balsoft/ligo
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Vendors: add ocaml-hacl binding for HACL* crypto library

Browse Source
This commit is contained in:
Marco Stronati 2018-05-04 19:10:30 +02:00 committed by Vincent Bernardoff
parent 01941fa725
commit 07a97ab94a
44 changed files with 11886 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
vendors/ocaml-hacl/hacl.opam vendored Normal file
View File

@ -0,0 +1,20 @@
opam-version: "1.2"
name: "hacl"
version: "dev"
authors: [ "Vincent Bernardoff <vb@luminar.eu.org>" "Marco Stronati <marco@stronati.org>" ]
maintainer: "Vincent Bernardoff <vb@luminar.eu.org>"
homepage: "https://gitlab.com/tezos/tezos"
bug-reports: "https://gitlab.com/tezos/tezos/issues"
dev-repo: "https://gitlab.com/tezos/tezos.git"
license: "MIT"
depends: [
"jbuilder" {build & >= "1.0+beta16"}
"bigstring" {>= "0.1.1"}
"ocplib-endian" {>= "1.0"}
"zarith" {>= "1.7"}
"alcotest" {test & >= "0.8.1"}
"hex" {test & >= "1.2.0"}
]
build: [ "jbuilder" "build" "-j" jobs "-p" name "@install" ]
build-test: [ "jbuilder" "runtest" "-p" name "-j" jobs ]
available: [ ocaml-version >= "4.02.0" ]

2
vendors/ocaml-hacl/readme.md vendored Normal file
View File

@ -0,0 +1,2 @@
Tezos binding for Hacl*
https://github.com/mitls/hacl-star/tree/master/snapshots/tezos

461
vendors/ocaml-hacl/src/AEAD_Poly1305_64.c vendored Normal file
View File

@ -0,0 +1,461 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "AEAD_Poly1305_64.h"
inline static void Hacl_Bignum_Modulo_reduce(uint64_t *b)
{
uint64_t b0 = b[0U];
b[0U] = (b0 << (uint32_t)4U) + (b0 << (uint32_t)2U);
}
inline static void Hacl_Bignum_Modulo_carry_top(uint64_t *b)
{
uint64_t b2 = b[2U];
uint64_t b0 = b[0U];
uint64_t b2_42 = b2 >> (uint32_t)42U;
b[2U] = b2 & (uint64_t)0x3ffffffffffU;
b[0U] = (b2_42 << (uint32_t)2U) + b2_42 + b0;
}
inline static void Hacl_Bignum_Modulo_carry_top_wide(FStar_UInt128_t *b)
{
FStar_UInt128_t b2 = b[2U];
FStar_UInt128_t b0 = b[0U];
FStar_UInt128_t
b2_ = FStar_UInt128_logand(b2, FStar_UInt128_uint64_to_uint128((uint64_t)0x3ffffffffffU));
uint64_t b2_42 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b2, (uint32_t)42U));
FStar_UInt128_t
b0_ = FStar_UInt128_add(b0, FStar_UInt128_uint64_to_uint128((b2_42 << (uint32_t)2U) + b2_42));
b[2U] = b2_;
b[0U] = b0_;
}
inline static void
Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_t *input)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U)
{
FStar_UInt128_t xi = input[i];
output[i] = FStar_UInt128_uint128_to_uint64(xi);
}
}
inline static void
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(
FStar_UInt128_t *output,
uint64_t *input,
uint64_t s
)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U)
{
FStar_UInt128_t xi = output[i];
uint64_t yi = input[i];
output[i] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
}
}
inline static void Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_t *tmp)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U)
{
uint32_t ctr = i;
FStar_UInt128_t tctr = tmp[ctr];
FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0xfffffffffffU;
FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)44U);
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
}
}
inline static void Hacl_Bignum_Fproduct_carry_limb_(uint64_t *tmp)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U)
{
uint32_t ctr = i;
uint64_t tctr = tmp[ctr];
uint64_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint64_t r0 = tctr & (uint64_t)0xfffffffffffU;
uint64_t c = tctr >> (uint32_t)44U;
tmp[ctr] = r0;
tmp[ctr + (uint32_t)1U] = tctrp1 + c;
}
}
inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
{
uint64_t tmp = output[2U];
for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U)
{
uint32_t ctr = (uint32_t)3U - i - (uint32_t)1U;
uint64_t z = output[ctr - (uint32_t)1U];
output[ctr] = z;
}
output[0U] = tmp;
Hacl_Bignum_Modulo_reduce(output);
}
static void
Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input2)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U)
{
uint64_t input2i = input2[i];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
Hacl_Bignum_Fmul_shift_reduce(input);
}
uint32_t i = (uint32_t)2U;
uint64_t input2i = input2[i];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
}
inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input2)
{
uint64_t tmp[3U] = { 0U };
memcpy(tmp, input, (uint32_t)3U * sizeof input[0U]);
KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)3U);
FStar_UInt128_t t[3U];
for (uint32_t _i = 0U; _i < (uint32_t)3U; ++_i)
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2);
Hacl_Bignum_Fproduct_carry_wide_(t);
Hacl_Bignum_Modulo_carry_top_wide(t);
Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
uint64_t i0 = output[0U];
uint64_t i1 = output[1U];
uint64_t i0_ = i0 & (uint64_t)0xfffffffffffU;
uint64_t i1_ = i1 + (i0 >> (uint32_t)44U);
output[0U] = i0_;
output[1U] = i1_;
}
inline static void
Hacl_Bignum_AddAndMultiply_add_and_multiply(uint64_t *acc, uint64_t *block, uint64_t *r)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U)
{
uint64_t xi = acc[i];
uint64_t yi = block[i];
acc[i] = xi + yi;
}
Hacl_Bignum_Fmul_fmul(acc, acc, r);
}
inline static void
Hacl_Impl_Poly1305_64_poly1305_update(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m
)
{
Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
uint64_t *h = scrut0.h;
uint64_t *acc = h;
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *r = scrut.r;
uint64_t *r3 = r;
uint64_t tmp[3U] = { 0U };
FStar_UInt128_t m0 = load128_le(m);
uint64_t r0 = FStar_UInt128_uint128_to_uint64(m0) & (uint64_t)0xfffffffffffU;
uint64_t
r1 =
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)44U))
& (uint64_t)0xfffffffffffU;
uint64_t r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)88U));
tmp[0U] = r0;
tmp[1U] = r1;
tmp[2U] = r2;
uint64_t b2 = tmp[2U];
uint64_t b2_ = (uint64_t)0x10000000000U | b2;
tmp[2U] = b2_;
Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r3);
}
inline static void
Hacl_Impl_Poly1305_64_poly1305_process_last_block_(
uint8_t *block,
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint64_t rem_
)
{
uint64_t tmp[3U] = { 0U };
FStar_UInt128_t m0 = load128_le(block);
uint64_t r0 = FStar_UInt128_uint128_to_uint64(m0) & (uint64_t)0xfffffffffffU;
uint64_t
r1 =
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)44U))
& (uint64_t)0xfffffffffffU;
uint64_t r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)88U));
tmp[0U] = r0;
tmp[1U] = r1;
tmp[2U] = r2;
Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
uint64_t *h = scrut0.h;
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *r = scrut.r;
Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r);
}
inline static void
Hacl_Impl_Poly1305_64_poly1305_process_last_block(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint64_t rem_
)
{
uint8_t zero1 = (uint8_t)0U;
KRML_CHECK_SIZE(zero1, (uint32_t)16U);
uint8_t block[16U];
for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
block[_i] = zero1;
uint32_t i0 = (uint32_t)rem_;
uint32_t i = (uint32_t)rem_;
memcpy(block, m, i * sizeof m[0U]);
block[i0] = (uint8_t)1U;
Hacl_Impl_Poly1305_64_poly1305_process_last_block_(block, st, m, rem_);
}
static void Hacl_Impl_Poly1305_64_poly1305_last_pass(uint64_t *acc)
{
Hacl_Bignum_Fproduct_carry_limb_(acc);
Hacl_Bignum_Modulo_carry_top(acc);
uint64_t a0 = acc[0U];
uint64_t a10 = acc[1U];
uint64_t a20 = acc[2U];
uint64_t a0_ = a0 & (uint64_t)0xfffffffffffU;
uint64_t r0 = a0 >> (uint32_t)44U;
uint64_t a1_ = (a10 + r0) & (uint64_t)0xfffffffffffU;
uint64_t r1 = (a10 + r0) >> (uint32_t)44U;
uint64_t a2_ = a20 + r1;
acc[0U] = a0_;
acc[1U] = a1_;
acc[2U] = a2_;
Hacl_Bignum_Modulo_carry_top(acc);
uint64_t i0 = acc[0U];
uint64_t i1 = acc[1U];
uint64_t i0_ = i0 & (uint64_t)0xfffffffffffU;
uint64_t i1_ = i1 + (i0 >> (uint32_t)44U);
acc[0U] = i0_;
acc[1U] = i1_;
uint64_t a00 = acc[0U];
uint64_t a1 = acc[1U];
uint64_t a2 = acc[2U];
uint64_t mask0 = FStar_UInt64_gte_mask(a00, (uint64_t)0xffffffffffbU);
uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0xfffffffffffU);
uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x3ffffffffffU);
uint64_t mask = (mask0 & mask1) & mask2;
uint64_t a0_0 = a00 - ((uint64_t)0xffffffffffbU & mask);
uint64_t a1_0 = a1 - ((uint64_t)0xfffffffffffU & mask);
uint64_t a2_0 = a2 - ((uint64_t)0x3ffffffffffU & mask);
acc[0U] = a0_0;
acc[1U] = a1_0;
acc[2U] = a2_0;
}
static Hacl_Impl_Poly1305_64_State_poly1305_state
Hacl_Impl_Poly1305_64_mk_state(uint64_t *r, uint64_t *h)
{
return ((Hacl_Impl_Poly1305_64_State_poly1305_state){ .r = r, .h = h });
}
static void
Hacl_Standalone_Poly1305_64_poly1305_blocks(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint64_t len1
)
{
if (!(len1 == (uint64_t)0U))
{
uint8_t *block = m;
uint8_t *tail1 = m + (uint32_t)16U;
Hacl_Impl_Poly1305_64_poly1305_update(st, block);
uint64_t len2 = len1 - (uint64_t)1U;
Hacl_Standalone_Poly1305_64_poly1305_blocks(st, tail1, len2);
}
}
static void
Hacl_Standalone_Poly1305_64_poly1305_partial(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input,
uint64_t len1,
uint8_t *kr
)
{
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *r = scrut.r;
uint64_t *x0 = r;
FStar_UInt128_t k1 = load128_le(kr);
FStar_UInt128_t
k_clamped =
FStar_UInt128_logand(k1,
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU),
(uint32_t)64U),
FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU)));
uint64_t r0 = FStar_UInt128_uint128_to_uint64(k_clamped) & (uint64_t)0xfffffffffffU;
uint64_t
r1 =
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)44U))
& (uint64_t)0xfffffffffffU;
uint64_t
r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)88U));
x0[0U] = r0;
x0[1U] = r1;
x0[2U] = r2;
Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
uint64_t *h = scrut0.h;
uint64_t *x00 = h;
x00[0U] = (uint64_t)0U;
x00[1U] = (uint64_t)0U;
x00[2U] = (uint64_t)0U;
Hacl_Standalone_Poly1305_64_poly1305_blocks(st, input, len1);
}
Prims_nat AEAD_Poly1305_64_seval(void *b)
{
printf("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, "noextract flag");
exit(255U);
}
Prims_int AEAD_Poly1305_64_selem(void *s)
{
printf("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, "noextract flag");
exit(255U);
}
Hacl_Impl_Poly1305_64_State_poly1305_state
AEAD_Poly1305_64_mk_state(uint64_t *r, uint64_t *acc)
{
return Hacl_Impl_Poly1305_64_mk_state(r, acc);
}
uint32_t AEAD_Poly1305_64_mul_div_16(uint32_t len1)
{
return (uint32_t)16U * (len1 >> (uint32_t)4U);
}
void
AEAD_Poly1305_64_pad_last(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input,
uint32_t len1
)
{
uint8_t b[16U];
if (!(len1 == (uint32_t)0U))
{
memset(b, 0U, (uint32_t)16U * sizeof b[0U]);
memcpy(b, input, len1 * sizeof input[0U]);
uint8_t *b0 = b;
Hacl_Impl_Poly1305_64_poly1305_update(st, b0);
}
}
void
AEAD_Poly1305_64_poly1305_blocks_init(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input,
uint32_t len1,
uint8_t *k1
)
{
uint32_t len_16 = len1 >> (uint32_t)4U;
uint32_t rem_16 = len1 & (uint32_t)15U;
uint8_t *kr = k1;
uint32_t len_ = (uint32_t)16U * (len1 >> (uint32_t)4U);
uint8_t *part_input = input;
uint8_t *last_block = input + len_;
Hacl_Standalone_Poly1305_64_poly1305_partial(st, part_input, (uint64_t)len_16, kr);
AEAD_Poly1305_64_pad_last(st, last_block, rem_16);
}
void
AEAD_Poly1305_64_poly1305_blocks_continue(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input,
uint32_t len1
)
{
uint32_t len_16 = len1 >> (uint32_t)4U;
uint32_t rem_16 = len1 & (uint32_t)15U;
uint32_t len_ = (uint32_t)16U * (len1 >> (uint32_t)4U);
uint8_t *part_input = input;
uint8_t *last_block = input + len_;
Hacl_Standalone_Poly1305_64_poly1305_blocks(st, part_input, (uint64_t)len_16);
AEAD_Poly1305_64_pad_last(st, last_block, rem_16);
}
void
AEAD_Poly1305_64_poly1305_blocks_finish_(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input
)
{
Hacl_Impl_Poly1305_64_poly1305_update(st, input);
uint8_t *x2 = input + (uint32_t)16U;
if (!((uint64_t)0U == (uint64_t)0U))
Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, x2, (uint64_t)0U);
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *h = scrut.h;
uint64_t *acc = h;
Hacl_Impl_Poly1305_64_poly1305_last_pass(acc);
}
void
AEAD_Poly1305_64_poly1305_blocks_finish(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input,
uint8_t *mac,
uint8_t *key_s
)
{
Hacl_Impl_Poly1305_64_poly1305_update(st, input);
uint8_t *x2 = input + (uint32_t)16U;
if (!((uint64_t)0U == (uint64_t)0U))
Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, x2, (uint64_t)0U);
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *h = scrut.h;
uint64_t *acc = h;
Hacl_Impl_Poly1305_64_poly1305_last_pass(acc);
Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
uint64_t *h3 = scrut0.h;
uint64_t *acc0 = h3;
FStar_UInt128_t k_ = load128_le(key_s);
uint64_t h0 = acc0[0U];
uint64_t h1 = acc0[1U];
uint64_t h2 = acc0[2U];
FStar_UInt128_t
acc_ =
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128(h2
<< (uint32_t)24U
| h1 >> (uint32_t)20U),
(uint32_t)64U),
FStar_UInt128_uint64_to_uint128(h1 << (uint32_t)44U | h0));
FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_);
store128_le(mac, mac_);
}

123
vendors/ocaml-hacl/src/AEAD_Poly1305_64.h vendored Normal file
View File

@ -0,0 +1,123 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __AEAD_Poly1305_64_H
#define __AEAD_Poly1305_64_H
typedef uint64_t Hacl_Bignum_Constants_limb;
typedef FStar_UInt128_t Hacl_Bignum_Constants_wide;
typedef FStar_UInt128_t Hacl_Bignum_Wide_t;
typedef uint64_t Hacl_Bignum_Limb_t;
typedef void *Hacl_Impl_Poly1305_64_State_log_t;
typedef uint8_t *Hacl_Impl_Poly1305_64_State_uint8_p;
typedef uint64_t *Hacl_Impl_Poly1305_64_State_bigint;
typedef void *Hacl_Impl_Poly1305_64_State_seqelem;
typedef uint64_t *Hacl_Impl_Poly1305_64_State_elemB;
typedef uint8_t *Hacl_Impl_Poly1305_64_State_wordB;
typedef uint8_t *Hacl_Impl_Poly1305_64_State_wordB_16;
typedef struct
{
uint64_t *r;
uint64_t *h;
}
Hacl_Impl_Poly1305_64_State_poly1305_state;
typedef void *Hacl_Impl_Poly1305_64_log_t;
typedef uint64_t *Hacl_Impl_Poly1305_64_bigint;
typedef uint8_t *Hacl_Impl_Poly1305_64_uint8_p;
typedef uint64_t *Hacl_Impl_Poly1305_64_elemB;
typedef uint8_t *Hacl_Impl_Poly1305_64_wordB;
typedef uint8_t *Hacl_Impl_Poly1305_64_wordB_16;
typedef uint8_t *AEAD_Poly1305_64_uint8_p;
typedef uint8_t *AEAD_Poly1305_64_key;
Prims_nat AEAD_Poly1305_64_seval(void *b);
Prims_int AEAD_Poly1305_64_selem(void *s);
typedef Hacl_Impl_Poly1305_64_State_poly1305_state AEAD_Poly1305_64_state;
Hacl_Impl_Poly1305_64_State_poly1305_state
AEAD_Poly1305_64_mk_state(uint64_t *r, uint64_t *acc);
uint32_t AEAD_Poly1305_64_mul_div_16(uint32_t len1);
void
AEAD_Poly1305_64_pad_last(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input,
uint32_t len1
);
void
AEAD_Poly1305_64_poly1305_blocks_init(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input,
uint32_t len1,
uint8_t *k1
);
void
AEAD_Poly1305_64_poly1305_blocks_continue(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input,
uint32_t len1
);
void
AEAD_Poly1305_64_poly1305_blocks_finish_(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input
);
void
AEAD_Poly1305_64_poly1305_blocks_finish(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input,
uint8_t *mac,
uint8_t *key_s
);
#endif

281
vendors/ocaml-hacl/src/FStar.c vendored Normal file
View File

@ -0,0 +1,281 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
/* This file was auto-generated by KreMLin! */
#include "FStar.h"
static uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b)
{
return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U;
}
static uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b)
{
return FStar_UInt128_constant_time_carry(a, b);
}
FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return
(
(FStar_UInt128_uint128){
.low = a.low + b.low,
.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low)
}
);
}
FStar_UInt128_uint128 FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return
(
(FStar_UInt128_uint128){
.low = a.low + b.low,
.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low)
}
);
}
FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return
(
(FStar_UInt128_uint128){
.low = a.low - b.low,
.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low)
}
);
}
static FStar_UInt128_uint128
FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return
(
(FStar_UInt128_uint128){
.low = a.low - b.low,
.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low)
}
);
}
FStar_UInt128_uint128 FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return FStar_UInt128_sub_mod_impl(a, b);
}
FStar_UInt128_uint128 FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return ((FStar_UInt128_uint128){ .low = a.low & b.low, .high = a.high & b.high });
}
FStar_UInt128_uint128 FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return ((FStar_UInt128_uint128){ .low = a.low ^ b.low, .high = a.high ^ b.high });
}
FStar_UInt128_uint128 FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return ((FStar_UInt128_uint128){ .low = a.low | b.low, .high = a.high | b.high });
}
FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a)
{
return ((FStar_UInt128_uint128){ .low = ~a.low, .high = ~a.high });
}
static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U;
static uint64_t FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s)
{
return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s));
}
static uint64_t FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s)
{
return FStar_UInt128_add_u64_shift_left(hi, lo, s);
}
static FStar_UInt128_uint128
FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s)
{
if (s == (uint32_t)0U)
return a;
else
return
(
(FStar_UInt128_uint128){
.low = a.low << s,
.high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s)
}
);
}
static FStar_UInt128_uint128
FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s)
{
return
((FStar_UInt128_uint128){ .low = (uint64_t)0U, .high = a.low << (s - FStar_UInt128_u32_64) });
}
FStar_UInt128_uint128 FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s)
{
if (s < FStar_UInt128_u32_64)
return FStar_UInt128_shift_left_small(a, s);
else
return FStar_UInt128_shift_left_large(a, s);
}
static uint64_t FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s)
{
return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s));
}
static uint64_t FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s)
{
return FStar_UInt128_add_u64_shift_right(hi, lo, s);
}
static FStar_UInt128_uint128
FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s)
{
if (s == (uint32_t)0U)
return a;
else
return
(
(FStar_UInt128_uint128){
.low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s),
.high = a.high >> s
}
);
}
static FStar_UInt128_uint128
FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s)
{
return
((FStar_UInt128_uint128){ .low = a.high >> (s - FStar_UInt128_u32_64), .high = (uint64_t)0U });
}
FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s)
{
if (s < FStar_UInt128_u32_64)
return FStar_UInt128_shift_right_small(a, s);
else
return FStar_UInt128_shift_right_large(a, s);
}
FStar_UInt128_uint128 FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return
(
(FStar_UInt128_uint128){
.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high),
.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high)
}
);
}
FStar_UInt128_uint128 FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return
(
(FStar_UInt128_uint128){
.low = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high))
| (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)),
.high = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high))
| (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low))
}
);
}
FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a)
{
return ((FStar_UInt128_uint128){ .low = a, .high = (uint64_t)0U });
}
uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a)
{
return a.low;
}
static uint64_t FStar_UInt128_u64_l32_mask = (uint64_t)0xffffffffU;
static uint64_t FStar_UInt128_u64_mod_32(uint64_t a)
{
return a & FStar_UInt128_u64_l32_mask;
}
static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U;
static K___uint64_t_uint64_t_uint64_t_uint64_t
FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y)
{
return
(
(K___uint64_t_uint64_t_uint64_t_uint64_t){
.fst = FStar_UInt128_u64_mod_32(x),
.snd = FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)),
.thd = x >> FStar_UInt128_u32_32,
.f3 = (x >> FStar_UInt128_u32_32)
* FStar_UInt128_u64_mod_32(y)
+ (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)
}
);
}
static uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo)
{
return lo + (hi << FStar_UInt128_u32_32);
}
static FStar_UInt128_uint128 FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y)
{
K___uint64_t_uint64_t_uint64_t_uint64_t scrut = FStar_UInt128_mul_wide_impl_t_(x, y);
uint64_t u1 = scrut.fst;
uint64_t w3 = scrut.snd;
uint64_t x_ = scrut.thd;
uint64_t t_ = scrut.f3;
return
(
(FStar_UInt128_uint128){
.low = FStar_UInt128_u32_combine_(u1
* (y >> FStar_UInt128_u32_32)
+ FStar_UInt128_u64_mod_32(t_),
w3),
.high = x_
* (y >> FStar_UInt128_u32_32)
+ (t_ >> FStar_UInt128_u32_32)
+
((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_))
>> FStar_UInt128_u32_32)
}
);
}
FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y)
{
return FStar_UInt128_mul_wide_impl(x, y);
}

79
vendors/ocaml-hacl/src/FStar.h vendored Normal file
View File

@ -0,0 +1,79 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
/* This file was auto-generated by KreMLin! */
#ifndef __FStar_H
#define __FStar_H
#include "kremlib_base.h"
typedef struct
{
uint64_t low;
uint64_t high;
}
FStar_UInt128_uint128;
typedef FStar_UInt128_uint128 FStar_UInt128_t;
extern void FStar_UInt128_constant_time_carry_ok(uint64_t x0, uint64_t x1);
FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
FStar_UInt128_uint128 FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
FStar_UInt128_uint128 FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
FStar_UInt128_uint128 FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
FStar_UInt128_uint128 FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
FStar_UInt128_uint128 FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a);
FStar_UInt128_uint128 FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s);
FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);
FStar_UInt128_uint128 FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
FStar_UInt128_uint128 FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
typedef struct
{
uint64_t fst;
uint64_t snd;
uint64_t thd;
uint64_t f3;
}
K___uint64_t_uint64_t_uint64_t_uint64_t;
FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
#endif

41
vendors/ocaml-hacl/src/HACL.h vendored Normal file
View File

@ -0,0 +1,41 @@
/* MIT License
*
* Copyright (c) 2016-2018 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef __HACL_H
#define __HACL_H
#include "Hacl_Unverified_Random.h"
#include "NaCl.h"
#include "Hacl_Chacha20.h"
#include "Hacl_Curve25519.h"
#include "Hacl_Ed25519.h"
#include "Hacl_HMAC_SHA2_256.h"
#include "Hacl_Salsa20.h"
#include "Hacl_SHA2_256.h"
#include "Hacl_SHA2_384.h"
#include "Hacl_SHA2_512.h"
#include "Hacl_Policies.h"
#include "Hacl_Poly1305_32.h"
#include "Hacl_Poly1305_64.h"
#endif

283
vendors/ocaml-hacl/src/Hacl_Chacha20.c vendored Normal file
View File

@ -0,0 +1,283 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_Chacha20.h"
static void
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(uint32_t *output, uint8_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t *x0 = input + (uint32_t)4U * i;
uint32_t inputi = load32_le(x0);
output[i] = inputi;
}
}
static void
Hacl_Lib_LoadStore32_uint32s_to_le_bytes(uint8_t *output, uint32_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint32_t hd1 = input[i];
uint8_t *x0 = output + (uint32_t)4U * i;
store32_le(x0, hd1);
}
}
inline static uint32_t Hacl_Impl_Chacha20_rotate_left(uint32_t a, uint32_t s)
{
return a << s | a >> ((uint32_t)32U - s);
}
inline static void
Hacl_Impl_Chacha20_quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
uint32_t sa = st[a];
uint32_t sb0 = st[b];
st[a] = sa + sb0;
uint32_t sd = st[d];
uint32_t sa10 = st[a];
uint32_t sda = sd ^ sa10;
st[d] = Hacl_Impl_Chacha20_rotate_left(sda, (uint32_t)16U);
uint32_t sa0 = st[c];
uint32_t sb1 = st[d];
st[c] = sa0 + sb1;
uint32_t sd0 = st[b];
uint32_t sa11 = st[c];
uint32_t sda0 = sd0 ^ sa11;
st[b] = Hacl_Impl_Chacha20_rotate_left(sda0, (uint32_t)12U);
uint32_t sa2 = st[a];
uint32_t sb2 = st[b];
st[a] = sa2 + sb2;
uint32_t sd1 = st[d];
uint32_t sa12 = st[a];
uint32_t sda1 = sd1 ^ sa12;
st[d] = Hacl_Impl_Chacha20_rotate_left(sda1, (uint32_t)8U);
uint32_t sa3 = st[c];
uint32_t sb = st[d];
st[c] = sa3 + sb;
uint32_t sd2 = st[b];
uint32_t sa1 = st[c];
uint32_t sda2 = sd2 ^ sa1;
st[b] = Hacl_Impl_Chacha20_rotate_left(sda2, (uint32_t)7U);
}
inline static void Hacl_Impl_Chacha20_double_round(uint32_t *st)
{
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U);
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)1U, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U);
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)2U, (uint32_t)6U, (uint32_t)10U, (uint32_t)14U);
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U, (uint32_t)15U);
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)0U, (uint32_t)5U, (uint32_t)10U, (uint32_t)15U);
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)1U, (uint32_t)6U, (uint32_t)11U, (uint32_t)12U);
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)2U, (uint32_t)7U, (uint32_t)8U, (uint32_t)13U);
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)3U, (uint32_t)4U, (uint32_t)9U, (uint32_t)14U);
}
inline static void Hacl_Impl_Chacha20_rounds(uint32_t *st)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
Hacl_Impl_Chacha20_double_round(st);
}
inline static void Hacl_Impl_Chacha20_sum_states(uint32_t *st, uint32_t *st_)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U)
{
uint32_t xi = st[i];
uint32_t yi = st_[i];
st[i] = xi + yi;
}
}
inline static void Hacl_Impl_Chacha20_copy_state(uint32_t *st, uint32_t *st_)
{
memcpy(st, st_, (uint32_t)16U * sizeof st_[0U]);
}
inline static void Hacl_Impl_Chacha20_chacha20_core(uint32_t *k, uint32_t *st, uint32_t ctr)
{
st[12U] = ctr;
Hacl_Impl_Chacha20_copy_state(k, st);
Hacl_Impl_Chacha20_rounds(k);
Hacl_Impl_Chacha20_sum_states(k, st);
}
inline static void
Hacl_Impl_Chacha20_chacha20_block(uint8_t *stream_block, uint32_t *st, uint32_t ctr)
{
uint32_t st_[16U] = { 0U };
Hacl_Impl_Chacha20_chacha20_core(st_, st, ctr);
Hacl_Lib_LoadStore32_uint32s_to_le_bytes(stream_block, st_, (uint32_t)16U);
}
inline static void Hacl_Impl_Chacha20_init(uint32_t *st, uint8_t *k, uint8_t *n1)
{
uint32_t *stcst = st;
uint32_t *stk = st + (uint32_t)4U;
uint32_t *stc = st + (uint32_t)12U;
uint32_t *stn = st + (uint32_t)13U;
stcst[0U] = (uint32_t)0x61707865U;
stcst[1U] = (uint32_t)0x3320646eU;
stcst[2U] = (uint32_t)0x79622d32U;
stcst[3U] = (uint32_t)0x6b206574U;
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(stk, k, (uint32_t)8U);
stc[0U] = (uint32_t)0U;
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(stn, n1, (uint32_t)3U);
}
static void
Hacl_Impl_Chacha20_update(uint8_t *output, uint8_t *plain, uint32_t *st, uint32_t ctr)
{
uint32_t b[48U] = { 0U };
uint32_t *k = b;
uint32_t *ib = b + (uint32_t)16U;
uint32_t *ob = b + (uint32_t)32U;
Hacl_Impl_Chacha20_chacha20_core(k, st, ctr);
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(ib, plain, (uint32_t)16U);
for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U)
{
uint32_t xi = ib[i];
uint32_t yi = k[i];
ob[i] = xi ^ yi;
}
Hacl_Lib_LoadStore32_uint32s_to_le_bytes(output, ob, (uint32_t)16U);
}
static void
Hacl_Impl_Chacha20_update_last(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint32_t *st,
uint32_t ctr
)
{
uint8_t block[64U] = { 0U };
Hacl_Impl_Chacha20_chacha20_block(block, st, ctr);
uint8_t *mask = block;
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t xi = plain[i];
uint8_t yi = mask[i];
output[i] = xi ^ yi;
}
}
static void
Hacl_Impl_Chacha20_chacha20_counter_mode_blocks(
uint8_t *output,
uint8_t *plain,
uint32_t num_blocks,
uint32_t *st,
uint32_t ctr
)
{
for (uint32_t i = (uint32_t)0U; i < num_blocks; i = i + (uint32_t)1U)
{
uint8_t *b = plain + (uint32_t)64U * i;
uint8_t *o = output + (uint32_t)64U * i;
Hacl_Impl_Chacha20_update(o, b, st, ctr + i);
}
}
static void
Hacl_Impl_Chacha20_chacha20_counter_mode(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint32_t *st,
uint32_t ctr
)
{
uint32_t blocks_len = len >> (uint32_t)6U;
uint32_t part_len = len & (uint32_t)0x3fU;
uint8_t *output_ = output;
uint8_t *plain_ = plain;
uint8_t *output__ = output + (uint32_t)64U * blocks_len;
uint8_t *plain__ = plain + (uint32_t)64U * blocks_len;
Hacl_Impl_Chacha20_chacha20_counter_mode_blocks(output_, plain_, blocks_len, st, ctr);
if (part_len > (uint32_t)0U)
Hacl_Impl_Chacha20_update_last(output__, plain__, part_len, st, ctr + blocks_len);
}
static void
Hacl_Impl_Chacha20_chacha20(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint8_t *k,
uint8_t *n1,
uint32_t ctr
)
{
uint32_t buf[16U] = { 0U };
uint32_t *st = buf;
Hacl_Impl_Chacha20_init(st, k, n1);
Hacl_Impl_Chacha20_chacha20_counter_mode(output, plain, len, st, ctr);
}
void Hacl_Chacha20_chacha20_key_block(uint8_t *block, uint8_t *k, uint8_t *n1, uint32_t ctr)
{
uint32_t buf[16U] = { 0U };
uint32_t *st = buf;
Hacl_Impl_Chacha20_init(st, k, n1);
Hacl_Impl_Chacha20_chacha20_block(block, st, ctr);
}
/*
This function implements Chacha20
val chacha20 :
output:uint8_p ->
plain:uint8_p{ disjoint output plain } ->
len:uint32_t{ v len = length output /\ v len = length plain } ->
key:uint8_p{ length key = 32 } ->
nonce:uint8_p{ length nonce = 12 } ->
ctr:uint32_t{ v ctr + length plain / 64 < pow2 32 } ->
Stack unit
(requires
fun h -> live h output /\ live h plain /\ live h nonce /\ live h key)
(ensures
fun h0 _ h1 ->
live h1 output /\ live h0 plain /\ modifies_1 output h0 h1 /\
live h0 nonce /\
live h0 key /\
h1.[ output ] ==
chacha20_encrypt_bytes h0.[ key ] h0.[ nonce ] (v ctr) h0.[ plain ])
*/
void
Hacl_Chacha20_chacha20(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint8_t *k,
uint8_t *n1,
uint32_t ctr
)
{
Hacl_Impl_Chacha20_chacha20(output, plain, len, k, n1, ctr);
}

95
vendors/ocaml-hacl/src/Hacl_Chacha20.h vendored Normal file
View File

@ -0,0 +1,95 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_Chacha20_H
#define __Hacl_Chacha20_H
typedef uint32_t Hacl_Impl_Xor_Lemmas_u32;
typedef uint8_t Hacl_Impl_Xor_Lemmas_u8;
typedef uint8_t *Hacl_Lib_LoadStore32_uint8_p;
typedef uint32_t Hacl_Impl_Chacha20_u32;
typedef uint32_t Hacl_Impl_Chacha20_h32;
typedef uint8_t *Hacl_Impl_Chacha20_uint8_p;
typedef uint32_t *Hacl_Impl_Chacha20_state;
typedef uint32_t Hacl_Impl_Chacha20_idx;
typedef struct
{
void *k;
void *n;
}
Hacl_Impl_Chacha20_log_t_;
typedef void *Hacl_Impl_Chacha20_log_t;
typedef uint32_t Hacl_Lib_Create_h32;
typedef uint8_t *Hacl_Chacha20_uint8_p;
typedef uint32_t Hacl_Chacha20_uint32_t;
void Hacl_Chacha20_chacha20_key_block(uint8_t *block, uint8_t *k, uint8_t *n1, uint32_t ctr);
/*
This function implements Chacha20
val chacha20 :
output:uint8_p ->
plain:uint8_p{ disjoint output plain } ->
len:uint32_t{ v len = length output /\ v len = length plain } ->
key:uint8_p{ length key = 32 } ->
nonce:uint8_p{ length nonce = 12 } ->
ctr:uint32_t{ v ctr + length plain / 64 < pow2 32 } ->
Stack unit
(requires
fun h -> live h output /\ live h plain /\ live h nonce /\ live h key)
(ensures
fun h0 _ h1 ->
live h1 output /\ live h0 plain /\ modifies_1 output h0 h1 /\
live h0 nonce /\
live h0 key /\
h1.[ output ] ==
chacha20_encrypt_bytes h0.[ key ] h0.[ nonce ] (v ctr) h0.[ plain ])
*/
void
Hacl_Chacha20_chacha20(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint8_t *k,
uint8_t *n1,
uint32_t ctr
);
#endif

