diff --git a/nss-3.94-HACL-p256.patch b/nss-3.94-HACL-p256.patch deleted file mode 100644 index a7286a1..0000000 --- a/nss-3.94-HACL-p256.patch +++ /dev/null @@ -1,4306 +0,0 @@ - -# HG changeset patch -# User Karthikeyan Bhargavan -# Date 1694025109 0 -# Node ID 88262a8e60126b5168d0b96306ed5fd2de4867bb -# Parent ffb50bee6680491dddbdc9a3fa723c86332f15f9 -Bug 1615555 - P-256 ECDH and ECDSA from HACL*. r=jschanck - -Differential Revision: https://phabricator.services.mozilla.com/D185341 - -diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile ---- a/lib/freebl/Makefile -+++ b/lib/freebl/Makefile -@@ -602,17 +602,17 @@ ifndef NSS_DISABLE_CHACHAPOLY - EXTRA_SRCS += Hacl_Poly1305_128.c Hacl_Chacha20_Vec128.c Hacl_Chacha20Poly1305_128.c - DEFINES += -DHACL_CAN_COMPILE_VEC128 - endif - endif # x86_64 - - VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c - endif # NSS_DISABLE_CHACHAPOLY - --VERIFIED_SRCS += Hacl_Hash_SHA3.c -+VERIFIED_SRCS += Hacl_Hash_SHA3.c Hacl_P256.c - - ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH))) - # All 64-bit architectures get the 64 bit version. - ECL_SRCS += curve25519_64.c - VERIFIED_SRCS += Hacl_Curve25519_51.c - else - # All other architectures get the generic 32 bit implementation - ECL_SRCS += curve25519_32.c -diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h ---- a/lib/freebl/blapi.h -+++ b/lib/freebl/blapi.h -@@ -1886,11 +1886,16 @@ extern SECStatus EC_DecodeParams(const S - extern SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams, - const ECParams *srcParams); - - /* - * use the internal table to get the size in bytes of a single EC point - */ - extern int EC_GetPointSize(const ECParams *params); - -+/* -+ * use the internal table to get the size in bytes of a single EC coordinate -+ */ -+extern int EC_GetScalarSize(const ECParams *params); -+ - SEC_END_PROTOS - - #endif /* _BLAPI_H_ */ -diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c ---- a/lib/freebl/ec.c -+++ b/lib/freebl/ec.c -@@ -16,17 +16,25 @@ - #include "ec.h" - #include "ecl.h" - - #define EC_DOUBLECHECK PR_FALSE - - static const ECMethod kMethods[] = { - { ECCurve25519, - ec_Curve25519_pt_mul, -- ec_Curve25519_pt_validate } -+ ec_Curve25519_pt_validate, -+ NULL, NULL }, -+ { -+ ECCurve_NIST_P256, -+ ec_secp256r1_pt_mul, -+ ec_secp256r1_pt_validate, -+ ec_secp256r1_sign_digest, -+ ec_secp256r1_verify_digest, -+ } - }; - - static const ECMethod * - ec_get_method_from_name(ECCurveName name) - { - unsigned long i; - for (i = 0; i < sizeof(kMethods) / sizeof(kMethods[0]); ++i) { - if (kMethods[i].name == name) { -@@ -282,17 +290,21 @@ ec_NewKey(ECParams *ecParams, ECPrivateK - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method = ec_get_method_from_name(ecParams->name); - if (method == NULL || method->mul == NULL) { - /* unknown curve */ - rv = SECFailure; - goto cleanup; - } - rv = method->mul(&key->publicValue, &key->privateValue, NULL); -- goto done; -+ if (rv != SECSuccess) { -+ goto cleanup; -+ } else { -+ goto done; -+ } - } - - CHECK_MPI_OK(mp_init(&k)); - CHECK_MPI_OK(mp_read_unsigned_octets(&k, key->privateValue.data, - (mp_size)len)); - - rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue)); - if (rv != SECSuccess) { -@@ -367,16 +379,17 @@ ec_GenerateRandomPrivateKey(const unsign - CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len)); - CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len)); - CHECK_MPI_OK(mp_set_int(&one, 1)); - CHECK_MPI_OK(mp_sub(&order_1, &one, &order_1)); - CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal)); - CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal)); - CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len)); - memset(privKeyBytes + len, 0, len); -+ - cleanup: - mp_clear(&privKeyVal); - mp_clear(&order_1); - mp_clear(&one); - if (err < MP_OKAY) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; - } -@@ -435,28 +448,34 @@ EC_ValidatePublicKey(ECParams *ecParams, - ECGroup *group = NULL; - SECStatus rv = SECFailure; - mp_err err = MP_OKAY; - unsigned int len; - - if (!ecParams || ecParams->name == ECCurve_noName || - !publicValue || !publicValue->len) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - - /* Uses curve specific code for point validation. */ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method = ec_get_method_from_name(ecParams->name); - if (method == NULL || method->validate == NULL) { - /* unknown curve */ - PORT_SetError(SEC_ERROR_INVALID_ARGS); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } -- return method->validate(publicValue); -+ rv = method->validate(publicValue); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ } -+ return rv; - } - - /* NOTE: We only support uncompressed points for now */ - len = (((unsigned int)ecParams->fieldID.size) + 7) >> 3; - if (publicValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); - return SECFailure; - } else if (publicValue->len != (2 * len + 1)) { -@@ -505,16 +524,17 @@ EC_ValidatePublicKey(ECParams *ecParams, - } - - rv = SECSuccess; - - cleanup: - ECGroup_free(group); - mp_clear(&Px); - mp_clear(&Py); -+ - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; - } - return rv; - } - - /* -@@ -531,61 +551,66 @@ SECStatus - ECDH_Derive(SECItem *publicValue, - ECParams *ecParams, - SECItem *privateValue, - PRBool withCofactor, - SECItem *derivedSecret) - { - SECStatus rv = SECFailure; - unsigned int len = 0; -- SECItem pointQ = { siBuffer, NULL, 0 }; -- mp_int k; /* to hold the private value */ - mp_err err = MP_OKAY; --#if EC_DEBUG -- int i; --#endif - - if (!publicValue || !publicValue->len || - !ecParams || ecParams->name == ECCurve_noName || - !privateValue || !privateValue->len || !derivedSecret) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - - /* - * Make sure the point is on the requested curve to avoid - * certain small subgroup attacks. - */ - if (EC_ValidatePublicKey(ecParams, publicValue) != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_KEY); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - - /* Perform curve specific multiplication using ECMethod */ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method; - memset(derivedSecret, 0, sizeof(*derivedSecret)); -- derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, EC_GetPointSize(ecParams)); -+ derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, EC_GetScalarSize(ecParams)); - if (derivedSecret == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - method = ec_get_method_from_name(ecParams->name); - if (method == NULL || method->validate == NULL || - method->mul == NULL) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); -- return SECFailure; -+ rv = SECFailure; -+ goto done; - } - rv = method->mul(derivedSecret, privateValue, publicValue); - if (rv != SECSuccess) { -- SECITEM_ZfreeItem(derivedSecret, PR_FALSE); -+ PORT_SetError(SEC_ERROR_BAD_KEY); - } -- return rv; -+ goto done; - } - -+ SECItem pointQ = { siBuffer, NULL, 0 }; -+ mp_int k; /* to hold the private value */ -+#if EC_DEBUG -+ int i; -+#endif -+ - /* - * We fail if the public value is the point at infinity, since - * this produces predictable results. - */ - if (ec_point_at_infinity(publicValue)) { - PORT_SetError(SEC_ERROR_BAD_KEY); - return SECFailure; - } -@@ -633,84 +658,108 @@ ECDH_Derive(SECItem *publicValue, - for (i = 0; i < derivedSecret->len; i++) - printf("%02x:", derivedSecret->data[i]); - printf("\n"); - #endif - - cleanup: - mp_clear(&k); - -- if (err) { -- MP_TO_SEC_ERROR(err); -- } -- - if (pointQ.data) { - PORT_ZFree(pointQ.data, pointQ.len); - } - -+done: -+ -+ if (err) { -+ MP_TO_SEC_ERROR(err); -+ } -+ if (rv != SECSuccess) { -+ SECITEM_ZfreeItem(derivedSecret, PR_FALSE); -+ } - return rv; - } - - /* Computes the ECDSA signature (a concatenation of two values r and s) - * on the digest using the given key and the random value kb (used in - * computing s). - */ - - static SECStatus - ec_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, - const SECItem *digest, const unsigned char *kb, const int kblen) - { - SECStatus rv = SECFailure; -+ ECParams *ecParams = NULL; -+ mp_err err = MP_OKAY; -+ int flen = 0; /* length in bytes of the field size */ -+ unsigned olen; /* length in bytes of the base point order */ -+ -+ /* Check args */ -+ if (!key || !signature || !digest || !kb || (kblen <= 0)) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ rv = SECFailure; -+ goto done; -+ } -+ -+ ecParams = &(key->ecParams); -+ flen = (ecParams->fieldID.size + 7) >> 3; -+ olen = ecParams->order.len; -+ if (signature->data == NULL) { -+ /* a call to get the signature length only */ -+ signature->len = 2 * olen; -+ rv = SECSuccess; -+ goto done; -+ } -+ if (signature->len < 2 * olen) { -+ PORT_SetError(SEC_ERROR_OUTPUT_LEN); -+ rv = SECFailure; -+ goto done; -+ } -+ -+ /* Perform curve specific signature using ECMethod */ -+ if (ecParams->fieldID.type == ec_field_plain) { -+ const ECMethod *method = ec_get_method_from_name(ecParams->name); -+ if (method == NULL || method->sign_digest == NULL) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); -+ rv = SECFailure; -+ goto done; -+ } -+ rv = method->sign_digest(key, signature, digest, kb, kblen); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ } -+ goto done; -+ } -+ - mp_int x1; - mp_int d, k; /* private key, random integer */ - mp_int r, s; /* tuple (r, s) is the signature */ - mp_int t; /* holding tmp values */ - mp_int n; - mp_int ar; /* blinding value */ -- mp_err err = MP_OKAY; -- ECParams *ecParams = NULL; - SECItem kGpoint = { siBuffer, NULL, 0 }; -- int flen = 0; /* length in bytes of the field size */ -- unsigned olen; /* length in bytes of the base point order */ -+ unsigned char *t2 = NULL; - unsigned obits; /* length in bits of the base point order */ -- unsigned char *t2 = NULL; - - #if EC_DEBUG - char mpstr[256]; - #endif - - /* Initialize MPI integers. */ - /* must happen before the first potential call to cleanup */ - MP_DIGITS(&x1) = 0; - MP_DIGITS(&d) = 0; - MP_DIGITS(&k) = 0; - MP_DIGITS(&r) = 0; - MP_DIGITS(&s) = 0; - MP_DIGITS(&n) = 0; - MP_DIGITS(&t) = 0; - MP_DIGITS(&ar) = 0; - -- /* Check args */ -- if (!key || !signature || !digest || !kb || (kblen < 0)) { -- PORT_SetError(SEC_ERROR_INVALID_ARGS); -- goto cleanup; -- } -- -- ecParams = &(key->ecParams); -- flen = (ecParams->fieldID.size + 7) >> 3; -- olen = ecParams->order.len; -- if (signature->data == NULL) { -- /* a call to get the signature length only */ -- goto finish; -- } -- if (signature->len < 2 * olen) { -- PORT_SetError(SEC_ERROR_OUTPUT_LEN); -- goto cleanup; -- } -- - CHECK_MPI_OK(mp_init(&x1)); - CHECK_MPI_OK(mp_init(&d)); - CHECK_MPI_OK(mp_init(&k)); - CHECK_MPI_OK(mp_init(&r)); - CHECK_MPI_OK(mp_init(&s)); - CHECK_MPI_OK(mp_init(&n)); - CHECK_MPI_OK(mp_init(&t)); - CHECK_MPI_OK(mp_init(&ar)); -@@ -846,21 +895,21 @@ ec_SignDigestWithSeed(ECPrivateKey *key, - } - - /* - ** - ** Signature is tuple (r, s) - */ - CHECK_MPI_OK(mp_to_fixlen_octets(&r, signature->data, olen)); - CHECK_MPI_OK(mp_to_fixlen_octets(&s, signature->data + olen, olen)); --finish: -+ - signature->len = 2 * olen; -- - rv = SECSuccess; - err = MP_OKAY; -+ - cleanup: - mp_clear(&x1); - mp_clear(&d); - mp_clear(&k); - mp_clear(&r); - mp_clear(&s); - mp_clear(&n); - mp_clear(&t); -@@ -869,16 +918,17 @@ cleanup: - if (t2) { - PORT_ZFree(t2, 2 * ecParams->order.len); - } - - if (kGpoint.data) { - PORT_ZFree(kGpoint.data, kGpoint.len); - } - -+done: - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; - } - - #if EC_DEBUG - printf("ECDSA signing with seed %s\n", - (rv == SECSuccess) ? "succeeded" : "failed"); -@@ -887,22 +937,22 @@ cleanup: - return rv; - } - - SECStatus - ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, - const SECItem *digest, const unsigned char *kb, const int kblen) - { - #if EC_DEBUG || EC_DOUBLECHECK -- - SECItem *signature2 = SECITEM_AllocItem(NULL, NULL, signature->len); - SECStatus signSuccess = ec_SignDigestWithSeed(key, signature, digest, kb, kblen); - SECStatus signSuccessDouble = ec_SignDigestWithSeed(key, signature2, digest, kb, kblen); -- int signaturesEqual = NSS_SecureMemcmp(signature, signature2, signature->len); -+ int signaturesEqual = NSS_SecureMemcmp(signature->data, signature2->data, signature->len); - SECStatus rv; -+ - if ((signaturesEqual == 0) && (signSuccess == SECSuccess) && (signSuccessDouble == SECSuccess)) { - rv = SECSuccess; - } else { - rv = SECFailure; - } - - #if EC_DEBUG - printf("ECDSA signing with seed %s after signing twice\n", (rv == SECSuccess) ? "succeeded" : "failed"); -@@ -961,60 +1011,78 @@ cleanup: - ** of this function is undefined. In cases where a public key might - ** not be valid, use EC_ValidatePublicKey to check. - */ - SECStatus - ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, - const SECItem *digest) - { - SECStatus rv = SECFailure; -+ ECParams *ecParams = NULL; -+ mp_err err = MP_OKAY; -+ -+ /* Check args */ -+ if (!key || !signature || !digest) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ rv = SECFailure; -+ goto done; -+ } -+ -+ ecParams = &(key->ecParams); -+ -+ /* Perform curve specific signature verification using ECMethod */ -+ if (ecParams->fieldID.type == ec_field_plain) { -+ const ECMethod *method = ec_get_method_from_name(ecParams->name); -+ if (method == NULL || method->verify_digest == NULL) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); -+ rv = SECFailure; -+ goto done; -+ } -+ rv = method->verify_digest(key, signature, digest); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ } -+ goto done; -+ } -+ - mp_int r_, s_; /* tuple (r', s') is received signature) */ - mp_int c, u1, u2, v; /* intermediate values used in verification */ - mp_int x1; - mp_int n; -- mp_err err = MP_OKAY; -- ECParams *ecParams = NULL; - SECItem pointC = { siBuffer, NULL, 0 }; - int slen; /* length in bytes of a half signature (r or s) */ - int flen; /* length in bytes of the field size */ - unsigned olen; /* length in bytes of the base point order */ - unsigned obits; /* length in bits of the base point order */ - - #if EC_DEBUG - char mpstr[256]; - printf("ECDSA verification called\n"); - #endif - -+ flen = (ecParams->fieldID.size + 7) >> 3; -+ olen = ecParams->order.len; -+ if (signature->len == 0 || signature->len % 2 != 0 || -+ signature->len > 2 * olen) { -+ PORT_SetError(SEC_ERROR_INPUT_LEN); -+ goto cleanup; -+ } -+ slen = signature->len / 2; -+ - /* Initialize MPI integers. */ - /* must happen before the first potential call to cleanup */ - MP_DIGITS(&r_) = 0; - MP_DIGITS(&s_) = 0; - MP_DIGITS(&c) = 0; - MP_DIGITS(&u1) = 0; - MP_DIGITS(&u2) = 0; - MP_DIGITS(&x1) = 0; - MP_DIGITS(&v) = 0; - MP_DIGITS(&n) = 0; - -- /* Check args */ -- if (!key || !signature || !digest) { -- PORT_SetError(SEC_ERROR_INVALID_ARGS); -- goto cleanup; -- } -- -- ecParams = &(key->ecParams); -- flen = (ecParams->fieldID.size + 7) >> 3; -- olen = ecParams->order.len; -- if (signature->len == 0 || signature->len % 2 != 0 || -- signature->len > 2 * olen) { -- PORT_SetError(SEC_ERROR_INPUT_LEN); -- goto cleanup; -- } -- slen = signature->len / 2; -- - /* - * The incoming point has been verified in sftk_handlePublicKeyObject. - */ - - SECITEM_AllocItem(NULL, &pointC, EC_GetPointSize(ecParams)); - if (pointC.data == NULL) { - goto cleanup; - } -@@ -1151,16 +1219,18 @@ cleanup: - mp_clear(&u1); - mp_clear(&u2); - mp_clear(&x1); - mp_clear(&v); - mp_clear(&n); - - if (pointC.data) - SECITEM_ZfreeItem(&pointC, PR_FALSE); -+ -+done: - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; - } - - #if EC_DEBUG - printf("ECDSA verification %s\n", - (rv == SECSuccess) ? "succeeded" : "failed"); -diff --git a/lib/freebl/ec.h b/lib/freebl/ec.h ---- a/lib/freebl/ec.h -+++ b/lib/freebl/ec.h -@@ -10,12 +10,14 @@ - #define ANSI_X962_CURVE_OID_TOTAL_LEN 10 - #define SECG_CURVE_OID_TOTAL_LEN 7 - #define PKIX_NEWCURVES_OID_TOTAL_LEN 11 - - struct ECMethodStr { - ECCurveName name; - SECStatus (*mul)(SECItem *result, SECItem *scalar, SECItem *point); - SECStatus (*validate)(const SECItem *point); -+ SECStatus (*sign_digest)(ECPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb, const unsigned int kblen); -+ SECStatus (*verify_digest)(ECPublicKey *key, const SECItem *signature, const SECItem *digest); - }; - typedef struct ECMethodStr ECMethod; - - #endif /* __ec_h_ */ -diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c ---- a/lib/freebl/ecdecode.c -+++ b/lib/freebl/ecdecode.c -@@ -150,17 +150,17 @@ EC_FillParams(PLArenaPool *arena, const - #endif - - switch (tag) { - case SEC_OID_ANSIX962_EC_PRIME256V1: - /* Populate params for prime256v1 aka secp256r1 - * (the NIST P-256 curve) - */ - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_X9_62_PRIME_256V1, -- ec_field_GFp, params)); -+ ec_field_plain, params)); - break; - - case SEC_OID_SECG_EC_SECP384R1: - /* Populate params for secp384r1 - * (the NIST P-384 curve) - */ - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_384R1, - ec_field_GFp, params)); -@@ -171,17 +171,18 @@ EC_FillParams(PLArenaPool *arena, const - * (the NIST P-521 curve) - */ - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1, - ec_field_GFp, params)); - break; - - case SEC_OID_CURVE25519: - /* Populate params for Curve25519 */ -- CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, ec_field_plain, -+ CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, -+ ec_field_plain, - params)); - break; - - default: - break; - }; - - cleanup: -@@ -245,8 +246,23 @@ EC_GetPointSize(const ECParams *params) - return sizeInBytes * 2 + 1; - } - if (name == ECCurve25519) { - /* Only X here */ - return curveParams->scalarSize; - } - return curveParams->pointSize - 1; - } -+ -+int -+EC_GetScalarSize(const ECParams *params) -+{ -+ ECCurveName name = params->name; -+ const ECCurveBytes *curveParams; -+ -+ if ((name < ECCurve_noName) || (name > ECCurve_pastLastCurve) || -+ ((curveParams = ecCurve_map[name]) == NULL)) { -+ /* unknown curve, calculate scalar size from field size in params */ -+ int sizeInBytes = (params->fieldID.size + 7) / 8; -+ return sizeInBytes; -+ } -+ return curveParams->scalarSize; -+} -diff --git a/lib/freebl/ecl/ecl.h b/lib/freebl/ecl/ecl.h ---- a/lib/freebl/ecl/ecl.h -+++ b/lib/freebl/ecl/ecl.h -@@ -41,9 +41,18 @@ mp_err ECPoints_mul(const ECGroup *group - * Returns MP_YES if the public key is valid, MP_NO if the public key - * is invalid, or an error code if the validation could not be - * performed. */ - mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const mp_int *py); - - SECStatus ec_Curve25519_pt_mul(SECItem *X, SECItem *k, SECItem *P); - SECStatus ec_Curve25519_pt_validate(const SECItem *px); - -+SECStatus ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P); -+SECStatus ec_secp256r1_pt_validate(const SECItem *px); -+ -+SECStatus ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, -+ const SECItem *digest, const unsigned char *kb, -+ const unsigned int kblen); -+SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, -+ const SECItem *digest); -+ - #endif /* __ecl_h_ */ -diff --git a/lib/freebl/ecl/ecp_secp256r1.c b/lib/freebl/ecl/ecp_secp256r1.c -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/ecl/ecp_secp256r1.c -@@ -0,0 +1,229 @@ -+/* P-256 from HACL* */ -+ -+#ifdef FREEBL_NO_DEPEND -+#include "../stubs.h" -+#endif -+ -+#include "ecl-priv.h" -+#include "secitem.h" -+#include "secerr.h" -+#include "secmpi.h" -+#include "../verified/Hacl_P256.h" -+ -+/* -+ * Point Validation for P-256. -+ */ -+ -+SECStatus -+ec_secp256r1_pt_validate(const SECItem *pt) -+{ -+ SECStatus res = SECSuccess; -+ if (!pt || !pt->data) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (pt->len != 65) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (pt->data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); -+ res = SECFailure; -+ return res; -+ } -+ -+ bool b = Hacl_P256_validate_public_key(pt->data + 1); -+ -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ } -+ return res; -+} -+ -+/* -+ * Scalar multiplication for P-256. -+ * If P == NULL, the base point is used. -+ * Returns X = k*P -+ */ -+ -+SECStatus -+ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P) -+{ -+ SECStatus res = SECSuccess; -+ if (!P) { -+ uint8_t derived[64] = { 0 }; -+ -+ if (!X || !k || !X->data || !k->data || -+ X->len < 65 || k->len != 32) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ bool b = Hacl_P256_dh_initiator(derived, k->data); -+ -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ X->len = 65; -+ X->data[0] = EC_POINT_FORM_UNCOMPRESSED; -+ memcpy(X->data + 1, derived, 64); -+ -+ } else { -+ uint8_t full_key[32] = { 0 }; -+ uint8_t *key; -+ uint8_t derived[64] = { 0 }; -+ -+ if (!X || !k || !P || !X->data || !k->data || !P->data || -+ X->len < 32 || P->len != 65 || -+ P->data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ /* We consider keys of up to size 32, or of size 33 with a single leading 0 */ -+ if (k->len < 32) { -+ memcpy(full_key + 32 - k->len, k->data, k->len); -+ key = full_key; -+ } else if (k->len == 32) { -+ key = k->data; -+ } else if (k->len == 33 && k->data[0] == 0) { -+ key = k->data + 1; -+ } else { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ bool b = Hacl_P256_dh_responder(derived, P->data + 1, key); -+ -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ X->len = 32; -+ memcpy(X->data, derived, 32); -+ } -+ -+ return res; -+} -+ -+/* -+ * ECDSA Signature for P-256 -+ */ -+ -+SECStatus -+ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, -+ const SECItem *digest, const unsigned char *kb, -+ const unsigned int kblen) -+{ -+ SECStatus res = SECSuccess; -+ -+ if (!key || !signature || !digest || !kb || -+ !key->privateValue.data || -+ !signature->data || !digest->data || -+ key->ecParams.name != ECCurve_NIST_P256) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (key->privateValue.len != 32 || -+ kblen == 0 || -+ digest->len == 0 || -+ signature->len < 64) { -+ PORT_SetError(SEC_ERROR_INPUT_LEN); -+ res = SECFailure; -+ return res; -+ } -+ -+ uint8_t hash[32] = { 0 }; -+ if (digest->len < 32) { -+ memcpy(hash + 32 - digest->len, digest->data, digest->len); -+ } else { -+ memcpy(hash, digest->data, 32); -+ } -+ -+ uint8_t nonce[32] = { 0 }; -+ if (kblen < 32) { -+ memcpy(nonce + 32 - kblen, kb, kblen); -+ } else { -+ memcpy(nonce, kb, 32); -+ } -+ -+ bool b = Hacl_P256_ecdsa_sign_p256_without_hash( -+ signature->data, 32, hash, -+ key->privateValue.data, nonce); -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ signature->len = 64; -+ return res; -+} -+ -+/* -+ * ECDSA Signature Verification for P-256 -+ */ -+ -+SECStatus -+ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, -+ const SECItem *digest) -+{ -+ SECStatus res = SECSuccess; -+ -+ if (!key || !signature || !digest || -+ !key->publicValue.data || -+ !signature->data || !digest->data || -+ key->ecParams.name != ECCurve_NIST_P256) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (key->publicValue.len != 65 || -+ digest->len == 0 || -+ signature->len != 64) { -+ PORT_SetError(SEC_ERROR_INPUT_LEN); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (key->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); -+ res = SECFailure; -+ return res; -+ } -+ -+ uint8_t hash[32] = { 0 }; -+ if (digest->len < 32) { -+ memcpy(hash + 32 - digest->len, digest->data, digest->len); -+ } else { -+ memcpy(hash, digest->data, 32); -+ } -+ -+ bool b = Hacl_P256_ecdsa_verif_without_hash( -+ 32, hash, -+ key->publicValue.data + 1, -+ signature->data, signature->data + 32); -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ res = SECFailure; -+ return res; -+ } -+ -+ return res; -+} -diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp ---- a/lib/freebl/freebl.gyp -+++ b/lib/freebl/freebl.gyp -@@ -838,24 +838,26 @@ - 'MP_IS_LITTLE_ENDIAN', - ], - }], - # Poly1305_256 requires the flag to run - ['target_arch=="x64"', { - 'defines':[ - 'HACL_CAN_COMPILE_VEC128', - 'HACL_CAN_COMPILE_VEC256', -+ 'HACL_CAN_COMPILE_INTRINSICS', - ], - }], - # MSVC has no __int128 type. Use emulated int128 and leave - # have_int128_support as-is for Curve25519 impl. selection. - [ 'have_int128_support==1 and (OS!="win" or cc_is_clang==1 or cc_is_gcc==1)', { - 'defines': [ - # The Makefile does version-tests on GCC, but we're not doing that here. - 'HAVE_INT128_SUPPORT', -+ 'HACL_CAN_COMPILE_UINT128' - ], - }, { - 'defines': [ - 'KRML_VERIFIED_UINT128', - ], - }], - [ 'OS=="linux"', { - 'defines': [ -diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi ---- a/lib/freebl/freebl_base.gypi -+++ b/lib/freebl/freebl_base.gypi -@@ -29,18 +29,20 @@ - 'ecl/ecp_256.c', - 'ecl/ecp_256_32.c', - 'ecl/ecp_384.c', - 'ecl/ecp_521.c', - 'ecl/ecp_aff.c', - 'ecl/ecp_jac.c', - 'ecl/ecp_jm.c', - 'ecl/ecp_mont.c', -+ 'ecl/ecp_secp256r1.c', - 'ecl/ecp_secp384r1.c', - 'ecl/ecp_secp521r1.c', -+ 'verified/Hacl_P256.c', - 'fipsfreebl.c', - 'blinit.c', - 'freeblver.c', - 'gcm.c', - 'hmacct.c', - 'jpake.c', - 'ldvector.c', - 'md2.c', -diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn ---- a/lib/freebl/manifest.mn -+++ b/lib/freebl/manifest.mn -@@ -102,17 +102,17 @@ PRIVATE_EXPORTS = \ - MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h - MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c - - - ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h - ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \ - ecp_aff.c ecp_jac.c ecp_mont.c \ - ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \ -- ecp_256_32.c ecp_25519.c ecp_secp384r1.c ecp_secp521r1.c -+ ecp_256_32.c ecp_25519.c ecp_secp256r1.c ecp_secp384r1.c ecp_secp521r1.c - SHA_SRCS = sha_fast.c - MPCPU_SRCS = mpcpucache.c - VERIFIED_SRCS = $(NULL) - - CSRCS = \ - freeblver.c \ - ldvector.c \ - sysrand.c \ -diff --git a/lib/freebl/verified/Hacl_P256.c b/lib/freebl/verified/Hacl_P256.c -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/Hacl_P256.c -@@ -0,0 +1,1832 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#include "internal/Hacl_P256.h" -+ -+#include "internal/Hacl_P256_PrecompTable.h" -+#include "internal/Hacl_Krmllib.h" -+#include "internal/Hacl_Bignum_Base.h" -+#include "lib_intrinsics.h" -+ -+static inline uint64_t -+bn_is_zero_mask4(uint64_t *f) -+{ -+ uint64_t bn_zero[4U] = { 0U }; -+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t uu____0 = FStar_UInt64_eq_mask(f[i], bn_zero[i]); -+ mask = uu____0 & mask;); -+ uint64_t mask1 = mask; -+ uint64_t res = mask1; -+ return res; -+} -+ -+static inline bool -+bn_is_zero_vartime4(uint64_t *f) -+{ -+ uint64_t m = bn_is_zero_mask4(f); -+ return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+static inline uint64_t -+bn_is_eq_mask4(uint64_t *a, uint64_t *b) -+{ -+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); -+ mask = uu____0 & mask;); -+ uint64_t mask1 = mask; -+ return mask1; -+} -+ -+static inline bool -+bn_is_eq_vartime4(uint64_t *a, uint64_t *b) -+{ -+ uint64_t m = bn_is_eq_mask4(a, b); -+ return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+static inline void -+bn_cmovznz4(uint64_t *res, uint64_t cin, uint64_t *x, uint64_t *y) -+{ -+ uint64_t mask = ~FStar_UInt64_eq_mask(cin, (uint64_t)0U); -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t uu____0 = x[i]; -+ uint64_t x1 = uu____0 ^ (mask & (y[i] ^ uu____0)); -+ os[i] = x1;); -+} -+ -+static inline void -+bn_add_mod4(uint64_t *res, uint64_t *n, uint64_t *x, uint64_t *y) -+{ -+ uint64_t c0 = (uint64_t)0U; -+ { -+ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t20, res_i0); -+ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t10, t21, res_i1); -+ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t11, t22, res_i2); -+ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t12, t2, res_i); -+ } -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ uint64_t c2 = c00 - c1; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); -+ os[i] = x1;); -+} -+ -+static inline uint64_t -+bn_sub4(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c0 = c; -+ return c0; -+} -+ -+static inline void -+bn_sub_mod4(uint64_t *res, uint64_t *n, uint64_t *x, uint64_t *y) -+{ -+ uint64_t c0 = (uint64_t)0U; -+ { -+ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t20, res_i0); -+ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t10, t21, res_i1); -+ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t11, t22, res_i2); -+ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t12, t2, res_i); -+ } -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ // TODO: remove unused variable -+ (void)c1; -+ uint64_t c2 = (uint64_t)0U - c00; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & tmp[i]) | (~c2 & res[i]); -+ os[i] = x1;); -+} -+ -+static inline void -+bn_mul4(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ memset(res, 0U, (uint32_t)8U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t bj = y[i0]; -+ uint64_t *res_j = res + i0; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t a_i = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res_j + (uint32_t)4U * (uint32_t)0U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i0); -+ uint64_t a_i0 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c, res_i1); -+ uint64_t a_i1 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c, res_i2); -+ uint64_t a_i2 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c, res_i); -+ } uint64_t r = c; -+ res[(uint32_t)4U + i0] = r;); -+} -+ -+static inline void -+bn_sqr4(uint64_t *res, uint64_t *x) -+{ -+ memset(res, 0U, (uint32_t)8U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *ab = x; -+ uint64_t a_j = x[i0]; -+ uint64_t *res_j = res + i0; -+ uint64_t c = (uint64_t)0U; -+ for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) { -+ uint64_t a_i = ab[(uint32_t)4U * i]; -+ uint64_t *res_i0 = res_j + (uint32_t)4U * i; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); -+ uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); -+ uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); -+ uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; -+ uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); -+ } -+ for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) { -+ uint64_t a_i = ab[i]; -+ uint64_t *res_i = res_j + i; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); -+ } -+ uint64_t r = c; -+ res[i0 + i0] = r;); -+ uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, res, res); -+ // TODO: remove unused variable -+ (void)c0; -+ uint64_t tmp[8U] = { 0U }; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(x[i], x[i]); -+ uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res1, (uint32_t)64U)); -+ uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); -+ tmp[(uint32_t)2U * i] = lo; -+ tmp[(uint32_t)2U * i + (uint32_t)1U] = hi;); -+ uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, tmp, res); -+ // TODO: remove unused variable -+ (void)c1; -+} -+ -+static inline void -+bn_to_bytes_be4(uint8_t *res, uint64_t *f) -+{ -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ store64_be(res + i * (uint32_t)8U, f[(uint32_t)4U - i - (uint32_t)1U]);); -+} -+ -+static inline void -+bn_from_bytes_be4(uint64_t *res, uint8_t *b) -+{ -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t u = load64_be(b + ((uint32_t)4U - i - (uint32_t)1U) * (uint32_t)8U); -+ uint64_t x = u; -+ os[i] = x;); -+} -+ -+static inline void -+bn2_to_bytes_be4(uint8_t *res, uint64_t *x, uint64_t *y) -+{ -+ bn_to_bytes_be4(res, x); -+ bn_to_bytes_be4(res + (uint32_t)32U, y); -+} -+ -+static inline void -+make_prime(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0xffffffffffffffffU; -+ n[1U] = (uint64_t)0xffffffffU; -+ n[2U] = (uint64_t)0x0U; -+ n[3U] = (uint64_t)0xffffffff00000001U; -+} -+ -+static inline void -+make_order(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0xf3b9cac2fc632551U; -+ n[1U] = (uint64_t)0xbce6faada7179e84U; -+ n[2U] = (uint64_t)0xffffffffffffffffU; -+ n[3U] = (uint64_t)0xffffffff00000000U; -+} -+ -+static inline void -+make_a_coeff(uint64_t *a) -+{ -+ a[0U] = (uint64_t)0xfffffffffffffffcU; -+ a[1U] = (uint64_t)0x3ffffffffU; -+ a[2U] = (uint64_t)0x0U; -+ a[3U] = (uint64_t)0xfffffffc00000004U; -+} -+ -+static inline void -+make_b_coeff(uint64_t *b) -+{ -+ b[0U] = (uint64_t)0xd89cdf6229c4bddfU; -+ b[1U] = (uint64_t)0xacf005cd78843090U; -+ b[2U] = (uint64_t)0xe5a220abf7212ed6U; -+ b[3U] = (uint64_t)0xdc30061d04874834U; -+} -+ -+static inline void -+make_g_x(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0x79e730d418a9143cU; -+ n[1U] = (uint64_t)0x75ba95fc5fedb601U; -+ n[2U] = (uint64_t)0x79fb732b77622510U; -+ n[3U] = (uint64_t)0x18905f76a53755c6U; -+} -+ -+static inline void -+make_g_y(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0xddf25357ce95560aU; -+ n[1U] = (uint64_t)0x8b4ab8e4ba19e45cU; -+ n[2U] = (uint64_t)0xd2e88688dd21f325U; -+ n[3U] = (uint64_t)0x8571ff1825885d85U; -+} -+ -+static inline void -+make_fmont_R2(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0x3U; -+ n[1U] = (uint64_t)0xfffffffbffffffffU; -+ n[2U] = (uint64_t)0xfffffffffffffffeU; -+ n[3U] = (uint64_t)0x4fffffffdU; -+} -+ -+static inline void -+make_fzero(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0U; -+ n[1U] = (uint64_t)0U; -+ n[2U] = (uint64_t)0U; -+ n[3U] = (uint64_t)0U; -+} -+ -+static inline void -+make_fone(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0x1U; -+ n[1U] = (uint64_t)0xffffffff00000000U; -+ n[2U] = (uint64_t)0xffffffffffffffffU; -+ n[3U] = (uint64_t)0xfffffffeU; -+} -+ -+static inline uint64_t -+bn_is_lt_prime_mask4(uint64_t *f) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ make_prime(tmp); -+ uint64_t c = bn_sub4(tmp, f, tmp); -+ return (uint64_t)0U - c; -+} -+ -+static inline uint64_t -+feq_mask(uint64_t *a, uint64_t *b) -+{ -+ uint64_t r = bn_is_eq_mask4(a, b); -+ return r; -+} -+ -+static inline void -+fadd0(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_prime(n); -+ bn_add_mod4(res, n, x, y); -+} -+ -+static inline void -+fsub0(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_prime(n); -+ bn_sub_mod4(res, n, x, y); -+} -+ -+static inline void -+fnegate_conditional_vartime(uint64_t *f, bool is_negate) -+{ -+ uint64_t zero[4U] = { 0U }; -+ if (is_negate) { -+ fsub0(f, zero, f); -+ } -+} -+ -+static inline void -+mont_reduction(uint64_t *res, uint64_t *x) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_prime(n); -+ uint64_t c0 = (uint64_t)0U; -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t qj = (uint64_t)1U * x[i0]; -+ uint64_t *res_j0 = x + i0; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t a_i = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res_j0 + (uint32_t)4U * (uint32_t)0U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); -+ uint64_t a_i0 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); -+ uint64_t a_i1 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); -+ uint64_t a_i2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); -+ } uint64_t r = c; -+ uint64_t c1 = r; -+ uint64_t *resb = x + (uint32_t)4U + i0; -+ uint64_t res_j = x[(uint32_t)4U + i0]; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); -+ memcpy(res, x + (uint32_t)4U, (uint32_t)4U * sizeof(uint64_t)); -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ uint64_t c2 = c00 - c1; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); -+ os[i] = x1;); -+} -+ -+static inline void -+fmul0(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_mul4(tmp, x, y); -+ mont_reduction(res, tmp); -+} -+ -+static inline void -+fsqr0(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_sqr4(tmp, x); -+ mont_reduction(res, tmp); -+} -+ -+static inline void -+from_mont(uint64_t *res, uint64_t *a) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ memcpy(tmp, a, (uint32_t)4U * sizeof(uint64_t)); -+ mont_reduction(res, tmp); -+} -+ -+static inline void -+to_mont(uint64_t *res, uint64_t *a) -+{ -+ uint64_t r2modn[4U] = { 0U }; -+ make_fmont_R2(r2modn); -+ fmul0(res, a, r2modn); -+} -+ -+static inline void -+fmul_by_b_coeff(uint64_t *res, uint64_t *x) -+{ -+ uint64_t b_coeff[4U] = { 0U }; -+ make_b_coeff(b_coeff); -+ fmul0(res, b_coeff, x); -+} -+ -+static inline void -+fcube(uint64_t *res, uint64_t *x) -+{ -+ fsqr0(res, x); -+ fmul0(res, res, x); -+} -+ -+static inline void -+finv(uint64_t *res, uint64_t *a) -+{ -+ uint64_t tmp[16U] = { 0U }; -+ uint64_t *x30 = tmp; -+ uint64_t *x2 = tmp + (uint32_t)4U; -+ uint64_t *tmp1 = tmp + (uint32_t)8U; -+ uint64_t *tmp2 = tmp + (uint32_t)12U; -+ memcpy(x2, a, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, a); -+ memcpy(x30, x2, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ fsqr0(x30, x30); -+ } -+ fmul0(x30, x30, a); -+ memcpy(tmp1, x30, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, x30); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, fsqr0(tmp2, tmp2);); -+ fmul0(tmp2, tmp2, tmp1); -+ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, x30); -+ memcpy(x30, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i, (uint32_t)0U, (uint32_t)15U, (uint32_t)1U, fsqr0(x30, x30);); -+ fmul0(x30, x30, tmp1); -+ memcpy(tmp1, x30, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, x2); -+ memcpy(x2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, a); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, tmp1); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, tmp1); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)30U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, x30); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(x2, x2);); -+ fmul0(tmp1, x2, a); -+ memcpy(res, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+} -+ -+static inline void -+fsqrt(uint64_t *res, uint64_t *a) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ uint64_t *tmp1 = tmp; -+ uint64_t *tmp2 = tmp + (uint32_t)4U; -+ memcpy(tmp1, a, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ fsqr0(tmp1, tmp1); -+ } -+ fmul0(tmp1, tmp1, a); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(tmp2, tmp2);); -+ fmul0(tmp2, tmp2, tmp1); -+ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, tmp2); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, fsqr0(tmp2, tmp2);); -+ fmul0(tmp2, tmp2, tmp1); -+ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR16(i, (uint32_t)0U, (uint32_t)16U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, tmp2); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ fsqr0(tmp2, tmp2); -+ } -+ fmul0(tmp2, tmp2, a); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)96U; i++) { -+ fsqr0(tmp2, tmp2); -+ } -+ fmul0(tmp2, tmp2, a); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)94U; i++) { -+ fsqr0(tmp2, tmp2); -+ } -+ memcpy(res, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+} -+ -+static inline void -+make_base_point(uint64_t *p) -+{ -+ uint64_t *x = p; -+ uint64_t *y = p + (uint32_t)4U; -+ uint64_t *z = p + (uint32_t)8U; -+ make_g_x(x); -+ make_g_y(y); -+ make_fone(z); -+} -+ -+static inline void -+make_point_at_inf(uint64_t *p) -+{ -+ uint64_t *x = p; -+ uint64_t *y = p + (uint32_t)4U; -+ uint64_t *z = p + (uint32_t)8U; -+ make_fzero(x); -+ make_fone(y); -+ make_fzero(z); -+} -+ -+static inline bool -+is_point_at_inf_vartime(uint64_t *p) -+{ -+ uint64_t *pz = p + (uint32_t)8U; -+ return bn_is_zero_vartime4(pz); -+} -+ -+static inline void -+to_aff_point(uint64_t *res, uint64_t *p) -+{ -+ uint64_t zinv[4U] = { 0U }; -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ uint64_t *pz = p + (uint32_t)8U; -+ uint64_t *x = res; -+ uint64_t *y = res + (uint32_t)4U; -+ finv(zinv, pz); -+ fmul0(x, px, zinv); -+ fmul0(y, py, zinv); -+ from_mont(x, x); -+ from_mont(y, y); -+} -+ -+static inline void -+to_aff_point_x(uint64_t *res, uint64_t *p) -+{ -+ uint64_t zinv[4U] = { 0U }; -+ uint64_t *px = p; -+ uint64_t *pz = p + (uint32_t)8U; -+ finv(zinv, pz); -+ fmul0(res, px, zinv); -+ from_mont(res, res); -+} -+ -+static inline void -+to_proj_point(uint64_t *res, uint64_t *p) -+{ -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ uint64_t *rx = res; -+ uint64_t *ry = res + (uint32_t)4U; -+ uint64_t *rz = res + (uint32_t)8U; -+ to_mont(rx, px); -+ to_mont(ry, py); -+ make_fone(rz); -+} -+ -+static inline bool -+is_on_curve_vartime(uint64_t *p) -+{ -+ uint64_t rp[4U] = { 0U }; -+ uint64_t tx[4U] = { 0U }; -+ uint64_t ty[4U] = { 0U }; -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ to_mont(tx, px); -+ to_mont(ty, py); -+ uint64_t tmp[4U] = { 0U }; -+ fcube(rp, tx); -+ make_a_coeff(tmp); -+ fmul0(tmp, tmp, tx); -+ fadd0(rp, tmp, rp); -+ make_b_coeff(tmp); -+ fadd0(rp, tmp, rp); -+ fsqr0(ty, ty); -+ uint64_t r = feq_mask(ty, rp); -+ bool r0 = r == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ return r0; -+} -+ -+static inline void -+aff_point_store(uint8_t *res, uint64_t *p) -+{ -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ bn2_to_bytes_be4(res, px, py); -+} -+ -+static inline void -+point_store(uint8_t *res, uint64_t *p) -+{ -+ uint64_t aff_p[8U] = { 0U }; -+ to_aff_point(aff_p, p); -+ aff_point_store(res, aff_p); -+} -+ -+static inline bool -+aff_point_load_vartime(uint64_t *p, uint8_t *b) -+{ -+ uint8_t *p_x = b; -+ uint8_t *p_y = b + (uint32_t)32U; -+ uint64_t *bn_p_x = p; -+ uint64_t *bn_p_y = p + (uint32_t)4U; -+ bn_from_bytes_be4(bn_p_x, p_x); -+ bn_from_bytes_be4(bn_p_y, p_y); -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ uint64_t lessX = bn_is_lt_prime_mask4(px); -+ uint64_t lessY = bn_is_lt_prime_mask4(py); -+ uint64_t res = lessX & lessY; -+ bool is_xy_valid = res == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ if (!is_xy_valid) { -+ return false; -+ } -+ return is_on_curve_vartime(p); -+} -+ -+static inline bool -+load_point_vartime(uint64_t *p, uint8_t *b) -+{ -+ uint64_t p_aff[8U] = { 0U }; -+ bool res = aff_point_load_vartime(p_aff, b); -+ if (res) { -+ to_proj_point(p, p_aff); -+ } -+ return res; -+} -+ -+static inline bool -+aff_point_decompress_vartime(uint64_t *x, uint64_t *y, uint8_t *s) -+{ -+ uint8_t s0 = s[0U]; -+ uint8_t s01 = s0; -+ if (!(s01 == (uint8_t)0x02U || s01 == (uint8_t)0x03U)) { -+ return false; -+ } -+ uint8_t *xb = s + (uint32_t)1U; -+ bn_from_bytes_be4(x, xb); -+ uint64_t is_x_valid = bn_is_lt_prime_mask4(x); -+ bool is_x_valid1 = is_x_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ bool is_y_odd = s01 == (uint8_t)0x03U; -+ if (!is_x_valid1) { -+ return false; -+ } -+ uint64_t y2M[4U] = { 0U }; -+ uint64_t xM[4U] = { 0U }; -+ uint64_t yM[4U] = { 0U }; -+ to_mont(xM, x); -+ uint64_t tmp[4U] = { 0U }; -+ fcube(y2M, xM); -+ make_a_coeff(tmp); -+ fmul0(tmp, tmp, xM); -+ fadd0(y2M, tmp, y2M); -+ make_b_coeff(tmp); -+ fadd0(y2M, tmp, y2M); -+ fsqrt(yM, y2M); -+ from_mont(y, yM); -+ fsqr0(yM, yM); -+ uint64_t r = feq_mask(yM, y2M); -+ bool is_y_valid = r == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ bool is_y_valid0 = is_y_valid; -+ if (!is_y_valid0) { -+ return false; -+ } -+ uint64_t is_y_odd1 = y[0U] & (uint64_t)1U; -+ bool is_y_odd2 = is_y_odd1 == (uint64_t)1U; -+ fnegate_conditional_vartime(y, is_y_odd2 != is_y_odd); -+ return true; -+} -+ -+static inline void -+point_double(uint64_t *res, uint64_t *p) -+{ -+ uint64_t tmp[20U] = { 0U }; -+ uint64_t *x = p; -+ uint64_t *z = p + (uint32_t)8U; -+ uint64_t *x3 = res; -+ uint64_t *y3 = res + (uint32_t)4U; -+ uint64_t *z3 = res + (uint32_t)8U; -+ uint64_t *t0 = tmp; -+ uint64_t *t1 = tmp + (uint32_t)4U; -+ uint64_t *t2 = tmp + (uint32_t)8U; -+ uint64_t *t3 = tmp + (uint32_t)12U; -+ uint64_t *t4 = tmp + (uint32_t)16U; -+ uint64_t *x1 = p; -+ uint64_t *y = p + (uint32_t)4U; -+ uint64_t *z1 = p + (uint32_t)8U; -+ fsqr0(t0, x1); -+ fsqr0(t1, y); -+ fsqr0(t2, z1); -+ fmul0(t3, x1, y); -+ fadd0(t3, t3, t3); -+ fmul0(t4, y, z1); -+ fmul0(z3, x, z); -+ fadd0(z3, z3, z3); -+ fmul_by_b_coeff(y3, t2); -+ fsub0(y3, y3, z3); -+ fadd0(x3, y3, y3); -+ fadd0(y3, x3, y3); -+ fsub0(x3, t1, y3); -+ fadd0(y3, t1, y3); -+ fmul0(y3, x3, y3); -+ fmul0(x3, x3, t3); -+ fadd0(t3, t2, t2); -+ fadd0(t2, t2, t3); -+ fmul_by_b_coeff(z3, z3); -+ fsub0(z3, z3, t2); -+ fsub0(z3, z3, t0); -+ fadd0(t3, z3, z3); -+ fadd0(z3, z3, t3); -+ fadd0(t3, t0, t0); -+ fadd0(t0, t3, t0); -+ fsub0(t0, t0, t2); -+ fmul0(t0, t0, z3); -+ fadd0(y3, y3, t0); -+ fadd0(t0, t4, t4); -+ fmul0(z3, t0, z3); -+ fsub0(x3, x3, z3); -+ fmul0(z3, t0, t1); -+ fadd0(z3, z3, z3); -+ fadd0(z3, z3, z3); -+} -+ -+static inline void -+point_add(uint64_t *res, uint64_t *p, uint64_t *q) -+{ -+ uint64_t tmp[36U] = { 0U }; -+ uint64_t *t0 = tmp; -+ uint64_t *t1 = tmp + (uint32_t)24U; -+ uint64_t *x3 = t1; -+ uint64_t *y3 = t1 + (uint32_t)4U; -+ uint64_t *z3 = t1 + (uint32_t)8U; -+ uint64_t *t01 = t0; -+ uint64_t *t11 = t0 + (uint32_t)4U; -+ uint64_t *t2 = t0 + (uint32_t)8U; -+ uint64_t *t3 = t0 + (uint32_t)12U; -+ uint64_t *t4 = t0 + (uint32_t)16U; -+ uint64_t *t5 = t0 + (uint32_t)20U; -+ uint64_t *x1 = p; -+ uint64_t *y1 = p + (uint32_t)4U; -+ uint64_t *z10 = p + (uint32_t)8U; -+ uint64_t *x20 = q; -+ uint64_t *y20 = q + (uint32_t)4U; -+ uint64_t *z20 = q + (uint32_t)8U; -+ fmul0(t01, x1, x20); -+ fmul0(t11, y1, y20); -+ fmul0(t2, z10, z20); -+ fadd0(t3, x1, y1); -+ fadd0(t4, x20, y20); -+ fmul0(t3, t3, t4); -+ fadd0(t4, t01, t11); -+ uint64_t *y10 = p + (uint32_t)4U; -+ uint64_t *z11 = p + (uint32_t)8U; -+ uint64_t *y2 = q + (uint32_t)4U; -+ uint64_t *z21 = q + (uint32_t)8U; -+ fsub0(t3, t3, t4); -+ fadd0(t4, y10, z11); -+ fadd0(t5, y2, z21); -+ fmul0(t4, t4, t5); -+ fadd0(t5, t11, t2); -+ fsub0(t4, t4, t5); -+ uint64_t *x10 = p; -+ uint64_t *z1 = p + (uint32_t)8U; -+ uint64_t *x2 = q; -+ uint64_t *z2 = q + (uint32_t)8U; -+ fadd0(x3, x10, z1); -+ fadd0(y3, x2, z2); -+ fmul0(x3, x3, y3); -+ fadd0(y3, t01, t2); -+ fsub0(y3, x3, y3); -+ fmul_by_b_coeff(z3, t2); -+ fsub0(x3, y3, z3); -+ fadd0(z3, x3, x3); -+ fadd0(x3, x3, z3); -+ fsub0(z3, t11, x3); -+ fadd0(x3, t11, x3); -+ fmul_by_b_coeff(y3, y3); -+ fadd0(t11, t2, t2); -+ fadd0(t2, t11, t2); -+ fsub0(y3, y3, t2); -+ fsub0(y3, y3, t01); -+ fadd0(t11, y3, y3); -+ fadd0(y3, t11, y3); -+ fadd0(t11, t01, t01); -+ fadd0(t01, t11, t01); -+ fsub0(t01, t01, t2); -+ fmul0(t11, t4, y3); -+ fmul0(t2, t01, y3); -+ fmul0(y3, x3, z3); -+ fadd0(y3, y3, t2); -+ fmul0(x3, t3, x3); -+ fsub0(x3, x3, t11); -+ fmul0(z3, t4, z3); -+ fmul0(t11, t3, t01); -+ fadd0(z3, z3, t11); -+ memcpy(res, t1, (uint32_t)12U * sizeof(uint64_t)); -+} -+ -+static inline void -+point_mul(uint64_t *res, uint64_t *scalar, uint64_t *p) -+{ -+ uint64_t table[192U] = { 0U }; -+ uint64_t tmp[12U] = { 0U }; -+ uint64_t *t0 = table; -+ uint64_t *t1 = table + (uint32_t)12U; -+ make_point_at_inf(t0); -+ memcpy(t1, p, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR7(i, -+ (uint32_t)0U, -+ (uint32_t)7U, -+ (uint32_t)1U, -+ uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)12U; -+ point_double(tmp, t11); -+ memcpy(table + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t)); -+ uint64_t *t2 = table + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U; -+ point_add(tmp, p, t2); -+ memcpy(table + ((uint32_t)2U * i + (uint32_t)3U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t));); -+ make_point_at_inf(res); -+ uint64_t tmp0[12U] = { 0U }; -+ for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) { -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, point_double(res, res);); -+ uint32_t k = (uint32_t)256U - (uint32_t)4U * i0 - (uint32_t)4U; -+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar, k, (uint32_t)4U); -+ memcpy(tmp0, (uint64_t *)table, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i1, -+ (uint32_t)0U, -+ (uint32_t)15U, -+ (uint32_t)1U, -+ uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i1 + (uint32_t)1U)); -+ const uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)12U; -+ KRML_MAYBE_FOR12(i, -+ (uint32_t)0U, -+ (uint32_t)12U, -+ (uint32_t)1U, -+ uint64_t *os = tmp0; -+ uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); -+ os[i] = x;);); -+ point_add(res, res, tmp0); -+ } -+} -+ -+static inline void -+precomp_get_consttime(const uint64_t *table, uint64_t bits_l, uint64_t *tmp) -+{ -+ memcpy(tmp, (uint64_t *)table, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i0, -+ (uint32_t)0U, -+ (uint32_t)15U, -+ (uint32_t)1U, -+ uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i0 + (uint32_t)1U)); -+ const uint64_t *res_j = table + (i0 + (uint32_t)1U) * (uint32_t)12U; -+ KRML_MAYBE_FOR12(i, -+ (uint32_t)0U, -+ (uint32_t)12U, -+ (uint32_t)1U, -+ uint64_t *os = tmp; -+ uint64_t x = (c & res_j[i]) | (~c & tmp[i]); -+ os[i] = x;);); -+} -+ -+static inline void -+point_mul_g(uint64_t *res, uint64_t *scalar) -+{ -+ uint64_t q1[12U] = { 0U }; -+ make_base_point(q1); -+ /* -+ uint64_t -+ q2[12U] = -+ { -+ (uint64_t)1499621593102562565U, (uint64_t)16692369783039433128U, -+ (uint64_t)15337520135922861848U, (uint64_t)5455737214495366228U, -+ (uint64_t)17827017231032529600U, (uint64_t)12413621606240782649U, -+ (uint64_t)2290483008028286132U, (uint64_t)15752017553340844820U, -+ (uint64_t)4846430910634234874U, (uint64_t)10861682798464583253U, -+ (uint64_t)15404737222404363049U, (uint64_t)363586619281562022U -+ }; -+ uint64_t -+ q3[12U] = -+ { -+ (uint64_t)14619254753077084366U, (uint64_t)13913835116514008593U, -+ (uint64_t)15060744674088488145U, (uint64_t)17668414598203068685U, -+ (uint64_t)10761169236902342334U, (uint64_t)15467027479157446221U, -+ (uint64_t)14989185522423469618U, (uint64_t)14354539272510107003U, -+ (uint64_t)14298211796392133693U, (uint64_t)13270323784253711450U, -+ (uint64_t)13380964971965046957U, (uint64_t)8686204248456909699U -+ }; -+ uint64_t -+ q4[12U] = -+ { -+ (uint64_t)7870395003430845958U, (uint64_t)18001862936410067720U, -+ (uint64_t)8006461232116967215U, (uint64_t)5921313779532424762U, -+ (uint64_t)10702113371959864307U, (uint64_t)8070517410642379879U, -+ (uint64_t)7139806720777708306U, (uint64_t)8253938546650739833U, -+ (uint64_t)17490482834545705718U, (uint64_t)1065249776797037500U, -+ (uint64_t)5018258455937968775U, (uint64_t)14100621120178668337U -+ }; -+ */ -+ uint64_t *r1 = scalar; -+ uint64_t *r2 = scalar + (uint32_t)1U; -+ uint64_t *r3 = scalar + (uint32_t)2U; -+ uint64_t *r4 = scalar + (uint32_t)3U; -+ make_point_at_inf(res); -+ uint64_t tmp[12U] = { 0U }; -+ KRML_MAYBE_FOR16(i, -+ (uint32_t)0U, -+ (uint32_t)16U, -+ (uint32_t)1U, -+ KRML_MAYBE_FOR4(i0, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, point_double(res, res);); -+ uint32_t k = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r4, k, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_192_table_w4, bits_l, tmp); -+ point_add(res, res, tmp); -+ uint32_t k0 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r3, k0, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_128_table_w4, bits_l0, tmp); -+ point_add(res, res, tmp); -+ uint32_t k1 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l1 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r2, k1, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_64_table_w4, bits_l1, tmp); -+ point_add(res, res, tmp); -+ uint32_t k2 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l2 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r1, k2, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_basepoint_table_w4, bits_l2, tmp); -+ point_add(res, res, tmp);); -+} -+ -+static inline void -+point_mul_double_g(uint64_t *res, uint64_t *scalar1, uint64_t *scalar2, uint64_t *q2) -+{ -+ uint64_t q1[12U] = { 0U }; -+ make_base_point(q1); -+ uint64_t table2[384U] = { 0U }; -+ uint64_t tmp[12U] = { 0U }; -+ uint64_t *t0 = table2; -+ uint64_t *t1 = table2 + (uint32_t)12U; -+ make_point_at_inf(t0); -+ memcpy(t1, q2, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i, -+ (uint32_t)0U, -+ (uint32_t)15U, -+ (uint32_t)1U, -+ uint64_t *t11 = table2 + (i + (uint32_t)1U) * (uint32_t)12U; -+ point_double(tmp, t11); -+ memcpy(table2 + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t)); -+ uint64_t *t2 = table2 + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U; -+ point_add(tmp, q2, t2); -+ memcpy(table2 + ((uint32_t)2U * i + (uint32_t)3U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t));); -+ uint64_t tmp0[12U] = { 0U }; -+ uint32_t i0 = (uint32_t)255U; -+ uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar1, i0, (uint32_t)5U); -+ uint32_t bits_l32 = (uint32_t)bits_c; -+ const uint64_t -+ *a_bits_l = Hacl_P256_PrecompTable_precomp_basepoint_table_w5 + bits_l32 * (uint32_t)12U; -+ memcpy(res, (uint64_t *)a_bits_l, (uint32_t)12U * sizeof(uint64_t)); -+ uint32_t i1 = (uint32_t)255U; -+ uint64_t bits_c0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar2, i1, (uint32_t)5U); -+ uint32_t bits_l320 = (uint32_t)bits_c0; -+ const uint64_t *a_bits_l0 = table2 + bits_l320 * (uint32_t)12U; -+ memcpy(tmp0, (uint64_t *)a_bits_l0, (uint32_t)12U * sizeof(uint64_t)); -+ point_add(res, res, tmp0); -+ uint64_t tmp1[12U] = { 0U }; -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)51U; i++) { -+ KRML_MAYBE_FOR5(i2, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, point_double(res, res);); -+ uint32_t k = (uint32_t)255U - (uint32_t)5U * i - (uint32_t)5U; -+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar2, k, (uint32_t)5U); -+ uint32_t bits_l321 = (uint32_t)bits_l; -+ const uint64_t *a_bits_l1 = table2 + bits_l321 * (uint32_t)12U; -+ memcpy(tmp1, (uint64_t *)a_bits_l1, (uint32_t)12U * sizeof(uint64_t)); -+ point_add(res, res, tmp1); -+ uint32_t k0 = (uint32_t)255U - (uint32_t)5U * i - (uint32_t)5U; -+ uint64_t bits_l0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar1, k0, (uint32_t)5U); -+ uint32_t bits_l322 = (uint32_t)bits_l0; -+ const uint64_t -+ *a_bits_l2 = Hacl_P256_PrecompTable_precomp_basepoint_table_w5 + bits_l322 * (uint32_t)12U; -+ memcpy(tmp1, (uint64_t *)a_bits_l2, (uint32_t)12U * sizeof(uint64_t)); -+ point_add(res, res, tmp1); -+ } -+} -+ -+static inline uint64_t -+bn_is_lt_order_mask4(uint64_t *f) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ make_order(tmp); -+ uint64_t c = bn_sub4(tmp, f, tmp); -+ return (uint64_t)0U - c; -+} -+ -+static inline uint64_t -+bn_is_lt_order_and_gt_zero_mask4(uint64_t *f) -+{ -+ uint64_t is_lt_order = bn_is_lt_order_mask4(f); -+ uint64_t is_eq_zero = bn_is_zero_mask4(f); -+ return is_lt_order & ~is_eq_zero; -+} -+ -+static inline void -+qmod_short(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ make_order(tmp); -+ uint64_t c = bn_sub4(tmp, x, tmp); -+ bn_cmovznz4(res, c, tmp, x); -+} -+ -+static inline void -+qadd(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_order(n); -+ bn_add_mod4(res, n, x, y); -+} -+ -+static inline void -+qmont_reduction(uint64_t *res, uint64_t *x) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_order(n); -+ uint64_t c0 = (uint64_t)0U; -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t qj = (uint64_t)0xccd1c8aaee00bc4fU * x[i0]; -+ uint64_t *res_j0 = x + i0; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t a_i = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res_j0 + (uint32_t)4U * (uint32_t)0U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); -+ uint64_t a_i0 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); -+ uint64_t a_i1 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); -+ uint64_t a_i2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); -+ } uint64_t r = c; -+ uint64_t c1 = r; -+ uint64_t *resb = x + (uint32_t)4U + i0; -+ uint64_t res_j = x[(uint32_t)4U + i0]; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); -+ memcpy(res, x + (uint32_t)4U, (uint32_t)4U * sizeof(uint64_t)); -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ uint64_t c2 = c00 - c1; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); -+ os[i] = x1;); -+} -+ -+static inline void -+from_qmont(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ memcpy(tmp, x, (uint32_t)4U * sizeof(uint64_t)); -+ qmont_reduction(res, tmp); -+} -+ -+static inline void -+qmul(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_mul4(tmp, x, y); -+ qmont_reduction(res, tmp); -+} -+ -+static inline void -+qsqr(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_sqr4(tmp, x); -+ qmont_reduction(res, tmp); -+} -+ -+bool -+Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_key) -+{ -+ uint64_t tmp[16U] = { 0U }; -+ uint64_t *sk = tmp; -+ uint64_t *pk = tmp + (uint32_t)4U; -+ bn_from_bytes_be4(sk, private_key); -+ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(sk); -+ uint64_t oneq[4U] = { 0U }; -+ oneq[0U] = (uint64_t)1U; -+ oneq[1U] = (uint64_t)0U; -+ oneq[2U] = (uint64_t)0U; -+ oneq[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = sk; -+ uint64_t uu____0 = oneq[i]; -+ uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); -+ os[i] = x;); -+ uint64_t is_sk_valid = is_b_valid; -+ point_mul_g(pk, sk); -+ point_store(public_key, pk); -+ return is_sk_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+bool -+Hacl_Impl_P256_DH_ecp256dh_r( -+ uint8_t *shared_secret, -+ uint8_t *their_pubkey, -+ uint8_t *private_key) -+{ -+ uint64_t tmp[16U] = { 0U }; -+ uint64_t *sk = tmp; -+ uint64_t *pk = tmp + (uint32_t)4U; -+ bool is_pk_valid = load_point_vartime(pk, their_pubkey); -+ bn_from_bytes_be4(sk, private_key); -+ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(sk); -+ uint64_t oneq[4U] = { 0U }; -+ oneq[0U] = (uint64_t)1U; -+ oneq[1U] = (uint64_t)0U; -+ oneq[2U] = (uint64_t)0U; -+ oneq[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = sk; -+ uint64_t uu____0 = oneq[i]; -+ uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); -+ os[i] = x;); -+ uint64_t is_sk_valid = is_b_valid; -+ uint64_t ss_proj[12U] = { 0U }; -+ if (is_pk_valid) { -+ point_mul(ss_proj, sk, pk); -+ point_store(shared_secret, ss_proj); -+ } -+ return is_sk_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU && is_pk_valid; -+} -+ -+static inline void -+qinv(uint64_t *res, uint64_t *r) -+{ -+ uint64_t tmp[28U] = { 0U }; -+ uint64_t *x6 = tmp; -+ uint64_t *x_11 = tmp + (uint32_t)4U; -+ uint64_t *x_101 = tmp + (uint32_t)8U; -+ uint64_t *x_111 = tmp + (uint32_t)12U; -+ uint64_t *x_1111 = tmp + (uint32_t)16U; -+ uint64_t *x_10101 = tmp + (uint32_t)20U; -+ uint64_t *x_101111 = tmp + (uint32_t)24U; -+ memcpy(x6, r, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_11, x6, r); -+ qmul(x_101, x6, x_11); -+ qmul(x_111, x6, x_101); -+ memcpy(x6, x_101, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_1111, x_101, x6); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_10101, x6, r); -+ memcpy(x6, x_10101, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_101111, x_101, x6); -+ qmul(x6, x_10101, x6); -+ uint64_t tmp1[4U] = { 0U }; -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(x6, x6);); -+ qmul(x6, x6, x_11); -+ memcpy(tmp1, x6, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x6); -+ memcpy(x6, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR16(i, (uint32_t)0U, (uint32_t)16U, (uint32_t)1U, qsqr(x6, x6);); -+ qmul(x6, x6, tmp1); -+ memcpy(tmp1, x6, (uint32_t)4U * sizeof(uint64_t)); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) { -+ qsqr(tmp1, tmp1); -+ } -+ qmul(tmp1, tmp1, x6); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ qsqr(tmp1, tmp1); -+ } -+ qmul(tmp1, tmp1, x6); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_10101); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR9(i, (uint32_t)0U, (uint32_t)9U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101111); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, r); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, r); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR10(i, (uint32_t)0U, (uint32_t)10U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101111); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, r); -+ KRML_MAYBE_FOR7(i, (uint32_t)0U, (uint32_t)7U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_10101); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ memcpy(x6, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ memcpy(res, x6, (uint32_t)4U * sizeof(uint64_t)); -+} -+ -+static inline void -+qmul_mont(uint64_t *sinv, uint64_t *b, uint64_t *res) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ from_qmont(tmp, b); -+ qmul(res, sinv, tmp); -+} -+ -+static inline bool -+ecdsa_verify_msg_as_qelem( -+ uint64_t *m_q, -+ uint8_t *public_key, -+ uint8_t *signature_r, -+ uint8_t *signature_s) -+{ -+ uint64_t tmp[28U] = { 0U }; -+ uint64_t *pk = tmp; -+ uint64_t *r_q = tmp + (uint32_t)12U; -+ uint64_t *s_q = tmp + (uint32_t)16U; -+ uint64_t *u1 = tmp + (uint32_t)20U; -+ uint64_t *u2 = tmp + (uint32_t)24U; -+ bool is_pk_valid = load_point_vartime(pk, public_key); -+ bn_from_bytes_be4(r_q, signature_r); -+ bn_from_bytes_be4(s_q, signature_s); -+ uint64_t is_r_valid = bn_is_lt_order_and_gt_zero_mask4(r_q); -+ uint64_t is_s_valid = bn_is_lt_order_and_gt_zero_mask4(s_q); -+ bool -+ is_rs_valid = -+ is_r_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU && is_s_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ if (!(is_pk_valid && is_rs_valid)) { -+ return false; -+ } -+ uint64_t sinv[4U] = { 0U }; -+ qinv(sinv, s_q); -+ qmul_mont(sinv, m_q, u1); -+ qmul_mont(sinv, r_q, u2); -+ uint64_t res[12U] = { 0U }; -+ point_mul_double_g(res, u1, u2, pk); -+ if (is_point_at_inf_vartime(res)) { -+ return false; -+ } -+ uint64_t x[4U] = { 0U }; -+ to_aff_point_x(x, res); -+ qmod_short(x, x); -+ bool res1 = bn_is_eq_vartime4(x, r_q); -+ return res1; -+} -+ -+static inline bool -+ecdsa_sign_msg_as_qelem( -+ uint8_t *signature, -+ uint64_t *m_q, -+ uint8_t *private_key, -+ uint8_t *nonce) -+{ -+ uint64_t rsdk_q[16U] = { 0U }; -+ uint64_t *r_q = rsdk_q; -+ uint64_t *s_q = rsdk_q + (uint32_t)4U; -+ uint64_t *d_a = rsdk_q + (uint32_t)8U; -+ uint64_t *k_q = rsdk_q + (uint32_t)12U; -+ bn_from_bytes_be4(d_a, private_key); -+ uint64_t is_b_valid0 = bn_is_lt_order_and_gt_zero_mask4(d_a); -+ uint64_t oneq0[4U] = { 0U }; -+ oneq0[0U] = (uint64_t)1U; -+ oneq0[1U] = (uint64_t)0U; -+ oneq0[2U] = (uint64_t)0U; -+ oneq0[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = d_a; -+ uint64_t uu____0 = oneq0[i]; -+ uint64_t x = uu____0 ^ (is_b_valid0 & (d_a[i] ^ uu____0)); -+ os[i] = x;); -+ uint64_t is_sk_valid = is_b_valid0; -+ bn_from_bytes_be4(k_q, nonce); -+ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(k_q); -+ uint64_t oneq[4U] = { 0U }; -+ oneq[0U] = (uint64_t)1U; -+ oneq[1U] = (uint64_t)0U; -+ oneq[2U] = (uint64_t)0U; -+ oneq[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = k_q; -+ uint64_t uu____1 = oneq[i]; -+ uint64_t x = uu____1 ^ (is_b_valid & (k_q[i] ^ uu____1)); -+ os[i] = x;); -+ uint64_t is_nonce_valid = is_b_valid; -+ uint64_t are_sk_nonce_valid = is_sk_valid & is_nonce_valid; -+ uint64_t p[12U] = { 0U }; -+ point_mul_g(p, k_q); -+ to_aff_point_x(r_q, p); -+ qmod_short(r_q, r_q); -+ uint64_t kinv[4U] = { 0U }; -+ qinv(kinv, k_q); -+ qmul(s_q, r_q, d_a); -+ from_qmont(m_q, m_q); -+ qadd(s_q, m_q, s_q); -+ qmul(s_q, kinv, s_q); -+ bn2_to_bytes_be4(signature, r_q, s_q); -+ uint64_t is_r_zero = bn_is_zero_mask4(r_q); -+ uint64_t is_s_zero = bn_is_zero_mask4(s_q); -+ uint64_t m = are_sk_nonce_valid & (~is_r_zero & ~is_s_zero); -+ bool res = m == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ return res; -+} -+ -+/******************************************************************************* -+ -+ Verified C library for ECDSA and ECDH functions over the P-256 NIST curve. -+ -+ This module implements signing and verification, key validation, conversions -+ between various point representations, and ECDH key agreement. -+ -+*******************************************************************************/ -+ -+/*****************/ -+/* ECDSA signing */ -+/*****************/ -+ -+/** -+Create an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-sign combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs -+ smaller than 32 bytes. These libraries left-pad the input with enough zeroes to -+ reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL -+ need to perform the left-padding themselves. -+ -+ The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. -+ -+ The outparam `signature` (R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The arguments `private_key` and `nonce` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `nonce` are valid values: -+ • 0 < `private_key` < the order of the curve -+ • 0 < `nonce` < the order of the curve -+*/ -+bool -+Hacl_P256_ecdsa_sign_p256_without_hash( -+ uint8_t *signature, -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *private_key, -+ uint8_t *nonce) -+{ -+ uint64_t m_q[4U] = { 0U }; -+ uint8_t mHash[32U] = { 0U }; -+ memcpy(mHash, msg, (uint32_t)32U * sizeof(uint8_t)); -+ uint8_t *mHash32 = mHash; -+ bn_from_bytes_be4(m_q, mHash32); -+ qmod_short(m_q, m_q); -+ bool res = ecdsa_sign_msg_as_qelem(signature, m_q, private_key, nonce); -+ return res; -+} -+ -+/**********************/ -+/* ECDSA verification */ -+/**********************/ -+ -+/** -+Verify an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-verify combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ The function returns `true` if the signature is valid and `false` otherwise. -+ -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The argument `public_key` (x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The arguments `signature_r` and `signature_s` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `public_key` is valid -+*/ -+bool -+Hacl_P256_ecdsa_verif_without_hash( -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *public_key, -+ uint8_t *signature_r, -+ uint8_t *signature_s) -+{ -+ uint64_t m_q[4U] = { 0U }; -+ uint8_t mHash[32U] = { 0U }; -+ memcpy(mHash, msg, (uint32_t)32U * sizeof(uint8_t)); -+ uint8_t *mHash32 = mHash; -+ bn_from_bytes_be4(m_q, mHash32); -+ qmod_short(m_q, m_q); -+ bool res = ecdsa_verify_msg_as_qelem(m_q, public_key, signature_r, signature_s); -+ return res; -+} -+ -+/******************/ -+/* Key validation */ -+/******************/ -+ -+/** -+Public key validation. -+ -+ The function returns `true` if a public key is valid and `false` otherwise. -+ -+ The argument `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The public key (x || y) is valid (with respect to SP 800-56A): -+ • the public key is not the “point at infinity”, represented as O. -+ • the affine x and y coordinates of the point represented by the public key are -+ in the range [0, p – 1] where p is the prime defining the finite field. -+ • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. -+ The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ -+*/ -+bool -+Hacl_P256_validate_public_key(uint8_t *public_key) -+{ -+ uint64_t point_jac[12U] = { 0U }; -+ bool res = load_point_vartime(point_jac, public_key); -+ return res; -+} -+ -+/** -+Private key validation. -+ -+ The function returns `true` if a private key is valid and `false` otherwise. -+ -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The private key is valid: -+ • 0 < `private_key` < the order of the curve -+*/ -+bool -+Hacl_P256_validate_private_key(uint8_t *private_key) -+{ -+ uint64_t bn_sk[4U] = { 0U }; -+ bn_from_bytes_be4(bn_sk, private_key); -+ uint64_t res = bn_is_lt_order_and_gt_zero_mask4(bn_sk); -+ return res == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+/******************************************************************************* -+ Parsing and Serializing public keys. -+ -+ A public key is a point (x, y) on the P-256 NIST curve. -+ -+ The point can be represented in the following three ways. -+ • raw = [ x || y ], 64 bytes -+ • uncompressed = [ 0x04 || x || y ], 65 bytes -+ • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes -+ -+*******************************************************************************/ -+ -+/** -+Convert a public key from uncompressed to its raw form. -+ -+ The function returns `true` for successful conversion of a public key and `false` otherwise. -+ -+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+bool -+Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw) -+{ -+ uint8_t pk0 = pk[0U]; -+ if (pk0 != (uint8_t)0x04U) { -+ return false; -+ } -+ memcpy(pk_raw, pk + (uint32_t)1U, (uint32_t)64U * sizeof(uint8_t)); -+ return true; -+} -+ -+/** -+Convert a public key from compressed to its raw form. -+ -+ The function returns `true` for successful conversion of a public key and `false` otherwise. -+ -+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. -+ -+ The function also checks whether (x, y) is a valid point. -+*/ -+bool -+Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw) -+{ -+ uint64_t xa[4U] = { 0U }; -+ uint64_t ya[4U] = { 0U }; -+ uint8_t *pk_xb = pk + (uint32_t)1U; -+ bool b = aff_point_decompress_vartime(xa, ya, pk); -+ if (b) { -+ memcpy(pk_raw, pk_xb, (uint32_t)32U * sizeof(uint8_t)); -+ bn_to_bytes_be4(pk_raw + (uint32_t)32U, ya); -+ } -+ return b; -+} -+ -+/** -+Convert a public key from raw to its uncompressed form. -+ -+ The outparam `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. -+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+void -+Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk) -+{ -+ pk[0U] = (uint8_t)0x04U; -+ memcpy(pk + (uint32_t)1U, pk_raw, (uint32_t)64U * sizeof(uint8_t)); -+} -+ -+/** -+Convert a public key from raw to its compressed form. -+ -+ The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. -+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+void -+Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk) -+{ -+ uint8_t *pk_x = pk_raw; -+ uint8_t *pk_y = pk_raw + (uint32_t)32U; -+ uint64_t bn_f[4U] = { 0U }; -+ bn_from_bytes_be4(bn_f, pk_y); -+ uint64_t is_odd_f = bn_f[0U] & (uint64_t)1U; -+ pk[0U] = (uint8_t)is_odd_f + (uint8_t)0x02U; -+ memcpy(pk + (uint32_t)1U, pk_x, (uint32_t)32U * sizeof(uint8_t)); -+} -+ -+/******************/ -+/* ECDH agreement */ -+/******************/ -+ -+/** -+Compute the public key from the private key. -+ -+ The function returns `true` if a private key is valid and `false` otherwise. -+ -+ The outparam `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The private key is valid: -+ • 0 < `private_key` < the order of the curve. -+*/ -+bool -+Hacl_P256_dh_initiator(uint8_t *public_key, uint8_t *private_key) -+{ -+ return Hacl_Impl_P256_DH_ecp256dh_i(public_key, private_key); -+} -+ -+/** -+Execute the diffie-hellmann key exchange. -+ -+ The function returns `true` for successful creation of an ECDH shared secret and -+ `false` otherwise. -+ -+ The outparam `shared_secret` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `their_pubkey` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `their_pubkey` are valid. -+*/ -+bool -+Hacl_P256_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key) -+{ -+ return Hacl_Impl_P256_DH_ecp256dh_r(shared_secret, their_pubkey, private_key); -+} -+ -diff --git a/lib/freebl/verified/Hacl_P256.h b/lib/freebl/verified/Hacl_P256.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/Hacl_P256.h -@@ -0,0 +1,237 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __Hacl_P256_H -+#define __Hacl_P256_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "Hacl_Krmllib.h" -+#include "lib_intrinsics.h" -+ -+/******************************************************************************* -+ -+ Verified C library for ECDSA and ECDH functions over the P-256 NIST curve. -+ -+ This module implements signing and verification, key validation, conversions -+ between various point representations, and ECDH key agreement. -+ -+*******************************************************************************/ -+ -+/*****************/ -+/* ECDSA signing */ -+/*****************/ -+ -+/** -+Create an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-sign combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs -+ smaller than 32 bytes. These libraries left-pad the input with enough zeroes to -+ reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL -+ need to perform the left-padding themselves. -+ -+ The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. -+ -+ The outparam `signature` (R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The arguments `private_key` and `nonce` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `nonce` are valid values: -+ • 0 < `private_key` < the order of the curve -+ • 0 < `nonce` < the order of the curve -+*/ -+bool -+Hacl_P256_ecdsa_sign_p256_without_hash( -+ uint8_t *signature, -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *private_key, -+ uint8_t *nonce); -+ -+/**********************/ -+/* ECDSA verification */ -+/**********************/ -+ -+/** -+Verify an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-verify combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ The function returns `true` if the signature is valid and `false` otherwise. -+ -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The argument `public_key` (x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The arguments `signature_r` and `signature_s` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `public_key` is valid -+*/ -+bool -+Hacl_P256_ecdsa_verif_without_hash( -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *public_key, -+ uint8_t *signature_r, -+ uint8_t *signature_s); -+ -+/******************/ -+/* Key validation */ -+/******************/ -+ -+/** -+Public key validation. -+ -+ The function returns `true` if a public key is valid and `false` otherwise. -+ -+ The argument `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The public key (x || y) is valid (with respect to SP 800-56A): -+ • the public key is not the “point at infinity”, represented as O. -+ • the affine x and y coordinates of the point represented by the public key are -+ in the range [0, p – 1] where p is the prime defining the finite field. -+ • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. -+ The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ -+*/ -+bool Hacl_P256_validate_public_key(uint8_t *public_key); -+ -+/** -+Private key validation. -+ -+ The function returns `true` if a private key is valid and `false` otherwise. -+ -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The private key is valid: -+ • 0 < `private_key` < the order of the curve -+*/ -+bool Hacl_P256_validate_private_key(uint8_t *private_key); -+ -+/******************************************************************************* -+ Parsing and Serializing public keys. -+ -+ A public key is a point (x, y) on the P-256 NIST curve. -+ -+ The point can be represented in the following three ways. -+ • raw = [ x || y ], 64 bytes -+ • uncompressed = [ 0x04 || x || y ], 65 bytes -+ • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes -+ -+*******************************************************************************/ -+ -+/** -+Convert a public key from uncompressed to its raw form. -+ -+ The function returns `true` for successful conversion of a public key and `false` otherwise. -+ -+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+bool Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw); -+ -+/** -+Convert a public key from compressed to its raw form. -+ -+ The function returns `true` for successful conversion of a public key and `false` otherwise. -+ -+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. -+ -+ The function also checks whether (x, y) is a valid point. -+*/ -+bool Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw); -+ -+/** -+Convert a public key from raw to its uncompressed form. -+ -+ The outparam `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. -+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+void Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk); -+ -+/** -+Convert a public key from raw to its compressed form. -+ -+ The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. -+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+void Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk); -+ -+/******************/ -+/* ECDH agreement */ -+/******************/ -+ -+/** -+Compute the public key from the private key. -+ -+ The function returns `true` if a private key is valid and `false` otherwise. -+ -+ The outparam `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The private key is valid: -+ • 0 < `private_key` < the order of the curve. -+*/ -+bool Hacl_P256_dh_initiator(uint8_t *public_key, uint8_t *private_key); -+ -+/** -+Execute the diffie-hellmann key exchange. -+ -+ The function returns `true` for successful creation of an ECDH shared secret and -+ `false` otherwise. -+ -+ The outparam `shared_secret` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `their_pubkey` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `their_pubkey` are valid. -+*/ -+bool -+Hacl_P256_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key); -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __Hacl_P256_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/Hacl_Bignum_Base.h b/lib/freebl/verified/internal/Hacl_Bignum_Base.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/Hacl_Bignum_Base.h -@@ -0,0 +1,114 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __internal_Hacl_Bignum_Base_H -+#define __internal_Hacl_Bignum_Base_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "internal/Hacl_Krmllib.h" -+#include "Hacl_Krmllib.h" -+#include "internal/lib_intrinsics.h" -+ -+static inline uint32_t -+Hacl_Bignum_Base_mul_wide_add2_u32(uint32_t a, uint32_t b, uint32_t c_in, uint32_t *out) -+{ -+ uint32_t out0 = out[0U]; -+ uint64_t res = (uint64_t)a * (uint64_t)b + (uint64_t)c_in + (uint64_t)out0; -+ out[0U] = (uint32_t)res; -+ return (uint32_t)(res >> (uint32_t)32U); -+} -+ -+static inline uint64_t -+Hacl_Bignum_Base_mul_wide_add2_u64(uint64_t a, uint64_t b, uint64_t c_in, uint64_t *out) -+{ -+ uint64_t out0 = out[0U]; -+ FStar_UInt128_uint128 -+ res = -+ FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(a, b), -+ FStar_UInt128_uint64_to_uint128(c_in)), -+ FStar_UInt128_uint64_to_uint128(out0)); -+ out[0U] = FStar_UInt128_uint128_to_uint64(res); -+ return FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); -+} -+ -+static inline uint64_t -+Hacl_Bignum_Lib_bn_get_bits_u64(uint32_t len, uint64_t *b, uint32_t i, uint32_t l) -+{ -+ uint32_t i1 = i / (uint32_t)64U; -+ uint32_t j = i % (uint32_t)64U; -+ uint64_t p1 = b[i1] >> j; -+ uint64_t ite; -+ if (i1 + (uint32_t)1U < len && (uint32_t)0U < j) { -+ ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); -+ } else { -+ ite = p1; -+ } -+ return ite & (((uint64_t)1U << l) - (uint64_t)1U); -+} -+ -+static inline uint64_t -+Hacl_Bignum_Addition_bn_add_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res) -+{ -+ uint64_t c = (uint64_t)0U; -+ for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) { -+ uint64_t t1 = a[(uint32_t)4U * i]; -+ uint64_t t20 = b[(uint32_t)4U * i]; -+ uint64_t *res_i0 = res + (uint32_t)4U * i; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); -+ uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; -+ uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); -+ uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; -+ uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); -+ uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; -+ uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); -+ } -+ for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) { -+ uint64_t t1 = a[i]; -+ uint64_t t2 = b[i]; -+ uint64_t *res_i = res + i; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); -+ } -+ return c; -+} -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __internal_Hacl_Bignum_Base_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h -@@ -0,0 +1,83 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __Hacl_IntTypes_Intrinsics_H -+#define __Hacl_IntTypes_Intrinsics_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "Hacl_Krmllib.h" -+ -+static inline uint32_t -+Hacl_IntTypes_Intrinsics_add_carry_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r) -+{ -+ uint64_t res = (uint64_t)x + (uint64_t)cin + (uint64_t)y; -+ uint32_t c = (uint32_t)(res >> (uint32_t)32U); -+ r[0U] = (uint32_t)res; -+ return c; -+} -+ -+static inline uint32_t -+Hacl_IntTypes_Intrinsics_sub_borrow_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r) -+{ -+ uint64_t res = (uint64_t)x - (uint64_t)y - (uint64_t)cin; -+ uint32_t c = (uint32_t)(res >> (uint32_t)32U) & (uint32_t)1U; -+ r[0U] = (uint32_t)res; -+ return c; -+} -+ -+static inline uint64_t -+Hacl_IntTypes_Intrinsics_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) -+{ -+ uint64_t res = x + cin + y; -+ uint64_t -+ c = (~FStar_UInt64_gte_mask(res, x) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U; -+ r[0U] = res; -+ return c; -+} -+ -+static inline uint64_t -+Hacl_IntTypes_Intrinsics_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) -+{ -+ uint64_t res = x - y - cin; -+ uint64_t -+ c = -+ ((FStar_UInt64_gte_mask(res, x) & ~FStar_UInt64_eq_mask(res, x)) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U; -+ r[0U] = res; -+ return c; -+} -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __Hacl_IntTypes_Intrinsics_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h -@@ -0,0 +1,72 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __Hacl_IntTypes_Intrinsics_128_H -+#define __Hacl_IntTypes_Intrinsics_128_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "Hacl_Krmllib.h" -+ -+static inline uint64_t -+Hacl_IntTypes_Intrinsics_128_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) -+{ -+ FStar_UInt128_uint128 -+ res = -+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_uint64_to_uint128(x), -+ FStar_UInt128_uint64_to_uint128(cin)), -+ FStar_UInt128_uint64_to_uint128(y)); -+ uint64_t c = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); -+ r[0U] = FStar_UInt128_uint128_to_uint64(res); -+ return c; -+} -+ -+static inline uint64_t -+Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) -+{ -+ FStar_UInt128_uint128 -+ res = -+ FStar_UInt128_sub_mod(FStar_UInt128_sub_mod(FStar_UInt128_uint64_to_uint128(x), -+ FStar_UInt128_uint64_to_uint128(y)), -+ FStar_UInt128_uint64_to_uint128(cin)); -+ uint64_t -+ c = -+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)) & (uint64_t)1U; -+ r[0U] = FStar_UInt128_uint128_to_uint64(res); -+ return c; -+} -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __Hacl_IntTypes_Intrinsics_128_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/Hacl_P256.h b/lib/freebl/verified/internal/Hacl_P256.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/Hacl_P256.h -@@ -0,0 +1,56 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __internal_Hacl_P256_H -+#define __internal_Hacl_P256_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "internal/Hacl_P256_PrecompTable.h" -+#include "internal/Hacl_Krmllib.h" -+#include "internal/Hacl_Bignum_Base.h" -+#include "../Hacl_P256.h" -+//#include "lib_intrinsics.h" -+ -+bool Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_key); -+ -+bool -+Hacl_Impl_P256_DH_ecp256dh_r( -+ uint8_t *shared_secret, -+ uint8_t *their_pubkey, -+ uint8_t *private_key); -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __internal_Hacl_P256_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/Hacl_P256_PrecompTable.h b/lib/freebl/verified/internal/Hacl_P256_PrecompTable.