, to compare traces. */ +/* clang-format off */ +#ifdef __GNUC__ +#define KRML_FORMAT(X) _Generic((X), \ + uint8_t : "0x%08" PRIx8, \ + uint16_t: "0x%08" PRIx16, \ + uint32_t: "0x%08" PRIx32, \ + uint64_t: "0x%08" PRIx64, \ + int8_t : "0x%08" PRIx8, \ + int16_t : "0x%08" PRIx16, \ + int32_t : "0x%08" PRIx32, \ + int64_t : "0x%08" PRIx64, \ + default : "%s") + +#define KRML_FORMAT_ARG(X) _Generic((X), \ + uint8_t : X, \ + uint16_t: X, \ + uint32_t: X, \ + uint64_t: X, \ + int8_t : X, \ + int16_t : X, \ + int32_t : X, \ + int64_t : X, \ + default : "unknown") +/* clang-format on */ + +# define KRML_DEBUG_RETURN(X) \ + ({ \ + __auto_type _ret = (X); \ + KRML_HOST_PRINTF("returning: "); \ + KRML_HOST_PRINTF(KRML_FORMAT(_ret), KRML_FORMAT_ARG(_ret)); \ + KRML_HOST_PRINTF(" \n"); \ + _ret; \ + }) +#endif + +#define FStar_Buffer_eqb(b1, b2, n) \ + (memcmp((b1), (b2), (n) * sizeof((b1)[0])) == 0) + +/* Stubs to make ST happy. Important note: you must generate a use of the macro + * argument, otherwise, you may have FStar_ST_recall(f) as the only use of f; + * KreMLin will think that this is a valid use, but then the C compiler, after + * macro expansion, will error out. */ +#define FStar_HyperHeap_root 0 +#define FStar_Pervasives_Native_fst(x) (x).fst +#define FStar_Pervasives_Native_snd(x) (x).snd +#define FStar_Seq_Base_createEmpty(x) 0 +#define FStar_Seq_Base_create(len, init) 0 +#define FStar_Seq_Base_upd(s, i, e) 0 +#define FStar_Seq_Base_eq(l1, l2) 0 +#define FStar_Seq_Base_length(l1) 0 +#define FStar_Seq_Base_append(x, y) 0 +#define FStar_Seq_Base_slice(x, y, z) 0 +#define FStar_Seq_Properties_snoc(x, y) 0 +#define FStar_Seq_Properties_cons(x, y) 0 +#define FStar_Seq_Base_index(x, y) 0 +#define FStar_HyperStack_is_eternal_color(x) 0 +#define FStar_Monotonic_HyperHeap_root 0 +#define FStar_Buffer_to_seq_full(x) 0 +#define FStar_Buffer_recall(x) +#define FStar_HyperStack_ST_op_Colon_Equals(x, v) KRML_EXIT +#define FStar_HyperStack_ST_op_Bang(x) 0 +#define FStar_HyperStack_ST_salloc(x) 0 +#define FStar_HyperStack_ST_ralloc(x, y) 0 +#define FStar_HyperStack_ST_new_region(x) (0) +#define FStar_Monotonic_RRef_m_alloc(x) \ + { 0 } + +#define FStar_HyperStack_ST_recall(x) \ + do { \ + (void)(x); \ + } while (0) + +#define FStar_HyperStack_ST_recall_region(x) \ + do { \ + (void)(x); \ + } while (0) + +#define FStar_Monotonic_RRef_m_recall(x1, x2) \ + do { \ + (void)(x1); \ + (void)(x2); \ + } while (0) + +#define FStar_Monotonic_RRef_m_write(x1, x2, x3, x4, x5) \ + do { \ + (void)(x1); \ + (void)(x2); \ + (void)(x3); \ + (void)(x4); \ + (void)(x5); \ + } while (0) + +/******************************************************************************/ +/* Endian-ness macros that can only be implemented in C */ +/******************************************************************************/ + +/* ... for Linux */ +#if defined(__linux__) || defined(__CYGWIN__) +# include + +/* ... for OSX */ +#elif defined(__APPLE__) +# include +# define htole64(x) OSSwapHostToLittleInt64(x) +# define le64toh(x) OSSwapLittleToHostInt64(x) +# define htobe64(x) OSSwapHostToBigInt64(x) +# define