From 459516ecb1169e2904991508947e1070909169d8 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 28 Sep 2023 13:47:34 +0200 Subject: [PATCH 01/22] Add Blake2 params + serialization functions to spec --- specs/Spec.Blake2.fst | 97 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/specs/Spec.Blake2.fst b/specs/Spec.Blake2.fst index 13d9b5a5ac..9d6ca6db30 100644 --- a/specs/Spec.Blake2.fst +++ b/specs/Spec.Blake2.fst @@ -79,6 +79,103 @@ let create_row (#a:alg) x0 x1 x2 x3 : row a = inline_for_extraction unfold let state (a:alg) = lseq (row a) 4 +noeq +type blake2s_params = { + digest_length: uint8; + key_length: uint8; + fanout: uint8; + depth: uint8; + leaf_length: uint32; + node_offset: uint32; + xof_length: uint16; + node_depth: uint8; + inner_length: uint8; + salt: lseq uint8 8; + personal: lseq uint8 8; +} + +noeq +type blake2b_params = { + digest_length: uint8; + key_length: uint8; + fanout: uint8; + depth: uint8; + leaf_length: uint32; + node_offset: uint32; + xof_length: uint32; + node_depth: uint8; + inner_length: uint8; + // Blake2b also contains 14 reserved bytes here, + // but they seem unused and to only contain zeros + salt: lseq uint8 16; + personal: lseq uint8 16; +} + +inline_for_extraction +let blake_params (a: alg) = + match a with + | Blake2S -> blake2s_params + | Blake2B -> blake2b_params + +/// Serialize blake2s parameters to be xor'ed with the state during initialization +/// As the state is represented using uint32, we need to serialize to uint32 instead +/// of the more standard bytes representation +let serialize_blake2s_params (p: blake2s_params) : lseq uint32 8 = + let s0 = (u32 (v p.digest_length)) ^. + (u32 (v p.key_length) <<. (size 8)) ^. + (u32 (v p.fanout) <<. (size 16)) ^. + (u32 (v p.depth) <<. (size 24)) in + let s1 = p.leaf_length in + let s2 = p.node_offset in + let s3 = (u32 (v p.xof_length)) ^. + (u32 (v p.node_depth) <<. (size 16)) ^. + (u32 (v p.inner_length) <<. (size 24)) in + let salt_u32: lseq uint32 2 = uints_from_bytes_le p.salt in + let s4 = salt_u32.[0] in + let s5 = salt_u32.[1] in + let personal_u32: lseq uint32 2 = uints_from_bytes_le p.personal in + let s6 = personal_u32.[0] in + let s7 = personal_u32.[1] in + [@inline_let] + let l = [s0; s1; s2; s3; s4; s5; s6; s7] in + assert_norm (List.Tot.length l == 8); + createL l + +/// Serialize blake2b parameters to be xor'ed with the state during initialization +/// As the state is represented using uint64, we need to serialize to uint64 instead +/// of the more standard bytes representation +let serialize_blake2b_params (p: blake2b_params) : lseq uint64 8 = + let s0 = (u64 (v p.digest_length)) ^. + (u64 (v p.key_length) <<. (size 8)) ^. + (u64 (v p.fanout) <<. (size 16)) ^. + (u64 (v p.depth) <<. (size 24)) ^. + (u64 (v p.leaf_length) <<. (size 32)) in + let s1 = (u64 (v p.node_offset)) ^. + (u64 (v p.xof_length) <<. (size 32)) in + // The serialization corresponding to s2 contains node_depth and inner_length, + // followed by the 14 reserved bytes which always seem to be zeros, and can hence + // be ignored when building the corresponding uint64 using xor's + let s2 = (u64 (v p.node_depth)) ^. + (u64 (v p.inner_length) <<. (size 8)) in + // s3 corresponds to the remaining of the reserved bytes + let s3 = u64 0 in + let salt_u64: lseq uint64 2 = uints_from_bytes_le p.salt in + let s4 = salt_u64.[0] in + let s5 = salt_u64.[1] in + let personal_u64: lseq uint64 2 = uints_from_bytes_le p.personal in + let s6 = personal_u64.[0] in + let s7 = personal_u64.[1] in + [@inline_let] + let l = [s0; s1; s2; s3; s4; s5; s6; s7] in + assert_norm (List.Tot.length l == 8); + createL l + +inline_for_extraction +let serialize_blake_params (a: alg) (p: blake_params a): lseq (word_t a) 8 = + match a with + | Blake2S -> serialize_blake2s_params p + | Blake2B -> serialize_blake2b_params p + inline_for_extraction type pub_word_t (a:alg) = uint_t (wt a) PUB From 248531d7a525aab0aff35fb81a8b351be44987ef Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 28 Sep 2023 14:49:31 +0200 Subject: [PATCH 02/22] Add serialized params to Blake2 spec initialization --- specs/Spec.Blake2.fst | 108 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 95 insertions(+), 13 deletions(-) diff --git a/specs/Spec.Blake2.fst b/specs/Spec.Blake2.fst index 9d6ca6db30..838684806b 100644 --- a/specs/Spec.Blake2.fst +++ b/specs/Spec.Blake2.fst @@ -94,6 +94,22 @@ type blake2s_params = { personal: lseq uint8 8; } +(* Need these two helpers to cleanly work around field shadowing *) + +inline_for_extraction +let set_blake2s_digest_length + (p: blake2s_params) + (nn: size_nat{1 <= nn /\ nn <= max_output Blake2S}) + : blake2s_params = + {p with digest_length = u8 nn} + +inline_for_extraction +let set_blake2s_key_length + (p: blake2s_params) + (kk: size_nat{kk <= max_key Blake2S}) + : blake2s_params = + {p with key_length = u8 kk} + noeq type blake2b_params = { digest_length: uint8; @@ -105,18 +121,70 @@ type blake2b_params = { xof_length: uint32; node_depth: uint8; inner_length: uint8; - // Blake2b also contains 14 reserved bytes here, - // but they seem unused and to only contain zeros + // Blake2b also contains 14 reserved bytes here, but they seem + // unused and to only contain zeros, hence we do not expose them salt: lseq uint8 16; personal: lseq uint8 16; } inline_for_extraction -let blake_params (a: alg) = +let blake2_params (a: alg) = match a with | Blake2S -> blake2s_params | Blake2B -> blake2b_params +inline_for_extraction +let set_digest_length (#a: alg) + (p: blake2_params a) + (nn: size_nat{1 <= nn /\ nn <= max_output a}) + : blake2_params a = + match a with + | Blake2S -> set_blake2s_digest_length p nn + | Blake2B -> {p with digest_length = u8 nn} + +inline_for_extraction +let set_key_length (#a: alg) + (p: blake2_params a) + (kk: size_nat{kk <= max_key a}) + : blake2_params a = + match a with + | Blake2S -> set_blake2s_key_length p kk + | Blake2B -> {p with key_length = u8 kk} + +let blake2s_default_params: blake2s_params = + { digest_length = u8 32; + key_length = u8 0; + fanout = u8 1; + depth = u8 1; + leaf_length = u32 0; + node_offset = u32 0; + xof_length = u16 0; + node_depth = u8 0; + inner_length = u8 0; + salt = create 8 (u8 0); + personal = create 8 (u8 0); + } + +let blake2b_default_params: blake2b_params = + { digest_length = u8 64; + key_length = u8 0; + fanout = u8 1; + depth = u8 1; + leaf_length = u32 0; + node_offset = u32 0; + xof_length = u32 0; + node_depth = u8 0; + inner_length = u8 0; + salt = create 16 (u8 0); + personal = create 16 (u8 0); + } + +inline_for_extraction +let blake2_default_params (a: alg) : blake2_params a = + match a with + | Blake2S -> blake2s_default_params + | Blake2B -> blake2b_default_params + /// Serialize blake2s parameters to be xor'ed with the state during initialization /// As the state is represented using uint32, we need to serialize to uint32 instead /// of the more standard bytes representation @@ -171,7 +239,7 @@ let serialize_blake2b_params (p: blake2b_params) : lseq uint64 8 = createL l inline_for_extraction -let serialize_blake_params (a: alg) (p: blake_params a): lseq (word_t a) 8 = +let serialize_blake_params (#a: alg) (p: blake2_params a): lseq (word_t a) 8 = match a with | Blake2S -> serialize_blake2s_params p | Blake2B -> serialize_blake2b_params p @@ -536,11 +604,12 @@ let blake2_update_blocks a prev m s = val blake2_init_hash: a:alg + -> p:blake2_params a -> kk:size_nat{kk <= max_key a} -> nn:size_nat{1 <= nn /\ nn <= max_output a} -> Tot (state a) -let blake2_init_hash a kk nn = +let blake2_init_hash a p kk nn = let iv0 = secret (ivTable a).[0] in let iv1 = secret (ivTable a).[1] in let iv2 = secret (ivTable a).[2] in @@ -551,9 +620,20 @@ let blake2_init_hash a kk nn = let iv7 = secret (ivTable a).[7] in let r0 = create_row #a iv0 iv1 iv2 iv3 in let r1 = create_row #a iv4 iv5 iv6 iv7 in - let s0' = (nat_to_word a 0x01010000) ^. ((nat_to_word a kk) <<. (size 8)) ^. (nat_to_word a nn) in - let iv0' = iv0 ^. s0' in - let r0' = create_row #a iv0' iv1 iv2 iv3 in + let p: blake2_params a = + set_key_length (set_digest_length p nn) kk + in + let s = serialize_blake_params p in + let iv0' = iv0 ^. s.[0] in + let iv1' = iv1 ^. s.[1] in + let iv2' = iv2 ^. s.[2] in + let iv3' = iv3 ^. s.[3] in + let iv4' = iv4 ^. s.[4] in + let iv5' = iv5 ^. s.[5] in + let iv6' = iv6 ^. s.[6] in + let iv7' = iv7 ^. s.[7] in + let r0' = create_row #a iv0' iv1' iv2' iv3' in + let r1' = create_row #a iv4' iv5' iv6' iv7' in let s_iv = createL [r0';r1;r0;r1] in s_iv @@ -610,16 +690,19 @@ let blake2_finish a s nn = val blake2: a:alg -> d:bytes + -> p:blake2_params a -> kk:size_nat{kk <= max_key a /\ (if kk = 0 then length d <= max_limb a else length d + (size_block a) <= max_limb a)} -> k:lbytes kk -> nn:size_nat{1 <= nn /\ nn <= max_output a} -> Tot (lbytes nn) -let blake2 a d kk k nn = - let s = blake2_init_hash a kk nn in +let blake2 a d p kk k nn = + let s = blake2_init_hash a p kk nn in let s = blake2_update a kk k d s in blake2_finish a s nn +(* TODO: Add blake2_params arguments to both functions below *) + val blake2s: d:bytes -> kk:size_nat{kk <= 32 /\ (if kk = 0 then length d < pow2 64 else length d + 64 < pow2 64)} @@ -627,8 +710,7 @@ val blake2s: -> nn:size_nat{1 <= nn /\ nn <= 32} -> Tot (lbytes nn) -let blake2s d kk k n = blake2 Blake2S d kk k n - +let blake2s d kk k n = blake2 Blake2S d blake2s_default_params kk k n val blake2b: d:bytes @@ -637,4 +719,4 @@ val blake2b: -> nn:size_nat{1 <= nn /\ nn <= 64} -> Tot (lbytes nn) -let blake2b d kk k n = blake2 Blake2B d kk k n +let blake2b d kk k n = blake2 Blake2B d blake2b_default_params kk k n From a4976f3c3e821359206c9b325d58ac5741f1a5b7 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 28 Sep 2023 14:49:36 +0200 Subject: [PATCH 03/22] Start updating Blake2 proof with blake2 params --- code/blake2/Hacl.Impl.Blake2.Generic.fst | 83 ++++++++++++++++++++++-- 1 file changed, 79 insertions(+), 4 deletions(-) diff --git a/code/blake2/Hacl.Impl.Blake2.Generic.fst b/code/blake2/Hacl.Impl.Blake2.Generic.fst index 91a14c5fa4..124834192b 100644 --- a/code/blake2/Hacl.Impl.Blake2.Generic.fst +++ b/code/blake2/Hacl.Impl.Blake2.Generic.fst @@ -549,7 +549,74 @@ let blake2_init_st (al:Spec.alg) (ms:m_spec) = Stack unit (requires (fun h -> live h hash)) (ensures (fun h0 _ h1 -> modifies (loc hash) h0 h1 /\ - state_v h1 hash == Spec.blake2_init_hash al (v kk) (v nn))) + state_v h1 hash == Spec.blake2_init_hash al (Spec.blake2_default_params al) (v kk) (v nn))) + +val lemma_serialize_default_params (al:Spec.alg) + (kk:size_t{v kk <= Spec.max_key al}) + (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output al}) + : Lemma ( + let open Spec in + let p = set_key_length (set_digest_length (blake2_default_params al) (v nn)) (v kk) in + let s = serialize_blake_params p in + let kk_shift_8 = shift_left (size_to_word al kk) (size 8) in + Seq.index s 0 == (Spec.nat_to_word al 0x01010000) ^. kk_shift_8 ^. (size_to_word al nn) /\ + (forall (i:nat{i >= 1 /\ i < 8}). Seq.index s i == Spec.nat_to_word al 0) + ) + +let lemma_serialize_default2s_params + (kk:size_t{v kk <= Spec.max_key Spec.Blake2S}) + (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output Spec.Blake2S}) + : Lemma ( + let open Spec in + let p = set_key_length (set_digest_length (blake2s_default_params) (v nn)) (v kk) in + let s = serialize_blake_params p in + let kk_shift_8 = shift_left (size_to_word Spec.Blake2S kk) (size 8) in + Seq.index s 0 == (u32 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2S nn) /\ + (forall (i:nat{i >= 1 /\ i < 8}). Seq.index s i == u32 0) + ) + = + let open Spec in + let p = set_key_length (set_digest_length (blake2s_default_params) (v nn)) (v kk) in + let s = serialize_blake_params p in + let kk_shift_8 = shift_left (size_to_word Spec.Blake2S kk) (size 8) in + let aux () : Lemma (Seq.index s 0 == (u32 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2S nn)) = + admit() + in + let aux_zero (i:nat{i >= 1 /\ i < 8}) : Lemma (Seq.index s i == u32 0) = + admit() + in + aux (); + Classical.forall_intro aux_zero + +let lemma_serialize_default2b_params + (kk:size_t{v kk <= Spec.max_key Spec.Blake2B}) + (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output Spec.Blake2B}) + : Lemma ( + let open Spec in + let p = set_key_length (set_digest_length (blake2b_default_params) (v nn)) (v kk) in + let s = serialize_blake_params p in + let kk_shift_8 = shift_left (size_to_word Spec.Blake2B kk) (size 8) in + Seq.index s 0 == (u64 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2B nn) /\ + (forall (i:nat{i >= 1 /\ i < 8}). Seq.index s i == u64 0) + ) + = + let open Spec in + let p = set_key_length (set_digest_length (blake2b_default_params) (v nn)) (v kk) in + let s = serialize_blake_params p in + let kk_shift_8 = shift_left (size_to_word Spec.Blake2B kk) (size 8) in + let aux () : Lemma (Seq.index s 0 == (u64 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2B nn)) = + admit() + in + let aux_zero (i:nat{i >= 1 /\ i < 8}) : Lemma (Seq.index s i == u64 0) = + admit() + in + aux (); + Classical.forall_intro aux_zero + +let lemma_serialize_default_params al kk nn = + match al with + | Spec.Blake2S -> lemma_serialize_default2s_params kk nn + | Spec.Blake2B -> lemma_serialize_default2b_params kk nn inline_for_extraction noextract val blake2_init: @@ -575,11 +642,19 @@ let blake2_init #al #ms hash kk nn = create_row #al #ms r3 iv4 iv5 iv6 iv7; let kk_shift_8 = shift_left (size_to_word al kk) (size 8) in let iv0' = iv0 ^. (Spec.nat_to_word al 0x01010000) ^. kk_shift_8 ^. (size_to_word al nn) in + (**) logxor_lemma iv1 (Spec.nat_to_word al 0); + (**) logxor_lemma iv2 (Spec.nat_to_word al 0); + (**) logxor_lemma iv3 (Spec.nat_to_word al 0); + (**) logxor_lemma iv4 (Spec.nat_to_word al 0); + (**) logxor_lemma iv5 (Spec.nat_to_word al 0); + (**) logxor_lemma iv6 (Spec.nat_to_word al 0); + (**) logxor_lemma iv7 (Spec.nat_to_word al 0); create_row #al #ms r0 iv0' iv1 iv2 iv3; create_row #al #ms r1 iv4 iv5 iv6 iv7; let h1 = ST.get() in assert(modifies (loc hash) h0 h1); - Lib.Sequence.eq_intro (state_v h1 hash) (Spec.blake2_init_hash al (v kk) (v nn)) + (**) lemma_serialize_default_params al kk nn; + Lib.Sequence.eq_intro (state_v h1 hash) (Spec.blake2_init_hash al (Spec.blake2_default_params al) (v kk) (v nn)) #push-options "--z3rlimit 100 --max_fuel 0 --max_ifuel 0" let _ : squash (inversion Spec.alg) = allow_inversion Spec.alg @@ -778,7 +853,7 @@ let blake2_st (al:Spec.alg) (ms:m_spec) = (requires (fun h -> live h output /\ live h d /\ live h k /\ disjoint output d /\ disjoint output k /\ disjoint d k)) (ensures (fun h0 _ h1 -> modifies1 output h0 h1 - /\ h1.[|output|] == Spec.blake2 al h0.[|d|] (v kk) h0.[|k|] (v nn))) + /\ h1.[|output|] == Spec.blake2 al h0.[|d|] (Spec.blake2_default_params al) (v kk) h0.[|k|] (v nn))) inline_for_extraction noextract val blake2: @@ -797,7 +872,7 @@ let blake2 #al #ms blake2_init blake2_update blake2_finish nn output ll d kk k = let stzero = zero_element al ms in let h0 = ST.get() in [@inline_let] - let spec _ h1 = h1.[|output|] == Spec.blake2 al h0.[|d|] (v kk) h0.[|k|] (v nn) in + let spec _ h1 = h1.[|output|] == Spec.blake2 al h0.[|d|] (Spec.blake2_default_params al) (v kk) h0.[|k|] (v nn) in salloc1 h0 stlen stzero (Ghost.hide (loc output)) spec (fun h -> assert (max_size_t <= Spec.max_limb al); From e099be980792bc677a6a50214ac3f72f6e1742bf Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 28 Sep 2023 14:52:12 +0200 Subject: [PATCH 04/22] Renaming for consistency --- code/blake2/Hacl.Impl.Blake2.Generic.fst | 11 ++++++----- specs/Spec.Blake2.fst | 4 ++-- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/code/blake2/Hacl.Impl.Blake2.Generic.fst b/code/blake2/Hacl.Impl.Blake2.Generic.fst index 124834192b..5b3cb992d9 100644 --- a/code/blake2/Hacl.Impl.Blake2.Generic.fst +++ b/code/blake2/Hacl.Impl.Blake2.Generic.fst @@ -557,7 +557,7 @@ val lemma_serialize_default_params (al:Spec.alg) : Lemma ( let open Spec in let p = set_key_length (set_digest_length (blake2_default_params al) (v nn)) (v kk) in - let s = serialize_blake_params p in + let s = serialize_blake2_params p in let kk_shift_8 = shift_left (size_to_word al kk) (size 8) in Seq.index s 0 == (Spec.nat_to_word al 0x01010000) ^. kk_shift_8 ^. (size_to_word al nn) /\ (forall (i:nat{i >= 1 /\ i < 8}). Seq.index s i == Spec.nat_to_word al 0) @@ -569,7 +569,7 @@ let lemma_serialize_default2s_params : Lemma ( let open Spec in let p = set_key_length (set_digest_length (blake2s_default_params) (v nn)) (v kk) in - let s = serialize_blake_params p in + let s = serialize_blake2s_params p in let kk_shift_8 = shift_left (size_to_word Spec.Blake2S kk) (size 8) in Seq.index s 0 == (u32 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2S nn) /\ (forall (i:nat{i >= 1 /\ i < 8}). Seq.index s i == u32 0) @@ -577,7 +577,7 @@ let lemma_serialize_default2s_params = let open Spec in let p = set_key_length (set_digest_length (blake2s_default_params) (v nn)) (v kk) in - let s = serialize_blake_params p in + let s = serialize_blake2s_params p in let kk_shift_8 = shift_left (size_to_word Spec.Blake2S kk) (size 8) in let aux () : Lemma (Seq.index s 0 == (u32 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2S nn)) = admit() @@ -588,13 +588,14 @@ let lemma_serialize_default2s_params aux (); Classical.forall_intro aux_zero + let lemma_serialize_default2b_params (kk:size_t{v kk <= Spec.max_key Spec.Blake2B}) (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output Spec.Blake2B}) : Lemma ( let open Spec in let p = set_key_length (set_digest_length (blake2b_default_params) (v nn)) (v kk) in - let s = serialize_blake_params p in + let s = serialize_blake2b_params p in let kk_shift_8 = shift_left (size_to_word Spec.Blake2B kk) (size 8) in Seq.index s 0 == (u64 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2B nn) /\ (forall (i:nat{i >= 1 /\ i < 8}). Seq.index s i == u64 0) @@ -602,7 +603,7 @@ let lemma_serialize_default2b_params = let open Spec in let p = set_key_length (set_digest_length (blake2b_default_params) (v nn)) (v kk) in - let s = serialize_blake_params p in + let s = serialize_blake2b_params p in let kk_shift_8 = shift_left (size_to_word Spec.Blake2B kk) (size 8) in let aux () : Lemma (Seq.index s 0 == (u64 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2B nn)) = admit() diff --git a/specs/Spec.Blake2.fst b/specs/Spec.Blake2.fst index 838684806b..06b7c1bf99 100644 --- a/specs/Spec.Blake2.fst +++ b/specs/Spec.Blake2.fst @@ -239,7 +239,7 @@ let serialize_blake2b_params (p: blake2b_params) : lseq uint64 8 = createL l inline_for_extraction -let serialize_blake_params (#a: alg) (p: blake2_params a): lseq (word_t a) 8 = +let serialize_blake2_params (#a: alg) (p: blake2_params a): lseq (word_t a) 8 = match a with | Blake2S -> serialize_blake2s_params p | Blake2B -> serialize_blake2b_params p @@ -623,7 +623,7 @@ let blake2_init_hash a p kk nn = let p: blake2_params a = set_key_length (set_digest_length p nn) kk in - let s = serialize_blake_params p in + let s = serialize_blake2_params p in let iv0' = iv0 ^. s.[0] in let iv1' = iv1 ^. s.[1] in let iv2' = iv2 ^. s.[2] in From b9554db54a04ad154d81fb979b4d028146d6576b Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 28 Sep 2023 18:07:28 +0200 Subject: [PATCH 05/22] Fix blake2 serialization spec + add several getters/helpers --- specs/Spec.Blake2.fst | 42 ++++++++++++++++++++++++++++++++++++------ 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/specs/Spec.Blake2.fst b/specs/Spec.Blake2.fst index 06b7c1bf99..60dc984d30 100644 --- a/specs/Spec.Blake2.fst +++ b/specs/Spec.Blake2.fst @@ -79,6 +79,18 @@ let create_row (#a:alg) x0 x1 x2 x3 : row a = inline_for_extraction unfold let state (a:alg) = lseq (row a) 4 +inline_for_extraction +let salt_length (a:alg) : size_nat = + match a with + | Blake2S -> 8 + | Blake2B -> 16 + +inline_for_extraction +let personal_length (a:alg) : size_nat = + match a with + | Blake2S -> 8 + | Blake2B -> 16 + noeq type blake2s_params = { digest_length: uint8; @@ -90,11 +102,11 @@ type blake2s_params = { xof_length: uint16; node_depth: uint8; inner_length: uint8; - salt: lseq uint8 8; - personal: lseq uint8 8; + salt: lseq uint8 (salt_length Blake2S); + personal: lseq uint8 (personal_length Blake2S); } -(* Need these two helpers to cleanly work around field shadowing *) +(* Need these helpers to cleanly work around field shadowing *) inline_for_extraction let set_blake2s_digest_length @@ -110,6 +122,12 @@ let set_blake2s_key_length : blake2s_params = {p with key_length = u8 kk} +inline_for_extraction +let get_blake2s_salt (p:blake2s_params) = p.salt + +inline_for_extraction +let get_blake2s_personal (p:blake2s_params) = p.personal + noeq type blake2b_params = { digest_length: uint8; @@ -123,8 +141,8 @@ type blake2b_params = { inner_length: uint8; // Blake2b also contains 14 reserved bytes here, but they seem // unused and to only contain zeros, hence we do not expose them - salt: lseq uint8 16; - personal: lseq uint8 16; + salt: lseq uint8 (salt_length Blake2B); + personal: lseq uint8 (personal_length Blake2B); } inline_for_extraction @@ -151,6 +169,18 @@ let set_key_length (#a: alg) | Blake2S -> set_blake2s_key_length p kk | Blake2B -> {p with key_length = u8 kk} +inline_for_extraction +let get_salt (#a: alg) (p: blake2_params a) : lseq uint8 (salt_length a) = + match a with + | Blake2S -> get_blake2s_salt p + | Blake2B -> p.salt + +inline_for_extraction +let get_personal (#a: alg) (p: blake2_params a) : lseq uint8 (personal_length a) = + match a with + | Blake2S -> get_blake2s_personal p + | Blake2B -> p.personal + let blake2s_default_params: blake2s_params = { digest_length = u8 32; key_length = u8 0; @@ -634,7 +664,7 @@ let blake2_init_hash a p kk nn = let iv7' = iv7 ^. s.[7] in let r0' = create_row #a iv0' iv1' iv2' iv3' in let r1' = create_row #a iv4' iv5' iv6' iv7' in - let s_iv = createL [r0';r1;r0;r1] in + let s_iv = createL [r0';r1';r0;r1] in s_iv val blake2_key_block: From bea20ca69d767ee691fae76486a79f3f1fe95449 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 28 Sep 2023 18:07:58 +0200 Subject: [PATCH 06/22] WIP: Implement Low* Blake2 serialization, with a missing lemma about from_bytes_le_zeroes --- code/blake2/Hacl.Impl.Blake2.Core.fsti | 108 +++++++++ code/blake2/Hacl.Impl.Blake2.Generic.fst | 286 +++++++++++++++++------ 2 files changed, 325 insertions(+), 69 deletions(-) diff --git a/code/blake2/Hacl.Impl.Blake2.Core.fsti b/code/blake2/Hacl.Impl.Blake2.Core.fsti index 91d9b8f174..6119a5457c 100644 --- a/code/blake2/Hacl.Impl.Blake2.Core.fsti +++ b/code/blake2/Hacl.Impl.Blake2.Core.fsti @@ -53,6 +53,114 @@ val row_v_lemma: #a:Spec.alg -> #m:m_spec -> h0:mem -> h1:mem -> r1:row_p a m -> row_v h0 r1 == row_v h1 r2)) [SMTPat (row_v h0 r1); SMTPat (row_v h1 r2)] +noextract inline_for_extraction +let salt_len (a:Spec.alg) : size_t = + match a with + | Spec.Blake2S -> 8ul + | Spec.Blake2B -> 16ul + +noextract inline_for_extraction +let personal_len (a:Spec.alg) : size_t = + match a with + | Spec.Blake2S -> 8ul + | Spec.Blake2B -> 16ul + +noeq +type blake2s_params = { + digest_length: uint8; + key_length: uint8; + fanout: uint8; + depth: uint8; + leaf_length: uint32; + node_offset: uint32; + xof_length: uint16; + node_depth: uint8; + inner_length: uint8; + salt: lbuffer uint8 8ul; + personal: lbuffer uint8 8ul; +} + +let blake2s_params_inv (h: mem) (p: blake2s_params): GTot prop = + live h p.salt /\ live h p.personal + +let blake2s_params_loc (p: blake2s_params) = + loc p.salt `union` loc p.personal + +let blake2s_params_v (h: mem) (p: blake2s_params): GTot Spec.blake2s_params = + Spec.Mkblake2s_params + p.digest_length + p.key_length + p.fanout + p.depth + p.leaf_length + p.node_offset + p.xof_length + p.node_depth + p.inner_length + (as_seq h p.salt) + (as_seq h p.personal) + +noeq +type blake2b_params = { + digest_length: uint8; + key_length: uint8; + fanout: uint8; + depth: uint8; + leaf_length: uint32; + node_offset: uint32; + xof_length: uint32; + node_depth: uint8; + inner_length: uint8; + // Blake2b also contains 14 reserved bytes here, but they seem + // unused and to only contain zeros, hence we do not expose them + salt: lbuffer uint8 16ul; + personal: lbuffer uint8 16ul; +} + +let blake2b_params_inv (h: mem) (p: blake2b_params): GTot prop = + live h p.salt /\ live h p.personal + +let blake2b_params_loc (p: blake2b_params) = + loc p.salt `union` loc p.personal + +let blake2b_params_v (h: mem) (p: blake2b_params): GTot Spec.blake2b_params = + Spec.Mkblake2b_params + p.digest_length + p.key_length + p.fanout + p.depth + p.leaf_length + p.node_offset + p.xof_length + p.node_depth + p.inner_length + (as_seq h p.salt) + (as_seq h p.personal) + +noextract inline_for_extraction +let blake2_params (a:Spec.alg) = + match a with + | Spec.Blake2S -> blake2s_params + | Spec.Blake2B -> blake2b_params + +noextract inline_for_extraction +let blake2_params_inv (a:Spec.alg) (h: mem) (p: blake2_params a) = + match a with + | Spec.Blake2S -> blake2s_params_inv h p + | Spec.Blake2B -> blake2b_params_inv h p + +noextract inline_for_extraction +let blake2_params_loc (a:Spec.alg) (p: blake2_params a) = + match a with + | Spec.Blake2S -> blake2s_params_loc p + | Spec.Blake2B -> blake2b_params_loc p + +noextract inline_for_extraction +let blake2_params_v (a:Spec.alg) (h: mem) (p: blake2_params a) : GTot (Spec.blake2_params a) = + match a with + | Spec.Blake2S -> blake2s_params_v h p + | Spec.Blake2B -> blake2b_params_v h p + noextract inline_for_extraction unfold let state_p (a:Spec.alg) (m:m_spec) = lbuffer (element_t a m) (4ul *. row_len a m) diff --git a/code/blake2/Hacl.Impl.Blake2.Generic.fst b/code/blake2/Hacl.Impl.Blake2.Generic.fst index 5b3cb992d9..cbd0133a90 100644 --- a/code/blake2/Hacl.Impl.Blake2.Generic.fst +++ b/code/blake2/Hacl.Impl.Blake2.Generic.fst @@ -551,73 +551,210 @@ let blake2_init_st (al:Spec.alg) (ms:m_spec) = (ensures (fun h0 _ h1 -> modifies (loc hash) h0 h1 /\ state_v h1 hash == Spec.blake2_init_hash al (Spec.blake2_default_params al) (v kk) (v nn))) -val lemma_serialize_default_params (al:Spec.alg) +inline_for_extraction noextract +val serialize_params (al:Spec.alg) (kk:size_t{v kk <= Spec.max_key al}) (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output al}) - : Lemma ( - let open Spec in - let p = set_key_length (set_digest_length (blake2_default_params al) (v nn)) (v kk) in - let s = serialize_blake2_params p in - let kk_shift_8 = shift_left (size_to_word al kk) (size 8) in - Seq.index s 0 == (Spec.nat_to_word al 0x01010000) ^. kk_shift_8 ^. (size_to_word al nn) /\ - (forall (i:nat{i >= 1 /\ i < 8}). Seq.index s i == Spec.nat_to_word al 0) + (p: Spec.blake2_params al) + (b: lbuffer (word_t al) 8ul) + : Stack unit + (requires fun h -> + live h b /\ + as_seq h b == Seq.create 8 (Spec.nat_to_word al 0) /\ + // TODO: Should be removed, and should take a Low* blake2_params as arguments. + Spec.get_salt p == Seq.create (Spec.salt_length al) (u8 0) /\ + Spec.get_personal p == Seq.create (Spec.personal_length al) (u8 0) ) + (ensures fun h0 _ h1 -> + modifies (loc b) h0 h1 /\ + as_seq h1 b == Spec.serialize_blake2_params + (Spec.set_key_length (Spec.set_digest_length p (v nn)) (v kk))) -let lemma_serialize_default2s_params +#push-options "--z3rlimit 100 --fuel 0" +inline_for_extraction noextract +let serialize_params_blake2s (kk:size_t{v kk <= Spec.max_key Spec.Blake2S}) (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output Spec.Blake2S}) - : Lemma ( - let open Spec in - let p = set_key_length (set_digest_length (blake2s_default_params) (v nn)) (v kk) in - let s = serialize_blake2s_params p in - let kk_shift_8 = shift_left (size_to_word Spec.Blake2S kk) (size 8) in - Seq.index s 0 == (u32 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2S nn) /\ - (forall (i:nat{i >= 1 /\ i < 8}). Seq.index s i == u32 0) + (p: Spec.blake2_params Spec.Blake2S) + (b: lbuffer (word_t Spec.Blake2S) 8ul) + : Stack unit + (requires fun h -> live h b /\ + as_seq h b == Seq.create 8 (u32 0) /\ + Spec.get_salt p == Seq.create 8 (u8 0) /\ + Spec.get_personal p == Seq.create 8 (u8 0) ) - = - let open Spec in - let p = set_key_length (set_digest_length (blake2s_default_params) (v nn)) (v kk) in - let s = serialize_blake2s_params p in - let kk_shift_8 = shift_left (size_to_word Spec.Blake2S kk) (size 8) in - let aux () : Lemma (Seq.index s 0 == (u32 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2S nn)) = - admit() - in - let aux_zero (i:nat{i >= 1 /\ i < 8}) : Lemma (Seq.index s i == u32 0) = - admit() - in - aux (); - Classical.forall_intro aux_zero - + (ensures fun h0 _ h1 -> + modifies (loc b) h0 h1 /\ + as_seq h1 b == Spec.serialize_blake2_params + (Spec.set_key_length (Spec.set_digest_length p (v nn)) (v kk))) + = [@inline_let] + let kk_shift_8 = shift_left (to_u32 kk) (size 8) in + [@inline_let] + let fanout_shift_16 = shift_left (to_u32 p.fanout) (size 16) in + [@inline_let] + let depth_shift_24 = shift_left (to_u32 p.depth) (size 24) in + [@inline_let] + let v0 = (to_u32 nn) ^. kk_shift_8 ^. fanout_shift_16 ^. depth_shift_24 in + [@inline_let] + let v1 = p.leaf_length in + [@inline_let] + let v2 = p.node_offset in + [@inline_let] + let node_depth_shift_16 = shift_left (to_u32 p.node_depth) (size 16) in + [@inline_let] + let inner_length_shift_16 = shift_left (to_u32 p.inner_length) (size 24) in + [@inline_let] + let v3 = (to_u32 p.xof_length) ^. node_depth_shift_16 ^. inner_length_shift_16 in + b.(0ul) <- v0; + b.(1ul) <- v1; + b.(2ul) <- v2; + b.(3ul) <- v3; + + assume (Lib.ByteSequence.uints_from_bytes_le #U32 #SEC #2 (Seq.create 8 (u8 0)) == Seq.create 2 (u32 0)); + + let h1 = ST.get () in + let aux () : Lemma (as_seq h1 b `Seq.equal` Spec.serialize_blake2s_params + (Spec.set_key_length (Spec.set_digest_length p (v nn)) (v kk))) = + let open Lib.Sequence in + let open Lib.ByteSequence in + let s0 = (u32 (v nn)) ^. + (u32 (v kk) <<. (size 8)) ^. + (u32 (v p.fanout) <<. (size 16)) ^. + (u32 (v p.depth) <<. (size 24)) in + let s1 = p.leaf_length in + let s2 = p.node_offset in + let s3 = (u32 (v p.xof_length)) ^. + (u32 (v p.node_depth) <<. (size 16)) ^. + (u32 (v p.inner_length) <<. (size 24)) in + let salt_u32: lseq uint32 2 = uints_from_bytes_le p.salt in + let s4 = salt_u32.[0] in + let s5 = salt_u32.[1] in + let personal_u32: lseq uint32 2 = uints_from_bytes_le p.personal in + let s6 = personal_u32.[0] in + let s7 = personal_u32.[1] in + [@inline_let] + let l = [s0; s1; s2; s3; s4; s5; s6; s7] in + assert_norm (List.Tot.length l == 8); + + // There seems to be something not triggering with createL, requiring the + // following lemma calls, and assert_norms to relate List.index to the + // actual elements + + assert_norm (List.Tot.index l 0 == s0); + assert_norm (List.Tot.index l 1 == s1); + assert_norm (List.Tot.index l 2 == s2); + assert_norm (List.Tot.index l 3 == s3); + assert_norm (List.Tot.index l 4 == s4); + assert_norm (List.Tot.index l 5 == s5); + assert_norm (List.Tot.index l 6 == s6); + assert_norm (List.Tot.index l 7 == s7); + of_list_index l 0; + of_list_index l 1; + of_list_index l 2; + of_list_index l 3; + of_list_index l 4; + of_list_index l 5; + of_list_index l 6; + of_list_index l 7 + in + aux() -let lemma_serialize_default2b_params +inline_for_extraction noextract +let serialize_params_blake2b (kk:size_t{v kk <= Spec.max_key Spec.Blake2B}) (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output Spec.Blake2B}) - : Lemma ( - let open Spec in - let p = set_key_length (set_digest_length (blake2b_default_params) (v nn)) (v kk) in - let s = serialize_blake2b_params p in - let kk_shift_8 = shift_left (size_to_word Spec.Blake2B kk) (size 8) in - Seq.index s 0 == (u64 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2B nn) /\ - (forall (i:nat{i >= 1 /\ i < 8}). Seq.index s i == u64 0) + (p: Spec.blake2_params Spec.Blake2B) + (b: lbuffer (word_t Spec.Blake2B) 8ul) + : Stack unit + (requires fun h -> live h b /\ + as_seq h b == Seq.create 8 (u64 0) /\ + Spec.get_salt p == Seq.create 16 (u8 0) /\ + Spec.get_personal p == Seq.create 16 (u8 0) ) - = - let open Spec in - let p = set_key_length (set_digest_length (blake2b_default_params) (v nn)) (v kk) in - let s = serialize_blake2b_params p in - let kk_shift_8 = shift_left (size_to_word Spec.Blake2B kk) (size 8) in - let aux () : Lemma (Seq.index s 0 == (u64 0x01010000) ^. kk_shift_8 ^. (size_to_word Spec.Blake2B nn)) = - admit() - in - let aux_zero (i:nat{i >= 1 /\ i < 8}) : Lemma (Seq.index s i == u64 0) = - admit() - in - aux (); - Classical.forall_intro aux_zero - -let lemma_serialize_default_params al kk nn = + (ensures fun h0 _ h1 -> + modifies (loc b) h0 h1 /\ + as_seq h1 b == Spec.serialize_blake2_params + (Spec.set_key_length (Spec.set_digest_length p (v nn)) (v kk))) + = [@inline_let] + let kk_shift_8 = shift_left (to_u64 kk) (size 8) in + [@inline_let] + let fanout_shift_16 = shift_left (to_u64 p.fanout) (size 16) in + [@inline_let] + let depth_shift_24 = shift_left (to_u64 p.depth) (size 24) in + [@inline_let] + let leaf_length_shift_32 = shift_left (to_u64 p.leaf_length) (size 32) in + [@inline_let] + let v0 = (to_u64 nn) ^. kk_shift_8 ^. fanout_shift_16 ^. depth_shift_24 ^. leaf_length_shift_32 in + [@inline_let] + let xof_length_shift_32 = shift_left (to_u64 p.xof_length) (size 32) in + [@inline_let] + let v1 = (to_u64 p.node_offset) ^. xof_length_shift_32 in + [@inline_let] + let inner_length_shift_8 = shift_left (to_u64 p.inner_length) (size 8) in + [@inline_let] + let v2 = (to_u64 p.node_depth) ^. inner_length_shift_8 in + b.(0ul) <- v0; + b.(1ul) <- v1; + b.(2ul) <- v2; + + assume (Lib.ByteSequence.uints_from_bytes_le #U64 #SEC #2 (Seq.create 16 (u8 0)) == Seq.create 2 (u64 0)); + + let h1 = ST.get () in + let aux () : Lemma (as_seq h1 b `Seq.equal` Spec.serialize_blake2b_params + (Spec.set_key_length (Spec.set_digest_length p (v nn)) (v kk))) = + let open Lib.Sequence in + let open Lib.ByteSequence in + let s0 = (u64 (v nn)) ^. + (u64 (v kk) <<. (size 8)) ^. + (u64 (v p.fanout) <<. (size 16)) ^. + (u64 (v p.depth) <<. (size 24)) ^. + (u64 (v p.leaf_length) <<. (size 32)) in + let s1 = (u64 (v p.node_offset)) ^. + (u64 (v p.xof_length) <<. (size 32)) in + // The serialization corresponding to s2 contains node_depth and inner_length, + // followed by the 14 reserved bytes which always seem to be zeros, and can hence + // be ignored when building the corresponding uint64 using xor's + let s2 = (u64 (v p.node_depth)) ^. + (u64 (v p.inner_length) <<. (size 8)) in + // s3 corresponds to the remaining of the reserved bytes + let s3 = u64 0 in + let salt_u64: lseq uint64 2 = uints_from_bytes_le p.salt in + let s4 = salt_u64.[0] in + let s5 = salt_u64.[1] in + let personal_u64: lseq uint64 2 = uints_from_bytes_le p.personal in + let s6 = personal_u64.[0] in + let s7 = personal_u64.[1] in + [@inline_let] + let l = [s0; s1; s2; s3; s4; s5; s6; s7] in + assert_norm (List.Tot.length l == 8); + + // There seems to be something not triggering with createL, requiring the + // following lemma calls, and assert_norms to relate List.index to the + // actual elements + + assert_norm (List.Tot.index l 0 == s0); + assert_norm (List.Tot.index l 1 == s1); + assert_norm (List.Tot.index l 2 == s2); + assert_norm (List.Tot.index l 3 == s3); + assert_norm (List.Tot.index l 4 == s4); + assert_norm (List.Tot.index l 5 == s5); + assert_norm (List.Tot.index l 6 == s6); + assert_norm (List.Tot.index l 7 == s7); + of_list_index l 0; + of_list_index l 1; + of_list_index l 2; + of_list_index l 3; + of_list_index l 4; + of_list_index l 5; + of_list_index l 6; + of_list_index l 7 + in + aux() + +let serialize_params al kk nn p b = match al with - | Spec.Blake2S -> lemma_serialize_default2s_params kk nn - | Spec.Blake2B -> lemma_serialize_default2b_params kk nn + | Spec.Blake2S -> serialize_params_blake2s kk nn p b + | Spec.Blake2B -> serialize_params_blake2b kk nn p b inline_for_extraction noextract val blake2_init: @@ -626,7 +763,9 @@ val blake2_init: -> blake2_init_st al ms let blake2_init #al #ms hash kk nn = + push_frame (); let h0 = ST.get() in + let tmp = create 8ul (Spec.nat_to_word al 0) in let r0 = rowi hash 0ul in let r1 = rowi hash 1ul in let r2 = rowi hash 2ul in @@ -641,21 +780,30 @@ let blake2_init #al #ms hash kk nn = let iv7 = get_iv al 7ul in create_row #al #ms r2 iv0 iv1 iv2 iv3; create_row #al #ms r3 iv4 iv5 iv6 iv7; - let kk_shift_8 = shift_left (size_to_word al kk) (size 8) in - let iv0' = iv0 ^. (Spec.nat_to_word al 0x01010000) ^. kk_shift_8 ^. (size_to_word al nn) in - (**) logxor_lemma iv1 (Spec.nat_to_word al 0); - (**) logxor_lemma iv2 (Spec.nat_to_word al 0); - (**) logxor_lemma iv3 (Spec.nat_to_word al 0); - (**) logxor_lemma iv4 (Spec.nat_to_word al 0); - (**) logxor_lemma iv5 (Spec.nat_to_word al 0); - (**) logxor_lemma iv6 (Spec.nat_to_word al 0); - (**) logxor_lemma iv7 (Spec.nat_to_word al 0); - create_row #al #ms r0 iv0' iv1 iv2 iv3; - create_row #al #ms r1 iv4 iv5 iv6 iv7; + serialize_params al kk nn (Spec.blake2_default_params al) tmp; + let tmp0 = tmp.(0ul) in + let tmp1 = tmp.(1ul) in + let tmp2 = tmp.(2ul) in + let tmp3 = tmp.(3ul) in + let tmp4 = tmp.(4ul) in + let tmp5 = tmp.(5ul) in + let tmp6 = tmp.(6ul) in + let tmp7 = tmp.(7ul) in + let iv0' = iv0 ^. tmp0 in + let iv1' = iv1 ^. tmp1 in + let iv2' = iv2 ^. tmp2 in + let iv3' = iv3 ^. tmp3 in + let iv4' = iv4 ^. tmp4 in + let iv5' = iv5 ^. tmp5 in + let iv6' = iv6 ^. tmp6 in + let iv7' = iv7 ^. tmp7 in + create_row #al #ms r0 iv0' iv1' iv2' iv3'; + create_row #al #ms r1 iv4' iv5' iv6' iv7'; let h1 = ST.get() in - assert(modifies (loc hash) h0 h1); - (**) lemma_serialize_default_params al kk nn; - Lib.Sequence.eq_intro (state_v h1 hash) (Spec.blake2_init_hash al (Spec.blake2_default_params al) (v kk) (v nn)) + assert (disjoint hash tmp); + assert(modifies (loc hash `union` loc tmp) h0 h1); + Lib.Sequence.eq_intro (state_v h1 hash) (Spec.blake2_init_hash al (Spec.blake2_default_params al) (v kk) (v nn)); + pop_frame () #push-options "--z3rlimit 100 --max_fuel 0 --max_ifuel 0" let _ : squash (inversion Spec.alg) = allow_inversion Spec.alg From 913b98a491648ba5506f1653bdbf7a9c81e7f89d Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Fri, 29 Sep 2023 10:43:41 +0200 Subject: [PATCH 07/22] Propagate blake2_default_params to downstream modules --- code/streaming/Hacl.Streaming.Blake2.fst | 6 +++--- specs/Spec.Agile.Hash.fst | 6 +++--- specs/lemmas/Spec.Blake2.Incremental.fst | 2 +- specs/lemmas/Spec.Blake2.Incremental.fsti | 4 +++- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/code/streaming/Hacl.Streaming.Blake2.fst b/code/streaming/Hacl.Streaming.Blake2.fst index 96612f2fcf..4e58c5f915 100644 --- a/code/streaming/Hacl.Streaming.Blake2.fst +++ b/code/streaming/Hacl.Streaming.Blake2.fst @@ -264,7 +264,7 @@ let blake2_prevlen (a : alg) noextract let init_s (a : alg) (kk : size_nat{kk <= max_key a}) : Tot (t a) = - Spec.blake2_init_hash a kk (output_size a) + Spec.blake2_init_hash a (Spec.blake2_default_params a) kk (output_size a) noextract let update_multi_s (#a : alg) (acc : t a) @@ -294,7 +294,7 @@ let spec_s (a : alg) (kk : size_nat{kk <= max_key a}) (key : lbytes kk) (input : S.seq uint8{if kk = 0 then S.length input <= max_input_length a else S.length input + Spec.size_block a <= max_input_length a}) = - Spec.blake2 a input kk key (output_size a) + Spec.blake2 a input (Spec.blake2_default_params a) kk key (output_size a) /// Interlude for spec proofs /// ------------------------- @@ -461,7 +461,7 @@ val spec_is_incremental : input:S.seq uint8 { if kk = 0 then S.length input <= max_input_length a else S.length input + (Spec.size_block a) <= max_input_length a } -> Lemma( blake2_hash_incremental_s a kk k input == - Spec.blake2 a input kk k (output_size a)) + Spec.blake2 a input (Spec.blake2_default_params a) kk k (output_size a)) #restart-solver #push-options "--z3cliopt smt.arith.nl=false" diff --git a/specs/Spec.Agile.Hash.fst b/specs/Spec.Agile.Hash.fst index 1894556760..100ce238e8 100644 --- a/specs/Spec.Agile.Hash.fst +++ b/specs/Spec.Agile.Hash.fst @@ -17,8 +17,8 @@ let init a = Spec.MD5.init | SHA1 -> Spec.SHA1.init - | Blake2S -> Spec.Blake2.blake2_init_hash Spec.Blake2.Blake2S 0 32 - | Blake2B -> Spec.Blake2.blake2_init_hash Spec.Blake2.Blake2B 0 64 + | Blake2S -> Spec.Blake2.blake2_init_hash Spec.Blake2.Blake2S Spec.Blake2.blake2s_default_params 0 32 + | Blake2B -> Spec.Blake2.blake2_init_hash Spec.Blake2.Blake2B Spec.Blake2.blake2b_default_params 0 64 | SHA3_224 | SHA3_256 | SHA3_384 | SHA3_512 | Shake128 | Shake256 -> Lib.Sequence.create 25 (u64 0) @@ -83,7 +83,7 @@ let finish (a:hash_alg) (hashw:words_state a) (l: output_length a): Tot (bytes_h // Same deal with the SHA3 family. let hash' a input l = if is_blake a then - Spec.Blake2.blake2 (to_blake_alg a) input 0 Seq.empty (Spec.Blake2.max_output (to_blake_alg a)) + Spec.Blake2.blake2 (to_blake_alg a) input (Spec.Blake2.blake2_default_params (to_blake_alg a)) 0 Seq.empty (Spec.Blake2.max_output (to_blake_alg a)) else if is_md a then (* As defined in the NIST standard; pad, then update, then finish. *) let padding = pad a (S.length input) in diff --git a/specs/lemmas/Spec.Blake2.Incremental.fst b/specs/lemmas/Spec.Blake2.Incremental.fst index db3fa2241c..d95869dd3e 100644 --- a/specs/lemmas/Spec.Blake2.Incremental.fst +++ b/specs/lemmas/Spec.Blake2.Incremental.fst @@ -135,7 +135,7 @@ let blake2_is_hash_incremental a input = let a' = to_blake_alg a in let n_blocks, l_last = Spec.Blake2.split a' (S.length input) in let blocks, last = Lib.UpdateMulti.split_at_last_lazy (block_length a) input in - let s_i = Spec.Blake2.blake2_init_hash a' 0 (Spec.Blake2.max_output (to_blake_alg a)) in + let s_i = Spec.Blake2.blake2_init_hash a' (Spec.Blake2.blake2_default_params a') 0 (Spec.Blake2.max_output (to_blake_alg a)) in let s_i': words_state a = init a in assert (s_i == s_i'); diff --git a/specs/lemmas/Spec.Blake2.Incremental.fsti b/specs/lemmas/Spec.Blake2.Incremental.fsti index 70e6b8d7c1..f4d035707e 100644 --- a/specs/lemmas/Spec.Blake2.Incremental.fsti +++ b/specs/lemmas/Spec.Blake2.Incremental.fsti @@ -10,5 +10,7 @@ val blake2_is_hash_incremental (a : blake_alg) (input : bytes {S.length input `less_than_max_input_length` a}) : Lemma ( - S.equal (Spec.Blake2.blake2 (to_blake_alg a) input 0 Seq.empty (Spec.Blake2.max_output (to_blake_alg a))) + S.equal (Spec.Blake2.blake2 (to_blake_alg a) input + (Spec.Blake2.blake2_default_params (to_blake_alg a)) + 0 Seq.empty (Spec.Blake2.max_output (to_blake_alg a))) (hash_incremental a input ())) From 9d2401179170643df40187937c053dd8835ea82e Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Fri, 29 Sep 2023 12:11:43 +0200 Subject: [PATCH 08/22] Use a Low* version of blake2_params in Blake2 implementation --- code/blake2/Hacl.Impl.Blake2.Core.fsti | 66 ++++++++++++++++++++++-- code/blake2/Hacl.Impl.Blake2.Generic.fst | 63 ++++++++++++---------- 2 files changed, 100 insertions(+), 29 deletions(-) diff --git a/code/blake2/Hacl.Impl.Blake2.Core.fsti b/code/blake2/Hacl.Impl.Blake2.Core.fsti index 6119a5457c..4a0a72b9a2 100644 --- a/code/blake2/Hacl.Impl.Blake2.Core.fsti +++ b/code/blake2/Hacl.Impl.Blake2.Core.fsti @@ -80,6 +80,26 @@ type blake2s_params = { personal: lbuffer uint8 8ul; } +inline_for_extraction noextract +let get_blake2s_salt (p: blake2s_params) = p.salt + +inline_for_extraction noextract +let get_blake2s_personal (p: blake2s_params) = p.personal + +inline_for_extraction noextract +let set_blake2s_digest_length + (p: blake2s_params) + (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output Spec.Blake2S}) + : blake2s_params = + {p with digest_length = to_u8 nn} + +inline_for_extraction noextract +let set_blake2s_key_length + (p: blake2s_params) + (kk: size_t{v kk <= Spec.max_key Spec.Blake2S}) + : blake2s_params = + {p with key_length = to_u8 kk} + let blake2s_params_inv (h: mem) (p: blake2s_params): GTot prop = live h p.salt /\ live h p.personal @@ -143,24 +163,64 @@ let blake2_params (a:Spec.alg) = | Spec.Blake2S -> blake2s_params | Spec.Blake2B -> blake2b_params +inline_for_extraction noextract +let set_digest_length (#a: Spec.alg) + (p: blake2_params a) + (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output a}) + : blake2_params a = + match a with + | Spec.Blake2S -> set_blake2s_digest_length p nn + | Spec.Blake2B -> {p with digest_length = to_u8 nn} + +inline_for_extraction noextract +let set_key_length (#a: Spec.alg) + (p: blake2_params a) + (kk: size_t{v kk <= Spec.max_key a}) + : blake2_params a = + match a with + | Spec.Blake2S -> set_blake2s_key_length p kk + | Spec.Blake2B -> {p with key_length = to_u8 kk} + +inline_for_extraction noextract +let get_salt (#a: Spec.alg) (p: blake2_params a) : lbuffer uint8 (salt_len a) = + match a with + | Spec.Blake2S -> get_blake2s_salt p + | Spec.Blake2B -> p.salt + +inline_for_extraction noextract +let get_personal (#a: Spec.alg) (p: blake2_params a) : lbuffer uint8 (personal_len a) = + match a with + | Spec.Blake2S -> get_blake2s_personal p + | Spec.Blake2B -> p.personal + noextract inline_for_extraction -let blake2_params_inv (a:Spec.alg) (h: mem) (p: blake2_params a) = +let blake2_params_inv (#a:Spec.alg) (h: mem) (p: blake2_params a) = match a with | Spec.Blake2S -> blake2s_params_inv h p | Spec.Blake2B -> blake2b_params_inv h p noextract inline_for_extraction -let blake2_params_loc (a:Spec.alg) (p: blake2_params a) = +let blake2_params_loc (#a:Spec.alg) (p: blake2_params a) = match a with | Spec.Blake2S -> blake2s_params_loc p | Spec.Blake2B -> blake2b_params_loc p noextract inline_for_extraction -let blake2_params_v (a:Spec.alg) (h: mem) (p: blake2_params a) : GTot (Spec.blake2_params a) = +let blake2_params_v (#a:Spec.alg) (h: mem) (p: blake2_params a) : GTot (Spec.blake2_params a) = match a with | Spec.Blake2S -> blake2s_params_v h p | Spec.Blake2B -> blake2b_params_v h p +noextract inline_for_extraction +val alloc_default_params: a:Spec.alg -> + StackInline (blake2_params a) + (requires (fun h -> True)) + (ensures (fun h0 p h1 -> + stack_allocated (get_salt p) h0 h1 (Lib.Sequence.create (Spec.salt_length a) (u8 0)) /\ + stack_allocated (get_personal p) h0 h1 (Lib.Sequence.create (Spec.personal_length a) (u8 0)) /\ + blake2_params_inv h1 p /\ + blake2_params_v h1 p == Spec.blake2_default_params a)) + noextract inline_for_extraction unfold let state_p (a:Spec.alg) (m:m_spec) = lbuffer (element_t a m) (4ul *. row_len a m) diff --git a/code/blake2/Hacl.Impl.Blake2.Generic.fst b/code/blake2/Hacl.Impl.Blake2.Generic.fst index cbd0133a90..9f5ae63653 100644 --- a/code/blake2/Hacl.Impl.Blake2.Generic.fst +++ b/code/blake2/Hacl.Impl.Blake2.Generic.fst @@ -555,39 +555,37 @@ inline_for_extraction noextract val serialize_params (al:Spec.alg) (kk:size_t{v kk <= Spec.max_key al}) (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output al}) - (p: Spec.blake2_params al) + (p: blake2_params al) (b: lbuffer (word_t al) 8ul) : Stack unit (requires fun h -> live h b /\ - as_seq h b == Seq.create 8 (Spec.nat_to_word al 0) /\ - // TODO: Should be removed, and should take a Low* blake2_params as arguments. - Spec.get_salt p == Seq.create (Spec.salt_length al) (u8 0) /\ - Spec.get_personal p == Seq.create (Spec.personal_length al) (u8 0) + LowStar.Buffer.loc_disjoint (loc b) (blake2_params_loc p) /\ + as_seq h b == Seq.create 8 (Spec.nat_to_word al 0) ) (ensures fun h0 _ h1 -> modifies (loc b) h0 h1 /\ as_seq h1 b == Spec.serialize_blake2_params - (Spec.set_key_length (Spec.set_digest_length p (v nn)) (v kk))) + (Spec.set_key_length (Spec.set_digest_length (blake2_params_v h0 p) (v nn)) (v kk))) #push-options "--z3rlimit 100 --fuel 0" inline_for_extraction noextract let serialize_params_blake2s (kk:size_t{v kk <= Spec.max_key Spec.Blake2S}) (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output Spec.Blake2S}) - (p: Spec.blake2_params Spec.Blake2S) + (p: blake2_params Spec.Blake2S) (b: lbuffer (word_t Spec.Blake2S) 8ul) : Stack unit (requires fun h -> live h b /\ - as_seq h b == Seq.create 8 (u32 0) /\ - Spec.get_salt p == Seq.create 8 (u8 0) /\ - Spec.get_personal p == Seq.create 8 (u8 0) + LowStar.Buffer.loc_disjoint (loc b) (blake2_params_loc p) /\ + as_seq h b == Seq.create 8 (u32 0) ) (ensures fun h0 _ h1 -> modifies (loc b) h0 h1 /\ as_seq h1 b == Spec.serialize_blake2_params - (Spec.set_key_length (Spec.set_digest_length p (v nn)) (v kk))) - = [@inline_let] + (Spec.set_key_length (Spec.set_digest_length (blake2_params_v h0 p) (v nn)) (v kk))) + = let h0 = ST.get () in + [@inline_let] let kk_shift_8 = shift_left (to_u32 kk) (size 8) in [@inline_let] let fanout_shift_16 = shift_left (to_u32 p.fanout) (size 16) in @@ -614,7 +612,7 @@ let serialize_params_blake2s let h1 = ST.get () in let aux () : Lemma (as_seq h1 b `Seq.equal` Spec.serialize_blake2s_params - (Spec.set_key_length (Spec.set_digest_length p (v nn)) (v kk))) = + (Spec.set_key_length (Spec.set_digest_length (blake2_params_v h0 p) (v nn)) (v kk))) = let open Lib.Sequence in let open Lib.ByteSequence in let s0 = (u32 (v nn)) ^. @@ -626,10 +624,10 @@ let serialize_params_blake2s let s3 = (u32 (v p.xof_length)) ^. (u32 (v p.node_depth) <<. (size 16)) ^. (u32 (v p.inner_length) <<. (size 24)) in - let salt_u32: lseq uint32 2 = uints_from_bytes_le p.salt in + let salt_u32: lseq uint32 2 = uints_from_bytes_le (as_seq h0 (get_salt p)) in let s4 = salt_u32.[0] in let s5 = salt_u32.[1] in - let personal_u32: lseq uint32 2 = uints_from_bytes_le p.personal in + let personal_u32: lseq uint32 2 = uints_from_bytes_le (as_seq h0 (get_personal p)) in let s6 = personal_u32.[0] in let s7 = personal_u32.[1] in [@inline_let] @@ -640,6 +638,12 @@ let serialize_params_blake2s // following lemma calls, and assert_norms to relate List.index to the // actual elements + let s = as_seq h1 b in + assume (Seq.index s 4 == s4); + assume (Seq.index s 5 == s5); + assume (Seq.index s 6 == s6); + assume (Seq.index s 7 == s7); + assert_norm (List.Tot.index l 0 == s0); assert_norm (List.Tot.index l 1 == s1); assert_norm (List.Tot.index l 2 == s2); @@ -663,19 +667,19 @@ inline_for_extraction noextract let serialize_params_blake2b (kk:size_t{v kk <= Spec.max_key Spec.Blake2B}) (nn: size_t{1 <= v nn /\ v nn <= Spec.max_output Spec.Blake2B}) - (p: Spec.blake2_params Spec.Blake2B) + (p: blake2_params Spec.Blake2B) (b: lbuffer (word_t Spec.Blake2B) 8ul) : Stack unit (requires fun h -> live h b /\ - as_seq h b == Seq.create 8 (u64 0) /\ - Spec.get_salt p == Seq.create 16 (u8 0) /\ - Spec.get_personal p == Seq.create 16 (u8 0) + LowStar.Buffer.loc_disjoint (loc b) (blake2_params_loc p) /\ + as_seq h b == Seq.create 8 (u64 0) ) (ensures fun h0 _ h1 -> modifies (loc b) h0 h1 /\ as_seq h1 b == Spec.serialize_blake2_params - (Spec.set_key_length (Spec.set_digest_length p (v nn)) (v kk))) - = [@inline_let] + (Spec.set_key_length (Spec.set_digest_length (blake2_params_v h0 p) (v nn)) (v kk))) + = let h0 = ST.get () in + [@inline_let] let kk_shift_8 = shift_left (to_u64 kk) (size 8) in [@inline_let] let fanout_shift_16 = shift_left (to_u64 p.fanout) (size 16) in @@ -701,7 +705,7 @@ let serialize_params_blake2b let h1 = ST.get () in let aux () : Lemma (as_seq h1 b `Seq.equal` Spec.serialize_blake2b_params - (Spec.set_key_length (Spec.set_digest_length p (v nn)) (v kk))) = + (Spec.set_key_length (Spec.set_digest_length (blake2_params_v h0 p) (v nn)) (v kk))) = let open Lib.Sequence in let open Lib.ByteSequence in let s0 = (u64 (v nn)) ^. @@ -718,10 +722,10 @@ let serialize_params_blake2b (u64 (v p.inner_length) <<. (size 8)) in // s3 corresponds to the remaining of the reserved bytes let s3 = u64 0 in - let salt_u64: lseq uint64 2 = uints_from_bytes_le p.salt in + let salt_u64: lseq uint64 2 = uints_from_bytes_le (as_seq h0 (get_salt p)) in let s4 = salt_u64.[0] in let s5 = salt_u64.[1] in - let personal_u64: lseq uint64 2 = uints_from_bytes_le p.personal in + let personal_u64: lseq uint64 2 = uints_from_bytes_le (as_seq h0 (get_personal p)) in let s6 = personal_u64.[0] in let s7 = personal_u64.[1] in [@inline_let] @@ -732,6 +736,12 @@ let serialize_params_blake2b // following lemma calls, and assert_norms to relate List.index to the // actual elements + let s = as_seq h1 b in + assume (Seq.index s 4 == s4); + assume (Seq.index s 5 == s5); + assume (Seq.index s 6 == s6); + assume (Seq.index s 7 == s7); + assert_norm (List.Tot.index l 0 == s0); assert_norm (List.Tot.index l 1 == s1); assert_norm (List.Tot.index l 2 == s2); @@ -780,7 +790,8 @@ let blake2_init #al #ms hash kk nn = let iv7 = get_iv al 7ul in create_row #al #ms r2 iv0 iv1 iv2 iv3; create_row #al #ms r3 iv4 iv5 iv6 iv7; - serialize_params al kk nn (Spec.blake2_default_params al) tmp; + let p = alloc_default_params al in + serialize_params al kk nn p tmp; let tmp0 = tmp.(0ul) in let tmp1 = tmp.(1ul) in let tmp2 = tmp.(2ul) in @@ -801,7 +812,7 @@ let blake2_init #al #ms hash kk nn = create_row #al #ms r1 iv4' iv5' iv6' iv7'; let h1 = ST.get() in assert (disjoint hash tmp); - assert(modifies (loc hash `union` loc tmp) h0 h1); + assert (modifies (loc hash `union` loc tmp) h0 h1); Lib.Sequence.eq_intro (state_v h1 hash) (Spec.blake2_init_hash al (Spec.blake2_default_params al) (v kk) (v nn)); pop_frame () From 529ecb5cfdb133d16477b38ac00b95889295e924 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Fri, 29 Sep 2023 17:47:11 +0200 Subject: [PATCH 09/22] Finish proving Low* serialization of blake2 params --- code/blake2/Hacl.Impl.Blake2.Core.fst | 28 +++++++++++++++++++ code/blake2/Hacl.Impl.Blake2.Core.fsti | 21 ++++++++------ code/blake2/Hacl.Impl.Blake2.Generic.fst | 35 ++++++++++++------------ 3 files changed, 59 insertions(+), 25 deletions(-) diff --git a/code/blake2/Hacl.Impl.Blake2.Core.fst b/code/blake2/Hacl.Impl.Blake2.Core.fst index ee7f745ee7..2fb68ad886 100644 --- a/code/blake2/Hacl.Impl.Blake2.Core.fst +++ b/code/blake2/Hacl.Impl.Blake2.Core.fst @@ -31,6 +31,34 @@ let row_v #a #m h r = let row_v_lemma #a #m h0 h1 r1 r2 = () +let create_default_params a salt personal = + match a with + | Spec.Blake2S -> + Mkblake2s_params + (u8 32) + (u8 0) + (u8 1) + (u8 1) + (u32 0) + (u32 0) + (u16 0) + (u8 0) + (u8 0) + salt + personal + | Spec.Blake2B -> + Mkblake2b_params + (u8 64) + (u8 0) + (u8 1) + (u8 1) + (u32 0) + (u32 0) + (u32 0) + (u8 0) + (u8 0) + salt + personal #push-options "--z3rlimit 50" let g_rowi_disjoint #a #m st idx1 idx2 = diff --git a/code/blake2/Hacl.Impl.Blake2.Core.fsti b/code/blake2/Hacl.Impl.Blake2.Core.fsti index 4a0a72b9a2..50ed6d7b02 100644 --- a/code/blake2/Hacl.Impl.Blake2.Core.fsti +++ b/code/blake2/Hacl.Impl.Blake2.Core.fsti @@ -212,14 +212,19 @@ let blake2_params_v (#a:Spec.alg) (h: mem) (p: blake2_params a) : GTot (Spec.bla | Spec.Blake2B -> blake2b_params_v h p noextract inline_for_extraction -val alloc_default_params: a:Spec.alg -> - StackInline (blake2_params a) - (requires (fun h -> True)) - (ensures (fun h0 p h1 -> - stack_allocated (get_salt p) h0 h1 (Lib.Sequence.create (Spec.salt_length a) (u8 0)) /\ - stack_allocated (get_personal p) h0 h1 (Lib.Sequence.create (Spec.personal_length a) (u8 0)) /\ - blake2_params_inv h1 p /\ - blake2_params_v h1 p == Spec.blake2_default_params a)) +val create_default_params: a:Spec.alg -> + salt: lbuffer uint8 (salt_len a) -> + personal: lbuffer uint8 (personal_len a) -> + Stack (blake2_params a) + (requires fun h -> live h salt /\ live h personal /\ + as_seq h salt == Seq.create (Spec.salt_length a) (u8 0) /\ + as_seq h personal == Seq.create (Spec.personal_length a) (u8 0) + ) + (ensures (fun h0 p h1 -> + h0 == h1 /\ + blake2_params_loc p == loc salt `union` loc personal /\ + blake2_params_inv h1 p /\ + blake2_params_v h1 p == Spec.blake2_default_params a)) noextract inline_for_extraction unfold let state_p (a:Spec.alg) (m:m_spec) = diff --git a/code/blake2/Hacl.Impl.Blake2.Generic.fst b/code/blake2/Hacl.Impl.Blake2.Generic.fst index 9f5ae63653..775664ffdc 100644 --- a/code/blake2/Hacl.Impl.Blake2.Generic.fst +++ b/code/blake2/Hacl.Impl.Blake2.Generic.fst @@ -560,6 +560,7 @@ val serialize_params (al:Spec.alg) : Stack unit (requires fun h -> live h b /\ + blake2_params_inv h p /\ LowStar.Buffer.loc_disjoint (loc b) (blake2_params_loc p) /\ as_seq h b == Seq.create 8 (Spec.nat_to_word al 0) ) @@ -577,6 +578,7 @@ let serialize_params_blake2s (b: lbuffer (word_t Spec.Blake2S) 8ul) : Stack unit (requires fun h -> live h b /\ + blake2_params_inv h p /\ LowStar.Buffer.loc_disjoint (loc b) (blake2_params_loc p) /\ as_seq h b == Seq.create 8 (u32 0) ) @@ -603,13 +605,17 @@ let serialize_params_blake2s let inner_length_shift_16 = shift_left (to_u32 p.inner_length) (size 24) in [@inline_let] let v3 = (to_u32 p.xof_length) ^. node_depth_shift_16 ^. inner_length_shift_16 in + + uints_from_bytes_le (sub b 4ul 2ul) p.salt; + uints_from_bytes_le (sub b 6ul 2ul) p.personal; + + // AF: Putting these writes *after* modifications on a subbuffer of b helps with modifies-reasoning: + // By putting them before, F* struggles with proving that b[0..3] is not modified by uints_from_bytes_le b.