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/Hacl_P256_PrecompTable.h -@@ -0,0 +1,508 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __internal_Hacl_P256_PrecompTable_H -+#define __internal_Hacl_P256_PrecompTable_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_basepoint_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)8784043285714375740U, -+ (uint64_t)8483257759279461889U, (uint64_t)8789745728267363600U, (uint64_t)1770019616739251654U, -+ (uint64_t)15992936863339206154U, (uint64_t)10037038012062884956U, -+ (uint64_t)15197544864945402661U, (uint64_t)9615747158586711429U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)10634854829044225757U, (uint64_t)351552716085025155U, (uint64_t)10645315080955407736U, -+ (uint64_t)3609262091244858135U, (uint64_t)15760741698986874125U, -+ (uint64_t)14936374388219697827U, (uint64_t)15751360096993017895U, -+ (uint64_t)18012233706239762398U, (uint64_t)1993877568177495041U, -+ (uint64_t)10345888787846536528U, (uint64_t)7746511691117935375U, -+ (uint64_t)14517043990409914413U, (uint64_t)14122549297570634151U, -+ (uint64_t)16934610359517083771U, (uint64_t)5724511325497097418U, (uint64_t)8983432969107448705U, -+ (uint64_t)2687429970334080245U, (uint64_t)16525396802810050288U, (uint64_t)7602596488871585854U, -+ (uint64_t)4813919589149203084U, (uint64_t)7680395813780804519U, (uint64_t)6687709583048023590U, -+ (uint64_t)18086445169104142027U, (uint64_t)9637814708330203929U, -+ (uint64_t)14785108459960679090U, (uint64_t)3838023279095023581U, (uint64_t)3555615526157830307U, -+ (uint64_t)5177066488380472871U, (uint64_t)18218186719108038403U, -+ (uint64_t)16281556341699656105U, (uint64_t)1524227924561461191U, (uint64_t)4148060517641909597U, -+ (uint64_t)2858290374115363433U, (uint64_t)8942772026334130620U, (uint64_t)3034451298319885113U, -+ (uint64_t)8447866036736640940U, (uint64_t)11204933433076256578U, -+ (uint64_t)18333595740249588297U, (uint64_t)8259597024804538246U, (uint64_t)9539734295777539786U, -+ (uint64_t)9797290423046626413U, (uint64_t)5777303437849646537U, (uint64_t)8739356909899132020U, -+ (uint64_t)14815960973766782158U, (uint64_t)15286581798204509801U, -+ (uint64_t)17597362577777019682U, (uint64_t)13259283710820519742U, -+ (uint64_t)10501322996899164670U, (uint64_t)1221138904338319642U, -+ (uint64_t)14586685489551951885U, (uint64_t)895326705426031212U, (uint64_t)14398171728560617847U, -+ (uint64_t)9592550823745097391U, (uint64_t)17240998489162206026U, (uint64_t)8085479283308189196U, -+ (uint64_t)14844657737893882826U, (uint64_t)15923425394150618234U, -+ (uint64_t)2997808084773249525U, (uint64_t)494323555453660587U, (uint64_t)1215695327517794764U, -+ (uint64_t)9476207381098391690U, (uint64_t)7480789678419122995U, (uint64_t)15212230329321082489U, -+ (uint64_t)436189395349576388U, (uint64_t)17377474396456660834U, (uint64_t)15237013929655017939U, -+ (uint64_t)11444428846883781676U, (uint64_t)5112749694521428575U, (uint64_t)950829367509872073U, -+ (uint64_t)17665036182057559519U, (uint64_t)17205133339690002313U, -+ (uint64_t)16233765170251334549U, (uint64_t)10122775683257972591U, -+ (uint64_t)3352514236455632420U, (uint64_t)9143148522359954691U, (uint64_t)601191684005658860U, -+ (uint64_t)13398772186646349998U, (uint64_t)15512696600132928431U, -+ (uint64_t)9128416073728948653U, (uint64_t)11233051033546138578U, (uint64_t)6769345682610122833U, -+ (uint64_t)10823233224575054288U, (uint64_t)9997725227559980175U, (uint64_t)6733425642852897415U, -+ (uint64_t)16302206918151466066U, (uint64_t)1669330822143265921U, (uint64_t)2661645605036546002U, -+ (uint64_t)17182558479745802165U, (uint64_t)1165082692376932040U, (uint64_t)9470595929011488359U, -+ (uint64_t)6142147329285324932U, (uint64_t)4829075085998111287U, (uint64_t)10231370681107338930U, -+ (uint64_t)9591876895322495239U, (uint64_t)10316468561384076618U, -+ (uint64_t)11592503647238064235U, (uint64_t)13395813606055179632U, (uint64_t)511127033980815508U, -+ (uint64_t)12434976573147649880U, (uint64_t)3425094795384359127U, (uint64_t)6816971736303023445U, -+ (uint64_t)15444670609021139344U, (uint64_t)9464349818322082360U, -+ (uint64_t)16178216413042376883U, (uint64_t)9595540370774317348U, (uint64_t)7229365182662875710U, -+ (uint64_t)4601177649460012843U, (uint64_t)5455046447382487090U, (uint64_t)10854066421606187521U, -+ (uint64_t)15913416821879788071U, (uint64_t)2297365362023460173U, (uint64_t)2603252216454941350U, -+ (uint64_t)6768791943870490934U, (uint64_t)15705936687122754810U, (uint64_t)9537096567546600694U, -+ (uint64_t)17580538144855035062U, (uint64_t)4496542856965746638U, (uint64_t)8444341625922124942U, -+ (uint64_t)12191263903636183168U, (uint64_t)17427332907535974165U, -+ (uint64_t)14307569739254103736U, (uint64_t)13900598742063266169U, -+ (uint64_t)7176996424355977650U, (uint64_t)5709008170379717479U, (uint64_t)14471312052264549092U, -+ (uint64_t)1464519909491759867U, (uint64_t)3328154641049602121U, (uint64_t)13020349337171136774U, -+ (uint64_t)2772166279972051938U, (uint64_t)10854476939425975292U, (uint64_t)1967189930534630940U, -+ (uint64_t)2802919076529341959U, (uint64_t)14792226094833519208U, -+ (uint64_t)14675640928566522177U, (uint64_t)14838974364643800837U, -+ (uint64_t)17631460696099549980U, (uint64_t)17434186275364935469U, -+ (uint64_t)2665648200587705473U, (uint64_t)13202122464492564051U, (uint64_t)7576287350918073341U, -+ (uint64_t)2272206013910186424U, (uint64_t)14558761641743937843U, (uint64_t)5675729149929979729U, -+ (uint64_t)9043135187561613166U, (uint64_t)11750149293830589225U, (uint64_t)740555197954307911U, -+ (uint64_t)9871738005087190699U, (uint64_t)17178667634283502053U, -+ (uint64_t)18046255991533013265U, (uint64_t)4458222096988430430U, (uint64_t)8452427758526311627U, -+ (uint64_t)13825286929656615266U, (uint64_t)13956286357198391218U, -+ (uint64_t)15875692916799995079U, (uint64_t)10634895319157013920U, -+ (uint64_t)13230116118036304207U, (uint64_t)8795317393614625606U, (uint64_t)7001710806858862020U, -+ (uint64_t)7949746088586183478U, (uint64_t)14677556044923602317U, -+ (uint64_t)11184023437485843904U, (uint64_t)11215864722023085094U, -+ (uint64_t)6444464081471519014U, (uint64_t)1706241174022415217U, (uint64_t)8243975633057550613U, -+ (uint64_t)15502902453836085864U, (uint64_t)3799182188594003953U, (uint64_t)3538840175098724094U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_g_pow2_64_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1499621593102562565U, -+ (uint64_t)16692369783039433128U, (uint64_t)15337520135922861848U, -+ (uint64_t)5455737214495366228U, (uint64_t)17827017231032529600U, -+ (uint64_t)12413621606240782649U, (uint64_t)2290483008028286132U, -+ (uint64_t)15752017553340844820U, (uint64_t)4846430910634234874U, -+ (uint64_t)10861682798464583253U, (uint64_t)15404737222404363049U, (uint64_t)363586619281562022U, -+ (uint64_t)9866710912401645115U, (uint64_t)1162548847543228595U, (uint64_t)7649967190445130486U, -+ (uint64_t)5212340432230915749U, (uint64_t)7572620550182916491U, (uint64_t)14876145112448665096U, -+ (uint64_t)2063227348838176167U, (uint64_t)3519435548295415847U, (uint64_t)8390400282019023103U, -+ (uint64_t)17666843593163037841U, (uint64_t)9450204148816496323U, (uint64_t)8483374507652916768U, -+ (uint64_t)6254661047265818424U, (uint64_t)16382127809582285023U, (uint64_t)125359443771153172U, -+ (uint64_t)1374336701588437897U, (uint64_t)11362596098420127726U, (uint64_t)2101654420738681387U, -+ (uint64_t)12772780342444840510U, (uint64_t)12546934328908550060U, -+ (uint64_t)8331880412333790397U, (uint64_t)11687262051473819904U, (uint64_t)8926848496503457587U, -+ (uint64_t)9603974142010467857U, (uint64_t)13199952163826973175U, (uint64_t)2189856264898797734U, -+ (uint64_t)11356074861870267226U, (uint64_t)2027714896422561895U, (uint64_t)5261606367808050149U, -+ (uint64_t)153855954337762312U, (uint64_t)6375919692894573986U, (uint64_t)12364041207536146533U, -+ (uint64_t)1891896010455057160U, (uint64_t)1568123795087313171U, (uint64_t)18138710056556660101U, -+ (uint64_t)6004886947510047736U, (uint64_t)4811859325589542932U, (uint64_t)3618763430148954981U, -+ (uint64_t)11434521746258554122U, (uint64_t)10086341535864049427U, -+ (uint64_t)8073421629570399570U, (uint64_t)12680586148814729338U, (uint64_t)9619958020761569612U, -+ (uint64_t)15827203580658384478U, (uint64_t)12832694810937550406U, -+ (uint64_t)14977975484447400910U, (uint64_t)5478002389061063653U, -+ (uint64_t)14731136312639060880U, (uint64_t)4317867687275472033U, (uint64_t)6642650962855259884U, -+ (uint64_t)2514254944289495285U, (uint64_t)14231405641534478436U, (uint64_t)4045448346091518946U, -+ (uint64_t)8985477013445972471U, (uint64_t)8869039454457032149U, (uint64_t)4356978486208692970U, -+ (uint64_t)10805288613335538577U, (uint64_t)12832353127812502042U, -+ (uint64_t)4576590051676547490U, (uint64_t)6728053735138655107U, (uint64_t)17814206719173206184U, -+ (uint64_t)79790138573994940U, (uint64_t)17920293215101822267U, (uint64_t)13422026625585728864U, -+ (uint64_t)5018058010492547271U, (uint64_t)110232326023384102U, (uint64_t)10834264070056942976U, -+ (uint64_t)15222249086119088588U, (uint64_t)15119439519142044997U, -+ (uint64_t)11655511970063167313U, (uint64_t)1614477029450566107U, (uint64_t)3619322817271059794U, -+ (uint64_t)9352862040415412867U, (uint64_t)14017522553242747074U, -+ (uint64_t)13138513643674040327U, (uint64_t)3610195242889455765U, (uint64_t)8371069193996567291U, -+ (uint64_t)12670227996544662654U, (uint64_t)1205961025092146303U, -+ (uint64_t)13106709934003962112U, (uint64_t)4350113471327723407U, -+ (uint64_t)15060941403739680459U, (uint64_t)13639127647823205030U, -+ (uint64_t)10790943339357725715U, (uint64_t)498760574280648264U, (uint64_t)17922071907832082887U, -+ (uint64_t)15122670976670152145U, (uint64_t)6275027991110214322U, (uint64_t)7250912847491816402U, -+ (uint64_t)15206617260142982380U, (uint64_t)3385668313694152877U, -+ (uint64_t)17522479771766801905U, (uint64_t)2965919117476170655U, (uint64_t)1553238516603269404U, -+ (uint64_t)5820770015631050991U, (uint64_t)4999445222232605348U, (uint64_t)9245650860833717444U, -+ (uint64_t)1508811811724230728U, (uint64_t)5190684913765614385U, (uint64_t)15692927070934536166U, -+ (uint64_t)12981978499190500902U, (uint64_t)5143491963193394698U, (uint64_t)7705698092144084129U, -+ (uint64_t)581120653055084783U, (uint64_t)13886552864486459714U, (uint64_t)6290301270652587255U, -+ (uint64_t)8663431529954393128U, (uint64_t)17033405846475472443U, (uint64_t)5206780355442651635U, -+ (uint64_t)12580364474736467688U, (uint64_t)17934601912005283310U, -+ (uint64_t)15119491731028933652U, (uint64_t)17848231399859044858U, -+ (uint64_t)4427673319524919329U, (uint64_t)2673607337074368008U, (uint64_t)14034876464294699949U, -+ (uint64_t)10938948975420813697U, (uint64_t)15202340615298669183U, -+ (uint64_t)5496603454069431071U, (uint64_t)2486526142064906845U, (uint64_t)4507882119510526802U, -+ (uint64_t)13888151172411390059U, (uint64_t)15049027856908071726U, -+ (uint64_t)9667231543181973158U, (uint64_t)6406671575277563202U, (uint64_t)3395801050331215139U, -+ (uint64_t)9813607433539108308U, (uint64_t)2681417728820980381U, (uint64_t)18407064643927113994U, -+ (uint64_t)7707177692113485527U, (uint64_t)14218149384635317074U, (uint64_t)3658668346206375919U, -+ (uint64_t)15404713991002362166U, (uint64_t)10152074687696195207U, -+ (uint64_t)10926946599582128139U, (uint64_t)16907298600007085320U, -+ (uint64_t)16544287219664720279U, (uint64_t)11007075933432813205U, -+ (uint64_t)8652245965145713599U, (uint64_t)7857626748965990384U, (uint64_t)5602306604520095870U, -+ (uint64_t)2525139243938658618U, (uint64_t)14405696176872077447U, -+ (uint64_t)18432270482137885332U, (uint64_t)9913880809120071177U, -+ (uint64_t)16896141737831216972U, (uint64_t)7484791498211214829U, -+ (uint64_t)15635259968266497469U, (uint64_t)8495118537612215624U, (uint64_t)4915477980562575356U, -+ (uint64_t)16453519279754924350U, (uint64_t)14462108244565406969U, -+ (uint64_t)14837837755237096687U, (uint64_t)14130171078892575346U, -+ (uint64_t)15423793222528491497U, (uint64_t)5460399262075036084U, -+ (uint64_t)16085440580308415349U, (uint64_t)26873200736954488U, (uint64_t)5603655807457499550U, -+ (uint64_t)3342202915871129617U, (uint64_t)1604413932150236626U, (uint64_t)9684226585089458974U, -+ (uint64_t)1213229904006618539U, (uint64_t)6782978662408837236U, (uint64_t)11197029877749307372U, -+ (uint64_t)14085968786551657744U, (uint64_t)17352273610494009342U, -+ (uint64_t)7876582961192434984U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_g_pow2_128_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)14619254753077084366U, -+ (uint64_t)13913835116514008593U, (uint64_t)15060744674088488145U, -+ (uint64_t)17668414598203068685U, (uint64_t)10761169236902342334U, -+ (uint64_t)15467027479157446221U, (uint64_t)14989185522423469618U, -+ (uint64_t)14354539272510107003U, (uint64_t)14298211796392133693U, -+ (uint64_t)13270323784253711450U, (uint64_t)13380964971965046957U, -+ (uint64_t)8686204248456909699U, (uint64_t)17434630286744937066U, (uint64_t)1355903775279084720U, -+ (uint64_t)7554695053550308662U, (uint64_t)11354971222741863570U, (uint64_t)564601613420749879U, -+ (uint64_t)8466325837259054896U, (uint64_t)10752965181772434263U, -+ (uint64_t)11405876547368426319U, (uint64_t)13791894568738930940U, -+ (uint64_t)8230587134406354675U, (uint64_t)12415514098722758608U, -+ (uint64_t)18414183046995786744U, (uint64_t)15508000368227372870U, -+ (uint64_t)5781062464627999307U, (uint64_t)15339429052219195590U, -+ (uint64_t)16038703753810741903U, (uint64_t)9587718938298980714U, (uint64_t)4822658817952386407U, -+ (uint64_t)1376351024833260660U, (uint64_t)1120174910554766702U, (uint64_t)1730170933262569274U, -+ (uint64_t)5187428548444533500U, (uint64_t)16242053503368957131U, (uint64_t)3036811119519868279U, -+ (uint64_t)1760267587958926638U, (uint64_t)170244572981065185U, (uint64_t)8063080791967388171U, -+ (uint64_t)4824892826607692737U, (uint64_t)16286391083472040552U, -+ (uint64_t)11945158615253358747U, (uint64_t)14096887760410224200U, -+ (uint64_t)1613720831904557039U, (uint64_t)14316966673761197523U, -+ (uint64_t)17411006201485445341U, (uint64_t)8112301506943158801U, (uint64_t)2069889233927989984U, -+ (uint64_t)10082848378277483927U, (uint64_t)3609691194454404430U, (uint64_t)6110437205371933689U, -+ (uint64_t)9769135977342231601U, (uint64_t)11977962151783386478U, -+ (uint64_t)18088718692559983573U, (uint64_t)11741637975753055U, (uint64_t)11110390325701582190U, -+ (uint64_t)1341402251566067019U, (uint64_t)3028229550849726478U, (uint64_t)10438984083997451310U, -+ (uint64_t)12730851885100145709U, (uint64_t)11524169532089894189U, -+ (uint64_t)4523375903229602674U, (uint64_t)2028602258037385622U, (uint64_t)17082839063089388410U, -+ (uint64_t)6103921364634113167U, (uint64_t)17066180888225306102U, -+ (uint64_t)11395680486707876195U, (uint64_t)10952892272443345484U, -+ (uint64_t)8792831960605859401U, (uint64_t)14194485427742325139U, -+ (uint64_t)15146020821144305250U, (uint64_t)1654766014957123343U, (uint64_t)7955526243090948551U, -+ (uint64_t)3989277566080493308U, (uint64_t)12229385116397931231U, -+ (uint64_t)13430548930727025562U, (uint64_t)3434892688179800602U, (uint64_t)8431998794645622027U, -+ (uint64_t)12132530981596299272U, (uint64_t)2289461608863966999U, -+ (uint64_t)18345870950201487179U, (uint64_t)13517947207801901576U, -+ (uint64_t)5213113244172561159U, (uint64_t)17632986594098340879U, (uint64_t)4405251818133148856U, -+ (uint64_t)11783009269435447793U, (uint64_t)9332138983770046035U, -+ (uint64_t)12863411548922539505U, (uint64_t)3717030292816178224U, -+ (uint64_t)10026078446427137374U, (uint64_t)11167295326594317220U, -+ (uint64_t)12425328773141588668U, (uint64_t)5760335125172049352U, (uint64_t)9016843701117277863U, -+ (uint64_t)5657892835694680172U, (uint64_t)11025130589305387464U, (uint64_t)1368484957977406173U, -+ (uint64_t)17361351345281258834U, (uint64_t)1907113641956152700U, -+ (uint64_t)16439233413531427752U, (uint64_t)5893322296986588932U, -+ (uint64_t)14000206906171746627U, (uint64_t)14979266987545792900U, -+ (uint64_t)6926291766898221120U, (uint64_t)7162023296083360752U, (uint64_t)14762747553625382529U, -+ (uint64_t)12610831658612406849U, (uint64_t)10462926899548715515U, -+ (uint64_t)4794017723140405312U, (uint64_t)5234438200490163319U, (uint64_t)8019519110339576320U, -+ (uint64_t)7194604241290530100U, (uint64_t)12626770134810813246U, -+ (uint64_t)10793074474236419890U, (uint64_t)11323224347913978783U, -+ (uint64_t)16831128015895380245U, (uint64_t)18323094195124693378U, -+ (uint64_t)2361097165281567692U, (uint64_t)15755578675014279498U, -+ (uint64_t)14289876470325854580U, (uint64_t)12856787656093616839U, -+ (uint64_t)3578928531243900594U, (uint64_t)3847532758790503699U, (uint64_t)8377953190224748743U, -+ (uint64_t)3314546646092744596U, (uint64_t)800810188859334358U, (uint64_t)4626344124229343596U, -+ (uint64_t)6620381605850876621U, (uint64_t)11422073570955989527U, -+ (uint64_t)12676813626484814469U, (uint64_t)16725029886764122240U, -+ (uint64_t)16648497372773830008U, (uint64_t)9135702594931291048U, -+ (uint64_t)16080949688826680333U, (uint64_t)11528096561346602947U, -+ (uint64_t)2632498067099740984U, (uint64_t)11583842699108800714U, (uint64_t)8378404864573610526U, -+ (uint64_t)1076560261627788534U, (uint64_t)13836015994325032828U, -+ (uint64_t)11234295937817067909U, (uint64_t)5893659808396722708U, -+ (uint64_t)11277421142886984364U, (uint64_t)8968549037166726491U, -+ (uint64_t)14841374331394032822U, (uint64_t)9967344773947889341U, (uint64_t)8799244393578496085U, -+ (uint64_t)5094686877301601410U, (uint64_t)8780316747074726862U, (uint64_t)9119697306829835718U, -+ (uint64_t)15381243327921855368U, (uint64_t)2686250164449435196U, -+ (uint64_t)16466917280442198358U, (uint64_t)13791704489163125216U, -+ (uint64_t)16955859337117924272U, (uint64_t)17112836394923783642U, -+ (uint64_t)4639176427338618063U, (uint64_t)16770029310141094964U, -+ (uint64_t)11049953922966416185U, (uint64_t)12012669590884098968U, -+ (uint64_t)4859326885929417214U, (uint64_t)896380084392586061U, (uint64_t)7153028362977034008U, -+ (uint64_t)10540021163316263301U, (uint64_t)9318277998512936585U, -+ (uint64_t)18344496977694796523U, (uint64_t)11374737400567645494U, -+ (uint64_t)17158800051138212954U, (uint64_t)18343197867863253153U, -+ (uint64_t)18204799297967861226U, (uint64_t)15798973531606348828U, -+ (uint64_t)9870158263408310459U, (uint64_t)17578869832774612627U, (uint64_t)8395748875822696932U, -+ (uint64_t)15310679007370670872U, (uint64_t)11205576736030808860U, -+ (uint64_t)10123429210002838967U, (uint64_t)5910544144088393959U, -+ (uint64_t)14016615653353687369U, (uint64_t)11191676704772957822U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_g_pow2_192_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)7870395003430845958U, -+ (uint64_t)18001862936410067720U, (uint64_t)8006461232116967215U, (uint64_t)5921313779532424762U, -+ (uint64_t)10702113371959864307U, (uint64_t)8070517410642379879U, (uint64_t)7139806720777708306U, -+ (uint64_t)8253938546650739833U, (uint64_t)17490482834545705718U, (uint64_t)1065249776797037500U, -+ (uint64_t)5018258455937968775U, (uint64_t)14100621120178668337U, (uint64_t)8392845221328116213U, -+ (uint64_t)14630296398338540788U, (uint64_t)4268947906723414372U, (uint64_t)9231207002243517909U, -+ (uint64_t)14261219637616504262U, (uint64_t)7786881626982345356U, -+ (uint64_t)11412720751765882139U, (uint64_t)14119585051365330009U, -+ (uint64_t)15281626286521302128U, (uint64_t)6350171933454266732U, -+ (uint64_t)16559468304937127866U, (uint64_t)13200760478271693417U, -+ (uint64_t)6733381546280350776U, (uint64_t)3801404890075189193U, (uint64_t)2741036364686993903U, -+ (uint64_t)3218612940540174008U, (uint64_t)10894914335165419505U, -+ (uint64_t)11862941430149998362U, (uint64_t)4223151729402839584U, (uint64_t)2913215088487087887U, -+ (uint64_t)14562168920104952953U, (uint64_t)2170089393468287453U, -+ (uint64_t)10520900655016579352U, (uint64_t)7040362608949989273U, (uint64_t)8376510559381705307U, -+ (uint64_t)9142237200448131532U, (uint64_t)5696859948123854080U, (uint64_t)925422306716081180U, -+ (uint64_t)11155545953469186421U, (uint64_t)1888208646862572812U, -+ (uint64_t)11151095998248845721U, (uint64_t)15793503271680275267U, -+ (uint64_t)7729877044494854851U, (uint64_t)6235134673193032913U, (uint64_t)7364280682182401564U, -+ (uint64_t)5479679373325519985U, (uint64_t)17966037684582301763U, -+ (uint64_t)14140891609330279185U, (uint64_t)5814744449740463867U, (uint64_t)5652588426712591652U, -+ (uint64_t)774745682988690912U, (uint64_t)13228255573220500373U, (uint64_t)11949122068786859397U, -+ (uint64_t)8021166392900770376U, (uint64_t)7994323710948720063U, (uint64_t)9924618472877849977U, -+ (uint64_t)17618517523141194266U, (uint64_t)2750424097794401714U, -+ (uint64_t)15481749570715253207U, (uint64_t)14646964509921760497U, -+ (uint64_t)1037442848094301355U, (uint64_t)6295995947389299132U, (uint64_t)16915049722317579514U, -+ (uint64_t)10493877400992990313U, (uint64_t)18391008753060553521U, (uint64_t)483942209623707598U, -+ (uint64_t)2017775662838016613U, (uint64_t)5933251998459363553U, (uint64_t)11789135019970707407U, -+ (uint64_t)5484123723153268336U, (uint64_t)13246954648848484954U, (uint64_t)4774374393926023505U, -+ (uint64_t)14863995618704457336U, (uint64_t)13220153167104973625U, -+ (uint64_t)5988445485312390826U, (uint64_t)17580359464028944682U, (uint64_t)7297100131969874771U, -+ (uint64_t)379931507867989375U, (uint64_t)10927113096513421444U, (uint64_t)17688881974428340857U, -+ (uint64_t)4259872578781463333U, (uint64_t)8573076295966784472U, (uint64_t)16389829450727275032U, -+ (uint64_t)1667243868963568259U, (uint64_t)17730726848925960919U, -+ (uint64_t)11408899874569778008U, (uint64_t)3576527582023272268U, -+ (uint64_t)16492920640224231656U, (uint64_t)7906130545972460130U, -+ (uint64_t)13878604278207681266U, (uint64_t)41446695125652041U, (uint64_t)8891615271337333503U, -+ (uint64_t)2594537723613594470U, (uint64_t)7699579176995770924U, (uint64_t)147458463055730655U, -+ (uint64_t)12120406862739088406U, (uint64_t)12044892493010567063U, -+ (uint64_t)8554076749615475136U, (uint64_t)1005097692260929999U, (uint64_t)2687202654471188715U, -+ (uint64_t)9457588752176879209U, (uint64_t)17472884880062444019U, (uint64_t)9792097892056020166U, -+ (uint64_t)2525246678512797150U, (uint64_t)15958903035313115662U, -+ (uint64_t)11336038170342247032U, (uint64_t)11560342382835141123U, -+ (uint64_t)6212009033479929024U, (uint64_t)8214308203775021229U, (uint64_t)8475469210070503698U, -+ (uint64_t)13287024123485719563U, (uint64_t)12956951963817520723U, -+ (uint64_t)10693035819908470465U, (uint64_t)11375478788224786725U, -+ (uint64_t)16934625208487120398U, (uint64_t)10094585729115874495U, -+ (uint64_t)2763884524395905776U, (uint64_t)13535890148969964883U, -+ (uint64_t)13514657411765064358U, (uint64_t)9903074440788027562U, -+ (uint64_t)17324720726421199990U, (uint64_t)2273931039117368789U, (uint64_t)3442641041506157854U, -+ (uint64_t)1119853641236409612U, (uint64_t)12037070344296077989U, (uint64_t)581736433335671746U, -+ (uint64_t)6019150647054369174U, (uint64_t)14864096138068789375U, (uint64_t)6652995210998318662U, -+ (uint64_t)12773883697029175304U, (uint64_t)12751275631451845119U, -+ (uint64_t)11449095003038250478U, (uint64_t)1025805267334366480U, (uint64_t)2764432500300815015U, -+ (uint64_t)18274564429002844381U, (uint64_t)10445634195592600351U, -+ (uint64_t)11814099592837202735U, (uint64_t)5006796893679120289U, (uint64_t)6908397253997261914U, -+ (uint64_t)13266696965302879279U, (uint64_t)7768715053015037430U, (uint64_t)3569923738654785686U, -+ (uint64_t)5844853453464857549U, (uint64_t)1837340805629559110U, (uint64_t)1034657624388283114U, -+ (uint64_t)711244516069456460U, (uint64_t)12519286026957934814U, (uint64_t)2613464944620837619U, -+ (uint64_t)10003023321338286213U, (uint64_t)7291332092642881376U, (uint64_t)9832199564117004897U, -+ (uint64_t)3280736694860799890U, (uint64_t)6416452202849179874U, (uint64_t)7326961381798642069U, -+ (uint64_t)8435688798040635029U, (uint64_t)16630141263910982958U, -+ (uint64_t)17222635514422533318U, (uint64_t)9482787389178881499U, (uint64_t)836561194658263905U, -+ (uint64_t)3405319043337616649U, (uint64_t)2786146577568026518U, (uint64_t)7625483685691626321U, -+ (uint64_t)6728084875304656716U, (uint64_t)1140997959232544268U, (uint64_t)12847384827606303792U, -+ (uint64_t)1719121337754572070U, (uint64_t)12863589482936438532U, (uint64_t)3880712899640530862U, -+ (uint64_t)2748456882813671564U, (uint64_t)4775988900044623019U, (uint64_t)8937847374382191162U, -+ (uint64_t)3767367347172252295U, (uint64_t)13468672401049388646U, -+ (uint64_t)14359032216842397576U, (uint64_t)2002555958685443975U, -+ (uint64_t)16488678606651526810U, (uint64_t)11826135409597474760U, -+ (uint64_t)15296495673182508601U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_basepoint_table_w5[384U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)8784043285714375740U, -+ (uint64_t)8483257759279461889U, (uint64_t)8789745728267363600U, (uint64_t)1770019616739251654U, -+ (uint64_t)15992936863339206154U, (uint64_t)10037038012062884956U, -+ (uint64_t)15197544864945402661U, (uint64_t)9615747158586711429U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)10634854829044225757U, (uint64_t)351552716085025155U, (uint64_t)10645315080955407736U, -+ (uint64_t)3609262091244858135U, (uint64_t)15760741698986874125U, -+ (uint64_t)14936374388219697827U, (uint64_t)15751360096993017895U, -+ (uint64_t)18012233706239762398U, (uint64_t)1993877568177495041U, -+ (uint64_t)10345888787846536528U, (uint64_t)7746511691117935375U, -+ (uint64_t)14517043990409914413U, (uint64_t)14122549297570634151U, -+ (uint64_t)16934610359517083771U, (uint64_t)5724511325497097418U, (uint64_t)8983432969107448705U, -+ (uint64_t)2687429970334080245U, (uint64_t)16525396802810050288U, (uint64_t)7602596488871585854U, -+ (uint64_t)4813919589149203084U, (uint64_t)7680395813780804519U, (uint64_t)6687709583048023590U, -+ (uint64_t)18086445169104142027U, (uint64_t)9637814708330203929U, -+ (uint64_t)14785108459960679090U, (uint64_t)3838023279095023581U, (uint64_t)3555615526157830307U, -+ (uint64_t)5177066488380472871U, (uint64_t)18218186719108038403U, -+ (uint64_t)16281556341699656105U, (uint64_t)1524227924561461191U, (uint64_t)4148060517641909597U, -+ (uint64_t)2858290374115363433U, (uint64_t)8942772026334130620U, (uint64_t)3034451298319885113U, -+ (uint64_t)8447866036736640940U, (uint64_t)11204933433076256578U, -+ (uint64_t)18333595740249588297U, (uint64_t)8259597024804538246U, (uint64_t)9539734295777539786U, -+ (uint64_t)9797290423046626413U, (uint64_t)5777303437849646537U, (uint64_t)8739356909899132020U, -+ (uint64_t)14815960973766782158U, (uint64_t)15286581798204509801U, -+ (uint64_t)17597362577777019682U, (uint64_t)13259283710820519742U, -+ (uint64_t)10501322996899164670U, (uint64_t)1221138904338319642U, -+ (uint64_t)14586685489551951885U, (uint64_t)895326705426031212U, (uint64_t)14398171728560617847U, -+ (uint64_t)9592550823745097391U, (uint64_t)17240998489162206026U, (uint64_t)8085479283308189196U, -+ (uint64_t)14844657737893882826U, (uint64_t)15923425394150618234U, -+ (uint64_t)2997808084773249525U, (uint64_t)494323555453660587U, (uint64_t)1215695327517794764U, -+ (uint64_t)9476207381098391690U, (uint64_t)7480789678419122995U, (uint64_t)15212230329321082489U, -+ (uint64_t)436189395349576388U, (uint64_t)17377474396456660834U, (uint64_t)15237013929655017939U, -+ (uint64_t)11444428846883781676U, (uint64_t)5112749694521428575U, (uint64_t)950829367509872073U, -+ (uint64_t)17665036182057559519U, (uint64_t)17205133339690002313U, -+ (uint64_t)16233765170251334549U, (uint64_t)10122775683257972591U, -+ (uint64_t)3352514236455632420U, (uint64_t)9143148522359954691U, (uint64_t)601191684005658860U, -+ (uint64_t)13398772186646349998U, (uint64_t)15512696600132928431U, -+ (uint64_t)9128416073728948653U, (uint64_t)11233051033546138578U, (uint64_t)6769345682610122833U, -+ (uint64_t)10823233224575054288U, (uint64_t)9997725227559980175U, (uint64_t)6733425642852897415U, -+ (uint64_t)16302206918151466066U, (uint64_t)1669330822143265921U, (uint64_t)2661645605036546002U, -+ (uint64_t)17182558479745802165U, (uint64_t)1165082692376932040U, (uint64_t)9470595929011488359U, -+ (uint64_t)6142147329285324932U, (uint64_t)4829075085998111287U, (uint64_t)10231370681107338930U, -+ (uint64_t)9591876895322495239U, (uint64_t)10316468561384076618U, -+ (uint64_t)11592503647238064235U, (uint64_t)13395813606055179632U, (uint64_t)511127033980815508U, -+ (uint64_t)12434976573147649880U, (uint64_t)3425094795384359127U, (uint64_t)6816971736303023445U, -+ (uint64_t)15444670609021139344U, (uint64_t)9464349818322082360U, -+ (uint64_t)16178216413042376883U, (uint64_t)9595540370774317348U, (uint64_t)7229365182662875710U, -+ (uint64_t)4601177649460012843U, (uint64_t)5455046447382487090U, (uint64_t)10854066421606187521U, -+ (uint64_t)15913416821879788071U, (uint64_t)2297365362023460173U, (uint64_t)2603252216454941350U, -+ (uint64_t)6768791943870490934U, (uint64_t)15705936687122754810U, (uint64_t)9537096567546600694U, -+ (uint64_t)17580538144855035062U, (uint64_t)4496542856965746638U, (uint64_t)8444341625922124942U, -+ (uint64_t)12191263903636183168U, (uint64_t)17427332907535974165U, -+ (uint64_t)14307569739254103736U, (uint64_t)13900598742063266169U, -+ (uint64_t)7176996424355977650U, (uint64_t)5709008170379717479U, (uint64_t)14471312052264549092U, -+ (uint64_t)1464519909491759867U, (uint64_t)3328154641049602121U, (uint64_t)13020349337171136774U, -+ (uint64_t)2772166279972051938U, (uint64_t)10854476939425975292U, (uint64_t)1967189930534630940U, -+ (uint64_t)2802919076529341959U, (uint64_t)14792226094833519208U, -+ (uint64_t)14675640928566522177U, (uint64_t)14838974364643800837U, -+ (uint64_t)17631460696099549980U, (uint64_t)17434186275364935469U, -+ (uint64_t)2665648200587705473U, (uint64_t)13202122464492564051U, (uint64_t)7576287350918073341U, -+ (uint64_t)2272206013910186424U, (uint64_t)14558761641743937843U, (uint64_t)5675729149929979729U, -+ (uint64_t)9043135187561613166U, (uint64_t)11750149293830589225U, (uint64_t)740555197954307911U, -+ (uint64_t)9871738005087190699U, (uint64_t)17178667634283502053U, -+ (uint64_t)18046255991533013265U, (uint64_t)4458222096988430430U, (uint64_t)8452427758526311627U, -+ (uint64_t)13825286929656615266U, (uint64_t)13956286357198391218U, -+ (uint64_t)15875692916799995079U, (uint64_t)10634895319157013920U, -+ (uint64_t)13230116118036304207U, (uint64_t)8795317393614625606U, (uint64_t)7001710806858862020U, -+ (uint64_t)7949746088586183478U, (uint64_t)14677556044923602317U, -+ (uint64_t)11184023437485843904U, (uint64_t)11215864722023085094U, -+ (uint64_t)6444464081471519014U, (uint64_t)1706241174022415217U, (uint64_t)8243975633057550613U, -+ (uint64_t)15502902453836085864U, (uint64_t)3799182188594003953U, (uint64_t)3538840175098724094U, -+ (uint64_t)13240193491554624643U, (uint64_t)12365034249541329920U, -+ (uint64_t)2924326828590977357U, (uint64_t)5687195797140589099U, (uint64_t)16880427227292834531U, -+ (uint64_t)9691471435758991112U, (uint64_t)16642385273732487288U, -+ (uint64_t)12173806747523009914U, (uint64_t)13142722756877876849U, -+ (uint64_t)8370377548305121979U, (uint64_t)17988526053752025426U, (uint64_t)4818750752684100334U, -+ (uint64_t)5669241919350361655U, (uint64_t)4964810303238518540U, (uint64_t)16709712747671533191U, -+ (uint64_t)4461414404267448242U, (uint64_t)3971798785139504238U, (uint64_t)6276818948740422136U, -+ (uint64_t)1426735892164275762U, (uint64_t)7943622674892418919U, (uint64_t)9864274225563929680U, -+ (uint64_t)57815533745003233U, (uint64_t)10893588105168960233U, (uint64_t)15739162732907069535U, -+ (uint64_t)3923866849462073470U, (uint64_t)12279826158399226875U, (uint64_t)1533015761334846582U, -+ (uint64_t)15860156818568437510U, (uint64_t)8252625373831297988U, (uint64_t)9666953804812706358U, -+ (uint64_t)8767785238646914634U, (uint64_t)14382179044941403551U, -+ (uint64_t)10401039907264254245U, (uint64_t)8584860003763157350U, (uint64_t)3120462679504470266U, -+ (uint64_t)8670255778748340069U, (uint64_t)5313789577940369984U, (uint64_t)16977072364454789224U, -+ (uint64_t)12199578693972188324U, (uint64_t)18211098771672599237U, -+ (uint64_t)12868831556008795030U, (uint64_t)5310155061431048194U, -+ (uint64_t)18114153238435112606U, (uint64_t)14482365809278304512U, -+ (uint64_t)12520721662723001511U, (uint64_t)405943624021143002U, (uint64_t)8146944101507657423U, -+ (uint64_t)181739317780393495U, (uint64_t)81743892273670099U, (uint64_t)14759561962550473930U, -+ (uint64_t)4592623849546992939U, (uint64_t)6916440441743449719U, (uint64_t)1304610503530809833U, -+ (uint64_t)5464930909232486441U, (uint64_t)15414883617496224671U, (uint64_t)8129283345256790U, -+ (uint64_t)18294252198413739489U, (uint64_t)17394115281884857288U, -+ (uint64_t)7808348415224731235U, (uint64_t)13195566655747230608U, (uint64_t)8568194219353949094U, -+ (uint64_t)15329813048672122440U, (uint64_t)9604275495885785744U, (uint64_t)1577712551205219835U, -+ (uint64_t)15964209008022052790U, (uint64_t)15087297920782098160U, -+ (uint64_t)3946031512438511898U, (uint64_t)10050061168984440631U, -+ (uint64_t)11382452014533138316U, (uint64_t)6313670788911952792U, -+ (uint64_t)12015989229696164014U, (uint64_t)5946702628076168852U, (uint64_t)5219995658774362841U, -+ (uint64_t)12230141881068377972U, (uint64_t)12361195202673441956U, -+ (uint64_t)4732862275653856711U, (uint64_t)17221430380805252370U, -+ (uint64_t)15397525953897375810U, (uint64_t)16557437297239563045U, -+ (uint64_t)10101683801868971351U, (uint64_t)1402611372245592868U, (uint64_t)1931806383735563658U, -+ (uint64_t)10991705207471512479U, (uint64_t)861333583207471392U, (uint64_t)15207766844626322355U, -+ (uint64_t)9224628129811432393U, (uint64_t)3497069567089055613U, (uint64_t)11956632757898590316U, -+ (uint64_t)8733729372586312960U, (uint64_t)18091521051714930927U, (uint64_t)77582787724373283U, -+ (uint64_t)9922437373519669237U, (uint64_t)3079321456325704615U, (uint64_t)12171198408512478457U, -+ (uint64_t)17179130884012147596U, (uint64_t)6839115479620367181U, (uint64_t)4421032569964105406U, -+ (uint64_t)10353331468657256053U, (uint64_t)17400988720335968824U, -+ (uint64_t)17138855889417480540U, (uint64_t)4507980080381370611U, -+ (uint64_t)10703175719793781886U, (uint64_t)12598516658725890426U, -+ (uint64_t)8353463412173898932U, (uint64_t)17703029389228422404U, (uint64_t)9313111267107226233U, -+ (uint64_t)5441322942995154196U, (uint64_t)8952817660034465484U, (uint64_t)17571113341183703118U, -+ (uint64_t)7375087953801067019U, (uint64_t)13381466302076453648U, (uint64_t)3218165271423914596U, -+ (uint64_t)16956372157249382685U, (uint64_t)509080090049418841U, (uint64_t)13374233893294084913U, -+ (uint64_t)2988537624204297086U, (uint64_t)4979195832939384620U, (uint64_t)3803931594068976394U, -+ (uint64_t)10731535883829627646U, (uint64_t)12954845047607194278U, -+ (uint64_t)10494298062560667399U, (uint64_t)4967351022190213065U, -+ (uint64_t)13391917938145756456U, (uint64_t)951370484866918160U, (uint64_t)13531334179067685307U, -+ (uint64_t)12868421357919390599U, (uint64_t)15918857042998130258U, -+ (uint64_t)17769743831936974016U, (uint64_t)7137921979260368809U, -+ (uint64_t)12461369180685892062U, (uint64_t)827476514081935199U, (uint64_t)15107282134224767230U, -+ (uint64_t)10084765752802805748U, (uint64_t)3303739059392464407U, -+ (uint64_t)17859532612136591428U, (uint64_t)10949414770405040164U, -+ (uint64_t)12838613589371008785U, (uint64_t)5554397169231540728U, -+ (uint64_t)18375114572169624408U, (uint64_t)15649286703242390139U, -+ (uint64_t)2957281557463706877U, (uint64_t)14000350446219393213U, -+ (uint64_t)14355199721749620351U, (uint64_t)2730856240099299695U, -+ (uint64_t)17528131000714705752U, (uint64_t)2537498525883536360U, (uint64_t)6121058967084509393U, -+ (uint64_t)16897667060435514221U, (uint64_t)12367869599571112440U, -+ (uint64_t)3388831797050807508U, (uint64_t)16791449724090982798U, (uint64_t)2673426123453294928U, -+ (uint64_t)11369313542384405846U, (uint64_t)15641960333586432634U, -+ (uint64_t)15080962589658958379U, (uint64_t)7747943772340226569U, (uint64_t)8075023376199159152U, -+ (uint64_t)8485093027378306528U, (uint64_t)13503706844122243648U, (uint64_t)8401961362938086226U, -+ (uint64_t)8125426002124226402U, (uint64_t)9005399361407785203U, (uint64_t)6847968030066906634U, -+ (uint64_t)11934937736309295197U, (uint64_t)5116750888594772351U, (uint64_t)2817039227179245227U, -+ (uint64_t)17724206901239332980U, (uint64_t)4985702708254058578U, (uint64_t)5786345435756642871U, -+ (uint64_t)17772527414940936938U, (uint64_t)1201320251272957006U, -+ (uint64_t)15787430120324348129U, (uint64_t)6305488781359965661U, -+ (uint64_t)12423900845502858433U, (uint64_t)17485949424202277720U, -+ (uint64_t)2062237315546855852U, (uint64_t)10353639467860902375U, (uint64_t)2315398490451287299U, -+ (uint64_t)15394572894814882621U, (uint64_t)232866113801165640U, (uint64_t)7413443736109338926U, -+ (uint64_t)902719806551551191U, (uint64_t)16568853118619045174U, (uint64_t)14202214862428279177U, -+ (uint64_t)11719595395278861192U, (uint64_t)5890053236389907647U, (uint64_t)9996196494965833627U, -+ (uint64_t)12967056942364782577U, (uint64_t)9034128755157395787U, -+ (uint64_t)17898204904710512655U, (uint64_t)8229373445062993977U, -+ (uint64_t)13580036169519833644U -+ }; -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __internal_Hacl_P256_PrecompTable_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/lib_intrinsics.h b/lib/freebl/verified/internal/lib_intrinsics.