be64toh(x) OSSwapBigToHostInt64(x) + +# define htole16(x) OSSwapHostToLittleInt16(x) +# define le16toh(x) OSSwapLittleToHostInt16(x) +# define htobe16(x) OSSwapHostToBigInt16(x) +# define be16toh(x) OSSwapBigToHostInt16(x) + +# define htole32(x) OSSwapHostToLittleInt32(x) +# define le32toh(x) OSSwapLittleToHostInt32(x) +# define htobe32(x) OSSwapHostToBigInt32(x) +# define be32toh(x) OSSwapBigToHostInt32(x) + +/* ... for Solaris */ +#elif defined(__sun__) +# include +# define htole64(x) LE_64(x) +# define le64toh(x) LE_64(x) +# define htobe64(x) BE_64(x) +# define be64toh(x) BE_64(x) + +# define htole16(x) LE_16(x) +# define le16toh(x) LE_16(x) +# define htobe16(x) BE_16(x) +# define be16toh(x) BE_16(x) + +# define htole32(x) LE_32(x) +# define le32toh(x) LE_32(x) +# define htobe32(x) BE_32(x) +# define be32toh(x) BE_32(x) + +/* ... for the BSDs */ +#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) +# include +#elif defined(__OpenBSD__) +# include + +/* ... for Windows (MSVC)... not targeting XBOX 360! */ +#elif defined(_MSC_VER) + +# include +# define htobe16(x) _byteswap_ushort(x) +# define htole16(x) (x) +# define be16toh(x) _byteswap_ushort(x) +# define le16toh(x) (x) + +# define htobe32(x) _byteswap_ulong(x) +# define htole32(x) (x) +# define be32toh(x) _byteswap_ulong(x) +# define le32toh(x) (x) + +# define htobe64(x) _byteswap_uint64(x) +# define htole64(x) (x) +# define be64toh(x) _byteswap_uint64(x) +# define le64toh(x) (x) + +/* ... for Windows (GCC-like, e.g. mingw or clang) */ +#elif (defined(_WIN32) || defined(_WIN64)) && \ + (defined(__GNUC__) || defined(__clang__)) + +# define htobe16(x) __builtin_bswap16(x) +# define htole16(x) (x) +# define be16toh(x) __builtin_bswap16(x) +# define le16toh(x) (x) + +# define htobe32(x) __builtin_bswap32(x) +# define htole32(x) (x) +# define be32toh(x) __builtin_bswap32(x) +# define le32toh(x) (x) + +# define htobe64(x) __builtin_bswap64(x) +# define htole64(x) (x) +# define be64toh(x) __builtin_bswap64(x) +# define le64toh(x) (x) + +/* ... generic big-endian fallback code */ +#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* byte swapping code inspired by: + * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h + * */ + +# define htobe32(x) (x) +# define be32toh(x) (x) +# define htole32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +# define le32toh(x) (htole32((x))) + +# define htobe64(x) (x) +# define be64toh(x) (x) +# define htole64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +# define le64toh(x) (htole64((x))) + +/* ... generic little-endian fallback code */ +#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + +# define htole32(x) (x) +# define le32toh(x) (x) +# define htobe32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +# define be32toh(x) (htobe32((x))) + +# define htole64(x) (x) +# define le64toh(x) (x) +# define htobe64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +# define be64toh(x) (htobe64((x))) + +/* ... couldn't determine endian-ness of the target platform */ +#else +# error "Please define __BYTE_ORDER__!" + +#endif /* defined(__linux__) || ... */ + +/* Loads and stores. These avoid undefined