(0ul) <- v0; b.(1ul) <- v1; b.(2ul) <- v2; b.(3ul) <- v3; - assume (Lib.ByteSequence.uints_from_bytes_le #U32 #SEC #2 (Seq.create 8 (u8 0)) == Seq.create 2 (u32 0)); - let h1 = ST.get () in let aux () : Lemma (as_seq h1 b `Seq.equal` Spec.serialize_blake2s_params (Spec.set_key_length (Spec.set_digest_length (blake2_params_v h0 p) (v nn)) (v kk))) = @@ -638,12 +644,6 @@ let serialize_params_blake2s // following lemma calls, and assert_norms to relate List.index to the // actual elements - let s = as_seq h1 b in - assume (Seq.index s 4 == s4); - assume (Seq.index s 5 == s5); - assume (Seq.index s 6 == s6); - assume (Seq.index s 7 == s7); - assert_norm (List.Tot.index l 0 == s0); assert_norm (List.Tot.index l 1 == s1); assert_norm (List.Tot.index l 2 == s2); @@ -671,6 +671,7 @@ let serialize_params_blake2b (b: lbuffer (word_t Spec.Blake2B) 8ul) : Stack unit (requires fun h -> live h b /\ + blake2_params_inv #Spec.Blake2B h p /\ LowStar.Buffer.loc_disjoint (loc b) (blake2_params_loc p) /\ as_seq h b == Seq.create 8 (u64 0) ) @@ -697,11 +698,14 @@ let serialize_params_blake2b let inner_length_shift_8 = shift_left (to_u64 p.inner_length) (size 8) in [@inline_let] let v2 = (to_u64 p.node_depth) ^. inner_length_shift_8 in + + uints_from_bytes_le (sub b 4ul 2ul) p.salt; + uints_from_bytes_le (sub b 6ul 2ul) p.personal; + b.(0ul) <- v0; b.(1ul) <- v1; b.(2ul) <- v2; - - assume (Lib.ByteSequence.uints_from_bytes_le #U64 #SEC #2 (Seq.create 16 (u8 0)) == Seq.create 2 (u64 0)); + b.(3ul) <- (u64 0); let h1 = ST.get () in let aux () : Lemma (as_seq h1 b `Seq.equal` Spec.serialize_blake2b_params @@ -736,12 +740,6 @@ let serialize_params_blake2b // following lemma calls, and assert_norms to relate List.index to the // actual elements - let s = as_seq h1 b in - assume (Seq.index s 4 == s4); - assume (Seq.index s 5 == s5); - assume (Seq.index s 6 == s6); - assume (Seq.index s 7 == s7); - assert_norm (List.Tot.index l 0 == s0); assert_norm (List.Tot.index l 1 == s1); assert_norm (List.Tot.index l 2 == s2); @@ -760,6 +758,7 @@ let serialize_params_blake2b of_list_index l 7 in aux() +#pop-options let serialize_params al kk nn p b = match al with @@ -790,7 +789,9 @@ let blake2_init #al #ms hash kk nn = let iv7 = get_iv al 7ul in create_row #al #ms r2 iv0 iv1 iv2 iv3; create_row #al #ms r3 iv4 iv5 iv6 iv7; - let p = alloc_default_params al in + let salt = create (salt_len al) (u8 0) in + let personal = create (personal_len al) (u8 0) in + let p = create_default_params al salt personal in serialize_params al kk nn p tmp; let tmp0 = tmp.(0ul) in let tmp1 = tmp.(1ul) in From 0ec0846cae8d1dee7d5947bc878346289a6c5008 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Fri, 29 Sep 2023 17:59:19 +0200 Subject: [PATCH 10/22] Add dist --- dist/gcc-compatible/Hacl_Hash_Blake2.c | 149 +++++++++++++++--- dist/gcc-compatible/Hacl_Hash_Blake2b_256.c | 65 +++++++- dist/gcc-compatible/Hacl_Hash_Blake2s_128.c | 64 +++++++- dist/gcc-compatible/ctypes.depend | 18 +-- .../internal/Hacl_Hash_Blake2.h | 32 ++++ .../lib/Hacl_Hash_Blake2_bindings.ml | 56 +++++++ dist/gcc-compatible/libevercrypt.def | 6 +- dist/msvc-compatible/Hacl_Hash_Blake2.c | 149 +++++++++++++++--- dist/msvc-compatible/Hacl_Hash_Blake2b_256.c | 65 +++++++- dist/msvc-compatible/Hacl_Hash_Blake2s_128.c | 64 +++++++- .../internal/Hacl_Hash_Blake2.h | 32 ++++ dist/msvc-compatible/libevercrypt.def | 6 +- .../Hacl_Hash_Blake2.c | 149 +++++++++++++++--- .../Hacl_Hash_Blake2b_256.c | 65 +++++++- .../Hacl_Hash_Blake2s_128.c | 64 +++++++- .../internal/Hacl_Hash_Blake2.h | 40 +++++ dist/portable-gcc-compatible/libevercrypt.def | 6 +- dist/wasm/EverCrypt_Hash.wasm | Bin 49374 -> 48520 bytes dist/wasm/Hacl_HMAC.wasm | Bin 29842 -> 28240 bytes dist/wasm/Hacl_Hash_Blake2.wasm | Bin 20644 -> 21888 bytes dist/wasm/Hacl_Hash_Blake2b_256.wasm | Bin 4552 -> 4671 bytes dist/wasm/Hacl_Hash_Blake2s_128.wasm | Bin 3629 -> 3748 bytes dist/wasm/Hacl_Streaming_Blake2.wasm | Bin 12128 -> 10780 bytes dist/wasm/Hacl_Streaming_Blake2b_256.wasm | Bin 4495 -> 4583 bytes dist/wasm/Hacl_Streaming_Blake2s_128.wasm | Bin 4260 -> 4347 bytes dist/wasm/layouts.json | 2 +- 26 files changed, 935 insertions(+), 97 deletions(-) diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2.c b/dist/gcc-compatible/Hacl_Hash_Blake2.c index 194e7157b5..127e16b5af 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2.c @@ -480,6 +480,7 @@ blake2b_update_block( void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + (uint32_t)4U; uint64_t *r2 = hash + (uint32_t)8U; @@ -500,16 +501,72 @@ void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << (uint32_t)8U; - uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = (uint8_t)64U, .key_length1 = (uint8_t)0U, .fanout1 = (uint8_t)1U, + .depth1 = (uint8_t)1U, .leaf_length1 = (uint32_t)0U, .node_offset1 = (uint32_t)0U, + .xof_length1 = (uint32_t)0U, .node_depth1 = (uint8_t)0U, .inner_length1 = (uint8_t)0U, + .salt1 = salt, .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << (uint32_t)8U + ^ + ((uint64_t)p.fanout1 + << (uint32_t)16U + ^ ((uint64_t)p.depth1 << (uint32_t)24U ^ (uint64_t)p.leaf_length1 << (uint32_t)32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << (uint32_t)32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << (uint32_t)8U; + tmp[3U] = (uint64_t)0U; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } void @@ -1127,6 +1184,7 @@ blake2s_update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, u void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + (uint32_t)4U; uint32_t *r2 = hash + (uint32_t)8U; @@ -1147,16 +1205,71 @@ void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << (uint32_t)8U; - uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = (uint8_t)32U, .key_length = (uint8_t)0U, .fanout = (uint8_t)1U, + .depth = (uint8_t)1U, .leaf_length = (uint32_t)0U, .node_offset = (uint32_t)0U, + .xof_length = (uint16_t)0U, .node_depth = (uint8_t)0U, .inner_length = (uint8_t)0U, + .salt = salt, .personal = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = + nn + ^ + (kk + << (uint32_t)8U + ^ ((uint32_t)p.fanout << (uint32_t)16U ^ (uint32_t)p.depth << (uint32_t)24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << (uint32_t)16U ^ (uint32_t)p.inner_length << (uint32_t)24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } void diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c b/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c index d0df7cd872..baf8e38f6e 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c @@ -215,6 +215,7 @@ blake2b_update_block( void Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec256 *r0 = hash; Lib_IntVector_Intrinsics_vec256 *r1 = hash + (uint32_t)1U; Lib_IntVector_Intrinsics_vec256 *r2 = hash + (uint32_t)2U; @@ -229,10 +230,66 @@ Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); - uint64_t kk_shift_8 = (uint64_t)kk << (uint32_t)8U; - uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = (uint8_t)64U, .key_length1 = (uint8_t)0U, .fanout1 = (uint8_t)1U, + .depth1 = (uint8_t)1U, .leaf_length1 = (uint32_t)0U, .node_offset1 = (uint32_t)0U, + .xof_length1 = (uint32_t)0U, .node_depth1 = (uint8_t)0U, .inner_length1 = (uint8_t)0U, + .salt1 = salt, .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << (uint32_t)8U + ^ + ((uint64_t)p.fanout1 + << (uint32_t)16U + ^ ((uint64_t)p.depth1 << (uint32_t)24U ^ (uint64_t)p.leaf_length1 << (uint32_t)32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << (uint32_t)32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << (uint32_t)8U; + tmp[3U] = (uint64_t)0U; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); } void diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c b/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c index 5bf06711ee..2870be7c9e 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c @@ -215,6 +215,7 @@ blake2s_update_block( void Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec128 *r0 = hash; Lib_IntVector_Intrinsics_vec128 *r1 = hash + (uint32_t)1U; Lib_IntVector_Intrinsics_vec128 *r2 = hash + (uint32_t)2U; @@ -229,10 +230,65 @@ Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); - uint32_t kk_shift_8 = kk << (uint32_t)8U; - uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = (uint8_t)32U, .key_length = (uint8_t)0U, .fanout = (uint8_t)1U, + .depth = (uint8_t)1U, .leaf_length = (uint32_t)0U, .node_offset = (uint32_t)0U, + .xof_length = (uint16_t)0U, .node_depth = (uint8_t)0U, .inner_length = (uint8_t)0U, + .salt = salt, .personal = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = + nn + ^ + (kk + << (uint32_t)8U + ^ ((uint32_t)p.fanout << (uint32_t)16U ^ (uint32_t)p.depth << (uint32_t)24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << (uint32_t)16U ^ (uint32_t)p.inner_length << (uint32_t)24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); } void diff --git a/dist/gcc-compatible/ctypes.depend b/dist/gcc-compatible/ctypes.depend index 86af86df75..fc088212c7 100644 --- a/dist/gcc-compatible/ctypes.depend +++ b/dist/gcc-compatible/ctypes.depend @@ -1,4 +1,4 @@ -CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2_stubs.cmx lib/Hacl_Hash_Blake2_bindings.cmx lib/Hacl_Hash_Blake2b_256_stubs.cmx lib/Hacl_Hash_Blake2b_256_bindings.cmx lib/Hacl_Hash_Blake2s_128_stubs.cmx lib/Hacl_Hash_Blake2s_128_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_Poly1305_32_stubs.cmx lib/Hacl_Poly1305_32_bindings.cmx lib/Hacl_Poly1305_128_stubs.cmx lib/Hacl_Poly1305_128_bindings.cmx lib/Hacl_Poly1305_256_stubs.cmx lib/Hacl_Poly1305_256_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_Chacha20Poly1305_128_stubs.cmx lib/Hacl_Chacha20Poly1305_128_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_Chacha20Poly1305_256_stubs.cmx lib/Hacl_Chacha20Poly1305_256_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_Chacha20Poly1305_32_stubs.cmx lib/Hacl_Chacha20Poly1305_32_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/Hacl_Streaming_Poly1305_32_stubs.cmx lib/Hacl_Streaming_Poly1305_32_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_Streaming_Blake2_stubs.cmx lib/Hacl_Streaming_Blake2_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx +CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2_stubs.cmx lib/Hacl_Hash_Blake2_bindings.cmx lib/Hacl_Hash_Blake2b_256_stubs.cmx lib/Hacl_Hash_Blake2b_256_bindings.cmx lib/Hacl_Hash_Blake2s_128_stubs.cmx lib/Hacl_Hash_Blake2s_128_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_Poly1305_32_stubs.cmx lib/Hacl_Poly1305_32_bindings.cmx lib/Hacl_Poly1305_128_stubs.cmx lib/Hacl_Poly1305_128_bindings.cmx lib/Hacl_Poly1305_256_stubs.cmx lib/Hacl_Poly1305_256_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_Chacha20Poly1305_128_stubs.cmx lib/Hacl_Chacha20Poly1305_128_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_Chacha20Poly1305_256_stubs.cmx lib/Hacl_Chacha20Poly1305_256_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_Chacha20Poly1305_32_stubs.cmx lib/Hacl_Chacha20Poly1305_32_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_Streaming_Poly1305_32_stubs.cmx lib/Hacl_Streaming_Poly1305_32_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_Streaming_Blake2_stubs.cmx lib/Hacl_Streaming_Blake2_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Streaming_Types_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmo: lib_gen/Hacl_Streaming_Types_gen.cmx: lib/Hacl_Streaming_Types_bindings.cmx @@ -183,14 +183,14 @@ lib/Hacl_Bignum4096_bindings.cmx: lib/Hacl_Bignum_bindings.cmx lib/Hacl_Bignum_s lib/Hacl_Bignum4096_bindings.cmo: lib/Hacl_Bignum_bindings.cmo lib/Hacl_Bignum_stubs.cmo lib_gen/Hacl_Bignum4096_gen.cmx: lib/Hacl_Bignum4096_bindings.cmx lib_gen/Hacl_Bignum4096_gen.exe: lib/Hacl_Bignum_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_c_stubs.o lib/Hacl_Bignum4096_bindings.cmx lib_gen/Hacl_Bignum4096_gen.cmx -lib/Hacl_Chacha20_Vec32_bindings.cmx: -lib/Hacl_Chacha20_Vec32_bindings.cmo: -lib_gen/Hacl_Chacha20_Vec32_gen.cmx: lib/Hacl_Chacha20_Vec32_bindings.cmx -lib_gen/Hacl_Chacha20_Vec32_gen.exe: lib/Hacl_Chacha20_Vec32_bindings.cmx lib_gen/Hacl_Chacha20_Vec32_gen.cmx lib/EverCrypt_Ed25519_bindings.cmx: lib/EverCrypt_Ed25519_bindings.cmo: lib_gen/EverCrypt_Ed25519_gen.cmx: lib/EverCrypt_Ed25519_bindings.cmx lib_gen/EverCrypt_Ed25519_gen.exe: lib/EverCrypt_Ed25519_bindings.cmx lib_gen/EverCrypt_Ed25519_gen.cmx +lib/Hacl_Chacha20_Vec32_bindings.cmx: +lib/Hacl_Chacha20_Vec32_bindings.cmo: +lib_gen/Hacl_Chacha20_Vec32_gen.cmx: lib/Hacl_Chacha20_Vec32_bindings.cmx +lib_gen/Hacl_Chacha20_Vec32_gen.exe: lib/Hacl_Chacha20_Vec32_bindings.cmx lib_gen/Hacl_Chacha20_Vec32_gen.cmx lib/Hacl_Bignum4096_32_bindings.cmx: lib/Hacl_Bignum_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmo: lib/Hacl_Bignum_bindings.cmo lib/Hacl_Bignum_stubs.cmo lib_gen/Hacl_Bignum4096_32_gen.cmx: lib/Hacl_Bignum4096_32_bindings.cmx @@ -283,14 +283,14 @@ lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Imp lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmo: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmo lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.cmx: lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.exe: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_c_stubs.o lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.cmx -lib/EverCrypt_Poly1305_bindings.cmx: -lib/EverCrypt_Poly1305_bindings.cmo: -lib_gen/EverCrypt_Poly1305_gen.cmx: lib/EverCrypt_Poly1305_bindings.cmx -lib_gen/EverCrypt_Poly1305_gen.exe: lib/EverCrypt_Poly1305_bindings.cmx lib_gen/EverCrypt_Poly1305_gen.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmo: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmo lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx: lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.exe: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_c_stubs.o lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx +lib/EverCrypt_Poly1305_bindings.cmx: +lib/EverCrypt_Poly1305_bindings.cmo: +lib_gen/EverCrypt_Poly1305_gen.cmx: lib/EverCrypt_Poly1305_bindings.cmx +lib_gen/EverCrypt_Poly1305_gen.exe: lib/EverCrypt_Poly1305_bindings.cmx lib_gen/EverCrypt_Poly1305_gen.cmx lib/Hacl_Streaming_Poly1305_32_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Poly1305_32_bindings.cmo: lib/Hacl_Streaming_Types_bindings.cmo lib/Hacl_Streaming_Types_stubs.cmo lib_gen/Hacl_Streaming_Poly1305_32_gen.cmx: lib/Hacl_Streaming_Poly1305_32_bindings.cmx diff --git a/dist/gcc-compatible/internal/Hacl_Hash_Blake2.h b/dist/gcc-compatible/internal/Hacl_Hash_Blake2.h index 8f308bd92d..e5d2f501d7 100644 --- a/dist/gcc-compatible/internal/Hacl_Hash_Blake2.h +++ b/dist/gcc-compatible/internal/Hacl_Hash_Blake2.h @@ -38,6 +38,38 @@ extern "C" { #include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2.h" +typedef struct Hacl_Impl_Blake2_Core_blake2s_params_s +{ + uint8_t digest_length; + uint8_t key_length; + uint8_t fanout; + uint8_t depth; + uint32_t leaf_length; + uint32_t node_offset; + uint16_t xof_length; + uint8_t node_depth; + uint8_t inner_length; + uint8_t *salt; + uint8_t *personal; +} +Hacl_Impl_Blake2_Core_blake2s_params; + +typedef struct Hacl_Impl_Blake2_Core_blake2b_params_s +{ + uint8_t digest_length1; + uint8_t key_length1; + uint8_t fanout1; + uint8_t depth1; + uint32_t leaf_length1; + uint32_t node_offset1; + uint32_t xof_length1; + uint8_t node_depth1; + uint8_t inner_length1; + uint8_t *salt1; + uint8_t *personal1; +} +Hacl_Impl_Blake2_Core_blake2b_params; + typedef struct K___uint32_t_uint32_t_s { uint32_t fst; diff --git a/dist/gcc-compatible/lib/Hacl_Hash_Blake2_bindings.ml b/dist/gcc-compatible/lib/Hacl_Hash_Blake2_bindings.ml index 48b3e443f8..5428592335 100644 --- a/dist/gcc-compatible/lib/Hacl_Hash_Blake2_bindings.ml +++ b/dist/gcc-compatible/lib/Hacl_Hash_Blake2_bindings.ml @@ -2,6 +2,62 @@ open Ctypes module Bindings(F:Cstubs.FOREIGN) = struct open F + type hacl_Impl_Blake2_Core_blake2s_params = + [ `hacl_Impl_Blake2_Core_blake2s_params ] structure + let (hacl_Impl_Blake2_Core_blake2s_params : + [ `hacl_Impl_Blake2_Core_blake2s_params ] structure typ) = + structure "Hacl_Impl_Blake2_Core_blake2s_params_s" + let hacl_Impl_Blake2_Core_blake2s_params_digest_length = + field hacl_Impl_Blake2_Core_blake2s_params "digest_length" uint8_t + let hacl_Impl_Blake2_Core_blake2s_params_key_length = + field hacl_Impl_Blake2_Core_blake2s_params "key_length" uint8_t + let hacl_Impl_Blake2_Core_blake2s_params_fanout = + field hacl_Impl_Blake2_Core_blake2s_params "fanout" uint8_t + let hacl_Impl_Blake2_Core_blake2s_params_depth = + field hacl_Impl_Blake2_Core_blake2s_params "depth" uint8_t + let hacl_Impl_Blake2_Core_blake2s_params_leaf_length = + field hacl_Impl_Blake2_Core_blake2s_params "leaf_length" uint32_t + let hacl_Impl_Blake2_Core_blake2s_params_node_offset = + field hacl_Impl_Blake2_Core_blake2s_params "node_offset" uint32_t + let hacl_Impl_Blake2_Core_blake2s_params_xof_length = + field hacl_Impl_Blake2_Core_blake2s_params "xof_length" uint16_t + let hacl_Impl_Blake2_Core_blake2s_params_node_depth = + field hacl_Impl_Blake2_Core_blake2s_params "node_depth" uint8_t + let hacl_Impl_Blake2_Core_blake2s_params_inner_length = + field hacl_Impl_Blake2_Core_blake2s_params "inner_length" uint8_t + let hacl_Impl_Blake2_Core_blake2s_params_salt = + field hacl_Impl_Blake2_Core_blake2s_params "salt" (ptr uint8_t) + let hacl_Impl_Blake2_Core_blake2s_params_personal = + field hacl_Impl_Blake2_Core_blake2s_params "personal" (ptr uint8_t) + let _ = seal hacl_Impl_Blake2_Core_blake2s_params + type hacl_Impl_Blake2_Core_blake2b_params = + [ `hacl_Impl_Blake2_Core_blake2b_params ] structure + let (hacl_Impl_Blake2_Core_blake2b_params : + [ `hacl_Impl_Blake2_Core_blake2b_params ] structure typ) = + structure "Hacl_Impl_Blake2_Core_blake2b_params_s" + let hacl_Impl_Blake2_Core_blake2b_params_digest_length1 = + field hacl_Impl_Blake2_Core_blake2b_params "digest_length1" uint8_t + let hacl_Impl_Blake2_Core_blake2b_params_key_length1 = + field hacl_Impl_Blake2_Core_blake2b_params "key_length1" uint8_t + let hacl_Impl_Blake2_Core_blake2b_params_fanout1 = + field hacl_Impl_Blake2_Core_blake2b_params "fanout1" uint8_t + let hacl_Impl_Blake2_Core_blake2b_params_depth1 = + field hacl_Impl_Blake2_Core_blake2b_params "depth1" uint8_t + let hacl_Impl_Blake2_Core_blake2b_params_leaf_length1 = + field hacl_Impl_Blake2_Core_blake2b_params "leaf_length1" uint32_t + let hacl_Impl_Blake2_Core_blake2b_params_node_offset1 = + field hacl_Impl_Blake2_Core_blake2b_params "node_offset1" uint32_t + let hacl_Impl_Blake2_Core_blake2b_params_xof_length1 = + field hacl_Impl_Blake2_Core_blake2b_params "xof_length1" uint32_t + let hacl_Impl_Blake2_Core_blake2b_params_node_depth1 = + field hacl_Impl_Blake2_Core_blake2b_params "node_depth1" uint8_t + let hacl_Impl_Blake2_Core_blake2b_params_inner_length1 = + field hacl_Impl_Blake2_Core_blake2b_params "inner_length1" uint8_t + let hacl_Impl_Blake2_Core_blake2b_params_salt1 = + field hacl_Impl_Blake2_Core_blake2b_params "salt1" (ptr uint8_t) + let hacl_Impl_Blake2_Core_blake2b_params_personal1 = + field hacl_Impl_Blake2_Core_blake2b_params "personal1" (ptr uint8_t) + let _ = seal hacl_Impl_Blake2_Core_blake2b_params let hacl_Blake2b_32_blake2b_init = foreign "Hacl_Blake2b_32_blake2b_init" ((ptr uint64_t) @-> (uint32_t @-> (uint32_t @-> (returning void)))) diff --git a/dist/gcc-compatible/libevercrypt.def b/dist/gcc-compatible/libevercrypt.def index 19f3e25ac2..b418214c97 100644 --- a/dist/gcc-compatible/libevercrypt.def +++ b/dist/gcc-compatible/libevercrypt.def @@ -487,13 +487,13 @@ EXPORTS Hacl_Bignum4096_bn_to_bytes_le Hacl_Bignum4096_lt_mask Hacl_Bignum4096_eq_mask - Hacl_Chacha20_Vec32_chacha20_encrypt_32 - Hacl_Chacha20_Vec32_chacha20_decrypt_32 EverCrypt_Ed25519_secret_to_public EverCrypt_Ed25519_expand_keys EverCrypt_Ed25519_sign_expanded EverCrypt_Ed25519_sign EverCrypt_Ed25519_verify + Hacl_Chacha20_Vec32_chacha20_encrypt_32 + Hacl_Chacha20_Vec32_chacha20_decrypt_32 Hacl_Bignum4096_32_add Hacl_Bignum4096_32_sub Hacl_Bignum4096_32_add_mod @@ -658,11 +658,11 @@ EXPORTS Hacl_HPKE_Curve51_CP32_SHA256_setupBaseR Hacl_HPKE_Curve51_CP32_SHA256_sealBase Hacl_HPKE_Curve51_CP32_SHA256_openBase - EverCrypt_Poly1305_poly1305 Hacl_HPKE_Curve64_CP256_SHA256_setupBaseS Hacl_HPKE_Curve64_CP256_SHA256_setupBaseR Hacl_HPKE_Curve64_CP256_SHA256_sealBase Hacl_HPKE_Curve64_CP256_SHA256_openBase + EverCrypt_Poly1305_poly1305 Hacl_Streaming_Poly1305_32_create_in Hacl_Streaming_Poly1305_32_init Hacl_Streaming_Poly1305_32_update diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2.c b/dist/msvc-compatible/Hacl_Hash_Blake2.c index 194e7157b5..127e16b5af 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2.c @@ -480,6 +480,7 @@ blake2b_update_block( void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + (uint32_t)4U; uint64_t *r2 = hash + (uint32_t)8U; @@ -500,16 +501,72 @@ void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << (uint32_t)8U; - uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = (uint8_t)64U, .key_length1 = (uint8_t)0U, .fanout1 = (uint8_t)1U, + .depth1 = (uint8_t)1U, .leaf_length1 = (uint32_t)0U, .node_offset1 = (uint32_t)0U, + .xof_length1 = (uint32_t)0U, .node_depth1 = (uint8_t)0U, .inner_length1 = (uint8_t)0U, + .salt1 = salt, .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << (uint32_t)8U + ^ + ((uint64_t)p.fanout1 + << (uint32_t)16U + ^ ((uint64_t)p.depth1 << (uint32_t)24U ^ (uint64_t)p.leaf_length1 << (uint32_t)32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << (uint32_t)32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << (uint32_t)8U; + tmp[3U] = (uint64_t)0U; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } void @@ -1127,6 +1184,7 @@ blake2s_update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, u void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + (uint32_t)4U; uint32_t *r2 = hash + (uint32_t)8U; @@ -1147,16 +1205,71 @@ void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << (uint32_t)8U; - uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = (uint8_t)32U, .key_length = (uint8_t)0U, .fanout = (uint8_t)1U, + .depth = (uint8_t)1U, .leaf_length = (uint32_t)0U, .node_offset = (uint32_t)0U, + .xof_length = (uint16_t)0U, .node_depth = (uint8_t)0U, .inner_length = (uint8_t)0U, + .salt = salt, .personal = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = + nn + ^ + (kk + << (uint32_t)8U + ^ ((uint32_t)p.fanout << (uint32_t)16U ^ (uint32_t)p.depth << (uint32_t)24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << (uint32_t)16U ^ (uint32_t)p.inner_length << (uint32_t)24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } void diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c b/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c index d0df7cd872..baf8e38f6e 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c @@ -215,6 +215,7 @@ blake2b_update_block( void Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec256 *r0 = hash; Lib_IntVector_Intrinsics_vec256 *r1 = hash + (uint32_t)1U; Lib_IntVector_Intrinsics_vec256 *r2 = hash + (uint32_t)2U; @@ -229,10 +230,66 @@ Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); - uint64_t kk_shift_8 = (uint64_t)kk << (uint32_t)8U; - uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = (uint8_t)64U, .key_length1 = (uint8_t)0U, .fanout1 = (uint8_t)1U, + .depth1 = (uint8_t)1U, .leaf_length1 = (uint32_t)0U, .node_offset1 = (uint32_t)0U, + .xof_length1 = (uint32_t)0U, .node_depth1 = (uint8_t)0U, .inner_length1 = (uint8_t)0U, + .salt1 = salt, .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << (uint32_t)8U + ^ + ((uint64_t)p.fanout1 + << (uint32_t)16U + ^ ((uint64_t)p.depth1 << (uint32_t)24U ^ (uint64_t)p.leaf_length1 << (uint32_t)32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << (uint32_t)32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << (uint32_t)8U; + tmp[3U] = (uint64_t)0U; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); } void diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c b/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c index 5bf06711ee..2870be7c9e 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c @@ -215,6 +215,7 @@ blake2s_update_block( void Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec128 *r0 = hash; Lib_IntVector_Intrinsics_vec128 *r1 = hash + (uint32_t)1U; Lib_IntVector_Intrinsics_vec128 *r2 = hash + (uint32_t)2U; @@ -229,10 +230,65 @@ Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); - uint32_t kk_shift_8 = kk << (uint32_t)8U; - uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = (uint8_t)32U, .key_length = (uint8_t)0U, .fanout = (uint8_t)1U, + .depth = (uint8_t)1U, .leaf_length = (uint32_t)0U, .node_offset = (uint32_t)0U, + .xof_length = (uint16_t)0U, .node_depth = (uint8_t)0U, .inner_length = (uint8_t)0U, + .salt = salt, .personal = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = + nn + ^ + (kk + << (uint32_t)8U + ^ ((uint32_t)p.fanout << (uint32_t)16U ^ (uint32_t)p.depth << (uint32_t)24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << (uint32_t)16U ^ (uint32_t)p.inner_length << (uint32_t)24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); } void diff --git a/dist/msvc-compatible/internal/Hacl_Hash_Blake2.h b/dist/msvc-compatible/internal/Hacl_Hash_Blake2.h index 8f308bd92d..e5d2f501d7 100644 --- a/dist/msvc-compatible/internal/Hacl_Hash_Blake2.h +++ b/dist/msvc-compatible/internal/Hacl_Hash_Blake2.h @@ -38,6 +38,38 @@ extern "C" { #include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2.h" +typedef struct Hacl_Impl_Blake2_Core_blake2s_params_s +{ + uint8_t digest_length; + uint8_t key_length; + uint8_t fanout; + uint8_t depth; + uint32_t leaf_length; + uint32_t node_offset; + uint16_t xof_length; + uint8_t node_depth; + uint8_t inner_length; + uint8_t *salt; + uint8_t *personal; +} +Hacl_Impl_Blake2_Core_blake2s_params; + +typedef struct Hacl_Impl_Blake2_Core_blake2b_params_s +{ + uint8_t digest_length1; + uint8_t key_length1; + uint8_t fanout1; + uint8_t depth1; + uint32_t leaf_length1; + uint32_t node_offset1; + uint32_t xof_length1; + uint8_t node_depth1; + uint8_t inner_length1; + uint8_t *salt1; + uint8_t *personal1; +} +Hacl_Impl_Blake2_Core_blake2b_params; + typedef struct K___uint32_t_uint32_t_s { uint32_t fst; diff --git a/dist/msvc-compatible/libevercrypt.def b/dist/msvc-compatible/libevercrypt.def index 19f3e25ac2..b418214c97 100644 --- a/dist/msvc-compatible/libevercrypt.def +++ b/dist/msvc-compatible/libevercrypt.def @@ -487,13 +487,13 @@ EXPORTS Hacl_Bignum4096_bn_to_bytes_le Hacl_Bignum4096_lt_mask Hacl_Bignum4096_eq_mask - Hacl_Chacha20_Vec32_chacha20_encrypt_32 - Hacl_Chacha20_Vec32_chacha20_decrypt_32 EverCrypt_Ed25519_secret_to_public EverCrypt_Ed25519_expand_keys EverCrypt_Ed25519_sign_expanded EverCrypt_Ed25519_sign EverCrypt_Ed25519_verify + Hacl_Chacha20_Vec32_chacha20_encrypt_32 + Hacl_Chacha20_Vec32_chacha20_decrypt_32 Hacl_Bignum4096_32_add Hacl_Bignum4096_32_sub Hacl_Bignum4096_32_add_mod @@ -658,11 +658,11 @@ EXPORTS Hacl_HPKE_Curve51_CP32_SHA256_setupBaseR Hacl_HPKE_Curve51_CP32_SHA256_sealBase Hacl_HPKE_Curve51_CP32_SHA256_openBase - EverCrypt_Poly1305_poly1305 Hacl_HPKE_Curve64_CP256_SHA256_setupBaseS Hacl_HPKE_Curve64_CP256_SHA256_setupBaseR Hacl_HPKE_Curve64_CP256_SHA256_sealBase Hacl_HPKE_Curve64_CP256_SHA256_openBase + EverCrypt_Poly1305_poly1305 Hacl_Streaming_Poly1305_32_create_in Hacl_Streaming_Poly1305_32_init Hacl_Streaming_Poly1305_32_update diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c index afd7e8cb6c..45fe3d718f 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c @@ -486,6 +486,7 @@ blake2b_update_block( void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + (uint32_t)4U; uint64_t *r2 = hash + (uint32_t)8U; @@ -506,16 +507,72 @@ void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << (uint32_t)8U; - uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = (uint8_t)64U, .key_length1 = (uint8_t)0U, .fanout1 = (uint8_t)1U, + .depth1 = (uint8_t)1U, .leaf_length1 = (uint32_t)0U, .node_offset1 = (uint32_t)0U, + .xof_length1 = (uint32_t)0U, .node_depth1 = (uint8_t)0U, .inner_length1 = (uint8_t)0U, + .salt1 = salt, .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << (uint32_t)8U + ^ + ((uint64_t)p.fanout1 + << (uint32_t)16U + ^ ((uint64_t)p.depth1 << (uint32_t)24U ^ (uint64_t)p.leaf_length1 << (uint32_t)32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << (uint32_t)32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << (uint32_t)8U; + tmp[3U] = (uint64_t)0U; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } /* SNIPPET_END: Hacl_Blake2b_32_blake2b_init */ @@ -1173,6 +1230,7 @@ blake2s_update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, u void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + (uint32_t)4U; uint32_t *r2 = hash + (uint32_t)8U; @@ -1193,16 +1251,71 @@ void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << (uint32_t)8U; - uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = (uint8_t)32U, .key_length = (uint8_t)0U, .fanout = (uint8_t)1U, + .depth = (uint8_t)1U, .leaf_length = (uint32_t)0U, .node_offset = (uint32_t)0U, + .xof_length = (uint16_t)0U, .node_depth = (uint8_t)0U, .inner_length = (uint8_t)0U, + .salt = salt, .personal = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = + nn + ^ + (kk + << (uint32_t)8U + ^ ((uint32_t)p.fanout << (uint32_t)16U ^ (uint32_t)p.depth << (uint32_t)24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << (uint32_t)16U ^ (uint32_t)p.inner_length << (uint32_t)24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } /* SNIPPET_END: Hacl_Blake2s_32_blake2s_init */ diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c index 76e234b52f..b783f2edd3 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c @@ -221,6 +221,7 @@ blake2b_update_block( void Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec256 *r0 = hash; Lib_IntVector_Intrinsics_vec256 *r1 = hash + (uint32_t)1U; Lib_IntVector_Intrinsics_vec256 *r2 = hash + (uint32_t)2U; @@ -235,10 +236,66 @@ Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); - uint64_t kk_shift_8 = (uint64_t)kk << (uint32_t)8U; - uint64_t iv0_ = iv0 ^ ((uint64_t)0x01010000U ^ (kk_shift_8 ^ (uint64_t)nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = (uint8_t)64U, .key_length1 = (uint8_t)0U, .fanout1 = (uint8_t)1U, + .depth1 = (uint8_t)1U, .leaf_length1 = (uint32_t)0U, .node_offset1 = (uint32_t)0U, + .xof_length1 = (uint32_t)0U, .node_depth1 = (uint8_t)0U, .inner_length1 = (uint8_t)0U, + .salt1 = salt, .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint64_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal1 + i * (uint32_t)8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << (uint32_t)8U + ^ + ((uint64_t)p.fanout1 + << (uint32_t)16U + ^ ((uint64_t)p.depth1 << (uint32_t)24U ^ (uint64_t)p.leaf_length1 << (uint32_t)32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << (uint32_t)32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << (uint32_t)8U; + tmp[3U] = (uint64_t)0U; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); } /* SNIPPET_END: Hacl_Blake2b_256_blake2b_init */ diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c index 83d3e3f918..adf231859a 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c @@ -221,6 +221,7 @@ blake2s_update_block( void Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec128 *r0 = hash; Lib_IntVector_Intrinsics_vec128 *r1 = hash + (uint32_t)1U; Lib_IntVector_Intrinsics_vec128 *r2 = hash + (uint32_t)2U; @@ -235,10 +236,65 @@ Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); - uint32_t kk_shift_8 = kk << (uint32_t)8U; - uint32_t iv0_ = iv0 ^ ((uint32_t)0x01010000U ^ (kk_shift_8 ^ nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = (uint8_t)32U, .key_length = (uint8_t)0U, .fanout = (uint8_t)1U, + .depth = (uint8_t)1U, .leaf_length = (uint32_t)0U, .node_offset = (uint32_t)0U, + .xof_length = (uint16_t)0U, .node_depth = (uint8_t)0U, .inner_length = (uint8_t)0U, + .salt = salt, .personal = personal + }; + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)4U; + uint8_t *bj = p.salt + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + (uint32_t)0U, + (uint32_t)2U, + (uint32_t)1U, + uint32_t *os = tmp + (uint32_t)6U; + uint8_t *bj = p.personal + i * (uint32_t)4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = + nn + ^ + (kk + << (uint32_t)8U + ^ ((uint32_t)p.fanout << (uint32_t)16U ^ (uint32_t)p.depth << (uint32_t)24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << (uint32_t)16U ^ (uint32_t)p.inner_length << (uint32_t)24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); } /* SNIPPET_END: Hacl_Blake2s_128_blake2s_init */ diff --git a/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2.h b/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2.h index 292b760678..39f2f322cb 100644 --- a/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2.h +++ b/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2.h @@ -38,6 +38,46 @@ extern "C" { #include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2.h" +/* SNIPPET_START: Hacl_Impl_Blake2_Core_blake2s_params */ + +typedef struct Hacl_Impl_Blake2_Core_blake2s_params_s +{ + uint8_t digest_length; + uint8_t key_length; + uint8_t fanout; + uint8_t depth; + uint32_t leaf_length; + uint32_t node_offset; + uint16_t xof_length; + uint8_t node_depth; + uint8_t inner_length; + uint8_t *salt; + uint8_t *personal; +} +Hacl_Impl_Blake2_Core_blake2s_params; + +/* SNIPPET_END: Hacl_Impl_Blake2_Core_blake2s_params */ + +/* SNIPPET_START: Hacl_Impl_Blake2_Core_blake2b_params */ + +typedef struct Hacl_Impl_Blake2_Core_blake2b_params_s +{ + uint8_t digest_length1; + uint8_t key_length1; + uint8_t fanout1; + uint8_t depth1; + uint32_t leaf_length1; + uint32_t node_offset1; + uint32_t xof_length1; + uint8_t node_depth1; + uint8_t inner_length1; + uint8_t *salt1; + uint8_t *personal1; +} +Hacl_Impl_Blake2_Core_blake2b_params; + +/* SNIPPET_END: Hacl_Impl_Blake2_Core_blake2b_params */ + /* SNIPPET_START: K___uint32_t_uint32_t */ typedef struct K___uint32_t_uint32_t_s diff --git a/dist/portable-gcc-compatible/libevercrypt.def b/dist/portable-gcc-compatible/libevercrypt.def index 19f3e25ac2..b418214c97 100644 --- a/dist/portable-gcc-compatible/libevercrypt.def +++ b/dist/portable-gcc-compatible/libevercrypt.def @@ -487,13 +487,13 @@ EXPORTS Hacl_Bignum4096_bn_to_bytes_le Hacl_Bignum4096_lt_mask Hacl_Bignum4096_eq_mask - Hacl_Chacha20_Vec32_chacha20_encrypt_32 - Hacl_Chacha20_Vec32_chacha20_decrypt_32 EverCrypt_Ed25519_secret_to_public EverCrypt_Ed25519_expand_keys EverCrypt_Ed25519_sign_expanded EverCrypt_Ed25519_sign EverCrypt_Ed25519_verify + Hacl_Chacha20_Vec32_chacha20_encrypt_32 + Hacl_Chacha20_Vec32_chacha20_decrypt_32 Hacl_Bignum4096_32_add Hacl_Bignum4096_32_sub Hacl_Bignum4096_32_add_mod @@ -658,11 +658,11 @@ EXPORTS Hacl_HPKE_Curve51_CP32_SHA256_setupBaseR Hacl_HPKE_Curve51_CP32_SHA256_sealBase Hacl_HPKE_Curve51_CP32_SHA256_openBase - EverCrypt_Poly1305_poly1305 Hacl_HPKE_Curve64_CP256_SHA256_setupBaseS Hacl_HPKE_Curve64_CP256_SHA256_setupBaseR Hacl_HPKE_Curve64_CP256_SHA256_sealBase Hacl_HPKE_Curve64_CP256_SHA256_openBase + EverCrypt_Poly1305_poly1305 Hacl_Streaming_Poly1305_32_create_in Hacl_Streaming_Poly1305_32_init Hacl_Streaming_Poly1305_32_update diff --git a/dist/wasm/EverCrypt_Hash.wasm b/dist/wasm/EverCrypt_Hash.wasm index 6b1a6c3fcd7de9879f50ecfa716db8f695b4acdf..98595b1b0de2f204a3ef5b1d1e23c3f298c2016c 100644 GIT binary patch delta 2677 zcma)8Yitx%6rMY~v#;65^hMikr+bH%Zl`S9efB|H+HHBYlrD%EACYy@LXomy7i+O# zD;7gi{m~pTDu`4FDM*nzMvR((G2#QOVf%0{@nYWd(Qpt zneU!^?|lEHVb2xT#UxUj3Bxet`0&sWbLXfl25wR~+5J8-o!W~d4N4U|z-9`|5)byo zmnBl&@s^&%rmkQioVMhN8baDmGrbKrL_Kyo#^!<0qx5Y>@v)1=^bulpwo4T>Cm^+}|`KNQW z?ZT(Kh8Xeu2o|3cVlFo^!k5S0%3;@sMpKlDQo#j>a%6|Um>37CUmFqN`<#F+Km%x< zVT24=nJYVk#ViH{^`T7oF+$;3ZbfF6WTBP{hLNn%i&x+JW2cY}zvLEG=SU9S<|vCC zJ(N&Jn8VMus5#0=oMfULHB~bV{|q$dbzsdLpt7Rm?KY5Fut{=8h#HV0DTQf>vNSBz zLaMM43u+SEe7IOxj|J82Er&H?2BHn3YL9zm_*~3H^n>^gmfA>}56%{4vmX%nuIO*9 zxG7IFZsH|51f4WSL|ijOir`v-3|FX=cyQqwLUAEk*(ANoV$n?^Tv>u}E-oqa3!+xK z0MjuD#khC~t8jxT!^>V9qH)ds0d1~qH&*6ISuObqzAdVTzslal`keCkob9TdQKPiH zn2CPHDwpK7Cal?*KaA~r^)gKOc|=a=PU(sq{+yv|sgaPrJ*c$LV(Zc&{`-2ei-HL3apd zX(xW%UaK;?sNYIz6kF$h!q&K9bV;%DS?sEf)G43bTW`RQTN^WDx2CIIwGMU<8A*d8 zZN5wj>fF>u9TPhxkXoW3YYe0Tq|H9~d23Sfr0%(CJXCGj1#Nvv z@NA7>zZuS?N|d&~S4f&ebEU%9U0Ud`$Qit z%EnQhvT<~pQgb0?+J*h?Q679zS3-DRQzH7pEtH78G_3@;KdCewxP=mtBfDVZn4b2= zF)eMh_dsgg$9}}a*ti?qWe)K4@XD%JzgA1-=rNx*qxH2g_Sa`5q3`&NQi;$?8o}#I ztJX@bS|djmvX!#rqAvB|2-nY*ltBfW(JN)rOzq%g(JVYT*?4e%wku=fW_ACM9-H~q z|HFOi_)^1Qhn?rCdPyv|+jOwZZq>n3yF~{}>}DM-wwrX&Zs&B+W;g0!k=>w!Ry(VM z7CX^F)Xwk}Uk%A9anwjT_0m2!gf9!rJ^?#VhS{f_igI!_$*6VH+zFaLv4iGQH+2aV zM&A5P`RR=pZghE+kvIFupe#A4LsiB(t&EF0sjF8KsDR3-*B>?DW5PrkA;QhJtN9xS zPz?1&OOtseE48ZZw&@Ft$BTvUmF(1xQ51&W;s--ql+IWsjI6V5RandcH4duM>M)>+ zt3$skuMVqJf$@33*h*Dm9ag9!>u{wivkq6OLbFs*gMF&j`tW>kpDN56c0F8T~KLC5zj~V>hYy8;t+Uxh@+PwVc9S0|Dx5R*nZ4B!KP>bzQ zyF#H!Lk>vAg_4LAwMk8cZfTVu)l^NBAG9Efs#aCi$Vz`iYE_yx5mji@p4l-gP@01J zW9NM5oSE;Q^WD+8d+e_Ahv!l}Bo-f~gb+G6Gd)c=BeAE4s-hkH#^MvPv59!;7pJ1p=UtR(rjFFVV~Vceek?JNd0idUPW`@FZKw$ZTG-G?b%Ri zbHRu9GMKZeknbpiw;Wy=ba>#mj+KPFYcH;zt|+&{g9Hzg0wdVD;8icZom{H07Pu-Kh#-t@d{nc_iKX;=(8 zVpvA@@(?0}&Pp5DTwO2I^Q{fH-)4GSI*p z0z~7D$v_ip3J@=EHm2^ewy>4}$>gocEp4nVK(e@z479WM0LkGUtcu~=AZThM#Db6&;FC_UwOMGxPQ%_%8KrK^jEninaj4O1n*Gk}4W@u_XThBY$dMT{~rR_o| zA+2z_(Md=voSvl?y}Xz8>L_hrGSJWZbyRXgGO&?t)KR!i$-ri|Sx1?+Bm-O7R-LdZ zzAYJfj6J5403S#O9%qm1B*?cX1A}Z(Cw2S@*3J5AQHpN1p%!)PW}9k>7tNMhlEr%1 zHj(RL10vVMwu@X3djfL?nKvBsU*}JEZ@O8*$#28Q*w4n&Q8hM zB{{n!XP4ycTH=J%Wx6w3prE`_{w27X8-Sr@<-5|jgE`7kCg)Q9>D%K-DUY{10g4dsh=xR?UMEoU)cKAhR&i^)!wXHdA z^cGAON8lGZ@8NJ8FDZkoxtYq(6c}w@0T;t=xL)D`M_xb9yn(zh&b)8r)zVye2iH7& zsBRYJUr}hjxyb*hP==4y;dY@5C*G%pVO-^7m#IyLi#0KYrFc0Opu_PZv1bm^LeVTv z#x=!t%HOOoRs2^Rj^ibD$_JKv6`0pc8f-W$ofXx%wj@@)L5DLH8v4I)(9K^}bSTPk zhq)p&sVL9c#X<98SaT?6U5HEIgU0L1DQ5!yu4$WyRyEhlFpLnWxG%Lu4;C-A9B(f^PTQ96iuv`tF+eq z+CXCpnuWoBI~vc`%*EXEM|dt< z&T^TbxxIBhgw$IPmku6zT zx!=5WaBIp^sk;x$Qg+E43ah<)%>)d+5r~JkZ zgBN`8)+<@2`pU1x&02i*e)bwx!D{fkmAI7^;#Qis&$lS>#r?f?eFO#aGMB zZ+`E7jsMHJ{jaY}d8$iORWT5~otjI6wVG3cHJU?$)tX&`4$UUPdd(`qI?W zp(zryX;gw%$hp|BfY%(oxS6I!d~C%$%bx!#%Vs|2@#dK~-`uHuE}RQD-@Jxr-bgRu zZsrz3r7j5-fM1&aj<6L+HcspmoZZAA-fH!80c=ftf|rgJaVK*M9#>NERX_Aig{%g< zkERM~9`uDS_z;vRD3p<~QfMP#g-}Pra-k27SlnAC6q0b2&`82Qp^}9CLMMf_ip`}$ zDjC)_qA~}5a%|krY|Jh`InPhy|2KmFB2K35EwrfW89<+6K*c|hDVN(V!(+n}u<`PY O1dErCn?0AC9RC5rMPbVT diff --git a/dist/wasm/Hacl_HMAC.wasm b/dist/wasm/Hacl_HMAC.wasm index 32bdf4664eb86ba0eaa1148ff829265d6bc3ec25..7a7d027923fe2c020aaefd0818cb81e43702cc5d 100644 GIT binary patch delta 4297 zcmZ`+TXPiG5uPKh%o_P&69YC1!rc;x)s36(0!cf%APL;9i z5B1l-tIgKL(t@%qOFdlM{4zT`nOys0fxi5$S6y2#P&a+Q4RlOQ#ljsEOLO7o*u?zI z!5z;1oDXusk$7a;`B%=9{}-@h(}zCsufKgKqO$(#w6aQ-7_j zs}}Xwdg`x(CH2?2^_w86e|sI*OWE~OKW(#B;CFd|Jw%5D*7@^$U3pZ2fEYDUAq8Jk zHC339Mrzc|P1IzV8-=+M%#9xACRoDULm5LHr$3IYF`s$Q?as?ocjn`aZ- zWIO*HDmvIq&9+sKjk5*c2EOgVZlte17HZ*EYOw>U4Qr!9J_0_U zJiw~B9dD@vh#j`CGo_VQv1Efa?h$RtYms-?VXG*2VD;};A+r;iou14#vC^6C+Dc`1 zN@l0j9ctmDbdPw0CI1Ta%I$=aRL_^dsK|?fP zM0=8k_!OPW<4arnVeCX0 zt4+O#aabaqad-1gkW{~YoF_!I6I!%8Qlg!tNew$iQwDZYU?%}P>4BYsC9qR2tO*j> z{3)KMVJ-G)h`sMMjnc3Y`wY!!=vkUI&@%!(1LzqK^eilao^_#3kU;O8<+F5#&f-;x z*he7tGc+b*C!V7@5qf2WB1Y(Qf;|W9IS+OOmIyuKYQY2v_Hcxw6y>#5$6eL>$hW!1~N>hZ?vvD(y$JOoSj<&e8CCP?qgAwDeoQrtid20&l@)WD6h z9fz?mje5L%B;y4$L+DCF6f)6GLe~U3%#t*nSV9*PI_Eb9`Pm`1g{2%bfl6M>`)ihb zzi#$bAc~O78?_mxR$*!dQ>%xm4VEyqxrLb^U053*5z4LY)DC>j z*={)7F$v(Q=%h}n(T+~z=tP6>z^e%85dug$>a|w5OY&5=#_d6qcX4}6dJp%CXGa*I!+tMX&$C->h)G4!zEMYioB0*I_7!ir{i90g}U%($n(g$fd{9&53ZmC1JpTQ zy(PaJQ>2g#6FjhvKoxOW1M`_gbOw5;g9>HrJ@x0biJ$9lr>UI?q zB(HUNl*eccgJ=xh#r>Qbr$WX=F+CG%;7N3xDL_tnI$s!;9(uYNPiQOZs%A<$-xT0= z&zwf)v?p^MRwi>&TdB-x$()vj*<*}Z!?XB0I4gzz_ZT=UW59eK%%*SuXC#Eikem8G zh@d97Awo7Bg^Qwbp4Zm|$7mi~MlrV`0ehYoq#<#f;_*{FY}5Bx%diQF#!7Frz?CF+dwN&)m4&j z2i+%w}{7KEYs$5DFCX_zx?q|+{%3W306yX=uP2rk`^Wy=3 zuIK`|WAvEp)9^p%p|L+?{`H$3`I9=(?y23P2Nr>}bZ&O3^Kujpg?LbRaoK9vTC zGyg=<6DPkn*zi=*QzXlOex7JCJP|SAHX{avhznwPs@yiPZd8?^i1&&@^7Zs z{Q;!>BmT*ByPp8d&xPQ*^0X}^!p<}$?qQrK)AR^O-y8+tfSAwXXIq~IP{{e=D Bm=OQ~ delta 5498 zcmb_fYj9Lm6247_)Top-N_U63kqAeX=-3=YxUDJNv6pcn(n!BT$wpTYa#+sumo$tn; zdhq`ORcwWwzl{w$|4q*r`8GYD#(e(mNGN#MvKzjAc3{97Gp7H96Am78{ysT2GN)q3 zn7Cx}6gyy3%nrobBnwI~p-hD`E}>-G|Nil<|MZ0>%H4c-#Ihvf59Dx8#0tnXe_%RK zk61yO;Sc0;Zp0cV_xJ<%^1Tr&Bs1-J0`)$=FJfg#p6@b?XGN?#WVSzWKi?m*CQCj~ z#ioPEkk}@uHeyGfzUC!mUr76p7YL~LKA_&&VYwU{ehV&# zl5}$Zd2`0Za;Z?@3eCV1YzqBik{yytt~9V!T;;-6Dr_ZSD^p;rpebyX2kSa1Y`98R zatVNAypjuf;V`e@5*NCfs}1xjUgbhpD|9uWt5cv?K~v~e9<=ME&{I~)YJP}Ub0Oe| zdHHZJv{JJ!H%+oxYPiNZU7J074X?4SxtM&7;@1GbCIx?u4g-Hpu9f1X_;qWfmTRSs zYweKkRCq}}7s|s(=x^$^wk7KTxy}xhBo?_&HT5^Z4;!t`D}S9$ZL$vVZM$hAgGL`F3-s)ZHR%6eWe4LnyGG0!G|G^Na_5gN6d+zr0y%}y=Sq#*HHo9#d- zZ4$QG2F$8Cbygdp_(!z`$~c{k9^zL2$ZXXaTZ05~+R6G2EExbjK zYNrmw&3WI-TlK6y;=6Qlmmbw_e_$JL)1$iGAK1Y=^r-IS7H-om+`=(EjxF4w$FYSw z^{BS;BWi2qZnd@YcD1$gPXDOxigTNLR(F}RD!aLvcWX?ui`VSpHM@8lUA&Dh-bNR1 zql87e5F0;plD+#Gzo#`_1{YN!KwLgW^0jWxT{W&i$G+j>vxQ ziM69#?27^7xI9YysPlZ@ROeD_dP}c*{gSxPb=X5t zlDD%xSBDC3yYnE)lce3`NiywZa-y9aB0l6MIZS-mOLE90IiyJ-CX>Jgx+XcCNaDF_ zlBtJDp3+&F<^rjZdxjY^+v~NiA>tu7*Ae0)UaldNYe;iJOy+_Mbj@`nk;`+{Tz4NK zafq>qc)RUpKcU}X;0e->!*Z1PC~3c$b&U8Jpta*1HQA18Hi*e=a8VPo9V0!N&W{;c z8~ACGUlHEPc5@urk6&eobu2bA-8{R>0G#6MT+T_qq@qeZ}iTMwinH z7{G+tnc0z1di5+=ME00|iBms#(a(I+`XjJq{;XZ&()wj&etlkA3IhqIG7wdK2BJ!W zfrOQTSm^5*9F!94q28 zkg$M(vf>KqWL?mP&6~)XDk&<_XRtO*z?a+)Dil@=B@J z)u_U1R2$NDmy#|pBD2b?c{SXerioBO2zfiG)28vvFl`h$a;BLf5_X`@><}VoNL{j zYe8gSnHA+Iml{LVHAKNr)?tl9X5j$I>r=H}Y0x-oG`LONl)!Cr!<%G-T5fH|UF_mE zyM|_`b8#dM-p+}|`Bds$H}BvQl^4@Bo$lWQC+o2^RcN$G2olsu57`60p zkM#0f>BDs>{Rjr*@Hb>1G_M)=`l8p0)gt|d5_Tgt!3pD-4tAz@^XPoQM?6-j8n}o@ z3su`g9zP4aqy&Y5miS|!9(zf<=)U9_h{%47g+N9;zjzo-1Q)6{Q?Lp5-&~de?hd@;%3LH9WxLR+&mE6JP?ovX|R@V8VGJ0 z2t{rlNNygqMBI&+El`3EFauZW6kOI&&>D~9Z5Sq0{D#kvc1PzQv(q!5A#Hu23J3-h zc$yL|@+4tYPT_i2W*IjZIndM_@^J`CKXGB>e#agD9N6V)b9<+<%jbVG5|G~zV-RWN z1!bW@fp&FxZo`DSugJy zllP3~g_z6>7wDSzY$C7cYKY5Ol40l3Sy^*mBgXTz+ZYIu$0_qr@7BgVs82UM)g z^Ij$Ah|jr|oF_i-RdUW$a!xCOn5+aY(6y5DiAp?IQ^|Rf*R_&~Bg7+`(RAYxuaXgx zH`F@sO=3JRxYjp4>zgER5x;?K$>zszjZ%B%ZH=dQOpXi07yKL-Jd_J0?;7iS#CW_M z?|IhuNZvQri^LcG*o&U^BFP8FdWjg17kkOGULv_{tRE8N@vI+u)(=TOGS-iY@p#sc zJ?qCLpQttdDKQ?;`l)CAl;ktwcZlB|HCujvlxnUCIDL>h8sy8P)Lwp@^!X@t)Ed;G zPcU?Ia%ubcGjgs^yF=a~`J5Oh=XKp1uJ|J9{elL5h4_l|Luq8eRpP4v&_5Gb%-*=7 zdjn!}Z@@)O*c(^PpNXWa?u|`XNxmTdg5(eSPTp64L|XY1UhaPj?c!eoR=&~%U#0## zKp^zw<%1xjCoV21xVgSE|1GX*^tIGz1B69+*l;e;7AqlOw;G*;e> zku)reh#7k<(b8}a|La=CTc+hO|B~ciLjI+Z{L9cJ|MErtaM5M?mw6?8)P_#H_)%A> zs=o9C zlqEfE8kev@)3IE`MO;nV5XFVcb*i&;%MH50tF+2%ES2aq{j|u_Q%vrxK#RabX`N)qwBne$_1xELYvZ< zR+K(1SGz63T`JOMkN0SXT0Pz; zhuS^9M`haT@c~t6yT_UqXnUu}hh)*N+{dE3a$Jk{39AXZ+?{75{1dr+G?{vM0+p%q0FMDMoQSUq){-fZ?AURs7}ytCpvH zI2<_{jvSgGH!>V~Xfhmm|N960Zk|CFE>c0$pueVRl4odg*o?Dy*bcHdIuZ415n9wS zsDo%7lvb|eNQXFnZmqD1$Pyw;Baze4hLN*@Hi#@qWC@YQg94YS%yVRLg%r;t$^6JA zD$tBa!9C`pzZcUk9-fyZM&Z2K_;L3BKTpF#?t8(o^QD}}{L4$=GR|YX1I{Oe^H|e* zp7U@FIWJ1Yc~J(Ow}kWZo*8i7lE;R|k2r71({Rz51I}9v&bulTao%EZ-bK?!oVOU9 z2O}cRTd3Nci-sO>-ePdxRh5wQcy|fs1z6yG3w;O9w^Rm5cf<$Iiw~R^A2<&m-ixE0 z4_;@lo%7}x=gt3%^YN=WPx96ZplwjqyBhPms9LZz8;YqA^MJl!9<;v-^U@h1=A8@7 z+h8}kaEN)A&@AJaM-;8eV|qE}WrGm&gAIy+_izJXUYcZbZb0;%ZU}U_ z6o4)lv1nyaP7k8XX+U&wg6QG|(Zwf3KRWs)nfh{s=zm=&q514M%`0V1LWSsihx~6> uE3b(3;CoCy8OD$-)xX;UxK8zHk4*A7%9kNSbC$)jR-1Ch-^^x$vH-&npdM0e z&;Ti>v<@vLf|k+^Xer%<7TSbwQOgE=i`4lM65gabZDOo$E$h~@ZY>jQnOMujS|--A zMpX)Fg-TSeB|Y$)-_Pi-(lM=>i4mn^TC*^XC>Km)d%`rfCro2|!ZfxnOhXf>t4441_ diff --git a/dist/wasm/Hacl_Streaming_Blake2.wasm b/dist/wasm/Hacl_Streaming_Blake2.wasm index ff2f0e69c58752afc3e308c5bba2882e315a67b9..b23bd5b26e8ee576ae5aa3696c76bdb6a17970fd 100644 GIT binary patch delta 529 zcmaD5Hz$OPA+b1@k%57MasEUuGiK)c`iYJbU@9tramB{f5sX3t9*N00@g9lA8Szdz ziP@<}GLvJOBv>-@GD{|VG8JNz_hE*}Z(?4^#Q*bHLjwcX{T3j}#8fA;c>}8xlaeEY zqk;gZl!BN7t0RLVvm%QEvjU450|WQGCWtz&$-5*hIar|TChzA`Hsb`URzNu}N5(8guE~jPBJP|D>}CucAk}Nl z83YtK6}f?C@c_-@ag>0Y#Q-vkCrbe+=O_U&iw9;F56CPYpjpD3+qh@&ay@`~r+%}W mq$86uP|E=Z0Uj(Knvd)uPLPMd3I~yoCbw}5Z4Q;^761T$>10HD3YIP{Jo*8$^Y~xgO>bg3?h?*yDST-;sUJ{O0S2KR+tb zVEou4BJZoyQaAEaFMZ=`nx>QVpP#(bN3VE4efRBa-b>N_!CRyLgU9cW`g^0nyZg`f z@4a_0J{%kzj<+tC`u+af`-lB^K72TMbF|-ob^2W4gZux9)gGB?uh5!q7i+VH;z42Q z^oOG(Dt++@-V24v_U!n|ULln_*Cph-^{qFu{%9x-3_(6b7)(Ai?XQ14`R$|XqO9|J zOe8J0XmdLzUpCx=nPUn>++veAV=~fliyM3+rnD+I-R2hGim4{I-6G~Vrce^M*y632 z)@7R`Zgq)p+31pwi*zZ#rPC$DO}?pGlW(imcU_TfcDrk}>or@k!mqLg^? z?|91?T)YN@i?`zb<~6>i@h-VVm8%->vRkb1ipIO@7B#MEyw}}gjo0Fos#15GkVB2P z;T91`8t;W#*QLdVmoyH;%Nn8KRgKW_b&a>eb=4}|P_4pE)hgP@U-7niDT}xLqMgUP z!6nU=aGCp+GQU#hSI+#(nO`~cE6@F=zg+Ef839Z2E{hEw_;)QK8OCnNGUPxD9pV1e zX_x2)Xkxvg$n=|q+RMxf`s48JvmRBMWfNWF6ZmJzU(P|A)iBVa3`*s)~QSg{ zsRp)G16!(rEocbY24^1&=-QjpmG0Q@>Fng>MCN?yIq;?Dz?Yr_U+M|IR0ChCfiKm- zmummw>v!dAr7$sNlNSpGgPlJ`&a#XJV E37$*BjsO4v diff --git a/dist/wasm/Hacl_Streaming_Blake2b_256.wasm b/dist/wasm/Hacl_Streaming_Blake2b_256.wasm index 36e0d79281c79379c63478611d2c6c1dd9f0f0f0..2af0b48656281b6f9dc161da70ab639cf0079df4 100644 GIT binary patch delta 443 zcmZvZF-rqM5QS%Mlic0z=I&AmK?v+|jVLOCkU%hy?XTMwa;CL_?Krr;ng!KEvrPq=VVga%(+NBWo(x+3xIstFEwtRJ~)Vz+H1&(#KP^N>1Ff0}ZsSeX3qb-H{-#A#kUa zpv683GlGar6(Dpagp@P|mCj10DPaac=vgdiEKJEsBqm191Jt!gCB`AurC$ceEHWls zVOPO1<;xlb!VQ^DagFA(_=5(6F7sGuQx?D2{F}`UoBzX>X)Tl0o2iCkmkGotp delta 260 zcmaE^+^@{fkXW3{$iTqBc)g*afq{P_zu`o8HMSMaKn~Bw;!MWLLQLw6oRh7XWCgjn zd3gEQ+Cl0V>lqv;uujfka%AE%nq0`F$DWy&S;D|=0%A|*V`gXK0W&$%fa1j&47^}P zqG?5`sSJFaDTyVC@x_@{smzRAv!_p<$UKSjF340SraF$vIxJRviku3Zid@PJj%ygR z1lTv5v9dA)-C)CUfsu1FFXv_u=OE90AZH=(8AhhdOq28ZbCmxu1JyDpusSj*GAptu nFe|W_F)(m*Pj3aemqD3<8|dJF{I^&@E}eW&V9Dm20(^`BB&$Qw diff --git a/dist/wasm/Hacl_Streaming_Blake2s_128.wasm b/dist/wasm/Hacl_Streaming_Blake2s_128.wasm index 0fb085660a7f27b6681bffbc32e4e7cc0f688fd7..fd87a1c919c53009661f73ba7f2f92356e93afbf 100644 GIT binary patch delta 446 zcmZvZF-XHe6o%i+rA=~oZBkGuLg7LeQLGe73q_&lq`SKmE!Yr6XdQGgMG+^5df36i zNw+$bZZ5itvuk%Jbr!)(MMZG@-~ay~y!WpBci)A2YYPDYN1aXwysld$B#OEVGs)4B z9;60g6BD`R`g*7a#$>X&-E4!S?r;&Q`oLU<@l@JPp2TI0Kt2;SYe;0uBlFfc%u6am z3eN7%M!nsDRIJ8MYZKBsRq|X%JN30zbH725zV*~9Idd)#HPA2)sCpq)OM(=hGo?