cryspen · franziskuskiefer · Jul 8, 2024 · Jul 3, 2024 · Jul 4, 2024 · Jul 4, 2024
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -e
+
+SED=$(which gsed &>/dev/null && echo gsed || echo sed)
+
+# Extract the C code
+cargo clean
+./c.sh --config cg.yaml --out cg --mlkem768 --no-glue --no-unrolling
+
+# Fixup code
+# TODO: This should go away as soon as the code generation is fixed.
+sed -i -E 's/static inline/__attribute__((target("avx2")))\nstatic inline/g' cg/libcrux_sha3_avx2.h
+sed -i -E 's/static inline/__attribute__((target("avx2")))\nstatic inline/g' cg/libcrux_mlkem768_avx2.h
+
+sed -i -E 's/.*libcrux_ml_kem_types_MlKemCiphertext_s.*//g' cg/libcrux_core.h
+sed -i -E 's/.*Eurydice_error_t_cg_array.*//g' cg/libcrux_core.h
+sed -i -E 's/.*libcrux_ml_kem_types_MlKemCiphertext;//g' cg/libcrux_core.h
+sed -i -E 's/.*libcrux_ml_kem_ind_cca_MlKem_s.*//g' cg/libcrux_mlkem768_portable.h
+sed -i -E 's/.*libcrux_ml_kem_ind_cca_MlKem;//g' cg/libcrux_mlkem768_portable.h
+
+sed -i -E 's/static inline/__attribute__((noinline,unused)) static/g' cg/libcrux_ct_ops.h
+
+clang-format --style=Google -i cg/*.h
+
+if [[ -n "$BORINGSSL_HOME" ]]; then
+    echo "Copying the files into $BORINGSSL_HOME/third_party/libcrux/"
+
+    cp cg/*.h $BORINGSSL_HOME/third_party/libcrux/
+    cp cg/code_gen.txt $BORINGSSL_HOME/third_party/libcrux/
+    cp -r cg/karamel $BORINGSSL_HOME/third_party/libcrux/
+    cp -r cg/intrinsics $BORINGSSL_HOME/third_party/libcrux/
+    libcrux_rev=$(git rev-parse HEAD)
+    echo "libcrux: $libcrux_rev" >> $BORINGSSL_HOME/third_party/libcrux/code_gen.txt
+fi
@@ -79,8 +79,11 @@ if [[ "$eurydice_glue" = 1 ]]; then
     cp $EURYDICE_HOME/include/eurydice_glue.h .
 fi
 
-clang-format --style=Google -i *.c *.h
-clang-format --style=Google -i internal/*.h
+find . -type f -name "*.c" -exec clang-format --style=Google -i "{}" \;
+find . -type f -name "*.h" -exec clang-format --style=Google -i "{}" \;
+if [ -d "internal" ]; then
+    clang-format --style=Google -i internal/*.h
+fi
 clang-format --style=Google -i intrinsics/*.h
 
 # Write out infos about the used tools

@@ -1,12 +1,17 @@
 files:
   # INTRINSICS
-
   - name: libcrux_intrinsics_avx2
     library: true
     inline_static: true
     api:
       - [libcrux_intrinsics, avx2]
 
+  # Constant time ops
+  - name: libcrux_ct_ops
+    inline_static: true
+    api:
+      - [libcrux_ml_kem, constant_time_ops]
+
   # SHA3 (no mention of libcrux_mlkem in this section, please)
 
   - name: libcrux_sha3_avx2

@@ -1,5 +1,5 @@
 This code was generated with the following tools:
-Charon: d799ceb29f648614b276f60d227794ee535473d2
-Eurydice: b38d5dd3b4099cce6bbb9d91c80fb2bf0aaff1f7
-Karamel: 409fe4552f8f46351241cba1decfaa4d9fa6ffea
-F*: 
+Charon: aeeae1d46704810bf498db552a75dff15aa3abcc
+Eurydice: ffeb01ce4cf0646e5cadec836bc042f98b8a16a8
+Karamel: 42a431696cd32d41155d7e484720eb71fd5dc7b1
+F*: a32b316e521fa4f239b610ec8f1d15e78d62cbe8-dirty
@@ -14,6 +14,9 @@ extern "C" {
 
 // SLICES, ARRAYS, ETC.
 