behavior due to unaligned memory + * accesses, via memcpy. */ + +inline static uint16_t load16(uint8_t *b) { + uint16_t x; + memcpy(&x, b, 2); + return x; +} + +inline static uint32_t load32(uint8_t *b) { + uint32_t x; + memcpy(&x, b, 4); + return x; +} + +inline static uint64_t load64(uint8_t *b) { + uint64_t x; + memcpy(&x, b, 8); + return x; +} + +inline static void store16(uint8_t *b, uint16_t i) { memcpy(b, &i, 2); } + +inline static void store32(uint8_t *b, uint32_t i) { memcpy(b, &i, 4); } + +inline static void store64(uint8_t *b, uint64_t i) { memcpy(b, &i, 8); } + +#define load16_le(b) (le16toh(load16(b))) +#define store16_le(b, i) (store16(b, htole16(i))) +#define load16_be(b) (be16toh(load16(b))) +#define store16_be(b, i) (store16(b, htobe16(i))) + +#define load32_le(b) (le32toh(load32(b))) +#define store32_le(b, i) (store32(b, htole32(i))) +#define load32_be(b) (be32toh(load32(b))) +#define store32_be(b, i) (store32(b, htobe32(i))) + +#define load64_le(b) (le64toh(load64(b))) +#define store64_le(b, i) (store64(b, htole64(i))) +#define load64_be(b) (be64toh(load64(b))) +#define store64_be(b, i) (store64(b, htobe64(i))) + +/******************************************************************************/ +/* Checked integers to ease the compilation of non-Low* code */ +/******************************************************************************/ + +typedef int32_t Prims_pos, Prims_nat, Prims_nonzero, Prims_int, + krml_checked_int_t; + +inline static bool Prims_op_GreaterThanOrEqual(int32_t x, int32_t y) { + return x >= y; +} + +inline static bool Prims_op_LessThanOrEqual(int32_t x, int32_t y) { + return x <= y; +} + +inline static bool Prims_op_GreaterThan(int32_t x, int32_t y) { return x > y; } + +inline static bool Prims_op_LessThan(int32_t x, int32_t y) { return x < y; } + +#define RETURN_OR(x) \ + do { \ + int64_t __ret = x; \ + if (__ret < INT32_MIN || INT32_MAX < __ret) { \ + KRML_HOST_PRINTF("Prims.{int,nat,pos} integer overflow at %s:%d\n", \ + __FILE__, __LINE__); \ + KRML_HOST_EXIT(252); \ + } \ + return (int32_t)__ret; \ + } while (0) + +inline static int32_t Prims_pow2(int32_t x) { + RETURN_OR((int64_t)1 << (int64_t)x); +} + +inline static int32_t Prims_op_Multiply(int32_t x, int32_t y) { + RETURN_OR((int64_t)x * (int64_t)y); +} + +inline static int32_t Prims_op_Addition(int32_t x, int32_t y) { + RETURN_OR((int64_t)x + (int64_t)y); +} + +inline static int32_t Prims_op_Subtraction(int32_t x, int32_t y) { + RETURN_OR((int64_t)x - (int64_t)y); +} + +inline static int32_t Prims_op_Division(int32_t x, int32_t y) { + RETURN_OR((int64_t)x / (int64_t)y); +} + +inline static int32_t Prims_op_Modulus(int32_t x, int32_t y) { + RETURN_OR((int64_t)x % (int64_t)y); +} + +inline static int8_t FStar_UInt8_uint_to_t(int8_t x) { return x; } +inline static int16_t FStar_UInt16_uint_to_t(int16_t x) { return x; } +inline static int32_t FStar_UInt32_uint_to_t(int32_t x) { return x; } +inline static int64_t FStar_UInt64_uint_to_t(int64_t x) { return x; } + +inline static int8_t FStar_UInt8_v(int8_t x) { return x; } +inline static int16_t FStar_UInt16_v(int16_t x) { return x; } +inline