131
vendors/ocaml-hacl/src/Hacl_Chacha20Poly1305.c vendored Normal file
View File

@ -0,0 +1,131 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_Chacha20Poly1305.h"
Prims_int Hacl_Chacha20Poly1305_noncelen = (krml_checked_int_t)12;
Prims_int Hacl_Chacha20Poly1305_keylen = (krml_checked_int_t)32;
Prims_int Hacl_Chacha20Poly1305_maclen = (krml_checked_int_t)16;
static void
Hacl_Chacha20Poly1305_aead_encrypt_poly(
uint8_t *c,
uint32_t mlen,
uint8_t *mac,
uint8_t *aad1,
uint32_t aadlen,
uint8_t *tmp
)
{
uint8_t *b = tmp;
uint8_t *lb = tmp + (uint32_t)64U;
uint8_t *mk = b;
uint8_t *key_s = mk + (uint32_t)16U;
uint64_t tmp1[6U] = { 0U };
Hacl_Impl_Poly1305_64_State_poly1305_state
st = AEAD_Poly1305_64_mk_state(tmp1, tmp1 + (uint32_t)3U);
(void)AEAD_Poly1305_64_poly1305_blocks_init(st, aad1, aadlen, mk);
(void)AEAD_Poly1305_64_poly1305_blocks_continue(st, c, mlen);
AEAD_Poly1305_64_poly1305_blocks_finish(st, lb, mac, key_s);
}
void Hacl_Chacha20Poly1305_encode_length(uint8_t *lb, uint32_t aad_len, uint32_t mlen)
{
store64_le(lb, (uint64_t)aad_len);
uint8_t *x0 = lb + (uint32_t)8U;
store64_le(x0, (uint64_t)mlen);
}
uint32_t
Hacl_Chacha20Poly1305_aead_encrypt_(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint32_t mlen,
uint8_t *aad1,
uint32_t aadlen,
uint8_t *k1,
uint8_t *n1
)
{
uint8_t tmp[80U] = { 0U };
uint8_t *b = tmp;
uint8_t *lb = tmp + (uint32_t)64U;
Hacl_Chacha20Poly1305_encode_length(lb, aadlen, mlen);
Hacl_Chacha20_chacha20(c, m, mlen, k1, n1, (uint32_t)1U);
Hacl_Chacha20_chacha20_key_block(b, k1, n1, (uint32_t)0U);
Hacl_Chacha20Poly1305_aead_encrypt_poly(c, mlen, mac, aad1, aadlen, tmp);
return (uint32_t)0U;
}
uint32_t
Hacl_Chacha20Poly1305_aead_encrypt(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint32_t mlen,
uint8_t *aad1,
uint32_t aadlen,
uint8_t *k1,
uint8_t *n1
)
{
uint32_t z = Hacl_Chacha20Poly1305_aead_encrypt_(c, mac, m, mlen, aad1, aadlen, k1, n1);
return z;
}
uint32_t
Hacl_Chacha20Poly1305_aead_decrypt(
uint8_t *m,
uint8_t *c,
uint32_t mlen,
uint8_t *mac,
uint8_t *aad1,
uint32_t aadlen,
uint8_t *k1,
uint8_t *n1
)
{
uint8_t tmp[96U] = { 0U };
uint8_t *b = tmp;
uint8_t *lb = tmp + (uint32_t)64U;
Hacl_Chacha20Poly1305_encode_length(lb, aadlen, mlen);
uint8_t *rmac = tmp + (uint32_t)80U;
Hacl_Chacha20_chacha20_key_block(b, k1, n1, (uint32_t)0U);
Hacl_Chacha20Poly1305_aead_encrypt_poly(c, mlen, rmac, aad1, aadlen, tmp);
uint8_t result = Hacl_Policies_cmp_bytes(mac, rmac, (uint32_t)16U);
uint8_t verify = result;
uint32_t res;
if (verify == (uint8_t)0U)
{
Hacl_Chacha20_chacha20(m, c, mlen, k1, n1, (uint32_t)1U);
res = (uint32_t)0U;
}
else
res = (uint32_t)1U;
return res;
}

80
vendors/ocaml-hacl/src/Hacl_Chacha20Poly1305.h vendored Normal file
View File

@ -0,0 +1,80 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_Chacha20Poly1305_H
#define __Hacl_Chacha20Poly1305_H
#include "Hacl_Policies.h"
#include "Hacl_Chacha20.h"
#include "AEAD_Poly1305_64.h"
extern Prims_int Hacl_Chacha20Poly1305_noncelen;
extern Prims_int Hacl_Chacha20Poly1305_keylen;
extern Prims_int Hacl_Chacha20Poly1305_maclen;
typedef Hacl_Impl_Poly1305_64_State_poly1305_state Hacl_Chacha20Poly1305_state;
typedef void *Hacl_Chacha20Poly1305_log_t;
void Hacl_Chacha20Poly1305_encode_length(uint8_t *lb, uint32_t aad_len, uint32_t mlen);
uint32_t
Hacl_Chacha20Poly1305_aead_encrypt_(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint32_t mlen,
uint8_t *aad1,
uint32_t aadlen,
uint8_t *k1,
uint8_t *n1
);
uint32_t
Hacl_Chacha20Poly1305_aead_encrypt(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint32_t mlen,
uint8_t *aad1,
uint32_t aadlen,
uint8_t *k1,
uint8_t *n1
);
uint32_t
Hacl_Chacha20Poly1305_aead_decrypt(
uint8_t *m,
uint8_t *c,
uint32_t mlen,
uint8_t *mac,
uint8_t *aad1,
uint32_t aadlen,
uint8_t *k1,
uint8_t *n1
);
#endif

837
vendors/ocaml-hacl/src/Hacl_Curve25519.c vendored Normal file
View File

@ -0,0 +1,837 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_Curve25519.h"
static void Hacl_Bignum_Modulo_carry_top(uint64_t *b)
{
uint64_t b4 = b[4U];
uint64_t b0 = b[0U];
uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU;
uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U);
b[4U] = b4_;
b[0U] = b0_;
}
inline static void
Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_t *input)
{
{
FStar_UInt128_t xi = input[0U];
output[0U] = FStar_UInt128_uint128_to_uint64(xi);
}
{
FStar_UInt128_t xi = input[1U];
output[1U] = FStar_UInt128_uint128_to_uint64(xi);
}
{
FStar_UInt128_t xi = input[2U];
output[2U] = FStar_UInt128_uint128_to_uint64(xi);
}
{
FStar_UInt128_t xi = input[3U];
output[3U] = FStar_UInt128_uint128_to_uint64(xi);
}
{
FStar_UInt128_t xi = input[4U];
output[4U] = FStar_UInt128_uint128_to_uint64(xi);
}
}
inline static void
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(
FStar_UInt128_t *output,
uint64_t *input,
uint64_t s
)
{
{
FStar_UInt128_t xi = output[0U];
uint64_t yi = input[0U];
output[0U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
}
{
FStar_UInt128_t xi = output[1U];
uint64_t yi = input[1U];
output[1U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
}
{
FStar_UInt128_t xi = output[2U];
uint64_t yi = input[2U];
output[2U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
}
{
FStar_UInt128_t xi = output[3U];
uint64_t yi = input[3U];
output[3U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
}
{
FStar_UInt128_t xi = output[4U];
uint64_t yi = input[4U];
output[4U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
}
}
inline static void Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_t *tmp)
{
{
uint32_t ctr = (uint32_t)0U;
FStar_UInt128_t tctr = tmp[ctr];
FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
}
{
uint32_t ctr = (uint32_t)1U;
FStar_UInt128_t tctr = tmp[ctr];
FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
}
{
uint32_t ctr = (uint32_t)2U;
FStar_UInt128_t tctr = tmp[ctr];
FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
}
{
uint32_t ctr = (uint32_t)3U;
FStar_UInt128_t tctr = tmp[ctr];
FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
}
}
inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
{
uint64_t tmp = output[4U];
{
uint32_t ctr = (uint32_t)5U - (uint32_t)0U - (uint32_t)1U;
uint64_t z = output[ctr - (uint32_t)1U];
output[ctr] = z;
}
{
uint32_t ctr = (uint32_t)5U - (uint32_t)1U - (uint32_t)1U;
uint64_t z = output[ctr - (uint32_t)1U];
output[ctr] = z;
}
{
uint32_t ctr = (uint32_t)5U - (uint32_t)2U - (uint32_t)1U;
uint64_t z = output[ctr - (uint32_t)1U];
output[ctr] = z;
}
{
uint32_t ctr = (uint32_t)5U - (uint32_t)3U - (uint32_t)1U;
uint64_t z = output[ctr - (uint32_t)1U];
output[ctr] = z;
}
output[0U] = tmp;
uint64_t b0 = output[0U];
output[0U] = (uint64_t)19U * b0;
}
static void
Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input21)
{
{
uint64_t input2i = input21[0U];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
Hacl_Bignum_Fmul_shift_reduce(input);
}
{
uint64_t input2i = input21[1U];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
Hacl_Bignum_Fmul_shift_reduce(input);
}
{
uint64_t input2i = input21[2U];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
Hacl_Bignum_Fmul_shift_reduce(input);
}
{
uint64_t input2i = input21[3U];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
Hacl_Bignum_Fmul_shift_reduce(input);
}
uint32_t i = (uint32_t)4U;
uint64_t input2i = input21[i];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
}
inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input21)
{
uint64_t tmp[5U] = { 0U };
memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
FStar_UInt128_t t[5U];
for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input21);
Hacl_Bignum_Fproduct_carry_wide_(t);
FStar_UInt128_t b4 = t[4U];
FStar_UInt128_t b0 = t[0U];
FStar_UInt128_t
b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
FStar_UInt128_t
b0_ =
FStar_UInt128_add(b0,
FStar_UInt128_mul_wide((uint64_t)19U,
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
t[4U] = b4_;
t[0U] = b0_;
Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
uint64_t i0 = output[0U];
uint64_t i1 = output[1U];
uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
output[0U] = i0_;
output[1U] = i1_;
}
inline static void Hacl_Bignum_Fsquare_fsquare__(FStar_UInt128_t *tmp, uint64_t *output)
{
uint64_t r0 = output[0U];
uint64_t r1 = output[1U];
uint64_t r2 = output[2U];
uint64_t r3 = output[3U];
uint64_t r4 = output[4U];
uint64_t d0 = r0 * (uint64_t)2U;
uint64_t d1 = r1 * (uint64_t)2U;
uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U;
uint64_t d419 = r4 * (uint64_t)19U;
uint64_t d4 = d419 * (uint64_t)2U;
FStar_UInt128_t
s0 =
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(r0, r0),
FStar_UInt128_mul_wide(d4, r1)),
FStar_UInt128_mul_wide(d2, r3));
FStar_UInt128_t
s1 =
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r1),
FStar_UInt128_mul_wide(d4, r2)),
FStar_UInt128_mul_wide(r3 * (uint64_t)19U, r3));
FStar_UInt128_t
s2 =
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r2),
FStar_UInt128_mul_wide(r1, r1)),
FStar_UInt128_mul_wide(d4, r3));
FStar_UInt128_t
s3 =
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r3),
FStar_UInt128_mul_wide(d1, r2)),
FStar_UInt128_mul_wide(r4, d419));
FStar_UInt128_t
s4 =
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r4),
FStar_UInt128_mul_wide(d1, r3)),
FStar_UInt128_mul_wide(r2, r2));
tmp[0U] = s0;
tmp[1U] = s1;
tmp[2U] = s2;
tmp[3U] = s3;
tmp[4U] = s4;
}
inline static void Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_t *tmp, uint64_t *output)
{
Hacl_Bignum_Fsquare_fsquare__(tmp, output);
Hacl_Bignum_Fproduct_carry_wide_(tmp);
FStar_UInt128_t b4 = tmp[4U];
FStar_UInt128_t b0 = tmp[0U];
FStar_UInt128_t
b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
FStar_UInt128_t
b0_ =
FStar_UInt128_add(b0,
FStar_UInt128_mul_wide((uint64_t)19U,
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
tmp[4U] = b4_;
tmp[0U] = b0_;
Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
uint64_t i0 = output[0U];
uint64_t i1 = output[1U];
uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
output[0U] = i0_;
output[1U] = i1_;
}
static void
Hacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, FStar_UInt128_t *tmp, uint32_t count1)
{
Hacl_Bignum_Fsquare_fsquare_(tmp, input);
for (uint32_t i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U)
Hacl_Bignum_Fsquare_fsquare_(tmp, input);
}
inline static void
Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1)
{
KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
FStar_UInt128_t t[5U];
for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
}
inline static void Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1)
{
KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
FStar_UInt128_t t[5U];
for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
}
inline static void Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z)
{
uint64_t buf[20U] = { 0U };
uint64_t *a = buf;
uint64_t *t00 = buf + (uint32_t)5U;
uint64_t *b0 = buf + (uint32_t)10U;
Hacl_Bignum_Fsquare_fsquare_times(a, z, (uint32_t)1U);
Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)2U);
Hacl_Bignum_Fmul_fmul(b0, t00, z);
Hacl_Bignum_Fmul_fmul(a, b0, a);
Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)1U);
Hacl_Bignum_Fmul_fmul(b0, t00, b0);
Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U);
uint64_t *t01 = buf + (uint32_t)5U;
uint64_t *b1 = buf + (uint32_t)10U;
uint64_t *c0 = buf + (uint32_t)15U;
Hacl_Bignum_Fmul_fmul(b1, t01, b1);
Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U);
Hacl_Bignum_Fmul_fmul(c0, t01, b1);
Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U);
Hacl_Bignum_Fmul_fmul(t01, t01, c0);
Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U);
Hacl_Bignum_Fmul_fmul(b1, t01, b1);
Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U);
uint64_t *a0 = buf;
uint64_t *t0 = buf + (uint32_t)5U;
uint64_t *b = buf + (uint32_t)10U;
uint64_t *c = buf + (uint32_t)15U;
Hacl_Bignum_Fmul_fmul(c, t0, b);
Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U);
Hacl_Bignum_Fmul_fmul(t0, t0, c);
Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U);
Hacl_Bignum_Fmul_fmul(t0, t0, b);
Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U);
Hacl_Bignum_Fmul_fmul(out, t0, a0);
}
inline static void Hacl_Bignum_fsum(uint64_t *a, uint64_t *b)
{
{
uint64_t xi = a[0U];
uint64_t yi = b[0U];
a[0U] = xi + yi;
}
{
uint64_t xi = a[1U];
uint64_t yi = b[1U];
a[1U] = xi + yi;
}
{
uint64_t xi = a[2U];
uint64_t yi = b[2U];
a[2U] = xi + yi;
}
{
uint64_t xi = a[3U];
uint64_t yi = b[3U];
a[3U] = xi + yi;
}
{
uint64_t xi = a[4U];
uint64_t yi = b[4U];
a[4U] = xi + yi;
}
}
inline static void Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b)
{
uint64_t tmp[5U] = { 0U };
memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]);
uint64_t b0 = tmp[0U];
uint64_t b1 = tmp[1U];
uint64_t b2 = tmp[2U];
uint64_t b3 = tmp[3U];
uint64_t b4 = tmp[4U];
tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U;
tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U;
tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U;
tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U;
tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U;
{
uint64_t xi = a[0U];
uint64_t yi = tmp[0U];
a[0U] = yi - xi;
}
{
uint64_t xi = a[1U];
uint64_t yi = tmp[1U];
a[1U] = yi - xi;
}
{
uint64_t xi = a[2U];
uint64_t yi = tmp[2U];
a[2U] = yi - xi;
}
{
uint64_t xi = a[3U];
uint64_t yi = tmp[3U];
a[3U] = yi - xi;
}
{
uint64_t xi = a[4U];
uint64_t yi = tmp[4U];
a[4U] = yi - xi;
}
}
inline static void Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s)
{
KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
FStar_UInt128_t tmp[5U];
for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
{
uint64_t xi = b[0U];
tmp[0U] = FStar_UInt128_mul_wide(xi, s);
}
{
uint64_t xi = b[1U];
tmp[1U] = FStar_UInt128_mul_wide(xi, s);
}
{
uint64_t xi = b[2U];
tmp[2U] = FStar_UInt128_mul_wide(xi, s);
}
{
uint64_t xi = b[3U];
tmp[3U] = FStar_UInt128_mul_wide(xi, s);
}
{
uint64_t xi = b[4U];
tmp[4U] = FStar_UInt128_mul_wide(xi, s);
}
Hacl_Bignum_Fproduct_carry_wide_(tmp);
FStar_UInt128_t b4 = tmp[4U];
FStar_UInt128_t b0 = tmp[0U];
FStar_UInt128_t
b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
FStar_UInt128_t
b0_ =
FStar_UInt128_add(b0,
FStar_UInt128_mul_wide((uint64_t)19U,
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
tmp[4U] = b4_;
tmp[0U] = b0_;
Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
}
inline static void Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b)
{
Hacl_Bignum_Fmul_fmul(output, a, b);
}
inline static void Hacl_Bignum_crecip(uint64_t *output, uint64_t *input)
{
Hacl_Bignum_Crecip_crecip(output, input);
}
static void
Hacl_EC_Point_swap_conditional_step(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
{
uint32_t i = ctr - (uint32_t)1U;
uint64_t ai = a[i];
uint64_t bi = b[i];
uint64_t x = swap1 & (ai ^ bi);
uint64_t ai1 = ai ^ x;
uint64_t bi1 = bi ^ x;
a[i] = ai1;
b[i] = bi1;
}
static void
Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
{
if (!(ctr == (uint32_t)0U))
{
Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr);
uint32_t i = ctr - (uint32_t)1U;
Hacl_EC_Point_swap_conditional_(a, b, swap1, i);
}
}
static void Hacl_EC_Point_swap_conditional(uint64_t *a, uint64_t *b, uint64_t iswap)
{
uint64_t swap1 = (uint64_t)0U - iswap;
Hacl_EC_Point_swap_conditional_(a, b, swap1, (uint32_t)5U);
Hacl_EC_Point_swap_conditional_(a + (uint32_t)5U, b + (uint32_t)5U, swap1, (uint32_t)5U);
}
static void Hacl_EC_Point_copy(uint64_t *output, uint64_t *input)
{
memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
memcpy(output + (uint32_t)5U,
input + (uint32_t)5U,
(uint32_t)5U * sizeof (input + (uint32_t)5U)[0U]);
}
static void
Hacl_EC_AddAndDouble_fmonty(
uint64_t *pp,
uint64_t *ppq,
uint64_t *p,
uint64_t *pq,
uint64_t *qmqp
)
{
uint64_t *qx = qmqp;
uint64_t *x2 = pp;
uint64_t *z2 = pp + (uint32_t)5U;
uint64_t *x3 = ppq;
uint64_t *z3 = ppq + (uint32_t)5U;
uint64_t *x = p;
uint64_t *z = p + (uint32_t)5U;
uint64_t *xprime = pq;
uint64_t *zprime = pq + (uint32_t)5U;
uint64_t buf[40U] = { 0U };
uint64_t *origx = buf;
uint64_t *origxprime = buf + (uint32_t)5U;
uint64_t *xxprime0 = buf + (uint32_t)25U;
uint64_t *zzprime0 = buf + (uint32_t)30U;
memcpy(origx, x, (uint32_t)5U * sizeof x[0U]);
Hacl_Bignum_fsum(x, z);
Hacl_Bignum_fdifference(z, origx);
memcpy(origxprime, xprime, (uint32_t)5U * sizeof xprime[0U]);
Hacl_Bignum_fsum(xprime, zprime);
Hacl_Bignum_fdifference(zprime, origxprime);
Hacl_Bignum_fmul(xxprime0, xprime, z);
Hacl_Bignum_fmul(zzprime0, x, zprime);
uint64_t *origxprime0 = buf + (uint32_t)5U;
uint64_t *xx0 = buf + (uint32_t)15U;
uint64_t *zz0 = buf + (uint32_t)20U;
uint64_t *xxprime = buf + (uint32_t)25U;
uint64_t *zzprime = buf + (uint32_t)30U;
uint64_t *zzzprime = buf + (uint32_t)35U;
memcpy(origxprime0, xxprime, (uint32_t)5U * sizeof xxprime[0U]);
Hacl_Bignum_fsum(xxprime, zzprime);
Hacl_Bignum_fdifference(zzprime, origxprime0);
Hacl_Bignum_Fsquare_fsquare_times(x3, xxprime, (uint32_t)1U);
Hacl_Bignum_Fsquare_fsquare_times(zzzprime, zzprime, (uint32_t)1U);
Hacl_Bignum_fmul(z3, zzzprime, qx);
Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U);
Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U);
uint64_t *zzz = buf + (uint32_t)10U;
uint64_t *xx = buf + (uint32_t)15U;
uint64_t *zz = buf + (uint32_t)20U;
Hacl_Bignum_fmul(x2, xx, zz);
Hacl_Bignum_fdifference(zz, xx);
uint64_t scalar = (uint64_t)121665U;
Hacl_Bignum_fscalar(zzz, zz, scalar);
Hacl_Bignum_fsum(zzz, xx);
Hacl_Bignum_fmul(z2, zzz, zz);
}
static void
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(
uint64_t *nq,
uint64_t *nqpq,
uint64_t *nq2,
uint64_t *nqpq2,
uint64_t *q,
uint8_t byt
)
{
uint64_t bit = (uint64_t)(byt >> (uint32_t)7U);
Hacl_EC_Point_swap_conditional(nq, nqpq, bit);
Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q);
uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U);
Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit0);
}
static void
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(
uint64_t *nq,
uint64_t *nqpq,
uint64_t *nq2,
uint64_t *nqpq2,
uint64_t *q,
uint8_t byt
)
{
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt);
uint8_t byt1 = byt << (uint32_t)1U;
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
}
static void
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(
uint64_t *nq,
uint64_t *nqpq,
uint64_t *nq2,
uint64_t *nqpq2,
uint64_t *q,
uint8_t byt,
uint32_t i
)
{
if (!(i == (uint32_t)0U))
{
uint32_t i_ = i - (uint32_t)1U;
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt);
uint8_t byt_ = byt << (uint32_t)2U;
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_);
}
}
static void
Hacl_EC_Ladder_BigLoop_cmult_big_loop(
uint8_t *n1,
uint64_t *nq,
uint64_t *nqpq,
uint64_t *nq2,
uint64_t *nqpq2,
uint64_t *q,
uint32_t i
)
{
if (!(i == (uint32_t)0U))
{
uint32_t i1 = i - (uint32_t)1U;
uint8_t byte = n1[i1];
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byte, (uint32_t)4U);
Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, i1);
}
}
static void Hacl_EC_Ladder_cmult(uint64_t *result, uint8_t *n1, uint64_t *q)
{
uint64_t point_buf[40U] = { 0U };
uint64_t *nq = point_buf;
uint64_t *nqpq = point_buf + (uint32_t)10U;
uint64_t *nq2 = point_buf + (uint32_t)20U;
uint64_t *nqpq2 = point_buf + (uint32_t)30U;
Hacl_EC_Point_copy(nqpq, q);
nq[0U] = (uint64_t)1U;
Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, (uint32_t)32U);
Hacl_EC_Point_copy(result, nq);
}
static void Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input)
{
uint64_t i0 = load64_le(input);
uint8_t *x00 = input + (uint32_t)6U;
uint64_t i1 = load64_le(x00);
uint8_t *x01 = input + (uint32_t)12U;
uint64_t i2 = load64_le(x01);
uint8_t *x02 = input + (uint32_t)19U;
uint64_t i3 = load64_le(x02);
uint8_t *x0 = input + (uint32_t)24U;
uint64_t i4 = load64_le(x0);
uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU;
uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU;
uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU;
uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU;
uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU;
output[0U] = output0;
output[1U] = output1;
output[2U] = output2;
output[3U] = output3;
output[4U] = output4;
}
static void Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input)
{
uint64_t t0 = input[0U];
uint64_t t1 = input[1U];
uint64_t t2 = input[2U];
uint64_t t3 = input[3U];
uint64_t t4 = input[4U];
uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
input[0U] = t0_;
input[1U] = t1__;
input[2U] = t2__;
input[3U] = t3__;
input[4U] = t4_;
}
static void Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input)
{
Hacl_EC_Format_fcontract_first_carry_pass(input);
Hacl_Bignum_Modulo_carry_top(input);
}
static void Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input)
{
uint64_t t0 = input[0U];
uint64_t t1 = input[1U];
uint64_t t2 = input[2U];
uint64_t t3 = input[3U];
uint64_t t4 = input[4U];
uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
input[0U] = t0_;
input[1U] = t1__;
input[2U] = t2__;
input[3U] = t3__;
input[4U] = t4_;
}
static void Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input)
{
Hacl_EC_Format_fcontract_second_carry_pass(input);
Hacl_Bignum_Modulo_carry_top(input);
uint64_t i0 = input[0U];
uint64_t i1 = input[1U];
uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
input[0U] = i0_;
input[1U] = i1_;
}
static void Hacl_EC_Format_fcontract_trim(uint64_t *input)
{
uint64_t a0 = input[0U];
uint64_t a1 = input[1U];
uint64_t a2 = input[2U];
uint64_t a3 = input[3U];
uint64_t a4 = input[4U];
uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU);
uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU);
uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU);
uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU);
uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU);
uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask);
uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask);
uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask);
uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask);
uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask);
input[0U] = a0_;
input[1U] = a1_;
input[2U] = a2_;
input[3U] = a3_;
input[4U] = a4_;
}
static void Hacl_EC_Format_fcontract_store(uint8_t *output, uint64_t *input)
{
uint64_t t0 = input[0U];
uint64_t t1 = input[1U];
uint64_t t2 = input[2U];
uint64_t t3 = input[3U];
uint64_t t4 = input[4U];
uint64_t o0 = t1 << (uint32_t)51U | t0;
uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U;
uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U;
uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U;
uint8_t *b0 = output;
uint8_t *b1 = output + (uint32_t)8U;
uint8_t *b2 = output + (uint32_t)16U;
uint8_t *b3 = output + (uint32_t)24U;
store64_le(b0, o0);
store64_le(b1, o1);
store64_le(b2, o2);
store64_le(b3, o3);
}
static void Hacl_EC_Format_fcontract(uint8_t *output, uint64_t *input)
{
Hacl_EC_Format_fcontract_first_carry_full(input);
Hacl_EC_Format_fcontract_second_carry_full(input);
Hacl_EC_Format_fcontract_trim(input);
Hacl_EC_Format_fcontract_store(output, input);
}
static void Hacl_EC_Format_scalar_of_point(uint8_t *scalar, uint64_t *point)
{
uint64_t *x = point;
uint64_t *z = point + (uint32_t)5U;
uint64_t buf[10U] = { 0U };
uint64_t *zmone = buf;
uint64_t *sc = buf + (uint32_t)5U;
Hacl_Bignum_crecip(zmone, z);
Hacl_Bignum_fmul(sc, x, zmone);
Hacl_EC_Format_fcontract(scalar, sc);
}
void Hacl_EC_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint)
{
uint64_t buf0[10U] = { 0U };
uint64_t *x0 = buf0;
uint64_t *z = buf0 + (uint32_t)5U;
Hacl_EC_Format_fexpand(x0, basepoint);
z[0U] = (uint64_t)1U;
uint64_t *q = buf0;
uint8_t e[32U] = { 0U };
memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]);
uint8_t e0 = e[0U];
uint8_t e31 = e[31U];
uint8_t e01 = e0 & (uint8_t)248U;
uint8_t e311 = e31 & (uint8_t)127U;
uint8_t e312 = e311 | (uint8_t)64U;
e[0U] = e01;
e[31U] = e312;
uint8_t *scalar = e;
uint64_t buf[15U] = { 0U };
uint64_t *nq = buf;
uint64_t *x = nq;
x[0U] = (uint64_t)1U;
Hacl_EC_Ladder_cmult(nq, scalar, q);
Hacl_EC_Format_scalar_of_point(mypublic, nq);
}
void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint)
{
Hacl_EC_crypto_scalarmult(mypublic, secret, basepoint);
}

69
vendors/ocaml-hacl/src/Hacl_Curve25519.h vendored Normal file
View File

@ -0,0 +1,69 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_Curve25519_H
#define __Hacl_Curve25519_H
typedef uint64_t Hacl_Bignum_Constants_limb;
typedef FStar_UInt128_t Hacl_Bignum_Constants_wide;
typedef uint64_t Hacl_Bignum_Parameters_limb;
typedef FStar_UInt128_t Hacl_Bignum_Parameters_wide;
typedef uint32_t Hacl_Bignum_Parameters_ctr;
typedef uint64_t *Hacl_Bignum_Parameters_felem;
typedef FStar_UInt128_t *Hacl_Bignum_Parameters_felem_wide;
typedef void *Hacl_Bignum_Parameters_seqelem;
typedef void *Hacl_Bignum_Parameters_seqelem_wide;
typedef FStar_UInt128_t Hacl_Bignum_Wide_t;
typedef uint64_t Hacl_Bignum_Limb_t;
extern void Hacl_Bignum_lemma_diff(Prims_int x0, Prims_int x1, Prims_pos x2);
typedef uint64_t *Hacl_EC_Point_point;
typedef uint8_t *Hacl_EC_Ladder_SmallLoop_uint8_p;
typedef uint8_t *Hacl_EC_Ladder_uint8_p;
typedef uint8_t *Hacl_EC_Format_uint8_p;
void Hacl_EC_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);
typedef uint8_t *Hacl_Curve25519_uint8_p;
void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);
#endif

2828
vendors/ocaml-hacl/src/Hacl_Ed25519.c vendored Normal file
View File

File diff suppressed because it is too large Load Diff

230
vendors/ocaml-hacl/src/Hacl_Ed25519.h vendored Normal file
View File

@ -0,0 +1,230 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_Ed25519_H
#define __Hacl_Ed25519_H
typedef uint64_t Hacl_Bignum_Constants_limb;
typedef FStar_UInt128_t Hacl_Bignum_Constants_wide;
typedef uint64_t Hacl_Bignum_Parameters_limb;
typedef FStar_UInt128_t Hacl_Bignum_Parameters_wide;
typedef uint32_t Hacl_Bignum_Parameters_ctr;
typedef uint64_t *Hacl_Bignum_Parameters_felem;
typedef FStar_UInt128_t *Hacl_Bignum_Parameters_felem_wide;
typedef void *Hacl_Bignum_Parameters_seqelem;
typedef void *Hacl_Bignum_Parameters_seqelem_wide;
typedef FStar_UInt128_t Hacl_Bignum_Wide_t;
typedef uint64_t Hacl_Bignum_Limb_t;
extern void Hacl_Bignum_lemma_diff(Prims_int x0, Prims_int x1, Prims_pos x2);
typedef struct
{
void *fst;
void *snd;
}
K___FStar_Seq_Base_seq_uint64_t_FStar_Seq_Base_seq_uint64_t;
typedef uint64_t *Hacl_EC_Point_point;
typedef uint8_t *Hacl_EC_Format_uint8_p;
typedef uint64_t Hacl_Lib_Create64_h64;
typedef uint64_t Hacl_Bignum25519_limb;
typedef uint64_t *Hacl_Bignum25519_felem;
typedef void *Hacl_Bignum25519_seqelem;
typedef uint64_t *Hacl_Impl_Ed25519_ExtPoint_point;
typedef uint8_t *Hacl_Impl_Store51_uint8_p;
typedef uint64_t *Hacl_Impl_Store51_felem;
typedef uint8_t *Hacl_Impl_Ed25519_PointCompress_hint8_p;
typedef uint64_t *Hacl_Impl_Ed25519_PointCompress_hint64_p;
typedef uint64_t *Hacl_Impl_Ed25519_SwapConditional_felem;
typedef uint8_t *Hacl_Impl_Ed25519_Ladder_Step_uint8_p;
typedef uint64_t *Hacl_Impl_Ed25519_Ladder_elemB;
typedef uint8_t *Hacl_Hash_Lib_LoadStore_uint8_p;
typedef uint8_t Hacl_Hash_Lib_Create_uint8_t;
typedef uint32_t Hacl_Hash_Lib_Create_uint32_t;
typedef uint64_t Hacl_Hash_Lib_Create_uint64_t;
typedef uint8_t Hacl_Hash_Lib_Create_uint8_ht;
typedef uint32_t Hacl_Hash_Lib_Create_uint32_ht;
typedef uint64_t Hacl_Hash_Lib_Create_uint64_ht;
typedef uint8_t *Hacl_Hash_Lib_Create_uint8_p;
typedef uint32_t *Hacl_Hash_Lib_Create_uint32_p;
typedef uint64_t *Hacl_Hash_Lib_Create_uint64_p;
typedef uint8_t Hacl_Impl_SHA2_512_Lemmas_uint8_t;
typedef uint32_t Hacl_Impl_SHA2_512_Lemmas_uint32_t;
typedef uint64_t Hacl_Impl_SHA2_512_Lemmas_uint64_t;
typedef uint8_t Hacl_Impl_SHA2_512_Lemmas_uint8_ht;
typedef uint32_t Hacl_Impl_SHA2_512_Lemmas_uint32_ht;
typedef uint64_t Hacl_Impl_SHA2_512_Lemmas_uint64_ht;
typedef FStar_UInt128_t Hacl_Impl_SHA2_512_Lemmas_uint128_ht;
typedef uint64_t *Hacl_Impl_SHA2_512_Lemmas_uint64_p;
typedef uint8_t *Hacl_Impl_SHA2_512_Lemmas_uint8_p;
typedef uint8_t Hacl_Impl_SHA2_512_uint8_t;
typedef uint32_t Hacl_Impl_SHA2_512_uint32_t;
typedef uint64_t Hacl_Impl_SHA2_512_uint64_t;
typedef uint8_t Hacl_Impl_SHA2_512_uint8_ht;
typedef uint32_t Hacl_Impl_SHA2_512_uint32_ht;
typedef uint64_t Hacl_Impl_SHA2_512_uint64_ht;
typedef FStar_UInt128_t Hacl_Impl_SHA2_512_uint128_ht;
typedef uint64_t *Hacl_Impl_SHA2_512_uint64_p;
typedef uint8_t *Hacl_Impl_SHA2_512_uint8_p;
typedef uint8_t Hacl_SHA2_512_uint8_t;
typedef uint32_t Hacl_SHA2_512_uint32_t;
typedef uint64_t Hacl_SHA2_512_uint64_t;
typedef uint8_t Hacl_SHA2_512_uint8_ht;
typedef uint32_t Hacl_SHA2_512_uint32_ht;
typedef uint64_t Hacl_SHA2_512_uint64_ht;
typedef FStar_UInt128_t Hacl_SHA2_512_uint128_ht;
typedef uint64_t *Hacl_SHA2_512_uint64_p;
typedef uint8_t *Hacl_SHA2_512_uint8_p;
typedef uint8_t *Hacl_Impl_Ed25519_SecretExpand_hint8_p;
typedef uint8_t *Hacl_Impl_Ed25519_SecretToPublic_hint8_p;
typedef Prims_nat Hacl_Impl_Ed25519_Verify_Lemmas_u51;
typedef uint8_t *Hacl_Impl_Ed25519_PointEqual_uint8_p;
typedef uint64_t *Hacl_Impl_Ed25519_PointEqual_felem;
typedef uint32_t Hacl_Impl_Load56_u32;
typedef uint8_t Hacl_Impl_Load56_h8;
typedef uint64_t Hacl_Impl_Load56_h64;
typedef uint8_t *Hacl_Impl_Load56_hint8_p;
typedef uint64_t *Hacl_Impl_Ed25519_RecoverX_elemB;
typedef uint32_t Hacl_Impl_Load51_u32;
typedef uint8_t Hacl_Impl_Load51_h8;
typedef uint64_t Hacl_Impl_Load51_h64;
typedef uint8_t *Hacl_Impl_Load51_hint8_p;
typedef uint8_t *Hacl_Impl_Store56_hint8_p;
typedef uint64_t *Hacl_Impl_Store56_qelem;
typedef uint8_t *Hacl_Impl_SHA512_Ed25519_1_hint8_p;
typedef uint8_t *Hacl_Impl_SHA512_Ed25519_hint8_p;
typedef uint8_t *Hacl_Impl_Sha512_hint8_p;
typedef FStar_UInt128_t Hacl_Lib_Create128_h128;
typedef uint64_t *Hacl_Impl_BignumQ_Mul_qelemB;
typedef uint64_t Hacl_Impl_BignumQ_Mul_h64;
typedef uint8_t *Hacl_Impl_Ed25519_Verify_Steps_uint8_p;
typedef uint64_t *Hacl_Impl_Ed25519_Verify_Steps_felem;
typedef uint8_t *Hacl_Impl_Ed25519_Verify_uint8_p;
typedef uint64_t *Hacl_Impl_Ed25519_Verify_felem;
typedef uint8_t *Hacl_Impl_Ed25519_Sign_Steps_hint8_p;
typedef uint8_t *Hacl_Impl_Ed25519_Sign_hint8_p;
typedef uint8_t *Hacl_Ed25519_uint8_p;
typedef uint8_t *Hacl_Ed25519_hint8_p;
void Hacl_Ed25519_sign(uint8_t *signature, uint8_t *secret, uint8_t *msg, uint32_t len1);
bool Hacl_Ed25519_verify(uint8_t *public, uint8_t *msg, uint32_t len1, uint8_t *signature);
void Hacl_Ed25519_secret_to_public(uint8_t *out, uint8_t *secret);
#endif