-w z*@*b2Ai^vI_>KghlA55>UNLJDrU8VW1%d{`)*U;P7{+Q2psGD8G4QD_{W3TvkTKy1 zs|2MIH!k%Ip`Lf3tba=Krweuwp(M`dY;5Ast>=dwNSX t!LGHqWe;fdQ5~nk{F4!Q7Kp?j1Y@u97ZCEm^l9(Y1+|p!56@i}KLOoj0mX|m7o zMAM2=QyKU;QxZ!O@8PyS7e0FDDe)&Kwi diff --git a/dist/wasm/layouts.json b/dist/wasm/layouts.json index d9d2a29ae6..abad000d3e 100644 --- a/dist/wasm/layouts.json +++ b/dist/wasm/layouts.json @@ -1 +1 @@ -{"Spec_Hash_Definitions_hash_alg":["LEnum"],"Prims_string":["LBuiltin",["I32"],["A32"]],"Prims_int":["LBuiltin",["I32"],["A32"]],"K___uint32_t_uint32_t":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Int",["A32"]]]]]}],"__bool_bool_bool_bool":["LFlat",{"size":4,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[3,["Int",["A8"]]]]]}],"__bool_bool":["LFlat",{"size":2,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]]]}],"Hacl_Streaming_Types_error_code":["LEnum"],"Hacl_Streaming_Poly1305_32_poly1305_32_state":["LFlat",{"size":20,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]],["p_key",[16,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Streaming_MD_state_64":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Streaming_MD_state_32":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A32"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Streaming_Keccak_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Keccak_hash_buf"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"hash_buf2":["LFlat",{"size":16,"fields":[["fst",[0,["Layout","Hacl_Streaming_Keccak_hash_buf"]]],["snd",[8,["Layout","Hacl_Streaming_Keccak_hash_buf"]]]]}],"Hacl_Streaming_Keccak_hash_buf":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Streaming_Blake2s_128_blake2s_128_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2s_128_blake2s_128_block_state"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Streaming_Blake2s_128_blake2s_128_block_state":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Streaming_Blake2b_256_blake2b_256_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2b_256_blake2b_256_block_state"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Streaming_Blake2b_256_blake2b_256_block_state":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Streaming_Blake2_blake2s_32_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2_blake2s_32_block_state"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Streaming_Blake2_blake2s_32_block_state":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A32"]]]]],["snd",[4,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Streaming_Blake2_blake2b_32_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2_blake2b_32_block_state"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Streaming_Blake2_blake2b_32_block_state":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A64"]]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Impl_SHA2_Types_uint8_8p":["LFlat",{"size":56,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_7p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_7p":["LFlat",{"size":48,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_6p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_6p":["LFlat",{"size":40,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_5p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_5p":["LFlat",{"size":32,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_4p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_4p":["LFlat",{"size":24,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_3p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_3p":["LFlat",{"size":16,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_2p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_2x8p":["LFlat",{"size":112,"fields":[["fst",[0,["Layout","Hacl_Impl_SHA2_Types_uint8_8p"]]],["snd",[56,["Layout","Hacl_Impl_SHA2_Types_uint8_8p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_2x4p":["LFlat",{"size":48,"fields":[["fst",[0,["Layout","Hacl_Impl_SHA2_Types_uint8_4p"]]],["snd",[24,["Layout","Hacl_Impl_SHA2_Types_uint8_4p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_2p":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[4,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Impl_HPKE_context_s":["LFlat",{"size":16,"fields":[["ctx_key",[0,["Pointer",["Int",["A8"]]]]],["ctx_nonce",[4,["Pointer",["Int",["A8"]]]]],["ctx_seq",[8,["Pointer",["Int",["A64"]]]]],["ctx_exporter",[12,["Pointer",["Int",["A8"]]]]]]}],"Hacl_HMAC_DRBG_state":["LFlat",{"size":12,"fields":[["k",[0,["Pointer",["Int",["A8"]]]]],["v",[4,["Pointer",["Int",["A8"]]]]],["reseed_counter",[8,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64":["LFlat",{"size":20,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A64"]]]]],["mu",[8,["Int",["A64"]]]],["r2",[16,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32":["LFlat",{"size":16,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A32"]]]]],["mu",[8,["Int",["A32"]]]],["r2",[12,["Pointer",["Int",["A32"]]]]]]}],"FStar_UInt128_uint128":["LFlat",{"size":16,"fields":[["low",[0,["Int",["A64"]]]],["high",[8,["Int",["A64"]]]]]}],"EverCrypt_Hash_Incremental_hash_state":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Layout","EverCrypt_Hash_state_s"]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"state_s_tags":["LEnum"],"EverCrypt_Hash_state_s":["LFlat",{"size":12,"fields":[["tag",[0,["Int",["A32"]]]],["val",[8,["Union",[["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A32"]]],["Pointer",["Unknown"]],["Pointer",["Int",["A64"]]],["Pointer",["Unknown"]]]]]]]}],"EverCrypt_Error_error_code":["LEnum"],"C_String_t_":["LBuiltin",["I32"],["A32"]],"C_String_t":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t_":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t":["LBuiltin",["I32"],["A32"]],"exit_code":["LBuiltin",["I32"],["A32"]],"clock_t":["LBuiltin",["I32"],["A32"]]} \ No newline at end of file +{"Spec_Hash_Definitions_hash_alg":["LEnum"],"Prims_string":["LBuiltin",["I32"],["A32"]],"Prims_int":["LBuiltin",["I32"],["A32"]],"K___uint32_t_uint32_t":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Int",["A32"]]]]]}],"__bool_bool_bool_bool":["LFlat",{"size":4,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[3,["Int",["A8"]]]]]}],"__bool_bool":["LFlat",{"size":2,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]]]}],"Hacl_Streaming_Types_error_code":["LEnum"],"Hacl_Streaming_Poly1305_32_poly1305_32_state":["LFlat",{"size":20,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]],["p_key",[16,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Streaming_MD_state_64":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Streaming_MD_state_32":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A32"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Streaming_Keccak_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Keccak_hash_buf"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"hash_buf2":["LFlat",{"size":16,"fields":[["fst",[0,["Layout","Hacl_Streaming_Keccak_hash_buf"]]],["snd",[8,["Layout","Hacl_Streaming_Keccak_hash_buf"]]]]}],"Hacl_Streaming_Keccak_hash_buf":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Streaming_Blake2s_128_blake2s_128_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2s_128_blake2s_128_block_state"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Streaming_Blake2s_128_blake2s_128_block_state":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Streaming_Blake2b_256_blake2b_256_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2b_256_blake2b_256_block_state"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Streaming_Blake2b_256_blake2b_256_block_state":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Streaming_Blake2_blake2s_32_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2_blake2s_32_block_state"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Streaming_Blake2_blake2s_32_block_state":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A32"]]]]],["snd",[4,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Streaming_Blake2_blake2b_32_state":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Streaming_Blake2_blake2b_32_block_state"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Streaming_Blake2_blake2b_32_block_state":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A64"]]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Impl_SHA2_Types_uint8_8p":["LFlat",{"size":56,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_7p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_7p":["LFlat",{"size":48,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_6p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_6p":["LFlat",{"size":40,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_5p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_5p":["LFlat",{"size":32,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_4p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_4p":["LFlat",{"size":24,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_3p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_3p":["LFlat",{"size":16,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Impl_SHA2_Types_uint8_2p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_2x8p":["LFlat",{"size":112,"fields":[["fst",[0,["Layout","Hacl_Impl_SHA2_Types_uint8_8p"]]],["snd",[56,["Layout","Hacl_Impl_SHA2_Types_uint8_8p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_2x4p":["LFlat",{"size":48,"fields":[["fst",[0,["Layout","Hacl_Impl_SHA2_Types_uint8_4p"]]],["snd",[24,["Layout","Hacl_Impl_SHA2_Types_uint8_4p"]]]]}],"Hacl_Impl_SHA2_Types_uint8_2p":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[4,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Impl_HPKE_context_s":["LFlat",{"size":16,"fields":[["ctx_key",[0,["Pointer",["Int",["A8"]]]]],["ctx_nonce",[4,["Pointer",["Int",["A8"]]]]],["ctx_seq",[8,["Pointer",["Int",["A64"]]]]],["ctx_exporter",[12,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Impl_Blake2_Core_blake2s_params":["LFlat",{"size":24,"fields":[["digest_length",[0,["Int",["A8"]]]],["key_length",[1,["Int",["A8"]]]],["fanout",[2,["Int",["A8"]]]],["depth",[3,["Int",["A8"]]]],["leaf_length",[4,["Int",["A32"]]]],["node_offset",[8,["Int",["A32"]]]],["xof_length",[12,["Int",["A16"]]]],["node_depth",[14,["Int",["A8"]]]],["inner_length",[15,["Int",["A8"]]]],["salt",[16,["Pointer",["Int",["A8"]]]]],["personal",[20,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Impl_Blake2_Core_blake2b_params":["LFlat",{"size":28,"fields":[["digest_length1",[0,["Int",["A8"]]]],["key_length1",[1,["Int",["A8"]]]],["fanout1",[2,["Int",["A8"]]]],["depth1",[3,["Int",["A8"]]]],["leaf_length1",[4,["Int",["A32"]]]],["node_offset1",[8,["Int",["A32"]]]],["xof_length1",[12,["Int",["A32"]]]],["node_depth1",[16,["Int",["A8"]]]],["inner_length1",[17,["Int",["A8"]]]],["salt1",[20,["Pointer",["Int",["A8"]]]]],["personal1",[24,["Pointer",["Int",["A8"]]]]]]}],"Hacl_HMAC_DRBG_state":["LFlat",{"size":12,"fields":[["k",[0,["Pointer",["Int",["A8"]]]]],["v",[4,["Pointer",["Int",["A8"]]]]],["reseed_counter",[8,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64":["LFlat",{"size":20,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A64"]]]]],["mu",[8,["Int",["A64"]]]],["r2",[16,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32":["LFlat",{"size":16,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A32"]]]]],["mu",[8,["Int",["A32"]]]],["r2",[12,["Pointer",["Int",["A32"]]]]]]}],"FStar_UInt128_uint128":["LFlat",{"size":16,"fields":[["low",[0,["Int",["A64"]]]],["high",[8,["Int",["A64"]]]]]}],"EverCrypt_Hash_Incremental_hash_state":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Layout","EverCrypt_Hash_state_s"]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"state_s_tags":["LEnum"],"EverCrypt_Hash_state_s":["LFlat",{"size":12,"fields":[["tag",[0,["Int",["A32"]]]],["val",[8,["Union",[["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A32"]]],["Pointer",["Unknown"]],["Pointer",["Int",["A64"]]],["Pointer",["Unknown"]]]]]]]}],"EverCrypt_Error_error_code":["LEnum"],"C_String_t_":["LBuiltin",["I32"],["A32"]],"C_String_t":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t_":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t":["LBuiltin",["I32"],["A32"]],"exit_code":["LBuiltin",["I32"],["A32"]],"clock_t":["LBuiltin",["I32"],["A32"]]} \ No newline at end of file From bf94aa69ae2cddb95adbed47464266f9cbbc6cff Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 5 Oct 2023 13:22:30 +0200 Subject: [PATCH 11/22] Parameterize entire Blake2 spec by blake2 params --- specs/Spec.Blake2.fst | 8 ++++---- specs/tests/Spec.Blake2.Test.fst | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/specs/Spec.Blake2.fst b/specs/Spec.Blake2.fst index 60dc984d30..373a83653d 100644 --- a/specs/Spec.Blake2.fst +++ b/specs/Spec.Blake2.fst @@ -731,22 +731,22 @@ let blake2 a d p kk k nn = let s = blake2_update a kk k d s in blake2_finish a s nn -(* TODO: Add blake2_params arguments to both functions below *) - val blake2s: d:bytes + -> p:blake2_params Blake2S -> kk:size_nat{kk <= 32 /\ (if kk = 0 then length d < pow2 64 else length d + 64 < pow2 64)} -> k:lbytes kk -> nn:size_nat{1 <= nn /\ nn <= 32} -> Tot (lbytes nn) -let blake2s d kk k n = blake2 Blake2S d blake2s_default_params kk k n +let blake2s d p kk k n = blake2 Blake2S d p kk k n val blake2b: d:bytes + -> p:blake2_params Blake2B -> kk:size_nat{kk <= 64 /\ (if kk = 0 then length d < pow2 128 else length d + 128 < pow2 64)} -> k:lbytes kk -> nn:size_nat{1 <= nn /\ nn <= 64} -> Tot (lbytes nn) -let blake2b d kk k n = blake2 Blake2B d blake2b_default_params kk k n +let blake2b d p kk k n = blake2 Blake2B d p kk k n diff --git a/specs/tests/Spec.Blake2.Test.fst b/specs/tests/Spec.Blake2.Test.fst index 73bde7d3a4..3188eb286e 100644 --- a/specs/tests/Spec.Blake2.Test.fst +++ b/specs/tests/Spec.Blake2.Test.fst @@ -851,8 +851,8 @@ let test_one (v:vec) = let expected = tag in let computed = match a with - | BLAKE2S -> Spec.Blake2.blake2s plain (Seq.length key) key 32 - | BLAKE2B -> Spec.Blake2.blake2b plain (Seq.length key) key 64 in + | BLAKE2S -> Spec.Blake2.blake2s plain Spec.Blake2.blake2s_default_params (Seq.length key) key 32 + | BLAKE2B -> Spec.Blake2.blake2b plain Spec.Blake2.blake2b_default_params (Seq.length key) key 64 in IO.print_string ("\n\nTEST Blake2 "^(string_of_int num)^":"); PS.print_compare true (length expected) expected computed From 31d2b58865f5547d21eb2ff2778be5ddc8b51561 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 5 Oct 2023 15:34:41 +0200 Subject: [PATCH 12/22] Refresh dist with latest F*/karamel master --- dist/gcc-compatible/EverCrypt_AEAD.c | 326 +++++++++--------- dist/gcc-compatible/EverCrypt_AutoConfig2.c | 48 +-- dist/gcc-compatible/EverCrypt_DRBG.c | 4 + dist/gcc-compatible/EverCrypt_Hash.c | 5 +- dist/gcc-compatible/EverCrypt_Poly1305.c | 9 +- dist/gcc-compatible/Hacl_Chacha20_Vec128.c | 6 +- dist/gcc-compatible/Hacl_Chacha20_Vec256.c | 6 +- dist/gcc-compatible/Hacl_Chacha20_Vec32.c | 6 +- dist/gcc-compatible/Hacl_Curve25519_64.c | 18 +- dist/gcc-compatible/Hacl_Ed25519.c | 90 +++-- dist/gcc-compatible/Hacl_FFDHE.c | 7 +- dist/gcc-compatible/Hacl_Frodo_KEM.c | 2 +- dist/gcc-compatible/Hacl_HMAC_DRBG.c | 3 + dist/gcc-compatible/Hacl_Hash_Blake2.c | 2 + dist/gcc-compatible/Hacl_Hash_Blake2b_256.c | 1 + dist/gcc-compatible/Hacl_Hash_Blake2s_128.c | 1 + dist/gcc-compatible/Hacl_Hash_MD5.c | 1 - dist/gcc-compatible/Hacl_Hash_SHA1.c | 1 - dist/gcc-compatible/Hacl_Hash_SHA2.c | 4 - dist/gcc-compatible/Hacl_Hash_SHA3.c | 7 +- dist/gcc-compatible/Hacl_K256_ECDSA.c | 28 +- dist/gcc-compatible/Hacl_RSAPSS.c | 45 ++- dist/gcc-compatible/Hacl_RSAPSS.h | 45 ++- dist/gcc-compatible/Hacl_Salsa20.c | 8 +- dist/gcc-compatible/Hacl_Streaming_Blake2.c | 2 - .../Hacl_Streaming_Blake2b_256.c | 1 - .../Hacl_Streaming_Blake2s_128.c | 1 - .../Hacl_Streaming_Poly1305_128.c | 3 +- .../Hacl_Streaming_Poly1305_256.c | 3 +- .../Hacl_Streaming_Poly1305_32.c | 1 - dist/gcc-compatible/INFO.txt | 4 +- .../internal/Hacl_Bignum25519_51.h | 4 + .../dist/minimal/fstar_uint128_gcc64.h | 4 +- dist/msvc-compatible/EverCrypt_AEAD.c | 326 +++++++++--------- dist/msvc-compatible/EverCrypt_AutoConfig2.c | 48 +-- dist/msvc-compatible/EverCrypt_DRBG.c | 4 + dist/msvc-compatible/EverCrypt_Hash.c | 5 +- dist/msvc-compatible/EverCrypt_Poly1305.c | 9 +- dist/msvc-compatible/Hacl_Chacha20_Vec128.c | 6 +- dist/msvc-compatible/Hacl_Chacha20_Vec256.c | 6 +- dist/msvc-compatible/Hacl_Chacha20_Vec32.c | 6 +- dist/msvc-compatible/Hacl_Curve25519_64.c | 18 +- dist/msvc-compatible/Hacl_Ed25519.c | 90 +++-- dist/msvc-compatible/Hacl_FFDHE.c | 7 +- dist/msvc-compatible/Hacl_Frodo_KEM.c | 2 +- dist/msvc-compatible/Hacl_HMAC_DRBG.c | 3 + dist/msvc-compatible/Hacl_Hash_Blake2.c | 2 + dist/msvc-compatible/Hacl_Hash_Blake2b_256.c | 1 + dist/msvc-compatible/Hacl_Hash_Blake2s_128.c | 1 + dist/msvc-compatible/Hacl_Hash_MD5.c | 1 - dist/msvc-compatible/Hacl_Hash_SHA1.c | 1 - dist/msvc-compatible/Hacl_Hash_SHA2.c | 4 - dist/msvc-compatible/Hacl_Hash_SHA3.c | 7 +- dist/msvc-compatible/Hacl_K256_ECDSA.c | 28 +- dist/msvc-compatible/Hacl_RSAPSS.c | 45 ++- dist/msvc-compatible/Hacl_RSAPSS.h | 45 ++- dist/msvc-compatible/Hacl_Salsa20.c | 8 +- dist/msvc-compatible/Hacl_Streaming_Blake2.c | 2 - .../Hacl_Streaming_Blake2b_256.c | 1 - .../Hacl_Streaming_Blake2s_128.c | 1 - .../Hacl_Streaming_Poly1305_128.c | 3 +- .../Hacl_Streaming_Poly1305_256.c | 3 +- .../Hacl_Streaming_Poly1305_32.c | 1 - dist/msvc-compatible/INFO.txt | 4 +- .../internal/Hacl_Bignum25519_51.h | 4 + dist/portable-gcc-compatible/EverCrypt_AEAD.c | 326 +++++++++--------- .../EverCrypt_AutoConfig2.c | 48 +-- dist/portable-gcc-compatible/EverCrypt_DRBG.c | 4 + dist/portable-gcc-compatible/EverCrypt_Hash.c | 5 +- .../EverCrypt_Poly1305.c | 9 +- .../Hacl_Chacha20_Vec128.c | 6 +- .../Hacl_Chacha20_Vec256.c | 6 +- .../Hacl_Chacha20_Vec32.c | 6 +- .../Hacl_Curve25519_64.c | 18 +- dist/portable-gcc-compatible/Hacl_Ed25519.c | 90 +++-- dist/portable-gcc-compatible/Hacl_FFDHE.c | 7 +- dist/portable-gcc-compatible/Hacl_Frodo_KEM.c | 2 +- dist/portable-gcc-compatible/Hacl_HMAC_DRBG.c | 3 + .../Hacl_Hash_Blake2.c | 2 + .../Hacl_Hash_Blake2b_256.c | 1 + .../Hacl_Hash_Blake2s_128.c | 1 + dist/portable-gcc-compatible/Hacl_Hash_MD5.c | 1 - dist/portable-gcc-compatible/Hacl_Hash_SHA1.c | 1 - dist/portable-gcc-compatible/Hacl_Hash_SHA2.c | 4 - dist/portable-gcc-compatible/Hacl_Hash_SHA3.c | 7 +- .../portable-gcc-compatible/Hacl_K256_ECDSA.c | 28 +- dist/portable-gcc-compatible/Hacl_RSAPSS.c | 45 ++- dist/portable-gcc-compatible/Hacl_RSAPSS.h | 45 ++- dist/portable-gcc-compatible/Hacl_Salsa20.c | 8 +- .../Hacl_Streaming_Blake2.c | 2 - .../Hacl_Streaming_Blake2b_256.c | 1 - .../Hacl_Streaming_Blake2s_128.c | 1 - .../Hacl_Streaming_Poly1305_128.c | 3 +- .../Hacl_Streaming_Poly1305_256.c | 3 +- .../Hacl_Streaming_Poly1305_32.c | 1 - dist/portable-gcc-compatible/INFO.txt | 4 +- .../internal/Hacl_Bignum25519_51.h | 4 + dist/wasm/EverCrypt_Hash.wasm | Bin 48520 -> 48471 bytes dist/wasm/Hacl_Bignum256.wasm | Bin 100214 -> 100203 bytes dist/wasm/Hacl_Bignum256_32.wasm | Bin 41067 -> 41054 bytes dist/wasm/Hacl_Bignum32.wasm | Bin 15248 -> 15238 bytes dist/wasm/Hacl_Bignum4096.wasm | Bin 63798 -> 63787 bytes dist/wasm/Hacl_Bignum4096_32.wasm | Bin 32319 -> 32306 bytes dist/wasm/Hacl_Bignum64.wasm | Bin 24421 -> 24411 bytes dist/wasm/Hacl_Chacha20Poly1305_32.wasm | Bin 7661 -> 7657 bytes dist/wasm/Hacl_Curve25519_51.wasm | Bin 7170 -> 7166 bytes dist/wasm/Hacl_HPKE_Curve51_CP32_SHA256.wasm | Bin 21304 -> 21294 bytes dist/wasm/Hacl_HPKE_Curve51_CP32_SHA512.wasm | Bin 21432 -> 21422 bytes dist/wasm/Hacl_Hash_SHA3.wasm | Bin 17639 -> 17615 bytes dist/wasm/Hacl_K256_ECDSA.wasm | Bin 98203 -> 98099 bytes dist/wasm/Hacl_NaCl.wasm | Bin 5031 -> 5027 bytes dist/wasm/Hacl_P256.wasm | Bin 83233 -> 83205 bytes dist/wasm/INFO.txt | 4 +- 113 files changed, 1030 insertions(+), 1054 deletions(-) diff --git a/dist/gcc-compatible/EverCrypt_AEAD.c b/dist/gcc-compatible/EverCrypt_AEAD.c index 564dbc2ece..21039bd4c9 100644 --- a/dist/gcc-compatible/EverCrypt_AEAD.c +++ b/dist/gcc-compatible/EverCrypt_AEAD.c @@ -46,6 +46,8 @@ The state may be reused as many times as desired. */ bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s projectee) { + KRML_HOST_IGNORE(a); + KRML_HOST_IGNORE(projectee); return true; } @@ -58,8 +60,7 @@ Return the algorithm used in the AEAD state. */ Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s) { - EverCrypt_AEAD_state_s scrut = *s; - Spec_Cipher_Expansion_impl impl = scrut.impl; + Spec_Cipher_Expansion_impl impl = (*s).impl; switch (impl) { case Spec_Cipher_Expansion_Hacl_CHACHA20: @@ -108,8 +109,8 @@ create_in_aes128_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)480U, sizeof (uint8_t)); uint8_t *keys_b = ek; uint8_t *hkeys_b = ek + (uint32_t)176U; - uint64_t scrut = aes128_key_expansion(k, keys_b); - uint64_t scrut0 = aes128_keyhash_init(keys_b, hkeys_b); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b, hkeys_b)); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }); @@ -136,8 +137,8 @@ create_in_aes256_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)544U, sizeof (uint8_t)); uint8_t *keys_b = ek; uint8_t *hkeys_b = ek + (uint32_t)240U; - uint64_t scrut = aes256_key_expansion(k, keys_b); - uint64_t scrut0 = aes256_keyhash_init(keys_b, hkeys_b); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b, hkeys_b)); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }); @@ -212,8 +213,7 @@ encrypt_aes128_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)304U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -223,8 +223,12 @@ encrypt_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -250,9 +254,7 @@ encrypt_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut0 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -268,7 +270,7 @@ encrypt_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -281,9 +283,7 @@ encrypt_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut0 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -299,7 +299,7 @@ encrypt_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, @@ -336,8 +336,7 @@ encrypt_aes256_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)368U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -347,8 +346,12 @@ encrypt_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -374,9 +377,7 @@ encrypt_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut0 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -392,7 +393,7 @@ encrypt_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -405,9 +406,7 @@ encrypt_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut0 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -423,7 +422,7 @@ encrypt_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, @@ -529,23 +528,21 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut0 = aes128_key_expansion(k, keys_b0); - uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -555,8 +552,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -582,9 +583,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -600,7 +599,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -613,9 +612,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -631,12 +628,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; #else @@ -673,23 +670,21 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut0 = aes256_key_expansion(k, keys_b0); - uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -699,8 +694,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -726,9 +725,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -744,7 +741,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -757,9 +754,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -775,12 +770,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; #else @@ -816,23 +811,21 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut0 = aes128_key_expansion(k, keys_b0); - uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -842,8 +835,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -869,9 +866,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -887,7 +882,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -900,9 +895,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -918,12 +911,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; } @@ -957,23 +950,21 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut0 = aes256_key_expansion(k, keys_b0); - uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -983,8 +974,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1010,9 +1005,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -1028,7 +1021,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -1041,9 +1034,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -1059,12 +1050,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; } @@ -1087,12 +1078,12 @@ EverCrypt_AEAD_encrypt_expand_chacha20_poly1305( uint8_t *tag ) { + KRML_HOST_IGNORE(iv_len); uint8_t ek[32U] = { 0U }; EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }; memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); EverCrypt_AEAD_state_s *s = &p; - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; EverCrypt_Chacha20Poly1305_aead_encrypt(ek0, iv, ad_len, ad, plain_len, plain, cipher, tag); return EverCrypt_Error_Success; } @@ -1182,8 +1173,7 @@ decrypt_aes128_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)304U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -1193,8 +1183,12 @@ decrypt_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1222,7 +1216,7 @@ decrypt_aes128_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut0 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1240,7 +1234,6 @@ decrypt_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } else @@ -1255,7 +1248,7 @@ decrypt_aes128_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut0 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1273,7 +1266,6 @@ decrypt_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1316,8 +1308,7 @@ decrypt_aes256_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)368U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -1327,8 +1318,12 @@ decrypt_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1356,7 +1351,7 @@ decrypt_aes256_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut0 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1374,7 +1369,6 @@ decrypt_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } else @@ -1389,7 +1383,7 @@ decrypt_aes256_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut0 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1407,7 +1401,6 @@ decrypt_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1449,8 +1442,7 @@ decrypt_chacha20_poly1305( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint32_t r = EverCrypt_Chacha20Poly1305_aead_decrypt(ek, iv, ad_len, ad, cipher_len, dst, cipher, tag); if (r == (uint32_t)0U) @@ -1508,8 +1500,7 @@ EverCrypt_AEAD_decrypt( { return EverCrypt_Error_InvalidKey; } - EverCrypt_AEAD_state_s scrut = *s; - Spec_Cipher_Expansion_impl i = scrut.impl; + Spec_Cipher_Expansion_impl i = (*s).impl; switch (i) { case Spec_Cipher_Expansion_Vale_AES128: @@ -1557,8 +1548,8 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut = aes128_key_expansion(k, keys_b0); - uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -1569,8 +1560,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -1580,8 +1570,12 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1609,7 +1603,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1627,7 +1621,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -1642,7 +1635,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1660,7 +1653,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1706,8 +1698,8 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut = aes256_key_expansion(k, keys_b0); - uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -1718,8 +1710,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -1729,8 +1720,12 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1758,7 +1753,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1776,7 +1771,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -1791,7 +1785,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1809,7 +1803,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1854,8 +1847,8 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut = aes128_key_expansion(k, keys_b0); - uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -1866,8 +1859,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -1877,8 +1869,12 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1906,7 +1902,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1924,7 +1920,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -1939,7 +1934,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1957,7 +1952,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -2000,8 +1994,8 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut = aes256_key_expansion(k, keys_b0); - uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -2012,8 +2006,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -2023,8 +2016,12 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -2052,7 +2049,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -2070,7 +2067,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -2085,7 +2081,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -2103,7 +2099,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -2214,8 +2209,7 @@ Cleanup and free the AEAD state. */ void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s) { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; KRML_HOST_FREE(ek); KRML_HOST_FREE(s); } diff --git a/dist/gcc-compatible/EverCrypt_AutoConfig2.c b/dist/gcc-compatible/EverCrypt_AutoConfig2.c index fe93ef8a1e..b549d0201b 100644 --- a/dist/gcc-compatible/EverCrypt_AutoConfig2.c +++ b/dist/gcc-compatible/EverCrypt_AutoConfig2.c @@ -113,75 +113,59 @@ void EverCrypt_AutoConfig2_recall(void) void EverCrypt_AutoConfig2_init(void) { #if HACL_CAN_COMPILE_VALE - uint64_t scrut = check_aesni(); - if (scrut != (uint64_t)0U) + if (check_aesni() != (uint64_t)0U) { cpu_has_aesni[0U] = true; cpu_has_pclmulqdq[0U] = true; } - uint64_t scrut0 = check_sha(); - if (scrut0 != (uint64_t)0U) + if (check_sha() != (uint64_t)0U) { cpu_has_shaext[0U] = true; } - uint64_t scrut1 = check_adx_bmi2(); - if (scrut1 != (uint64_t)0U) + if (check_adx_bmi2() != (uint64_t)0U) { cpu_has_bmi2[0U] = true; cpu_has_adx[0U] = true; } - uint64_t scrut2 = check_avx(); - if (scrut2 != (uint64_t)0U) + if (check_avx() != (uint64_t)0U) { - uint64_t scrut3 = check_osxsave(); - if (scrut3 != (uint64_t)0U) + if (check_osxsave() != (uint64_t)0U) { - uint64_t scrut4 = check_avx_xcr0(); - if (scrut4 != (uint64_t)0U) + if (check_avx_xcr0() != (uint64_t)0U) { cpu_has_avx[0U] = true; } } } - uint64_t scrut3 = check_avx2(); - if (scrut3 != (uint64_t)0U) + if (check_avx2() != (uint64_t)0U) { - uint64_t scrut4 = check_osxsave(); - if (scrut4 != (uint64_t)0U) + if (check_osxsave() != (uint64_t)0U) { - uint64_t scrut5 = check_avx_xcr0(); - if (scrut5 != (uint64_t)0U) + if (check_avx_xcr0() != (uint64_t)0U) { cpu_has_avx2[0U] = true; } } } - uint64_t scrut4 = check_sse(); - if (scrut4 != (uint64_t)0U) + if (check_sse() != (uint64_t)0U) { cpu_has_sse[0U] = true; } - uint64_t scrut5 = check_movbe(); - if (scrut5 != (uint64_t)0U) + if (check_movbe() != (uint64_t)0U) { cpu_has_movbe[0U] = true; } - uint64_t scrut6 = check_rdrand(); - if (scrut6 != (uint64_t)0U) + if (check_rdrand() != (uint64_t)0U) { cpu_has_rdrand[0U] = true; } - uint64_t scrut7 = check_avx512(); - if (scrut7 != (uint64_t)0U) + if (check_avx512() != (uint64_t)0U) { - uint64_t scrut8 = check_osxsave(); - if (scrut8 != (uint64_t)0U) + if (check_osxsave() != (uint64_t)0U) { - uint64_t scrut9 = check_avx_xcr0(); - if (scrut9 != (uint64_t)0U) + if (check_avx_xcr0() != (uint64_t)0U) { - uint64_t scrut10 = check_avx512_xcr0(); - if (scrut10 != (uint64_t)0U) + if (check_avx512_xcr0() != (uint64_t)0U) { cpu_has_avx512[0U] = true; return; diff --git a/dist/gcc-compatible/EverCrypt_DRBG.c b/dist/gcc-compatible/EverCrypt_DRBG.c index f21313e94d..13e517e51b 100644 --- a/dist/gcc-compatible/EverCrypt_DRBG.c +++ b/dist/gcc-compatible/EverCrypt_DRBG.c @@ -92,6 +92,7 @@ EverCrypt_DRBG_uu___is_SHA1_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA1_s) { return true; @@ -105,6 +106,7 @@ EverCrypt_DRBG_uu___is_SHA2_256_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA2_256_s) { return true; @@ -118,6 +120,7 @@ EverCrypt_DRBG_uu___is_SHA2_384_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA2_384_s) { return true; @@ -131,6 +134,7 @@ EverCrypt_DRBG_uu___is_SHA2_512_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA2_512_s) { return true; diff --git a/dist/gcc-compatible/EverCrypt_Hash.c b/dist/gcc-compatible/EverCrypt_Hash.c index 914a105ff7..b88df9e238 100644 --- a/dist/gcc-compatible/EverCrypt_Hash.c +++ b/dist/gcc-compatible/EverCrypt_Hash.c @@ -399,7 +399,7 @@ void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n) if (has_shaext && has_sse) { uint64_t n1 = (uint64_t)n; - uint64_t scrut = sha256_update(s, blocks, n1, k224_256); + KRML_HOST_IGNORE(sha256_update(s, blocks, n1, k224_256)); return; } Hacl_SHA2_Scalar32_sha256_update_nblocks(n * (uint32_t)64U, blocks, s); @@ -2156,8 +2156,7 @@ Perform a run-time test to determine which algorithm was chosen for the given pi Spec_Hash_Definitions_hash_alg EverCrypt_Hash_Incremental_alg_of_state(EverCrypt_Hash_Incremental_hash_state *s) { - EverCrypt_Hash_Incremental_hash_state scrut = *s; - EverCrypt_Hash_state_s *block_state = scrut.block_state; + EverCrypt_Hash_state_s *block_state = (*s).block_state; return alg_of_state(block_state); } diff --git a/dist/gcc-compatible/EverCrypt_Poly1305.c b/dist/gcc-compatible/EverCrypt_Poly1305.c index 717b952793..82ca9b992c 100644 --- a/dist/gcc-compatible/EverCrypt_Poly1305.c +++ b/dist/gcc-compatible/EverCrypt_Poly1305.c @@ -38,19 +38,16 @@ static void poly1305_vale(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key uint8_t tmp[16U] = { 0U }; if (n_extra == (uint32_t)0U) { - uint64_t scrut = x64_poly1305(ctx, src, (uint64_t)len, (uint64_t)1U); - KRML_HOST_IGNORE((void *)(uint8_t)0U); + KRML_HOST_IGNORE(x64_poly1305(ctx, src, (uint64_t)len, (uint64_t)1U)); } else { uint32_t len16 = n_blocks * (uint32_t)16U; uint8_t *src16 = src; memcpy(tmp, src + len16, n_extra * sizeof (uint8_t)); - uint64_t scrut = x64_poly1305(ctx, src16, (uint64_t)len16, (uint64_t)0U); - KRML_HOST_IGNORE((void *)(uint8_t)0U); + KRML_HOST_IGNORE(x64_poly1305(ctx, src16, (uint64_t)len16, (uint64_t)0U)); memcpy(ctx + (uint32_t)24U, key, (uint32_t)32U * sizeof (uint8_t)); - uint64_t scrut0 = x64_poly1305(ctx, tmp, (uint64_t)n_extra, (uint64_t)1U); - KRML_HOST_IGNORE((void *)(uint8_t)0U); + KRML_HOST_IGNORE(x64_poly1305(ctx, tmp, (uint64_t)n_extra, (uint64_t)1U)); } memcpy(dst, ctx, (uint32_t)16U * sizeof (uint8_t)); #endif diff --git a/dist/gcc-compatible/Hacl_Chacha20_Vec128.c b/dist/gcc-compatible/Hacl_Chacha20_Vec128.c index ed112654b5..1e0c4ec1e4 100644 --- a/dist/gcc-compatible/Hacl_Chacha20_Vec128.c +++ b/dist/gcc-compatible/Hacl_Chacha20_Vec128.c @@ -370,9 +370,8 @@ Hacl_Chacha20_Vec128_chacha20_encrypt_128( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)256U; - uint8_t *uu____3 = text + nb * (uint32_t)256U; uint8_t plain[256U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)256U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 k[16U] KRML_POST_ALIGN(16) = { 0U }; chacha20_core_128(k, ctx, nb); Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; @@ -676,9 +675,8 @@ Hacl_Chacha20_Vec128_chacha20_decrypt_128( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)256U; - uint8_t *uu____3 = cipher + nb * (uint32_t)256U; uint8_t plain[256U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)256U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 k[16U] KRML_POST_ALIGN(16) = { 0U }; chacha20_core_128(k, ctx, nb); Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; diff --git a/dist/gcc-compatible/Hacl_Chacha20_Vec256.c b/dist/gcc-compatible/Hacl_Chacha20_Vec256.c index 2df300b620..620f504052 100644 --- a/dist/gcc-compatible/Hacl_Chacha20_Vec256.c +++ b/dist/gcc-compatible/Hacl_Chacha20_Vec256.c @@ -470,9 +470,8 @@ Hacl_Chacha20_Vec256_chacha20_encrypt_256( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)512U; - uint8_t *uu____3 = text + nb * (uint32_t)512U; uint8_t plain[512U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)512U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 k[16U] KRML_POST_ALIGN(32) = { 0U }; chacha20_core_256(k, ctx, nb); Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; @@ -968,9 +967,8 @@ Hacl_Chacha20_Vec256_chacha20_decrypt_256( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)512U; - uint8_t *uu____3 = cipher + nb * (uint32_t)512U; uint8_t plain[512U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)512U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 k[16U] KRML_POST_ALIGN(32) = { 0U }; chacha20_core_256(k, ctx, nb); Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; diff --git a/dist/gcc-compatible/Hacl_Chacha20_Vec32.c b/dist/gcc-compatible/Hacl_Chacha20_Vec32.c index 6f137f39de..2bf4764ca7 100644 --- a/dist/gcc-compatible/Hacl_Chacha20_Vec32.c +++ b/dist/gcc-compatible/Hacl_Chacha20_Vec32.c @@ -229,9 +229,8 @@ Hacl_Chacha20_Vec32_chacha20_encrypt_32( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = text + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k[16U] = { 0U }; chacha20_core_32(k, ctx, nb); KRML_MAYBE_FOR16(i, @@ -279,9 +278,8 @@ Hacl_Chacha20_Vec32_chacha20_decrypt_32( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = cipher + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k[16U] = { 0U }; chacha20_core_32(k, ctx, nb); KRML_MAYBE_FOR16(i, diff --git a/dist/gcc-compatible/Hacl_Curve25519_64.c b/dist/gcc-compatible/Hacl_Curve25519_64.c index 526fbd22f9..fb0974fed6 100644 --- a/dist/gcc-compatible/Hacl_Curve25519_64.c +++ b/dist/gcc-compatible/Hacl_Curve25519_64.c @@ -35,7 +35,7 @@ static inline void add_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) #if HACL_CAN_COMPILE_INLINE_ASM add_scalar(out, f1, f2); #else - uint64_t uu____0 = add_scalar_e(out, f1, f2); + KRML_HOST_IGNORE(add_scalar_e(out, f1, f2)); #endif } @@ -44,7 +44,7 @@ static inline void fadd0(uint64_t *out, uint64_t *f1, uint64_t *f2) #if HACL_CAN_COMPILE_INLINE_ASM fadd(out, f1, f2); #else - uint64_t uu____0 = fadd_e(out, f1, f2); + KRML_HOST_IGNORE(fadd_e(out, f1, f2)); #endif } @@ -53,7 +53,7 @@ static inline void fsub0(uint64_t *out, uint64_t *f1, uint64_t *f2) #if HACL_CAN_COMPILE_INLINE_ASM fsub(out, f1, f2); #else - uint64_t uu____0 = fsub_e(out, f1, f2); + KRML_HOST_IGNORE(fsub_e(out, f1, f2)); #endif } @@ -62,7 +62,7 @@ static inline void fmul0(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tm #if HACL_CAN_COMPILE_INLINE_ASM fmul(out, f1, f2, tmp); #else - uint64_t uu____0 = fmul_e(tmp, f1, out, f2); + KRML_HOST_IGNORE(fmul_e(tmp, f1, out, f2)); #endif } @@ -71,7 +71,7 @@ static inline void fmul20(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *t #if HACL_CAN_COMPILE_INLINE_ASM fmul2(out, f1, f2, tmp); #else - uint64_t uu____0 = fmul2_e(tmp, f1, out, f2); + KRML_HOST_IGNORE(fmul2_e(tmp, f1, out, f2)); #endif } @@ -80,7 +80,7 @@ static inline void fmul_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) #if HACL_CAN_COMPILE_INLINE_ASM fmul_scalar(out, f1, f2); #else - uint64_t uu____0 = fmul_scalar_e(out, f1, f2); + KRML_HOST_IGNORE(fmul_scalar_e(out, f1, f2)); #endif } @@ -89,7 +89,7 @@ static inline void fsqr0(uint64_t *out, uint64_t *f1, uint64_t *tmp) #if HACL_CAN_COMPILE_INLINE_ASM fsqr(out, f1, tmp); #else - uint64_t uu____0 = fsqr_e(tmp, f1, out); + KRML_HOST_IGNORE(fsqr_e(tmp, f1, out)); #endif } @@ -98,7 +98,7 @@ static inline void fsqr20(uint64_t *out, uint64_t *f, uint64_t *tmp) #if HACL_CAN_COMPILE_INLINE_ASM fsqr2(out, f, tmp); #else - uint64_t uu____0 = fsqr2_e(tmp, f, out); + KRML_HOST_IGNORE(fsqr2_e(tmp, f, out)); #endif } @@ -107,7 +107,7 @@ static inline void cswap20(uint64_t bit, uint64_t *p1, uint64_t *p2) #if HACL_CAN_COMPILE_INLINE_ASM cswap2(bit, p1, p2); #else - uint64_t uu____0 = cswap2_e(bit, p1, p2); + KRML_HOST_IGNORE(cswap2_e(bit, p1, p2)); #endif } diff --git a/dist/gcc-compatible/Hacl_Ed25519.c b/dist/gcc-compatible/Hacl_Ed25519.c index 9d7c3bd4de..36113197a2 100644 --- a/dist/gcc-compatible/Hacl_Ed25519.c +++ b/dist/gcc-compatible/Hacl_Ed25519.c @@ -711,65 +711,59 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) FStar_UInt128_uint128 c00 = carry0; FStar_UInt128_uint128 carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z11, c00), (uint32_t)56U); - uint64_t - t100 = - FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z11, c00)) - & (uint64_t)0xffffffffffffffU; + KRML_HOST_IGNORE(FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z11, c00)) + & (uint64_t)0xffffffffffffffU); FStar_UInt128_uint128 c10 = carry1; FStar_UInt128_uint128 carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z21, c10), (uint32_t)56U); - uint64_t - t101 = - FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z21, c10)) - & (uint64_t)0xffffffffffffffU; + KRML_HOST_IGNORE(FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z21, c10)) + & (uint64_t)0xffffffffffffffU); FStar_UInt128_uint128 c20 = carry2; FStar_UInt128_uint128 carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z31, c20), (uint32_t)56U); - uint64_t - t102 = - FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z31, c20)) - & (uint64_t)0xffffffffffffffU; + KRML_HOST_IGNORE(FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z31, c20)) + & (uint64_t)0xffffffffffffffU); FStar_UInt128_uint128 c30 = carry3; FStar_UInt128_uint128 carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z41, c30), (uint32_t)56U); uint64_t - t103 = + t100 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z41, c30)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c40 = carry4; - uint64_t t410 = t103; + uint64_t t410 = t100; FStar_UInt128_uint128 carry5 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z5, c40), (uint32_t)56U); uint64_t - t104 = + t101 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z5, c40)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c5 = carry5; - uint64_t t51 = t104; + uint64_t t51 = t101; FStar_UInt128_uint128 carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z6, c5), (uint32_t)56U); uint64_t - t105 = + t102 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z6, c5)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c6 = carry6; - uint64_t t61 = t105; + uint64_t t61 = t102; FStar_UInt128_uint128 carry7 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z7, c6), (uint32_t)56U); uint64_t - t106 = + t103 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z7, c6)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c7 = carry7; - uint64_t t71 = t106; + uint64_t t71 = t103; FStar_UInt128_uint128 carry8 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z8, c7), (uint32_t)56U); uint64_t - t107 = + t104 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z8, c7)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c8 = carry8; - uint64_t t81 = t107; + uint64_t t81 = t104; uint64_t t91 = FStar_UInt128_uint128_to_uint64(c8); uint64_t qmu4_ = t410; uint64_t qmu5_ = t51; @@ -818,19 +812,19 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(qdiv3, m1); FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(qdiv4, m0); FStar_UInt128_uint128 carry9 = FStar_UInt128_shift_right(xy00, (uint32_t)56U); - uint64_t t108 = FStar_UInt128_uint128_to_uint64(xy00) & (uint64_t)0xffffffffffffffU; + uint64_t t105 = FStar_UInt128_uint128_to_uint64(xy00) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c0 = carry9; - uint64_t t010 = t108; + uint64_t t010 = t105; FStar_UInt128_uint128 carry10 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0), (uint32_t)56U); uint64_t - t109 = + t106 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c11 = carry10; - uint64_t t110 = t109; + uint64_t t110 = t106; FStar_UInt128_uint128 carry11 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, @@ -839,14 +833,14 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) c11), (uint32_t)56U); uint64_t - t1010 = + t107 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, xy11), xy20), c11)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c21 = carry11; - uint64_t t210 = t1010; + uint64_t t210 = t107; FStar_UInt128_uint128 carry = FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, @@ -856,7 +850,7 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) c21), (uint32_t)56U); uint64_t - t1011 = + t108 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, xy12), xy21), @@ -864,7 +858,7 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) c21)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c31 = carry; - uint64_t t310 = t1011; + uint64_t t310 = t108; uint64_t t411 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04, @@ -880,24 +874,24 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) uint64_t qmul3 = t310; uint64_t qmul4 = t411; uint64_t b5 = (r0 - qmul0) >> (uint32_t)63U; - uint64_t t1012 = (b5 << (uint32_t)56U) + r0 - qmul0; + uint64_t t109 = (b5 << (uint32_t)56U) + r0 - qmul0; uint64_t c1 = b5; - uint64_t t011 = t1012; + uint64_t t011 = t109; uint64_t b6 = (r1 - (qmul1 + c1)) >> (uint32_t)63U; - uint64_t t1013 = (b6 << (uint32_t)56U) + r1 - (qmul1 + c1); + uint64_t t1010 = (b6 << (uint32_t)56U) + r1 - (qmul1 + c1); uint64_t c2 = b6; - uint64_t t111 = t1013; + uint64_t t111 = t1010; uint64_t b7 = (r2 - (qmul2 + c2)) >> (uint32_t)63U; - uint64_t t1014 = (b7 << (uint32_t)56U) + r2 - (qmul2 + c2); + uint64_t t1011 = (b7 << (uint32_t)56U) + r2 - (qmul2 + c2); uint64_t c3 = b7; - uint64_t t211 = t1014; + uint64_t t211 = t1011; uint64_t b8 = (r3 - (qmul3 + c3)) >> (uint32_t)63U; - uint64_t t1015 = (b8 << (uint32_t)56U) + r3 - (qmul3 + c3); + uint64_t t1012 = (b8 << (uint32_t)56U) + r3 - (qmul3 + c3); uint64_t c4 = b8; - uint64_t t311 = t1015; + uint64_t t311 = t1012; uint64_t b9 = (r4 - (qmul4 + c4)) >> (uint32_t)63U; - uint64_t t1016 = (b9 << (uint32_t)40U) + r4 - (qmul4 + c4); - uint64_t t412 = t1016; + uint64_t t1013 = (b9 << (uint32_t)40U) + r4 - (qmul4 + c4); + uint64_t t412 = t1013; uint64_t s0 = t011; uint64_t s1 = t111; uint64_t s2 = t211; @@ -914,21 +908,21 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) uint64_t y3 = m31; uint64_t y4 = m41; uint64_t b10 = (s0 - y0) >> (uint32_t)63U; - uint64_t t1017 = (b10 << (uint32_t)56U) + s0 - y0; + uint64_t t1014 = (b10 << (uint32_t)56U) + s0 - y0; uint64_t b0 = b10; - uint64_t t01 = t1017; + uint64_t t01 = t1014; uint64_t b11 = (s1 - (y1 + b0)) >> (uint32_t)63U; - uint64_t t1018 = (b11 << (uint32_t)56U) + s1 - (y1 + b0); + uint64_t t1015 = (b11 << (uint32_t)56U) + s1 - (y1 + b0); uint64_t b1 = b11; - uint64_t t11 = t1018; + uint64_t t11 = t1015; uint64_t b12 = (s2 - (y2 + b1)) >> (uint32_t)63U; - uint64_t t1019 = (b12 << (uint32_t)56U) + s2 - (y2 + b1); + uint64_t t1016 = (b12 << (uint32_t)56U) + s2 - (y2 + b1); uint64_t b2 = b12; - uint64_t t21 = t1019; + uint64_t t21 = t1016; uint64_t b13 = (s3 - (y3 + b2)) >> (uint32_t)63U; - uint64_t t1020 = (b13 << (uint32_t)56U) + s3 - (y3 + b2); + uint64_t t1017 = (b13 << (uint32_t)56U) + s3 - (y3 + b2); uint64_t b3 = b13; - uint64_t t31 = t1020; + uint64_t t31 = t1017; uint64_t b = (s4 - (y4 + b3)) >> (uint32_t)63U; uint64_t t10 = (b << (uint32_t)56U) + s4 - (y4 + b3); uint64_t b4 = b; diff --git a/dist/gcc-compatible/Hacl_FFDHE.c b/dist/gcc-compatible/Hacl_FFDHE.c index 78aaaab6d2..9cf2ddfb8c 100644 --- a/dist/gcc-compatible/Hacl_FFDHE.c +++ b/dist/gcc-compatible/Hacl_FFDHE.c @@ -127,7 +127,6 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui memset(p_n1, 0U, nLen * sizeof (uint64_t)); uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, p_n[0U], (uint64_t)1U, p_n1); - uint64_t c1; if ((uint32_t)1U < nLen) { uint64_t *a1 = p_n + (uint32_t)1U; @@ -159,12 +158,12 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui uint64_t *res_i = res1 + i; c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); } - uint64_t c10 = c; - c1 = c10; + uint64_t c1 = c; + KRML_HOST_IGNORE(c1); } else { - c1 = c0; + KRML_HOST_IGNORE(c0); } KRML_CHECK_SIZE(sizeof (uint64_t), nLen); uint64_t b2[nLen]; diff --git a/dist/gcc-compatible/Hacl_Frodo_KEM.c b/dist/gcc-compatible/Hacl_Frodo_KEM.c index 13db363af5..4265ac0e71 100644 --- a/dist/gcc-compatible/Hacl_Frodo_KEM.c +++ b/dist/gcc-compatible/Hacl_Frodo_KEM.c @@ -30,6 +30,6 @@ void randombytes_(uint32_t len, uint8_t *res) { - bool b = Lib_RandomBuffer_System_randombytes(res, len); + KRML_HOST_IGNORE(Lib_RandomBuffer_System_randombytes(res, len)); } diff --git a/dist/gcc-compatible/Hacl_HMAC_DRBG.c b/dist/gcc-compatible/Hacl_HMAC_DRBG.c index 181a8ef4ab..0a09aaedc7 100644 --- a/dist/gcc-compatible/Hacl_HMAC_DRBG.c +++ b/dist/gcc-compatible/Hacl_HMAC_DRBG.c @@ -71,6 +71,8 @@ uint32_t Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_hash_alg a) bool Hacl_HMAC_DRBG_uu___is_State(Spec_Hash_Definitions_hash_alg a, Hacl_HMAC_DRBG_state projectee) { + KRML_HOST_IGNORE(a); + KRML_HOST_IGNORE(projectee); return true; } @@ -1084,6 +1086,7 @@ Hacl_HMAC_DRBG_generate( void Hacl_HMAC_DRBG_free(Spec_Hash_Definitions_hash_alg uu___, Hacl_HMAC_DRBG_state s) { + KRML_HOST_IGNORE(uu___); uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2.c b/dist/gcc-compatible/Hacl_Hash_Blake2.c index 127e16b5af..afc9ac0711 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2.c @@ -602,6 +602,7 @@ Hacl_Blake2b_32_blake2b_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { FStar_UInt128_uint128 @@ -1305,6 +1306,7 @@ Hacl_Blake2s_32_blake2s_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c b/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c index baf8e38f6e..1e9e38dd2b 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c @@ -325,6 +325,7 @@ Hacl_Blake2b_256_blake2b_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { FStar_UInt128_uint128 diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c b/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c index 2870be7c9e..26a465b6d5 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c @@ -324,6 +324,7 @@ Hacl_Blake2s_128_blake2s_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); diff --git a/dist/gcc-compatible/Hacl_Hash_MD5.c b/dist/gcc-compatible/Hacl_Hash_MD5.c index 1b376960f3..222ac824f0 100644 --- a/dist/gcc-compatible/Hacl_Hash_MD5.c +++ b/dist/gcc-compatible/Hacl_Hash_MD5.c @@ -1218,7 +1218,6 @@ void Hacl_Streaming_MD5_legacy_init(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Hash_Core_MD5_legacy_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/gcc-compatible/Hacl_Hash_SHA1.c b/dist/gcc-compatible/Hacl_Hash_SHA1.c index 80edc0043b..5ecb3c0b3a 100644 --- a/dist/gcc-compatible/Hacl_Hash_SHA1.c +++ b/dist/gcc-compatible/Hacl_Hash_SHA1.c @@ -254,7 +254,6 @@ void Hacl_Streaming_SHA1_legacy_init(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Hash_Core_SHA1_legacy_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/gcc-compatible/Hacl_Hash_SHA2.c b/dist/gcc-compatible/Hacl_Hash_SHA2.c index 46fde83fed..c93c3616a4 100644 --- a/dist/gcc-compatible/Hacl_Hash_SHA2.c +++ b/dist/gcc-compatible/Hacl_Hash_SHA2.c @@ -537,7 +537,6 @@ void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha256_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -836,7 +835,6 @@ void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha224_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -962,7 +960,6 @@ void Hacl_Streaming_SHA2_init_512(Hacl_Streaming_MD_state_64 *s) Hacl_Streaming_MD_state_64 scrut = *s; uint8_t *buf = scrut.buf; uint64_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha512_init(block_state); Hacl_Streaming_MD_state_64 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -1262,7 +1259,6 @@ void Hacl_Streaming_SHA2_init_384(Hacl_Streaming_MD_state_64 *s) Hacl_Streaming_MD_state_64 scrut = *s; uint8_t *buf = scrut.buf; uint64_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha384_init(block_state); Hacl_Streaming_MD_state_64 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/gcc-compatible/Hacl_Hash_SHA3.c b/dist/gcc-compatible/Hacl_Hash_SHA3.c index 5f4707f461..19d13b1b82 100644 --- a/dist/gcc-compatible/Hacl_Hash_SHA3.c +++ b/dist/gcc-compatible/Hacl_Hash_SHA3.c @@ -125,10 +125,9 @@ Hacl_Hash_SHA3_update_last_sha3( if (input_len == len) { Hacl_Impl_SHA3_absorb_inner(len, input, s); - uint8_t *uu____0 = input + input_len; uint8_t lastBlock_[200U] = { 0U }; uint8_t *lastBlock = lastBlock_; - memcpy(lastBlock, uu____0, (uint32_t)0U * sizeof (uint8_t)); + memcpy(lastBlock, input + input_len, (uint32_t)0U * sizeof (uint8_t)); lastBlock[0U] = suffix; Hacl_Impl_SHA3_loadState(len, lastBlock, s); if (!((suffix & (uint8_t)0x80U) == (uint8_t)0U) && (uint32_t)0U == len - (uint32_t)1U) @@ -167,8 +166,7 @@ hash_buf2; Spec_Hash_Definitions_hash_alg Hacl_Streaming_Keccak_get_alg(Hacl_Streaming_Keccak_state *s) { - Hacl_Streaming_Keccak_state scrut = *s; - Hacl_Streaming_Keccak_hash_buf block_state = scrut.block_state; + Hacl_Streaming_Keccak_hash_buf block_state = (*s).block_state; return block_state.fst; } @@ -809,6 +807,7 @@ Hacl_Impl_SHA3_keccak( uint8_t *output ) { + KRML_HOST_IGNORE(capacity); uint32_t rateInBytes = rate / (uint32_t)8U; uint64_t s[25U] = { 0U }; absorb(s, rateInBytes, inputByteLen, input, delimitedSuffix); diff --git a/dist/gcc-compatible/Hacl_K256_ECDSA.c b/dist/gcc-compatible/Hacl_K256_ECDSA.c index fb53f3fd0d..2ffc10604b 100644 --- a/dist/gcc-compatible/Hacl_K256_ECDSA.c +++ b/dist/gcc-compatible/Hacl_K256_ECDSA.c @@ -498,7 +498,7 @@ mul_pow2_256_minus_q_add( uint64_t r = c; tmp[len + i0] = r;); memcpy(res + (uint32_t)2U, a, len * sizeof (uint64_t)); - uint64_t uu____0 = bn_add(resLen, res, len + (uint32_t)2U, tmp, res); + KRML_HOST_IGNORE(bn_add(resLen, res, len + (uint32_t)2U, tmp, res)); uint64_t c = bn_add(resLen, res, (uint32_t)4U, e, res); return c; } @@ -514,15 +514,23 @@ static inline void modq(uint64_t *out, uint64_t *a) uint64_t *t01 = tmp; uint64_t m[7U] = { 0U }; uint64_t p[5U] = { 0U }; - uint64_t - c0 = mul_pow2_256_minus_q_add((uint32_t)4U, (uint32_t)7U, t01, a + (uint32_t)4U, a, m); - uint64_t - c10 = mul_pow2_256_minus_q_add((uint32_t)3U, (uint32_t)5U, t01, m + (uint32_t)4U, m, p); + KRML_HOST_IGNORE(mul_pow2_256_minus_q_add((uint32_t)4U, + (uint32_t)7U, + t01, + a + (uint32_t)4U, + a, + m)); + KRML_HOST_IGNORE(mul_pow2_256_minus_q_add((uint32_t)3U, + (uint32_t)5U, + t01, + m + (uint32_t)4U, + m, + p)); uint64_t c2 = mul_pow2_256_minus_q_add((uint32_t)1U, (uint32_t)4U, t01, p + (uint32_t)4U, p, r); - uint64_t c00 = c2; + uint64_t c0 = c2; uint64_t c1 = add4(r, tmp, out); - uint64_t mask = (uint64_t)0U - (c00 + c1); + uint64_t mask = (uint64_t)0U - (c0 + c1); KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, @@ -612,7 +620,7 @@ static inline void qmul_shift_384(uint64_t *res, uint64_t *a, uint64_t *b) uint64_t *res_i = res1 + i; c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, (uint64_t)0U, res_i);); uint64_t c1 = c; - uint64_t uu____0 = c1; + KRML_HOST_IGNORE(c1); uint64_t flag = l[5U] >> (uint32_t)63U; uint64_t mask = (uint64_t)0U - flag; KRML_MAYBE_FOR4(i, @@ -1223,6 +1231,7 @@ static inline void point_mul_g(uint64_t *out, uint64_t *scalar) (uint64_t)118285133003718U, (uint64_t)434519962075150U, (uint64_t)1114612377498854U, (uint64_t)3488596944003813U, (uint64_t)450716531072892U, (uint64_t)66044973203836U }; + KRML_HOST_IGNORE(q2); uint64_t q3[15U] = { @@ -1232,6 +1241,7 @@ static inline void point_mul_g(uint64_t *out, uint64_t *scalar) (uint64_t)265969268774814U, (uint64_t)1913228635640715U, (uint64_t)2831959046949342U, (uint64_t)888030405442963U, (uint64_t)1817092932985033U, (uint64_t)101515844997121U }; + KRML_HOST_IGNORE(q3); uint64_t q4[15U] = { @@ -1241,6 +1251,7 @@ static inline void point_mul_g(uint64_t *out, uint64_t *scalar) (uint64_t)12245672982162U, (uint64_t)2119364213800870U, (uint64_t)2034960311715107U, (uint64_t)3172697815804487U, (uint64_t)4185144850224160U, (uint64_t)2792055915674U }; + KRML_HOST_IGNORE(q4); uint64_t *r1 = scalar; uint64_t *r2 = scalar + (uint32_t)1U; uint64_t *r3 = scalar + (uint32_t)2U; @@ -1605,6 +1616,7 @@ Hacl_K256_ECDSA_ecdsa_sign_hashed_msg( ) { uint64_t oneq[4U] = { (uint64_t)0x1U, (uint64_t)0x0U, (uint64_t)0x0U, (uint64_t)0x0U }; + KRML_HOST_IGNORE(oneq); uint64_t rsdk_q[16U] = { 0U }; uint64_t *r_q = rsdk_q; uint64_t *s_q = rsdk_q + (uint32_t)4U; diff --git a/dist/gcc-compatible/Hacl_RSAPSS.c b/dist/gcc-compatible/Hacl_RSAPSS.c index 19d4e5b4ca..ceb9a6f0ae 100644 --- a/dist/gcc-compatible/Hacl_RSAPSS.c +++ b/dist/gcc-compatible/Hacl_RSAPSS.c @@ -404,9 +404,9 @@ load_skey( Sign a message `msg` and write the signature to `sgnt`. @param a Hash algorithm to use. Allowed values for `a` are ... - * Spec_Hash_Definitions_SHA2_256, - * Spec_Hash_Definitions_SHA2_384, and - * Spec_Hash_Definitions_SHA2_512. + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. @@ -518,7 +518,10 @@ Hacl_RSAPSS_rsapss_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param pkey Pointer to public key created by `Hacl_RSAPSS_new_rsapss_load_pkey`. @@ -637,10 +640,10 @@ Load a public key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. -@return Returns an allocated public key. Note: caller must take care to `free()` the created key. +@return Returns an allocated public key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb) @@ -707,11 +710,11 @@ Load a secret key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. -@return Returns an allocated secret key. Note: caller must take care to `free()` the created key. +@return Returns an allocated secret key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_skey( @@ -804,13 +807,16 @@ uint64_t /** Sign a message `msg` and write the signature to `sgnt`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param salt Pointer to `saltLen` bytes where the salt is read from. @param msgLen Length of message. @@ -873,11 +879,14 @@ Hacl_RSAPSS_rsapss_skey_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param sgntLen Length of signature. @param sgnt Pointer to `sgntLen` bytes where the signature is read from. diff --git a/dist/gcc-compatible/Hacl_RSAPSS.h b/dist/gcc-compatible/Hacl_RSAPSS.h index 8f4de9492d..90bd69ce50 100644 --- a/dist/gcc-compatible/Hacl_RSAPSS.h +++ b/dist/gcc-compatible/Hacl_RSAPSS.h @@ -43,9 +43,9 @@ extern "C" { Sign a message `msg` and write the signature to `sgnt`. @param a Hash algorithm to use. Allowed values for `a` are ... - * Spec_Hash_Definitions_SHA2_256, - * Spec_Hash_Definitions_SHA2_384, and - * Spec_Hash_Definitions_SHA2_512. + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. @@ -75,7 +75,10 @@ Hacl_RSAPSS_rsapss_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param pkey Pointer to public key created by `Hacl_RSAPSS_new_rsapss_load_pkey`. @@ -105,10 +108,10 @@ Load a public key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. -@return Returns an allocated public key. Note: caller must take care to `free()` the created key. +@return Returns an allocated public key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb); @@ -119,11 +122,11 @@ Load a secret key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. -@return Returns an allocated secret key. Note: caller must take care to `free()` the created key. +@return Returns an allocated secret key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_skey( @@ -138,13 +141,16 @@ uint64_t /** Sign a message `msg` and write the signature to `sgnt`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param salt Pointer to `saltLen` bytes where the salt is read from. @param msgLen Length of message. @@ -172,11 +178,14 @@ Hacl_RSAPSS_rsapss_skey_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param sgntLen Length of signature. @param sgnt Pointer to `sgntLen` bytes where the signature is read from. diff --git a/dist/gcc-compatible/Hacl_Salsa20.c b/dist/gcc-compatible/Hacl_Salsa20.c index e157d5ef21..2758f8a4dd 100644 --- a/dist/gcc-compatible/Hacl_Salsa20.c +++ b/dist/gcc-compatible/Hacl_Salsa20.c @@ -181,6 +181,7 @@ salsa20_encrypt( memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); ctx[15U] = (uint32_t)0x6b206574U; uint32_t k[16U] = { 0U }; + KRML_HOST_IGNORE(k); uint32_t rem = len % (uint32_t)64U; uint32_t nb = len / (uint32_t)64U; uint32_t rem1 = len % (uint32_t)64U; @@ -217,9 +218,8 @@ salsa20_encrypt( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = text + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k1[16U] = { 0U }; salsa20_core(k1, ctx, nb); uint32_t bl[16U] = { 0U }; @@ -294,6 +294,7 @@ salsa20_decrypt( memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); ctx[15U] = (uint32_t)0x6b206574U; uint32_t k[16U] = { 0U }; + KRML_HOST_IGNORE(k); uint32_t rem = len % (uint32_t)64U; uint32_t nb = len / (uint32_t)64U; uint32_t rem1 = len % (uint32_t)64U; @@ -330,9 +331,8 @@ salsa20_decrypt( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = cipher + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k1[16U] = { 0U }; salsa20_core(k1, ctx, nb); uint32_t bl[16U] = { 0U }; diff --git a/dist/gcc-compatible/Hacl_Streaming_Blake2.c b/dist/gcc-compatible/Hacl_Streaming_Blake2.c index 4faa859e0e..948d56c2de 100644 --- a/dist/gcc-compatible/Hacl_Streaming_Blake2.c +++ b/dist/gcc-compatible/Hacl_Streaming_Blake2.c @@ -54,7 +54,6 @@ void Hacl_Streaming_Blake2_blake2s_32_no_key_init(Hacl_Streaming_Blake2_blake2s_ Hacl_Streaming_Blake2_blake2s_32_state scrut = *s1; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2s_32_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); Hacl_Streaming_Blake2_blake2s_32_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -354,7 +353,6 @@ void Hacl_Streaming_Blake2_blake2b_32_no_key_init(Hacl_Streaming_Blake2_blake2b_ Hacl_Streaming_Blake2_blake2b_32_state scrut = *s1; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2b_32_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); Hacl_Streaming_Blake2_blake2b_32_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/gcc-compatible/Hacl_Streaming_Blake2b_256.c b/dist/gcc-compatible/Hacl_Streaming_Blake2b_256.c index d2df234a15..bdb5433f83 100644 --- a/dist/gcc-compatible/Hacl_Streaming_Blake2b_256.c +++ b/dist/gcc-compatible/Hacl_Streaming_Blake2b_256.c @@ -66,7 +66,6 @@ Hacl_Streaming_Blake2b_256_blake2b_256_no_key_init( Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *s; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2b_256_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); Hacl_Streaming_Blake2b_256_blake2b_256_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/gcc-compatible/Hacl_Streaming_Blake2s_128.c b/dist/gcc-compatible/Hacl_Streaming_Blake2s_128.c index eaace7ce30..f97bf5d054 100644 --- a/dist/gcc-compatible/Hacl_Streaming_Blake2s_128.c +++ b/dist/gcc-compatible/Hacl_Streaming_Blake2s_128.c @@ -66,7 +66,6 @@ Hacl_Streaming_Blake2s_128_blake2s_128_no_key_init( Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *s; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2s_128_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); Hacl_Streaming_Blake2s_128_blake2s_128_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/gcc-compatible/Hacl_Streaming_Poly1305_128.c b/dist/gcc-compatible/Hacl_Streaming_Poly1305_128.c index c752cfb063..c3f7c19ae1 100644 --- a/dist/gcc-compatible/Hacl_Streaming_Poly1305_128.c +++ b/dist/gcc-compatible/Hacl_Streaming_Poly1305_128.c @@ -58,7 +58,6 @@ Hacl_Streaming_Poly1305_128_init(uint8_t *k, Hacl_Streaming_Poly1305_128_poly130 uint8_t *k_ = scrut.p_key; uint8_t *buf = scrut.buf; Lib_IntVector_Intrinsics_vec128 *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Poly1305_128_poly1305_init(block_state, k); memcpy(k_, k, (uint32_t)32U * sizeof (uint8_t)); uint8_t *k_1 = k_; @@ -312,7 +311,7 @@ Hacl_Streaming_Poly1305_128_finish( { ite1 = r % (uint32_t)16U; } - uint64_t prev_len_last = total_len - (uint64_t)ite1; + KRML_HOST_IGNORE(total_len - (uint64_t)ite1); uint32_t ite2; if (r % (uint32_t)16U == (uint32_t)0U && r > (uint32_t)0U) { diff --git a/dist/gcc-compatible/Hacl_Streaming_Poly1305_256.c b/dist/gcc-compatible/Hacl_Streaming_Poly1305_256.c index c1915ed9b7..e56275a4f3 100644 --- a/dist/gcc-compatible/Hacl_Streaming_Poly1305_256.c +++ b/dist/gcc-compatible/Hacl_Streaming_Poly1305_256.c @@ -58,7 +58,6 @@ Hacl_Streaming_Poly1305_256_init(uint8_t *k, Hacl_Streaming_Poly1305_256_poly130 uint8_t *k_ = scrut.p_key; uint8_t *buf = scrut.buf; Lib_IntVector_Intrinsics_vec256 *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Poly1305_256_poly1305_init(block_state, k); memcpy(k_, k, (uint32_t)32U * sizeof (uint8_t)); uint8_t *k_1 = k_; @@ -312,7 +311,7 @@ Hacl_Streaming_Poly1305_256_finish( { ite1 = r % (uint32_t)16U; } - uint64_t prev_len_last = total_len - (uint64_t)ite1; + KRML_HOST_IGNORE(total_len - (uint64_t)ite1); uint32_t ite2; if (r % (uint32_t)16U == (uint32_t)0U && r > (uint32_t)0U) { diff --git a/dist/gcc-compatible/Hacl_Streaming_Poly1305_32.c b/dist/gcc-compatible/Hacl_Streaming_Poly1305_32.c index 89852727fd..249a622fe1 100644 --- a/dist/gcc-compatible/Hacl_Streaming_Poly1305_32.c +++ b/dist/gcc-compatible/Hacl_Streaming_Poly1305_32.c @@ -53,7 +53,6 @@ Hacl_Streaming_Poly1305_32_init(uint8_t *k, Hacl_Streaming_Poly1305_32_poly1305_ uint8_t *k_ = scrut.p_key; uint8_t *buf = scrut.buf; uint64_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Poly1305_32_poly1305_init(block_state, k); memcpy(k_, k, (uint32_t)32U * sizeof (uint8_t)); uint8_t *k_1 = k_; diff --git a/dist/gcc-compatible/INFO.txt b/dist/gcc-compatible/INFO.txt index 7ed8e74ac6..f1a6a25e9c 100644 --- a/dist/gcc-compatible/INFO.txt +++ b/dist/gcc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. -F* version: 155853a14336aa0713dba7db5408f4c8ab512a06 -KaRaMeL version: db63c1de17565be0ec4989f58532717a04e3ff40 +F* version: bc622701c668f6b4092760879372968265d4a4e1 +KaRaMeL version: aef72b2b5a44b338b856a177819d1bfa0d7cc5b6 Vale version: 0.3.19 diff --git a/dist/gcc-compatible/internal/Hacl_Bignum25519_51.h b/dist/gcc-compatible/internal/Hacl_Bignum25519_51.h index 9fe5e9fc1b..25a1050313 100644 --- a/dist/gcc-compatible/internal/Hacl_Bignum25519_51.h +++ b/dist/gcc-compatible/internal/Hacl_Bignum25519_51.h @@ -84,6 +84,7 @@ Hacl_Impl_Curve25519_Field51_fmul( FStar_UInt128_uint128 *uu___ ) { + KRML_HOST_IGNORE(uu___); uint64_t f10 = f1[0U]; uint64_t f11 = f1[1U]; uint64_t f12 = f1[2U]; @@ -167,6 +168,7 @@ Hacl_Impl_Curve25519_Field51_fmul2( FStar_UInt128_uint128 *uu___ ) { + KRML_HOST_IGNORE(uu___); uint64_t f10 = f1[0U]; uint64_t f11 = f1[1U]; uint64_t f12 = f1[2U]; @@ -371,6 +373,7 @@ static inline void Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uint64_t *f static inline void Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) { + KRML_HOST_IGNORE(uu___); uint64_t f0 = f[0U]; uint64_t f1 = f[1U]; uint64_t f2 = f[2U]; @@ -446,6 +449,7 @@ Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint static inline void Hacl_Impl_Curve25519_Field51_fsqr2(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) { + KRML_HOST_IGNORE(uu___); uint64_t f10 = f[0U]; uint64_t f11 = f[1U]; uint64_t f12 = f[2U]; diff --git a/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h b/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h index e40304b25b..ae109004fa 100644 --- a/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h +++ b/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h @@ -110,7 +110,7 @@ inline static uint128_t FStar_UInt128_mul_wide(uint64_t x, uint64_t y) { inline static uint128_t FStar_UInt128_eq_mask(uint128_t x, uint128_t y) { uint64_t mask = FStar_UInt64_eq_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)) & - FStar_UInt64_eq_mask(x, y); + FStar_UInt64_eq_mask((uint64_t)x, (uint64_t)y); return ((uint128_t)mask) << 64 | mask; } @@ -118,7 +118,7 @@ inline static uint128_t FStar_UInt128_gte_mask(uint128_t x, uint128_t y) { uint64_t mask = (FStar_UInt64_gte_mask(x >> 64, y >> 64) & ~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) | - (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask(x, y)); + (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask((uint64_t)x, (uint64_t)y)); return ((uint128_t)mask) << 64 | mask; } diff --git a/dist/msvc-compatible/EverCrypt_AEAD.c b/dist/msvc-compatible/EverCrypt_AEAD.c index 564dbc2ece..21039bd4c9 100644 --- a/dist/msvc-compatible/EverCrypt_AEAD.c +++ b/dist/msvc-compatible/EverCrypt_AEAD.c @@ -46,6 +46,8 @@ The state may be reused as many times as desired. */ bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s projectee) { + KRML_HOST_IGNORE(a); + KRML_HOST_IGNORE(projectee); return true; } @@ -58,8 +60,7 @@ Return the algorithm used in the AEAD state. */ Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s) { - EverCrypt_AEAD_state_s scrut = *s; - Spec_Cipher_Expansion_impl impl = scrut.impl; + Spec_Cipher_Expansion_impl impl = (*s).impl; switch (impl) { case Spec_Cipher_Expansion_Hacl_CHACHA20: @@ -108,8 +109,8 @@ create_in_aes128_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)480U, sizeof (uint8_t)); uint8_t *keys_b = ek; uint8_t *hkeys_b = ek + (uint32_t)176U; - uint64_t scrut = aes128_key_expansion(k, keys_b); - uint64_t scrut0 = aes128_keyhash_init(keys_b, hkeys_b); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b, hkeys_b)); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }); @@ -136,8 +137,8 @@ create_in_aes256_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)544U, sizeof (uint8_t)); uint8_t *keys_b = ek; uint8_t *hkeys_b = ek + (uint32_t)240U; - uint64_t scrut = aes256_key_expansion(k, keys_b); - uint64_t scrut0 = aes256_keyhash_init(keys_b, hkeys_b); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b, hkeys_b)); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }); @@ -212,8 +213,7 @@ encrypt_aes128_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)304U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -223,8 +223,12 @@ encrypt_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -250,9 +254,7 @@ encrypt_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut0 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -268,7 +270,7 @@ encrypt_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -281,9 +283,7 @@ encrypt_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut0 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -299,7 +299,7 @@ encrypt_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, @@ -336,8 +336,7 @@ encrypt_aes256_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)368U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -347,8 +346,12 @@ encrypt_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -374,9 +377,7 @@ encrypt_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut0 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -392,7 +393,7 @@ encrypt_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -405,9 +406,7 @@ encrypt_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut0 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -423,7 +422,7 @@ encrypt_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, @@ -529,23 +528,21 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut0 = aes128_key_expansion(k, keys_b0); - uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -555,8 +552,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -582,9 +583,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -600,7 +599,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -613,9 +612,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -631,12 +628,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; #else @@ -673,23 +670,21 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut0 = aes256_key_expansion(k, keys_b0); - uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -699,8 +694,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -726,9 +725,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -744,7 +741,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -757,9 +754,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -775,12 +770,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; #else @@ -816,23 +811,21 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut0 = aes128_key_expansion(k, keys_b0); - uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -842,8 +835,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -869,9 +866,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -887,7 +882,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -900,9 +895,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -918,12 +911,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; } @@ -957,23 +950,21 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut0 = aes256_key_expansion(k, keys_b0); - uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -983,8 +974,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1010,9 +1005,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -1028,7 +1021,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -1041,9 +1034,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -1059,12 +1050,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; } @@ -1087,12 +1078,12 @@ EverCrypt_AEAD_encrypt_expand_chacha20_poly1305( uint8_t *tag ) { + KRML_HOST_IGNORE(iv_len); uint8_t ek[32U] = { 0U }; EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }; memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); EverCrypt_AEAD_state_s *s = &p; - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; EverCrypt_Chacha20Poly1305_aead_encrypt(ek0, iv, ad_len, ad, plain_len, plain, cipher, tag); return EverCrypt_Error_Success; } @@ -1182,8 +1173,7 @@ decrypt_aes128_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)304U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -1193,8 +1183,12 @@ decrypt_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1222,7 +1216,7 @@ decrypt_aes128_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut0 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1240,7 +1234,6 @@ decrypt_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } else @@ -1255,7 +1248,7 @@ decrypt_aes128_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut0 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1273,7 +1266,6 @@ decrypt_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1316,8 +1308,7 @@ decrypt_aes256_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)368U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -1327,8 +1318,12 @@ decrypt_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1356,7 +1351,7 @@ decrypt_aes256_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut0 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1374,7 +1369,6 @@ decrypt_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } else @@ -1389,7 +1383,7 @@ decrypt_aes256_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut0 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1407,7 +1401,6 @@ decrypt_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1449,8 +1442,7 @@ decrypt_chacha20_poly1305( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint32_t r = EverCrypt_Chacha20Poly1305_aead_decrypt(ek, iv, ad_len, ad, cipher_len, dst, cipher, tag); if (r == (uint32_t)0U) @@ -1508,8 +1500,7 @@ EverCrypt_AEAD_decrypt( { return EverCrypt_Error_InvalidKey; } - EverCrypt_AEAD_state_s scrut = *s; - Spec_Cipher_Expansion_impl i = scrut.impl; + Spec_Cipher_Expansion_impl i = (*s).impl; switch (i) { case Spec_Cipher_Expansion_Vale_AES128: @@ -1557,8 +1548,8 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut = aes128_key_expansion(k, keys_b0); - uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -1569,8 +1560,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -1580,8 +1570,12 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1609,7 +1603,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1627,7 +1621,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -1642,7 +1635,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1660,7 +1653,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1706,8 +1698,8 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut = aes256_key_expansion(k, keys_b0); - uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -1718,8 +1710,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -1729,8 +1720,12 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1758,7 +1753,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1776,7 +1771,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -1791,7 +1785,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1809,7 +1803,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1854,8 +1847,8 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut = aes128_key_expansion(k, keys_b0); - uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -1866,8 +1859,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -1877,8 +1869,12 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1906,7 +1902,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1924,7 +1920,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -1939,7 +1934,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1957,7 +1952,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -2000,8 +1994,8 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut = aes256_key_expansion(k, keys_b0); - uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -2012,8 +2006,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -2023,8 +2016,12 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -2052,7 +2049,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -2070,7 +2067,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -2085,7 +2081,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -2103,7 +2099,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -2214,8 +2209,7 @@ Cleanup and free the AEAD state. */ void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s) { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; KRML_HOST_FREE(ek); KRML_HOST_FREE(s); } diff --git a/dist/msvc-compatible/EverCrypt_AutoConfig2.c b/dist/msvc-compatible/EverCrypt_AutoConfig2.c index fe93ef8a1e..b549d0201b 100644 --- a/dist/msvc-compatible/EverCrypt_AutoConfig2.c +++ b/dist/msvc-compatible/EverCrypt_AutoConfig2.c @@ -113,75 +113,59 @@ void EverCrypt_AutoConfig2_recall(void) void EverCrypt_AutoConfig2_init(void) { #if HACL_CAN_COMPILE_VALE - uint64_t scrut = check_aesni(); - if (scrut != (uint64_t)0U) + if (check_aesni() != (uint64_t)0U) { cpu_has_aesni[0U] = true; cpu_has_pclmulqdq[0U] = true; } - uint64_t scrut0 = check_sha(); - if (scrut0 != (uint64_t)0U) + if (check_sha() != (uint64_t)0U) { cpu_has_shaext[0U] = true; } - uint64_t scrut1 = check_adx_bmi2(); - if (scrut1 != (uint64_t)0U) + if (check_adx_bmi2() != (uint64_t)0U) { cpu_has_bmi2[0U] = true; cpu_has_adx[0U] = true; } - uint64_t scrut2 = check_avx(); - if (scrut2 != (uint64_t)0U) + if (check_avx() != (uint64_t)0U) { - uint64_t scrut3 = check_osxsave(); - if (scrut3 != (uint64_t)0U) + if (check_osxsave() != (uint64_t)0U) { - uint64_t scrut4 = check_avx_xcr0(); - if (scrut4 != (uint64_t)0U) + if (check_avx_xcr0() != (uint64_t)0U) { cpu_has_avx[0U] = true; } } } - uint64_t scrut3 = check_avx2(); - if (scrut3 != (uint64_t)0U) + if (check_avx2() != (uint64_t)0U) { - uint64_t scrut4 = check_osxsave(); - if (scrut4 != (uint64_t)0U) + if (check_osxsave() != (uint64_t)0U) { - uint64_t scrut5 = check_avx_xcr0(); - if (scrut5 != (uint64_t)0U) + if (check_avx_xcr0() != (uint64_t)0U) { cpu_has_avx2[0U] = true; } } } - uint64_t scrut4 = check_sse(); - if (scrut4 != (uint64_t)0U) + if (check_sse() != (uint64_t)0U) { cpu_has_sse[0U] = true; } - uint64_t scrut5 = check_movbe(); - if (scrut5 != (uint64_t)0U) + if (check_movbe() != (uint64_t)0U) { cpu_has_movbe[0U] = true; } - uint64_t scrut6 = check_rdrand(); - if (scrut6 != (uint64_t)0U) + if (check_rdrand() != (uint64_t)0U) { cpu_has_rdrand[0U] = true; } - uint64_t scrut7 = check_avx512(); - if (scrut7 != (uint64_t)0U) + if (check_avx512() != (uint64_t)0U) { - uint64_t scrut8 = check_osxsave(); - if (scrut8 != (uint64_t)0U) + if (check_osxsave() != (uint64_t)0U) { - uint64_t scrut9 = check_avx_xcr0(); - if (scrut9 != (uint64_t)0U) + if (check_avx_xcr0() != (uint64_t)0U) { - uint64_t scrut10 = check_avx512_xcr0(); - if (scrut10 != (uint64_t)0U) + if (check_avx512_xcr0() != (uint64_t)0U) { cpu_has_avx512[0U] = true; return; diff --git a/dist/msvc-compatible/EverCrypt_DRBG.c b/dist/msvc-compatible/EverCrypt_DRBG.c index 243d8eb4df..9591823cf4 100644 --- a/dist/msvc-compatible/EverCrypt_DRBG.c +++ b/dist/msvc-compatible/EverCrypt_DRBG.c @@ -92,6 +92,7 @@ EverCrypt_DRBG_uu___is_SHA1_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA1_s) { return true; @@ -105,6 +106,7 @@ EverCrypt_DRBG_uu___is_SHA2_256_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA2_256_s) { return true; @@ -118,6 +120,7 @@ EverCrypt_DRBG_uu___is_SHA2_384_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA2_384_s) { return true; @@ -131,6 +134,7 @@ EverCrypt_DRBG_uu___is_SHA2_512_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA2_512_s) { return true; diff --git a/dist/msvc-compatible/EverCrypt_Hash.c b/dist/msvc-compatible/EverCrypt_Hash.c index 914a105ff7..b88df9e238 100644 --- a/dist/msvc-compatible/EverCrypt_Hash.c +++ b/dist/msvc-compatible/EverCrypt_Hash.c @@ -399,7 +399,7 @@ void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n) if (has_shaext && has_sse) { uint64_t n1 = (uint64_t)n; - uint64_t scrut = sha256_update(s, blocks, n1, k224_256); + KRML_HOST_IGNORE(sha256_update(s, blocks, n1, k224_256)); return; } Hacl_SHA2_Scalar32_sha256_update_nblocks(n * (uint32_t)64U, blocks, s); @@ -2156,8 +2156,7 @@ Perform a run-time test to determine which algorithm was chosen for the given pi Spec_Hash_Definitions_hash_alg EverCrypt_Hash_Incremental_alg_of_state(EverCrypt_Hash_Incremental_hash_state *s) { - EverCrypt_Hash_Incremental_hash_state scrut = *s; - EverCrypt_Hash_state_s *block_state = scrut.block_state; + EverCrypt_Hash_state_s *block_state = (*s).block_state; return alg_of_state(block_state); } diff --git a/dist/msvc-compatible/EverCrypt_Poly1305.c b/dist/msvc-compatible/EverCrypt_Poly1305.c index 717b952793..82ca9b992c 100644 --- a/dist/msvc-compatible/EverCrypt_Poly1305.c +++ b/dist/msvc-compatible/EverCrypt_Poly1305.c @@ -38,19 +38,16 @@ static void poly1305_vale(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key uint8_t tmp[16U] = { 0U }; if (n_extra == (uint32_t)0U) { - uint64_t scrut = x64_poly1305(ctx, src, (uint64_t)len, (uint64_t)1U); - KRML_HOST_IGNORE((void *)(uint8_t)0U); + KRML_HOST_IGNORE(x64_poly1305(ctx, src, (uint64_t)len, (uint64_t)1U)); } else { uint32_t len16 = n_blocks * (uint32_t)16U; uint8_t *src16 = src; memcpy(tmp, src + len16, n_extra * sizeof (uint8_t)); - uint64_t scrut = x64_poly1305(ctx, src16, (uint64_t)len16, (uint64_t)0U); - KRML_HOST_IGNORE((void *)(uint8_t)0U); + KRML_HOST_IGNORE(x64_poly1305(ctx, src16, (uint64_t)len16, (uint64_t)0U)); memcpy(ctx + (uint32_t)24U, key, (uint32_t)32U * sizeof (uint8_t)); - uint64_t scrut0 = x64_poly1305(ctx, tmp, (uint64_t)n_extra, (uint64_t)1U); - KRML_HOST_IGNORE((void *)(uint8_t)0U); + KRML_HOST_IGNORE(x64_poly1305(ctx, tmp, (uint64_t)n_extra, (uint64_t)1U)); } memcpy(dst, ctx, (uint32_t)16U * sizeof (uint8_t)); #endif diff --git a/dist/msvc-compatible/Hacl_Chacha20_Vec128.c b/dist/msvc-compatible/Hacl_Chacha20_Vec128.c index ed112654b5..1e0c4ec1e4 100644 --- a/dist/msvc-compatible/Hacl_Chacha20_Vec128.c +++ b/dist/msvc-compatible/Hacl_Chacha20_Vec128.c @@ -370,9 +370,8 @@ Hacl_Chacha20_Vec128_chacha20_encrypt_128( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)256U; - uint8_t *uu____3 = text + nb * (uint32_t)256U; uint8_t plain[256U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)256U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 k[16U] KRML_POST_ALIGN(16) = { 0U }; chacha20_core_128(k, ctx, nb); Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; @@ -676,9 +675,8 @@ Hacl_Chacha20_Vec128_chacha20_decrypt_128( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)256U; - uint8_t *uu____3 = cipher + nb * (uint32_t)256U; uint8_t plain[256U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)256U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 k[16U] KRML_POST_ALIGN(16) = { 0U }; chacha20_core_128(k, ctx, nb); Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; diff --git a/dist/msvc-compatible/Hacl_Chacha20_Vec256.c b/dist/msvc-compatible/Hacl_Chacha20_Vec256.c index 2df300b620..620f504052 100644 --- a/dist/msvc-compatible/Hacl_Chacha20_Vec256.c +++ b/dist/msvc-compatible/Hacl_Chacha20_Vec256.c @@ -470,9 +470,8 @@ Hacl_Chacha20_Vec256_chacha20_encrypt_256( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)512U; - uint8_t *uu____3 = text + nb * (uint32_t)512U; uint8_t plain[512U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)512U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 k[16U] KRML_POST_ALIGN(32) = { 0U }; chacha20_core_256(k, ctx, nb); Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; @@ -968,9 +967,8 @@ Hacl_Chacha20_Vec256_chacha20_decrypt_256( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)512U; - uint8_t *uu____3 = cipher + nb * (uint32_t)512U; uint8_t plain[512U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)512U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 k[16U] KRML_POST_ALIGN(32) = { 0U }; chacha20_core_256(k, ctx, nb); Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; diff --git a/dist/msvc-compatible/Hacl_Chacha20_Vec32.c b/dist/msvc-compatible/Hacl_Chacha20_Vec32.c index 6f137f39de..2bf4764ca7 100644 --- a/dist/msvc-compatible/Hacl_Chacha20_Vec32.c +++ b/dist/msvc-compatible/Hacl_Chacha20_Vec32.c @@ -229,9 +229,8 @@ Hacl_Chacha20_Vec32_chacha20_encrypt_32( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = text + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k[16U] = { 0U }; chacha20_core_32(k, ctx, nb); KRML_MAYBE_FOR16(i, @@ -279,9 +278,8 @@ Hacl_Chacha20_Vec32_chacha20_decrypt_32( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = cipher + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k[16U] = { 0U }; chacha20_core_32(k, ctx, nb); KRML_MAYBE_FOR16(i, diff --git a/dist/msvc-compatible/Hacl_Curve25519_64.c b/dist/msvc-compatible/Hacl_Curve25519_64.c index 526fbd22f9..fb0974fed6 100644 --- a/dist/msvc-compatible/Hacl_Curve25519_64.c +++ b/dist/msvc-compatible/Hacl_Curve25519_64.c @@ -35,7 +35,7 @@ static inline void add_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) #if HACL_CAN_COMPILE_INLINE_ASM add_scalar(out, f1, f2); #else - uint64_t uu____0 = add_scalar_e(out, f1, f2); + KRML_HOST_IGNORE(add_scalar_e(out, f1, f2)); #endif } @@ -44,7 +44,7 @@ static inline void fadd0(uint64_t *out, uint64_t *f1, uint64_t *f2) #if HACL_CAN_COMPILE_INLINE_ASM fadd(out, f1, f2); #else - uint64_t uu____0 = fadd_e(out, f1, f2); + KRML_HOST_IGNORE(fadd_e(out, f1, f2)); #endif } @@ -53,7 +53,7 @@ static inline void fsub0(uint64_t *out, uint64_t *f1, uint64_t *f2) #if HACL_CAN_COMPILE_INLINE_ASM fsub(out, f1, f2); #else - uint64_t uu____0 = fsub_e(out, f1, f2); + KRML_HOST_IGNORE(fsub_e(out, f1, f2)); #endif } @@ -62,7 +62,7 @@ static inline void fmul0(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tm #if HACL_CAN_COMPILE_INLINE_ASM fmul(out, f1, f2, tmp); #else - uint64_t uu____0 = fmul_e(tmp, f1, out, f2); + KRML_HOST_IGNORE(fmul_e(tmp, f1, out, f2)); #endif } @@ -71,7 +71,7 @@ static inline void fmul20(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *t #if HACL_CAN_COMPILE_INLINE_ASM fmul2(out, f1, f2, tmp); #else - uint64_t uu____0 = fmul2_e(tmp, f1, out, f2); + KRML_HOST_IGNORE(fmul2_e(tmp, f1, out, f2)); #endif } @@ -80,7 +80,7 @@ static inline void fmul_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) #if HACL_CAN_COMPILE_INLINE_ASM fmul_scalar(out, f1, f2); #else - uint64_t uu____0 = fmul_scalar_e(out, f1, f2); + KRML_HOST_IGNORE(fmul_scalar_e(out, f1, f2)); #endif } @@ -89,7 +89,7 @@ static inline void fsqr0(uint64_t *out, uint64_t *f1, uint64_t *tmp) #if HACL_CAN_COMPILE_INLINE_ASM fsqr(out, f1, tmp); #else - uint64_t uu____0 = fsqr_e(tmp, f1, out); + KRML_HOST_IGNORE(fsqr_e(tmp, f1, out)); #endif } @@ -98,7 +98,7 @@ static inline void fsqr20(uint64_t *out, uint64_t *f, uint64_t *tmp) #if HACL_CAN_COMPILE_INLINE_ASM fsqr2(out, f, tmp); #else - uint64_t uu____0 = fsqr2_e(tmp, f, out); + KRML_HOST_IGNORE(fsqr2_e(tmp, f, out)); #endif } @@ -107,7 +107,7 @@ static inline void cswap20(uint64_t bit, uint64_t *p1, uint64_t *p2) #if HACL_CAN_COMPILE_INLINE_ASM cswap2(bit, p1, p2); #else - uint64_t uu____0 = cswap2_e(bit, p1, p2); + KRML_HOST_IGNORE(cswap2_e(bit, p1, p2)); #endif } diff --git a/dist/msvc-compatible/Hacl_Ed25519.c b/dist/msvc-compatible/Hacl_Ed25519.c index 9d7c3bd4de..36113197a2 100644 --- a/dist/msvc-compatible/Hacl_Ed25519.c +++ b/dist/msvc-compatible/Hacl_Ed25519.c @@ -711,65 +711,59 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) FStar_UInt128_uint128 c00 = carry0; FStar_UInt128_uint128 carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z11, c00), (uint32_t)56U); - uint64_t - t100 = - FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z11, c00)) - & (uint64_t)0xffffffffffffffU; + KRML_HOST_IGNORE(FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z11, c00)) + & (uint64_t)0xffffffffffffffU); FStar_UInt128_uint128 c10 = carry1; FStar_UInt128_uint128 carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z21, c10), (uint32_t)56U); - uint64_t - t101 = - FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z21, c10)) - & (uint64_t)0xffffffffffffffU; + KRML_HOST_IGNORE(FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z21, c10)) + & (uint64_t)0xffffffffffffffU); FStar_UInt128_uint128 c20 = carry2; FStar_UInt128_uint128 carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z31, c20), (uint32_t)56U); - uint64_t - t102 = - FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z31, c20)) - & (uint64_t)0xffffffffffffffU; + KRML_HOST_IGNORE(FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z31, c20)) + & (uint64_t)0xffffffffffffffU); FStar_UInt128_uint128 c30 = carry3; FStar_UInt128_uint128 carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z41, c30), (uint32_t)56U); uint64_t - t103 = + t100 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z41, c30)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c40 = carry4; - uint64_t t410 = t103; + uint64_t t410 = t100; FStar_UInt128_uint128 carry5 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z5, c40), (uint32_t)56U); uint64_t - t104 = + t101 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z5, c40)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c5 = carry5; - uint64_t t51 = t104; + uint64_t t51 = t101; FStar_UInt128_uint128 carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z6, c5), (uint32_t)56U); uint64_t - t105 = + t102 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z6, c5)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c6 = carry6; - uint64_t t61 = t105; + uint64_t t61 = t102; FStar_UInt128_uint128 carry7 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z7, c6), (uint32_t)56U); uint64_t - t106 = + t103 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z7, c6)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c7 = carry7; - uint64_t t71 = t106; + uint64_t t71 = t103; FStar_UInt128_uint128 carry8 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z8, c7), (uint32_t)56U); uint64_t - t107 = + t104 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z8, c7)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c8 = carry8; - uint64_t t81 = t107; + uint64_t t81 = t104; uint64_t t91 = FStar_UInt128_uint128_to_uint64(c8); uint64_t qmu4_ = t410; uint64_t qmu5_ = t51; @@ -818,19 +812,19 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(qdiv3, m1); FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(qdiv4, m0); FStar_UInt128_uint128 carry9 = FStar_UInt128_shift_right(xy00, (uint32_t)56U); - uint64_t t108 = FStar_UInt128_uint128_to_uint64(xy00) & (uint64_t)0xffffffffffffffU; + uint64_t t105 = FStar_UInt128_uint128_to_uint64(xy00) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c0 = carry9; - uint64_t t010 = t108; + uint64_t t010 = t105; FStar_UInt128_uint128 carry10 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0), (uint32_t)56U); uint64_t - t109 = + t106 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c11 = carry10; - uint64_t t110 = t109; + uint64_t t110 = t106; FStar_UInt128_uint128 carry11 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, @@ -839,14 +833,14 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) c11), (uint32_t)56U); uint64_t - t1010 = + t107 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, xy11), xy20), c11)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c21 = carry11; - uint64_t t210 = t1010; + uint64_t t210 = t107; FStar_UInt128_uint128 carry = FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, @@ -856,7 +850,7 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) c21), (uint32_t)56U); uint64_t - t1011 = + t108 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, xy12), xy21), @@ -864,7 +858,7 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) c21)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c31 = carry; - uint64_t t310 = t1011; + uint64_t t310 = t108; uint64_t t411 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04, @@ -880,24 +874,24 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) uint64_t qmul3 = t310; uint64_t qmul4 = t411; uint64_t b5 = (r0 - qmul0) >> (uint32_t)63U; - uint64_t t1012 = (b5 << (uint32_t)56U) + r0 - qmul0; + uint64_t t109 = (b5 << (uint32_t)56U) + r0 - qmul0; uint64_t c1 = b5; - uint64_t t011 = t1012; + uint64_t t011 = t109; uint64_t b6 = (r1 - (qmul1 + c1)) >> (uint32_t)63U; - uint64_t t1013 = (b6 << (uint32_t)56U) + r1 - (qmul1 + c1); + uint64_t t1010 = (b6 << (uint32_t)56U) + r1 - (qmul1 + c1); uint64_t c2 = b6; - uint64_t t111 = t1013; + uint64_t t111 = t1010; uint64_t b7 = (r2 - (qmul2 + c2)) >> (uint32_t)63U; - uint64_t t1014 = (b7 << (uint32_t)56U) + r2 - (qmul2 + c2); + uint64_t t1011 = (b7 << (uint32_t)56U) + r2 - (qmul2 + c2); uint64_t c3 = b7; - uint64_t t211 = t1014; + uint64_t t211 = t1011; uint64_t b8 = (r3 - (qmul3 + c3)) >> (uint32_t)63U; - uint64_t t1015 = (b8 << (uint32_t)56U) + r3 - (qmul3 + c3); + uint64_t t1012 = (b8 << (uint32_t)56U) + r3 - (qmul3 + c3); uint64_t c4 = b8; - uint64_t t311 = t1015; + uint64_t t311 = t1012; uint64_t b9 = (r4 - (qmul4 + c4)) >> (uint32_t)63U; - uint64_t t1016 = (b9 << (uint32_t)40U) + r4 - (qmul4 + c4); - uint64_t t412 = t1016; + uint64_t t1013 = (b9 << (uint32_t)40U) + r4 - (qmul4 + c4); + uint64_t t412 = t1013; uint64_t s0 = t011; uint64_t s1 = t111; uint64_t s2 = t211; @@ -914,21 +908,21 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) uint64_t y3 = m31; uint64_t y4 = m41; uint64_t b10 = (s0 - y0) >> (uint32_t)63U; - uint64_t t1017 = (b10 << (uint32_t)56U) + s0 - y0; + uint64_t t1014 = (b10 << (uint32_t)56U) + s0 - y0; uint64_t b0 = b10; - uint64_t t01 = t1017; + uint64_t t01 = t1014; uint64_t b11 = (s1 - (y1 + b0)) >> (uint32_t)63U; - uint64_t t1018 = (b11 << (uint32_t)56U) + s1 - (y1 + b0); + uint64_t t1015 = (b11 << (uint32_t)56U) + s1 - (y1 + b0); uint64_t b1 = b11; - uint64_t t11 = t1018; + uint64_t t11 = t1015; uint64_t b12 = (s2 - (y2 + b1)) >> (uint32_t)63U; - uint64_t t1019 = (b12 << (uint32_t)56U) + s2 - (y2 + b1); + uint64_t t1016 = (b12 << (uint32_t)56U) + s2 - (y2 + b1); uint64_t b2 = b12; - uint64_t t21 = t1019; + uint64_t t21 = t1016; uint64_t b13 = (s3 - (y3 + b2)) >> (uint32_t)63U; - uint64_t t1020 = (b13 << (uint32_t)56U) + s3 - (y3 + b2); + uint64_t t1017 = (b13 << (uint32_t)56U) + s3 - (y3 + b2); uint64_t b3 = b13; - uint64_t t31 = t1020; + uint64_t t31 = t1017; uint64_t b = (s4 - (y4 + b3)) >> (uint32_t)63U; uint64_t t10 = (b << (uint32_t)56U) + s4 - (y4 + b3); uint64_t b4 = b; diff --git a/dist/msvc-compatible/Hacl_FFDHE.c b/dist/msvc-compatible/Hacl_FFDHE.c index 53b87f7332..bc77dbdcd5 100644 --- a/dist/msvc-compatible/Hacl_FFDHE.c +++ b/dist/msvc-compatible/Hacl_FFDHE.c @@ -127,7 +127,6 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui memset(p_n1, 0U, nLen * sizeof (uint64_t)); uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, p_n[0U], (uint64_t)1U, p_n1); - uint64_t c1; if ((uint32_t)1U < nLen) { uint64_t *a1 = p_n + (uint32_t)1U; @@ -159,12 +158,12 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui uint64_t *res_i = res1 + i; c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); } - uint64_t c10 = c; - c1 = c10; + uint64_t c1 = c; + KRML_HOST_IGNORE(c1); } else { - c1 = c0; + KRML_HOST_IGNORE(c0); } KRML_CHECK_SIZE(sizeof (uint64_t), nLen); uint64_t *b2 = (uint64_t *)alloca(nLen * sizeof (uint64_t)); diff --git a/dist/msvc-compatible/Hacl_Frodo_KEM.c b/dist/msvc-compatible/Hacl_Frodo_KEM.c index 13db363af5..4265ac0e71 100644 --- a/dist/msvc-compatible/Hacl_Frodo_KEM.c +++ b/dist/msvc-compatible/Hacl_Frodo_KEM.c @@ -30,6 +30,6 @@ void randombytes_(uint32_t len, uint8_t *res) { - bool b = Lib_RandomBuffer_System_randombytes(res, len); + KRML_HOST_IGNORE(Lib_RandomBuffer_System_randombytes(res, len)); } diff --git a/dist/msvc-compatible/Hacl_HMAC_DRBG.c b/dist/msvc-compatible/Hacl_HMAC_DRBG.c index 93e47dc94b..b3acf3547e 100644 --- a/dist/msvc-compatible/Hacl_HMAC_DRBG.c +++ b/dist/msvc-compatible/Hacl_HMAC_DRBG.c @@ -71,6 +71,8 @@ uint32_t Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_hash_alg a) bool Hacl_HMAC_DRBG_uu___is_State(Spec_Hash_Definitions_hash_alg a, Hacl_HMAC_DRBG_state projectee) { + KRML_HOST_IGNORE(a); + KRML_HOST_IGNORE(projectee); return true; } @@ -1104,6 +1106,7 @@ Hacl_HMAC_DRBG_generate( void Hacl_HMAC_DRBG_free(Spec_Hash_Definitions_hash_alg uu___, Hacl_HMAC_DRBG_state s) { + KRML_HOST_IGNORE(uu___); uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2.c b/dist/msvc-compatible/Hacl_Hash_Blake2.c index 127e16b5af..afc9ac0711 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2.c @@ -602,6 +602,7 @@ Hacl_Blake2b_32_blake2b_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { FStar_UInt128_uint128 @@ -1305,6 +1306,7 @@ Hacl_Blake2s_32_blake2s_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c b/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c index baf8e38f6e..1e9e38dd2b 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c @@ -325,6 +325,7 @@ Hacl_Blake2b_256_blake2b_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { FStar_UInt128_uint128 diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c b/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c index 2870be7c9e..26a465b6d5 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c @@ -324,6 +324,7 @@ Hacl_Blake2s_128_blake2s_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); diff --git a/dist/msvc-compatible/Hacl_Hash_MD5.c b/dist/msvc-compatible/Hacl_Hash_MD5.c index 1b376960f3..222ac824f0 100644 --- a/dist/msvc-compatible/Hacl_Hash_MD5.c +++ b/dist/msvc-compatible/Hacl_Hash_MD5.c @@ -1218,7 +1218,6 @@ void Hacl_Streaming_MD5_legacy_init(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Hash_Core_MD5_legacy_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/msvc-compatible/Hacl_Hash_SHA1.c b/dist/msvc-compatible/Hacl_Hash_SHA1.c index 80edc0043b..5ecb3c0b3a 100644 --- a/dist/msvc-compatible/Hacl_Hash_SHA1.c +++ b/dist/msvc-compatible/Hacl_Hash_SHA1.c @@ -254,7 +254,6 @@ void Hacl_Streaming_SHA1_legacy_init(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Hash_Core_SHA1_legacy_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/msvc-compatible/Hacl_Hash_SHA2.c b/dist/msvc-compatible/Hacl_Hash_SHA2.c index 46fde83fed..c93c3616a4 100644 --- a/dist/msvc-compatible/Hacl_Hash_SHA2.c +++ b/dist/msvc-compatible/Hacl_Hash_SHA2.c @@ -537,7 +537,6 @@ void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha256_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -836,7 +835,6 @@ void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha224_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -962,7 +960,6 @@ void Hacl_Streaming_SHA2_init_512(Hacl_Streaming_MD_state_64 *s) Hacl_Streaming_MD_state_64 scrut = *s; uint8_t *buf = scrut.buf; uint64_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha512_init(block_state); Hacl_Streaming_MD_state_64 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -1262,7 +1259,6 @@ void Hacl_Streaming_SHA2_init_384(Hacl_Streaming_MD_state_64 *s) Hacl_Streaming_MD_state_64 scrut = *s; uint8_t *buf = scrut.buf; uint64_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha384_init(block_state); Hacl_Streaming_MD_state_64 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/msvc-compatible/Hacl_Hash_SHA3.c b/dist/msvc-compatible/Hacl_Hash_SHA3.c index 5f4707f461..19d13b1b82 100644 --- a/dist/msvc-compatible/Hacl_Hash_SHA3.c +++ b/dist/msvc-compatible/Hacl_Hash_SHA3.c @@ -125,10 +125,9 @@ Hacl_Hash_SHA3_update_last_sha3( if (input_len == len) { Hacl_Impl_SHA3_absorb_inner(len, input, s); - uint8_t *uu____0 = input + input_len; uint8_t lastBlock_[200U] = { 0U }; uint8_t *lastBlock = lastBlock_; - memcpy(lastBlock, uu____0, (uint32_t)0U * sizeof (uint8_t)); + memcpy(lastBlock, input + input_len, (uint32_t)0U * sizeof (uint8_t)); lastBlock[0U] = suffix; Hacl_Impl_SHA3_loadState(len, lastBlock, s); if (!((suffix & (uint8_t)0x80U) == (uint8_t)0U) && (uint32_t)0U == len - (uint32_t)1U) @@ -167,8 +166,7 @@ hash_buf2; Spec_Hash_Definitions_hash_alg Hacl_Streaming_Keccak_get_alg(Hacl_Streaming_Keccak_state *s) { - Hacl_Streaming_Keccak_state scrut = *s; - Hacl_Streaming_Keccak_hash_buf block_state = scrut.block_state; + Hacl_Streaming_Keccak_hash_buf block_state = (*s).block_state; return block_state.fst; } @@ -809,6 +807,7 @@ Hacl_Impl_SHA3_keccak( uint8_t *output ) { + KRML_HOST_IGNORE(capacity); uint32_t rateInBytes = rate / (uint32_t)8U; uint64_t s[25U] = { 0U }; absorb(s, rateInBytes, inputByteLen, input, delimitedSuffix); diff --git a/dist/msvc-compatible/Hacl_K256_ECDSA.c b/dist/msvc-compatible/Hacl_K256_ECDSA.c index 19395653ea..c5dda43f7c 100644 --- a/dist/msvc-compatible/Hacl_K256_ECDSA.c +++ b/dist/msvc-compatible/Hacl_K256_ECDSA.c @@ -498,7 +498,7 @@ mul_pow2_256_minus_q_add( uint64_t r = c; tmp[len + i0] = r;); memcpy(res + (uint32_t)2U, a, len * sizeof (uint64_t)); - uint64_t uu____0 = bn_add(resLen, res, len + (uint32_t)2U, tmp, res); + KRML_HOST_IGNORE(bn_add(resLen, res, len + (uint32_t)2U, tmp, res)); uint64_t c = bn_add(resLen, res, (uint32_t)4U, e, res); return c; } @@ -514,15 +514,23 @@ static inline void modq(uint64_t *out, uint64_t *a) uint64_t *t01 = tmp; uint64_t m[7U] = { 0U }; uint64_t p[5U] = { 0U }; - uint64_t - c0 = mul_pow2_256_minus_q_add((uint32_t)4U, (uint32_t)7U, t01, a + (uint32_t)4U, a, m); - uint64_t - c10 = mul_pow2_256_minus_q_add((uint32_t)3U, (uint32_t)5U, t01, m + (uint32_t)4U, m, p); + KRML_HOST_IGNORE(mul_pow2_256_minus_q_add((uint32_t)4U, + (uint32_t)7U, + t01, + a + (uint32_t)4U, + a, + m)); + KRML_HOST_IGNORE(mul_pow2_256_minus_q_add((uint32_t)3U, + (uint32_t)5U, + t01, + m + (uint32_t)4U, + m, + p)); uint64_t c2 = mul_pow2_256_minus_q_add((uint32_t)1U, (uint32_t)4U, t01, p + (uint32_t)4U, p, r); - uint64_t c00 = c2; + uint64_t c0 = c2; uint64_t c1 = add4(r, tmp, out); - uint64_t mask = (uint64_t)0U - (c00 + c1); + uint64_t mask = (uint64_t)0U - (c0 + c1); KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, @@ -612,7 +620,7 @@ static inline void qmul_shift_384(uint64_t *res, uint64_t *a, uint64_t *b) uint64_t *res_i = res1 + i; c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, (uint64_t)0U, res_i);); uint64_t c1 = c; - uint64_t uu____0 = c1; + KRML_HOST_IGNORE(c1); uint64_t flag = l[5U] >> (uint32_t)63U; uint64_t mask = (uint64_t)0U - flag; KRML_MAYBE_FOR4(i, @@ -1223,6 +1231,7 @@ static inline void point_mul_g(uint64_t *out, uint64_t *scalar) (uint64_t)118285133003718U, (uint64_t)434519962075150U, (uint64_t)1114612377498854U, (uint64_t)3488596944003813U, (uint64_t)450716531072892U, (uint64_t)66044973203836U }; + KRML_HOST_IGNORE(q2); uint64_t q3[15U] = { @@ -1232,6 +1241,7 @@ static inline void point_mul_g(uint64_t *out, uint64_t *scalar) (uint64_t)265969268774814U, (uint64_t)1913228635640715U, (uint64_t)2831959046949342U, (uint64_t)888030405442963U, (uint64_t)1817092932985033U, (uint64_t)101515844997121U }; + KRML_HOST_IGNORE(q3); uint64_t q4[15U] = { @@ -1241,6 +1251,7 @@ static inline void point_mul_g(uint64_t *out, uint64_t *scalar) (uint64_t)12245672982162U, (uint64_t)2119364213800870U, (uint64_t)2034960311715107U, (uint64_t)3172697815804487U, (uint64_t)4185144850224160U, (uint64_t)2792055915674U }; + KRML_HOST_IGNORE(q4); uint64_t *r1 = scalar; uint64_t *r2 = scalar + (uint32_t)1U; uint64_t *r3 = scalar + (uint32_t)2U; @@ -1605,6 +1616,7 @@ Hacl_K256_ECDSA_ecdsa_sign_hashed_msg( ) { uint64_t oneq[4U] = { (uint64_t)0x1U, (uint64_t)0x0U, (uint64_t)0x0U, (uint64_t)0x0U }; + KRML_HOST_IGNORE(oneq); uint64_t rsdk_q[16U] = { 0U }; uint64_t *r_q = rsdk_q; uint64_t *s_q = rsdk_q + (uint32_t)4U; diff --git a/dist/msvc-compatible/Hacl_RSAPSS.c b/dist/msvc-compatible/Hacl_RSAPSS.c index ce2fb517bd..084f10b38b 100644 --- a/dist/msvc-compatible/Hacl_RSAPSS.c +++ b/dist/msvc-compatible/Hacl_RSAPSS.c @@ -404,9 +404,9 @@ load_skey( Sign a message `msg` and write the signature to `sgnt`. @param a Hash algorithm to use. Allowed values for `a` are ... - * Spec_Hash_Definitions_SHA2_256, - * Spec_Hash_Definitions_SHA2_384, and - * Spec_Hash_Definitions_SHA2_512. + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. @@ -518,7 +518,10 @@ Hacl_RSAPSS_rsapss_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param pkey Pointer to public key created by `Hacl_RSAPSS_new_rsapss_load_pkey`. @@ -637,10 +640,10 @@ Load a public key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. -@return Returns an allocated public key. Note: caller must take care to `free()` the created key. +@return Returns an allocated public key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb) @@ -707,11 +710,11 @@ Load a secret key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. -@return Returns an allocated secret key. Note: caller must take care to `free()` the created key. +@return Returns an allocated secret key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_skey( @@ -804,13 +807,16 @@ uint64_t /** Sign a message `msg` and write the signature to `sgnt`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param salt Pointer to `saltLen` bytes where the salt is read from. @param msgLen Length of message. @@ -875,11 +881,14 @@ Hacl_RSAPSS_rsapss_skey_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param sgntLen Length of signature. @param sgnt Pointer to `sgntLen` bytes where the signature is read from. diff --git a/dist/msvc-compatible/Hacl_RSAPSS.h b/dist/msvc-compatible/Hacl_RSAPSS.h index 8f4de9492d..90bd69ce50 100644 --- a/dist/msvc-compatible/Hacl_RSAPSS.h +++ b/dist/msvc-compatible/Hacl_RSAPSS.h @@ -43,9 +43,9 @@ extern "C" { Sign a message `msg` and write the signature to `sgnt`. @param a Hash algorithm to use. Allowed values for `a` are ... - * Spec_Hash_Definitions_SHA2_256, - * Spec_Hash_Definitions_SHA2_384, and - * Spec_Hash_Definitions_SHA2_512. + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. @@ -75,7 +75,10 @@ Hacl_RSAPSS_rsapss_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param pkey Pointer to public key created by `Hacl_RSAPSS_new_rsapss_load_pkey`. @@ -105,10 +108,10 @@ Load a public key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. -@return Returns an allocated public key. Note: caller must take care to `free()` the created key. +@return Returns an allocated public key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb); @@ -119,11 +122,11 @@ Load a secret key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. -@return Returns an allocated secret key. Note: caller must take care to `free()` the created key. +@return Returns an allocated secret key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_skey( @@ -138,13 +141,16 @@ uint64_t /** Sign a message `msg` and write the signature to `sgnt`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param salt Pointer to `saltLen` bytes where the salt is read from. @param msgLen Length of message. @@ -172,11 +178,14 @@ Hacl_RSAPSS_rsapss_skey_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param sgntLen Length of signature. @param sgnt Pointer to `sgntLen` bytes where the signature is read from. diff --git a/dist/msvc-compatible/Hacl_Salsa20.c b/dist/msvc-compatible/Hacl_Salsa20.c index e157d5ef21..2758f8a4dd 100644 --- a/dist/msvc-compatible/Hacl_Salsa20.c +++ b/dist/msvc-compatible/Hacl_Salsa20.c @@ -181,6 +181,7 @@ salsa20_encrypt( memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); ctx[15U] = (uint32_t)0x6b206574U; uint32_t k[16U] = { 0U }; + KRML_HOST_IGNORE(k); uint32_t rem = len % (uint32_t)64U; uint32_t nb = len / (uint32_t)64U; uint32_t rem1 = len % (uint32_t)64U; @@ -217,9 +218,8 @@ salsa20_encrypt( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = text + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k1[16U] = { 0U }; salsa20_core(k1, ctx, nb); uint32_t bl[16U] = { 0U }; @@ -294,6 +294,7 @@ salsa20_decrypt( memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); ctx[15U] = (uint32_t)0x6b206574U; uint32_t k[16U] = { 0U }; + KRML_HOST_IGNORE(k); uint32_t rem = len % (uint32_t)64U; uint32_t nb = len / (uint32_t)64U; uint32_t rem1 = len % (uint32_t)64U; @@ -330,9 +331,8 @@ salsa20_decrypt( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = cipher + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k1[16U] = { 0U }; salsa20_core(k1, ctx, nb); uint32_t bl[16U] = { 0U }; diff --git a/dist/msvc-compatible/Hacl_Streaming_Blake2.c b/dist/msvc-compatible/Hacl_Streaming_Blake2.c index 4faa859e0e..948d56c2de 100644 --- a/dist/msvc-compatible/Hacl_Streaming_Blake2.c +++ b/dist/msvc-compatible/Hacl_Streaming_Blake2.c @@ -54,7 +54,6 @@ void Hacl_Streaming_Blake2_blake2s_32_no_key_init(Hacl_Streaming_Blake2_blake2s_ Hacl_Streaming_Blake2_blake2s_32_state scrut = *s1; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2s_32_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); Hacl_Streaming_Blake2_blake2s_32_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -354,7 +353,6 @@ void Hacl_Streaming_Blake2_blake2b_32_no_key_init(Hacl_Streaming_Blake2_blake2b_ Hacl_Streaming_Blake2_blake2b_32_state scrut = *s1; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2b_32_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); Hacl_Streaming_Blake2_blake2b_32_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/msvc-compatible/Hacl_Streaming_Blake2b_256.c b/dist/msvc-compatible/Hacl_Streaming_Blake2b_256.c index d2df234a15..bdb5433f83 100644 --- a/dist/msvc-compatible/Hacl_Streaming_Blake2b_256.c +++ b/dist/msvc-compatible/Hacl_Streaming_Blake2b_256.c @@ -66,7 +66,6 @@ Hacl_Streaming_Blake2b_256_blake2b_256_no_key_init( Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *s; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2b_256_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); Hacl_Streaming_Blake2b_256_blake2b_256_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/msvc-compatible/Hacl_Streaming_Blake2s_128.c b/dist/msvc-compatible/Hacl_Streaming_Blake2s_128.c index eaace7ce30..f97bf5d054 100644 --- a/dist/msvc-compatible/Hacl_Streaming_Blake2s_128.c +++ b/dist/msvc-compatible/Hacl_Streaming_Blake2s_128.c @@ -66,7 +66,6 @@ Hacl_Streaming_Blake2s_128_blake2s_128_no_key_init( Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *s; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2s_128_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); Hacl_Streaming_Blake2s_128_blake2s_128_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/msvc-compatible/Hacl_Streaming_Poly1305_128.c b/dist/msvc-compatible/Hacl_Streaming_Poly1305_128.c index c752cfb063..c3f7c19ae1 100644 --- a/dist/msvc-compatible/Hacl_Streaming_Poly1305_128.c +++ b/dist/msvc-compatible/Hacl_Streaming_Poly1305_128.c @@ -58,7 +58,6 @@ Hacl_Streaming_Poly1305_128_init(uint8_t *k, Hacl_Streaming_Poly1305_128_poly130 uint8_t *k_ = scrut.p_key; uint8_t *buf = scrut.buf; Lib_IntVector_Intrinsics_vec128 *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Poly1305_128_poly1305_init(block_state, k); memcpy(k_, k, (uint32_t)32U * sizeof (uint8_t)); uint8_t *k_1 = k_; @@ -312,7 +311,7 @@ Hacl_Streaming_Poly1305_128_finish( { ite1 = r % (uint32_t)16U; } - uint64_t prev_len_last = total_len - (uint64_t)ite1; + KRML_HOST_IGNORE(total_len - (uint64_t)ite1); uint32_t ite2; if (r % (uint32_t)16U == (uint32_t)0U && r > (uint32_t)0U) { diff --git a/dist/msvc-compatible/Hacl_Streaming_Poly1305_256.c b/dist/msvc-compatible/Hacl_Streaming_Poly1305_256.c index c1915ed9b7..e56275a4f3 100644 --- a/dist/msvc-compatible/Hacl_Streaming_Poly1305_256.c +++ b/dist/msvc-compatible/Hacl_Streaming_Poly1305_256.c @@ -58,7 +58,6 @@ Hacl_Streaming_Poly1305_256_init(uint8_t *k, Hacl_Streaming_Poly1305_256_poly130 uint8_t *k_ = scrut.p_key; uint8_t *buf = scrut.buf; Lib_IntVector_Intrinsics_vec256 *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Poly1305_256_poly1305_init(block_state, k); memcpy(k_, k, (uint32_t)32U * sizeof (uint8_t)); uint8_t *k_1 = k_; @@ -312,7 +311,7 @@ Hacl_Streaming_Poly1305_256_finish( { ite1 = r % (uint32_t)16U; } - uint64_t prev_len_last = total_len - (uint64_t)ite1; + KRML_HOST_IGNORE(total_len - (uint64_t)ite1); uint32_t ite2; if (r % (uint32_t)16U == (uint32_t)0U && r > (uint32_t)0U) { diff --git a/dist/msvc-compatible/Hacl_Streaming_Poly1305_32.c b/dist/msvc-compatible/Hacl_Streaming_Poly1305_32.c index 89852727fd..249a622fe1 100644 --- a/dist/msvc-compatible/Hacl_Streaming_Poly1305_32.c +++ b/dist/msvc-compatible/Hacl_Streaming_Poly1305_32.c @@ -53,7 +53,6 @@ Hacl_Streaming_Poly1305_32_init(uint8_t *k, Hacl_Streaming_Poly1305_32_poly1305_ uint8_t *k_ = scrut.p_key; uint8_t *buf = scrut.buf; uint64_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Poly1305_32_poly1305_init(block_state, k); memcpy(k_, k, (uint32_t)32U * sizeof (uint8_t)); uint8_t *k_1 = k_; diff --git a/dist/msvc-compatible/INFO.txt b/dist/msvc-compatible/INFO.txt index 7ed8e74ac6..f1a6a25e9c 100644 --- a/dist/msvc-compatible/INFO.txt +++ b/dist/msvc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. -F* version: 155853a14336aa0713dba7db5408f4c8ab512a06 -KaRaMeL version: db63c1de17565be0ec4989f58532717a04e3ff40 +F* version: bc622701c668f6b4092760879372968265d4a4e1 +KaRaMeL version: aef72b2b5a44b338b856a177819d1bfa0d7cc5b6 Vale version: 0.3.19 diff --git a/dist/msvc-compatible/internal/Hacl_Bignum25519_51.h b/dist/msvc-compatible/internal/Hacl_Bignum25519_51.h index 9fe5e9fc1b..25a1050313 100644 --- a/dist/msvc-compatible/internal/Hacl_Bignum25519_51.h +++ b/dist/msvc-compatible/internal/Hacl_Bignum25519_51.h @@ -84,6 +84,7 @@ Hacl_Impl_Curve25519_Field51_fmul( FStar_UInt128_uint128 *uu___ ) { + KRML_HOST_IGNORE(uu___); uint64_t f10 = f1[0U]; uint64_t f11 = f1[1U]; uint64_t f12 = f1[2U]; @@ -167,6 +168,7 @@ Hacl_Impl_Curve25519_Field51_fmul2( FStar_UInt128_uint128 *uu___ ) { + KRML_HOST_IGNORE(uu___); uint64_t f10 = f1[0U]; uint64_t f11 = f1[1U]; uint64_t f12 = f1[2U]; @@ -371,6 +373,7 @@ static inline void Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uint64_t *f static inline void Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) { + KRML_HOST_IGNORE(uu___); uint64_t f0 = f[0U]; uint64_t f1 = f[1U]; uint64_t f2 = f[2U]; @@ -446,6 +449,7 @@ Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint static inline void Hacl_Impl_Curve25519_Field51_fsqr2(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) { + KRML_HOST_IGNORE(uu___); uint64_t f10 = f[0U]; uint64_t f11 = f[1U]; uint64_t f12 = f[2U]; diff --git a/dist/portable-gcc-compatible/EverCrypt_AEAD.c b/dist/portable-gcc-compatible/EverCrypt_AEAD.c index 84bf62f0e1..98dfe7d2cb 100644 --- a/dist/portable-gcc-compatible/EverCrypt_AEAD.c +++ b/dist/portable-gcc-compatible/EverCrypt_AEAD.c @@ -52,6 +52,8 @@ The state may be reused as many times as desired. */ bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_state_s projectee) { + KRML_HOST_IGNORE(a); + KRML_HOST_IGNORE(projectee); return true; } @@ -68,8 +70,7 @@ Return the algorithm used in the AEAD state. */ Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s) { - EverCrypt_AEAD_state_s scrut = *s; - Spec_Cipher_Expansion_impl impl = scrut.impl; + Spec_Cipher_Expansion_impl impl = (*s).impl; switch (impl) { case Spec_Cipher_Expansion_Hacl_CHACHA20: @@ -126,8 +127,8 @@ create_in_aes128_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)480U, sizeof (uint8_t)); uint8_t *keys_b = ek; uint8_t *hkeys_b = ek + (uint32_t)176U; - uint64_t scrut = aes128_key_expansion(k, keys_b); - uint64_t scrut0 = aes128_keyhash_init(keys_b, hkeys_b); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b, hkeys_b)); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }); @@ -158,8 +159,8 @@ create_in_aes256_gcm(EverCrypt_AEAD_state_s **dst, uint8_t *k) uint8_t *ek = (uint8_t *)KRML_HOST_CALLOC((uint32_t)544U, sizeof (uint8_t)); uint8_t *keys_b = ek; uint8_t *hkeys_b = ek + (uint32_t)240U; - uint64_t scrut = aes256_key_expansion(k, keys_b); - uint64_t scrut0 = aes256_keyhash_init(keys_b, hkeys_b); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b, hkeys_b)); EverCrypt_AEAD_state_s *p = (EverCrypt_AEAD_state_s *)KRML_HOST_MALLOC(sizeof (EverCrypt_AEAD_state_s)); p[0U] = ((EverCrypt_AEAD_state_s){ .