diff --git a/include/Hacl_Bignum256.h b/include/Hacl_Bignum256.h index 72eea53e..a3f2d64e 100644 --- a/include/Hacl_Bignum256.h +++ b/include/Hacl_Bignum256.h @@ -129,7 +129,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res); +bool Hacl_Bignum256_mod_op(uint64_t *n, uint64_t *a, uint64_t *res); /** Write `a ^ b mod n` in `res`. diff --git a/include/Hacl_Bignum256_32.h b/include/Hacl_Bignum256_32.h index 56738938..3ba9774a 100644 --- a/include/Hacl_Bignum256_32.h +++ b/include/Hacl_Bignum256_32.h @@ -128,7 +128,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res); +bool Hacl_Bignum256_32_mod_op(uint32_t *n, uint32_t *a, uint32_t *res); /** Write `a ^ b mod n` in `res`. diff --git a/include/Hacl_Bignum32.h b/include/Hacl_Bignum32.h index 84a839a9..123c50b0 100644 --- a/include/Hacl_Bignum32.h +++ b/include/Hacl_Bignum32.h @@ -122,7 +122,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); +bool Hacl_Bignum32_mod_op(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res); /** Write `a ^ b mod n` in `res`. diff --git a/include/Hacl_Bignum4096.h b/include/Hacl_Bignum4096.h index 8f7ffb7c..5cb36d26 100644 --- a/include/Hacl_Bignum4096.h +++ b/include/Hacl_Bignum4096.h @@ -133,7 +133,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res); +bool Hacl_Bignum4096_mod_op(uint64_t *n, uint64_t *a, uint64_t *res); /** Write `a ^ b mod n` in `res`. diff --git a/include/Hacl_Bignum4096_32.h b/include/Hacl_Bignum4096_32.h index 41702e34..864db076 100644 --- a/include/Hacl_Bignum4096_32.h +++ b/include/Hacl_Bignum4096_32.h @@ -132,7 +132,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res); +bool Hacl_Bignum4096_32_mod_op(uint32_t *n, uint32_t *a, uint32_t *res); /** Write `a ^ b mod n` in `res`. diff --git a/include/Hacl_Bignum64.h b/include/Hacl_Bignum64.h index 6261d82a..0e8eda17 100644 --- a/include/Hacl_Bignum64.h +++ b/include/Hacl_Bignum64.h @@ -123,7 +123,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res); +bool Hacl_Bignum64_mod_op(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res); /** Write `a ^ b mod n` in `res`. diff --git a/include/Hacl_Ed25519.h b/include/Hacl_Ed25519.h index b2654704..f0dc31e2 100644 --- a/include/Hacl_Ed25519.h +++ b/include/Hacl_Ed25519.h @@ -47,16 +47,16 @@ extern "C" { /** Compute the public key from the private key. - The outparam `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. + @param[out] public_key Points to 32 bytes of valid memory, i.e., `uint8_t[32]`. Must not overlap the memory location of `private_key`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. */ void Hacl_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key); /** Compute the expanded keys for an Ed25519 signature. - The outparam `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. + @param[out] expanded_keys Points to 96 bytes of valid memory, i.e., `uint8_t[96]`. Must not overlap the memory location of `private_key`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. If one needs to sign several messages under the same private key, it is more efficient to call `expand_keys` only once and `sign_expanded` multiple times, for each message. @@ -66,11 +66,10 @@ void Hacl_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *private_key); /** Create an Ed25519 signature with the (precomputed) expanded keys. - The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. - The argument `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. - - The argument `expanded_keys` is obtained through `expand_keys`. + @param[out] signature Points to 64 bytes of valid memory, i.e., `uint8_t[64]`. Must not overlap the memory locations of `expanded_keys` nor `msg`. + @param[in] expanded_keys Points to 96 bytes of valid memory, i.e., `uint8_t[96]`, containing the expanded keys obtained by invoking `expand_keys`. + @param[in] msg_len Length of `msg`. + @param[in] msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. If one needs to sign several messages under the same private key, it is more efficient to call `expand_keys` only once and `sign_expanded` multiple times, for each message. @@ -86,9 +85,10 @@ Hacl_Ed25519_sign_expanded( /** Create an Ed25519 signature. - The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + @param[out] signature Points to 64 bytes of valid memory, i.e., `uint8_t[64]`. Must not overlap the memory locations of `private_key` nor `msg`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. + @param[in] msg_len Length of `msg`. + @param[in] msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. The function first calls `expand_keys` and then invokes `sign_expanded`. @@ -101,11 +101,12 @@ Hacl_Ed25519_sign(uint8_t *signature, uint8_t *private_key, uint32_t msg_len, ui /** Verify an Ed25519 signature. - The function returns `true` if the signature is valid and `false` otherwise. + @param public_key Points to 32 bytes of valid memory containing the public key, i.e., `uint8_t[32]`. + @param msg_len Length of `msg`. + @param msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. + @param signature Points to 64 bytes of valid memory containing the signature, i.e., `uint8_t[64]`. - The argument `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. - The argument `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. + @return Returns `true` if the signature is valid and `false` otherwise. */ bool Hacl_Ed25519_verify(uint8_t *public_key, uint32_t msg_len, uint8_t *msg, uint8_t *signature); diff --git a/include/internal/Hacl_Bignum_Base.h b/include/internal/Hacl_Bignum_Base.h index f2e282f4..4e0b35cb 100644 --- a/include/internal/Hacl_Bignum_Base.h +++ b/include/internal/Hacl_Bignum_Base.h @@ -72,9 +72,9 @@ Hacl_Bignum_Convert_bn_from_bytes_be_uint64(uint32_t len, uint8_t *b, uint64_t * memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < bnLen; i++) { - uint64_t *os = res; uint64_t u = load64_be(tmp + (bnLen - i - 1U) * 8U); uint64_t x = u; + uint64_t *os = res; os[i] = x; } } @@ -372,8 +372,8 @@ Hacl_Bignum_Multiplication_bn_sqr_u32(uint32_t aLen, uint32_t *a, uint32_t *res) memset(res, 0U, (aLen + aLen) * sizeof (uint32_t)); for (uint32_t i0 = 0U; i0 < aLen; i0++) { - uint32_t *ab = a; uint32_t a_j = a[i0]; + uint32_t *ab = a; uint32_t *res_j = res + i0; uint32_t c = 0U; for (uint32_t i = 0U; i < i0 / 4U; i++) @@ -400,7 +400,16 @@ Hacl_Bignum_Multiplication_bn_sqr_u32(uint32_t aLen, uint32_t *a, uint32_t *res) uint32_t r = c; res[i0 + i0] = r; } - uint32_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, res, res, res); + KRML_CHECK_SIZE(sizeof (uint32_t), aLen + aLen); + uint32_t a_copy0[aLen + aLen]; + memset(a_copy0, 0U, (aLen + aLen) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), aLen + aLen); + uint32_t b_copy0[aLen + aLen]; + memset(b_copy0, 0U, (aLen + aLen) * sizeof (uint32_t)); + memcpy(a_copy0, res, (aLen + aLen) * sizeof (uint32_t)); + memcpy(b_copy0, res, (aLen + aLen) * sizeof (uint32_t)); + uint32_t r = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, a_copy0, b_copy0, res); + uint32_t c0 = r; KRML_MAYBE_UNUSED_VAR(c0); KRML_CHECK_SIZE(sizeof (uint32_t), aLen + aLen); uint32_t tmp[aLen + aLen]; @@ -413,7 +422,16 @@ Hacl_Bignum_Multiplication_bn_sqr_u32(uint32_t aLen, uint32_t *a, uint32_t *res) tmp[2U * i] = lo; tmp[2U * i + 1U] = hi; } - uint32_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, res, tmp, res); + KRML_CHECK_SIZE(sizeof (uint32_t), aLen + aLen); + uint32_t a_copy[aLen + aLen]; + memset(a_copy, 0U, (aLen + aLen) * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), aLen + aLen); + uint32_t b_copy[aLen + aLen]; + memset(b_copy, 0U, (aLen + aLen) * sizeof (uint32_t)); + memcpy(a_copy, res, (aLen + aLen) * sizeof (uint32_t)); + memcpy(b_copy, tmp, (aLen + aLen) * sizeof (uint32_t)); + uint32_t r0 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, a_copy, b_copy, res); + uint32_t c1 = r0; KRML_MAYBE_UNUSED_VAR(c1); } @@ -423,8 +441,8 @@ Hacl_Bignum_Multiplication_bn_sqr_u64(uint32_t aLen, uint64_t *a, uint64_t *res) memset(res, 0U, (aLen + aLen) * sizeof (uint64_t)); for (uint32_t i0 = 0U; i0 < aLen; i0++) { - uint64_t *ab = a; uint64_t a_j = a[i0]; + uint64_t *ab = a; uint64_t *res_j = res + i0; uint64_t c = 0ULL; for (uint32_t i = 0U; i < i0 / 4U; i++) @@ -451,7 +469,16 @@ Hacl_Bignum_Multiplication_bn_sqr_u64(uint32_t aLen, uint64_t *a, uint64_t *res) uint64_t r = c; res[i0 + i0] = r; } - uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, res, res, res); + KRML_CHECK_SIZE(sizeof (uint64_t), aLen + aLen); + uint64_t a_copy0[aLen + aLen]; + memset(a_copy0, 0U, (aLen + aLen) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), aLen + aLen); + uint64_t b_copy0[aLen + aLen]; + memset(b_copy0, 0U, (aLen + aLen) * sizeof (uint64_t)); + memcpy(a_copy0, res, (aLen + aLen) * sizeof (uint64_t)); + memcpy(b_copy0, res, (aLen + aLen) * sizeof (uint64_t)); + uint64_t r = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, a_copy0, b_copy0, res); + uint64_t c0 = r; KRML_MAYBE_UNUSED_VAR(c0); KRML_CHECK_SIZE(sizeof (uint64_t), aLen + aLen); uint64_t tmp[aLen + aLen]; @@ -464,7 +491,16 @@ Hacl_Bignum_Multiplication_bn_sqr_u64(uint32_t aLen, uint64_t *a, uint64_t *res) tmp[2U * i] = lo; tmp[2U * i + 1U] = hi; } - uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, res, tmp, res); + KRML_CHECK_SIZE(sizeof (uint64_t), aLen + aLen); + uint64_t a_copy[aLen + aLen]; + memset(a_copy, 0U, (aLen + aLen) * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), aLen + aLen); + uint64_t b_copy[aLen + aLen]; + memset(b_copy, 0U, (aLen + aLen) * sizeof (uint64_t)); + memcpy(a_copy, res, (aLen + aLen) * sizeof (uint64_t)); + memcpy(b_copy, tmp, (aLen + aLen) * sizeof (uint64_t)); + uint64_t r0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, a_copy, b_copy, res); + uint64_t c1 = r0; KRML_MAYBE_UNUSED_VAR(c1); } diff --git a/include/internal/Hacl_Bignum_K256.h b/include/internal/Hacl_Bignum_K256.h index fe72fffe..8a66cf21 100644 --- a/include/internal/Hacl_Bignum_K256.h +++ b/include/internal/Hacl_Bignum_K256.h @@ -104,11 +104,11 @@ static inline void Hacl_K256_Field_load_felem(uint64_t *f, uint8_t *b) 0U, 4U, 1U, - uint64_t *os = tmp; uint8_t *bj = b + i * 8U; uint64_t u = load64_be(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = tmp; os[i] = x;); uint64_t s0 = tmp[3U]; uint64_t s1 = tmp[2U]; @@ -589,7 +589,9 @@ static inline void Hacl_K256_Field_fnegate_conditional_vartime(uint64_t *f, bool f[2U] = f2; f[3U] = f3; f[4U] = f4; - Hacl_K256_Field_fnormalize(f, f); + uint64_t f_copy[5U] = { 0U }; + memcpy(f_copy, f, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fnormalize(f, f_copy); return; } } @@ -598,7 +600,9 @@ static inline void Hacl_Impl_K256_Finv_fsquare_times_in_place(uint64_t *out, uin { for (uint32_t i = 0U; i < b; i++) { - Hacl_K256_Field_fsqr(out, out); + uint64_t x_copy[5U] = { 0U }; + memcpy(x_copy, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fsqr(out, x_copy); } } @@ -607,7 +611,9 @@ static inline void Hacl_Impl_K256_Finv_fsquare_times(uint64_t *out, uint64_t *a, memcpy(out, a, 5U * sizeof (uint64_t)); for (uint32_t i = 0U; i < b; i++) { - Hacl_K256_Field_fsqr(out, out); + uint64_t x_copy[5U] = { 0U }; + memcpy(x_copy, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fsqr(out, x_copy); } } @@ -618,29 +624,53 @@ static inline void Hacl_Impl_K256_Finv_fexp_223_23(uint64_t *out, uint64_t *x2, uint64_t x44[5U] = { 0U }; uint64_t x88[5U] = { 0U }; Hacl_Impl_K256_Finv_fsquare_times(x2, f, 1U); - Hacl_K256_Field_fmul(x2, x2, f); + uint64_t f1_copy[5U] = { 0U }; + memcpy(f1_copy, x2, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(x2, f1_copy, f); Hacl_Impl_K256_Finv_fsquare_times(x3, x2, 1U); - Hacl_K256_Field_fmul(x3, x3, f); + uint64_t f1_copy0[5U] = { 0U }; + memcpy(f1_copy0, x3, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(x3, f1_copy0, f); Hacl_Impl_K256_Finv_fsquare_times(out, x3, 3U); - Hacl_K256_Field_fmul(out, out, x3); + uint64_t f1_copy1[5U] = { 0U }; + memcpy(f1_copy1, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy1, x3); Hacl_Impl_K256_Finv_fsquare_times_in_place(out, 3U); - Hacl_K256_Field_fmul(out, out, x3); + uint64_t f1_copy2[5U] = { 0U }; + memcpy(f1_copy2, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy2, x3); Hacl_Impl_K256_Finv_fsquare_times_in_place(out, 2U); - Hacl_K256_Field_fmul(out, out, x2); + uint64_t f1_copy3[5U] = { 0U }; + memcpy(f1_copy3, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy3, x2); Hacl_Impl_K256_Finv_fsquare_times(x22, out, 11U); - Hacl_K256_Field_fmul(x22, x22, out); + uint64_t f1_copy4[5U] = { 0U }; + memcpy(f1_copy4, x22, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(x22, f1_copy4, out); Hacl_Impl_K256_Finv_fsquare_times(x44, x22, 22U); - Hacl_K256_Field_fmul(x44, x44, x22); + uint64_t f1_copy5[5U] = { 0U }; + memcpy(f1_copy5, x44, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(x44, f1_copy5, x22); Hacl_Impl_K256_Finv_fsquare_times(x88, x44, 44U); - Hacl_K256_Field_fmul(x88, x88, x44); + uint64_t f1_copy6[5U] = { 0U }; + memcpy(f1_copy6, x88, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(x88, f1_copy6, x44); Hacl_Impl_K256_Finv_fsquare_times(out, x88, 88U); - Hacl_K256_Field_fmul(out, out, x88); + uint64_t f1_copy7[5U] = { 0U }; + memcpy(f1_copy7, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy7, x88); Hacl_Impl_K256_Finv_fsquare_times_in_place(out, 44U); - Hacl_K256_Field_fmul(out, out, x44); + uint64_t f1_copy8[5U] = { 0U }; + memcpy(f1_copy8, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy8, x44); Hacl_Impl_K256_Finv_fsquare_times_in_place(out, 3U); - Hacl_K256_Field_fmul(out, out, x3); + uint64_t f1_copy9[5U] = { 0U }; + memcpy(f1_copy9, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy9, x3); Hacl_Impl_K256_Finv_fsquare_times_in_place(out, 23U); - Hacl_K256_Field_fmul(out, out, x22); + uint64_t f1_copy10[5U] = { 0U }; + memcpy(f1_copy10, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy10, x22); } static inline void Hacl_Impl_K256_Finv_finv(uint64_t *out, uint64_t *f) @@ -648,11 +678,17 @@ static inline void Hacl_Impl_K256_Finv_finv(uint64_t *out, uint64_t *f) uint64_t x2[5U] = { 0U }; Hacl_Impl_K256_Finv_fexp_223_23(out, x2, f); Hacl_Impl_K256_Finv_fsquare_times_in_place(out, 5U); - Hacl_K256_Field_fmul(out, out, f); + uint64_t f1_copy[5U] = { 0U }; + memcpy(f1_copy, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy, f); Hacl_Impl_K256_Finv_fsquare_times_in_place(out, 3U); - Hacl_K256_Field_fmul(out, out, x2); + uint64_t f1_copy0[5U] = { 0U }; + memcpy(f1_copy0, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy0, x2); Hacl_Impl_K256_Finv_fsquare_times_in_place(out, 2U); - Hacl_K256_Field_fmul(out, out, f); + uint64_t f1_copy1[5U] = { 0U }; + memcpy(f1_copy1, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy1, f); } static inline void Hacl_Impl_K256_Finv_fsqrt(uint64_t *out, uint64_t *f) @@ -660,7 +696,9 @@ static inline void Hacl_Impl_K256_Finv_fsqrt(uint64_t *out, uint64_t *f) uint64_t x2[5U] = { 0U }; Hacl_Impl_K256_Finv_fexp_223_23(out, x2, f); Hacl_Impl_K256_Finv_fsquare_times_in_place(out, 6U); - Hacl_K256_Field_fmul(out, out, x2); + uint64_t f1_copy[5U] = { 0U }; + memcpy(f1_copy, out, 5U * sizeof (uint64_t)); + Hacl_K256_Field_fmul(out, f1_copy, x2); Hacl_Impl_K256_Finv_fsquare_times_in_place(out, 2U); } diff --git a/include/internal/Hacl_Frodo_KEM.h b/include/internal/Hacl_Frodo_KEM.h index a4e2f62a..5065217c 100644 --- a/include/internal/Hacl_Frodo_KEM.h +++ b/include/internal/Hacl_Frodo_KEM.h @@ -182,9 +182,9 @@ Hacl_Impl_Matrix_matrix_from_lbytes(uint32_t n1, uint32_t n2, uint8_t *b, uint16 { for (uint32_t i = 0U; i < n1 * n2; i++) { - uint16_t *os = res; uint16_t u = load16_le(b + 2U * i); uint16_t x = u; + uint16_t *os = res; os[i] = x; } } diff --git a/include/internal/Hacl_Hash_Blake2b.h b/include/internal/Hacl_Hash_Blake2b.h index 21689d60..7d07e50b 100644 --- a/include/internal/Hacl_Hash_Blake2b.h +++ b/include/internal/Hacl_Hash_Blake2b.h @@ -38,6 +38,38 @@ extern "C" { #include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2b.h" +typedef struct Hacl_Hash_Blake2s_blake2s_params_s +{ + uint8_t digest_length; + uint8_t key_length; + uint8_t fanout; + uint8_t depth; + uint32_t leaf_length; + uint32_t node_offset; + uint16_t xof_length; + uint8_t node_depth; + uint8_t inner_length; + uint8_t *salt; + uint8_t *personal; +} +Hacl_Hash_Blake2s_blake2s_params; + +typedef struct Hacl_Hash_Blake2s_blake2b_params_s +{ + uint8_t digest_length1; + uint8_t key_length1; + uint8_t fanout1; + uint8_t depth1; + uint32_t leaf_length1; + uint32_t node_offset1; + uint32_t xof_length1; + uint8_t node_depth1; + uint8_t inner_length1; + uint8_t *salt1; + uint8_t *personal1; +} +Hacl_Hash_Blake2s_blake2b_params; + void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); void diff --git a/include/internal/Hacl_Hash_Blake2b_Simd256.h b/include/internal/Hacl_Hash_Blake2b_Simd256.h index 4cc07869..4dd986b2 100644 --- a/include/internal/Hacl_Hash_Blake2b_Simd256.h +++ b/include/internal/Hacl_Hash_Blake2b_Simd256.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2b_Simd256.h" #include "libintvector.h" diff --git a/include/internal/Hacl_Hash_Blake2s.h b/include/internal/Hacl_Hash_Blake2s.h index f814aa95..eccd92de 100644 --- a/include/internal/Hacl_Hash_Blake2s.h +++ b/include/internal/Hacl_Hash_Blake2s.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s.h" void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn); diff --git a/include/internal/Hacl_Hash_Blake2s_Simd128.h b/include/internal/Hacl_Hash_Blake2s_Simd128.h index 0589aec5..2c422949 100644 --- a/include/internal/Hacl_Hash_Blake2s_Simd128.h +++ b/include/internal/Hacl_Hash_Blake2s_Simd128.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s_Simd128.h" #include "libintvector.h" diff --git a/include/lib_memzero0.h b/include/lib_memzero0.h index 506dd50f..fea3e41c 100644 --- a/include/lib_memzero0.h +++ b/include/lib_memzero0.h @@ -2,4 +2,4 @@ void Lib_Memzero0_memzero0(void *dst, uint64_t len); -#define Lib_Memzero0_memzero(dst, len, t) Lib_Memzero0_memzero0(dst, len * sizeof(t)) +#define Lib_Memzero0_memzero(dst, len, t, _ret_t) Lib_Memzero0_memzero0(dst, len * sizeof(t)) diff --git a/include/msvc/Hacl_Ed25519.h b/include/msvc/Hacl_Ed25519.h index b2654704..f0dc31e2 100644 --- a/include/msvc/Hacl_Ed25519.h +++ b/include/msvc/Hacl_Ed25519.h @@ -47,16 +47,16 @@ extern "C" { /** Compute the public key from the private key. - The outparam `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. + @param[out] public_key Points to 32 bytes of valid memory, i.e., `uint8_t[32]`. Must not overlap the memory location of `private_key`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. */ void Hacl_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key); /** Compute the expanded keys for an Ed25519 signature. - The outparam `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. + @param[out] expanded_keys Points to 96 bytes of valid memory, i.e., `uint8_t[96]`. Must not overlap the memory location of `private_key`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. If one needs to sign several messages under the same private key, it is more efficient to call `expand_keys` only once and `sign_expanded` multiple times, for each message. @@ -66,11 +66,10 @@ void Hacl_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *private_key); /** Create an Ed25519 signature with the (precomputed) expanded keys. - The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. - The argument `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. - - The argument `expanded_keys` is obtained through `expand_keys`. + @param[out] signature Points to 64 bytes of valid memory, i.e., `uint8_t[64]`. Must not overlap the memory locations of `expanded_keys` nor `msg`. + @param[in] expanded_keys Points to 96 bytes of valid memory, i.e., `uint8_t[96]`, containing the expanded keys obtained by invoking `expand_keys`. + @param[in] msg_len Length of `msg`. + @param[in] msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. If one needs to sign several messages under the same private key, it is more efficient to call `expand_keys` only once and `sign_expanded` multiple times, for each message. @@ -86,9 +85,10 @@ Hacl_Ed25519_sign_expanded( /** Create an Ed25519 signature. - The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + @param[out] signature Points to 64 bytes of valid memory, i.e., `uint8_t[64]`. Must not overlap the memory locations of `private_key` nor `msg`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. + @param[in] msg_len Length of `msg`. + @param[in] msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. The function first calls `expand_keys` and then invokes `sign_expanded`. @@ -101,11 +101,12 @@ Hacl_Ed25519_sign(uint8_t *signature, uint8_t *private_key, uint32_t msg_len, ui /** Verify an Ed25519 signature. - The function returns `true` if the signature is valid and `false` otherwise. + @param public_key Points to 32 bytes of valid memory containing the public key, i.e., `uint8_t[32]`. + @param msg_len Length of `msg`. + @param msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. + @param signature Points to 64 bytes of valid memory containing the signature, i.e., `uint8_t[64]`. - The argument `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. - The argument `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. + @return Returns `true` if the signature is valid and `false` otherwise. */ bool Hacl_Ed25519_verify(uint8_t *public_key, uint32_t msg_len, uint8_t *msg, uint8_t *signature); diff --git a/include/msvc/internal/Hacl_Hash_Blake2b.h b/include/msvc/internal/Hacl_Hash_Blake2b.h index 21689d60..7d07e50b 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2b.h +++ b/include/msvc/internal/Hacl_Hash_Blake2b.h @@ -38,6 +38,38 @@ extern "C" { #include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2b.h" +typedef struct Hacl_Hash_Blake2s_blake2s_params_s +{ + uint8_t digest_length; + uint8_t key_length; + uint8_t fanout; + uint8_t depth; + uint32_t leaf_length; + uint32_t node_offset; + uint16_t xof_length; + uint8_t node_depth; + uint8_t inner_length; + uint8_t *salt; + uint8_t *personal; +} +Hacl_Hash_Blake2s_blake2s_params; + +typedef struct Hacl_Hash_Blake2s_blake2b_params_s +{ + uint8_t digest_length1; + uint8_t key_length1; + uint8_t fanout1; + uint8_t depth1; + uint32_t leaf_length1; + uint32_t node_offset1; + uint32_t xof_length1; + uint8_t node_depth1; + uint8_t inner_length1; + uint8_t *salt1; + uint8_t *personal1; +} +Hacl_Hash_Blake2s_blake2b_params; + void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); void diff --git a/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h b/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h index 4cc07869..4dd986b2 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h +++ b/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2b_Simd256.h" #include "libintvector.h" diff --git a/include/msvc/internal/Hacl_Hash_Blake2s.h b/include/msvc/internal/Hacl_Hash_Blake2s.h index f814aa95..eccd92de 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2s.h +++ b/include/msvc/internal/Hacl_Hash_Blake2s.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s.h" void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn); diff --git a/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h b/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h index 0589aec5..2c422949 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h +++ b/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h @@ -36,6 +36,7 @@ extern "C" { #include "krml/internal/target.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "../Hacl_Hash_Blake2s_Simd128.h" #include "libintvector.h" diff --git a/include/msvc/lib_memzero0.h b/include/msvc/lib_memzero0.h index 506dd50f..fea3e41c 100644 --- a/include/msvc/lib_memzero0.h +++ b/include/msvc/lib_memzero0.h @@ -2,4 +2,4 @@ void Lib_Memzero0_memzero0(void *dst, uint64_t len); -#define Lib_Memzero0_memzero(dst, len, t) Lib_Memzero0_memzero0(dst, len * sizeof(t)) +#define Lib_Memzero0_memzero(dst, len, t, _ret_t) Lib_Memzero0_memzero0(dst, len * sizeof(t)) diff --git a/ocaml/ctypes.depend b/ocaml/ctypes.depend index 065ce5eb..75681072 100644 --- a/ocaml/ctypes.depend +++ b/ocaml/ctypes.depend @@ -1,4 +1,4 @@ -CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2b_stubs.cmx lib/Hacl_Hash_Blake2b_bindings.cmx lib/Hacl_Hash_Blake2s_stubs.cmx lib/Hacl_Hash_Blake2s_bindings.cmx lib/Hacl_Hash_Blake2b_Simd256_stubs.cmx lib/Hacl_Hash_Blake2b_Simd256_bindings.cmx lib/Hacl_Hash_Blake2s_Simd128_stubs.cmx lib/Hacl_Hash_Blake2s_Simd128_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_MAC_Poly1305_stubs.cmx lib/Hacl_MAC_Poly1305_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx lib/Hacl_MAC_Poly1305_Simd128_stubs.cmx lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx lib/Hacl_MAC_Poly1305_Simd256_stubs.cmx lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx +CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2b_stubs.cmx lib/Hacl_Hash_Blake2b_bindings.cmx lib/Hacl_Hash_Blake2s_stubs.cmx lib/Hacl_Hash_Blake2s_bindings.cmx lib/Hacl_Hash_Blake2b_Simd256_stubs.cmx lib/Hacl_Hash_Blake2b_Simd256_bindings.cmx lib/Hacl_Hash_Blake2s_Simd128_stubs.cmx lib/Hacl_Hash_Blake2s_Simd128_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_MAC_Poly1305_stubs.cmx lib/Hacl_MAC_Poly1305_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx lib/Hacl_MAC_Poly1305_Simd128_stubs.cmx lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx lib/Hacl_MAC_Poly1305_Simd256_stubs.cmx lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Streaming_Types_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmo: lib_gen/Hacl_Streaming_Types_gen.cmx: lib/Hacl_Streaming_Types_bindings.cmx @@ -291,14 +291,14 @@ lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Imp lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmo: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmo lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.cmx: lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.exe: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_c_stubs.o lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve51_CP32_SHA256_gen.cmx -lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx -lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmo: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmo -lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx: lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx -lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.exe: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_c_stubs.o lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx lib/EverCrypt_Poly1305_bindings.cmx: lib/EverCrypt_Poly1305_bindings.cmo: lib_gen/EverCrypt_Poly1305_gen.cmx: lib/EverCrypt_Poly1305_bindings.cmx lib_gen/EverCrypt_Poly1305_gen.exe: lib/EverCrypt_Poly1305_bindings.cmx lib_gen/EverCrypt_Poly1305_gen.cmx +lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx +lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmo: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmo +lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx: lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx +lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.exe: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_c_stubs.o lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib_gen/Hacl_HPKE_Curve64_CP256_SHA256_gen.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmo: lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmo lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmo lib_gen/Hacl_HPKE_Curve51_CP32_SHA512_gen.cmx: lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx diff --git a/ocaml/lib/Hacl_Bignum256_32_bindings.ml b/ocaml/lib/Hacl_Bignum256_32_bindings.ml index 1ea7279d..f4e2c3b8 100644 --- a/ocaml/lib/Hacl_Bignum256_32_bindings.ml +++ b/ocaml/lib/Hacl_Bignum256_32_bindings.ml @@ -30,8 +30,8 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Bignum256_32_sqr = foreign "Hacl_Bignum256_32_sqr" ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))) - let hacl_Bignum256_32_mod = - foreign "Hacl_Bignum256_32_mod" + let hacl_Bignum256_32_mod_op = + foreign "Hacl_Bignum256_32_mod_op" ((ptr uint32_t) @-> ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool)))) let hacl_Bignum256_32_mod_exp_vartime = diff --git a/ocaml/lib/Hacl_Bignum256_bindings.ml b/ocaml/lib/Hacl_Bignum256_bindings.ml index 69dd0d77..f47ae741 100644 --- a/ocaml/lib/Hacl_Bignum256_bindings.ml +++ b/ocaml/lib/Hacl_Bignum256_bindings.ml @@ -30,8 +30,8 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Bignum256_sqr = foreign "Hacl_Bignum256_sqr" ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))) - let hacl_Bignum256_mod = - foreign "Hacl_Bignum256_mod" + let hacl_Bignum256_mod_op = + foreign "Hacl_Bignum256_mod_op" ((ptr uint64_t) @-> ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool)))) let hacl_Bignum256_mod_exp_vartime = diff --git a/ocaml/lib/Hacl_Bignum32_bindings.ml b/ocaml/lib/Hacl_Bignum32_bindings.ml index e802e031..dca4753a 100644 --- a/ocaml/lib/Hacl_Bignum32_bindings.ml +++ b/ocaml/lib/Hacl_Bignum32_bindings.ml @@ -36,8 +36,8 @@ module Bindings(F:Cstubs.FOREIGN) = foreign "Hacl_Bignum32_sqr" (uint32_t @-> ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void)))) - let hacl_Bignum32_mod = - foreign "Hacl_Bignum32_mod" + let hacl_Bignum32_mod_op = + foreign "Hacl_Bignum32_mod_op" (uint32_t @-> ((ptr uint32_t) @-> ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool))))) diff --git a/ocaml/lib/Hacl_Bignum4096_32_bindings.ml b/ocaml/lib/Hacl_Bignum4096_32_bindings.ml index c1b846ff..ad4b0fe6 100644 --- a/ocaml/lib/Hacl_Bignum4096_32_bindings.ml +++ b/ocaml/lib/Hacl_Bignum4096_32_bindings.ml @@ -30,8 +30,8 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Bignum4096_32_sqr = foreign "Hacl_Bignum4096_32_sqr" ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning void))) - let hacl_Bignum4096_32_mod = - foreign "Hacl_Bignum4096_32_mod" + let hacl_Bignum4096_32_mod_op = + foreign "Hacl_Bignum4096_32_mod_op" ((ptr uint32_t) @-> ((ptr uint32_t) @-> ((ptr uint32_t) @-> (returning bool)))) let hacl_Bignum4096_32_mod_exp_vartime = diff --git a/ocaml/lib/Hacl_Bignum4096_bindings.ml b/ocaml/lib/Hacl_Bignum4096_bindings.ml index 2b66d574..b746ebbd 100644 --- a/ocaml/lib/Hacl_Bignum4096_bindings.ml +++ b/ocaml/lib/Hacl_Bignum4096_bindings.ml @@ -30,8 +30,8 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Bignum4096_sqr = foreign "Hacl_Bignum4096_sqr" ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void))) - let hacl_Bignum4096_mod = - foreign "Hacl_Bignum4096_mod" + let hacl_Bignum4096_mod_op = + foreign "Hacl_Bignum4096_mod_op" ((ptr uint64_t) @-> ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool)))) let hacl_Bignum4096_mod_exp_vartime = diff --git a/ocaml/lib/Hacl_Bignum64_bindings.ml b/ocaml/lib/Hacl_Bignum64_bindings.ml index a164f03a..841d55c4 100644 --- a/ocaml/lib/Hacl_Bignum64_bindings.ml +++ b/ocaml/lib/Hacl_Bignum64_bindings.ml @@ -36,8 +36,8 @@ module Bindings(F:Cstubs.FOREIGN) = foreign "Hacl_Bignum64_sqr" (uint32_t @-> ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning void)))) - let hacl_Bignum64_mod = - foreign "Hacl_Bignum64_mod" + let hacl_Bignum64_mod_op = + foreign "Hacl_Bignum64_mod_op" (uint32_t @-> ((ptr uint64_t) @-> ((ptr uint64_t) @-> ((ptr uint64_t) @-> (returning bool))))) diff --git a/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml index 75c75e90..4c32a894 100644 --- a/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml +++ b/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml @@ -5,6 +5,62 @@ module Bindings(F:Cstubs.FOREIGN) = module Hacl_Streaming_Types_applied = (Hacl_Streaming_Types_bindings.Bindings)(Hacl_Streaming_Types_stubs) open Hacl_Streaming_Types_applied + type hacl_Hash_Blake2s_blake2s_params = + [ `hacl_Hash_Blake2s_blake2s_params ] structure + let (hacl_Hash_Blake2s_blake2s_params : + [ `hacl_Hash_Blake2s_blake2s_params ] structure typ) = + structure "Hacl_Hash_Blake2s_blake2s_params_s" + let hacl_Hash_Blake2s_blake2s_params_digest_length = + field hacl_Hash_Blake2s_blake2s_params "digest_length" uint8_t + let hacl_Hash_Blake2s_blake2s_params_key_length = + field hacl_Hash_Blake2s_blake2s_params "key_length" uint8_t + let hacl_Hash_Blake2s_blake2s_params_fanout = + field hacl_Hash_Blake2s_blake2s_params "fanout" uint8_t + let hacl_Hash_Blake2s_blake2s_params_depth = + field hacl_Hash_Blake2s_blake2s_params "depth" uint8_t + let hacl_Hash_Blake2s_blake2s_params_leaf_length = + field hacl_Hash_Blake2s_blake2s_params "leaf_length" uint32_t + let hacl_Hash_Blake2s_blake2s_params_node_offset = + field hacl_Hash_Blake2s_blake2s_params "node_offset" uint32_t + let hacl_Hash_Blake2s_blake2s_params_xof_length = + field hacl_Hash_Blake2s_blake2s_params "xof_length" uint16_t + let hacl_Hash_Blake2s_blake2s_params_node_depth = + field hacl_Hash_Blake2s_blake2s_params "node_depth" uint8_t + let hacl_Hash_Blake2s_blake2s_params_inner_length = + field hacl_Hash_Blake2s_blake2s_params "inner_length" uint8_t + let hacl_Hash_Blake2s_blake2s_params_salt = + field hacl_Hash_Blake2s_blake2s_params "salt" (ptr uint8_t) + let hacl_Hash_Blake2s_blake2s_params_personal = + field hacl_Hash_Blake2s_blake2s_params "personal" (ptr uint8_t) + let _ = seal hacl_Hash_Blake2s_blake2s_params + type hacl_Hash_Blake2s_blake2b_params = + [ `hacl_Hash_Blake2s_blake2b_params ] structure + let (hacl_Hash_Blake2s_blake2b_params : + [ `hacl_Hash_Blake2s_blake2b_params ] structure typ) = + structure "Hacl_Hash_Blake2s_blake2b_params_s" + let hacl_Hash_Blake2s_blake2b_params_digest_length1 = + field hacl_Hash_Blake2s_blake2b_params "digest_length1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_key_length1 = + field hacl_Hash_Blake2s_blake2b_params "key_length1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_fanout1 = + field hacl_Hash_Blake2s_blake2b_params "fanout1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_depth1 = + field hacl_Hash_Blake2s_blake2b_params "depth1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_leaf_length1 = + field hacl_Hash_Blake2s_blake2b_params "leaf_length1" uint32_t + let hacl_Hash_Blake2s_blake2b_params_node_offset1 = + field hacl_Hash_Blake2s_blake2b_params "node_offset1" uint32_t + let hacl_Hash_Blake2s_blake2b_params_xof_length1 = + field hacl_Hash_Blake2s_blake2b_params "xof_length1" uint32_t + let hacl_Hash_Blake2s_blake2b_params_node_depth1 = + field hacl_Hash_Blake2s_blake2b_params "node_depth1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_inner_length1 = + field hacl_Hash_Blake2s_blake2b_params "inner_length1" uint8_t + let hacl_Hash_Blake2s_blake2b_params_salt1 = + field hacl_Hash_Blake2s_blake2b_params "salt1" (ptr uint8_t) + let hacl_Hash_Blake2s_blake2b_params_personal1 = + field hacl_Hash_Blake2s_blake2b_params "personal1" (ptr uint8_t) + let _ = seal hacl_Hash_Blake2s_blake2b_params let hacl_Hash_Blake2b_init = foreign "Hacl_Hash_Blake2b_init" ((ptr uint64_t) @-> (uint32_t @-> (uint32_t @-> (returning void)))) diff --git a/src/EverCrypt_DRBG.c b/src/EverCrypt_DRBG.c index 301fe528..a831a5b5 100644 --- a/src/EverCrypt_DRBG.c +++ b/src/EverCrypt_DRBG.c @@ -1770,8 +1770,8 @@ static void uninstantiate_sha1(EverCrypt_DRBG_state_s *st) uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; - Lib_Memzero0_memzero(k, 20U, uint8_t); - Lib_Memzero0_memzero(v, 20U, uint8_t); + Lib_Memzero0_memzero(k, 20U, uint8_t, void *); + Lib_Memzero0_memzero(v, 20U, uint8_t, void *); ctr[0U] = 0U; KRML_HOST_FREE(k); KRML_HOST_FREE(v); @@ -1794,8 +1794,8 @@ static void uninstantiate_sha2_256(EverCrypt_DRBG_state_s *st) uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; - Lib_Memzero0_memzero(k, 32U, uint8_t); - Lib_Memzero0_memzero(v, 32U, uint8_t); + Lib_Memzero0_memzero(k, 32U, uint8_t, void *); + Lib_Memzero0_memzero(v, 32U, uint8_t, void *); ctr[0U] = 0U; KRML_HOST_FREE(k); KRML_HOST_FREE(v); @@ -1818,8 +1818,8 @@ static void uninstantiate_sha2_384(EverCrypt_DRBG_state_s *st) uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; - Lib_Memzero0_memzero(k, 48U, uint8_t); - Lib_Memzero0_memzero(v, 48U, uint8_t); + Lib_Memzero0_memzero(k, 48U, uint8_t, void *); + Lib_Memzero0_memzero(v, 48U, uint8_t, void *); ctr[0U] = 0U; KRML_HOST_FREE(k); KRML_HOST_FREE(v); @@ -1842,8 +1842,8 @@ static void uninstantiate_sha2_512(EverCrypt_DRBG_state_s *st) uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; - Lib_Memzero0_memzero(k, 64U, uint8_t); - Lib_Memzero0_memzero(v, 64U, uint8_t); + Lib_Memzero0_memzero(k, 64U, uint8_t, void *); + Lib_Memzero0_memzero(v, 64U, uint8_t, void *); ctr[0U] = 0U; KRML_HOST_FREE(k); KRML_HOST_FREE(v); diff --git a/src/EverCrypt_HMAC.c b/src/EverCrypt_HMAC.c index 90bcaaac..24c2af58 100644 --- a/src/EverCrypt_HMAC.c +++ b/src/EverCrypt_HMAC.c @@ -236,8 +236,8 @@ EverCrypt_HMAC_compute_sha2_256( 0U, 8U, 1U, - uint32_t *os = st; uint32_t x = Hacl_Hash_SHA2_h256[i]; + uint32_t *os = st; os[i] = x;); uint32_t *s = st; uint8_t *dst1 = ipad; @@ -358,8 +358,8 @@ EverCrypt_HMAC_compute_sha2_384( 0U, 8U, 1U, - uint64_t *os = st; uint64_t x = Hacl_Hash_SHA2_h384[i]; + uint64_t *os = st; os[i] = x;); uint64_t *s = st; uint8_t *dst1 = ipad; @@ -488,8 +488,8 @@ EverCrypt_HMAC_compute_sha2_512( 0U, 8U, 1U, - uint64_t *os = st; uint64_t x = Hacl_Hash_SHA2_h512[i]; + uint64_t *os = st; os[i] = x;); uint64_t *s = st; uint8_t *dst1 = ipad; diff --git a/src/EverCrypt_Hash.c b/src/EverCrypt_Hash.c index 92b3c227..560f85ff 100644 --- a/src/EverCrypt_Hash.c +++ b/src/EverCrypt_Hash.c @@ -1273,6 +1273,7 @@ EverCrypt_Hash_Incremental_state_t KRML_CHECK_SIZE(sizeof (uint8_t), block_len(a)); uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(block_len(a), sizeof (uint8_t)); EverCrypt_Hash_state_s *block_state = create_in(a); + init(block_state); EverCrypt_Hash_Incremental_state_t s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; EverCrypt_Hash_Incremental_state_t @@ -1281,7 +1282,6 @@ EverCrypt_Hash_Incremental_state_t EverCrypt_Hash_Incremental_state_t )); p[0U] = s; - init(block_state); return p; } @@ -1290,15 +1290,11 @@ Reset an existing state to the initial hash state with empty data. */ void EverCrypt_Hash_Incremental_reset(EverCrypt_Hash_Incremental_state_t *state) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - uint8_t *buf = scrut.buf; - EverCrypt_Hash_state_s *block_state = scrut.block_state; + EverCrypt_Hash_state_s *block_state = (*state).block_state; Spec_Hash_Definitions_hash_alg i = alg_of_state(block_state); KRML_MAYBE_UNUSED_VAR(i); init(block_state); - EverCrypt_Hash_Incremental_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } /** @@ -1315,9 +1311,8 @@ EverCrypt_Hash_Incremental_update( uint32_t chunk_len ) { - EverCrypt_Hash_Incremental_state_t s = *state; - EverCrypt_Hash_state_s *block_state = s.block_state; - uint64_t total_len = s.