377
vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.c vendored Normal file
View File

@ -0,0 +1,377 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_HMAC_SHA2_256.h"
static void
Hacl_Hash_Lib_LoadStore_uint32s_from_be_bytes(uint32_t *output, uint8_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t *x0 = input + (uint32_t)4U * i;
uint32_t inputi = load32_be(x0);
output[i] = inputi;
}
}
static void
Hacl_Hash_Lib_LoadStore_uint32s_to_be_bytes(uint8_t *output, uint32_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint32_t hd1 = input[i];
uint8_t *x0 = output + (uint32_t)4U * i;
store32_be(x0, hd1);
}
}
static void Hacl_Impl_SHA2_256_init(uint32_t *state)
{
uint32_t *n1 = state + (uint32_t)136U;
uint32_t *k1 = state;
uint32_t *h_01 = state + (uint32_t)128U;
uint32_t *p10 = k1;
uint32_t *p20 = k1 + (uint32_t)16U;
uint32_t *p3 = k1 + (uint32_t)32U;
uint32_t *p4 = k1 + (uint32_t)48U;
uint32_t *p11 = p10;
uint32_t *p21 = p10 + (uint32_t)8U;
uint32_t *p12 = p11;
uint32_t *p22 = p11 + (uint32_t)4U;
p12[0U] = (uint32_t)0x428a2f98U;
p12[1U] = (uint32_t)0x71374491U;
p12[2U] = (uint32_t)0xb5c0fbcfU;
p12[3U] = (uint32_t)0xe9b5dba5U;
p22[0U] = (uint32_t)0x3956c25bU;
p22[1U] = (uint32_t)0x59f111f1U;
p22[2U] = (uint32_t)0x923f82a4U;
p22[3U] = (uint32_t)0xab1c5ed5U;
uint32_t *p13 = p21;
uint32_t *p23 = p21 + (uint32_t)4U;
p13[0U] = (uint32_t)0xd807aa98U;
p13[1U] = (uint32_t)0x12835b01U;
p13[2U] = (uint32_t)0x243185beU;
p13[3U] = (uint32_t)0x550c7dc3U;
p23[0U] = (uint32_t)0x72be5d74U;
p23[1U] = (uint32_t)0x80deb1feU;
p23[2U] = (uint32_t)0x9bdc06a7U;
p23[3U] = (uint32_t)0xc19bf174U;
uint32_t *p14 = p20;
uint32_t *p24 = p20 + (uint32_t)8U;
uint32_t *p15 = p14;
uint32_t *p25 = p14 + (uint32_t)4U;
p15[0U] = (uint32_t)0xe49b69c1U;
p15[1U] = (uint32_t)0xefbe4786U;
p15[2U] = (uint32_t)0x0fc19dc6U;
p15[3U] = (uint32_t)0x240ca1ccU;
p25[0U] = (uint32_t)0x2de92c6fU;
p25[1U] = (uint32_t)0x4a7484aaU;
p25[2U] = (uint32_t)0x5cb0a9dcU;
p25[3U] = (uint32_t)0x76f988daU;
uint32_t *p16 = p24;
uint32_t *p26 = p24 + (uint32_t)4U;
p16[0U] = (uint32_t)0x983e5152U;
p16[1U] = (uint32_t)0xa831c66dU;
p16[2U] = (uint32_t)0xb00327c8U;
p16[3U] = (uint32_t)0xbf597fc7U;
p26[0U] = (uint32_t)0xc6e00bf3U;
p26[1U] = (uint32_t)0xd5a79147U;
p26[2U] = (uint32_t)0x06ca6351U;
p26[3U] = (uint32_t)0x14292967U;
uint32_t *p17 = p3;
uint32_t *p27 = p3 + (uint32_t)8U;
uint32_t *p18 = p17;
uint32_t *p28 = p17 + (uint32_t)4U;
p18[0U] = (uint32_t)0x27b70a85U;
p18[1U] = (uint32_t)0x2e1b2138U;
p18[2U] = (uint32_t)0x4d2c6dfcU;
p18[3U] = (uint32_t)0x53380d13U;
p28[0U] = (uint32_t)0x650a7354U;
p28[1U] = (uint32_t)0x766a0abbU;
p28[2U] = (uint32_t)0x81c2c92eU;
p28[3U] = (uint32_t)0x92722c85U;
uint32_t *p19 = p27;
uint32_t *p29 = p27 + (uint32_t)4U;
p19[0U] = (uint32_t)0xa2bfe8a1U;
p19[1U] = (uint32_t)0xa81a664bU;
p19[2U] = (uint32_t)0xc24b8b70U;
p19[3U] = (uint32_t)0xc76c51a3U;
p29[0U] = (uint32_t)0xd192e819U;
p29[1U] = (uint32_t)0xd6990624U;
p29[2U] = (uint32_t)0xf40e3585U;
p29[3U] = (uint32_t)0x106aa070U;
uint32_t *p110 = p4;
uint32_t *p210 = p4 + (uint32_t)8U;
uint32_t *p1 = p110;
uint32_t *p211 = p110 + (uint32_t)4U;
p1[0U] = (uint32_t)0x19a4c116U;
p1[1U] = (uint32_t)0x1e376c08U;
p1[2U] = (uint32_t)0x2748774cU;
p1[3U] = (uint32_t)0x34b0bcb5U;
p211[0U] = (uint32_t)0x391c0cb3U;
p211[1U] = (uint32_t)0x4ed8aa4aU;
p211[2U] = (uint32_t)0x5b9cca4fU;
p211[3U] = (uint32_t)0x682e6ff3U;
uint32_t *p111 = p210;
uint32_t *p212 = p210 + (uint32_t)4U;
p111[0U] = (uint32_t)0x748f82eeU;
p111[1U] = (uint32_t)0x78a5636fU;
p111[2U] = (uint32_t)0x84c87814U;
p111[3U] = (uint32_t)0x8cc70208U;
p212[0U] = (uint32_t)0x90befffaU;
p212[1U] = (uint32_t)0xa4506cebU;
p212[2U] = (uint32_t)0xbef9a3f7U;
p212[3U] = (uint32_t)0xc67178f2U;
uint32_t *p112 = h_01;
uint32_t *p2 = h_01 + (uint32_t)4U;
p112[0U] = (uint32_t)0x6a09e667U;
p112[1U] = (uint32_t)0xbb67ae85U;
p112[2U] = (uint32_t)0x3c6ef372U;
p112[3U] = (uint32_t)0xa54ff53aU;
p2[0U] = (uint32_t)0x510e527fU;
p2[1U] = (uint32_t)0x9b05688cU;
p2[2U] = (uint32_t)0x1f83d9abU;
p2[3U] = (uint32_t)0x5be0cd19U;
n1[0U] = (uint32_t)0U;
}
static void Hacl_Impl_SHA2_256_update(uint32_t *state, uint8_t *data)
{
uint32_t data_w[16U] = { 0U };
Hacl_Hash_Lib_LoadStore_uint32s_from_be_bytes(data_w, data, (uint32_t)16U);
uint32_t *hash_w = state + (uint32_t)128U;
uint32_t *ws_w = state + (uint32_t)64U;
uint32_t *k_w = state;
uint32_t *counter_w = state + (uint32_t)136U;
for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U)
{
uint32_t b = data_w[i];
ws_w[i] = b;
}
for (uint32_t i = (uint32_t)16U; i < (uint32_t)64U; i = i + (uint32_t)1U)
{
uint32_t t16 = ws_w[i - (uint32_t)16U];
uint32_t t15 = ws_w[i - (uint32_t)15U];
uint32_t t7 = ws_w[i - (uint32_t)7U];
uint32_t t2 = ws_w[i - (uint32_t)2U];
ws_w[i] =
((t2 >> (uint32_t)17U | t2 << ((uint32_t)32U - (uint32_t)17U))
^ ((t2 >> (uint32_t)19U | t2 << ((uint32_t)32U - (uint32_t)19U)) ^ t2 >> (uint32_t)10U))
+
t7
+
((t15 >> (uint32_t)7U | t15 << ((uint32_t)32U - (uint32_t)7U))
^ ((t15 >> (uint32_t)18U | t15 << ((uint32_t)32U - (uint32_t)18U)) ^ t15 >> (uint32_t)3U))
+ t16;
}
uint32_t hash_0[8U] = { 0U };
memcpy(hash_0, hash_w, (uint32_t)8U * sizeof hash_w[0U]);
for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i = i + (uint32_t)1U)
{
uint32_t a = hash_0[0U];
uint32_t b = hash_0[1U];
uint32_t c = hash_0[2U];
uint32_t d = hash_0[3U];
uint32_t e = hash_0[4U];
uint32_t f1 = hash_0[5U];
uint32_t g = hash_0[6U];
uint32_t h = hash_0[7U];
uint32_t kt = k_w[i];
uint32_t wst = ws_w[i];
uint32_t
t1 =
h
+
((e >> (uint32_t)6U | e << ((uint32_t)32U - (uint32_t)6U))
^
((e >> (uint32_t)11U | e << ((uint32_t)32U - (uint32_t)11U))
^ (e >> (uint32_t)25U | e << ((uint32_t)32U - (uint32_t)25U))))
+ ((e & f1) ^ (~e & g))
+ kt
+ wst;
uint32_t
t2 =
((a >> (uint32_t)2U | a << ((uint32_t)32U - (uint32_t)2U))
^
((a >> (uint32_t)13U | a << ((uint32_t)32U - (uint32_t)13U))
^ (a >> (uint32_t)22U | a << ((uint32_t)32U - (uint32_t)22U))))
+ ((a & b) ^ ((a & c) ^ (b & c)));
uint32_t x1 = t1 + t2;
uint32_t x5 = d + t1;
uint32_t *p1 = hash_0;
uint32_t *p2 = hash_0 + (uint32_t)4U;
p1[0U] = x1;
p1[1U] = a;
p1[2U] = b;
p1[3U] = c;
p2[0U] = x5;
p2[1U] = e;
p2[2U] = f1;
p2[3U] = g;
}
for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U)
{
uint32_t xi = hash_w[i];
uint32_t yi = hash_0[i];
hash_w[i] = xi + yi;
}
uint32_t c0 = counter_w[0U];
uint32_t one1 = (uint32_t)1U;
counter_w[0U] = c0 + one1;
}
static void Hacl_Impl_SHA2_256_update_multi(uint32_t *state, uint8_t *data, uint32_t n1)
{
for (uint32_t i = (uint32_t)0U; i < n1; i = i + (uint32_t)1U)
{
uint8_t *b = data + i * (uint32_t)64U;
Hacl_Impl_SHA2_256_update(state, b);
}
}
static void Hacl_Impl_SHA2_256_update_last(uint32_t *state, uint8_t *data, uint32_t len)
{
uint8_t blocks[128U] = { 0U };
uint32_t nb;
if (len < (uint32_t)56U)
nb = (uint32_t)1U;
else
nb = (uint32_t)2U;
uint8_t *final_blocks;
if (len < (uint32_t)56U)
final_blocks = blocks + (uint32_t)64U;
else
final_blocks = blocks;
memcpy(final_blocks, data, len * sizeof data[0U]);
uint32_t n1 = state[136U];
uint8_t *padding = final_blocks + len;
uint32_t
pad0len = ((uint32_t)64U - (len + (uint32_t)8U + (uint32_t)1U) % (uint32_t)64U) % (uint32_t)64U;
uint8_t *buf1 = padding;
uint8_t *buf2 = padding + (uint32_t)1U + pad0len;
uint64_t
encodedlen = ((uint64_t)n1 * (uint64_t)(uint32_t)64U + (uint64_t)len) * (uint64_t)(uint32_t)8U;
buf1[0U] = (uint8_t)0x80U;
store64_be(buf2, encodedlen);
Hacl_Impl_SHA2_256_update_multi(state, final_blocks, nb);
}
static void Hacl_Impl_SHA2_256_finish(uint32_t *state, uint8_t *hash1)
{
uint32_t *hash_w = state + (uint32_t)128U;
Hacl_Hash_Lib_LoadStore_uint32s_to_be_bytes(hash1, hash_w, (uint32_t)8U);
}
static void Hacl_Impl_SHA2_256_hash(uint8_t *hash1, uint8_t *input, uint32_t len)
{
uint32_t state[137U] = { 0U };
uint32_t n1 = len / (uint32_t)64U;
uint32_t r = len % (uint32_t)64U;
uint8_t *input_blocks = input;
uint8_t *input_last = input + n1 * (uint32_t)64U;
Hacl_Impl_SHA2_256_init(state);
Hacl_Impl_SHA2_256_update_multi(state, input_blocks, n1);
Hacl_Impl_SHA2_256_update_last(state, input_last, r);
Hacl_Impl_SHA2_256_finish(state, hash1);
}
static void Hacl_Impl_HMAC_SHA2_256_xor_bytes_inplace(uint8_t *a, uint8_t *b, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t xi = a[i];
uint8_t yi = b[i];
a[i] = xi ^ yi;
}
}
static void
Hacl_Impl_HMAC_SHA2_256_hmac_core(uint8_t *mac, uint8_t *key, uint8_t *data, uint32_t len)
{
uint8_t ipad[64U];
for (uint32_t _i = 0U; _i < (uint32_t)64U; ++_i)
ipad[_i] = (uint8_t)0x36U;
uint8_t opad[64U];
for (uint32_t _i = 0U; _i < (uint32_t)64U; ++_i)
opad[_i] = (uint8_t)0x5cU;
Hacl_Impl_HMAC_SHA2_256_xor_bytes_inplace(ipad, key, (uint32_t)64U);
uint32_t state0[137U] = { 0U };
uint32_t n0 = len / (uint32_t)64U;
uint32_t r0 = len % (uint32_t)64U;
uint8_t *blocks0 = data;
uint8_t *last0 = data + n0 * (uint32_t)64U;
Hacl_Impl_SHA2_256_init(state0);
Hacl_Impl_SHA2_256_update(state0, ipad);
Hacl_Impl_SHA2_256_update_multi(state0, blocks0, n0);
Hacl_Impl_SHA2_256_update_last(state0, last0, r0);
uint8_t *hash0 = ipad;
Hacl_Impl_SHA2_256_finish(state0, hash0);
uint8_t *s4 = ipad;
Hacl_Impl_HMAC_SHA2_256_xor_bytes_inplace(opad, key, (uint32_t)64U);
uint32_t state1[137U] = { 0U };
Hacl_Impl_SHA2_256_init(state1);
Hacl_Impl_SHA2_256_update(state1, opad);
Hacl_Impl_SHA2_256_update_last(state1, s4, (uint32_t)32U);
Hacl_Impl_SHA2_256_finish(state1, mac);
}
static void
Hacl_Impl_HMAC_SHA2_256_hmac(
uint8_t *mac,
uint8_t *key,
uint32_t keylen,
uint8_t *data,
uint32_t datalen
)
{
uint8_t nkey[64U];
for (uint32_t _i = 0U; _i < (uint32_t)64U; ++_i)
nkey[_i] = (uint8_t)0x00U;
if (keylen <= (uint32_t)64U)
memcpy(nkey, key, keylen * sizeof key[0U]);
else
{
uint8_t *nkey0 = nkey;
Hacl_Impl_SHA2_256_hash(nkey0, key, keylen);
}
Hacl_Impl_HMAC_SHA2_256_hmac_core(mac, nkey, data, datalen);
}
void Hacl_HMAC_SHA2_256_hmac_core(uint8_t *mac, uint8_t *key, uint8_t *data, uint32_t len)
{
Hacl_Impl_HMAC_SHA2_256_hmac_core(mac, key, data, len);
}
void
Hacl_HMAC_SHA2_256_hmac(
uint8_t *mac,
uint8_t *key,
uint32_t keylen,
uint8_t *data,
uint32_t datalen
)
{
Hacl_Impl_HMAC_SHA2_256_hmac(mac, key, keylen, data, datalen);
}

100
vendors/ocaml-hacl/src/Hacl_HMAC_SHA2_256.h vendored Normal file
View File

@ -0,0 +1,100 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_HMAC_SHA2_256_H
#define __Hacl_HMAC_SHA2_256_H
typedef uint8_t Hacl_Hash_Lib_Create_uint8_t;
typedef uint32_t Hacl_Hash_Lib_Create_uint32_t;
typedef uint64_t Hacl_Hash_Lib_Create_uint64_t;
typedef uint8_t Hacl_Hash_Lib_Create_uint8_ht;
typedef uint32_t Hacl_Hash_Lib_Create_uint32_ht;
typedef uint64_t Hacl_Hash_Lib_Create_uint64_ht;
typedef uint8_t *Hacl_Hash_Lib_Create_uint8_p;
typedef uint32_t *Hacl_Hash_Lib_Create_uint32_p;
typedef uint64_t *Hacl_Hash_Lib_Create_uint64_p;
typedef uint8_t *Hacl_Hash_Lib_LoadStore_uint8_p;
typedef uint8_t Hacl_Impl_SHA2_256_uint8_t;
typedef uint32_t Hacl_Impl_SHA2_256_uint32_t;
typedef uint64_t Hacl_Impl_SHA2_256_uint64_t;
typedef uint8_t Hacl_Impl_SHA2_256_uint8_ht;
typedef uint32_t Hacl_Impl_SHA2_256_uint32_ht;
typedef uint64_t Hacl_Impl_SHA2_256_uint64_ht;
typedef uint32_t *Hacl_Impl_SHA2_256_uint32_p;
typedef uint8_t *Hacl_Impl_SHA2_256_uint8_p;
typedef uint8_t Hacl_Impl_HMAC_SHA2_256_uint8_t;
typedef uint32_t Hacl_Impl_HMAC_SHA2_256_uint32_t;
typedef uint64_t Hacl_Impl_HMAC_SHA2_256_uint64_t;
typedef uint8_t Hacl_Impl_HMAC_SHA2_256_uint8_ht;
typedef uint32_t Hacl_Impl_HMAC_SHA2_256_uint32_ht;
typedef uint64_t Hacl_Impl_HMAC_SHA2_256_uint64_ht;
typedef uint32_t *Hacl_Impl_HMAC_SHA2_256_uint32_p;
typedef uint8_t *Hacl_Impl_HMAC_SHA2_256_uint8_p;
typedef uint8_t Hacl_HMAC_SHA2_256_uint8_ht;
typedef uint32_t Hacl_HMAC_SHA2_256_uint32_t;
typedef uint8_t *Hacl_HMAC_SHA2_256_uint8_p;
void Hacl_HMAC_SHA2_256_hmac_core(uint8_t *mac, uint8_t *key, uint8_t *data, uint32_t len);
void
Hacl_HMAC_SHA2_256_hmac(
uint8_t *mac,
uint8_t *key,
uint32_t keylen,
uint8_t *data,
uint32_t datalen
);
#endif

66
vendors/ocaml-hacl/src/Hacl_Policies.c vendored Normal file
View File

@ -0,0 +1,66 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_Policies.h"
uint8_t Hacl_Policies_declassify_u8(uint8_t x)
{
return x;
}
uint32_t Hacl_Policies_declassify_u32(uint32_t x)
{
return x;
}
uint64_t Hacl_Policies_declassify_u64(uint64_t x)
{
return x;
}
FStar_UInt128_t Hacl_Policies_declassify_u128(FStar_UInt128_t x)
{
return x;
}
uint8_t Hacl_Policies_cmp_bytes_(uint8_t *b1, uint8_t *b2, uint32_t len, uint8_t *tmp)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t bi1 = b1[i];
uint8_t bi2 = b2[i];
uint8_t z0 = tmp[0U];
tmp[0U] = FStar_UInt8_eq_mask(bi1, bi2) & z0;
}
return tmp[0U];
}
uint8_t Hacl_Policies_cmp_bytes(uint8_t *b1, uint8_t *b2, uint32_t len)
{
uint8_t tmp[1U];
tmp[0U] = (uint8_t)255U;
uint8_t z = Hacl_Policies_cmp_bytes_(b1, b2, len, tmp);
return ~z;
}

43
vendors/ocaml-hacl/src/Hacl_Policies.h vendored Normal file
View File

@ -0,0 +1,43 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_Policies_H
#define __Hacl_Policies_H
uint8_t Hacl_Policies_declassify_u8(uint8_t x);
uint32_t Hacl_Policies_declassify_u32(uint32_t x);
uint64_t Hacl_Policies_declassify_u64(uint64_t x);
FStar_UInt128_t Hacl_Policies_declassify_u128(FStar_UInt128_t x);
uint8_t Hacl_Policies_cmp_bytes_(uint8_t *b1, uint8_t *b2, uint32_t len, uint8_t *tmp);
uint8_t Hacl_Policies_cmp_bytes(uint8_t *b1, uint8_t *b2, uint32_t len);
#endif

605
vendors/ocaml-hacl/src/Hacl_Poly1305_32.c vendored Normal file
View File

@ -0,0 +1,605 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_Poly1305_32.h"
inline static void Hacl_Bignum_Modulo_reduce(uint32_t *b)
{
uint32_t b0 = b[0U];
b[0U] = (b0 << (uint32_t)2U) + b0;
}
inline static void Hacl_Bignum_Modulo_carry_top(uint32_t *b)
{
uint32_t b4 = b[4U];
uint32_t b0 = b[0U];
uint32_t b4_26 = b4 >> (uint32_t)26U;
b[4U] = b4 & (uint32_t)0x3ffffffU;
b[0U] = (b4_26 << (uint32_t)2U) + b4_26 + b0;
}
inline static void Hacl_Bignum_Modulo_carry_top_wide(uint64_t *b)
{
uint64_t b4 = b[4U];
uint64_t b0 = b[0U];
uint64_t b4_ = b4 & (uint64_t)(uint32_t)0x3ffffffU;
uint32_t b4_26 = (uint32_t)(b4 >> (uint32_t)26U);
uint64_t b0_ = b0 + (uint64_t)((b4_26 << (uint32_t)2U) + b4_26);
b[4U] = b4_;
b[0U] = b0_;
}
inline static void Hacl_Bignum_Fproduct_copy_from_wide_(uint32_t *output, uint64_t *input)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
{
uint64_t xi = input[i];
output[i] = (uint32_t)xi;
}
}
inline static void
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(uint64_t *output, uint32_t *input, uint32_t s)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
{
uint64_t xi = output[i];
uint32_t yi = input[i];
uint64_t x_wide = (uint64_t)yi;
uint64_t y_wide = (uint64_t)s;
output[i] = xi + x_wide * y_wide;
}
}
inline static void Hacl_Bignum_Fproduct_carry_wide_(uint64_t *tmp)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
{
uint32_t ctr = i;
uint64_t tctr = tmp[ctr];
uint64_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint32_t r0 = (uint32_t)tctr & (uint32_t)0x3ffffffU;
uint64_t c = tctr >> (uint32_t)26U;
tmp[ctr] = (uint64_t)r0;
tmp[ctr + (uint32_t)1U] = tctrp1 + c;
}
}
inline static void Hacl_Bignum_Fproduct_carry_limb_(uint32_t *tmp)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
{
uint32_t ctr = i;
uint32_t tctr = tmp[ctr];
uint32_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint32_t r0 = tctr & (uint32_t)0x3ffffffU;
uint32_t c = tctr >> (uint32_t)26U;
tmp[ctr] = r0;
tmp[ctr + (uint32_t)1U] = tctrp1 + c;
}
}
inline static void Hacl_Bignum_Fmul_shift_reduce(uint32_t *output)
{
uint32_t tmp = output[4U];
for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
{
uint32_t ctr = (uint32_t)5U - i - (uint32_t)1U;
uint32_t z = output[ctr - (uint32_t)1U];
output[ctr] = z;
}
output[0U] = tmp;
Hacl_Bignum_Modulo_reduce(output);
}
static void
Hacl_Bignum_Fmul_mul_shift_reduce_(uint64_t *output, uint32_t *input, uint32_t *input2)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U)
{
uint32_t input2i = input2[i];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
Hacl_Bignum_Fmul_shift_reduce(input);
}
uint32_t i = (uint32_t)4U;
uint32_t input2i = input2[i];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
}
inline static void Hacl_Bignum_Fmul_fmul(uint32_t *output, uint32_t *input, uint32_t *input2)
{
uint32_t tmp[5U] = { 0U };
memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
uint64_t t[5U] = { 0U };
Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2);
Hacl_Bignum_Fproduct_carry_wide_(t);
Hacl_Bignum_Modulo_carry_top_wide(t);
Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
uint32_t i0 = output[0U];
uint32_t i1 = output[1U];
uint32_t i0_ = i0 & (uint32_t)0x3ffffffU;
uint32_t i1_ = i1 + (i0 >> (uint32_t)26U);
output[0U] = i0_;
output[1U] = i1_;
}
inline static void
Hacl_Bignum_AddAndMultiply_add_and_multiply(uint32_t *acc, uint32_t *block, uint32_t *r)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)5U; i = i + (uint32_t)1U)
{
uint32_t xi = acc[i];
uint32_t yi = block[i];
acc[i] = xi + yi;
}
Hacl_Bignum_Fmul_fmul(acc, acc, r);
}
inline static void
Hacl_Impl_Poly1305_32_poly1305_update(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *m
)
{
Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
uint32_t *h = scrut0.h;
uint32_t *acc = h;
Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
uint32_t *r = scrut.r;
uint32_t *r5 = r;
uint32_t tmp[5U] = { 0U };
uint8_t *s0 = m;
uint8_t *s1 = m + (uint32_t)3U;
uint8_t *s2 = m + (uint32_t)6U;
uint8_t *s3 = m + (uint32_t)9U;
uint8_t *s4 = m + (uint32_t)12U;
uint32_t i0 = load32_le(s0);
uint32_t i1 = load32_le(s1);
uint32_t i2 = load32_le(s2);
uint32_t i3 = load32_le(s3);
uint32_t i4 = load32_le(s4);
uint32_t r0 = i0 & (uint32_t)0x3ffffffU;
uint32_t r1 = i1 >> (uint32_t)2U & (uint32_t)0x3ffffffU;
uint32_t r2 = i2 >> (uint32_t)4U & (uint32_t)0x3ffffffU;
uint32_t r3 = i3 >> (uint32_t)6U & (uint32_t)0x3ffffffU;
uint32_t r4 = i4 >> (uint32_t)8U;
tmp[0U] = r0;
tmp[1U] = r1;
tmp[2U] = r2;
tmp[3U] = r3;
tmp[4U] = r4;
uint32_t b4 = tmp[4U];
uint32_t b4_ = (uint32_t)0x1000000U | b4;
tmp[4U] = b4_;
Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r5);
}
inline static void
Hacl_Impl_Poly1305_32_poly1305_process_last_block_(
uint8_t *block,
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *m,
uint64_t rem_
)
{
uint32_t tmp[5U] = { 0U };
uint8_t *s0 = block;
uint8_t *s1 = block + (uint32_t)3U;
uint8_t *s2 = block + (uint32_t)6U;
uint8_t *s3 = block + (uint32_t)9U;
uint8_t *s4 = block + (uint32_t)12U;
uint32_t i0 = load32_le(s0);
uint32_t i1 = load32_le(s1);
uint32_t i2 = load32_le(s2);
uint32_t i3 = load32_le(s3);
uint32_t i4 = load32_le(s4);
uint32_t r0 = i0 & (uint32_t)0x3ffffffU;
uint32_t r1 = i1 >> (uint32_t)2U & (uint32_t)0x3ffffffU;
uint32_t r2 = i2 >> (uint32_t)4U & (uint32_t)0x3ffffffU;
uint32_t r3 = i3 >> (uint32_t)6U & (uint32_t)0x3ffffffU;
uint32_t r4 = i4 >> (uint32_t)8U;
tmp[0U] = r0;
tmp[1U] = r1;
tmp[2U] = r2;
tmp[3U] = r3;
tmp[4U] = r4;
Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
uint32_t *h = scrut0.h;
Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
uint32_t *r = scrut.r;
Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r);
}
inline static void
Hacl_Impl_Poly1305_32_poly1305_process_last_block(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *m,
uint64_t rem_
)
{
uint8_t zero1 = (uint8_t)0U;
KRML_CHECK_SIZE(zero1, (uint32_t)16U);
uint8_t block[16U];
for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
block[_i] = zero1;
uint32_t i0 = (uint32_t)rem_;
uint32_t i = (uint32_t)rem_;
memcpy(block, m, i * sizeof m[0U]);
block[i0] = (uint8_t)1U;
Hacl_Impl_Poly1305_32_poly1305_process_last_block_(block, st, m, rem_);
}
static void Hacl_Impl_Poly1305_32_poly1305_last_pass(uint32_t *acc)
{
Hacl_Bignum_Fproduct_carry_limb_(acc);
Hacl_Bignum_Modulo_carry_top(acc);
uint32_t t0 = acc[0U];
uint32_t t10 = acc[1U];
uint32_t t20 = acc[2U];
uint32_t t30 = acc[3U];
uint32_t t40 = acc[4U];
uint32_t t1_ = t10 + (t0 >> (uint32_t)26U);
uint32_t mask_261 = (uint32_t)0x3ffffffU;
uint32_t t0_ = t0 & mask_261;
uint32_t t2_ = t20 + (t1_ >> (uint32_t)26U);
uint32_t t1__ = t1_ & mask_261;
uint32_t t3_ = t30 + (t2_ >> (uint32_t)26U);
uint32_t t2__ = t2_ & mask_261;
uint32_t t4_ = t40 + (t3_ >> (uint32_t)26U);
uint32_t t3__ = t3_ & mask_261;
acc[0U] = t0_;
acc[1U] = t1__;
acc[2U] = t2__;
acc[3U] = t3__;
acc[4U] = t4_;
Hacl_Bignum_Modulo_carry_top(acc);
uint32_t t00 = acc[0U];
uint32_t t1 = acc[1U];
uint32_t t2 = acc[2U];
uint32_t t3 = acc[3U];
uint32_t t4 = acc[4U];
uint32_t t1_0 = t1 + (t00 >> (uint32_t)26U);
uint32_t t0_0 = t00 & (uint32_t)0x3ffffffU;
uint32_t t2_0 = t2 + (t1_0 >> (uint32_t)26U);
uint32_t t1__0 = t1_0 & (uint32_t)0x3ffffffU;
uint32_t t3_0 = t3 + (t2_0 >> (uint32_t)26U);
uint32_t t2__0 = t2_0 & (uint32_t)0x3ffffffU;
uint32_t t4_0 = t4 + (t3_0 >> (uint32_t)26U);
uint32_t t3__0 = t3_0 & (uint32_t)0x3ffffffU;
acc[0U] = t0_0;
acc[1U] = t1__0;
acc[2U] = t2__0;
acc[3U] = t3__0;
acc[4U] = t4_0;
Hacl_Bignum_Modulo_carry_top(acc);
uint32_t i0 = acc[0U];
uint32_t i1 = acc[1U];
uint32_t i0_ = i0 & (uint32_t)0x3ffffffU;
uint32_t i1_ = i1 + (i0 >> (uint32_t)26U);
acc[0U] = i0_;
acc[1U] = i1_;
uint32_t a0 = acc[0U];
uint32_t a1 = acc[1U];
uint32_t a2 = acc[2U];
uint32_t a3 = acc[3U];
uint32_t a4 = acc[4U];
uint32_t mask0 = FStar_UInt32_gte_mask(a0, (uint32_t)0x3fffffbU);
uint32_t mask1 = FStar_UInt32_eq_mask(a1, (uint32_t)0x3ffffffU);
uint32_t mask2 = FStar_UInt32_eq_mask(a2, (uint32_t)0x3ffffffU);
uint32_t mask3 = FStar_UInt32_eq_mask(a3, (uint32_t)0x3ffffffU);
uint32_t mask4 = FStar_UInt32_eq_mask(a4, (uint32_t)0x3ffffffU);
uint32_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
uint32_t a0_ = a0 - ((uint32_t)0x3fffffbU & mask);
uint32_t a1_ = a1 - ((uint32_t)0x3ffffffU & mask);
uint32_t a2_ = a2 - ((uint32_t)0x3ffffffU & mask);
uint32_t a3_ = a3 - ((uint32_t)0x3ffffffU & mask);
uint32_t a4_ = a4 - ((uint32_t)0x3ffffffU & mask);
acc[0U] = a0_;
acc[1U] = a1_;
acc[2U] = a2_;
acc[3U] = a3_;
acc[4U] = a4_;
}
static Hacl_Impl_Poly1305_32_State_poly1305_state
Hacl_Impl_Poly1305_32_mk_state(uint32_t *r, uint32_t *h)
{
return ((Hacl_Impl_Poly1305_32_State_poly1305_state){ .r = r, .h = h });
}
static void
Hacl_Standalone_Poly1305_32_poly1305_blocks(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *m,
uint64_t len1
)
{
if (!(len1 == (uint64_t)0U))
{
uint8_t *block = m;
uint8_t *tail1 = m + (uint32_t)16U;
Hacl_Impl_Poly1305_32_poly1305_update(st, block);
uint64_t len2 = len1 - (uint64_t)1U;
Hacl_Standalone_Poly1305_32_poly1305_blocks(st, tail1, len2);
}
}
static void
Hacl_Standalone_Poly1305_32_poly1305_partial(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *input,
uint64_t len1,
uint8_t *kr
)
{
Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
uint32_t *r = scrut.r;
uint32_t *x0 = r;
FStar_UInt128_t k1 = load128_le(kr);
FStar_UInt128_t
k_clamped =
FStar_UInt128_logand(k1,
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU),
(uint32_t)64U),
FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU)));
uint32_t r0 = (uint32_t)FStar_UInt128_uint128_to_uint64(k_clamped) & (uint32_t)0x3ffffffU;
uint32_t
r1 =
(uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)26U))
& (uint32_t)0x3ffffffU;
uint32_t
r2 =
(uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)52U))
& (uint32_t)0x3ffffffU;
uint32_t
r3 =
(uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)78U))
& (uint32_t)0x3ffffffU;
uint32_t
r4 =
(uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)104U))
& (uint32_t)0x3ffffffU;
x0[0U] = r0;
x0[1U] = r1;
x0[2U] = r2;
x0[3U] = r3;
x0[4U] = r4;
Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
uint32_t *h = scrut0.h;
uint32_t *x00 = h;
x00[0U] = (uint32_t)0U;
x00[1U] = (uint32_t)0U;
x00[2U] = (uint32_t)0U;
x00[3U] = (uint32_t)0U;
x00[4U] = (uint32_t)0U;
Hacl_Standalone_Poly1305_32_poly1305_blocks(st, input, len1);
}
static void
Hacl_Standalone_Poly1305_32_poly1305_complete(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *m,
uint64_t len1,
uint8_t *k1
)
{
uint8_t *kr = k1;
uint64_t len16 = len1 >> (uint32_t)4U;
uint64_t rem16 = len1 & (uint64_t)0xfU;
uint8_t *part_input = m;
uint8_t *last_block = m + (uint32_t)((uint64_t)16U * len16);
Hacl_Standalone_Poly1305_32_poly1305_partial(st, part_input, len16, kr);
if (!(rem16 == (uint64_t)0U))
Hacl_Impl_Poly1305_32_poly1305_process_last_block(st, last_block, rem16);
Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
uint32_t *h = scrut.h;
uint32_t *acc = h;
Hacl_Impl_Poly1305_32_poly1305_last_pass(acc);
}
static void
Hacl_Standalone_Poly1305_32_crypto_onetimeauth_(
uint8_t *output,
uint8_t *input,
uint64_t len1,
uint8_t *k1
)
{
uint32_t buf[10U] = { 0U };
uint32_t *r = buf;
uint32_t *h = buf + (uint32_t)5U;
Hacl_Impl_Poly1305_32_State_poly1305_state st = Hacl_Impl_Poly1305_32_mk_state(r, h);
uint8_t *key_s = k1 + (uint32_t)16U;
Hacl_Standalone_Poly1305_32_poly1305_complete(st, input, len1, k1);
Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
uint32_t *h5 = scrut.h;
uint32_t *acc = h5;
FStar_UInt128_t k_ = load128_le(key_s);
uint32_t h0 = acc[0U];
uint32_t h1 = acc[1U];
uint32_t h2 = acc[2U];
uint32_t h3 = acc[3U];
uint32_t h4 = acc[4U];
FStar_UInt128_t
acc_ =
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h4),
(uint32_t)104U),
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h3),
(uint32_t)78U),
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h2),
(uint32_t)52U),
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h1),
(uint32_t)26U),
FStar_UInt128_uint64_to_uint128((uint64_t)h0)))));
FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_);
store128_le(output, mac_);
}
static void
Hacl_Standalone_Poly1305_32_crypto_onetimeauth(
uint8_t *output,
uint8_t *input,
uint64_t len1,
uint8_t *k1
)
{
Hacl_Standalone_Poly1305_32_crypto_onetimeauth_(output, input, len1, k1);
}
void *Hacl_Poly1305_32_op_String_Access(FStar_Monotonic_HyperStack_mem h, uint8_t *b)
{
return (void *)(uint8_t)0U;
}
Hacl_Impl_Poly1305_32_State_poly1305_state
Hacl_Poly1305_32_mk_state(uint32_t *r, uint32_t *acc)
{
return Hacl_Impl_Poly1305_32_mk_state(r, acc);
}
void Hacl_Poly1305_32_init(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *k1)
{
Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
uint32_t *r = scrut.r;
uint32_t *x0 = r;
FStar_UInt128_t k10 = load128_le(k1);
FStar_UInt128_t
k_clamped =
FStar_UInt128_logand(k10,
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU),
(uint32_t)64U),
FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU)));
uint32_t r0 = (uint32_t)FStar_UInt128_uint128_to_uint64(k_clamped) & (uint32_t)0x3ffffffU;
uint32_t
r1 =
(uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)26U))
& (uint32_t)0x3ffffffU;
uint32_t
r2 =
(uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)52U))
& (uint32_t)0x3ffffffU;
uint32_t
r3 =
(uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)78U))
& (uint32_t)0x3ffffffU;
uint32_t
r4 =
(uint32_t)FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)104U))
& (uint32_t)0x3ffffffU;
x0[0U] = r0;
x0[1U] = r1;
x0[2U] = r2;
x0[3U] = r3;
x0[4U] = r4;
Hacl_Impl_Poly1305_32_State_poly1305_state scrut0 = st;
uint32_t *h = scrut0.h;
uint32_t *x00 = h;
x00[0U] = (uint32_t)0U;
x00[1U] = (uint32_t)0U;
x00[2U] = (uint32_t)0U;
x00[3U] = (uint32_t)0U;
x00[4U] = (uint32_t)0U;
}
void *Hacl_Poly1305_32_empty_log = (void *)(uint8_t)0U;
void Hacl_Poly1305_32_update_block(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *m)
{
Hacl_Impl_Poly1305_32_poly1305_update(st, m);
}
void
Hacl_Poly1305_32_update(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *m,
uint32_t len1
)
{
if (!(len1 == (uint32_t)0U))
{
uint8_t *block = m;
uint8_t *m_ = m + (uint32_t)16U;
uint32_t len2 = len1 - (uint32_t)1U;
Hacl_Poly1305_32_update_block(st, block);
Hacl_Poly1305_32_update(st, m_, len2);
}
}
void
Hacl_Poly1305_32_update_last(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *m,
uint32_t len1
)
{
if (!((uint64_t)len1 == (uint64_t)0U))
Hacl_Impl_Poly1305_32_poly1305_process_last_block(st, m, (uint64_t)len1);
Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
uint32_t *h = scrut.h;
uint32_t *acc = h;
Hacl_Impl_Poly1305_32_poly1305_last_pass(acc);
}
void
Hacl_Poly1305_32_finish(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *mac,
uint8_t *k1
)
{
Hacl_Impl_Poly1305_32_State_poly1305_state scrut = st;
uint32_t *h = scrut.h;
uint32_t *acc = h;
FStar_UInt128_t k_ = load128_le(k1);
uint32_t h0 = acc[0U];
uint32_t h1 = acc[1U];
uint32_t h2 = acc[2U];
uint32_t h3 = acc[3U];
uint32_t h4 = acc[4U];
FStar_UInt128_t
acc_ =
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h4),
(uint32_t)104U),
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h3),
(uint32_t)78U),
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h2),
(uint32_t)52U),
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)h1),
(uint32_t)26U),
FStar_UInt128_uint64_to_uint128((uint64_t)h0)))));
FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_);
store128_le(mac, mac_);
}
void
Hacl_Poly1305_32_crypto_onetimeauth(
uint8_t *output,
uint8_t *input,
uint64_t len1,
uint8_t *k1
)
{
Hacl_Standalone_Poly1305_32_crypto_onetimeauth(output, input, len1, k1);
}