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }); @@ -242,8 +243,7 @@ encrypt_aes128_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)304U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -253,8 +253,12 @@ encrypt_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -280,9 +284,7 @@ encrypt_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut0 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -298,7 +300,7 @@ encrypt_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -311,9 +313,7 @@ encrypt_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut0 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -329,7 +329,7 @@ encrypt_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, @@ -370,8 +370,7 @@ encrypt_aes256_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)368U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -381,8 +380,12 @@ encrypt_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -408,9 +411,7 @@ encrypt_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut0 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -426,7 +427,7 @@ encrypt_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -439,9 +440,7 @@ encrypt_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut0 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -457,7 +456,7 @@ encrypt_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, @@ -571,23 +570,21 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut0 = aes128_key_expansion(k, keys_b0); - uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -597,8 +594,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -624,9 +625,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -642,7 +641,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -655,9 +654,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -673,12 +670,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; #else @@ -719,23 +716,21 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut0 = aes256_key_expansion(k, keys_b0); - uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -745,8 +740,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -772,9 +771,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -790,7 +787,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -803,9 +800,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -821,12 +816,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm_no_check( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; #else @@ -866,23 +861,21 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut0 = aes128_key_expansion(k, keys_b0); - uint64_t scrut1 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -892,8 +885,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -919,9 +916,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -937,7 +932,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -950,9 +945,7 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm128_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm128_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -968,12 +961,12 @@ EverCrypt_AEAD_encrypt_expand_aes128_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; } @@ -1011,23 +1004,21 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut0 = aes256_key_expansion(k, keys_b0); - uint64_t scrut1 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; - EverCrypt_Error_error_code r; if (s == NULL) { - r = EverCrypt_Error_InvalidKey; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidKey); } else if (iv_len == (uint32_t)0U) { - r = EverCrypt_Error_InvalidIVLength; + KRML_HOST_IGNORE(EverCrypt_Error_InvalidIVLength); } else { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -1037,8 +1028,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1064,9 +1059,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -1082,7 +1075,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } else { @@ -1095,9 +1088,7 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( uint64_t auth_num = (uint64_t)ad_len / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; - uint64_t - scrut2 = - gcm256_encrypt_opt(auth_b_, + KRML_HOST_IGNORE(gcm256_encrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, keys_b, @@ -1113,12 +1104,12 @@ EverCrypt_AEAD_encrypt_expand_aes256_gcm( inout_b, (uint64_t)plain_len, scratch_b1, - tag); + tag)); } memcpy(cipher + (uint32_t)(uint64_t)plain_len / (uint32_t)16U * (uint32_t)16U, inout_b, (uint32_t)(uint64_t)plain_len % (uint32_t)16U * sizeof (uint8_t)); - r = EverCrypt_Error_Success; + KRML_HOST_IGNORE(EverCrypt_Error_Success); } return EverCrypt_Error_Success; } @@ -1145,12 +1136,12 @@ EverCrypt_AEAD_encrypt_expand_chacha20_poly1305( uint8_t *tag ) { + KRML_HOST_IGNORE(iv_len); uint8_t ek[32U] = { 0U }; EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Hacl_CHACHA20, .ek = ek }; memcpy(ek, k, (uint32_t)32U * sizeof (uint8_t)); EverCrypt_AEAD_state_s *s = &p; - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek0 = scrut.ek; + uint8_t *ek0 = (*s).ek; EverCrypt_Chacha20Poly1305_aead_encrypt(ek0, iv, ad_len, ad, plain_len, plain, cipher, tag); return EverCrypt_Error_Success; } @@ -1248,8 +1239,7 @@ decrypt_aes128_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)304U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -1259,8 +1249,12 @@ decrypt_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1288,7 +1282,7 @@ decrypt_aes128_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut0 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1306,7 +1300,6 @@ decrypt_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } else @@ -1321,7 +1314,7 @@ decrypt_aes128_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut0 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1339,7 +1332,6 @@ decrypt_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1386,8 +1378,7 @@ decrypt_aes256_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint8_t *scratch_b = ek + (uint32_t)368U; uint8_t *ek1 = ek; uint8_t *keys_b = ek1; @@ -1397,8 +1388,12 @@ decrypt_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1426,7 +1421,7 @@ decrypt_aes256_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut0 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1444,7 +1439,6 @@ decrypt_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } else @@ -1459,7 +1453,7 @@ decrypt_aes256_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut0 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1477,7 +1471,6 @@ decrypt_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut0; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1523,8 +1516,7 @@ decrypt_chacha20_poly1305( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; uint32_t r = EverCrypt_Chacha20Poly1305_aead_decrypt(ek, iv, ad_len, ad, cipher_len, dst, cipher, tag); if (r == (uint32_t)0U) @@ -1586,8 +1578,7 @@ EverCrypt_AEAD_decrypt( { return EverCrypt_Error_InvalidKey; } - EverCrypt_AEAD_state_s scrut = *s; - Spec_Cipher_Expansion_impl i = scrut.impl; + Spec_Cipher_Expansion_impl i = (*s).impl; switch (i) { case Spec_Cipher_Expansion_Vale_AES128: @@ -1639,8 +1630,8 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut = aes128_key_expansion(k, keys_b0); - uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -1651,8 +1642,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -1662,8 +1652,12 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1691,7 +1685,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1709,7 +1703,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -1724,7 +1717,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1742,7 +1735,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1792,8 +1784,8 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut = aes256_key_expansion(k, keys_b0); - uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -1804,8 +1796,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -1815,8 +1806,12 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1844,7 +1839,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1862,7 +1857,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -1877,7 +1871,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -1895,7 +1889,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm_no_check( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -1944,8 +1937,8 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint8_t ek[480U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)176U; - uint64_t scrut = aes128_key_expansion(k, keys_b0); - uint64_t scrut0 = aes128_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes128_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes128_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES128, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -1956,8 +1949,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)304U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -1967,8 +1959,12 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -1996,7 +1992,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -2014,7 +2010,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -2029,7 +2024,7 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm128_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -2047,7 +2042,6 @@ EverCrypt_AEAD_decrypt_expand_aes128_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -2094,8 +2088,8 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint8_t ek[544U] = { 0U }; uint8_t *keys_b0 = ek; uint8_t *hkeys_b0 = ek + (uint32_t)240U; - uint64_t scrut = aes256_key_expansion(k, keys_b0); - uint64_t scrut0 = aes256_keyhash_init(keys_b0, hkeys_b0); + KRML_HOST_IGNORE(aes256_key_expansion(k, keys_b0)); + KRML_HOST_IGNORE(aes256_keyhash_init(keys_b0, hkeys_b0)); EverCrypt_AEAD_state_s p = { .impl = Spec_Cipher_Expansion_Vale_AES256, .ek = ek }; EverCrypt_AEAD_state_s *s = &p; if (s == NULL) @@ -2106,8 +2100,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( { return EverCrypt_Error_InvalidIVLength; } - EverCrypt_AEAD_state_s scrut1 = *s; - uint8_t *ek0 = scrut1.ek; + uint8_t *ek0 = (*s).ek; uint8_t *scratch_b = ek0 + (uint32_t)368U; uint8_t *ek1 = ek0; uint8_t *keys_b = ek1; @@ -2117,8 +2110,12 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint32_t bytes_len = len * (uint32_t)16U; uint8_t *iv_b = iv; memcpy(tmp_iv, iv + bytes_len, iv_len % (uint32_t)16U * sizeof (uint8_t)); - uint64_t - uu____0 = compute_iv_stdcall(iv_b, (uint64_t)iv_len, (uint64_t)len, tmp_iv, tmp_iv, hkeys_b); + KRML_HOST_IGNORE(compute_iv_stdcall(iv_b, + (uint64_t)iv_len, + (uint64_t)len, + tmp_iv, + tmp_iv, + hkeys_b)); uint8_t *inout_b = scratch_b; uint8_t *abytes_b = scratch_b + (uint32_t)16U; uint8_t *scratch_b1 = scratch_b + (uint32_t)32U; @@ -2146,7 +2143,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint64_t len128x6_ = len128x6 / (uint64_t)16U; uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -2164,7 +2161,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } else @@ -2179,7 +2175,7 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( uint64_t len128_num_ = len128_num / (uint64_t)16U; uint64_t len128x6_ = (uint64_t)0U; uint64_t - scrut2 = + c0 = gcm256_decrypt_opt(auth_b_, (uint64_t)ad_len, auth_num, @@ -2197,7 +2193,6 @@ EverCrypt_AEAD_decrypt_expand_aes256_gcm( (uint64_t)cipher_len, scratch_b1, tag); - uint64_t c0 = scrut2; c = c0; } memcpy(dst + (uint32_t)(uint64_t)cipher_len / (uint32_t)16U * (uint32_t)16U, @@ -2320,8 +2315,7 @@ Cleanup and free the AEAD state. */ void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s) { - EverCrypt_AEAD_state_s scrut = *s; - uint8_t *ek = scrut.ek; + uint8_t *ek = (*s).ek; KRML_HOST_FREE(ek); KRML_HOST_FREE(s); } diff --git a/dist/portable-gcc-compatible/EverCrypt_AutoConfig2.c b/dist/portable-gcc-compatible/EverCrypt_AutoConfig2.c index 2a15801007..4db92b52bb 100644 --- a/dist/portable-gcc-compatible/EverCrypt_AutoConfig2.c +++ b/dist/portable-gcc-compatible/EverCrypt_AutoConfig2.c @@ -207,75 +207,59 @@ void EverCrypt_AutoConfig2_recall(void) void EverCrypt_AutoConfig2_init(void) { #if HACL_CAN_COMPILE_VALE - uint64_t scrut = check_aesni(); - if (scrut != (uint64_t)0U) + if (check_aesni() != (uint64_t)0U) { cpu_has_aesni[0U] = true; cpu_has_pclmulqdq[0U] = true; } - uint64_t scrut0 = check_sha(); - if (scrut0 != (uint64_t)0U) + if (check_sha() != (uint64_t)0U) { cpu_has_shaext[0U] = true; } - uint64_t scrut1 = check_adx_bmi2(); - if (scrut1 != (uint64_t)0U) + if (check_adx_bmi2() != (uint64_t)0U) { cpu_has_bmi2[0U] = true; cpu_has_adx[0U] = true; } - uint64_t scrut2 = check_avx(); - if (scrut2 != (uint64_t)0U) + if (check_avx() != (uint64_t)0U) { - uint64_t scrut3 = check_osxsave(); - if (scrut3 != (uint64_t)0U) + if (check_osxsave() != (uint64_t)0U) { - uint64_t scrut4 = check_avx_xcr0(); - if (scrut4 != (uint64_t)0U) + if (check_avx_xcr0() != (uint64_t)0U) { cpu_has_avx[0U] = true; } } } - uint64_t scrut3 = check_avx2(); - if (scrut3 != (uint64_t)0U) + if (check_avx2() != (uint64_t)0U) { - uint64_t scrut4 = check_osxsave(); - if (scrut4 != (uint64_t)0U) + if (check_osxsave() != (uint64_t)0U) { - uint64_t scrut5 = check_avx_xcr0(); - if (scrut5 != (uint64_t)0U) + if (check_avx_xcr0() != (uint64_t)0U) { cpu_has_avx2[0U] = true; } } } - uint64_t scrut4 = check_sse(); - if (scrut4 != (uint64_t)0U) + if (check_sse() != (uint64_t)0U) { cpu_has_sse[0U] = true; } - uint64_t scrut5 = check_movbe(); - if (scrut5 != (uint64_t)0U) + if (check_movbe() != (uint64_t)0U) { cpu_has_movbe[0U] = true; } - uint64_t scrut6 = check_rdrand(); - if (scrut6 != (uint64_t)0U) + if (check_rdrand() != (uint64_t)0U) { cpu_has_rdrand[0U] = true; } - uint64_t scrut7 = check_avx512(); - if (scrut7 != (uint64_t)0U) + if (check_avx512() != (uint64_t)0U) { - uint64_t scrut8 = check_osxsave(); - if (scrut8 != (uint64_t)0U) + if (check_osxsave() != (uint64_t)0U) { - uint64_t scrut9 = check_avx_xcr0(); - if (scrut9 != (uint64_t)0U) + if (check_avx_xcr0() != (uint64_t)0U) { - uint64_t scrut10 = check_avx512_xcr0(); - if (scrut10 != (uint64_t)0U) + if (check_avx512_xcr0() != (uint64_t)0U) { cpu_has_avx512[0U] = true; return; diff --git a/dist/portable-gcc-compatible/EverCrypt_DRBG.c b/dist/portable-gcc-compatible/EverCrypt_DRBG.c index f2213a176d..857eb4f079 100644 --- a/dist/portable-gcc-compatible/EverCrypt_DRBG.c +++ b/dist/portable-gcc-compatible/EverCrypt_DRBG.c @@ -126,6 +126,7 @@ EverCrypt_DRBG_uu___is_SHA1_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA1_s) { return true; @@ -143,6 +144,7 @@ EverCrypt_DRBG_uu___is_SHA2_256_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA2_256_s) { return true; @@ -160,6 +162,7 @@ EverCrypt_DRBG_uu___is_SHA2_384_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA2_384_s) { return true; @@ -177,6 +180,7 @@ EverCrypt_DRBG_uu___is_SHA2_512_s( EverCrypt_DRBG_state_s projectee ) { + KRML_HOST_IGNORE(uu___); if (projectee.tag == SHA2_512_s) { return true; diff --git a/dist/portable-gcc-compatible/EverCrypt_Hash.c b/dist/portable-gcc-compatible/EverCrypt_Hash.c index aec51b8796..2bb707f765 100644 --- a/dist/portable-gcc-compatible/EverCrypt_Hash.c +++ b/dist/portable-gcc-compatible/EverCrypt_Hash.c @@ -425,7 +425,7 @@ void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint32_t n) if (has_shaext && has_sse) { uint64_t n1 = (uint64_t)n; - uint64_t scrut = sha256_update(s, blocks, n1, k224_256); + KRML_HOST_IGNORE(sha256_update(s, blocks, n1, k224_256)); return; } Hacl_SHA2_Scalar32_sha256_update_nblocks(n * (uint32_t)64U, blocks, s); @@ -2274,8 +2274,7 @@ Perform a run-time test to determine which algorithm was chosen for the given pi Spec_Hash_Definitions_hash_alg EverCrypt_Hash_Incremental_alg_of_state(EverCrypt_Hash_Incremental_hash_state *s) { - EverCrypt_Hash_Incremental_hash_state scrut = *s; - EverCrypt_Hash_state_s *block_state = scrut.block_state; + EverCrypt_Hash_state_s *block_state = (*s).block_state; return alg_of_state(block_state); } diff --git a/dist/portable-gcc-compatible/EverCrypt_Poly1305.c b/dist/portable-gcc-compatible/EverCrypt_Poly1305.c index b989683735..dd9b7172ce 100644 --- a/dist/portable-gcc-compatible/EverCrypt_Poly1305.c +++ b/dist/portable-gcc-compatible/EverCrypt_Poly1305.c @@ -40,19 +40,16 @@ static void poly1305_vale(uint8_t *dst, uint8_t *src, uint32_t len, uint8_t *key uint8_t tmp[16U] = { 0U }; if (n_extra == (uint32_t)0U) { - uint64_t scrut = x64_poly1305(ctx, src, (uint64_t)len, (uint64_t)1U); - KRML_HOST_IGNORE((void *)(uint8_t)0U); + KRML_HOST_IGNORE(x64_poly1305(ctx, src, (uint64_t)len, (uint64_t)1U)); } else { uint32_t len16 = n_blocks * (uint32_t)16U; uint8_t *src16 = src; memcpy(tmp, src + len16, n_extra * sizeof (uint8_t)); - uint64_t scrut = x64_poly1305(ctx, src16, (uint64_t)len16, (uint64_t)0U); - KRML_HOST_IGNORE((void *)(uint8_t)0U); + KRML_HOST_IGNORE(x64_poly1305(ctx, src16, (uint64_t)len16, (uint64_t)0U)); memcpy(ctx + (uint32_t)24U, key, (uint32_t)32U * sizeof (uint8_t)); - uint64_t scrut0 = x64_poly1305(ctx, tmp, (uint64_t)n_extra, (uint64_t)1U); - KRML_HOST_IGNORE((void *)(uint8_t)0U); + KRML_HOST_IGNORE(x64_poly1305(ctx, tmp, (uint64_t)n_extra, (uint64_t)1U)); } memcpy(dst, ctx, (uint32_t)16U * sizeof (uint8_t)); #endif diff --git a/dist/portable-gcc-compatible/Hacl_Chacha20_Vec128.c b/dist/portable-gcc-compatible/Hacl_Chacha20_Vec128.c index f56683dd19..51394d21f7 100644 --- a/dist/portable-gcc-compatible/Hacl_Chacha20_Vec128.c +++ b/dist/portable-gcc-compatible/Hacl_Chacha20_Vec128.c @@ -384,9 +384,8 @@ Hacl_Chacha20_Vec128_chacha20_encrypt_128( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)256U; - uint8_t *uu____3 = text + nb * (uint32_t)256U; uint8_t plain[256U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)256U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 k[16U] KRML_POST_ALIGN(16) = { 0U }; chacha20_core_128(k, ctx, nb); Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; @@ -694,9 +693,8 @@ Hacl_Chacha20_Vec128_chacha20_decrypt_128( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)256U; - uint8_t *uu____3 = cipher + nb * (uint32_t)256U; uint8_t plain[256U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)256U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 k[16U] KRML_POST_ALIGN(16) = { 0U }; chacha20_core_128(k, ctx, nb); Lib_IntVector_Intrinsics_vec128 st0 = k[0U]; diff --git a/dist/portable-gcc-compatible/Hacl_Chacha20_Vec256.c b/dist/portable-gcc-compatible/Hacl_Chacha20_Vec256.c index 15a3fceeb0..b9e95cfa8f 100644 --- a/dist/portable-gcc-compatible/Hacl_Chacha20_Vec256.c +++ b/dist/portable-gcc-compatible/Hacl_Chacha20_Vec256.c @@ -484,9 +484,8 @@ Hacl_Chacha20_Vec256_chacha20_encrypt_256( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)512U; - uint8_t *uu____3 = text + nb * (uint32_t)512U; uint8_t plain[512U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)512U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 k[16U] KRML_POST_ALIGN(32) = { 0U }; chacha20_core_256(k, ctx, nb); Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; @@ -986,9 +985,8 @@ Hacl_Chacha20_Vec256_chacha20_decrypt_256( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)512U; - uint8_t *uu____3 = cipher + nb * (uint32_t)512U; uint8_t plain[512U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)512U, rem * sizeof (uint8_t)); KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 k[16U] KRML_POST_ALIGN(32) = { 0U }; chacha20_core_256(k, ctx, nb); Lib_IntVector_Intrinsics_vec256 st0 = k[0U]; diff --git a/dist/portable-gcc-compatible/Hacl_Chacha20_Vec32.c b/dist/portable-gcc-compatible/Hacl_Chacha20_Vec32.c index 85b87011ff..7b0e3139ed 100644 --- a/dist/portable-gcc-compatible/Hacl_Chacha20_Vec32.c +++ b/dist/portable-gcc-compatible/Hacl_Chacha20_Vec32.c @@ -243,9 +243,8 @@ Hacl_Chacha20_Vec32_chacha20_encrypt_32( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = text + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k[16U] = { 0U }; chacha20_core_32(k, ctx, nb); KRML_MAYBE_FOR16(i, @@ -297,9 +296,8 @@ Hacl_Chacha20_Vec32_chacha20_decrypt_32( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = cipher + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k[16U] = { 0U }; chacha20_core_32(k, ctx, nb); KRML_MAYBE_FOR16(i, diff --git a/dist/portable-gcc-compatible/Hacl_Curve25519_64.c b/dist/portable-gcc-compatible/Hacl_Curve25519_64.c index 1c9e6f9417..5c575ec1d2 100644 --- a/dist/portable-gcc-compatible/Hacl_Curve25519_64.c +++ b/dist/portable-gcc-compatible/Hacl_Curve25519_64.c @@ -37,7 +37,7 @@ static inline void add_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) #if HACL_CAN_COMPILE_INLINE_ASM add_scalar(out, f1, f2); #else - uint64_t uu____0 = add_scalar_e(out, f1, f2); + KRML_HOST_IGNORE(add_scalar_e(out, f1, f2)); #endif } @@ -50,7 +50,7 @@ static inline void fadd0(uint64_t *out, uint64_t *f1, uint64_t *f2) #if HACL_CAN_COMPILE_INLINE_ASM fadd(out, f1, f2); #else - uint64_t uu____0 = fadd_e(out, f1, f2); + KRML_HOST_IGNORE(fadd_e(out, f1, f2)); #endif } @@ -63,7 +63,7 @@ static inline void fsub0(uint64_t *out, uint64_t *f1, uint64_t *f2) #if HACL_CAN_COMPILE_INLINE_ASM fsub(out, f1, f2); #else - uint64_t uu____0 = fsub_e(out, f1, f2); + KRML_HOST_IGNORE(fsub_e(out, f1, f2)); #endif } @@ -76,7 +76,7 @@ static inline void fmul0(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tm #if HACL_CAN_COMPILE_INLINE_ASM fmul(out, f1, f2, tmp); #else - uint64_t uu____0 = fmul_e(tmp, f1, out, f2); + KRML_HOST_IGNORE(fmul_e(tmp, f1, out, f2)); #endif } @@ -89,7 +89,7 @@ static inline void fmul20(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *t #if HACL_CAN_COMPILE_INLINE_ASM fmul2(out, f1, f2, tmp); #else - uint64_t uu____0 = fmul2_e(tmp, f1, out, f2); + KRML_HOST_IGNORE(fmul2_e(tmp, f1, out, f2)); #endif } @@ -102,7 +102,7 @@ static inline void fmul_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2) #if HACL_CAN_COMPILE_INLINE_ASM fmul_scalar(out, f1, f2); #else - uint64_t uu____0 = fmul_scalar_e(out, f1, f2); + KRML_HOST_IGNORE(fmul_scalar_e(out, f1, f2)); #endif } @@ -115,7 +115,7 @@ static inline void fsqr0(uint64_t *out, uint64_t *f1, uint64_t *tmp) #if HACL_CAN_COMPILE_INLINE_ASM fsqr(out, f1, tmp); #else - uint64_t uu____0 = fsqr_e(tmp, f1, out); + KRML_HOST_IGNORE(fsqr_e(tmp, f1, out)); #endif } @@ -128,7 +128,7 @@ static inline void fsqr20(uint64_t *out, uint64_t *f, uint64_t *tmp) #if HACL_CAN_COMPILE_INLINE_ASM fsqr2(out, f, tmp); #else - uint64_t uu____0 = fsqr2_e(tmp, f, out); + KRML_HOST_IGNORE(fsqr2_e(tmp, f, out)); #endif } @@ -141,7 +141,7 @@ static inline void cswap20(uint64_t bit, uint64_t *p1, uint64_t *p2) #if HACL_CAN_COMPILE_INLINE_ASM cswap2(bit, p1, p2); #else - uint64_t uu____0 = cswap2_e(bit, p1, p2); + KRML_HOST_IGNORE(cswap2_e(bit, p1, p2)); #endif } diff --git a/dist/portable-gcc-compatible/Hacl_Ed25519.c b/dist/portable-gcc-compatible/Hacl_Ed25519.c index 48cba9fdfb..745c2d2a4e 100644 --- a/dist/portable-gcc-compatible/Hacl_Ed25519.c +++ b/dist/portable-gcc-compatible/Hacl_Ed25519.c @@ -805,65 +805,59 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) FStar_UInt128_uint128 c00 = carry0; FStar_UInt128_uint128 carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z11, c00), (uint32_t)56U); - uint64_t - t100 = - FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z11, c00)) - & (uint64_t)0xffffffffffffffU; + KRML_HOST_IGNORE(FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z11, c00)) + & (uint64_t)0xffffffffffffffU); FStar_UInt128_uint128 c10 = carry1; FStar_UInt128_uint128 carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z21, c10), (uint32_t)56U); - uint64_t - t101 = - FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z21, c10)) - & (uint64_t)0xffffffffffffffU; + KRML_HOST_IGNORE(FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z21, c10)) + & (uint64_t)0xffffffffffffffU); FStar_UInt128_uint128 c20 = carry2; FStar_UInt128_uint128 carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z31, c20), (uint32_t)56U); - uint64_t - t102 = - FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z31, c20)) - & (uint64_t)0xffffffffffffffU; + KRML_HOST_IGNORE(FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z31, c20)) + & (uint64_t)0xffffffffffffffU); FStar_UInt128_uint128 c30 = carry3; FStar_UInt128_uint128 carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z41, c30), (uint32_t)56U); uint64_t - t103 = + t100 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z41, c30)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c40 = carry4; - uint64_t t410 = t103; + uint64_t t410 = t100; FStar_UInt128_uint128 carry5 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z5, c40), (uint32_t)56U); uint64_t - t104 = + t101 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z5, c40)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c5 = carry5; - uint64_t t51 = t104; + uint64_t t51 = t101; FStar_UInt128_uint128 carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z6, c5), (uint32_t)56U); uint64_t - t105 = + t102 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z6, c5)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c6 = carry6; - uint64_t t61 = t105; + uint64_t t61 = t102; FStar_UInt128_uint128 carry7 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z7, c6), (uint32_t)56U); uint64_t - t106 = + t103 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z7, c6)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c7 = carry7; - uint64_t t71 = t106; + uint64_t t71 = t103; FStar_UInt128_uint128 carry8 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z8, c7), (uint32_t)56U); uint64_t - t107 = + t104 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z8, c7)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c8 = carry8; - uint64_t t81 = t107; + uint64_t t81 = t104; uint64_t t91 = FStar_UInt128_uint128_to_uint64(c8); uint64_t qmu4_ = t410; uint64_t qmu5_ = t51; @@ -912,19 +906,19 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(qdiv3, m1); FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(qdiv4, m0); FStar_UInt128_uint128 carry9 = FStar_UInt128_shift_right(xy00, (uint32_t)56U); - uint64_t t108 = FStar_UInt128_uint128_to_uint64(xy00) & (uint64_t)0xffffffffffffffU; + uint64_t t105 = FStar_UInt128_uint128_to_uint64(xy00) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c0 = carry9; - uint64_t t010 = t108; + uint64_t t010 = t105; FStar_UInt128_uint128 carry10 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0), (uint32_t)56U); uint64_t - t109 = + t106 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c11 = carry10; - uint64_t t110 = t109; + uint64_t t110 = t106; FStar_UInt128_uint128 carry11 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, @@ -933,14 +927,14 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) c11), (uint32_t)56U); uint64_t - t1010 = + t107 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, xy11), xy20), c11)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c21 = carry11; - uint64_t t210 = t1010; + uint64_t t210 = t107; FStar_UInt128_uint128 carry = FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, @@ -950,7 +944,7 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) c21), (uint32_t)56U); uint64_t - t1011 = + t108 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, xy12), xy21), @@ -958,7 +952,7 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) c21)) & (uint64_t)0xffffffffffffffU; FStar_UInt128_uint128 c31 = carry; - uint64_t t310 = t1011; + uint64_t t310 = t108; uint64_t t411 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04, @@ -974,24 +968,24 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) uint64_t qmul3 = t310; uint64_t qmul4 = t411; uint64_t b5 = (r0 - qmul0) >> (uint32_t)63U; - uint64_t t1012 = (b5 << (uint32_t)56U) + r0 - qmul0; + uint64_t t109 = (b5 << (uint32_t)56U) + r0 - qmul0; uint64_t c1 = b5; - uint64_t t011 = t1012; + uint64_t t011 = t109; uint64_t b6 = (r1 - (qmul1 + c1)) >> (uint32_t)63U; - uint64_t t1013 = (b6 << (uint32_t)56U) + r1 - (qmul1 + c1); + uint64_t t1010 = (b6 << (uint32_t)56U) + r1 - (qmul1 + c1); uint64_t c2 = b6; - uint64_t t111 = t1013; + uint64_t t111 = t1010; uint64_t b7 = (r2 - (qmul2 + c2)) >> (uint32_t)63U; - uint64_t t1014 = (b7 << (uint32_t)56U) + r2 - (qmul2 + c2); + uint64_t t1011 = (b7 << (uint32_t)56U) + r2 - (qmul2 + c2); uint64_t c3 = b7; - uint64_t t211 = t1014; + uint64_t t211 = t1011; uint64_t b8 = (r3 - (qmul3 + c3)) >> (uint32_t)63U; - uint64_t t1015 = (b8 << (uint32_t)56U) + r3 - (qmul3 + c3); + uint64_t t1012 = (b8 << (uint32_t)56U) + r3 - (qmul3 + c3); uint64_t c4 = b8; - uint64_t t311 = t1015; + uint64_t t311 = t1012; uint64_t b9 = (r4 - (qmul4 + c4)) >> (uint32_t)63U; - uint64_t t1016 = (b9 << (uint32_t)40U) + r4 - (qmul4 + c4); - uint64_t t412 = t1016; + uint64_t t1013 = (b9 << (uint32_t)40U) + r4 - (qmul4 + c4); + uint64_t t412 = t1013; uint64_t s0 = t011; uint64_t s1 = t111; uint64_t s2 = t211; @@ -1008,21 +1002,21 @@ static inline void barrett_reduction(uint64_t *z, uint64_t *t) uint64_t y3 = m31; uint64_t y4 = m41; uint64_t b10 = (s0 - y0) >> (uint32_t)63U; - uint64_t t1017 = (b10 << (uint32_t)56U) + s0 - y0; + uint64_t t1014 = (b10 << (uint32_t)56U) + s0 - y0; uint64_t b0 = b10; - uint64_t t01 = t1017; + uint64_t t01 = t1014; uint64_t b11 = (s1 - (y1 + b0)) >> (uint32_t)63U; - uint64_t t1018 = (b11 << (uint32_t)56U) + s1 - (y1 + b0); + uint64_t t1015 = (b11 << (uint32_t)56U) + s1 - (y1 + b0); uint64_t b1 = b11; - uint64_t t11 = t1018; + uint64_t t11 = t1015; uint64_t b12 = (s2 - (y2 + b1)) >> (uint32_t)63U; - uint64_t t1019 = (b12 << (uint32_t)56U) + s2 - (y2 + b1); + uint64_t t1016 = (b12 << (uint32_t)56U) + s2 - (y2 + b1); uint64_t b2 = b12; - uint64_t t21 = t1019; + uint64_t t21 = t1016; uint64_t b13 = (s3 - (y3 + b2)) >> (uint32_t)63U; - uint64_t t1020 = (b13 << (uint32_t)56U) + s3 - (y3 + b2); + uint64_t t1017 = (b13 << (uint32_t)56U) + s3 - (y3 + b2); uint64_t b3 = b13; - uint64_t t31 = t1020; + uint64_t t31 = t1017; uint64_t b = (s4 - (y4 + b3)) >> (uint32_t)63U; uint64_t t10 = (b << (uint32_t)56U) + s4 - (y4 + b3); uint64_t b4 = b; diff --git a/dist/portable-gcc-compatible/Hacl_FFDHE.c b/dist/portable-gcc-compatible/Hacl_FFDHE.c index 0847499f79..5e299d7db1 100644 --- a/dist/portable-gcc-compatible/Hacl_FFDHE.c +++ b/dist/portable-gcc-compatible/Hacl_FFDHE.c @@ -137,7 +137,6 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui memset(p_n1, 0U, nLen * sizeof (uint64_t)); uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64((uint64_t)0U, p_n[0U], (uint64_t)1U, p_n1); - uint64_t c1; if ((uint32_t)1U < nLen) { uint64_t *a1 = p_n + (uint32_t)1U; @@ -169,12 +168,12 @@ static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *pk_n, ui uint64_t *res_i = res1 + i; c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, (uint64_t)0U, res_i); } - uint64_t c10 = c; - c1 = c10; + uint64_t c1 = c; + KRML_HOST_IGNORE(c1); } else { - c1 = c0; + KRML_HOST_IGNORE(c0); } KRML_CHECK_SIZE(sizeof (uint64_t), nLen); uint64_t b2[nLen]; diff --git a/dist/portable-gcc-compatible/Hacl_Frodo_KEM.c b/dist/portable-gcc-compatible/Hacl_Frodo_KEM.c index 7c39cb4c3a..a999768215 100644 --- a/dist/portable-gcc-compatible/Hacl_Frodo_KEM.c +++ b/dist/portable-gcc-compatible/Hacl_Frodo_KEM.c @@ -32,7 +32,7 @@ void randombytes_(uint32_t len, uint8_t *res) { - bool b = Lib_RandomBuffer_System_randombytes(res, len); + KRML_HOST_IGNORE(Lib_RandomBuffer_System_randombytes(res, len)); } /* SNIPPET_END: randombytes_ */ diff --git a/dist/portable-gcc-compatible/Hacl_HMAC_DRBG.c b/dist/portable-gcc-compatible/Hacl_HMAC_DRBG.c index 79683742b7..b38a0a494f 100644 --- a/dist/portable-gcc-compatible/Hacl_HMAC_DRBG.c +++ b/dist/portable-gcc-compatible/Hacl_HMAC_DRBG.c @@ -97,6 +97,8 @@ uint32_t Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_hash_alg a) bool Hacl_HMAC_DRBG_uu___is_State(Spec_Hash_Definitions_hash_alg a, Hacl_HMAC_DRBG_state projectee) { + KRML_HOST_IGNORE(a); + KRML_HOST_IGNORE(projectee); return true; } @@ -1130,6 +1132,7 @@ Hacl_HMAC_DRBG_generate( void Hacl_HMAC_DRBG_free(Spec_Hash_Definitions_hash_alg uu___, Hacl_HMAC_DRBG_state s) { + KRML_HOST_IGNORE(uu___); uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c index 45fe3d718f..3a7260ee3f 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c @@ -616,6 +616,7 @@ Hacl_Blake2b_32_blake2b_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { FStar_UInt128_uint128 @@ -1359,6 +1360,7 @@ Hacl_Blake2s_32_blake2s_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c index b783f2edd3..468a948be0 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c @@ -339,6 +339,7 @@ Hacl_Blake2b_256_blake2b_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { FStar_UInt128_uint128 diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c index adf231859a..fe6084037e 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c @@ -338,6 +338,7 @@ Hacl_Blake2s_128_blake2s_update_multi( uint32_t nb ) { + KRML_HOST_IGNORE(len); for (uint32_t i = (uint32_t)0U; i < nb; i++) { uint64_t totlen = prev + (uint64_t)((i + (uint32_t)1U) * (uint32_t)64U); diff --git a/dist/portable-gcc-compatible/Hacl_Hash_MD5.c b/dist/portable-gcc-compatible/Hacl_Hash_MD5.c index d0df70b5d9..759e83f26b 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_MD5.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_MD5.c @@ -1260,7 +1260,6 @@ void Hacl_Streaming_MD5_legacy_init(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Hash_Core_MD5_legacy_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/portable-gcc-compatible/Hacl_Hash_SHA1.c b/dist/portable-gcc-compatible/Hacl_Hash_SHA1.c index d31c794e12..063db46168 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_SHA1.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_SHA1.c @@ -292,7 +292,6 @@ void Hacl_Streaming_SHA1_legacy_init(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Hash_Core_SHA1_legacy_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/portable-gcc-compatible/Hacl_Hash_SHA2.c b/dist/portable-gcc-compatible/Hacl_Hash_SHA2.c index 1ef836f11f..012d9f03bd 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_SHA2.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_SHA2.c @@ -619,7 +619,6 @@ void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha256_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -946,7 +945,6 @@ void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_MD_state_32 *s) Hacl_Streaming_MD_state_32 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha224_init(block_state); Hacl_Streaming_MD_state_32 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -1100,7 +1098,6 @@ void Hacl_Streaming_SHA2_init_512(Hacl_Streaming_MD_state_64 *s) Hacl_Streaming_MD_state_64 scrut = *s; uint8_t *buf = scrut.buf; uint64_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha512_init(block_state); Hacl_Streaming_MD_state_64 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -1428,7 +1425,6 @@ void Hacl_Streaming_SHA2_init_384(Hacl_Streaming_MD_state_64 *s) Hacl_Streaming_MD_state_64 scrut = *s; uint8_t *buf = scrut.buf; uint64_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_SHA2_Scalar32_sha384_init(block_state); Hacl_Streaming_MD_state_64 tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/portable-gcc-compatible/Hacl_Hash_SHA3.c b/dist/portable-gcc-compatible/Hacl_Hash_SHA3.c index 56243f71f0..40f3b8cd15 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_SHA3.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_SHA3.c @@ -139,10 +139,9 @@ Hacl_Hash_SHA3_update_last_sha3( if (input_len == len) { Hacl_Impl_SHA3_absorb_inner(len, input, s); - uint8_t *uu____0 = input + input_len; uint8_t lastBlock_[200U] = { 0U }; uint8_t *lastBlock = lastBlock_; - memcpy(lastBlock, uu____0, (uint32_t)0U * sizeof (uint8_t)); + memcpy(lastBlock, input + input_len, (uint32_t)0U * sizeof (uint8_t)); lastBlock[0U] = suffix; Hacl_Impl_SHA3_loadState(len, lastBlock, s); if (!((suffix & (uint8_t)0x80U) == (uint8_t)0U) && (uint32_t)0U == len - (uint32_t)1U) @@ -189,8 +188,7 @@ hash_buf2; Spec_Hash_Definitions_hash_alg Hacl_Streaming_Keccak_get_alg(Hacl_Streaming_Keccak_state *s) { - Hacl_Streaming_Keccak_state scrut = *s; - Hacl_Streaming_Keccak_hash_buf block_state = scrut.block_state; + Hacl_Streaming_Keccak_hash_buf block_state = (*s).block_state; return block_state.fst; } @@ -939,6 +937,7 @@ Hacl_Impl_SHA3_keccak( uint8_t *output ) { + KRML_HOST_IGNORE(capacity); uint32_t rateInBytes = rate / (uint32_t)8U; uint64_t s[25U] = { 0U }; absorb(s, rateInBytes, inputByteLen, input, delimitedSuffix); diff --git a/dist/portable-gcc-compatible/Hacl_K256_ECDSA.c b/dist/portable-gcc-compatible/Hacl_K256_ECDSA.c index 60010c2b8e..7f7f9b1b9b 100644 --- a/dist/portable-gcc-compatible/Hacl_K256_ECDSA.c +++ b/dist/portable-gcc-compatible/Hacl_K256_ECDSA.c @@ -556,7 +556,7 @@ mul_pow2_256_minus_q_add( uint64_t r = c; tmp[len + i0] = r;); memcpy(res + (uint32_t)2U, a, len * sizeof (uint64_t)); - uint64_t uu____0 = bn_add(resLen, res, len + (uint32_t)2U, tmp, res); + KRML_HOST_IGNORE(bn_add(resLen, res, len + (uint32_t)2U, tmp, res)); uint64_t c = bn_add(resLen, res, (uint32_t)4U, e, res); return c; } @@ -576,15 +576,23 @@ static inline void modq(uint64_t *out, uint64_t *a) uint64_t *t01 = tmp; uint64_t m[7U] = { 0U }; uint64_t p[5U] = { 0U }; - uint64_t - c0 = mul_pow2_256_minus_q_add((uint32_t)4U, (uint32_t)7U, t01, a + (uint32_t)4U, a, m); - uint64_t - c10 = mul_pow2_256_minus_q_add((uint32_t)3U, (uint32_t)5U, t01, m + (uint32_t)4U, m, p); + KRML_HOST_IGNORE(mul_pow2_256_minus_q_add((uint32_t)4U, + (uint32_t)7U, + t01, + a + (uint32_t)4U, + a, + m)); + KRML_HOST_IGNORE(mul_pow2_256_minus_q_add((uint32_t)3U, + (uint32_t)5U, + t01, + m + (uint32_t)4U, + m, + p)); uint64_t c2 = mul_pow2_256_minus_q_add((uint32_t)1U, (uint32_t)4U, t01, p + (uint32_t)4U, p, r); - uint64_t c00 = c2; + uint64_t c0 = c2; uint64_t c1 = add4(r, tmp, out); - uint64_t mask = (uint64_t)0U - (c00 + c1); + uint64_t mask = (uint64_t)0U - (c0 + c1); KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, @@ -694,7 +702,7 @@ static inline void qmul_shift_384(uint64_t *res, uint64_t *a, uint64_t *b) uint64_t *res_i = res1 + i; c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, (uint64_t)0U, res_i);); uint64_t c1 = c; - uint64_t uu____0 = c1; + KRML_HOST_IGNORE(c1); uint64_t flag = l[5U] >> (uint32_t)63U; uint64_t mask = (uint64_t)0U - flag; KRML_MAYBE_FOR4(i, @@ -1401,6 +1409,7 @@ static inline void point_mul_g(uint64_t *out, uint64_t *scalar) (uint64_t)118285133003718U, (uint64_t)434519962075150U, (uint64_t)1114612377498854U, (uint64_t)3488596944003813U, (uint64_t)450716531072892U, (uint64_t)66044973203836U }; + KRML_HOST_IGNORE(q2); uint64_t q3[15U] = { @@ -1410,6 +1419,7 @@ static inline void point_mul_g(uint64_t *out, uint64_t *scalar) (uint64_t)265969268774814U, (uint64_t)1913228635640715U, (uint64_t)2831959046949342U, (uint64_t)888030405442963U, (uint64_t)1817092932985033U, (uint64_t)101515844997121U }; + KRML_HOST_IGNORE(q3); uint64_t q4[15U] = { @@ -1419,6 +1429,7 @@ static inline void point_mul_g(uint64_t *out, uint64_t *scalar) (uint64_t)12245672982162U, (uint64_t)2119364213800870U, (uint64_t)2034960311715107U, (uint64_t)3172697815804487U, (uint64_t)4185144850224160U, (uint64_t)2792055915674U }; + KRML_HOST_IGNORE(q4); uint64_t *r1 = scalar; uint64_t *r2 = scalar + (uint32_t)1U; uint64_t *r3 = scalar + (uint32_t)2U; @@ -1811,6 +1822,7 @@ Hacl_K256_ECDSA_ecdsa_sign_hashed_msg( ) { uint64_t oneq[4U] = { (uint64_t)0x1U, (uint64_t)0x0U, (uint64_t)0x0U, (uint64_t)0x0U }; + KRML_HOST_IGNORE(oneq); uint64_t rsdk_q[16U] = { 0U }; uint64_t *r_q = rsdk_q; uint64_t *s_q = rsdk_q + (uint32_t)4U; diff --git a/dist/portable-gcc-compatible/Hacl_RSAPSS.c b/dist/portable-gcc-compatible/Hacl_RSAPSS.c index 7cc4ece283..edcd40dc20 100644 --- a/dist/portable-gcc-compatible/Hacl_RSAPSS.c +++ b/dist/portable-gcc-compatible/Hacl_RSAPSS.c @@ -446,9 +446,9 @@ load_skey( Sign a message `msg` and write the signature to `sgnt`. @param a Hash algorithm to use. Allowed values for `a` are ... - * Spec_Hash_Definitions_SHA2_256, - * Spec_Hash_Definitions_SHA2_384, and - * Spec_Hash_Definitions_SHA2_512. + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. @@ -564,7 +564,10 @@ Hacl_RSAPSS_rsapss_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param pkey Pointer to public key created by `Hacl_RSAPSS_new_rsapss_load_pkey`. @@ -687,10 +690,10 @@ Load a public key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. -@return Returns an allocated public key. Note: caller must take care to `free()` the created key. +@return Returns an allocated public key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb) @@ -761,11 +764,11 @@ Load a secret key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. -@return Returns an allocated secret key. Note: caller must take care to `free()` the created key. +@return Returns an allocated secret key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_skey( @@ -862,13 +865,16 @@ uint64_t /** Sign a message `msg` and write the signature to `sgnt`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param salt Pointer to `saltLen` bytes where the salt is read from. @param msgLen Length of message. @@ -935,11 +941,14 @@ Hacl_RSAPSS_rsapss_skey_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param sgntLen Length of signature. @param sgnt Pointer to `sgntLen` bytes where the signature is read from. diff --git a/dist/portable-gcc-compatible/Hacl_RSAPSS.h b/dist/portable-gcc-compatible/Hacl_RSAPSS.h index cceb67551e..b23ab98e52 100644 --- a/dist/portable-gcc-compatible/Hacl_RSAPSS.h +++ b/dist/portable-gcc-compatible/Hacl_RSAPSS.h @@ -45,9 +45,9 @@ extern "C" { Sign a message `msg` and write the signature to `sgnt`. @param a Hash algorithm to use. Allowed values for `a` are ... - * Spec_Hash_Definitions_SHA2_256, - * Spec_Hash_Definitions_SHA2_384, and - * Spec_Hash_Definitions_SHA2_512. + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. @@ -81,7 +81,10 @@ Hacl_RSAPSS_rsapss_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param pkey Pointer to public key created by `Hacl_RSAPSS_new_rsapss_load_pkey`. @@ -115,10 +118,10 @@ Load a public key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. -@return Returns an allocated public key. Note: caller must take care to `free()` the created key. +@return Returns an allocated public key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_pkey(uint32_t modBits, uint32_t eBits, uint8_t *nb, uint8_t *eb); @@ -133,11 +136,11 @@ Load a secret key from key parts. @param modBits Count of bits in modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. -@return Returns an allocated secret key. Note: caller must take care to `free()` the created key. +@return Returns an allocated secret key upon success, otherwise, `NULL` if key part arguments are invalid or memory allocation fails. Note: caller must take care to `free()` the created key. */ uint64_t *Hacl_RSAPSS_new_rsapss_load_skey( @@ -156,13 +159,16 @@ uint64_t /** Sign a message `msg` and write the signature to `sgnt`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. @param dBits Count of bits in `d` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. -@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. +@param db Pointer to `ceil(modBits / 8)` bytes where the `d` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param salt Pointer to `saltLen` bytes where the salt is read from. @param msgLen Length of message. @@ -194,11 +200,14 @@ Hacl_RSAPSS_rsapss_skey_sign( /** Verify the signature `sgnt` of a message `msg`. -@param a Hash algorithm to use. +@param a Hash algorithm to use. Allowed values for `a` are ... + - Spec_Hash_Definitions_SHA2_256, + - Spec_Hash_Definitions_SHA2_384, and + - Spec_Hash_Definitions_SHA2_512. @param modBits Count of bits in the modulus (`n`). @param eBits Count of bits in `e` value. -@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`) is read from. -@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value is read from. +@param nb Pointer to `ceil(modBits / 8)` bytes where the modulus (`n`), in big-endian byte order, is read from. +@param eb Pointer to `ceil(modBits / 8)` bytes where the `e` value, in big-endian byte order, is read from. @param saltLen Length of salt. @param sgntLen Length of signature. @param sgnt Pointer to `sgntLen` bytes where the signature is read from. diff --git a/dist/portable-gcc-compatible/Hacl_Salsa20.c b/dist/portable-gcc-compatible/Hacl_Salsa20.c index c72e472dab..23a01b3399 100644 --- a/dist/portable-gcc-compatible/Hacl_Salsa20.c +++ b/dist/portable-gcc-compatible/Hacl_Salsa20.c @@ -203,6 +203,7 @@ salsa20_encrypt( memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); ctx[15U] = (uint32_t)0x6b206574U; uint32_t k[16U] = { 0U }; + KRML_HOST_IGNORE(k); uint32_t rem = len % (uint32_t)64U; uint32_t nb = len / (uint32_t)64U; uint32_t rem1 = len % (uint32_t)64U; @@ -239,9 +240,8 @@ salsa20_encrypt( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = text + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, text + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k1[16U] = { 0U }; salsa20_core(k1, ctx, nb); uint32_t bl[16U] = { 0U }; @@ -320,6 +320,7 @@ salsa20_decrypt( memcpy(ctx + (uint32_t)11U, k10, (uint32_t)4U * sizeof (uint32_t)); ctx[15U] = (uint32_t)0x6b206574U; uint32_t k[16U] = { 0U }; + KRML_HOST_IGNORE(k); uint32_t rem = len % (uint32_t)64U; uint32_t nb = len / (uint32_t)64U; uint32_t rem1 = len % (uint32_t)64U; @@ -356,9 +357,8 @@ salsa20_decrypt( if (rem1 > (uint32_t)0U) { uint8_t *uu____2 = out + nb * (uint32_t)64U; - uint8_t *uu____3 = cipher + nb * (uint32_t)64U; uint8_t plain[64U] = { 0U }; - memcpy(plain, uu____3, rem * sizeof (uint8_t)); + memcpy(plain, cipher + nb * (uint32_t)64U, rem * sizeof (uint8_t)); uint32_t k1[16U] = { 0U }; salsa20_core(k1, ctx, nb); uint32_t bl[16U] = { 0U }; diff --git a/dist/portable-gcc-compatible/Hacl_Streaming_Blake2.c b/dist/portable-gcc-compatible/Hacl_Streaming_Blake2.c index 7d4057d1e8..28f01b27aa 100644 --- a/dist/portable-gcc-compatible/Hacl_Streaming_Blake2.c +++ b/dist/portable-gcc-compatible/Hacl_Streaming_Blake2.c @@ -60,7 +60,6 @@ void Hacl_Streaming_Blake2_blake2s_32_no_key_init(Hacl_Streaming_Blake2_blake2s_ Hacl_Streaming_Blake2_blake2s_32_state scrut = *s1; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2_blake2s_32_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2s_32_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); Hacl_Streaming_Blake2_blake2s_32_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; @@ -380,7 +379,6 @@ void Hacl_Streaming_Blake2_blake2b_32_no_key_init(Hacl_Streaming_Blake2_blake2b_ Hacl_Streaming_Blake2_blake2b_32_state scrut = *s1; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2_blake2b_32_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2b_32_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); Hacl_Streaming_Blake2_blake2b_32_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/portable-gcc-compatible/Hacl_Streaming_Blake2b_256.c b/dist/portable-gcc-compatible/Hacl_Streaming_Blake2b_256.c index 966c6e722a..25ca85c04c 100644 --- a/dist/portable-gcc-compatible/Hacl_Streaming_Blake2b_256.c +++ b/dist/portable-gcc-compatible/Hacl_Streaming_Blake2b_256.c @@ -72,7 +72,6 @@ Hacl_Streaming_Blake2b_256_blake2b_256_no_key_init( Hacl_Streaming_Blake2b_256_blake2b_256_state scrut = *s; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2b_256_blake2b_256_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2b_256_blake2b_init(block_state.snd, (uint32_t)0U, (uint32_t)64U); Hacl_Streaming_Blake2b_256_blake2b_256_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/portable-gcc-compatible/Hacl_Streaming_Blake2s_128.c b/dist/portable-gcc-compatible/Hacl_Streaming_Blake2s_128.c index 677dd24514..ea6c5dc089 100644 --- a/dist/portable-gcc-compatible/Hacl_Streaming_Blake2s_128.c +++ b/dist/portable-gcc-compatible/Hacl_Streaming_Blake2s_128.c @@ -72,7 +72,6 @@ Hacl_Streaming_Blake2s_128_blake2s_128_no_key_init( Hacl_Streaming_Blake2s_128_blake2s_128_state scrut = *s; uint8_t *buf = scrut.buf; Hacl_Streaming_Blake2s_128_blake2s_128_block_state block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Blake2s_128_blake2s_init(block_state.snd, (uint32_t)0U, (uint32_t)32U); Hacl_Streaming_Blake2s_128_blake2s_128_state tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; diff --git a/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_128.c b/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_128.c index 91e44a04d5..b5dd285b82 100644 --- a/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_128.c +++ b/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_128.c @@ -64,7 +64,6 @@ Hacl_Streaming_Poly1305_128_init(uint8_t *k, Hacl_Streaming_Poly1305_128_poly130 uint8_t *k_ = scrut.p_key; uint8_t *buf = scrut.buf; Lib_IntVector_Intrinsics_vec128 *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Poly1305_128_poly1305_init(block_state, k); memcpy(k_, k, (uint32_t)32U * sizeof (uint8_t)); uint8_t *k_1 = k_; @@ -326,7 +325,7 @@ Hacl_Streaming_Poly1305_128_finish( { ite1 = r % (uint32_t)16U; } - uint64_t prev_len_last = total_len - (uint64_t)ite1; + KRML_HOST_IGNORE(total_len - (uint64_t)ite1); uint32_t ite2; if (r % (uint32_t)16U == (uint32_t)0U && r > (uint32_t)0U) { diff --git a/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_256.c b/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_256.c index 97167c4ffe..94c0832404 100644 --- a/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_256.c +++ b/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_256.c @@ -64,7 +64,6 @@ Hacl_Streaming_Poly1305_256_init(uint8_t *k, Hacl_Streaming_Poly1305_256_poly130 uint8_t *k_ = scrut.p_key; uint8_t *buf = scrut.buf; Lib_IntVector_Intrinsics_vec256 *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Poly1305_256_poly1305_init(block_state, k); memcpy(k_, k, (uint32_t)32U * sizeof (uint8_t)); uint8_t *k_1 = k_; @@ -326,7 +325,7 @@ Hacl_Streaming_Poly1305_256_finish( { ite1 = r % (uint32_t)16U; } - uint64_t prev_len_last = total_len - (uint64_t)ite1; + KRML_HOST_IGNORE(total_len - (uint64_t)ite1); uint32_t ite2; if (r % (uint32_t)16U == (uint32_t)0U && r > (uint32_t)0U) { diff --git a/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_32.c b/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_32.c index 7c761178e3..1a16122a44 100644 --- a/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_32.c +++ b/dist/portable-gcc-compatible/Hacl_Streaming_Poly1305_32.c @@ -59,7 +59,6 @@ Hacl_Streaming_Poly1305_32_init(uint8_t *k, Hacl_Streaming_Poly1305_32_poly1305_ uint8_t *k_ = scrut.p_key; uint8_t *buf = scrut.buf; uint64_t *block_state = scrut.block_state; - KRML_HOST_IGNORE((void *)(uint8_t)0U); Hacl_Poly1305_32_poly1305_init(block_state, k); memcpy(k_, k, (uint32_t)32U * sizeof (uint8_t)); uint8_t *k_1 = k_; diff --git a/dist/portable-gcc-compatible/INFO.txt b/dist/portable-gcc-compatible/INFO.txt index 7ed8e74ac6..f1a6a25e9c 100644 --- a/dist/portable-gcc-compatible/INFO.txt +++ b/dist/portable-gcc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. -F* version: 155853a14336aa0713dba7db5408f4c8ab512a06 -KaRaMeL version: db63c1de17565be0ec4989f58532717a04e3ff40 +F* version: bc622701c668f6b4092760879372968265d4a4e1 +KaRaMeL version: aef72b2b5a44b338b856a177819d1bfa0d7cc5b6 Vale version: 0.3.19 diff --git a/dist/portable-gcc-compatible/internal/Hacl_Bignum25519_51.h b/dist/portable-gcc-compatible/internal/Hacl_Bignum25519_51.h index e08b99c8c4..c7ad888bf8 100644 --- a/dist/portable-gcc-compatible/internal/Hacl_Bignum25519_51.h +++ b/dist/portable-gcc-compatible/internal/Hacl_Bignum25519_51.h @@ -94,6 +94,7 @@ Hacl_Impl_Curve25519_Field51_fmul( FStar_UInt128_uint128 *uu___ ) { + KRML_HOST_IGNORE(uu___); uint64_t f10 = f1[0U]; uint64_t f11 = f1[1U]; uint64_t f12 = f1[2U]; @@ -181,6 +182,7 @@ Hacl_Impl_Curve25519_Field51_fmul2( FStar_UInt128_uint128 *uu___ ) { + KRML_HOST_IGNORE(uu___); uint64_t f10 = f1[0U]; uint64_t f11 = f1[1U]; uint64_t f12 = f1[2U]; @@ -393,6 +395,7 @@ static inline void Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uint64_t *f static inline void Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) { + KRML_HOST_IGNORE(uu___); uint64_t f0 = f[0U]; uint64_t f1 = f[1U]; uint64_t f2 = f[2U]; @@ -472,6 +475,7 @@ Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint static inline void Hacl_Impl_Curve25519_Field51_fsqr2(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___) { + KRML_HOST_IGNORE(uu___); uint64_t f10 = f[0U]; uint64_t f11 = f[1U]; uint64_t f12 = f[2U]; diff --git a/dist/wasm/EverCrypt_Hash.wasm b/dist/wasm/EverCrypt_Hash.wasm index 98595b1b0de2f204a3ef5b1d1e23c3f298c2016c..0d1f9daf2450d87d624f62f0651e7f78bdba8f4d 100644 GIT binary patch delta 2206 zcma)7YfMyE5WeT`?!EiC%Pz=b*@fM+0=q2W?gG1jpuqLnDoCxdH6?)%gGz%)MXM(A zsKvz8XoG{PQX;V!YizONF>R_ppoy(bX=D0G{LvsgF$usYmV6R~ zdzKiO5W81c;xoK~6V@sQ~ z0>?%v+mu^0WM8i*!k$+bQxOv*6rX>OJ_;;sy3XH&;c zX%n1Ix^H;S`UN}b_`ziRwFj$gkh|1w0^P21zdrT%2Y+;$sH~4mt&~v7>9Red!B4IR z?7&uUh_$61F_2RDJ$)Je!|oN>j!AzAPPtRbQ*g;$feo3?&I6|>8PRx6DwKGFh#EY6 zWx#WtxY?GBN`jqg4;H|9=9}29t=?jI!J7<&-XQV9O>ZgjVdxOc@!gOKWt09NW$e}^ zcL=7kt=O^Y>|*?j;4a&8-Ab2JnHro+@R$%B%i%r)h{ke`kSw+)kVjy3AQj%pOlO0^ zRt5WO3CHkXnfQmwLogWDQ2)L>#J&!O~~Pwp4#cQUd-1^uSU{@*fm+at2vs zWxs`#u$vnO35up#zm1f!*S1y|P>j{rsVE%V)^qK}?L9_P0afhEB4ngjgpBki*xx>~0QQYXXW2I%djfm?_$>STCq%0EPYCv0UkLm9evxW@ zzeu&df0jL8;_PRZP%bRw*clOW?2HIGb|%5T@vSGYpBg?4)x%G@q#I3Cg{m4CQDJDKYq2`lSvRgVcIz_tc(uj_DP<|^bPH;a_^8~+Jl|^OR_lDL zgesFUuq!Gx5-B= z;Hyq+p%NB%gJ!cOz;Azb$z$(okz)DRPK-Y)> z)hy%kd4gAV{OWgX@XBeDTgwo^MFl%$zK3Bi}l zvnpo7=K)^_1HKd3CuiLDm;rfY5iCmLJ#hy77HZ*ftg{1`f6d)pWYX!JFvS?=QJoh7 z55d9|@-he*<%JM1!b>4wm=^=De)L_+%OPL^FNlD3yd(lX%ZnmYCwI>0brI$~_U*N6 G=6?Ya<4XMi delta 2131 zcma)-X>1cm6vubg-u1PP7fJ%L<1ntV%?96zlh`39=7tc$(YqCqQ^FO;1WZsu33kGv zMnwpCA*cd@TdFE8q#T0^YE>1f5<*2qR6?p~B|ue=5B<;&sA`iI=3uQ zng7oG=4tl35%%rBSqqcQv>}FJ(3w5C9P`2I>MU?ZHv@F~neZ3YalMB+iqJv(Zr%j#dJfL$ zEpS&i4UX$Y^gImdgUAVY^p$7^ZB@TH1_8NXnZbkHaES|W$?ctt2L=tZ&`h{xs6Y}J zj9yd*l|~8PFP9<&7&=u38Nbg>F;}JI!u3J{`KvHu%!av2z@o#XqsKSfEXmaRrp@b`GTUU{ z4ay7%6zJIH$~xV;tt~A~qoVl@$;<|36}(mOr)IVB9_g_B$eAAI=nZPvUAim_&4n=^ zW-!8nQ!5ra%!%J0eELT>huOpxCPl-HSY&!^1YZ=cK~o`6Dv$~fwhV2y1u9dEIHhHS)J5=ZpTTkT&VJM}C_ zrEsWNg8iihXgVA#twNX@OXQ!@&spRkmmNQ`^salXk|~xj;237HMs(7Tl+(K(wo2f4 z8L5i8reW~UA=lalXWJtr*XlyHs1+Nr zd8pfA$3@tVZP+ZvtW+YghFnR#s2N?eJ)I`!+FyO@e7KV8h3_+IIM)`TeH&O_c9Pqf zJR0>-QtcIEDY%{44B3?XX;e~L`rtDl$PcIp@&k`ZzJDBn5~c|90}~*)cXS-Vz`JR3^VkFkuAb_JkrV2EM@}gF zh2ax@w1zF%BG<4uUc>z-oh&Vm*q~Qgaci)G_G2qHgYM)16h{R6aRisE_32mY^XjQM zJ6Za_Z5b*0P_`wp!TZQJUf)ly$9#fuXdN8ZVy=>5Ouf4ge}c*I>D8zN8!$(c8iy8Z zuvSjKFaM%g`5A-U`V#VUeItV1TT8SF1{)zYWLvvTFq!1HO{^D;s#q)-RIy0Vt74&` zQ^f*-SH)6+Q^gWNtBU!8Miuh}Ruyvvq>2RjZRi6usoILC4&maVowyiVu|>orfA&ol zRl~uvKfv7!rzsLMHp`?7#$FLPPHgicobuez6R`;PpDOY?ypUM?z#6qN7CfMJ?Gr>&OP7HeRJ=>d!v8vjdu4$ z>1^_LwC8q|##HAVIMUi`<%U}NyWy6wJE$e<4(N&0Qf@dp93vb`q=&DiVFN~DB#*)< z9-WSVMxS@~%XagS=UDlcg*?u;EiMQbp}>w5M~ZCgYl)J0{p(}HEQ`m$`sj?s7>xCK zoa17g?@%+3$2g4lcmgKag*NsBZxqMeM+?;Yn~X$>+&xNbnR)QQlNc z##E1|NpPCa(=lBaEtb`arL500kdH#-OIt~a75bRrxXPO0J66(5dP-1%O))M=zpJG| zIVzK9;wwoR?I$ra$+I#9W@EM?Fq`KHff6B5(uaU0UO=D}rHhKDtQSOV~Nj8)sWz7R4cCrOHt$TG6^p8c{!GAX)92LN}pGX^p#rrDy+mR zk84q@=U1EgH8Q_O&#%QAto1lnjF?WS!wO*|)2r16CQ+w6*(-;VT#rSlQhnF+I#@Q@ zRIlXldMx_rY{+cbMr_17mA;YV0<%G2G}u<=lU;8|(4Y$_)s5I-{GjG0#8r4R8ifQl zC%6esyakQC6*oFvhe zB(2*cvEY%%KEWrgy^YXf#P1}dzDcI;2#L`sMtP&g!f6O`}OR8iFFb>P0uM+ zM~e7-K&d-m)Ey+Ta8TYkL^wpYtA6Y0OzL5kdf22MA+c~oQjZdjnxe-DDWzPp(gBHM znnVW~6vqi7Yqy3F$ML=}LKzq*GB84JhQ>*up`376!h%Y@4&^-3nS zOQm+1)T<;Gu1e-L!ZnlGO}G%ixDvqV)-X;5Fs>6s)#(7n^}aB|0SwpT8yOlB3_kK- z0vI<5H#Cf!0^=6p7V)nt#61KtdPLCez)J9M1bI~K4ne|qq}#iC_O8V45$>73@2fge z#ODX(io^#-;zJS(59OstghwXzaVGVNg7L&;J|(g6R5G6to|(+&g!