static int32_t FStar_UInt32_v(int32_t x) { return x; } +inline static int64_t FStar_UInt64_v(int64_t x) { return x; } + + +/* Platform-specific 128-bit arithmetic. These are static functions in a header, + * so that each translation unit gets its own copy and the C compiler can + * optimize. */ +#ifndef KRML_NOUINT128 +typedef unsigned __int128 FStar_UInt128_t, FStar_UInt128_t_, uint128_t; + +static inline void print128(const char *where, uint128_t n) { + KRML_HOST_PRINTF("%s: [%" PRIu64 ",%" PRIu64 "]\n", where, + (uint64_t)(n >> 64), (uint64_t)n); +} + +static inline uint128_t load128_le(uint8_t *b) { + uint128_t l = (uint128_t)load64_le(b); + uint128_t h = (uint128_t)load64_le(b + 8); + return (h << 64 | l); +} + +static inline void store128_le(uint8_t *b, uint128_t n) { + store64_le(b, (uint64_t)n); + store64_le(b + 8, (uint64_t)(n >> 64)); +} + +static inline uint128_t load128_be(uint8_t *b) { + uint128_t h = (uint128_t)load64_be(b); + uint128_t l = (uint128_t)load64_be(b + 8); + return (h << 64 | l); +} + +static inline void store128_be(uint8_t *b, uint128_t n) { + store64_be(b, (uint64_t)(n >> 64)); + store64_be(b + 8, (uint64_t)n); +} + +# define FStar_UInt128_add(x, y) ((x) + (y)) +# define FStar_UInt128_mul(x, y) ((x) * (y)) +# define FStar_UInt128_add_mod(x, y) ((x) + (y)) +# define FStar_UInt128_sub(x, y) ((x) - (y)) +# define FStar_UInt128_sub_mod(x, y) ((x) - (y)) +# define FStar_UInt128_logand(x, y) ((x) & (y)) +# define FStar_UInt128_logor(x, y) ((x) | (y)) +# define FStar_UInt128_logxor(x, y) ((x) ^ (y)) +# define FStar_UInt128_lognot(x) (~(x)) +# define FStar_UInt128_shift_left(x, y) ((x) << (y)) +# define FStar_UInt128_shift_right(x, y) ((x) >> (y)) +# define FStar_UInt128_uint64_to_uint128(x) ((uint128_t)(x)) +# define FStar_UInt128_uint128_to_uint64(x) ((uint64_t)(x)) +# define FStar_UInt128_mul_wide(x, y) ((uint128_t)(x) * (y)) +# define FStar_UInt128_op_Hat_Hat(x, y) ((x) ^ (y)) + +static inline uint128_t FStar_UInt128_eq_mask(uint128_t x, uint128_t y) { + uint64_t mask = + FStar_UInt64_eq_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)) & + FStar_UInt64_eq_mask(x, y); + return ((uint128_t)mask) << 64 | mask; +} + +static inline uint128_t FStar_UInt128_gte_mask(uint128_t x, uint128_t y) { + uint64_t mask = + (FStar_UInt64_gte_mask(x >> 64, y >> 64) & + ~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) | + (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask(x, y)); + return ((uint128_t)mask) << 64 | mask; +} + + + +# else /* !defined(KRML_NOUINT128) */ + + /* This is a bad circular dependency... should fix it properly. */ +# include "FStar.h" + +typedef FStar_UInt128_uint128 FStar_UInt128_t_, uint128_t; + +/* A series of definitions written using pointers. */ +static inline void print128_(const char *where, uint128_t *n) { + KRML_HOST_PRINTF("%s: [0x%08" PRIx64 ",0x%08" PRIx64 "]\n", where, n->high, n->low); +} + +static inline void load128_le_(uint8_t *b, uint128_t *r) { + r->low = load64_le(b); + r->high = load64_le(b + 8); +} + +static inline void store128_le_(uint8_t *b, uint128_t *n) { + store64_le(b, n->low); + store64_le(b + 