120
vendors/ocaml-hacl/src/Hacl_Poly1305_32.h vendored Normal file
View File

@ -0,0 +1,120 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_Poly1305_32_H
#define __Hacl_Poly1305_32_H
typedef uint32_t Hacl_Bignum_Constants_limb;
typedef uint64_t Hacl_Bignum_Constants_wide;
typedef uint64_t Hacl_Bignum_Wide_t;
typedef uint32_t Hacl_Bignum_Limb_t;
typedef void *Hacl_Impl_Poly1305_32_State_log_t;
typedef uint8_t *Hacl_Impl_Poly1305_32_State_uint8_p;
typedef uint32_t *Hacl_Impl_Poly1305_32_State_bigint;
typedef void *Hacl_Impl_Poly1305_32_State_seqelem;
typedef uint32_t *Hacl_Impl_Poly1305_32_State_elemB;
typedef uint8_t *Hacl_Impl_Poly1305_32_State_wordB;
typedef uint8_t *Hacl_Impl_Poly1305_32_State_wordB_16;
typedef struct
{
uint32_t *r;
uint32_t *h;
}
Hacl_Impl_Poly1305_32_State_poly1305_state;
typedef void *Hacl_Impl_Poly1305_32_log_t;
typedef uint32_t *Hacl_Impl_Poly1305_32_bigint;
typedef uint8_t *Hacl_Impl_Poly1305_32_uint8_p;
typedef uint32_t *Hacl_Impl_Poly1305_32_elemB;
typedef uint8_t *Hacl_Impl_Poly1305_32_wordB;
typedef uint8_t *Hacl_Impl_Poly1305_32_wordB_16;
typedef uint8_t *Hacl_Poly1305_32_uint8_p;
typedef uint64_t Hacl_Poly1305_32_uint64_t;
void *Hacl_Poly1305_32_op_String_Access(FStar_Monotonic_HyperStack_mem h, uint8_t *b);
typedef uint8_t *Hacl_Poly1305_32_key;
typedef Hacl_Impl_Poly1305_32_State_poly1305_state Hacl_Poly1305_32_state;
Hacl_Impl_Poly1305_32_State_poly1305_state
Hacl_Poly1305_32_mk_state(uint32_t *r, uint32_t *acc);
void Hacl_Poly1305_32_init(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *k1);
extern void *Hacl_Poly1305_32_empty_log;
void Hacl_Poly1305_32_update_block(Hacl_Impl_Poly1305_32_State_poly1305_state st, uint8_t *m);
void
Hacl_Poly1305_32_update(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *m,
uint32_t len1
);
void
Hacl_Poly1305_32_update_last(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *m,
uint32_t len1
);
void
Hacl_Poly1305_32_finish(
Hacl_Impl_Poly1305_32_State_poly1305_state st,
uint8_t *mac,
uint8_t *k1
);
void
Hacl_Poly1305_32_crypto_onetimeauth(
uint8_t *output,
uint8_t *input,
uint64_t len1,
uint8_t *k1
);
#endif

511
vendors/ocaml-hacl/src/Hacl_Poly1305_64.c vendored Normal file
View File

@ -0,0 +1,511 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_Poly1305_64.h"
inline static void Hacl_Bignum_Modulo_reduce(uint64_t *b)
{
uint64_t b0 = b[0U];
b[0U] = (b0 << (uint32_t)4U) + (b0 << (uint32_t)2U);
}
inline static void Hacl_Bignum_Modulo_carry_top(uint64_t *b)
{
uint64_t b2 = b[2U];
uint64_t b0 = b[0U];
uint64_t b2_42 = b2 >> (uint32_t)42U;
b[2U] = b2 & (uint64_t)0x3ffffffffffU;
b[0U] = (b2_42 << (uint32_t)2U) + b2_42 + b0;
}
inline static void Hacl_Bignum_Modulo_carry_top_wide(FStar_UInt128_t *b)
{
FStar_UInt128_t b2 = b[2U];
FStar_UInt128_t b0 = b[0U];
FStar_UInt128_t
b2_ = FStar_UInt128_logand(b2, FStar_UInt128_uint64_to_uint128((uint64_t)0x3ffffffffffU));
uint64_t b2_42 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b2, (uint32_t)42U));
FStar_UInt128_t
b0_ = FStar_UInt128_add(b0, FStar_UInt128_uint64_to_uint128((b2_42 << (uint32_t)2U) + b2_42));
b[2U] = b2_;
b[0U] = b0_;
}
inline static void
Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_t *input)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U)
{
FStar_UInt128_t xi = input[i];
output[i] = FStar_UInt128_uint128_to_uint64(xi);
}
}
inline static void
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(
FStar_UInt128_t *output,
uint64_t *input,
uint64_t s
)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U)
{
FStar_UInt128_t xi = output[i];
uint64_t yi = input[i];
output[i] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
}
}
inline static void Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_t *tmp)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U)
{
uint32_t ctr = i;
FStar_UInt128_t tctr = tmp[ctr];
FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0xfffffffffffU;
FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)44U);
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
}
}
inline static void Hacl_Bignum_Fproduct_carry_limb_(uint64_t *tmp)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U)
{
uint32_t ctr = i;
uint64_t tctr = tmp[ctr];
uint64_t tctrp1 = tmp[ctr + (uint32_t)1U];
uint64_t r0 = tctr & (uint64_t)0xfffffffffffU;
uint64_t c = tctr >> (uint32_t)44U;
tmp[ctr] = r0;
tmp[ctr + (uint32_t)1U] = tctrp1 + c;
}
}
inline static void Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
{
uint64_t tmp = output[2U];
for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U)
{
uint32_t ctr = (uint32_t)3U - i - (uint32_t)1U;
uint64_t z = output[ctr - (uint32_t)1U];
output[ctr] = z;
}
output[0U] = tmp;
Hacl_Bignum_Modulo_reduce(output);
}
static void
Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input2)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)2U; i = i + (uint32_t)1U)
{
uint64_t input2i = input2[i];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
Hacl_Bignum_Fmul_shift_reduce(input);
}
uint32_t i = (uint32_t)2U;
uint64_t input2i = input2[i];
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
}
inline static void Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input2)
{
uint64_t tmp[3U] = { 0U };
memcpy(tmp, input, (uint32_t)3U * sizeof input[0U]);
KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)3U);
FStar_UInt128_t t[3U];
for (uint32_t _i = 0U; _i < (uint32_t)3U; ++_i)
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input2);
Hacl_Bignum_Fproduct_carry_wide_(t);
Hacl_Bignum_Modulo_carry_top_wide(t);
Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
uint64_t i0 = output[0U];
uint64_t i1 = output[1U];
uint64_t i0_ = i0 & (uint64_t)0xfffffffffffU;
uint64_t i1_ = i1 + (i0 >> (uint32_t)44U);
output[0U] = i0_;
output[1U] = i1_;
}
inline static void
Hacl_Bignum_AddAndMultiply_add_and_multiply(uint64_t *acc, uint64_t *block, uint64_t *r)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U)
{
uint64_t xi = acc[i];
uint64_t yi = block[i];
acc[i] = xi + yi;
}
Hacl_Bignum_Fmul_fmul(acc, acc, r);
}
inline static void
Hacl_Impl_Poly1305_64_poly1305_update(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m
)
{
Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
uint64_t *h = scrut0.h;
uint64_t *acc = h;
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *r = scrut.r;
uint64_t *r3 = r;
uint64_t tmp[3U] = { 0U };
FStar_UInt128_t m0 = load128_le(m);
uint64_t r0 = FStar_UInt128_uint128_to_uint64(m0) & (uint64_t)0xfffffffffffU;
uint64_t
r1 =
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)44U))
& (uint64_t)0xfffffffffffU;
uint64_t r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)88U));
tmp[0U] = r0;
tmp[1U] = r1;
tmp[2U] = r2;
uint64_t b2 = tmp[2U];
uint64_t b2_ = (uint64_t)0x10000000000U | b2;
tmp[2U] = b2_;
Hacl_Bignum_AddAndMultiply_add_and_multiply(acc, tmp, r3);
}
inline static void
Hacl_Impl_Poly1305_64_poly1305_process_last_block_(
uint8_t *block,
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint64_t rem_
)
{
uint64_t tmp[3U] = { 0U };
FStar_UInt128_t m0 = load128_le(block);
uint64_t r0 = FStar_UInt128_uint128_to_uint64(m0) & (uint64_t)0xfffffffffffU;
uint64_t
r1 =
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)44U))
& (uint64_t)0xfffffffffffU;
uint64_t r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(m0, (uint32_t)88U));
tmp[0U] = r0;
tmp[1U] = r1;
tmp[2U] = r2;
Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
uint64_t *h = scrut0.h;
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *r = scrut.r;
Hacl_Bignum_AddAndMultiply_add_and_multiply(h, tmp, r);
}
inline static void
Hacl_Impl_Poly1305_64_poly1305_process_last_block(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint64_t rem_
)
{
uint8_t zero1 = (uint8_t)0U;
KRML_CHECK_SIZE(zero1, (uint32_t)16U);
uint8_t block[16U];
for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
block[_i] = zero1;
uint32_t i0 = (uint32_t)rem_;
uint32_t i = (uint32_t)rem_;
memcpy(block, m, i * sizeof m[0U]);
block[i0] = (uint8_t)1U;
Hacl_Impl_Poly1305_64_poly1305_process_last_block_(block, st, m, rem_);
}
static void Hacl_Impl_Poly1305_64_poly1305_last_pass(uint64_t *acc)
{
Hacl_Bignum_Fproduct_carry_limb_(acc);
Hacl_Bignum_Modulo_carry_top(acc);
uint64_t a0 = acc[0U];
uint64_t a10 = acc[1U];
uint64_t a20 = acc[2U];
uint64_t a0_ = a0 & (uint64_t)0xfffffffffffU;
uint64_t r0 = a0 >> (uint32_t)44U;
uint64_t a1_ = (a10 + r0) & (uint64_t)0xfffffffffffU;
uint64_t r1 = (a10 + r0) >> (uint32_t)44U;
uint64_t a2_ = a20 + r1;
acc[0U] = a0_;
acc[1U] = a1_;
acc[2U] = a2_;
Hacl_Bignum_Modulo_carry_top(acc);
uint64_t i0 = acc[0U];
uint64_t i1 = acc[1U];
uint64_t i0_ = i0 & (uint64_t)0xfffffffffffU;
uint64_t i1_ = i1 + (i0 >> (uint32_t)44U);
acc[0U] = i0_;
acc[1U] = i1_;
uint64_t a00 = acc[0U];
uint64_t a1 = acc[1U];
uint64_t a2 = acc[2U];
uint64_t mask0 = FStar_UInt64_gte_mask(a00, (uint64_t)0xffffffffffbU);
uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0xfffffffffffU);
uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x3ffffffffffU);
uint64_t mask = (mask0 & mask1) & mask2;
uint64_t a0_0 = a00 - ((uint64_t)0xffffffffffbU & mask);
uint64_t a1_0 = a1 - ((uint64_t)0xfffffffffffU & mask);
uint64_t a2_0 = a2 - ((uint64_t)0x3ffffffffffU & mask);
acc[0U] = a0_0;
acc[1U] = a1_0;
acc[2U] = a2_0;
}
static Hacl_Impl_Poly1305_64_State_poly1305_state
Hacl_Impl_Poly1305_64_mk_state(uint64_t *r, uint64_t *h)
{
return ((Hacl_Impl_Poly1305_64_State_poly1305_state){ .r = r, .h = h });
}
static void
Hacl_Standalone_Poly1305_64_poly1305_blocks(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint64_t len1
)
{
if (!(len1 == (uint64_t)0U))
{
uint8_t *block = m;
uint8_t *tail1 = m + (uint32_t)16U;
Hacl_Impl_Poly1305_64_poly1305_update(st, block);
uint64_t len2 = len1 - (uint64_t)1U;
Hacl_Standalone_Poly1305_64_poly1305_blocks(st, tail1, len2);
}
}
static void
Hacl_Standalone_Poly1305_64_poly1305_partial(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *input,
uint64_t len1,
uint8_t *kr
)
{
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *r = scrut.r;
uint64_t *x0 = r;
FStar_UInt128_t k1 = load128_le(kr);
FStar_UInt128_t
k_clamped =
FStar_UInt128_logand(k1,
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU),
(uint32_t)64U),
FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU)));
uint64_t r0 = FStar_UInt128_uint128_to_uint64(k_clamped) & (uint64_t)0xfffffffffffU;
uint64_t
r1 =
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)44U))
& (uint64_t)0xfffffffffffU;
uint64_t
r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)88U));
x0[0U] = r0;
x0[1U] = r1;
x0[2U] = r2;
Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
uint64_t *h = scrut0.h;
uint64_t *x00 = h;
x00[0U] = (uint64_t)0U;
x00[1U] = (uint64_t)0U;
x00[2U] = (uint64_t)0U;
Hacl_Standalone_Poly1305_64_poly1305_blocks(st, input, len1);
}
static void
Hacl_Standalone_Poly1305_64_poly1305_complete(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint64_t len1,
uint8_t *k1
)
{
uint8_t *kr = k1;
uint64_t len16 = len1 >> (uint32_t)4U;
uint64_t rem16 = len1 & (uint64_t)0xfU;
uint8_t *part_input = m;
uint8_t *last_block = m + (uint32_t)((uint64_t)16U * len16);
Hacl_Standalone_Poly1305_64_poly1305_partial(st, part_input, len16, kr);
if (!(rem16 == (uint64_t)0U))
Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, last_block, rem16);
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *h = scrut.h;
uint64_t *acc = h;
Hacl_Impl_Poly1305_64_poly1305_last_pass(acc);
}
static void
Hacl_Standalone_Poly1305_64_crypto_onetimeauth_(
uint8_t *output,
uint8_t *input,
uint64_t len1,
uint8_t *k1
)
{
uint64_t buf[6U] = { 0U };
uint64_t *r = buf;
uint64_t *h = buf + (uint32_t)3U;
Hacl_Impl_Poly1305_64_State_poly1305_state st = Hacl_Impl_Poly1305_64_mk_state(r, h);
uint8_t *key_s = k1 + (uint32_t)16U;
Hacl_Standalone_Poly1305_64_poly1305_complete(st, input, len1, k1);
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *h3 = scrut.h;
uint64_t *acc = h3;
FStar_UInt128_t k_ = load128_le(key_s);
uint64_t h0 = acc[0U];
uint64_t h1 = acc[1U];
uint64_t h2 = acc[2U];
FStar_UInt128_t
acc_ =
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128(h2
<< (uint32_t)24U
| h1 >> (uint32_t)20U),
(uint32_t)64U),
FStar_UInt128_uint64_to_uint128(h1 << (uint32_t)44U | h0));
FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_);
store128_le(output, mac_);
}
static void
Hacl_Standalone_Poly1305_64_crypto_onetimeauth(
uint8_t *output,
uint8_t *input,
uint64_t len1,
uint8_t *k1
)
{
Hacl_Standalone_Poly1305_64_crypto_onetimeauth_(output, input, len1, k1);
}
Hacl_Impl_Poly1305_64_State_poly1305_state
Hacl_Poly1305_64_mk_state(uint64_t *r, uint64_t *acc)
{
return Hacl_Impl_Poly1305_64_mk_state(r, acc);
}
void Hacl_Poly1305_64_init(Hacl_Impl_Poly1305_64_State_poly1305_state st, uint8_t *k1)
{
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *r = scrut.r;
uint64_t *x0 = r;
FStar_UInt128_t k10 = load128_le(k1);
FStar_UInt128_t
k_clamped =
FStar_UInt128_logand(k10,
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0ffffffcU),
(uint32_t)64U),
FStar_UInt128_uint64_to_uint128((uint64_t)0x0ffffffc0fffffffU)));
uint64_t r0 = FStar_UInt128_uint128_to_uint64(k_clamped) & (uint64_t)0xfffffffffffU;
uint64_t
r1 =
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)44U))
& (uint64_t)0xfffffffffffU;
uint64_t
r2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(k_clamped, (uint32_t)88U));
x0[0U] = r0;
x0[1U] = r1;
x0[2U] = r2;
Hacl_Impl_Poly1305_64_State_poly1305_state scrut0 = st;
uint64_t *h = scrut0.h;
uint64_t *x00 = h;
x00[0U] = (uint64_t)0U;
x00[1U] = (uint64_t)0U;
x00[2U] = (uint64_t)0U;
}
void Hacl_Poly1305_64_update_block(Hacl_Impl_Poly1305_64_State_poly1305_state st, uint8_t *m)
{
Hacl_Impl_Poly1305_64_poly1305_update(st, m);
}
void
Hacl_Poly1305_64_update(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint32_t num_blocks
)
{
if (!(num_blocks == (uint32_t)0U))
{
uint8_t *block = m;
uint8_t *m_ = m + (uint32_t)16U;
uint32_t n1 = num_blocks - (uint32_t)1U;
Hacl_Poly1305_64_update_block(st, block);
Hacl_Poly1305_64_update(st, m_, n1);
}
}
void
Hacl_Poly1305_64_update_last(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint32_t len1
)
{
if (!((uint64_t)len1 == (uint64_t)0U))
Hacl_Impl_Poly1305_64_poly1305_process_last_block(st, m, (uint64_t)len1);
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *h = scrut.h;
uint64_t *acc = h;
Hacl_Impl_Poly1305_64_poly1305_last_pass(acc);
}
void
Hacl_Poly1305_64_finish(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *mac,
uint8_t *k1
)
{
Hacl_Impl_Poly1305_64_State_poly1305_state scrut = st;
uint64_t *h = scrut.h;
uint64_t *acc = h;
FStar_UInt128_t k_ = load128_le(k1);
uint64_t h0 = acc[0U];
uint64_t h1 = acc[1U];
uint64_t h2 = acc[2U];
FStar_UInt128_t
acc_ =
FStar_UInt128_logor(FStar_UInt128_shift_left(FStar_UInt128_uint64_to_uint128(h2
<< (uint32_t)24U
| h1 >> (uint32_t)20U),
(uint32_t)64U),
FStar_UInt128_uint64_to_uint128(h1 << (uint32_t)44U | h0));
FStar_UInt128_t mac_ = FStar_UInt128_add_mod(acc_, k_);
store128_le(mac, mac_);
}
void
Hacl_Poly1305_64_crypto_onetimeauth(
uint8_t *output,
uint8_t *input,
uint64_t len1,
uint8_t *k1
)
{
Hacl_Standalone_Poly1305_64_crypto_onetimeauth(output, input, len1, k1);
}

116
vendors/ocaml-hacl/src/Hacl_Poly1305_64.h vendored Normal file
View File

@ -0,0 +1,116 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_Poly1305_64_H
#define __Hacl_Poly1305_64_H
typedef uint64_t Hacl_Bignum_Constants_limb;
typedef FStar_UInt128_t Hacl_Bignum_Constants_wide;
typedef FStar_UInt128_t Hacl_Bignum_Wide_t;
typedef uint64_t Hacl_Bignum_Limb_t;
typedef void *Hacl_Impl_Poly1305_64_State_log_t;
typedef uint8_t *Hacl_Impl_Poly1305_64_State_uint8_p;
typedef uint64_t *Hacl_Impl_Poly1305_64_State_bigint;
typedef void *Hacl_Impl_Poly1305_64_State_seqelem;
typedef uint64_t *Hacl_Impl_Poly1305_64_State_elemB;
typedef uint8_t *Hacl_Impl_Poly1305_64_State_wordB;
typedef uint8_t *Hacl_Impl_Poly1305_64_State_wordB_16;
typedef struct
{
uint64_t *r;
uint64_t *h;
}
Hacl_Impl_Poly1305_64_State_poly1305_state;
typedef void *Hacl_Impl_Poly1305_64_log_t;
typedef uint64_t *Hacl_Impl_Poly1305_64_bigint;
typedef uint8_t *Hacl_Impl_Poly1305_64_uint8_p;
typedef uint64_t *Hacl_Impl_Poly1305_64_elemB;
typedef uint8_t *Hacl_Impl_Poly1305_64_wordB;
typedef uint8_t *Hacl_Impl_Poly1305_64_wordB_16;
typedef uint8_t *Hacl_Poly1305_64_uint8_p;
typedef uint64_t Hacl_Poly1305_64_uint64_t;
typedef uint8_t *Hacl_Poly1305_64_key;
typedef Hacl_Impl_Poly1305_64_State_poly1305_state Hacl_Poly1305_64_state;
Hacl_Impl_Poly1305_64_State_poly1305_state
Hacl_Poly1305_64_mk_state(uint64_t *r, uint64_t *acc);
void Hacl_Poly1305_64_init(Hacl_Impl_Poly1305_64_State_poly1305_state st, uint8_t *k1);
void Hacl_Poly1305_64_update_block(Hacl_Impl_Poly1305_64_State_poly1305_state st, uint8_t *m);
void
Hacl_Poly1305_64_update(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint32_t num_blocks
);
void
Hacl_Poly1305_64_update_last(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *m,
uint32_t len1
);
void
Hacl_Poly1305_64_finish(
Hacl_Impl_Poly1305_64_State_poly1305_state st,
uint8_t *mac,
uint8_t *k1
);
void
Hacl_Poly1305_64_crypto_onetimeauth(
uint8_t *output,
uint8_t *input,
uint64_t len1,
uint8_t *k1
);
#endif