=)E#{rDz8ph24 z#tVX|x)s29p~nV0A_rgh-x5OnPL|;Js=v3?=hS{j%BMPgbidd2wJ$II?~c${gq1x+Uk&IN%=UCN xP<2jD@3*b3RyZU#ezZkj+8otKWvZq$JKgP3B>iO@Er|BVr}E27?`)%g{sXnDAFTiY delta 2109 zcmYjSS#VTE6n%GQGC`u4GFV!aDbM{uDa*1-HlrWr&6kucVb8`6flLBqgRsrKfteSA zU<5+d$SRAn2LcF*vhN@fW#2LI>%ZULUKmpKruyE~r*GeL-ka`!Tf+afgxfp9)Sm1N zcXWoSU`pQRjfsSlABgwzg7Ki&Hy-wScZ4b^KiK>82*r3HKEc5BN0l_-jX@a1gE5$g zq-)=y_gmL~+9%!p73F-$1;IiTxS?U8Lf84&aX^yws*VnD9R3ncdRie3?9&5t1>0Fj z(QKhnlnc_`71THH3q>D}{t*vD{3M1ad4%3)eRhsF5+ftdP^mnUN4X9c$$mvW_H!h& z`;Ervh~x7ZsWQfo&@vv2F&LZTaTw=*-PX+GFs zdt`AKSqKktoHr>yi*j<@bB18$;5U%EFgX5A*)k+S}N9pUNCiA*#QHyzsUdwf2WxbeD z?>d>!W4;?gy)K|sH=xGkw&nuVDR?0o#0e~naU&Xe5gK?g7Gbf^OVkkKrC6%6Wmtk` zDUJyk^Er;VXz`laLn9h|PLSwHkk-4LB*Jn^@e0BU(wdWGcqzq88J)8 z5tlmu6Y?f>xY*504^`jNKMGIX`M(I|9G`)t5)~$N9QUe*O+cHuG({I&_ z@=sRlcEUETb-QTYLD)gOQ$f6oAi*x_@@E^x_!oja3foN(c(-)BN6+pNY%gK2>3g55 zBSn1PuN3Y#3J;J(I3R1hgM@>I+LoanQq)6+dYB}_VWGAY+70svVV^al&6;sUo3Y)R zag-pcc33lx_B11yG2@sr!_yzUfc6{z)tYgfa7>$VT+BE@I6>T@Anqhc&?$m`vr&wH zC&;6)lLUcJO1G!<>?y%c6Hc4H&!{?5#OJe0;aO4W$w7FIB*Zycbe?eDP%mVt7ZvrQ zG2;?RgiFG_Ot@^AR|sdU85gV>SF{<&tr=GdqUwY-xhzVbt)X{AIsGuAqp^;v@^ZSC rClXFDAoqQCI-a7>(jPR@_}sVU-_N<|1^LM_oJ_}k`X+t3iFW@F3U)Q6 diff --git a/dist/wasm/Hacl_Bignum256_32.wasm b/dist/wasm/Hacl_Bignum256_32.wasm index 3e0b1f72cdc53751cff986719649b8c477deb9ce..31bd866e0dfe5a127efe86d53e7ca1685b4fc6e3 100644 GIT binary patch delta 1236 zcmYk6$#2t85XNmcO;=H*R;VfmzTr@TI3Ts9`}Vr;>7I1owUhKFzSn)T0^P6wRsLhDl1Po$hTAhBbMxXSsS|~KQMAZs*JX z*SgVd_uoxD+`o_e_a*hOuyXqEMXyi{>SIb@yybrMp+7{8pZP7^Y!#3A4pxigfbBZ+$;4ED0cBd+|$>pRM?X(wTS_0ak1U0Zx}4 z+J|I^9SG0}a~h8s)@L)C$kX7d}Wow5yj~N+Wz+6lk!2+9E#G-3v3G-Nt zo0-9qEaKqQU}D(jvWpBRoUYi^AeL=vkf|YrTxu9A2szYn5><1ls|hHF9II&#~22G@*=A7vS>F83WSo%>uExxsLI|>RJLO#tz=YXsfOZfd7?_Llw>kD uU+ub}mw$6IKA-Skk)|DITR-1Cv|7&wv(u5or;yGoqFYyQi>#}&7ykhymoX;* delta 1080 zcmYk5%WD%+6vpRH9&J-?3N2FVqTh8<6j%0zb=A8OihWGmv`P9-)8{08Ow*>%WF{4* zf*>**anofN5)iU*Clx^uSN;QnYr(Bs&z)Dh7`W%mxxeqb=broPO8s-Ce*7JY|Erx@ z%Dwk5EK9kimSgrkFXeH|?NjWILGU|yDI_!2cHOJ1^q1-Gyu!pJ%Rsk)3s zH};q-Sd!^gELWuwtdf~EtOaJ)v4S%Y$qJJ(%QS&oH}%G|kRA-TBS$%sJ_o>}qzq;;{U+TY32V$?)H= zOH1NdAlJM5?|f0P=o+poIpxZWSHo4Pq8qqD)$UH|DYx>{5vK+mGh8md)-BEcvk z5G|po66Kr?AfiI)6fda`azD6A|*yB_rDihJ=8{Pom&ZN!XDOzXtlo$}H$?ERdkKC~;R zIpjc49C3H~?B%Ki62>O3S#g$$E79urBEb>&0tu$;63t7x#O?(3L+UaIFpyV){Gt;1 zMHp)icuQl zXOh*D5NxSJ(}iIfRv{$!a9ZUVMojFTFpe>up1`xbw!;J)PGYiPn8G+FwITDTFou*_ zrX6@(neuz_yns&m{?mp&gXe}m!}M9q7U&kHG3(JYOt%c(_Thm7{Dlwalva26c3v9# z99|gu9MiMN7U=VMiL6I|#q@bYf9=zQ1^OGG&MEI=77Tn5Zw!2q;W^}d_yuyXfSgBP zl8ko@epw=^=PJo_b;6;y+*Q*Nz9(9d+@lqf+V2o&{7ZZ%F``4y;yr_Pe^w>lNh7i< z*MWWSx=BY$n4+w-Ho>hG6A zLF^CYCpP~z?hfv~pk$JoaR$xq*74I-Eoh-uw9-ZQd);C8PeZlShBhTyg+Lp%D?#C4 z55f=wp&ligI2%A%g;EJ#QU~OA(1{Lo+SH{SblFNK=n}ecDMQ`pR*lQlgC1R2?L2>Z z=lLtROue{5cl*$bKAZaWD@j*zRY%v*k82qk;N*Z!*Ku7l2f5ZDQ*9bTI~3Ykl*Kt^ zV@NrAHDoJcWvq<06V{@_u7$cblB9Skd{ zKjc7A6j68W=*i|7Vn$9>!=kJvs>Gn*j2K7U48$0(J(^8rk1?8r)IO&$RZ@XcP6>D6 z(2=IQG_9mIdi`OwPdbcy8c%hC6V4_z5aV2g9f0ir5=iROF`hSJ9GPM8z diff --git a/dist/wasm/Hacl_Bignum4096.wasm b/dist/wasm/Hacl_Bignum4096.wasm index a3db37774c90287d829923c700de1e0df1b8a2eb..9a09191cb9b63e254e61057cc02a56ae4218effd 100644 GIT binary patch delta 2068 zcmY*aX;Tze6zw}Bqn4>MDXfadEaxVvREXcA0xAmK;)05R8wf7A>wpWOD9X^7nO36F zsO^SJBqpe+xFMRj?`uA!k`Jj$#jVO;U{xylnET#qM^e@B?mh4HefOO1xqabP_{6L5 znZDgA-qEjn-LI)F&5e!L2cd=@Znz=r_GyT?Jv&{})^i{R@*oW2 z!T$QTPuz5*J648eA)Pa9i!;MH$h2=*dEIhs>vMrg(jJx3G|S>4u-+s?F$6JG;G!M__~;$k|;B-uj4As8=sJP~UL0lBZ#U;}&&u1>#~9 z`}WoM{p_c`29==1^jU0E1s6-3#kMv6^)o7wOu9sgoT`Kyk`nHg@N`&8d?`wuP|UGn zT!u29fl{7{8JOwuEVaaVHfF1=9J5fK;5h=$@pvxgYHjmShEk8`i}v|i`vT0zf&?$b zLcPDp>@Sx6#d?1U7Gp_*qj`vGLIviDIkLS-J-s+8R3;C~p*UA!I?7brmAn*|O*U03 zHM|Vd-z3ZR<640gSgNQixJsO?79XnZ-pO}$ncWT5`evoL2Fpzz)LV%v1+PMlxPVnL zu0<`cMh&mQYOL|NPAxHBi?u3ShdQiFaJ_)_9>)+99o?I_0kx>{>D`ZASv`)EXo{28 zoFIvipagpakF@R$ga#x0D>BMAs1>V>^o@j-s8xchu#wanNTBHJ*RF|@GNP}Y`I=DW zDlMA`O{COpk~eQNVKebJ3gRsU3AT{OTZ1UZ-xB0f*fxT|+oaR&dUv~EI|w^W&%UZ7 zMLgcA)a^9tc9BHbCHL$m>?Ye)Kk_|E>Rv_NYpBg65t@a%kFd`a-B0k9a$)TWoY=3O z*hI#P0|b$^S({LW16|DsCCxaPG$Z6D-S|%2P-Yw=9MonU5;Ix|EyUj|hz}DaI4pvG z2%;GONRUfmtptHvrQ0KV_lRIe2}e!e$5b6D;&Gc&*k%+SC%A2d<8spp!U;n?nWVNW zYP+GHB8hNHn5PM+4f71)SYXDG86j6;DLX9=RJB{1V`S2Mza8Lq|Wl5PkXyyP8$ z8RrS-v>E5cj7~x)@dX9(MS=tuMbJ+{6yu)>aw+T*LEuZ$?Pa}tS+FaFE2i(Os*V)# z_!_w)@tTo%og~6_x#t0%($z~I3JjC zk07c#12gXFwc1`N)3o~k)6@*pEWS@N7w${-H-kZ?!5n`euBkLI>|tQoBf{JRyEcmhA_=W248Fd-p&q?J}p{Mu@U0>(?OzQWe2^|Ao)~BXET;JGe gg+uaDk2L6yGe=}9_Vs`JXF;R~ddsiNxBvb7KLQ^hssI20 delta 2074 zcmYjSX>V0k6urBTQlN??5L1nswId-AzZeTejEUU$jmS{umX>*bEn^F1=<9vuy$eMU zh06yS1rbVHN(+^WGL;!*o@WH&FCbC*rhA`rc{I5%XYX~^*=MiyPR?m~8EJhPY0k-_ zbuI5@Exq2oc2gqZe3((y$%|A)ydG5@y)G@g@AZsy`7BCt&c!Fl4X!=x)44DDazFIr zyr8=7l1YOo zlp?x|C8=hwkjKGM-9;#hX2hdToQqM+<59#DFdh?po~T2dCt;FilQ9vKQ#?h$DLzld zR3mE|ic#eAbP+S%$ew}en33X{m}%x`+4Qd{;366fVoOtzzfC1GV!6zeJ6b+=D8hE zW)`dBa?H1RSZ@&)D!drw;sO@OxdIiu1m(OGOR&`EWje%pIhJcyiDjrvaa_Q-&sC@r z9bOH4s6e^T2@)*{GFq!iB2-g~R}fZ^(VHa8ODQj9c|J)5UwA7CD=lvo!L!CB$vU%2 zM=ZA1)DRY-LIp2G4fXdV2sKjd^^sgnX`Qjx)_p@(>l(spQnhR3P_8AcCH__+UPq8% z9r^rS7{&Q}f_#dtCkVV=I^AGqHwYFGg12qc8?_Kt2RS*tJPl-alj_`Lb#5k!uvu1b zA#AZrwh}g~Fk$@=3f*dit|6;*8$p_0OIGVPGlo(#(o(mlr3z;LRWHUrhFW(Jwi~TG zMC(q%PU4>w;#~v@c1f2%hf$n&6Xa8D4?*BP(rvAotrcu9VXy7GPU}b!pX*g&y;ayi z5}`rXc>4(ZEVVIB-LKUBmfA!Tp-HICgl5Y;K&T7NXbjCbV9eMNnsJaIs&u1asznn?orC5>}>Z-zCdyje1}^KK9Xzaf%tn(3PY z-Xh$x;%;jpsp9h;wc(Dn;VwypyRzmU;htsQPct7V^MPePB#H1)n2!jLEb}qpc4*jr z`qW+;kBwuOLdTvEMAqfdu_tC!#WAr)AB7@w4?ZP4CH|8z7V?<73CJ~^(e0!6T_;mt zpJ#*&elC{q3-$9EwR>-#ljc-n9-SAazR6`#@Lxj?4Qc85S7rC?E7ggF6UmTQJ}YSW S*ALqM$%=GBw;=D;-~R(>Q92C( diff --git a/dist/wasm/Hacl_Bignum4096_32.wasm b/dist/wasm/Hacl_Bignum4096_32.wasm index d937d02cadb5b167e7fbcbd852dd8f020dc3d18c..d9692ee2fcbdf0ece96fa71da58067427ba90b80 100644 GIT binary patch delta 1224 zcmYk6NlzO=5QV!9SXht*i5wDy#4AOL5^;#czC*L`X1CeFn9VlJc-X;=xkR}|(cE+8 zWQBwukXwF6l>CI8gOpTz#)A)*=asv^_o}f@zi%c zcfS*TQsA#fjgoQO+I}0TMJ?5#j_U2N+pnw!G$_#^1RAJO32G|nLX%3%p~5aD-f&s6 zEKJ1sk(wbMMGKnIVp6NJ&}u3fqc*gnElKTYS5+s}fe!Yg&iwsd`TG^Rs2ggPdeDs? zlX~@6ochqGRX=*spQHgU4wy8ELCqXuuOX(IG>k@cqLD)xTlQQiB&7{;95$7q~;4|4Cp{N4pixAzH5C}GkhBPO%$ zPGJ&LNt(vAjy8iC-R>;L!5=r*tcjqLC8)CmIZOEqh3xMMn!~8F`U@>Kq!2>(@9Ih$ zjU{zqgq=_!O$>3SkP;)g>j<;rNC>ls?$TMLyBrGBJoJ^(0v0mLmq{s+Nzoz}6*3=g zl{9Dx^H{vq+m>hS&i2#kwwUVk4tNV3UJvVap4$jVQLVLDsRYO}Dr)ySh3c+_N$$|aX-I@BX1 z9qJKNk8$ilPhjHMg`Q|=L{CVB54wo_D1zVqyBmnA2SKNN@TcmZcszNQ?ogg#m4$10 z?pR*n%(1*+%S&8(mRC5(rE7VmEqP~*PW9+aXKyQo6kTHu{LZU1cvO64l@&@9=>fIi zqqO9BH|f2EM+`9ls8gywIoXqyI+Zt3XI delta 1071 zcmYk6OG_J36vyu!lUTKCph7_e{}-XOxbsylEqFHtsgL+h)MzwnbY^@^qVbhvCelTB zrObzLQ39oYfG!K&b=6&|bk|isfY6>hGZ|eB%sHI%`~UB`XXf)Q|8mPeIWhk6x*GeL zZhHU0aafyHS-jraY;9=nliU#f=taMKk$cuSfB`XxL3et%A7Z3o6eH5%W06tGo-zhb zVZ_wwRlERmf4}T&yO)xb>Up)>NJU&1BQAzJ9u2G7aXgVWh6)zOEivJK&-d7qn3QaY zkdtCcGLayq#C;`3VW2dPX~_y=h7dCaMV`eBX7geWbF#ZA<}t61uz)GhLvj`sE) znBM>D^D2C7z9HAIM zPn6ZHTA1wJ!nl8o*32ml{Z#&AcT=Y@*v~U$Cc*>lOc!R!gZ{26?4Pe$xE)# sUQA8yFQX&MS~@Xt{lnz(rf*gH187>M)x9abZEjb~9mfO2U8DT1i$6vyZEl|oZBD3}S}Zdy#Ysb&-%7JAq;WIb;&fjo(qVN<%(Sg{rJ8_ryIwHR*s{1e z=xNdd&C$Z;48Ma6*H6>9B{I-5%B|4KZe2BtTcfqylQW-fU_aZy51ZS-Kaks^4cfZg zP7NV$kM=6-fOhB*<&IM9=yE4?@|t#*yLFbfE@z<`GSN)76_Hw|i!8sRqAb^MMWT_Y zGL&vpfYW1VQyVr=LhgchMA6iZpi6|i#sOp_TLZ}EZUP`j0OULafRIxQpgX$zEth*p zmmZ$yp6G#|QSOCa-u8N|Y8E>cNAy4lx*QU{&D;vzUt*qK7lqZ=yA>_#om2E9j zww*lg2U6Dak?&6k`K=Hapn&@$p9|3+g)R?JLx=}rpvnee00u>QuoMToJOo2LTSHNR ze3yrb?O~qn;TVSDQ67O2-uy^CKT76DdGi5`LLkbcdttOE2x6#kk?E1@*+mdknLH*x zMR*MQp+IeW3>Vp?xR-%!`3WjhJQn?)CgTL%`1o_1fC(s)l~Vi|6L_MG#e$|7mQb=2 zi{h{FSUVBLUOR=N1mkpW?l1`xRe3T>1P>;MxD=&41tmNcQ!v%#X=(^@2qBe~VH(P! z>|lxm$K@~~OrFPbLMcjIo=)O(I(Zx-BoQJM7~)tp5HsV|aUFZQMvOK}NdiQfNG)kwOyyi7S= zrkyS)iLhMOtRSq=%9U~DDy3Ydm8(f2tQO@O!WykyOIT`{tRzQ6S?fWWPnya)g4kMM zNPMBNtTV}%aV!aOEbHS~q-NfSuMCzAg!LYl4T7bDP(l2)Dsd%2f=WlMZPcL%z9Gm} zDYZ=mDQ}XES9!BlQrk?}tSxL&jiigqTb0?Z+Uz!x2-{@McEWb8td1*pDCG{V+({B) zrzo9Wgk4&?o3O=jsaB)BE4w``8w{2`1hG|NNPMfX>@mrAaV)+#mc4N-QZrb-H(2%& z_Ig;HePX+YP(%EKs_}k;1pCF>k0uK7PXxJC?Epc_2V~<1z1f3OJ48679UNADq>0N% zl-VQN>`{^kM`g`1!ZEEpUaNHYgp!`n(vu_+PKxvt;gpu1CLA_cjvFkeJuLeSmNNvg zRbxn;RanlL>9COUri9tR`a`2p!(@RdCr^k*|YXAPu3sIFC zn7d#YUMqW2=_#JpKxC*9}sRBmUlEu2M;`$ z7YxjY1hI9|@cUiCd}xwC$nzc$PS3~rr{+-yMJfE3U_@UK5^VV>T0!|f`0BsX$hPXh z;ztA@KNe*Cq@7~^NE*gJgpWz(a`vmQ;S+Uloy)4{-ZrHXx>i?reDl?mqvheSb%p6vyXfLqdpUp`cb_LH%D@9#rWU4WtNHX1T)6awjC*1Xz|!B!R$YHtY_k zB5{@bRt%uw3a4TKxo=buHlv!Gr3kx52|U~ytI^a zo692B>+xr4jjA@KrM};we0d~dy_r;6*YTD5oQ9<-PQ9wbE#LFi`@m0O&cM6Ki2vKB zX<9Qhx;fL@Sav#$Xz0+o6*0kxTc+#`ikk%H9bmh}QPu0!eR_Cd>AP!ZyR z=;3z)$qp>eMQ*&l{Z>XE^7IaKZ5qe9vcX*2>RR)3@+6a|gFLyRvY|!FvXjSyK+1ML z^8HC+zZK>J6!2i=^AHTi5SNFlAe z8ig1g<1rZH&5zadL75MF^WzZ2xEP1}BIF6iW0Y`_>9Oj$MKNAw@`(Ht@FEG?*Ud5|r=^6!T2Xz)Y9JY6x>FN>%0{3@64Bf-?gVa=DC9 zMxMi2gc20H93^oXC67XkBtnd0>=In9n{9M+lx~jJ%_WI2S9J3T^R#Y0VHRm-v(+fj z=Bp9YJ!%dwAWTDvCh##~Di)AVJ|P&-6s$S73n}3{SOfM`S){x#A}l23evzEqazZ)r zXR5?;f&_7~`MHV0`~^X-I5{paCP;m;?0Shey+njd2}||2mFK1xbVz zvSuY=rB<#=C|4`xYOP#D5@C%f*AmuhY{j)oL8M+sOGg|Cx`eV$&2QqEcajLdi}E4ip;kU3+&1Ly%b2O&K94+fmkqkd1hI9+ z(E3B6du)``%eyT4GFU1Q7|MMT>rh8TZ diff --git a/dist/wasm/Hacl_Chacha20Poly1305_32.wasm b/dist/wasm/Hacl_Chacha20Poly1305_32.wasm index 57b13d122acc1359ed36e6b0bacc393afd4bd45a..eb45d058f670de2e077ee014b939dcfe4bf2427d 100644 GIT binary patch delta 68 zcmV-K0K5O~JLx;H#{vP7v&aJX7zvq#fPer30)7^=$Q!2t3Kbw6K>=$){{eB6eH|?W a9UvW(tsNN)9zg&FK>-UPA0Qu-(H$H|@f4o` delta 92 zcmaE9{nmQJaVEy8n@=!(m*AY+($K)b#8fA~`GoXxMm`xw#%#y`jD?D_3Ze?KlPhI) t)#ViAfFf=nQI>iI76n!XHU$O+Mn^^gE=74q23AK#ZbbzJg~?}SWdL#=7_a~U diff --git a/dist/wasm/Hacl_Curve25519_51.wasm b/dist/wasm/Hacl_Curve25519_51.wasm index 0ddac4a401efa55adb1289142bf33887f2593393..12a0dd5c375c47fdf0842e4043e0be5386fc7b75 100644 GIT binary patch delta 65 zcmZp&_-DSspM~k~y3K(se?&PyHZ?RbFfr8$ZVr^N_5%Rr&J?Bq delta 69 zcmexo-ej@CpM|M${pLWHKcbvpn;IGzn3(E>Hit=xF!BjIGG;seXDn0{QQ%P!nOq{R V%P*=R3KVezi;5|TP2M2w2LKQr6qx`3 diff --git a/dist/wasm/Hacl_HPKE_Curve51_CP32_SHA256.wasm b/dist/wasm/Hacl_HPKE_Curve51_CP32_SHA256.wasm index 000976b0d7efa99286a8a02cc418b3c1e56f1721..48ad5d97c3492949fa30acb4c09c5c634bf722db 100644 GIT binary patch literal 21294 zcmbVU2bdK_*6lFBzz~L<<(4QSh>}$dzpZOp)>Ri>-Cg$|M;KR!AviPW>bfxGU{0uD z#w;i*pn^zHP(cM1K}AtS5JdsSh=Ko{>Zl*0ZMCxUNI~s9@Q6gxI7`|I*6RA!QZekg_3xS6p-kRxn`1@ZrNMtDB|TCFhh? z534Ba+uQSg!=zVF&;JdR9(}zaZPGMNgg7oKs~qNqX^WgtN-NI)*U%D#Qjj)jk~2wZ zMa8gzUaho2+q8jQPRa1nfrHBid9~A)#c9jx%F^Lpo%C?~^zgv*$_5TDIcLPV=ayBL zRGoiGnOE54gwlZ(CC7}Yys)fipFTYfE$P#v<1f2Ps>%jdmQ|Nj4=Wiy;+%@}2YPig z9NT9(4lJ!GtsF9 zT3K@J&_U;y4jo!nRaLL5dRS#ykG{CFUj1a6*6C@6mku42%+jD$9L#y812J*;Q-)Ps z+@n|bJ|(?+?)z&4C8cGhgG$PV4y?R*c(vE?|2x4TY!xSHWV5y2pwjBnk}9mIIvnMN z$mANYpty09rnM)q>5uXvuc*#k7GbT<@rq9Ae{6hB`t&F{=9FGNO9q?}VQ+95sz(ez zy0ofnfLHu`P5ul^M?_7fsg4Ma&7?7-YK&%cM21%vSyK)nvZirluxODOC+mx&!)Qxss#@W-HDYNa zZ4gV_-w{hYX=h_;FKrkLm$nyT!K;g<9fuH0I~Plb#5f}sk#Aw zU8*9#T%)eiMY>k%<^gg*ROdq7>?WP08&*pooiN)4Y{k?Ea@KOSAJ{XNc91q#-K9G` zj-wYcz^{cuQ$3`I>M1?rq*&~!UeXI!p?AFU#a_Op_mMvKGW3;RybQfSe=ru0S9clu za0r*7kGl+qB*q!B9x8oQKk?LI(oY>8i8=!F9g&*va3Jgfr##Fx-P}j&E(M3IefS^g zXX~z99VJJpNJ4eAMCuq2{Q*ROND& zG2YR;M^H<2X%DWgMp>j?)nbUR@jmID|L`xH$fr7-z(Bh73?=%9-kK^0#Ou&n?XP zceIzG?W6qI8?GYaDn%hf;SpEjKTMN?w)5=?b=yqG%q7E>yv(Pl$;4%!NV{7s1wst6ou(dx&=9Y7<|3LqCRh*$a_?DC~j6`3tASN}yO zjYPO3Q{ny>$W+RuuIWM_rMnayvMQyw{!0f_IxT#wRvB z@NmE}jWeBa&L$i0%kgRg$(mZSi9Skn63Hf|$tL>5h72AKII_v66VBOWQ+zo^kfBl~ zgNuvQWiZ37K57s%XQ#*IzFh7{yKo(N39ry-D-bEJ)QIWJ%XpPWOwJJKYK@rYOxtTT z`Vfd$^IDCV-b~%=G$KPCpzEDqAp&rnU&Js@|>L!i8#2B7a)XhX{ z8iSnfN9#Rxi!ZnM>Q-NF^-&kM#VbcwzNO#p%k40XSAGXwvHh3>litb8!&v~qtEBrhvbA)-Mz)$B z(8$))gBqENdPoCXQ!_O(RW-{;Sv{;d>sro7d{owKu5@;KrH}Z;CK2J{fLr#XrW4NC ztBhqo=F2o+J+A2*TDm!Y)IiN8-P|)k z$d8tIYOybinV3t^&yrk{_c3RwFH2zpI#vDgtE=>}1S&mc2 z6Txc-nI6_;Ig!XcdQ$}d7 zkV38Uqk3w!FRK~at0uI1@zu>f$zJp2H5c0J^kiuG>!~#ijV%`%j5&_bUQ0rIBgZKt zw6&yA>wH<~t2cdlGpX3OG_n=@wnnyM*K1@e_8odh1@TJC)w{mD>!RMEfyAfpd)lzJ zHGJQf_nqNJ4e%y_tNTD37FxqizHD-aA8HWBhMQ@<1%H@=d_%{7nGX#g`SOvkA4+&v z*s2jva8B^CMtm^gUEvdr?4!&!jXuU0?+Tx4WbX=}IZNIZwrj*Y4ets&G~%6xcZHoA zk&kzU&z&Xj3SSVZT}<3Befg5v@s(Lo-o*Xdm#<+L*VH%kWOm@Mr@m!&u;sD?#vDg> ze4S*+cR5ZO*|D1x>U*6XKXBq7{ivP#$(Nsewa1q|jI{=PhTTV3zU?0!$Y>bG!Hx;w z%3$%=Q)2@J%a#ik#vDhmqXTz{jmvS$2zERv)Pz7L1ZrX+69aeinWT|T<;fb^RGy-d zP36lpGB=;gHLy3ID>O1UpDP0v%vIz{9_y|SP~g{aHP>LNZZ%g2#O8d4ivw8+Ahv6{)GDo0_J(As{w%aB;xV-Do=DoK1IAAV2u(W=+@5 z(oLiBbka>v(@hJA4INw@aCEnrPB>@N-5Ll|jQNG_L>}Qm?>3mSq|Kc@yQFUqNmb`Miv%7?kTY`NTlF~?B}Gm}bqB*!Tu zU1pO)J<2H`3!*ksP_7;iVI1ibbY-OY>!~Lh zDO)a57;_wv&PyVFD#s}!()pxN3j$dXsHX#YI;q)(8rhnCMk8CZi!`z|yI3Prvr9Cv zHM>+JQ?t+NnthI3NzE=}%`WF^mZw*4bAO-OGX0Qm<$>eq_fhp;iS_pjMM@b(#&`z=jPj z4mh?~O(&eQ*9Y+!xB#TGq-shO;gm&RSd- z7Y9mTO9?Z_jbc zNc|n8P&)(J8K}<#`8=uWFEp}My-Ooo)n964tNJUAOjUoafvxIqG%{8Ft*+|t$dy#} zZdUd8T+R3C)$B%Ax=Rli2i&Fq!F0kI`;oD<9|PGEsGl^QtLi;LR9n@ApsNW}o3|$* zHkk$&2OQn#Fz$qNHr<$zcjB=jSJ%=e_Ba}kC*Alo-MEn0(80w4M>oNA!a196VkoQd zRxlFqA&pSglVHhI$Hc#WqnI4Z=-L;`y3&S{rucIqgjX5ys_1qPU!80CJ-ag*)~?6tT#l$%5MpgBz=o8Hqkvgv(`MmD`~)ySmxZ5r70zFi}e-gkt2 z(7aQVx{o>T3X$G3xYQZxrQQ`1n*@N118&`Sn@%`mvoh9wPbgP}>RwIfKHj@8j6!uk z>F!U{-4_xYI=DFC=pHbgaL%TCFvLAWJ*4Sc*e#tI^7DmRt&EO!>z`c`VeQWqWXWTqAqB&(Y{R zlk#(k)I84ogiiSK-P!|6@<(KF_m-0(PS(>E$vl`iye@-Kt^2;=`DZgAJlk(4N zU{n4DjZDhFs8fE0CUq&lk}3ZZm-+NWxlHs zD}nKB(8#{idQT(1L*ui|`x@~*8Q*DbbYuMR6B_{P5&MBDI;*ZwaFf zcoGWbqfl)PWh?9H<9I#j%D13TLiq%SaXoFLD|Q)kVA4-{71(n11Y?e)o<2$H>9ZWC zjJ(=T3biAY9U;D!NqBU?|qG_v*drAD@%zS77(A!%Ui=^Ksg z6Oyi{?=-2ar`@cl@43|P(@WhQ5}SmBivup-}p4& zxB_Cs2OkF<-vrYM=WM=-1v$5ng1DY=nUQeyQBRX{#|zcu0-0QJw0AIS%u`be@IiVl z{D<$d3IzZ70bsI;MGKeLXvNE9t9Yp!iK-{{@+e;Fs6weDg?&Ab(iol7m=)Pv539%Y zZnKNnjeRbP7i)~bpUhwsFGbYOShY(7JP+zm{)HMCR2alBJTQLwAxAQgDwbkfU5%w7 zqiG1DCWr{HE}~)%A);cp{Y?|&WHzUCX(q+0Ip%30zG{h$X(g=?PwU?i4|Fj$p0?78 z@lY|-4)NgC#nXmEh^LKhEf>@L&#IpDAh^3=+w6W|Xim@onu`go5 ztBa*0hY(9g7fYwaI3t$*q$7ke9iY5v3FXcHn6XP7i;rpej~6Z0NG0B?t8|5uB|ZiZ zkglp5{0>AU2d0!a9e@xC;!p=cY~w(8IY_$4%9|cg-t?%l%A20jLwd%_8z^C{@}{?R zlipY@l{3-}v!#?beK>2mIuPthaPG4A)#mD8IT*gV%9}&v5Ot^=>XbMAq#v%rVe!fr zd-;}rxEyXT!x50Q;4<_B{gGHaUfpFloI|(_hr7!_{fjZqi1jErT%j~lkG$0K!40OtuQ&f|g18Fid%I{p)N7gRBsd-X@@pdf%zf5N;c z$w}CZKmU%DJXub*dvS`K#O0lYIZj1fcy)VmGKa7iC%ahwk{D;~#Q-^3orW)DPnXjX z$6w<(YUR5oXUG{gjx*(S#&J60_#5KDtBd0d4k3;+TpWK-j5Ff+hnxX1%vo9k!&@m2 zVv1mRBlXcPLEDOE&X%*HFb=U?l}f1%=NvR8HXn$o2E~i1lW#F)Qs&+hpNsZJL-#M! z&&Q?n(6-++osTx(C-cTrjOL#`!WtLDzCoqMw;S{mev?O-z$P#R6=|;NgHHn`AoSoJ|JJOMf+mWbWw* zvKCR7lMKR@WM!9Wfruf42L@x{$gVJ*aLy*X(wEZ&$toAgFnpSG70h_=Zjdiipo6(O z(a%5!17!6x*J{K}X7)k{gE9NTC3G-Ad`xEsLk9z7zbT!n5i^}xe4|G8YZd5Vj2|EN zp@RXk`k84OS^dm(XG#4G1TwI+`WXmiuJ*M|M&0gHKXZpKci@u~U+(0$ly}7|M_0b3 z&+ugi4C5mLT8KNjLulrQ85t0%<$FyzTA(Cp7XW< zG8ps)aeU?KL0=wBzKwrKBU@Gw!eGo6)+~)|X+5lwDK02qU}(#0wnnDFAbB}UJ*GL` zyMo7AVsp6CIq8)`!vbs)5iSn6M4W3n;f%e?SoS<$Zu8X>nvM^B+&2hZq6X?I(m~sj zY%DY^z=jSk4mi5`rW4NDbPIgkTcK*fhPJhAP_!)eAY}m^#VqbRF4W={LkAxW{;bRv znNB!o(=GO;xttaW_?TgQU%dpTxYxz{nWeG(CDzY8>+{XYbG|&s#9RhDmgJJW4=WJ2 zEQev7n9tJ{F=7sc^8y#dmRk^vIgZ3!o+RdrIZhc@Xay(80jZ-W8yO0kU_6FEq0HnOz$3PQ$wbgfWJX9|3*kEcy2NYa;ax6ZczRzGZfN zXI7Lqad-Q&8+LI`L4feB&JO(b)DO%Kwp@0=nB&Nf-AQ)*nB$aemV4&{rOa-vltFgX zaBrZ2X{R86852PEB4hcj-8l4P_tBLvl_72!55qWEs3gY1dNAg|oD=yy7h5h^7;_xK zj!(X|g9s+&lo2d+G2;UTJEZXV1TTC z<{pi#eg--ij9L8*bTB|HTR!MP2LojFGY@FQvgLywgfSSi4|)$dOO`aGEi(c&D~JTT z7kQYa@Q8^zZ`nfJG8=YrB|wDmFgFZSV9Lk1yKK2ifHB8W3A2+*cs$1`qY@yKnH^}6 zjDi5BjfCY2@|Pz9$X?`02KrPSD7y01EW|DIU8ImnJgFnaUk_RrM9P+n6viA!r1O(V z7v?x+L<(KZ{6IkuvnWu|!7NT{7D5;xTeA?t0NI*-RwG-pkhfsW)a)`1Y|Sp$$kZ$p zFQ{3_S{9{h_C?n03a(~FdNt6n0Gq6aivzBRR+>&YV?Q#M2F1&)Kta|5I#;u=P(QPZ zbgR;I5U~IoI=DFC=vJFfIA_znO05iJEnsUCU(|9+T0*skY-`eN=ms`yaB;w~LB*mw z;hfC|&C6UK5|IZ&q!CJX9TYz9cJwAoT0z!=F5Y&S7|^#wqSiB<_33b+VF5Pbz{LR< z&O4?P&e`F-%W%{NO{Xl~d!&1xbnmC>plbm(bZ~LN(Lvp!JK>y7_W}BOI+-V#?9*ve zAe$2X40JF+n^E?>KX2B^>SwlSWZ#B<#5W%FJGE#pRDHQZD zUj_;~n6Hwmh7bnGRyBk$K(?yC)yP&g+^rP{uSfIv)q;pk0HiUj=TnM^xVQTZBVF5Oo z1{Vh$-FVXp=WMzO_)ZCGU`^-rGm~gMnRHOCB-d(^R;m~}xL_~_j&6$SgmX6CWuZW( z-#ij54{3y|z8scJbcV|ic%?>GKXa8vJCSePQ3z$A&$x#4kie|NM=+sW z7ee+T*YnHI8)7ze<)eeRWhxBg42JmOdRPy}9GLVb?h0EjgJH~ZWboAF%TK6YQcf8e z3?aqDE9hWuO}_lRO(UD$5W-;0ruQ8h+4P3I1!E??@6y1g z_Y93pdPDJo^oFbjr0!#md--kTeO&5&>80Kq5}O2oivunJ?l+xq#%5)#8;X}}LiM1g zb06WFb5`G!i{3f zr96x|j+9@Nr2Ntxr;JPgEGZNOFwgxw5(dbo z{0fas%0u{qA)E3qX=G9!iWj6jWGx_dDZh#-znV*hv?W>Us*u>^1Y8_&Iq|CLgfliP zW8F}^%nuc0Eud>^b8rn){tePW+LF*g!UAmQ;NpOzTWdPuoJ|M83sN4c7SOqrhlpi~ zr`{&t+iAYHv~tAo!3TpeaD1_r1-U@KtmQ%8l1_OK2Ru?9ml+Ailz$g~%=Ww=L_r6$ zA<@sgr_n}aqYqB#U@&I&Gtj{Ru@V^12O8OTTAMVo`Wfh8U}^O;o81`oGg~yW`WXmh z%$)r21VWh&p_a)gNMJU23i6k2A!IM|DeLL8cs=OKS5MnR*$%_Fo_5d`8;dzG|4v>7 zwp=~InB%CY?MXdB^^$VR$SVk8wufq0D7${HpMeYpeXgFMgZV0{r>`}#^#mad#%w)( ztC6iI$XhUGpO7@L_4K_)_6bSX6J#wQb@lWU>uC>{3TaESRA^X$O~S#&0he$!1#u@O zF_{Sm#mmQ`f~*B}uAasgfNmW1EReP&bdazB8#=f+;ONGiPB>@NO(V~nzBo2q8sEmKjpVmG2}6{mzT%8Ig;Rqo(RuZrl`qJ(ls8snParCDFE052{2dWCpt z-PfxR{Y_i^+)rEa#E0@FEG}01cWvS?TH0gp_maJEs6nK|Gdl0)i-Owp)G0q6_An1Pht2QX?3hlUGu~Dn_!0bIS zd(Wu8`yHO{K$snK<7aNt>nc#arFSyeNA`_@^pZYWC4`#=d&*T$Oq&r$-<;_@_!mem zsSR;kUHq@MiLSUIgg|NDLIn{J_Y*pxqeq>pf0PF;|5DZOXLg4Peh=qh`#H_G5yt)GIz#%NIL%cXx?41}Vv$->* zBQ#z6P{5cvL-v(@ne(0CydOgBES(V|PJ!PHv5VlOi9_rvof%?h%y9rh#H$Oj3x^P5 z7Z+l;#5g0w1EmYZfd?gLNGE%SbjR#HFnf>G8FCO1X2;z4*{t-s3i#7m$zX5UCkE0} zdb=|OzU7KXQ$`$pa;Ed(ug{REcrb1gb@0F1Xo8#c#f?;7=^Kmj(m@nbX~@mRx#A9# tLwKMZnlpPL4w!y&Xndd?#sdYCLVcj550(Zwfff}_&_B@Ub@Yn7{{!l*TBZO1 literal 21304 zcmbVU2bdK_*6r|sfgubz%PlbwL^4*8>kMdJ}-lRC$j4KEv1UKtK59~5{c#ec;LP8l(D=#b&n%~I{sbIPlS zRF?PI-}8RMq*qVR{|%EKeY_xT(lkwkI4&+9KEw;t7I~qRRi6K^!KDZ#mo{mVH%VD# z<&geft+YYgw1Hht>Cm$N1Iq_^wbPa*Y0K*2WkbC>>EZV2;r{29_a9h#&WLl*EgxQ5 zb^gWWUQv@{%KBH99x-D01?4?^_wI2}Y408#ckU{!D(^qMyt=e{Na@fK=Tx5G->aM9 z*gng#e_3VO@IfOgtG#-4_4qNzA9-{e*D5W)5JC5^F0DGRtY>M@-hI5{CMOK}_bJt7 z!%L4EJmCDY!Gp`Is_Io$4;fzGqYtjES3jAib$XhiWrGJKvovTG2XkIoe@xuH-;m0S zdi3hvyR=u&J$E%wT2@{*ptO8&|KS%6t@axJeOfYY_`@LP*z=5T7?x=hoig@ znOx)LN*Xt5T6+SU{wOcWJXjOd2z)#%MN2WO#LvHRTW@YZ^xeix!D-vc5PvjJA}fsuf;aBbGMO z2C=mL9kH~Nb~cvw(uT2cX}cj7yt-K0aR{-rbFp+tj5A^pX{VI5l0d?edTMvf*fEa9 z=VjW}mD)r0h_?H(vSfksuD$NmK$lODE}E1@~d9OEgNl zR7HM;MqQlkb#q_YOYk3N97Y_|@5h-d)ZU07V|m@Rx#}T3 z;Bhp)kOh7%6r1WPJykF16(`1gPwg-J<4W|7S3ln?wERBO$6ks9WPe_Y{Xu^qHUO{g zQuN^vE=3=ADGo}EGh#hh`lv(1Q-{hS>aa-E;h696)O?2lVJA4{p|0uX{)6sPaLC$+ zKguDt_9_%ws;`9V23)-G-jPA*}uc7t3D~-B z630=i(1kr!PPK8ICMPqFlM%=1hy$-Kj#D{=I8JqO{53Joh~o@7Rh=nks=vwKqNO~$ zFz4UVUWB%f_CL^Gj&^|dS#o9+#vxXyf66~?IHhPxY<@PTDvK9Wr_f@~k#nL?4PAe< z*BH71rk`}>Xn%CwL{$24o{3Twzf)!sA{QJBVk1QZGjHdvtTD|3SM)ywd+-m;Wc#k=f!3 zH4>RL3gO}|;=&yXWGdxJM-2*P>r`K+`q8(z5WI$$Y4kY|DK6KD`OE8gg+|QI5a>#cnCHyf zt29~*#LIcLM$B*K?ll^bp$^cs&aVjQI*mTTSY4oL8j+zM(Dlv|k0a^^jkaJ64=d_M zB6SmkyxEW5^VBWA+~TWSeYw>~VcZt499@N$KHZn;FpO7zJ6*B;m;;mE!OO#z%LN#7 z95piCcUR=jJg1CYn?VY7moInWqDR}ehr>#OL-bDHt@{F-6!-XYkMBz9UX5%q-KUW) zr~5Us1@(YNrlcO!z!ud^jZ9fR;KQ$prlua5xsiJmzNmZ%OC zp}k59wZf0;sg=I0WN5FM(CWokSMT9YZ)0Bf<#iX@8}wvo`0J@R85&zIG#GOnp}n4j z_Ew%#Mrf-@q2Bi8ZC}0P%R5QMzN?X~*!MKD6}ws^Te0ucJIci?sZbyI@_~!`Lk%Q8 zeLvEMwXNYAU)DIok2SzM0j};7ZCGRt*ZQ*78Gfok7#psm^=J6Q6y&=){v+6FFF*I? zb6-D|@UHNMMm)he!Iv8G$%J=>^%~h{nGG6!fid0{zS79v6~1oWp=RT zvIE8(M|S*>WXDf=P8r#;jTGuYAceXlkV^tJF_4LYyZKDg$fojS zjch7U(a5Iqr5c%=&r}WU&F3D62r5S#NEE)KY* zU2QtyjQz-1+BJb}@zu4Oj-L>4Z`5@`RIH|vZd#h|x`5cw!NmbbcfIL^b2i-#f&AjD z8#P@!OLr5EZzkQ%X}X&NVnYWP2OQlkrW4NDbhieA6k~p2JCR3t(7O$$ENOFR&o1fd zflLn~mZpb^Z`bH+ASUV^8m$8&>75#F1PXy>Xv6|%N#CUr%a#v%cWcD5Wl7(ok$up+ z*IBZp?;}$82a%`;0(pR?@SushVA;+LWG3w5pdX?qb`Miv%7?kTY`IE+F~?B}Gm}bq zB+n@$U1pI&J<2H`3!*lXt5A;z@_3+T2Qr(1K7k?D?Bkr9|1yuvIf2Z9VI1j`bY-OY z>#3(0DO)a57;_wv&PgJDI?pL1(z&Ei^8%R{sAmFsCaKwHHL^APoJO{0=WAqZc7aBw zW}nx<*6c!!OwGQaYjzR2lA2x2nq9)xEJ?3saX@Uc8ZHjFtbWmS!WsLKv9y;0xj#@Z zYdTl6OM|GcT1L8MX}YBWv7v*D1CDOF>4bAO-7A6AQm<+@es0Grp;iQvQ!B}~GR=l= zV8aF%2OQgLrW4NDY_A9MC=ZFq!)_vtP_l0Xf`>1YEpM`<)mysD+!rd;D%Q%|4Cn21 zIID17TsUxXz=iXU>4bB3IPWqX^`53vcJ-@C_de;~Pt&aqh|TKZ;((+3z;wbno9;vO z^K>##GTGJhQ6L`$?rrEAjXuTp@O1iEBfd!_!zUWqx1npDB~PbMHR78@o=)qC)Ms@1 zJcwGVF9P`@P+tb}C98UU92UCbEy#{*Lm(Sq7+3XIbj4<14$S#AH;XM-)iCBbs(M3G z)f@AiGE#pNDbzQCd=se6fox8y`df``Rd3PAR`qup*{c3tBU9BsXke@QM~zHXZ`D=( z6S_4INw@aCDcLPB>@N zO$=oP-U>znKBN(X>-fH;T!jOb*>Agi|#7(WLsN8f`MEK9xvaM*7RcXcaz! z3FV4VT^Y)iAu{-?m3y39Hod27 zWYYWgkPn)7Xj1nv$DJY4dj^*}BfZo+Lt>KvaB;w``!3T7XKYr+y6+C6+R# z-Wx`tx{q}CrRnYsi47fG9B_2^n@%`q(>)O4o}nJpbS*61%#fciJVd^S(tI;RV#5a? z2OQtSrW4NDe2;|UM_yD?$!piitB-6)uH!Nz;rOA)Ec!i)KfjsskA?DBs6Wj1;PSXe z_H>`E(N>f4PY|g&ocT$e@=t~GRH&W~w_S|6HC^#-*Q63bi1V1v{qv^SaNa{K8NcCMo}dMmFUaX=GD= zu|_uKmuO^C{zVOJ%D<$MN%@y`$}iQVF6Eao<(G4*%hO9;780ABfQthzCtfj~aK>h3 ztozka=7eg6rgJI3k}3Zh>0V3Itqh3`9b6o6bg!FEIA_znp;P`%P3KbnEuHeK$hRuZ z_f|-3_~7G!<9pk5D*9zD@16XV_u`btWk$j=<==%Lv%TO4QSXKFUKo9B@^7_9Yk+)k zzONDABk`8`fkvzZ#`B>@_MO&88u1+(pJmo)#P?);r}eQL3aG}le&7^#(MghOZ_>$)NLWLNjSJT;1cc^(+Ov6R>r!24P{-Z zwre_9Pc=Evjn08?G@feR&er6J4INw@aCBpg1)Q_##^!hn8JFWWw~sG*g&LpZEo1`u zCZzes=ZFm-d>n9mmzYjCXY)-wgOR-yQ$S-SFAeZKs6Y7^3Sm%TP{8oO*!e?_WFA!_CAPX6 z3%)NIs2YN(2_nL)i>QP{h^WMEf78S`na#;vnn{Ujj(J*$uUcYbT1hL!)B1PB196Ov zr>(SNJe19}Lp*qO@wDL(;%VdJX`dKp#Iu{UQ5`UkAQmMGvF!dkV(BOyZ7h2T-mMN) z3UlmBu3(($U4TS7MwI%ihuv>X;4^NK43XI%CEzaV$Qj;Xhuq__-qSR$Zkl zq%83gy=#o^Gk;8Gj{`afU;@aitbVI0DxILuuNjvM2QSR*-1^_9N1 zLMqe|a)dfkj$}n?wad|Rw2l^O{3j@9jzRhy3(jLxoW}r}bLvm7>G+S+U696P?$zZ5%&+EzJJCTB%q9Abr{_Qlv!`XaIU08CXLFJ@=uOhOMO%(?D; z@xRbsW9ZH^{d{CPA8q?>Qw7?5ugsgzK(wuLrV{P-=;x!-AURhJ#_JF$XNJm9HB5$K zYlrJ-WN4wSt&%FcmTDQstsRDWMqq34>bACuL)h9Xx3w1}#>v`TY5rTPpoqB;N|=k> z8{v!5w$CvCLEApT{1&ZT-0UnVqJc^VepW;Swak^i*2<{qT10cZ zFSq046JPG&*Q$5MD@RwMDw*NS3>d~|1OyRxaK|wR*zV@#VapW@j5&^SnUQ?23h7JA zDcMz5GWU`~K?QRkE_&X3188B;7sT;Zs0Vy`Ao)uEL5*x(&D6+N7UVFnw6*oHMy9$T zf5DKguUQ(I3WM(DEcKY?bZ-qFXNk?`N@u563Ly)yNkq6f;1cl((+OwnRmQUC_;Q=C zpl!ht8`>p4MG?)@q=UdE*;oi!fDIj79B_1VO(&eQ>E`*;S3%kWwzifHvX=QC^emvG zqQzauXSKq`(7^|TJCxac(+THnx&^*8m(wBvA2W<^uAhe~Zg#PVW?`&>iA6LoXc5gK zUluVj7sHMvxuD?F3KT9&U>GOni*!Yd(9a;8m$)Fd+=5`taU|xFBr#vkbIQ0vOG%-Y z@hDpE%W}r{iixe@^Zu*8yy`;3N65={X!z?vu7c3ma-qSP;|T55B(&G^oH9atofPT~ zifG>SsCe_EjeC(qBL<5N*J=SW& z+SU+qm`|PIIt`47<}+>RL^PjMW@57^*1s4L&6ntg>LpIW;&|fhy@VKMLn5O2N+X`& zoB(1NjPW6bcZH1_*~c1)VK8PzG!Vl8*}DS7FhKUM@U2ExM6*RB-f4JOfI0@2dRJU$4_QO1rrwvmu;|%YYHlatvWmK*HgbRJJ@pB0b`CMJGLd+ z@oSz_Ms`3hvrWrokR24uCTaq=HkF}$n=|Tawj4$O3H6XSg`v zZU@s$Cv`EIcOS@Je)JWzEud>0Z!^BXp@`-t(ox^yHt)uO*wDen0Y`VU>4bAO9b_+~ z0|jjh=$wd#x)wE^bkoyxw`paGp@Rzscewk+>K0sW`eof)A$X}FW8{Gld4vbOI{|oC zF?aUtl7<*&Mk1nt7zW6SXztd?ifAB)!I%}%Knw%KvgLyw#4tcsM03AJEL%S4K^=oJ z`=Ixrvt&s_-!dam4+W7x{2~vt6do~A7c5&STxP*8t^_C%9_EH&3QYMJcb6@9F=5Pc zRKl#J5+2WU%BTcrWo89hDWjl*X(M5Uf(GWv0NNLMih({I2a2vjH4BByTo);{5>M$! z@z;ak1(CAlB84%>5$W6{(r5FWG9raIW^SM$ikTlMh+!5aH48NikgZv$VSsGSLJk9D zYZe+8AXBr8HLx|iL?ctPkiDR0p>3I;s@a!WvrD;}rRmi`$O3G#8ZHjFB3foT;f(#r zSQ=z64+RR^7SOqxeU&1b6{K5{rh}3N*wDen0Y|sebiz5C?llT#plt!06VbeZ|3jO4 zlWcFM+0YGa*x=%TV}q1McfvWF4Z@cvOv&QnJ;{=N8!{hvJ9>vDt)Oi|7jHXE42WDJ zQL7ow>U1~|vH+WK;NpM_=Y7)&=j?DkU^wbSO{Xl~N2FUrx;1IKj{;&t2Nwq%9V9Ng z6VBOmpP-+olX;TKKAj+jS(}JxAcg_@6lKr*^E!>Jh~_hm?Ay@Koh47FFEp|u8pvhV z23jnmHc&(Z4a`>ov@h~Ct9oM`7P{gs$c_sNmrXE?&!2DTip{_rAluB%V#`%Ej5&^~ z-jq}|lrSl$jMU#k3I$QjcY%T!=KG|op@spnRSh)^kge*i8riCb#sy=hs-b=XuvPuD zMy9GEds*$PU&)nx)UusbT@zw8HDPKs+mV%_z4UN#z+L*$VcZF4>_^7Z#^9^5K#dJa z=c;-fMKt3{H$F`VAq%j{G`Kk6=q8v>IA_yA_JTVxv@M`>BAQ7wo=iGOSCVTrNy}9X z9b7ON14lQ-biz5C?$S`8)o&gN_>e}Z>Z!0~s$;HQzfZZ0(hK)t;pG}x5zQ4EZ9={= z!=RRdNaHHfU#%4d(7;?1Li-}u@*B|WVm5RYqJzR^8VutMh63VRSP#S;nDhqj3R^CN zVa#!4@U-L`P)J`=P8pXOYM5!Ef(qv5Fv|aw16mmL1#x^83SyXBlW#z8)5xYb)G!#c z>3zFKHoc*7!I(+!J2kNBJwqdt-jKZ@z31r)dQN&eZ2P|6$LX%H#1EK9Sg9bgNp->?jh3&=WIHtUY7al5l!b5 z1+%oG;8F5Dn&z7o5*t4FIN4av!tq0o*^KiE{Q1q4 zpF`<|6VW`Wkv-j^lEIi2(LgN&kp{IgYMxGcXkeZRp?#5OnexxYZ0IVK@=&7f7L?f?2d<$}iS^F6AMHS(2nY)G$Cc z<)MZFvMCQa43JIvr5c%(hx!FWHszOVWKtfo7oM}$+Eyx?~xB;m4xqIEgvy_@WEgV9A7MGK`ziQYkAPPq*LC*0gsf&Wk$j= z_F$~ZeWTOwxH5&0f5)XKYVKBx@U_75_WZ!A6)yRryAcldZ z716A7V-(SRrjZrVKqX`5 z<9gaeS8Oci!2I9vDzN413C0{pJ#9?t3DTF8Q$}7v4YM&+TSD2gqlgAt81%V%f*9ue zq@I4z$kr3oFc`D-v{fTpPtdqv%swG$VC(5;jqDSWt|w?)KRJ~#*+^EmV^#E7GOgM7Y7{O1k*`f zOeWnWIo1=TEud>}%Xg9%(M%@av@h9w5Wb}ADHqohE;AC2 zBATiB<3;MSoLrW(BAUxFYc2b!`V~3BKjw6@jl~Nl*3@{lgOP1V`6C;T3PxHrO~Xj| z6D|eRH2lSv`qF@E8mnQ!Pre|n8(|xud~x|)!fs@<(XJRHgpte;f87JkO5>=$Y9dV> zZT+39DsfWwmtv#|X(^e(@5?yartAi-`Gpu`lttTAHH!}={noK4{pom$t+_PU+bYdf z3v5nHs7H4F3p*)4NN;rIOG`%C5>d8HMcInoh_Y3j62>Si%2rmsgD<@*qg_P_`HnQk zHNi`>K3)zlE&6yxcxm0os}B)QTm0}(Tk*sf{`yRb(!X#Mf6>w&d%v6PhC>ZX9iGtz zH(x~Tfu>|PE^RkNy*rkNS9cMFLs*`;jPIBjC!6HH?%P8IKW>Ac=5fm7BDI(7)fq{) zH>U4|5Iaj}glHr?1w*7{$DFzQNN0xF8FO?)hZv-gbZyIPu_GM{Bu%EYD3{x7yq;0dXzL&2jm$RQ5nSjgczvrsFP6del4{8|Ehy`u!A~C z4n6>RfSrhjLuiTRzWCWbaP%A#$en(pcpNwGDPX7MS~4Ej8QKCeZAQzYew<0g)>1*2?% zC|jg9rzH?Kr=^K9Hp+^!CFOj)6g!_HDYn+qT1t3|w3enkMOsU9o+7QK6;F}Y`~@v{ zhBU^Rg2ax`kapPl_R<~&ic=u_3`x;+5S%peLy-vXrUO-b#H_G5yt*sjfkRkahj?+Y z*gY{$W^-pqM~J%ipo%edhU_VOGUxY#^WF%tlXOCeI0b$)#4du9CJwQybYh5|FvmU! z5w9-9E*wILU0jIW661^z_mwVC2=14hA$!>~q&sHsf!TYc&XE0pFgxbP4``*=mE(_T zC4>9R9x;%fvcEe+;9H@1G-brmJ8wD<{`w4wN(SOKQ3wC4jV8EBU(!hF-{8W9&hsk5 z0doL17w3vQP!8mQa?lQTkRHlG@qq%-U@?Al>rj25qz@J-Xj6d}7f;YX)#r8eioO2> Dg^5>E diff --git a/dist/wasm/Hacl_HPKE_Curve51_CP32_SHA512.wasm b/dist/wasm/Hacl_HPKE_Curve51_CP32_SHA512.wasm index 09384397f7e7afcef3fc29b26a851df6f9b33048..eb594dd6facc8e778f23f12f4fb6bbab92b1da93 100644 GIT binary patch literal 21422 zcmbVU2bdK_*6lFBzz_z89ORZLB8ZYz48N^wTGmw;UEN*xA4eEhhaorvy1FjRkTFNh z5woDEV8FnLf(j_8hyfEKh@yaEKv4P5sjjN-C(YCE{}$)fsk*n$t?GNL`@MJed1ckZ zeb4j!*|jw_UhC8SvHsZ8{c--d_)j=)oNLFuV}o&KOk*I}8nb$^);R91uOY|XK+;th z4{GytJF#$1jjX9QZs?FdF1TtkqHft>P+3*k@bb!Vc=_ER(~l@A$Kdd8SD z&n&Mhtv>sLa<8z(F=az4OOF^+b#8f|{{4F&SlYjLmz}#xtILN}m5(kRJ+gGvm@_KR z9^y63aO{-jIHatytZMj}%F$k zQ0zM=Xl_%#(a^HdWu?{Fp3&hrFPv0^x+rK-(y~>3R7j2IkMkn0sKHzodA)A&_M9;2 z$oK;H?_GMt34QyN4n8Krs&Gw5j~R7%S#|kfuf^{*{fk%9^|xj%tK_6!%ik~@IjVew zHf+@}UK8>$^c#J9OD$HkeIXVQ1Y;)_jElT(o~If`qKc%bxUjv(kwkta|8cOQxFGUW zp=v0F(r^Hb8%yKJ8|Zmb6#2tcQFs^{-k^fRw6!#5cV&e%?&+nBa%O1k*Yk^tq_Juu zo@y#hB`9tPV%1EVMcz@2NfjfY=F+^lP__6S5tT@ZjtGt|r8%Q&j%F)FhF2F^35O6_ zNgNq0S|`TI`r_y?+D1xLTfDYIEbXN|V(IWZV(BOyZ7iLnJ!9e0c0(+9b+L5h5Mt@* zV(FY1XT&1XQ7LIFfrQ14)b5zEOB{>O%e1R2wTJ8x?eKA_V85sAp}OLAFGR9eB*)t8 z)fNbmAP&_{R08&vZnAeZ+|NLJ~wN0n~wBl|=R&ehGH(p7q5wFJ@? zvz^0MOua8>tx$V`J!5J6X>-*}dcor;dLaY+dMGs2TY9TL(kD)eI#2bLzPJkg;+5BV z`Ig>a`rFGeK>G4B^acI?SUg_cW$4c#T!#McG8~W?XT*A-^j8DLQwPaFb#Nr=5X^T- zYQBSkum_y-AlGzrAF8_)9J2P|e`KJoy9#xf9Ht@()!`DUBS7>A5d9%VbOewgI@~oK z(UH1K!6A$2C~2#X#?UdC_gFa=JNn0XNAp(wAQ@yg^iOgu$knl!<2b~HSGS>qIE2*? zaqK8su9{nUqCq4c!@NuQqf;Oh4&{qWuy2L$u4$-i$U+p#jD%e5gfwS zj&NIhPGX#~wN)}gRZF!REu*8C5hJ&D4BE@l=GLBzHn*H>Jr8YeIoJAcw0p)&Js-{Q z(aoh^fOhYArT@V$Untd)+2RWIUu4o)ggZ7B?tg(yrCjKmF7$D_OTi(lQfhoTTh;oY zXdLfbg&OZi4b%i5Boh$4+m!J>vEhM-1CD8;>4bAO*(6_%R+C9qV#%iXDAB1To0=w@ z;u9M(csSt5rkPGSXOmsz%L#%Em1-GQT%<0B8E*AalbAU>JudO(5%dERsYdI8 zNO74)OkZBc%Qa$hhCo+n#58BxUa8TiK)jk)X~gtq>Rzo885#gxq;>#^Q>f+XT<><<{^xJ&7 z4TkZ`Z>KA^A9G;RJ9v56a=8Fwj-y0w^W7D>Gsh{TOlFWm-Q~+&xaiT29pO2}!9jYb z@78^RO^SPbxyN^vbgxFXmhRKYR@40&*?M|FBU4ciYG7+>rbec!X897MbWiJTA# zE-EujikqlsVTv1E5&u)q`SKia{LDMwk7|8Y=Sv+E^Lg~MBx{*U{FixTFYsjn4CBOn zfvyM`b0C}-xgfS&V#1i?NX!LEVlK>a%D6&{NTFWRoAk0TFEhATOmKC1pTQRUve*T; zgsuz@e?7I7!Lj9ngE7Yu+~Op-S96>)f_se=YMCE3QpVyvq7WJF~>L~T*;%|6#+{8 zO0MQgEY+>%ih$Uh(Qt9VE$u4P31{p_#?r11WQ(t^(RBQPfP15^4Wc47opjUFbk_#N zh7K+cIJ)ahC!DkCt`FoVU)`YTI$F9LX?zpuZc5YL7!VsexH#bGZZ@58&ZfI15TqFM z3)_i2DsHN7g(-{L+}*Q_`nEuB3nCV$hly|3Xd@7l>JE+80g?1hjWz*=Kr=LAiL&q_fdIAepb0yF;m!4sT=u}2%)jSfJ(vGKZ1Q#Sp9Z zG0x3@naAeifjkbwIMOHR%1H6oQ%^Edwp^qz<~SmKJc;zF9H)#(=aE7^9mvyxdM1!( zlB#`HBU`o4X=JN*zDBlc>ohV|`@9CWY8Pl^s`dq4wJ(w@soI6C+C^N=qV#GO2E-<> z;o^YH>z7O?oUtDnOM5wx`vdigrgK%hIEWgmC8S%Drdu2k8#=f+;OLf`PB>@Ny&6b8 z^_phm2Y0*@YFQu!YB|}Kr`gaAY}nx9fMa{zbiz5C?TtVl;V}_;*iEDniuTPw@CatI zWd(~`y`{U%ouNXl)YbAf<9RzB&q`bv7Y}?KaPhojIu-r0Hv3)1qu$ee&zncS3bjfT zzE8sU(}b%6VzU8oa=;OOU^*53vIsv!KaVK$K%>D6f zcZ+2BL?iotbd9s*5%sA?e7DFWYAumkN2kw%sEt}5$ofEi9?0h`>@VW5&=u!Ec3c|* z*#N`1u)m}$HUo2D&ab#xY`MaQF~?EZ8hXk-g} zi$=DvztzYV_IDbY!v0k8z1s^JR#)j z+StmTNaIPQo0O)T7!n&gxH#bGCYw$;XVXmyWf|TRMgl&h5ej=MESc(gH2i(H%GM#Y7Ze=X|?ocib)jgWdeb9Gr7=`LS(%qM)yEh~@bZ~LN(cN!4;hatP zK#2Q>dQj7~wp%(gjPOarEb`4t^UVy24Ig|QaC{G$PB>@tJsgT3c~P;xMRxNVBi(U* zag~{JbzX5ZHJhG~;LmSn{iC5g8tTurJ-9rkkv-t&X!N7W`ng2vanAgN&iW@qc`{T_ zh4K`$eqPLmu6$YlbSO{5FwXjC=!&ht9GLW3ZWUWD>tW1sWc|}g)<2iylyULrlS0*n zQWr+KAM!n~`&`m52xUQ%^e<>+lm11GY|<~($R_SP^*>rE}q+g-wT++X#lYS-nR;Kyh3W*ILd>n9mZ<|gq=vH5S7RqO#S|7@K7S!kQ zdeD_`L0^RO1q|bY+CW!qGv>ggU-B}r$;GS>ZbC~HIYi>51yuR(>{LAsg((AD6{*6r*LJOkk) zM1J*GA#icP(bX2jop8>k8(+Y?$bDuwE>d6$3fCDK*BAvgHP@g}O)HRT1&4e4qsTmUQ2{O#ji-aOWjxf+bVNLOb@8<4 z5aMa?;^~waXT-Ccv{#)mk02H$3bE||J7Vb~U2H6Sh+-@XbL@#&@akge!Xd=c#l_M! zG0uo(FX;lAOlRnD+CYc1H)iY}$KvO^PCcXtbS?2YxR3NuJ>j=6BH1^k!|4o!NDznG z57HY4ddYs$E7sxkh7PB9wbkMDk>1iL*5N=GV|6(Fq^I=5YN?}PzTC^PKPs42I49l6tBF_%eVA{Mp~<9KvNd*j)yyVT^G`tcS_L3Z-GIqXIga!_^UT1glBQUXGL_b+ky~qadL<8mV&( zIFCtj9t~s;siR!e@gJ+ZppnVkt3OI-1v!lR6Xrcmj>BgB`FEt`@p8P~ixcEHF7G(Z zaU$ZvtJ{m?IfT79-o^5l#5iLw2Fvm4Bz!%4vYd=K{u;+oFW)seMNYACoGK?Xj*}6` z-w+30T^y%y2yvX^;`n=FoDs)A&b96K^GG8=RQf1dtEu*-#qcG2CY%N~h)>d%{ zTU+I}c1&WNv9;$)6{IoeK@#(C_eS`9wCw}T1!&vHm;az`A6_m*+dR7b7ft)%G8S#~ z*fI{gT;t1m$tOFt{HlMvkBA|4NkXpmiA}x0!vVL138s@0narY@=*w^gmCJdFnr1T9 zG*d`6B~1oR3$P)BhXamms_BGtHW?H!gVaSNbB{+5xrn-iWRS5WE4x_BMGP4{FczGo4v{oksQx7N}y3AD{N2iUG1}nj1B;YMPszCDk;L%fQmA zX&{@q!dDc{sM~z1X>RxBc6@r`%N_i_^3HhW=*qYB8NSSbVSGeD8F2@99CKjOyLoxo za>{Z6HANK|C)t=CFeCXr8LGBVYQBRQ$N|$6~p=bd%bZ~LN(akfRaL%TC+Q+>W z8W(J62g?S1OPvQ{3+O0qao6!#Ep;(;@WJ4(%51*rgmX4soiDBAq)5QW45OOnd6?o} z7prL&#A29OP4j|Q)4b@*i%iUguwzNqGL`s`Xs73CNL?1eFiy;u=!zI2q(L|@b3tsm z1;Lo(NX$h^V!o2&lyQX?lR_=go3zxIr3~&>6I@;1C#lzbdCdif50RJZ;PBUjZUw=y z<${AT#}V9XNpP>{IAsL)1}W5=RMV{RWd&n<%f!YvHM`ummADkP`)5E zwp?g1<~TxInS=&OOv))EwD(A%R{65ZS5U>gpVTZwF+jFvp^5>rH49k`kgeH|=^Z&W z&1zp(yQn|WK;mbQHQLa8`Bb4k_2pA%xK;xrl3Aw>otow|tv)gNvt9#Z_&N9D3;bac z?yROs7ObF(+2A`h4OB5eJi|G`R~qpth4+Px8rkQXO&VD>4OB7kv-bt4Vu0*@;Tw&t znr4eeyw~u)0F{j4wvpi_6NFI$-&Kbj@wPu*?4Y=dE3SCAuY)%k(H zp8ART!IsMp7;_x?u`S7upL3j&?Q(Bgp_|#Jbu-A18tzVQ05uK7FyjM=U}OTnzMF`C z>_58lB{QThlVBJJ3(dp?SP#P-m~#rh@M6ma3uBHW*h$IPcaX%SoHBxiN@h}^ppLmH zP*BBOoP2$EiAFY=A&bG7O=jp~fNU~fu93L`K?Z{%djq;sBXa|S{smhCk;_G?ukWtm z*LT-)H4wTatAU~g*qqUDalqXYrkhR*WHRqS(7*iPD~Mb`=f1wXfohr?Nq1wK?uLNa z(80w4M|YFygmX3>^e;7mg2)AQPEA9Bi@J?;kgz1HyH!g}3>{oB_^UfmEOWutreD_m z70MS#vzT8XL>}S$yE_3`)aLG(2WA>mLf_A=bjfChYu$3#rR&7{;{# zNy07(3Vwp=a1nB%C0*-0%tmgAIB3lPoB4zy%OK@QVi!U_d3%o71bF!CfL zeJYL=UHPgOQkQuyQivv=)RE$^2jvSQWy?hhV~!)zc}b+t<~U_U3YE;fKtUZdKTuG` z)Fo95SqzY^TF7F6Y}LM?k*!*YT`*>G7rddY1WobG{T7V55TpVz8%S|Vo zv*})^at0z7u(gjbY6S%@p;|$<6=^nf0~nA`yl*<;oE^^xj7NQ_`JOkA zd==^=P53bhKTZ=uDh5X z>aq!j@e#C{uGkFB0kW^TS!}t&hB3!c*qf5Vh9oBCl#%^gNTHyP`8H5c#eA0(He@kC zwy+_K0kVa?RU=#25W8T^6gFfq0JgBVYh(%=`j=I{`k7qGXD+|6uy=4ZJJPH91&Qe{ zJzN}cm%b*9JK>yt>1*-*SfIv-q;rKmA%vP{VhFm4VQTZBXaP2v1{Vh$-6Ycq=WM#k z_;v{bVNK`MG*f9jjdakkB-d)H)~y&ixL_~_j_xAU3FmCOi$j5Szf~ky9?}SfeF-d? z>X>WSZ&xm*1jBu3c$r34O>?*0_@N5X4-E=crJw4k3b(Yxp(jwJ{sI z^3g%+G989-215vO4XlS@4orGIcZDsN!7%1HGI)COH7F!7DW{AKhAL)ysGx?qX(u%e zL^0?zC03!Jin%5E9`sg?Y<@!)gE5=mw`*kc8)6rXnf$&}1DoG7G&1=O{R{FNA{UUl z4?OPS7nApLt@ozadQV7fG5{_PxD2?@bix_Cm9cQ>U#<+*1Dei#(DxvP1v5!EGff9U z3$USsivx~smg$6ZHXYm)RhIuB02u7Y|);|}sp(|h3L+UaghH=(I3Gpnq0&`%}=ebpExvYmV$C35(ldNBm z9GH=S_CW@W4!`j>g3g2)AQ zB{mCJFzMeS9fU3k9Rw}Fh7K+cIJ%Xl6VBOmkiQ`5p>YA7OL{0;ko517@4YnNyIMwK z_~3)V7&yLI*n(W3U)J)Vbx9|^hcli@kL!$#qnhReI5OSyekKJ~%!i4Z<|B<(BOQH^ zLKTBCtEPb}28gA=fIiX4zU5k@kyX<`6$4AFrdjL8sHRz`kyX<`E@S58=O~cPd>Crc zjDjErpU^@Kvmt~CM!sZ0eHE_V1b1+_6L zC}?0(P8o>>SzZ3$(|uhldV#h}j>6jU+aB?a}pMz)|Ji@}&JsI3~=f`ZruWA-UY z16xqrHL_1hx}YF(0jVpfUszB(xKs#TlBGh?0&Fr4E)KYit0{;(DUiv`IOtzK4;4f% zpmPN^p#XFfscwPLC82|$1=!HR#Q{e*$#lXwn{ILe3u=m{>tyS9s#eoXBj2<%ACxY@ zh7UdtI6kOdbSE@0*?bVdqzkIR6cnyAGLCAROL7eg)ujb;X@OPKT!v}u+0WQ7FA)4= zQYZOS^upAd8n1pZw!=7oZ1Zu!SSzb(8VP^YC6BCzzX8)&nhfyplP^Zhf**lFUN^%& zKmy|ux|rQaXCq=UMhGLB!N_Wg@#8OzRSRk1XdCZTR*93cza1kjNK5TZixh1MyFqJy zGsYNY(Uz!|@u{TWLKddKVMwvHl2&?KrIl*UH<)dpBe6faQ@8WS|0z$XaCGrY8^+lN zakfdt*_Pdivu&Ie#waV!wpPi5FTpCKUBw9{k2J?s!Ar{lUIAWO5AX`{(r$p)7Ojz7P>0iBxzj*0{-QP`i!?_004v*=)+b<&aOjEKOm$n!4A*n>j|v4;zB-^4g0#QmTH;&0xdwkx&cUd2Ye)*G|;!R&pa#_m^o zdI4c}%#9zxNw2Fw^^<TFlKbhkdsYB!to+j#0 zIg~QBR7^!He|3)3!%smWgB1S%60s@{@-k+W#8GJwe~Cve9ez=Y=ZO9lDXzLHFI7`) zWLgZ@jNQ0Q%}k-hMhGLB!JH$_@FP@>;~$|iv^!@>;=}_duFvMAZ4TPzsqAQBetW8g zp^c5QXj`a~c#%7wBPq6)(lS0rT0*KE6z65_VHrue2%2p+DSVp<~h<%N_dX6lU6)O+DTiUBklORTJ97n!Ks22i%*e` z*!xb>2_=eiAo~?2yUsvR42r&usFQB679?(EUt6BI9TkS7$>v2Q=|)2 zUVBi|m^wxFls%dCUE#bJLhL5p5F*Zj-wd(4;H-&5>>=G4VmHjO4?@JN3$Z(g5Mp;1 zV$Z}lBgB2BJLH19}s58-1u3o^tuZ8(^|=3KiMM&(ntEa zQv|*hiicB19Q|{q^Wd*fk*IhWZWImhzxrr`oAkxa)c_d~%k$Df6jFQ0&Be*$j+6s< rq#T$tdm)aPfpTDcq#VQ}1tLRzq@<6QCOLr?6;0MZ;OBMmioE{=J>iNt literal 21432 zcmbVU2bdK_*6r|sff;aM$b#GwMLL4mApkTs)0Ry6-pkhE&{&T9Us{2VZ`u*SHygF6)*11)6Z+E}<&OWca zdZ_Ptp8r5yZLQb#G=Gdg<}`n-KQ{gojvedTaqpO5tQpf72)4$o5v(by1+9)KA6!*-$mmh$RP^cBuXMk%ex+Tv?JBFT7(A+?rmSXo*@)4n zSDiiBYntKMIm>Zyc~$wSp`)v6yk<@H_z_1RdU!|IDyujbK@YAet3Io|Pg$RS{k_6g z1Bd_n_?q%jWrqzrA1CV-CDU|BPcx!?*cr(z%@eEbk@YL> zMB$UQvEVS;eryqs|*q;}!pZ zCpZK9&IwxD)Ngi1c};m)HMXZF9P5P>YEc)tRwb?5G)9Hgdj421@(P>GWsx`P9&gW} zqYsM@xL;}6A%pt%DLej%2&=-G){Gu8puD=`c(2v(H9gKN>GoT*mRE67uk~*j4j)l5 zOdGao8m|fY82ZhAxuFg#s(lU%2!b&aa$_T}yXUE9k*Go`EH3D%aU_vn#eW>EEY3xq zDo{9C`GEd zc&df8kf69Jh}90VL*yOKm{c(WYAG#?3skG$5mAYh=!oFhT3RxymT0y?WO#Lvm2e1= zmBf+3qHSWFtS^oZqwSXXC6KVVnc5jMc8z24c}&|osa<53XseH-g8iBymi?7iX?iyCH&%<@MI)s#HqhaX7t@1%4wGo9ZKdRA1>ECq})e_LjYI68+-U z*Lw{uzrXaiN3oCW&7;^G^!s81@am4DKZkG>{oPUQml$Wny1(>S2Z*N*lmpa3k*I?) z-@&Q*4g$hXaLNN+)6M+{-KF4=wGV%k18nV8Dzwx93DqGoKphIA!$5Rcis(=vLv)C1 zI-jj^pDv8Z~sVC&&pljuYiL#&I0tI0JiVB?{vZE7d>cpEjH_ zG$l4a4O5lJi)qr(VosOSqfZRoV6;~ox-(2a=_=5EAN?WPXQI6kZC;iCh4$BIqf*pa zXs<)NG1_O#>8cX1L!!Q_N~+XQ8H%kPrlS#kz1ZF*W4H{rYZ)O!xwS(v&q!=7UftFX z=Mc7bxZB!MiE+l(R?BczBQWB8!a194qAy3N3rSXD$tL-z(a9v6 zoF<#(6B{ykIN->pm`*rnlTG#ISSgP@sgbJULUj?$aKDe5Hka-U8B(^jNxHLT}z~{W02ST(L0{H!Iv9+b)zpg`Y4Q>;+3PTp{39C zWhM;cmETNPY(M6}q_^;R*mAi5V~(RnX8P_#Zq0Mb$hBFdP`CMV8xB3%x-}eG92}r` z`gYwH*rd3_mpgn{N_T2xi|HOLQJb-(6pYB?Y9 zQCf4j(mCmsKHw9ZM1+e2ZrKl-PB>$)GM4?2FW33%VNKV<(#`dw=IRmBJ(8xI>k}I~ zxH#bG=9x}7XVX3EG0#C#h4EXg{i68~jBkT3FO5e(zR ze1@(F7;_+;XSpD@Tw=nQ<4DX!Nn$>i=ag|mi%FrL*PHZ$FE22-7fo>W4L*b|@nwk% zZYfkbXfWnDLVGm{?TtLAjL=q+LcQtBo4$I>m$#CdeOn`2v+rnRYj%}J zwr1a@ca)1)QmNkadFMOeq zy)S&}EO}qppb_siyf19ji1!-a7rxSne7rAw?JRj;_=ZSr(y9BcFW)jfzB5Z|ICa1G z<$D;$b@c;XnIHJ;sm;s}wp@O|nB&Ng@00xaG0!O@KemuU{iO5bXHNW!A9Ye&ec9@( z+CXXp1Y3t)!~UbIp#!)ekPBcK2Rn|g3>JSqH9kPFY`I`z%y9&JLEtWA6Y`ugf}KbT zbzvYE25M3ulLB`Gnyisc<|!K4WS**#P3DU4bAO-8F&y?5k@vT_;O-9gVLi-Sug@>jGj!2Nwq%-3_J_&e?P~27(l0 zeqlS2N5w7FO)zCqo4b29h)o24y2sBG0mN<+0 zHjP-geAv5PBNi@;`VNik!`_|Fl0|(Nk-9tJjrpEH?qMz5Yr<~0aAyZH8-{V%_t6#m zhdD6m{oG%+TrI$u0H$=38JQIDe0D`>6QeGku zyw0LlZ|E*_XQ)&wb+x?7c-~CMvl0j6;(?C?E}pkcr=nlhX1~pN)H|AQp?T!1RI4=M zyCi%!O}Hu`HX8sZ2OQyhrc==`i|~E)^AcqqXf)X7!{`qJ`5+6;`mwX*CF&E6_->Jxs5M0DQ#!2;qIT-DKt2o9=Yf3A!d@4Lg|0XUvg2AG z$a)yYh5ZFxu^E^HbAHLqV#^gaj5&_NUY`{9hCHW??B7TV^;IBW1?uZSzD^4J8;xvX zZ_>yX_O}|@!v0PpQ`p~YU<>;PjZ9&0)`k5exst-(!ovQEtNAItnk`67cl2;^z#aY1 zrW4NCkBp`L63C~4+N$YXVb_LHV^tS|t}aY%UTsKhG7T;cIJygr1)QTyx^W?I$Kyk; zuAQyy2{fKax`}DJ2_dnegNp->?n2WE=WM!3p)ALH!bre}G(urdh9y%S6L0@sF(s5K zq5G(CszyJURKG~0jV9Hn5vhwwe@Ph4z;je6mxk)HP%aCR!P8?lbTveGc_^2|FwWpB z=!#Wi4orF_cZDsN!7%1HGWhb)ZNyc1P8r8MgB0rOP_7Pflh6CS;~L$`qTsCR+EA_y z-Q(tU8rl55UL%{|H)v$@`$mmSe&3{l&F`5Snf$&vQ8M~FS@Y_SVI8=9Nx)Qs_JHseccaiR{G~Jycv7v*D1CH))(+THn zx_d(0H`KkFuC1k;9rBZg`^a}+ns0VUZ1~{gfaAO0biz5C?}1SK$cu`rcy`^rBBVRc z7pKgWtM`g`P;=<{ApZPj);|==L!tg)+k?x)8rci{T#YuHtbc?^&Ew3E>a2e(l*dB# zcqorE>*vR8=!$nhb8mA$SrEzs7{*!u1YNNem;;kO$*p3`Wj%~Jj;vphWc^clP8o+^ zPYSg#l!alG{~_Pgy3Zy3qEHqkN&k#SHtC<$$R_=B8rh^@tdU9j=QXfN|AIy)>0i`I zzeJO|q+iOUU&f^_OD}b4NNlnKE)KY?c*%6a8Jm@{?w3QE7pmo&&L#Z{CjBdYY&D38N2904X6J!jBfPR+ECVp>a$Qj zV?li$uLoTX71X*=*1<3?sP%NkHe(J<`UQ`HEmu%5<~Ry!T~bhA<~d~~)&^3jjiGD| z@f}V2Q}eHMpDU=ZL-{%>sBbi~1+_^dTTtI>WDDv$jqFpB2DYGn(8xX|>4N%Ele&W1 z!h-sVOZ_Rm)GZ;g$vC(;;4r!231v;FwrV<8P_;SG)#X4}hbLRNv$Z*5 zLkAZJ9Nh)R0?yfV<8r)H9|s)Yg{BkE*?g07 zd3TYVDJYyXGOh>(H96m)KuyWXl-vMs9~7CVrsnXmdL#UYZ?zySpy=NCaOT1NC8DKP|N6~#;i!^W>`L^ce`E4Ze(#`yjo)f{$vItf+?h& z#tLAX@@gsg_GE}^0isrj2(K=pVh$mqVz>V# ziE%QU6Th^UV$}xov=v{q!^X6i_K2s$?}!Id85_@z(w^~9MAHfJ;MK*`kwb{5ql>3= zVw@4rPSR0z!90Rklqkfq^Y4hIt8}%o>>`S>D9o`dV!^A6r7MRJOIH_5x5PLjmffT) zv@%^JkaiH`^uUZg<5+x5!+$)q_{k#iR=dmY5VpkE!98Sm)eC-mB9c8*Vw^5Ohy-z{ zy`aBwpttNLy<;&>Da1IX)mDttM@pqnEXJWo#)xsCk-=Iiqfz~&m*79lm=fdk=ggIA zPehOe=#G9LZLao}eKAA67-v7(Pwg-JJ2B1yasW=^z{I|_~)<774$Ya|D$0W!c=NToVN4pE27p{yvaeK}kX*U=)4 z{{$V)5lEjS!Fgng^9Uewq56|+I{u?{7lbmIdv&yQQ3EmbXUuzy9D~jH%kN0bK{Ckh z#j$b>mv;>2I1X{))$PR~4q-0_xmb=*j5GG)1R11Gj2fwv@ap0?nL~)o&s)!fUq@l%}DQCJj$NxfmwV^x9^z)hNY_#n+PnBr% z4KwdPL(sN5nkux{p`Xu6L*-0046nnXqZuJ1)JPeLtsSMKkr53=Q!UkYEj2QdTRRf- zjK9Toaf#QpO3bEi1`oN_7Ud4Xxj&v|DkOj zU&f$mA6~|yZ5~}}eQa}`FXtv7?_9v|`^WhR8G4r_W(Zq=O~Js!0k?+nrW4LsbH*|t zgBhkEbvZYY)LckO%_NdR?~;&R=o1?nR`Zp(nZuXl0nOo zkX@uTBZdqf7>t1=Iv26lANMD`K$IVHR5?htp9LO~OA7Y;q|%>k4#=nLZb zD%Cx{+>?Agf3HTiu4ZdwD+}TnSlZgUUn5gp5W`@|*4G@3Ooc%ObEnqh8K59^0o#t24I-C%59$`sQQzXu@kyXu;$|01Y8J(cm{?NtjF!|q>&vrD%;#XolB{DY@n7b{+G1Z8!!SP=ea%Q6P{k_oQ9!AGf=eREQ6!gLnnOvE_n;F~p}j4(AaXJ!I-E8W8O__7RnePTeFbH z0NI-TKqFhTtLYu#{V7*csXp}OLl^Z&8c6)`0ci{j8(Tw&V?J?)Ycw!QnNPK$lhmxG z=)~qvtcEd$pQ9TZm^cXwtWq%yE1A3qBE&ROzZ^!G&S2c5c`ec8 z;naoRWeW`Bx`HNQv(69v_0-SI54K!>z?kF6k1a`l{F3LCkslDxY|-Kw zYFr@W0w`f*Jio)6fPP#A(ACfZK<_dUhH4bAO9Yip7fr8QnbWT!3m5Z85x|wOZo3zfv z(7^?Rzq$j(S{Ix){j%<_kiXQDG4eo&Ji?cFw*v6aV(#wQMGa}ptVB`+X$+8+)ZDI- zmDE5QgE1?qfiwn)h0BLMNMnGkq~>moSh#%HgH#4%_F?Z{XUU?5)@4?p?$h7d-yg{R ztc3?m*bNsh^e%H?7}o-H3HNi$pr*m34{?9la>of{j-wXlB(?Bxo>N9GKshrf(7G8l zkCK|OQb7^(XaFUQJjO^Lk0V7_LsbjC%X}9ploOBXNb%Q$`~{J+g>)xJzg&2rK$ zPt!ry0&M8u;(()DVLIWQP4^1rGf=vK%}Hur!~e-my-v2*(`@JlHf(Tlz_CHsqC4T7 z%?1_BBc^C^c#pDZ--PJL-H_g5Q7Z^t(8U`M69bADKE|$MJgd_2K-2sM1M~?hpEv0>8d*urryAM!qidZdFHxUqWF<8a&wLzc>5N)WNevV+Uj$IX z$d@ea4RKiLYN)WGci9NT_!9ILU9lOM17u%wv)FQl4P%a@us0@!4P8viDI@zgkwQTt z^KGCYjrlGqY-nSEY+*wi17r((vqrYCp?JZVDQswA0Bm9Zq>(9Xh+tOv>KAe)pSf&h zVb_LOO>LN3%~m94XpbH)4!EPQ3*$~WV?Q#Mb^*R53)Hxfbgr<+Q&Ka5bQ98akhK7t zOoNL9j&7pqgmX3>L@>A=L+JuKC#jiC<0+(rkR>^*$y&T(=-`6E7&yAArW4NDbQgsJ z0e_oFz=t$KVNZi4Qyp_{|Lw}f)M2hiz@*o3SJ-kH3}cQXgJ&e)g+d3Da>_Vn zNMmM%3X+)Xw~^F98H3Is4zN-|8gpavW#~;B+5Cn!24gnAZ`R1>Hxw@zGx>e11~$KE zX=L&nA{gZN?V8km;Bg1P484$?G8PUI%=A#*qv_lS zefLsbFq?F<({xa^02?~EIN<2+Go5hGrh^7%sjnW;bWU9`N2?1SB;SK+zBwVW;e(F@ zjt?pq-KjM(S<8d)#f#FC8oW2J_i&(0IW4J~%Sa!=pWn>-c@$zeNzJ1g*$X^0GZ?dy z8fa%A*`RVpEznsHMa&Z+lrZunv;L`=4P6aoJ@hX1FpRT)AziT*m;;kO&8=d~Wj%~J zj;yawvVKvXQ^w&e-DXkwlXqx=u~p3{9U=^>3-oFqN8F+euyp^X8uNe^)hkWKm} z8kwYr76wB$>6d9_k{%)$Bt4Wa2*f4*awh!>E_FqEsmnuRlNE4rz-7fNrW4NCtc-O- z1T#NWP`ZGw#1{7JO!_xS2enJGvrx4F8#=f+;OJJGPB>@NK?8%NhtLIdF6kj_sq@u4 zrp-4WuzZR#LOZjZsqbsYX^( z1I>(?lb@qNJM(_1l{0FcmefEIvp$3pM!sM{eHpI@T@5X0Lns?y7#Gw=x?*QB2j>5Z z$H0~=C>V1b1+^h5C>ZOn#HZ3<=6uO&55#-Ps?6r?fVB?a}pMz)}!jlq~L zsLdMLf`Z}&WA-UY16xo(X=I<0bU{Js0#a8{TUk)GIV=@wmt?7swE&xpgNp+$j@eP~$17nLs+IT@pH|T7V55TpVz86HO;oGMRK2=2%b=x`3{; zt>4Kx7St5-O-b`X?gDK1;NyVfgXBeb!a17{DwuRZx_ z)LepT8`;m;FU<-5F{zV%EL=3Hw$^JLjM;IlKc?l_V2st)w1|X1@6v#_hQ9_=B+aR< zv5FS_91QY$2kZlMFfO5s*^P8IN)}^;Fp?SKFMpt5X&Du%R?^DR7Hv~jiIcLwA|tIx zO92gjd&be0up6}I*JF%P7Hx@Y9bc97TgZa+Hw-DZHqu6KtF%#V`3AEc#3c6Tcj~wO z_&?wz@e4byi=h&`kS zLNpSd21BHT$6R*zkRA-N2j=L75b^3l+?_)Rad#Kuo{4crhEI)wWLdn#2QOq&r$|Geou z_~)dNG=}1>DgI}_11T<6`{WrGP$|Uygg9ux*ke)gej~K}|Em3eWe2s8?7t8406(6? zpZ0+yh*uMJupCUSS}LZ(H-2>;X=F5d%_Ad?gT{;*CD;r8BZw7O6x89jrFb3DzbD02 z;|oxz;;@lmamTa+yKziAm_mt-5JobCxsL3BpQ9>@e~!w~Zkr{E6E8S%ed294eu)aS z>0hC0WqyUKm7$G|vS?eWlI>kbQf#fIb$lIZ4ZU7H1$%89x{jngam9(_Y|A*?BF?s{ z?P&+Z?P+J?jE%D5Y)63~4`bWwNQ$k4bdX|RM>EDo>k?7MIXi|Z0E4i-Bn z#>s5%D$*4)uU)8XOkG8Gm0g+j-Qc_%LhLTx5hAVwzZqgr!L=q1ad+v?5W8cJJrE*Z zU5Gt7gb;hW5PK!Y86oZ|J)s%gE4hkvvsaPcn7tIUm!_^FdjVl~%#9z|O0O%&AKOX> z_m*8^Abn(ScNKwerQ*dYBaVJ~(|PdMSCOcA2yPTj@V~}rf}8ZkEtUR_E*x~8R{<_D z`*3q{WpS63eR)aQ?^kvZBg%g9B?U6VLi{M#f%=k?zO+D7n+mkBaH9SxKd-A-==~q^ CfQDrN diff --git a/dist/wasm/Hacl_Hash_SHA3.wasm b/dist/wasm/Hacl_Hash_SHA3.wasm index e318aff08a7d65bf76da26645fd115f889cc1e55..272eaf6c3adc8c541c5bd9f379632cbfc7900b7a 100644 GIT binary patch delta 444 zcma*ju}Z{15C-7c&Cc$|$Z_GC6G3LRu@L15+MO^>5X8=R5JGx8FIT1$w)G)|RQdvz za!+Ape`w>zEZBH(Of$vs?f>sbE8bi2T%ufmbywJ?N3TuOfRqnv!Eg-Vkbr@cnr&S% zR8Eub)}x!l$Ps5G z!ig|G-<#iBvV?(4oT7wO&wa;$TXS;pHw>L+on<# delta 359 zcmX@#$@sjJaf2Hx(}drfJy<(AIrlX*G%zqR)v-<%5RzqN-~5HoS4n(9BSet1-jP9r zfkBZ?fkBa7fqn8>LFvf?Mtq_y^^T0JO!Wxp$e_SES<6^QmrH?DfkA;$flEM8k=v1h zTaibBM}f_eL6Jp~Re?o;)r^6G`y*5pWg|Hq85}us92s-6KsIqHa5?h00SR8W zB1Z-{utf??5Ec`w0vFhDCaB>M)7gQhvjUySs=x*^eG1g=>>v;E10|76=a_tvRhW@u zvZAo93@6Z~tU#^IiYyAu3M?S4|Dg`UuC>X~P6|WIX{Z)9kZqHb4W%|OHP#XY0G}d6 AjsO4v diff --git a/dist/wasm/Hacl_K256_ECDSA.wasm b/dist/wasm/Hacl_K256_ECDSA.wasm index 3f9a5db6e56bf1031581ea79b097df0764720c8e..65006f8833992c3a80a4befa6ff203820c74b744 100644 GIT binary patch delta 4400 zcmZWsTX0lW7VX`6*dag~jY)_+)=olR5b`7t@}gULi6AeZC^9oX5F#RoASB&{?yIQa ztA&OE5d;)RQ8Z{6Ux;7xGgJCy%~bg@A2a35{Q5IfH9BkGdy~G_RCU!kd*6N6S$pl> z_ndR$=Yo-+3N95ChhP6;pc5X(nC3Zi9tC=C84#6lX; zB1BNs844AD?d;zlDhMZ{$^6XWy{VD^zIjZN!gnU&hFE?~24azcEw}+i(V1F`QoRvH zn21ocT+8Ai+=#NlAuT6lMcyJ*#PXNtFN%fgLm`B8D#{U}kMB2xLaBHXb@qzS&4B!}cLIP4cBNFo^^k#LyWxFfB@0!FzG42$td8joZ~r`|BK|NWmc z-TyvIiOR!?Daml6Fjc`d(ePZH25`Z zbqmdwRkPnRi_qc_^@a-c zE89e4%rh3uQ{ym?pX<%I8GYnF=D^KP%F$a8_dK}8n8b`p%w6R*gS^g7(0GuC4r);oF!3wnp!RCnSI+?m$9aF^RucVi9iW}{$@ zb%^1wwH(&Et4}tk-h+GeUfio2Tp~U9;XW^y`}BSi*+?QAe?es97?B6CjE{U)oA3ZO zW&TnzEr|!MjUU34+{1^1k&obE-Hb={QEbMej&8AGNVj6ESp(RDfwVqG=VOj;!!|dI z$C=*aZo6;C{dfrXTQc-L?c>TT;JH3A2 zX}Lydx&7`A71*gyGV@)`d{;1YeF{&~<0rfuyRm~wjybT~`h5?c@;umMV(&60yF4a4 z^l2={(<$8>E6{z|m(eSJ+Ye&UlYF1G&pxiZFVH@Nw5)vwnTcU~K`v&|pbo{L2_&-m zYpLx>@@p7c$e4ryB?!b%+xY({X>I}~n?ivg7ieNq_e-qAKCi=)9S)1ftoMN6fOy=7 z#W073pq%DV8A96#9uS|QADWp`bK~>_qA3A?Q=*-f7~(A2P|5#&T9B6Ue^9R@aQubR z?m}r>h|}Cc454icIb#d?p|()c5q(B5WaWO=9V2?s9i#f3J67oP?g)KBz>tFy>$vz# zS`WF?i5CyzIf>Pq=djqcf}ZCkHqAUQicM?ic|l@P^SmTDB>J-8u;?p-7Y9UN6}%*x z5s*j5{hD&}Dkl;1yuwM;CNFbhpP$z(!`HZZkMF|V*=R=wY#+BmG1#?jM~=F+r^$wT z%@Qt|%$+bg-LyO+I1oG=2M<_Ivv9+ALF@%!8lH3CadioVWpJ!LPR z3W^^xGpGGzZUm=fYm7f;GhP73umGnFEBmL_Qe5=LKhy{ooELpdypzz|g15!nw%!)KV6@*cxOalIC!6VM zsJ|1uB?0?g0bTEkqwf(1?}@vIT@=o6QPTRp;C*qofDZ&01Rsd)WfzPVH?yLUK{45P zjMy~St(OFsL_ZXKDEg5#@rYm~Ai!n8WnX|1SAY>?%xO*lhR`+vE{_S|hq?k>7X8>4 z;1j_oz5t(yj+y{h4DL!$fD$u(0e&y|SOWH^0=hn>0H2uvpLqg&E}Y?W3h;&C3r~PA z1*3v5T>(aO0uY)4T*(fvlkz&sqE`i1MZXe!C3;P;m#7~RHHmBDq*D5|;Oo)n*UQ@J zB|kpPlk#=pM6q`=9{tx7vO8Q@ikql$cHl`Ke5YZWPRDeek@=>iBKz`ADNfGBOm9D! zsbIFsWHs;!i_r2@twM3ms74j49jzgc8n?!?P=i@%J65~ptwWui8tM@MXb1u{qJhWh z#!WhQjJDJC5YNza?NHs!qjYmxTj*?Yc!X|sLEE@mn|o|%2T%`K+t63xR}@Z6^7Z>+mmCTg zmScwLm)Jx7D3)?%qF&m=i$fKvJngEqnou>=t|p*eF)d%aS^Of78?~5)T1V?hr_R-` z9(AZsYXchGG#k-q+Rdh1&=r0s^$iE7GP?Q1vNL8qr(XF$6e)2=4-*K4Iw3)K01TOG_#=>j`&Rb*D*Q@pJU zUEZOq%T$Qaat~eZP=PL8NKLw_Nq0~aUT_xDMe+k$;5D>8|1)-U+>0@@h!5I`Xay@Sa4==UmT2;<(YkHf+cYmGPL|WJR0H>+Sf% z=3rzCnpvS1mZueM4$H$~$jW2ZJhWq8nx$z)r=#;R->umKs=mOjSr=+q&RV}_a~*2! z_IuZO%?d+YSGHtc`Kc^wak`K%*Em?1(r&M0%yL@~uai8kggCe*bBCyBRiHc+~xNa76s;ZP9&y$o;kN9*GXFO#RTX2oWc`1*1@w7^?@P z5R^HkDD}icQSevkL^P%qh@oO$BohC@?eCA2MN^4%dG64z%;4V#4okY!89^7~lsdB2 ziEZ6NH;Ke#t#L}6GA<;F3ki(j!c`7!xiF@ltw4iy-QNMfAUCLb&hP& zy8MMoxhi-5iNs*zsk71Oj|X#Ko@p$vPDRs_%FQ^ne=vP^W!a|6mPoVHbMAodCJbWe zBZd?)q<)4WjXq*X6(SNspUcdK6!7mG96f zNfQftgLzzG@K@x%svldj3ag5^S7Wu0dzIl{MZc>;xK~p$7pnu@zLAH!WVNpGn`$lA z8mN;XuPao^U*eC@=--tCu;U?UOn_Rt_1-;p8stvdq8?t%}ZteKrnlpEy~78#5gYy7HtHts*i2xXe+F!G z0oa{b&ZPk5UAPl>xq3H&-R%Lp2Y2J1tlo=zJz)3YJ_B|?s*8Ib2s?NX59k&=nCouw zy8RKa+qYp8?#Cv}gO2ZavCZ%HZJ}=8Y{_l*yWK4HS2VrD#ji5D-S74t*x`5k4$CY? z$?JA+sKpL_lzHxCo;$;N>SK76njpQ$@i?{VlVT?3(>L;b##5ShV4uc*$$!04 zrgZNS>=7r@NxObAZ~a1doEH7j#FprBk4%q*O>@uYk%?L7*KQUf>klk59 zR(zNl&vV8+b6WIF6Uv4)D*@QR)I3khin;>+suT0-_%U}S(ZZ8R_X+mN@Sjrme!>1A z&^|BFJ`2QYF%V5CTcG`gK!K?RO79mvz|+Di|D-p@^eJyl=+oX>mII-{0%a-BGJj{nr<-KBZY^&V_tW-4iWIK-&UK>zk zZ@p{@SB=JANlY>>^MZVc%fo`h0hf7?%e+P6w8$k*C>xiD3tR@KUOOBXeTBgEh~P-b z@lnCi!0{2!@ey;(Y0)uFD4XM>1;>G@Iqp0v`l{d+fguN{)rqNfsKRL8dDJFcs!CjK zGcHz9$4);cI2LsJalvthvra$eAvk6TI4vTei7gSq@j|BuriNhYanWDXTu<1>6Jhov zCKkyb%_HH2Jmm1lbcQQH8&=?i`O2r(NWAhjA;bZ}KmhTi;A8-Cz=JqokvJ_vq=_vN z;>iNUz|`C>J1P3QK|Ey}PlX}ACMFj#RuSW=|HnuhVmw7>H8EE4wBU5HiutN_Qa<17 zrqdq2(-wx)BEB=W!7JjKLJUqI=@lK8lf(v42$8QC13cUZTSQhVOV*qCS zmcg6&reW4W!Jz27f_FvVvtGU^xL9PNdq^-8^zucIhKq)q(;^Ktp=`Z8RG=X+^=KFp zeLtY#lHgK6!zIznM#B|zcO^_im5BijzZ1MKA^8IVRUeRs4~>QoeHuOz&hQaw_*n3< zPs1mIPdplaFSso5{vW1+0Z79YgV%D|qv2D*r=p(;J`??1u$#``qw_RA7dMm9F9cr< z&A3t4O{)6$eqN$SL{oA9(meF+BeFAEIl&m8$m{6D{K)OR6HmeFk{ykvSUUwaWP(NdJ4)LwU=K1l*AqNz~ z+=cIJb4>iHw?)kt^E1l}A1K8jKRx`j8$VWE|6*qR$X zVItp$7GNe{z{88P!j|or#R|2vJhL&!WqCOCS$RyFhYrlkvNW?X-_-?J;MHs)SzqYY ztP@jN&Z$AoX1ZkAdoXqm*DMxcToTpH*L6+8EOimLH@R4pA$u3TZ+N(y&rIH4A{@Me zc|*dNYSFEWnRgHK?g{5j#url)??k5F>NZ$LRjm9-{$2!$JC46&tW187#tUkPN(e)%qeY3T+Uok4r`K3sQ@C7Dcc~7SE39V`av^-w zH=+jW%L*FHMNTvwP)!@&oo9_s$B{y2V$kxXnT*;Bvr zj*?hK(*IiVZc<1w(+OB@pagBgq%=(REtKr@>rw_$Wz7K~6fU&^#FBzR1Oe(%78>QC zf#z*_1+rmV%e3W>66?MfGujRuB^pBTkOFK@LN=G%(KZ8duCUZIIV%EGf zYxb|>Yn@#<>_$46XJi6qN$2i+!G6W_elRY(Cwk3S4Gb z&mv^P@_ur*Dk@V3)#)M!0qjyaFuXd1q#ES^73y&52sLVO&?Zl6E(C2bngu-y%P{Ei jgra8Pn>;}lb>xu-l(bAbRebz`K`pfWH!C|%na}zk=AmGM diff --git a/dist/wasm/Hacl_P256.wasm b/dist/wasm/Hacl_P256.wasm index 113d780fc88014d7bf47007aee3d6843061bec5e..650f87dd9d791f5b2b45ca6ad8763e8b005061d9 100644 GIT binary patch delta 905 zcmYk4%}*0i5WwHtZkN^-sIm|(6lO$7DOl?hsj7{ss_da)1s+*@v0?D)D(6{iI= zYzd}dadXs?+`WBGjAp=~BFH2dtKDEsWjGC4l~*xqs{>t`f`5WVDB=vv;4I8)mVqTG z;T+7VY+STd76eY!8n59z%xm1hGH@t^l8QueLFKY6V+AVi`rG%|eejgt5fsb-y+N|V zrpn@sVGvkk#J=;m-+uK?w$1M!BpJ?nEcv5Edk1u&0t$A5q*>7EZXJEpx({B`J#B*7 z=JSZ=pd}Gkz>HYZ?)n8TMw5{8xROn-2~a&Q)%iTYyW(m82s4nuEM##KCJD@^Aq7*a zh&jkbLYQ~(BJUs7LDyJAj{!NAKfs)4Dv+drWyPeA0XjvYhgHz2X(PE{4 zClE#=10<3DMXq9rzR%gHoO6B*aXIP9vl?Y(m?v`#E7YK(is_REGZaw+x*ivywHYkI zA}rZ|dScN9xa(mrG_mhd8evy_?BVe^`SF&GK#!B`GhdVdP2r!3NB%Ipgh`qN!yQeL%34!is>Cksy7eTlA^sMAlWUaNVVzW?hA HA5#7T-aXJ_ delta 932 zcmYk4%TE(g6vpqJPHFA%sJ2A|0^c#gP+g$WXf#HcG4g1EGRUhyc`Hzi{{T9JVtv4h z%)+%RHkx2&!G^86Ga=E93o!AoaAQ1o3aN`bnRD+s_dDnJ-O^_G{bqQ#6xFu=_^+eI z9pl%l^>q=_oTMA`{yuU2wcSlEcHWZDs0k@Fd4``hn$b)xXdwW8hd-ew4&QQ7wdS01 zHAi!$bIXnRANDN$tgQ-%kO8l>5F0mzFabusMo8F2ZKra`NzTvXX6JdbXm6tMOJQ$ba!` zG|uU%_MwELG+GNSw~nqu`j9utdvPW-SfXyWW49Qjf(Ph_9LK-j3S)j!88BS&2psZX3KPsle~lP$q?Ikg79`=CL=^YJ1Hm^ zcvQhxQ}#&V8$@3vurcU;IcQB{fQ=bA#-rRTQch_Ed+OaEKl)3|xwpihd}$+i@OwY6 H$jixpyZG3? diff --git a/dist/wasm/INFO.txt b/dist/wasm/INFO.txt index 7ed8e74ac6..f1a6a25e9c 100644 --- a/dist/wasm/INFO.txt +++ b/dist/wasm/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. -F* version: 155853a14336aa0713dba7db5408f4c8ab512a06 -KaRaMeL version: db63c1de17565be0ec4989f58532717a04e3ff40 +F* version: bc622701c668f6b4092760879372968265d4a4e1 +KaRaMeL version: aef72b2b5a44b338b856a177819d1bfa0d7cc5b6 Vale version: 0.3.19 From 0710bf080cb6be933a86353b6b9effffcd91ed2b Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 5 Oct 2023 16:40:01 +0200 Subject: [PATCH 13/22] Stabilize Hacl.Spec.BignumQ proof --- code/ed25519/Hacl.Spec.BignumQ.Lemmas.fst | 43 +++++++++++++++-------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/code/ed25519/Hacl.Spec.BignumQ.Lemmas.fst b/code/ed25519/Hacl.Spec.BignumQ.Lemmas.fst index cf1453dccf..c1eb27b304 100644 --- a/code/ed25519/Hacl.Spec.BignumQ.Lemmas.fst +++ b/code/ed25519/Hacl.Spec.BignumQ.Lemmas.fst @@ -885,6 +885,21 @@ let lemma_barrett_reduce'' (u:nat) (z:nat) (x:nat) (q:nat) : Lemma } ) +val lemma_barrett_reduce''': + x:nat{x < pow2 512} -> + (r:nat) -> + (qml:nat) -> + (u:nat) -> + (z:nat) -> + Lemma + (requires + r == x % pow2 264 /\ + qml = (((((x / pow2 248) * (pow2 512 / S.q)) / pow2 264) * S.q) % pow2 264) /\ + u == (if r < qml then pow2 264 + r - qml else r - qml) /\ + z == (if u < S.q then u else u - S.q)) + (ensures z = x % S.q) + + #restart-solver #reset-options "--z3rlimit 60 --fuel 0 --ifuel 0 --split_queries always" @@ -892,7 +907,7 @@ let aux (a b c:int) : Lemma (requires 0 <= b /\ c < a) (ensures 0 <= a + b -c) = () -let lemma_barrett_reduce' x = +let lemma_barrett_reduce''' x r qml u z = assert_norm (S.q == 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed); assert_norm (0x100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 == pow2 512); assert_norm (pow2 248 = 0x100000000000000000000000000000000000000000000000000000000000000); @@ -903,6 +918,7 @@ let lemma_barrett_reduce' x = assert_norm (pow2 264 = 0x1000000000000000000000000000000000000000000000000000000000000000000); let q:nat = ((x / pow2 248) * m) / pow2 264 in + let a' = (x % pow2 264) - (q * l) % pow2 264 in assert_norm (2 * l < pow2 264); calc (<) { @@ -931,27 +947,26 @@ let lemma_barrett_reduce' x = Math.Lemmas.modulo_lemma (x - ((x * m) / pow2 512) * l) (pow2 264); Math.Lemmas.lemma_mod_sub x l ((x*m)/pow2 512); lemma_1 x (q*l) (pow2 264); - let r = x % pow2 264 in FStar.Math.Lemmas.modulo_range_lemma x (pow2 264); assert (0 <= r); - let qml = (((((x / pow2 248) * m) / pow2 264) * l) % pow2 264) in FStar.Math.Lemmas.modulo_range_lemma ((((x / pow2 248) * m) / pow2 264) * l) (pow2 264); assert (qml < pow2 264); - let u : nat = - if r < qml - then let s = pow2 264 + r - qml in - aux (pow2 264) r qml; - assert (0 <= s); - s - else let _ = assert (r >= qml) in - let s = r - qml in - assert (s >= 0); - s in - let z : nat = if u < l then u else u - l in assert (u < 2 * l); Math.Lemmas.modulo_lemma u (pow2 264); assert (u == x - q * l); lemma_barrett_reduce'' u z x q; assert (z == x % S.q) + +let lemma_barrett_reduce' x = + let m = pow2 512 / S.q in + let l = S.q in + let r = x % pow2 264 in + let qml = (((((x / pow2 248) * m) / pow2 264) * l) % pow2 264) in + let u : nat = + if r < qml + then pow2 264 + r - qml + else r - qml in + let z : nat = if u < l then u else u - l in + lemma_barrett_reduce''' x r qml u z From 15740116c24cdf2b69fa61b01608db8416fc2543 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Fri, 6 Oct 2023 13:01:28 +0200 Subject: [PATCH 14/22] Do not rely on record internals for constructors --- code/blake2/Hacl.Impl.Blake2.Core.fst | 48 ++++++++++++--------------- 1 file changed, 22 insertions(+), 26 deletions(-) diff --git a/code/blake2/Hacl.Impl.Blake2.Core.fst b/code/blake2/Hacl.Impl.Blake2.Core.fst index 2fb68ad886..bfca0eb338 100644 --- a/code/blake2/Hacl.Impl.Blake2.Core.fst +++ b/code/blake2/Hacl.Impl.Blake2.Core.fst @@ -33,32 +33,28 @@ let row_v_lemma #a #m h0 h1 r1 r2 = () let create_default_params a salt personal = match a with - | Spec.Blake2S -> - Mkblake2s_params - (u8 32) - (u8 0) - (u8 1) - (u8 1) - (u32 0) - (u32 0) - (u16 0) - (u8 0) - (u8 0) - salt - personal - | Spec.Blake2B -> - Mkblake2b_params - (u8 64) - (u8 0) - (u8 1) - (u8 1) - (u32 0) - (u32 0) - (u32 0) - (u8 0) - (u8 0) - salt - personal + | Spec.Blake2S -> { + digest_length = u8 32; + key_length = u8 0; + fanout = u8 1; + depth = u8 1; + leaf_length = u32 0; + node_offset = u32 0; + xof_length = u16 0; + node_depth = u8 0; + inner_length = u8 0; + salt; personal } <: blake2s_params + | Spec.Blake2B -> { + digest_length = u8 64; + key_length = u8 0; + fanout = u8 1; + depth = u8 1; + leaf_length = u32 0; + node_offset = u32 0; + xof_length = u32 0; + node_depth = u8 0; + inner_length = u8 0; + salt; personal } #push-options "--z3rlimit 50" let g_rowi_disjoint #a #m st idx1 idx2 = From 869a14dfba7fe0d4aedec32faca308993d6b0707 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Wed, 11 Oct 2023 13:45:08 +0200 Subject: [PATCH 15/22] refresh dist --- dist/gcc-compatible/INFO.txt | 2 +- dist/gcc-compatible/ctypes.depend | 10 +++++----- dist/karamel/include/krml/internal/builtin.h | 2 ++ .../krmllib/dist/minimal/Makefile.basic | 6 +++--- .../dist/minimal/fstar_uint128_gcc64.h | 4 ++-- dist/msvc-compatible/INFO.txt | 2 +- dist/portable-gcc-compatible/INFO.txt | 2 +- dist/wasm/EverCrypt_Hash.wasm | Bin 49373 -> 48519 bytes dist/wasm/Hacl_HMAC.wasm | Bin 29855 -> 28253 bytes dist/wasm/INFO.txt | 2 +- 10 files changed, 16 insertions(+), 14 deletions(-) diff --git a/dist/gcc-compatible/INFO.txt b/dist/gcc-compatible/INFO.txt index 60cb7b003a..66d2d19a43 100644 --- a/dist/gcc-compatible/INFO.txt +++ b/dist/gcc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: bc622701c668f6b4092760879372968265d4a4e1 -Karamel version: 7cffd27cfefbd220e986e561e8d350f043609f76 +KaRaMeL version: da83fc312e2f3833f5746dfb702a456048a7a3da Vale version: 0.3.19 diff --git a/dist/gcc-compatible/ctypes.depend b/dist/gcc-compatible/ctypes.depend index 31393b5e24..fc088212c7 100644 --- a/dist/gcc-compatible/ctypes.depend +++ b/dist/gcc-compatible/ctypes.depend @@ -1,4 +1,4 @@ -CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2_stubs.cmx lib/Hacl_Hash_Blake2_bindings.cmx lib/Hacl_Hash_Blake2b_256_stubs.cmx lib/Hacl_Hash_Blake2b_256_bindings.cmx lib/Hacl_Hash_Blake2s_128_stubs.cmx lib/Hacl_Hash_Blake2s_128_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_Poly1305_32_stubs.cmx lib/Hacl_Poly1305_32_bindings.cmx lib/Hacl_Poly1305_128_stubs.cmx lib/Hacl_Poly1305_128_bindings.cmx lib/Hacl_Poly1305_256_stubs.cmx lib/Hacl_Poly1305_256_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_Chacha20Poly1305_128_stubs.cmx lib/Hacl_Chacha20Poly1305_128_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_Chacha20Poly1305_256_stubs.cmx lib/Hacl_Chacha20Poly1305_256_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_Chacha20Poly1305_32_stubs.cmx lib/Hacl_Chacha20Poly1305_32_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_Streaming_Poly1305_32_stubs.cmx lib/Hacl_Streaming_Poly1305_32_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_Streaming_Blake2_stubs.cmx lib/Hacl_Streaming_Blake2_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx +CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2_stubs.cmx lib/Hacl_Hash_Blake2_bindings.cmx lib/Hacl_Hash_Blake2b_256_stubs.cmx lib/Hacl_Hash_Blake2b_256_bindings.cmx lib/Hacl_Hash_Blake2s_128_stubs.cmx lib/Hacl_Hash_Blake2s_128_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_Poly1305_32_stubs.cmx lib/Hacl_Poly1305_32_bindings.cmx lib/Hacl_Poly1305_128_stubs.cmx lib/Hacl_Poly1305_128_bindings.cmx lib/Hacl_Poly1305_256_stubs.cmx lib/Hacl_Poly1305_256_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_Chacha20Poly1305_128_stubs.cmx lib/Hacl_Chacha20Poly1305_128_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_Chacha20Poly1305_256_stubs.cmx lib/Hacl_Chacha20Poly1305_256_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_Chacha20Poly1305_32_stubs.cmx lib/Hacl_Chacha20Poly1305_32_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_Streaming_Poly1305_32_stubs.cmx lib/Hacl_Streaming_Poly1305_32_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_Streaming_Blake2_stubs.cmx lib/Hacl_Streaming_Blake2_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Streaming_Types_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmo: lib_gen/Hacl_Streaming_Types_gen.cmx: lib/Hacl_Streaming_Types_bindings.cmx @@ -183,14 +183,14 @@ lib/Hacl_Bignum4096_bindings.cmx: lib/Hacl_Bignum_bindings.cmx lib/Hacl_Bignum_s lib/Hacl_Bignum4096_bindings.cmo: lib/Hacl_Bignum_bindings.cmo lib/Hacl_Bignum_stubs.cmo lib_gen/Hacl_Bignum4096_gen.cmx: lib/Hacl_Bignum4096_bindings.cmx lib_gen/Hacl_Bignum4096_gen.exe: lib/Hacl_Bignum_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_c_stubs.o lib/Hacl_Bignum4096_bindings.cmx lib_gen/Hacl_Bignum4096_gen.cmx -lib/Hacl_Chacha20_Vec32_bindings.cmx: -lib/Hacl_Chacha20_Vec32_bindings.cmo: -lib_gen/Hacl_Chacha20_Vec32_gen.cmx: lib/Hacl_Chacha20_Vec32_bindings.cmx -lib_gen/Hacl_Chacha20_Vec32_gen.exe: lib/Hacl_Chacha20_Vec32_bindings.cmx lib_gen/Hacl_Chacha20_Vec32_gen.cmx lib/EverCrypt_Ed25519_bindings.cmx: lib/EverCrypt_Ed25519_bindings.cmo: lib_gen/EverCrypt_Ed25519_gen.cmx: lib/EverCrypt_Ed25519_bindings.cmx lib_gen/EverCrypt_Ed25519_gen.exe: lib/EverCrypt_Ed25519_bindings.cmx lib_gen/EverCrypt_Ed25519_gen.cmx +lib/Hacl_Chacha20_Vec32_bindings.cmx: +lib/Hacl_Chacha20_Vec32_bindings.cmo: +lib_gen/Hacl_Chacha20_Vec32_gen.cmx: lib/Hacl_Chacha20_Vec32_bindings.cmx +lib_gen/Hacl_Chacha20_Vec32_gen.exe: lib/Hacl_Chacha20_Vec32_bindings.cmx lib_gen/Hacl_Chacha20_Vec32_gen.cmx lib/Hacl_Bignum4096_32_bindings.cmx: lib/Hacl_Bignum_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmo: lib/Hacl_Bignum_bindings.cmo lib/Hacl_Bignum_stubs.cmo lib_gen/Hacl_Bignum4096_32_gen.cmx: lib/Hacl_Bignum4096_32_bindings.cmx diff --git a/dist/karamel/include/krml/internal/builtin.h b/dist/karamel/include/krml/internal/builtin.h index 53ea9040c0..6098f30bec 100644 --- a/dist/karamel/include/krml/internal/builtin.h +++ b/dist/karamel/include/krml/internal/builtin.h @@ -7,6 +7,8 @@ /* For alloca, when using KaRaMeL's -falloca */ #if (defined(_WIN32) || defined(_WIN64)) # include +#elif (defined(sun)) +# include #endif /* If some globals need to be initialized before the main, then karamel will diff --git a/dist/karamel/krmllib/dist/minimal/Makefile.basic b/dist/karamel/krmllib/dist/minimal/Makefile.basic index 8e39de6d05..d7a1fdfd70 100644 --- a/dist/karamel/krmllib/dist/minimal/Makefile.basic +++ b/dist/karamel/krmllib/dist/minimal/Makefile.basic @@ -12,9 +12,9 @@ ifeq (,$(KRML_HOME)) endif CFLAGS += -I. -I $(KRML_HOME)/include -I $(KRML_HOME)/krmllib/dist/minimal -CFLAGS += -Wall -Wextra -Werror -std=c11 \ - -Wno-unknown-warning-option \ - -Wno-infinite-recursion \ +CFLAGS += -Wall -Wextra -Werror -std=c11 -Wno-unused-variable \ + -Wno-unknown-warning-option -Wno-unused-but-set-variable -Wno-unused-function \ + -Wno-unused-parameter -Wno-infinite-recursion \ -g -fwrapv -D_BSD_SOURCE -D_DEFAULT_SOURCE ifeq ($(OS),Windows_NT) CFLAGS += -D__USE_MINGW_ANSI_STDIO diff --git a/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h b/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h index ae109004fa..e40304b25b 100644 --- a/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h +++ b/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h @@ -110,7 +110,7 @@ inline static uint128_t FStar_UInt128_mul_wide(uint64_t x, uint64_t y) { inline static uint128_t FStar_UInt128_eq_mask(uint128_t x, uint128_t y) { uint64_t mask = FStar_UInt64_eq_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)) & - FStar_UInt64_eq_mask((uint64_t)x, (uint64_t)y); + FStar_UInt64_eq_mask(x, y); return ((uint128_t)mask) << 64 | mask; } @@ -118,7 +118,7 @@ inline static uint128_t FStar_UInt128_gte_mask(uint128_t x, uint128_t y) { uint64_t mask = (FStar_UInt64_gte_mask(x >> 64, y >> 64) & ~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) | - (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask((uint64_t)x, (uint64_t)y)); + (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask(x, y)); return ((uint128_t)mask) << 64 | mask; } diff --git a/dist/msvc-compatible/INFO.txt b/dist/msvc-compatible/INFO.txt index 60cb7b003a..66d2d19a43 100644 --- a/dist/msvc-compatible/INFO.txt +++ b/dist/msvc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: bc622701c668f6b4092760879372968265d4a4e1 -Karamel version: 7cffd27cfefbd220e986e561e8d350f043609f76 +KaRaMeL version: da83fc312e2f3833f5746dfb702a456048a7a3da Vale version: 0.3.19 diff --git a/dist/portable-gcc-compatible/INFO.txt b/dist/portable-gcc-compatible/INFO.txt index 60cb7b003a..66d2d19a43 100644 --- a/dist/portable-gcc-compatible/INFO.txt +++ b/dist/portable-gcc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: bc622701c668f6b4092760879372968265d4a4e1 -Karamel version: 7cffd27cfefbd220e986e561e8d350f043609f76 +KaRaMeL version: da83fc312e2f3833f5746dfb702a456048a7a3da Vale version: 0.3.19 diff --git a/dist/wasm/EverCrypt_Hash.wasm b/dist/wasm/EverCrypt_Hash.wasm index 8fdc7b27e028cff8b53492b41b29a176bc2bb191..421d79d0e9efe2ed5cd9a6fe8ef00d1ba286d3eb 100644 GIT binary patch delta 2653 zcma)8YfKzf6rMZ#-kIGUUS(Mr_D(^Tq0sJwXx^68MEh0jtU_oeY zt10!