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; Spec_Hash_Definitions_hash_alg i1 = alg_of_state(block_state); uint64_t sw; switch (i1) @@ -1416,10 +1411,8 @@ EverCrypt_Hash_Incremental_update( } if (chunk_len <= block_len(i1) - sz) { - EverCrypt_Hash_Incremental_state_t s1 = *state; - EverCrypt_Hash_state_s *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)block_len(i1) == 0ULL && total_len1 > 0ULL) { @@ -1432,22 +1425,12 @@ EverCrypt_Hash_Incremental_update( uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (EverCrypt_Hash_Incremental_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2 - } - ); + state->total_len = total_len2; } else if (sz == 0U) { - EverCrypt_Hash_Incremental_state_t s1 = *state; - EverCrypt_Hash_state_s *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)block_len(i1) == 0ULL && total_len1 > 0ULL) { @@ -1460,7 +1443,7 @@ EverCrypt_Hash_Incremental_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - update_multi(block_state1, prevlen, buf, block_len(i1)); + update_multi(block_state, prevlen, buf, block_len(i1)); } uint32_t ite0; if ((uint64_t)chunk_len % (uint64_t)block_len(i1) == 0ULL && (uint64_t)chunk_len > 0ULL) @@ -1476,28 +1459,18 @@ EverCrypt_Hash_Incremental_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - update_multi(block_state1, total_len1, data1, data1_len); + update_multi(block_state, total_len1, data1, data1_len); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (EverCrypt_Hash_Incremental_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; } else { uint32_t diff = block_len(i1) - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - EverCrypt_Hash_Incremental_state_t s1 = *state; - EverCrypt_Hash_state_s *block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; uint32_t sz10; if (total_len10 % (uint64_t)block_len(i1) == 0ULL && total_len10 > 0ULL) { @@ -1507,22 +1480,12 @@ EverCrypt_Hash_Incremental_update( { sz10 = (uint32_t)(total_len10 % (uint64_t)block_len(i1)); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (EverCrypt_Hash_Incremental_state_t){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2 - } - ); - EverCrypt_Hash_Incremental_state_t s10 = *state; - EverCrypt_Hash_state_s *block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; + state->total_len = total_len2; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)block_len(i1) == 0ULL && total_len1 > 0ULL) { @@ -1535,7 +1498,7 @@ EverCrypt_Hash_Incremental_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - update_multi(block_state1, prevlen, buf, block_len(i1)); + update_multi(block_state, prevlen, buf0, block_len(i1)); } uint32_t ite0; if @@ -1557,18 +1520,10 @@ EverCrypt_Hash_Incremental_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - update_multi(block_state1, total_len1, data1, data1_len); - uint8_t *dst = buf; + update_multi(block_state, total_len1, data1, data1_len); + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (EverCrypt_Hash_Incremental_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff) - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); } ite = Hacl_Streaming_Types_Success; } @@ -1592,10 +1547,9 @@ EverCrypt_Hash_Incremental_update( static void digest_md5(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_MD5) == 0ULL && total_len > 0ULL) { @@ -1611,6 +1565,7 @@ static void digest_md5(EverCrypt_Hash_Incremental_state_t *state, uint8_t *outpu EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_MD5) == 0U && r > 0U) { @@ -1621,7 +1576,6 @@ static void digest_md5(EverCrypt_Hash_Incremental_state_t *state, uint8_t *outpu ite = r % block_len(Spec_Hash_Definitions_MD5); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -1630,10 +1584,9 @@ static void digest_md5(EverCrypt_Hash_Incremental_state_t *state, uint8_t *outpu static void digest_sha1(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_SHA1) == 0ULL && total_len > 0ULL) { @@ -1649,6 +1602,7 @@ static void digest_sha1(EverCrypt_Hash_Incremental_state_t *state, uint8_t *outp EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_SHA1) == 0U && r > 0U) { @@ -1659,7 +1613,6 @@ static void digest_sha1(EverCrypt_Hash_Incremental_state_t *state, uint8_t *outp ite = r % block_len(Spec_Hash_Definitions_SHA1); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -1668,10 +1621,9 @@ static void digest_sha1(EverCrypt_Hash_Incremental_state_t *state, uint8_t *outp static void digest_sha224(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_SHA2_224) == 0ULL && total_len > 0ULL) @@ -1688,6 +1640,7 @@ static void digest_sha224(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_SHA2_224) == 0U && r > 0U) { @@ -1698,7 +1651,6 @@ static void digest_sha224(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou ite = r % block_len(Spec_Hash_Definitions_SHA2_224); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -1707,10 +1659,9 @@ static void digest_sha224(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou static void digest_sha256(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_SHA2_256) == 0ULL && total_len > 0ULL) @@ -1727,6 +1678,7 @@ static void digest_sha256(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_SHA2_256) == 0U && r > 0U) { @@ -1737,7 +1689,6 @@ static void digest_sha256(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou ite = r % block_len(Spec_Hash_Definitions_SHA2_256); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -1746,10 +1697,9 @@ static void digest_sha256(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou static void digest_sha3_224(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_SHA3_224) == 0ULL && total_len > 0ULL) @@ -1766,6 +1716,7 @@ static void digest_sha3_224(EverCrypt_Hash_Incremental_state_t *state, uint8_t * EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_SHA3_224) == 0U && r > 0U) { @@ -1776,7 +1727,6 @@ static void digest_sha3_224(EverCrypt_Hash_Incremental_state_t *state, uint8_t * ite = r % block_len(Spec_Hash_Definitions_SHA3_224); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -1785,10 +1735,9 @@ static void digest_sha3_224(EverCrypt_Hash_Incremental_state_t *state, uint8_t * static void digest_sha3_256(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_SHA3_256) == 0ULL && total_len > 0ULL) @@ -1805,6 +1754,7 @@ static void digest_sha3_256(EverCrypt_Hash_Incremental_state_t *state, uint8_t * EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_SHA3_256) == 0U && r > 0U) { @@ -1815,7 +1765,6 @@ static void digest_sha3_256(EverCrypt_Hash_Incremental_state_t *state, uint8_t * ite = r % block_len(Spec_Hash_Definitions_SHA3_256); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -1824,10 +1773,9 @@ static void digest_sha3_256(EverCrypt_Hash_Incremental_state_t *state, uint8_t * static void digest_sha3_384(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_SHA3_384) == 0ULL && total_len > 0ULL) @@ -1844,6 +1792,7 @@ static void digest_sha3_384(EverCrypt_Hash_Incremental_state_t *state, uint8_t * EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_SHA3_384) == 0U && r > 0U) { @@ -1854,7 +1803,6 @@ static void digest_sha3_384(EverCrypt_Hash_Incremental_state_t *state, uint8_t * ite = r % block_len(Spec_Hash_Definitions_SHA3_384); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -1863,10 +1811,9 @@ static void digest_sha3_384(EverCrypt_Hash_Incremental_state_t *state, uint8_t * static void digest_sha3_512(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_SHA3_512) == 0ULL && total_len > 0ULL) @@ -1883,6 +1830,7 @@ static void digest_sha3_512(EverCrypt_Hash_Incremental_state_t *state, uint8_t * EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_SHA3_512) == 0U && r > 0U) { @@ -1893,7 +1841,6 @@ static void digest_sha3_512(EverCrypt_Hash_Incremental_state_t *state, uint8_t * ite = r % block_len(Spec_Hash_Definitions_SHA3_512); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -1902,10 +1849,9 @@ static void digest_sha3_512(EverCrypt_Hash_Incremental_state_t *state, uint8_t * static void digest_sha384(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_SHA2_384) == 0ULL && total_len > 0ULL) @@ -1922,6 +1868,7 @@ static void digest_sha384(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_SHA2_384) == 0U && r > 0U) { @@ -1932,7 +1879,6 @@ static void digest_sha384(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou ite = r % block_len(Spec_Hash_Definitions_SHA2_384); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -1941,10 +1887,9 @@ static void digest_sha384(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou static void digest_sha512(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_SHA2_512) == 0ULL && total_len > 0ULL) @@ -1961,6 +1906,7 @@ static void digest_sha512(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_SHA2_512) == 0U && r > 0U) { @@ -1971,7 +1917,6 @@ static void digest_sha512(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou ite = r % block_len(Spec_Hash_Definitions_SHA2_512); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -1980,10 +1925,9 @@ static void digest_sha512(EverCrypt_Hash_Incremental_state_t *state, uint8_t *ou static void digest_blake2s(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_Blake2S) == 0ULL && total_len > 0ULL) { @@ -2014,6 +1958,7 @@ static void digest_blake2s(EverCrypt_Hash_Incremental_state_t *state, uint8_t *o EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_Blake2S) == 0U && r > 0U) { @@ -2024,7 +1969,6 @@ static void digest_blake2s(EverCrypt_Hash_Incremental_state_t *state, uint8_t *o ite = r % block_len(Spec_Hash_Definitions_Blake2S); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -2033,10 +1977,9 @@ static void digest_blake2s(EverCrypt_Hash_Incremental_state_t *state, uint8_t *o static void digest_blake2b(EverCrypt_Hash_Incremental_state_t *state, uint8_t *output) { - EverCrypt_Hash_Incremental_state_t scrut = *state; - EverCrypt_Hash_state_s *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + EverCrypt_Hash_state_s *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(Spec_Hash_Definitions_Blake2B) == 0ULL && total_len > 0ULL) { @@ -2067,6 +2010,7 @@ static void digest_blake2b(EverCrypt_Hash_Incremental_state_t *state, uint8_t *o EverCrypt_Hash_state_s tmp_block_state = s; copy(block_state, &tmp_block_state); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(Spec_Hash_Definitions_Blake2B) == 0U && r > 0U) { @@ -2077,7 +2021,6 @@ static void digest_blake2b(EverCrypt_Hash_Incremental_state_t *state, uint8_t *o ite = r % block_len(Spec_Hash_Definitions_Blake2B); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; update_multi(&tmp_block_state, prev_len, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; update_last(&tmp_block_state, prev_len_last, buf_last, r); @@ -2196,8 +2139,8 @@ void EverCrypt_Hash_Incremental_hash_256(uint8_t *output, uint8_t *input, uint32 0U, 8U, 1U, - uint32_t *os = st; uint32_t x = Hacl_Hash_SHA2_h256[i]; + uint32_t *os = st; os[i] = x;); uint32_t *s = st; uint32_t blocks_n0 = input_len / 64U; @@ -2234,8 +2177,8 @@ static void hash_224(uint8_t *output, uint8_t *input, uint32_t input_len) 0U, 8U, 1U, - uint32_t *os = st; uint32_t x = Hacl_Hash_SHA2_h224[i]; + uint32_t *os = st; os[i] = x;); uint32_t *s = st; uint32_t blocks_n0 = input_len / 64U; diff --git a/src/Hacl_AEAD_Chacha20Poly1305.c b/src/Hacl_AEAD_Chacha20Poly1305.c index d5926093..4b683308 100644 --- a/src/Hacl_AEAD_Chacha20Poly1305.c +++ b/src/Hacl_AEAD_Chacha20Poly1305.c @@ -579,7 +579,8 @@ Hacl_AEAD_Chacha20Poly1305_encrypt( { Hacl_Chacha20_chacha20_encrypt(input_len, output, input, key, nonce, 1U); uint8_t tmp[64U] = { 0U }; - Hacl_Chacha20_chacha20_encrypt(64U, tmp, tmp, key, nonce, 0U); + uint8_t tmp_copy[64U] = { 0U }; + Hacl_Chacha20_chacha20_encrypt(64U, tmp, tmp_copy, key, nonce, 0U); uint8_t *key1 = tmp; poly1305_do_32(key1, data_len, data, input_len, output, tag); } @@ -618,7 +619,8 @@ Hacl_AEAD_Chacha20Poly1305_decrypt( { uint8_t computed_tag[16U] = { 0U }; uint8_t tmp[64U] = { 0U }; - Hacl_Chacha20_chacha20_encrypt(64U, tmp, tmp, key, nonce, 0U); + uint8_t tmp_copy[64U] = { 0U }; + Hacl_Chacha20_chacha20_encrypt(64U, tmp, tmp_copy, key, nonce, 0U); uint8_t *key1 = tmp; poly1305_do_32(key1, data_len, data, input_len, input, computed_tag); uint8_t res = 255U; diff --git a/src/Hacl_AEAD_Chacha20Poly1305_Simd128.c b/src/Hacl_AEAD_Chacha20Poly1305_Simd128.c index 0cfa41fd..38494f80 100644 --- a/src/Hacl_AEAD_Chacha20Poly1305_Simd128.c +++ b/src/Hacl_AEAD_Chacha20Poly1305_Simd128.c @@ -1095,7 +1095,8 @@ Hacl_AEAD_Chacha20Poly1305_Simd128_encrypt( { Hacl_Chacha20_Vec128_chacha20_encrypt_128(input_len, output, input, key, nonce, 1U); uint8_t tmp[64U] = { 0U }; - Hacl_Chacha20_Vec128_chacha20_encrypt_128(64U, tmp, tmp, key, nonce, 0U); + uint8_t tmp_copy[64U] = { 0U }; + Hacl_Chacha20_Vec128_chacha20_encrypt_128(64U, tmp, tmp_copy, key, nonce, 0U); uint8_t *key1 = tmp; poly1305_do_128(key1, data_len, data, input_len, output, tag); } @@ -1134,7 +1135,8 @@ Hacl_AEAD_Chacha20Poly1305_Simd128_decrypt( { uint8_t computed_tag[16U] = { 0U }; uint8_t tmp[64U] = { 0U }; - Hacl_Chacha20_Vec128_chacha20_encrypt_128(64U, tmp, tmp, key, nonce, 0U); + uint8_t tmp_copy[64U] = { 0U }; + Hacl_Chacha20_Vec128_chacha20_encrypt_128(64U, tmp, tmp_copy, key, nonce, 0U); uint8_t *key1 = tmp; poly1305_do_128(key1, data_len, data, input_len, input, computed_tag); uint8_t res = 255U; diff --git a/src/Hacl_AEAD_Chacha20Poly1305_Simd256.c b/src/Hacl_AEAD_Chacha20Poly1305_Simd256.c index 28414516..edf44f38 100644 --- a/src/Hacl_AEAD_Chacha20Poly1305_Simd256.c +++ b/src/Hacl_AEAD_Chacha20Poly1305_Simd256.c @@ -1096,7 +1096,8 @@ Hacl_AEAD_Chacha20Poly1305_Simd256_encrypt( { Hacl_Chacha20_Vec256_chacha20_encrypt_256(input_len, output, input, key, nonce, 1U); uint8_t tmp[64U] = { 0U }; - Hacl_Chacha20_Vec256_chacha20_encrypt_256(64U, tmp, tmp, key, nonce, 0U); + uint8_t tmp_copy[64U] = { 0U }; + Hacl_Chacha20_Vec256_chacha20_encrypt_256(64U, tmp, tmp_copy, key, nonce, 0U); uint8_t *key1 = tmp; poly1305_do_256(key1, data_len, data, input_len, output, tag); } @@ -1135,7 +1136,8 @@ Hacl_AEAD_Chacha20Poly1305_Simd256_decrypt( { uint8_t computed_tag[16U] = { 0U }; uint8_t tmp[64U] = { 0U }; - Hacl_Chacha20_Vec256_chacha20_encrypt_256(64U, tmp, tmp, key, nonce, 0U); + uint8_t tmp_copy[64U] = { 0U }; + Hacl_Chacha20_Vec256_chacha20_encrypt_256(64U, tmp, tmp_copy, key, nonce, 0U); uint8_t *key1 = tmp; poly1305_do_256(key1, data_len, data, input_len, input, computed_tag); uint8_t res = 255U; diff --git a/src/Hacl_Bignum.c b/src/Hacl_Bignum.c index 568bcc26..90f696d9 100644 --- a/src/Hacl_Bignum.c +++ b/src/Hacl_Bignum.c @@ -54,8 +54,8 @@ Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32( uint32_t c10 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a1, a0, t0); for (uint32_t i = 0U; i < len2; i++) { - uint32_t *os = t0; uint32_t x = ((0U - c0) & t0[i]) | (~(0U - c0) & tmp_[i]); + uint32_t *os = t0; os[i] = x; } KRML_MAYBE_UNUSED_VAR(c10); @@ -64,8 +64,8 @@ Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32( uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, b1, b0, t1); for (uint32_t i = 0U; i < len2; i++) { - uint32_t *os = t1; uint32_t x = ((0U - c010) & t1[i]) | (~(0U - c010) & tmp_[i]); + uint32_t *os = t1; os[i] = x; } KRML_MAYBE_UNUSED_VAR(c1); @@ -92,15 +92,24 @@ Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32( uint32_t mask = 0U - c_sign; for (uint32_t i = 0U; i < aLen; i++) { - uint32_t *os = t45; uint32_t x = (mask & t45[i]) | (~mask & t67[i]); + uint32_t *os = t45; os[i] = x; } uint32_t c5 = (mask & c41) | (~mask & c31); uint32_t aLen2 = aLen / 2U; uint32_t *r0 = res + aLen2; - uint32_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r0, t45, r0); - uint32_t c6 = r10; + KRML_CHECK_SIZE(sizeof (uint32_t), aLen); + uint32_t a_copy[aLen]; + memset(a_copy, 0U, aLen * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), aLen); + uint32_t b_copy[aLen]; + memset(b_copy, 0U, aLen * sizeof (uint32_t)); + memcpy(a_copy, r0, aLen * sizeof (uint32_t)); + memcpy(b_copy, t45, aLen * sizeof (uint32_t)); + uint32_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, a_copy, b_copy, r0); + uint32_t r11 = r10; + uint32_t c6 = r11; uint32_t c60 = c6; uint32_t c7 = c5 + c60; uint32_t *r = res + aLen + aLen2; @@ -176,8 +185,8 @@ Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64( uint64_t c10 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a1, a0, t0); for (uint32_t i = 0U; i < len2; i++) { - uint64_t *os = t0; uint64_t x = ((0ULL - c0) & t0[i]) | (~(0ULL - c0) & tmp_[i]); + uint64_t *os = t0; os[i] = x; } KRML_MAYBE_UNUSED_VAR(c10); @@ -186,8 +195,8 @@ Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64( uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, b1, b0, t1); for (uint32_t i = 0U; i < len2; i++) { - uint64_t *os = t1; uint64_t x = ((0ULL - c010) & t1[i]) | (~(0ULL - c010) & tmp_[i]); + uint64_t *os = t1; os[i] = x; } KRML_MAYBE_UNUSED_VAR(c1); @@ -214,15 +223,24 @@ Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64( uint64_t mask = 0ULL - c_sign; for (uint32_t i = 0U; i < aLen; i++) { - uint64_t *os = t45; uint64_t x = (mask & t45[i]) | (~mask & t67[i]); + uint64_t *os = t45; os[i] = x; } uint64_t c5 = (mask & c41) | (~mask & c31); uint32_t aLen2 = aLen / 2U; uint64_t *r0 = res + aLen2; - uint64_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r0, t45, r0); - uint64_t c6 = r10; + KRML_CHECK_SIZE(sizeof (uint64_t), aLen); + uint64_t a_copy[aLen]; + memset(a_copy, 0U, aLen * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), aLen); + uint64_t b_copy[aLen]; + memset(b_copy, 0U, aLen * sizeof (uint64_t)); + memcpy(a_copy, r0, aLen * sizeof (uint64_t)); + memcpy(b_copy, t45, aLen * sizeof (uint64_t)); + uint64_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, a_copy, b_copy, r0); + uint64_t r11 = r10; + uint64_t c6 = r11; uint64_t c60 = c6; uint64_t c7 = c5 + c60; uint64_t *r = res + aLen + aLen2; @@ -294,8 +312,8 @@ Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32( uint32_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u32(len2, a1, a0, t0); for (uint32_t i = 0U; i < len2; i++) { - uint32_t *os = t0; uint32_t x = ((0U - c0) & t0[i]) | (~(0U - c0) & tmp_[i]); + uint32_t *os = t0; os[i] = x; } KRML_MAYBE_UNUSED_VAR(c1); @@ -318,8 +336,17 @@ Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32( uint32_t c5 = c2 - c3; uint32_t aLen2 = aLen / 2U; uint32_t *r0 = res + aLen2; - uint32_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, r0, t45, r0); - uint32_t c4 = r10; + KRML_CHECK_SIZE(sizeof (uint32_t), aLen); + uint32_t a_copy[aLen]; + memset(a_copy, 0U, aLen * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), aLen); + uint32_t b_copy[aLen]; + memset(b_copy, 0U, aLen * sizeof (uint32_t)); + memcpy(a_copy, r0, aLen * sizeof (uint32_t)); + memcpy(b_copy, t45, aLen * sizeof (uint32_t)); + uint32_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen, a_copy, b_copy, r0); + uint32_t r11 = r10; + uint32_t c4 = r11; uint32_t c6 = c4; uint32_t c7 = c5 + c6; uint32_t *r = res + aLen + aLen2; @@ -391,8 +418,8 @@ Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64( uint64_t c1 = Hacl_Bignum_Addition_bn_sub_eq_len_u64(len2, a1, a0, t0); for (uint32_t i = 0U; i < len2; i++) { - uint64_t *os = t0; uint64_t x = ((0ULL - c0) & t0[i]) | (~(0ULL - c0) & tmp_[i]); + uint64_t *os = t0; os[i] = x; } KRML_MAYBE_UNUSED_VAR(c1); @@ -415,8 +442,17 @@ Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64( uint64_t c5 = c2 - c3; uint32_t aLen2 = aLen / 2U; uint64_t *r0 = res + aLen2; - uint64_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, r0, t45, r0); - uint64_t c4 = r10; + KRML_CHECK_SIZE(sizeof (uint64_t), aLen); + uint64_t a_copy[aLen]; + memset(a_copy, 0U, aLen * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), aLen); + uint64_t b_copy[aLen]; + memset(b_copy, 0U, aLen * sizeof (uint64_t)); + memcpy(a_copy, r0, aLen * sizeof (uint64_t)); + memcpy(b_copy, t45, aLen * sizeof (uint64_t)); + uint64_t r10 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen, a_copy, b_copy, r0); + uint64_t r11 = r10; + uint64_t c4 = r11; uint64_t c6 = c4; uint64_t c7 = c5 + c6; uint64_t *r = res + aLen + aLen2; @@ -537,8 +573,8 @@ Hacl_Bignum_bn_add_mod_n_u32( uint32_t c2 = c00 - c1; for (uint32_t i = 0U; i < len1; i++) { - uint32_t *os = res; uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint32_t *os = res; os[i] = x; } } @@ -614,8 +650,8 @@ Hacl_Bignum_bn_add_mod_n_u64( uint64_t c2 = c00 - c1; for (uint32_t i = 0U; i < len1; i++) { - uint64_t *os = res; uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint64_t *os = res; os[i] = x; } } @@ -692,8 +728,8 @@ Hacl_Bignum_bn_sub_mod_n_u32( uint32_t c2 = 0U - c00; for (uint32_t i = 0U; i < len1; i++) { - uint32_t *os = res; uint32_t x = (c2 & tmp[i]) | (~c2 & res[i]); + uint32_t *os = res; os[i] = x; } } @@ -770,8 +806,8 @@ Hacl_Bignum_bn_sub_mod_n_u64( uint64_t c2 = 0ULL - c00; for (uint32_t i = 0U; i < len1; i++) { - uint64_t *os = res; uint64_t x = (c2 & tmp[i]) | (~c2 & res[i]); + uint64_t *os = res; os[i] = x; } } @@ -852,7 +888,15 @@ Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32( res[i] = res[i] | 1U << j; for (uint32_t i0 = 0U; i0 < 64U * len - nBits; i0++) { - Hacl_Bignum_bn_add_mod_n_u32(len, n, res, res, res); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t a_copy[len]; + memset(a_copy, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t b_copy[len]; + memset(b_copy, 0U, len * sizeof (uint32_t)); + memcpy(a_copy, res, len * sizeof (uint32_t)); + memcpy(b_copy, res, len * sizeof (uint32_t)); + Hacl_Bignum_bn_add_mod_n_u32(len, n, a_copy, b_copy, res); } } @@ -888,8 +932,8 @@ bn_mont_reduction_u32(uint32_t len, uint32_t *n, uint32_t nInv, uint32_t *c, uin } uint32_t r = c1; uint32_t c10 = r; - uint32_t *resb = c + len + i0; uint32_t res_j = c[len + i0]; + uint32_t *resb = c + len + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); } memcpy(res, c + len, (len + len - len) * sizeof (uint32_t)); @@ -928,8 +972,8 @@ bn_mont_reduction_u32(uint32_t len, uint32_t *n, uint32_t nInv, uint32_t *c, uin uint32_t c2 = c00 - c10; for (uint32_t i = 0U; i < len; i++) { - uint32_t *os = res; uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint32_t *os = res; os[i] = x; } } @@ -1043,7 +1087,15 @@ Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64( res[i] = res[i] | 1ULL << j; for (uint32_t i0 = 0U; i0 < 128U * len - nBits; i0++) { - Hacl_Bignum_bn_add_mod_n_u64(len, n, res, res, res); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t a_copy[len]; + memset(a_copy, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t b_copy[len]; + memset(b_copy, 0U, len * sizeof (uint64_t)); + memcpy(a_copy, res, len * sizeof (uint64_t)); + memcpy(b_copy, res, len * sizeof (uint64_t)); + Hacl_Bignum_bn_add_mod_n_u64(len, n, a_copy, b_copy, res); } } @@ -1079,8 +1131,8 @@ bn_mont_reduction_u64(uint32_t len, uint64_t *n, uint64_t nInv, uint64_t *c, uin } uint64_t r = c1; uint64_t c10 = r; - uint64_t *resb = c + len + i0; uint64_t res_j = c[len + i0]; + uint64_t *resb = c + len + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); } memcpy(res, c + len, (len + len - len) * sizeof (uint64_t)); @@ -1119,8 +1171,8 @@ bn_mont_reduction_u64(uint32_t len, uint64_t *n, uint64_t nInv, uint64_t *c, uin uint64_t c2 = c00 - c10; for (uint32_t i = 0U; i < len; i++) { - uint64_t *os = res; uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint64_t *os = res; os[i] = x; } } @@ -1238,8 +1290,8 @@ Hacl_Bignum_AlmostMontgomery_bn_almost_mont_reduction_u32( } uint32_t r = c1; uint32_t c10 = r; - uint32_t *resb = c + len + i0; uint32_t res_j = c[len + i0]; + uint32_t *resb = c + len + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); } memcpy(res, c + len, (len + len - len) * sizeof (uint32_t)); @@ -1252,8 +1304,8 @@ Hacl_Bignum_AlmostMontgomery_bn_almost_mont_reduction_u32( uint32_t m = 0U - c00; for (uint32_t i = 0U; i < len; i++) { - uint32_t *os = res; uint32_t x = (m & tmp[i]) | (~m & res[i]); + uint32_t *os = res; os[i] = x; } } @@ -1335,8 +1387,8 @@ Hacl_Bignum_AlmostMontgomery_bn_almost_mont_reduction_u64( } uint64_t r = c1; uint64_t c10 = r; - uint64_t *resb = c + len + i0; uint64_t res_j = c[len + i0]; + uint64_t *resb = c + len + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); } memcpy(res, c + len, (len + len - len) * sizeof (uint64_t)); @@ -1349,8 +1401,8 @@ Hacl_Bignum_AlmostMontgomery_bn_almost_mont_reduction_u64( uint64_t m = 0ULL - c00; for (uint32_t i = 0U; i < len; i++) { - uint64_t *os = res; uint64_t x = (m & tmp[i]) | (~m & res[i]); + uint64_t *os = res; os[i] = x; } } @@ -1489,9 +1541,9 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32( memset(ctx, 0U, (len + len) * sizeof (uint32_t)); memcpy(ctx, n, len * sizeof (uint32_t)); memcpy(ctx + len, r2, len * sizeof (uint32_t)); - uint32_t *ctx_n = ctx; + uint32_t *ctx_n0 = ctx; uint32_t *ctx_r2 = ctx + len; - Hacl_Bignum_Montgomery_bn_from_mont_u32(len, ctx_n, mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u32(len, ctx_n0, mu, ctx_r2, resM); for (uint32_t i = 0U; i < bBits; i++) { uint32_t i1 = i / 32U; @@ -1500,11 +1552,19 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32( uint32_t bit = tmp >> j & 1U; if (!(bit == 0U)) { - uint32_t *ctx_n0 = ctx; - bn_almost_mont_mul_u32(len, ctx_n0, mu, resM, aM, resM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy, resM, len * sizeof (uint32_t)); + uint32_t *ctx_n = ctx; + bn_almost_mont_mul_u32(len, ctx_n, mu, aM_copy, aM, resM); } - uint32_t *ctx_n0 = ctx; - bn_almost_mont_sqr_u32(len, ctx_n0, mu, aM, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy, aM, len * sizeof (uint32_t)); + uint32_t *ctx_n = ctx; + bn_almost_mont_sqr_u32(len, ctx_n, mu, aM_copy, aM); } Hacl_Bignum_Montgomery_bn_from_mont_u32(len, n, mu, resM, res); return; @@ -1542,17 +1602,26 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32( uint32_t *ctx_r20 = ctx + len; Hacl_Bignum_Montgomery_bn_from_mont_u32(len, ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, len * sizeof (uint32_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint32_t *t11 = table + (i + 1U) * len; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy0[len]; + memset(aM_copy0, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy0, t11, len * sizeof (uint32_t)); uint32_t *ctx_n1 = ctx; - bn_almost_mont_sqr_u32(len, ctx_n1, mu, t11, tmp); + bn_almost_mont_sqr_u32(len, ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * len, tmp, len * sizeof (uint32_t)); uint32_t *t2 = table + (2U * i + 2U) * len; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy, aM, len * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - bn_almost_mont_mul_u32(len, ctx_n, mu, aM, t2, tmp); + bn_almost_mont_mul_u32(len, ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * len, tmp, len * sizeof (uint32_t));); if (bBits % 4U != 0U) { @@ -1577,15 +1646,23 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32( 0U, 4U, 1U, + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy, resM, len * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - bn_almost_mont_sqr_u32(len, ctx_n, mu, resM, resM);); + bn_almost_mont_sqr_u32(len, ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i - 4U; uint32_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u32(bLen, b, k, 4U); uint32_t bits_l32 = bits_l; const uint32_t *a_bits_l = table + bits_l32 * len; memcpy(tmp0, (uint32_t *)a_bits_l, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy, resM, len * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - bn_almost_mont_mul_u32(len, ctx_n, mu, resM, tmp0, resM); + bn_almost_mont_mul_u32(len, ctx_n, mu, aM_copy, tmp0, resM); } Hacl_Bignum_Montgomery_bn_from_mont_u32(len, n, mu, resM, res); } @@ -1617,9 +1694,9 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( memcpy(ctx, n, len * sizeof (uint32_t)); memcpy(ctx + len, r2, len * sizeof (uint32_t)); uint32_t sw = 0U; - uint32_t *ctx_n = ctx; + uint32_t *ctx_n0 = ctx; uint32_t *ctx_r2 = ctx + len; - Hacl_Bignum_Montgomery_bn_from_mont_u32(len, ctx_n, mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u32(len, ctx_n0, mu, ctx_r2, resM); for (uint32_t i0 = 0U; i0 < bBits; i0++) { uint32_t i1 = (bBits - i0 - 1U) / 32U; @@ -1633,10 +1710,18 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( resM[i] = resM[i] ^ dummy; aM[i] = aM[i] ^ dummy; } - uint32_t *ctx_n0 = ctx; - bn_almost_mont_mul_u32(len, ctx_n0, mu, aM, resM, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy, aM, len * sizeof (uint32_t)); uint32_t *ctx_n1 = ctx; - bn_almost_mont_sqr_u32(len, ctx_n1, mu, resM, resM); + bn_almost_mont_mul_u32(len, ctx_n1, mu, aM_copy, resM, aM); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy0[len]; + memset(aM_copy0, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy0, resM, len * sizeof (uint32_t)); + uint32_t *ctx_n = ctx; + bn_almost_mont_sqr_u32(len, ctx_n, mu, aM_copy0, resM); sw = bit; } uint32_t sw0 = sw; @@ -1682,17 +1767,26 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( uint32_t *ctx_r20 = ctx + len; Hacl_Bignum_Montgomery_bn_from_mont_u32(len, ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, len * sizeof (uint32_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint32_t *t11 = table + (i + 1U) * len; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy0[len]; + memset(aM_copy0, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy0, t11, len * sizeof (uint32_t)); uint32_t *ctx_n1 = ctx; - bn_almost_mont_sqr_u32(len, ctx_n1, mu, t11, tmp); + bn_almost_mont_sqr_u32(len, ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * len, tmp, len * sizeof (uint32_t)); uint32_t *t2 = table + (2U * i + 2U) * len; + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy, aM, len * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - bn_almost_mont_mul_u32(len, ctx_n, mu, aM, t2, tmp); + bn_almost_mont_mul_u32(len, ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * len, tmp, len * sizeof (uint32_t));); if (bBits % 4U != 0U) { @@ -1707,8 +1801,8 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( const uint32_t *res_j = table + (i1 + 1U) * len; for (uint32_t i = 0U; i < len; i++) { - uint32_t *os = resM; uint32_t x = (c & res_j[i]) | (~c & resM[i]); + uint32_t *os = resM; os[i] = x; }); } @@ -1727,8 +1821,12 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( 0U, 4U, 1U, + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy, resM, len * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - bn_almost_mont_sqr_u32(len, ctx_n, mu, resM, resM);); + bn_almost_mont_sqr_u32(len, ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i0 - 4U; uint32_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u32(bLen, b, k, 4U); memcpy(tmp0, (uint32_t *)(table + 0U * len), len * sizeof (uint32_t)); @@ -1740,12 +1838,16 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32( const uint32_t *res_j = table + (i1 + 1U) * len; for (uint32_t i = 0U; i < len; i++) { - uint32_t *os = tmp0; uint32_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint32_t *os = tmp0; os[i] = x; }); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint32_t)); + memcpy(aM_copy, resM, len * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - bn_almost_mont_mul_u32(len, ctx_n, mu, resM, tmp0, resM); + bn_almost_mont_mul_u32(len, ctx_n, mu, aM_copy, tmp0, resM); } Hacl_Bignum_Montgomery_bn_from_mont_u32(len, n, mu, resM, res); } @@ -1883,9 +1985,9 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64( memset(ctx, 0U, (len + len) * sizeof (uint64_t)); memcpy(ctx, n, len * sizeof (uint64_t)); memcpy(ctx + len, r2, len * sizeof (uint64_t)); - uint64_t *ctx_n = ctx; + uint64_t *ctx_n0 = ctx; uint64_t *ctx_r2 = ctx + len; - Hacl_Bignum_Montgomery_bn_from_mont_u64(len, ctx_n, mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u64(len, ctx_n0, mu, ctx_r2, resM); for (uint32_t i = 0U; i < bBits; i++) { uint32_t i1 = i / 64U; @@ -1894,11 +1996,19 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64( uint64_t bit = tmp >> j & 1ULL; if (!(bit == 0ULL)) { - uint64_t *ctx_n0 = ctx; - bn_almost_mont_mul_u64(len, ctx_n0, mu, resM, aM, resM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy, resM, len * sizeof (uint64_t)); + uint64_t *ctx_n = ctx; + bn_almost_mont_mul_u64(len, ctx_n, mu, aM_copy, aM, resM); } - uint64_t *ctx_n0 = ctx; - bn_almost_mont_sqr_u64(len, ctx_n0, mu, aM, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy, aM, len * sizeof (uint64_t)); + uint64_t *ctx_n = ctx; + bn_almost_mont_sqr_u64(len, ctx_n, mu, aM_copy, aM); } Hacl_Bignum_Montgomery_bn_from_mont_u64(len, n, mu, resM, res); return; @@ -1936,17 +2046,26 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64( uint64_t *ctx_r20 = ctx + len; Hacl_Bignum_Montgomery_bn_from_mont_u64(len, ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, len * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint64_t *t11 = table + (i + 1U) * len; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy0[len]; + memset(aM_copy0, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy0, t11, len * sizeof (uint64_t)); uint64_t *ctx_n1 = ctx; - bn_almost_mont_sqr_u64(len, ctx_n1, mu, t11, tmp); + bn_almost_mont_sqr_u64(len, ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * len, tmp, len * sizeof (uint64_t)); uint64_t *t2 = table + (2U * i + 2U) * len; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy, aM, len * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - bn_almost_mont_mul_u64(len, ctx_n, mu, aM, t2, tmp); + bn_almost_mont_mul_u64(len, ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * len, tmp, len * sizeof (uint64_t));); if (bBits % 4U != 0U) { @@ -1971,15 +2090,23 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64( 0U, 4U, 1U, + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy, resM, len * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - bn_almost_mont_sqr_u64(len, ctx_n, mu, resM, resM);); + bn_almost_mont_sqr_u64(len, ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i - 4U; uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(bLen, b, k, 4U); uint32_t bits_l32 = (uint32_t)bits_l; const uint64_t *a_bits_l = table + bits_l32 * len; memcpy(tmp0, (uint64_t *)a_bits_l, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy, resM, len * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - bn_almost_mont_mul_u64(len, ctx_n, mu, resM, tmp0, resM); + bn_almost_mont_mul_u64(len, ctx_n, mu, aM_copy, tmp0, resM); } Hacl_Bignum_Montgomery_bn_from_mont_u64(len, n, mu, resM, res); } @@ -2011,9 +2138,9 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( memcpy(ctx, n, len * sizeof (uint64_t)); memcpy(ctx + len, r2, len * sizeof (uint64_t)); uint64_t sw = 0ULL; - uint64_t *ctx_n = ctx; + uint64_t *ctx_n0 = ctx; uint64_t *ctx_r2 = ctx + len; - Hacl_Bignum_Montgomery_bn_from_mont_u64(len, ctx_n, mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u64(len, ctx_n0, mu, ctx_r2, resM); for (uint32_t i0 = 0U; i0 < bBits; i0++) { uint32_t i1 = (bBits - i0 - 1U) / 64U; @@ -2027,10 +2154,18 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( resM[i] = resM[i] ^ dummy; aM[i] = aM[i] ^ dummy; } - uint64_t *ctx_n0 = ctx; - bn_almost_mont_mul_u64(len, ctx_n0, mu, aM, resM, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy, aM, len * sizeof (uint64_t)); uint64_t *ctx_n1 = ctx; - bn_almost_mont_sqr_u64(len, ctx_n1, mu, resM, resM); + bn_almost_mont_mul_u64(len, ctx_n1, mu, aM_copy, resM, aM); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy0[len]; + memset(aM_copy0, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy0, resM, len * sizeof (uint64_t)); + uint64_t *ctx_n = ctx; + bn_almost_mont_sqr_u64(len, ctx_n, mu, aM_copy0, resM); sw = bit; } uint64_t sw0 = sw; @@ -2076,17 +2211,26 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( uint64_t *ctx_r20 = ctx + len; Hacl_Bignum_Montgomery_bn_from_mont_u64(len, ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, len * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint64_t *t11 = table + (i + 1U) * len; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy0[len]; + memset(aM_copy0, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy0, t11, len * sizeof (uint64_t)); uint64_t *ctx_n1 = ctx; - bn_almost_mont_sqr_u64(len, ctx_n1, mu, t11, tmp); + bn_almost_mont_sqr_u64(len, ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * len, tmp, len * sizeof (uint64_t)); uint64_t *t2 = table + (2U * i + 2U) * len; + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy, aM, len * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - bn_almost_mont_mul_u64(len, ctx_n, mu, aM, t2, tmp); + bn_almost_mont_mul_u64(len, ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * len, tmp, len * sizeof (uint64_t));); if (bBits % 4U != 0U) { @@ -2101,8 +2245,8 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( const uint64_t *res_j = table + (i1 + 1U) * len; for (uint32_t i = 0U; i < len; i++) { - uint64_t *os = resM; uint64_t x = (c & res_j[i]) | (~c & resM[i]); + uint64_t *os = resM; os[i] = x; }); } @@ -2121,8 +2265,12 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( 0U, 4U, 1U, + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy, resM, len * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - bn_almost_mont_sqr_u64(len, ctx_n, mu, resM, resM);); + bn_almost_mont_sqr_u64(len, ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i0 - 4U; uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(bLen, b, k, 4U); memcpy(tmp0, (uint64_t *)(table + 0U * len), len * sizeof (uint64_t)); @@ -2134,12 +2282,16 @@ Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64( const uint64_t *res_j = table + (i1 + 1U) * len; for (uint32_t i = 0U; i < len; i++) { - uint64_t *os = tmp0; uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint64_t *os = tmp0; os[i] = x; }); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t aM_copy[len]; + memset(aM_copy, 0U, len * sizeof (uint64_t)); + memcpy(aM_copy, resM, len * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - bn_almost_mont_mul_u64(len, ctx_n, mu, resM, tmp0, resM); + bn_almost_mont_mul_u64(len, ctx_n, mu, aM_copy, tmp0, resM); } Hacl_Bignum_Montgomery_bn_from_mont_u64(len, n, mu, resM, res); } diff --git a/src/Hacl_Bignum256.c b/src/Hacl_Bignum256.c index 54bbc88a..a41498ae 100644 --- a/src/Hacl_Bignum256.c +++ b/src/Hacl_Bignum256.c @@ -171,8 +171,8 @@ void Hacl_Bignum256_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res 0U, 4U, 1U, - uint64_t *os = res; uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint64_t *os = res; os[i] = x;); } @@ -235,8 +235,8 @@ void Hacl_Bignum256_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res 0U, 4U, 1U, - uint64_t *os = res; uint64_t x = (c2 & tmp[i]) | (~c2 & res[i]); + uint64_t *os = res; os[i] = x;); } @@ -287,8 +287,8 @@ void Hacl_Bignum256_sqr(uint64_t *a, uint64_t *res) 0U, 4U, 1U, - uint64_t *ab = a; uint64_t a_j = a[i0]; + uint64_t *ab = a; uint64_t *res_j = res + i0; uint64_t c = 0ULL; for (uint32_t i = 0U; i < i0 / 4U; i++) @@ -314,7 +314,12 @@ void Hacl_Bignum256_sqr(uint64_t *a, uint64_t *res) } uint64_t r = c; res[i0 + i0] = r;); - uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, res, res, res); + uint64_t a_copy0[8U] = { 0U }; + uint64_t b_copy0[8U] = { 0U }; + memcpy(a_copy0, res, 8U * sizeof (uint64_t)); + memcpy(b_copy0, res, 8U * sizeof (uint64_t)); + uint64_t r = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, a_copy0, b_copy0, res); + uint64_t c0 = r; KRML_MAYBE_UNUSED_VAR(c0); uint64_t tmp[8U] = { 0U }; KRML_MAYBE_FOR4(i, @@ -326,7 +331,12 @@ void Hacl_Bignum256_sqr(uint64_t *a, uint64_t *res) uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); tmp[2U * i] = lo; tmp[2U * i + 1U] = hi;); - uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, res, tmp, res); + uint64_t a_copy[8U] = { 0U }; + uint64_t b_copy[8U] = { 0U }; + memcpy(a_copy, res, 8U * sizeof (uint64_t)); + memcpy(b_copy, tmp, 8U * sizeof (uint64_t)); + uint64_t r0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, a_copy, b_copy, res); + uint64_t c1 = r0; KRML_MAYBE_UNUSED_VAR(c1); } @@ -338,7 +348,11 @@ static inline void precompr2(uint32_t nBits, uint64_t *n, uint64_t *res) res[i] = res[i] | 1ULL << j; for (uint32_t i0 = 0U; i0 < 512U - nBits; i0++) { - Hacl_Bignum256_add_mod(n, res, res, res); + uint64_t a_copy[4U] = { 0U }; + uint64_t b_copy[4U] = { 0U }; + memcpy(a_copy, res, 4U * sizeof (uint64_t)); + memcpy(b_copy, res, 4U * sizeof (uint64_t)); + Hacl_Bignum256_add_mod(n, a_copy, b_copy, res); } } @@ -368,8 +382,8 @@ static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t * } uint64_t r = c1; uint64_t c10 = r; - uint64_t *resb = c + 4U + i0; uint64_t res_j = c[4U + i0]; + uint64_t *resb = c + 4U + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb);); memcpy(res, c + 4U, 4U * sizeof (uint64_t)); uint64_t c00 = c0; @@ -399,8 +413,8 @@ static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t * 0U, 4U, 1U, - uint64_t *os = res; uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint64_t *os = res; os[i] = x;); } @@ -444,8 +458,8 @@ static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t } uint64_t r = c1; uint64_t c10 = r; - uint64_t *resb = c + 4U + i0; uint64_t res_j = c[4U + i0]; + uint64_t *resb = c + 4U + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb);); memcpy(res, c + 4U, 4U * sizeof (uint64_t)); uint64_t c00 = c0; @@ -457,8 +471,8 @@ static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t 0U, 4U, 1U, - uint64_t *os = res; uint64_t x = (m & tmp[i]) | (~m & res[i]); + uint64_t *os = res; os[i] = x;); } @@ -498,7 +512,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res) +bool Hacl_Bignum256_mod_op(uint64_t *n, uint64_t *a, uint64_t *res) { uint64_t one[4U] = { 0U }; memset(one, 0U, 4U * sizeof (uint64_t)); @@ -611,9 +625,9 @@ exp_vartime_precomp( uint64_t ctx[8U] = { 0U }; memcpy(ctx, n, 4U * sizeof (uint64_t)); memcpy(ctx + 4U, r2, 4U * sizeof (uint64_t)); - uint64_t *ctx_n = ctx; + uint64_t *ctx_n0 = ctx; uint64_t *ctx_r2 = ctx + 4U; - from(ctx_n, mu, ctx_r2, resM); + from(ctx_n0, mu, ctx_r2, resM); for (uint32_t i = 0U; i < bBits; i++) { uint32_t i1 = i / 64U; @@ -622,11 +636,15 @@ exp_vartime_precomp( uint64_t bit = tmp >> j & 1ULL; if (!(bit == 0ULL)) { - uint64_t *ctx_n0 = ctx; - amont_mul(ctx_n0, mu, resM, aM, resM); + uint64_t aM_copy[4U] = { 0U }; + memcpy(aM_copy, resM, 4U * sizeof (uint64_t)); + uint64_t *ctx_n = ctx; + amont_mul(ctx_n, mu, aM_copy, aM, resM); } - uint64_t *ctx_n0 = ctx; - amont_sqr(ctx_n0, mu, aM, aM); + uint64_t aM_copy[4U] = { 0U }; + memcpy(aM_copy, aM, 4U * sizeof (uint64_t)); + uint64_t *ctx_n = ctx; + amont_sqr(ctx_n, mu, aM_copy, aM); } from(n, mu, resM, res); return; @@ -654,17 +672,22 @@ exp_vartime_precomp( uint64_t *ctx_r20 = ctx + 4U; from(ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, 4U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint64_t *t11 = table + (i + 1U) * 4U; + uint64_t aM_copy0[4U] = { 0U }; + memcpy(aM_copy0, t11, 4U * sizeof (uint64_t)); uint64_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, t11, tmp); + amont_sqr(ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * 4U, tmp, 4U * sizeof (uint64_t)); uint64_t *t2 = table + (2U * i + 2U) * 4U; + uint64_t aM_copy[4U] = { 0U }; + memcpy(aM_copy, aM, 4U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_mul(ctx_n, mu, aM, t2, tmp); + amont_mul(ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * 4U, tmp, 4U * sizeof (uint64_t));); if (bBits % 4U != 0U) { @@ -687,15 +710,19 @@ exp_vartime_precomp( 0U, 4U, 1U, + uint64_t aM_copy[4U] = { 0U }; + memcpy(aM_copy, resM, 4U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_sqr(ctx_n, mu, resM, resM);); + amont_sqr(ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i - 4U; uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(bLen, b, k, 4U); uint32_t bits_l32 = (uint32_t)bits_l; const uint64_t *a_bits_l = table + bits_l32 * 4U; memcpy(tmp0, (uint64_t *)a_bits_l, 4U * sizeof (uint64_t)); + uint64_t aM_copy[4U] = { 0U }; + memcpy(aM_copy, resM, 4U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_mul(ctx_n, mu, resM, tmp0, resM); + amont_mul(ctx_n, mu, aM_copy, tmp0, resM); } from(n, mu, resM, res); } @@ -720,9 +747,9 @@ exp_consttime_precomp( memcpy(ctx, n, 4U * sizeof (uint64_t)); memcpy(ctx + 4U, r2, 4U * sizeof (uint64_t)); uint64_t sw = 0ULL; - uint64_t *ctx_n = ctx; + uint64_t *ctx_n0 = ctx; uint64_t *ctx_r2 = ctx + 4U; - from(ctx_n, mu, ctx_r2, resM); + from(ctx_n0, mu, ctx_r2, resM); for (uint32_t i0 = 0U; i0 < bBits; i0++) { uint32_t i1 = (bBits - i0 - 1U) / 64U; @@ -737,10 +764,14 @@ exp_consttime_precomp( uint64_t dummy = (0ULL - sw1) & (resM[i] ^ aM[i]); resM[i] = resM[i] ^ dummy; aM[i] = aM[i] ^ dummy;); - uint64_t *ctx_n0 = ctx; - amont_mul(ctx_n0, mu, aM, resM, aM); + uint64_t aM_copy[4U] = { 0U }; + memcpy(aM_copy, aM, 4U * sizeof (uint64_t)); uint64_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, resM, resM); + amont_mul(ctx_n1, mu, aM_copy, resM, aM); + uint64_t aM_copy0[4U] = { 0U }; + memcpy(aM_copy0, resM, 4U * sizeof (uint64_t)); + uint64_t *ctx_n = ctx; + amont_sqr(ctx_n, mu, aM_copy0, resM); sw = bit; } uint64_t sw0 = sw; @@ -777,17 +808,22 @@ exp_consttime_precomp( uint64_t *ctx_r20 = ctx + 4U; from(ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, 4U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint64_t *t11 = table + (i + 1U) * 4U; + uint64_t aM_copy0[4U] = { 0U }; + memcpy(aM_copy0, t11, 4U * sizeof (uint64_t)); uint64_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, t11, tmp); + amont_sqr(ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * 4U, tmp, 4U * sizeof (uint64_t)); uint64_t *t2 = table + (2U * i + 2U) * 4U; + uint64_t aM_copy[4U] = { 0U }; + memcpy(aM_copy, aM, 4U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_mul(ctx_n, mu, aM, t2, tmp); + amont_mul(ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * 4U, tmp, 4U * sizeof (uint64_t));); if (bBits % 4U != 0U) { @@ -804,8 +840,8 @@ exp_consttime_precomp( 0U, 4U, 1U, - uint64_t *os = resM; uint64_t x = (c & res_j[i]) | (~c & resM[i]); + uint64_t *os = resM; os[i] = x;);); } else @@ -821,8 +857,10 @@ exp_consttime_precomp( 0U, 4U, 1U, + uint64_t aM_copy[4U] = { 0U }; + memcpy(aM_copy, resM, 4U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_sqr(ctx_n, mu, resM, resM);); + amont_sqr(ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i0 - 4U; uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(bLen, b, k, 4U); memcpy(tmp0, (uint64_t *)table, 4U * sizeof (uint64_t)); @@ -836,11 +874,13 @@ exp_consttime_precomp( 0U, 4U, 1U, - uint64_t *os = tmp0; uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint64_t *os = tmp0; os[i] = x;);); + uint64_t aM_copy[4U] = { 0U }; + memcpy(aM_copy, resM, 4U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_mul(ctx_n, mu, resM, tmp0, resM); + amont_mul(ctx_n, mu, aM_copy, tmp0, resM); } from(n, mu, resM, res); } @@ -1087,9 +1127,9 @@ Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. */ void Hacl_Bignum256_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - uint64_t *n = k1.n; - uint64_t *r2 = k1.r2; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + uint64_t *n = uu____0.n; + uint64_t *r2 = uu____0.r2; KRML_HOST_FREE(n); KRML_HOST_FREE(r2); KRML_HOST_FREE(k); @@ -1109,8 +1149,10 @@ Hacl_Bignum256_mod_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; + bn_slow_precomp(n, mu, r2, a, res); } /** @@ -1141,8 +1183,10 @@ Hacl_Bignum256_mod_exp_vartime_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); } /** @@ -1173,8 +1217,10 @@ Hacl_Bignum256_mod_exp_consttime_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); } /** @@ -1196,10 +1242,12 @@ Hacl_Bignum256_mod_inv_prime_vartime_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; uint64_t n2[4U] = { 0U }; - uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(0ULL, k1.n[0U], 2ULL, n2); - uint64_t *a1 = k1.n + 1U; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(0ULL, n[0U], 2ULL, n2); + uint64_t *a1 = n + 1U; uint64_t *res1 = n2 + 1U; uint64_t c = c0; KRML_MAYBE_FOR3(i, @@ -1212,7 +1260,7 @@ Hacl_Bignum256_mod_inv_prime_vartime_precomp( uint64_t c1 = c; uint64_t c2 = c1; KRML_MAYBE_UNUSED_VAR(c2); - exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, 256U, n2, res); + exp_vartime_precomp(n, mu, r2, a, 256U, n2, res); } @@ -1254,9 +1302,9 @@ uint64_t *Hacl_Bignum256_new_bn_from_bytes_be(uint32_t len, uint8_t *b) memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < bnLen; i++) { - uint64_t *os = res2; uint64_t u = load64_be(tmp + (bnLen - i - 1U) * 8U); uint64_t x = u; + uint64_t *os = res2; os[i] = x; } return res2; @@ -1295,11 +1343,11 @@ uint64_t *Hacl_Bignum256_new_bn_from_bytes_le(uint32_t len, uint8_t *b) memcpy(tmp, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < (len - 1U) / 8U + 1U; i++) { - uint64_t *os = res2; uint8_t *bj = tmp + i * 8U; uint64_t u = load64_le(bj); uint64_t r1 = u; uint64_t x = r1; + uint64_t *os = res2; os[i] = x; } return res2; diff --git a/src/Hacl_Bignum256_32.c b/src/Hacl_Bignum256_32.c index eed6c65c..e961ddab 100644 --- a/src/Hacl_Bignum256_32.c +++ b/src/Hacl_Bignum256_32.c @@ -179,8 +179,8 @@ void Hacl_Bignum256_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t * 0U, 8U, 1U, - uint32_t *os = res; uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint32_t *os = res; os[i] = x;); } @@ -247,8 +247,8 @@ void Hacl_Bignum256_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t * 0U, 8U, 1U, - uint32_t *os = res; uint32_t x = (c2 & tmp[i]) | (~c2 & res[i]); + uint32_t *os = res; os[i] = x;); } @@ -301,8 +301,8 @@ void Hacl_Bignum256_32_sqr(uint32_t *a, uint32_t *res) 0U, 8U, 1U, - uint32_t *ab = a; uint32_t a_j = a[i0]; + uint32_t *ab = a; uint32_t *res_j = res + i0; uint32_t c = 0U; for (uint32_t i = 0U; i < i0 / 4U; i++) @@ -328,7 +328,12 @@ void Hacl_Bignum256_32_sqr(uint32_t *a, uint32_t *res) } uint32_t r = c; res[i0 + i0] = r;); - uint32_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32(16U, res, res, res); + uint32_t a_copy0[16U] = { 0U }; + uint32_t b_copy0[16U] = { 0U }; + memcpy(a_copy0, res, 16U * sizeof (uint32_t)); + memcpy(b_copy0, res, 16U * sizeof (uint32_t)); + uint32_t r = Hacl_Bignum_Addition_bn_add_eq_len_u32(16U, a_copy0, b_copy0, res); + uint32_t c0 = r; KRML_MAYBE_UNUSED_VAR(c0); uint32_t tmp[16U] = { 0U }; KRML_MAYBE_FOR8(i, @@ -340,7 +345,12 @@ void Hacl_Bignum256_32_sqr(uint32_t *a, uint32_t *res) uint32_t lo = (uint32_t)res1; tmp[2U * i] = lo; tmp[2U * i + 1U] = hi;); - uint32_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u32(16U, res, tmp, res); + uint32_t a_copy[16U] = { 0U }; + uint32_t b_copy[16U] = { 0U }; + memcpy(a_copy, res, 16U * sizeof (uint32_t)); + memcpy(b_copy, tmp, 16U * sizeof (uint32_t)); + uint32_t r0 = Hacl_Bignum_Addition_bn_add_eq_len_u32(16U, a_copy, b_copy, res); + uint32_t c1 = r0; KRML_MAYBE_UNUSED_VAR(c1); } @@ -352,7 +362,11 @@ static inline void precompr2(uint32_t nBits, uint32_t *n, uint32_t *res) res[i] = res[i] | 1U << j; for (uint32_t i0 = 0U; i0 < 512U - nBits; i0++) { - Hacl_Bignum256_32_add_mod(n, res, res, res); + uint32_t a_copy[8U] = { 0U }; + uint32_t b_copy[8U] = { 0U }; + memcpy(a_copy, res, 8U * sizeof (uint32_t)); + memcpy(b_copy, res, 8U * sizeof (uint32_t)); + Hacl_Bignum256_32_add_mod(n, a_copy, b_copy, res); } } @@ -384,8 +398,8 @@ static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t * c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i);); uint32_t r = c1; uint32_t c10 = r; - uint32_t *resb = c + 8U + i0; uint32_t res_j = c[8U + i0]; + uint32_t *resb = c + 8U + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb);); memcpy(res, c + 8U, 8U * sizeof (uint32_t)); uint32_t c00 = c0; @@ -417,8 +431,8 @@ static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t * 0U, 8U, 1U, - uint32_t *os = res; uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint32_t *os = res; os[i] = x;); } @@ -464,8 +478,8 @@ static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t c1 = Hacl_Bignum_Base_mul_wide_add2_u32(a_i2, qj, c1, res_i);); uint32_t r = c1; uint32_t c10 = r; - uint32_t *resb = c + 8U + i0; uint32_t res_j = c[8U + i0]; + uint32_t *resb = c + 8U + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb);); memcpy(res, c + 8U, 8U * sizeof (uint32_t)); uint32_t c00 = c0; @@ -477,8 +491,8 @@ static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t 0U, 8U, 1U, - uint32_t *os = res; uint32_t x = (m & tmp[i]) | (~m & res[i]); + uint32_t *os = res; os[i] = x;); } @@ -518,7 +532,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) +bool Hacl_Bignum256_32_mod_op(uint32_t *n, uint32_t *a, uint32_t *res) { uint32_t one[8U] = { 0U }; memset(one, 0U, 8U * sizeof (uint32_t)); @@ -631,9 +645,9 @@ exp_vartime_precomp( uint32_t ctx[16U] = { 0U }; memcpy(ctx, n, 8U * sizeof (uint32_t)); memcpy(ctx + 8U, r2, 8U * sizeof (uint32_t)); - uint32_t *ctx_n = ctx; + uint32_t *ctx_n0 = ctx; uint32_t *ctx_r2 = ctx + 8U; - from(ctx_n, mu, ctx_r2, resM); + from(ctx_n0, mu, ctx_r2, resM); for (uint32_t i = 0U; i < bBits; i++) { uint32_t i1 = i / 32U; @@ -642,11 +656,15 @@ exp_vartime_precomp( uint32_t bit = tmp >> j & 1U; if (!