334
vendors/ocaml-hacl/src/Hacl_SHA2_256.c vendored Normal file
View File

@ -0,0 +1,334 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_SHA2_256.h"
static void
Hacl_Hash_Lib_LoadStore_uint32s_from_be_bytes(uint32_t *output, uint8_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t *x0 = input + (uint32_t)4U * i;
uint32_t inputi = load32_be(x0);
output[i] = inputi;
}
}
static void
Hacl_Hash_Lib_LoadStore_uint32s_to_be_bytes(uint8_t *output, uint32_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint32_t hd1 = input[i];
uint8_t *x0 = output + (uint32_t)4U * i;
store32_be(x0, hd1);
}
}
static void Hacl_Impl_SHA2_256_init(uint32_t *state)
{
uint32_t *n1 = state + (uint32_t)136U;
uint32_t *k1 = state;
uint32_t *h_01 = state + (uint32_t)128U;
uint32_t *p10 = k1;
uint32_t *p20 = k1 + (uint32_t)16U;
uint32_t *p3 = k1 + (uint32_t)32U;
uint32_t *p4 = k1 + (uint32_t)48U;
uint32_t *p11 = p10;
uint32_t *p21 = p10 + (uint32_t)8U;
uint32_t *p12 = p11;
uint32_t *p22 = p11 + (uint32_t)4U;
p12[0U] = (uint32_t)0x428a2f98U;
p12[1U] = (uint32_t)0x71374491U;
p12[2U] = (uint32_t)0xb5c0fbcfU;
p12[3U] = (uint32_t)0xe9b5dba5U;
p22[0U] = (uint32_t)0x3956c25bU;
p22[1U] = (uint32_t)0x59f111f1U;
p22[2U] = (uint32_t)0x923f82a4U;
p22[3U] = (uint32_t)0xab1c5ed5U;
uint32_t *p13 = p21;
uint32_t *p23 = p21 + (uint32_t)4U;
p13[0U] = (uint32_t)0xd807aa98U;
p13[1U] = (uint32_t)0x12835b01U;
p13[2U] = (uint32_t)0x243185beU;
p13[3U] = (uint32_t)0x550c7dc3U;
p23[0U] = (uint32_t)0x72be5d74U;
p23[1U] = (uint32_t)0x80deb1feU;
p23[2U] = (uint32_t)0x9bdc06a7U;
p23[3U] = (uint32_t)0xc19bf174U;
uint32_t *p14 = p20;
uint32_t *p24 = p20 + (uint32_t)8U;
uint32_t *p15 = p14;
uint32_t *p25 = p14 + (uint32_t)4U;
p15[0U] = (uint32_t)0xe49b69c1U;
p15[1U] = (uint32_t)0xefbe4786U;
p15[2U] = (uint32_t)0x0fc19dc6U;
p15[3U] = (uint32_t)0x240ca1ccU;
p25[0U] = (uint32_t)0x2de92c6fU;
p25[1U] = (uint32_t)0x4a7484aaU;
p25[2U] = (uint32_t)0x5cb0a9dcU;
p25[3U] = (uint32_t)0x76f988daU;
uint32_t *p16 = p24;
uint32_t *p26 = p24 + (uint32_t)4U;
p16[0U] = (uint32_t)0x983e5152U;
p16[1U] = (uint32_t)0xa831c66dU;
p16[2U] = (uint32_t)0xb00327c8U;
p16[3U] = (uint32_t)0xbf597fc7U;
p26[0U] = (uint32_t)0xc6e00bf3U;
p26[1U] = (uint32_t)0xd5a79147U;
p26[2U] = (uint32_t)0x06ca6351U;
p26[3U] = (uint32_t)0x14292967U;
uint32_t *p17 = p3;
uint32_t *p27 = p3 + (uint32_t)8U;
uint32_t *p18 = p17;
uint32_t *p28 = p17 + (uint32_t)4U;
p18[0U] = (uint32_t)0x27b70a85U;
p18[1U] = (uint32_t)0x2e1b2138U;
p18[2U] = (uint32_t)0x4d2c6dfcU;
p18[3U] = (uint32_t)0x53380d13U;
p28[0U] = (uint32_t)0x650a7354U;
p28[1U] = (uint32_t)0x766a0abbU;
p28[2U] = (uint32_t)0x81c2c92eU;
p28[3U] = (uint32_t)0x92722c85U;
uint32_t *p19 = p27;
uint32_t *p29 = p27 + (uint32_t)4U;
p19[0U] = (uint32_t)0xa2bfe8a1U;
p19[1U] = (uint32_t)0xa81a664bU;
p19[2U] = (uint32_t)0xc24b8b70U;
p19[3U] = (uint32_t)0xc76c51a3U;
p29[0U] = (uint32_t)0xd192e819U;
p29[1U] = (uint32_t)0xd6990624U;
p29[2U] = (uint32_t)0xf40e3585U;
p29[3U] = (uint32_t)0x106aa070U;
uint32_t *p110 = p4;
uint32_t *p210 = p4 + (uint32_t)8U;
uint32_t *p1 = p110;
uint32_t *p211 = p110 + (uint32_t)4U;
p1[0U] = (uint32_t)0x19a4c116U;
p1[1U] = (uint32_t)0x1e376c08U;
p1[2U] = (uint32_t)0x2748774cU;
p1[3U] = (uint32_t)0x34b0bcb5U;
p211[0U] = (uint32_t)0x391c0cb3U;
p211[1U] = (uint32_t)0x4ed8aa4aU;
p211[2U] = (uint32_t)0x5b9cca4fU;
p211[3U] = (uint32_t)0x682e6ff3U;
uint32_t *p111 = p210;
uint32_t *p212 = p210 + (uint32_t)4U;
p111[0U] = (uint32_t)0x748f82eeU;
p111[1U] = (uint32_t)0x78a5636fU;
p111[2U] = (uint32_t)0x84c87814U;
p111[3U] = (uint32_t)0x8cc70208U;
p212[0U] = (uint32_t)0x90befffaU;
p212[1U] = (uint32_t)0xa4506cebU;
p212[2U] = (uint32_t)0xbef9a3f7U;
p212[3U] = (uint32_t)0xc67178f2U;
uint32_t *p112 = h_01;
uint32_t *p2 = h_01 + (uint32_t)4U;
p112[0U] = (uint32_t)0x6a09e667U;
p112[1U] = (uint32_t)0xbb67ae85U;
p112[2U] = (uint32_t)0x3c6ef372U;
p112[3U] = (uint32_t)0xa54ff53aU;
p2[0U] = (uint32_t)0x510e527fU;
p2[1U] = (uint32_t)0x9b05688cU;
p2[2U] = (uint32_t)0x1f83d9abU;
p2[3U] = (uint32_t)0x5be0cd19U;
n1[0U] = (uint32_t)0U;
}
static void Hacl_Impl_SHA2_256_update(uint32_t *state, uint8_t *data)
{
uint32_t data_w[16U] = { 0U };
Hacl_Hash_Lib_LoadStore_uint32s_from_be_bytes(data_w, data, (uint32_t)16U);
uint32_t *hash_w = state + (uint32_t)128U;
uint32_t *ws_w = state + (uint32_t)64U;
uint32_t *k_w = state;
uint32_t *counter_w = state + (uint32_t)136U;
for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U)
{
uint32_t b = data_w[i];
ws_w[i] = b;
}
for (uint32_t i = (uint32_t)16U; i < (uint32_t)64U; i = i + (uint32_t)1U)
{
uint32_t t16 = ws_w[i - (uint32_t)16U];
uint32_t t15 = ws_w[i - (uint32_t)15U];
uint32_t t7 = ws_w[i - (uint32_t)7U];
uint32_t t2 = ws_w[i - (uint32_t)2U];
ws_w[i] =
((t2 >> (uint32_t)17U | t2 << ((uint32_t)32U - (uint32_t)17U))
^ ((t2 >> (uint32_t)19U | t2 << ((uint32_t)32U - (uint32_t)19U)) ^ t2 >> (uint32_t)10U))
+
t7
+
((t15 >> (uint32_t)7U | t15 << ((uint32_t)32U - (uint32_t)7U))
^ ((t15 >> (uint32_t)18U | t15 << ((uint32_t)32U - (uint32_t)18U)) ^ t15 >> (uint32_t)3U))
+ t16;
}
uint32_t hash_0[8U] = { 0U };
memcpy(hash_0, hash_w, (uint32_t)8U * sizeof hash_w[0U]);
for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i = i + (uint32_t)1U)
{
uint32_t a = hash_0[0U];
uint32_t b = hash_0[1U];
uint32_t c = hash_0[2U];
uint32_t d = hash_0[3U];
uint32_t e = hash_0[4U];
uint32_t f1 = hash_0[5U];
uint32_t g = hash_0[6U];
uint32_t h = hash_0[7U];
uint32_t kt = k_w[i];
uint32_t wst = ws_w[i];
uint32_t
t1 =
h
+
((e >> (uint32_t)6U | e << ((uint32_t)32U - (uint32_t)6U))
^
((e >> (uint32_t)11U | e << ((uint32_t)32U - (uint32_t)11U))
^ (e >> (uint32_t)25U | e << ((uint32_t)32U - (uint32_t)25U))))
+ ((e & f1) ^ (~e & g))
+ kt
+ wst;
uint32_t
t2 =
((a >> (uint32_t)2U | a << ((uint32_t)32U - (uint32_t)2U))
^
((a >> (uint32_t)13U | a << ((uint32_t)32U - (uint32_t)13U))
^ (a >> (uint32_t)22U | a << ((uint32_t)32U - (uint32_t)22U))))
+ ((a & b) ^ ((a & c) ^ (b & c)));
uint32_t x1 = t1 + t2;
uint32_t x5 = d + t1;
uint32_t *p1 = hash_0;
uint32_t *p2 = hash_0 + (uint32_t)4U;
p1[0U] = x1;
p1[1U] = a;
p1[2U] = b;
p1[3U] = c;
p2[0U] = x5;
p2[1U] = e;
p2[2U] = f1;
p2[3U] = g;
}
for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U)
{
uint32_t xi = hash_w[i];
uint32_t yi = hash_0[i];
hash_w[i] = xi + yi;
}
uint32_t c0 = counter_w[0U];
uint32_t one1 = (uint32_t)1U;
counter_w[0U] = c0 + one1;
}
static void Hacl_Impl_SHA2_256_update_multi(uint32_t *state, uint8_t *data, uint32_t n1)
{
for (uint32_t i = (uint32_t)0U; i < n1; i = i + (uint32_t)1U)
{
uint8_t *b = data + i * (uint32_t)64U;
Hacl_Impl_SHA2_256_update(state, b);
}
}
static void Hacl_Impl_SHA2_256_update_last(uint32_t *state, uint8_t *data, uint32_t len)
{
uint8_t blocks[128U] = { 0U };
uint32_t nb;
if (len < (uint32_t)56U)
nb = (uint32_t)1U;
else
nb = (uint32_t)2U;
uint8_t *final_blocks;
if (len < (uint32_t)56U)
final_blocks = blocks + (uint32_t)64U;
else
final_blocks = blocks;
memcpy(final_blocks, data, len * sizeof data[0U]);
uint32_t n1 = state[136U];
uint8_t *padding = final_blocks + len;
uint32_t
pad0len = ((uint32_t)64U - (len + (uint32_t)8U + (uint32_t)1U) % (uint32_t)64U) % (uint32_t)64U;
uint8_t *buf1 = padding;
uint8_t *buf2 = padding + (uint32_t)1U + pad0len;
uint64_t
encodedlen = ((uint64_t)n1 * (uint64_t)(uint32_t)64U + (uint64_t)len) * (uint64_t)(uint32_t)8U;
buf1[0U] = (uint8_t)0x80U;
store64_be(buf2, encodedlen);
Hacl_Impl_SHA2_256_update_multi(state, final_blocks, nb);
}
static void Hacl_Impl_SHA2_256_finish(uint32_t *state, uint8_t *hash1)
{
uint32_t *hash_w = state + (uint32_t)128U;
Hacl_Hash_Lib_LoadStore_uint32s_to_be_bytes(hash1, hash_w, (uint32_t)8U);
}
static void Hacl_Impl_SHA2_256_hash(uint8_t *hash1, uint8_t *input, uint32_t len)
{
uint32_t state[137U] = { 0U };
uint32_t n1 = len / (uint32_t)64U;
uint32_t r = len % (uint32_t)64U;
uint8_t *input_blocks = input;
uint8_t *input_last = input + n1 * (uint32_t)64U;
Hacl_Impl_SHA2_256_init(state);
Hacl_Impl_SHA2_256_update_multi(state, input_blocks, n1);
Hacl_Impl_SHA2_256_update_last(state, input_last, r);
Hacl_Impl_SHA2_256_finish(state, hash1);
}
uint32_t Hacl_SHA2_256_size_hash = (uint32_t)32U;
uint32_t Hacl_SHA2_256_size_block = (uint32_t)64U;
uint32_t Hacl_SHA2_256_size_state = (uint32_t)137U;
void Hacl_SHA2_256_init(uint32_t *state)
{
Hacl_Impl_SHA2_256_init(state);
}
void Hacl_SHA2_256_update(uint32_t *state, uint8_t *data_8)
{
Hacl_Impl_SHA2_256_update(state, data_8);
}
void Hacl_SHA2_256_update_multi(uint32_t *state, uint8_t *data, uint32_t n1)
{
Hacl_Impl_SHA2_256_update_multi(state, data, n1);
}
void Hacl_SHA2_256_update_last(uint32_t *state, uint8_t *data, uint32_t len)
{
Hacl_Impl_SHA2_256_update_last(state, data, len);
}
void Hacl_SHA2_256_finish(uint32_t *state, uint8_t *hash1)
{
Hacl_Impl_SHA2_256_finish(state, hash1);
}
void Hacl_SHA2_256_hash(uint8_t *hash1, uint8_t *input, uint32_t len)
{
Hacl_Impl_SHA2_256_hash(hash1, input, len);
}

99
vendors/ocaml-hacl/src/Hacl_SHA2_256.h vendored Normal file
View File

@ -0,0 +1,99 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_SHA2_256_H
#define __Hacl_SHA2_256_H
typedef uint8_t Hacl_Hash_Lib_Create_uint8_t;
typedef uint32_t Hacl_Hash_Lib_Create_uint32_t;
typedef uint64_t Hacl_Hash_Lib_Create_uint64_t;
typedef uint8_t Hacl_Hash_Lib_Create_uint8_ht;
typedef uint32_t Hacl_Hash_Lib_Create_uint32_ht;
typedef uint64_t Hacl_Hash_Lib_Create_uint64_ht;
typedef uint8_t *Hacl_Hash_Lib_Create_uint8_p;
typedef uint32_t *Hacl_Hash_Lib_Create_uint32_p;
typedef uint64_t *Hacl_Hash_Lib_Create_uint64_p;
typedef uint8_t *Hacl_Hash_Lib_LoadStore_uint8_p;
typedef uint8_t Hacl_Impl_SHA2_256_uint8_t;
typedef uint32_t Hacl_Impl_SHA2_256_uint32_t;
typedef uint64_t Hacl_Impl_SHA2_256_uint64_t;
typedef uint8_t Hacl_Impl_SHA2_256_uint8_ht;
typedef uint32_t Hacl_Impl_SHA2_256_uint32_ht;
typedef uint64_t Hacl_Impl_SHA2_256_uint64_ht;
typedef uint32_t *Hacl_Impl_SHA2_256_uint32_p;
typedef uint8_t *Hacl_Impl_SHA2_256_uint8_p;
typedef uint8_t Hacl_SHA2_256_uint8_t;
typedef uint32_t Hacl_SHA2_256_uint32_t;
typedef uint64_t Hacl_SHA2_256_uint64_t;
typedef uint8_t Hacl_SHA2_256_uint8_ht;
typedef uint32_t Hacl_SHA2_256_uint32_ht;
typedef uint32_t *Hacl_SHA2_256_uint32_p;
typedef uint8_t *Hacl_SHA2_256_uint8_p;
extern uint32_t Hacl_SHA2_256_size_hash;
extern uint32_t Hacl_SHA2_256_size_block;
extern uint32_t Hacl_SHA2_256_size_state;
void Hacl_SHA2_256_init(uint32_t *state);
void Hacl_SHA2_256_update(uint32_t *state, uint8_t *data_8);
void Hacl_SHA2_256_update_multi(uint32_t *state, uint8_t *data, uint32_t n1);
void Hacl_SHA2_256_update_last(uint32_t *state, uint8_t *data, uint32_t len);
void Hacl_SHA2_256_finish(uint32_t *state, uint8_t *hash1);
void Hacl_SHA2_256_hash(uint8_t *hash1, uint8_t *input, uint32_t len);
#endif

368
vendors/ocaml-hacl/src/Hacl_SHA2_384.c vendored Normal file
View File

@ -0,0 +1,368 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_SHA2_384.h"
static void
Hacl_Hash_Lib_LoadStore_uint64s_from_be_bytes(uint64_t *output, uint8_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t *x0 = input + (uint32_t)8U * i;
uint64_t inputi = load64_be(x0);
output[i] = inputi;
}
}
static void
Hacl_Hash_Lib_LoadStore_uint64s_to_be_bytes(uint8_t *output, uint64_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint64_t hd1 = input[i];
uint8_t *x0 = output + (uint32_t)8U * i;
store64_be(x0, hd1);
}
}
static void Hacl_Impl_SHA2_384_init(uint64_t *state)
{
uint64_t *n1 = state + (uint32_t)168U;
uint64_t *k1 = state;
uint64_t *h_01 = state + (uint32_t)160U;
uint64_t *p10 = k1;
uint64_t *p20 = k1 + (uint32_t)16U;
uint64_t *p3 = k1 + (uint32_t)32U;
uint64_t *p4 = k1 + (uint32_t)48U;
uint64_t *p5 = k1 + (uint32_t)64U;
uint64_t *p11 = p10;
uint64_t *p21 = p10 + (uint32_t)8U;
uint64_t *p12 = p11;
uint64_t *p22 = p11 + (uint32_t)4U;
p12[0U] = (uint64_t)0x428a2f98d728ae22U;
p12[1U] = (uint64_t)0x7137449123ef65cdU;
p12[2U] = (uint64_t)0xb5c0fbcfec4d3b2fU;
p12[3U] = (uint64_t)0xe9b5dba58189dbbcU;
p22[0U] = (uint64_t)0x3956c25bf348b538U;
p22[1U] = (uint64_t)0x59f111f1b605d019U;
p22[2U] = (uint64_t)0x923f82a4af194f9bU;
p22[3U] = (uint64_t)0xab1c5ed5da6d8118U;
uint64_t *p13 = p21;
uint64_t *p23 = p21 + (uint32_t)4U;
p13[0U] = (uint64_t)0xd807aa98a3030242U;
p13[1U] = (uint64_t)0x12835b0145706fbeU;
p13[2U] = (uint64_t)0x243185be4ee4b28cU;
p13[3U] = (uint64_t)0x550c7dc3d5ffb4e2U;
p23[0U] = (uint64_t)0x72be5d74f27b896fU;
p23[1U] = (uint64_t)0x80deb1fe3b1696b1U;
p23[2U] = (uint64_t)0x9bdc06a725c71235U;
p23[3U] = (uint64_t)0xc19bf174cf692694U;
uint64_t *p14 = p20;
uint64_t *p24 = p20 + (uint32_t)8U;
uint64_t *p15 = p14;
uint64_t *p25 = p14 + (uint32_t)4U;
p15[0U] = (uint64_t)0xe49b69c19ef14ad2U;
p15[1U] = (uint64_t)0xefbe4786384f25e3U;
p15[2U] = (uint64_t)0x0fc19dc68b8cd5b5U;
p15[3U] = (uint64_t)0x240ca1cc77ac9c65U;
p25[0U] = (uint64_t)0x2de92c6f592b0275U;
p25[1U] = (uint64_t)0x4a7484aa6ea6e483U;
p25[2U] = (uint64_t)0x5cb0a9dcbd41fbd4U;
p25[3U] = (uint64_t)0x76f988da831153b5U;
uint64_t *p16 = p24;
uint64_t *p26 = p24 + (uint32_t)4U;
p16[0U] = (uint64_t)0x983e5152ee66dfabU;
p16[1U] = (uint64_t)0xa831c66d2db43210U;
p16[2U] = (uint64_t)0xb00327c898fb213fU;
p16[3U] = (uint64_t)0xbf597fc7beef0ee4U;
p26[0U] = (uint64_t)0xc6e00bf33da88fc2U;
p26[1U] = (uint64_t)0xd5a79147930aa725U;
p26[2U] = (uint64_t)0x06ca6351e003826fU;
p26[3U] = (uint64_t)0x142929670a0e6e70U;
uint64_t *p17 = p3;
uint64_t *p27 = p3 + (uint32_t)8U;
uint64_t *p18 = p17;
uint64_t *p28 = p17 + (uint32_t)4U;
p18[0U] = (uint64_t)0x27b70a8546d22ffcU;
p18[1U] = (uint64_t)0x2e1b21385c26c926U;
p18[2U] = (uint64_t)0x4d2c6dfc5ac42aedU;
p18[3U] = (uint64_t)0x53380d139d95b3dfU;
p28[0U] = (uint64_t)0x650a73548baf63deU;
p28[1U] = (uint64_t)0x766a0abb3c77b2a8U;
p28[2U] = (uint64_t)0x81c2c92e47edaee6U;
p28[3U] = (uint64_t)0x92722c851482353bU;
uint64_t *p19 = p27;
uint64_t *p29 = p27 + (uint32_t)4U;
p19[0U] = (uint64_t)0xa2bfe8a14cf10364U;
p19[1U] = (uint64_t)0xa81a664bbc423001U;
p19[2U] = (uint64_t)0xc24b8b70d0f89791U;
p19[3U] = (uint64_t)0xc76c51a30654be30U;
p29[0U] = (uint64_t)0xd192e819d6ef5218U;
p29[1U] = (uint64_t)0xd69906245565a910U;
p29[2U] = (uint64_t)0xf40e35855771202aU;
p29[3U] = (uint64_t)0x106aa07032bbd1b8U;
uint64_t *p110 = p4;
uint64_t *p210 = p4 + (uint32_t)8U;
uint64_t *p111 = p110;
uint64_t *p211 = p110 + (uint32_t)4U;
p111[0U] = (uint64_t)0x19a4c116b8d2d0c8U;
p111[1U] = (uint64_t)0x1e376c085141ab53U;
p111[2U] = (uint64_t)0x2748774cdf8eeb99U;
p111[3U] = (uint64_t)0x34b0bcb5e19b48a8U;
p211[0U] = (uint64_t)0x391c0cb3c5c95a63U;
p211[1U] = (uint64_t)0x4ed8aa4ae3418acbU;
p211[2U] = (uint64_t)0x5b9cca4f7763e373U;
p211[3U] = (uint64_t)0x682e6ff3d6b2b8a3U;
uint64_t *p112 = p210;
uint64_t *p212 = p210 + (uint32_t)4U;
p112[0U] = (uint64_t)0x748f82ee5defb2fcU;
p112[1U] = (uint64_t)0x78a5636f43172f60U;
p112[2U] = (uint64_t)0x84c87814a1f0ab72U;
p112[3U] = (uint64_t)0x8cc702081a6439ecU;
p212[0U] = (uint64_t)0x90befffa23631e28U;
p212[1U] = (uint64_t)0xa4506cebde82bde9U;
p212[2U] = (uint64_t)0xbef9a3f7b2c67915U;
p212[3U] = (uint64_t)0xc67178f2e372532bU;
uint64_t *p113 = p5;
uint64_t *p213 = p5 + (uint32_t)8U;
uint64_t *p1 = p113;
uint64_t *p214 = p113 + (uint32_t)4U;
p1[0U] = (uint64_t)0xca273eceea26619cU;
p1[1U] = (uint64_t)0xd186b8c721c0c207U;
p1[2U] = (uint64_t)0xeada7dd6cde0eb1eU;
p1[3U] = (uint64_t)0xf57d4f7fee6ed178U;
p214[0U] = (uint64_t)0x06f067aa72176fbaU;
p214[1U] = (uint64_t)0x0a637dc5a2c898a6U;
p214[2U] = (uint64_t)0x113f9804bef90daeU;
p214[3U] = (uint64_t)0x1b710b35131c471bU;
uint64_t *p114 = p213;
uint64_t *p215 = p213 + (uint32_t)4U;
p114[0U] = (uint64_t)0x28db77f523047d84U;
p114[1U] = (uint64_t)0x32caab7b40c72493U;
p114[2U] = (uint64_t)0x3c9ebe0a15c9bebcU;
p114[3U] = (uint64_t)0x431d67c49c100d4cU;
p215[0U] = (uint64_t)0x4cc5d4becb3e42b6U;
p215[1U] = (uint64_t)0x597f299cfc657e2aU;
p215[2U] = (uint64_t)0x5fcb6fab3ad6faecU;
p215[3U] = (uint64_t)0x6c44198c4a475817U;
uint64_t *p115 = h_01;
uint64_t *p2 = h_01 + (uint32_t)4U;
p115[0U] = (uint64_t)0xcbbb9d5dc1059ed8U;
p115[1U] = (uint64_t)0x629a292a367cd507U;
p115[2U] = (uint64_t)0x9159015a3070dd17U;
p115[3U] = (uint64_t)0x152fecd8f70e5939U;
p2[0U] = (uint64_t)0x67332667ffc00b31U;
p2[1U] = (uint64_t)0x8eb44a8768581511U;
p2[2U] = (uint64_t)0xdb0c2e0d64f98fa7U;
p2[3U] = (uint64_t)0x47b5481dbefa4fa4U;
n1[0U] = (uint64_t)0U;
}
static void Hacl_Impl_SHA2_384_update(uint64_t *state, uint8_t *data)
{
KRML_CHECK_SIZE((uint64_t)(uint32_t)0U, (uint32_t)16U);
uint64_t data_w[16U];
for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
data_w[_i] = (uint64_t)(uint32_t)0U;
Hacl_Hash_Lib_LoadStore_uint64s_from_be_bytes(data_w, data, (uint32_t)16U);
uint64_t *hash_w = state + (uint32_t)160U;
uint64_t *ws_w = state + (uint32_t)80U;
uint64_t *k_w = state;
uint64_t *counter_w = state + (uint32_t)168U;
for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U)
{
uint64_t b = data_w[i];
ws_w[i] = b;
}
for (uint32_t i = (uint32_t)16U; i < (uint32_t)80U; i = i + (uint32_t)1U)
{
uint64_t t16 = ws_w[i - (uint32_t)16U];
uint64_t t15 = ws_w[i - (uint32_t)15U];
uint64_t t7 = ws_w[i - (uint32_t)7U];
uint64_t t2 = ws_w[i - (uint32_t)2U];
ws_w[i] =
((t2 >> (uint32_t)19U | t2 << ((uint32_t)64U - (uint32_t)19U))
^ ((t2 >> (uint32_t)61U | t2 << ((uint32_t)64U - (uint32_t)61U)) ^ t2 >> (uint32_t)6U))
+
t7
+
((t15 >> (uint32_t)1U | t15 << ((uint32_t)64U - (uint32_t)1U))
^ ((t15 >> (uint32_t)8U | t15 << ((uint32_t)64U - (uint32_t)8U)) ^ t15 >> (uint32_t)7U))
+ t16;
}
uint64_t hash_0[8U] = { 0U };
memcpy(hash_0, hash_w, (uint32_t)8U * sizeof hash_w[0U]);
for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i = i + (uint32_t)1U)
{
uint64_t a = hash_0[0U];
uint64_t b = hash_0[1U];
uint64_t c = hash_0[2U];
uint64_t d = hash_0[3U];
uint64_t e = hash_0[4U];
uint64_t f1 = hash_0[5U];
uint64_t g = hash_0[6U];
uint64_t h = hash_0[7U];
uint64_t k_t = k_w[i];
uint64_t ws_t = ws_w[i];
uint64_t
t1 =
h
+
((e >> (uint32_t)14U | e << ((uint32_t)64U - (uint32_t)14U))
^
((e >> (uint32_t)18U | e << ((uint32_t)64U - (uint32_t)18U))
^ (e >> (uint32_t)41U | e << ((uint32_t)64U - (uint32_t)41U))))
+ ((e & f1) ^ (~e & g))
+ k_t
+ ws_t;
uint64_t
t2 =
((a >> (uint32_t)28U | a << ((uint32_t)64U - (uint32_t)28U))
^
((a >> (uint32_t)34U | a << ((uint32_t)64U - (uint32_t)34U))
^ (a >> (uint32_t)39U | a << ((uint32_t)64U - (uint32_t)39U))))
+ ((a & b) ^ ((a & c) ^ (b & c)));
uint64_t x1 = t1 + t2;
uint64_t x5 = d + t1;
uint64_t *p1 = hash_0;
uint64_t *p2 = hash_0 + (uint32_t)4U;
p1[0U] = x1;
p1[1U] = a;
p1[2U] = b;
p1[3U] = c;
p2[0U] = x5;
p2[1U] = e;
p2[2U] = f1;
p2[3U] = g;
}
for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U)
{
uint64_t xi = hash_w[i];
uint64_t yi = hash_0[i];
hash_w[i] = xi + yi;
}
uint64_t c0 = counter_w[0U];
uint64_t one1 = (uint64_t)(uint32_t)1U;
counter_w[0U] = c0 + one1;
}
static void Hacl_Impl_SHA2_384_update_multi(uint64_t *state, uint8_t *data, uint32_t n1)
{
for (uint32_t i = (uint32_t)0U; i < n1; i = i + (uint32_t)1U)
{
uint8_t *b = data + i * (uint32_t)128U;
Hacl_Impl_SHA2_384_update(state, b);
}
}
static void Hacl_Impl_SHA2_384_update_last(uint64_t *state, uint8_t *data, uint64_t len)
{
uint8_t blocks[256U] = { 0U };
uint32_t nb;
if (len < (uint64_t)112U)
nb = (uint32_t)1U;
else
nb = (uint32_t)2U;
uint8_t *final_blocks;
if (len < (uint64_t)112U)
final_blocks = blocks + (uint32_t)128U;
else
final_blocks = blocks;
memcpy(final_blocks, data, (uint32_t)len * sizeof data[0U]);
uint64_t n1 = state[168U];
uint8_t *padding = final_blocks + (uint32_t)len;
FStar_UInt128_t
encodedlen =
FStar_UInt128_shift_left(FStar_UInt128_add(FStar_UInt128_mul_wide(n1, (uint64_t)(uint32_t)128U),
FStar_UInt128_uint64_to_uint128(len)),
(uint32_t)3U);
uint32_t
pad0len =
((uint32_t)128U - ((uint32_t)len + (uint32_t)16U + (uint32_t)1U) % (uint32_t)128U)
% (uint32_t)128U;
uint8_t *buf1 = padding;
uint8_t *buf2 = padding + (uint32_t)1U + pad0len;
buf1[0U] = (uint8_t)0x80U;
store128_be(buf2, encodedlen);
Hacl_Impl_SHA2_384_update_multi(state, final_blocks, nb);
}
static void Hacl_Impl_SHA2_384_finish(uint64_t *state, uint8_t *hash1)
{
uint64_t *hash_w = state + (uint32_t)160U;
Hacl_Hash_Lib_LoadStore_uint64s_to_be_bytes(hash1, hash_w, (uint32_t)6U);
}
static void Hacl_Impl_SHA2_384_hash(uint8_t *hash1, uint8_t *input, uint32_t len)
{
KRML_CHECK_SIZE((uint64_t)(uint32_t)0U, (uint32_t)169U);
uint64_t state[169U];
for (uint32_t _i = 0U; _i < (uint32_t)169U; ++_i)
state[_i] = (uint64_t)(uint32_t)0U;
uint32_t n1 = len / (uint32_t)128U;
uint32_t r = len % (uint32_t)128U;
uint8_t *input_blocks = input;
uint8_t *input_last = input + n1 * (uint32_t)128U;
Hacl_Impl_SHA2_384_init(state);
Hacl_Impl_SHA2_384_update_multi(state, input_blocks, n1);
Hacl_Impl_SHA2_384_update_last(state, input_last, (uint64_t)r);
Hacl_Impl_SHA2_384_finish(state, hash1);
}
uint32_t Hacl_SHA2_384_size_hash = (uint32_t)48U;
uint32_t Hacl_SHA2_384_size_block = (uint32_t)128U;
uint32_t Hacl_SHA2_384_size_state = (uint32_t)169U;
void Hacl_SHA2_384_init(uint64_t *state)
{
Hacl_Impl_SHA2_384_init(state);
}
void Hacl_SHA2_384_update(uint64_t *state, uint8_t *data_8)
{
Hacl_Impl_SHA2_384_update(state, data_8);
}
void Hacl_SHA2_384_update_multi(uint64_t *state, uint8_t *data, uint32_t n1)
{
Hacl_Impl_SHA2_384_update_multi(state, data, n1);
}
void Hacl_SHA2_384_update_last(uint64_t *state, uint8_t *data, uint64_t len)
{
Hacl_Impl_SHA2_384_update_last(state, data, len);
}
void Hacl_SHA2_384_finish(uint64_t *state, uint8_t *hash1)
{
Hacl_Impl_SHA2_384_finish(state, hash1);
}
void Hacl_SHA2_384_hash(uint8_t *hash1, uint8_t *input, uint32_t len)
{
Hacl_Impl_SHA2_384_hash(hash1, input, len);
}

101
vendors/ocaml-hacl/src/Hacl_SHA2_384.h vendored Normal file
View File

@ -0,0 +1,101 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_SHA2_384_H
#define __Hacl_SHA2_384_H
typedef uint8_t Hacl_Hash_Lib_Create_uint8_t;
typedef uint32_t Hacl_Hash_Lib_Create_uint32_t;
typedef uint64_t Hacl_Hash_Lib_Create_uint64_t;
typedef uint8_t Hacl_Hash_Lib_Create_uint8_ht;
typedef uint32_t Hacl_Hash_Lib_Create_uint32_ht;
typedef uint64_t Hacl_Hash_Lib_Create_uint64_ht;
typedef uint8_t *Hacl_Hash_Lib_Create_uint8_p;
typedef uint32_t *Hacl_Hash_Lib_Create_uint32_p;
typedef uint64_t *Hacl_Hash_Lib_Create_uint64_p;
typedef uint8_t *Hacl_Hash_Lib_LoadStore_uint8_p;
typedef uint8_t Hacl_Impl_SHA2_384_uint8_t;
typedef uint32_t Hacl_Impl_SHA2_384_uint32_t;
typedef uint64_t Hacl_Impl_SHA2_384_uint64_t;
typedef uint8_t Hacl_Impl_SHA2_384_uint8_ht;
typedef uint32_t Hacl_Impl_SHA2_384_uint32_ht;
typedef uint64_t Hacl_Impl_SHA2_384_uint64_ht;
typedef FStar_UInt128_t Hacl_Impl_SHA2_384_uint128_ht;
typedef uint64_t *Hacl_Impl_SHA2_384_uint64_p;
typedef uint8_t *Hacl_Impl_SHA2_384_uint8_p;
typedef uint8_t Hacl_SHA2_384_uint8_t;
typedef uint32_t Hacl_SHA2_384_uint32_t;
typedef uint64_t Hacl_SHA2_384_uint64_t;
typedef uint8_t Hacl_SHA2_384_uint8_ht;
typedef uint64_t Hacl_SHA2_384_uint64_ht;
typedef uint64_t *Hacl_SHA2_384_uint64_p;
typedef uint8_t *Hacl_SHA2_384_uint8_p;
extern uint32_t Hacl_SHA2_384_size_hash;
extern uint32_t Hacl_SHA2_384_size_block;
extern uint32_t Hacl_SHA2_384_size_state;
void Hacl_SHA2_384_init(uint64_t *state);
void Hacl_SHA2_384_update(uint64_t *state, uint8_t *data_8);
void Hacl_SHA2_384_update_multi(uint64_t *state, uint8_t *data, uint32_t n1);
void Hacl_SHA2_384_update_last(uint64_t *state, uint8_t *data, uint64_t len);
void Hacl_SHA2_384_finish(uint64_t *state, uint8_t *hash1);
void Hacl_SHA2_384_hash(uint8_t *hash1, uint8_t *input, uint32_t len);
#endif