>V;iFwZEGy4ZG#rK+;h%% z&;91?%zn1Tbk85Whf5CLN;r-qhqp~ka92L$=>#9id$#8_Vm-bGcWSj|{ANB~YDwPM zn`lW6_9Pm6lN-9jdGM;;E8pCA^G42-_0Qm7A{4HYVU6G&PZ%lE#q~xF<64`DgcEBG z+O;e{?IOyxiEy++o>zn$^Q+Pw%ZIuLng&MtHE2Hb9mEXp)ro$T#)4fZ7U z!aMrcB{z0+S#X232xcuAWD)#q36X5WZ?|R;FQRIa1CLrm#0T$KD@iV{GAK6G2Wo9W z_}J!w&9*{t*#mIWCP6dWS&INe_Dncx^Fq5-fSBDv6nN5B1RLxUSq!80ASr+&_6kyn zs|>`ELoR__M}QPzlglj0pF&uD|6BSN5N=XS=oGMuY%bZI{DO~3)BW1X% zrf4V(XPgQj4g(byTku|75Y9OZNC;QI5#A?cz%_!OL||AbA?0vD2$Cpb*?pnvTm_sH zo|P-BsxPgnt*ehU#2cHMmtS^y%Zk>v_A5F%yH>7R4eyE_{Pr}EU1g*W+FV6^y&u|L zxi;eo#}pmIjLXJ11a#<0_TH4ZZGB>JqptH6EPNKj9jt2oKzBFSX<%y)&K0)`THU|8 zS35s{YwH9jpPIzsb3>=cN6fIaBS$;nIcc`Wxj2v~y*selvFLBl_dzPWfiPUgQM{}xH zvsaw6@%Pzx#{v+ne~;g8+Z`K2AI4+Vscm}H43*I=_&rvKVW@7XHnP0ht_H$qsmjBI zK1}pyxrd}4W(n+XT+APJY9||?BIyBTm=5dlkyN-CMw@;79*6cw^RRM(RQ+ zyM`EL*AS!Z8qz7XA2$6&{;M7B?8sFncCjP@;b? z+&Nv!zbR-%`)xcv{+UCiMpo-HbP`*b~@t|}ht z(SKRe+z)Tpw2%K<)TXC(c5UX+g|hz(%`1mvrgiP2AW#lz+e9Y=Euw>g%SAf_mx(q8 zmWx&fT15*3D?~E`&7z5cCXr{LQ6vn+Avx2@-|g0p&8#MARX&=1gytL>r8(3`JraeT z&%LdEaqN+cLw;@Nb3=%atMvC=Tk-*`4R#P>O)>5n(_Psfbw=#-A6)BbGS5;FNM?o$u@FVGk%|Sl5ri zkggzuL0v-zm+30<=n!eCt|NnGx{?fb=~^mmG56Rv<0@V`OJ@kZ^@7n)o~Sb8JZP1I+soNVZ$D36J&K!EOZs zV}pPeNKxo9C?LR<(ncYbd1Oi-K}u6arIlz}SNYNYsbZ=95w&VcijqjBke=DGw?SzF z>JQ)ho$uWF=Il4eXXaaXr9U0aakIqm0B4NxbBD*r*_u=C{!{(#Q~l;^hkwE?cPEHj zqN&n8Y0SGku`Lzv9vDi+J5z~W$@+NLV0w5YkscYY`SMge9)B)565sL7b&0R1lJT|7 z{eSA@Jt)-4Jos&Ml;`0o`(p3#aFXSlHY8F>*YNg4eIy$H#?Ui~kt8d?%a$q(SPFO{ zc3MJwUM4r3 zKe9LQYOHe9azCzhC|to&$0A;XmmGC`5v|I1ohDw3&pXS^_4N&`&OnhU3uI8Zv4Jfn zRL+BV+8N{_yy>jr_4pCtFfNp9cmuAGuSt<8-j{vobFGw47vL^eozz@`zi|1S+jb|( zmiUe|Yr(f<VK{jrUzvsjXUvxrx+s@xf=~^kB)pUJT}zOMPV+$}KkUPA1t3x~kZ+ zJu$qUt-_acKh0h3xbwS1M4-tg0T9Jdq4ho)Z-Qn(BNlGM6yH_qJCx)u`JODjecemO<7_IEb%j0 zG-rtxXz??TXjRANRNJ7<&k99*_DBbG_}K!XW{FPd^s{2o1@%Brg3%U>G81i0QD&p9 zIm%=RL#v((L%W^}gR1Ak&_y|wskRZZ6e8;Q_+c9?RbhB|xJ4|3AS~0b2^xAqLoaCP zg$%urp%*grLbG~!p-{o`VvGE^c%q!CH~3DEnc;hdp|Rz#Ty(>7!&n;`+e1OdSUu>a zAY-f^^v(W2k5~aK6f$;Ymgt9mg?wCU#a8Hrl`%4+7goi{wO&{gV;sw! zK6p~k^}$xksccHMO&t|a!OG5zwNG`aZ?mZ*M~;Z6p&Opouj@86yA925L$k-w>@hTZ z49%WdP0XFA*yH7rX$<1xYdBrv$K<@aWS+2rt&VK6&(@zW9N^FiC)mOHJRO&&gbWNg z$mJ$af!8=^28oJF5z9P<&Ico~s!W)L1Ke6 zI&UjYtQn!;gtw5U)+KKB2rixZkc0=N2 z+Kl*%#DQ+B;D;3s8g<64%Load;%reJ&;k*a7~Sh5||Gq-~*SZ(MynfnzY-g^*OWGyqZpH zGeeud@;u&79YV)Q8fOL~v=3nW#&XR*@;yGQkx30T%%#viGKg1FRbN#?Ml!wEkWBA2 zBnS5Dl3MP*I}b0X;~@Rkfhcwy{7mZ@3(b|1p~-@dgAcJ_{7}|{=;5?Bbo3D{ICspb z_uMg~-m}ND7GzRn!E6f89(yzk?w>Ry@1Haz@14w8aPg%_uweR(VZrp7&$Q`@tOXgG zESNs?5DPpnXDzsSHvPu=hdA)bD~GUV(kQoPGE*)plgFsN-Qd>S+mmhYJn%r?Zjlf9 znf5M#0&4F-N0fp7TtP>~!jb)zd9I4Dh&YH^4I4W`L!# z)c{?x#Q@7?vjLuvO$O+ca}1!$k^wqoZh&_5UGA6Aqoppd<#|yrJT?VIQ~RL^yx{hf zYSUM?NnfB#aQezEbZbA%uNE$F>1O6;N6BwAUsu?i8Do$`F9D`9PlNLd1pTyfPIepL zBbCAqc3sCY_fW9rN8YiJSp|B7%*oV~%!9G+3uVcopze$T7wg^_Frd3*z&hO@n$>i+ zR(HsNi*%0+xKek?fc?5p613}wYjmp&T9KI(Z1nE32rF2?s=vFAkJA?*qh6WF+gV|9 jI?p4;oCqghSenRWL-eUU?c>HDw diff --git a/dist/wasm/Hacl_HMAC.wasm b/dist/wasm/Hacl_HMAC.wasm index 033e7523a05ee2ad4575a4696b36b47f7cef8808..8f4944c7de1e65392fed09831fc8df9b5b1fc343 100644 GIT binary patch delta 4287 zcmZ`+Npw`#5&chUIf})ilYnd#1XT!xMug@8kos#t5}FYR5Sk~{tyUu>Fg6HU#tg;= z8~HOB2kh8@&4zPwj`lgMvdSVp*(TX%m6LTA$*uQZcYh`E(U<zlu; zzy3wN?M$vLD#vluqxH96rl-f_>%ZHrZ-4Gp*Ee>n+ksyOJ0_>2;~kSL^W)9Y$%Wa9 z9p3$ncQVGqvG4`&9~n>opTUlwy&Dky#*c4>Rod_WxN#`6r2Xgrdc3ygq@`Vpc}FuJ zc<LatMQm-&za(Fo;3NEvwp`CA+Fd7t~np?#Fs?8rlQFek@#GVsU+6rh3_7s_pk zi>MHYR0QVpfj9*46no_zdAmxego*{W1eV2A5M8Ko5FnRQ3Gb)<-hqxi!(~)PgnC6+#p#uNcxoRs^G740DF)Q3as~sEnPWO34p&7S0uX7x=CZzgb=bzq!=$843PyGq+F+w^EB6OsrTNT1Ao-*1$)!B>N(p*Ws!NcX*tgUC{}*PM=$wNJ+PLEhXGK#jR7K z3bpW2I?7$Nhr5wv4?uc+>2yO<3!1nq`DjxU4fhDhp%yGoAef$mqtJ_V%-N8N?Q@Cx zV%#scB_5!DVAFuD*nR;xrYm-k2I-h2GziOM)R(B(<21-8=!CA=AsV87u^FNPQ?Vy$ zh)>a}EIv)AL7J-A;Z1UY&(JV1d4zg-lzM5zE+&tmw8m*%*Ubb?n7SF4u*R_v;|Mmf z2@{Z{ZYJ!)8zV`6`vgx)#ZKyq-I1u+DVox-(==^hrv!Eiuv0$RX-EP)ZDEa(z~)Z# z3=Qi_pFySfy{1tbHkCe0vl@Di<_z?#K+ght)(1TYNucK}v@sIsopXGa&d^y~=_9E0 zGc+cZPCQTZy2`^8HdQ_^*z>@i_hE-2NtK6fDHtQc9u9MaBD_G6RFy|j<%|9*kD0mPrL%=&mUl7nlHe z$PVt*<6=!=Km@2L#>H}5VvGc&OeOa46-!>F`tV^SP^lcO{je;hqQv1Vqy2n<4(P*& z!C*#8IhB~hS3%{N43$|J2UVL6U-c$AfEiH@Os>VasKdCZO&q>@9KHr>@MKxg-%VBx z5>^BDrvbqx4&OmYvMdMfvKS-1EC>0JEKA{GI&1*+Et3v&qpZduEK8#vBfDgbU^WO{ zafm|3x=HAoK!=%;q!UT#LPF>5+?|^qVpmv7(fg_BwQOIr_-B&z^lA`A$pupj)lqd& zGqqByPOOdE3{$HxwSuYD$J7Q%nA&V&#z-gD#z%y5TRXJ_Uvst_&UQ3>Xev9YlWMi1 z(ejeDXy+EU$GG=!uV}XRQJ=-_Gm1X$*DeF-+}35l zXa>-}#YNh;31!eI2Kl&Fpm$rv38Of{Lt1f?PFlrDqd3W@L=i_Tw~Et7ahivzn|l43 z$QVgwxhnh7O~-uiGU>QqTBR=h4EbI;H}T?>|HV}_TY!3#HCuDLF)(TfgBg9XhU)c+ z!Z*Mh2NPt(`*C?+)hLac_J~okz$4h!5#P3s>IoB}QQJd|k!c7Imdz4;25OFsTj>ko~=H}M$|Mnbk3qGmV(6-8papzli@ zr3I`PMQt+z_5v?TGol!N7Nr@*#B`A&iEea`V!T94x*MUH6TWF3+@hu%Eu+1!&`K6x zkj`#$mN~!|H^~8hk1hg}FHxA^r!ZYg?7|0V50~k(9NLO2bVX{`48%hH3{#}t#XZUX@3E+l81b9rPd{b<73^x-oSW|Dkep}$C;#(5L_S=eXE70jE zZrdnsEB;ut4R;jbx}=qNtn!ZHPZWI&vebd5Pd16G{HeIByPD#jqI*e-dlu!M;?G3u zEuG2um1X$c>ONO|Uwf`AT2FeeTkX2yFGTyUrwEq`&a+BS@dK@Vs0f!)KD5e*iXUm^ zV@0@(^08GuR{W(X<4+XfGRh}b`9$$oitZ}4#I zo-1G9f+OTq=Yo@#6TJ%pn%8r%Z9N2l7Xt9Y4*)92DS+>+oB)6l052rm9t8SQ(M!eO zD{}Y;C5!P&5MTLo{y~Xs+aN5Hf?WVD^D9BjK+!^;SHK|)9(3`s}=$>f0v&pd`! z11JcF3seCM){0e#1>*x$6nqtEt58|1uGLys|Fx?>y85HPy4uxmpL^%d;Hv++)}6U~ zpZ)muIdjfF-+cW?I{sI>&8qKiC(E+vz|d_k-$n^atR0g`BnF1get+omF+@YZFQqp| za%op!@uWxU8{@I!_O5uWC|=*zG&8oKv!lDGzN4pm>UW!Bu~#$=9sH71Wn-S}!G6r8r?)~{aJvBMfQYT$?y4jyv;HaR}B zsC?R}gk*D;9k3~G2jZ=g10|SL?twBcspQ&!|M%Pf><>+pDLf@&SrYLFq8yD_0h#I# z+{^byte{Nu2d4A%h&4{`^9Szd`y*CJX4r{j)(7~3h?OZbeV180D`MR#v;Bbw`N4=a zS@QTEj^tSuUQ_d|0AADbtRPCEE~dv(4ACUq58xv48PbtO_)rlqcerm3sE)UK1J z&Z?4?{3x&F0;C`2rNe#DO3b>9on*6AbG0*!6_BmHk!w{`f0OtzqqTbFud%6B z);M-}{49wfE|wNor&y@zuvJpud)8^9vjoJ)yy)Sxm zQ;Tz{X?y}xVmlDZn1s!?4pVAMpHedv|G>6D8K+axqrBcfI2(8aCM2!?KpVH|fsOkE z?cA;hw!*- zLDEiS_M84JJHIs&kX^(W?2XHA;&t*AzIeAOM>qA;goD0^cn|4$oVS;FFY+nk9{9Au zggpi^)kfd~U618n@;0{T>Rf6cf7f1;XGojLGi18Sc&AdazhmczP%|U~9P|+Z! z(BPsbpdBLbWO}ZOw&4)TVdBFiKhf`0?|Ba3^1N2ycb_9jD@PUJD9ZO65CT>ATM2@U zo@^#i&`pjy8{6;5Kc>;g(xZW+x*vVS)05FKQmgZi_#Mko;|s(uko=U`lH-JhIHBoI zq|f#^sqVETIQoh=b)(A(oq7|dYx)x3ih124LB559*oR}UoCeXz9W@{c8US_rj!(uw z1h(w&v};_(fQ%H^&CEz6DZzA-qKZ#aR7sMQu#%K04p)+-gasreiWZk7DPaLgiK3w; zNlI8iQljWzNsRmD%D#Ic zFXRQ13x^eTl?$PiW+_18Tn&^OF6E^mgHp@2iZZ*7>s*vtMX3c!Z5m1)G)1ZN z=HfajE6J#n$Mh#2znWJgzrkGXVy*_?fn`>VV_aekG1m|Sky(S)51A!JN?x0;^+~

gXIWCD}Hw)L(hoekKFMVkrvKwO| z@D|T65e8|&<*UsV#KZl=7Z$@@w7-IVB*zTp&K^QVl5F7}8=LI_$B)9kCqQ{>V?Y&?D zShYhY1q2rdf{OzIIDo-gx-bx27zl+f4kQ-`{SsH_MGJhP1GK@Fx&${l6!gvK@NMWQ zRQ!g|leW&OxY+SLPudy5BoGdwaF~)E^r)KUnBM-{MLW$^kA&(D`8f#6S8=6-0pOND z4la7a-0$gJ^u=$D1mtJL7zB>Iq*V9k_~MsPm)lrhRx)~$_@qM{rp$YV_!ZJKYVk=^ z`bolug_zp0aDk4k1yApEc&5D_JVkuU zz@8>P?ZKWhu%{FjVhR>6&=vM{64rB7*uZI$Vdr{YPQmNMcn-TA@pZ3+*GYb^67j49+S@ma5sGp3L;S_s5cA#j1Ng`7qBo5<9W%ozU5ipB6*wmO`xTE9lw2(+9&U5Je@Nb=ZVkz80Wn#=Ski* z*7u0H`WWp7yQ@@p7jFB2gdp#F&;1WL(lpl$wgzmM2yF?Uh=G$NIo*w zkBRYk){i~w$0VPqHSsAi9?$xzXZ@7qGvaf^@7^?9e*Y%b+zN2|Abm8*7jIJg_#M*c zqx4a0P=`Lj(DzbH+s~glGx8?NIg(!yJv|u>BciWqttF`PI`MUq n-w|8#rFJX1p&4(aPxwnx-Mhcw=_}q1W^}os8R@E1(2?_B9%VUW diff --git a/dist/wasm/INFO.txt b/dist/wasm/INFO.txt index 60cb7b003a..66d2d19a43 100644 --- a/dist/wasm/INFO.txt +++ b/dist/wasm/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: bc622701c668f6b4092760879372968265d4a4e1 -Karamel version: 7cffd27cfefbd220e986e561e8d350f043609f76 +KaRaMeL version: da83fc312e2f3833f5746dfb702a456048a7a3da Vale version: 0.3.19 From 35d3dcf2437eb3848b918684be1bb5027e013169 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 19 Oct 2023 13:51:21 +0200 Subject: [PATCH 16/22] dist refresh --- dist/gcc-compatible/Hacl_Hash_Blake2.c | 139 +++++++++++++++--- dist/gcc-compatible/Hacl_Hash_Blake2b_256.c | 61 +++++++- dist/gcc-compatible/Hacl_Hash_Blake2s_128.c | 58 +++++++- dist/gcc-compatible/INFO.txt | 2 +- .../krmllib/dist/minimal/Makefile.basic | 6 +- .../dist/minimal/fstar_uint128_gcc64.h | 4 +- dist/msvc-compatible/Hacl_Hash_Blake2.c | 139 +++++++++++++++--- dist/msvc-compatible/Hacl_Hash_Blake2b_256.c | 61 +++++++- dist/msvc-compatible/Hacl_Hash_Blake2s_128.c | 58 +++++++- dist/msvc-compatible/INFO.txt | 2 +- .../Hacl_Hash_Blake2.c | 139 +++++++++++++++--- .../Hacl_Hash_Blake2b_256.c | 61 +++++++- .../Hacl_Hash_Blake2s_128.c | 58 +++++++- dist/portable-gcc-compatible/INFO.txt | 2 +- dist/wasm/Hacl_Streaming_Blake2.wasm | Bin 12272 -> 10796 bytes dist/wasm/Hacl_Streaming_Blake2b_256.wasm | Bin 4491 -> 4583 bytes dist/wasm/Hacl_Streaming_Blake2s_128.wasm | Bin 4256 -> 4347 bytes dist/wasm/INFO.txt | 2 +- 18 files changed, 705 insertions(+), 87 deletions(-) diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2.c b/dist/gcc-compatible/Hacl_Hash_Blake2.c index 44c2a29fa7..5793e305aa 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2.c @@ -480,6 +480,7 @@ blake2b_update_block( void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + 4U; uint64_t *r2 = hash + 8U; @@ -500,16 +501,68 @@ void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } void @@ -1116,6 +1169,7 @@ blake2s_update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, u void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + 4U; uint32_t *r2 = hash + 8U; @@ -1136,16 +1190,65 @@ void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } void diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c b/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c index a265226bf3..bf65cab9e2 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2b_256.c @@ -215,6 +215,7 @@ blake2b_update_block( void Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec256 *r0 = hash; Lib_IntVector_Intrinsics_vec256 *r1 = hash + 1U; Lib_IntVector_Intrinsics_vec256 *r2 = hash + 2U; @@ -229,10 +230,62 @@ Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); } void diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c b/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c index 0f3dea1fa2..556ef95694 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2s_128.c @@ -215,6 +215,7 @@ blake2s_update_block( void Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec128 *r0 = hash; Lib_IntVector_Intrinsics_vec128 *r1 = hash + 1U; Lib_IntVector_Intrinsics_vec128 *r2 = hash + 2U; @@ -229,10 +230,59 @@ Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); } void diff --git a/dist/gcc-compatible/INFO.txt b/dist/gcc-compatible/INFO.txt index f00405610a..d0592218c4 100644 --- a/dist/gcc-compatible/INFO.txt +++ b/dist/gcc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: f7c80bf6814f1af74719e05a2126d2d21a01c50d -Karamel version: f3c3c7a3e7d6aea1c1d05b705eea99688f44f153 +KaRaMeL version: f3c3c7a3e7d6aea1c1d05b705eea99688f44f153 Vale version: 0.3.19 diff --git a/dist/karamel/krmllib/dist/minimal/Makefile.basic b/dist/karamel/krmllib/dist/minimal/Makefile.basic index d7a1fdfd70..8e39de6d05 100644 --- a/dist/karamel/krmllib/dist/minimal/Makefile.basic +++ b/dist/karamel/krmllib/dist/minimal/Makefile.basic @@ -12,9 +12,9 @@ ifeq (,$(KRML_HOME)) endif CFLAGS += -I. -I $(KRML_HOME)/include -I $(KRML_HOME)/krmllib/dist/minimal -CFLAGS += -Wall -Wextra -Werror -std=c11 -Wno-unused-variable \ - -Wno-unknown-warning-option -Wno-unused-but-set-variable -Wno-unused-function \ - -Wno-unused-parameter -Wno-infinite-recursion \ +CFLAGS += -Wall -Wextra -Werror -std=c11 \ + -Wno-unknown-warning-option \ + -Wno-infinite-recursion \ -g -fwrapv -D_BSD_SOURCE -D_DEFAULT_SOURCE ifeq ($(OS),Windows_NT) CFLAGS += -D__USE_MINGW_ANSI_STDIO diff --git a/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h b/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h index e40304b25b..ae109004fa 100644 --- a/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h +++ b/dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h @@ -110,7 +110,7 @@ inline static uint128_t FStar_UInt128_mul_wide(uint64_t x, uint64_t y) { inline static uint128_t FStar_UInt128_eq_mask(uint128_t x, uint128_t y) { uint64_t mask = FStar_UInt64_eq_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)) & - FStar_UInt64_eq_mask(x, y); + FStar_UInt64_eq_mask((uint64_t)x, (uint64_t)y); return ((uint128_t)mask) << 64 | mask; } @@ -118,7 +118,7 @@ inline static uint128_t FStar_UInt128_gte_mask(uint128_t x, uint128_t y) { uint64_t mask = (FStar_UInt64_gte_mask(x >> 64, y >> 64) & ~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) | - (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask(x, y)); + (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask((uint64_t)x, (uint64_t)y)); return ((uint128_t)mask) << 64 | mask; } diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2.c b/dist/msvc-compatible/Hacl_Hash_Blake2.c index 44c2a29fa7..5793e305aa 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2.c @@ -480,6 +480,7 @@ blake2b_update_block( void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + 4U; uint64_t *r2 = hash + 8U; @@ -500,16 +501,68 @@ void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } void @@ -1116,6 +1169,7 @@ blake2s_update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, u void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + 4U; uint32_t *r2 = hash + 8U; @@ -1136,16 +1190,65 @@ void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } void diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c b/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c index a265226bf3..bf65cab9e2 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2b_256.c @@ -215,6 +215,7 @@ blake2b_update_block( void Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec256 *r0 = hash; Lib_IntVector_Intrinsics_vec256 *r1 = hash + 1U; Lib_IntVector_Intrinsics_vec256 *r2 = hash + 2U; @@ -229,10 +230,62 @@ Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); } void diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c b/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c index 0f3dea1fa2..556ef95694 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2s_128.c @@ -215,6 +215,7 @@ blake2s_update_block( void Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec128 *r0 = hash; Lib_IntVector_Intrinsics_vec128 *r1 = hash + 1U; Lib_IntVector_Intrinsics_vec128 *r2 = hash + 2U; @@ -229,10 +230,59 @@ Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); } void diff --git a/dist/msvc-compatible/INFO.txt b/dist/msvc-compatible/INFO.txt index f00405610a..d0592218c4 100644 --- a/dist/msvc-compatible/INFO.txt +++ b/dist/msvc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: f7c80bf6814f1af74719e05a2126d2d21a01c50d -Karamel version: f3c3c7a3e7d6aea1c1d05b705eea99688f44f153 +KaRaMeL version: f3c3c7a3e7d6aea1c1d05b705eea99688f44f153 Vale version: 0.3.19 diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c index d4b2dd848f..50206f3e39 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2.c @@ -486,6 +486,7 @@ blake2b_update_block( void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + 4U; uint64_t *r2 = hash + 8U; @@ -506,16 +507,68 @@ void Hacl_Blake2b_32_blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } /* SNIPPET_END: Hacl_Blake2b_32_blake2b_init */ @@ -1162,6 +1215,7 @@ blake2s_update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, u void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + 4U; uint32_t *r2 = hash + 8U; @@ -1182,16 +1236,65 @@ void Hacl_Blake2s_32_blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } /* SNIPPET_END: Hacl_Blake2s_32_blake2s_init */ diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c index e7e72dd585..9f3bf9cc20 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_256.c @@ -221,6 +221,7 @@ blake2b_update_block( void Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec256 *r0 = hash; Lib_IntVector_Intrinsics_vec256 *r1 = hash + 1U; Lib_IntVector_Intrinsics_vec256 *r2 = hash + 2U; @@ -235,10 +236,62 @@ Hacl_Blake2b_256_blake2b_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk uint64_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_B[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); } /* SNIPPET_END: Hacl_Blake2b_256_blake2b_init */ diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c index a75495e2fc..eccbcf6a37 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_128.c @@ -221,6 +221,7 @@ blake2s_update_block( void Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec128 *r0 = hash; Lib_IntVector_Intrinsics_vec128 *r1 = hash + 1U; Lib_IntVector_Intrinsics_vec128 *r2 = hash + 2U; @@ -235,10 +236,59 @@ Hacl_Blake2s_128_blake2s_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk uint32_t iv7 = Hacl_Impl_Blake2_Constants_ivTable_S[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Impl_Blake2_Core_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); } /* SNIPPET_END: Hacl_Blake2s_128_blake2s_init */ diff --git a/dist/portable-gcc-compatible/INFO.txt b/dist/portable-gcc-compatible/INFO.txt index f00405610a..d0592218c4 100644 --- a/dist/portable-gcc-compatible/INFO.txt +++ b/dist/portable-gcc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: f7c80bf6814f1af74719e05a2126d2d21a01c50d -Karamel version: f3c3c7a3e7d6aea1c1d05b705eea99688f44f153 +KaRaMeL version: f3c3c7a3e7d6aea1c1d05b705eea99688f44f153 Vale version: 0.3.19 diff --git a/dist/wasm/Hacl_Streaming_Blake2.wasm b/dist/wasm/Hacl_Streaming_Blake2.wasm index 80055201f3ed61f597becdb1ed9f91e914c65ad2..1f8674d6a350c84ef69ad1e14a17764f66aaf9b1 100644 GIT binary patch delta 535 zcmewmzb1r>A+b1@k%57MasEUuGiK)c`iYJbU@9tramB{f5sX3t9*N00@g9lA8Szdz ziP@<}GLvJOBv>-@GD{|VG8JNz_hE*}Z(?4^#NTD7S%Jljfq{Eo6GR=?aRL={F*_)5 zIdXWiI5;wBFfb?p#j+H*vJ^OgiaBx|8FN59T?Pg#pd6PYW0oS<b2$!0t%dp+(5H$J^GQY3_gU3JwLDoA%obisL-#}o8L{qf=%VVjzko=nOAzP!Wu_s-I~FYLnYqXJ$aBto^V5UVxTt!= zhmKOp`QcHqQ+E<4`S5CzB%|b?XU?M!-gTb;^7H%7+x5NP$AkF(!!HK$?x6SC{u}XI zpC1eldk2TZ?fFt1$DiyU#-D!mp!d;WKYnlWX70qO?dD|HfT{RR31|{VB%0|Zl{BUH)%6eK3`8Ke1mR;s?0aD!4_?W zD&R01L==Up!P``$Mn@?eHag11fjY{=q1{oM>U3SSI^7hlPN8UZ+J+`Ke8@Z0FynZ9 zes7kkFr)vGG)~{;)0_zu8zrgwhGe4@(6{9%MF6GIEL+Otrn>J1U3huaE zAa53Sk-W>pE?p3^uyuCRi?k?VFJ*&eT9&Z=Y_LKr6835~Sfe!wyPOUZUZ-^lyOK`u z7*r+fARE-ECShMFxxo!8(UOEyB3}Y6(W(SmqOydosUn)DKs1CenwECX!fw)%8Q+tz zn>OqXDoDx-hnZi&`W38S(fSpwU(xy%XMU3xS2sH?#7+6TM8>=C-Zcuz5N3U%{<$P^ z^_o(5ppkLetA%u9(^yHC(eFk=H(XI^dbYQt-7 zdg}eS7(NrSR&t|S;*9XZnDfbxrr%f08F=HZIpBHoz!M?uL<@M)Iq)rWh!x;oX*#msC2l&Jj@QDWaL<4-H z0Y1_G1>bkaC}cG^D$OkeCAmp{)C@YM zk(5r&pi>%2=|m%-QyNL>)Iz5;lG3U1Qm#oO7oLRMmQG0sbV@>?QxXE5k`U+=4RneI zIz>H!$U@vHcE$?s{srGI72c-;0Km0}9bMBx_=8eL%_SEeX@v)K=uX*Tj%1w=y*ok)95v>eSC*4*FFEpD`~ux&TRi{( delta 256 zcmaE^+^x*dkXW3{$iTqBc)g*afq{P_zu`o8HMSMaKn~Bw;!MWLLQLw6oRh7XWCgjn zd3gEQ+Cl0V>lqv;uujfka%AE%nq0`F$DWy&S;D|=0%A|*V`gXK0W&$%fa1j&47^}P zqG?5`sSJFaDTyVC@x_@{smzRA)2C0K$UKSjCdgDKraJb?IxJRPik!*}j%ygR1lTv5 zv9dA)?YH5$z{t6omvb|SbCBmgkh75Y3?tKJrpfvIIm&;Sfod5PSREM@nH5oj0mX|m7o zMAM2=QyKU;QxZ!O)BZJRy$H!%VL#$`i; diff --git a/dist/wasm/INFO.txt b/dist/wasm/INFO.txt index f00405610a..d0592218c4 100644 --- a/dist/wasm/INFO.txt +++ b/dist/wasm/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: f7c80bf6814f1af74719e05a2126d2d21a01c50d -Karamel version: f3c3c7a3e7d6aea1c1d05b705eea99688f44f153 +KaRaMeL version: f3c3c7a3e7d6aea1c1d05b705eea99688f44f153 Vale version: 0.3.19 From 720a5bd0a3c8230147bad88aa429a4d77b003f99 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 9 Nov 2023 15:37:33 +0100 Subject: [PATCH 17/22] Stabilize BignumQ.Lemmas --- code/ed25519/Hacl.Spec.BignumQ.Lemmas.fst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/code/ed25519/Hacl.Spec.BignumQ.Lemmas.fst b/code/ed25519/Hacl.Spec.BignumQ.Lemmas.fst index fe200b4689..c7ca8ec1c9 100644 --- a/code/ed25519/Hacl.Spec.BignumQ.Lemmas.fst +++ b/code/ed25519/Hacl.Spec.BignumQ.Lemmas.fst @@ -897,7 +897,7 @@ let aux (a b c:int) : Lemma (requires 0 <= b /\ c < a) (ensures 0 <= a + b -c) = () -#push-options "--z3rlimit 50 --fuel 0 --ifuel 0" +#push-options "--z3rlimit 100 --fuel 0 --ifuel 0 --split_queries always" let lemma_barrett_reduce' x = assert_norm (S.q == 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed); assert_norm (0x100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 == pow2 512); @@ -951,7 +951,7 @@ let lemma_barrett_reduce' x = aux (pow2 264) r qml; assert (s >= 0); assert (s < 2 * l) by ( - Tactics.set_rlimit 150; + Tactics.set_rlimit 250; () ); s @@ -959,7 +959,7 @@ let lemma_barrett_reduce' x = let s = r - qml in assert (s >= 0); assert (s < 2 * l) by ( - Tactics.set_rlimit 150; + Tactics.set_rlimit 250; () ); s From 047b1ed28c2003c0745dc4e3d4edad768d9b0910 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Thu, 9 Nov 2023 16:14:56 +0100 Subject: [PATCH 18/22] Split Spec.Blake2 into a second Definitions file --- specs/Spec.Blake2.Definitions.fst | 277 ++++++++++++++++++++++++++++++ specs/Spec.Blake2.fst | 271 +---------------------------- 2 files changed, 279 insertions(+), 269 deletions(-) create mode 100644 specs/Spec.Blake2.Definitions.fst diff --git a/specs/Spec.Blake2.Definitions.fst b/specs/Spec.Blake2.Definitions.fst new file mode 100644 index 0000000000..adeeba9822 --- /dev/null +++ b/specs/Spec.Blake2.Definitions.fst @@ -0,0 +1,277 @@ +module Spec.Blake2.Definitions + +open FStar.Mul +open Lib.IntTypes +open Lib.RawIntTypes +open Lib.Sequence +open Lib.ByteSequence + +#set-options "--z3rlimit 50" + +type alg = + | Blake2S + | Blake2B + +let alg_inversion_lemma (a:alg) : Lemma (a == Blake2S \/ a == Blake2B) = () + +inline_for_extraction +let wt (a:alg) : t:inttype{unsigned t} = + match a with + | Blake2S -> U32 + | Blake2B -> U64 + +inline_for_extraction +let rounds (a:alg) = + match a with + | Blake2S -> 10 + | Blake2B -> 12 + +(* Algorithm parameters *) +inline_for_extraction let size_hash_w : size_nat = 8 +inline_for_extraction let size_block_w : size_nat = 16 +inline_for_extraction let size_word (a:alg) : size_nat = numbytes (wt a) +inline_for_extraction let size_block (a:alg) : size_nat = size_block_w * (size_word a) +inline_for_extraction let size_ivTable : size_nat = 8 +inline_for_extraction let size_sigmaTable : size_nat = 160 + +inline_for_extraction let max_key (a:alg) = + match a with + | Blake2S -> 32 + | Blake2B -> 64 +inline_for_extraction let max_output (a:alg) = + match a with + | Blake2S -> 32 + | Blake2B -> 64 + + +(* Definition of base types *) +inline_for_extraction +unfold let limb_inttype (a:alg) = + match (wt a) with + | U32 -> U64 + | U64 -> U128 + +inline_for_extraction +unfold type word_t (a:alg) = uint_t (wt a) SEC + +inline_for_extraction +let zero (a:alg) : word_t a= + match a with + | Blake2S -> u32 0 + | Blake2B -> u64 0 + +inline_for_extraction +unfold let row (a:alg) = lseq (word_t a) 4 + +inline_for_extraction +let zero_row (a:alg) : row a = create 4 (zero a) + +inline_for_extraction +let load_row (#a:alg) (s:lseq (word_t a) 4) : row a = + createL [s.[0]; s.[1]; s.[2]; s.[3]] + +inline_for_extraction +let create_row (#a:alg) x0 x1 x2 x3 : row a = + createL [x0;x1;x2;x3] + +inline_for_extraction +unfold let state (a:alg) = lseq (row a) 4 + +inline_for_extraction +let salt_length (a:alg) : size_nat = + match a with + | Blake2S -> 8 + | Blake2B -> 16 + +inline_for_extraction +let personal_length (a:alg) : size_nat = + match a with + | Blake2S -> 8 + | Blake2B -> 16 + +noeq +type blake2s_params = { + digest_length: uint8; + key_length: uint8; + fanout: uint8; + depth: uint8; + leaf_length: uint32; + node_offset: uint32; + xof_length: uint16; + node_depth: uint8; + inner_length: uint8; + salt: lseq uint8 (salt_length Blake2S); + personal: lseq uint8 (personal_length Blake2S); +} + +(* Need these helpers to cleanly work around field shadowing *) + +inline_for_extraction +let set_blake2s_digest_length + (p: blake2s_params) + (nn: size_nat{1 <= nn /\ nn <= max_output Blake2S}) + : blake2s_params = + {p with digest_length = u8 nn} + +inline_for_extraction +let set_blake2s_key_length + (p: blake2s_params) + (kk: size_nat{kk <= max_key Blake2S}) + : blake2s_params = + {p with key_length = u8 kk} + +inline_for_extraction +let get_blake2s_salt (p:blake2s_params) = p.salt + +inline_for_extraction +let get_blake2s_personal (p:blake2s_params) = p.personal + +noeq +type blake2b_params = { + digest_length: uint8; + key_length: uint8; + fanout: uint8; + depth: uint8; + leaf_length: uint32; + node_offset: uint32; + xof_length: uint32; + node_depth: uint8; + inner_length: uint8; + // Blake2b also contains 14 reserved bytes here, but they seem + // unused and to only contain zeros, hence we do not expose them + salt: lseq uint8 (salt_length Blake2B); + personal: lseq uint8 (personal_length Blake2B); +} + +inline_for_extraction +let blake2_params (a: alg) = + match a with + | Blake2S -> blake2s_params + | Blake2B -> blake2b_params + +inline_for_extraction +let set_digest_length (#a: alg) + (p: blake2_params a) + (nn: size_nat{1 <= nn /\ nn <= max_output a}) + : blake2_params a = + match a with + | Blake2S -> set_blake2s_digest_length p nn + | Blake2B -> {p with digest_length = u8 nn} + +inline_for_extraction +let set_key_length (#a: alg) + (p: blake2_params a) + (kk: size_nat{kk <= max_key a}) + : blake2_params a = + match a with + | Blake2S -> set_blake2s_key_length p kk + | Blake2B -> {p with key_length = u8 kk} + +inline_for_extraction +let get_salt (#a: alg) (p: blake2_params a) : lseq uint8 (salt_length a) = + match a with + | Blake2S -> get_blake2s_salt p + | Blake2B -> p.salt + +inline_for_extraction +let get_personal (#a: alg) (p: blake2_params a) : lseq uint8 (personal_length a) = + match a with + | Blake2S -> get_blake2s_personal p + | Blake2B -> p.personal + +let blake2s_default_params: blake2s_params = + { digest_length = u8 32; + key_length = u8 0; + fanout = u8 1; + depth = u8 1; + leaf_length = u32 0; + node_offset = u32 0; + xof_length = u16 0; + node_depth = u8 0; + inner_length = u8 0; + salt = create 8 (u8 0); + personal = create 8 (u8 0); + } + +let blake2b_default_params: blake2b_params = + { digest_length = u8 64; + key_length = u8 0; + fanout = u8 1; + depth = u8 1; + leaf_length = u32 0; + node_offset = u32 0; + xof_length = u32 0; + node_depth = u8 0; + inner_length = u8 0; + salt = create 16 (u8 0); + personal = create 16 (u8 0); + } + +inline_for_extraction +let blake2_default_params (a: alg) : blake2_params a = + match a with + | Blake2S -> blake2s_default_params + | Blake2B -> blake2b_default_params + +inline_for_extraction +type pub_word_t (a:alg) = uint_t (wt a) PUB + +inline_for_extraction +type limb_t (a:alg) : Type0 = uint_t (limb_inttype a) SEC + +inline_for_extraction +let max_limb (a:alg) = maxint (limb_inttype a) + +inline_for_extraction +let nat_to_word (a:alg) (x:size_nat) : word_t a = + match (wt a) with + | U32 -> u32 x + | U64 -> u64 x + +inline_for_extraction +let nat_to_limb (a:alg) (x:nat{x <= max_limb a}) : xl:limb_t a{uint_v xl == x} = + match (wt a) with + | U32 -> u64 x + | U64 -> let h = u64 (x / pow2 64) in + let l = u64 (x % pow2 64) in + (to_u128 h <<. 64ul) +! to_u128 l + +inline_for_extraction +let word_to_limb (a:alg) (x:word_t a{uint_v x <= max_limb a}) : xl:limb_t a{uint_v xl == uint_v x} = + match (wt a) with + | U32 -> to_u64 x + | U64 -> to_u128 x + +inline_for_extraction +let limb_to_word (a:alg) (x:limb_t a) : word_t a = + match (wt a) with + | U32 -> to_u32 x + | U64 -> to_u64 x + +unfold let rtable_t (a:alg) = lseq (rotval (wt a)) 4 + +type sigma_elt_t = n:size_t{size_v n < 16} +type list_sigma_t = l:list sigma_elt_t{List.Tot.length l == 160} + +(* Algorithms types *) +type block_s (a:alg) = lseq uint8 (size_block a) +type block_w (a:alg) = lseq (word_t a) 16 +type idx_t = n:size_nat{n < 16} + +let row_idx = n:nat {n < 4} + +inline_for_extraction +let ( ^| ) (#a:alg) (r1:row a) (r2:row a) : row a = + map2 ( ^. ) r1 r2 + +inline_for_extraction +let ( +| ) (#a:alg) (r1:row a) (r2:row a) : row a = + map2 ( +. ) r1 r2 + +inline_for_extraction +let ( >>>| ) (#a:alg) (r1:row a) (r:rotval (wt a)) : row a = + map #(word_t a) (rotate_right_i r) r1 + +inline_for_extraction +let rotr (#a:alg) (r1:row a) (r:row_idx) : row a = + createi 4 (fun i -> r1.[(i+r)%4]) diff --git a/specs/Spec.Blake2.fst b/specs/Spec.Blake2.fst index 215456a284..cc1f03c29f 100644 --- a/specs/Spec.Blake2.fst +++ b/specs/Spec.Blake2.fst @@ -8,212 +8,9 @@ open Lib.ByteSequence open Lib.LoopCombinators module UpdateMulti = Lib.UpdateMulti -#set-options "--z3rlimit 50" - -type alg = - | Blake2S - | Blake2B - -let alg_inversion_lemma (a:alg) : Lemma (a == Blake2S \/ a == Blake2B) = () - -inline_for_extraction -let wt (a:alg) : t:inttype{unsigned t} = - match a with - | Blake2S -> U32 - | Blake2B -> U64 - -inline_for_extraction -let rounds (a:alg) = - match a with - | Blake2S -> 10 - | Blake2B -> 12 - -(* Algorithm parameters *) -inline_for_extraction let size_hash_w : size_nat = 8 -inline_for_extraction let size_block_w : size_nat = 16 -inline_for_extraction let size_word (a:alg) : size_nat = numbytes (wt a) -inline_for_extraction let size_block (a:alg) : size_nat = size_block_w * (size_word a) -inline_for_extraction let size_ivTable : size_nat = 8 -inline_for_extraction let size_sigmaTable : size_nat = 160 - -inline_for_extraction let max_key (a:alg) = - match a with - | Blake2S -> 32 - | Blake2B -> 64 -inline_for_extraction let max_output (a:alg) = - match a with - | Blake2S -> 32 - | Blake2B -> 64 - - -(* Definition of base types *) -inline_for_extraction -unfold let limb_inttype (a:alg) = - match (wt a) with - | U32 -> U64 - | U64 -> U128 - -inline_for_extraction -unfold type word_t (a:alg) = uint_t (wt a) SEC - -inline_for_extraction -let zero (a:alg) : word_t a= - match a with - | Blake2S -> u32 0 - | Blake2B -> u64 0 - -inline_for_extraction -unfold let row (a:alg) = lseq (word_t a) 4 - -inline_for_extraction -let zero_row (a:alg) : row a = create 4 (zero a) - -inline_for_extraction -let load_row (#a:alg) (s:lseq (word_t a) 4) : row a = - createL [s.[0]; s.[1]; s.[2]; s.[3]] - -inline_for_extraction -let create_row (#a:alg) x0 x1 x2 x3 : row a = - createL [x0;x1;x2;x3] - -inline_for_extraction -unfold let state (a:alg) = lseq (row a) 4 - -inline_for_extraction -let salt_length (a:alg) : size_nat = - match a with - | Blake2S -> 8 - | Blake2B -> 16 - -inline_for_extraction -let personal_length (a:alg) : size_nat = - match a with - | Blake2S -> 8 - | Blake2B -> 16 - -noeq -type blake2s_params = { - digest_length: uint8; - key_length: uint8; - fanout: uint8; - depth: uint8; - leaf_length: uint32; - node_offset: uint32; - xof_length: uint16; - node_depth: uint8; - inner_length: uint8; - salt: lseq uint8 (salt_length Blake2S); - personal: lseq uint8 (personal_length Blake2S); -} - -(* Need these helpers to cleanly work around field shadowing *) - -inline_for_extraction -let set_blake2s_digest_length - (p: blake2s_params) - (nn: size_nat{1 <= nn /\ nn <= max_output Blake2S}) - : blake2s_params = - {p with digest_length = u8 nn} - -inline_for_extraction -let set_blake2s_key_length - (p: blake2s_params) - (kk: size_nat{kk <= max_key Blake2S}) - : blake2s_params = - {p with key_length = u8 kk} - -inline_for_extraction -let get_blake2s_salt (p:blake2s_params) = p.salt - -inline_for_extraction -let get_blake2s_personal (p:blake2s_params) = p.personal - -noeq -type blake2b_params = { - digest_length: uint8; - key_length: uint8; - fanout: uint8; - depth: uint8; - leaf_length: uint32; - node_offset: uint32; - xof_length: uint32; - node_depth: uint8; - inner_length: uint8; - // Blake2b also contains 14 reserved bytes here, but they seem - // unused and to only contain zeros, hence we do not expose them - salt: lseq uint8 (salt_length Blake2B); - personal: lseq uint8 (personal_length Blake2B); -} - -inline_for_extraction -let blake2_params (a: alg) = - match a with - | Blake2S -> blake2s_params - | Blake2B -> blake2b_params - -inline_for_extraction -let set_digest_length (#a: alg) - (p: blake2_params a) - (nn: size_nat{1 <= nn /\ nn <= max_output a}) - : blake2_params a = - match a with - | Blake2S -> set_blake2s_digest_length p nn - | Blake2B -> {p with digest_length = u8 nn} - -inline_for_extraction -let set_key_length (#a: alg) - (p: blake2_params a) - (kk: size_nat{kk <= max_key a}) - : blake2_params a = - match a with - | Blake2S -> set_blake2s_key_length p kk - | Blake2B -> {p with key_length = u8 kk} - -inline_for_extraction -let get_salt (#a: alg) (p: blake2_params a) : lseq uint8 (salt_length a) = - match a with - | Blake2S -> get_blake2s_salt p - | Blake2B -> p.salt +include Spec.Blake2.Definitions -inline_for_extraction -let get_personal (#a: alg) (p: blake2_params a) : lseq uint8 (personal_length a) = - match a with - | Blake2S -> get_blake2s_personal p - | Blake2B -> p.personal - -let blake2s_default_params: blake2s_params = - { digest_length = u8 32; - key_length = u8 0; - fanout = u8 1; - depth = u8 1; - leaf_length = u32 0; - node_offset = u32 0; - xof_length = u16 0; - node_depth = u8 0; - inner_length = u8 0; - salt = create 8 (u8 0); - personal = create 8 (u8 0); - } - -let blake2b_default_params: blake2b_params = - { digest_length = u8 64; - key_length = u8 0; - fanout = u8 1; - depth = u8 1; - leaf_length = u32 0; - node_offset = u32 0; - xof_length = u32 0; - node_depth = u8 0; - inner_length = u8 0; - salt = create 16 (u8 0); - personal = create 16 (u8 0); - } - -inline_for_extraction -let blake2_default_params (a: alg) : blake2_params a = - match a with - | Blake2S -> blake2s_default_params - | Blake2B -> blake2b_default_params +#set-options "--z3rlimit 50" /// Serialize blake2s parameters to be xor'ed with the state during initialization /// As the state is represented using uint32, we need to serialize to uint32 instead @@ -274,42 +71,6 @@ let serialize_blake2_params (#a: alg) (p: blake2_params a): lseq (word_t a) 8 = | Blake2S -> serialize_blake2s_params p | Blake2B -> serialize_blake2b_params p -inline_for_extraction -type pub_word_t (a:alg) = uint_t (wt a) PUB - -inline_for_extraction -type limb_t (a:alg) : Type0 = uint_t (limb_inttype a) SEC - -inline_for_extraction -let max_limb (a:alg) = maxint (limb_inttype a) - -inline_for_extraction -let nat_to_word (a:alg) (x:size_nat) : word_t a = - match (wt a) with - | U32 -> u32 x - | U64 -> u64 x - -inline_for_extraction -let nat_to_limb (a:alg) (x:nat{x <= max_limb a}) : xl:limb_t a{uint_v xl == x} = - match (wt a) with - | U32 -> u64 x - | U64 -> let h = u64 (x / pow2 64) in - let l = u64 (x % pow2 64) in - (to_u128 h <<. 64ul) +! to_u128 l - -inline_for_extraction -let word_to_limb (a:alg) (x:word_t a{uint_v x <= max_limb a}) : xl:limb_t a{uint_v xl == uint_v x} = - match (wt a) with - | U32 -> to_u64 x - | U64 -> to_u128 x - -inline_for_extraction -let limb_to_word (a:alg) (x:limb_t a) : word_t a = - match (wt a) with - | U32 -> to_u32 x - | U64 -> to_u64 x - -unfold let rtable_t (a:alg) = lseq (rotval (wt a)) 4 [@"opaque_to_smt"] inline_for_extraction @@ -366,9 +127,6 @@ let ivTable (a:alg) : lseq (pub_word_t a) 8 = | Blake2S -> of_list list_iv_S | Blake2B -> of_list list_iv_B -type sigma_elt_t = n:size_t{size_v n < 16} -type list_sigma_t = l:list sigma_elt_t{List.Tot.length l == 160} - [@"opaque_to_smt"] let list_sigma: list_sigma_t = [@inline_let] @@ -403,31 +161,6 @@ let sigmaTable:lseq sigma_elt_t size_sigmaTable = assert_norm (List.Tot.length list_sigma == size_sigmaTable); of_list list_sigma - -(* Algorithms types *) -type block_s (a:alg) = lseq uint8 (size_block a) -type block_w (a:alg) = lseq (word_t a) 16 -type idx_t = n:size_nat{n < 16} - -let row_idx = n:nat {n < 4} - -inline_for_extraction -let ( ^| ) (#a:alg) (r1:row a) (r2:row a) : row a = - map2 ( ^. ) r1 r2 - -inline_for_extraction -let ( +| ) (#a:alg) (r1:row a) (r2:row a) : row a = - map2 ( +. ) r1 r2 - -inline_for_extraction -let ( >>>| ) (#a:alg) (r1:row a) (r:rotval (wt a)) : row a = - map #(word_t a) (rotate_right_i r) r1 - -inline_for_extraction -let rotr (#a:alg) (r1:row a) (r:row_idx) : row a = - createi 4 (fun i -> r1.[(i+r)%4]) - - (* Functions *) let g1 (a:alg) (wv:state a) (i:row_idx) (j:row_idx) (r:rotval (wt a)) : Tot (state a) = wv.[i] <- (wv.[i] ^| wv.[j]) >>>| r From d44167ec1d125f54d0f9b34b87687f0892067794 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Fri, 10 Nov 2023 11:36:48 +0100 Subject: [PATCH 19/22] rlimit --- specs/lemmas/Spec.Blake2.Incremental.fst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/specs/lemmas/Spec.Blake2.Incremental.fst b/specs/lemmas/Spec.Blake2.Incremental.fst index d95869dd3e..fa2bdeff28 100644 --- a/specs/lemmas/Spec.Blake2.Incremental.fst +++ b/specs/lemmas/Spec.Blake2.Incremental.fst @@ -51,6 +51,7 @@ val blake2b_update_incremental let s:words_state Blake2B = update_multi Blake2B s 0 bs in update_last Blake2B s (S.length bs) l)) +#push-options "--z3rlimit 400 --split_queries always" /// Unclear why this proof needs to be spelled out more than the one for blake2s let blake2b_update_incremental input s = let a = Blake2B in @@ -82,6 +83,7 @@ let blake2b_update_incremental input s = in aux (); assert (s_m' == s_m) +#pop-options val blake2s_update_incremental (input : bytes {S.length input `less_than_max_input_length` Blake2S}) From fedd27fdb5b295090cf7e336ab63619e439be80d Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Fri, 10 Nov 2023 15:50:39 +0100 Subject: [PATCH 20/22] Add param tests for Blake2s --- specs/tests/Spec.Blake2.Test.fst | 106 ++++++++++++++++++++++--------- 1 file changed, 75 insertions(+), 31 deletions(-) diff --git a/specs/tests/Spec.Blake2.Test.fst b/specs/tests/Spec.Blake2.Test.fst index 3188eb286e..36318c50c5 100644 --- a/specs/tests/Spec.Blake2.Test.fst +++ b/specs/tests/Spec.Blake2.Test.fst @@ -6,6 +6,7 @@ open Lib.RawIntTypes open Lib.Sequence open Lib.ByteSequence module PS = Lib.PrintSequence +module S = Spec.Blake2 #set-options "--z3rlimit 50 --fuel 0 --ifuel 0" @@ -797,62 +798,105 @@ let test16_expected : lbytes 64 = assert_norm (FStar.List.length l = 64); of_list l +(* Parameters are not present in the Blake2 RFC, instead, they are specified in the Blake2 paper. + Hence, there are no official test vectors corresponding to them. The tests below aim to + cover the different possible parameters, and the results were generated using the Blake2 + implementation in Python 3's hashlib *) + +let test17_params : S.blake2s_params = + { S.blake2s_default_params with fanout = u8 5; node_depth = u8 3 } + +let test17_expected : lbytes 32 = + let l = List.Tot.map u8_from_UInt8 [ + 0xA7uy; 0x4Euy; 0xDBuy; 0x2Duy; 0x8Fuy; 0xBBuy; 0x84uy; 0xFBuy; + 0x83uy; 0xEDuy; 0x64uy; 0x06uy; 0x82uy; 0x28uy; 0x7Cuy; 0x92uy; + 0x6Auy; 0xF5uy; 0xC3uy; 0x04uy; 0x09uy; 0xD1uy; 0xA8uy; 0xD4uy; + 0x66uy; 0x2Duy; 0x4Fuy; 0x34uy; 0xEBuy; 0xC4uy; 0xA0uy; 0x7Fuy + ] in + assert_norm (List.Tot.length l = 32); + of_list l + +let test18_params : S.blake2s_params = + { S.blake2s_default_params with leaf_length = u32 43; depth = u8 4; inner_length = u8 9 } + +let test18_expected : lbytes 32 = + let l = List.Tot.map u8_from_UInt8 [ + 0x68uy; 0x1Auy; 0xDCuy; 0x05uy; 0x69uy; 0xD8uy; 0xE9uy; 0x1Buy; + 0x36uy; 0xDFuy; 0x5Fuy; 0x1Duy; 0x85uy; 0x64uy; 0x42uy; 0x2Fuy; + 0x4Duy; 0x79uy; 0xD7uy; 0x31uy; 0xCBuy; 0x7Duy; 0xBCuy; 0xB7uy; + 0xC8uy; 0xEBuy; 0xB4uy; 0x80uy; 0xA6uy; 0xCEuy; 0x3Buy; 0x91uy + ] in + assert_norm (List.Tot.length l = 32); + of_list l + +let test19_params : S.blake2s_params = + let s = create 8 (u8_from_UInt8 0x11uy) in + { S.blake2s_default_params with salt = s; personal = s } + +let test19_expected : lbytes 32 = + let l = List.Tot.map u8_from_UInt8 [ + 0xD3uy; 0x93uy; 0xA6uy; 0xDEuy; 0xB6uy; 0xE3uy; 0x98uy; 0xB3uy; + 0x46uy; 0x11uy; 0xF0uy; 0x82uy; 0xCBuy; 0x2Fuy; 0xC0uy; 0x2Buy; + 0x5Cuy; 0xE1uy; 0x3Buy; 0xF7uy; 0x0Cuy; 0x64uy; 0x70uy; 0xD2uy; + 0x64uy; 0x1Fuy; 0x3Auy; 0xD1uy; 0x48uy; 0x93uy; 0xF5uy; 0x8Buy + ] in + assert_norm (List.Tot.length l = 32); + of_list l let emp_key : lbytes 0 = let l = List.Tot.map u8_from_UInt8 [] in assert_norm (List.Tot.length l == 0); of_list l - -type blake2_alg = - | BLAKE2B - | BLAKE2S - -let blake2_length (a:blake2_alg) = - allow_inversion blake2_alg; +let blake2_length (a:S.alg) = + allow_inversion S.alg; match a with - | BLAKE2B -> 64 - | BLAKE2S -> 32 + | S.Blake2B -> 64 + | S.Blake2S -> 32 noeq type vec = | Vec : - a:blake2_alg + a:S.alg -> num:nat + -> params: S.blake2_params a -> plain:bytes{length plain <= max_size_t} -> key:bytes{length key <= blake2_length a} -> hash:bytes{length hash = blake2_length a} -> vec let test_vectors : list vec = [ - Vec BLAKE2S 1 test1_plaintext emp_key test1_expected; - Vec BLAKE2S 2 test2_plaintext test2_key test2_expected; - Vec BLAKE2S 3 test3_plaintext test3_key test3_expected; - Vec BLAKE2S 4 test4_plaintext test4_key test4_expected; - Vec BLAKE2S 7 test7_plaintext test7_key test7_expected; - Vec BLAKE2S 8 test8_plaintext test8_key test8_expected; - Vec BLAKE2S 9 test9_plaintext test9_key test9_expected; - Vec BLAKE2S 10 test10_plaintext test10_key test10_expected; - Vec BLAKE2S 11 test11_plaintext test11_key test11_expected; - - Vec BLAKE2B 0 test0_plaintext test0_key test0_expected; - Vec BLAKE2B 5 test5_plaintext emp_key test5_expected; - Vec BLAKE2B 6 test6_plaintext test6_key test6_expected; - Vec BLAKE2B 12 test12_plaintext test12_key test12_expected; - Vec BLAKE2B 13 test13_plaintext test13_key test13_expected; - Vec BLAKE2B 14 test14_plaintext test14_key test14_expected; - Vec BLAKE2B 15 test15_plaintext test15_key test15_expected; - Vec BLAKE2B 16 test16_plaintext test16_key test16_expected + Vec S.Blake2S 1 S.blake2s_default_params test1_plaintext emp_key test1_expected; + Vec S.Blake2S 2 S.blake2s_default_params test2_plaintext test2_key test2_expected; + Vec S.Blake2S 3 S.blake2s_default_params test3_plaintext test3_key test3_expected; + Vec S.Blake2S 4 S.blake2s_default_params test4_plaintext test4_key test4_expected; + Vec S.Blake2S 7 S.blake2s_default_params test7_plaintext test7_key test7_expected; + Vec S.Blake2S 8 S.blake2s_default_params test8_plaintext test8_key test8_expected; + Vec S.Blake2S 9 S.blake2s_default_params test9_plaintext test9_key test9_expected; + Vec S.Blake2S 10 S.blake2s_default_params test10_plaintext test10_key test10_expected; + Vec S.Blake2S 11 S.blake2s_default_params test11_plaintext test11_key test11_expected; + Vec S.Blake2S 17 test17_params test1_plaintext emp_key test17_expected; + Vec S.Blake2S 18 test18_params test2_plaintext test2_key test18_expected; + Vec S.Blake2S 19 test19_params test2_plaintext emp_key test19_expected; + + Vec S.Blake2B 0 S.blake2b_default_params test0_plaintext test0_key test0_expected; + Vec S.Blake2B 5 S.blake2b_default_params test5_plaintext emp_key test5_expected; + Vec S.Blake2B 6 S.blake2b_default_params test6_plaintext test6_key test6_expected; + Vec S.Blake2B 12 S.blake2b_default_params test12_plaintext test12_key test12_expected; + Vec S.Blake2B 13 S.blake2b_default_params test13_plaintext test13_key test13_expected; + Vec S.Blake2B 14 S.blake2b_default_params test14_plaintext test14_key test14_expected; + Vec S.Blake2B 15 S.blake2b_default_params test15_plaintext test15_key test15_expected; + Vec S.Blake2B 16 S.blake2b_default_params test16_plaintext test16_key test16_expected; ] #set-options "--ifuel 2" let test_one (v:vec) = - let Vec a num plain key tag = v in + let Vec a num params plain key tag = v in let expected = tag in let computed = match a with - | BLAKE2S -> Spec.Blake2.blake2s plain Spec.Blake2.blake2s_default_params (Seq.length key) key 32 - | BLAKE2B -> Spec.Blake2.blake2b plain Spec.Blake2.blake2b_default_params (Seq.length key) key 64 in + | S.Blake2S -> S.blake2s plain params (Seq.length key) key 32 + | S.Blake2B -> S.blake2b plain params (Seq.length key) key 64 in IO.print_string ("\n\nTEST Blake2 "^(string_of_int num)^":"); PS.print_compare true (length expected) expected computed From ed753b761fa12098b115dd529eab541f6961bb50 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Fri, 10 Nov 2023 16:13:33 +0100 Subject: [PATCH 21/22] Add tests for Blake2B params --- specs/tests/Spec.Blake2.Test.fst | 55 +++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/specs/tests/Spec.Blake2.Test.fst b/specs/tests/Spec.Blake2.Test.fst index 36318c50c5..448bc1fff2 100644 --- a/specs/tests/Spec.Blake2.Test.fst +++ b/specs/tests/Spec.Blake2.Test.fst @@ -843,6 +843,57 @@ let test19_expected : lbytes 32 = assert_norm (List.Tot.length l = 32); of_list l +let test20_params : S.blake2b_params = + { S.blake2b_default_params with fanout = u8 5; node_depth = u8 3; node_offset = u32 41 } + +let test20_expected : lbytes 64 = + let l = List.Tot.map u8_from_UInt8 [ + 0x89uy; 0xDCuy; 0x86uy; 0xACuy; 0x37uy; 0xB1uy; 0xA4uy; 0x03uy; + 0xC2uy; 0xA3uy; 0xABuy; 0xC8uy; 0x26uy; 0x6Euy; 0x8Auy; 0x34uy; + 0xEFuy; 0x37uy; 0xD4uy; 0xF3uy; 0xABuy; 0xB7uy; 0xB6uy; 0x51uy; + 0x34uy; 0x55uy; 0x86uy; 0x68uy; 0xCCuy; 0xA8uy; 0x72uy; 0x8Auy; + 0xA7uy; 0x79uy; 0x52uy; 0x11uy; 0x22uy; 0x84uy; 0x37uy; 0xADuy; + 0x45uy; 0x0Buy; 0x96uy; 0xABuy; 0x2Auy; 0x95uy; 0x8Fuy; 0xD2uy; + 0x00uy; 0x68uy; 0xFCuy; 0x2Cuy; 0x84uy; 0x2Auy; 0xC9uy; 0x37uy; + 0x5Duy; 0x19uy; 0xF2uy; 0xF2uy; 0xADuy; 0xCDuy; 0x2Euy; 0x35uy ] in + assert_norm (FStar.List.length l = 64); + of_list l + + +let test21_params : S.blake2b_params = + { S.blake2b_default_params with leaf_length = u32 43; depth = u8 4; inner_length = u8 9 } + +let test21_expected : lbytes 64 = + let l = List.Tot.map u8_from_UInt8 [ + 0x38uy; 0xF8uy; 0x64uy; 0xEFuy; 0xFDuy; 0x75uy; 0x6Cuy; 0xBFuy; + 0x38uy; 0xCEuy; 0xABuy; 0x1Euy; 0x7Fuy; 0x4Euy; 0x93uy; 0x97uy; + 0x98uy; 0x26uy; 0xA2uy; 0x8Euy; 0xABuy; 0x2Buy; 0xDBuy; 0xF7uy; + 0x9Euy; 0x0Euy; 0x79uy; 0x9Auy; 0xFFuy; 0xF3uy; 0x0Euy; 0xB2uy; + 0x59uy; 0xE3uy; 0x60uy; 0xB1uy; 0xC0uy; 0x2Euy; 0xEBuy; 0x79uy; + 0xFDuy; 0x5Euy; 0x10uy; 0x57uy; 0xC8uy; 0x5Euy; 0x80uy; 0x89uy; + 0x1Fuy; 0x60uy; 0x8Euy; 0xB2uy; 0x19uy; 0xFAuy; 0x32uy; 0x6Buy; + 0xA4uy; 0xFFuy; 0xE4uy; 0x52uy; 0x9Fuy; 0x69uy; 0x49uy; 0x43uy ] in + assert_norm (FStar.List.length l = 64); + of_list l + +let test22_params : S.blake2b_params = + let s = create 16 (u8_from_UInt8 0x11uy) in + { S.blake2b_default_params with salt = s; personal = s } + +let test22_expected : lbytes 64 = + let l = List.Tot.map u8_from_UInt8 [ + 0x84uy; 0x9Buy; 0xB0uy; 0x75uy; 0x73uy; 0x9Fuy; 0xADuy; 0xAAuy; + 0x6Auy; 0xB0uy; 0x25uy; 0xE2uy; 0xA7uy; 0xE2uy; 0x04uy; 0x57uy; + 0xBFuy; 0x0Euy; 0x73uy; 0xEDuy; 0x82uy; 0x22uy; 0x69uy; 0x70uy; + 0xB9uy; 0xF5uy; 0xBCuy; 0xB4uy; 0xA5uy; 0xE8uy; 0xA7uy; 0x49uy; + 0x3Auy; 0xD2uy; 0xA4uy; 0x25uy; 0xA8uy; 0x12uy; 0x1Cuy; 0xBDuy; + 0x75uy; 0x18uy; 0xB2uy; 0x08uy; 0x0Buy; 0xF6uy; 0xD2uy; 0xA4uy; + 0x2Euy; 0x44uy; 0x55uy; 0xA0uy; 0x4Cuy; 0xCEuy; 0x80uy; 0xE4uy; + 0xD4uy; 0xDCuy; 0x83uy; 0x6Euy; 0x04uy; 0xA3uy; 0x79uy; 0xD2uy + ] in + assert_norm (FStar.List.length l = 64); + of_list l + let emp_key : lbytes 0 = let l = List.Tot.map u8_from_UInt8 [] in assert_norm (List.Tot.length l == 0); @@ -885,9 +936,11 @@ let test_vectors : list vec = [ Vec S.Blake2B 14 S.blake2b_default_params test14_plaintext test14_key test14_expected; Vec S.Blake2B 15 S.blake2b_default_params test15_plaintext test15_key test15_expected; Vec S.Blake2B 16 S.blake2b_default_params test16_plaintext test16_key test16_expected; + Vec S.Blake2B 20 test20_params test2_plaintext emp_key test20_expected; + Vec S.Blake2B 21 test21_params test1_plaintext test13_key test21_expected; + Vec S.Blake2B 21 test22_params test1_plaintext test13_key test22_expected; ] - #set-options "--ifuel 2" let test_one (v:vec) = From 7d97e192e9351d522d4fc96d3c5241cca00e9a06 Mon Sep 17 00:00:00 2001 From: Aymeric Fromherz Date: Wed, 22 Nov 2023 14:03:00 +0100 Subject: [PATCH 22/22] refresh dist --- dist/gcc-compatible/Hacl_Hash_Blake2b.c | 71 +++++++++++++++--- .../Hacl_Hash_Blake2b_Simd256.c | 3 +- dist/gcc-compatible/Hacl_Hash_Blake2s.c | 69 ++++++++++++++--- .../Hacl_Hash_Blake2s_Simd128.c | 3 +- dist/gcc-compatible/INFO.txt | 2 +- dist/gcc-compatible/clients/krmlrenamings.h | 2 + dist/gcc-compatible/ctypes.depend | 10 +-- dist/gcc-compatible/internal/Hacl_HMAC.h | 32 -------- .../internal/Hacl_Hash_Blake2b.h | 32 ++++++++ .../internal/Hacl_Hash_Blake2b_Simd256.h | 1 + .../internal/Hacl_Hash_Blake2s.h | 1 + .../internal/Hacl_Hash_Blake2s_Simd128.h | 1 + .../lib/Hacl_Hash_Blake2b_bindings.ml | 56 ++++++++++++++ dist/msvc-compatible/Hacl_Hash_Blake2b.c | 71 +++++++++++++++--- .../Hacl_Hash_Blake2b_Simd256.c | 3 +- dist/msvc-compatible/Hacl_Hash_Blake2s.c | 69 ++++++++++++++--- .../Hacl_Hash_Blake2s_Simd128.c | 3 +- dist/msvc-compatible/INFO.txt | 2 +- dist/msvc-compatible/clients/krmlrenamings.h | 2 + dist/msvc-compatible/internal/Hacl_HMAC.h | 32 -------- .../internal/Hacl_Hash_Blake2b.h | 32 ++++++++ .../internal/Hacl_Hash_Blake2b_Simd256.h | 1 + .../internal/Hacl_Hash_Blake2s.h | 1 + .../internal/Hacl_Hash_Blake2s_Simd128.h | 1 + .../Hacl_Hash_Blake2b.c | 71 +++++++++++++++--- .../Hacl_Hash_Blake2b_Simd256.c | 3 +- .../Hacl_Hash_Blake2s.c | 69 ++++++++++++++--- .../Hacl_Hash_Blake2s_Simd128.c | 3 +- dist/portable-gcc-compatible/INFO.txt | 2 +- .../clients/krmlrenamings.h | 2 + .../internal/Hacl_HMAC.h | 40 ---------- .../internal/Hacl_Hash_Blake2b.h | 40 ++++++++++ .../internal/Hacl_Hash_Blake2b_Simd256.h | 1 + .../internal/Hacl_Hash_Blake2s.h | 1 + .../internal/Hacl_Hash_Blake2s_Simd128.h | 1 + dist/wasm/EverCrypt_Hash.wasm | Bin 49305 -> 48469 bytes .../Hacl_AEAD_Chacha20Poly1305_Simd256.wasm | Bin 1910 -> 1910 bytes dist/wasm/Hacl_Ed25519_PrecompTable.wasm | Bin 16451 -> 16451 bytes dist/wasm/Hacl_HMAC.wasm | Bin 29754 -> 28160 bytes dist/wasm/Hacl_HMAC_DRBG.wasm | Bin 25396 -> 25396 bytes dist/wasm/Hacl_Hash_Blake2b.wasm | Bin 15858 -> 16141 bytes dist/wasm/Hacl_Hash_Blake2b_Simd256.wasm | Bin 6794 -> 7187 bytes dist/wasm/Hacl_Hash_Blake2s.wasm | Bin 14005 -> 14331 bytes dist/wasm/Hacl_Hash_Blake2s_Simd128.wasm | Bin 5638 -> 6030 bytes dist/wasm/Hacl_SHA2_Vec128.wasm | Bin 5687 -> 5687 bytes dist/wasm/INFO.txt | 2 +- dist/wasm/layouts.json | 2 +- 47 files changed, 563 insertions(+), 174 deletions(-) diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2b.c b/dist/gcc-compatible/Hacl_Hash_Blake2b.c index 2dceaf4b3e..284da79a33 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2b.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2b.c @@ -474,6 +474,7 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + 4U; uint64_t *r2 = hash + 8U; @@ -494,16 +495,68 @@ void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Hash_Blake2s_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2b_Simd256.c b/dist/gcc-compatible/Hacl_Hash_Blake2b_Simd256.c index b81c4eb24a..7a807b6588 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2b_Simd256.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2b_Simd256.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2b_Simd256.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -231,7 +232,7 @@ Hacl_Hash_Blake2b_Simd256_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t k r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); uint8_t salt[16U] = { 0U }; uint8_t personal[16U] = { 0U }; - Hacl_Impl_Blake2_Core_blake2b_params + Hacl_Hash_Blake2s_blake2b_params p = { .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2s.c b/dist/gcc-compatible/Hacl_Hash_Blake2s.c index 652c3f33c6..1bae785bdc 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2s.