(bit == 0U)) { - uint32_t *ctx_n0 = ctx; - amont_mul(ctx_n0, mu, resM, aM, resM); + uint32_t aM_copy[8U] = { 0U }; + memcpy(aM_copy, resM, 8U * sizeof (uint32_t)); + uint32_t *ctx_n = ctx; + amont_mul(ctx_n, mu, aM_copy, aM, resM); } - uint32_t *ctx_n0 = ctx; - amont_sqr(ctx_n0, mu, aM, aM); + uint32_t aM_copy[8U] = { 0U }; + memcpy(aM_copy, aM, 8U * sizeof (uint32_t)); + uint32_t *ctx_n = ctx; + amont_sqr(ctx_n, mu, aM_copy, aM); } from(n, mu, resM, res); return; @@ -674,17 +692,22 @@ exp_vartime_precomp( uint32_t *ctx_r20 = ctx + 8U; from(ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, 8U * sizeof (uint32_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint32_t *t11 = table + (i + 1U) * 8U; + uint32_t aM_copy0[8U] = { 0U }; + memcpy(aM_copy0, t11, 8U * sizeof (uint32_t)); uint32_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, t11, tmp); + amont_sqr(ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * 8U, tmp, 8U * sizeof (uint32_t)); uint32_t *t2 = table + (2U * i + 2U) * 8U; + uint32_t aM_copy[8U] = { 0U }; + memcpy(aM_copy, aM, 8U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_mul(ctx_n, mu, aM, t2, tmp); + amont_mul(ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * 8U, tmp, 8U * sizeof (uint32_t));); if (bBits % 4U != 0U) { @@ -707,15 +730,19 @@ exp_vartime_precomp( 0U, 4U, 1U, + uint32_t aM_copy[8U] = { 0U }; + memcpy(aM_copy, resM, 8U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_sqr(ctx_n, mu, resM, resM);); + amont_sqr(ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i - 4U; uint32_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u32(bLen, b, k, 4U); uint32_t bits_l32 = bits_l; const uint32_t *a_bits_l = table + bits_l32 * 8U; memcpy(tmp0, (uint32_t *)a_bits_l, 8U * sizeof (uint32_t)); + uint32_t aM_copy[8U] = { 0U }; + memcpy(aM_copy, resM, 8U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_mul(ctx_n, mu, resM, tmp0, resM); + amont_mul(ctx_n, mu, aM_copy, tmp0, resM); } from(n, mu, resM, res); } @@ -740,9 +767,9 @@ exp_consttime_precomp( memcpy(ctx, n, 8U * sizeof (uint32_t)); memcpy(ctx + 8U, r2, 8U * sizeof (uint32_t)); uint32_t sw = 0U; - uint32_t *ctx_n = ctx; + uint32_t *ctx_n0 = ctx; uint32_t *ctx_r2 = ctx + 8U; - from(ctx_n, mu, ctx_r2, resM); + from(ctx_n0, mu, ctx_r2, resM); for (uint32_t i0 = 0U; i0 < bBits; i0++) { uint32_t i1 = (bBits - i0 - 1U) / 32U; @@ -757,10 +784,14 @@ exp_consttime_precomp( uint32_t dummy = (0U - sw1) & (resM[i] ^ aM[i]); resM[i] = resM[i] ^ dummy; aM[i] = aM[i] ^ dummy;); - uint32_t *ctx_n0 = ctx; - amont_mul(ctx_n0, mu, aM, resM, aM); + uint32_t aM_copy[8U] = { 0U }; + memcpy(aM_copy, aM, 8U * sizeof (uint32_t)); uint32_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, resM, resM); + amont_mul(ctx_n1, mu, aM_copy, resM, aM); + uint32_t aM_copy0[8U] = { 0U }; + memcpy(aM_copy0, resM, 8U * sizeof (uint32_t)); + uint32_t *ctx_n = ctx; + amont_sqr(ctx_n, mu, aM_copy0, resM); sw = bit; } uint32_t sw0 = sw; @@ -797,17 +828,22 @@ exp_consttime_precomp( uint32_t *ctx_r20 = ctx + 8U; from(ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, 8U * sizeof (uint32_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint32_t *t11 = table + (i + 1U) * 8U; + uint32_t aM_copy0[8U] = { 0U }; + memcpy(aM_copy0, t11, 8U * sizeof (uint32_t)); uint32_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, t11, tmp); + amont_sqr(ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * 8U, tmp, 8U * sizeof (uint32_t)); uint32_t *t2 = table + (2U * i + 2U) * 8U; + uint32_t aM_copy[8U] = { 0U }; + memcpy(aM_copy, aM, 8U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_mul(ctx_n, mu, aM, t2, tmp); + amont_mul(ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * 8U, tmp, 8U * sizeof (uint32_t));); if (bBits % 4U != 0U) { @@ -824,8 +860,8 @@ exp_consttime_precomp( 0U, 8U, 1U, - uint32_t *os = resM; uint32_t x = (c & res_j[i]) | (~c & resM[i]); + uint32_t *os = resM; os[i] = x;);); } else @@ -841,8 +877,10 @@ exp_consttime_precomp( 0U, 4U, 1U, + uint32_t aM_copy[8U] = { 0U }; + memcpy(aM_copy, resM, 8U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_sqr(ctx_n, mu, resM, resM);); + amont_sqr(ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i0 - 4U; uint32_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u32(bLen, b, k, 4U); memcpy(tmp0, (uint32_t *)table, 8U * sizeof (uint32_t)); @@ -856,11 +894,13 @@ exp_consttime_precomp( 0U, 8U, 1U, - uint32_t *os = tmp0; uint32_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint32_t *os = tmp0; os[i] = x;);); + uint32_t aM_copy[8U] = { 0U }; + memcpy(aM_copy, resM, 8U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_mul(ctx_n, mu, resM, tmp0, resM); + amont_mul(ctx_n, mu, aM_copy, tmp0, resM); } from(n, mu, resM, res); } @@ -1121,9 +1161,9 @@ Deallocate the memory previously allocated by Hacl_Bignum256_mont_ctx_init. */ void Hacl_Bignum256_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - uint32_t *n = k1.n; - uint32_t *r2 = k1.r2; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + uint32_t *n = uu____0.n; + uint32_t *r2 = uu____0.r2; KRML_HOST_FREE(n); KRML_HOST_FREE(r2); KRML_HOST_FREE(k); @@ -1143,8 +1183,10 @@ Hacl_Bignum256_32_mod_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; + bn_slow_precomp(n, mu, r2, a, res); } /** @@ -1175,8 +1217,10 @@ Hacl_Bignum256_32_mod_exp_vartime_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); } /** @@ -1207,8 +1251,10 @@ Hacl_Bignum256_32_mod_exp_consttime_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); } /** @@ -1230,10 +1276,12 @@ Hacl_Bignum256_32_mod_inv_prime_vartime_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; uint32_t n2[8U] = { 0U }; - uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(0U, k1.n[0U], 2U, n2); - uint32_t *a1 = k1.n + 1U; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(0U, n[0U], 2U, n2); + uint32_t *a1 = n + 1U; uint32_t *res1 = n2 + 1U; uint32_t c = c0; { @@ -1260,7 +1308,7 @@ Hacl_Bignum256_32_mod_inv_prime_vartime_precomp( uint32_t c1 = c; uint32_t c2 = c1; KRML_MAYBE_UNUSED_VAR(c2); - exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, 256U, n2, res); + exp_vartime_precomp(n, mu, r2, a, 256U, n2, res); } @@ -1302,9 +1350,9 @@ uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < bnLen; i++) { - uint32_t *os = res2; uint32_t u = load32_be(tmp + (bnLen - i - 1U) * 4U); uint32_t x = u; + uint32_t *os = res2; os[i] = x; } return res2; @@ -1343,11 +1391,11 @@ uint32_t *Hacl_Bignum256_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) memcpy(tmp, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < (len - 1U) / 4U + 1U; i++) { - uint32_t *os = res2; uint8_t *bj = tmp + i * 4U; uint32_t u = load32_le(bj); uint32_t r1 = u; uint32_t x = r1; + uint32_t *os = res2; os[i] = x; } return res2; diff --git a/src/Hacl_Bignum32.c b/src/Hacl_Bignum32.c index 34b46324..1af9dcd8 100644 --- a/src/Hacl_Bignum32.c +++ b/src/Hacl_Bignum32.c @@ -79,7 +79,15 @@ Write `(a + b) mod n` in `res`. */ void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *b, uint32_t *res) { - Hacl_Bignum_bn_add_mod_n_u32(len, n, a, b, res); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t a_copy[len]; + memset(a_copy, 0U, len * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len); + uint32_t b_copy[len]; + memset(b_copy, 0U, len * sizeof (uint32_t)); + memcpy(a_copy, a, len * sizeof (uint32_t)); + memcpy(b_copy, b, len * sizeof (uint32_t)); + Hacl_Bignum_bn_add_mod_n_u32(len, n, a_copy, b_copy, res); } /** @@ -157,7 +165,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) +bool Hacl_Bignum32_mod_op(uint32_t len, uint32_t *n, uint32_t *a, uint32_t *res) { KRML_CHECK_SIZE(sizeof (uint32_t), len); uint32_t one[len]; @@ -433,9 +441,9 @@ Deallocate the memory previously allocated by Hacl_Bignum32_mont_ctx_init. */ void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - uint32_t *n = k1.n; - uint32_t *r2 = k1.r2; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + uint32_t *n = uu____0.n; + uint32_t *r2 = uu____0.r2; KRML_HOST_FREE(n); KRML_HOST_FREE(r2); KRML_HOST_FREE(k); @@ -455,10 +463,11 @@ Hacl_Bignum32_mod_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; - uint32_t len1 = k10.len; - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - bn_slow_precomp(len1, k1.n, k1.mu, k1.r2, a, res); + uint32_t len1 = (*k).len; + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; + bn_slow_precomp(len1, n, mu, r2, a, res); } /** @@ -489,17 +498,11 @@ Hacl_Bignum32_mod_exp_vartime_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; - uint32_t len1 = k10.len; - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len1, - k1.n, - k1.mu, - k1.r2, - a, - bBits, - b, - res); + uint32_t len1 = (*k).len; + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len1, n, mu, r2, a, bBits, b, res); } /** @@ -530,17 +533,11 @@ Hacl_Bignum32_mod_exp_consttime_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; - uint32_t len1 = k10.len; - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32(len1, - k1.n, - k1.mu, - k1.r2, - a, - bBits, - b, - res); + uint32_t len1 = (*k).len; + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32(len1, n, mu, r2, a, bBits, b, res); } /** @@ -562,17 +559,18 @@ Hacl_Bignum32_mod_inv_prime_vartime_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k10 = *k; - uint32_t len1 = k10.len; - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t len1 = (*k).len; + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; KRML_CHECK_SIZE(sizeof (uint32_t), len1); uint32_t n2[len1]; memset(n2, 0U, len1 * sizeof (uint32_t)); - uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(0U, k1.n[0U], 2U, n2); + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(0U, n[0U], 2U, n2); uint32_t c1; if (1U < len1) { - uint32_t *a1 = k1.n + 1U; + uint32_t *a1 = n + 1U; uint32_t *res1 = n2 + 1U; uint32_t c = c0; for (uint32_t i = 0U; i < (len1 - 1U) / 4U; i++) @@ -605,9 +603,9 @@ Hacl_Bignum32_mod_inv_prime_vartime_precomp( } KRML_MAYBE_UNUSED_VAR(c1); Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32(len1, - k1.n, - k1.mu, - k1.r2, + n, + mu, + r2, a, 32U * len1, n2, @@ -653,9 +651,9 @@ uint32_t *Hacl_Bignum32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < bnLen; i++) { - uint32_t *os = res2; uint32_t u = load32_be(tmp + (bnLen - i - 1U) * 4U); uint32_t x = u; + uint32_t *os = res2; os[i] = x; } return res2; @@ -694,11 +692,11 @@ uint32_t *Hacl_Bignum32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) memcpy(tmp, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < (len - 1U) / 4U + 1U; i++) { - uint32_t *os = res2; uint8_t *bj = tmp + i * 4U; uint32_t u = load32_le(bj); uint32_t r1 = u; uint32_t x = r1; + uint32_t *os = res2; os[i] = x; } return res2; diff --git a/src/Hacl_Bignum4096.c b/src/Hacl_Bignum4096.c index 3572db07..11b2a760 100644 --- a/src/Hacl_Bignum4096.c +++ b/src/Hacl_Bignum4096.c @@ -180,8 +180,8 @@ void Hacl_Bignum4096_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *re uint64_t c2 = c00 - c1; for (uint32_t i = 0U; i < 64U; i++) { - uint64_t *os = res; uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint64_t *os = res; os[i] = x; } } @@ -247,8 +247,8 @@ void Hacl_Bignum4096_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *re uint64_t c2 = 0ULL - c00; for (uint32_t i = 0U; i < 64U; i++) { - uint64_t *os = res; uint64_t x = (c2 & tmp[i]) | (~c2 & res[i]); + uint64_t *os = res; os[i] = x; } } @@ -285,7 +285,11 @@ static inline void precompr2(uint32_t nBits, uint64_t *n, uint64_t *res) res[i] = res[i] | 1ULL << j; for (uint32_t i0 = 0U; i0 < 8192U - nBits; i0++) { - Hacl_Bignum4096_add_mod(n, res, res, res); + uint64_t a_copy[64U] = { 0U }; + uint64_t b_copy[64U] = { 0U }; + memcpy(a_copy, res, 64U * sizeof (uint64_t)); + memcpy(b_copy, res, 64U * sizeof (uint64_t)); + Hacl_Bignum4096_add_mod(n, a_copy, b_copy, res); } } @@ -315,8 +319,8 @@ static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t * c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i);); uint64_t r = c1; uint64_t c10 = r; - uint64_t *resb = c + 64U + i0; uint64_t res_j = c[64U + i0]; + uint64_t *resb = c + 64U + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); } memcpy(res, c + 64U, 64U * sizeof (uint64_t)); @@ -347,8 +351,8 @@ static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t * uint64_t c2 = c00 - c10; for (uint32_t i = 0U; i < 64U; i++) { - uint64_t *os = res; uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint64_t *os = res; os[i] = x; } } @@ -393,8 +397,8 @@ static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t c1 = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c1, res_i);); uint64_t r = c1; uint64_t c10 = r; - uint64_t *resb = c + 64U + i0; uint64_t res_j = c[64U + i0]; + uint64_t *resb = c + 64U + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c10, res_j, resb); } memcpy(res, c + 64U, 64U * sizeof (uint64_t)); @@ -405,8 +409,8 @@ static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, uint64_t uint64_t m = 0ULL - c00; for (uint32_t i = 0U; i < 64U; i++) { - uint64_t *os = res; uint64_t x = (m & tmp[i]) | (~m & res[i]); + uint64_t *os = res; os[i] = x; } } @@ -447,7 +451,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res) +bool Hacl_Bignum4096_mod_op(uint64_t *n, uint64_t *a, uint64_t *res) { uint64_t one[64U] = { 0U }; memset(one, 0U, 64U * sizeof (uint64_t)); @@ -557,9 +561,9 @@ exp_vartime_precomp( uint64_t ctx[128U] = { 0U }; memcpy(ctx, n, 64U * sizeof (uint64_t)); memcpy(ctx + 64U, r2, 64U * sizeof (uint64_t)); - uint64_t *ctx_n = ctx; + uint64_t *ctx_n0 = ctx; uint64_t *ctx_r2 = ctx + 64U; - from(ctx_n, mu, ctx_r2, resM); + from(ctx_n0, mu, ctx_r2, resM); for (uint32_t i = 0U; i < bBits; i++) { uint32_t i1 = i / 64U; @@ -568,11 +572,15 @@ exp_vartime_precomp( uint64_t bit = tmp >> j & 1ULL; if (!(bit == 0ULL)) { - uint64_t *ctx_n0 = ctx; - amont_mul(ctx_n0, mu, resM, aM, resM); + uint64_t aM_copy[64U] = { 0U }; + memcpy(aM_copy, resM, 64U * sizeof (uint64_t)); + uint64_t *ctx_n = ctx; + amont_mul(ctx_n, mu, aM_copy, aM, resM); } - uint64_t *ctx_n0 = ctx; - amont_sqr(ctx_n0, mu, aM, aM); + uint64_t aM_copy[64U] = { 0U }; + memcpy(aM_copy, aM, 64U * sizeof (uint64_t)); + uint64_t *ctx_n = ctx; + amont_sqr(ctx_n, mu, aM_copy, aM); } from(n, mu, resM, res); return; @@ -600,17 +608,22 @@ exp_vartime_precomp( uint64_t *ctx_r20 = ctx + 64U; from(ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, 64U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint64_t *t11 = table + (i + 1U) * 64U; + uint64_t aM_copy0[64U] = { 0U }; + memcpy(aM_copy0, t11, 64U * sizeof (uint64_t)); uint64_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, t11, tmp); + amont_sqr(ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * 64U, tmp, 64U * sizeof (uint64_t)); uint64_t *t2 = table + (2U * i + 2U) * 64U; + uint64_t aM_copy[64U] = { 0U }; + memcpy(aM_copy, aM, 64U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_mul(ctx_n, mu, aM, t2, tmp); + amont_mul(ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * 64U, tmp, 64U * sizeof (uint64_t));); if (bBits % 4U != 0U) { @@ -633,15 +646,19 @@ exp_vartime_precomp( 0U, 4U, 1U, + uint64_t aM_copy[64U] = { 0U }; + memcpy(aM_copy, resM, 64U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_sqr(ctx_n, mu, resM, resM);); + amont_sqr(ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i - 4U; uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(bLen, b, k, 4U); uint32_t bits_l32 = (uint32_t)bits_l; const uint64_t *a_bits_l = table + bits_l32 * 64U; memcpy(tmp0, (uint64_t *)a_bits_l, 64U * sizeof (uint64_t)); + uint64_t aM_copy[64U] = { 0U }; + memcpy(aM_copy, resM, 64U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_mul(ctx_n, mu, resM, tmp0, resM); + amont_mul(ctx_n, mu, aM_copy, tmp0, resM); } from(n, mu, resM, res); } @@ -666,9 +683,9 @@ exp_consttime_precomp( memcpy(ctx, n, 64U * sizeof (uint64_t)); memcpy(ctx + 64U, r2, 64U * sizeof (uint64_t)); uint64_t sw = 0ULL; - uint64_t *ctx_n = ctx; + uint64_t *ctx_n0 = ctx; uint64_t *ctx_r2 = ctx + 64U; - from(ctx_n, mu, ctx_r2, resM); + from(ctx_n0, mu, ctx_r2, resM); for (uint32_t i0 = 0U; i0 < bBits; i0++) { uint32_t i1 = (bBits - i0 - 1U) / 64U; @@ -682,10 +699,14 @@ exp_consttime_precomp( resM[i] = resM[i] ^ dummy; aM[i] = aM[i] ^ dummy; } - uint64_t *ctx_n0 = ctx; - amont_mul(ctx_n0, mu, aM, resM, aM); + uint64_t aM_copy[64U] = { 0U }; + memcpy(aM_copy, aM, 64U * sizeof (uint64_t)); uint64_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, resM, resM); + amont_mul(ctx_n1, mu, aM_copy, resM, aM); + uint64_t aM_copy0[64U] = { 0U }; + memcpy(aM_copy0, resM, 64U * sizeof (uint64_t)); + uint64_t *ctx_n = ctx; + amont_sqr(ctx_n, mu, aM_copy0, resM); sw = bit; } uint64_t sw0 = sw; @@ -721,17 +742,22 @@ exp_consttime_precomp( uint64_t *ctx_r20 = ctx + 64U; from(ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, 64U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint64_t *t11 = table + (i + 1U) * 64U; + uint64_t aM_copy0[64U] = { 0U }; + memcpy(aM_copy0, t11, 64U * sizeof (uint64_t)); uint64_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, t11, tmp); + amont_sqr(ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * 64U, tmp, 64U * sizeof (uint64_t)); uint64_t *t2 = table + (2U * i + 2U) * 64U; + uint64_t aM_copy[64U] = { 0U }; + memcpy(aM_copy, aM, 64U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_mul(ctx_n, mu, aM, t2, tmp); + amont_mul(ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * 64U, tmp, 64U * sizeof (uint64_t));); if (bBits % 4U != 0U) { @@ -746,8 +772,8 @@ exp_consttime_precomp( const uint64_t *res_j = table + (i1 + 1U) * 64U; for (uint32_t i = 0U; i < 64U; i++) { - uint64_t *os = resM; uint64_t x = (c & res_j[i]) | (~c & resM[i]); + uint64_t *os = resM; os[i] = x; }); } @@ -764,8 +790,10 @@ exp_consttime_precomp( 0U, 4U, 1U, + uint64_t aM_copy[64U] = { 0U }; + memcpy(aM_copy, resM, 64U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_sqr(ctx_n, mu, resM, resM);); + amont_sqr(ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i0 - 4U; uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(bLen, b, k, 4U); memcpy(tmp0, (uint64_t *)table, 64U * sizeof (uint64_t)); @@ -777,12 +805,14 @@ exp_consttime_precomp( const uint64_t *res_j = table + (i1 + 1U) * 64U; for (uint32_t i = 0U; i < 64U; i++) { - uint64_t *os = tmp0; uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint64_t *os = tmp0; os[i] = x; }); + uint64_t aM_copy[64U] = { 0U }; + memcpy(aM_copy, resM, 64U * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - amont_mul(ctx_n, mu, resM, tmp0, resM); + amont_mul(ctx_n, mu, aM_copy, tmp0, resM); } from(n, mu, resM, res); } @@ -1042,9 +1072,9 @@ Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. */ void Hacl_Bignum4096_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - uint64_t *n = k1.n; - uint64_t *r2 = k1.r2; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + uint64_t *n = uu____0.n; + uint64_t *r2 = uu____0.r2; KRML_HOST_FREE(n); KRML_HOST_FREE(r2); KRML_HOST_FREE(k); @@ -1064,8 +1094,10 @@ Hacl_Bignum4096_mod_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; + bn_slow_precomp(n, mu, r2, a, res); } /** @@ -1096,8 +1128,10 @@ Hacl_Bignum4096_mod_exp_vartime_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); } /** @@ -1128,8 +1162,10 @@ Hacl_Bignum4096_mod_exp_consttime_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); } /** @@ -1151,10 +1187,12 @@ Hacl_Bignum4096_mod_inv_prime_vartime_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; uint64_t n2[64U] = { 0U }; - uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(0ULL, k1.n[0U], 2ULL, n2); - uint64_t *a1 = k1.n + 1U; + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(0ULL, n[0U], 2ULL, n2); + uint64_t *a1 = n + 1U; uint64_t *res1 = n2 + 1U; uint64_t c = c0; KRML_MAYBE_FOR15(i, @@ -1183,7 +1221,7 @@ Hacl_Bignum4096_mod_inv_prime_vartime_precomp( uint64_t c1 = c; uint64_t c2 = c1; KRML_MAYBE_UNUSED_VAR(c2); - exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, 4096U, n2, res); + exp_vartime_precomp(n, mu, r2, a, 4096U, n2, res); } @@ -1225,9 +1263,9 @@ uint64_t *Hacl_Bignum4096_new_bn_from_bytes_be(uint32_t len, uint8_t *b) memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < bnLen; i++) { - uint64_t *os = res2; uint64_t u = load64_be(tmp + (bnLen - i - 1U) * 8U); uint64_t x = u; + uint64_t *os = res2; os[i] = x; } return res2; @@ -1266,11 +1304,11 @@ uint64_t *Hacl_Bignum4096_new_bn_from_bytes_le(uint32_t len, uint8_t *b) memcpy(tmp, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < (len - 1U) / 8U + 1U; i++) { - uint64_t *os = res2; uint8_t *bj = tmp + i * 8U; uint64_t u = load64_le(bj); uint64_t r1 = u; uint64_t x = r1; + uint64_t *os = res2; os[i] = x; } return res2; diff --git a/src/Hacl_Bignum4096_32.c b/src/Hacl_Bignum4096_32.c index 1a8b361c..b2865b5b 100644 --- a/src/Hacl_Bignum4096_32.c +++ b/src/Hacl_Bignum4096_32.c @@ -177,8 +177,8 @@ void Hacl_Bignum4096_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t uint32_t c2 = c00 - c1; for (uint32_t i = 0U; i < 128U; i++) { - uint32_t *os = res; uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint32_t *os = res; os[i] = x; } } @@ -242,8 +242,8 @@ void Hacl_Bignum4096_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, uint32_t uint32_t c2 = 0U - c00; for (uint32_t i = 0U; i < 128U; i++) { - uint32_t *os = res; uint32_t x = (c2 & tmp[i]) | (~c2 & res[i]); + uint32_t *os = res; os[i] = x; } } @@ -280,7 +280,11 @@ static inline void precompr2(uint32_t nBits, uint32_t *n, uint32_t *res) res[i] = res[i] | 1U << j; for (uint32_t i0 = 0U; i0 < 8192U - nBits; i0++) { - Hacl_Bignum4096_32_add_mod(n, res, res, res); + uint32_t a_copy[128U] = { 0U }; + uint32_t b_copy[128U] = { 0U }; + memcpy(a_copy, res, 128U * sizeof (uint32_t)); + memcpy(b_copy, res, 128U * sizeof (uint32_t)); + Hacl_Bignum4096_32_add_mod(n, a_copy, b_copy, res); } } @@ -309,8 +313,8 @@ static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t * } uint32_t r = c1; uint32_t c10 = r; - uint32_t *resb = c + 128U + i0; uint32_t res_j = c[128U + i0]; + uint32_t *resb = c + 128U + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); } memcpy(res, c + 128U, 128U * sizeof (uint32_t)); @@ -340,8 +344,8 @@ static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t * uint32_t c2 = c00 - c10; for (uint32_t i = 0U; i < 128U; i++) { - uint32_t *os = res; uint32_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint32_t *os = res; os[i] = x; } } @@ -385,8 +389,8 @@ static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t } uint32_t r = c1; uint32_t c10 = r; - uint32_t *resb = c + 128U + i0; uint32_t res_j = c[128U + i0]; + uint32_t *resb = c + 128U + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u32(c0, c10, res_j, resb); } memcpy(res, c + 128U, 128U * sizeof (uint32_t)); @@ -397,8 +401,8 @@ static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, uint32_t uint32_t m = 0U - c00; for (uint32_t i = 0U; i < 128U; i++) { - uint32_t *os = res; uint32_t x = (m & tmp[i]) | (~m & res[i]); + uint32_t *os = res; os[i] = x; } } @@ -439,7 +443,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res) +bool Hacl_Bignum4096_32_mod_op(uint32_t *n, uint32_t *a, uint32_t *res) { uint32_t one[128U] = { 0U }; memset(one, 0U, 128U * sizeof (uint32_t)); @@ -549,9 +553,9 @@ exp_vartime_precomp( uint32_t ctx[256U] = { 0U }; memcpy(ctx, n, 128U * sizeof (uint32_t)); memcpy(ctx + 128U, r2, 128U * sizeof (uint32_t)); - uint32_t *ctx_n = ctx; + uint32_t *ctx_n0 = ctx; uint32_t *ctx_r2 = ctx + 128U; - from(ctx_n, mu, ctx_r2, resM); + from(ctx_n0, mu, ctx_r2, resM); for (uint32_t i = 0U; i < bBits; i++) { uint32_t i1 = i / 32U; @@ -560,11 +564,15 @@ exp_vartime_precomp( uint32_t bit = tmp >> j & 1U; if (!(bit == 0U)) { - uint32_t *ctx_n0 = ctx; - amont_mul(ctx_n0, mu, resM, aM, resM); + uint32_t aM_copy[128U] = { 0U }; + memcpy(aM_copy, resM, 128U * sizeof (uint32_t)); + uint32_t *ctx_n = ctx; + amont_mul(ctx_n, mu, aM_copy, aM, resM); } - uint32_t *ctx_n0 = ctx; - amont_sqr(ctx_n0, mu, aM, aM); + uint32_t aM_copy[128U] = { 0U }; + memcpy(aM_copy, aM, 128U * sizeof (uint32_t)); + uint32_t *ctx_n = ctx; + amont_sqr(ctx_n, mu, aM_copy, aM); } from(n, mu, resM, res); return; @@ -592,17 +600,22 @@ exp_vartime_precomp( uint32_t *ctx_r20 = ctx + 128U; from(ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, 128U * sizeof (uint32_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint32_t *t11 = table + (i + 1U) * 128U; + uint32_t aM_copy0[128U] = { 0U }; + memcpy(aM_copy0, t11, 128U * sizeof (uint32_t)); uint32_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, t11, tmp); + amont_sqr(ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * 128U, tmp, 128U * sizeof (uint32_t)); uint32_t *t2 = table + (2U * i + 2U) * 128U; + uint32_t aM_copy[128U] = { 0U }; + memcpy(aM_copy, aM, 128U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_mul(ctx_n, mu, aM, t2, tmp); + amont_mul(ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * 128U, tmp, 128U * sizeof (uint32_t));); if (bBits % 4U != 0U) { @@ -625,15 +638,19 @@ exp_vartime_precomp( 0U, 4U, 1U, + uint32_t aM_copy[128U] = { 0U }; + memcpy(aM_copy, resM, 128U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_sqr(ctx_n, mu, resM, resM);); + amont_sqr(ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i - 4U; uint32_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u32(bLen, b, k, 4U); uint32_t bits_l32 = bits_l; const uint32_t *a_bits_l = table + bits_l32 * 128U; memcpy(tmp0, (uint32_t *)a_bits_l, 128U * sizeof (uint32_t)); + uint32_t aM_copy[128U] = { 0U }; + memcpy(aM_copy, resM, 128U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_mul(ctx_n, mu, resM, tmp0, resM); + amont_mul(ctx_n, mu, aM_copy, tmp0, resM); } from(n, mu, resM, res); } @@ -658,9 +675,9 @@ exp_consttime_precomp( memcpy(ctx, n, 128U * sizeof (uint32_t)); memcpy(ctx + 128U, r2, 128U * sizeof (uint32_t)); uint32_t sw = 0U; - uint32_t *ctx_n = ctx; + uint32_t *ctx_n0 = ctx; uint32_t *ctx_r2 = ctx + 128U; - from(ctx_n, mu, ctx_r2, resM); + from(ctx_n0, mu, ctx_r2, resM); for (uint32_t i0 = 0U; i0 < bBits; i0++) { uint32_t i1 = (bBits - i0 - 1U) / 32U; @@ -674,10 +691,14 @@ exp_consttime_precomp( resM[i] = resM[i] ^ dummy; aM[i] = aM[i] ^ dummy; } - uint32_t *ctx_n0 = ctx; - amont_mul(ctx_n0, mu, aM, resM, aM); + uint32_t aM_copy[128U] = { 0U }; + memcpy(aM_copy, aM, 128U * sizeof (uint32_t)); uint32_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, resM, resM); + amont_mul(ctx_n1, mu, aM_copy, resM, aM); + uint32_t aM_copy0[128U] = { 0U }; + memcpy(aM_copy0, resM, 128U * sizeof (uint32_t)); + uint32_t *ctx_n = ctx; + amont_sqr(ctx_n, mu, aM_copy0, resM); sw = bit; } uint32_t sw0 = sw; @@ -713,17 +734,22 @@ exp_consttime_precomp( uint32_t *ctx_r20 = ctx + 128U; from(ctx_n0, mu, ctx_r20, t0); memcpy(t1, aM, 128U * sizeof (uint32_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint32_t *t11 = table + (i + 1U) * 128U; + uint32_t aM_copy0[128U] = { 0U }; + memcpy(aM_copy0, t11, 128U * sizeof (uint32_t)); uint32_t *ctx_n1 = ctx; - amont_sqr(ctx_n1, mu, t11, tmp); + amont_sqr(ctx_n1, mu, aM_copy0, tmp); memcpy(table + (2U * i + 2U) * 128U, tmp, 128U * sizeof (uint32_t)); uint32_t *t2 = table + (2U * i + 2U) * 128U; + uint32_t aM_copy[128U] = { 0U }; + memcpy(aM_copy, aM, 128U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_mul(ctx_n, mu, aM, t2, tmp); + amont_mul(ctx_n, mu, aM_copy, t2, tmp); memcpy(table + (2U * i + 3U) * 128U, tmp, 128U * sizeof (uint32_t));); if (bBits % 4U != 0U) { @@ -738,8 +764,8 @@ exp_consttime_precomp( const uint32_t *res_j = table + (i1 + 1U) * 128U; for (uint32_t i = 0U; i < 128U; i++) { - uint32_t *os = resM; uint32_t x = (c & res_j[i]) | (~c & resM[i]); + uint32_t *os = resM; os[i] = x; }); } @@ -756,8 +782,10 @@ exp_consttime_precomp( 0U, 4U, 1U, + uint32_t aM_copy[128U] = { 0U }; + memcpy(aM_copy, resM, 128U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_sqr(ctx_n, mu, resM, resM);); + amont_sqr(ctx_n, mu, aM_copy, resM);); uint32_t k = bBits - bBits % 4U - 4U * i0 - 4U; uint32_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u32(bLen, b, k, 4U); memcpy(tmp0, (uint32_t *)table, 128U * sizeof (uint32_t)); @@ -769,12 +797,14 @@ exp_consttime_precomp( const uint32_t *res_j = table + (i1 + 1U) * 128U; for (uint32_t i = 0U; i < 128U; i++) { - uint32_t *os = tmp0; uint32_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint32_t *os = tmp0; os[i] = x; }); + uint32_t aM_copy[128U] = { 0U }; + memcpy(aM_copy, resM, 128U * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - amont_mul(ctx_n, mu, resM, tmp0, resM); + amont_mul(ctx_n, mu, aM_copy, tmp0, resM); } from(n, mu, resM, res); } @@ -1034,9 +1064,9 @@ Deallocate the memory previously allocated by Hacl_Bignum4096_mont_ctx_init. */ void Hacl_Bignum4096_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - uint32_t *n = k1.n; - uint32_t *r2 = k1.r2; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + uint32_t *n = uu____0.n; + uint32_t *r2 = uu____0.r2; KRML_HOST_FREE(n); KRML_HOST_FREE(r2); KRML_HOST_FREE(k); @@ -1056,8 +1086,10 @@ Hacl_Bignum4096_32_mod_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - bn_slow_precomp(k1.n, k1.mu, k1.r2, a, res); + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; + bn_slow_precomp(n, mu, r2, a, res); } /** @@ -1088,8 +1120,10 @@ Hacl_Bignum4096_32_mod_exp_vartime_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; + exp_vartime_precomp(n, mu, r2, a, bBits, b, res); } /** @@ -1120,8 +1154,10 @@ Hacl_Bignum4096_32_mod_exp_consttime_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - exp_consttime_precomp(k1.n, k1.mu, k1.r2, a, bBits, b, res); + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; + exp_consttime_precomp(n, mu, r2, a, bBits, b, res); } /** @@ -1143,10 +1179,12 @@ Hacl_Bignum4096_32_mod_inv_prime_vartime_precomp( uint32_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; + uint32_t *n = (*k).n; + uint32_t mu = (*k).mu; + uint32_t *r2 = (*k).r2; uint32_t n2[128U] = { 0U }; - uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(0U, k1.n[0U], 2U, n2); - uint32_t *a1 = k1.n + 1U; + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(0U, n[0U], 2U, n2); + uint32_t *a1 = n + 1U; uint32_t *res1 = n2 + 1U; uint32_t c = c0; for (uint32_t i = 0U; i < 31U; i++) @@ -1174,7 +1212,7 @@ Hacl_Bignum4096_32_mod_inv_prime_vartime_precomp( uint32_t c1 = c; uint32_t c2 = c1; KRML_MAYBE_UNUSED_VAR(c2); - exp_vartime_precomp(k1.n, k1.mu, k1.r2, a, 4096U, n2, res); + exp_vartime_precomp(n, mu, r2, a, 4096U, n2, res); } @@ -1216,9 +1254,9 @@ uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_be(uint32_t len, uint8_t *b) memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < bnLen; i++) { - uint32_t *os = res2; uint32_t u = load32_be(tmp + (bnLen - i - 1U) * 4U); uint32_t x = u; + uint32_t *os = res2; os[i] = x; } return res2; @@ -1257,11 +1295,11 @@ uint32_t *Hacl_Bignum4096_32_new_bn_from_bytes_le(uint32_t len, uint8_t *b) memcpy(tmp, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < (len - 1U) / 4U + 1U; i++) { - uint32_t *os = res2; uint8_t *bj = tmp + i * 4U; uint32_t u = load32_le(bj); uint32_t r1 = u; uint32_t x = r1; + uint32_t *os = res2; os[i] = x; } return res2; diff --git a/src/Hacl_Bignum64.c b/src/Hacl_Bignum64.c index f8f5bb6f..a5db482b 100644 --- a/src/Hacl_Bignum64.c +++ b/src/Hacl_Bignum64.c @@ -78,7 +78,15 @@ Write `(a + b) mod n` in `res`. */ void Hacl_Bignum64_add_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) { - Hacl_Bignum_bn_add_mod_n_u64(len, n, a, b, res); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t a_copy[len]; + memset(a_copy, 0U, len * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len); + uint64_t b_copy[len]; + memset(b_copy, 0U, len * sizeof (uint64_t)); + memcpy(a_copy, a, len * sizeof (uint64_t)); + memcpy(b_copy, b, len * sizeof (uint64_t)); + Hacl_Bignum_bn_add_mod_n_u64(len, n, a_copy, b_copy, res); } /** @@ -156,7 +164,7 @@ Write `a mod n` in `res`. • 1 < n • n % 2 = 1 */ -bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res) +bool Hacl_Bignum64_mod_op(uint32_t len, uint64_t *n, uint64_t *a, uint64_t *res) { KRML_CHECK_SIZE(sizeof (uint64_t), len); uint64_t one[len]; @@ -432,9 +440,9 @@ Deallocate the memory previously allocated by Hacl_Bignum64_mont_ctx_init. */ void Hacl_Bignum64_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - uint64_t *n = k1.n; - uint64_t *r2 = k1.r2; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + uint64_t *n = uu____0.n; + uint64_t *r2 = uu____0.r2; KRML_HOST_FREE(n); KRML_HOST_FREE(r2); KRML_HOST_FREE(k); @@ -454,10 +462,11 @@ Hacl_Bignum64_mod_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; - uint32_t len1 = k10.len; - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - bn_slow_precomp(len1, k1.n, k1.mu, k1.r2, a, res); + uint32_t len1 = (*k).len; + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; + bn_slow_precomp(len1, n, mu, r2, a, res); } /** @@ -488,17 +497,11 @@ Hacl_Bignum64_mod_exp_vartime_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; - uint32_t len1 = k10.len; - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len1, - k1.n, - k1.mu, - k1.r2, - a, - bBits, - b, - res); + uint32_t len1 = (*k).len; + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; + Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len1, n, mu, r2, a, bBits, b, res); } /** @@ -529,17 +532,11 @@ Hacl_Bignum64_mod_exp_consttime_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; - uint32_t len1 = k10.len; - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64(len1, - k1.n, - k1.mu, - k1.r2, - a, - bBits, - b, - res); + uint32_t len1 = (*k).len; + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; + Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64(len1, n, mu, r2, a, bBits, b, res); } /** @@ -561,17 +558,18 @@ Hacl_Bignum64_mod_inv_prime_vartime_precomp( uint64_t *res ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k10 = *k; - uint32_t len1 = k10.len; - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; + uint32_t len1 = (*k).len; + uint64_t *n = (*k).n; + uint64_t mu = (*k).mu; + uint64_t *r2 = (*k).r2; KRML_CHECK_SIZE(sizeof (uint64_t), len1); uint64_t n2[len1]; memset(n2, 0U, len1 * sizeof (uint64_t)); - uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(0ULL, k1.n[0U], 2ULL, n2); + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(0ULL, n[0U], 2ULL, n2); uint64_t c1; if (1U < len1) { - uint64_t *a1 = k1.n + 1U; + uint64_t *a1 = n + 1U; uint64_t *res1 = n2 + 1U; uint64_t c = c0; for (uint32_t i = 0U; i < (len1 - 1U) / 4U; i++) @@ -604,9 +602,9 @@ Hacl_Bignum64_mod_inv_prime_vartime_precomp( } KRML_MAYBE_UNUSED_VAR(c1); Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64(len1, - k1.n, - k1.mu, - k1.r2, + n, + mu, + r2, a, 64U * len1, n2, @@ -652,9 +650,9 @@ uint64_t *Hacl_Bignum64_new_bn_from_bytes_be(uint32_t len, uint8_t *b) memcpy(tmp + tmpLen - len, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < bnLen; i++) { - uint64_t *os = res2; uint64_t u = load64_be(tmp + (bnLen - i - 1U) * 8U); uint64_t x = u; + uint64_t *os = res2; os[i] = x; } return res2; @@ -693,11 +691,11 @@ uint64_t *Hacl_Bignum64_new_bn_from_bytes_le(uint32_t len, uint8_t *b) memcpy(tmp, b, len * sizeof (uint8_t)); for (uint32_t i = 0U; i < (len - 1U) / 8U + 1U; i++) { - uint64_t *os = res2; uint8_t *bj = tmp + i * 8U; uint64_t u = load64_le(bj); uint64_t r1 = u; uint64_t x = r1; + uint64_t *os = res2; os[i] = x; } return res2; diff --git a/src/Hacl_Chacha20.c b/src/Hacl_Chacha20.c index 38a5c373..cc5b5fb4 100644 --- a/src/Hacl_Chacha20.c +++ b/src/Hacl_Chacha20.c @@ -102,45 +102,43 @@ static inline void chacha20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr) 0U, 16U, 1U, - uint32_t *os = k; uint32_t x = k[i] + ctx[i]; + uint32_t *os = k; os[i] = x;); k[12U] = k[12U] + ctr_u32; } -static const -uint32_t -chacha20_constants[4U] = { 0x61707865U, 0x3320646eU, 0x79622d32U, 0x6b206574U }; - void Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n, uint32_t ctr) { KRML_MAYBE_FOR4(i, 0U, 4U, 1U, + uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i]; uint32_t *os = ctx; - uint32_t x = chacha20_constants[i]; os[i] = x;); + uint32_t *uu____0 = ctx + 4U; KRML_MAYBE_FOR8(i, 0U, 8U, 1U, - uint32_t *os = ctx + 4U; uint8_t *bj = k + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = uu____0; os[i] = x;); ctx[12U] = ctr; + uint32_t *uu____1 = ctx + 13U; KRML_MAYBE_FOR3(i, 0U, 3U, 1U, - uint32_t *os = ctx + 13U; uint8_t *bj = n + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = uu____1; os[i] = x;); } @@ -153,18 +151,18 @@ static void chacha20_encrypt_block(uint32_t *ctx, uint8_t *out, uint32_t incr, u 0U, 16U, 1U, - uint32_t *os = bl; uint8_t *bj = text + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = bl; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, - uint32_t *os = bl; uint32_t x = bl[i] ^ k[i]; + uint32_t *os = bl; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, store32_le(out + i * 4U, bl[i]);); } @@ -174,7 +172,9 @@ chacha20_encrypt_last(uint32_t *ctx, uint32_t len, uint8_t *out, uint32_t incr, { uint8_t plain[64U] = { 0U }; memcpy(plain, text, len * sizeof (uint8_t)); - chacha20_encrypt_block(ctx, plain, incr, plain); + uint8_t plain_copy[64U] = { 0U }; + memcpy(plain_copy, plain, 64U * sizeof (uint8_t)); + chacha20_encrypt_block(ctx, plain, incr, plain_copy); memcpy(out, plain, len * sizeof (uint8_t)); } diff --git a/src/Hacl_Chacha20_Vec128.c b/src/Hacl_Chacha20_Vec128.c index deab1dfc..1c49e409 100644 --- a/src/Hacl_Chacha20_Vec128.c +++ b/src/Hacl_Chacha20_Vec128.c @@ -153,8 +153,8 @@ chacha20_core_128( 0U, 16U, 1U, - Lib_IntVector_Intrinsics_vec128 *os = k; Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_add32(k[i], ctx[i]); + Lib_IntVector_Intrinsics_vec128 *os = k; os[i] = x;); k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv); } @@ -167,37 +167,39 @@ chacha20_init_128(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *k, uint8_t *n, 0U, 4U, 1U, - uint32_t *os = ctx1; uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i]; + uint32_t *os = ctx1; os[i] = x;); + uint32_t *uu____0 = ctx1 + 4U; KRML_MAYBE_FOR8(i, 0U, 8U, 1U, - uint32_t *os = ctx1 + 4U; uint8_t *bj = k + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = uu____0; os[i] = x;); ctx1[12U] = ctr; + uint32_t *uu____1 = ctx1 + 13U; KRML_MAYBE_FOR3(i, 0U, 3U, 1U, - uint32_t *os = ctx1 + 13U; uint8_t *bj = n + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = uu____1; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, - Lib_IntVector_Intrinsics_vec128 *os = ctx; uint32_t x = ctx1[i]; Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_load32(x); + Lib_IntVector_Intrinsics_vec128 *os = ctx; os[i] = x0;); Lib_IntVector_Intrinsics_vec128 