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/lib_intrinsics.h -@@ -0,0 +1,81 @@ -+#pragma once -+ -+#include -+ -+#if defined(__has_include) -+#if __has_include("config.h") -+#include "config.h" -+#endif -+#endif -+ -+#if !defined(HACL_CAN_COMPILE_INTRINSICS) || \ -+ (defined(__clang__) && (__clang_major__ < 5)) -+ -+#include "Hacl_IntTypes_Intrinsics.h" -+ -+#if defined(HACL_CAN_COMPILE_UINT128) -+ -+#include "Hacl_IntTypes_Intrinsics_128.h" -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_128_add_carry_u64(x1, x2, x3, x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(x1, x2, x3, x4)) -+ -+#else -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4)) -+ -+#endif // defined(HACL_CAN_COMPILE_UINT128) -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4)) -+ -+#else // !defined(HACL_CAN_COMPILE_INTRINSICS) -+ -+#if defined(_MSC_VER) -+#include -+#else -+#include -+#endif -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \ -+ (_addcarry_u32(x1, x2, x3, (unsigned int *)x4)) -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ -+ (_addcarry_u64(x1, x2, x3, (long long unsigned int *)x4)) -+ -+/* -+ GCC versions prior to 7.2 pass arguments to _subborrow_u{32,64} -+ in an incorrect order. -+ -+ See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81294 -+*/ -+#if defined(__GNUC__) && !defined(__clang__) && \ -+ (__GNUC__ < 7 || (__GNUC__ == 7 && (__GNUC_MINOR__ < 2))) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ -+ (_subborrow_u32(x1, x3, x2, (unsigned int *)x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (_subborrow_u64(x1, x3, x2, (long long unsigned int *)x4)) -+ -+#else -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ -+ (_subborrow_u32(x1, x2, x3, (unsigned int *)x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (_subborrow_u64(x1, x2, x3, (long long unsigned int *)x4)) -+ -+#endif // GCC < 7.2 -+ -+#endif // !HACL_CAN_COMPILE_INTRINSICS -diff --git a/lib/freebl/verified/karamel/include/krml/internal/target.h b/lib/freebl/verified/karamel/include/krml/internal/target.h ---- a/lib/freebl/verified/karamel/include/krml/internal/target.h -+++ b/lib/freebl/verified/karamel/include/krml/internal/target.h -@@ -1,21 +1,21 @@ - /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ - - #ifndef __KRML_TARGET_H - #define __KRML_TARGET_H - --#include -+#include -+#include -+#include -+#include - #include - #include --#include --#include --#include --#include -+#include - - /* Since KaRaMeL emits the inline keyword unconditionally, we follow the - * guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this - * __inline__ to ensure the code compiles with -std=c90 and earlier. */ - #ifdef __GNUC__ - #define inline __inline__ - #endif - -@@ -52,16 +52,29 @@ - #ifndef KRML_HOST_FREE - #define KRML_HOST_FREE free - #endif - - #ifndef KRML_HOST_IGNORE - #define KRML_HOST_IGNORE(x) (void)(x) - #endif - -+#ifndef KRML_NOINLINE -+#if defined(_MSC_VER) -+#define KRML_NOINLINE __declspec(noinline) -+#elif defined(__GNUC__) -+#define KRML_NOINLINE __attribute__((noinline)) -+#else -+#define KRML_NOINLINE -+#warning "The KRML_NOINLINE macro is not defined for this toolchain!" -+#warning "The compiler may defeat side-channel resistance with optimizations." -+#warning "Please locate target.h and try to fill it out with a suitable definition for this compiler." -+#endif -+#endif -+ - #ifndef KRML_PRE_ALIGN - #ifdef _MSC_VER - #define KRML_PRE_ALIGN(X) __declspec(align(X)) - #else - #define KRML_PRE_ALIGN(X) - #endif - #endif - -@@ -75,32 +88,36 @@ - - /* MinGW-W64 does not support C11 aligned_alloc, but it supports - * MSVC's _aligned_malloc. - */ - #ifndef KRML_ALIGNED_MALLOC - #ifdef __MINGW32__ - #include <_mingw.h> - #endif --#if (defined(_MSC_VER) || (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) -+#if ( \ -+ defined(_MSC_VER) || \ -+ (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) - #define KRML_ALIGNED_MALLOC(X, Y) _aligned_malloc(Y, X) - #else - #define KRML_ALIGNED_MALLOC(X, Y) aligned_alloc(X, Y) - #endif - #endif - - /* Since aligned allocations with MinGW-W64 are done with - * _aligned_malloc (see above), such pointers must be freed with - * _aligned_free. - */ - #ifndef KRML_ALIGNED_FREE - #ifdef __MINGW32__ - #include <_mingw.h> - #endif --#if (defined(_MSC_VER) || (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) -+#if ( \ -+ defined(_MSC_VER) || \ -+ (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) - #define KRML_ALIGNED_FREE(X) _aligned_free(X) - #else - #define KRML_ALIGNED_FREE(X) free(X) - #endif - #endif - - #ifndef KRML_HOST_TIME - -@@ -148,17 +165,18 @@ krml_time(void) - "Maximum allocatable size exceeded, aborting before overflow at " \ - "%s:%d\n", \ - __FILE__, __LINE__); \ - KRML_HOST_EXIT(253); \ - } \ - } while (0) - - #if defined(_MSC_VER) && _MSC_VER < 1900 --#define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) -+#define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) \ -+ _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) - #else - #define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) snprintf(buf, sz, fmt, arg) - #endif - - #if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 4)) - #define KRML_DEPRECATED(x) __attribute__((deprecated(x))) - #elif defined(__GNUC__) - /* deprecated attribute is not defined in GCC < 4.5. */ -@@ -167,16 +185,17 @@ krml_time(void) - #define KRML_DEPRECATED(x) __declspec(deprecated(x)) - #endif - - /* Macros for prettier unrolling of loops */ - #define KRML_LOOP1(i, n, x) \ - { \ - x \ - i += n; \ -+ (void)i; \ - } - - #define KRML_LOOP2(i, n, x) \ - KRML_LOOP1(i, n, x) \ - KRML_LOOP1(i, n, x) - - #define KRML_LOOP3(i, n, x) \ - KRML_LOOP2(i, n, x) \ -diff --git a/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h b/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h ---- a/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h -+++ b/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h -@@ -8,25 +8,35 @@ - - #include - #include - #include "krml/internal/compat.h" - #include "krml/lowstar_endianness.h" - #include "krml/internal/types.h" - #include "krml/internal/target.h" - --extern Prims_int FStar_UInt64_n; -+#if defined(__clang__) -+#pragma clang diagnostic push -+#pragma clang diagnostic ignored "-Wunused-function" -+#endif -+ -+#if defined(__GNUC__) -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wunused-function" -+#endif -+ -+extern krml_checked_int_t FStar_UInt64_n; - - extern bool FStar_UInt64_uu___is_Mk(uint64_t projectee); - --extern Prims_int FStar_UInt64___proj__Mk__item__v(uint64_t projectee); -+extern krml_checked_int_t FStar_UInt64___proj__Mk__item__v(uint64_t projectee); - --extern Prims_int FStar_UInt64_v(uint64_t x); -+extern krml_checked_int_t FStar_UInt64_v(uint64_t x); - --extern uint64_t FStar_UInt64_uint_to_t(Prims_int x); -+extern uint64_t FStar_UInt64_uint_to_t(krml_checked_int_t x); - - extern uint64_t FStar_UInt64_zero; - - extern uint64_t FStar_UInt64_one; - - extern uint64_t FStar_UInt64_minus(uint64_t a); - - extern uint32_t FStar_UInt64_n_minus_one; -@@ -58,25 +68,25 @@ FStar_UInt64_gte_mask(uint64_t a, uint64 - extern Prims_string FStar_UInt64_to_string(uint64_t uu___); - - extern Prims_string FStar_UInt64_to_string_hex(uint64_t uu___); - - extern Prims_string FStar_UInt64_to_string_hex_pad(uint64_t uu___); - - extern uint64_t FStar_UInt64_of_string(Prims_string uu___); - --extern Prims_int FStar_UInt32_n; -+extern krml_checked_int_t FStar_UInt32_n; - - extern bool FStar_UInt32_uu___is_Mk(uint32_t projectee); - --extern Prims_int FStar_UInt32___proj__Mk__item__v(uint32_t projectee); -+extern krml_checked_int_t FStar_UInt32___proj__Mk__item__v(uint32_t projectee); - --extern Prims_int FStar_UInt32_v(uint32_t x); -+extern krml_checked_int_t FStar_UInt32_v(uint32_t x); - --extern uint32_t FStar_UInt32_uint_to_t(Prims_int x); -+extern uint32_t FStar_UInt32_uint_to_t(krml_checked_int_t x); - - extern uint32_t FStar_UInt32_zero; - - extern uint32_t FStar_UInt32_one; - - extern uint32_t FStar_UInt32_minus(uint32_t a); - - extern uint32_t FStar_UInt32_n_minus_one; -@@ -108,25 +118,25 @@ FStar_UInt32_gte_mask(uint32_t a, uint32 - extern Prims_string FStar_UInt32_to_string(uint32_t uu___); - - extern Prims_string FStar_UInt32_to_string_hex(uint32_t uu___); - - extern Prims_string FStar_UInt32_to_string_hex_pad(uint32_t uu___); - - extern uint32_t FStar_UInt32_of_string(Prims_string uu___); - --extern Prims_int FStar_UInt16_n; -+extern krml_checked_int_t FStar_UInt16_n; - - extern bool FStar_UInt16_uu___is_Mk(uint16_t projectee); - --extern Prims_int FStar_UInt16___proj__Mk__item__v(uint16_t projectee); -+extern krml_checked_int_t FStar_UInt16___proj__Mk__item__v(uint16_t projectee); - --extern Prims_int FStar_UInt16_v(uint16_t x); -+extern krml_checked_int_t FStar_UInt16_v(uint16_t x); - --extern uint16_t FStar_UInt16_uint_to_t(Prims_int x); -+extern uint16_t FStar_UInt16_uint_to_t(krml_checked_int_t x); - - extern uint16_t FStar_UInt16_zero; - - extern uint16_t FStar_UInt16_one; - - extern uint16_t FStar_UInt16_minus(uint16_t a); - - extern uint32_t FStar_UInt16_n_minus_one; -@@ -158,25 +168,25 @@ FStar_UInt16_gte_mask(uint16_t a, uint16 - extern Prims_string FStar_UInt16_to_string(uint16_t uu___); - - extern Prims_string FStar_UInt16_to_string_hex(uint16_t uu___); - - extern Prims_string FStar_UInt16_to_string_hex_pad(uint16_t uu___); - - extern uint16_t FStar_UInt16_of_string(Prims_string uu___); - --extern Prims_int FStar_UInt8_n; -+extern krml_checked_int_t FStar_UInt8_n; - - extern bool FStar_UInt8_uu___is_Mk(uint8_t projectee); - --extern Prims_int FStar_UInt8___proj__Mk__item__v(uint8_t projectee); -+extern krml_checked_int_t FStar_UInt8___proj__Mk__item__v(uint8_t projectee); - --extern Prims_int FStar_UInt8_v(uint8_t x); -+extern krml_checked_int_t FStar_UInt8_v(uint8_t x); - --extern uint8_t FStar_UInt8_uint_to_t(Prims_int x); -+extern uint8_t FStar_UInt8_uint_to_t(krml_checked_int_t x); - - extern uint8_t FStar_UInt8_zero; - - extern uint8_t FStar_UInt8_one; - - extern uint8_t FStar_UInt8_minus(uint8_t a); - - extern uint32_t FStar_UInt8_n_minus_one; -@@ -210,10 +220,18 @@ extern Prims_string FStar_UInt8_to_strin - extern Prims_string FStar_UInt8_to_string_hex(uint8_t uu___); - - extern Prims_string FStar_UInt8_to_string_hex_pad(uint8_t uu___); - - extern uint8_t FStar_UInt8_of_string(Prims_string uu___); - - typedef uint8_t FStar_UInt8_byte; - -+#if defined(__clang__) -+#pragma clang diagnostic pop -+#endif -+ -+#if defined(__GNUC__) -+#pragma GCC diagnostic pop -+#endif -+ - #define __FStar_UInt_8_16_32_64_H_DEFINED - #endif - diff --git a/nss-3.94-fix-ec-encoding.patch b/nss-3.94-fix-ec-encoding.patch new file mode 100644 index 0000000..f4361c9 --- /dev/null +++ b/nss-3.94-fix-ec-encoding.patch @@ -0,0 +1,107 @@ +diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h +--- a/lib/freebl/blapit.h ++++ b/lib/freebl/blapit.h +@@ -387,17 +387,18 @@ typedef struct DHPrivateKeyStr DHPrivate + */ + + /* + ** The ECParams data structures can encode elliptic curve + ** parameters for both GFp and GF2m curves. + */ + + typedef enum { ec_params_explicit, +- ec_params_named ++ ec_params_named, ++ ec_params_edwards_named + } ECParamsType; + + typedef enum { ec_field_GFp = 1, + ec_field_GF2m, + ec_field_plain + } ECFieldType; + + struct ECFieldIDStr { +diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c +--- a/lib/freebl/ecdecode.c ++++ b/lib/freebl/ecdecode.c +@@ -171,16 +171,17 @@ EC_FillParams(PLArenaPool *arena, const + * (the NIST P-521 curve) + */ + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1, + ec_field_GFp, params)); + break; + + case SEC_OID_CURVE25519: + /* Populate params for Curve25519 */ ++ params->type = ec_params_edwards_named; + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, + ec_field_plain, + params)); + break; + + default: + break; + }; +diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c +--- a/lib/softoken/pkcs11.c ++++ b/lib/softoken/pkcs11.c +@@ -1921,17 +1921,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE + /* special note: We can't just use the first byte to distinguish + * between EC_POINT_FORM_UNCOMPRESSED and SEC_ASN1_OCTET_STRING. + * Both are 0x04. */ + + /* Handle the non-DER encoded case. + * Some curves are always pressumed to be non-DER. + */ + if (pubKey->u.ec.publicValue.len == keyLen && +- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain || ++ (pubKey->u.ec.ecParams.type == ec_params_edwards_named || + pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) { + break; /* key was not DER encoded, no need to unwrap */ + } + + /* handle the encoded case */ + if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) && + pubKey->u.ec.publicValue.len > keyLen) { + SECItem publicValue; +@@ -1941,17 +1941,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE + SEC_ASN1_GET(SEC_OctetStringTemplate), + &pubKey->u.ec.publicValue); + /* nope, didn't decode correctly */ + if ((rv != SECSuccess) || (publicValue.len != keyLen)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + /* we don't handle compressed points except in the case of ECCurve25519 */ +- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) && ++ if ((pubKey->u.ec.ecParams.type != ec_params_edwards_named) && + (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + /* replace our previous with the decoded key */ + pubKey->u.ec.publicValue = publicValue; + break; + } +diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c +--- a/lib/softoken/pkcs11c.c ++++ b/lib/softoken/pkcs11c.c +@@ -5655,17 +5655,17 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + sftk_fatalError = PR_TRUE; + } + PORT_FreeArena(ecParams->arena, PR_TRUE); + crv = sftk_MapCryptError(PORT_GetError()); + break; + } + + if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || +- ecParams->fieldID.type == ec_field_plain) { ++ ecParams->type == ec_params_edwards_named) { + PORT_FreeArena(ecParams->arena, PR_TRUE); + crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, + sftk_item_expand(&ecPriv->publicValue)); + } else { + PORT_FreeArena(ecParams->arena, PR_TRUE); + SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &ecPriv->publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); diff --git a/nss.spec b/nss.spec index 3a06abd..43412fa 100644 --- a/nss.spec +++ b/nss.spec @@ -131,13 +131,12 @@ Patch4: iquote.patch Patch12: nss-signtool-format.patch # fedora disabled dbm by default Patch40: nss-no-dbm-man-page.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1861265 +Patch50: nss-3.94-fix-ec-encoding.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch -# NSS reversion patchtes -Patch300: nss-3.94-HACL-p256.patch - %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and @@ -299,7 +298,6 @@ popd pushd nss %autopatch -p1 -M 99 -%patch -P 300 -R -p1 popd # https://bugzilla.redhat.com/show_bug.cgi?id=1247353