8, n->high); +} + +static inline void load128_be_(uint8_t *b, uint128_t *r) { + r->high = load64_be(b); + r->low = load64_be(b + 8); +} + +static inline void store128_be_(uint8_t *b, uint128_t *n) { + store64_be(b, n->high); + store64_be(b + 8, n->low); +} + +# ifndef KRML_NOSTRUCT_PASSING + +static inline void print128(const char *where, uint128_t n) { + print128_(where, &n); +} + +static inline uint128_t load128_le(uint8_t *b) { + uint128_t r; + load128_le_(b, &r); + return r; +} + +static inline void store128_le(uint8_t *b, uint128_t n) { store128_le_(b, &n); } + +static inline uint128_t load128_be(uint8_t *b) { + uint128_t r; + load128_be_(b, &r); + return r; +} + +static inline void store128_be(uint8_t *b, uint128_t n) { store128_be_(b, &n); } + +# else /* !defined(KRML_STRUCT_PASSING) */ + +# define print128 print128_ +# define load128_le load128_le_ +# define store128_le store128_le_ +# define load128_be load128_be_ +# define store128_be store128_be_ + +# endif /* KRML_STRUCT_PASSING */ +# endif /* KRML_UINT128 */ +#endif /* __KREMLIB_H */ diff --git a/vendors/ocaml-hacl/src/kremlib_base.h b/vendors/ocaml-hacl/src/kremlib_base.h new file mode 100644 index 000000000..b8479efde --- /dev/null +++ b/vendors/ocaml-hacl/src/kremlib_base.h @@ -0,0 +1,181 @@ +/* MIT License + * + * Copyright (c) 2016-2017 INRIA and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ +#ifndef __KREMLIB_BASE_H +#define __KREMLIB_BASE_H + +#include +#include +#include +#include +#include +#include +#include + +/******************************************************************************/ +/* Some macros to ease compatibility */ +/******************************************************************************/ + +/* Define __cdecl and friends when using GCC, so that we can safely compile code + * that contains __cdecl on all platforms. Note that this is in a separate + * header so that Dafny-generated code can include just this file. */ +#ifndef _MSC_VER +/* Use the gcc predefined macros if on a platform/architectures that set them. + * Otherwise define them to be empty. */ +#ifndef __cdecl +#define __cdecl +#endif +#ifndef __stdcall +#define __stdcall +#endif +#ifndef __fastcall +#define __fastcall +#endif +#endif + +#ifdef __GNUC__ +# define inline __inline__ +#endif + +/* GCC-specific attribute syntax; everyone else gets the standard C inline + * attribute. */ +#ifdef __GNU_C__ +# ifndef __clang__ +# define force_inline inline __attribute__((always_inline)) +# else +# define force_inline inline +# endif +#else +# define force_inline inline +#endif + + +/******************************************************************************/ +/* Implementing C.fst */ +/******************************************************************************/ + +/* Uppercase issue; we have to define lowercase versions of the C macros (as we + * have no way to refer to an uppercase *variable* in F*). */ +extern int exit_success; +extern int exit_failure; + +/* This one allows the user to write C.EXIT_SUCCESS. */ +typedef int exit_code; + +void print_string(const char *s); +void print_bytes(uint8_t *b, uint32_t len); + +/* The universal