ctr1 = Lib_IntVector_Intrinsics_vec128_load32s(0U, 1U, 2U, 3U); Lib_IntVector_Intrinsics_vec128 c12 = ctx[12U]; diff --git a/src/Hacl_Chacha20_Vec256.c b/src/Hacl_Chacha20_Vec256.c index e61a7cfe..83195c90 100644 --- a/src/Hacl_Chacha20_Vec256.c +++ b/src/Hacl_Chacha20_Vec256.c @@ -153,8 +153,8 @@ chacha20_core_256( 0U, 16U, 1U, - Lib_IntVector_Intrinsics_vec256 *os = k; Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_add32(k[i], ctx[i]); + Lib_IntVector_Intrinsics_vec256 *os = k; os[i] = x;); k[12U] = Lib_IntVector_Intrinsics_vec256_add32(k[12U], cv); } @@ -167,37 +167,39 @@ chacha20_init_256(Lib_IntVector_Intrinsics_vec256 *ctx, uint8_t *k, uint8_t *n, 0U, 4U, 1U, - uint32_t *os = ctx1; uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i]; + uint32_t *os = ctx1; os[i] = x;); + uint32_t *uu____0 = ctx1 + 4U; KRML_MAYBE_FOR8(i, 0U, 8U, 1U, - uint32_t *os = ctx1 + 4U; uint8_t *bj = k + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = uu____0; os[i] = x;); ctx1[12U] = ctr; + uint32_t *uu____1 = ctx1 + 13U; KRML_MAYBE_FOR3(i, 0U, 3U, 1U, - uint32_t *os = ctx1 + 13U; uint8_t *bj = n + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = uu____1; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, - Lib_IntVector_Intrinsics_vec256 *os = ctx; uint32_t x = ctx1[i]; Lib_IntVector_Intrinsics_vec256 x0 = Lib_IntVector_Intrinsics_vec256_load32(x); + Lib_IntVector_Intrinsics_vec256 *os = ctx; os[i] = x0;); Lib_IntVector_Intrinsics_vec256 ctr1 = Lib_IntVector_Intrinsics_vec256_load32s(0U, 1U, 2U, 3U, 4U, 5U, 6U, 7U); diff --git a/src/Hacl_Chacha20_Vec32.c b/src/Hacl_Chacha20_Vec32.c index 0dce915c..63f1e951 100644 --- a/src/Hacl_Chacha20_Vec32.c +++ b/src/Hacl_Chacha20_Vec32.c @@ -147,8 +147,8 @@ static inline void chacha20_core_32(uint32_t *k, uint32_t *ctx, uint32_t ctr) 0U, 16U, 1U, - uint32_t *os = k; uint32_t x = k[i] + ctx[i]; + uint32_t *os = k; os[i] = x;); k[12U] = k[12U] + cv; } @@ -160,36 +160,38 @@ static inline void chacha20_init_32(uint32_t *ctx, uint8_t *k, uint8_t *n, uint3 0U, 4U, 1U, - uint32_t *os = ctx1; uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i]; + uint32_t *os = ctx1; os[i] = x;); + uint32_t *uu____0 = ctx1 + 4U; KRML_MAYBE_FOR8(i, 0U, 8U, 1U, - uint32_t *os = ctx1 + 4U; uint8_t *bj = k + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = uu____0; os[i] = x;); ctx1[12U] = ctr; + uint32_t *uu____1 = ctx1 + 13U; KRML_MAYBE_FOR3(i, 0U, 3U, 1U, - uint32_t *os = ctx1 + 13U; uint8_t *bj = n + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = uu____1; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, - uint32_t *os = ctx; uint32_t x = ctx1[i]; + uint32_t *os = ctx; os[i] = x;); uint32_t ctr1 = 0U; uint32_t c12 = ctx[12U]; diff --git a/src/Hacl_Curve25519_51.c b/src/Hacl_Curve25519_51.c index ca561e89..2d1b7c76 100644 --- a/src/Hacl_Curve25519_51.c +++ b/src/Hacl_Curve25519_51.c @@ -38,64 +38,87 @@ static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, FStar_UInt128_ uint64_t *x1 = q; uint64_t *x2 = nq; uint64_t *z2 = nq + 5U; - uint64_t *z3 = nq_p1 + 5U; - uint64_t *a = tmp1; - uint64_t *b = tmp1 + 5U; - uint64_t *ab = tmp1; uint64_t *dc = tmp1 + 10U; + uint64_t *ab = tmp1; + uint64_t *a = ab; + uint64_t *b = ab + 5U; Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2); Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2); + uint64_t *ab1 = tmp1; uint64_t *x3 = nq_p1; uint64_t *z31 = nq_p1 + 5U; uint64_t *d0 = dc; uint64_t *c0 = dc + 5U; Hacl_Impl_Curve25519_Field51_fadd(c0, x3, z31); Hacl_Impl_Curve25519_Field51_fsub(d0, x3, z31); - Hacl_Impl_Curve25519_Field51_fmul2(dc, dc, ab, tmp2); - Hacl_Impl_Curve25519_Field51_fadd(x3, d0, c0); - Hacl_Impl_Curve25519_Field51_fsub(z31, d0, c0); - uint64_t *a1 = tmp1; - uint64_t *b1 = tmp1 + 5U; - uint64_t *d = tmp1 + 10U; - uint64_t *c = tmp1 + 15U; - uint64_t *ab1 = tmp1; + uint64_t f1_copy0[10U] = { 0U }; + memcpy(f1_copy0, dc, 10U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fmul2(dc, f1_copy0, ab1, tmp2); + uint64_t *d1 = dc; + uint64_t *c1 = dc + 5U; + Hacl_Impl_Curve25519_Field51_fadd(x3, d1, c1); + Hacl_Impl_Curve25519_Field51_fsub(z31, d1, c1); + uint64_t *ab2 = tmp1; uint64_t *dc1 = tmp1 + 10U; - Hacl_Impl_Curve25519_Field51_fsqr2(dc1, ab1, tmp2); - Hacl_Impl_Curve25519_Field51_fsqr2(nq_p1, nq_p1, tmp2); + Hacl_Impl_Curve25519_Field51_fsqr2(dc1, ab2, tmp2); + uint64_t f1_copy1[10U] = { 0U }; + memcpy(f1_copy1, nq_p1, 10U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fsqr2(nq_p1, f1_copy1, tmp2); + uint64_t *a1 = ab2; + uint64_t *b1 = ab2 + 5U; + uint64_t *d = dc1; + uint64_t *c = dc1 + 5U; a1[0U] = c[0U]; a1[1U] = c[1U]; a1[2U] = c[2U]; a1[3U] = c[3U]; a1[4U] = c[4U]; - Hacl_Impl_Curve25519_Field51_fsub(c, d, c); + uint64_t f2_copy[5U] = { 0U }; + memcpy(f2_copy, c, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fsub(c, d, f2_copy); Hacl_Impl_Curve25519_Field51_fmul1(b1, c, 121665ULL); - Hacl_Impl_Curve25519_Field51_fadd(b1, b1, d); - Hacl_Impl_Curve25519_Field51_fmul2(nq, dc1, ab1, tmp2); - Hacl_Impl_Curve25519_Field51_fmul(z3, z3, x1, tmp2); + uint64_t f1_copy2[5U] = { 0U }; + memcpy(f1_copy2, b1, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fadd(b1, f1_copy2, d); + uint64_t *ab3 = tmp1; + uint64_t *dc2 = tmp1 + 10U; + Hacl_Impl_Curve25519_Field51_fmul2(nq, dc2, ab3, tmp2); + uint64_t *z310 = nq_p1 + 5U; + uint64_t f1_copy[5U] = { 0U }; + memcpy(f1_copy, z310, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fmul(z310, f1_copy, x1, tmp2); } static void point_double(uint64_t *nq, uint64_t *tmp1, FStar_UInt128_uint128 *tmp2) { uint64_t *x2 = nq; uint64_t *z2 = nq + 5U; - uint64_t *a = tmp1; - uint64_t *b = tmp1 + 5U; - uint64_t *d = tmp1 + 10U; - uint64_t *c = tmp1 + 15U; uint64_t *ab = tmp1; uint64_t *dc = tmp1 + 10U; + uint64_t *a = ab; + uint64_t *b = ab + 5U; Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2); Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2); Hacl_Impl_Curve25519_Field51_fsqr2(dc, ab, tmp2); - a[0U] = c[0U]; - a[1U] = c[1U]; - a[2U] = c[2U]; - a[3U] = c[3U]; - a[4U] = c[4U]; - Hacl_Impl_Curve25519_Field51_fsub(c, d, c); - Hacl_Impl_Curve25519_Field51_fmul1(b, c, 121665ULL); - Hacl_Impl_Curve25519_Field51_fadd(b, b, d); - Hacl_Impl_Curve25519_Field51_fmul2(nq, dc, ab, tmp2); + uint64_t *d = dc; + uint64_t *c = dc + 5U; + uint64_t *a1 = ab; + uint64_t *b1 = ab + 5U; + a1[0U] = c[0U]; + a1[1U] = c[1U]; + a1[2U] = c[2U]; + a1[3U] = c[3U]; + a1[4U] = c[4U]; + uint64_t f2_copy[5U] = { 0U }; + memcpy(f2_copy, c, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fsub(c, d, f2_copy); + Hacl_Impl_Curve25519_Field51_fmul1(b1, c, 121665ULL); + uint64_t f1_copy[5U] = { 0U }; + memcpy(f1_copy, b1, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fadd(b1, f1_copy, d); + uint64_t *ab1 = tmp1; + uint64_t *dc1 = tmp1 + 10U; + Hacl_Impl_Curve25519_Field51_fmul2(nq, dc1, ab1, tmp2); } static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) @@ -104,7 +127,6 @@ static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) for (uint32_t _i = 0U; _i < 10U; ++_i) tmp2[_i] = FStar_UInt128_uint64_to_uint128(0ULL); uint64_t p01_tmp1_swap[41U] = { 0U }; - uint64_t *p0 = p01_tmp1_swap; uint64_t *p01 = p01_tmp1_swap; uint64_t *p03 = p01; uint64_t *p11 = p01 + 10U; @@ -121,34 +143,39 @@ static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) z0[2U] = 0ULL; z0[3U] = 0ULL; z0[4U] = 0ULL; + uint64_t *swap = p01_tmp1_swap + 40U; uint64_t *p01_tmp1 = p01_tmp1_swap; + uint64_t *nq0 = p01_tmp1; + uint64_t *nq_p1 = p01_tmp1 + 10U; + Hacl_Impl_Curve25519_Field51_cswap2(1ULL, nq0, nq_p1); uint64_t *p01_tmp11 = p01_tmp1_swap; - uint64_t *nq1 = p01_tmp1_swap; - uint64_t *nq_p11 = p01_tmp1_swap + 10U; - uint64_t *swap = p01_tmp1_swap + 40U; - Hacl_Impl_Curve25519_Field51_cswap2(1ULL, nq1, nq_p11); point_add_and_double(init, p01_tmp11, tmp2); swap[0U] = 1ULL; for (uint32_t i = 0U; i < 251U; i++) { uint64_t *p01_tmp12 = p01_tmp1_swap; uint64_t *swap1 = p01_tmp1_swap + 40U; - uint64_t *nq2 = p01_tmp12; - uint64_t *nq_p12 = p01_tmp12 + 10U; + uint64_t *nq1 = p01_tmp12; + uint64_t *nq_p11 = p01_tmp12 + 10U; uint64_t bit = (uint64_t)((uint32_t)key[(253U - i) / 8U] >> (253U - i) % 8U & 1U); uint64_t sw = swap1[0U] ^ bit; - Hacl_Impl_Curve25519_Field51_cswap2(sw, nq2, nq_p12); + Hacl_Impl_Curve25519_Field51_cswap2(sw, nq1, nq_p11); point_add_and_double(init, p01_tmp12, tmp2); swap1[0U] = bit; } uint64_t sw = swap[0U]; + uint64_t *p01_tmp12 = p01_tmp1_swap; + uint64_t *nq1 = p01_tmp12; + uint64_t *nq_p11 = p01_tmp12 + 10U; Hacl_Impl_Curve25519_Field51_cswap2(sw, nq1, nq_p11); - uint64_t *nq10 = p01_tmp1; - uint64_t *tmp1 = p01_tmp1 + 20U; - point_double(nq10, tmp1, tmp2); - point_double(nq10, tmp1, tmp2); - point_double(nq10, tmp1, tmp2); - memcpy(out, p0, 10U * sizeof (uint64_t)); + uint64_t *p01_tmp10 = p01_tmp1_swap; + uint64_t *nq = p01_tmp10; + uint64_t *tmp1 = p01_tmp10 + 20U; + point_double(nq, tmp1, tmp2); + point_double(nq, tmp1, tmp2); + point_double(nq, tmp1, tmp2); + uint64_t *p010 = p01_tmp1_swap; + memcpy(out, p010, 10U * sizeof (uint64_t)); } void @@ -162,7 +189,9 @@ Hacl_Curve25519_51_fsquare_times( Hacl_Impl_Curve25519_Field51_fsqr(o, inp, tmp); for (uint32_t i = 0U; i < n - 1U; i++) { - Hacl_Impl_Curve25519_Field51_fsqr(o, o, tmp); + uint64_t f1_copy[5U] = { 0U }; + memcpy(f1_copy, o, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fsqr(o, f1_copy, tmp); } } @@ -176,32 +205,59 @@ void Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tm Hacl_Curve25519_51_fsquare_times(a1, i, tmp10, 1U); Hacl_Curve25519_51_fsquare_times(t010, a1, tmp10, 2U); Hacl_Impl_Curve25519_Field51_fmul(b1, t010, i, tmp); - Hacl_Impl_Curve25519_Field51_fmul(a1, b1, a1, tmp); - Hacl_Curve25519_51_fsquare_times(t010, a1, tmp10, 1U); - Hacl_Impl_Curve25519_Field51_fmul(b1, t010, b1, tmp); - Hacl_Curve25519_51_fsquare_times(t010, b1, tmp10, 5U); - Hacl_Impl_Curve25519_Field51_fmul(b1, t010, b1, tmp); + uint64_t f2_copy[5U] = { 0U }; + memcpy(f2_copy, a1, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fmul(a1, b1, f2_copy, tmp); + FStar_UInt128_uint128 *tmp11 = tmp; + Hacl_Curve25519_51_fsquare_times(t010, a1, tmp11, 1U); + uint64_t f2_copy0[5U] = { 0U }; + memcpy(f2_copy0, b1, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fmul(b1, t010, f2_copy0, tmp); + FStar_UInt128_uint128 *tmp12 = tmp; + Hacl_Curve25519_51_fsquare_times(t010, b1, tmp12, 5U); + uint64_t f2_copy1[5U] = { 0U }; + memcpy(f2_copy1, b1, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fmul(b1, t010, f2_copy1, tmp); uint64_t *b10 = t1 + 5U; uint64_t *c10 = t1 + 10U; uint64_t *t011 = t1 + 15U; - FStar_UInt128_uint128 *tmp11 = tmp; - Hacl_Curve25519_51_fsquare_times(t011, b10, tmp11, 10U); + FStar_UInt128_uint128 *tmp13 = tmp; + Hacl_Curve25519_51_fsquare_times(t011, b10, tmp13, 10U); Hacl_Impl_Curve25519_Field51_fmul(c10, t011, b10, tmp); - Hacl_Curve25519_51_fsquare_times(t011, c10, tmp11, 20U); - Hacl_Impl_Curve25519_Field51_fmul(t011, t011, c10, tmp); - Hacl_Curve25519_51_fsquare_times(t011, t011, tmp11, 10U); - Hacl_Impl_Curve25519_Field51_fmul(b10, t011, b10, tmp); - Hacl_Curve25519_51_fsquare_times(t011, b10, tmp11, 50U); + FStar_UInt128_uint128 *tmp110 = tmp; + Hacl_Curve25519_51_fsquare_times(t011, c10, tmp110, 20U); + uint64_t f1_copy[5U] = { 0U }; + memcpy(f1_copy, t011, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fmul(t011, f1_copy, c10, tmp); + FStar_UInt128_uint128 *tmp120 = tmp; + uint64_t i_copy0[5U] = { 0U }; + memcpy(i_copy0, t011, 5U * sizeof (uint64_t)); + Hacl_Curve25519_51_fsquare_times(t011, i_copy0, tmp120, 10U); + uint64_t f2_copy2[5U] = { 0U }; + memcpy(f2_copy2, b10, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fmul(b10, t011, f2_copy2, tmp); + FStar_UInt128_uint128 *tmp130 = tmp; + Hacl_Curve25519_51_fsquare_times(t011, b10, tmp130, 50U); Hacl_Impl_Curve25519_Field51_fmul(c10, t011, b10, tmp); uint64_t *b11 = t1 + 5U; uint64_t *c1 = t1 + 10U; uint64_t *t01 = t1 + 15U; FStar_UInt128_uint128 *tmp1 = tmp; Hacl_Curve25519_51_fsquare_times(t01, c1, tmp1, 100U); - Hacl_Impl_Curve25519_Field51_fmul(t01, t01, c1, tmp); - Hacl_Curve25519_51_fsquare_times(t01, t01, tmp1, 50U); - Hacl_Impl_Curve25519_Field51_fmul(t01, t01, b11, tmp); - Hacl_Curve25519_51_fsquare_times(t01, t01, tmp1, 5U); + uint64_t f1_copy0[5U] = { 0U }; + memcpy(f1_copy0, t01, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fmul(t01, f1_copy0, c1, tmp); + FStar_UInt128_uint128 *tmp111 = tmp; + uint64_t i_copy1[5U] = { 0U }; + memcpy(i_copy1, t01, 5U * sizeof (uint64_t)); + Hacl_Curve25519_51_fsquare_times(t01, i_copy1, tmp111, 50U); + uint64_t f1_copy1[5U] = { 0U }; + memcpy(f1_copy1, t01, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fmul(t01, f1_copy1, b11, tmp); + FStar_UInt128_uint128 *tmp121 = tmp; + uint64_t i_copy[5U] = { 0U }; + memcpy(i_copy, t01, 5U * sizeof (uint64_t)); + Hacl_Curve25519_51_fsquare_times(t01, i_copy, tmp121, 5U); uint64_t *a = t1; uint64_t *t0 = t1 + 15U; Hacl_Impl_Curve25519_Field51_fmul(o, t0, a, tmp); @@ -217,7 +273,9 @@ static void encode_point(uint8_t *o, uint64_t *i) for (uint32_t _i = 0U; _i < 10U; ++_i) tmp_w[_i] = FStar_UInt128_uint64_to_uint128(0ULL); Hacl_Curve25519_51_finv(tmp, z, tmp_w); - Hacl_Impl_Curve25519_Field51_fmul(tmp, tmp, x, tmp_w); + uint64_t f1_copy[5U] = { 0U }; + memcpy(f1_copy, tmp, 5U * sizeof (uint64_t)); + Hacl_Impl_Curve25519_Field51_fmul(tmp, f1_copy, x, tmp_w); Hacl_Impl_Curve25519_Field51_store_felem(u64s, tmp); KRML_MAYBE_FOR4(i0, 0U, 4U, 1U, store64_le(o + i0 * 8U, u64s[i0]);); } @@ -232,16 +290,17 @@ Compute the scalar multiple of a point. void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub) { uint64_t init[10U] = { 0U }; + uint64_t init_copy[10U] = { 0U }; uint64_t tmp[4U] = { 0U }; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = tmp; uint8_t *bj = pub + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = tmp; os[i] = x;); uint64_t tmp3 = tmp[3U]; tmp[3U] = tmp3 & 0x7fffffffffffffffULL; @@ -265,7 +324,8 @@ void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub) x[2U] = f1h | f2l; x[3U] = f2h | f3l; x[4U] = f3h; - montgomery_ladder(init, priv, init); + memcpy(init_copy, init, 10U * sizeof (uint64_t)); + montgomery_ladder(init, priv, init_copy); encode_point(out, init); } @@ -282,8 +342,8 @@ void Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv) uint8_t basepoint[32U] = { 0U }; for (uint32_t i = 0U; i < 32U; i++) { - uint8_t *os = basepoint; uint8_t x = g25519[i]; + uint8_t *os = basepoint; os[i] = x; } Hacl_Curve25519_51_scalarmult(pub, priv, basepoint); diff --git a/src/Hacl_Curve25519_64.c b/src/Hacl_Curve25519_64.c index edcab306..0a0dd778 100644 --- a/src/Hacl_Curve25519_64.c +++ b/src/Hacl_Curve25519_64.c @@ -121,69 +121,91 @@ static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, uint64_t *tmp2 uint64_t *x1 = q; uint64_t *x2 = nq; uint64_t *z2 = nq + 4U; - uint64_t *z3 = nq_p1 + 4U; - uint64_t *a = tmp1; - uint64_t *b = tmp1 + 4U; - uint64_t *ab = tmp1; uint64_t *dc = tmp1 + 8U; + uint64_t *ab = tmp1; + uint64_t *a = ab; + uint64_t *b = ab + 4U; fadd0(a, x2, z2); fsub0(b, x2, z2); + uint64_t *ab1 = tmp1; uint64_t *x3 = nq_p1; uint64_t *z31 = nq_p1 + 4U; uint64_t *d0 = dc; uint64_t *c0 = dc + 4U; fadd0(c0, x3, z31); fsub0(d0, x3, z31); - fmul20(dc, dc, ab, tmp2); - fadd0(x3, d0, c0); - fsub0(z31, d0, c0); - uint64_t *a1 = tmp1; - uint64_t *b1 = tmp1 + 4U; - uint64_t *d = tmp1 + 8U; - uint64_t *c = tmp1 + 12U; - uint64_t *ab1 = tmp1; + uint64_t f1_copy0[8U] = { 0U }; + memcpy(f1_copy0, dc, 8U * sizeof (uint64_t)); + fmul20(dc, f1_copy0, ab1, tmp2); + uint64_t *d1 = dc; + uint64_t *c1 = dc + 4U; + fadd0(x3, d1, c1); + fsub0(z31, d1, c1); + uint64_t *ab2 = tmp1; uint64_t *dc1 = tmp1 + 8U; - fsqr20(dc1, ab1, tmp2); - fsqr20(nq_p1, nq_p1, tmp2); + fsqr20(dc1, ab2, tmp2); + uint64_t f1_copy1[8U] = { 0U }; + memcpy(f1_copy1, nq_p1, 8U * sizeof (uint64_t)); + fsqr20(nq_p1, f1_copy1, tmp2); + uint64_t *a1 = ab2; + uint64_t *b1 = ab2 + 4U; + uint64_t *d = dc1; + uint64_t *c = dc1 + 4U; a1[0U] = c[0U]; a1[1U] = c[1U]; a1[2U] = c[2U]; a1[3U] = c[3U]; - fsub0(c, d, c); + uint64_t f2_copy[4U] = { 0U }; + memcpy(f2_copy, c, 4U * sizeof (uint64_t)); + fsub0(c, d, f2_copy); fmul_scalar0(b1, c, 121665ULL); - fadd0(b1, b1, d); - fmul20(nq, dc1, ab1, tmp2); - fmul0(z3, z3, x1, tmp2); + uint64_t f1_copy2[4U] = { 0U }; + memcpy(f1_copy2, b1, 4U * sizeof (uint64_t)); + fadd0(b1, f1_copy2, d); + uint64_t *ab3 = tmp1; + uint64_t *dc2 = tmp1 + 8U; + fmul20(nq, dc2, ab3, tmp2); + uint64_t *z310 = nq_p1 + 4U; + uint64_t f1_copy[4U] = { 0U }; + memcpy(f1_copy, z310, 4U * sizeof (uint64_t)); + fmul0(z310, f1_copy, x1, tmp2); } static void point_double(uint64_t *nq, uint64_t *tmp1, uint64_t *tmp2) { uint64_t *x2 = nq; uint64_t *z2 = nq + 4U; - uint64_t *a = tmp1; - uint64_t *b = tmp1 + 4U; - uint64_t *d = tmp1 + 8U; - uint64_t *c = tmp1 + 12U; uint64_t *ab = tmp1; uint64_t *dc = tmp1 + 8U; + uint64_t *a = ab; + uint64_t *b = ab + 4U; fadd0(a, x2, z2); fsub0(b, x2, z2); fsqr20(dc, ab, tmp2); - a[0U] = c[0U]; - a[1U] = c[1U]; - a[2U] = c[2U]; - a[3U] = c[3U]; - fsub0(c, d, c); - fmul_scalar0(b, c, 121665ULL); - fadd0(b, b, d); - fmul20(nq, dc, ab, tmp2); + uint64_t *d = dc; + uint64_t *c = dc + 4U; + uint64_t *a1 = ab; + uint64_t *b1 = ab + 4U; + a1[0U] = c[0U]; + a1[1U] = c[1U]; + a1[2U] = c[2U]; + a1[3U] = c[3U]; + uint64_t f2_copy[4U] = { 0U }; + memcpy(f2_copy, c, 4U * sizeof (uint64_t)); + fsub0(c, d, f2_copy); + fmul_scalar0(b1, c, 121665ULL); + uint64_t f1_copy[4U] = { 0U }; + memcpy(f1_copy, b1, 4U * sizeof (uint64_t)); + fadd0(b1, f1_copy, d); + uint64_t *ab1 = tmp1; + uint64_t *dc1 = tmp1 + 8U; + fmul20(nq, dc1, ab1, tmp2); } static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) { uint64_t tmp2[16U] = { 0U }; uint64_t p01_tmp1_swap[33U] = { 0U }; - uint64_t *p0 = p01_tmp1_swap; uint64_t *p01 = p01_tmp1_swap; uint64_t *p03 = p01; uint64_t *p11 = p01 + 8U; @@ -198,34 +220,39 @@ static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init) z0[1U] = 0ULL; z0[2U] = 0ULL; z0[3U] = 0ULL; + uint64_t *swap = p01_tmp1_swap + 32U; uint64_t *p01_tmp1 = p01_tmp1_swap; + uint64_t *nq0 = p01_tmp1; + uint64_t *nq_p1 = p01_tmp1 + 8U; + cswap20(1ULL, nq0, nq_p1); uint64_t *p01_tmp11 = p01_tmp1_swap; - uint64_t *nq1 = p01_tmp1_swap; - uint64_t *nq_p11 = p01_tmp1_swap + 8U; - uint64_t *swap = p01_tmp1_swap + 32U; - cswap20(1ULL, nq1, nq_p11); point_add_and_double(init, p01_tmp11, tmp2); swap[0U] = 1ULL; for (uint32_t i = 0U; i < 251U; i++) { uint64_t *p01_tmp12 = p01_tmp1_swap; uint64_t *swap1 = p01_tmp1_swap + 32U; - uint64_t *nq2 = p01_tmp12; - uint64_t *nq_p12 = p01_tmp12 + 8U; + uint64_t *nq1 = p01_tmp12; + uint64_t *nq_p11 = p01_tmp12 + 8U; uint64_t bit = (uint64_t)((uint32_t)key[(253U - i) / 8U] >> (253U - i) % 8U & 1U); uint64_t sw = swap1[0U] ^ bit; - cswap20(sw, nq2, nq_p12); + cswap20(sw, nq1, nq_p11); point_add_and_double(init, p01_tmp12, tmp2); swap1[0U] = bit; } uint64_t sw = swap[0U]; + uint64_t *p01_tmp12 = p01_tmp1_swap; + uint64_t *nq1 = p01_tmp12; + uint64_t *nq_p11 = p01_tmp12 + 8U; cswap20(sw, nq1, nq_p11); - uint64_t *nq10 = p01_tmp1; - uint64_t *tmp1 = p01_tmp1 + 16U; - point_double(nq10, tmp1, tmp2); - point_double(nq10, tmp1, tmp2); - point_double(nq10, tmp1, tmp2); - memcpy(out, p0, 8U * sizeof (uint64_t)); + uint64_t *p01_tmp10 = p01_tmp1_swap; + uint64_t *nq = p01_tmp10; + uint64_t *tmp1 = p01_tmp10 + 16U; + point_double(nq, tmp1, tmp2); + point_double(nq, tmp1, tmp2); + point_double(nq, tmp1, tmp2); + uint64_t *p010 = p01_tmp1_swap; + memcpy(out, p010, 8U * sizeof (uint64_t)); } static void fsquare_times(uint64_t *o, uint64_t *inp, uint64_t *tmp, uint32_t n) @@ -233,7 +260,9 @@ static void fsquare_times(uint64_t *o, uint64_t *inp, uint64_t *tmp, uint32_t n) fsqr0(o, inp, tmp); for (uint32_t i = 0U; i < n - 1U; i++) { - fsqr0(o, o, tmp); + uint64_t f1_copy[4U] = { 0U }; + memcpy(f1_copy, o, 4U * sizeof (uint64_t)); + fsqr0(o, f1_copy, tmp); } } @@ -247,32 +276,59 @@ static void finv(uint64_t *o, uint64_t *i, uint64_t *tmp) fsquare_times(a1, i, tmp10, 1U); fsquare_times(t010, a1, tmp10, 2U); fmul0(b1, t010, i, tmp); - fmul0(a1, b1, a1, tmp); - fsquare_times(t010, a1, tmp10, 1U); - fmul0(b1, t010, b1, tmp); - fsquare_times(t010, b1, tmp10, 5U); - fmul0(b1, t010, b1, tmp); + uint64_t f2_copy[4U] = { 0U }; + memcpy(f2_copy, a1, 4U * sizeof (uint64_t)); + fmul0(a1, b1, f2_copy, tmp); + uint64_t *tmp11 = tmp; + fsquare_times(t010, a1, tmp11, 1U); + uint64_t f2_copy0[4U] = { 0U }; + memcpy(f2_copy0, b1, 4U * sizeof (uint64_t)); + fmul0(b1, t010, f2_copy0, tmp); + uint64_t *tmp12 = tmp; + fsquare_times(t010, b1, tmp12, 5U); + uint64_t f2_copy1[4U] = { 0U }; + memcpy(f2_copy1, b1, 4U * sizeof (uint64_t)); + fmul0(b1, t010, f2_copy1, tmp); uint64_t *b10 = t1 + 4U; uint64_t *c10 = t1 + 8U; uint64_t *t011 = t1 + 12U; - uint64_t *tmp11 = tmp; - fsquare_times(t011, b10, tmp11, 10U); + uint64_t *tmp13 = tmp; + fsquare_times(t011, b10, tmp13, 10U); fmul0(c10, t011, b10, tmp); - fsquare_times(t011, c10, tmp11, 20U); - fmul0(t011, t011, c10, tmp); - fsquare_times(t011, t011, tmp11, 10U); - fmul0(b10, t011, b10, tmp); - fsquare_times(t011, b10, tmp11, 50U); + uint64_t *tmp110 = tmp; + fsquare_times(t011, c10, tmp110, 20U); + uint64_t f1_copy[4U] = { 0U }; + memcpy(f1_copy, t011, 4U * sizeof (uint64_t)); + fmul0(t011, f1_copy, c10, tmp); + uint64_t *tmp120 = tmp; + uint64_t i_copy0[4U] = { 0U }; + memcpy(i_copy0, t011, 4U * sizeof (uint64_t)); + fsquare_times(t011, i_copy0, tmp120, 10U); + uint64_t f2_copy2[4U] = { 0U }; + memcpy(f2_copy2, b10, 4U * sizeof (uint64_t)); + fmul0(b10, t011, f2_copy2, tmp); + uint64_t *tmp130 = tmp; + fsquare_times(t011, b10, tmp130, 50U); fmul0(c10, t011, b10, tmp); uint64_t *b11 = t1 + 4U; uint64_t *c1 = t1 + 8U; uint64_t *t01 = t1 + 12U; uint64_t *tmp1 = tmp; fsquare_times(t01, c1, tmp1, 100U); - fmul0(t01, t01, c1, tmp); - fsquare_times(t01, t01, tmp1, 50U); - fmul0(t01, t01, b11, tmp); - fsquare_times(t01, t01, tmp1, 5U); + uint64_t f1_copy0[4U] = { 0U }; + memcpy(f1_copy0, t01, 4U * sizeof (uint64_t)); + fmul0(t01, f1_copy0, c1, tmp); + uint64_t *tmp111 = tmp; + uint64_t i_copy1[4U] = { 0U }; + memcpy(i_copy1, t01, 4U * sizeof (uint64_t)); + fsquare_times(t01, i_copy1, tmp111, 50U); + uint64_t f1_copy1[4U] = { 0U }; + memcpy(f1_copy1, t01, 4U * sizeof (uint64_t)); + fmul0(t01, f1_copy1, b11, tmp); + uint64_t *tmp121 = tmp; + uint64_t i_copy[4U] = { 0U }; + memcpy(i_copy, t01, 4U * sizeof (uint64_t)); + fsquare_times(t01, i_copy, tmp121, 5U); uint64_t *a = t1; uint64_t *t0 = t1 + 12U; fmul0(o, t0, a, tmp); @@ -319,7 +375,9 @@ static void encode_point(uint8_t *o, uint64_t *i) uint64_t u64s[4U] = { 0U }; uint64_t tmp_w[16U] = { 0U }; finv(tmp, z, tmp_w); - fmul0(tmp, tmp, x, tmp_w); + uint64_t f1_copy[4U] = { 0U }; + memcpy(f1_copy, tmp, 4U * sizeof (uint64_t)); + fmul0(tmp, f1_copy, x, tmp_w); store_felem(u64s, tmp); KRML_MAYBE_FOR4(i0, 0U, 4U, 1U, store64_le(o + i0 * 8U, u64s[i0]);); } @@ -334,16 +392,17 @@ Compute the scalar multiple of a point. void Hacl_Curve25519_64_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub) { uint64_t init[8U] = { 0U }; + uint64_t init_copy[8U] = { 0U }; uint64_t tmp[4U] = { 0U }; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = tmp; uint8_t *bj = pub + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = tmp; os[i] = x;); uint64_t tmp3 = tmp[3U]; tmp[3U] = tmp3 & 0x7fffffffffffffffULL; @@ -357,7 +416,8 @@ void Hacl_Curve25519_64_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub) x[1U] = tmp[1U]; x[2U] = tmp[2U]; x[3U] = tmp[3U]; - montgomery_ladder(init, priv, init); + memcpy(init_copy, init, 8U * sizeof (uint64_t)); + montgomery_ladder(init, priv, init_copy); encode_point(out, init); } @@ -374,8 +434,8 @@ void Hacl_Curve25519_64_secret_to_public(uint8_t *pub, uint8_t *priv) uint8_t basepoint[32U] = { 0U }; for (uint32_t i = 0U; i < 32U; i++) { - uint8_t *os = basepoint; uint8_t x = g25519[i]; + uint8_t *os = basepoint; os[i] = x; } Hacl_Curve25519_64_scalarmult(pub, priv, basepoint); diff --git a/src/Hacl_EC_K256.c b/src/Hacl_EC_K256.c index 581c223b..d5f6e1a9 100644 --- a/src/Hacl_EC_K256.c +++ b/src/Hacl_EC_K256.c @@ -267,9 +267,9 @@ void Hacl_EC_K256_point_mul(uint8_t *scalar, uint64_t *p, uint64_t *out) 0U, 4U, 1U, - uint64_t *os = scalar_q; uint64_t u = load64_be(scalar + (4U - i - 1U) * 8U); uint64_t x = u; + uint64_t *os = scalar_q; os[i] = x;); Hacl_Impl_K256_PointMul_point_mul(out, scalar_q, p); } diff --git a/src/Hacl_Ed25519.c b/src/Hacl_Ed25519.c index 05d96cd0..124369fb 100644 --- a/src/Hacl_Ed25519.c +++ b/src/Hacl_Ed25519.c @@ -215,11 +215,11 @@ void Hacl_Bignum25519_load_51(uint64_t *output, uint8_t *input) 0U, 4U, 1U, - uint64_t *os = u64s; uint8_t *bj = input + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = u64s; os[i] = x;); uint64_t u64s3 = u64s[3U]; u64s[3U] = u64s3 & 0x7fffffffffffffffULL; @@ -1246,11 +1246,11 @@ void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *out, uint8_t *scalar, uint64_t 0U, 4U, 1U, - uint64_t *os = bscalar; uint8_t *bj = scalar + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = bscalar; os[i] = x;); uint64_t table[320U] = { 0U }; uint64_t tmp[20U] = { 0U }; @@ -1258,6 +1258,7 @@ void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *out, uint8_t *scalar, uint64_t uint64_t *t1 = table + 20U; Hacl_Impl_Ed25519_PointConstants_make_point_inf(t0); memcpy(t1, q, 20U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, @@ -1284,8 +1285,8 @@ void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *out, uint8_t *scalar, uint64_t const uint64_t *res_j = table + (i1 + 1U) * 20U; for (uint32_t i = 0U; i < 20U; i++) { - uint64_t *os = tmp0; uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint64_t *os = tmp0; os[i] = x; }); Hacl_Impl_Ed25519_PointAdd_point_add(out, out, tmp0); @@ -1303,8 +1304,8 @@ static inline void precomp_get_consttime(const uint64_t *table, uint64_t bits_l, const uint64_t *res_j = table + (i0 + 1U) * 20U; for (uint32_t i = 0U; i < 20U; i++) { - uint64_t *os = tmp; uint64_t x = (c & res_j[i]) | (~c & tmp[i]); + uint64_t *os = tmp; os[i] = x; }); } @@ -1316,11 +1317,11 @@ static inline void point_mul_g(uint64_t *out, uint8_t *scalar) 0U, 4U, 1U, - uint64_t *os = bscalar; uint8_t *bj = scalar + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = bscalar; os[i] = x;); uint64_t q1[20U] = { 0U }; uint64_t *gx = q1; @@ -1441,21 +1442,21 @@ point_mul_g_double_vartime(uint64_t *out, uint8_t *scalar1, uint8_t *scalar2, ui 0U, 4U, 1U, - uint64_t *os = bscalar1; uint8_t *bj = scalar1 + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = bscalar1; os[i] = x;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = bscalar2; uint8_t *bj = scalar2 + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = bscalar2; os[i] = x;); uint64_t table2[640U] = { 0U }; uint64_t tmp1[20U] = { 0U }; @@ -1463,6 +1464,7 @@ point_mul_g_double_vartime(uint64_t *out, uint8_t *scalar1, uint8_t *scalar2, ui uint64_t *t1 = table2 + 20U; Hacl_Impl_Ed25519_PointConstants_make_point_inf(t0); memcpy(t1, q2, 20U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table2); KRML_MAYBE_FOR15(i, 0U, 15U, @@ -1712,8 +1714,8 @@ static inline void secret_expand(uint8_t *expanded, uint8_t *secret) /** Compute the public key from the private key. - The outparam `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. + @param[out] public_key Points to 32 bytes of valid memory, i.e., `uint8_t[32]`. Must not overlap the memory location of `private_key`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. */ void Hacl_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key) { @@ -1726,8 +1728,8 @@ void Hacl_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key) /** Compute the expanded keys for an Ed25519 signature. - The outparam `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. + @param[out] expanded_keys Points to 96 bytes of valid memory, i.e., `uint8_t[96]`. Must not overlap the memory location of `private_key`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. If one needs to sign several messages under the same private key, it is more efficient to call `expand_keys` only once and `sign_expanded` multiple times, for each message. @@ -1744,11 +1746,10 @@ void Hacl_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *private_key) /** Create an Ed25519 signature with the (precomputed) expanded keys. - The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. - The argument `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. - - The argument `expanded_keys` is obtained through `expand_keys`. + @param[out] signature Points to 64 bytes of valid memory, i.e., `uint8_t[64]`. Must not overlap the memory locations of `expanded_keys` nor `msg`. + @param[in] expanded_keys Points to 96 bytes of valid memory, i.e., `uint8_t[96]`, containing the expanded keys obtained by invoking `expand_keys`. + @param[in] msg_len Length of `msg`. + @param[in] msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. If one needs to sign several messages under the same private key, it is more efficient to call `expand_keys` only once and `sign_expanded` multiple times, for each message. @@ -1783,9 +1784,10 @@ Hacl_Ed25519_sign_expanded( /** Create an Ed25519 signature. - The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + @param[out] signature Points to 64 bytes of valid memory, i.e., `uint8_t[64]`. Must not overlap the memory locations of `private_key` nor `msg`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. + @param[in] msg_len Length of `msg`. + @param[in] msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. The function first calls `expand_keys` and then invokes `sign_expanded`. @@ -1803,11 +1805,12 @@ Hacl_Ed25519_sign(uint8_t *signature, uint8_t *private_key, uint32_t msg_len, ui /** Verify an Ed25519 signature. - The function returns `true` if the signature is valid and `false` otherwise. + @param public_key Points to 32 bytes of valid memory containing the public key, i.e., `uint8_t[32]`. + @param msg_len Length of `msg`. + @param msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. + @param signature Points to 64 bytes of valid memory containing the signature, i.e., `uint8_t[64]`. - The argument `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. - The argument `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. + @return Returns `true` if the signature is valid and `false` otherwise. */ bool Hacl_Ed25519_verify(uint8_t *public_key, uint32_t msg_len, uint8_t *msg, uint8_t *signature) diff --git a/src/Hacl_FFDHE.c b/src/Hacl_FFDHE.c index 098aa607..8e5c94f1 100644 --- a/src/Hacl_FFDHE.c +++ b/src/Hacl_FFDHE.c @@ -140,8 +140,8 @@ static inline void ffdhe_precomp_p(Spec_FFDHE_ffdhe_alg a, uint64_t *p_r2_n) uint32_t len = ffdhe_len(a); for (uint32_t i = 0U; i < len; i++) { - uint8_t *os = p_s; uint8_t x = p[i]; + uint8_t *os = p_s; os[i] = x; } Hacl_Bignum_Convert_bn_from_bytes_be_uint64(ffdhe_len(a), p_s, p_n); @@ -279,8 +279,8 @@ Hacl_FFDHE_ffdhe_secret_to_public_precomp( memset(g_n, 0U, nLen * sizeof (uint64_t)); uint8_t g = 0U; { - uint8_t *os = &g; uint8_t x = Hacl_Impl_FFDHE_Constants_ffdhe_g2[0U]; + uint8_t *os = &g; os[0U] = x; } Hacl_Bignum_Convert_bn_from_bytes_be_uint64(1U, &g, g_n); diff --git a/src/Hacl_Frodo1344.c b/src/Hacl_Frodo1344.c index a565a85b..5eac4a49 100644 --- a/src/Hacl_Frodo1344.c +++ b/src/Hacl_Frodo1344.c @@ -55,7 +55,7 @@ uint32_t Hacl_Frodo1344_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) shake_input_seed_se[0U] = 0x5fU; memcpy(shake_input_seed_se + 1U, seed_se, 32U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(33U, shake_input_seed_se, 43008U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(1344U, 8U, r, s_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(1344U, 8U, r + 21504U, e_matrix); uint16_t b_matrix[10752U] = { 0U }; @@ -66,14 +66,14 @@ uint32_t Hacl_Frodo1344_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) Hacl_Impl_Matrix_matrix_add(1344U, 8U, b_matrix, e_matrix); Hacl_Impl_Frodo_Pack_frodo_pack(1344U, 8U, 16U, b_matrix, b_bytes); Hacl_Impl_Matrix_matrix_to_lbytes(1344U, 8U, s_matrix, s_bytes); - Lib_Memzero0_memzero(s_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(e_matrix, 10752U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(e_matrix, 10752U, uint16_t, void *); uint32_t slen1 = 43056U; uint8_t *sk_p = sk; memcpy(sk_p, s, 32U * sizeof (uint8_t)); memcpy(sk_p + 32U, pk, 21520U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(21520U, pk, 32U, sk + slen1); - Lib_Memzero0_memzero(coins, 80U, uint8_t); + Lib_Memzero0_memzero(coins, 80U, uint8_t, void *); return 0U; } @@ -98,7 +98,7 @@ uint32_t Hacl_Frodo1344_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 32U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(33U, shake_input_seed_se, 43136U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 1344U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 1344U, r + 21504U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 8U, r + 43008U, epp_matrix); @@ -119,12 +119,12 @@ uint32_t Hacl_Frodo1344_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(16U, 4U, 8U, coins, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, v_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Frodo_Pack_frodo_pack(8U, 8U, 16U, v_matrix, c2); - Lib_Memzero0_memzero(v_matrix, 64U, uint16_t); - Lib_Memzero0_memzero(sp_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(v_matrix, 64U, uint16_t, void *); + Lib_Memzero0_memzero(sp_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint32_t ss_init_len = 21664U; KRML_CHECK_SIZE(sizeof (uint8_t), ss_init_len); uint8_t shake_input_ss[ss_init_len]; @@ -132,9 +132,9 @@ uint32_t Hacl_Frodo1344_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) memcpy(shake_input_ss, ct, 21632U * sizeof (uint8_t)); memcpy(shake_input_ss + 21632U, k, 32U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(ss_init_len, shake_input_ss, 32U, ss); - Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 64U, uint8_t); - Lib_Memzero0_memzero(coins, 32U, uint8_t); + Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 64U, uint8_t, void *); + Lib_Memzero0_memzero(coins, 32U, uint8_t, void *); return 0U; } @@ -154,8 +154,8 @@ uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) Hacl_Impl_Matrix_matrix_mul_s(8U, 1344U, 8U, bp_matrix, s_matrix, m_matrix); Hacl_Impl_Matrix_matrix_sub(8U, 8U, c_matrix, m_matrix); Hacl_Impl_Frodo_Encode_frodo_key_decode(16U, 4U, 8U, m_matrix, mu_decode); - Lib_Memzero0_memzero(s_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(m_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(m_matrix, 64U, uint16_t, void *); uint8_t seed_se_k[64U] = { 0U }; uint32_t pkh_mu_decode_len = 64U; KRML_CHECK_SIZE(sizeof (uint8_t), pkh_mu_decode_len); @@ -178,7 +178,7 @@ uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 32U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(33U, shake_input_seed_se, 43136U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 1344U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 1344U, r + 21504U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 8U, r + 43008U, epp_matrix); @@ -197,12 +197,12 @@ uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(16U, 4U, 8U, mu_decode, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, cp_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Matrix_mod_pow2(8U, 1344U, 16U, bpp_matrix); Hacl_Impl_Matrix_mod_pow2(8U, 8U, 16U, cp_matrix); - Lib_Memzero0_memzero(sp_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(sp_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint16_t b1 = Hacl_Impl_Matrix_matrix_eq(8U, 1344U, bp_matrix, bpp_matrix); uint16_t b2 = Hacl_Impl_Matrix_matrix_eq(8U, 8U, c_matrix, cp_matrix); uint16_t mask = (uint32_t)b1 & (uint32_t)b2; @@ -210,10 +210,10 @@ uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) uint8_t kp_s[32U] = { 0U }; for (uint32_t i = 0U; i < 32U; i++) { - uint8_t *os = kp_s; uint8_t uu____0 = s[i]; uint8_t x = (uint32_t)uu____0 ^ ((uint32_t)(uint8_t)mask0 & ((uint32_t)kp[i] ^ (uint32_t)uu____0)); + uint8_t *os = kp_s; os[i] = x; } uint32_t ss_init_len = 21664U; @@ -223,10 +223,10 @@ uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) memcpy(ss_init, ct, 21632U * sizeof (uint8_t)); memcpy(ss_init + 21632U, kp_s, 32U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(ss_init_len, ss_init, 32U, ss); - Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t); - Lib_Memzero0_memzero(kp_s, 32U, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 64U, uint8_t); - Lib_Memzero0_memzero(mu_decode, 32U, uint8_t); + Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(kp_s, 32U, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 64U, uint8_t, void *); + Lib_Memzero0_memzero(mu_decode, 32U, uint8_t, void *); return 0U; } diff --git a/src/Hacl_Frodo64.c b/src/Hacl_Frodo64.c index 91434038..c36db3a8 100644 --- a/src/Hacl_Frodo64.c +++ b/src/Hacl_Frodo64.c @@ -60,7 +60,7 @@ uint32_t Hacl_Frodo64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) shake_input_seed_se[0U] = 0x5fU; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 2048U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(64U, 8U, r, s_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(64U, 8U, r + 1024U, e_matrix); uint16_t b_matrix[512U] = { 0U }; @@ -70,14 +70,14 @@ uint32_t Hacl_Frodo64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) Hacl_Impl_Matrix_matrix_add(64U, 8U, b_matrix, e_matrix); Hacl_Impl_Frodo_Pack_frodo_pack(64U, 8U, 15U, b_matrix, b_bytes); Hacl_Impl_Matrix_matrix_to_lbytes(64U, 8U, s_matrix, s_bytes); - Lib_Memzero0_memzero(s_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(e_matrix, 512U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(e_matrix, 512U, uint16_t, void *); uint32_t slen1 = 2016U; uint8_t *sk_p = sk; memcpy(sk_p, s, 16U * sizeof (uint8_t)); memcpy(sk_p + 16U, pk, 976U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(976U, pk, 16U, sk + slen1); - Lib_Memzero0_memzero(coins, 48U, uint8_t); + Lib_Memzero0_memzero(coins, 48U, uint8_t, void *); return 0U; } @@ -102,7 +102,7 @@ uint32_t Hacl_Frodo64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 2176U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 64U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 64U, r + 1024U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 8U, r + 2048U, epp_matrix); @@ -122,12 +122,12 @@ uint32_t Hacl_Frodo64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(15U, 2U, 8U, coins, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, v_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Frodo_Pack_frodo_pack(8U, 8U, 15U, v_matrix, c2); - Lib_Memzero0_memzero(v_matrix, 64U, uint16_t); - Lib_Memzero0_memzero(sp_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(v_matrix, 64U, uint16_t, void *); + Lib_Memzero0_memzero(sp_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint32_t ss_init_len = 1096U; KRML_CHECK_SIZE(sizeof (uint8_t), ss_init_len); uint8_t shake_input_ss[ss_init_len]; @@ -135,9 +135,9 @@ uint32_t Hacl_Frodo64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) memcpy(shake_input_ss, ct, 1080U * sizeof (uint8_t)); memcpy(shake_input_ss + 1080U, k, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(ss_init_len, shake_input_ss, 16U, ss); - Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t); - Lib_Memzero0_memzero(coins, 16U, uint8_t); + Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t, void *); + Lib_Memzero0_memzero(coins, 16U, uint8_t, void *); return 0U; } @@ -157,8 +157,8 @@ uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) Hacl_Impl_Matrix_matrix_mul_s(8U, 64U, 8U, bp_matrix, s_matrix, m_matrix); Hacl_Impl_Matrix_matrix_sub(8U, 8U, c_matrix, m_matrix); Hacl_Impl_Frodo_Encode_frodo_key_decode(15U, 2U, 8U, m_matrix, mu_decode); - Lib_Memzero0_memzero(s_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(m_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(m_matrix, 64U, uint16_t, void *); uint8_t seed_se_k[32U] = { 0U }; uint32_t pkh_mu_decode_len = 32U; KRML_CHECK_SIZE(sizeof (uint8_t), pkh_mu_decode_len); @@ -181,7 +181,7 @@ uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 2176U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 64U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 64U, r + 1024U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 8U, r + 2048U, epp_matrix); @@ -199,12 +199,12 @@ uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(15U, 2U, 8U, mu_decode, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, cp_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Matrix_mod_pow2(8U, 64U, 15U, bpp_matrix); Hacl_Impl_Matrix_mod_pow2(8U, 8U, 15U, cp_matrix); - Lib_Memzero0_memzero(sp_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(sp_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint16_t b1 = Hacl_Impl_Matrix_matrix_eq(8U, 64U, bp_matrix, bpp_matrix); uint16_t b2 = Hacl_Impl_Matrix_matrix_eq(8U, 8U, c_matrix, cp_matrix); uint16_t mask = (uint32_t)b1 & (uint32_t)b2; @@ -214,10 +214,10 @@ uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) 0U, 16U, 1U, - uint8_t *os = kp_s; uint8_t uu____0 = s[i]; uint8_t x = (uint32_t)uu____0 ^ ((uint32_t)(uint8_t)mask0 & ((uint32_t)kp[i] ^ (uint32_t)uu____0)); + uint8_t *os = kp_s; os[i] = x;); uint32_t ss_init_len = 1096U; KRML_CHECK_SIZE(sizeof (uint8_t), ss_init_len); @@ -226,10 +226,10 @@ uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) memcpy(ss_init, ct, 1080U * sizeof (uint8_t)); memcpy(ss_init + 1080U, kp_s, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(ss_init_len, ss_init, 16U, ss); - Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t); - Lib_Memzero0_memzero(kp_s, 16U, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t); - Lib_Memzero0_memzero(mu_decode, 16U, uint8_t); + Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(kp_s, 16U, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t, void *); + Lib_Memzero0_memzero(mu_decode, 16U, uint8_t, void *); return 0U; } diff --git a/src/Hacl_Frodo640.c b/src/Hacl_Frodo640.c index 8baaee46..9efd01a8 100644 --- a/src/Hacl_Frodo640.c +++ b/src/Hacl_Frodo640.c @@ -55,7 +55,7 @@ uint32_t Hacl_Frodo640_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) shake_input_seed_se[0U] = 0x5fU; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 20480U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(640U, 8U, r, s_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(640U, 8U, r + 10240U, e_matrix); uint16_t b_matrix[5120U] = { 0U }; @@ -66,14 +66,14 @@ uint32_t Hacl_Frodo640_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) Hacl_Impl_Matrix_matrix_add(640U, 8U, b_matrix, e_matrix); Hacl_Impl_Frodo_Pack_frodo_pack(640U, 8U, 15U, b_matrix, b_bytes); Hacl_Impl_Matrix_matrix_to_lbytes(640U, 8U, s_matrix, s_bytes); - Lib_Memzero0_memzero(s_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(e_matrix, 5120U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(e_matrix, 5120U, uint16_t, void *); uint32_t slen1 = 19872U; uint8_t *sk_p = sk; memcpy(sk_p, s, 16U * sizeof (uint8_t)); memcpy(sk_p + 16U, pk, 9616U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(9616U, pk, 16U, sk + slen1); - Lib_Memzero0_memzero(coins, 48U, uint8_t); + Lib_Memzero0_memzero(coins, 48U, uint8_t, void *); return 0U; } @@ -98,7 +98,7 @@ uint32_t Hacl_Frodo640_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 20608U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 640U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 640U, r + 10240U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 