+// The MSVC C++ compiler does not support compound literals.
+// This CLITERAL is used to turn `(type){...}` into `type{...}` when using a C++
+// compiler.
 #if defined(__cplusplus)
 #define CLITERAL(type) type
 #else
@@ -30,6 +33,10 @@ extern "C" {
 // - if you need to use `len` for a C style function (e.g. memcpy, memcmp), you
 // need to multiply it
 //   by sizeof t, where t is the type of the elements.
+//
+// Empty slices have `len == 0` and `ptr` always needs to be valid pointer that
+// is not NULL (otherwise the construction in EURYDICE_SLICE computes `NULL +
+// start`).
 typedef struct {
   void *ptr;
   size_t len;

@@ -128,13 +128,10 @@ typedef __m256i core_core_arch_x86___m256i;
 #define libcrux_intrinsics_avx2_mm256_andnot_si256(a, b) \
   (_mm256_andnot_si256(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm256_xor_si256(a, b) (_mm256_xor_si256(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm_movemask_epi8(a) (_mm_movemask_epi8(a))
 
-
 // Shift operations
 #define libcrux_intrinsics_avx2_mm256_srai_epi16(a, b, _) \
   (_mm256_srai_epi16(b, a))
@@ -151,7 +148,6 @@ typedef __m256i core_core_arch_x86___m256i;
 #define libcrux_intrinsics_avx2_mm256_slli_epi64_(a, b) \
   (_mm256_slli_epi64(b, a))
 
-
 #define libcrux_intrinsics_avx2_mm256_slli_epi64(a, b, c) \
   (libcrux_intrinsics_avx2_mm256_slli_epi64_(a, b))
 
@@ -163,11 +159,9 @@ typedef __m256i core_core_arch_x86___m256i;
 
 #define libcrux_intrinsics_avx2_mm256_sllv_epi32(a, b) (_mm256_sllv_epi32(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm256_srli_epi64_(a, b) \
   (_mm256_srli_epi64(b, a))
 
-
 #define libcrux_intrinsics_avx2_mm256_srli_epi64(a, b, c) \
   (libcrux_intrinsics_avx2_mm256_srli_epi64_(a, b))
 
@@ -176,26 +170,20 @@ typedef __m256i core_core_arch_x86___m256i;
 #define libcrux_intrinsics_avx2_mm256_unpacklo_epi32(a, b) \
   (_mm256_unpacklo_epi32(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm256_unpacklo_epi64(a, b) \
   (_mm256_unpacklo_epi64(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm256_unpackhi_epi32(a, b) \
   (_mm256_unpackhi_epi32(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm256_unpackhi_epi64(a, b) \
   (_mm256_unpackhi_epi64(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm256_packs_epi32(a, b) \
   (_mm256_packs_epi32(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm_packs_epi16(a, b) (_mm_packs_epi16(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm256_shuffle_epi32(a, b, _) \
   (_mm256_shuffle_epi32(b, a))
 
@@ -217,14 +205,11 @@ typedef __m256i core_core_arch_x86___m256i;
 #define libcrux_intrinsics_avx2_mm256_shuffle_epi8(a, b) \
   (_mm256_shuffle_epi8(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm256_permutevar8x32_epi32(a, b) \
   (_mm256_permutevar8x32_epi32(a, b))
 
-
 #define libcrux_intrinsics_avx2_mm_shuffle_epi8(a, b) (_mm_shuffle_epi8(a, b))
 