390
vendors/ocaml-hacl/src/Hacl_SHA2_512.c vendored Normal file
View File

@ -0,0 +1,390 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_SHA2_512.h"
static void
Hacl_Hash_Lib_LoadStore_uint64s_from_be_bytes(uint64_t *output, uint8_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t *x0 = input + (uint32_t)8U * i;
uint64_t inputi = load64_be(x0);
output[i] = inputi;
}
}
static void
Hacl_Hash_Lib_LoadStore_uint64s_to_be_bytes(uint8_t *output, uint64_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint64_t hd1 = input[i];
uint8_t *x0 = output + (uint32_t)8U * i;
store64_be(x0, hd1);
}
}
static void Hacl_Impl_SHA2_512_init(uint64_t *state)
{
uint64_t *n1 = state + (uint32_t)168U;
uint64_t *k1 = state;
uint64_t *h_01 = state + (uint32_t)160U;
uint64_t *p10 = k1;
uint64_t *p20 = k1 + (uint32_t)16U;
uint64_t *p3 = k1 + (uint32_t)32U;
uint64_t *p4 = k1 + (uint32_t)48U;
uint64_t *p5 = k1 + (uint32_t)64U;
uint64_t *p11 = p10;
uint64_t *p21 = p10 + (uint32_t)8U;
uint64_t *p12 = p11;
uint64_t *p22 = p11 + (uint32_t)4U;
p12[0U] = (uint64_t)0x428a2f98d728ae22U;
p12[1U] = (uint64_t)0x7137449123ef65cdU;
p12[2U] = (uint64_t)0xb5c0fbcfec4d3b2fU;
p12[3U] = (uint64_t)0xe9b5dba58189dbbcU;
p22[0U] = (uint64_t)0x3956c25bf348b538U;
p22[1U] = (uint64_t)0x59f111f1b605d019U;
p22[2U] = (uint64_t)0x923f82a4af194f9bU;
p22[3U] = (uint64_t)0xab1c5ed5da6d8118U;
uint64_t *p13 = p21;
uint64_t *p23 = p21 + (uint32_t)4U;
p13[0U] = (uint64_t)0xd807aa98a3030242U;
p13[1U] = (uint64_t)0x12835b0145706fbeU;
p13[2U] = (uint64_t)0x243185be4ee4b28cU;
p13[3U] = (uint64_t)0x550c7dc3d5ffb4e2U;
p23[0U] = (uint64_t)0x72be5d74f27b896fU;
p23[1U] = (uint64_t)0x80deb1fe3b1696b1U;
p23[2U] = (uint64_t)0x9bdc06a725c71235U;
p23[3U] = (uint64_t)0xc19bf174cf692694U;
uint64_t *p14 = p20;
uint64_t *p24 = p20 + (uint32_t)8U;
uint64_t *p15 = p14;
uint64_t *p25 = p14 + (uint32_t)4U;
p15[0U] = (uint64_t)0xe49b69c19ef14ad2U;
p15[1U] = (uint64_t)0xefbe4786384f25e3U;
p15[2U] = (uint64_t)0x0fc19dc68b8cd5b5U;
p15[3U] = (uint64_t)0x240ca1cc77ac9c65U;
p25[0U] = (uint64_t)0x2de92c6f592b0275U;
p25[1U] = (uint64_t)0x4a7484aa6ea6e483U;
p25[2U] = (uint64_t)0x5cb0a9dcbd41fbd4U;
p25[3U] = (uint64_t)0x76f988da831153b5U;
uint64_t *p16 = p24;
uint64_t *p26 = p24 + (uint32_t)4U;
p16[0U] = (uint64_t)0x983e5152ee66dfabU;
p16[1U] = (uint64_t)0xa831c66d2db43210U;
p16[2U] = (uint64_t)0xb00327c898fb213fU;
p16[3U] = (uint64_t)0xbf597fc7beef0ee4U;
p26[0U] = (uint64_t)0xc6e00bf33da88fc2U;
p26[1U] = (uint64_t)0xd5a79147930aa725U;
p26[2U] = (uint64_t)0x06ca6351e003826fU;
p26[3U] = (uint64_t)0x142929670a0e6e70U;
uint64_t *p17 = p3;
uint64_t *p27 = p3 + (uint32_t)8U;
uint64_t *p18 = p17;
uint64_t *p28 = p17 + (uint32_t)4U;
p18[0U] = (uint64_t)0x27b70a8546d22ffcU;
p18[1U] = (uint64_t)0x2e1b21385c26c926U;
p18[2U] = (uint64_t)0x4d2c6dfc5ac42aedU;
p18[3U] = (uint64_t)0x53380d139d95b3dfU;
p28[0U] = (uint64_t)0x650a73548baf63deU;
p28[1U] = (uint64_t)0x766a0abb3c77b2a8U;
p28[2U] = (uint64_t)0x81c2c92e47edaee6U;
p28[3U] = (uint64_t)0x92722c851482353bU;
uint64_t *p19 = p27;
uint64_t *p29 = p27 + (uint32_t)4U;
p19[0U] = (uint64_t)0xa2bfe8a14cf10364U;
p19[1U] = (uint64_t)0xa81a664bbc423001U;
p19[2U] = (uint64_t)0xc24b8b70d0f89791U;
p19[3U] = (uint64_t)0xc76c51a30654be30U;
p29[0U] = (uint64_t)0xd192e819d6ef5218U;
p29[1U] = (uint64_t)0xd69906245565a910U;
p29[2U] = (uint64_t)0xf40e35855771202aU;
p29[3U] = (uint64_t)0x106aa07032bbd1b8U;
uint64_t *p110 = p4;
uint64_t *p210 = p4 + (uint32_t)8U;
uint64_t *p111 = p110;
uint64_t *p211 = p110 + (uint32_t)4U;
p111[0U] = (uint64_t)0x19a4c116b8d2d0c8U;
p111[1U] = (uint64_t)0x1e376c085141ab53U;
p111[2U] = (uint64_t)0x2748774cdf8eeb99U;
p111[3U] = (uint64_t)0x34b0bcb5e19b48a8U;
p211[0U] = (uint64_t)0x391c0cb3c5c95a63U;
p211[1U] = (uint64_t)0x4ed8aa4ae3418acbU;
p211[2U] = (uint64_t)0x5b9cca4f7763e373U;
p211[3U] = (uint64_t)0x682e6ff3d6b2b8a3U;
uint64_t *p112 = p210;
uint64_t *p212 = p210 + (uint32_t)4U;
p112[0U] = (uint64_t)0x748f82ee5defb2fcU;
p112[1U] = (uint64_t)0x78a5636f43172f60U;
p112[2U] = (uint64_t)0x84c87814a1f0ab72U;
p112[3U] = (uint64_t)0x8cc702081a6439ecU;
p212[0U] = (uint64_t)0x90befffa23631e28U;
p212[1U] = (uint64_t)0xa4506cebde82bde9U;
p212[2U] = (uint64_t)0xbef9a3f7b2c67915U;
p212[3U] = (uint64_t)0xc67178f2e372532bU;
uint64_t *p113 = p5;
uint64_t *p213 = p5 + (uint32_t)8U;
uint64_t *p1 = p113;
uint64_t *p214 = p113 + (uint32_t)4U;
p1[0U] = (uint64_t)0xca273eceea26619cU;
p1[1U] = (uint64_t)0xd186b8c721c0c207U;
p1[2U] = (uint64_t)0xeada7dd6cde0eb1eU;
p1[3U] = (uint64_t)0xf57d4f7fee6ed178U;
p214[0U] = (uint64_t)0x06f067aa72176fbaU;
p214[1U] = (uint64_t)0x0a637dc5a2c898a6U;
p214[2U] = (uint64_t)0x113f9804bef90daeU;
p214[3U] = (uint64_t)0x1b710b35131c471bU;
uint64_t *p114 = p213;
uint64_t *p215 = p213 + (uint32_t)4U;
p114[0U] = (uint64_t)0x28db77f523047d84U;
p114[1U] = (uint64_t)0x32caab7b40c72493U;
p114[2U] = (uint64_t)0x3c9ebe0a15c9bebcU;
p114[3U] = (uint64_t)0x431d67c49c100d4cU;
p215[0U] = (uint64_t)0x4cc5d4becb3e42b6U;
p215[1U] = (uint64_t)0x597f299cfc657e2aU;
p215[2U] = (uint64_t)0x5fcb6fab3ad6faecU;
p215[3U] = (uint64_t)0x6c44198c4a475817U;
uint64_t *p115 = h_01;
uint64_t *p2 = h_01 + (uint32_t)4U;
p115[0U] = (uint64_t)0x6a09e667f3bcc908U;
p115[1U] = (uint64_t)0xbb67ae8584caa73bU;
p115[2U] = (uint64_t)0x3c6ef372fe94f82bU;
p115[3U] = (uint64_t)0xa54ff53a5f1d36f1U;
p2[0U] = (uint64_t)0x510e527fade682d1U;
p2[1U] = (uint64_t)0x9b05688c2b3e6c1fU;
p2[2U] = (uint64_t)0x1f83d9abfb41bd6bU;
p2[3U] = (uint64_t)0x5be0cd19137e2179U;
n1[0U] = (uint64_t)0U;
}
static void Hacl_Impl_SHA2_512_update(uint64_t *state, uint8_t *data)
{
KRML_CHECK_SIZE((uint64_t)(uint32_t)0U, (uint32_t)16U);
uint64_t data_w[16U];
for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
data_w[_i] = (uint64_t)(uint32_t)0U;
Hacl_Hash_Lib_LoadStore_uint64s_from_be_bytes(data_w, data, (uint32_t)16U);
uint64_t *hash_w = state + (uint32_t)160U;
uint64_t *ws_w = state + (uint32_t)80U;
uint64_t *k_w = state;
uint64_t *counter_w = state + (uint32_t)168U;
for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U)
{
uint64_t b = data_w[i];
ws_w[i] = b;
}
for (uint32_t i = (uint32_t)16U; i < (uint32_t)80U; i = i + (uint32_t)1U)
{
uint64_t t16 = ws_w[i - (uint32_t)16U];
uint64_t t15 = ws_w[i - (uint32_t)15U];
uint64_t t7 = ws_w[i - (uint32_t)7U];
uint64_t t2 = ws_w[i - (uint32_t)2U];
ws_w[i] =
((t2 >> (uint32_t)19U | t2 << ((uint32_t)64U - (uint32_t)19U))
^ ((t2 >> (uint32_t)61U | t2 << ((uint32_t)64U - (uint32_t)61U)) ^ t2 >> (uint32_t)6U))
+
t7
+
((t15 >> (uint32_t)1U | t15 << ((uint32_t)64U - (uint32_t)1U))
^ ((t15 >> (uint32_t)8U | t15 << ((uint32_t)64U - (uint32_t)8U)) ^ t15 >> (uint32_t)7U))
+ t16;
}
uint64_t hash_0[8U] = { 0U };
memcpy(hash_0, hash_w, (uint32_t)8U * sizeof hash_w[0U]);
for (uint32_t i = (uint32_t)0U; i < (uint32_t)80U; i = i + (uint32_t)1U)
{
uint64_t a = hash_0[0U];
uint64_t b = hash_0[1U];
uint64_t c = hash_0[2U];
uint64_t d = hash_0[3U];
uint64_t e = hash_0[4U];
uint64_t f1 = hash_0[5U];
uint64_t g = hash_0[6U];
uint64_t h = hash_0[7U];
uint64_t k_t = k_w[i];
uint64_t ws_t = ws_w[i];
uint64_t
t1 =
h
+
((e >> (uint32_t)14U | e << ((uint32_t)64U - (uint32_t)14U))
^
((e >> (uint32_t)18U | e << ((uint32_t)64U - (uint32_t)18U))
^ (e >> (uint32_t)41U | e << ((uint32_t)64U - (uint32_t)41U))))
+ ((e & f1) ^ (~e & g))
+ k_t
+ ws_t;
uint64_t
t2 =
((a >> (uint32_t)28U | a << ((uint32_t)64U - (uint32_t)28U))
^
((a >> (uint32_t)34U | a << ((uint32_t)64U - (uint32_t)34U))
^ (a >> (uint32_t)39U | a << ((uint32_t)64U - (uint32_t)39U))))
+ ((a & b) ^ ((a & c) ^ (b & c)));
uint64_t x1 = t1 + t2;
uint64_t x5 = d + t1;
uint64_t *p1 = hash_0;
uint64_t *p2 = hash_0 + (uint32_t)4U;
p1[0U] = x1;
p1[1U] = a;
p1[2U] = b;
p1[3U] = c;
p2[0U] = x5;
p2[1U] = e;
p2[2U] = f1;
p2[3U] = g;
}
for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U)
{
uint64_t xi = hash_w[i];
uint64_t yi = hash_0[i];
hash_w[i] = xi + yi;
}
uint64_t c0 = counter_w[0U];
uint64_t one1 = (uint64_t)(uint32_t)1U;
counter_w[0U] = c0 + one1;
}
static void Hacl_Impl_SHA2_512_update_multi(uint64_t *state, uint8_t *data, uint32_t n1)
{
for (uint32_t i = (uint32_t)0U; i < n1; i = i + (uint32_t)1U)
{
uint8_t *b = data + i * (uint32_t)128U;
Hacl_Impl_SHA2_512_update(state, b);
}
}
static void Hacl_Impl_SHA2_512_update_last(uint64_t *state, uint8_t *data, uint64_t len)
{
uint8_t blocks[256U] = { 0U };
uint32_t nb;
if (len < (uint64_t)112U)
nb = (uint32_t)1U;
else
nb = (uint32_t)2U;
uint8_t *final_blocks;
if (len < (uint64_t)112U)
final_blocks = blocks + (uint32_t)128U;
else
final_blocks = blocks;
memcpy(final_blocks, data, (uint32_t)len * sizeof data[0U]);
uint64_t n1 = state[168U];
uint8_t *padding = final_blocks + (uint32_t)len;
FStar_UInt128_t
encodedlen =
FStar_UInt128_shift_left(FStar_UInt128_add(FStar_UInt128_mul_wide(n1, (uint64_t)(uint32_t)128U),
FStar_UInt128_uint64_to_uint128(len)),
(uint32_t)3U);
uint32_t
pad0len = ((uint32_t)256U - ((uint32_t)len + (uint32_t)16U + (uint32_t)1U)) % (uint32_t)128U;
uint8_t *buf1 = padding;
uint8_t *buf2 = padding + (uint32_t)1U + pad0len;
buf1[0U] = (uint8_t)0x80U;
store128_be(buf2, encodedlen);
Hacl_Impl_SHA2_512_update_multi(state, final_blocks, nb);
}
static void Hacl_Impl_SHA2_512_finish(uint64_t *state, uint8_t *hash1)
{
uint64_t *hash_w = state + (uint32_t)160U;
Hacl_Hash_Lib_LoadStore_uint64s_to_be_bytes(hash1, hash_w, (uint32_t)8U);
}
static void Hacl_Impl_SHA2_512_hash(uint8_t *hash1, uint8_t *input, uint32_t len)
{
KRML_CHECK_SIZE((uint64_t)(uint32_t)0U, (uint32_t)169U);
uint64_t state[169U];
for (uint32_t _i = 0U; _i < (uint32_t)169U; ++_i)
state[_i] = (uint64_t)(uint32_t)0U;
uint32_t n1 = len / (uint32_t)128U;
uint32_t r = len % (uint32_t)128U;
uint8_t *input_blocks = input;
uint8_t *input_last = input + n1 * (uint32_t)128U;
Hacl_Impl_SHA2_512_init(state);
Hacl_Impl_SHA2_512_update_multi(state, input_blocks, n1);
Hacl_Impl_SHA2_512_update_last(state, input_last, (uint64_t)r);
Hacl_Impl_SHA2_512_finish(state, hash1);
}
uint32_t Hacl_SHA2_512_size_word = (uint32_t)8U;
uint32_t Hacl_SHA2_512_size_hash_w = (uint32_t)8U;
uint32_t Hacl_SHA2_512_size_block_w = (uint32_t)16U;
uint32_t Hacl_SHA2_512_size_hash = (uint32_t)64U;
uint32_t Hacl_SHA2_512_size_block = (uint32_t)128U;
uint32_t Hacl_SHA2_512_size_k_w = (uint32_t)80U;
uint32_t Hacl_SHA2_512_size_ws_w = (uint32_t)80U;
uint32_t Hacl_SHA2_512_size_whash_w = (uint32_t)8U;
uint32_t Hacl_SHA2_512_size_count_w = (uint32_t)1U;
uint32_t Hacl_SHA2_512_size_len_8 = (uint32_t)16U;
uint32_t Hacl_SHA2_512_size_state = (uint32_t)169U;
uint32_t Hacl_SHA2_512_pos_k_w = (uint32_t)0U;
uint32_t Hacl_SHA2_512_pos_ws_w = (uint32_t)80U;
uint32_t Hacl_SHA2_512_pos_whash_w = (uint32_t)160U;
uint32_t Hacl_SHA2_512_pos_count_w = (uint32_t)168U;
void Hacl_SHA2_512_init(uint64_t *state)
{
Hacl_Impl_SHA2_512_init(state);
}
void Hacl_SHA2_512_update(uint64_t *state, uint8_t *data)
{
Hacl_Impl_SHA2_512_update(state, data);
}
void Hacl_SHA2_512_update_multi(uint64_t *state, uint8_t *data, uint32_t n1)
{
Hacl_Impl_SHA2_512_update_multi(state, data, n1);
}
void Hacl_SHA2_512_update_last(uint64_t *state, uint8_t *data, uint64_t len)
{
Hacl_Impl_SHA2_512_update_last(state, data, len);
}
void Hacl_SHA2_512_finish(uint64_t *state, uint8_t *hash1)
{
Hacl_Impl_SHA2_512_finish(state, hash1);
}
void Hacl_SHA2_512_hash(uint8_t *hash1, uint8_t *input, uint32_t len)
{
Hacl_Impl_SHA2_512_hash(hash1, input, len);
}

129
vendors/ocaml-hacl/src/Hacl_SHA2_512.h vendored Normal file
View File

@ -0,0 +1,129 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_SHA2_512_H
#define __Hacl_SHA2_512_H
typedef uint8_t Hacl_Hash_Lib_Create_uint8_t;
typedef uint32_t Hacl_Hash_Lib_Create_uint32_t;
typedef uint64_t Hacl_Hash_Lib_Create_uint64_t;
typedef uint8_t Hacl_Hash_Lib_Create_uint8_ht;
typedef uint32_t Hacl_Hash_Lib_Create_uint32_ht;
typedef uint64_t Hacl_Hash_Lib_Create_uint64_ht;
typedef uint8_t *Hacl_Hash_Lib_Create_uint8_p;
typedef uint32_t *Hacl_Hash_Lib_Create_uint32_p;
typedef uint64_t *Hacl_Hash_Lib_Create_uint64_p;
typedef uint8_t *Hacl_Hash_Lib_LoadStore_uint8_p;
typedef uint8_t Hacl_Impl_SHA2_512_uint8_t;
typedef uint32_t Hacl_Impl_SHA2_512_uint32_t;
typedef uint64_t Hacl_Impl_SHA2_512_uint64_t;
typedef uint8_t Hacl_Impl_SHA2_512_uint8_ht;
typedef uint32_t Hacl_Impl_SHA2_512_uint32_ht;
typedef uint64_t Hacl_Impl_SHA2_512_uint64_ht;
typedef FStar_UInt128_t Hacl_Impl_SHA2_512_uint128_ht;
typedef uint64_t *Hacl_Impl_SHA2_512_uint64_p;
typedef uint8_t *Hacl_Impl_SHA2_512_uint8_p;
typedef uint8_t Hacl_SHA2_512_uint8_t;
typedef uint32_t Hacl_SHA2_512_uint32_t;
typedef uint64_t Hacl_SHA2_512_uint64_t;
typedef uint8_t Hacl_SHA2_512_uint8_ht;
typedef uint32_t Hacl_SHA2_512_uint32_ht;
typedef uint64_t Hacl_SHA2_512_uint64_ht;
typedef FStar_UInt128_t Hacl_SHA2_512_uint128_ht;
typedef uint64_t *Hacl_SHA2_512_uint64_p;
typedef uint8_t *Hacl_SHA2_512_uint8_p;
extern uint32_t Hacl_SHA2_512_size_word;
extern uint32_t Hacl_SHA2_512_size_hash_w;
extern uint32_t Hacl_SHA2_512_size_block_w;
extern uint32_t Hacl_SHA2_512_size_hash;
extern uint32_t Hacl_SHA2_512_size_block;
extern uint32_t Hacl_SHA2_512_size_k_w;
extern uint32_t Hacl_SHA2_512_size_ws_w;
extern uint32_t Hacl_SHA2_512_size_whash_w;
extern uint32_t Hacl_SHA2_512_size_count_w;
extern uint32_t Hacl_SHA2_512_size_len_8;
extern uint32_t Hacl_SHA2_512_size_state;
extern uint32_t Hacl_SHA2_512_pos_k_w;
extern uint32_t Hacl_SHA2_512_pos_ws_w;
extern uint32_t Hacl_SHA2_512_pos_whash_w;
extern uint32_t Hacl_SHA2_512_pos_count_w;
void Hacl_SHA2_512_init(uint64_t *state);
void Hacl_SHA2_512_update(uint64_t *state, uint8_t *data);
void Hacl_SHA2_512_update_multi(uint64_t *state, uint8_t *data, uint32_t n1);
void Hacl_SHA2_512_update_last(uint64_t *state, uint8_t *data, uint64_t len);
void Hacl_SHA2_512_finish(uint64_t *state, uint8_t *hash1);
void Hacl_SHA2_512_hash(uint8_t *hash1, uint8_t *input, uint32_t len);
#endif

385
vendors/ocaml-hacl/src/Hacl_Salsa20.c vendored Normal file
View File

@ -0,0 +1,385 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_Salsa20.h"
static void
Hacl_Lib_Create_make_h32_4(uint32_t *b, uint32_t s0, uint32_t s1, uint32_t s2, uint32_t s3)
{
b[0U] = s0;
b[1U] = s1;
b[2U] = s2;
b[3U] = s3;
}
static void
Hacl_Lib_Create_make_h32_8(
uint32_t *b,
uint32_t s0,
uint32_t s1,
uint32_t s2,
uint32_t s3,
uint32_t s4,
uint32_t s5,
uint32_t s6,
uint32_t s7
)
{
Hacl_Lib_Create_make_h32_4(b, s0, s1, s2, s3);
Hacl_Lib_Create_make_h32_4(b + (uint32_t)4U, s4, s5, s6, s7);
}
static void
Hacl_Lib_Create_make_h32_16(
uint32_t *b,
uint32_t s0,
uint32_t s1,
uint32_t s2,
uint32_t s3,
uint32_t s4,
uint32_t s5,
uint32_t s6,
uint32_t s7,
uint32_t s8,
uint32_t s9,
uint32_t s10,
uint32_t s11,
uint32_t s12,
uint32_t s13,
uint32_t s14,
uint32_t s15
)
{
Hacl_Lib_Create_make_h32_8(b, s0, s1, s2, s3, s4, s5, s6, s7);
Hacl_Lib_Create_make_h32_8(b + (uint32_t)8U, s8, s9, s10, s11, s12, s13, s14, s15);
}
static void
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(uint32_t *output, uint8_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t *x0 = input + (uint32_t)4U * i;
uint32_t inputi = load32_le(x0);
output[i] = inputi;
}
}
static void
Hacl_Lib_LoadStore32_uint32s_to_le_bytes(uint8_t *output, uint32_t *input, uint32_t len)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint32_t hd1 = input[i];
uint8_t *x0 = output + (uint32_t)4U * i;
store32_le(x0, hd1);
}
}
inline static void Hacl_Impl_Salsa20_setup(uint32_t *st, uint8_t *k, uint8_t *n1, uint64_t c)
{
uint32_t tmp[10U] = { 0U };
uint32_t *k_ = tmp;
uint32_t *n_ = tmp + (uint32_t)8U;
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(k_, k, (uint32_t)8U);
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(n_, n1, (uint32_t)2U);
uint32_t c0 = (uint32_t)c;
uint32_t c1 = (uint32_t)(c >> (uint32_t)32U);
uint32_t k0 = k_[0U];
uint32_t k1 = k_[1U];
uint32_t k2 = k_[2U];
uint32_t k3 = k_[3U];
uint32_t k4 = k_[4U];
uint32_t k5 = k_[5U];
uint32_t k6 = k_[6U];
uint32_t k7 = k_[7U];
uint32_t n0 = n_[0U];
uint32_t n11 = n_[1U];
Hacl_Lib_Create_make_h32_16(st,
(uint32_t)0x61707865U,
k0,
k1,
k2,
k3,
(uint32_t)0x3320646eU,
n0,
n11,
c0,
c1,
(uint32_t)0x79622d32U,
k4,
k5,
k6,
k7,
(uint32_t)0x6b206574U);
}
inline static void
Hacl_Impl_Salsa20_line(uint32_t *st, uint32_t a, uint32_t b, uint32_t d, uint32_t s)
{
uint32_t sa = st[a];
uint32_t sb = st[b];
uint32_t sd = st[d];
uint32_t sbd = sb + sd;
uint32_t sbds = sbd << s | sbd >> ((uint32_t)32U - s);
st[a] = sa ^ sbds;
}
inline static void
Hacl_Impl_Salsa20_quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
Hacl_Impl_Salsa20_line(st, b, a, d, (uint32_t)7U);
Hacl_Impl_Salsa20_line(st, c, b, a, (uint32_t)9U);
Hacl_Impl_Salsa20_line(st, d, c, b, (uint32_t)13U);
Hacl_Impl_Salsa20_line(st, a, d, c, (uint32_t)18U);
}
inline static void Hacl_Impl_Salsa20_double_round(uint32_t *st)
{
Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U);
Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U, (uint32_t)1U);
Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)10U, (uint32_t)14U, (uint32_t)2U, (uint32_t)6U);
Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)15U, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U);
Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)0U, (uint32_t)1U, (uint32_t)2U, (uint32_t)3U);
Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)5U, (uint32_t)6U, (uint32_t)7U, (uint32_t)4U);
Hacl_Impl_Salsa20_quarter_round(st, (uint32_t)10U, (uint32_t)11U, (uint32_t)8U, (uint32_t)9U);
Hacl_Impl_Salsa20_quarter_round(st,
(uint32_t)15U,
(uint32_t)12U,
(uint32_t)13U,
(uint32_t)14U);
}
inline static void Hacl_Impl_Salsa20_rounds(uint32_t *st)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
Hacl_Impl_Salsa20_double_round(st);
}
inline static void Hacl_Impl_Salsa20_sum_states(uint32_t *st, uint32_t *st_)
{
for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U)
{
uint32_t xi = st[i];
uint32_t yi = st_[i];
st[i] = xi + yi;
}
}
inline static void Hacl_Impl_Salsa20_copy_state(uint32_t *st, uint32_t *st_)
{
memcpy(st, st_, (uint32_t)16U * sizeof st_[0U]);
}
inline static void Hacl_Impl_Salsa20_salsa20_core(uint32_t *k, uint32_t *st, uint64_t ctr)
{
uint32_t c0 = (uint32_t)ctr;
uint32_t c1 = (uint32_t)(ctr >> (uint32_t)32U);
st[8U] = c0;
st[9U] = c1;
Hacl_Impl_Salsa20_copy_state(k, st);
Hacl_Impl_Salsa20_rounds(k);
Hacl_Impl_Salsa20_sum_states(k, st);
}
inline static void
Hacl_Impl_Salsa20_salsa20_block(uint8_t *stream_block, uint32_t *st, uint64_t ctr)
{
uint32_t st_[16U] = { 0U };
Hacl_Impl_Salsa20_salsa20_core(st_, st, ctr);
Hacl_Lib_LoadStore32_uint32s_to_le_bytes(stream_block, st_, (uint32_t)16U);
}
inline static void Hacl_Impl_Salsa20_init(uint32_t *st, uint8_t *k, uint8_t *n1)
{
Hacl_Impl_Salsa20_setup(st, k, n1, (uint64_t)0U);
}
static void
Hacl_Impl_Salsa20_update_last(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint32_t *st,
uint64_t ctr
)
{
uint8_t block[64U] = { 0U };
Hacl_Impl_Salsa20_salsa20_block(block, st, ctr);
uint8_t *mask = block;
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t xi = plain[i];
uint8_t yi = mask[i];
output[i] = xi ^ yi;
}
}
static void
Hacl_Impl_Salsa20_update(uint8_t *output, uint8_t *plain, uint32_t *st, uint64_t ctr)
{
uint32_t b[48U] = { 0U };
uint32_t *k = b;
uint32_t *ib = b + (uint32_t)16U;
uint32_t *ob = b + (uint32_t)32U;
Hacl_Impl_Salsa20_salsa20_core(k, st, ctr);
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(ib, plain, (uint32_t)16U);
for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U)
{
uint32_t xi = ib[i];
uint32_t yi = k[i];
ob[i] = xi ^ yi;
}
Hacl_Lib_LoadStore32_uint32s_to_le_bytes(output, ob, (uint32_t)16U);
}
static void
Hacl_Impl_Salsa20_salsa20_counter_mode_blocks(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint32_t *st,
uint64_t ctr
)
{
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
{
uint8_t *b = plain + (uint32_t)64U * i;
uint8_t *o = output + (uint32_t)64U * i;
Hacl_Impl_Salsa20_update(o, b, st, ctr + (uint64_t)i);
}
}
static void
Hacl_Impl_Salsa20_salsa20_counter_mode(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint32_t *st,
uint64_t ctr
)
{
uint32_t blocks_len = len >> (uint32_t)6U;
uint32_t part_len = len & (uint32_t)0x3fU;
uint8_t *output_ = output;
uint8_t *plain_ = plain;
uint8_t *output__ = output + (uint32_t)64U * blocks_len;
uint8_t *plain__ = plain + (uint32_t)64U * blocks_len;
Hacl_Impl_Salsa20_salsa20_counter_mode_blocks(output_, plain_, blocks_len, st, ctr);
if (part_len > (uint32_t)0U)
Hacl_Impl_Salsa20_update_last(output__, plain__, part_len, st, ctr + (uint64_t)blocks_len);
}
static void
Hacl_Impl_Salsa20_salsa20(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint8_t *k,
uint8_t *n1,
uint64_t ctr
)
{
uint32_t buf[16U] = { 0U };
uint32_t *st = buf;
Hacl_Impl_Salsa20_init(st, k, n1);
Hacl_Impl_Salsa20_salsa20_counter_mode(output, plain, len, st, ctr);
}
inline static void Hacl_Impl_HSalsa20_setup(uint32_t *st, uint8_t *k, uint8_t *n1)
{
uint32_t tmp[12U] = { 0U };
uint32_t *k_ = tmp;
uint32_t *n_ = tmp + (uint32_t)8U;
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(k_, k, (uint32_t)8U);
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(n_, n1, (uint32_t)4U);
uint32_t k0 = k_[0U];
uint32_t k1 = k_[1U];
uint32_t k2 = k_[2U];
uint32_t k3 = k_[3U];
uint32_t k4 = k_[4U];
uint32_t k5 = k_[5U];
uint32_t k6 = k_[6U];
uint32_t k7 = k_[7U];
uint32_t n0 = n_[0U];
uint32_t n11 = n_[1U];
uint32_t n2 = n_[2U];
uint32_t n3 = n_[3U];
Hacl_Lib_Create_make_h32_16(st,
(uint32_t)0x61707865U,
k0,
k1,
k2,
k3,
(uint32_t)0x3320646eU,
n0,
n11,
n2,
n3,
(uint32_t)0x79622d32U,
k4,
k5,
k6,
k7,
(uint32_t)0x6b206574U);
}
static void
Hacl_Impl_HSalsa20_crypto_core_hsalsa20(uint8_t *output, uint8_t *nonce, uint8_t *key)
{
uint32_t tmp[24U] = { 0U };
uint32_t *st = tmp;
uint32_t *hs = tmp + (uint32_t)16U;
Hacl_Impl_HSalsa20_setup(st, key, nonce);
Hacl_Impl_Salsa20_rounds(st);
uint32_t hs0 = st[0U];
uint32_t hs1 = st[5U];
uint32_t hs2 = st[10U];
uint32_t hs3 = st[15U];
uint32_t hs4 = st[6U];
uint32_t hs5 = st[7U];
uint32_t hs6 = st[8U];
uint32_t hs7 = st[9U];
Hacl_Lib_Create_make_h32_8(hs, hs0, hs1, hs2, hs3, hs4, hs5, hs6, hs7);
Hacl_Lib_LoadStore32_uint32s_to_le_bytes(output, hs, (uint32_t)8U);
}
void
Hacl_Salsa20_salsa20(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint8_t *k,
uint8_t *n1,
uint64_t ctr
)
{
Hacl_Impl_Salsa20_salsa20(output, plain, len, k, n1, ctr);
}
void Hacl_Salsa20_hsalsa20(uint8_t *output, uint8_t *key, uint8_t *nonce)
{
Hacl_Impl_HSalsa20_crypto_core_hsalsa20(output, nonce, key);
}

84
vendors/ocaml-hacl/src/Hacl_Salsa20.h vendored Normal file
View File

@ -0,0 +1,84 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __Hacl_Salsa20_H
#define __Hacl_Salsa20_H
typedef uint32_t Hacl_Impl_Xor_Lemmas_u32;
typedef uint8_t Hacl_Impl_Xor_Lemmas_u8;
typedef uint32_t Hacl_Lib_Create_h32;
typedef uint8_t *Hacl_Lib_LoadStore32_uint8_p;
typedef uint32_t Hacl_Impl_Salsa20_u32;
typedef uint32_t Hacl_Impl_Salsa20_h32;
typedef uint8_t *Hacl_Impl_Salsa20_uint8_p;
typedef uint32_t *Hacl_Impl_Salsa20_state;
typedef uint32_t Hacl_Impl_Salsa20_idx;
typedef struct
{
void *k;
void *n;
}
Hacl_Impl_Salsa20_log_t_;
typedef void *Hacl_Impl_Salsa20_log_t;
typedef uint32_t Hacl_Impl_HSalsa20_h32;
typedef uint32_t Hacl_Impl_HSalsa20_u32;
typedef uint8_t *Hacl_Impl_HSalsa20_uint8_p;
typedef uint32_t *Hacl_Impl_HSalsa20_state;
typedef uint8_t *Hacl_Salsa20_uint8_p;
typedef uint32_t Hacl_Salsa20_uint32_t;
typedef uint32_t *Hacl_Salsa20_state;
void
Hacl_Salsa20_salsa20(
uint8_t *output,
uint8_t *plain,
uint32_t len,
uint8_t *k,
uint8_t *n1,
uint64_t ctr
);
void Hacl_Salsa20_hsalsa20(uint8_t *output, uint8_t *key, uint8_t *nonce);
#endif

104
vendors/ocaml-hacl/src/Hacl_Unverified_Random.c vendored Normal file
View File

@ -0,0 +1,104 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_Unverified_Random.h"
#include <stdio.h>
#if HACL_IS_WINDOWS
#include <windows.h>
#include <wincrypt.h>
#include <malloc.h>
bool read_random_bytes(uint64_t len, uint8_t * buf) {
HCRYPTPROV ctxt;
if (! (CryptAcquireContext(&ctxt, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))) {
DWORD error = GetLastError();
printf("Cannot acquire crypto context: 0x%lx\n", error);
return false;
}
bool pass = true;
if (! (CryptGenRandom(ctxt, len, buf))) {
printf("Cannot read random bytes\n");
pass = false;
}
CryptReleaseContext(ctxt, 0);
return pass;
}
void * hacl_aligned_malloc(size_t alignment, size_t size) {
void * res = _aligned_malloc(size, alignment);
if (res == NULL) {
printf("Cannot allocate %" PRIu64 " bytes aligned to %" PRIu64 "\n", (uint64_t) size, (uint64_t) alignment);
}
return res;
}
void hacl_aligned_free(void * ptr) {
_aligned_free(ptr);
}
#else // ! HACL_IS_WINDOWS
/* assume POSIX here */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
bool read_random_bytes(uint64_t len, uint8_t * buf) {
int fd = open("/dev/urandom", O_RDONLY);
if (fd == -1) {
printf("Cannot open /dev/urandom\n");
return false;
}
bool pass = true;
uint64_t res = read(fd, buf, len);
if (res != len) {
printf("Error on reading, expected %" PRIu64 " bytes, got %" PRIu64 " bytes\n", len, res);
pass = false;
}
close(fd);
return pass;
}
void * hacl_aligned_malloc(size_t alignment, size_t size) {
void * res = NULL;
if (posix_memalign(&res, alignment, size)) {
printf("Cannot allocate %" PRIu64 " bytes aligned to %" PRIu64 "\n", (uint64_t) size, (uint64_t) alignment);
return NULL;
}
return res;
}
void hacl_aligned_free(void * ptr) {
free(ptr);
}
#endif // HACL_IS_WINDOWS
void randombytes(uint8_t * x,uint64_t len) {
if (! (read_random_bytes(len, x)))
exit(1);
}

43
vendors/ocaml-hacl/src/Hacl_Unverified_Random.h vendored Normal file
View File

@ -0,0 +1,43 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef __HACL_UNVERIFIED_RANDOM
#define __HACL_UNVERIFIED_RANDOM
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#if ((defined(_WIN32) || defined(_WIN64)) && (! (defined(__CYGWIN__))))
#define HACL_IS_WINDOWS 1
#else
#define HACL_IS_WINDOWS 0
#endif
bool read_random_bytes(uint64_t len, uint8_t * buf);
void * hacl_aligned_malloc(size_t alignment, size_t size);
void hacl_aligned_free(void * ptr);
void randombytes(uint8_t * x,uint64_t len);
#endif // __HACL_UNVERIFIED_RANDOM