8U, r + 20480U, epp_matrix); @@ -119,12 +119,12 @@ uint32_t Hacl_Frodo640_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(15U, 2U, 8U, coins, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, v_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Frodo_Pack_frodo_pack(8U, 8U, 15U, v_matrix, c2); - Lib_Memzero0_memzero(v_matrix, 64U, uint16_t); - Lib_Memzero0_memzero(sp_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(v_matrix, 64U, uint16_t, void *); + Lib_Memzero0_memzero(sp_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint32_t ss_init_len = 9736U; KRML_CHECK_SIZE(sizeof (uint8_t), ss_init_len); uint8_t shake_input_ss[ss_init_len]; @@ -132,9 +132,9 @@ uint32_t Hacl_Frodo640_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) memcpy(shake_input_ss, ct, 9720U * sizeof (uint8_t)); memcpy(shake_input_ss + 9720U, k, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(ss_init_len, shake_input_ss, 16U, ss); - Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t); - Lib_Memzero0_memzero(coins, 16U, uint8_t); + Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t, void *); + Lib_Memzero0_memzero(coins, 16U, uint8_t, void *); return 0U; } @@ -154,8 +154,8 @@ uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) Hacl_Impl_Matrix_matrix_mul_s(8U, 640U, 8U, bp_matrix, s_matrix, m_matrix); Hacl_Impl_Matrix_matrix_sub(8U, 8U, c_matrix, m_matrix); Hacl_Impl_Frodo_Encode_frodo_key_decode(15U, 2U, 8U, m_matrix, mu_decode); - Lib_Memzero0_memzero(s_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(m_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(m_matrix, 64U, uint16_t, void *); uint8_t seed_se_k[32U] = { 0U }; uint32_t pkh_mu_decode_len = 32U; KRML_CHECK_SIZE(sizeof (uint8_t), pkh_mu_decode_len); @@ -178,7 +178,7 @@ uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 20608U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 640U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 640U, r + 10240U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 8U, r + 20480U, epp_matrix); @@ -197,12 +197,12 @@ uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(15U, 2U, 8U, mu_decode, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, cp_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Matrix_mod_pow2(8U, 640U, 15U, bpp_matrix); Hacl_Impl_Matrix_mod_pow2(8U, 8U, 15U, cp_matrix); - Lib_Memzero0_memzero(sp_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(sp_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint16_t b1 = Hacl_Impl_Matrix_matrix_eq(8U, 640U, bp_matrix, bpp_matrix); uint16_t b2 = Hacl_Impl_Matrix_matrix_eq(8U, 8U, c_matrix, cp_matrix); uint16_t mask = (uint32_t)b1 & (uint32_t)b2; @@ -212,10 +212,10 @@ uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) 0U, 16U, 1U, - uint8_t *os = kp_s; uint8_t uu____0 = s[i]; uint8_t x = (uint32_t)uu____0 ^ ((uint32_t)(uint8_t)mask0 & ((uint32_t)kp[i] ^ (uint32_t)uu____0)); + uint8_t *os = kp_s; os[i] = x;); uint32_t ss_init_len = 9736U; KRML_CHECK_SIZE(sizeof (uint8_t), ss_init_len); @@ -224,10 +224,10 @@ uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) memcpy(ss_init, ct, 9720U * sizeof (uint8_t)); memcpy(ss_init + 9720U, kp_s, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(ss_init_len, ss_init, 16U, ss); - Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t); - Lib_Memzero0_memzero(kp_s, 16U, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t); - Lib_Memzero0_memzero(mu_decode, 16U, uint8_t); + Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(kp_s, 16U, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t, void *); + Lib_Memzero0_memzero(mu_decode, 16U, uint8_t, void *); return 0U; } diff --git a/src/Hacl_Frodo976.c b/src/Hacl_Frodo976.c index 76d78a30..c55fb93b 100644 --- a/src/Hacl_Frodo976.c +++ b/src/Hacl_Frodo976.c @@ -55,7 +55,7 @@ uint32_t Hacl_Frodo976_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) shake_input_seed_se[0U] = 0x5fU; memcpy(shake_input_seed_se + 1U, seed_se, 24U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(25U, shake_input_seed_se, 31232U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(976U, 8U, r, s_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(976U, 8U, r + 15616U, e_matrix); uint16_t b_matrix[7808U] = { 0U }; @@ -66,14 +66,14 @@ uint32_t Hacl_Frodo976_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) Hacl_Impl_Matrix_matrix_add(976U, 8U, b_matrix, e_matrix); Hacl_Impl_Frodo_Pack_frodo_pack(976U, 8U, 16U, b_matrix, b_bytes); Hacl_Impl_Matrix_matrix_to_lbytes(976U, 8U, s_matrix, s_bytes); - Lib_Memzero0_memzero(s_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(e_matrix, 7808U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(e_matrix, 7808U, uint16_t, void *); uint32_t slen1 = 31272U; uint8_t *sk_p = sk; memcpy(sk_p, s, 24U * sizeof (uint8_t)); memcpy(sk_p + 24U, pk, 15632U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(15632U, pk, 24U, sk + slen1); - Lib_Memzero0_memzero(coins, 64U, uint8_t); + Lib_Memzero0_memzero(coins, 64U, uint8_t, void *); return 0U; } @@ -98,7 +98,7 @@ uint32_t Hacl_Frodo976_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 24U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(25U, shake_input_seed_se, 31360U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 976U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 976U, r + 15616U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 8U, r + 31232U, epp_matrix); @@ -119,12 +119,12 @@ uint32_t Hacl_Frodo976_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(16U, 3U, 8U, coins, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, v_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Frodo_Pack_frodo_pack(8U, 8U, 16U, v_matrix, c2); - Lib_Memzero0_memzero(v_matrix, 64U, uint16_t); - Lib_Memzero0_memzero(sp_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(v_matrix, 64U, uint16_t, void *); + Lib_Memzero0_memzero(sp_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint32_t ss_init_len = 15768U; KRML_CHECK_SIZE(sizeof (uint8_t), ss_init_len); uint8_t shake_input_ss[ss_init_len]; @@ -132,9 +132,9 @@ uint32_t Hacl_Frodo976_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) memcpy(shake_input_ss, ct, 15744U * sizeof (uint8_t)); memcpy(shake_input_ss + 15744U, k, 24U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(ss_init_len, shake_input_ss, 24U, ss); - Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 48U, uint8_t); - Lib_Memzero0_memzero(coins, 24U, uint8_t); + Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 48U, uint8_t, void *); + Lib_Memzero0_memzero(coins, 24U, uint8_t, void *); return 0U; } @@ -154,8 +154,8 @@ uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) Hacl_Impl_Matrix_matrix_mul_s(8U, 976U, 8U, bp_matrix, s_matrix, m_matrix); Hacl_Impl_Matrix_matrix_sub(8U, 8U, c_matrix, m_matrix); Hacl_Impl_Frodo_Encode_frodo_key_decode(16U, 3U, 8U, m_matrix, mu_decode); - Lib_Memzero0_memzero(s_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(m_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(m_matrix, 64U, uint16_t, void *); uint8_t seed_se_k[48U] = { 0U }; uint32_t pkh_mu_decode_len = 48U; KRML_CHECK_SIZE(sizeof (uint8_t), pkh_mu_decode_len); @@ -178,7 +178,7 @@ uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 24U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(25U, shake_input_seed_se, 31360U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 976U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 976U, r + 15616U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 8U, r + 31232U, epp_matrix); @@ -197,12 +197,12 @@ uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(16U, 3U, 8U, mu_decode, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, cp_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Matrix_mod_pow2(8U, 976U, 16U, bpp_matrix); Hacl_Impl_Matrix_mod_pow2(8U, 8U, 16U, cp_matrix); - Lib_Memzero0_memzero(sp_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(sp_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint16_t b1 = Hacl_Impl_Matrix_matrix_eq(8U, 976U, bp_matrix, bpp_matrix); uint16_t b2 = Hacl_Impl_Matrix_matrix_eq(8U, 8U, c_matrix, cp_matrix); uint16_t mask = (uint32_t)b1 & (uint32_t)b2; @@ -210,10 +210,10 @@ uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) uint8_t kp_s[24U] = { 0U }; for (uint32_t i = 0U; i < 24U; i++) { - uint8_t *os = kp_s; uint8_t uu____0 = s[i]; uint8_t x = (uint32_t)uu____0 ^ ((uint32_t)(uint8_t)mask0 & ((uint32_t)kp[i] ^ (uint32_t)uu____0)); + uint8_t *os = kp_s; os[i] = x; } uint32_t ss_init_len = 15768U; @@ -223,10 +223,10 @@ uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) memcpy(ss_init, ct, 15744U * sizeof (uint8_t)); memcpy(ss_init + 15744U, kp_s, 24U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(ss_init_len, ss_init, 24U, ss); - Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t); - Lib_Memzero0_memzero(kp_s, 24U, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 48U, uint8_t); - Lib_Memzero0_memzero(mu_decode, 24U, uint8_t); + Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(kp_s, 24U, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 48U, uint8_t, void *); + Lib_Memzero0_memzero(mu_decode, 24U, uint8_t, void *); return 0U; } diff --git a/src/Hacl_GenericField32.c b/src/Hacl_GenericField32.c index f509e6d4..34a8fb55 100644 --- a/src/Hacl_GenericField32.c +++ b/src/Hacl_GenericField32.c @@ -102,9 +102,9 @@ Deallocate the memory previously allocated by Hacl_GenericField32_field_init. */ void Hacl_GenericField32_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - uint32_t *n = k1.n; - uint32_t *r2 = k1.r2; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + uint32_t *n = uu____0.n; + uint32_t *r2 = uu____0.r2; KRML_HOST_FREE(n); KRML_HOST_FREE(r2); KRML_HOST_FREE(k); @@ -117,8 +117,7 @@ Return the size of a modulus `n` in limbs. */ uint32_t Hacl_GenericField32_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - return k1.len; + return (*k).len; } /** @@ -137,8 +136,8 @@ Hacl_GenericField32_to_field( ) { uint32_t len1 = Hacl_GenericField32_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - Hacl_Bignum_Montgomery_bn_to_mont_u32(len1, k1.n, k1.mu, k1.r2, a, aM); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + Hacl_Bignum_Montgomery_bn_to_mont_u32(len1, uu____0.n, uu____0.mu, uu____0.r2, a, aM); } /** @@ -158,8 +157,8 @@ Hacl_GenericField32_from_field( ) { uint32_t len1 = Hacl_GenericField32_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, aM, a); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, uu____0.n, uu____0.mu, aM, a); } /** @@ -177,8 +176,16 @@ Hacl_GenericField32_add( ) { uint32_t len1 = Hacl_GenericField32_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - Hacl_Bignum_bn_add_mod_n_u32(len1, k1.n, aM, bM, cM); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t a_copy[len1]; + memset(a_copy, 0U, len1 * sizeof (uint32_t)); + KRML_CHECK_SIZE(sizeof (uint32_t), len1); + uint32_t b_copy[len1]; + memset(b_copy, 0U, len1 * sizeof (uint32_t)); + memcpy(a_copy, aM, len1 * sizeof (uint32_t)); + memcpy(b_copy, bM, len1 * sizeof (uint32_t)); + Hacl_Bignum_bn_add_mod_n_u32(len1, uu____0.n, a_copy, b_copy, cM); } /** @@ -196,8 +203,7 @@ Hacl_GenericField32_sub( ) { uint32_t len1 = Hacl_GenericField32_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - Hacl_Bignum_bn_sub_mod_n_u32(len1, k1.n, aM, bM, cM); + Hacl_Bignum_bn_sub_mod_n_u32(len1, (*k).n, aM, bM, cM); } /** @@ -215,8 +221,8 @@ Hacl_GenericField32_mul( ) { uint32_t len1 = Hacl_GenericField32_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, k1.n, k1.mu, aM, bM, cM); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, uu____0.n, uu____0.mu, aM, bM, cM); } /** @@ -233,8 +239,8 @@ Hacl_GenericField32_sqr( ) { uint32_t len1 = Hacl_GenericField32_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, k1.n, k1.mu, aM, cM); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, uu____0.n, uu____0.mu, aM, cM); } /** @@ -246,8 +252,8 @@ Convert a bignum `one` to its Montgomery representation. void Hacl_GenericField32_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *k, uint32_t *oneM) { uint32_t len1 = Hacl_GenericField32_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, k1.n, k1.mu, k1.r2, oneM); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, uu____0.n, uu____0.mu, uu____0.r2, oneM); } /** @@ -278,22 +284,22 @@ Hacl_GenericField32_exp_consttime( ) { uint32_t len1 = Hacl_GenericField32_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - KRML_CHECK_SIZE(sizeof (uint32_t), k1.len); - uint32_t aMc[k1.len]; - memset(aMc, 0U, k1.len * sizeof (uint32_t)); - memcpy(aMc, aM, k1.len * sizeof (uint32_t)); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), uu____0.len); + uint32_t aMc[uu____0.len]; + memset(aMc, 0U, uu____0.len * sizeof (uint32_t)); + memcpy(aMc, aM, uu____0.len * sizeof (uint32_t)); if (bBits < 200U) { KRML_CHECK_SIZE(sizeof (uint32_t), len1 + len1); uint32_t ctx[len1 + len1]; memset(ctx, 0U, (len1 + len1) * sizeof (uint32_t)); - memcpy(ctx, k1.n, len1 * sizeof (uint32_t)); - memcpy(ctx + len1, k1.r2, len1 * sizeof (uint32_t)); + memcpy(ctx, uu____0.n, len1 * sizeof (uint32_t)); + memcpy(ctx + len1, uu____0.r2, len1 * sizeof (uint32_t)); uint32_t sw = 0U; uint32_t *ctx_n = ctx; uint32_t *ctx_r2 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n, k1.mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n, uu____0.mu, ctx_r2, resM); for (uint32_t i0 = 0U; i0 < bBits; i0++) { uint32_t i1 = (bBits - i0 - 1U) / 32U; @@ -308,9 +314,9 @@ Hacl_GenericField32_exp_consttime( aMc[i] = aMc[i] ^ dummy; } uint32_t *ctx_n0 = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n0, k1.mu, aMc, resM, aMc); + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n0, uu____0.mu, aMc, resM, aMc); uint32_t *ctx_n1 = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n1, k1.mu, resM, resM); + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n1, uu____0.mu, resM, resM); sw = bit; } uint32_t sw0 = sw; @@ -335,8 +341,8 @@ Hacl_GenericField32_exp_consttime( KRML_CHECK_SIZE(sizeof (uint32_t), len1 + len1); uint32_t ctx[len1 + len1]; memset(ctx, 0U, (len1 + len1) * sizeof (uint32_t)); - memcpy(ctx, k1.n, len1 * sizeof (uint32_t)); - memcpy(ctx + len1, k1.r2, len1 * sizeof (uint32_t)); + memcpy(ctx, uu____0.n, len1 * sizeof (uint32_t)); + memcpy(ctx + len1, uu____0.r2, len1 * sizeof (uint32_t)); KRML_CHECK_SIZE(sizeof (uint32_t), 16U * len1); uint32_t table[16U * len1]; memset(table, 0U, 16U * len1 * sizeof (uint32_t)); @@ -347,19 +353,20 @@ Hacl_GenericField32_exp_consttime( uint32_t *t1 = table + len1; uint32_t *ctx_n0 = ctx; uint32_t *ctx_r20 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n0, k1.mu, ctx_r20, t0); + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n0, uu____0.mu, ctx_r20, t0); memcpy(t1, aMc, len1 * sizeof (uint32_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint32_t *t11 = table + (i + 1U) * len1; uint32_t *ctx_n1 = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n1, k1.mu, t11, tmp); + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n1, uu____0.mu, t11, tmp); memcpy(table + (2U * i + 2U) * len1, tmp, len1 * sizeof (uint32_t)); uint32_t *t2 = table + (2U * i + 2U) * len1; uint32_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n, k1.mu, aMc, t2, tmp); + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n, uu____0.mu, aMc, t2, tmp); memcpy(table + (2U * i + 3U) * len1, tmp, len1 * sizeof (uint32_t));); if (bBits % 4U != 0U) { @@ -374,8 +381,8 @@ Hacl_GenericField32_exp_consttime( const uint32_t *res_j = table + (i1 + 1U) * len1; for (uint32_t i = 0U; i < len1; i++) { - uint32_t *os = resM; uint32_t x = (c & res_j[i]) | (~c & resM[i]); + uint32_t *os = resM; os[i] = x; }); } @@ -383,7 +390,7 @@ Hacl_GenericField32_exp_consttime( { uint32_t *ctx_n = ctx; uint32_t *ctx_r2 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n, k1.mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n, uu____0.mu, ctx_r2, resM); } KRML_CHECK_SIZE(sizeof (uint32_t), len1); uint32_t tmp0[len1]; @@ -395,7 +402,7 @@ Hacl_GenericField32_exp_consttime( 4U, 1U, uint32_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n, k1.mu, resM, resM);); + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n, uu____0.mu, resM, resM);); uint32_t k2 = bBits - bBits % 4U - 4U * i0 - 4U; uint32_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u32(bLen, b, k2, 4U); memcpy(tmp0, (uint32_t *)(table + 0U * len1), len1 * sizeof (uint32_t)); @@ -407,12 +414,12 @@ Hacl_GenericField32_exp_consttime( const uint32_t *res_j = table + (i1 + 1U) * len1; for (uint32_t i = 0U; i < len1; i++) { - uint32_t *os = tmp0; uint32_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint32_t *os = tmp0; os[i] = x; }); uint32_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n, k1.mu, resM, tmp0, resM); + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n, uu____0.mu, resM, tmp0, resM); } } } @@ -445,21 +452,21 @@ Hacl_GenericField32_exp_vartime( ) { uint32_t len1 = Hacl_GenericField32_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - KRML_CHECK_SIZE(sizeof (uint32_t), k1.len); - uint32_t aMc[k1.len]; - memset(aMc, 0U, k1.len * sizeof (uint32_t)); - memcpy(aMc, aM, k1.len * sizeof (uint32_t)); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + KRML_CHECK_SIZE(sizeof (uint32_t), uu____0.len); + uint32_t aMc[uu____0.len]; + memset(aMc, 0U, uu____0.len * sizeof (uint32_t)); + memcpy(aMc, aM, uu____0.len * sizeof (uint32_t)); if (bBits < 200U) { KRML_CHECK_SIZE(sizeof (uint32_t), len1 + len1); uint32_t ctx[len1 + len1]; memset(ctx, 0U, (len1 + len1) * sizeof (uint32_t)); - memcpy(ctx, k1.n, len1 * sizeof (uint32_t)); - memcpy(ctx + len1, k1.r2, len1 * sizeof (uint32_t)); + memcpy(ctx, uu____0.n, len1 * sizeof (uint32_t)); + memcpy(ctx + len1, uu____0.r2, len1 * sizeof (uint32_t)); uint32_t *ctx_n = ctx; uint32_t *ctx_r2 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n, k1.mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n, uu____0.mu, ctx_r2, resM); for (uint32_t i = 0U; i < bBits; i++) { uint32_t i1 = i / 32U; @@ -469,10 +476,10 @@ Hacl_GenericField32_exp_vartime( if (!(bit == 0U)) { uint32_t *ctx_n0 = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n0, k1.mu, resM, aMc, resM); + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n0, uu____0.mu, resM, aMc, resM); } uint32_t *ctx_n0 = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n0, k1.mu, aMc, aMc); + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n0, uu____0.mu, aMc, aMc); } } else @@ -489,8 +496,8 @@ Hacl_GenericField32_exp_vartime( KRML_CHECK_SIZE(sizeof (uint32_t), len1 + len1); uint32_t ctx[len1 + len1]; memset(ctx, 0U, (len1 + len1) * sizeof (uint32_t)); - memcpy(ctx, k1.n, len1 * sizeof (uint32_t)); - memcpy(ctx + len1, k1.r2, len1 * sizeof (uint32_t)); + memcpy(ctx, uu____0.n, len1 * sizeof (uint32_t)); + memcpy(ctx + len1, uu____0.r2, len1 * sizeof (uint32_t)); KRML_CHECK_SIZE(sizeof (uint32_t), 16U * len1); uint32_t table[16U * len1]; memset(table, 0U, 16U * len1 * sizeof (uint32_t)); @@ -501,19 +508,20 @@ Hacl_GenericField32_exp_vartime( uint32_t *t1 = table + len1; uint32_t *ctx_n0 = ctx; uint32_t *ctx_r20 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n0, k1.mu, ctx_r20, t0); + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n0, uu____0.mu, ctx_r20, t0); memcpy(t1, aMc, len1 * sizeof (uint32_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint32_t *t11 = table + (i + 1U) * len1; uint32_t *ctx_n1 = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n1, k1.mu, t11, tmp); + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n1, uu____0.mu, t11, tmp); memcpy(table + (2U * i + 2U) * len1, tmp, len1 * sizeof (uint32_t)); uint32_t *t2 = table + (2U * i + 2U) * len1; uint32_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n, k1.mu, aMc, t2, tmp); + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n, uu____0.mu, aMc, t2, tmp); memcpy(table + (2U * i + 3U) * len1, tmp, len1 * sizeof (uint32_t));); if (bBits % 4U != 0U) { @@ -527,7 +535,7 @@ Hacl_GenericField32_exp_vartime( { uint32_t *ctx_n = ctx; uint32_t *ctx_r2 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n, k1.mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u32(len1, ctx_n, uu____0.mu, ctx_r2, resM); } KRML_CHECK_SIZE(sizeof (uint32_t), len1); uint32_t tmp0[len1]; @@ -539,14 +547,14 @@ Hacl_GenericField32_exp_vartime( 4U, 1U, uint32_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n, k1.mu, resM, resM);); + Hacl_Bignum_Montgomery_bn_mont_sqr_u32(len1, ctx_n, uu____0.mu, resM, resM);); uint32_t k2 = bBits - bBits % 4U - 4U * i - 4U; uint32_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u32(bLen, b, k2, 4U); uint32_t bits_l32 = bits_l; const uint32_t *a_bits_l = table + bits_l32 * len1; memcpy(tmp0, (uint32_t *)a_bits_l, len1 * sizeof (uint32_t)); uint32_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n, k1.mu, resM, tmp0, resM); + Hacl_Bignum_Montgomery_bn_mont_mul_u32(len1, ctx_n, uu____0.mu, resM, tmp0, resM); } } } @@ -569,16 +577,16 @@ Hacl_GenericField32_inverse( uint32_t *aInvM ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 k1 = *k; - uint32_t len1 = k1.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 uu____0 = *k; + uint32_t len1 = uu____0.len; KRML_CHECK_SIZE(sizeof (uint32_t), len1); uint32_t n2[len1]; memset(n2, 0U, len1 * sizeof (uint32_t)); - uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(0U, k1.n[0U], 2U, n2); + uint32_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u32(0U, uu____0.n[0U], 2U, n2); uint32_t c1; if (1U < len1) { - uint32_t *a1 = k1.n + 1U; + uint32_t *a1 = uu____0.n + 1U; uint32_t *res1 = n2 + 1U; uint32_t c = c0; for (uint32_t i = 0U; i < (len1 - 1U) / 4U; i++) @@ -610,6 +618,6 @@ Hacl_GenericField32_inverse( c1 = c0; } KRML_MAYBE_UNUSED_VAR(c1); - Hacl_GenericField32_exp_vartime(k, aM, k1.len * 32U, n2, aInvM); + Hacl_GenericField32_exp_vartime(k, aM, uu____0.len * 32U, n2, aInvM); } diff --git a/src/Hacl_GenericField64.c b/src/Hacl_GenericField64.c index 3f291d36..bf80fc30 100644 --- a/src/Hacl_GenericField64.c +++ b/src/Hacl_GenericField64.c @@ -101,9 +101,9 @@ Deallocate the memory previously allocated by Hacl_GenericField64_field_init. */ void Hacl_GenericField64_field_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - uint64_t *n = k1.n; - uint64_t *r2 = k1.r2; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + uint64_t *n = uu____0.n; + uint64_t *r2 = uu____0.r2; KRML_HOST_FREE(n); KRML_HOST_FREE(r2); KRML_HOST_FREE(k); @@ -116,8 +116,7 @@ Return the size of a modulus `n` in limbs. */ uint32_t Hacl_GenericField64_field_get_len(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - return k1.len; + return (*k).len; } /** @@ -136,8 +135,8 @@ Hacl_GenericField64_to_field( ) { uint32_t len1 = Hacl_GenericField64_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - Hacl_Bignum_Montgomery_bn_to_mont_u64(len1, k1.n, k1.mu, k1.r2, a, aM); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + Hacl_Bignum_Montgomery_bn_to_mont_u64(len1, uu____0.n, uu____0.mu, uu____0.r2, a, aM); } /** @@ -157,8 +156,8 @@ Hacl_GenericField64_from_field( ) { uint32_t len1 = Hacl_GenericField64_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, aM, a); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, uu____0.n, uu____0.mu, aM, a); } /** @@ -176,8 +175,16 @@ Hacl_GenericField64_add( ) { uint32_t len1 = Hacl_GenericField64_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - Hacl_Bignum_bn_add_mod_n_u64(len1, k1.n, aM, bM, cM); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t a_copy[len1]; + memset(a_copy, 0U, len1 * sizeof (uint64_t)); + KRML_CHECK_SIZE(sizeof (uint64_t), len1); + uint64_t b_copy[len1]; + memset(b_copy, 0U, len1 * sizeof (uint64_t)); + memcpy(a_copy, aM, len1 * sizeof (uint64_t)); + memcpy(b_copy, bM, len1 * sizeof (uint64_t)); + Hacl_Bignum_bn_add_mod_n_u64(len1, uu____0.n, a_copy, b_copy, cM); } /** @@ -195,8 +202,7 @@ Hacl_GenericField64_sub( ) { uint32_t len1 = Hacl_GenericField64_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - Hacl_Bignum_bn_sub_mod_n_u64(len1, k1.n, aM, bM, cM); + Hacl_Bignum_bn_sub_mod_n_u64(len1, (*k).n, aM, bM, cM); } /** @@ -214,8 +220,8 @@ Hacl_GenericField64_mul( ) { uint32_t len1 = Hacl_GenericField64_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, k1.n, k1.mu, aM, bM, cM); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, uu____0.n, uu____0.mu, aM, bM, cM); } /** @@ -232,8 +238,8 @@ Hacl_GenericField64_sqr( ) { uint32_t len1 = Hacl_GenericField64_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, k1.n, k1.mu, aM, cM); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, uu____0.n, uu____0.mu, aM, cM); } /** @@ -245,8 +251,8 @@ Convert a bignum `one` to its Montgomery representation. void Hacl_GenericField64_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *k, uint64_t *oneM) { uint32_t len1 = Hacl_GenericField64_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, k1.n, k1.mu, k1.r2, oneM); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, uu____0.n, uu____0.mu, uu____0.r2, oneM); } /** @@ -277,22 +283,22 @@ Hacl_GenericField64_exp_consttime( ) { uint32_t len1 = Hacl_GenericField64_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - KRML_CHECK_SIZE(sizeof (uint64_t), k1.len); - uint64_t aMc[k1.len]; - memset(aMc, 0U, k1.len * sizeof (uint64_t)); - memcpy(aMc, aM, k1.len * sizeof (uint64_t)); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), uu____0.len); + uint64_t aMc[uu____0.len]; + memset(aMc, 0U, uu____0.len * sizeof (uint64_t)); + memcpy(aMc, aM, uu____0.len * sizeof (uint64_t)); if (bBits < 200U) { KRML_CHECK_SIZE(sizeof (uint64_t), len1 + len1); uint64_t ctx[len1 + len1]; memset(ctx, 0U, (len1 + len1) * sizeof (uint64_t)); - memcpy(ctx, k1.n, len1 * sizeof (uint64_t)); - memcpy(ctx + len1, k1.r2, len1 * sizeof (uint64_t)); + memcpy(ctx, uu____0.n, len1 * sizeof (uint64_t)); + memcpy(ctx + len1, uu____0.r2, len1 * sizeof (uint64_t)); uint64_t sw = 0ULL; uint64_t *ctx_n = ctx; uint64_t *ctx_r2 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n, k1.mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n, uu____0.mu, ctx_r2, resM); for (uint32_t i0 = 0U; i0 < bBits; i0++) { uint32_t i1 = (bBits - i0 - 1U) / 64U; @@ -307,9 +313,9 @@ Hacl_GenericField64_exp_consttime( aMc[i] = aMc[i] ^ dummy; } uint64_t *ctx_n0 = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n0, k1.mu, aMc, resM, aMc); + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n0, uu____0.mu, aMc, resM, aMc); uint64_t *ctx_n1 = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n1, k1.mu, resM, resM); + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n1, uu____0.mu, resM, resM); sw = bit; } uint64_t sw0 = sw; @@ -334,8 +340,8 @@ Hacl_GenericField64_exp_consttime( KRML_CHECK_SIZE(sizeof (uint64_t), len1 + len1); uint64_t ctx[len1 + len1]; memset(ctx, 0U, (len1 + len1) * sizeof (uint64_t)); - memcpy(ctx, k1.n, len1 * sizeof (uint64_t)); - memcpy(ctx + len1, k1.r2, len1 * sizeof (uint64_t)); + memcpy(ctx, uu____0.n, len1 * sizeof (uint64_t)); + memcpy(ctx + len1, uu____0.r2, len1 * sizeof (uint64_t)); KRML_CHECK_SIZE(sizeof (uint64_t), 16U * len1); uint64_t table[16U * len1]; memset(table, 0U, 16U * len1 * sizeof (uint64_t)); @@ -346,19 +352,20 @@ Hacl_GenericField64_exp_consttime( uint64_t *t1 = table + len1; uint64_t *ctx_n0 = ctx; uint64_t *ctx_r20 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n0, k1.mu, ctx_r20, t0); + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n0, uu____0.mu, ctx_r20, t0); memcpy(t1, aMc, len1 * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint64_t *t11 = table + (i + 1U) * len1; uint64_t *ctx_n1 = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n1, k1.mu, t11, tmp); + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n1, uu____0.mu, t11, tmp); memcpy(table + (2U * i + 2U) * len1, tmp, len1 * sizeof (uint64_t)); uint64_t *t2 = table + (2U * i + 2U) * len1; uint64_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n, k1.mu, aMc, t2, tmp); + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n, uu____0.mu, aMc, t2, tmp); memcpy(table + (2U * i + 3U) * len1, tmp, len1 * sizeof (uint64_t));); if (bBits % 4U != 0U) { @@ -373,8 +380,8 @@ Hacl_GenericField64_exp_consttime( const uint64_t *res_j = table + (i1 + 1U) * len1; for (uint32_t i = 0U; i < len1; i++) { - uint64_t *os = resM; uint64_t x = (c & res_j[i]) | (~c & resM[i]); + uint64_t *os = resM; os[i] = x; }); } @@ -382,7 +389,7 @@ Hacl_GenericField64_exp_consttime( { uint64_t *ctx_n = ctx; uint64_t *ctx_r2 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n, k1.mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n, uu____0.mu, ctx_r2, resM); } KRML_CHECK_SIZE(sizeof (uint64_t), len1); uint64_t tmp0[len1]; @@ -394,7 +401,7 @@ Hacl_GenericField64_exp_consttime( 4U, 1U, uint64_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n, k1.mu, resM, resM);); + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n, uu____0.mu, resM, resM);); uint32_t k2 = bBits - bBits % 4U - 4U * i0 - 4U; uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(bLen, b, k2, 4U); memcpy(tmp0, (uint64_t *)(table + 0U * len1), len1 * sizeof (uint64_t)); @@ -406,12 +413,12 @@ Hacl_GenericField64_exp_consttime( const uint64_t *res_j = table + (i1 + 1U) * len1; for (uint32_t i = 0U; i < len1; i++) { - uint64_t *os = tmp0; uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint64_t *os = tmp0; os[i] = x; }); uint64_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n, k1.mu, resM, tmp0, resM); + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n, uu____0.mu, resM, tmp0, resM); } } } @@ -444,21 +451,21 @@ Hacl_GenericField64_exp_vartime( ) { uint32_t len1 = Hacl_GenericField64_field_get_len(k); - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - KRML_CHECK_SIZE(sizeof (uint64_t), k1.len); - uint64_t aMc[k1.len]; - memset(aMc, 0U, k1.len * sizeof (uint64_t)); - memcpy(aMc, aM, k1.len * sizeof (uint64_t)); + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + KRML_CHECK_SIZE(sizeof (uint64_t), uu____0.len); + uint64_t aMc[uu____0.len]; + memset(aMc, 0U, uu____0.len * sizeof (uint64_t)); + memcpy(aMc, aM, uu____0.len * sizeof (uint64_t)); if (bBits < 200U) { KRML_CHECK_SIZE(sizeof (uint64_t), len1 + len1); uint64_t ctx[len1 + len1]; memset(ctx, 0U, (len1 + len1) * sizeof (uint64_t)); - memcpy(ctx, k1.n, len1 * sizeof (uint64_t)); - memcpy(ctx + len1, k1.r2, len1 * sizeof (uint64_t)); + memcpy(ctx, uu____0.n, len1 * sizeof (uint64_t)); + memcpy(ctx + len1, uu____0.r2, len1 * sizeof (uint64_t)); uint64_t *ctx_n = ctx; uint64_t *ctx_r2 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n, k1.mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n, uu____0.mu, ctx_r2, resM); for (uint32_t i = 0U; i < bBits; i++) { uint32_t i1 = i / 64U; @@ -468,10 +475,10 @@ Hacl_GenericField64_exp_vartime( if (!(bit == 0ULL)) { uint64_t *ctx_n0 = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n0, k1.mu, resM, aMc, resM); + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n0, uu____0.mu, resM, aMc, resM); } uint64_t *ctx_n0 = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n0, k1.mu, aMc, aMc); + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n0, uu____0.mu, aMc, aMc); } } else @@ -488,8 +495,8 @@ Hacl_GenericField64_exp_vartime( KRML_CHECK_SIZE(sizeof (uint64_t), len1 + len1); uint64_t ctx[len1 + len1]; memset(ctx, 0U, (len1 + len1) * sizeof (uint64_t)); - memcpy(ctx, k1.n, len1 * sizeof (uint64_t)); - memcpy(ctx + len1, k1.r2, len1 * sizeof (uint64_t)); + memcpy(ctx, uu____0.n, len1 * sizeof (uint64_t)); + memcpy(ctx + len1, uu____0.r2, len1 * sizeof (uint64_t)); KRML_CHECK_SIZE(sizeof (uint64_t), 16U * len1); uint64_t table[16U * len1]; memset(table, 0U, 16U * len1 * sizeof (uint64_t)); @@ -500,19 +507,20 @@ Hacl_GenericField64_exp_vartime( uint64_t *t1 = table + len1; uint64_t *ctx_n0 = ctx; uint64_t *ctx_r20 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n0, k1.mu, ctx_r20, t0); + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n0, uu____0.mu, ctx_r20, t0); memcpy(t1, aMc, len1 * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, 1U, uint64_t *t11 = table + (i + 1U) * len1; uint64_t *ctx_n1 = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n1, k1.mu, t11, tmp); + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n1, uu____0.mu, t11, tmp); memcpy(table + (2U * i + 2U) * len1, tmp, len1 * sizeof (uint64_t)); uint64_t *t2 = table + (2U * i + 2U) * len1; uint64_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n, k1.mu, aMc, t2, tmp); + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n, uu____0.mu, aMc, t2, tmp); memcpy(table + (2U * i + 3U) * len1, tmp, len1 * sizeof (uint64_t));); if (bBits % 4U != 0U) { @@ -526,7 +534,7 @@ Hacl_GenericField64_exp_vartime( { uint64_t *ctx_n = ctx; uint64_t *ctx_r2 = ctx + len1; - Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n, k1.mu, ctx_r2, resM); + Hacl_Bignum_Montgomery_bn_from_mont_u64(len1, ctx_n, uu____0.mu, ctx_r2, resM); } KRML_CHECK_SIZE(sizeof (uint64_t), len1); uint64_t tmp0[len1]; @@ -538,14 +546,14 @@ Hacl_GenericField64_exp_vartime( 4U, 1U, uint64_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n, k1.mu, resM, resM);); + Hacl_Bignum_Montgomery_bn_mont_sqr_u64(len1, ctx_n, uu____0.mu, resM, resM);); uint32_t k2 = bBits - bBits % 4U - 4U * i - 4U; uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64(bLen, b, k2, 4U); uint32_t bits_l32 = (uint32_t)bits_l; const uint64_t *a_bits_l = table + bits_l32 * len1; memcpy(tmp0, (uint64_t *)a_bits_l, len1 * sizeof (uint64_t)); uint64_t *ctx_n = ctx; - Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n, k1.mu, resM, tmp0, resM); + Hacl_Bignum_Montgomery_bn_mont_mul_u64(len1, ctx_n, uu____0.mu, resM, tmp0, resM); } } } @@ -568,16 +576,16 @@ Hacl_GenericField64_inverse( uint64_t *aInvM ) { - Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 k1 = *k; - uint32_t len1 = k1.len; + Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 uu____0 = *k; + uint32_t len1 = uu____0.len; KRML_CHECK_SIZE(sizeof (uint64_t), len1); uint64_t n2[len1]; memset(n2, 0U, len1 * sizeof (uint64_t)); - uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(0ULL, k1.n[0U], 2ULL, n2); + uint64_t c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(0ULL, uu____0.n[0U], 2ULL, n2); uint64_t c1; if (1U < len1) { - uint64_t *a1 = k1.n + 1U; + uint64_t *a1 = uu____0.n + 1U; uint64_t *res1 = n2 + 1U; uint64_t c = c0; for (uint32_t i = 0U; i < (len1 - 1U) / 4U; i++) @@ -609,6 +617,6 @@ Hacl_GenericField64_inverse( c1 = c0; } KRML_MAYBE_UNUSED_VAR(c1); - Hacl_GenericField64_exp_vartime(k, aM, k1.len * 64U, n2, aInvM); + Hacl_GenericField64_exp_vartime(k, aM, uu____0.len * 64U, n2, aInvM); } diff --git a/src/Hacl_HMAC.c b/src/Hacl_HMAC.c index b03bc7ac..411be0f3 100644 --- a/src/Hacl_HMAC.c +++ b/src/Hacl_HMAC.c @@ -207,8 +207,8 @@ Hacl_HMAC_compute_sha2_256( 0U, 8U, 1U, - uint32_t *os = st; uint32_t x = Hacl_Hash_SHA2_h256[i]; + uint32_t *os = st; os[i] = x;); uint32_t *s = st; uint8_t *dst1 = ipad; @@ -335,8 +335,8 @@ Hacl_HMAC_compute_sha2_384( 0U, 8U, 1U, - uint64_t *os = st; uint64_t x = Hacl_Hash_SHA2_h384[i]; + uint64_t *os = st; os[i] = x;); uint64_t *s = st; uint8_t *dst1 = ipad; @@ -471,8 +471,8 @@ Hacl_HMAC_compute_sha2_512( 0U, 8U, 1U, - uint64_t *os = st; uint64_t x = Hacl_Hash_SHA2_h512[i]; + uint64_t *os = st; os[i] = x;); uint64_t *s = st; uint8_t *dst1 = ipad; diff --git a/src/Hacl_Hash_Blake2b.c b/src/Hacl_Hash_Blake2b.c index 2dceaf4b..befb4d23 100644 --- a/src/Hacl_Hash_Blake2b.c +++ b/src/Hacl_Hash_Blake2b.c @@ -36,11 +36,11 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 16U, 1U, - uint64_t *os = m_w; uint8_t *bj = d + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = m_w; os[i] = x;); uint64_t mask[4U] = { 0U }; uint64_t wv_14; @@ -63,8 +63,8 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv3; uint64_t x = wv3[i] ^ mask[i]; + uint64_t *os = wv3; os[i] = x;); KRML_MAYBE_FOR12(i0, 0U, @@ -134,15 +134,15 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a0; uint64_t x1 = wv_a0[i] + wv_b0[i]; + uint64_t *os = wv_a0; os[i] = x1;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = wv_a0; uint64_t x1 = wv_a0[i] + x[i]; + uint64_t *os = wv_a0; os[i] = x1;); uint64_t *wv_a1 = wv + d10 * 4U; uint64_t *wv_b1 = wv + a * 4U; @@ -150,17 +150,17 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a1; uint64_t x1 = wv_a1[i] ^ wv_b1[i]; + uint64_t *os = wv_a1; os[i] = x1;); uint64_t *r10 = wv_a1; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = r10; uint64_t x1 = r10[i]; uint64_t x10 = x1 >> 32U | x1 << 32U; + uint64_t *os = r10; os[i] = x10;); uint64_t *wv_a2 = wv + c0 * 4U; uint64_t *wv_b2 = wv + d10 * 4U; @@ -168,8 +168,8 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a2; uint64_t x1 = wv_a2[i] + wv_b2[i]; + uint64_t *os = wv_a2; os[i] = x1;); uint64_t *wv_a3 = wv + b0 * 4U; uint64_t *wv_b3 = wv + c0 * 4U; @@ -177,17 +177,17 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a3; uint64_t x1 = wv_a3[i] ^ wv_b3[i]; + uint64_t *os = wv_a3; os[i] = x1;); uint64_t *r12 = wv_a3; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = r12; uint64_t x1 = r12[i]; uint64_t x10 = x1 >> 24U | x1 << 40U; + uint64_t *os = r12; os[i] = x10;); uint64_t *wv_a4 = wv + a * 4U; uint64_t *wv_b4 = wv + b0 * 4U; @@ -195,15 +195,15 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a4; uint64_t x1 = wv_a4[i] + wv_b4[i]; + uint64_t *os = wv_a4; os[i] = x1;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = wv_a4; uint64_t x1 = wv_a4[i] + y[i]; + uint64_t *os = wv_a4; os[i] = x1;); uint64_t *wv_a5 = wv + d10 * 4U; uint64_t *wv_b5 = wv + a * 4U; @@ -211,17 +211,17 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a5; uint64_t x1 = wv_a5[i] ^ wv_b5[i]; + uint64_t *os = wv_a5; os[i] = x1;); uint64_t *r13 = wv_a5; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = r13; uint64_t x1 = r13[i]; uint64_t x10 = x1 >> 16U | x1 << 48U; + uint64_t *os = r13; os[i] = x10;); uint64_t *wv_a6 = wv + c0 * 4U; uint64_t *wv_b6 = wv + d10 * 4U; @@ -229,8 +229,8 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a6; uint64_t x1 = wv_a6[i] + wv_b6[i]; + uint64_t *os = wv_a6; os[i] = x1;); uint64_t *wv_a7 = wv + b0 * 4U; uint64_t *wv_b7 = wv + c0 * 4U; @@ -238,17 +238,17 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a7; uint64_t x1 = wv_a7[i] ^ wv_b7[i]; + uint64_t *os = wv_a7; os[i] = x1;); uint64_t *r14 = wv_a7; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = r14; uint64_t x1 = r14[i]; uint64_t x10 = x1 >> 63U | x1 << 1U; + uint64_t *os = r14; os[i] = x10;); uint64_t *r15 = wv + 4U; uint64_t *r21 = wv + 8U; @@ -290,15 +290,15 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a; uint64_t x1 = wv_a[i] + wv_b8[i]; + uint64_t *os = wv_a; os[i] = x1;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = wv_a; uint64_t x1 = wv_a[i] + z[i]; + uint64_t *os = wv_a; os[i] = x1;); uint64_t *wv_a8 = wv + d1 * 4U; uint64_t *wv_b9 = wv + a0 * 4U; @@ -306,17 +306,17 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a8; uint64_t x1 = wv_a8[i] ^ wv_b9[i]; + uint64_t *os = wv_a8; os[i] = x1;); uint64_t *r16 = wv_a8; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = r16; uint64_t x1 = r16[i]; uint64_t x13 = x1 >> 32U | x1 << 32U; + uint64_t *os = r16; os[i] = x13;); uint64_t *wv_a9 = wv + c * 4U; uint64_t *wv_b10 = wv + d1 * 4U; @@ -324,8 +324,8 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a9; uint64_t x1 = wv_a9[i] + wv_b10[i]; + uint64_t *os = wv_a9; os[i] = x1;); uint64_t *wv_a10 = wv + b * 4U; uint64_t *wv_b11 = wv + c * 4U; @@ -333,17 +333,17 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a10; uint64_t x1 = wv_a10[i] ^ wv_b11[i]; + uint64_t *os = wv_a10; os[i] = x1;); uint64_t *r17 = wv_a10; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = r17; uint64_t x1 = r17[i]; uint64_t x13 = x1 >> 24U | x1 << 40U; + uint64_t *os = r17; os[i] = x13;); uint64_t *wv_a11 = wv + a0 * 4U; uint64_t *wv_b12 = wv + b * 4U; @@ -351,15 +351,15 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a11; uint64_t x1 = wv_a11[i] + wv_b12[i]; + uint64_t *os = wv_a11; os[i] = x1;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = wv_a11; uint64_t x1 = wv_a11[i] + w[i]; + uint64_t *os = wv_a11; os[i] = x1;); uint64_t *wv_a12 = wv + d1 * 4U; uint64_t *wv_b13 = wv + a0 * 4U; @@ -367,17 +367,17 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a12; uint64_t x1 = wv_a12[i] ^ wv_b13[i]; + uint64_t *os = wv_a12; os[i] = x1;); uint64_t *r18 = wv_a12; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = r18; uint64_t x1 = r18[i]; uint64_t x13 = x1 >> 16U | x1 << 48U; + uint64_t *os = r18; os[i] = x13;); uint64_t *wv_a13 = wv + c * 4U; uint64_t *wv_b14 = wv + d1 * 4U; @@ -385,8 +385,8 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a13; uint64_t x1 = wv_a13[i] + wv_b14[i]; + uint64_t *os = wv_a13; os[i] = x1;); uint64_t *wv_a14 = wv + b * 4U; uint64_t *wv_b = wv + c * 4U; @@ -394,17 +394,17 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = wv_a14; uint64_t x1 = wv_a14[i] ^ wv_b[i]; + uint64_t *os = wv_a14; os[i] = x1;); uint64_t *r19 = wv_a14; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = r19; uint64_t x1 = r19[i]; uint64_t x13 = x1 >> 63U | x1 << 1U; + uint64_t *os = r19; os[i] = x13;); uint64_t *r113 = wv + 4U; uint64_t *r2 = wv + 8U; @@ -446,34 +446,35 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl 0U, 4U, 1U, - uint64_t *os = s0; uint64_t x = s0[i] ^ r0[i]; + uint64_t *os = s0; os[i] = x;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = s0; uint64_t x = s0[i] ^ r2[i]; + uint64_t *os = s0; os[i] = x;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = s1; uint64_t x = s1[i] ^ r1[i]; + uint64_t *os = s1; os[i] = x;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint64_t *os = s1; uint64_t x = s1[i] ^ r3[i]; + uint64_t *os = s1; os[i] = x;); } void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + 4U; uint64_t *r2 = hash + 8U; @@ -494,16 +495,70 @@ void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Hash_Blake2s_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + uint64_t *uu____0 = tmp + 4U; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + uint64_t *os = uu____0; + os[i] = x;); + uint64_t *uu____1 = tmp + 6U; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + uint64_t *os = uu____1; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) @@ -519,7 +574,7 @@ static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, ui { update_block(wv, hash, false, lb, b); } - Lib_Memzero0_memzero(b, 128U, uint8_t); + Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } void @@ -560,7 +615,7 @@ Hacl_Hash_Blake2b_update_last( FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); update_block(wv, hash, true, totlen, b); - Lib_Memzero0_memzero(b, 128U, uint8_t); + Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } static void @@ -624,7 +679,7 @@ void Hacl_Hash_Blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash) KRML_MAYBE_FOR4(i, 0U, 4U, 1U, store64_le(second + i * 8U, row1[i]);); uint8_t *final = b; memcpy(output, final, nn * sizeof (uint8_t)); - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } /** @@ -636,12 +691,12 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void) uint64_t *wv = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); Hacl_Hash_Blake2b_block_state_t block_state = { .fst = wv, .snd = b }; + Hacl_Hash_Blake2b_init(block_state.snd, 0U, 64U); Hacl_Hash_Blake2b_state_t s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; Hacl_Hash_Blake2b_state_t *p = (Hacl_Hash_Blake2b_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_state_t)); p[0U] = s; - Hacl_Hash_Blake2b_init(block_state.snd, 0U, 64U); return p; } @@ -650,13 +705,9 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void) */ void Hacl_Hash_Blake2b_reset(Hacl_Hash_Blake2b_state_t *state) { - Hacl_Hash_Blake2b_state_t scrut = *state; - uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; + Hacl_Hash_Blake2b_block_state_t block_state = (*state).block_state; Hacl_Hash_Blake2b_init(block_state.snd, 0U, 64U); - Hacl_Hash_Blake2b_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } /** @@ -665,8 +716,8 @@ void Hacl_Hash_Blake2b_reset(Hacl_Hash_Blake2b_state_t *state) Hacl_Streaming_Types_error_code Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint32_t chunk_len) { - Hacl_Hash_Blake2b_state_t s = *state; - uint64_t total_len = s.total_len; + Hacl_Hash_Blake2b_block_state_t block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 0xffffffffffffffffULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -682,10 +733,8 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 } if (chunk_len <= 128U - sz) { - Hacl_Hash_Blake2b_state_t s1 = *state; - Hacl_Hash_Blake2b_block_state_t block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL) { @@ -698,22 +747,12 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_Hash_Blake2b_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2 - } - ); + state->total_len = total_len2; } else if (sz == 0U) { - Hacl_Hash_Blake2b_state_t s1 = *state; - Hacl_Hash_Blake2b_block_state_t block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL) { @@ -726,8 +765,8 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - uint64_t *wv = block_state1.fst; - uint64_t *hash = block_state1.snd; + uint64_t *wv = block_state.fst; + uint64_t *hash = block_state.snd; uint32_t nb = 1U; Hacl_Hash_Blake2b_update_multi(128U, wv, @@ -750,8 +789,8 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - uint64_t *wv = block_state1.fst; - uint64_t *hash = block_state1.snd; + uint64_t *wv = block_state.fst; + uint64_t *hash = block_state.snd; uint32_t nb = data1_len / 128U; Hacl_Hash_Blake2b_update_multi(data1_len, wv, @@ -761,25 +800,15 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 nb); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Hash_Blake2b_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; } else { uint32_t diff = 128U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_Hash_Blake2b_state_t s1 = *state; - Hacl_Hash_Blake2b_block_state_t block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; uint32_t sz10; if (total_len10 % (uint64_t)128U == 0ULL && total_len10 > 0ULL) { @@ -789,22 +818,12 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 { sz10 = (uint32_t)(total_len10 % (uint64_t)128U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_Hash_Blake2b_state_t){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2 - } - ); - Hacl_Hash_Blake2b_state_t s10 = *state; - Hacl_Hash_Blake2b_block_state_t block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; + state->total_len = total_len2; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL) { @@ -817,14 +836,14 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - uint64_t *wv = block_state1.fst; - uint64_t *hash = block_state1.snd; + uint64_t *wv = block_state.fst; + uint64_t *hash = block_state.snd; uint32_t nb = 1U; Hacl_Hash_Blake2b_update_multi(128U, wv, hash, FStar_UInt128_uint64_to_uint128(prevlen), - buf, + buf0, nb); } uint32_t ite; @@ -842,8 +861,8 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - uint64_t *wv = block_state1.fst; - uint64_t *hash = block_state1.snd; + uint64_t *wv = block_state.fst; + uint64_t *hash = block_state.snd; uint32_t nb = data1_len / 128U; Hacl_Hash_Blake2b_update_multi(data1_len, wv, @@ -851,17 +870,9 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 FStar_UInt128_uint64_to_uint128(total_len1), data1, nb); - uint8_t *dst = buf; + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Hash_Blake2b_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff) - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); } return Hacl_Streaming_Types_Success; } @@ -871,10 +882,9 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 */ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) { - Hacl_Hash_Blake2b_state_t scrut = *state; - Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + Hacl_Hash_Blake2b_block_state_t block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)128U == 0ULL && total_len > 0ULL) { @@ -892,6 +902,7 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) uint64_t *dst_b = tmp_block_state.snd; memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 128U == 0U && r > 0U) { @@ -902,7 +913,6 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) ite = r % 128U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; uint64_t *wv1 = tmp_block_state.fst; uint64_t *hash0 = tmp_block_state.snd; uint32_t nb = 0U; @@ -965,7 +975,7 @@ Hacl_Hash_Blake2b_hash_with_key( Hacl_Hash_Blake2b_init(b, key_len, output_len); update(b1, b, key_len, key, input_len, input); Hacl_Hash_Blake2b_finish(output_len, output, b); - Lib_Memzero0_memzero(b1, 16U, uint64_t); - Lib_Memzero0_memzero(b, 16U, uint64_t); + Lib_Memzero0_memzero(b1, 16U, uint64_t, void *); + Lib_Memzero0_memzero(b, 16U, uint64_t, void *); } diff --git a/src/Hacl_Hash_Blake2b_Simd256.c b/src/Hacl_Hash_Blake2b_Simd256.c index 1a5e8cf2..6a934628 100644 --- a/src/Hacl_Hash_Blake2b_Simd256.c +++ b/src/Hacl_Hash_Blake2b_Simd256.