null pointer defined in C.Nullity.fst */ +#define C_Nullity_null(X) 0 + +/* If some globals need to be initialized before the main, then kremlin will + * generate and try to link last a function with this type: */ +void kremlinit_globals(void); + +/******************************************************************************/ +/* Implementation of machine integers (possibly of 128-bit integers) */ +/******************************************************************************/ + +/* Integer types */ +typedef uint64_t FStar_UInt64_t, FStar_UInt64_t_; +typedef int64_t FStar_Int64_t, FStar_Int64_t_; +typedef uint32_t FStar_UInt32_t, FStar_UInt32_t_; +typedef int32_t FStar_Int32_t, FStar_Int32_t_; +typedef uint16_t FStar_UInt16_t, FStar_UInt16_t_; +typedef int16_t FStar_Int16_t, FStar_Int16_t_; +typedef uint8_t FStar_UInt8_t, FStar_UInt8_t_; +typedef int8_t FStar_Int8_t, FStar_Int8_t_; + +static inline uint32_t rotate32_left(uint32_t x, uint32_t n) { + /* assert (n<32); */ + return (x << n) | (x >> (32 - n)); +} +static inline uint32_t rotate32_right(uint32_t x, uint32_t n) { + /* assert (n<32); */ + return (x >> n) | (x << (32 - n)); +} + +/* Constant time comparisons */ +static inline uint8_t FStar_UInt8_eq_mask(uint8_t x, uint8_t y) { + x = ~(x ^ y); + x &= x << 4; + x &= x << 2; + x &= x << 1; + return (int8_t)x >> 7; +} + +static inline uint8_t FStar_UInt8_gte_mask(uint8_t x, uint8_t y) { + return ~(uint8_t)(((int32_t)x - y) >> 31); +} + +static inline uint16_t FStar_UInt16_eq_mask(uint16_t x, uint16_t y) { + x = ~(x ^ y); + x &= x << 8; + x &= x << 4; + x &= x << 2; + x &= x << 1; + return (int16_t)x >> 15; +} + +static inline uint16_t FStar_UInt16_gte_mask(uint16_t x, uint16_t y) { + return ~(uint16_t)(((int32_t)x - y) >> 31); +} + +static inline uint32_t FStar_UInt32_eq_mask(uint32_t x, uint32_t y) { + x = ~(x ^ y); + x &= x << 16; + x &= x << 8; + x &= x << 4; + x &= x << 2; + x &= x << 1; + return ((int32_t)x) >> 31; +} + +static inline uint32_t FStar_UInt32_gte_mask(uint32_t x, uint32_t y) { + return ~((uint32_t)(((int64_t)x - y) >> 63)); +} + +static inline uint64_t FStar_UInt64_eq_mask(uint64_t x, uint64_t y) { + x = ~(x ^ y); + x &= x << 32; + x &= x << 16; + x &= x << 8; + x &= x << 4; + x &= x << 2; + x &= x << 1; + return ((int64_t)x) >> 63; +} + +static inline uint64_t FStar_UInt64_gte_mask(uint64_t x, uint64_t y) { + uint64_t low63 = + ~((uint64_t)((int64_t)((int64_t)(x & UINT64_C(0x7fffffffffffffff)) - + (int64_t)(y & UINT64_C(0x7fffffffffffffff))) >> + 63)); + uint64_t high_bit = + ~((uint64_t)((int64_t)((int64_t)(x & UINT64_C(0x8000000000000000)) - + (int64_t)(y & UINT64_C(0x8000000000000000))) >> + 63)); + return low63 & high_bit; +} + + +#endif diff --git a/vendors/ocaml-hacl/test/jbuild b/vendors/ocaml-hacl/test/jbuild new file mode 100644 index 000000000..a36d9064e --- /dev/null +++ b/vendors/ocaml-hacl/test/jbuild @@ -0,0 +1,14 @@ +(jbuild_version 1) + +(executable + ((name test) + (libraries (hex hacl alcotest)))) + +(alias + ((name runtest-hacl) + (deps (test.exe)) + (action (run ${<})))) + +(alias + ((name runtest) + (deps ((alias runtest-hacl))))) diff --git a/vendors/ocaml-hacl/test/test.ml b/vendors/ocaml-hacl/test/test.ml new file mode 100644 index 000000000..8b1897878 --- /dev/null +++ b/vendors/ocaml-hacl/test/test.ml @@ -0,0 +1,165 @@ +(* Copyright 2018 Vincent Bernardoff, Marco Stronati. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE + * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION + * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION + * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. *) + +open Hacl + +let bigstring = Alcotest.testable + (fun ppf t -> Cstruct.(hexdump_pp ppf (of_bigarray t))) + Bigstring.equal + +let msg = Bigstring.of_string "Voulez-vous coucher avec moi, ce soir ?" +let msglen = Bigstring.length msg + +let of_hex hex = + Cstruct.(to_bigarray (of_hex hex)) + +let randmsg = of_hex "12c0c5a283401a81163dfd645e57ef6ff58b2f877c4e2d4add10345ec80bef3ffc720060c82e4288a20eccf99d64f18223edb30069fa76de9fe9ae8f875f3a3f75f91dd625652632869766839075e88afc852918da3445bca6d428a4f55d98366065fc70e0306fc6c84ec9e8d1325cc63ba09d5803383d0be40bd7ace7e7551615e4267f94630a0ad62cf798b4a7648390547a3616f42d8b8e58d7223f3c07826670209601be0ef2ea60e662c34b21113680141bead22e8b31015d7fe1a6617101036f03050d8b6854989bdfc13efaa6b2e1960c291f91da346911b1d46f20242bb1eb16f4104f9d684ed0dfca8e13e46b47ba9c39513f5e0746dd828f43da416e10341f3b169691ee823a53500f1ef00c6a52c3f4ecb42f68e1894785d4d192079cc8e53be8bb4ca1e000553504d6132e95490a4b477baaddca598f8947b20fbf732ac608830fb4b11c3cd1e19257e8cb00a22a8fc54ad6e47960086cd5ed24451c1f2ac2cda4514e6e1118ffabd74e7aae3514f3e5d40443ed94bdbbf7af5fa737d2da3b19cac58ca24539313a545164c20c4fae74d01fcb535d4414885ee50cdbb5ff1fcd465fc0c0a0c0f0ebc62687569bd5d36774a6a9c8d9e05b33ac30f13fdd7906aebd27dfd2ee19616a6f3694f2539b89b9ce6d73396816202700f50617f26a7134a6819fe808775bff75df240102fb0352f67eb97e022f66d40403" +let randmsg_len = Bigstring.length randmsg + +let sha256 () = + let open Hash.SHA256 in + let resp = of_hex "bd4860cc3f39995c47f94205a86c9e22e2fc8ab91c88c5293b704d454991f757" in + let randresp = of_hex "9f043732d7117fa402d24e7343108976524b097390b0b160df42b0fa5bc6425c" in + let st = init () in + Printf.printf "Init done\n" ; + update st msg ; + print_endline "Update done." ; + let d = finish st in + Printf.printf "Digest size %d\n" (Bigstring.length d) ; + print_endline "Finish done." ; + Alcotest.(check bigstring "sha256" resp d) ; + let d = digest msg in + print_endline "Direct hash done." ; + Alcotest.(check bigstring "sha256" resp d) ; + + let st = init () in + Printf.printf "Init done\n" ; + update st randmsg ; + print_endline "Update done." ; + let d = finish st in + Printf.printf "Digest size %d\n" (Bigstring.length d) ; + print_endline "Finish done." ; + Alcotest.(check bigstring "sha256" randresp d) ; + let d = digest randmsg in + print_endline "Direct hash done." ; + Alcotest.(check bigstring "sha256" randresp d) + +let sha512 () = + let resp = of_hex "7941f442d956f124d77ee1d1f0ba3db100751090462cdce4aed5fcd240529097bc666bf9c424becde760910df652c7aefec50b02d7f6efe666f79e5242fb755b" in + let digest = Hash.SHA512.digest msg in + Alcotest.