463
vendors/ocaml-hacl/src/NaCl.c vendored Normal file
View File

@ -0,0 +1,463 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "NaCl.h"
static void Hacl_SecretBox_ZeroPad_set_zero_bytes(uint8_t *b)
{
uint8_t zero1 = (uint8_t)0U;
b[0U] = zero1;
b[1U] = zero1;
b[2U] = zero1;
b[3U] = zero1;
b[4U] = zero1;
b[5U] = zero1;
b[6U] = zero1;
b[7U] = zero1;
b[8U] = zero1;
b[9U] = zero1;
b[10U] = zero1;
b[11U] = zero1;
b[12U] = zero1;
b[13U] = zero1;
b[14U] = zero1;
b[15U] = zero1;
b[16U] = zero1;
b[17U] = zero1;
b[18U] = zero1;
b[19U] = zero1;
b[20U] = zero1;
b[21U] = zero1;
b[22U] = zero1;
b[23U] = zero1;
b[24U] = zero1;
b[25U] = zero1;
b[26U] = zero1;
b[27U] = zero1;
b[28U] = zero1;
b[29U] = zero1;
b[30U] = zero1;
b[31U] = zero1;
}
static uint32_t
Hacl_SecretBox_ZeroPad_crypto_secretbox_detached(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
)
{
uint32_t mlen_ = (uint32_t)mlen;
uint8_t subkey[32U] = { 0U };
Hacl_Salsa20_hsalsa20(subkey, k1, n1);
Hacl_Salsa20_salsa20(c, m, mlen_ + (uint32_t)32U, subkey, n1 + (uint32_t)16U, (uint64_t)0U);
Hacl_Poly1305_64_crypto_onetimeauth(mac, c + (uint32_t)32U, mlen, c);
Hacl_SecretBox_ZeroPad_set_zero_bytes(c);
Hacl_SecretBox_ZeroPad_set_zero_bytes(subkey);
return (uint32_t)0U;
}
static uint32_t
Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached_decrypt(
uint8_t *m,
uint8_t *c,
uint64_t clen,
uint8_t *n1,
uint8_t *subkey,
uint8_t verify
)
{
uint32_t clen_ = (uint32_t)clen;
if (verify == (uint8_t)0U)
{
Hacl_Salsa20_salsa20(m, c, clen_ + (uint32_t)32U, subkey, n1 + (uint32_t)16U, (uint64_t)0U);
Hacl_SecretBox_ZeroPad_set_zero_bytes(subkey);
Hacl_SecretBox_ZeroPad_set_zero_bytes(m);
return (uint32_t)0U;
}
else
return (uint32_t)0xffffffffU;
}
static uint32_t
Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached(
uint8_t *m,
uint8_t *c,
uint8_t *mac,
uint64_t clen,
uint8_t *n1,
uint8_t *k1
)
{
uint8_t tmp[112U] = { 0U };
uint8_t *subkey = tmp;
uint8_t *mackey = tmp + (uint32_t)32U;
uint8_t *mackey_ = tmp + (uint32_t)64U;
uint8_t *cmac = tmp + (uint32_t)96U;
Hacl_Salsa20_hsalsa20(subkey, k1, n1);
Hacl_Salsa20_salsa20(mackey, mackey_, (uint32_t)32U, subkey, n1 + (uint32_t)16U, (uint64_t)0U);
Hacl_Poly1305_64_crypto_onetimeauth(cmac, c + (uint32_t)32U, clen, mackey);
uint8_t result = Hacl_Policies_cmp_bytes(mac, cmac, (uint32_t)16U);
uint8_t verify = result;
uint32_t
z =
Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached_decrypt(m,
c,
clen,
n1,
subkey,
verify);
return z;
}
static uint32_t
Hacl_SecretBox_ZeroPad_crypto_secretbox_easy(
uint8_t *c,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
)
{
uint8_t cmac[16U] = { 0U };
uint32_t res = Hacl_SecretBox_ZeroPad_crypto_secretbox_detached(c, cmac, m, mlen, n1, k1);
memcpy(c + (uint32_t)16U, cmac, (uint32_t)16U * sizeof cmac[0U]);
return res;
}
static uint32_t
Hacl_SecretBox_ZeroPad_crypto_secretbox_open_easy(
uint8_t *m,
uint8_t *c,
uint64_t clen,
uint8_t *n1,
uint8_t *k1
)
{
uint8_t *mac = c;
return Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached(m, c, mac, clen, n1, k1);
}
static uint32_t Hacl_Box_ZeroPad_crypto_box_beforenm(uint8_t *k1, uint8_t *pk, uint8_t *sk)
{
uint8_t tmp[48U] = { 0U };
uint8_t *hsalsa_k = tmp;
uint8_t *hsalsa_n = tmp + (uint32_t)32U;
Hacl_Curve25519_crypto_scalarmult(hsalsa_k, sk, pk);
Hacl_Salsa20_hsalsa20(k1, hsalsa_k, hsalsa_n);
return (uint32_t)0U;
}
static uint32_t
Hacl_Box_ZeroPad_crypto_box_detached_afternm(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
)
{
return Hacl_SecretBox_ZeroPad_crypto_secretbox_detached(c, mac, m, mlen, n1, k1);
}
static uint32_t
Hacl_Box_ZeroPad_crypto_box_detached(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
)
{
uint8_t key[80U] = { 0U };
uint8_t *k1 = key;
uint8_t *subkey = key + (uint32_t)32U;
uint8_t *hsalsa_n = key + (uint32_t)64U;
Hacl_Curve25519_crypto_scalarmult(k1, sk, pk);
Hacl_Salsa20_hsalsa20(subkey, k1, hsalsa_n);
uint32_t z = Hacl_SecretBox_ZeroPad_crypto_secretbox_detached(c, mac, m, mlen, n1, subkey);
return z;
}
static uint32_t
Hacl_Box_ZeroPad_crypto_box_open_detached(
uint8_t *m,
uint8_t *c,
uint8_t *mac,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
)
{
uint8_t key[80U] = { 0U };
uint8_t *k1 = key;
uint8_t *subkey = key + (uint32_t)32U;
uint8_t *hsalsa_n = key + (uint32_t)64U;
Hacl_Curve25519_crypto_scalarmult(k1, sk, pk);
Hacl_Salsa20_hsalsa20(subkey, k1, hsalsa_n);
uint32_t
z = Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached(m, c, mac, mlen, n1, subkey);
return z;
}
static uint32_t
Hacl_Box_ZeroPad_crypto_box_easy_afternm(
uint8_t *c,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
)
{
uint8_t cmac[16U] = { 0U };
uint32_t z = Hacl_Box_ZeroPad_crypto_box_detached_afternm(c, cmac, m, mlen, n1, k1);
memcpy(c + (uint32_t)16U, cmac, (uint32_t)16U * sizeof cmac[0U]);
return z;
}
static uint32_t
Hacl_Box_ZeroPad_crypto_box_easy(
uint8_t *c,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
)
{
uint8_t cmac[16U] = { 0U };
uint32_t res = Hacl_Box_ZeroPad_crypto_box_detached(c, cmac, m, mlen, n1, pk, sk);
memcpy(c + (uint32_t)16U, cmac, (uint32_t)16U * sizeof cmac[0U]);
return res;
}
static uint32_t
Hacl_Box_ZeroPad_crypto_box_open_easy(
uint8_t *m,
uint8_t *c,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
)
{
uint8_t *mac = c + (uint32_t)16U;
return Hacl_Box_ZeroPad_crypto_box_open_detached(m, c, mac, mlen, n1, pk, sk);
}
static uint32_t
Hacl_Box_ZeroPad_crypto_box_open_detached_afternm(
uint8_t *m,
uint8_t *c,
uint8_t *mac,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
)
{
return Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached(m, c, mac, mlen, n1, k1);
}
static uint32_t
Hacl_Box_ZeroPad_crypto_box_open_easy_afternm(
uint8_t *m,
uint8_t *c,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
)
{
uint8_t *mac = c + (uint32_t)16U;
uint32_t t = Hacl_Box_ZeroPad_crypto_box_open_detached_afternm(m, c, mac, mlen, n1, k1);
return t;
}
Prims_int NaCl_crypto_box_NONCEBYTES = (krml_checked_int_t)24;
Prims_int NaCl_crypto_box_PUBLICKEYBYTES = (krml_checked_int_t)32;
Prims_int NaCl_crypto_box_SECRETKEYBYTES = (krml_checked_int_t)32;
Prims_int NaCl_crypto_box_MACBYTES = (krml_checked_int_t)16;
Prims_int NaCl_crypto_secretbox_NONCEBYTES = (krml_checked_int_t)24;
Prims_int NaCl_crypto_secretbox_KEYBYTES = (krml_checked_int_t)32;
Prims_int NaCl_crypto_secretbox_MACBYTES = (krml_checked_int_t)16;
uint32_t
NaCl_crypto_secretbox_detached(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
)
{
return Hacl_SecretBox_ZeroPad_crypto_secretbox_detached(c, mac, m, mlen, n1, k1);
}
uint32_t
NaCl_crypto_secretbox_open_detached(
uint8_t *m,
uint8_t *c,
uint8_t *mac,
uint64_t clen,
uint8_t *n1,
uint8_t *k1
)
{
return Hacl_SecretBox_ZeroPad_crypto_secretbox_open_detached(m, c, mac, clen, n1, k1);
}
uint32_t
NaCl_crypto_secretbox_easy(uint8_t *c, uint8_t *m, uint64_t mlen, uint8_t *n1, uint8_t *k1)
{
return Hacl_SecretBox_ZeroPad_crypto_secretbox_easy(c, m, mlen, n1, k1);
}
uint32_t
NaCl_crypto_secretbox_open_easy(
uint8_t *m,
uint8_t *c,
uint64_t clen,
uint8_t *n1,
uint8_t *k1
)
{
return Hacl_SecretBox_ZeroPad_crypto_secretbox_open_easy(m, c, clen, n1, k1);
}
uint32_t NaCl_crypto_box_beforenm(uint8_t *k1, uint8_t *pk, uint8_t *sk)
{
return Hacl_Box_ZeroPad_crypto_box_beforenm(k1, pk, sk);
}
uint32_t
NaCl_crypto_box_detached_afternm(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
)
{
return Hacl_Box_ZeroPad_crypto_box_detached_afternm(c, mac, m, mlen, n1, k1);
}
uint32_t
NaCl_crypto_box_detached(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
)
{
return Hacl_Box_ZeroPad_crypto_box_detached(c, mac, m, mlen, n1, pk, sk);
}
uint32_t
NaCl_crypto_box_open_detached(
uint8_t *m,
uint8_t *c,
uint8_t *mac,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
)
{
return Hacl_Box_ZeroPad_crypto_box_open_detached(m, c, mac, mlen, n1, pk, sk);
}
uint32_t
NaCl_crypto_box_easy_afternm(uint8_t *c, uint8_t *m, uint64_t mlen, uint8_t *n1, uint8_t *k1)
{
return Hacl_Box_ZeroPad_crypto_box_easy_afternm(c, m, mlen, n1, k1);
}
uint32_t
NaCl_crypto_box_easy(
uint8_t *c,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
)
{
return Hacl_Box_ZeroPad_crypto_box_easy(c, m, mlen, n1, pk, sk);
}
uint32_t
NaCl_crypto_box_open_easy(
uint8_t *m,
uint8_t *c,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
)
{
return Hacl_Box_ZeroPad_crypto_box_open_easy(m, c, mlen, n1, pk, sk);
}
uint32_t
NaCl_crypto_box_open_detached_afternm(
uint8_t *m,
uint8_t *c,
uint8_t *mac,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
)
{
return Hacl_Box_ZeroPad_crypto_box_open_detached_afternm(m, c, mac, mlen, n1, k1);
}
uint32_t
NaCl_crypto_box_open_easy_afternm(
uint8_t *m,
uint8_t *c,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
)
{
return Hacl_Box_ZeroPad_crypto_box_open_easy_afternm(m, c, mlen, n1, k1);
}

156
vendors/ocaml-hacl/src/NaCl.h vendored Normal file
View File

@ -0,0 +1,156 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#ifndef __NaCl_H
#define __NaCl_H
#include "Hacl_Salsa20.h"
#include "Hacl_Curve25519.h"
#include "Hacl_Poly1305_64.h"
#include "Hacl_Policies.h"
extern Prims_int NaCl_crypto_box_NONCEBYTES;
extern Prims_int NaCl_crypto_box_PUBLICKEYBYTES;
extern Prims_int NaCl_crypto_box_SECRETKEYBYTES;
extern Prims_int NaCl_crypto_box_MACBYTES;
extern Prims_int NaCl_crypto_secretbox_NONCEBYTES;
extern Prims_int NaCl_crypto_secretbox_KEYBYTES;
extern Prims_int NaCl_crypto_secretbox_MACBYTES;
uint32_t
NaCl_crypto_secretbox_detached(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
);
uint32_t
NaCl_crypto_secretbox_open_detached(
uint8_t *m,
uint8_t *c,
uint8_t *mac,
uint64_t clen,
uint8_t *n1,
uint8_t *k1
);
uint32_t
NaCl_crypto_secretbox_easy(uint8_t *c, uint8_t *m, uint64_t mlen, uint8_t *n1, uint8_t *k1);
uint32_t
NaCl_crypto_secretbox_open_easy(
uint8_t *m,
uint8_t *c,
uint64_t clen,
uint8_t *n1,
uint8_t *k1
);
uint32_t NaCl_crypto_box_beforenm(uint8_t *k1, uint8_t *pk, uint8_t *sk);
uint32_t
NaCl_crypto_box_detached_afternm(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
);
uint32_t
NaCl_crypto_box_detached(
uint8_t *c,
uint8_t *mac,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
);
uint32_t
NaCl_crypto_box_open_detached(
uint8_t *m,
uint8_t *c,
uint8_t *mac,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
);
uint32_t
NaCl_crypto_box_easy_afternm(uint8_t *c, uint8_t *m, uint64_t mlen, uint8_t *n1, uint8_t *k1);
uint32_t
NaCl_crypto_box_easy(
uint8_t *c,
uint8_t *m,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
);
uint32_t
NaCl_crypto_box_open_easy(
uint8_t *m,
uint8_t *c,
uint64_t mlen,
uint8_t *n1,
uint8_t *pk,
uint8_t *sk
);
uint32_t
NaCl_crypto_box_open_detached_afternm(
uint8_t *m,
uint8_t *c,
uint8_t *mac,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
);
uint32_t
NaCl_crypto_box_open_easy_afternm(
uint8_t *m,
uint8_t *c,
uint64_t mlen,
uint8_t *n1,
uint8_t *k1
);
#endif

392
vendors/ocaml-hacl/src/hacl.ml vendored Normal file
View File

@ -0,0 +1,392 @@
(* Copyright 2018 Vincent Bernardoff, Marco Stronati.
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
* LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. *)
open EndianBigstring
module Rand = struct
external write : Bigstring.t -> unit =
"ml_randombytes" [@@noalloc]
let gen len =
let buf = Bigstring.create len in
write buf ;
buf
end
module Hash = struct
module type S = sig
val init : Bigstring.t -> unit
val update : Bigstring.t -> Bigstring.t -> unit
val update_last : Bigstring.t -> Bigstring.t -> int -> unit
val finish : Bigstring.t -> Bigstring.t -> unit
val bytes : int
val blockbytes : int
val statebytes : int
end
module Make(S: S) = struct
type state = {
state : Bigstring.t ;
buf : Bigstring.t ;
mutable pos : int ;
}
let init () =
let state = Bigstring.create S.statebytes in
let buf = Bigstring.create S.blockbytes in
S.init state ;
{ state ; buf ; pos = 0 }
let rec update ({ state ; buf ; pos } as st) m p l =
if pos + l < S.blockbytes then begin
Bigstring.blit m p buf pos l ;
st.pos <- st.pos + l
end
else begin
let nb_consumed = S.blockbytes - pos in
Bigstring.blit m p buf pos nb_consumed ;
S.update state buf ;
st.pos <- 0 ;
update st m (p + nb_consumed) (l - nb_consumed)
end
let update st msg =
update st msg 0 (Bigstring.length msg)
let finish { state ; buf ; pos } =
S.update_last state buf pos ;
S.finish state buf ;
Bigstring.sub buf 0 S.bytes
let digest msg =
let st = init () in
update st msg ;
finish st
end
module SHA256 = Make(struct
(* state -> unit *)
external init : Bigstring.t -> unit =
"ml_Hacl_SHA2_256_init" [@@noalloc]
(* state -> data -> unit *)
external update : Bigstring.t -> Bigstring.t -> unit =
"ml_Hacl_SHA2_256_update" [@@noalloc]
(* state -> data -> datalen -> unit *)
external update_last : Bigstring.t -> Bigstring.t -> int -> unit =
"ml_Hacl_SHA2_256_update_last" [@@noalloc]
(* state -> hash *)
external finish : Bigstring.t -> Bigstring.t -> unit =
"ml_Hacl_SHA2_256_finish" [@@noalloc]
let bytes = 32
let blockbytes = 64
let statebytes = 137 * 4
end)
module SHA512 = Make(struct
(* state -> unit *)
external init : Bigstring.t -> unit =
"ml_Hacl_SHA2_512_init" [@@noalloc]
(* state -> data -> unit *)
external update : Bigstring.t -> Bigstring.t -> unit =
"ml_Hacl_SHA2_512_update" [@@noalloc]
(* state -> data -> datalen -> unit *)
external update_last : Bigstring.t -> Bigstring.t -> int -> unit =
"ml_Hacl_SHA2_512_update_last" [@@noalloc]
(* state -> hash *)
external finish : Bigstring.t -> Bigstring.t -> unit =
"ml_Hacl_SHA2_512_finish" [@@noalloc]
let bytes = 64
let blockbytes = 128
let statebytes = 169 * 4
end)
module HMAC_SHA256 = struct
(* mac -> key -> data *)
external hmac :
Bigstring.t -> Bigstring.t -> Bigstring.t -> unit =
"ml_Hacl_HMAC_SHA2_256_hmac" [@@noalloc]
let write_hmac ~key ~msg buf =
if Bigstring.length buf < 32 then
invalid_arg (Printf.sprintf "Hash.write_hmac_sha156: invalid len \
%d" 32) ;
hmac buf key msg
let hmac ~key ~msg =
let buf = Bigstring.create 32 in
write_hmac ~key ~msg buf ;
buf
end
end
module Nonce = struct
type t = Bigstring.t
let bytes = 24
let gen () =
Rand.gen bytes
let rec incr_byte b step byteno =
let res = BigEndian.get_uint16 b byteno + step in
let lo = res land 0xffff in
let hi = res asr 16 in
BigEndian.set_int16 b byteno lo ;
if hi = 0 || byteno = 0 then ()
else incr_byte b hi (byteno - 2)
let increment ?(step = 1) nonce =
let new_nonce = Bigstring.create 24 in
Bigstring.blit nonce 0 new_nonce 0 24 ;
incr_byte new_nonce step 22 ;
new_nonce
end
module Secretbox = struct
type key = Bigstring.t
let keybytes = 32
let zerobytes = 32
let boxzerobytes = 16
let unsafe_of_bytes buf =
if Bigstring.length buf <> keybytes then
invalid_arg (Printf.sprintf "Secretbox.unsafe_of_bytes: buffer \
must be %d bytes long" keybytes) ;
buf
let blit_of_bytes buf pos =
if Bigstring.length buf < keybytes then
invalid_arg (Printf.sprintf "Secretbox.blit_of_bytes: buffer \
must be at least %d bytes long" keybytes) ;
let key = Bigstring.create keybytes in
Bigstring.blit buf pos key 0 keybytes ;
key
let genkey () = Rand.gen 32
(* c -> m -> n -> k -> unit *)
external box :
Bigstring.t -> Bigstring.t -> Bigstring.t -> Bigstring.t -> unit =
"ml_NaCl_crypto_secretbox_easy" [@@noalloc]
(* m -> c -> mac -> n -> k -> int *)
external box_open :
Bigstring.t -> Bigstring.t -> Bigstring.t ->
Bigstring.t -> Bigstring.t -> int =
"ml_NaCl_crypto_secretbox_open_detached" [@@noalloc]
let box ~key ~nonce ~msg ~cmsg =
box cmsg msg nonce key
let box_open ~key ~nonce ~cmsg ~msg =
let mac = Bigstring.sub cmsg boxzerobytes boxzerobytes in
match box_open msg cmsg mac nonce key with
| 0 -> true
| _ -> false
end
type secret
type public
module Box = struct
type combined
type _ key =
| Sk : Bigstring.t -> secret key
| Pk : Bigstring.t -> public key
| Ck : Bigstring.t -> combined key
let skbytes = 32
let pkbytes = 32
let ckbytes = 32
let zerobytes = 32
let boxzerobytes = 16
let unsafe_to_bytes : type a. a key -> Bigstring.t = function
| Pk buf -> buf
| Sk buf -> buf
| Ck buf -> buf
let blit_to_bytes :
type a. a key -> ?pos:int -> Bigstring.t -> unit = fun key ?(pos=0) buf ->
match key with
| Pk pk -> Bigstring.blit pk 0 buf pos pkbytes
| Sk sk -> Bigstring.blit sk 0 buf pos skbytes
| Ck ck -> Bigstring.blit ck 0 buf pos ckbytes
let equal :
type a. a key -> a key -> bool = fun a b -> match a, b with
| Pk a, Pk b -> Bigstring.equal a b
| Sk a, Sk b -> Bigstring.equal a b
| Ck a, Ck b -> Bigstring.equal a b
let unsafe_sk_of_bytes buf =
if Bigstring.length buf <> skbytes then
invalid_arg (Printf.sprintf "Box.unsafe_sk_of_bytes: buffer must \
be %d bytes long" skbytes) ;
Sk buf
let unsafe_pk_of_bytes buf =
if Bigstring.length buf <> pkbytes then
invalid_arg (Printf.sprintf "Box.unsafe_pk_of_bytes: buffer must \
be %d bytes long" pkbytes) ;
Pk buf
let unsafe_ck_of_bytes buf =
if Bigstring.length buf <> ckbytes then
invalid_arg (Printf.sprintf "Box.unsafe_ck_of_bytes: buffer must \
be %d bytes long" ckbytes) ;
Ck buf
let of_seed ?(pos=0) buf =
let buflen = Bigstring.length buf in
if pos < 0 || pos + skbytes > buflen then
invalid_arg (Printf.sprintf "Box.of_seed: invalid pos (%d) or \
buffer size (%d)" pos buflen) ;
let sk = Bigstring.create skbytes in
Bigstring.blit buf pos sk 0 skbytes ;
Sk sk
let basepoint =
Bigstring.init 32 (function 0 -> '\x09' | _ -> '\x00')
(* pk -> sk -> basepoint -> unit *)
external scalarmult :
Bigstring.t -> Bigstring.t -> Bigstring.t -> unit =
"ml_Hacl_Curve25519_crypto_scalarmult" [@@noalloc]
let neuterize (Sk sk) =
let pk = Bigstring.create pkbytes in
scalarmult pk sk basepoint ;
Pk pk
let keypair () =
let sk = Sk (Rand.gen skbytes) in
neuterize sk, sk
(* ck -> pk -> sk -> unit *)
external box_beforenm :
Bigstring.t -> Bigstring.t -> Bigstring.t -> unit =
"ml_NaCl_crypto_box_beforenm" [@@noalloc]
let dh (Pk pk) (Sk sk) =
let combined = Bigstring.create ckbytes in
box_beforenm combined pk sk ;
Ck combined
(* cmsg -> msg -> nonce -> k -> unit *)
external box_easy_afternm :
Bigstring.t -> Bigstring.t -> Bigstring.t -> Bigstring.t -> unit =
"ml_NaCl_crypto_box_easy_afternm" [@@noalloc]
let box ~k:(Ck k) ~nonce ~msg ~cmsg =
box_easy_afternm cmsg msg nonce k
(* msg -> cmsg -> n -> k -> int *)
external box_open_easy_afternm :
Bigstring.t -> Bigstring.t -> Bigstring.t -> Bigstring.t -> int =
"ml_NaCl_crypto_box_open_easy_afternm" [@@noalloc]
let box_open ~k:(Ck k) ~nonce ~cmsg ~msg =
match box_open_easy_afternm msg cmsg nonce k with
| 0 -> true
| _ -> false
end
module Sign = struct
type _ key =
| Sk : Bigstring.t -> secret key
| Pk : Bigstring.t -> public key
let bytes = 64
let pkbytes = 32
let skbytes = 32
let unsafe_to_bytes : type a. a key -> Bigstring.t = function
| Pk buf -> buf
| Sk buf -> buf
let unsafe_sk_of_bytes seed =
if Bigstring.length seed <> skbytes then
invalid_arg (Printf.sprintf "Sign.unsafe_sk_of_bytes: sk must \
be at least %d bytes long" skbytes) ;
Sk seed
let unsafe_pk_of_bytes pk =
if Bigstring.length pk <> pkbytes then
invalid_arg (Printf.sprintf "Sign.unsafe_pk_of_bytes: pk must be \
at least %d bytes long" pkbytes) ;
Pk pk
let blit_to_bytes :
type a. a key -> ?pos:int -> Bigstring.t -> unit = fun key ?(pos=0) buf ->
match key with
| Pk pk -> Bigstring.blit pk 0 buf pos pkbytes
| Sk sk -> Bigstring.blit sk 0 buf pos skbytes
let equal :
type a. a key -> a key -> bool = fun a b -> match a, b with
| Pk a, Pk b -> Bigstring.equal a b
| Sk a, Sk b -> Bigstring.equal a b
(* pk -> sk -> unit *)
external neuterize :
Bigstring.t -> Bigstring.t -> unit =
"ml_Hacl_Ed25519_secret_to_public" [@@noalloc]
let neuterize : type a. a key -> public key = function
| Pk pk -> Pk pk
| Sk sk ->
let pk = Bigstring.create pkbytes in
neuterize pk sk ;
Pk pk
let keypair () =
let sk = Sk (Rand.gen skbytes) in
neuterize sk, sk
(* sig -> sk -> m -> unit *)
external sign :
Bigstring.t -> Bigstring.t -> Bigstring.t -> unit =
"ml_Hacl_Ed25519_sign" [@@noalloc]
let sign ~sk:(Sk sk) ~msg ~signature =
if Bigstring.length signature < bytes then
invalid_arg (Printf.sprintf "Sign.write_sign: output buffer must \
be at least %d bytes long" bytes) ;
sign signature sk msg
(* pk -> m -> sig -> bool *)
external verify :
Bigstring.t -> Bigstring.t -> Bigstring.t -> bool =
"ml_Hacl_Ed25519_verify" [@@noalloc]
let verify ~pk:(Pk pk) ~msg ~signature =
verify pk msg signature
end

181
vendors/ocaml-hacl/src/hacl.mli vendored Normal file
View File

@ -0,0 +1,181 @@
(* Copyright 2018 Vincent Bernardoff, Marco Stronati.
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
* LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. *)
module Rand : sig
val write : Bigstring.t -> unit
(** [write buf] writes random bytes on [buf]. *)
val gen : int -> Bigstring.t
(** [gen len] is a random buffer of length [len]. *)
end
module Hash : sig
module SHA256 : sig
type state
(** Incremental Interface *)
val init : unit -> state
val update : state -> Bigstring.t -> unit
val finish : state -> Bigstring.t
(** Direct Interface *)
val digest : Bigstring.t -> Bigstring.t
end
module SHA512 : sig
type state
(** Incremental Interface *)
val init : unit -> state
val update : state -> Bigstring.t -> unit
val finish : state -> Bigstring.t
(** Direct Interface *)
val digest : Bigstring.t -> Bigstring.t
end
module HMAC_SHA256 : sig
val write_hmac :
key:Bigstring.t -> msg:Bigstring.t -> Bigstring.t -> unit
(** @raise [Invalid_argument] if argument is less than 32 bytes long *)
val hmac :
key:Bigstring.t -> msg:Bigstring.t -> Bigstring.t
end
end
module Nonce : sig
type t = Bigstring.t
val bytes : int
val gen : unit -> t
val increment : ?step:int -> t -> t
end
module Secretbox : sig
type key
val keybytes : int
val zerobytes : int
val boxzerobytes : int
val unsafe_of_bytes : Bigstring.t -> key
(** @raise [Invalid_argument] if argument is not [keybytes] bytes long *)
val blit_of_bytes : Bigstring.t -> int -> key
(** @raise [Invalid_argument] if argument is not [keybytes] bytes long *)
val genkey : unit -> key
val box :
key:key -> nonce:Bigstring.t ->
msg:Bigstring.t -> cmsg:Bigstring.t -> unit
val box_open :
key:key -> nonce:Bigstring.t ->
cmsg:Bigstring.t -> msg:Bigstring.t -> bool
end
type secret
type public
module Box : sig
type combined
type _ key
val skbytes : int
val pkbytes : int
val ckbytes : int
val zerobytes : int
val boxzerobytes : int
val equal : 'a key -> 'a key -> bool
val unsafe_to_bytes : _ key -> Bigstring.t
(** [unsafe_to_bytes k] is the internal [Bigstring.t] where the key
is stored. DO NOT MODIFY. *)
val blit_to_bytes : _ key -> ?pos:int -> Bigstring.t -> unit
val unsafe_sk_of_bytes : Bigstring.t -> secret key
(** @raise [Invalid_argument] if argument is not [skbytes] bytes long *)
val unsafe_pk_of_bytes : Bigstring.t -> public key
(** @raise [Invalid_argument] if argument is not [pkbytes] bytes long *)
val unsafe_ck_of_bytes : Bigstring.t -> combined key
(** @raise [Invalid_argument] if argument is not [ckbytes] bytes long *)
val of_seed : ?pos:int -> Bigstring.t -> secret key
(** @raise [Invalid_argument] if [pos] is outside the buffer or the buffer
is less than [skbytes] bytes long *)
val neuterize : secret key -> public key
val keypair : unit -> public key * secret key
val dh : public key -> secret key -> combined key
val box :
k:combined key -> nonce:Bigstring.t ->
msg:Bigstring.t -> cmsg:Bigstring.t -> unit
val box_open :
k:combined key -> nonce:Bigstring.t ->
cmsg:Bigstring.t -> msg:Bigstring.t -> bool
end
module Sign : sig
type _ key
val bytes : int
val pkbytes : int
val skbytes : int
val equal : 'a key -> 'a key -> bool
val unsafe_sk_of_bytes : Bigstring.t -> secret key
(** @raise [Invalid_argument] if argument is less than [skbytes] bytes long *)
val unsafe_pk_of_bytes : Bigstring.t -> public key
(** @raise [Invalid_argument] if argument is less than [pkbytes] bytes long *)
val unsafe_to_bytes : _ key -> Bigstring.t
(** [unsafe_to_bytes k] is the internal [Bigstring.t] where the key
is stored. DO NOT MODIFY. *)
val blit_to_bytes : _ key -> ?pos:int -> Bigstring.t -> unit
val neuterize : _ key -> public key
val keypair : unit -> public key * secret key
val sign :
sk:secret key -> msg:Bigstring.t -> signature:Bigstring.t -> unit
(** [sign sk msg buf] writes the signature of [msg] with [sk] at
[buf].
@raises [Invalid_argument] if [buf] is smaller than [bytes]
bytes long. *)
val verify :
pk:public key -> msg:Bigstring.t -> signature:Bigstring.t -> bool
end

165
vendors/ocaml-hacl/src/hacl_stubs.c vendored Normal file
View File

@ -0,0 +1,165 @@
/* Copyright 2018 Vincent Bernardoff, Marco Stronati.
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
* LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#include <caml/mlvalues.h>
#include <caml/bigarray.h>
#include "Hacl_Unverified_Random.h"
CAMLprim value ml_randombytes(value buf) {
randombytes(Caml_ba_data_val(buf),
Caml_ba_array_val(buf)->dim[0]);
return Val_unit;
}
#include "Hacl_HMAC_SHA2_256.h"
CAMLprim value ml_Hacl_HMAC_SHA2_256_hmac(value mac, value key, value data) {
Hacl_HMAC_SHA2_256_hmac(Caml_ba_data_val(mac),
Caml_ba_data_val(key),
Caml_ba_array_val(key)->dim[0],
Caml_ba_data_val(data),
Caml_ba_array_val(data)->dim[0]);
return Val_unit;
}
#include "Hacl_SHA2_256.h"
CAMLprim value ml_Hacl_SHA2_256_init(value state) {
Hacl_SHA2_256_init(Caml_ba_data_val(state));
return Val_unit;
}
CAMLprim value ml_Hacl_SHA2_256_update(value state, value data) {
Hacl_SHA2_256_update(Caml_ba_data_val(state),
Caml_ba_data_val(data));
return Val_unit;
}
CAMLprim value ml_Hacl_SHA2_256_update_last(value state, value data, value datalen) {
Hacl_SHA2_256_update_last(Caml_ba_data_val(state),
Caml_ba_data_val(data),
Int_val(datalen));
return Val_unit;
}
CAMLprim value ml_Hacl_SHA2_256_finish(value state, value hash) {
Hacl_SHA2_256_finish(Caml_ba_data_val(state),
Caml_ba_data_val(hash));
return Val_unit;
}
#include "Hacl_SHA2_512.h"
CAMLprim value ml_Hacl_SHA2_512_init(value state) {
Hacl_SHA2_512_init(Caml_ba_data_val(state));
return Val_unit;
}
CAMLprim value ml_Hacl_SHA2_512_update(value state, value data) {
Hacl_SHA2_512_update(Caml_ba_data_val(state),
Caml_ba_data_val(data));
return Val_unit;
}
CAMLprim value ml_Hacl_SHA2_512_update_last(value state, value data, value datalen) {
Hacl_SHA2_512_update_last(Caml_ba_data_val(state),
Caml_ba_data_val(data),
Int_val(datalen));
return Val_unit;
}
CAMLprim value ml_Hacl_SHA2_512_finish(value state, value hash) {
Hacl_SHA2_512_finish(Caml_ba_data_val(state),
Caml_ba_data_val(hash));
return Val_unit;
}
#include "Hacl_Curve25519.h"
CAMLprim value ml_Hacl_Curve25519_crypto_scalarmult(value pk, value sk, value basepoint) {
Hacl_Curve25519_crypto_scalarmult(Caml_ba_data_val(pk),
Caml_ba_data_val(sk),
Caml_ba_data_val(basepoint));
return Val_unit;
}
#include "NaCl.h"
CAMLprim value ml_NaCl_crypto_secretbox_easy(value c, value m, value n, value k) {
NaCl_crypto_secretbox_easy(Caml_ba_data_val(c),
Caml_ba_data_val(m),
Caml_ba_array_val(m)->dim[0] - 32,
Caml_ba_data_val(n),
Caml_ba_data_val(k));
return Val_unit;
}
CAMLprim value ml_NaCl_crypto_secretbox_open_detached(value m, value c, value mac,
value n, value k) {
return Val_int(NaCl_crypto_secretbox_open_detached(Caml_ba_data_val(m),
Caml_ba_data_val(c),
Caml_ba_data_val(mac),
Caml_ba_array_val(c)->dim[0] - 32,
Caml_ba_data_val(n),
Caml_ba_data_val(k)));
}
CAMLprim value ml_NaCl_crypto_box_beforenm(value k, value pk, value sk) {
NaCl_crypto_box_beforenm(Caml_ba_data_val(k),
Caml_ba_data_val(pk),
Caml_ba_data_val(sk));
return Val_unit;
}
CAMLprim value ml_NaCl_crypto_box_easy_afternm(value c, value m, value n, value k) {
NaCl_crypto_box_easy_afternm(Caml_ba_data_val(c),
Caml_ba_data_val(m),
Caml_ba_array_val(m)->dim[0] - 32,
Caml_ba_data_val(n),
Caml_ba_data_val(k));
return Val_unit;
}
CAMLprim value ml_NaCl_crypto_box_open_easy_afternm(value m, value c, value n, value k) {
return Val_int(NaCl_crypto_box_open_easy_afternm(Caml_ba_data_val(m),
Caml_ba_data_val(c),
Caml_ba_array_val(c)->dim[0] - 32,
Caml_ba_data_val(n),
Caml_ba_data_val(k)));
}
#include "Hacl_Ed25519.h"
CAMLprim value ml_Hacl_Ed25519_secret_to_public(value pk, value sk) {
Hacl_Ed25519_secret_to_public(Caml_ba_data_val(pk),
Caml_ba_data_val(sk));
return Val_unit;
}
CAMLprim value ml_Hacl_Ed25519_sign(value sig, value sk, value m) {
Hacl_Ed25519_sign(Caml_ba_data_val(sig),
Caml_ba_data_val(sk),
Caml_ba_data_val(m),
Caml_ba_array_val(m)->dim[0]);
return Val_unit;
}
CAMLprim value ml_Hacl_Ed25519_verify(value pk, value m, value sig) {
return Val_bool(Hacl_Ed25519_verify(Caml_ba_data_val(pk),
Caml_ba_data_val(m),
Caml_ba_array_val(m)->dim[0],
Caml_ba_data_val(sig)));
}