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2b_Simd256.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -42,11 +43,11 @@ update_block( 0U, 16U, 1U, - uint64_t *os = m_w; uint8_t *bj = d + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = m_w; os[i] = x;); Lib_IntVector_Intrinsics_vec256 mask = Lib_IntVector_Intrinsics_vec256_zero; uint64_t wv_14; @@ -214,6 +215,7 @@ update_block( void Hacl_Hash_Blake2b_Simd256_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec256 *r0 = hash; Lib_IntVector_Intrinsics_vec256 *r1 = hash + 1U; Lib_IntVector_Intrinsics_vec256 *r2 = hash + 2U; @@ -228,10 +230,64 @@ Hacl_Hash_Blake2b_Simd256_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t k uint64_t iv7 = Hacl_Hash_Blake2s_ivTable_B[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Hash_Blake2s_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + uint64_t *uu____0 = tmp + 4U; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + uint64_t *os = uu____0; + os[i] = x;); + uint64_t *uu____1 = tmp + 6U; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + uint64_t *os = uu____1; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); } static void @@ -254,7 +310,7 @@ update_key( { update_block(wv, hash, false, lb, b); } - Lib_Memzero0_memzero(b, 128U, uint8_t); + Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } void @@ -295,7 +351,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); update_block(wv, hash, true, totlen, b); - Lib_Memzero0_memzero(b, 128U, uint8_t); + Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } static inline void @@ -371,7 +427,7 @@ Hacl_Hash_Blake2b_Simd256_finish( Lib_IntVector_Intrinsics_vec256_store64_le(second, row1[0U]); uint8_t *final = b; memcpy(output, final, nn * sizeof (uint8_t)); - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } void @@ -414,11 +470,11 @@ Hacl_Hash_Blake2b_Simd256_store_state256b_to_state32( 0U, 4U, 1U, - uint64_t *os = b0; uint8_t *bj = b8 + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = b0; os[i] = x;); uint8_t b80[32U] = { 0U }; Lib_IntVector_Intrinsics_vec256_store64_le(b80, r1[0U]); @@ -426,11 +482,11 @@ Hacl_Hash_Blake2b_Simd256_store_state256b_to_state32( 0U, 4U, 1U, - uint64_t *os = b1; uint8_t *bj = b80 + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = b1; os[i] = x;); uint8_t b81[32U] = { 0U }; Lib_IntVector_Intrinsics_vec256_store64_le(b81, r2[0U]); @@ -438,11 +494,11 @@ Hacl_Hash_Blake2b_Simd256_store_state256b_to_state32( 0U, 4U, 1U, - uint64_t *os = b2; uint8_t *bj = b81 + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = b2; os[i] = x;); uint8_t b82[32U] = { 0U }; Lib_IntVector_Intrinsics_vec256_store64_le(b82, r3[0U]); @@ -450,11 +506,11 @@ Hacl_Hash_Blake2b_Simd256_store_state256b_to_state32( 0U, 4U, 1U, - uint64_t *os = b3; uint8_t *bj = b82 + i * 8U; uint64_t u = load64_le(bj); uint64_t r = u; uint64_t x = r; + uint64_t *os = b3; os[i] = x;); } @@ -485,6 +541,7 @@ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); Hacl_Hash_Blake2b_Simd256_block_state_t block_state = { .fst = wv, .snd = b }; + Hacl_Hash_Blake2b_Simd256_init(block_state.snd, 0U, 64U); Hacl_Hash_Blake2b_Simd256_state_t s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; Hacl_Hash_Blake2b_Simd256_state_t @@ -493,7 +550,6 @@ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) Hacl_Hash_Blake2b_Simd256_state_t )); p[0U] = s; - Hacl_Hash_Blake2b_Simd256_init(block_state.snd, 0U, 64U); return p; } @@ -502,13 +558,9 @@ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) */ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *state) { - Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; - uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; + Hacl_Hash_Blake2b_Simd256_block_state_t block_state = (*state).block_state; Hacl_Hash_Blake2b_Simd256_init(block_state.snd, 0U, 64U); - Hacl_Hash_Blake2b_Simd256_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } /** @@ -521,8 +573,8 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t chunk_len ) { - Hacl_Hash_Blake2b_Simd256_state_t s = *state; - uint64_t total_len = s.total_len; + Hacl_Hash_Blake2b_Simd256_block_state_t block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 0xffffffffffffffffULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -538,10 +590,8 @@ Hacl_Hash_Blake2b_Simd256_update( } if (chunk_len <= 128U - sz) { - Hacl_Hash_Blake2b_Simd256_state_t s1 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL) { @@ -554,22 +604,12 @@ Hacl_Hash_Blake2b_Simd256_update( uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_Hash_Blake2b_Simd256_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2 - } - ); + state->total_len = total_len2; } else if (sz == 0U) { - Hacl_Hash_Blake2b_Simd256_state_t s1 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL) { @@ -582,8 +622,8 @@ Hacl_Hash_Blake2b_Simd256_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - Lib_IntVector_Intrinsics_vec256 *wv = block_state1.fst; - Lib_IntVector_Intrinsics_vec256 *hash = block_state1.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec256 *hash = block_state.snd; uint32_t nb = 1U; Hacl_Hash_Blake2b_Simd256_update_multi(128U, wv, @@ -606,8 +646,8 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - Lib_IntVector_Intrinsics_vec256 *wv = block_state1.fst; - Lib_IntVector_Intrinsics_vec256 *hash = block_state1.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec256 *hash = block_state.snd; uint32_t nb = data1_len / 128U; Hacl_Hash_Blake2b_Simd256_update_multi(data1_len, wv, @@ -617,25 +657,15 @@ Hacl_Hash_Blake2b_Simd256_update( nb); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Hash_Blake2b_Simd256_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; } else { uint32_t diff = 128U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_Hash_Blake2b_Simd256_state_t s1 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; uint32_t sz10; if (total_len10 % (uint64_t)128U == 0ULL && total_len10 > 0ULL) { @@ -645,22 +675,12 @@ Hacl_Hash_Blake2b_Simd256_update( { sz10 = (uint32_t)(total_len10 % (uint64_t)128U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_Hash_Blake2b_Simd256_state_t){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2 - } - ); - Hacl_Hash_Blake2b_Simd256_state_t s10 = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; + state->total_len = total_len2; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL) { @@ -673,14 +693,14 @@ Hacl_Hash_Blake2b_Simd256_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - Lib_IntVector_Intrinsics_vec256 *wv = block_state1.fst; - Lib_IntVector_Intrinsics_vec256 *hash = block_state1.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec256 *hash = block_state.snd; uint32_t nb = 1U; Hacl_Hash_Blake2b_Simd256_update_multi(128U, wv, hash, FStar_UInt128_uint64_to_uint128(prevlen), - buf, + buf0, nb); } uint32_t ite; @@ -698,8 +718,8 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - Lib_IntVector_Intrinsics_vec256 *wv = block_state1.fst; - Lib_IntVector_Intrinsics_vec256 *hash = block_state1.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec256 *hash = block_state.snd; uint32_t nb = data1_len / 128U; Hacl_Hash_Blake2b_Simd256_update_multi(data1_len, wv, @@ -707,17 +727,9 @@ Hacl_Hash_Blake2b_Simd256_update( FStar_UInt128_uint64_to_uint128(total_len1), data1, nb); - uint8_t *dst = buf; + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Hash_Blake2b_Simd256_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff) - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); } return Hacl_Streaming_Types_Success; } @@ -728,10 +740,9 @@ Hacl_Hash_Blake2b_Simd256_update( void Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8_t *output) { - Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; - Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + Hacl_Hash_Blake2b_Simd256_block_state_t block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)128U == 0ULL && total_len > 0ULL) { @@ -749,6 +760,7 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 128U == 0U && r > 0U) { @@ -759,7 +771,6 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 ite = r % 128U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; Lib_IntVector_Intrinsics_vec256 *wv1 = tmp_block_state.fst; Lib_IntVector_Intrinsics_vec256 *hash0 = tmp_block_state.snd; uint32_t nb = 0U; @@ -822,7 +833,7 @@ Hacl_Hash_Blake2b_Simd256_hash_with_key( Hacl_Hash_Blake2b_Simd256_init(b, key_len, output_len); update(b1, b, key_len, key, input_len, input); Hacl_Hash_Blake2b_Simd256_finish(output_len, output, b); - Lib_Memzero0_memzero(b1, 4U, Lib_IntVector_Intrinsics_vec256); - Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec256); + Lib_Memzero0_memzero(b1, 4U, Lib_IntVector_Intrinsics_vec256, void *); + Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec256, void *); } diff --git a/src/Hacl_Hash_Blake2s.c b/src/Hacl_Hash_Blake2s.c index 652c3f33..5cd9a1b0 100644 --- a/src/Hacl_Hash_Blake2s.c +++ b/src/Hacl_Hash_Blake2s.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2s.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -36,11 +37,11 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 16U, 1U, - uint32_t *os = m_w; uint8_t *bj = d + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = m_w; os[i] = x;); uint32_t mask[4U] = { 0U }; uint32_t wv_14; @@ -63,8 +64,8 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv3; uint32_t x = wv3[i] ^ mask[i]; + uint32_t *os = wv3; os[i] = x;); KRML_MAYBE_FOR10(i0, 0U, @@ -134,15 +135,15 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a0; uint32_t x1 = wv_a0[i] + wv_b0[i]; + uint32_t *os = wv_a0; os[i] = x1;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = wv_a0; uint32_t x1 = wv_a0[i] + x[i]; + uint32_t *os = wv_a0; os[i] = x1;); uint32_t *wv_a1 = wv + d10 * 4U; uint32_t *wv_b1 = wv + a * 4U; @@ -150,17 +151,17 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a1; uint32_t x1 = wv_a1[i] ^ wv_b1[i]; + uint32_t *os = wv_a1; os[i] = x1;); uint32_t *r10 = wv_a1; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = r10; uint32_t x1 = r10[i]; uint32_t x10 = x1 >> 16U | x1 << 16U; + uint32_t *os = r10; os[i] = x10;); uint32_t *wv_a2 = wv + c0 * 4U; uint32_t *wv_b2 = wv + d10 * 4U; @@ -168,8 +169,8 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a2; uint32_t x1 = wv_a2[i] + wv_b2[i]; + uint32_t *os = wv_a2; os[i] = x1;); uint32_t *wv_a3 = wv + b0 * 4U; uint32_t *wv_b3 = wv + c0 * 4U; @@ -177,17 +178,17 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a3; uint32_t x1 = wv_a3[i] ^ wv_b3[i]; + uint32_t *os = wv_a3; os[i] = x1;); uint32_t *r12 = wv_a3; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = r12; uint32_t x1 = r12[i]; uint32_t x10 = x1 >> 12U | x1 << 20U; + uint32_t *os = r12; os[i] = x10;); uint32_t *wv_a4 = wv + a * 4U; uint32_t *wv_b4 = wv + b0 * 4U; @@ -195,15 +196,15 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a4; uint32_t x1 = wv_a4[i] + wv_b4[i]; + uint32_t *os = wv_a4; os[i] = x1;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = wv_a4; uint32_t x1 = wv_a4[i] + y[i]; + uint32_t *os = wv_a4; os[i] = x1;); uint32_t *wv_a5 = wv + d10 * 4U; uint32_t *wv_b5 = wv + a * 4U; @@ -211,17 +212,17 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a5; uint32_t x1 = wv_a5[i] ^ wv_b5[i]; + uint32_t *os = wv_a5; os[i] = x1;); uint32_t *r13 = wv_a5; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = r13; uint32_t x1 = r13[i]; uint32_t x10 = x1 >> 8U | x1 << 24U; + uint32_t *os = r13; os[i] = x10;); uint32_t *wv_a6 = wv + c0 * 4U; uint32_t *wv_b6 = wv + d10 * 4U; @@ -229,8 +230,8 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a6; uint32_t x1 = wv_a6[i] + wv_b6[i]; + uint32_t *os = wv_a6; os[i] = x1;); uint32_t *wv_a7 = wv + b0 * 4U; uint32_t *wv_b7 = wv + c0 * 4U; @@ -238,17 +239,17 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a7; uint32_t x1 = wv_a7[i] ^ wv_b7[i]; + uint32_t *os = wv_a7; os[i] = x1;); uint32_t *r14 = wv_a7; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = r14; uint32_t x1 = r14[i]; uint32_t x10 = x1 >> 7U | x1 << 25U; + uint32_t *os = r14; os[i] = x10;); uint32_t *r15 = wv + 4U; uint32_t *r21 = wv + 8U; @@ -290,15 +291,15 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a; uint32_t x1 = wv_a[i] + wv_b8[i]; + uint32_t *os = wv_a; os[i] = x1;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = wv_a; uint32_t x1 = wv_a[i] + z[i]; + uint32_t *os = wv_a; os[i] = x1;); uint32_t *wv_a8 = wv + d1 * 4U; uint32_t *wv_b9 = wv + a0 * 4U; @@ -306,17 +307,17 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a8; uint32_t x1 = wv_a8[i] ^ wv_b9[i]; + uint32_t *os = wv_a8; os[i] = x1;); uint32_t *r16 = wv_a8; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = r16; uint32_t x1 = r16[i]; uint32_t x13 = x1 >> 16U | x1 << 16U; + uint32_t *os = r16; os[i] = x13;); uint32_t *wv_a9 = wv + c * 4U; uint32_t *wv_b10 = wv + d1 * 4U; @@ -324,8 +325,8 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a9; uint32_t x1 = wv_a9[i] + wv_b10[i]; + uint32_t *os = wv_a9; os[i] = x1;); uint32_t *wv_a10 = wv + b * 4U; uint32_t *wv_b11 = wv + c * 4U; @@ -333,17 +334,17 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a10; uint32_t x1 = wv_a10[i] ^ wv_b11[i]; + uint32_t *os = wv_a10; os[i] = x1;); uint32_t *r17 = wv_a10; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = r17; uint32_t x1 = r17[i]; uint32_t x13 = x1 >> 12U | x1 << 20U; + uint32_t *os = r17; os[i] = x13;); uint32_t *wv_a11 = wv + a0 * 4U; uint32_t *wv_b12 = wv + b * 4U; @@ -351,15 +352,15 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a11; uint32_t x1 = wv_a11[i] + wv_b12[i]; + uint32_t *os = wv_a11; os[i] = x1;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = wv_a11; uint32_t x1 = wv_a11[i] + w[i]; + uint32_t *os = wv_a11; os[i] = x1;); uint32_t *wv_a12 = wv + d1 * 4U; uint32_t *wv_b13 = wv + a0 * 4U; @@ -367,17 +368,17 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a12; uint32_t x1 = wv_a12[i] ^ wv_b13[i]; + uint32_t *os = wv_a12; os[i] = x1;); uint32_t *r18 = wv_a12; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = r18; uint32_t x1 = r18[i]; uint32_t x13 = x1 >> 8U | x1 << 24U; + uint32_t *os = r18; os[i] = x13;); uint32_t *wv_a13 = wv + c * 4U; uint32_t *wv_b14 = wv + d1 * 4U; @@ -385,8 +386,8 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a13; uint32_t x1 = wv_a13[i] + wv_b14[i]; + uint32_t *os = wv_a13; os[i] = x1;); uint32_t *wv_a14 = wv + b * 4U; uint32_t *wv_b = wv + c * 4U; @@ -394,17 +395,17 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = wv_a14; uint32_t x1 = wv_a14[i] ^ wv_b[i]; + uint32_t *os = wv_a14; os[i] = x1;); uint32_t *r19 = wv_a14; KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = r19; uint32_t x1 = r19[i]; uint32_t x13 = x1 >> 7U | x1 << 25U; + uint32_t *os = r19; os[i] = x13;); uint32_t *r113 = wv + 4U; uint32_t *r2 = wv + 8U; @@ -446,34 +447,35 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * 0U, 4U, 1U, - uint32_t *os = s0; uint32_t x = s0[i] ^ r0[i]; + uint32_t *os = s0; os[i] = x;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = s0; uint32_t x = s0[i] ^ r2[i]; + uint32_t *os = s0; os[i] = x;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = s1; uint32_t x = s1[i] ^ r1[i]; + uint32_t *os = s1; os[i] = x;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = s1; uint32_t x = s1[i] ^ r3[i]; + uint32_t *os = s1; os[i] = x;); } void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + 4U; uint32_t *r2 = hash + 8U; @@ -494,16 +496,67 @@ void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Hash_Blake2s_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + uint32_t *uu____0 = tmp + 4U; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + uint32_t *os = uu____0; + os[i] = x;); + uint32_t *uu____1 = tmp + 6U; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + uint32_t *os = uu____1; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) @@ -519,7 +572,7 @@ static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, ui { update_block(wv, hash, false, lb, b); } - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } void @@ -556,7 +609,7 @@ Hacl_Hash_Blake2s_update_last( memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; update_block(wv, hash, true, totlen, b); - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } static void @@ -614,7 +667,7 @@ void Hacl_Hash_Blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash) KRML_MAYBE_FOR4(i, 0U, 4U, 1U, store32_le(second + i * 4U, row1[i]);); uint8_t *final = b; memcpy(output, final, nn * sizeof (uint8_t)); - Lib_Memzero0_memzero(b, 32U, uint8_t); + Lib_Memzero0_memzero(b, 32U, uint8_t, void *); } /** @@ -626,12 +679,12 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void) uint32_t *wv = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); Hacl_Hash_Blake2s_block_state_t block_state = { .fst = wv, .snd = b }; + Hacl_Hash_Blake2s_init(block_state.snd, 0U, 32U); Hacl_Hash_Blake2s_state_t s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; Hacl_Hash_Blake2s_state_t *p = (Hacl_Hash_Blake2s_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2s_state_t)); p[0U] = s; - Hacl_Hash_Blake2s_init(block_state.snd, 0U, 32U); return p; } @@ -640,13 +693,9 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void) */ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *state) { - Hacl_Hash_Blake2s_state_t scrut = *state; - uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; + Hacl_Hash_Blake2s_block_state_t block_state = (*state).block_state; Hacl_Hash_Blake2s_init(block_state.snd, 0U, 32U); - Hacl_Hash_Blake2s_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } /** @@ -655,8 +704,8 @@ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *state) Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint32_t chunk_len) { - Hacl_Hash_Blake2s_state_t s = *state; - uint64_t total_len = s.total_len; + Hacl_Hash_Blake2s_block_state_t block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 0xffffffffffffffffULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -672,10 +721,8 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 } if (chunk_len <= 64U - sz) { - Hacl_Hash_Blake2s_state_t s1 = *state; - Hacl_Hash_Blake2s_block_state_t block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -688,22 +735,12 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_Hash_Blake2s_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2 - } - ); + state->total_len = total_len2; } else if (sz == 0U) { - Hacl_Hash_Blake2s_state_t s1 = *state; - Hacl_Hash_Blake2s_block_state_t block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -716,8 +753,8 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - uint32_t *wv = block_state1.fst; - uint32_t *hash = block_state1.snd; + uint32_t *wv = block_state.fst; + uint32_t *hash = block_state.snd; uint32_t nb = 1U; Hacl_Hash_Blake2s_update_multi(64U, wv, hash, prevlen, buf, nb); } @@ -735,31 +772,21 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - uint32_t *wv = block_state1.fst; - uint32_t *hash = block_state1.snd; + uint32_t *wv = block_state.fst; + uint32_t *hash = block_state.snd; uint32_t nb = data1_len / 64U; Hacl_Hash_Blake2s_update_multi(data1_len, wv, hash, total_len1, data1, nb); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Hash_Blake2s_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; } else { uint32_t diff = 64U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_Hash_Blake2s_state_t s1 = *state; - Hacl_Hash_Blake2s_block_state_t block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; uint32_t sz10; if (total_len10 % (uint64_t)64U == 0ULL && total_len10 > 0ULL) { @@ -769,22 +796,12 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 { sz10 = (uint32_t)(total_len10 % (uint64_t)64U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_Hash_Blake2s_state_t){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2 - } - ); - Hacl_Hash_Blake2s_state_t s10 = *state; - Hacl_Hash_Blake2s_block_state_t block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; + state->total_len = total_len2; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -797,10 +814,10 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - uint32_t *wv = block_state1.fst; - uint32_t *hash = block_state1.snd; + uint32_t *wv = block_state.fst; + uint32_t *hash = block_state.snd; uint32_t nb = 1U; - Hacl_Hash_Blake2s_update_multi(64U, wv, hash, prevlen, buf, nb); + Hacl_Hash_Blake2s_update_multi(64U, wv, hash, prevlen, buf0, nb); } uint32_t ite; if @@ -817,21 +834,13 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - uint32_t *wv = block_state1.fst; - uint32_t *hash = block_state1.snd; + uint32_t *wv = block_state.fst; + uint32_t *hash = block_state.snd; uint32_t nb = data1_len / 64U; Hacl_Hash_Blake2s_update_multi(data1_len, wv, hash, total_len1, data1, nb); - uint8_t *dst = buf; + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Hash_Blake2s_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff) - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); } return Hacl_Streaming_Types_Success; } @@ -841,10 +850,9 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 */ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) { - Hacl_Hash_Blake2s_state_t scrut = *state; - Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + Hacl_Hash_Blake2s_block_state_t block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)64U == 0ULL && total_len > 0ULL) { @@ -862,6 +870,7 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) uint32_t *dst_b = tmp_block_state.snd; memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 64U == 0U && r > 0U) { @@ -872,7 +881,6 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) ite = r % 64U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; uint32_t *wv1 = tmp_block_state.fst; uint32_t *hash0 = tmp_block_state.snd; uint32_t nb = 0U; @@ -925,7 +933,7 @@ Hacl_Hash_Blake2s_hash_with_key( Hacl_Hash_Blake2s_init(b, key_len, output_len); update(b1, b, key_len, key, input_len, input); Hacl_Hash_Blake2s_finish(output_len, output, b); - Lib_Memzero0_memzero(b1, 16U, uint32_t); - Lib_Memzero0_memzero(b, 16U, uint32_t); + Lib_Memzero0_memzero(b1, 16U, uint32_t, void *); + Lib_Memzero0_memzero(b, 16U, uint32_t, void *); } diff --git a/src/Hacl_Hash_Blake2s_Simd128.c b/src/Hacl_Hash_Blake2s_Simd128.c index 73f0cccb..07f93c5c 100644 --- a/src/Hacl_Hash_Blake2s_Simd128.c +++ b/src/Hacl_Hash_Blake2s_Simd128.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2s_Simd128.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -42,11 +43,11 @@ update_block( 0U, 16U, 1U, - uint32_t *os = m_w; uint8_t *bj = d + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = m_w; os[i] = x;); Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_zero; uint32_t wv_14; @@ -214,6 +215,7 @@ update_block( void Hacl_Hash_Blake2s_Simd128_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec128 *r0 = hash; Lib_IntVector_Intrinsics_vec128 *r1 = hash + 1U; Lib_IntVector_Intrinsics_vec128 *r2 = hash + 2U; @@ -228,10 +230,61 @@ Hacl_Hash_Blake2s_Simd128_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t k uint32_t iv7 = Hacl_Hash_Blake2s_ivTable_S[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Hash_Blake2s_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + uint32_t *uu____0 = tmp + 4U; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + uint32_t *os = uu____0; + os[i] = x;); + uint32_t *uu____1 = tmp + 6U; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + uint32_t *os = uu____1; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); } static void @@ -254,7 +307,7 @@ update_key( { update_block(wv, hash, false, lb, b); } - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } void @@ -291,7 +344,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; update_block(wv, hash, true, totlen, b); - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } static inline void @@ -367,7 +420,7 @@ Hacl_Hash_Blake2s_Simd128_finish( Lib_IntVector_Intrinsics_vec128_store32_le(second, row1[0U]); uint8_t *final = b; memcpy(output, final, nn * sizeof (uint8_t)); - Lib_Memzero0_memzero(b, 32U, uint8_t); + Lib_Memzero0_memzero(b, 32U, uint8_t, void *); } void @@ -390,11 +443,11 @@ Hacl_Hash_Blake2s_Simd128_store_state128s_to_state32( 0U, 4U, 1U, - uint32_t *os = b0; uint8_t *bj = b8 + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = b0; os[i] = x;); uint8_t b80[16U] = { 0U }; Lib_IntVector_Intrinsics_vec128_store32_le(b80, r1[0U]); @@ -402,11 +455,11 @@ Hacl_Hash_Blake2s_Simd128_store_state128s_to_state32( 0U, 4U, 1U, - uint32_t *os = b1; uint8_t *bj = b80 + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = b1; os[i] = x;); uint8_t b81[16U] = { 0U }; Lib_IntVector_Intrinsics_vec128_store32_le(b81, r2[0U]); @@ -414,11 +467,11 @@ Hacl_Hash_Blake2s_Simd128_store_state128s_to_state32( 0U, 4U, 1U, - uint32_t *os = b2; uint8_t *bj = b81 + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = b2; os[i] = x;); uint8_t b82[16U] = { 0U }; Lib_IntVector_Intrinsics_vec128_store32_le(b82, r3[0U]); @@ -426,11 +479,11 @@ Hacl_Hash_Blake2s_Simd128_store_state128s_to_state32( 0U, 4U, 1U, - uint32_t *os = b3; uint8_t *bj = b82 + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = b3; os[i] = x;); } @@ -481,6 +534,7 @@ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); Hacl_Hash_Blake2s_Simd128_block_state_t block_state = { .fst = wv, .snd = b }; + Hacl_Hash_Blake2s_Simd128_init(block_state.snd, 0U, 32U); Hacl_Hash_Blake2s_Simd128_state_t s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; Hacl_Hash_Blake2s_Simd128_state_t @@ -489,7 +543,6 @@ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) Hacl_Hash_Blake2s_Simd128_state_t )); p[0U] = s; - Hacl_Hash_Blake2s_Simd128_init(block_state.snd, 0U, 32U); return p; } @@ -498,13 +551,9 @@ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) */ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *state) { - Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; - uint8_t *buf = scrut.buf; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; + Hacl_Hash_Blake2s_Simd128_block_state_t block_state = (*state).block_state; Hacl_Hash_Blake2s_Simd128_init(block_state.snd, 0U, 32U); - Hacl_Hash_Blake2s_Simd128_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } /** @@ -517,8 +566,8 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t chunk_len ) { - Hacl_Hash_Blake2s_Simd128_state_t s = *state; - uint64_t total_len = s.total_len; + Hacl_Hash_Blake2s_Simd128_block_state_t block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 0xffffffffffffffffULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -534,10 +583,8 @@ Hacl_Hash_Blake2s_Simd128_update( } if (chunk_len <= 64U - sz) { - Hacl_Hash_Blake2s_Simd128_state_t s1 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -550,22 +597,12 @@ Hacl_Hash_Blake2s_Simd128_update( uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_Hash_Blake2s_Simd128_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2 - } - ); + state->total_len = total_len2; } else if (sz == 0U) { - Hacl_Hash_Blake2s_Simd128_state_t s1 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -578,8 +615,8 @@ Hacl_Hash_Blake2s_Simd128_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - Lib_IntVector_Intrinsics_vec128 *wv = block_state1.fst; - Lib_IntVector_Intrinsics_vec128 *hash = block_state1.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec128 *hash = block_state.snd; uint32_t nb = 1U; Hacl_Hash_Blake2s_Simd128_update_multi(64U, wv, hash, prevlen, buf, nb); } @@ -597,31 +634,21 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - Lib_IntVector_Intrinsics_vec128 *wv = block_state1.fst; - Lib_IntVector_Intrinsics_vec128 *hash = block_state1.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec128 *hash = block_state.snd; uint32_t nb = data1_len / 64U; Hacl_Hash_Blake2s_Simd128_update_multi(data1_len, wv, hash, total_len1, data1, nb); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Hash_Blake2s_Simd128_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; } else { uint32_t diff = 64U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_Hash_Blake2s_Simd128_state_t s1 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; uint32_t sz10; if (total_len10 % (uint64_t)64U == 0ULL && total_len10 > 0ULL) { @@ -631,22 +658,12 @@ Hacl_Hash_Blake2s_Simd128_update( { sz10 = (uint32_t)(total_len10 % (uint64_t)64U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_Hash_Blake2s_Simd128_state_t){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2 - } - ); - Hacl_Hash_Blake2s_Simd128_state_t s10 = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; + state->total_len = total_len2; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -659,10 +676,10 @@ Hacl_Hash_Blake2s_Simd128_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - Lib_IntVector_Intrinsics_vec128 *wv = block_state1.fst; - Lib_IntVector_Intrinsics_vec128 *hash = block_state1.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec128 *hash = block_state.snd; uint32_t nb = 1U; - Hacl_Hash_Blake2s_Simd128_update_multi(64U, wv, hash, prevlen, buf, nb); + Hacl_Hash_Blake2s_Simd128_update_multi(64U, wv, hash, prevlen, buf0, nb); } uint32_t ite; if @@ -679,21 +696,13 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - Lib_IntVector_Intrinsics_vec128 *wv = block_state1.fst; - Lib_IntVector_Intrinsics_vec128 *hash = block_state1.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.fst; + Lib_IntVector_Intrinsics_vec128 *hash = block_state.snd; uint32_t nb = data1_len / 64U; Hacl_Hash_Blake2s_Simd128_update_multi(data1_len, wv, hash, total_len1, data1, nb); - uint8_t *dst = buf; + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Hash_Blake2s_Simd128_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff) - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); } return Hacl_Streaming_Types_Success; } @@ -704,10 +713,9 @@ Hacl_Hash_Blake2s_Simd128_update( void Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8_t *output) { - Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; - Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + Hacl_Hash_Blake2s_Simd128_block_state_t block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)64U == 0ULL && total_len > 0ULL) { @@ -725,6 +733,7 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); uint64_t prev_len = total_len - (uint64_t)r; + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 64U == 0U && r > 0U) { @@ -735,7 +744,6 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 ite = r % 64U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; Lib_IntVector_Intrinsics_vec128 *wv1 = tmp_block_state.fst; Lib_IntVector_Intrinsics_vec128 *hash0 = tmp_block_state.snd; uint32_t nb = 0U; @@ -788,7 +796,7 @@ Hacl_Hash_Blake2s_Simd128_hash_with_key( Hacl_Hash_Blake2s_Simd128_init(b, key_len, output_len); update(b1, b, key_len, key, input_len, input); Hacl_Hash_Blake2s_Simd128_finish(output_len, output, b); - Lib_Memzero0_memzero(b1, 4U, Lib_IntVector_Intrinsics_vec128); - Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec128); + Lib_Memzero0_memzero(b1, 4U, Lib_IntVector_Intrinsics_vec128, void *); + Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec128, void *); } diff --git a/src/Hacl_Hash_MD5.c b/src/Hacl_Hash_MD5.c index ed294839..f2d874eb 100644 --- a/src/Hacl_Hash_MD5.c +++ b/src/Hacl_Hash_MD5.c @@ -1167,24 +1167,20 @@ Hacl_Streaming_MD_state_32 *Hacl_Hash_MD5_malloc(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); + Hacl_Hash_MD5_init(block_state); Hacl_Streaming_MD_state_32 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; Hacl_Streaming_MD_state_32 *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); p[0U] = s; - Hacl_Hash_MD5_init(block_state); return p; } void Hacl_Hash_MD5_reset(Hacl_Streaming_MD_state_32 *state) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint8_t *buf = scrut.buf; - uint32_t *block_state = scrut.block_state; + uint32_t *block_state = (*state).block_state; Hacl_Hash_MD5_init(block_state); - Hacl_Streaming_MD_state_32 - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } /** @@ -1193,8 +1189,8 @@ void Hacl_Hash_MD5_reset(Hacl_Streaming_MD_state_32 *state) Hacl_Streaming_Types_error_code Hacl_Hash_MD5_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk_len) { - Hacl_Streaming_MD_state_32 s = *state; - uint64_t total_len = s.total_len; + uint32_t *block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 2305843009213693951ULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -1210,10 +1206,8 @@ Hacl_Hash_MD5_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t } if (chunk_len <= 64U - sz) { - Hacl_Streaming_MD_state_32 s1 = *state; - uint32_t *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -1226,22 +1220,12 @@ Hacl_Hash_MD5_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2 - } - ); + state->total_len = total_len2; } else if (sz == 0U) { - Hacl_Streaming_MD_state_32 s1 = *state; - uint32_t *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -1253,7 +1237,7 @@ Hacl_Hash_MD5_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t } if (!(sz1 == 0U)) { - Hacl_Hash_MD5_update_multi(block_state1, buf, 1U); + Hacl_Hash_MD5_update_multi(block_state, buf, 1U); } uint32_t ite; if ((uint64_t)chunk_len % (uint64_t)64U == 0ULL && (uint64_t)chunk_len > 0ULL) @@ -1269,28 +1253,18 @@ Hacl_Hash_MD5_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - Hacl_Hash_MD5_update_multi(block_state1, data1, data1_len / 64U); + Hacl_Hash_MD5_update_multi(block_state, data1, data1_len / 64U); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; } else { uint32_t diff = 64U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_Streaming_MD_state_32 s1 = *state; - uint32_t *block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; uint32_t sz10; if (total_len10 % (uint64_t)64U == 0ULL && total_len10 > 0ULL) { @@ -1300,22 +1274,12 @@ Hacl_Hash_MD5_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t { sz10 = (uint32_t)(total_len10 % (uint64_t)64U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2 - } - ); - Hacl_Streaming_MD_state_32 s10 = *state; - uint32_t *block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; + state->total_len = total_len2; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -1327,7 +1291,7 @@ Hacl_Hash_MD5_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t } if (!(sz1 == 0U)) { - Hacl_Hash_MD5_update_multi(block_state1, buf, 1U); + Hacl_Hash_MD5_update_multi(block_state, buf0, 1U); } uint32_t ite; if @@ -1344,28 +1308,19 @@ Hacl_Hash_MD5_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - Hacl_Hash_MD5_update_multi(block_state1, data1, data1_len / 64U); - uint8_t *dst = buf; + Hacl_Hash_MD5_update_multi(block_state, data1, data1_len / 64U); + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff) - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); } return Hacl_Streaming_Types_Success; } void Hacl_Hash_MD5_digest(Hacl_Streaming_MD_state_32 *state, uint8_t *output) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint32_t *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + uint32_t *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)64U == 0ULL && total_len > 0ULL) { @@ -1378,6 +1333,7 @@ void Hacl_Hash_MD5_digest(Hacl_Streaming_MD_state_32 *state, uint8_t *output) uint8_t *buf_1 = buf_; uint32_t tmp_block_state[4U] = { 0U }; memcpy(tmp_block_state, block_state, 4U * sizeof (uint32_t)); + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 64U == 0U && r > 0U) { @@ -1388,7 +1344,6 @@ void Hacl_Hash_MD5_digest(Hacl_Streaming_MD_state_32 *state, uint8_t *output) ite = r % 64U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; Hacl_Hash_MD5_update_multi(tmp_block_state, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; Hacl_Hash_MD5_update_last(tmp_block_state, prev_len_last, buf_last, r); @@ -1407,10 +1362,9 @@ void Hacl_Hash_MD5_free(Hacl_Streaming_MD_state_32 *state) Hacl_Streaming_MD_state_32 *Hacl_Hash_MD5_copy(Hacl_Streaming_MD_state_32 *state) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint32_t *block_state0 = scrut.block_state; - uint8_t *buf0 = scrut.buf; - uint64_t total_len0 = scrut.total_len; + uint32_t *block_state0 = (*state).block_state; + uint8_t *buf0 = (*state).buf; + uint64_t total_len0 = (*state).total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); memcpy(buf, buf0, 64U * sizeof (uint8_t)); uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(4U, sizeof (uint32_t)); diff --git a/src/Hacl_Hash_SHA1.c b/src/Hacl_Hash_SHA1.c index 1a8b09b1..44f6bfe5 100644 --- a/src/Hacl_Hash_SHA1.c +++ b/src/Hacl_Hash_SHA1.c @@ -200,24 +200,20 @@ Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA1_malloc(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); + Hacl_Hash_SHA1_init(block_state); Hacl_Streaming_MD_state_32 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; Hacl_Streaming_MD_state_32 *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); p[0U] = s; - Hacl_Hash_SHA1_init(block_state); return p; } void Hacl_Hash_SHA1_reset(Hacl_Streaming_MD_state_32 *state) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint8_t *buf = scrut.buf; - uint32_t *block_state = scrut.block_state; + uint32_t *block_state = (*state).block_state; Hacl_Hash_SHA1_init(block_state); - Hacl_Streaming_MD_state_32 - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } /** @@ -226,8 +222,8 @@ void Hacl_Hash_SHA1_reset(Hacl_Streaming_MD_state_32 *state) Hacl_Streaming_Types_error_code Hacl_Hash_SHA1_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk_len) { - Hacl_Streaming_MD_state_32 s = *state; - uint64_t total_len = s.total_len; + uint32_t *block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 2305843009213693951ULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -243,10 +239,8 @@ Hacl_Hash_SHA1_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_ } if (chunk_len <= 64U - sz) { - Hacl_Streaming_MD_state_32 s1 = *state; - uint32_t *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -259,22 +253,12 @@ Hacl_Hash_SHA1_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_ uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2 - } - ); + state->total_len = total_len2; } else if (sz == 0U) { - Hacl_Streaming_MD_state_32 s1 = *state; - uint32_t *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -286,7 +270,7 @@ Hacl_Hash_SHA1_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_ } if (!