-
 #if defined(__cplusplus)
 }
 #endif

@@ -5,20 +5,19 @@
 #define __KRML_TARGET_H
 
 #ifndef KRML_HOST_PRINTF
-#  define KRML_HOST_PRINTF printf
+#define KRML_HOST_PRINTF printf
 #endif
 
-#if                                                                          \
-    ((defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L) ||           \
-     (defined(__cplusplus) && __cplusplus > 199711L)) &&                     \
+#if ((defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L) || \
+     (defined(__cplusplus) && __cplusplus > 199711L)) &&           \
     (!defined(KRML_HOST_EPRINTF))
-#  define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__)
+#define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__)
 #elif !(defined KRML_HOST_EPRINTF) && defined(_MSC_VER)
-#  define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__)
+#define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__)
 #endif
 
 #ifndef KRML_HOST_EXIT
-#  define KRML_HOST_EXIT exit
+#define KRML_HOST_EXIT exit
 #endif
 
 #endif
@@ -45,74 +45,8 @@ static inline uint32_t core_num__u8_6__count_ones(uint8_t x0);
 
 static inline uint8_t core_num__u8_6__wrapping_sub(uint8_t x0, uint8_t x1);
 
-static inline uint8_t libcrux_ml_kem_constant_time_ops_inz(uint8_t value) {
-  uint16_t value0 = (uint16_t)value;
-  uint16_t uu____0 = value0;
-  uint16_t result = (((uint32_t)uu____0 |
-                      (uint32_t)core_num__u16_7__wrapping_add(~value0, 1U)) &
-                     0xFFFFU) >>
-                        8U &
-                    1U;
-  return (uint8_t)result;
-}
-
-static inline uint8_t libcrux_ml_kem_constant_time_ops_is_non_zero(
-    uint8_t value) {
-  return libcrux_ml_kem_constant_time_ops_inz(value);
-}
-
-static inline uint8_t libcrux_ml_kem_constant_time_ops_compare(
-    Eurydice_slice lhs, Eurydice_slice rhs) {
-  uint8_t r = 0U;
-  for (size_t i = (size_t)0U;
-       i < core_slice___Slice_T___len(lhs, uint8_t, size_t); i++) {
-    size_t i0 = i;
-    uint8_t uu____0 =
-        Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t);
-    r = (uint32_t)r |
-        ((uint32_t)uu____0 ^
-         (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t));
-  }
-  return libcrux_ml_kem_constant_time_ops_is_non_zero(r);
-}
-
-static inline uint8_t
-libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time(
-    Eurydice_slice lhs, Eurydice_slice rhs) {
-  return libcrux_ml_kem_constant_time_ops_compare(lhs, rhs);
-}
-
 #define LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE ((size_t)32U)
 
-static inline void libcrux_ml_kem_constant_time_ops_select(Eurydice_slice lhs,
-                                                           Eurydice_slice rhs,
-                                                           uint8_t selector,
-                                                           uint8_t ret[32U]) {
-  uint8_t mask = core_num__u8_6__wrapping_sub(
-      libcrux_ml_kem_constant_time_ops_is_non_zero(selector), 1U);
-  uint8_t out[32U] = {0U};
-  for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE;
-       i++) {
-    size_t i0 = i;
-    uint8_t uu____0 =
-        (uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t) &
-        (uint32_t)mask;
-    uint8_t *uu____1 =
-        &Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t);
-    out[i0] = (uint32_t)uu____0 | ((uint32_t)uu____1[0U] & (uint32_t)~mask);
-  }
-  memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
-}
-
-static inline void
-libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time(
-    Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector,
-    uint8_t ret[32U]) {
-  uint8_t ret0[32U];
-  libcrux_ml_kem_constant_time_ops_select(lhs, rhs, selector, ret0);
-  memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
-}
-
 #define LIBCRUX_ML_KEM_CONSTANTS_BITS_PER_COEFFICIENT ((size_t)12U)
 
 #define LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT ((size_t)256U)