26
vendors/ocaml-hacl/src/jbuild vendored Normal file
View File

@ -0,0 +1,26 @@
(jbuild_version 1)
(library
((name hacl)
(public_name hacl)
(libraries (bigstring ocplib-endian.bigstring zarith))
(c_names (hacl_stubs
kremlib
FStar
Hacl_Policies
AEAD_Poly1305_64
Hacl_Chacha20
Hacl_Chacha20Poly1305
Hacl_Curve25519
Hacl_Ed25519
Hacl_Poly1305_32
Hacl_Poly1305_64
Hacl_SHA2_256
Hacl_SHA2_384
Hacl_SHA2_512
Hacl_HMAC_SHA2_256
Hacl_Salsa20
NaCl
Hacl_Unverified_Random))
(c_flags (-O3 -Wall -Werror -Wfatal-errors))
))

39
vendors/ocaml-hacl/src/kremlib.c vendored Normal file
View File

@ -0,0 +1,39 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "kremlib.h"
#include <stdlib.h>
int exit_success = EXIT_SUCCESS;
int exit_failure = EXIT_FAILURE;
void print_string(const char *s) {
printf("%s", s);
}
void print_bytes(uint8_t *b, uint32_t len) {
uint32_t i;
for (i = 0; i < len; i++){
printf("%02x", b[i]);
}
printf("\n");
}

569
vendors/ocaml-hacl/src/kremlib.h vendored Normal file
View File

@ -0,0 +1,569 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef __KREMLIB_H
#define __KREMLIB_H
#include "kremlib_base.h"
/* For tests only: we might need this function to be forward-declared, because
* the dependency on WasmSupport appears very late, after SimplifyWasm, and
* sadly, after the topological order has been done. */
void WasmSupport_check_buffer_size(uint32_t s);
/******************************************************************************/
/* Stubs to ease compilation of non-Low* code */
/******************************************************************************/
/* Some types that KreMLin has no special knowledge of; many of them appear in
* signatures of ghost functions, meaning that it suffices to give them (any)
* definition. */
typedef void *FStar_Seq_Base_seq, *Prims_prop, *FStar_HyperStack_mem,
*FStar_Set_set, *Prims_st_pre_h, *FStar_Heap_heap, *Prims_all_pre_h,
*FStar_TSet_set, *Prims_list, *FStar_Map_t, *FStar_UInt63_t_,
*FStar_Int63_t_, *FStar_UInt63_t, *FStar_Int63_t, *FStar_UInt_uint_t,
*FStar_Int_int_t, *FStar_HyperStack_stackref, *FStar_Bytes_bytes,
*FStar_HyperHeap_rid, *FStar_Heap_aref, *FStar_Monotonic_Heap_heap,
*FStar_Monotonic_Heap_aref, *FStar_Monotonic_HyperHeap_rid,
*FStar_Monotonic_HyperStack_mem, *FStar_Char_char_;
typedef const char *Prims_string;
/* For "bare" targets that do not have a C stdlib, the user might want to use
* [-add-include '"mydefinitions.h"'] and override these. */
#ifndef KRML_HOST_PRINTF
# define KRML_HOST_PRINTF printf
#endif
#ifndef KRML_HOST_EXIT
# define KRML_HOST_EXIT exit
#endif
#ifndef KRML_HOST_MALLOC
# define KRML_HOST_MALLOC malloc
#endif
/* In statement position, exiting is easy. */
#define KRML_EXIT \
do { \
KRML_HOST_PRINTF("Unimplemented function at %s:%d\n", __FILE__, __LINE__); \
KRML_HOST_EXIT(254); \
} while (0)
/* In expression position, use the comma-operator and a malloc to return an
* expression of the right size. KreMLin passes t as the parameter to the macro.
*/
#define KRML_EABORT(t, msg) \
(KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, msg), \
KRML_HOST_EXIT(255), *((t *)KRML_HOST_MALLOC(sizeof(t))))
/* In FStar.Buffer.fst, the size of arrays is uint32_t, but it's a number of
* *elements*. Do an ugly, run-time check (some of which KreMLin can eliminate).
*/
#define KRML_CHECK_SIZE(elt, size) \
if (((size_t)size) > SIZE_MAX / sizeof(elt)) { \
KRML_HOST_PRINTF( \
"Maximum allocatable size exceeded, aborting before overflow at " \
"%s:%d\n", \
__FILE__, __LINE__); \
KRML_HOST_EXIT(253); \
}
/* A series of GCC atrocities to trace function calls (kremlin's [-d c-calls]
* option). Useful when trying to debug, say, Wasm, to compare traces. */
/* clang-format off */
#ifdef __GNUC__
#define KRML_FORMAT(X) _Generic((X), \
uint8_t : "0x%08" PRIx8, \
uint16_t: "0x%08" PRIx16, \
uint32_t: "0x%08" PRIx32, \
uint64_t: "0x%08" PRIx64, \
int8_t : "0x%08" PRIx8, \
int16_t : "0x%08" PRIx16, \
int32_t : "0x%08" PRIx32, \
int64_t : "0x%08" PRIx64, \
default : "%s")
#define KRML_FORMAT_ARG(X) _Generic((X), \
uint8_t : X, \
uint16_t: X, \
uint32_t: X, \
uint64_t: X, \
int8_t : X, \
int16_t : X, \
int32_t : X, \
int64_t : X, \
default : "unknown")
/* clang-format on */
# define KRML_DEBUG_RETURN(X) \
({ \
__auto_type _ret = (X); \
KRML_HOST_PRINTF("returning: "); \
KRML_HOST_PRINTF(KRML_FORMAT(_ret), KRML_FORMAT_ARG(_ret)); \
KRML_HOST_PRINTF(" \n"); \
_ret; \
})
#endif
#define FStar_Buffer_eqb(b1, b2, n) \
(memcmp((b1), (b2), (n) * sizeof((b1)[0])) == 0)
/* Stubs to make ST happy. Important note: you must generate a use of the macro
* argument, otherwise, you may have FStar_ST_recall(f) as the only use of f;
* KreMLin will think that this is a valid use, but then the C compiler, after
* macro expansion, will error out. */
#define FStar_HyperHeap_root 0
#define FStar_Pervasives_Native_fst(x) (x).fst
#define FStar_Pervasives_Native_snd(x) (x).snd
#define FStar_Seq_Base_createEmpty(x) 0
#define FStar_Seq_Base_create(len, init) 0
#define FStar_Seq_Base_upd(s, i, e) 0
#define FStar_Seq_Base_eq(l1, l2) 0
#define FStar_Seq_Base_length(l1) 0
#define FStar_Seq_Base_append(x, y) 0
#define FStar_Seq_Base_slice(x, y, z) 0
#define FStar_Seq_Properties_snoc(x, y) 0
#define FStar_Seq_Properties_cons(x, y) 0
#define FStar_Seq_Base_index(x, y) 0
#define FStar_HyperStack_is_eternal_color(x) 0
#define FStar_Monotonic_HyperHeap_root 0
#define FStar_Buffer_to_seq_full(x) 0
#define FStar_Buffer_recall(x)
#define FStar_HyperStack_ST_op_Colon_Equals(x, v) KRML_EXIT
#define FStar_HyperStack_ST_op_Bang(x) 0
#define FStar_HyperStack_ST_salloc(x) 0
#define FStar_HyperStack_ST_ralloc(x, y) 0
#define FStar_HyperStack_ST_new_region(x) (0)
#define FStar_Monotonic_RRef_m_alloc(x) \
{ 0 }
#define FStar_HyperStack_ST_recall(x) \
do { \
(void)(x); \
} while (0)
#define FStar_HyperStack_ST_recall_region(x) \
do { \
(void)(x); \
} while (0)
#define FStar_Monotonic_RRef_m_recall(x1, x2) \
do { \
(void)(x1); \
(void)(x2); \
} while (0)
#define FStar_Monotonic_RRef_m_write(x1, x2, x3, x4, x5) \
do { \
(void)(x1); \
(void)(x2); \
(void)(x3); \
(void)(x4); \
(void)(x5); \
} while (0)
/******************************************************************************/
/* Endian-ness macros that can only be implemented in C */
/******************************************************************************/
/* ... for Linux */
#if defined(__linux__) || defined(__CYGWIN__)
# include <endian.h>
/* ... for OSX */
#elif defined(__APPLE__)
# include <libkern/OSByteOrder.h>
# define htole64(x) OSSwapHostToLittleInt64(x)
# define le64toh(x) OSSwapLittleToHostInt64(x)
# define htobe64(x) OSSwapHostToBigInt64(x)
# define be64toh(x) OSSwapBigToHostInt64(x)
# define htole16(x) OSSwapHostToLittleInt16(x)
# define le16toh(x) OSSwapLittleToHostInt16(x)
# define htobe16(x) OSSwapHostToBigInt16(x)
# define be16toh(x) OSSwapBigToHostInt16(x)
# define htole32(x) OSSwapHostToLittleInt32(x)
# define le32toh(x) OSSwapLittleToHostInt32(x)
# define htobe32(x) OSSwapHostToBigInt32(x)
# define be32toh(x) OSSwapBigToHostInt32(x)
/* ... for Solaris */
#elif defined(__sun__)
# include <sys/byteorder.h>
# define htole64(x) LE_64(x)
# define le64toh(x) LE_64(x)
# define htobe64(x) BE_64(x)
# define be64toh(x) BE_64(x)
# define htole16(x) LE_16(x)
# define le16toh(x) LE_16(x)
# define htobe16(x) BE_16(x)
# define be16toh(x) BE_16(x)
# define htole32(x) LE_32(x)
# define le32toh(x) LE_32(x)
# define htobe32(x) BE_32(x)
# define be32toh(x) BE_32(x)
/* ... for the BSDs */
#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
# include <sys/endian.h>
#elif defined(__OpenBSD__)
# include <endian.h>
/* ... for Windows (MSVC)... not targeting XBOX 360! */
#elif defined(_MSC_VER)
# include <stdlib.h>
# define htobe16(x) _byteswap_ushort(x)
# define htole16(x) (x)
# define be16toh(x) _byteswap_ushort(x)
# define le16toh(x) (x)
# define htobe32(x) _byteswap_ulong(x)
# define htole32(x) (x)
# define be32toh(x) _byteswap_ulong(x)
# define le32toh(x) (x)
# define htobe64(x) _byteswap_uint64(x)
# define htole64(x) (x)
# define be64toh(x) _byteswap_uint64(x)
# define le64toh(x) (x)
/* ... for Windows (GCC-like, e.g. mingw or clang) */
#elif (defined(_WIN32) || defined(_WIN64)) && \
(defined(__GNUC__) || defined(__clang__))
# define htobe16(x) __builtin_bswap16(x)
# define htole16(x) (x)
# define be16toh(x) __builtin_bswap16(x)
# define le16toh(x) (x)
# define htobe32(x) __builtin_bswap32(x)
# define htole32(x) (x)
# define be32toh(x) __builtin_bswap32(x)
# define le32toh(x) (x)
# define htobe64(x) __builtin_bswap64(x)
# define htole64(x) (x)
# define be64toh(x) __builtin_bswap64(x)
# define le64toh(x) (x)
/* ... generic big-endian fallback code */
#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
/* byte swapping code inspired by:
* https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h
* */
# define htobe32(x) (x)
# define be32toh(x) (x)
# define htole32(x) \
(__extension__({ \
uint32_t _temp = (x); \
((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \
((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \
}))
# define le32toh(x) (htole32((x)))
# define htobe64(x) (x)
# define be64toh(x) (x)
# define htole64(x) \
(__extension__({ \
uint64_t __temp = (x); \
uint32_t __low = htobe32((uint32_t)__temp); \
uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \
(((uint64_t)__low) << 32) | __high; \
}))
# define le64toh(x) (htole64((x)))
/* ... generic little-endian fallback code */
#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
# define htole32(x) (x)
# define le32toh(x) (x)
# define htobe32(x) \
(__extension__({ \
uint32_t _temp = (x); \
((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \
((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \
}))
# define be32toh(x) (htobe32((x)))
# define htole64(x) (x)
# define le64toh(x) (x)
# define htobe64(x) \
(__extension__({ \
uint64_t __temp = (x); \
uint32_t __low = htobe32((uint32_t)__temp); \
uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \
(((uint64_t)__low) << 32) | __high; \
}))
# define be64toh(x) (htobe64((x)))
/* ... couldn't determine endian-ness of the target platform */
#else
# error "Please define __BYTE_ORDER__!"
#endif /* defined(__linux__) || ... */
/* Loads and stores. These avoid undefined behavior due to unaligned memory
* accesses, via memcpy. */
inline static uint16_t load16(uint8_t *b) {
uint16_t x;
memcpy(&x, b, 2);
return x;
}
inline static uint32_t load32(uint8_t *b) {
uint32_t x;
memcpy(&x, b, 4);
return x;
}
inline static uint64_t load64(uint8_t *b) {
uint64_t x;
memcpy(&x, b, 8);
return x;
}
inline static void store16(uint8_t *b, uint16_t i) { memcpy(b, &i, 2); }
inline static void store32(uint8_t *b, uint32_t i) { memcpy(b, &i, 4); }
inline static void store64(uint8_t *b, uint64_t i) { memcpy(b, &i, 8); }
#define load16_le(b) (le16toh(load16(b)))
#define store16_le(b, i) (store16(b, htole16(i)))
#define load16_be(b) (be16toh(load16(b)))
#define store16_be(b, i) (store16(b, htobe16(i)))
#define load32_le(b) (le32toh(load32(b)))
#define store32_le(b, i) (store32(b, htole32(i)))
#define load32_be(b) (be32toh(load32(b)))
#define store32_be(b, i) (store32(b, htobe32(i)))
#define load64_le(b) (le64toh(load64(b)))
#define store64_le(b, i) (store64(b, htole64(i)))
#define load64_be(b) (be64toh(load64(b)))
#define store64_be(b, i) (store64(b, htobe64(i)))
/******************************************************************************/
/* Checked integers to ease the compilation of non-Low* code */
/******************************************************************************/
typedef int32_t Prims_pos, Prims_nat, Prims_nonzero, Prims_int,
krml_checked_int_t;
inline static bool Prims_op_GreaterThanOrEqual(int32_t x, int32_t y) {
return x >= y;
}
inline static bool Prims_op_LessThanOrEqual(int32_t x, int32_t y) {
return x <= y;
}
inline static bool Prims_op_GreaterThan(int32_t x, int32_t y) { return x > y; }
inline static bool Prims_op_LessThan(int32_t x, int32_t y) { return x < y; }
#define RETURN_OR(x) \
do { \
int64_t __ret = x; \
if (__ret < INT32_MIN || INT32_MAX < __ret) { \
KRML_HOST_PRINTF("Prims.{int,nat,pos} integer overflow at %s:%d\n", \
__FILE__, __LINE__); \
KRML_HOST_EXIT(252); \
} \
return (int32_t)__ret; \
} while (0)
inline static int32_t Prims_pow2(int32_t x) {
RETURN_OR((int64_t)1 << (int64_t)x);
}
inline static int32_t Prims_op_Multiply(int32_t x, int32_t y) {
RETURN_OR((int64_t)x * (int64_t)y);
}
inline static int32_t Prims_op_Addition(int32_t x, int32_t y) {
RETURN_OR((int64_t)x + (int64_t)y);
}
inline static int32_t Prims_op_Subtraction(int32_t x, int32_t y) {
RETURN_OR((int64_t)x - (int64_t)y);
}
inline static int32_t Prims_op_Division(int32_t x, int32_t y) {
RETURN_OR((int64_t)x / (int64_t)y);
}
inline static int32_t Prims_op_Modulus(int32_t x, int32_t y) {
RETURN_OR((int64_t)x % (int64_t)y);
}
inline static int8_t FStar_UInt8_uint_to_t(int8_t x) { return x; }
inline static int16_t FStar_UInt16_uint_to_t(int16_t x) { return x; }
inline static int32_t FStar_UInt32_uint_to_t(int32_t x) { return x; }
inline static int64_t FStar_UInt64_uint_to_t(int64_t x) { return x; }
inline static int8_t FStar_UInt8_v(int8_t x) { return x; }
inline static int16_t FStar_UInt16_v(int16_t x) { return x; }
inline static int32_t FStar_UInt32_v(int32_t x) { return x; }
inline static int64_t FStar_UInt64_v(int64_t x) { return x; }
/* Platform-specific 128-bit arithmetic. These are static functions in a header,
* so that each translation unit gets its own copy and the C compiler can
* optimize. */
#ifndef KRML_NOUINT128
typedef unsigned __int128 FStar_UInt128_t, FStar_UInt128_t_, uint128_t;
static inline void print128(const char *where, uint128_t n) {
KRML_HOST_PRINTF("%s: [%" PRIu64 ",%" PRIu64 "]\n", where,
(uint64_t)(n >> 64), (uint64_t)n);
}
static inline uint128_t load128_le(uint8_t *b) {
uint128_t l = (uint128_t)load64_le(b);
uint128_t h = (uint128_t)load64_le(b + 8);
return (h << 64 | l);
}
static inline void store128_le(uint8_t *b, uint128_t n) {
store64_le(b, (uint64_t)n);
store64_le(b + 8, (uint64_t)(n >> 64));
}
static inline uint128_t load128_be(uint8_t *b) {
uint128_t h = (uint128_t)load64_be(b);
uint128_t l = (uint128_t)load64_be(b + 8);
return (h << 64 | l);
}
static inline void store128_be(uint8_t *b, uint128_t n) {
store64_be(b, (uint64_t)(n >> 64));
store64_be(b + 8, (uint64_t)n);
}
# define FStar_UInt128_add(x, y) ((x) + (y))
# define FStar_UInt128_mul(x, y) ((x) * (y))
# define FStar_UInt128_add_mod(x, y) ((x) + (y))
# define FStar_UInt128_sub(x, y) ((x) - (y))
# define FStar_UInt128_sub_mod(x, y) ((x) - (y))
# define FStar_UInt128_logand(x, y) ((x) & (y))
# define FStar_UInt128_logor(x, y) ((x) | (y))
# define FStar_UInt128_logxor(x, y) ((x) ^ (y))
# define FStar_UInt128_lognot(x) (~(x))
# define FStar_UInt128_shift_left(x, y) ((x) << (y))
# define FStar_UInt128_shift_right(x, y) ((x) >> (y))
# define FStar_UInt128_uint64_to_uint128(x) ((uint128_t)(x))
# define FStar_UInt128_uint128_to_uint64(x) ((uint64_t)(x))
# define FStar_UInt128_mul_wide(x, y) ((uint128_t)(x) * (y))
# define FStar_UInt128_op_Hat_Hat(x, y) ((x) ^ (y))
static inline uint128_t FStar_UInt128_eq_mask(uint128_t x, uint128_t y) {
uint64_t mask =
FStar_UInt64_eq_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)) &
FStar_UInt64_eq_mask(x, y);
return ((uint128_t)mask) << 64 | mask;
}
static inline uint128_t FStar_UInt128_gte_mask(uint128_t x, uint128_t y) {
uint64_t mask =
(FStar_UInt64_gte_mask(x >> 64, y >> 64) &
~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) |
(FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask(x, y));
return ((uint128_t)mask) << 64 | mask;
}
# else /* !defined(KRML_NOUINT128) */
/* This is a bad circular dependency... should fix it properly. */
# include "FStar.h"
typedef FStar_UInt128_uint128 FStar_UInt128_t_, uint128_t;
/* A series of definitions written using pointers. */
static inline void print128_(const char *where, uint128_t *n) {
KRML_HOST_PRINTF("%s: [0x%08" PRIx64 ",0x%08" PRIx64 "]\n", where, n->high, n->low);
}
static inline void load128_le_(uint8_t *b, uint128_t *r) {
r->low = load64_le(b);
r->high = load64_le(b + 8);
}
static inline void store128_le_(uint8_t *b, uint128_t *n) {
store64_le(b, n->low);
store64_le(b + 8, n->high);
}
static inline void load128_be_(uint8_t *b, uint128_t *r) {
r->high = load64_be(b);
r->low = load64_be(b + 8);
}
static inline void store128_be_(uint8_t *b, uint128_t *n) {
store64_be(b, n->high);
store64_be(b + 8, n->low);
}
# ifndef KRML_NOSTRUCT_PASSING
static inline void print128(const char *where, uint128_t n) {
print128_(where, &n);
}
static inline uint128_t load128_le(uint8_t *b) {
uint128_t r;
load128_le_(b, &r);
return r;
}
static inline void store128_le(uint8_t *b, uint128_t n) { store128_le_(b, &n); }
static inline uint128_t load128_be(uint8_t *b) {
uint128_t r;
load128_be_(b, &r);
return r;
}
static inline void store128_be(uint8_t *b, uint128_t n) { store128_be_(b, &n); }
# else /* !defined(KRML_STRUCT_PASSING) */
# define print128 print128_
# define load128_le load128_le_
# define store128_le store128_le_
# define load128_be load128_be_
# define store128_be store128_be_
# endif /* KRML_STRUCT_PASSING */
# endif /* KRML_UINT128 */
#endif /* __KREMLIB_H */

181
vendors/ocaml-hacl/src/kremlib_base.h vendored Normal file
View File

@ -0,0 +1,181 @@
/* MIT License
*
* Copyright (c) 2016-2017 INRIA and Microsoft Corporation
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef __KREMLIB_BASE_H
#define __KREMLIB_BASE_H
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
/******************************************************************************/
/* Some macros to ease compatibility */
/******************************************************************************/
/* Define __cdecl and friends when using GCC, so that we can safely compile code
* that contains __cdecl on all platforms. Note that this is in a separate
* header so that Dafny-generated code can include just this file. */
#ifndef _MSC_VER
/* Use the gcc predefined macros if on a platform/architectures that set them.
* Otherwise define them to be empty. */
#ifndef __cdecl
#define __cdecl
#endif
#ifndef __stdcall
#define __stdcall
#endif
#ifndef __fastcall
#define __fastcall
#endif
#endif
#ifdef __GNUC__
# define inline __inline__
#endif
/* GCC-specific attribute syntax; everyone else gets the standard C inline
* attribute. */
#ifdef __GNU_C__
# ifndef __clang__
# define force_inline inline __attribute__((always_inline))
# else
# define force_inline inline
# endif
#else
# define force_inline inline
#endif
/******************************************************************************/
/* Implementing C.fst */
/******************************************************************************/
/* Uppercase issue; we have to define lowercase versions of the C macros (as we
* have no way to refer to an uppercase *variable* in F*). */
extern int exit_success;
extern int exit_failure;
/* This one allows the user to write C.EXIT_SUCCESS. */
typedef int exit_code;
void print_string(const char *s);
void print_bytes(uint8_t *b, uint32_t len);
/* The universal null pointer defined in C.Nullity.fst */
#define C_Nullity_null(X) 0
/* If some globals need to be initialized before the main, then kremlin will
* generate and try to link last a function with this type: */
void kremlinit_globals(void);
/******************************************************************************/
/* Implementation of machine integers (possibly of 128-bit integers) */
/******************************************************************************/
/* Integer types */
typedef uint64_t FStar_UInt64_t, FStar_UInt64_t_;
typedef int64_t FStar_Int64_t, FStar_Int64_t_;
typedef uint32_t FStar_UInt32_t, FStar_UInt32_t_;
typedef int32_t FStar_Int32_t, FStar_Int32_t_;
typedef uint16_t FStar_UInt16_t, FStar_UInt16_t_;
typedef int16_t FStar_Int16_t, FStar_Int16_t_;
typedef uint8_t FStar_UInt8_t, FStar_UInt8_t_;
typedef int8_t FStar_Int8_t, FStar_Int8_t_;
static inline uint32_t rotate32_left(uint32_t x, uint32_t n) {
/* assert (n<32); */
return (x << n) | (x >> (32 - n));
}
static inline uint32_t rotate32_right(uint32_t x, uint32_t n) {
/* assert (n<32); */
return (x >> n) | (x << (32 - n));
}
/* Constant time comparisons */
static inline uint8_t FStar_UInt8_eq_mask(uint8_t x, uint8_t y) {
x = ~(x ^ y);
x &= x << 4;
x &= x << 2;
x &= x << 1;
return (int8_t)x >> 7;
}
static inline uint8_t FStar_UInt8_gte_mask(uint8_t x, uint8_t y) {
return ~(uint8_t)(((int32_t)x - y) >> 31);
}
static inline uint16_t FStar_UInt16_eq_mask(uint16_t x, uint16_t y) {
x = ~(x ^ y);
x &= x << 8;
x &= x << 4;
x &= x << 2;
x &= x << 1;
return (int16_t)x >> 15;
}
static inline uint16_t FStar_UInt16_gte_mask(uint16_t x, uint16_t y) {
return ~(uint16_t)(((int32_t)x - y) >> 31);
}
static inline uint32_t FStar_UInt32_eq_mask(uint32_t x, uint32_t y) {
x = ~(x ^ y);
x &= x << 16;
x &= x << 8;
x &= x << 4;
x &= x << 2;
x &= x << 1;
return ((int32_t)x) >> 31;
}
static inline uint32_t FStar_UInt32_gte_mask(uint32_t x, uint32_t y) {
return ~((uint32_t)(((int64_t)x - y) >> 63));
}
static inline uint64_t FStar_UInt64_eq_mask(uint64_t x, uint64_t y) {
x = ~(x ^ y);
x &= x << 32;
x &= x << 16;
x &= x << 8;
x &= x << 4;
x &= x << 2;
x &= x << 1;
return ((int64_t)x) >> 63;
}
static inline uint64_t FStar_UInt64_gte_mask(uint64_t x, uint64_t y) {
uint64_t low63 =
~((uint64_t)((int64_t)((int64_t)(x & UINT64_C(0x7fffffffffffffff)) -
(int64_t)(y & UINT64_C(0x7fffffffffffffff))) >>
63));
uint64_t high_bit =
~((uint64_t)((int64_t)((int64_t)(x & UINT64_C(0x8000000000000000)) -
(int64_t)(y & UINT64_C(0x8000000000000000))) >>
63));
return low63 & high_bit;
}
#endif

14
vendors/ocaml-hacl/test/jbuild vendored Normal file
View File

@ -0,0 +1,14 @@
(jbuild_version 1)
(executable
((name test)
(libraries (hex hacl alcotest))))
(alias
((name runtest-hacl)
(deps (test.exe))
(action (run ${<}))))
(alias
((name runtest)
(deps ((alias runtest-hacl)))))

165
vendors/ocaml-hacl/test/test.ml vendored Normal file
View File

@ -0,0 +1,165 @@
(* Copyright 2018 Vincent Bernardoff, Marco Stronati.
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
* LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. *)
open Hacl
let bigstring = Alcotest.testable
(fun ppf t -> Cstruct.(hexdump_pp ppf (of_bigarray t)))
Bigstring.equal
let msg = Bigstring.of_string "Voulez-vous coucher avec moi, ce soir ?"
let msglen = Bigstring.length msg
let of_hex hex =
Cstruct.(to_bigarray (of_hex hex))
let randmsg = of_hex "12c0c5a283401a81163dfd645e57ef6ff58b2f877c4e2d4add10345ec80bef3ffc720060c82e4288a20eccf99d64f18223edb30069fa76de9fe9ae8f875f3a3f75f91dd625652632869766839075e88afc852918da3445bca6d428a4f55d98366065fc70e0306fc6c84ec9e8d1325cc63ba09d5803383d0be40bd7ace7e7551615e4267f94630a0ad62cf798b4a7648390547a3616f42d8b8e58d7223f3c07826670209601be0ef2ea60e662c34b21113680141bead22e8b31015d7fe1a6617101036f03050d8b6854989bdfc13efaa6b2e1960c291f91da346911b1d46f20242bb1eb16f4104f9d684ed0dfca8e13e46b47ba9c39513f5e0746dd828f43da416e10341f3b169691ee823a53500f1ef00c6a52c3f4ecb42f68e1894785d4d192079cc8e53be8bb4ca1e000553504d6132e95490a4b477baaddca598f8947b20fbf732ac608830fb4b11c3cd1e19257e8cb00a22a8fc54ad6e47960086cd5ed24451c1f2ac2cda4514e6e1118ffabd74e7aae3514f3e5d40443ed94bdbbf7af5fa737d2da3b19cac58ca24539313a545164c20c4fae74d01fcb535d4414885ee50cdbb5ff1fcd465fc0c0a0c0f0ebc62687569bd5d36774a6a9c8d9e05b33ac30f13fdd7906aebd27dfd2ee19616a6f3694f2539b89b9ce6d73396816202700f50617f26a7134a6819fe808775bff75df240102fb0352f67eb97e022f66d40403"
let randmsg_len = Bigstring.length randmsg
let sha256 () =
let open Hash.SHA256 in
let resp = of_hex "bd4860cc3f39995c47f94205a86c9e22e2fc8ab91c88c5293b704d454991f757" in
let randresp = of_hex "9f043732d7117fa402d24e7343108976524b097390b0b160df42b0fa5bc6425c" in
let st = init () in
Printf.printf "Init done\n" ;
update st msg ;
print_endline "Update done." ;
let d = finish st in
Printf.printf "Digest size %d\n" (Bigstring.length d) ;
print_endline "Finish done." ;
Alcotest.(check bigstring "sha256" resp d) ;
let d = digest msg in
print_endline "Direct hash done." ;
Alcotest.(check bigstring "sha256" resp d) ;
let st = init () in
Printf.printf "Init done\n" ;
update st randmsg ;
print_endline "Update done." ;
let d = finish st in
Printf.printf "Digest size %d\n" (Bigstring.length d) ;
print_endline "Finish done." ;
Alcotest.(check bigstring "sha256" randresp d) ;
let d = digest randmsg in
print_endline "Direct hash done." ;
Alcotest.(check bigstring "sha256" randresp d)
let sha512 () =
let resp = of_hex "7941f442d956f124d77ee1d1f0ba3db100751090462cdce4aed5fcd240529097bc666bf9c424becde760910df652c7aefec50b02d7f6efe666f79e5242fb755b" in
let digest = Hash.SHA512.digest msg in
Alcotest.(check bigstring "sha512" resp digest)
let hmac_sha256 () =
let key = Bigstring.of_string "key" in
let msg = Bigstring.of_string "The quick brown fox jumps over the lazy dog" in
let resp = of_hex "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8" in
let digest = Hash.HMAC_SHA256.hmac ~key ~msg in
Alcotest.(check bigstring "hmac_sha256" resp digest)
let hash = [
"hmac_sha256", `Quick, hmac_sha256 ;
"sha256", `Quick, sha256 ;
"sha512", `Quick, sha512 ;
]
let secretbox () =
let open Secretbox in
let key = genkey () in
let nonce = Nonce.gen () in
let orig_msg = Bigstring.create (msglen + zerobytes) in
Bigstring.fill orig_msg '\x00' ;
Bigstring.blit msg 0 orig_msg zerobytes msglen ;
let cmsg = Bigstring.create (msglen + zerobytes) in
box ~key ~nonce ~msg:orig_msg ~cmsg ;
let decrypted_msg = Bigstring.create (msglen + zerobytes) in
assert (box_open ~key ~nonce ~cmsg ~msg:decrypted_msg) ;
Alcotest.check bigstring "secretbox_decrypt" orig_msg decrypted_msg ;
(* in place *)
box ~key ~nonce ~msg:orig_msg ~cmsg:orig_msg ;
assert (box_open ~key ~nonce ~cmsg:orig_msg ~msg:orig_msg) ;
Alcotest.check bigstring "secretbox_decrypt_inplace" decrypted_msg orig_msg
let secretbox = [
"secretbox", `Quick, secretbox ;
]
let box () =
let open Box in
let pk, sk = keypair () in
let k = dh pk sk in
let nonce = Nonce.gen () in
let msg_orig = Bigstring.create (msglen + zerobytes) in
Bigstring.fill msg_orig '\x00' ;
Bigstring.blit msg 0 msg_orig zerobytes msglen ;
let cmsg = Bigstring.create (msglen + zerobytes) in
Bigstring.fill cmsg '\x00' ;
let decrypted_msg = Bigstring.create (msglen + zerobytes) in
box ~k ~nonce ~msg:msg_orig ~cmsg ;
assert (box_open ~k ~nonce ~cmsg ~msg:decrypted_msg) ;
Alcotest.check bigstring "box" msg_orig decrypted_msg ;
(* in place *)
assert (box_open ~k ~nonce ~cmsg ~msg:cmsg) ;
Alcotest.check bigstring "box" msg_orig cmsg
let box = [
"box", `Quick, box ;
]
let keypair () =
let seed = Hacl.Rand.gen 32 in
let sk = Sign.unsafe_sk_of_bytes seed in
let pk = Sign.neuterize sk in
let sk' = Sign.unsafe_sk_of_bytes seed in
let pk' = Sign.neuterize sk' in
Alcotest.(check bool "Sign.of_seed" true (Sign.equal pk pk')) ;
Alcotest.(check bool "Sign.of_seed" true (Sign.equal sk sk')) ;
let pk_bytes = Sign.unsafe_to_bytes pk in
let pk_bytes_length = Bigstring.length pk_bytes in
Alcotest.(check int "Sign.to_bytes" Sign.pkbytes pk_bytes_length)
let sign () =
let pk, sk = Sign.keypair () in
let signature = Bigstring.create Sign.bytes in
Sign.sign ~sk ~msg ~signature ;
assert (Sign.verify ~pk ~msg ~signature)
let public () =
let pk, sk = Sign.keypair () in
let pk' = Sign.unsafe_to_bytes pk in
let ppk = Sign.(unsafe_to_bytes (neuterize pk)) in
let psk = Sign.(unsafe_to_bytes (neuterize sk)) in
Alcotest.check bigstring "public" pk' ppk ;
Alcotest.check bigstring "public" pk' psk
let sign = [
"keypair", `Quick, keypair ;
"sign", `Quick, sign ;
"public", `Quick, public ;
]
let () =
Alcotest.run "hacl" [
"hash", hash ;
"secretbox", secretbox ;
"box", box ;
"sign", sign ;
]