(sz1 == 0U)) { - Hacl_Hash_SHA1_update_multi(block_state1, buf, 1U); + Hacl_Hash_SHA1_update_multi(block_state, buf, 1U); } uint32_t ite; if ((uint64_t)chunk_len % (uint64_t)64U == 0ULL && (uint64_t)chunk_len > 0ULL) @@ -302,28 +286,18 @@ Hacl_Hash_SHA1_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_ uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - Hacl_Hash_SHA1_update_multi(block_state1, data1, data1_len / 64U); + Hacl_Hash_SHA1_update_multi(block_state, data1, data1_len / 64U); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; } else { uint32_t diff = 64U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_Streaming_MD_state_32 s1 = *state; - uint32_t *block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; uint32_t sz10; if (total_len10 % (uint64_t)64U == 0ULL && total_len10 > 0ULL) { @@ -333,22 +307,12 @@ Hacl_Hash_SHA1_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_ { sz10 = (uint32_t)(total_len10 % (uint64_t)64U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2 - } - ); - Hacl_Streaming_MD_state_32 s10 = *state; - uint32_t *block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; + state->total_len = total_len2; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -360,7 +324,7 @@ Hacl_Hash_SHA1_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_ } if (!(sz1 == 0U)) { - Hacl_Hash_SHA1_update_multi(block_state1, buf, 1U); + Hacl_Hash_SHA1_update_multi(block_state, buf0, 1U); } uint32_t ite; if @@ -377,28 +341,19 @@ Hacl_Hash_SHA1_update(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_ uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - Hacl_Hash_SHA1_update_multi(block_state1, data1, data1_len / 64U); - uint8_t *dst = buf; + Hacl_Hash_SHA1_update_multi(block_state, data1, data1_len / 64U); + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff) - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); } return Hacl_Streaming_Types_Success; } void Hacl_Hash_SHA1_digest(Hacl_Streaming_MD_state_32 *state, uint8_t *output) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint32_t *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + uint32_t *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)64U == 0ULL && total_len > 0ULL) { @@ -411,6 +366,7 @@ void Hacl_Hash_SHA1_digest(Hacl_Streaming_MD_state_32 *state, uint8_t *output) uint8_t *buf_1 = buf_; uint32_t tmp_block_state[5U] = { 0U }; memcpy(tmp_block_state, block_state, 5U * sizeof (uint32_t)); + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 64U == 0U && r > 0U) { @@ -421,7 +377,6 @@ void Hacl_Hash_SHA1_digest(Hacl_Streaming_MD_state_32 *state, uint8_t *output) ite = r % 64U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; Hacl_Hash_SHA1_update_multi(tmp_block_state, buf_multi, 0U); uint64_t prev_len_last = total_len - (uint64_t)r; Hacl_Hash_SHA1_update_last(tmp_block_state, prev_len_last, buf_last, r); @@ -440,10 +395,9 @@ void Hacl_Hash_SHA1_free(Hacl_Streaming_MD_state_32 *state) Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA1_copy(Hacl_Streaming_MD_state_32 *state) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint32_t *block_state0 = scrut.block_state; - uint8_t *buf0 = scrut.buf; - uint64_t total_len0 = scrut.total_len; + uint32_t *block_state0 = (*state).block_state; + uint8_t *buf0 = (*state).buf; + uint64_t total_len0 = (*state).total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); memcpy(buf, buf0, 64U * sizeof (uint8_t)); uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(5U, sizeof (uint32_t)); diff --git a/src/Hacl_Hash_SHA2.c b/src/Hacl_Hash_SHA2.c index 995fe707..1d4fbbfd 100644 --- a/src/Hacl_Hash_SHA2.c +++ b/src/Hacl_Hash_SHA2.c @@ -33,8 +33,8 @@ void Hacl_Hash_SHA2_sha256_init(uint32_t *hash) 0U, 8U, 1U, - uint32_t *os = hash; uint32_t x = Hacl_Hash_SHA2_h256[i]; + uint32_t *os = hash; os[i] = x;); } @@ -140,8 +140,8 @@ static inline void sha256_update(uint8_t *b, uint32_t *hash) 0U, 8U, 1U, - uint32_t *os = hash; uint32_t x = hash[i] + hash_old[i]; + uint32_t *os = hash; os[i] = x;); } @@ -206,8 +206,8 @@ void Hacl_Hash_SHA2_sha224_init(uint32_t *hash) 0U, 8U, 1U, - uint32_t *os = hash; uint32_t x = Hacl_Hash_SHA2_h224[i]; + uint32_t *os = hash; os[i] = x;); } @@ -234,8 +234,8 @@ void Hacl_Hash_SHA2_sha512_init(uint64_t *hash) 0U, 8U, 1U, - uint64_t *os = hash; uint64_t x = Hacl_Hash_SHA2_h512[i]; + uint64_t *os = hash; os[i] = x;); } @@ -341,8 +341,8 @@ static inline void sha512_update(uint8_t *b, uint64_t *hash) 0U, 8U, 1U, - uint64_t *os = hash; uint64_t x = hash[i] + hash_old[i]; + uint64_t *os = hash; os[i] = x;); } @@ -412,8 +412,8 @@ void Hacl_Hash_SHA2_sha384_init(uint64_t *hash) 0U, 8U, 1U, - uint64_t *os = hash; uint64_t x = Hacl_Hash_SHA2_h384[i]; + uint64_t *os = hash; os[i] = x;); } @@ -448,12 +448,12 @@ Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_256(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + Hacl_Hash_SHA2_sha256_init(block_state); Hacl_Streaming_MD_state_32 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; Hacl_Streaming_MD_state_32 *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); p[0U] = s; - Hacl_Hash_SHA2_sha256_init(block_state); return p; } @@ -465,10 +465,9 @@ more (different) data into the hash in each branch. */ Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_copy_256(Hacl_Streaming_MD_state_32 *state) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint32_t *block_state0 = scrut.block_state; - uint8_t *buf0 = scrut.buf; - uint64_t total_len0 = scrut.total_len; + uint32_t *block_state0 = (*state).block_state; + uint8_t *buf0 = (*state).buf; + uint64_t total_len0 = (*state).total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); memcpy(buf, buf0, 64U * sizeof (uint8_t)); uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); @@ -486,20 +485,16 @@ Reset an existing state to the initial hash state with empty data. */ void Hacl_Hash_SHA2_reset_256(Hacl_Streaming_MD_state_32 *state) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint8_t *buf = scrut.buf; - uint32_t *block_state = scrut.block_state; + uint32_t *block_state = (*state).block_state; Hacl_Hash_SHA2_sha256_init(block_state); - Hacl_Streaming_MD_state_32 - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } static inline Hacl_Streaming_Types_error_code update_224_256(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk_len) { - Hacl_Streaming_MD_state_32 s = *state; - uint64_t total_len = s.total_len; + uint32_t *block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 2305843009213693951ULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -515,10 +510,8 @@ update_224_256(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk } if (chunk_len <= 64U - sz) { - Hacl_Streaming_MD_state_32 s1 = *state; - uint32_t *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -531,22 +524,12 @@ update_224_256(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2 - } - ); + state->total_len = total_len2; } else if (sz == 0U) { - Hacl_Streaming_MD_state_32 s1 = *state; - uint32_t *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -558,7 +541,7 @@ update_224_256(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk } if (!(sz1 == 0U)) { - Hacl_Hash_SHA2_sha256_update_nblocks(64U, buf, block_state1); + Hacl_Hash_SHA2_sha256_update_nblocks(64U, buf, block_state); } uint32_t ite; if ((uint64_t)chunk_len % (uint64_t)64U == 0ULL && (uint64_t)chunk_len > 0ULL) @@ -574,28 +557,18 @@ update_224_256(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - Hacl_Hash_SHA2_sha256_update_nblocks(data1_len / 64U * 64U, data1, block_state1); + Hacl_Hash_SHA2_sha256_update_nblocks(data1_len / 64U * 64U, data1, block_state); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; } else { uint32_t diff = 64U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_Streaming_MD_state_32 s1 = *state; - uint32_t *block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; uint32_t sz10; if (total_len10 % (uint64_t)64U == 0ULL && total_len10 > 0ULL) { @@ -605,22 +578,12 @@ update_224_256(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk { sz10 = (uint32_t)(total_len10 % (uint64_t)64U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2 - } - ); - Hacl_Streaming_MD_state_32 s10 = *state; - uint32_t *block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; + state->total_len = total_len2; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -632,7 +595,7 @@ update_224_256(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk } if (!(sz1 == 0U)) { - Hacl_Hash_SHA2_sha256_update_nblocks(64U, buf, block_state1); + Hacl_Hash_SHA2_sha256_update_nblocks(64U, buf0, block_state); } uint32_t ite; if @@ -649,18 +612,10 @@ update_224_256(Hacl_Streaming_MD_state_32 *state, uint8_t *chunk, uint32_t chunk uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - Hacl_Hash_SHA2_sha256_update_nblocks(data1_len / 64U * 64U, data1, block_state1); - uint8_t *dst = buf; + Hacl_Hash_SHA2_sha256_update_nblocks(data1_len / 64U * 64U, data1, block_state); + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Streaming_MD_state_32){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff) - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); } return Hacl_Streaming_Types_Success; } @@ -690,10 +645,9 @@ the state and therefore does not invalidate the client-held state `p`.) */ void Hacl_Hash_SHA2_digest_256(Hacl_Streaming_MD_state_32 *state, uint8_t *output) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint32_t *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + uint32_t *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)64U == 0ULL && total_len > 0ULL) { @@ -706,6 +660,7 @@ void Hacl_Hash_SHA2_digest_256(Hacl_Streaming_MD_state_32 *state, uint8_t *outpu uint8_t *buf_1 = buf_; uint32_t tmp_block_state[8U] = { 0U }; memcpy(tmp_block_state, block_state, 8U * sizeof (uint32_t)); + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 64U == 0U && r > 0U) { @@ -716,7 +671,6 @@ void Hacl_Hash_SHA2_digest_256(Hacl_Streaming_MD_state_32 *state, uint8_t *outpu ite = r % 64U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; Hacl_Hash_SHA2_sha256_update_nblocks(0U, buf_multi, tmp_block_state); uint64_t prev_len_last = total_len - (uint64_t)r; Hacl_Hash_SHA2_sha256_update_last(prev_len_last + (uint64_t)r, r, buf_last, tmp_block_state); @@ -761,24 +715,20 @@ Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_224(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC(8U, sizeof (uint32_t)); + Hacl_Hash_SHA2_sha224_init(block_state); Hacl_Streaming_MD_state_32 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; Hacl_Streaming_MD_state_32 *p = (Hacl_Streaming_MD_state_32 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_32)); p[0U] = s; - Hacl_Hash_SHA2_sha224_init(block_state); return p; } void Hacl_Hash_SHA2_reset_224(Hacl_Streaming_MD_state_32 *state) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint8_t *buf = scrut.buf; - uint32_t *block_state = scrut.block_state; + uint32_t *block_state = (*state).block_state; Hacl_Hash_SHA2_sha224_init(block_state); - Hacl_Streaming_MD_state_32 - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } Hacl_Streaming_Types_error_code @@ -798,10 +748,9 @@ the hash via `update_224`. */ void Hacl_Hash_SHA2_digest_224(Hacl_Streaming_MD_state_32 *state, uint8_t *output) { - Hacl_Streaming_MD_state_32 scrut = *state; - uint32_t *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + uint32_t *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)64U == 0ULL && total_len > 0ULL) { @@ -814,6 +763,7 @@ void Hacl_Hash_SHA2_digest_224(Hacl_Streaming_MD_state_32 *state, uint8_t *outpu uint8_t *buf_1 = buf_; uint32_t tmp_block_state[8U] = { 0U }; memcpy(tmp_block_state, block_state, 8U * sizeof (uint32_t)); + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 64U == 0U && r > 0U) { @@ -824,7 +774,6 @@ void Hacl_Hash_SHA2_digest_224(Hacl_Streaming_MD_state_32 *state, uint8_t *outpu ite = r % 64U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; sha224_update_nblocks(0U, buf_multi, tmp_block_state); uint64_t prev_len_last = total_len - (uint64_t)r; Hacl_Hash_SHA2_sha224_update_last(prev_len_last + (uint64_t)r, r, buf_last, tmp_block_state); @@ -859,12 +808,12 @@ Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_512(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + Hacl_Hash_SHA2_sha512_init(block_state); Hacl_Streaming_MD_state_64 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; Hacl_Streaming_MD_state_64 *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); p[0U] = s; - Hacl_Hash_SHA2_sha512_init(block_state); return p; } @@ -876,10 +825,9 @@ more (different) data into the hash in each branch. */ Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_copy_512(Hacl_Streaming_MD_state_64 *state) { - Hacl_Streaming_MD_state_64 scrut = *state; - uint64_t *block_state0 = scrut.block_state; - uint8_t *buf0 = scrut.buf; - uint64_t total_len0 = scrut.total_len; + uint64_t *block_state0 = (*state).block_state; + uint8_t *buf0 = (*state).buf; + uint64_t total_len0 = (*state).total_len; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); memcpy(buf, buf0, 128U * sizeof (uint8_t)); uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); @@ -894,20 +842,16 @@ Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_copy_512(Hacl_Streaming_MD_state_64 * void Hacl_Hash_SHA2_reset_512(Hacl_Streaming_MD_state_64 *state) { - Hacl_Streaming_MD_state_64 scrut = *state; - uint8_t *buf = scrut.buf; - uint64_t *block_state = scrut.block_state; + uint64_t *block_state = (*state).block_state; Hacl_Hash_SHA2_sha512_init(block_state); - Hacl_Streaming_MD_state_64 - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } static inline Hacl_Streaming_Types_error_code update_384_512(Hacl_Streaming_MD_state_64 *state, uint8_t *chunk, uint32_t chunk_len) { - Hacl_Streaming_MD_state_64 s = *state; - uint64_t total_len = s.total_len; + uint64_t *block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 18446744073709551615ULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -923,10 +867,8 @@ update_384_512(Hacl_Streaming_MD_state_64 *state, uint8_t *chunk, uint32_t chunk } if (chunk_len <= 128U - sz) { - Hacl_Streaming_MD_state_64 s1 = *state; - uint64_t *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL) { @@ -939,22 +881,12 @@ update_384_512(Hacl_Streaming_MD_state_64 *state, uint8_t *chunk, uint32_t chunk uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_Streaming_MD_state_64){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2 - } - ); + state->total_len = total_len2; } else if (sz == 0U) { - Hacl_Streaming_MD_state_64 s1 = *state; - uint64_t *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL) { @@ -966,7 +898,7 @@ update_384_512(Hacl_Streaming_MD_state_64 *state, uint8_t *chunk, uint32_t chunk } if (!(sz1 == 0U)) { - Hacl_Hash_SHA2_sha512_update_nblocks(128U, buf, block_state1); + Hacl_Hash_SHA2_sha512_update_nblocks(128U, buf, block_state); } uint32_t ite; if ((uint64_t)chunk_len % (uint64_t)128U == 0ULL && (uint64_t)chunk_len > 0ULL) @@ -982,28 +914,18 @@ update_384_512(Hacl_Streaming_MD_state_64 *state, uint8_t *chunk, uint32_t chunk uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - Hacl_Hash_SHA2_sha512_update_nblocks(data1_len / 128U * 128U, data1, block_state1); + Hacl_Hash_SHA2_sha512_update_nblocks(data1_len / 128U * 128U, data1, block_state); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Streaming_MD_state_64){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; } else { uint32_t diff = 128U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_Streaming_MD_state_64 s1 = *state; - uint64_t *block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; uint32_t sz10; if (total_len10 % (uint64_t)128U == 0ULL && total_len10 > 0ULL) { @@ -1013,22 +935,12 @@ update_384_512(Hacl_Streaming_MD_state_64 *state, uint8_t *chunk, uint32_t chunk { sz10 = (uint32_t)(total_len10 % (uint64_t)128U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_Streaming_MD_state_64){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2 - } - ); - Hacl_Streaming_MD_state_64 s10 = *state; - uint64_t *block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; + state->total_len = total_len2; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)128U == 0ULL && total_len1 > 0ULL) { @@ -1040,7 +952,7 @@ update_384_512(Hacl_Streaming_MD_state_64 *state, uint8_t *chunk, uint32_t chunk } if (!(sz1 == 0U)) { - Hacl_Hash_SHA2_sha512_update_nblocks(128U, buf, block_state1); + Hacl_Hash_SHA2_sha512_update_nblocks(128U, buf0, block_state); } uint32_t ite; if @@ -1057,18 +969,10 @@ update_384_512(Hacl_Streaming_MD_state_64 *state, uint8_t *chunk, uint32_t chunk uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - Hacl_Hash_SHA2_sha512_update_nblocks(data1_len / 128U * 128U, data1, block_state1); - uint8_t *dst = buf; + Hacl_Hash_SHA2_sha512_update_nblocks(data1_len / 128U * 128U, data1, block_state); + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Streaming_MD_state_64){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff) - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); } return Hacl_Streaming_Types_Success; } @@ -1098,10 +1002,9 @@ the state and therefore does not invalidate the client-held state `p`.) */ void Hacl_Hash_SHA2_digest_512(Hacl_Streaming_MD_state_64 *state, uint8_t *output) { - Hacl_Streaming_MD_state_64 scrut = *state; - uint64_t *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + uint64_t *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)128U == 0ULL && total_len > 0ULL) { @@ -1114,6 +1017,7 @@ void Hacl_Hash_SHA2_digest_512(Hacl_Streaming_MD_state_64 *state, uint8_t *outpu uint8_t *buf_1 = buf_; uint64_t tmp_block_state[8U] = { 0U }; memcpy(tmp_block_state, block_state, 8U * sizeof (uint64_t)); + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 128U == 0U && r > 0U) { @@ -1124,7 +1028,6 @@ void Hacl_Hash_SHA2_digest_512(Hacl_Streaming_MD_state_64 *state, uint8_t *outpu ite = r % 128U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; Hacl_Hash_SHA2_sha512_update_nblocks(0U, buf_multi, tmp_block_state); uint64_t prev_len_last = total_len - (uint64_t)r; Hacl_Hash_SHA2_sha512_update_last(FStar_UInt128_add(FStar_UInt128_uint64_to_uint128(prev_len_last), @@ -1173,24 +1076,20 @@ Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_384(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); uint64_t *block_state = (uint64_t *)KRML_HOST_CALLOC(8U, sizeof (uint64_t)); + Hacl_Hash_SHA2_sha384_init(block_state); Hacl_Streaming_MD_state_64 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; Hacl_Streaming_MD_state_64 *p = (Hacl_Streaming_MD_state_64 *)KRML_HOST_MALLOC(sizeof (Hacl_Streaming_MD_state_64)); p[0U] = s; - Hacl_Hash_SHA2_sha384_init(block_state); return p; } void Hacl_Hash_SHA2_reset_384(Hacl_Streaming_MD_state_64 *state) { - Hacl_Streaming_MD_state_64 scrut = *state; - uint8_t *buf = scrut.buf; - uint64_t *block_state = scrut.block_state; + uint64_t *block_state = (*state).block_state; Hacl_Hash_SHA2_sha384_init(block_state); - Hacl_Streaming_MD_state_64 - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } Hacl_Streaming_Types_error_code @@ -1210,10 +1109,9 @@ the hash via `update_384`. */ void Hacl_Hash_SHA2_digest_384(Hacl_Streaming_MD_state_64 *state, uint8_t *output) { - Hacl_Streaming_MD_state_64 scrut = *state; - uint64_t *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; + uint64_t *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)128U == 0ULL && total_len > 0ULL) { @@ -1226,6 +1124,7 @@ void Hacl_Hash_SHA2_digest_384(Hacl_Streaming_MD_state_64 *state, uint8_t *outpu uint8_t *buf_1 = buf_; uint64_t tmp_block_state[8U] = { 0U }; memcpy(tmp_block_state, block_state, 8U * sizeof (uint64_t)); + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 128U == 0U && r > 0U) { @@ -1236,7 +1135,6 @@ void Hacl_Hash_SHA2_digest_384(Hacl_Streaming_MD_state_64 *state, uint8_t *outpu ite = r % 128U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; Hacl_Hash_SHA2_sha384_update_nblocks(0U, buf_multi, tmp_block_state); uint64_t prev_len_last = total_len - (uint64_t)r; Hacl_Hash_SHA2_sha384_update_last(FStar_UInt128_add(FStar_UInt128_uint64_to_uint128(prev_len_last), diff --git a/src/Hacl_Hash_SHA3.c b/src/Hacl_Hash_SHA3.c index 4f502866..7029365c 100644 --- a/src/Hacl_Hash_SHA3.c +++ b/src/Hacl_Hash_SHA3.c @@ -157,13 +157,6 @@ Hacl_Hash_SHA3_update_last_sha3( Hacl_Hash_SHA3_state_permute(s); } -typedef struct hash_buf2_s -{ - Hacl_Hash_SHA3_hash_buf fst; - Hacl_Hash_SHA3_hash_buf snd; -} -hash_buf2; - Spec_Hash_Definitions_hash_alg Hacl_Hash_SHA3_get_alg(Hacl_Hash_SHA3_state_t *s) { Hacl_Hash_SHA3_hash_buf block_state = (*s).block_state; @@ -176,13 +169,13 @@ Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_malloc(Spec_Hash_Definitions_hash_alg a) uint8_t *buf0 = (uint8_t *)KRML_HOST_CALLOC(block_len(a), sizeof (uint8_t)); uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); Hacl_Hash_SHA3_hash_buf block_state = { .fst = a, .snd = buf }; + uint64_t *s = block_state.snd; + memset(s, 0U, 25U * sizeof (uint64_t)); Hacl_Hash_SHA3_state_t - s = { .block_state = block_state, .buf = buf0, .total_len = (uint64_t)0U }; + s0 = { .block_state = block_state, .buf = buf0, .total_len = (uint64_t)0U }; Hacl_Hash_SHA3_state_t *p = (Hacl_Hash_SHA3_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_SHA3_state_t)); - p[0U] = s; - uint64_t *s1 = block_state.snd; - memset(s1, 0U, 25U * sizeof (uint64_t)); + p[0U] = s0; return p; } @@ -199,19 +192,17 @@ void Hacl_Hash_SHA3_free(Hacl_Hash_SHA3_state_t *state) Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_copy(Hacl_Hash_SHA3_state_t *state) { - Hacl_Hash_SHA3_state_t scrut0 = *state; - Hacl_Hash_SHA3_hash_buf block_state0 = scrut0.block_state; - uint8_t *buf0 = scrut0.buf; - uint64_t total_len0 = scrut0.total_len; + Hacl_Hash_SHA3_hash_buf block_state0 = (*state).block_state; + uint8_t *buf0 = (*state).buf; + uint64_t total_len0 = (*state).total_len; Spec_Hash_Definitions_hash_alg i = block_state0.fst; KRML_CHECK_SIZE(sizeof (uint8_t), block_len(i)); uint8_t *buf1 = (uint8_t *)KRML_HOST_CALLOC(block_len(i), sizeof (uint8_t)); memcpy(buf1, buf0, block_len(i) * sizeof (uint8_t)); uint64_t *buf = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); Hacl_Hash_SHA3_hash_buf block_state = { .fst = i, .snd = buf }; - hash_buf2 scrut = { .fst = block_state0, .snd = block_state }; - uint64_t *s_dst = scrut.snd.snd; - uint64_t *s_src = scrut.fst.snd; + uint64_t *s_src = block_state0.snd; + uint64_t *s_dst = block_state.snd; memcpy(s_dst, s_src, 25U * sizeof (uint64_t)); Hacl_Hash_SHA3_state_t s = { .block_state = block_state, .buf = buf1, .total_len = total_len0 }; @@ -223,24 +214,19 @@ Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_copy(Hacl_Hash_SHA3_state_t *state) void Hacl_Hash_SHA3_reset(Hacl_Hash_SHA3_state_t *state) { - Hacl_Hash_SHA3_state_t scrut = *state; - uint8_t *buf = scrut.buf; - Hacl_Hash_SHA3_hash_buf block_state = scrut.block_state; + Hacl_Hash_SHA3_hash_buf block_state = (*state).block_state; Spec_Hash_Definitions_hash_alg i = block_state.fst; KRML_MAYBE_UNUSED_VAR(i); uint64_t *s = block_state.snd; memset(s, 0U, 25U * sizeof (uint64_t)); - Hacl_Hash_SHA3_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; } Hacl_Streaming_Types_error_code Hacl_Hash_SHA3_update(Hacl_Hash_SHA3_state_t *state, uint8_t *chunk, uint32_t chunk_len) { - Hacl_Hash_SHA3_state_t s = *state; - Hacl_Hash_SHA3_hash_buf block_state = s.block_state; - uint64_t total_len = s.total_len; + Hacl_Hash_SHA3_hash_buf block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; Spec_Hash_Definitions_hash_alg i = block_state.fst; if ((uint64_t)chunk_len > 0xFFFFFFFFFFFFFFFFULL - total_len) { @@ -257,10 +243,8 @@ Hacl_Hash_SHA3_update(Hacl_Hash_SHA3_state_t *state, uint8_t *chunk, uint32_t ch } if (chunk_len <= block_len(i) - sz) { - Hacl_Hash_SHA3_state_t s1 = *state; - Hacl_Hash_SHA3_hash_buf block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)block_len(i) == 0ULL && total_len1 > 0ULL) { @@ -273,16 +257,12 @@ Hacl_Hash_SHA3_update(Hacl_Hash_SHA3_state_t *state, uint8_t *chunk, uint32_t ch uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ((Hacl_Hash_SHA3_state_t){ .block_state = block_state1, .buf = buf, .total_len = total_len2 }); + state->total_len = total_len2; } else if (sz == 0U) { - Hacl_Hash_SHA3_state_t s1 = *state; - Hacl_Hash_SHA3_hash_buf block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)block_len(i) == 0ULL && total_len1 > 0ULL) { @@ -294,9 +274,9 @@ Hacl_Hash_SHA3_update(Hacl_Hash_SHA3_state_t *state, uint8_t *chunk, uint32_t ch } if (!(sz1 == 0U)) { - Spec_Hash_Definitions_hash_alg a1 = block_state1.fst; - uint64_t *s2 = block_state1.snd; - Hacl_Hash_SHA3_update_multi_sha3(a1, s2, buf, block_len(i) / block_len(a1)); + Spec_Hash_Definitions_hash_alg a1 = block_state.fst; + uint64_t *s1 = block_state.snd; + Hacl_Hash_SHA3_update_multi_sha3(a1, s1, buf, block_len(i) / block_len(a1)); } uint32_t ite; if ((uint64_t)chunk_len % (uint64_t)block_len(i) == 0ULL && (uint64_t)chunk_len > 0ULL) @@ -312,30 +292,20 @@ Hacl_Hash_SHA3_update(Hacl_Hash_SHA3_state_t *state, uint8_t *chunk, uint32_t ch uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - Spec_Hash_Definitions_hash_alg a1 = block_state1.fst; - uint64_t *s2 = block_state1.snd; - Hacl_Hash_SHA3_update_multi_sha3(a1, s2, data1, data1_len / block_len(a1)); + Spec_Hash_Definitions_hash_alg a1 = block_state.fst; + uint64_t *s1 = block_state.snd; + Hacl_Hash_SHA3_update_multi_sha3(a1, s1, data1, data1_len / block_len(a1)); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Hash_SHA3_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; } else { uint32_t diff = block_len(i) - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_Hash_SHA3_state_t s1 = *state; - Hacl_Hash_SHA3_hash_buf block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; uint32_t sz10; if (total_len10 % (uint64_t)block_len(i) == 0ULL && total_len10 > 0ULL) { @@ -345,22 +315,12 @@ Hacl_Hash_SHA3_update(Hacl_Hash_SHA3_state_t *state, uint8_t *chunk, uint32_t ch { sz10 = (uint32_t)(total_len10 % (uint64_t)block_len(i)); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_Hash_SHA3_state_t){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2 - } - ); - Hacl_Hash_SHA3_state_t s10 = *state; - Hacl_Hash_SHA3_hash_buf block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; + state->total_len = total_len2; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; uint32_t sz1; if (total_len1 % (uint64_t)block_len(i) == 0ULL && total_len1 > 0ULL) { @@ -372,9 +332,9 @@ Hacl_Hash_SHA3_update(Hacl_Hash_SHA3_state_t *state, uint8_t *chunk, uint32_t ch } if (!(sz1 == 0U)) { - Spec_Hash_Definitions_hash_alg a1 = block_state1.fst; - uint64_t *s2 = block_state1.snd; - Hacl_Hash_SHA3_update_multi_sha3(a1, s2, buf, block_len(i) / block_len(a1)); + Spec_Hash_Definitions_hash_alg a1 = block_state.fst; + uint64_t *s1 = block_state.snd; + Hacl_Hash_SHA3_update_multi_sha3(a1, s1, buf0, block_len(i) / block_len(a1)); } uint32_t ite; if @@ -396,20 +356,12 @@ Hacl_Hash_SHA3_update(Hacl_Hash_SHA3_state_t *state, uint8_t *chunk, uint32_t ch uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - Spec_Hash_Definitions_hash_alg a1 = block_state1.fst; - uint64_t *s2 = block_state1.snd; - Hacl_Hash_SHA3_update_multi_sha3(a1, s2, data1, data1_len / block_len(a1)); - uint8_t *dst = buf; + Spec_Hash_Definitions_hash_alg a1 = block_state.fst; + uint64_t *s1 = block_state.snd; + Hacl_Hash_SHA3_update_multi_sha3(a1, s1, data1, data1_len / block_len(a1)); + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_Hash_SHA3_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff) - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); } return Hacl_Streaming_Types_Success; } @@ -422,10 +374,9 @@ digest_( uint32_t l ) { - Hacl_Hash_SHA3_state_t scrut0 = *state; - Hacl_Hash_SHA3_hash_buf block_state = scrut0.block_state; - uint8_t *buf_ = scrut0.buf; - uint64_t total_len = scrut0.total_len; + Hacl_Hash_SHA3_hash_buf block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; uint32_t r; if (total_len % (uint64_t)block_len(a) == 0ULL && total_len > 0ULL) { @@ -438,10 +389,10 @@ digest_( uint8_t *buf_1 = buf_; uint64_t buf[25U] = { 0U }; Hacl_Hash_SHA3_hash_buf tmp_block_state = { .fst = a, .snd = buf }; - hash_buf2 scrut = { .fst = block_state, .snd = tmp_block_state }; - uint64_t *s_dst = scrut.snd.snd; - uint64_t *s_src = scrut.fst.snd; + uint64_t *s_src = block_state.snd; + uint64_t *s_dst = tmp_block_state.snd; memcpy(s_dst, s_src, 25U * sizeof (uint64_t)); + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % block_len(a) == 0U && r > 0U) { @@ -452,7 +403,6 @@ digest_( ite = r % block_len(a); } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; Spec_Hash_Definitions_hash_alg a1 = tmp_block_state.fst; uint64_t *s0 = tmp_block_state.snd; Hacl_Hash_SHA3_update_multi_sha3(a1, s0, buf_multi, 0U / block_len(a1)); @@ -704,8 +654,8 @@ Hacl_Hash_SHA3_squeeze0( { uint32_t outBlocks = outputByteLen / rateInBytes; uint32_t remOut = outputByteLen % rateInBytes; - uint8_t *last = output + outputByteLen - remOut; uint8_t *blocks = output; + uint8_t *last = output + outputByteLen - remOut; for (uint32_t i = 0U; i < outBlocks; i++) { storeState(rateInBytes, s, blocks + i * rateInBytes); diff --git a/src/Hacl_K256_ECDSA.c b/src/Hacl_K256_ECDSA.c index bbd2c615..8b9fa572 100644 --- a/src/Hacl_K256_ECDSA.c +++ b/src/Hacl_K256_ECDSA.c @@ -167,8 +167,8 @@ static void add_mod4(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) 0U, 4U, 1U, - uint64_t *os = res; uint64_t x = (c2 & res[i]) | (~c2 & tmp[i]); + uint64_t *os = res; os[i] = x;); } @@ -221,8 +221,8 @@ static void sub_mod4(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res) 0U, 4U, 1U, - uint64_t *os = res; uint64_t x = (c2 & tmp[i]) | (~c2 & res[i]); + uint64_t *os = res; os[i] = x;); } @@ -261,8 +261,8 @@ static void sqr4(uint64_t *a, uint64_t *res) 0U, 4U, 1U, - uint64_t *ab = a; uint64_t a_j = a[i0]; + uint64_t *ab = a; uint64_t *res_j = res + i0; uint64_t c = 0ULL; for (uint32_t i = 0U; i < i0 / 4U; i++) @@ -288,7 +288,12 @@ static void sqr4(uint64_t *a, uint64_t *res) } uint64_t r = c; res[i0 + i0] = r;); - uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, res, res, res); + uint64_t a_copy0[8U] = { 0U }; + uint64_t b_copy0[8U] = { 0U }; + memcpy(a_copy0, res, 8U * sizeof (uint64_t)); + memcpy(b_copy0, res, 8U * sizeof (uint64_t)); + uint64_t r = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, a_copy0, b_copy0, res); + uint64_t c0 = r; KRML_MAYBE_UNUSED_VAR(c0); uint64_t tmp[8U] = { 0U }; KRML_MAYBE_FOR4(i, @@ -300,7 +305,12 @@ static void sqr4(uint64_t *a, uint64_t *res) uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); tmp[2U * i] = lo; tmp[2U * i + 1U] = hi;); - uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, res, tmp, res); + uint64_t a_copy[8U] = { 0U }; + uint64_t b_copy[8U] = { 0U }; + memcpy(a_copy, res, 8U * sizeof (uint64_t)); + memcpy(b_copy, tmp, 8U * sizeof (uint64_t)); + uint64_t r0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, a_copy, b_copy, res); + uint64_t c1 = r0; KRML_MAYBE_UNUSED_VAR(c1); } @@ -339,9 +349,9 @@ static inline uint64_t load_qelem_check(uint64_t *f, uint8_t *b) 0U, 4U, 1U, - uint64_t *os = f; uint64_t u = load64_be(b + (4U - i - 1U) * 8U); uint64_t x = u; + uint64_t *os = f; os[i] = x;); uint64_t is_zero = is_qelem_zero(f); uint64_t acc = 0ULL; @@ -362,9 +372,9 @@ static inline bool load_qelem_vartime(uint64_t *f, uint8_t *b) 0U, 4U, 1U, - uint64_t *os = f; uint64_t u = load64_be(b + (4U - i - 1U) * 8U); uint64_t x = u; + uint64_t *os = f; os[i] = x;); bool is_zero = is_qelem_zero_vartime(f); uint64_t a0 = f[0U]; @@ -412,8 +422,8 @@ static inline void modq_short(uint64_t *out, uint64_t *a) 0U, 4U, 1U, - uint64_t *os = out; uint64_t x = (mask & out[i]) | (~mask & a[i]); + uint64_t *os = out; os[i] = x;); } @@ -424,9 +434,9 @@ static inline void load_qelem_modq(uint64_t *f, uint8_t *b) 0U, 4U, 1U, - uint64_t *os = f; uint64_t u = load64_be(b + (4U - i - 1U) * 8U); uint64_t x = u; + uint64_t *os = f; os[i] = x;); memcpy(tmp, f, 4U * sizeof (uint64_t)); modq_short(f, tmp); @@ -520,8 +530,8 @@ static inline void modq(uint64_t *out, uint64_t *a) 0U, 4U, 1U, - uint64_t *os = out; uint64_t x = (mask & out[i]) | (~mask & r[i]); + uint64_t *os = out; os[i] = x;); } @@ -611,8 +621,8 @@ static inline void qmul_shift_384(uint64_t *res, uint64_t *a, uint64_t *b) 0U, 4U, 1U, - uint64_t *os = res; uint64_t x = (mask & res[i]) | (~mask & res_b_padded[i]); + uint64_t *os = res; os[i] = x;); } @@ -1127,6 +1137,7 @@ void Hacl_Impl_K256_PointMul_point_mul(uint64_t *out, uint64_t *scalar, uint64_t uint64_t *t1 = table + 15U; Hacl_Impl_K256_Point_make_point_at_inf(t0); memcpy(t1, q, 15U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, @@ -1155,8 +1166,8 @@ void Hacl_Impl_K256_PointMul_point_mul(uint64_t *out, uint64_t *scalar, uint64_t 0U, 15U, 1U, - uint64_t *os = tmp0; uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint64_t *os = tmp0; os[i] = x;);); Hacl_Impl_K256_PointAdd_point_add(out, out, tmp0); } @@ -1175,8 +1186,8 @@ static inline void precomp_get_consttime(const uint64_t *table, uint64_t bits_l, 0U, 15U, 1U, - uint64_t *os = tmp; uint64_t x = (c & res_j[i]) | (~c & tmp[i]); + uint64_t *os = tmp; os[i] = x;);); } @@ -1279,6 +1290,7 @@ point_mul_g_double_vartime(uint64_t *out, uint64_t *scalar1, uint64_t *scalar2, uint64_t *t1 = table2 + 15U; Hacl_Impl_K256_Point_make_point_at_inf(t0); memcpy(t1, q2, 15U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table2); KRML_MAYBE_FOR15(i, 0U, 15U, @@ -1342,6 +1354,7 @@ point_mul_g_double_split_lambda_table( uint64_t *t1 = table2 + 15U; Hacl_Impl_K256_Point_make_point_at_inf(t0); memcpy(t1, p2, 15U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table2); KRML_MAYBE_FOR15(i, 0U, 15U, @@ -1577,9 +1590,9 @@ Hacl_K256_ECDSA_ecdsa_sign_hashed_msg( 0U, 4U, 1U, - uint64_t *os = d_a; uint64_t uu____0 = oneq10[i]; uint64_t x = uu____0 ^ (is_b_valid0 & (d_a[i] ^ uu____0)); + uint64_t *os = d_a; os[i] = x;); uint64_t is_sk_valid = is_b_valid0; uint64_t is_b_valid = load_qelem_check(k_q, nonce); @@ -1588,9 +1601,9 @@ Hacl_K256_ECDSA_ecdsa_sign_hashed_msg( 0U, 4U, 1U, - uint64_t *os = k_q; uint64_t uu____1 = oneq1[i]; uint64_t x = uu____1 ^ (is_b_valid & (k_q[i] ^ uu____1)); + uint64_t *os = k_q; os[i] = x;); uint64_t is_nonce_valid = is_b_valid; uint64_t are_sk_nonce_valid = is_sk_valid & is_nonce_valid; @@ -2063,9 +2076,9 @@ bool Hacl_K256_ECDSA_secret_to_public(uint8_t *public_key, uint8_t *private_key) 0U, 4U, 1U, - uint64_t *os = sk; uint64_t uu____0 = oneq[i]; uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); + uint64_t *os = sk; os[i] = x;); uint64_t is_sk_valid = is_b_valid; point_mul_g(pk, sk); @@ -2098,9 +2111,9 @@ bool Hacl_K256_ECDSA_ecdh(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t 0U, 4U, 1U, - uint64_t *os = sk; uint64_t uu____0 = oneq[i]; uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); + uint64_t *os = sk; os[i] = x;); uint64_t is_sk_valid = is_b_valid; if (is_pk_valid) diff --git a/src/Hacl_MAC_Poly1305.c b/src/Hacl_MAC_Poly1305.c index 28cbca5a..fed403b3 100644 --- a/src/Hacl_MAC_Poly1305.c +++ b/src/Hacl_MAC_Poly1305.c @@ -445,6 +445,7 @@ Hacl_MAC_Poly1305_state_t *Hacl_MAC_Poly1305_malloc(uint8_t *key) uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); uint64_t *r1 = (uint64_t *)KRML_HOST_CALLOC(25U, sizeof (uint64_t)); uint64_t *block_state = r1; + Hacl_MAC_Poly1305_poly1305_init(block_state, key); uint8_t *k_ = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); memcpy(k_, key, 32U * sizeof (uint8_t)); uint8_t *k_0 = k_; @@ -453,22 +454,18 @@ Hacl_MAC_Poly1305_state_t *Hacl_MAC_Poly1305_malloc(uint8_t *key) Hacl_MAC_Poly1305_state_t *p = (Hacl_MAC_Poly1305_state_t *)KRML_HOST_MALLOC(sizeof (Hacl_MAC_Poly1305_state_t)); p[0U] = s; - Hacl_MAC_Poly1305_poly1305_init(block_state, key); return p; } void Hacl_MAC_Poly1305_reset(Hacl_MAC_Poly1305_state_t *state, uint8_t *key) { - Hacl_MAC_Poly1305_state_t scrut = *state; - uint8_t *k_ = scrut.p_key; - uint8_t *buf = scrut.buf; - uint64_t *block_state = scrut.block_state; + uint64_t *block_state = (*state).block_state; + uint8_t *k_ = (*state).p_key; Hacl_MAC_Poly1305_poly1305_init(block_state, key); memcpy(k_, key, 32U * sizeof (uint8_t)); uint8_t *k_1 = k_; - Hacl_MAC_Poly1305_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U, .p_key = k_1 }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; + state->p_key = k_1; } /** @@ -477,8 +474,8 @@ void Hacl_MAC_Poly1305_reset(Hacl_MAC_Poly1305_state_t *state, uint8_t *key) Hacl_Streaming_Types_error_code Hacl_MAC_Poly1305_update(Hacl_MAC_Poly1305_state_t *state, uint8_t *chunk, uint32_t chunk_len) { - Hacl_MAC_Poly1305_state_t s = *state; - uint64_t total_len = s.total_len; + uint64_t *block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 0xffffffffULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -494,11 +491,9 @@ Hacl_MAC_Poly1305_update(Hacl_MAC_Poly1305_state_t *state, uint8_t *chunk, uint3 } if (chunk_len <= 16U - sz) { - Hacl_MAC_Poly1305_state_t s1 = *state; - uint64_t *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; - uint8_t *k_1 = s1.p_key; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; + uint8_t *k_1 = (*state).p_key; uint32_t sz1; if (total_len1 % (uint64_t)16U == 0ULL && total_len1 > 0ULL) { @@ -511,24 +506,14 @@ Hacl_MAC_Poly1305_update(Hacl_MAC_Poly1305_state_t *state, uint8_t *chunk, uint3 uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_MAC_Poly1305_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2, - .p_key = k_1 - } - ); + state->total_len = total_len2; + state->p_key = k_1; } else if (sz == 0U) { - Hacl_MAC_Poly1305_state_t s1 = *state; - uint64_t *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; - uint8_t *k_1 = s1.p_key; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; + uint8_t *k_1 = (*state).p_key; uint32_t sz1; if (total_len1 % (uint64_t)16U == 0ULL && total_len1 > 0ULL) { @@ -540,7 +525,7 @@ Hacl_MAC_Poly1305_update(Hacl_MAC_Poly1305_state_t *state, uint8_t *chunk, uint3 } if (!(sz1 == 0U)) { - poly1305_update(block_state1, 16U, buf); + poly1305_update(block_state, 16U, buf); } uint32_t ite; if ((uint64_t)chunk_len % (uint64_t)16U == 0ULL && (uint64_t)chunk_len > 0ULL) @@ -556,30 +541,20 @@ Hacl_MAC_Poly1305_update(Hacl_MAC_Poly1305_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - poly1305_update(block_state1, data1_len, data1); + poly1305_update(block_state, data1_len, data1); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_MAC_Poly1305_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len, - .p_key = k_1 - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; + state->p_key = k_1; } else { uint32_t diff = 16U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_MAC_Poly1305_state_t s1 = *state; - uint64_t *block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; - uint8_t *k_1 = s1.p_key; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; + uint8_t *k_1 = (*state).p_key; uint32_t sz10; if (total_len10 % (uint64_t)16U == 0ULL && total_len10 > 0ULL) { @@ -589,24 +564,14 @@ Hacl_MAC_Poly1305_update(Hacl_MAC_Poly1305_state_t *state, uint8_t *chunk, uint3 { sz10 = (uint32_t)(total_len10 % (uint64_t)16U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_MAC_Poly1305_state_t){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2, - .p_key = k_1 - } - ); - Hacl_MAC_Poly1305_state_t s10 = *state; - uint64_t *block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; - uint8_t *k_10 = s10.p_key; + state->total_len = total_len2; + state->p_key = k_1; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; + uint8_t *k_10 = (*state).p_key; uint32_t sz1; if (total_len1 % (uint64_t)16U == 0ULL && total_len1 > 0ULL) { @@ -618,7 +583,7 @@ Hacl_MAC_Poly1305_update(Hacl_MAC_Poly1305_state_t *state, uint8_t *chunk, uint3 } if (!(sz1 == 0U)) { - poly1305_update(block_state1, 16U, buf); + poly1305_update(block_state, 16U, buf0); } uint32_t ite; if @@ -635,30 +600,21 @@ Hacl_MAC_Poly1305_update(Hacl_MAC_Poly1305_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - poly1305_update(block_state1, data1_len, data1); - uint8_t *dst = buf; + poly1305_update(block_state, data1_len, data1); + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_MAC_Poly1305_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff), - .p_key = k_10 - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); + state->p_key = k_10; } return Hacl_Streaming_Types_Success; } void Hacl_MAC_Poly1305_digest(Hacl_MAC_Poly1305_state_t *state, uint8_t *output) { - Hacl_MAC_Poly1305_state_t scrut = *state; - uint64_t *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; - uint8_t *k_ = scrut.p_key; + uint64_t *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; + uint8_t *k_ = (*state).p_key; uint32_t r; if (total_len % (uint64_t)16U == 0ULL && total_len > 0ULL) { @@ -672,6 +628,7 @@ void Hacl_MAC_Poly1305_digest(Hacl_MAC_Poly1305_state_t *state, uint8_t *output) uint64_t r1[25U] = { 0U }; uint64_t *tmp_block_state = r1; memcpy(tmp_block_state, block_state, 25U * sizeof (uint64_t)); + uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 16U == 0U && r > 0U) { @@ -682,7 +639,6 @@ void Hacl_MAC_Poly1305_digest(Hacl_MAC_Poly1305_state_t *state, uint8_t *output) ite = r % 16U; } uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; poly1305_update(tmp_block_state, 0U, buf_multi); poly1305_update(tmp_block_state, r, buf_last); uint64_t tmp[25U] = { 0U }; diff --git a/src/Hacl_MAC_Poly1305_Simd128.c b/src/Hacl_MAC_Poly1305_Simd128.c index 17e26978..8eae2273 100644 --- a/src/Hacl_MAC_Poly1305_Simd128.c +++ b/src/Hacl_MAC_Poly1305_Simd128.c @@ -1310,6 +1310,7 @@ Hacl_MAC_Poly1305_Simd128_state_t *Hacl_MAC_Poly1305_Simd128_malloc(uint8_t *key sizeof (Lib_IntVector_Intrinsics_vec128) * 25U); memset(r1, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec128)); Lib_IntVector_Intrinsics_vec128 *block_state = r1; + Hacl_MAC_Poly1305_Simd128_poly1305_init(block_state, key); uint8_t *k_ = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); memcpy(k_, key, 32U * sizeof (uint8_t)); uint8_t *k_0 = k_; @@ -1321,22 +1322,18 @@ Hacl_MAC_Poly1305_Simd128_state_t *Hacl_MAC_Poly1305_Simd128_malloc(uint8_t *key Hacl_MAC_Poly1305_Simd128_state_t )); p[0U] = s; - Hacl_MAC_Poly1305_Simd128_poly1305_init(block_state, key); return p; } void Hacl_MAC_Poly1305_Simd128_reset(Hacl_MAC_Poly1305_Simd128_state_t *state, uint8_t *key) { - Hacl_MAC_Poly1305_Simd128_state_t scrut = *state; - uint8_t *k_ = scrut.p_key; - uint8_t *buf = scrut.buf; - Lib_IntVector_Intrinsics_vec128 *block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec128 *block_state = (*state).block_state; + uint8_t *k_ = (*state).p_key; Hacl_MAC_Poly1305_Simd128_poly1305_init(block_state, key); memcpy(k_, key, 32U * sizeof (uint8_t)); uint8_t *k_1 = k_; - Hacl_MAC_Poly1305_Simd128_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U, .p_key = k_1 }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; + state->p_key = k_1; } /** @@ -1349,8 +1346,8 @@ Hacl_MAC_Poly1305_Simd128_update( uint32_t chunk_len ) { - Hacl_MAC_Poly1305_Simd128_state_t s = *state; - uint64_t total_len = s.total_len; + Lib_IntVector_Intrinsics_vec128 *block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 0xffffffffULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -1366,11 +1363,9 @@ Hacl_MAC_Poly1305_Simd128_update( } if (chunk_len <= 32U - sz) { - Hacl_MAC_Poly1305_Simd128_state_t s1 = *state; - Lib_IntVector_Intrinsics_vec128 *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; - uint8_t *k_1 = s1.p_key; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; + uint8_t *k_1 = (*state).p_key; uint32_t sz1; if (total_len1 % (uint64_t)32U == 0ULL && total_len1 > 0ULL) { @@ -1383,24 +1378,14 @@ Hacl_MAC_Poly1305_Simd128_update( uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_MAC_Poly1305_Simd128_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2, - .p_key = k_1 - } - ); + state->total_len = total_len2; + state->p_key = k_1; } else if (sz == 0U) { - Hacl_MAC_Poly1305_Simd128_state_t s1 = *state; - Lib_IntVector_Intrinsics_vec128 *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; - uint8_t *k_1 = s1.p_key; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; + uint8_t *k_1 = (*state).p_key; uint32_t sz1; if (total_len1 % (uint64_t)32U == 0ULL && total_len1 > 0ULL) { @@ -1412,7 +1397,7 @@ Hacl_MAC_Poly1305_Simd128_update( } if (!