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2s.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2s.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -474,6 +475,7 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + 4U; uint32_t *r2 = hash + 8U; @@ -494,16 +496,65 @@ void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Hash_Blake2s_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) diff --git a/dist/gcc-compatible/Hacl_Hash_Blake2s_Simd128.c b/dist/gcc-compatible/Hacl_Hash_Blake2s_Simd128.c index 9db2c1b987..f0646b283a 100644 --- a/dist/gcc-compatible/Hacl_Hash_Blake2s_Simd128.c +++ b/dist/gcc-compatible/Hacl_Hash_Blake2s_Simd128.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2s_Simd128.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -231,7 +232,7 @@ Hacl_Hash_Blake2s_Simd128_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t k r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); uint8_t salt[8U] = { 0U }; uint8_t personal[8U] = { 0U }; - Hacl_Impl_Blake2_Core_blake2s_params + Hacl_Hash_Blake2s_blake2s_params p = { .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, diff --git a/dist/gcc-compatible/INFO.txt b/dist/gcc-compatible/INFO.txt index 7db2550809..31e8992a23 100644 --- a/dist/gcc-compatible/INFO.txt +++ b/dist/gcc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: 71f2d632e318996f227063bf9d31ee91a4f48dfe -Karamel version: a7be2a7c43eca637ceb57fe8f3ffd16fc6627ebd +KaRaMeL version: a7be2a7c43eca637ceb57fe8f3ffd16fc6627ebd Vale version: 0.3.19 diff --git a/dist/gcc-compatible/clients/krmlrenamings.h b/dist/gcc-compatible/clients/krmlrenamings.h index 19eb533acb..f1b76ef6bc 100644 --- a/dist/gcc-compatible/clients/krmlrenamings.h +++ b/dist/gcc-compatible/clients/krmlrenamings.h @@ -81,6 +81,7 @@ #define Vale_Stdcalls_X64_Fmul_fmul2_e fmul2_e #define Vale_Stdcalls_X64_Cpuid_check_avx check_avx #define Vale_Stdcalls_X64_AesHash_aes256_keyhash_init aes256_keyhash_init +#define Hacl_Impl_Blake2_Core_blake2s_params Hacl_Hash_Blake2s_blake2s_params #define LowStar_Endianness_load16_le load16_le #define Hacl_Streaming_Poly1305_256_state_t Hacl_MAC_Poly1305_Simd256_state_t #define Hacl_Poly1305_256_poly1305_finish Hacl_MAC_Poly1305_Simd256_poly1305_finish @@ -251,6 +252,7 @@ #define Hacl_Blake2s_128_update_last Hacl_Hash_Blake2s_Simd128_update_last #define Vale_Stdcalls_X64_Fmul_fmul_e fmul_e #define Hacl_SHA2_Scalar32_sha256_init Hacl_Hash_SHA2_sha256_init +#define Hacl_Impl_Blake2_Core_blake2b_params Hacl_Hash_Blake2s_blake2b_params #define Hacl_Impl_SHA3_squeeze Hacl_Hash_SHA3_squeeze0 #define Hacl_Streaming_Poly1305_32_reset Hacl_MAC_Poly1305_reset #define Hacl_Streaming_Blake2s_128_hash_with_key Hacl_Hash_Blake2s_Simd128_hash_with_key diff --git a/dist/gcc-compatible/ctypes.depend b/dist/gcc-compatible/ctypes.depend index 065ce5eb6b..182fa7922c 100644 --- a/dist/gcc-compatible/ctypes.depend +++ b/dist/gcc-compatible/ctypes.depend @@ -1,4 +1,4 @@ -CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2b_stubs.cmx lib/Hacl_Hash_Blake2b_bindings.cmx lib/Hacl_Hash_Blake2s_stubs.cmx lib/Hacl_Hash_Blake2s_bindings.cmx lib/Hacl_Hash_Blake2b_Simd256_stubs.cmx lib/Hacl_Hash_Blake2b_Simd256_bindings.cmx lib/Hacl_Hash_Blake2s_Simd128_stubs.cmx lib/Hacl_Hash_Blake2s_Simd128_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_MAC_Poly1305_stubs.cmx lib/Hacl_MAC_Poly1305_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx lib/Hacl_MAC_Poly1305_Simd128_stubs.cmx lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx lib/Hacl_MAC_Poly1305_Simd256_stubs.cmx lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx +CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2b_stubs.cmx lib/Hacl_Hash_Blake2b_bindings.cmx lib/Hacl_Hash_Blake2s_stubs.cmx lib/Hacl_Hash_Blake2s_bindings.cmx lib/Hacl_Hash_Blake2b_Simd256_stubs.cmx lib/Hacl_Hash_Blake2b_Simd256_bindings.cmx lib/Hacl_Hash_Blake2s_Simd128_stubs.cmx lib/Hacl_Hash_Blake2s_Simd128_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_MAC_Poly1305_stubs.cmx lib/Hacl_MAC_Poly1305_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx lib/Hacl_MAC_Poly1305_Simd128_stubs.cmx lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx lib/Hacl_MAC_Poly1305_Simd256_stubs.cmx lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Streaming_Types_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmo: lib_gen/Hacl_Streaming_Types_gen.cmx: lib/Hacl_Streaming_Types_bindings.cmx @@ -207,14 +207,14 @@ lib/Hacl_Bignum4096_bindings.cmx: lib/Hacl_Bignum_bindings.cmx lib/Hacl_Bignum_s lib/Hacl_Bignum4096_bindings.cmo: lib/Hacl_Bignum_bindings.cmo lib/Hacl_Bignum_stubs.cmo lib_gen/Hacl_Bignum4096_gen.cmx: lib/Hacl_Bignum4096_bindings.cmx lib_gen/Hacl_Bignum4096_gen.exe: lib/Hacl_Bignum_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_c_stubs.o lib/Hacl_Bignum4096_bindings.cmx lib_gen/Hacl_Bignum4096_gen.cmx -lib/Hacl_Chacha20_Vec32_bindings.cmx: -lib/Hacl_Chacha20_Vec32_bindings.cmo: -lib_gen/Hacl_Chacha20_Vec32_gen.cmx: lib/Hacl_Chacha20_Vec32_bindings.cmx -lib_gen/Hacl_Chacha20_Vec32_gen.exe: lib/Hacl_Chacha20_Vec32_bindings.cmx lib_gen/Hacl_Chacha20_Vec32_gen.cmx lib/EverCrypt_Ed25519_bindings.cmx: lib/EverCrypt_Ed25519_bindings.cmo: lib_gen/EverCrypt_Ed25519_gen.cmx: lib/EverCrypt_Ed25519_bindings.cmx lib_gen/EverCrypt_Ed25519_gen.exe: lib/EverCrypt_Ed25519_bindings.cmx lib_gen/EverCrypt_Ed25519_gen.cmx +lib/Hacl_Chacha20_Vec32_bindings.cmx: +lib/Hacl_Chacha20_Vec32_bindings.cmo: +lib_gen/Hacl_Chacha20_Vec32_gen.cmx: lib/Hacl_Chacha20_Vec32_bindings.cmx +lib_gen/Hacl_Chacha20_Vec32_gen.exe: lib/Hacl_Chacha20_Vec32_bindings.cmx lib_gen/Hacl_Chacha20_Vec32_gen.cmx lib/Hacl_Bignum4096_32_bindings.cmx: lib/Hacl_Bignum_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmo: lib/Hacl_Bignum_bindings.cmo lib/Hacl_Bignum_stubs.cmo lib_gen/Hacl_Bignum4096_32_gen.cmx: lib/Hacl_Bignum4096_32_bindings.cmx diff --git a/dist/gcc-compatible/internal/Hacl_HMAC.h b/dist/gcc-compatible/internal/Hacl_HMAC.h index c67b64daba..ad344c4c80 100644 --- a/dist/gcc-compatible/internal/Hacl_HMAC.h +++ b/dist/gcc-compatible/internal/Hacl_HMAC.h @@ -42,38 +42,6 @@ extern "C" { #include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_HMAC.h" -typedef struct Hacl_Impl_Blake2_Core_blake2s_params_s -{ - uint8_t digest_length; - uint8_t key_length; - uint8_t fanout; - uint8_t depth; - uint32_t leaf_length; - uint32_t node_offset; - uint16_t xof_length; - uint8_t node_depth; - uint8_t inner_length; - uint8_t *salt; - uint8_t *personal; -} -Hacl_Impl_Blake2_Core_blake2s_params; - -typedef struct Hacl_Impl_Blake2_Core_blake2b_params_s -{ - uint8_t digest_length1; - uint8_t key_length1; - uint8_t fanout1; - uint8_t depth1; - uint32_t leaf_length1; - uint32_t node_offset1; - uint32_t xof_length1; - uint8_t node_depth1; - uint8_t inner_length1; - uint8_t *salt1; - uint8_t *personal1; -} -Hacl_Impl_Blake2_Core_blake2b_params; - typedef struct K___uint32_t_uint32_t_s { uint32_t fst; diff --git a/dist/gcc-compatible/internal/Hacl_Hash_Blake2b.h b/dist/gcc-compatible/internal/Hacl_Hash_Blake2b.h index 21689d6028..7d07e50b85 100644 --- a/dist/gcc-compatible/internal/Hacl_Hash_Blake2b.h +++ b/dist/gcc-compatible/internal/Hacl_Hash_Blake2b.h @@ -38,6 +38,38 @@ extern "C" { #include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2b.h" +typedef struct Hacl_Hash_Blake2s_blake2s_params_s +{ + uint8_t digest_length; + uint8_t key_length; + uint8_t fanout; + uint8_t depth; + uint32_t leaf_length; + uint32_t node_offset; + uint16_t xof_length; + uint8_t node_depth; + uint8_t inner_length; + uint8_t *salt; + uint8_t *personal; +} +Hacl_Hash_Blake2s_blake2s_params; + +typedef struct Hacl_Hash_Blake2s_blake2b_params_s +{ + uint8_t digest_length1; + uint8_t key_length1; + uint8_t fanout1; + uint8_t depth1; + uint32_t leaf_length1; + uint32_t node_offset1; + uint32_t xof_length1; + uint8_t node_depth1; + uint8_t inner_length1; + uint8_t *salt1; + uint8_t *personal1; +} +Hacl_Hash_Blake2s_blake2b_params; + void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); void diff --git a/dist/gcc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h b/dist/gcc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h index 4cc0786996..4dd986b21e 100644 --- a/dist/gcc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h +++ b/dist/gcc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2b_Simd256.h" #include "libintvector.h" diff --git a/dist/gcc-compatible/internal/Hacl_Hash_Blake2s.h b/dist/gcc-compatible/internal/Hacl_Hash_Blake2s.h index f814aa95d6..eccd92de89 100644 --- a/dist/gcc-compatible/internal/Hacl_Hash_Blake2s.h +++ b/dist/gcc-compatible/internal/Hacl_Hash_Blake2s.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s.h" void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn); diff --git a/dist/gcc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h b/dist/gcc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h index 0589aec563..2c42294905 100644 --- a/dist/gcc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h +++ b/dist/gcc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s_Simd128.h" #include "libintvector.h" diff --git a/dist/gcc-compatible/lib/Hacl_Hash_Blake2b_bindings.ml b/dist/gcc-compatible/lib/Hacl_Hash_Blake2b_bindings.ml index 75c75e90fd..4c32a894df 100644 --- a/dist/gcc-compatible/lib/Hacl_Hash_Blake2b_bindings.ml +++ b/dist/gcc-compatible/lib/Hacl_Hash_Blake2b_bindings.ml @@ -5,6 +5,62 @@ module Bindings(F:Cstubs.FOREIGN) = module Hacl_Streaming_Types_applied = (Hacl_Streaming_Types_bindings.Bindings)(Hacl_Streaming_Types_stubs) open Hacl_Streaming_Types_applied + type hacl_Hash_Blake2s_blake2s_params = + [ `hacl_Hash_Blake2s_blake2s_params ] structure + let (hacl_Hash_Blake2s_blake2s_params : + [ `hacl_Hash_Blake2s_blake2s_params ] structure typ) = + structure "Hacl_Hash_Blake2s_blake2s_params_s" + let hacl_Hash_Blake2s_blake2s_params_digest_length = + field hacl_Hash_Blake2s_blake2s_params "digest_length" uint8_t + let hacl_Hash_Blake2s_blake2s_params_key_length = + field hacl_Hash_Blake2s_blake2s_params "key_length" uint8_t + let hacl_Hash_Blake2s_blake2s_params_fanout = + field hacl_Hash_Blake2s_blake2s_params "fanout" uint8_t + let hacl_Hash_Blake2s_blake2s_params_depth = + field hacl_Hash_Blake2s_blake2s_params "depth" uint8_t + let hacl_Hash_Blake2s_blake2s_params_leaf_length = + field hacl_Hash_Blake2s_blake2s_params "leaf_length" uint32_t + let hacl_Hash_Blake2s_blake2s_params_node_offset = + field hacl_Hash_Blake2s_blake2s_params "node_offset" uint32_t + let hacl_Hash_Blake2s_blake2s_params_xof_length = + field hacl_Hash_Blake2s_blake2s_params "xof_length" uint16_t + let hacl_Hash_Blake2s_blake2s_params_node_depth = + field hacl_Hash_Blake2s_blake2s_params "node_depth" uint8_t + let hacl_Hash_Blake2s_blake2s_params_inner_length = + field hacl_Hash_Blake2s_blake2s_params "inner_length" uint8_t + let hacl_Hash_Blake2s_blake2s_params_salt = + field hacl_Hash_Blake2s_blake2s_params "salt" (ptr uint8_t) + let hacl_Hash_Blake2s_blake2s_params_personal = + field hacl_Hash_Blake2s_blake2s_params "personal" (ptr uint8_t) + let _ = seal hacl_Hash_Blake2s_blake2s_params + type hacl_Hash_Blake2s_blake2b_params = + [ `hacl_Hash_Blake2s_blake2b_params ] structure + let (hacl_Hash_Blake2s_blake2b_params : + [ `hacl_Hash_Blake2s_blake2b_params ] structure typ) = + structure "Hacl_Hash_Blake2s_blake2b_params_s" + let hacl_Hash_Blake2s_blake2b_params_digest_length1 = + field hacl_Hash_Blake2s_blake2b_params "digest_length1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_key_length1 = + field hacl_Hash_Blake2s_blake2b_params "key_length1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_fanout1 = + field hacl_Hash_Blake2s_blake2b_params "fanout1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_depth1 = + field hacl_Hash_Blake2s_blake2b_params "depth1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_leaf_length1 = + field hacl_Hash_Blake2s_blake2b_params "leaf_length1" uint32_t + let hacl_Hash_Blake2s_blake2b_params_node_offset1 = + field hacl_Hash_Blake2s_blake2b_params "node_offset1" uint32_t + let hacl_Hash_Blake2s_blake2b_params_xof_length1 = + field hacl_Hash_Blake2s_blake2b_params "xof_length1" uint32_t + let hacl_Hash_Blake2s_blake2b_params_node_depth1 = + field hacl_Hash_Blake2s_blake2b_params "node_depth1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_inner_length1 = + field hacl_Hash_Blake2s_blake2b_params "inner_length1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_salt1 = + field hacl_Hash_Blake2s_blake2b_params "salt1" (ptr uint8_t) + let hacl_Hash_Blake2s_blake2b_params_personal1 = + field hacl_Hash_Blake2s_blake2b_params "personal1" (ptr uint8_t) + let _ = seal hacl_Hash_Blake2s_blake2b_params let hacl_Hash_Blake2b_init = foreign "Hacl_Hash_Blake2b_init" ((ptr uint64_t) @-> (uint32_t @-> (uint32_t @-> (returning void)))) diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2b.c b/dist/msvc-compatible/Hacl_Hash_Blake2b.c index 2dceaf4b3e..284da79a33 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2b.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2b.c @@ -474,6 +474,7 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + 4U; uint64_t *r2 = hash + 8U; @@ -494,16 +495,68 @@ void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Hash_Blake2s_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2b_Simd256.c b/dist/msvc-compatible/Hacl_Hash_Blake2b_Simd256.c index b81c4eb24a..7a807b6588 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2b_Simd256.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2b_Simd256.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2b_Simd256.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -231,7 +232,7 @@ Hacl_Hash_Blake2b_Simd256_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t k r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); uint8_t salt[16U] = { 0U }; uint8_t personal[16U] = { 0U }; - Hacl_Impl_Blake2_Core_blake2b_params + Hacl_Hash_Blake2s_blake2b_params p = { .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2s.c b/dist/msvc-compatible/Hacl_Hash_Blake2s.c index 652c3f33c6..1bae785bdc 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2s.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2s.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2s.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -474,6 +475,7 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + 4U; uint32_t *r2 = hash + 8U; @@ -494,16 +496,65 @@ void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Hash_Blake2s_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) diff --git a/dist/msvc-compatible/Hacl_Hash_Blake2s_Simd128.c b/dist/msvc-compatible/Hacl_Hash_Blake2s_Simd128.c index 9db2c1b987..f0646b283a 100644 --- a/dist/msvc-compatible/Hacl_Hash_Blake2s_Simd128.c +++ b/dist/msvc-compatible/Hacl_Hash_Blake2s_Simd128.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2s_Simd128.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -231,7 +232,7 @@ Hacl_Hash_Blake2s_Simd128_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t k r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); uint8_t salt[8U] = { 0U }; uint8_t personal[8U] = { 0U }; - Hacl_Impl_Blake2_Core_blake2s_params + Hacl_Hash_Blake2s_blake2s_params p = { .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, diff --git a/dist/msvc-compatible/INFO.txt b/dist/msvc-compatible/INFO.txt index 7db2550809..31e8992a23 100644 --- a/dist/msvc-compatible/INFO.txt +++ b/dist/msvc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: 71f2d632e318996f227063bf9d31ee91a4f48dfe -Karamel version: a7be2a7c43eca637ceb57fe8f3ffd16fc6627ebd +KaRaMeL version: a7be2a7c43eca637ceb57fe8f3ffd16fc6627ebd Vale version: 0.3.19 diff --git a/dist/msvc-compatible/clients/krmlrenamings.h b/dist/msvc-compatible/clients/krmlrenamings.h index 19eb533acb..f1b76ef6bc 100644 --- a/dist/msvc-compatible/clients/krmlrenamings.h +++ b/dist/msvc-compatible/clients/krmlrenamings.h @@ -81,6 +81,7 @@ #define Vale_Stdcalls_X64_Fmul_fmul2_e fmul2_e #define Vale_Stdcalls_X64_Cpuid_check_avx check_avx #define Vale_Stdcalls_X64_AesHash_aes256_keyhash_init aes256_keyhash_init +#define Hacl_Impl_Blake2_Core_blake2s_params Hacl_Hash_Blake2s_blake2s_params #define LowStar_Endianness_load16_le load16_le #define Hacl_Streaming_Poly1305_256_state_t Hacl_MAC_Poly1305_Simd256_state_t #define Hacl_Poly1305_256_poly1305_finish Hacl_MAC_Poly1305_Simd256_poly1305_finish @@ -251,6 +252,7 @@ #define Hacl_Blake2s_128_update_last Hacl_Hash_Blake2s_Simd128_update_last #define Vale_Stdcalls_X64_Fmul_fmul_e fmul_e #define Hacl_SHA2_Scalar32_sha256_init Hacl_Hash_SHA2_sha256_init +#define Hacl_Impl_Blake2_Core_blake2b_params Hacl_Hash_Blake2s_blake2b_params #define Hacl_Impl_SHA3_squeeze Hacl_Hash_SHA3_squeeze0 #define Hacl_Streaming_Poly1305_32_reset Hacl_MAC_Poly1305_reset #define Hacl_Streaming_Blake2s_128_hash_with_key Hacl_Hash_Blake2s_Simd128_hash_with_key diff --git a/dist/msvc-compatible/internal/Hacl_HMAC.h b/dist/msvc-compatible/internal/Hacl_HMAC.h index c67b64daba..ad344c4c80 100644 --- a/dist/msvc-compatible/internal/Hacl_HMAC.h +++ b/dist/msvc-compatible/internal/Hacl_HMAC.h @@ -42,38 +42,6 @@ extern "C" { #include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_HMAC.h" -typedef struct Hacl_Impl_Blake2_Core_blake2s_params_s -{ - uint8_t digest_length; - uint8_t key_length; - uint8_t fanout; - uint8_t depth; - uint32_t leaf_length; - uint32_t node_offset; - uint16_t xof_length; - uint8_t node_depth; - uint8_t inner_length; - uint8_t *salt; - uint8_t *personal; -} -Hacl_Impl_Blake2_Core_blake2s_params; - -typedef struct Hacl_Impl_Blake2_Core_blake2b_params_s -{ - uint8_t digest_length1; - uint8_t key_length1; - uint8_t fanout1; - uint8_t depth1; - uint32_t leaf_length1; - uint32_t node_offset1; - uint32_t xof_length1; - uint8_t node_depth1; - uint8_t inner_length1; - uint8_t *salt1; - uint8_t *personal1; -} -Hacl_Impl_Blake2_Core_blake2b_params; - typedef struct K___uint32_t_uint32_t_s { uint32_t fst; diff --git a/dist/msvc-compatible/internal/Hacl_Hash_Blake2b.h b/dist/msvc-compatible/internal/Hacl_Hash_Blake2b.h index 21689d6028..7d07e50b85 100644 --- a/dist/msvc-compatible/internal/Hacl_Hash_Blake2b.h +++ b/dist/msvc-compatible/internal/Hacl_Hash_Blake2b.h @@ -38,6 +38,38 @@ extern "C" { #include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2b.h" +typedef struct Hacl_Hash_Blake2s_blake2s_params_s +{ + uint8_t digest_length; + uint8_t key_length; + uint8_t fanout; + uint8_t depth; + uint32_t leaf_length; + uint32_t node_offset; + uint16_t xof_length; + uint8_t node_depth; + uint8_t inner_length; + uint8_t *salt; + uint8_t *personal; +} +Hacl_Hash_Blake2s_blake2s_params; + +typedef struct Hacl_Hash_Blake2s_blake2b_params_s +{ + uint8_t digest_length1; + uint8_t key_length1; + uint8_t fanout1; + uint8_t depth1; + uint32_t leaf_length1; + uint32_t node_offset1; + uint32_t xof_length1; + uint8_t node_depth1; + uint8_t inner_length1; + uint8_t *salt1; + uint8_t *personal1; +} +Hacl_Hash_Blake2s_blake2b_params; + void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); void diff --git a/dist/msvc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h b/dist/msvc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h index 4cc0786996..4dd986b21e 100644 --- a/dist/msvc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h +++ b/dist/msvc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2b_Simd256.h" #include "libintvector.h" diff --git a/dist/msvc-compatible/internal/Hacl_Hash_Blake2s.h b/dist/msvc-compatible/internal/Hacl_Hash_Blake2s.h index f814aa95d6..eccd92de89 100644 --- a/dist/msvc-compatible/internal/Hacl_Hash_Blake2s.h +++ b/dist/msvc-compatible/internal/Hacl_Hash_Blake2s.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s.h" void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn); diff --git a/dist/msvc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h b/dist/msvc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h index 0589aec563..2c42294905 100644 --- a/dist/msvc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h +++ b/dist/msvc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s_Simd128.h" #include "libintvector.h" diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2b.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2b.c index 41a7a2f24f..8d9a5238c8 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2b.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2b.c @@ -480,6 +480,7 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + 4U; uint64_t *r2 = hash + 8U; @@ -500,16 +501,68 @@ void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Hash_Blake2s_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } /* SNIPPET_END: Hacl_Hash_Blake2b_init */ diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_Simd256.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_Simd256.c index 04b2c21676..0a95cde90a 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_Simd256.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2b_Simd256.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2b_Simd256.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" /* SNIPPET_START: update_block */ @@ -237,7 +238,7 @@ Hacl_Hash_Blake2b_Simd256_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t k r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); uint8_t salt[16U] = { 0U }; uint8_t personal[16U] = { 0U }; - Hacl_Impl_Blake2_Core_blake2b_params + Hacl_Hash_Blake2s_blake2b_params p = { .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2s.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2s.c index 800e61acc5..3cf4f7c820 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2s.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2s.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2s.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" /* SNIPPET_START: update_block */ @@ -480,6 +481,7 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + 4U; uint32_t *r2 = hash + 8U; @@ -500,16 +502,65 @@ void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Hash_Blake2s_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } /* SNIPPET_END: Hacl_Hash_Blake2s_init */ diff --git a/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_Simd128.c b/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_Simd128.c index 5e535917c3..c749929e49 100644 --- a/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_Simd128.c +++ b/dist/portable-gcc-compatible/Hacl_Hash_Blake2s_Simd128.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2s_Simd128.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" /* SNIPPET_START: update_block */ @@ -237,7 +238,7 @@ Hacl_Hash_Blake2s_Simd128_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t k r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); uint8_t salt[8U] = { 0U }; uint8_t personal[8U] = { 0U }; - Hacl_Impl_Blake2_Core_blake2s_params + Hacl_Hash_Blake2s_blake2s_params p = { .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, diff --git a/dist/portable-gcc-compatible/INFO.txt b/dist/portable-gcc-compatible/INFO.txt index 7db2550809..31e8992a23 100644 --- a/dist/portable-gcc-compatible/INFO.txt +++ b/dist/portable-gcc-compatible/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: 71f2d632e318996f227063bf9d31ee91a4f48dfe -Karamel version: a7be2a7c43eca637ceb57fe8f3ffd16fc6627ebd +KaRaMeL version: a7be2a7c43eca637ceb57fe8f3ffd16fc6627ebd Vale version: 0.3.19 diff --git a/dist/portable-gcc-compatible/clients/krmlrenamings.h b/dist/portable-gcc-compatible/clients/krmlrenamings.h index 19eb533acb..f1b76ef6bc 100644 --- a/dist/portable-gcc-compatible/clients/krmlrenamings.h +++ b/dist/portable-gcc-compatible/clients/krmlrenamings.h @@ -81,6 +81,7 @@ #define Vale_Stdcalls_X64_Fmul_fmul2_e fmul2_e #define Vale_Stdcalls_X64_Cpuid_check_avx check_avx #define Vale_Stdcalls_X64_AesHash_aes256_keyhash_init aes256_keyhash_init +#define Hacl_Impl_Blake2_Core_blake2s_params Hacl_Hash_Blake2s_blake2s_params #define LowStar_Endianness_load16_le load16_le #define Hacl_Streaming_Poly1305_256_state_t Hacl_MAC_Poly1305_Simd256_state_t #define Hacl_Poly1305_256_poly1305_finish Hacl_MAC_Poly1305_Simd256_poly1305_finish @@ -251,6 +252,7 @@ #define Hacl_Blake2s_128_update_last Hacl_Hash_Blake2s_Simd128_update_last #define Vale_Stdcalls_X64_Fmul_fmul_e fmul_e #define Hacl_SHA2_Scalar32_sha256_init Hacl_Hash_SHA2_sha256_init +#define Hacl_Impl_Blake2_Core_blake2b_params Hacl_Hash_Blake2s_blake2b_params #define Hacl_Impl_SHA3_squeeze Hacl_Hash_SHA3_squeeze0 #define Hacl_Streaming_Poly1305_32_reset Hacl_MAC_Poly1305_reset #define Hacl_Streaming_Blake2s_128_hash_with_key Hacl_Hash_Blake2s_Simd128_hash_with_key diff --git a/dist/portable-gcc-compatible/internal/Hacl_HMAC.h b/dist/portable-gcc-compatible/internal/Hacl_HMAC.h index 8b9f96bb7d..b0a7106a0a 100644 --- a/dist/portable-gcc-compatible/internal/Hacl_HMAC.h +++ b/dist/portable-gcc-compatible/internal/Hacl_HMAC.h @@ -42,46 +42,6 @@ extern "C" { #include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_HMAC.h" -/* SNIPPET_START: Hacl_Impl_Blake2_Core_blake2s_params */ - -typedef struct Hacl_Impl_Blake2_Core_blake2s_params_s -{ - uint8_t digest_length; - uint8_t key_length; - uint8_t fanout; - uint8_t depth; - uint32_t leaf_length; - uint32_t node_offset; - uint16_t xof_length; - uint8_t node_depth; - uint8_t inner_length; - uint8_t *salt; - uint8_t *personal; -} -Hacl_Impl_Blake2_Core_blake2s_params; - -/* SNIPPET_END: Hacl_Impl_Blake2_Core_blake2s_params */ - -/* SNIPPET_START: Hacl_Impl_Blake2_Core_blake2b_params */ - -typedef struct Hacl_Impl_Blake2_Core_blake2b_params_s -{ - uint8_t digest_length1; - uint8_t key_length1; - uint8_t fanout1; - uint8_t depth1; - uint32_t leaf_length1; - uint32_t node_offset1; - uint32_t xof_length1; - uint8_t node_depth1; - uint8_t inner_length1; - uint8_t *salt1; - uint8_t *personal1; -} -Hacl_Impl_Blake2_Core_blake2b_params; - -/* SNIPPET_END: Hacl_Impl_Blake2_Core_blake2b_params */ - /* SNIPPET_START: K___uint32_t_uint32_t */ typedef struct K___uint32_t_uint32_t_s diff --git a/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2b.h b/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2b.h index 2b062daa5f..caabf7fe51 100644 --- a/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2b.h +++ b/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2b.h @@ -38,6 +38,46 @@ extern "C" { #include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2b.h" +/* SNIPPET_START: Hacl_Hash_Blake2s_blake2s_params */ + +typedef struct Hacl_Hash_Blake2s_blake2s_params_s +{ + uint8_t digest_length; + uint8_t key_length; + uint8_t fanout; + uint8_t depth; + uint32_t leaf_length; + uint32_t node_offset; + uint16_t xof_length; + uint8_t node_depth; + uint8_t inner_length; + uint8_t *salt; + uint8_t *personal; +} +Hacl_Hash_Blake2s_blake2s_params; + +/* SNIPPET_END: Hacl_Hash_Blake2s_blake2s_params */ + +/* SNIPPET_START: Hacl_Hash_Blake2s_blake2b_params */ + +typedef struct Hacl_Hash_Blake2s_blake2b_params_s +{ + uint8_t digest_length1; + uint8_t key_length1; + uint8_t fanout1; + uint8_t depth1; + uint32_t leaf_length1; + uint32_t node_offset1; + uint32_t xof_length1; + uint8_t node_depth1; + uint8_t inner_length1; + uint8_t *salt1; + uint8_t *personal1; +} +Hacl_Hash_Blake2s_blake2b_params; + +/* SNIPPET_END: Hacl_Hash_Blake2s_blake2b_params */ + /* SNIPPET_START: Hacl_Hash_Blake2b_init */ void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); diff --git a/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h b/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h index 690fe79213..18dae25f0e 100644 --- a/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h +++ b/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2b_Simd256.h" #include "libintvector.h" diff --git a/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2s.h b/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2s.h index ee6beeb92b..e211df3f4e 100644 --- a/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2s.h +++ b/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2s.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s.h" /* SNIPPET_START: Hacl_Hash_Blake2s_init */ diff --git a/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h b/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h index 9c7096bdd5..c6c8059d0f 100644 --- a/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h +++ b/dist/portable-gcc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s_Simd128.h" #include "libintvector.h" diff --git a/dist/wasm/EverCrypt_Hash.wasm b/dist/wasm/EverCrypt_Hash.wasm index 101c3f6834aed5d76bde19f1242639e8d080fc39..a5f05d9df8aef198166f523bcfafc86a034516b0 100644 GIT binary patch delta 2618 zcma);e{5UT702Iw_Ir-~p6!<(P8vH-?u*mdFF37#H*FIqPFg7W<(7^~V`Gs4mn2O? zmV_uNgqVsJq|rckXay8Twys;HQgC?{Lo0s-A@K(jktRT5MXa##2mio27@9Ojvh&^z zS*lL7|J?gM_uO;d@#md)ub+9?^8UYhH0EYg&xU^vAt5YjjfcyvNc7@At}TwDy%=ujpUsZgSl8THE{pfJ-Nv|d?Yl$f>2H> z;eyaas^GGaBpYz7hb>|`sfHdgO1v;D#)uD!IM%@5L=E=a+~BkM;g_}m{Me?zpKx9f zByl7+G09PQ!4@Mbj`i?Qn?mYAD2b2&q)MWs0S0m02oF1`{b%>*^9S=0t`V!-Eaax9 zxgfO3Rp7E$$RYdAsr-1?_{`X32s(rY5#2FPGyV73J){W^+ndNuP_&0h7(TLxNHdNN zmSi*rbB;zK7E5rO@hJ@g{#Gu6Dnz1&E#eL?W4U6OB<;9RV`qT5j-avb%8lGRaNoXxiAjXc^%)yr(P`uR>kO}L-*`UHWlb#(VwZ5Y zf$aL1Yp>(-+lLCA|AU`nE4iT5?Il*Y(pRnL-EUdN440vb8}c5_83_>U9F3SO3M_b{ zjwp?ywa6)@P*$b6VgVjE#Mn|9d|XFiq^h~BTrHs`%^auNGk^c~)vsrj3OHL;oAh{@ zDNr6$j8H;3rBb@uqP7gD3aUs2DyBG2dK{Lkda;29sHRVDIBX#;kn692%hXdErxr{z zswQZh@-(5eK%%A%yX>=o1}AGOu*-@y+p)_?un8*trKm!F!yXE1aMWLhYQg^ptIwO^ zpfpt&4w?!1J~L!LEF^u7kwkycP#H%@RMB5yuZ<(Wk-d)J5u6YY7mF z&(`#?dXXop{#oEt9^126qeu2l2u5N>M#;W!NxXin}eqP%rl1A7NN#NLLjxDVkoQ=q6KY6YK zR$4v!Cy_3m|3=Uo;}7xVA5hdb>Tf4kZ2Zv@{7qHx=d=P}wk`38ZL8)!!;@*>x_-mg ziE4Pgz0KJ44SLvKy|07kJ(~Iyp-&OxO&=$#ueu5D>8$6^I`qdne?!WG>NK4;{4=ZW z5Tti_`Qvu|jvdo>vPFNl?>U0gSXPzDR{a-uY`5UFbZ6FvQ*FN6u!aT;R?-Un<6-FD zKMKX!1kMNG$=@}Y_S{UPZ>yI&sPo*c>Zg^|Pkq#>Z1bWd%63?sIRr0_Vcfwa&Ssqc z(%1`xwCeriUyu$1W|CW5~_dIJcQd4@ol zU(uDv*ASS?h(MXY4uaiJtRWDOjp`k60|}Nl zon$GOPMQctpT7=*<-!p_2Dx%9^d(uQ(-9lc2t+o zu7~!2(iL88x6Jj*l0-R7-y=Ji*d^PUxJ52u;%3>##7RcrG+?;CgMoBh)IF{$RKbge;CXKxrg-0QN>aGmPT@^* z)rORWFpL{)HCa%#Q@fGf@!eUZN_cEYc!G&g4z-;j1;}%dX)Dt0Wyc WhO`M6;3WL3;P`!~{*%|*O8yJ9{>>u* delta 3225 zcmbtWYitzP8NGMB@16B7#s;(Yns5Bv0b};zUBB%en}^>IUV)IX*)+>@y*8|&5Wsej zortDMYCa$}Y5*xMMXB64nKY@2(p0J{s-$fcRjvAm^bu96+8?Bes#cYN-n(}_qEC?e zW9OdloVjQ2oO|`n{^IY_{4;rOlE{owLI}MyGd)eV%(;i=hTL;Q<~L^Ep_cc~GplDp zzLmKDpXr^%W5>8TLYLtMb9hC8X-6WJbY=D@LXl|v==f8Ki6mK$9hUNQmgTe%3oUDC z5i28f1t;-k#;(L~S%S0}Z&^Zg6?&{8>cuXrN=tCmx|WvWJ!?7MuzE0Mb)(Bxc+TQP zwECrRBfe`5;x?NH?=mH0E2j!xv;}E7{+L}W@V5@IA3mB)KAjAZO18T7=ESk%qzYe= zS7O>;C|BDz9!nnSI&xxs!jD(Yl@=z4NKID%&|XCS_rs-nkHOV?nV!%x?;Yo$37 z43S#qUTF@6>d88RB2iMuke{y4*8H9TzH9R0fK#PG{Gv0AA!h*&n(g=_r;5j%1?S{) zT8|a-8@@=ip|PpCrM0cSBc^qBZP>VJb9YZ~U;n`1(C`TUSss*LT8^4)9c{reSB2CH zIPNOJ*IgD&yL|Rs$n7+2*t0``G=Z2>Dj2e>GRFdygcOWFU(z``MWw z!9~9(H?`)l+nm{?}jLq@;h@{cF>d5`guZNuw#vlsc#c zSz%i$LadONim-P3&f9-E?QtvhQ12&1i5Nr_qJCmh8VsTl8vVqkG#NxQH2aCHv=~Gy zwEBrhY15{bT-%}DPYRU|T};!6W}8qpKt!9Kp0U9O4KkTbtFjRSu#wLR2)}^v3kbiU@CypR zpzsUk{P1w0TCk~tnx*h}OoU?PWzaT3+Jw!?Onz?8DXU><=-RN_~5 z8pJNxrILX1s6p(8-70BR9)ms@Y+zCJ!Egi1tq-;|5Dy!+HIQQHhaFt&hn-yOhex^A z505cTBMX{s;aTNz80^f3`*@f31F|qXJFD!09@xX@^$5=%;n^cRdxdAO@az?yy*W?( zU7_lVS4b@0xbg&xH;gZ~uEh6zE^I1VSFlX6fo&a&%bt6W0z6(+7Fq5Ur5Pl)h7?dB zo}e}>`J|Dyw|boN<8gt zVSVnWm22=5?=psHm5OC01q=mCxH4MuJ=OvJr7`+*9I1}tmC~E67w+@Lq#sJT#UEmA zQ9NfgYmM=;2I|9?*|m&4NY(#Vc0;18+0#`0mck&gN2<5Sfj0a02_+0f3)I-#UlJvYy|12;m(Pxmh7xN9!FNW_~ zrB@v6ooev=EkBbk*cm*{8CP4=k}%e`g9|qqlhuoLZ#$KWYLxR7&Qrd17iezp{1}Lp zOE+YFTkPw!ph`Io$GLtYCs(7R(<^<$saJO%x6_DzrSEH0igEu2<-umXHg0xnOZmqF@j z!cR|~!Kc${9Nr&c<0xK9ROlztS82{8D;=s|lJG=&3|~K0{Xol)Gs5!YjIg|w;g3O@7P744kGL`mp#dK z{3Pq|zuGS0vsY@R+xdF*8n@Ehuiu~bf0)z%T1Vbfy|U8@gn9JH4gogFb^$iZHUT!s zRsp(XivZoSS%A&5Nq|l{PXJAp1c=F0fDXL9FeJU;(PQ7c2}qz4*;zw4g?Dfs2QhZ*-5VdP!H<43xEe-Y40&o_Ok6*Z&uSy&L~r z=cZLDcCd3FhY|i=-8&WJ)4;F^Wo_=Sc`!8FjsrXz0oU_z1gzun2)K?1Bw#I%NWir` zBmoC`Oacz^peS_kKEH-%C1_P9POz~LmPN6G1+4so^`&X{Kaa3a;)}};R+^m7i^yuq h2q*ia`OCLD^A4mB;74zd0Jn_9GS7J_P zdS1Ml2?NW-a|(>ClZ6;H8QCV=Fv>BqPp)Is-h7(Th!M#A$D|7+b(k$BIHVjIG#D5h v4=^|~=7120mnFb5xt4jEI80IiLoP;EQ9waJ0Hy##_hyy}j4Yd7SdEwfMYJnt delta 200 zcmeyy_l<9YyewlqV|@Z+9aBA!1T*0TbAA0pn~upkjGT;&lg$_v7?~!XlV>qDVql&e z&Zx=AGP#jaj*)fZIVDE6$qN{@8QCX(RNQ=;(TI_eb@D$ZT_CB$Y$?Gm<;bAHz~Fd* u!I3csgh0G30mjL-%*(`Kk^&fVF|vvR3IYN!1sJ+FvrJ%Q-0Z??!~_7Kr!6Z0 diff --git a/dist/wasm/Hacl_Ed25519_PrecompTable.wasm b/dist/wasm/Hacl_Ed25519_PrecompTable.wasm index 46a7380db06358dcdef5459264c6b9f1dc726630..c94538f0c5740cc5e275c8a82bc368902b64046d 100644 GIT binary patch delta 103 zcmX@yz<9WUaf19rOQDIXA`|_&Ci=&5C8d_+=cF1NF)&UnlxHzCV_=#*nNg9Ed19gD z#I>A^EEBgYFtSekt*OAq9iCX68(dmYkY7|HfW(e3DM~D0V4s}MsJ(d$W4|2$i_0N6 delta 83 zcmX@yz<9WUaf19rZ7F8v`ud5E5)=JdCq{;FCFW$N=f#_uFfdM*XH;Nhnph~$Vr;~~ mJlTO!laXa|7NZ;^D@e@HjDc-(C!;na`@~y{o3}9b+W`R5?G`8i diff --git a/dist/wasm/Hacl_HMAC.wasm b/dist/wasm/Hacl_HMAC.wasm index c2e51b851c0e3a3f21be3160b08d2c2ff85f9351..4837783c3caf2566c5fc53b594b01adb3cef5172 100644 GIT binary patch delta 4288 zcmZ`+-BVT96+c_9kw|BX6N8ni`7J>N1V2!e4+Rb%0?L=7sK_^na=9Xk#zfIe5{)s@ zC^=DMqPC5i_)upuuUTgh+d+ojU zT8BUV+sysbEcb?IP8-kj%>DW0&oeTT$@!nw+t=Sa%Haynm8XkU;5pf)+29Nk67zhSKc~mmi+mzul}*Dr1|atKA4;HmMpnC z^=jRkCFa#HyNZ{r@jV~et8=kl@{l9>i22^$Skljy4cHKL_7?0YK!NY=^gL|v&7^F| zsN=xfAFK1dLQWP?iY4MGppZ5SWckXP0@>)l_OKCo^_~uLvU78NZz+dTh!_f|q)1=W zQj8)ZqL|EQV@V3+*%SbI@0Fkgn-sQ$mYYzRnB3`cfl`VR*^JG>*{uBDE!cu0wb_DV zr`?JzvJKm^qzq*YFEinrM4aoB?Th4??7((nN;xuQCo)h@J2jPE48H;uHvCFdy6`J> zSrrVwA`*TjB@Mqa4Br`P`0rFol}25q;UmX4*}u*W=DIKDVmqf3*n>P2zQj&!r-FPn zsIh#tsC9fb%2z|anh0MlCFQFP`J9pRt*@0j>_8pz2>%l0FJ~$3vRj^&>qC6_f%FyZ zs7Jl;RdKs~#rKKtNAT-)n)vmlUc^Z8d+VhE4bq4PKRdNgO~{kIB#h|?uL5-=KmIu+9O4UQ?mcuw~Q?&;@=u(>=9B`?61U+&TN3-M@ zj*&E-s=bTkm>fqhF{KY3(vJ@Gh5IQ3Or1dt+SD1skV~CGUDhBsVvvhXox>0%O`V}| z@12nbzj{c9HC2ags;;rAO4t#MSlCgFI@l3~9U<&U1a_2?!j6Wp&PZX`j>;H%ZL*Is z**jmNAH6QwPvC@w9>=(YKB3Sj2z?>~Jx)oX$3tjmq|ocedBu`3{y^qO$90Qu{ zkW)Bi6MX^`F40dZ_9lsbgGlaK^K26W*h-X5j1iuJ z80-{Ex2XL5vC?e%G4AF=8SA$O|n-h-)%-S@hxYw<7{U6r)GOA zTCvM2TAiYmRlS8rk!|}1A+awi&B}iDGi?^Pos~VrZFlbN(xIA_o#+g4JDs9ax>T{^ z0E>9&a=>bWzl;^H2yMHaZMPhU3mL97(f+L~gh*KPqqpC=%_Gci2ktFkMEq(2Ww_mdG)Bjzv6&D5X6| ztd#N`Q_nG7m_HzFEi%q;fs-2O|5yE!TJ_z>!1%)OjSf&ZK;P8YzyxCo3nBAG;#46% zC6o3&EeT9=%a8~Q5wR!bv=$;v@poDa(Uh8=Mm$xC&R|NWF>Nam3p)5s>+zLvmFOHx z{0wHYk{|$ z5?7n5M3*V)g}oe}fEoo7&&jwfvzo<4S8&C-+gB#8$W`tEW*Oa8=y!sx4oM`Htb&?3 zLPvel^39o$(3$DM#kjQ}1^;Tx4?4=;+8Vco;A0DxiI0tZVsL@X34CP8 zP3Z$%aOBqvt{J5d{?oj)!m(d7N`K9epTl&#*VWdp;CgBWp=sc+dN+36$fvr5)i(@o z7}D8Q+z3~3!^mf5SA(14FqJ`9x)jeKix%izmJf#U8W(bhE@eHER}#Mg_&S$tvi zxgVWnb>q}GI`xZ%E^r0k2J`K!*WEJmox%I~R1?CEKGXuoJO9YwQ7~OmSpC@GF`e~) zokun!9%)8!n9c~AsET*su?fq7H4VD@S4})N^2FeYk>BXwbfx<(Ddl(kldg5&6I7lm z{8JMtT6CnGE?ac6a;k7qVC8xmm{qGPpQ-n=s5f~ir@g-q<&-y-^nRwf+s;)!H+XL3 m2Ln%jG`bNl6!Aqg+#ij~VF9G&f)K`TWqF~9=1GuqKL3Ag=8u^G delta 5458 zcmbtXYj9Q76+Vkx@v2OFs}YbAyH*n74G-mIB4{utJOkzh0rC(oNeBeE31GrAj~l8% z6a>Q|R0S*4s#S;u;{#MQh+43%kIGE_VW<7s={V!B{%dFYt-a4Z_r@82b>`%pwf0); zTWjy^z4mu|zomEoNjEzU?XBcE4jt{k`K6mFL5X#v6NyAm|M}bcKOarh|JQQ5K9om` zLPZmnG&IFyrLEiIv66VhmgbqU`CHrCI~v+L+QpcbG_<$)ruJAYwz0V*wrOW|Lu0%- zw!#~@;l%%iP%>0Ix`sww|7K|D#;J>M`sVrGUT4&(p69&b8wb3@6WfOVRWW%~LUK6U z4Y?F|L-Ea$3niRXCP5jKRPx;K|NHj8yCZkVU3^#6aU>cHSW5yz-1QCiaO(Eb}(=+-y3x%N&!#eXo2J4 zGr7PC;WM?s3FC8jfis5lc)Hs1c&6I&c(&T|xBxcSal;)_$Wgbq_pvY+y4>F0UMlx- z4&SFSITkO+;^kPpT#J`$@p3I*uEFDMnZsjcE{9xaQ7GYMRqq<-4m(`Lb4nZ)#zrPg zaGe_9uGoXfq_Re7^3xWaWbWw}dRq&%Y-g0n1C>^fLju7HOB1y?{xIeFX1 zWZqFBl?q&`8F;Kqk)Ka+BT~gx26j0wx3ED}Yq_l8QUJ$! z1<&DmgZvPeTIg!7Hqa}1rG>6m=xRV$r$MiTrqC;WXzQfV*(+rgFXdG{2k?WuY_JPj znOT=xCb%rCd9_zrn>V|LYg}h8Ccj$oR|9`_8h(uq1HWdPljfxOH8oPpwNl5mZbWw~ zyriDz$iqk&Z0a?xBWnS<)(w>=7r9O~^*6u|8*Q^+{#utdd*^<7`@M*ZAug5{SFc(S zx5jA6xESIjrezh^$~s;r4LnyGG0P@^G^Nd_5gKhVnHvJppPO2wNkI~|F1w*fcmg)r zdd#UgeNG#o1P65^lrcINJ;E))f!V~HFeBL<3~b>odQjuRKr6TEL2U~Lw(?dzsM~ZP zVNUyY-mWM0k-(*$+x4J!1Oq#GhaS|O!N4xwr3ZC4Z{*Fofj4qo593B|)5Extx9LG` z;YZZg!X0XB;hk!0;oZSO-IL(W_N4AHCsp=xGw;=yW{cNs@tQ5(28*}B;%%^a8!XW&aOGLh?8< z20P<&fOx$;ffpYz#ps@Xl5oxs5+5Wzjzx!v4*^dz9)!;pn6Sklrn(4RpzEnTME<_^ zUA^;}x8He)B7NjzdK zBHp&y93XTX3_MBNZ&;2IA0zEHMFYeGfYyF<%w#*J*&wE}!9`8THbDN#^j$UErU8=U z#K%c~rSDYlc?QYlS*;-GKF@dNLYDM4v>h<4d0>exBsl#E!f`Scg-Jb}D_cFOcefM}lLZ_%k=UoC4ao zQ7(J`Xw59Ub{1?RZ&Z&Ys0SSANB%N;qOj%ss9obSdSvLkx|tbiOeCDnL{tfwh$=}Y zlBG-}A7?4aM6v`-Bp>}O$waaQOe7!OE6GH%1WY6!%__-6vII;d-{BM!$r3P;d?y+( zkt_id$#AAK(W{oIHmGXH!4@O{`PnhS)gD!d-I1C$MY~)VE zVR}i5ImE?n;_7Fcl(38A!X5qd}-;$^^;GR^>>%HT5X*V-a0Fy%_F z)G5yfBeJuq)UqnE-z!mU^6syKrYljUD}frUlU})Ac2j*CHD}bz!`|hoIk&IjHNZDH*VvqEWUX3e#W==g z#t^fH80g7bta8LG9UysKy4EEP8b^%=w~3pQxJ@>^N!F|7)@EGA7Pr|Nnmt|+&49PJ zbU^`?dHc-!f_Z8eF~3=!-=Y?28kFbix*|ANtJfQ9&6P&F_RpA4$@DEX``%Tf^(1~L+i zfpF|6?U;|J#y~#~U@QU(;`=4Cz&~(}YU2clu)o-{#E=l}ogfm)F~c6TdxAM6$8hmK zjo9ge>pD4R?tAT_xUErfAL+ju!s8IaDm(!pqQXHcOrX1gPCaFuARIAH5c-W11P?;c zRdLVvk?pIvvhlM+`zr2ptlEHqfMD}Luz4UL57J;QZ5jwR4TNHw2a?T$UWhw?*ul-; z1_EHEZGt-)3VPx*cpF{`75~F$N!z0L^z6|&&yw~$FaiYQ!aq*Q-gtsADkpJ^E1yi5 zD;sF)4fz=eN;+{h<0i*#{Q@}UDRWP!bIQ{{7zxR5h%tyX@}lz9-{QqDqA1%jUs6)} zGV#k4xe-ksEYT8~u=ibTT+u7UuaKTp2M#)qmkGNUVru)s1v>T_JoSvET$LnwqaKuk?fWrJL$!mo6z`w&T<=2RncA74DhWHF=A1pdceAdr<#^gPtc_F6q!UekKJ)6wy zyK3IhS&~6-#;n}AuM^`rZhPYEehsga{9cy@WyE<<>wt=tIqg?+j`*Cdo`1>$!{%$DCDp_@l)QbD$IAth zKM>>OyrFx;iZ78~D`?YDl!(#oIlvOgiTi+>JS`9c$Xk^Un9fzVTz4}y$t?kf}q1wR75 zFh3!_)aWnMqmc)CD*AI@Pe#Lt=r6U_GF15$@mC~&A$H_z?O$?T5wE9D_-j(#zt7+q TDE^IRbh)mG^qKczonPV^I-7|l5`dii8kMo~tl$#IMdjLehk z88sPMCZAx`W@MeXL7v6XjDc<921%~OoXqsRcrz0Q_Q@+5<#;$aJra|1;yrvFoy8^> zFo|v!VG?HMV^vgeJiy?{m;*!t%#%%7Gk94QB^(XlBCEh60*(rB5qUO{8V*MhxX2W? zE}%h<$Oh@KgA`dJ8MF{AVu)mr7zap=CXzwj963P${NPYzWS=a>d5Dp9@?B18M)u7= zIcu3DSfv~pG#D5ZwlYF22J^B6*f;m_{APs99!8g4$oGj6ZqNn+2PPorqmUTTR1V>H z2z`^#_3?>5L+BF}H)IlrIUpF#{z%DfAe92rqCi8{q&Fe7eU(Adri7-=R(=~J+)QYI z!~Mji2zK>fB?+LJV#>J)hxVg8bhgTSgzQ{&*+ps}LGFPVv{u6z#QCTRaw)skDun%| zXpTFfy$hjjjxJc+13i$oZ+fdhG7Akrob3i15Xu^joDl|!qZxSH7|AwOG|4%p5lm97 zil><&F?^C4O`gv}10??vD*qf^KEP@ZGtf=EcA(Hwv(o^@vA+X|li{!o#Nl@aaWtG2 zLB?ETf>?8f3C)^h*VQ0n_&vdjJ;92XLG4_EZfCOh0+3-#86k!(Mh|#dKShwu_5mQn zA_7)30~LRTD*lY2I0T|N46Hb88c65+2v8zri@XYqT}1-h4Tv||&UsNK1#Evg1N-SVtpPbC7&BMXzk(itl z@8Rp{EH=4-Np!OalQ1(MhoXYx0R~6L93T>4oovdQ!ONj2;b;ICSp^mma8!Vc$g_de za5##Xr`EQF2bSx=nkE&@*W{O7hQId+DDLkAO@|~a0YQc zYJyzKuC)qbe<_;dPH68!Xq%%8*7iUTr0tvDDv-=V0}yAs!3Kn~Mk8m0f#PTe-Znv$%|jEKb6j8$8!0R&qQammEJSl(R-gT zaB?@+-rQQfv9|rr>dMyI=KA~_s~hib>?m(C{MRgu-g<9qXG0~zr)Jqmh7(q?l+OP@ z;`aLX`i{y391@r+8{V>t#jz8Z-@d)Ru5#f6i?aFHTWdROtJ@nNtXrmY_lXp{|FiXb zF!Ie^{vHc|nnA_bb=%gi)z0i{RaJ^cwM{l`f3(=c+SW$+V6NDXA-1BLN`V!dWLwMp zppTYL>>cX?SnW2?+_&P zpHCk?`N(&uokWtk$scG^NY#{0>474HOilTe9Vo^yR#O4x28ulLH3bR=iUJBXRi)xU zF^=(?nx)b}F@cGiTA<0Bh{Kom<48A^%_7@WK8sva1xO$eTLML~B~TJu0+VdhK9x}( zjMJCajPS2|{&fIaEpb>`CR*l+mWL(^QS(GmS3^!GO%z0&WC~L!BzdKRNf!{cHh(sfLku5*I=u>>Q+A!~TXj{G&Toj7e-gx-8((@cEA3*GP~M8&>gC*t`3f=sw&de=-%n@pQLe)6=-*l zL9g#B`#0=YSN^bHyRK5bYM9W6BQH9DBduK!VbetsK3x(KP(uW$DWXaXB4%k(!~!kB z$Au1EMj978bOl*l>d;l>(CE-L1ZZ~XI*M56&@xI`?2yJJURdhT3S3;4eq3CUa$Q`N zVq9F4Vmw?In}=nwdC+3>up&=MVf1Lo`(Kw{8u1fFC>Std@mq}e$V_=!9&#dqy1;?M#KA)mGHYtx#YWWn9?RbV2JURa)0}jPort>X50J0DQ#AG=N>8F zD{^B|_OvL%sUqU}r5tzmbizLt7Gs>S?-*X64Z_c--FA%K9bPv_+k<^(T?(gJX)BY>4G#Cf3})1tk_v99m1?H6-FbVkv)wt^-MKmF^t&r}cOG;Px`&Xp z=@mP8S1r7CZ||M%!6D>}FYdknpxcE)?Zw0{cYL^axVzKuz7NItz0P50=V0%Ht{O`` z{)7MJ@!#st_P9{rzGRsd1XM7FDw?QSsbJsf+sO)Q9=uK;%||WVki-cq9sK6p+DIFi z@PO$ojylHI0E{2$)R2h{%f2#HUiwvs<2$Yw^H~Wk4?KO~DTAH^ny1kNg*|3R68c%9 z97!b45*6>)f1m#Kk(FRmIOPJcsuZSi+6A4>NTG%`7cAzZR2VWBY*v@TWxVVHvRNt2 z;hYN&o0mcZ8!oh%BLx>-7uMMVma*Cfpk<~FIxW}+ilc&sA`~4ZcpR!;=+U zpri-Ko__o(Tg2+k(dZK$7rpP`_~__}HL-+E{$5FVmV{?Xc-q3#=AJs*!qN^cv4|5y zNM#yP)i|Lqj)+h;HZ*)C_@z3fszWXKc5%b!4F8`+B9f3Sj7UPVNXk1g(c~;rQb=Q( zv#_L)!A!^^E0rAPIE%a#3RvJQic%`?Vx8bf%YlSD1oStMcjVZxm`i#X4#yJF_CG?C7&$#eR2+suf)G;9}6QO1B z&59j7TQJsYL

L{EQ1+w#C6Gtzp9y$d%=(G`FV%Au$97zQWJ+&0#5a*d2>`!WBs zHO9!SPG)t_mS(`s>OG{KXNS#2(WzOTo7KlB&9bVP!L#Kb6m$GlYs`b&*Pc_*dL^b& zuzG!=r zjcX1%URVwdPwBG;A#Zqa>#TkpifD+UbBbAP3R;_a-(fVFXe_xN6;fCYY!OY?yol)v zRnZbzE_s@)q6Lb=(Ht5#!>C8y%+IyNt7wT{I-mVXWkN9wl9tJ5`P?VCzcC-IZf3Sz q*1{IMiojM-VXL%j^}+#GC{p_2PhFLdr-$Jgw#pBqxWSzpPyYj>1*#VS diff --git a/dist/wasm/Hacl_Hash_Blake2b_Simd256.wasm b/dist/wasm/Hacl_Hash_Blake2b_Simd256.wasm index 2724451529574975575f03f42e29974896d5d9f5..d144e065bcafff0663829218e54e65f227f2eb9a 100644 GIT binary patch delta 697 zcmZva&1(};6vgkGkIc+_FUjPyV-$L)0b>^m7Mn^|eO(Ar{ROz>socqrF=A1jTy{ymXAsP-C0I(-_ zCljbn^DSmhH;(LGPFQ1SLZht5h0NyiexX<@S27RM85@H-$Oz~2JrZ0O%%e{CMt21K zxNaMvGq}|sbwTPYM#IP=jcVQ?>i4%c!Jki+d$Tj_jG&Mnp#eqx-B@5H!k|%Zqy~M_ z%#|zNwP+Nzhuzy9lktZy(=2+++^z4XNe$zUGgfc{Aas-)y6E~&ZKjp0n2!9~84tZR zSOGv9^g`EMr5jkcR%b5sNV)wOy+!!Pr1$*tF)!o@p{Rp;#A4qDbQFYkm_ZveiLfqY zd|5+4h6b9LMa$3X>%13;8d?g@(PfR%ni(Y8eolYo>nx|6Vw*kJ^RnW-NY_RMxZW2n z%B0?c&udy1gRvP}#I%}J%cGZa3eA;!{xGzH78h%9+eg1+kM&zgF1)<9n3w= eul1u|XX$EtX}Nid{w=)`O!d3D$H|Z28T$pe!HD$$ delta 367 zcmbPi(PhfdkXW3{$iTqBIH9qjfkAX4ztzToV~py(4L}|bCl@ylFCV{vppdW#TRTXI zv7W*4BO5pSmL?#FQ*H7FCaKB%%xshEnb?`QRbgEA_?*Pz5(b{h>zS08_~k*u>_w@? zsU-{oKp|kdADFp@vMg=AXW(8ga76G2grrg<#T$2}ai!t&}-ofn+Bw2X6 zm?kk!p1>o*c@yM(CZ;;}$!mG6*c3UH85~zk?&lHRe1i826C?NJy#f~)xi|L-Ze|8@ zoJ8*fIZ9$@7#a6YelMQObeRQY$mAjk38gEnSpuvK3S5p1iX4iZ3LFZYW(*A6+&|ht g!NZ`;!2NOZ8i^T`&q=Of0r`1yz0}0bRZ=q<0iKCtHUIzs diff --git a/dist/wasm/Hacl_Hash_Blake2s.wasm b/dist/wasm/Hacl_Hash_Blake2s.wasm index 0dcaff92fc840a8a399b6410fb14041d83f27baf..f9d6889edb710d8b1845bb009261b1fd960d68cb 100644 GIT binary patch delta 2058 zcmaJ>%WoTH5dZe!WWBq#*Y?_8Z~U0C>)LJN=F!$|leEnjL6nL^#T5=wL{kyh1*sc^ zKmrE}syKkuu2hK&f&<4MP*ene0umQa9MfBma6v+ilwQ0Y*U6p?km>x zm!Fbi7B{!w8f|hba<%Nl}z}L>Q{25 zmox6{1Uq{o?@@}U3OBs2`F`O)kZ<1E*%8I?u7++Yd1HHTdn?%ea7RBfd&}Pv>)lxkjg;ngGlK+suY;ODM-LnkAjnsl!E>MMcqO} zTcbbXHGM6Lh9qhFpbtsH9S0plu*1VvVhBkzL7)Xf>Z5Xfv`IOt-NzIu_6tv1{_*_B zzdmwI%s_@)c49*ovK^sgE;i&L-w_77v7rEkj~$g>-1*iSW->bJ&8G1a7s(Kne+ES*RnSv5}dGgu!BkSc)RkBawj? zU{5$CPV|HeEj&rf(xyh*QoZ(KtIY9^bbtb+H{izT8!l2DZ7LB-I-Y`4yd0^Y*YKiH@j4zd#u0|W6=}?;CYGaui zi^9Su^=6N5Aeyv9rZnO$C0ifNKHo!WL<>pU(bF+`H_Y%`a9>TrG!IPCk1o*SC($A- zo3L!@#aM!|>^_k1XxT|S!mcmds#7^S4Y4c6eG)|hP-L%aL_R?7`OIM4;eGfzt6tQV45GeWW-HX}jPwzdQXudbY$}+8VCTr*Nj$0@`@h(Ap%H)ij>%Ym`^IzN-1YTRa`UFdm!^Cod0fj)&)Gy~*IE z*UrvZA$+I_x0rl!csU$Q?!S4a@zgIr(AVeRY4y_l?`lD_(>^fZkN^$Rpxc>H)NhH)LG_7V{dXavj^J2B9NX23iV#6SyL0jr2Ml%axq!(pq> zbR3}13><2GW`Pge)bnA7dOify^P!DB+VG{=g^HXFW)BS5l`xr1L z#pfwLPw{z*&x`n=2y3XeCUkU6C$)clpwx!&*`p`dbh05*I|au7t8K0{VzsS!*J((T z+L;*0LYCCFV;~1PQac|54mhN?y9B1900mOJxJ2+Alt^ta2Fg$-wO3rOhzgjHA$3f! zNl_E>q^Jolsck`#dKP%pL-na=kv$8wHz6Zuw@B?xrS=viNoIya#FtcjNyV2^d@043 zQhce1FXWASzlwT;b^;)cJNk)as0<)B0vKIU601GNp28kTJ`xaq)o`Dw!aDsN&VF>A z*-#Y%xoXH&lU~flh^saN>`5;Q2UZKN8gbQ-%bDBFZxTEme&70tr{|aLH#97M+WQ2H z54&Ge@qDjuWPAx?8@9u5k2mID^#0_@9~WWlgkK*0F%>yTOMMxyJQi^X9W3Ib5ZkC+ zWUDUft1cR=E?TQuwK1#H=>EVsM`3kW!|MGPR+ZHX?!{5|ILaPJ+2cg^fU9hEDLpz? zm_`E!OrwP{!QeHZC}(sM8o)7k&xsw#QK}dY(ecSCzMSIAE55wq%PYRT;E33 zgl&_|cvqmzJ4XQoGBUm?`MGGKyG_aNE>B8;72bCcEF4vnLUHWg3k2RSc(t^oO^)C! zu?uO@xoXiK9+)mtcBLL4m^M{3KO*i#6<(-}w$-Hr(?xpc7+3D&%Ka-Vcd3e3?nTvd xVE_O#9aY!V*72dx7_+Qu9dF%iH diff --git a/dist/wasm/Hacl_Hash_Blake2s_Simd128.wasm b/dist/wasm/Hacl_Hash_Blake2s_Simd128.wasm index 6d5cdb7834f987142bb56a6a2aec4f62a473dfd3..fd3c1b86281cdfbf43173dd093717f4f2d448d64 100644 GIT binary patch delta 746 zcmZvaKWG#|7{$NYKexLxvv+&{;(0+blYnPolmv-#Hkm*K5nD@-Ll3#lo)Pa-DCnLd z5mE%=NK{aXg=Gpou(LN>Sc$Dwx@cu7_{{}#1nlO`y#3Ah-t6kh_0u_Mb~^+B$g>Ci zK8$VT>b9Mx?-oCk+Ik;%!hkX!W^+-#P%M=*kIf!QLG5Ok_w6AHs`K`^*S^{A0X?o8 zmh?I+Nv{oDU$tshC~&J9bec)Bd<~)rqx{>gZmS1*b0jP%=%3akDI!K#rJ6D5%XYR@ z4z4$Q%|^FPDIz-_5Yv3LefusT?n*#NO#E}ca z8@UF|Ici6|DnJln30s81i9&tGJ5QLt<&7Q5y6V@T55Mm*S2)I`U|YCRR=@JrCSF=Y zoQpVHI{2}JgRs}8Y0OOZ1;370DG|}C{t;Btkx61QNih*s{>6ht3SvQHlT!H!He=K@ zKpiWfio}v0x`-2(For#NbKsk*w$DO@VHvtOqPeOZpuwPLcr5TxRrcBZADbIC{|{RY z*8DFP;ra^OBz&;P?${`9+ksv`J@*M(~~>yunaS!k57janKIbkDz-sj p3fQiGT6i8UB+aGPY_~Bpd+wC^5%orSMSm=g>xJUxpi_E5{sJ0zkAnaJ delta 398 zcmXw#&npE{6vxlKcjnEHJ7eaV8H#Wp@it_qP-^}I|G{g@(8Jrjc_|9R0x7~RVIdo3 zBQ&zJRZ=!ASjgH+Z=s}=dtcd|&$sXScFuQuaIN2gD5)R-KszgG3c;>3ay5R3id(55 z%P^^BH#u&;+4FPjQbNlR)^k+5UKL>U@k`vs9g^eASi`jUAGOkKl+?iD7q}ZcT~gMn zaT3?S6;iv{&`@4Z#zc847S86*hG()G$KVwkF>|EJ_l=3D7L}6nLQIf(bS!V;2jnDs zQv%}BHU_iZq3A&Q#atGx}!N9-4MlU}^{j zQc%RQG6XcfW(e3DM~Due4BA0 zBgbS1?oW*DlM9&VGO|v-$Rh@1zu-v_XO(hf&|qM2Fk$r39@ Kj?Gtvlb8T7_*s4c delta 274 zcmdn4vt4I`6fa{vV|@a1eLaX`oG2?fF-dV^V%NkI!Yqbn3``U6D>5=q+#|`An3I{F z7jI_5z%rSUQGtN_Gi41Id3Na&tYWFe8u?CJYjqC2Ynz qg)vKjeXeZ@wy=!~_6exkRb} diff --git a/dist/wasm/INFO.txt b/dist/wasm/INFO.txt index 7db2550809..31e8992a23 100644 --- a/dist/wasm/INFO.txt +++ b/dist/wasm/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. F* version: 71f2d632e318996f227063bf9d31ee91a4f48dfe -Karamel version: a7be2a7c43eca637ceb57fe8f3ffd16fc6627ebd +KaRaMeL version: a7be2a7c43eca637ceb57fe8f3ffd16fc6627ebd Vale version: 0.3.19 diff --git a/dist/wasm/layouts.json b/dist/wasm/layouts.json index 81273a6674..d62bb7ad74 100644 --- a/dist/wasm/layouts.json +++ b/dist/wasm/layouts.json @@ -1 +1 @@ -{"Spec_Hash_Definitions_hash_alg":["LEnum"],"Prims_string":["LBuiltin",["I32"],["A32"]],"Prims_int":["LBuiltin",["I32"],["A32"]],"K___uint32_t_uint32_t":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Int",["A32"]]]]]}],"__bool_bool_bool_bool":["LFlat",{"size":4,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[3,["Int",["A8"]]]]]}],"__bool_bool":["LFlat",{"size":2,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]]]}],"Hacl_Streaming_Types_error_code":["LEnum"],"Hacl_MAC_Poly1305_state_t":["LFlat",{"size":20,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]],["p_key",[16,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Streaming_MD_state_64":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Streaming_MD_state_32":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A32"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Hash_SHA3_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"hash_buf2":["LFlat",{"size":16,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["snd",[8,["Layout","Hacl_Hash_SHA3_hash_buf"]]]]}],"Hacl_Hash_SHA3_hash_buf":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Hash_Blake2s_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2s_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A32"]]]]],["snd",[4,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Hash_Blake2s_Simd128_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2s_Simd128_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_Simd128_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Hash_Blake2b_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2b_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A64"]]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Hash_Blake2b_Simd256_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2b_Simd256_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_Simd256_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Hash_SHA2_uint8_8p":["LFlat",{"size":56,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_7p"]]]]}],"Hacl_Hash_SHA2_uint8_7p":["LFlat",{"size":48,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_6p"]]]]}],"Hacl_Hash_SHA2_uint8_6p":["LFlat",{"size":40,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_5p"]]]]}],"Hacl_Hash_SHA2_uint8_5p":["LFlat",{"size":32,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_4p":["LFlat",{"size":24,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_3p"]]]]}],"Hacl_Hash_SHA2_uint8_3p":["LFlat",{"size":16,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_2p"]]]]}],"Hacl_Hash_SHA2_uint8_2x8p":["LFlat",{"size":112,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_8p"]]],["snd",[56,["Layout","Hacl_Hash_SHA2_uint8_8p"]]]]}],"Hacl_Hash_SHA2_uint8_2x4p":["LFlat",{"size":48,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_4p"]]],["snd",[24,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_2p":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[4,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Impl_HPKE_context_s":["LFlat",{"size":16,"fields":[["ctx_key",[0,["Pointer",["Int",["A8"]]]]],["ctx_nonce",[4,["Pointer",["Int",["A8"]]]]],["ctx_seq",[8,["Pointer",["Int",["A64"]]]]],["ctx_exporter",[12,["Pointer",["Int",["A8"]]]]]]}],"Hacl_HMAC_DRBG_state":["LFlat",{"size":12,"fields":[["k",[0,["Pointer",["Int",["A8"]]]]],["v",[4,["Pointer",["Int",["A8"]]]]],["reseed_counter",[8,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64":["LFlat",{"size":20,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A64"]]]]],["mu",[8,["Int",["A64"]]]],["r2",[16,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32":["LFlat",{"size":16,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A32"]]]]],["mu",[8,["Int",["A32"]]]],["r2",[12,["Pointer",["Int",["A32"]]]]]]}],"FStar_UInt128_uint128":["LFlat",{"size":16,"fields":[["low",[0,["Int",["A64"]]]],["high",[8,["Int",["A64"]]]]]}],"EverCrypt_Hash_Incremental_state_t":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Layout","EverCrypt_Hash_state_s"]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"state_s_tags":["LEnum"],"EverCrypt_Hash_state_s":["LFlat",{"size":12,"fields":[["tag",[0,["Int",["A32"]]]],["val",[8,["Union",[["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A32"]]],["Pointer",["Unknown"]],["Pointer",["Int",["A64"]]],["Pointer",["Unknown"]]]]]]]}],"EverCrypt_Error_error_code":["LEnum"],"C_String_t_":["LBuiltin",["I32"],["A32"]],"C_String_t":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t_":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t":["LBuiltin",["I32"],["A32"]],"exit_code":["LBuiltin",["I32"],["A32"]],"clock_t":["LBuiltin",["I32"],["A32"]]} \ No newline at end of file +{"Spec_Hash_Definitions_hash_alg":["LEnum"],"Prims_string":["LBuiltin",["I32"],["A32"]],"Prims_int":["LBuiltin",["I32"],["A32"]],"K___uint32_t_uint32_t":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Int",["A32"]]]]]}],"__bool_bool_bool_bool":["LFlat",{"size":4,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[3,["Int",["A8"]]]]]}],"__bool_bool":["LFlat",{"size":2,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]]]}],"Hacl_Streaming_Types_error_code":["LEnum"],"Hacl_MAC_Poly1305_state_t":["LFlat",{"size":20,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]],["p_key",[16,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Streaming_MD_state_64":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Streaming_MD_state_32":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A32"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Hash_SHA3_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"hash_buf2":["LFlat",{"size":16,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["snd",[8,["Layout","Hacl_Hash_SHA3_hash_buf"]]]]}],"Hacl_Hash_SHA3_hash_buf":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Hash_Blake2s_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2s_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A32"]]]]],["snd",[4,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Hash_Blake2s_Simd128_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2s_Simd128_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_Simd128_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Hash_Blake2b_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2b_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A64"]]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Hash_Blake2b_Simd256_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2b_Simd256_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_Simd256_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Hash_SHA2_uint8_8p":["LFlat",{"size":56,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_7p"]]]]}],"Hacl_Hash_SHA2_uint8_7p":["LFlat",{"size":48,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_6p"]]]]}],"Hacl_Hash_SHA2_uint8_6p":["LFlat",{"size":40,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_5p"]]]]}],"Hacl_Hash_SHA2_uint8_5p":["LFlat",{"size":32,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_4p":["LFlat",{"size":24,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_3p"]]]]}],"Hacl_Hash_SHA2_uint8_3p":["LFlat",{"size":16,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_2p"]]]]}],"Hacl_Hash_SHA2_uint8_2x8p":["LFlat",{"size":112,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_8p"]]],["snd",[56,["Layout","Hacl_Hash_SHA2_uint8_8p"]]]]}],"Hacl_Hash_SHA2_uint8_2x4p":["LFlat",{"size":48,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_4p"]]],["snd",[24,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_2p":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[4,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Impl_HPKE_context_s":["LFlat",{"size":16,"fields":[["ctx_key",[0,["Pointer",["Int",["A8"]]]]],["ctx_nonce",[4,["Pointer",["Int",["A8"]]]]],["ctx_seq",[8,["Pointer",["Int",["A64"]]]]],["ctx_exporter",[12,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Hash_Blake2s_blake2s_params":["LFlat",{"size":24,"fields":[["digest_length",[0,["Int",["A8"]]]],["key_length",[1,["Int",["A8"]]]],["fanout",[2,["Int",["A8"]]]],["depth",[3,["Int",["A8"]]]],["leaf_length",[4,["Int",["A32"]]]],["node_offset",[8,["Int",["A32"]]]],["xof_length",[12,["Int",["A16"]]]],["node_depth",[14,["Int",["A8"]]]],["inner_length",[15,["Int",["A8"]]]],["salt",[16,["Pointer",["Int",["A8"]]]]],["personal",[20,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Hash_Blake2s_blake2b_params":["LFlat",{"size":28,"fields":[["digest_length1",[0,["Int",["A8"]]]],["key_length1",[1,["Int",["A8"]]]],["fanout1",[2,["Int",["A8"]]]],["depth1",[3,["Int",["A8"]]]],["leaf_length1",[4,["Int",["A32"]]]],["node_offset1",[8,["Int",["A32"]]]],["xof_length1",[12,["Int",["A32"]]]],["node_depth1",[16,["Int",["A8"]]]],["inner_length1",[17,["Int",["A8"]]]],["salt1",[20,["Pointer",["Int",["A8"]]]]],["personal1",[24,["Pointer",["Int",["A8"]]]]]]}],"Hacl_HMAC_DRBG_state":["LFlat",{"size":12,"fields":[["k",[0,["Pointer",["Int",["A8"]]]]],["v",[4,["Pointer",["Int",["A8"]]]]],["reseed_counter",[8,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64":["LFlat",{"size":20,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A64"]]]]],["mu",[8,["Int",["A64"]]]],["r2",[16,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32":["LFlat",{"size":16,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A32"]]]]],["mu",[8,["Int",["A32"]]]],["r2",[12,["Pointer",["Int",["A32"]]]]]]}],"FStar_UInt128_uint128":["LFlat",{"size":16,"fields":[["low",[0,["Int",["A64"]]]],["high",[8,["Int",["A64"]]]]]}],"EverCrypt_Hash_Incremental_state_t":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Layout","EverCrypt_Hash_state_s"]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"state_s_tags":["LEnum"],"EverCrypt_Hash_state_s":["LFlat",{"size":12,"fields":[["tag",[0,["Int",["A32"]]]],["val",[8,["Union",[["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A32"]]],["Pointer",["Unknown"]],["Pointer",["Int",["A64"]]],["Pointer",["Unknown"]]]]]]]}],"EverCrypt_Error_error_code":["LEnum"],"C_String_t_":["LBuiltin",["I32"],["A32"]],"C_String_t":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t_":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t":["LBuiltin",["I32"],["A32"]],"exit_code":["LBuiltin",["I32"],["A32"]],"clock_t":["LBuiltin",["I32"],["A32"]]} \ No newline at end of file