(check bigstring "sha512" resp digest) + +let hmac_sha256 () = + let key = Bigstring.of_string "key" in + let msg = Bigstring.of_string "The quick brown fox jumps over the lazy dog" in + let resp = of_hex "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8" in + let digest = Hash.HMAC_SHA256.hmac ~key ~msg in + Alcotest.(check bigstring "hmac_sha256" resp digest) + +let hash = [ + "hmac_sha256", `Quick, hmac_sha256 ; + + "sha256", `Quick, sha256 ; + "sha512", `Quick, sha512 ; +] + +let secretbox () = + let open Secretbox in + let key = genkey () in + let nonce = Nonce.gen () in + let orig_msg = Bigstring.create (msglen + zerobytes) in + Bigstring.fill orig_msg '\x00' ; + Bigstring.blit msg 0 orig_msg zerobytes msglen ; + let cmsg = Bigstring.create (msglen + zerobytes) in + box ~key ~nonce ~msg:orig_msg ~cmsg ; + let decrypted_msg = Bigstring.create (msglen + zerobytes) in + assert (box_open ~key ~nonce ~cmsg ~msg:decrypted_msg) ; + Alcotest.check bigstring "secretbox_decrypt" orig_msg decrypted_msg ; + (* in place *) + box ~key ~nonce ~msg:orig_msg ~cmsg:orig_msg ; + assert (box_open ~key ~nonce ~cmsg:orig_msg ~msg:orig_msg) ; + Alcotest.check bigstring "secretbox_decrypt_inplace" decrypted_msg orig_msg + +let secretbox = [ + "secretbox", `Quick, secretbox ; +] + +let box () = + let open Box in + let pk, sk = keypair () in + let k = dh pk sk in + let nonce = Nonce.gen () in + let msg_orig = Bigstring.create (msglen + zerobytes) in + Bigstring.fill msg_orig '\x00' ; + Bigstring.blit msg 0 msg_orig zerobytes msglen ; + let cmsg = Bigstring.create (msglen + zerobytes) in + Bigstring.fill cmsg '\x00' ; + let decrypted_msg = Bigstring.create (msglen + zerobytes) in + box ~k ~nonce ~msg:msg_orig ~cmsg ; + assert (box_open ~k ~nonce ~cmsg ~msg:decrypted_msg) ; + Alcotest.check bigstring "box" msg_orig decrypted_msg ; + (* in place *) + assert (box_open ~k ~nonce ~cmsg ~msg:cmsg) ; + Alcotest.check bigstring "box" msg_orig cmsg + +let box = [ + "box", `Quick, box ; +] + +let keypair () = + let seed = Hacl.Rand.gen 32 in + let sk = Sign.unsafe_sk_of_bytes seed in + let pk = Sign.neuterize sk in + let sk' = Sign.unsafe_sk_of_bytes seed in + let pk' = Sign.neuterize sk' in + Alcotest.(check bool "Sign.of_seed" true (Sign.equal pk pk')) ; + Alcotest.(check bool "Sign.of_seed" true (Sign.equal sk sk')) ; + let pk_bytes = Sign.unsafe_to_bytes pk in + let pk_bytes_length = Bigstring.length pk_bytes in + Alcotest.(check int "Sign.to_bytes" Sign.pkbytes pk_bytes_length) + +let sign () = + let pk, sk = Sign.keypair () in + let signature = Bigstring.create Sign.bytes in + Sign.sign ~sk ~msg ~signature ; + assert (Sign.verify ~pk ~msg ~signature) + +let public () = + let pk, sk = Sign.keypair () in + let pk' = Sign.unsafe_to_bytes pk in + let ppk = Sign.(unsafe_to_bytes (neuterize pk)) in + let psk = Sign.(unsafe_to_bytes (neuterize sk)) in + Alcotest.check bigstring "public" pk' ppk ; + Alcotest.check bigstring "public" pk' psk + +let sign = [ + "keypair", `Quick, keypair ; + "sign", `Quick, sign ; + "public", `Quick, public ; +] + +let () = + Alcotest.run "hacl" [ + "hash", hash ; + "secretbox", secretbox ; + "box", box ; + "sign", sign ; + ]