@@ -0,0 +1,91 @@
+/*
+  This file was generated by KaRaMeL <https://github.com/FStarLang/karamel>
+  KaRaMeL invocation: /home/franziskus/eurydice//eurydice --config ../cg.yaml
+  -funroll-loops 0 ../../libcrux_ml_kem.llbc ../../libcrux_sha3.llbc F* version:
+  <unknown> KaRaMeL version: 42a43169
+ */
+
+#ifndef __libcrux_ct_ops_H
+#define __libcrux_ct_ops_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include "eurydice_glue.h"
+#include "libcrux_core.h"
+
+__attribute__((noinline, unused)) static uint8_t
+libcrux_ml_kem_constant_time_ops_inz(uint8_t value) {
+  uint16_t value0 = (uint16_t)value;
+  uint16_t uu____0 = value0;
+  uint16_t result = (((uint32_t)uu____0 |
+                      (uint32_t)core_num__u16_7__wrapping_add(~value0, 1U)) &
+                     0xFFFFU) >>
+                        8U &
+                    1U;
+  return (uint8_t)result;
+}
+
+__attribute__((noinline, unused)) static uint8_t
+libcrux_ml_kem_constant_time_ops_is_non_zero(uint8_t value) {
+  return libcrux_ml_kem_constant_time_ops_inz(value);
+}
+
+__attribute__((noinline, unused)) static uint8_t
+libcrux_ml_kem_constant_time_ops_compare(Eurydice_slice lhs,
+                                         Eurydice_slice rhs) {
+  uint8_t r = 0U;
+  for (size_t i = (size_t)0U;
+       i < core_slice___Slice_T___len(lhs, uint8_t, size_t); i++) {
+    size_t i0 = i;
+    uint8_t uu____0 =
+        Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t);
+    r = (uint32_t)r |
+        ((uint32_t)uu____0 ^
+         (uint32_t)Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t));
+  }
+  return libcrux_ml_kem_constant_time_ops_is_non_zero(r);
+}
+
+__attribute__((noinline, unused)) static uint8_t
+libcrux_ml_kem_constant_time_ops_compare_ciphertexts_in_constant_time(
+    Eurydice_slice lhs, Eurydice_slice rhs) {
+  return libcrux_ml_kem_constant_time_ops_compare(lhs, rhs);
+}
+
+__attribute__((noinline, unused)) static void
+libcrux_ml_kem_constant_time_ops_select_ct(Eurydice_slice lhs,
+                                           Eurydice_slice rhs, uint8_t selector,
+                                           uint8_t ret[32U]) {
+  uint8_t mask = core_num__u8_6__wrapping_sub(
+      libcrux_ml_kem_constant_time_ops_is_non_zero(selector), 1U);
+  uint8_t out[32U] = {0U};
+  for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_CONSTANTS_SHARED_SECRET_SIZE;
+       i++) {
+    size_t i0 = i;
+    uint8_t uu____0 =
+        (uint32_t)Eurydice_slice_index(lhs, i0, uint8_t, uint8_t *, uint8_t) &
+        (uint32_t)mask;
+    uint8_t *uu____1 =
+        &Eurydice_slice_index(rhs, i0, uint8_t, uint8_t *, uint8_t);
+    out[i0] = (uint32_t)uu____0 | ((uint32_t)uu____1[0U] & (uint32_t)~mask);
+  }
+  memcpy(ret, out, (size_t)32U * sizeof(uint8_t));
+}
+
+__attribute__((noinline, unused)) static void
+libcrux_ml_kem_constant_time_ops_select_shared_secret_in_constant_time(
+    Eurydice_slice lhs, Eurydice_slice rhs, uint8_t selector,
+    uint8_t ret[32U]) {
+  uint8_t ret0[32U];
+  libcrux_ml_kem_constant_time_ops_select_ct(lhs, rhs, selector, ret0);
+  memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t));
+}
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __libcrux_ct_ops_H_DEFINED
+#endif