(sz1 == 0U)) { - poly1305_update(block_state1, 32U, buf); + poly1305_update(block_state, 32U, buf); } uint32_t ite; if ((uint64_t)chunk_len % (uint64_t)32U == 0ULL && (uint64_t)chunk_len > 0ULL) @@ -1428,30 +1413,20 @@ Hacl_MAC_Poly1305_Simd128_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - poly1305_update(block_state1, data1_len, data1); + poly1305_update(block_state, data1_len, data1); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_MAC_Poly1305_Simd128_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len, - .p_key = k_1 - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; + state->p_key = k_1; } else { uint32_t diff = 32U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_MAC_Poly1305_Simd128_state_t s1 = *state; - Lib_IntVector_Intrinsics_vec128 *block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; - uint8_t *k_1 = s1.p_key; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; + uint8_t *k_1 = (*state).p_key; uint32_t sz10; if (total_len10 % (uint64_t)32U == 0ULL && total_len10 > 0ULL) { @@ -1461,24 +1436,14 @@ Hacl_MAC_Poly1305_Simd128_update( { sz10 = (uint32_t)(total_len10 % (uint64_t)32U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_MAC_Poly1305_Simd128_state_t){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2, - .p_key = k_1 - } - ); - Hacl_MAC_Poly1305_Simd128_state_t s10 = *state; - Lib_IntVector_Intrinsics_vec128 *block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; - uint8_t *k_10 = s10.p_key; + state->total_len = total_len2; + state->p_key = k_1; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; + uint8_t *k_10 = (*state).p_key; uint32_t sz1; if (total_len1 % (uint64_t)32U == 0ULL && total_len1 > 0ULL) { @@ -1490,7 +1455,7 @@ Hacl_MAC_Poly1305_Simd128_update( } if (!(sz1 == 0U)) { - poly1305_update(block_state1, 32U, buf); + poly1305_update(block_state, 32U, buf0); } uint32_t ite; if @@ -1507,19 +1472,11 @@ Hacl_MAC_Poly1305_Simd128_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - poly1305_update(block_state1, data1_len, data1); - uint8_t *dst = buf; + poly1305_update(block_state, data1_len, data1); + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_MAC_Poly1305_Simd128_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff), - .p_key = k_10 - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); + state->p_key = k_10; } return Hacl_Streaming_Types_Success; } @@ -1527,11 +1484,10 @@ Hacl_MAC_Poly1305_Simd128_update( void Hacl_MAC_Poly1305_Simd128_digest(Hacl_MAC_Poly1305_Simd128_state_t *state, uint8_t *output) { - Hacl_MAC_Poly1305_Simd128_state_t scrut = *state; - Lib_IntVector_Intrinsics_vec128 *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; - uint8_t *k_ = scrut.p_key; + Lib_IntVector_Intrinsics_vec128 *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; + uint8_t *k_ = (*state).p_key; uint32_t r; if (total_len % (uint64_t)32U == 0ULL && total_len > 0ULL) { @@ -1545,6 +1501,7 @@ Hacl_MAC_Poly1305_Simd128_digest(Hacl_MAC_Poly1305_Simd128_state_t *state, uint8 KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 r1[25U] KRML_POST_ALIGN(16) = { 0U }; Lib_IntVector_Intrinsics_vec128 *tmp_block_state = r1; memcpy(tmp_block_state, block_state, 25U * sizeof (Lib_IntVector_Intrinsics_vec128)); + uint8_t *buf_multi = buf_1; uint32_t ite0; if (r % 16U == 0U && r > 0U) { @@ -1555,7 +1512,6 @@ Hacl_MAC_Poly1305_Simd128_digest(Hacl_MAC_Poly1305_Simd128_state_t *state, uint8 ite0 = r % 16U; } uint8_t *buf_last = buf_1 + r - ite0; - uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 16U == 0U && r > 0U) { diff --git a/src/Hacl_MAC_Poly1305_Simd256.c b/src/Hacl_MAC_Poly1305_Simd256.c index f25e8fff..c5e7784b 100644 --- a/src/Hacl_MAC_Poly1305_Simd256.c +++ b/src/Hacl_MAC_Poly1305_Simd256.c @@ -1761,6 +1761,7 @@ Hacl_MAC_Poly1305_Simd256_state_t *Hacl_MAC_Poly1305_Simd256_malloc(uint8_t *key sizeof (Lib_IntVector_Intrinsics_vec256) * 25U); memset(r1, 0U, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); Lib_IntVector_Intrinsics_vec256 *block_state = r1; + Hacl_MAC_Poly1305_Simd256_poly1305_init(block_state, key); uint8_t *k_ = (uint8_t *)KRML_HOST_CALLOC(32U, sizeof (uint8_t)); memcpy(k_, key, 32U * sizeof (uint8_t)); uint8_t *k_0 = k_; @@ -1772,22 +1773,18 @@ Hacl_MAC_Poly1305_Simd256_state_t *Hacl_MAC_Poly1305_Simd256_malloc(uint8_t *key Hacl_MAC_Poly1305_Simd256_state_t )); p[0U] = s; - Hacl_MAC_Poly1305_Simd256_poly1305_init(block_state, key); return p; } void Hacl_MAC_Poly1305_Simd256_reset(Hacl_MAC_Poly1305_Simd256_state_t *state, uint8_t *key) { - Hacl_MAC_Poly1305_Simd256_state_t scrut = *state; - uint8_t *k_ = scrut.p_key; - uint8_t *buf = scrut.buf; - Lib_IntVector_Intrinsics_vec256 *block_state = scrut.block_state; + Lib_IntVector_Intrinsics_vec256 *block_state = (*state).block_state; + uint8_t *k_ = (*state).p_key; Hacl_MAC_Poly1305_Simd256_poly1305_init(block_state, key); memcpy(k_, key, 32U * sizeof (uint8_t)); uint8_t *k_1 = k_; - Hacl_MAC_Poly1305_Simd256_state_t - tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U, .p_key = k_1 }; - state[0U] = tmp; + state->total_len = (uint64_t)0U; + state->p_key = k_1; } /** @@ -1800,8 +1797,8 @@ Hacl_MAC_Poly1305_Simd256_update( uint32_t chunk_len ) { - Hacl_MAC_Poly1305_Simd256_state_t s = *state; - uint64_t total_len = s.total_len; + Lib_IntVector_Intrinsics_vec256 *block_state = (*state).block_state; + uint64_t total_len = (*state).total_len; if ((uint64_t)chunk_len > 0xffffffffULL - total_len) { return Hacl_Streaming_Types_MaximumLengthExceeded; @@ -1817,11 +1814,9 @@ Hacl_MAC_Poly1305_Simd256_update( } if (chunk_len <= 64U - sz) { - Hacl_MAC_Poly1305_Simd256_state_t s1 = *state; - Lib_IntVector_Intrinsics_vec256 *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; - uint8_t *k_1 = s1.p_key; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; + uint8_t *k_1 = (*state).p_key; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -1834,24 +1829,14 @@ Hacl_MAC_Poly1305_Simd256_update( uint8_t *buf2 = buf + sz1; memcpy(buf2, chunk, chunk_len * sizeof (uint8_t)); uint64_t total_len2 = total_len1 + (uint64_t)chunk_len; - *state - = - ( - (Hacl_MAC_Poly1305_Simd256_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len2, - .p_key = k_1 - } - ); + state->total_len = total_len2; + state->p_key = k_1; } else if (sz == 0U) { - Hacl_MAC_Poly1305_Simd256_state_t s1 = *state; - Lib_IntVector_Intrinsics_vec256 *block_state1 = s1.block_state; - uint8_t *buf = s1.buf; - uint64_t total_len1 = s1.total_len; - uint8_t *k_1 = s1.p_key; + uint8_t *buf = (*state).buf; + uint64_t total_len1 = (*state).total_len; + uint8_t *k_1 = (*state).p_key; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -1863,7 +1848,7 @@ Hacl_MAC_Poly1305_Simd256_update( } if (!(sz1 == 0U)) { - poly1305_update(block_state1, 64U, buf); + poly1305_update(block_state, 64U, buf); } uint32_t ite; if ((uint64_t)chunk_len % (uint64_t)64U == 0ULL && (uint64_t)chunk_len > 0ULL) @@ -1879,30 +1864,20 @@ Hacl_MAC_Poly1305_Simd256_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - poly1305_update(block_state1, data1_len, data1); + poly1305_update(block_state, data1_len, data1); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_MAC_Poly1305_Simd256_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)chunk_len, - .p_key = k_1 - } - ); + state->total_len = total_len1 + (uint64_t)chunk_len; + state->p_key = k_1; } else { uint32_t diff = 64U - sz; uint8_t *chunk1 = chunk; uint8_t *chunk2 = chunk + diff; - Hacl_MAC_Poly1305_Simd256_state_t s1 = *state; - Lib_IntVector_Intrinsics_vec256 *block_state10 = s1.block_state; - uint8_t *buf0 = s1.buf; - uint64_t total_len10 = s1.total_len; - uint8_t *k_1 = s1.p_key; + uint8_t *buf = (*state).buf; + uint64_t total_len10 = (*state).total_len; + uint8_t *k_1 = (*state).p_key; uint32_t sz10; if (total_len10 % (uint64_t)64U == 0ULL && total_len10 > 0ULL) { @@ -1912,24 +1887,14 @@ Hacl_MAC_Poly1305_Simd256_update( { sz10 = (uint32_t)(total_len10 % (uint64_t)64U); } - uint8_t *buf2 = buf0 + sz10; + uint8_t *buf2 = buf + sz10; memcpy(buf2, chunk1, diff * sizeof (uint8_t)); uint64_t total_len2 = total_len10 + (uint64_t)diff; - *state - = - ( - (Hacl_MAC_Poly1305_Simd256_state_t){ - .block_state = block_state10, - .buf = buf0, - .total_len = total_len2, - .p_key = k_1 - } - ); - Hacl_MAC_Poly1305_Simd256_state_t s10 = *state; - Lib_IntVector_Intrinsics_vec256 *block_state1 = s10.block_state; - uint8_t *buf = s10.buf; - uint64_t total_len1 = s10.total_len; - uint8_t *k_10 = s10.p_key; + state->total_len = total_len2; + state->p_key = k_1; + uint8_t *buf0 = (*state).buf; + uint64_t total_len1 = (*state).total_len; + uint8_t *k_10 = (*state).p_key; uint32_t sz1; if (total_len1 % (uint64_t)64U == 0ULL && total_len1 > 0ULL) { @@ -1941,7 +1906,7 @@ Hacl_MAC_Poly1305_Simd256_update( } if (!(sz1 == 0U)) { - poly1305_update(block_state1, 64U, buf); + poly1305_update(block_state, 64U, buf0); } uint32_t ite; if @@ -1958,19 +1923,11 @@ Hacl_MAC_Poly1305_Simd256_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - poly1305_update(block_state1, data1_len, data1); - uint8_t *dst = buf; + poly1305_update(block_state, data1_len, data1); + uint8_t *dst = buf0; memcpy(dst, data2, data2_len * sizeof (uint8_t)); - *state - = - ( - (Hacl_MAC_Poly1305_Simd256_state_t){ - .block_state = block_state1, - .buf = buf, - .total_len = total_len1 + (uint64_t)(chunk_len - diff), - .p_key = k_10 - } - ); + state->total_len = total_len1 + (uint64_t)(chunk_len - diff); + state->p_key = k_10; } return Hacl_Streaming_Types_Success; } @@ -1978,11 +1935,10 @@ Hacl_MAC_Poly1305_Simd256_update( void Hacl_MAC_Poly1305_Simd256_digest(Hacl_MAC_Poly1305_Simd256_state_t *state, uint8_t *output) { - Hacl_MAC_Poly1305_Simd256_state_t scrut = *state; - Lib_IntVector_Intrinsics_vec256 *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; - uint8_t *k_ = scrut.p_key; + Lib_IntVector_Intrinsics_vec256 *block_state = (*state).block_state; + uint8_t *buf_ = (*state).buf; + uint64_t total_len = (*state).total_len; + uint8_t *k_ = (*state).p_key; uint32_t r; if (total_len % (uint64_t)64U == 0ULL && total_len > 0ULL) { @@ -1996,6 +1952,7 @@ Hacl_MAC_Poly1305_Simd256_digest(Hacl_MAC_Poly1305_Simd256_state_t *state, uint8 KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 r1[25U] KRML_POST_ALIGN(32) = { 0U }; Lib_IntVector_Intrinsics_vec256 *tmp_block_state = r1; memcpy(tmp_block_state, block_state, 25U * sizeof (Lib_IntVector_Intrinsics_vec256)); + uint8_t *buf_multi = buf_1; uint32_t ite0; if (r % 16U == 0U && r > 0U) { @@ -2006,7 +1963,6 @@ Hacl_MAC_Poly1305_Simd256_digest(Hacl_MAC_Poly1305_Simd256_state_t *state, uint8 ite0 = r % 16U; } uint8_t *buf_last = buf_1 + r - ite0; - uint8_t *buf_multi = buf_1; uint32_t ite; if (r % 16U == 0U && r > 0U) { diff --git a/src/Hacl_NaCl.c b/src/Hacl_NaCl.c index a1bbd25c..54cf0171 100644 --- a/src/Hacl_NaCl.c +++ b/src/Hacl_NaCl.c @@ -62,8 +62,8 @@ secretbox_detached(uint32_t mlen, uint8_t *c, uint8_t *tag, uint8_t *k, uint8_t memcpy(block0, m0, mlen0 * sizeof (uint8_t)); for (uint32_t i = 0U; i < 32U; i++) { - uint8_t *os = block0; uint8_t x = (uint32_t)block0[i] ^ (uint32_t)ekey0[i]; + uint8_t *os = block0; os[i] = x; } uint8_t *c0 = c; @@ -117,8 +117,8 @@ secretbox_open_detached( memcpy(block0, c0, mlen0 * sizeof (uint8_t)); for (uint32_t i = 0U; i < 32U; i++) { - uint8_t *os = block0; uint8_t x = (uint32_t)block0[i] ^ (uint32_t)ekey0[i]; + uint8_t *os = block0; os[i] = x; } uint8_t *m0 = m; diff --git a/src/Hacl_P256.c b/src/Hacl_P256.c index 609fed81..973c906d 100644 --- a/src/Hacl_P256.c +++ b/src/Hacl_P256.c @@ -77,9 +77,9 @@ static inline void bn_cmovznz4(uint64_t *res, uint64_t cin, uint64_t *x, uint64_ 0U, 4U, 1U, - uint64_t *os = res; uint64_t uu____0 = x[i]; uint64_t x1 = uu____0 ^ (mask & (y[i] ^ uu____0)); + uint64_t *os = res; os[i] = x1;); } @@ -131,8 +131,8 @@ static inline void bn_add_mod4(uint64_t *res, uint64_t *n, uint64_t *x, uint64_t 0U, 4U, 1U, - uint64_t *os = res; uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); + uint64_t *os = res; os[i] = x1;); } @@ -210,8 +210,8 @@ static inline void bn_sub_mod4(uint64_t *res, uint64_t *n, uint64_t *x, uint64_t 0U, 4U, 1U, - uint64_t *os = res; uint64_t x1 = (c2 & tmp[i]) | (~c2 & res[i]); + uint64_t *os = res; os[i] = x1;); } @@ -250,8 +250,8 @@ static inline void bn_sqr4(uint64_t *res, uint64_t *x) 0U, 4U, 1U, - uint64_t *ab = x; uint64_t a_j = x[i0]; + uint64_t *ab = x; uint64_t *res_j = res + i0; uint64_t c = 0ULL; for (uint32_t i = 0U; i < i0 / 4U; i++) @@ -277,7 +277,12 @@ static inline void bn_sqr4(uint64_t *res, uint64_t *x) } uint64_t r = c; res[i0 + i0] = r;); - uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, res, res, res); + uint64_t a_copy0[8U] = { 0U }; + uint64_t b_copy0[8U] = { 0U }; + memcpy(a_copy0, res, 8U * sizeof (uint64_t)); + memcpy(b_copy0, res, 8U * sizeof (uint64_t)); + uint64_t r = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, a_copy0, b_copy0, res); + uint64_t c0 = r; KRML_MAYBE_UNUSED_VAR(c0); uint64_t tmp[8U] = { 0U }; KRML_MAYBE_FOR4(i, @@ -289,7 +294,12 @@ static inline void bn_sqr4(uint64_t *res, uint64_t *x) uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); tmp[2U * i] = lo; tmp[2U * i + 1U] = hi;); - uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, res, tmp, res); + uint64_t a_copy[8U] = { 0U }; + uint64_t b_copy[8U] = { 0U }; + memcpy(a_copy, res, 8U * sizeof (uint64_t)); + memcpy(b_copy, tmp, 8U * sizeof (uint64_t)); + uint64_t r0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(8U, a_copy, b_copy, res); + uint64_t c1 = r0; KRML_MAYBE_UNUSED_VAR(c1); } @@ -306,9 +316,9 @@ static inline void bn_from_bytes_be4(uint64_t *res, uint8_t *b) 0U, 4U, 1U, - uint64_t *os = res; uint64_t u = load64_be(b + (4U - i - 1U) * 8U); uint64_t x = u; + uint64_t *os = res; os[i] = x;); } @@ -455,8 +465,8 @@ static inline void mont_reduction(uint64_t *res, uint64_t *x) } uint64_t r = c; uint64_t c1 = r; - uint64_t *resb = x + 4U + i0; uint64_t res_j = x[4U + i0]; + uint64_t *resb = x + 4U + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); memcpy(res, x + 4U, 4U * sizeof (uint64_t)); uint64_t c00 = c0; @@ -486,8 +496,8 @@ static inline void mont_reduction(uint64_t *res, uint64_t *x) 0U, 4U, 1U, - uint64_t *os = res; uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); + uint64_t *os = res; os[i] = x1;); } @@ -939,6 +949,7 @@ static inline void point_mul(uint64_t *res, uint64_t *scalar, uint64_t *p) uint64_t *t1 = table + 12U; make_point_at_inf(t0); memcpy(t1, p, 12U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table); KRML_MAYBE_FOR7(i, 0U, 7U, @@ -967,8 +978,8 @@ static inline void point_mul(uint64_t *res, uint64_t *scalar, uint64_t *p) 0U, 12U, 1U, - uint64_t *os = tmp0; uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); + uint64_t *os = tmp0; os[i] = x;);); point_add(res, res, tmp0); } @@ -987,8 +998,8 @@ static inline void precomp_get_consttime(const uint64_t *table, uint64_t bits_l, 0U, 12U, 1U, - uint64_t *os = tmp; uint64_t x = (c & res_j[i]) | (~c & tmp[i]); + uint64_t *os = tmp; os[i] = x;);); } @@ -1064,6 +1075,7 @@ point_mul_double_g(uint64_t *res, uint64_t *scalar1, uint64_t *scalar2, uint64_t uint64_t *t1 = table2 + 12U; make_point_at_inf(t0); memcpy(t1, q2, 12U * sizeof (uint64_t)); + KRML_MAYBE_UNUSED_VAR(table2); KRML_MAYBE_FOR15(i, 0U, 15U, @@ -1165,8 +1177,8 @@ static inline void qmont_reduction(uint64_t *res, uint64_t *x) } uint64_t r = c; uint64_t c1 = r; - uint64_t *resb = x + 4U + i0; uint64_t res_j = x[4U + i0]; + uint64_t *resb = x + 4U + i0; c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); memcpy(res, x + 4U, 4U * sizeof (uint64_t)); uint64_t c00 = c0; @@ -1196,8 +1208,8 @@ static inline void qmont_reduction(uint64_t *res, uint64_t *x) 0U, 4U, 1U, - uint64_t *os = res; uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); + uint64_t *os = res; os[i] = x1;); } @@ -1238,9 +1250,9 @@ bool Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_key) 0U, 4U, 1U, - uint64_t *os = sk; uint64_t uu____0 = oneq[i]; uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); + uint64_t *os = sk; os[i] = x;); uint64_t is_sk_valid = is_b_valid; point_mul_g(pk, sk); @@ -1270,9 +1282,9 @@ Hacl_Impl_P256_DH_ecp256dh_r( 0U, 4U, 1U, - uint64_t *os = sk; uint64_t uu____0 = oneq[i]; uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); + uint64_t *os = sk; os[i] = x;); uint64_t is_sk_valid = is_b_valid; uint64_t ss_proj[12U] = { 0U }; @@ -1464,9 +1476,9 @@ ecdsa_sign_msg_as_qelem( 0U, 4U, 1U, - uint64_t *os = d_a; uint64_t uu____0 = oneq0[i]; uint64_t x = uu____0 ^ (is_b_valid0 & (d_a[i] ^ uu____0)); + uint64_t *os = d_a; os[i] = x;); uint64_t is_sk_valid = is_b_valid0; bn_from_bytes_be4(k_q, nonce); @@ -1480,9 +1492,9 @@ ecdsa_sign_msg_as_qelem( 0U, 4U, 1U, - uint64_t *os = k_q; uint64_t uu____1 = oneq[i]; uint64_t x = uu____1 ^ (is_b_valid & (k_q[i] ^ uu____1)); + uint64_t *os = k_q; os[i] = x;); uint64_t is_nonce_valid = is_b_valid; uint64_t are_sk_nonce_valid = is_sk_valid & is_nonce_valid; diff --git a/src/Hacl_RSAPSS.c b/src/Hacl_RSAPSS.c index 71e141d0..8b08977d 100644 --- a/src/Hacl_RSAPSS.c +++ b/src/Hacl_RSAPSS.c @@ -252,8 +252,8 @@ pss_encode( mgf_hash(a, hLen, m1Hash, dbLen, dbMask); for (uint32_t i = 0U; i < dbLen; i++) { - uint8_t *os = db; uint8_t x = (uint32_t)db[i] ^ (uint32_t)dbMask[i]; + uint8_t *os = db; os[i] = x; } uint32_t msBits = emBits % 8U; @@ -310,8 +310,8 @@ pss_verify( mgf_hash(a, hLen, m1Hash, dbLen, dbMask); for (uint32_t i = 0U; i < dbLen; i++) { - uint8_t *os = dbMask; uint8_t x = (uint32_t)dbMask[i] ^ (uint32_t)maskedDB[i]; + uint8_t *os = dbMask; os[i] = x; } uint32_t msBits1 = emBits % 8U; @@ -486,9 +486,9 @@ Hacl_RSAPSS_rsapss_sign( uint64_t eq_m = mask1; for (uint32_t i = 0U; i < nLen2; i++) { - uint64_t *os = s; uint64_t x = s[i]; uint64_t x0 = eq_m & x; + uint64_t *os = s; os[i] = x0; } bool eq_b = eq_m == 0xFFFFFFFFFFFFFFFFULL; diff --git a/src/Hacl_SHA2_Vec128.c b/src/Hacl_SHA2_Vec128.c index 02af75b1..e122dd8c 100644 --- a/src/Hacl_SHA2_Vec128.c +++ b/src/Hacl_SHA2_Vec128.c @@ -35,9 +35,9 @@ static inline void sha224_init4(Lib_IntVector_Intrinsics_vec128 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec128 *os = hash; uint32_t hi = Hacl_Hash_SHA2_h224[i]; Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_load32(hi); + Lib_IntVector_Intrinsics_vec128 *os = hash; os[i] = x;); } @@ -286,9 +286,9 @@ sha224_update4(Hacl_Hash_SHA2_uint8_4p b, Lib_IntVector_Intrinsics_vec128 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec128 *os = hash; Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_add32(hash[i], hash_old[i]); + Lib_IntVector_Intrinsics_vec128 *os = hash; os[i] = x;); } @@ -515,9 +515,9 @@ static inline void sha256_init4(Lib_IntVector_Intrinsics_vec128 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec128 *os = hash; uint32_t hi = Hacl_Hash_SHA2_h256[i]; Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_load32(hi); + Lib_IntVector_Intrinsics_vec128 *os = hash; os[i] = x;); } @@ -766,9 +766,9 @@ sha256_update4(Hacl_Hash_SHA2_uint8_4p b, Lib_IntVector_Intrinsics_vec128 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec128 *os = hash; Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_add32(hash[i], hash_old[i]); + Lib_IntVector_Intrinsics_vec128 *os = hash; os[i] = x;); } diff --git a/src/Hacl_SHA2_Vec256.c b/src/Hacl_SHA2_Vec256.c index c34767f5..2bee1692 100644 --- a/src/Hacl_SHA2_Vec256.c +++ b/src/Hacl_SHA2_Vec256.c @@ -36,9 +36,9 @@ static inline void sha224_init8(Lib_IntVector_Intrinsics_vec256 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec256 *os = hash; uint32_t hi = Hacl_Hash_SHA2_h224[i]; Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load32(hi); + Lib_IntVector_Intrinsics_vec256 *os = hash; os[i] = x;); } @@ -371,9 +371,9 @@ sha224_update8(Hacl_Hash_SHA2_uint8_8p b, Lib_IntVector_Intrinsics_vec256 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec256 *os = hash; Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_add32(hash[i], hash_old[i]); + Lib_IntVector_Intrinsics_vec256 *os = hash; os[i] = x;); } @@ -785,9 +785,9 @@ static inline void sha256_init8(Lib_IntVector_Intrinsics_vec256 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec256 *os = hash; uint32_t hi = Hacl_Hash_SHA2_h256[i]; Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load32(hi); + Lib_IntVector_Intrinsics_vec256 *os = hash; os[i] = x;); } @@ -1120,9 +1120,9 @@ sha256_update8(Hacl_Hash_SHA2_uint8_8p b, Lib_IntVector_Intrinsics_vec256 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec256 *os = hash; Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_add32(hash[i], hash_old[i]); + Lib_IntVector_Intrinsics_vec256 *os = hash; os[i] = x;); } @@ -1534,9 +1534,9 @@ static inline void sha384_init4(Lib_IntVector_Intrinsics_vec256 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec256 *os = hash; uint64_t hi = Hacl_Hash_SHA2_h384[i]; Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 *os = hash; os[i] = x;); } @@ -1769,9 +1769,9 @@ sha384_update4(Hacl_Hash_SHA2_uint8_4p b, Lib_IntVector_Intrinsics_vec256 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec256 *os = hash; Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_add64(hash[i], hash_old[i]); + Lib_IntVector_Intrinsics_vec256 *os = hash; os[i] = x;); } @@ -1990,9 +1990,9 @@ static inline void sha512_init4(Lib_IntVector_Intrinsics_vec256 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec256 *os = hash; uint64_t hi = Hacl_Hash_SHA2_h512[i]; Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_load64(hi); + Lib_IntVector_Intrinsics_vec256 *os = hash; os[i] = x;); } @@ -2225,9 +2225,9 @@ sha512_update4(Hacl_Hash_SHA2_uint8_4p b, Lib_IntVector_Intrinsics_vec256 *hash) 0U, 8U, 1U, - Lib_IntVector_Intrinsics_vec256 *os = hash; Lib_IntVector_Intrinsics_vec256 x = Lib_IntVector_Intrinsics_vec256_add64(hash[i], hash_old[i]); + Lib_IntVector_Intrinsics_vec256 *os = hash; os[i] = x;); } diff --git a/src/Hacl_Salsa20.c b/src/Hacl_Salsa20.c index 151df07d..372fd3c5 100644 --- a/src/Hacl_Salsa20.c +++ b/src/Hacl_Salsa20.c @@ -85,8 +85,8 @@ static inline void salsa20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr) 0U, 16U, 1U, - uint32_t *os = k; uint32_t x = k[i] + ctx[i]; + uint32_t *os = k; os[i] = x;); k[8U] = k[8U] + ctr_u32; } @@ -101,21 +101,21 @@ static inline void salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t *n) 0U, 8U, 1U, - uint32_t *os = k32; uint8_t *bj = key + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = k32; os[i] = x;); KRML_MAYBE_FOR2(i, 0U, 2U, 1U, - uint32_t *os = n32; uint8_t *bj = n + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = n32; os[i] = x;); ctx[0U] = 0x61707865U; uint32_t *k0 = k32; @@ -149,21 +149,21 @@ salsa20_encrypt( 0U, 8U, 1U, - uint32_t *os = k32; uint8_t *bj = key + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = k32; os[i] = x;); KRML_MAYBE_FOR2(i, 0U, 2U, 1U, - uint32_t *os = n32; uint8_t *bj = n + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = n32; os[i] = x;); ctx[0U] = 0x61707865U; uint32_t *k0 = k32; @@ -192,18 +192,18 @@ salsa20_encrypt( 0U, 16U, 1U, - uint32_t *os = bl; uint8_t *bj = uu____1 + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = bl; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, - uint32_t *os = bl; uint32_t x = bl[i] ^ k1[i]; + uint32_t *os = bl; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, store32_le(uu____0 + i * 4U, bl[i]);); } @@ -219,18 +219,18 @@ salsa20_encrypt( 0U, 16U, 1U, - uint32_t *os = bl; uint8_t *bj = plain + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = bl; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, - uint32_t *os = bl; uint32_t x = bl[i] ^ k1[i]; + uint32_t *os = bl; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, store32_le(plain + i * 4U, bl[i]);); memcpy(uu____2, plain, rem * sizeof (uint8_t)); @@ -254,21 +254,21 @@ salsa20_decrypt( 0U, 8U, 1U, - uint32_t *os = k32; uint8_t *bj = key + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = k32; os[i] = x;); KRML_MAYBE_FOR2(i, 0U, 2U, 1U, - uint32_t *os = n32; uint8_t *bj = n + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = n32; os[i] = x;); ctx[0U] = 0x61707865U; uint32_t *k0 = k32; @@ -297,18 +297,18 @@ salsa20_decrypt( 0U, 16U, 1U, - uint32_t *os = bl; uint8_t *bj = uu____1 + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = bl; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, - uint32_t *os = bl; uint32_t x = bl[i] ^ k1[i]; + uint32_t *os = bl; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, store32_le(uu____0 + i * 4U, bl[i]);); } @@ -324,18 +324,18 @@ salsa20_decrypt( 0U, 16U, 1U, - uint32_t *os = bl; uint8_t *bj = plain + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = bl; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, - uint32_t *os = bl; uint32_t x = bl[i] ^ k1[i]; + uint32_t *os = bl; os[i] = x;); KRML_MAYBE_FOR16(i, 0U, 16U, 1U, store32_le(plain + i * 4U, bl[i]);); memcpy(uu____2, plain, rem * sizeof (uint8_t)); @@ -351,21 +351,21 @@ static inline void hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n) 0U, 8U, 1U, - uint32_t *os = k32; uint8_t *bj = key + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = k32; os[i] = x;); KRML_MAYBE_FOR4(i, 0U, 4U, 1U, - uint32_t *os = n32; uint8_t *bj = n + i * 4U; uint32_t u = load32_le(bj); uint32_t r = u; uint32_t x = r; + uint32_t *os = n32; os[i] = x;); uint32_t *k0 = k32; uint32_t *k1 = k32 + 4U; diff --git a/src/Lib_RandomBuffer_System.c b/src/Lib_RandomBuffer_System.c index 0d7924b4..de6ef337 100644 --- a/src/Lib_RandomBuffer_System.c +++ b/src/Lib_RandomBuffer_System.c @@ -31,6 +31,7 @@ bool read_random_bytes(uint32_t len, uint8_t *buf) { #include #include #include +#include #include bool read_random_bytes(uint32_t len, uint8_t *buf) { diff --git a/src/msvc/EverCrypt_DRBG.c b/src/msvc/EverCrypt_DRBG.c index 1395f59f..c76a69cd 100644 --- a/src/msvc/EverCrypt_DRBG.c +++ b/src/msvc/EverCrypt_DRBG.c @@ -1798,8 +1798,8 @@ static void uninstantiate_sha1(EverCrypt_DRBG_state_s *st) uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; - Lib_Memzero0_memzero(k, 20U, uint8_t); - Lib_Memzero0_memzero(v, 20U, uint8_t); + Lib_Memzero0_memzero(k, 20U, uint8_t, void *); + Lib_Memzero0_memzero(v, 20U, uint8_t, void *); ctr[0U] = 0U; KRML_HOST_FREE(k); KRML_HOST_FREE(v); @@ -1822,8 +1822,8 @@ static void uninstantiate_sha2_256(EverCrypt_DRBG_state_s *st) uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; - Lib_Memzero0_memzero(k, 32U, uint8_t); - Lib_Memzero0_memzero(v, 32U, uint8_t); + Lib_Memzero0_memzero(k, 32U, uint8_t, void *); + Lib_Memzero0_memzero(v, 32U, uint8_t, void *); ctr[0U] = 0U; KRML_HOST_FREE(k); KRML_HOST_FREE(v); @@ -1846,8 +1846,8 @@ static void uninstantiate_sha2_384(EverCrypt_DRBG_state_s *st) uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; - Lib_Memzero0_memzero(k, 48U, uint8_t); - Lib_Memzero0_memzero(v, 48U, uint8_t); + Lib_Memzero0_memzero(k, 48U, uint8_t, void *); + Lib_Memzero0_memzero(v, 48U, uint8_t, void *); ctr[0U] = 0U; KRML_HOST_FREE(k); KRML_HOST_FREE(v); @@ -1870,8 +1870,8 @@ static void uninstantiate_sha2_512(EverCrypt_DRBG_state_s *st) uint8_t *k = s.k; uint8_t *v = s.v; uint32_t *ctr = s.reseed_counter; - Lib_Memzero0_memzero(k, 64U, uint8_t); - Lib_Memzero0_memzero(v, 64U, uint8_t); + Lib_Memzero0_memzero(k, 64U, uint8_t, void *); + Lib_Memzero0_memzero(v, 64U, uint8_t, void *); ctr[0U] = 0U; KRML_HOST_FREE(k); KRML_HOST_FREE(v); diff --git a/src/msvc/Hacl_Ed25519.c b/src/msvc/Hacl_Ed25519.c index 05d96cd0..d1f8edf2 100644 --- a/src/msvc/Hacl_Ed25519.c +++ b/src/msvc/Hacl_Ed25519.c @@ -1712,8 +1712,8 @@ static inline void secret_expand(uint8_t *expanded, uint8_t *secret) /** Compute the public key from the private key. - The outparam `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. + @param[out] public_key Points to 32 bytes of valid memory, i.e., `uint8_t[32]`. Must not overlap the memory location of `private_key`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. */ void Hacl_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key) { @@ -1726,8 +1726,8 @@ void Hacl_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key) /** Compute the expanded keys for an Ed25519 signature. - The outparam `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. + @param[out] expanded_keys Points to 96 bytes of valid memory, i.e., `uint8_t[96]`. Must not overlap the memory location of `private_key`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. If one needs to sign several messages under the same private key, it is more efficient to call `expand_keys` only once and `sign_expanded` multiple times, for each message. @@ -1744,11 +1744,10 @@ void Hacl_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *private_key) /** Create an Ed25519 signature with the (precomputed) expanded keys. - The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. - The argument `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. - - The argument `expanded_keys` is obtained through `expand_keys`. + @param[out] signature Points to 64 bytes of valid memory, i.e., `uint8_t[64]`. Must not overlap the memory locations of `expanded_keys` nor `msg`. + @param[in] expanded_keys Points to 96 bytes of valid memory, i.e., `uint8_t[96]`, containing the expanded keys obtained by invoking `expand_keys`. + @param[in] msg_len Length of `msg`. + @param[in] msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. If one needs to sign several messages under the same private key, it is more efficient to call `expand_keys` only once and `sign_expanded` multiple times, for each message. @@ -1783,9 +1782,10 @@ Hacl_Ed25519_sign_expanded( /** Create an Ed25519 signature. - The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. - The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. + @param[out] signature Points to 64 bytes of valid memory, i.e., `uint8_t[64]`. Must not overlap the memory locations of `private_key` nor `msg`. + @param[in] private_key Points to 32 bytes of valid memory containing the private key, i.e., `uint8_t[32]`. + @param[in] msg_len Length of `msg`. + @param[in] msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. The function first calls `expand_keys` and then invokes `sign_expanded`. @@ -1803,11 +1803,12 @@ Hacl_Ed25519_sign(uint8_t *signature, uint8_t *private_key, uint32_t msg_len, ui /** Verify an Ed25519 signature. - The function returns `true` if the signature is valid and `false` otherwise. + @param public_key Points to 32 bytes of valid memory containing the public key, i.e., `uint8_t[32]`. + @param msg_len Length of `msg`. + @param msg Points to `msg_len` bytes of valid memory containing the message, i.e., `uint8_t[msg_len]`. + @param signature Points to 64 bytes of valid memory containing the signature, i.e., `uint8_t[64]`. - The argument `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. - The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. - The argument `signature` points to 64 bytes of valid memory, i.e., uint8_t[64]. + @return Returns `true` if the signature is valid and `false` otherwise. */ bool Hacl_Ed25519_verify(uint8_t *public_key, uint32_t msg_len, uint8_t *msg, uint8_t *signature) diff --git a/src/msvc/Hacl_Frodo1344.c b/src/msvc/Hacl_Frodo1344.c index 61262a4c..f4c19de3 100644 --- a/src/msvc/Hacl_Frodo1344.c +++ b/src/msvc/Hacl_Frodo1344.c @@ -55,7 +55,7 @@ uint32_t Hacl_Frodo1344_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) shake_input_seed_se[0U] = 0x5fU; memcpy(shake_input_seed_se + 1U, seed_se, 32U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(33U, shake_input_seed_se, 43008U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(1344U, 8U, r, s_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(1344U, 8U, r + 21504U, e_matrix); uint16_t b_matrix[10752U] = { 0U }; @@ -66,14 +66,14 @@ uint32_t Hacl_Frodo1344_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) Hacl_Impl_Matrix_matrix_add(1344U, 8U, b_matrix, e_matrix); Hacl_Impl_Frodo_Pack_frodo_pack(1344U, 8U, 16U, b_matrix, b_bytes); Hacl_Impl_Matrix_matrix_to_lbytes(1344U, 8U, s_matrix, s_bytes); - Lib_Memzero0_memzero(s_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(e_matrix, 10752U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(e_matrix, 10752U, uint16_t, void *); uint32_t slen1 = 43056U; uint8_t *sk_p = sk; memcpy(sk_p, s, 32U * sizeof (uint8_t)); memcpy(sk_p + 32U, pk, 21520U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(21520U, pk, 32U, sk + slen1); - Lib_Memzero0_memzero(coins, 80U, uint8_t); + Lib_Memzero0_memzero(coins, 80U, uint8_t, void *); return 0U; } @@ -98,7 +98,7 @@ uint32_t Hacl_Frodo1344_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 32U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(33U, shake_input_seed_se, 43136U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 1344U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 1344U, r + 21504U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 8U, r + 43008U, epp_matrix); @@ -119,12 +119,12 @@ uint32_t Hacl_Frodo1344_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(16U, 4U, 8U, coins, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, v_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Frodo_Pack_frodo_pack(8U, 8U, 16U, v_matrix, c2); - Lib_Memzero0_memzero(v_matrix, 64U, uint16_t); - Lib_Memzero0_memzero(sp_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(v_matrix, 64U, uint16_t, void *); + Lib_Memzero0_memzero(sp_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint32_t ss_init_len = 21664U; KRML_CHECK_SIZE(sizeof (uint8_t), ss_init_len); uint8_t *shake_input_ss = (uint8_t *)alloca(ss_init_len * sizeof (uint8_t)); @@ -132,9 +132,9 @@ uint32_t Hacl_Frodo1344_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) memcpy(shake_input_ss, ct, 21632U * sizeof (uint8_t)); memcpy(shake_input_ss + 21632U, k, 32U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(ss_init_len, shake_input_ss, 32U, ss); - Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 64U, uint8_t); - Lib_Memzero0_memzero(coins, 32U, uint8_t); + Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 64U, uint8_t, void *); + Lib_Memzero0_memzero(coins, 32U, uint8_t, void *); return 0U; } @@ -154,8 +154,8 @@ uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) Hacl_Impl_Matrix_matrix_mul_s(8U, 1344U, 8U, bp_matrix, s_matrix, m_matrix); Hacl_Impl_Matrix_matrix_sub(8U, 8U, c_matrix, m_matrix); Hacl_Impl_Frodo_Encode_frodo_key_decode(16U, 4U, 8U, m_matrix, mu_decode); - Lib_Memzero0_memzero(s_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(m_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(m_matrix, 64U, uint16_t, void *); uint8_t seed_se_k[64U] = { 0U }; uint32_t pkh_mu_decode_len = 64U; KRML_CHECK_SIZE(sizeof (uint8_t), pkh_mu_decode_len); @@ -178,7 +178,7 @@ uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 32U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(33U, shake_input_seed_se, 43136U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 33U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 1344U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 1344U, r + 21504U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344(8U, 8U, r + 43008U, epp_matrix); @@ -197,12 +197,12 @@ uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(16U, 4U, 8U, mu_decode, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, cp_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Matrix_mod_pow2(8U, 1344U, 16U, bpp_matrix); Hacl_Impl_Matrix_mod_pow2(8U, 8U, 16U, cp_matrix); - Lib_Memzero0_memzero(sp_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 10752U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(sp_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 10752U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint16_t b1 = Hacl_Impl_Matrix_matrix_eq(8U, 1344U, bp_matrix, bpp_matrix); uint16_t b2 = Hacl_Impl_Matrix_matrix_eq(8U, 8U, c_matrix, cp_matrix); uint16_t mask = (uint32_t)b1 & (uint32_t)b2; @@ -223,10 +223,10 @@ uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) memcpy(ss_init, ct, 21632U * sizeof (uint8_t)); memcpy(ss_init + 21632U, kp_s, 32U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(ss_init_len, ss_init, 32U, ss); - Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t); - Lib_Memzero0_memzero(kp_s, 32U, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 64U, uint8_t); - Lib_Memzero0_memzero(mu_decode, 32U, uint8_t); + Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(kp_s, 32U, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 64U, uint8_t, void *); + Lib_Memzero0_memzero(mu_decode, 32U, uint8_t, void *); return 0U; } diff --git a/src/msvc/Hacl_Frodo64.c b/src/msvc/Hacl_Frodo64.c index 392d87f9..e9a19d93 100644 --- a/src/msvc/Hacl_Frodo64.c +++ b/src/msvc/Hacl_Frodo64.c @@ -60,7 +60,7 @@ uint32_t Hacl_Frodo64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) shake_input_seed_se[0U] = 0x5fU; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 2048U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(64U, 8U, r, s_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(64U, 8U, r + 1024U, e_matrix); uint16_t b_matrix[512U] = { 0U }; @@ -70,14 +70,14 @@ uint32_t Hacl_Frodo64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) Hacl_Impl_Matrix_matrix_add(64U, 8U, b_matrix, e_matrix); Hacl_Impl_Frodo_Pack_frodo_pack(64U, 8U, 15U, b_matrix, b_bytes); Hacl_Impl_Matrix_matrix_to_lbytes(64U, 8U, s_matrix, s_bytes); - Lib_Memzero0_memzero(s_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(e_matrix, 512U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(e_matrix, 512U, uint16_t, void *); uint32_t slen1 = 2016U; uint8_t *sk_p = sk; memcpy(sk_p, s, 16U * sizeof (uint8_t)); memcpy(sk_p + 16U, pk, 976U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(976U, pk, 16U, sk + slen1); - Lib_Memzero0_memzero(coins, 48U, uint8_t); + Lib_Memzero0_memzero(coins, 48U, uint8_t, void *); return 0U; } @@ -102,7 +102,7 @@ uint32_t Hacl_Frodo64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 2176U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 64U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 64U, r + 1024U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 8U, r + 2048U, epp_matrix); @@ -122,12 +122,12 @@ uint32_t Hacl_Frodo64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(15U, 2U, 8U, coins, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, v_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Frodo_Pack_frodo_pack(8U, 8U, 15U, v_matrix, c2); - Lib_Memzero0_memzero(v_matrix, 64U, uint16_t); - Lib_Memzero0_memzero(sp_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(v_matrix, 64U, uint16_t, void *); + Lib_Memzero0_memzero(sp_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint32_t ss_init_len = 1096U; KRML_CHECK_SIZE(sizeof (uint8_t), ss_init_len); uint8_t *shake_input_ss = (uint8_t *)alloca(ss_init_len * sizeof (uint8_t)); @@ -135,9 +135,9 @@ uint32_t Hacl_Frodo64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) memcpy(shake_input_ss, ct, 1080U * sizeof (uint8_t)); memcpy(shake_input_ss + 1080U, k, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(ss_init_len, shake_input_ss, 16U, ss); - Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t); - Lib_Memzero0_memzero(coins, 16U, uint8_t); + Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t, void *); + Lib_Memzero0_memzero(coins, 16U, uint8_t, void *); return 0U; } @@ -157,8 +157,8 @@ uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) Hacl_Impl_Matrix_matrix_mul_s(8U, 64U, 8U, bp_matrix, s_matrix, m_matrix); Hacl_Impl_Matrix_matrix_sub(8U, 8U, c_matrix, m_matrix); Hacl_Impl_Frodo_Encode_frodo_key_decode(15U, 2U, 8U, m_matrix, mu_decode); - Lib_Memzero0_memzero(s_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(m_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(m_matrix, 64U, uint16_t, void *); uint8_t seed_se_k[32U] = { 0U }; uint32_t pkh_mu_decode_len = 32U; KRML_CHECK_SIZE(sizeof (uint8_t), pkh_mu_decode_len); @@ -181,7 +181,7 @@ uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 2176U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 64U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 64U, r + 1024U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix64(8U, 8U, r + 2048U, epp_matrix); @@ -199,12 +199,12 @@ uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(15U, 2U, 8U, mu_decode, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, cp_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Matrix_mod_pow2(8U, 64U, 15U, bpp_matrix); Hacl_Impl_Matrix_mod_pow2(8U, 8U, 15U, cp_matrix); - Lib_Memzero0_memzero(sp_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 512U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(sp_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 512U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint16_t b1 = Hacl_Impl_Matrix_matrix_eq(8U, 64U, bp_matrix, bpp_matrix); uint16_t b2 = Hacl_Impl_Matrix_matrix_eq(8U, 8U, c_matrix, cp_matrix); uint16_t mask = (uint32_t)b1 & (uint32_t)b2; @@ -226,10 +226,10 @@ uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) memcpy(ss_init, ct, 1080U * sizeof (uint8_t)); memcpy(ss_init + 1080U, kp_s, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(ss_init_len, ss_init, 16U, ss); - Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t); - Lib_Memzero0_memzero(kp_s, 16U, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t); - Lib_Memzero0_memzero(mu_decode, 16U, uint8_t); + Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(kp_s, 16U, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t, void *); + Lib_Memzero0_memzero(mu_decode, 16U, uint8_t, void *); return 0U; } diff --git a/src/msvc/Hacl_Frodo640.c b/src/msvc/Hacl_Frodo640.c index 5de5871f..3a117991 100644 --- a/src/msvc/Hacl_Frodo640.c +++ b/src/msvc/Hacl_Frodo640.c @@ -55,7 +55,7 @@ uint32_t Hacl_Frodo640_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) shake_input_seed_se[0U] = 0x5fU; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 20480U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(640U, 8U, r, s_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(640U, 8U, r + 10240U, e_matrix); uint16_t b_matrix[5120U] = { 0U }; @@ -66,14 +66,14 @@ uint32_t Hacl_Frodo640_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) Hacl_Impl_Matrix_matrix_add(640U, 8U, b_matrix, e_matrix); Hacl_Impl_Frodo_Pack_frodo_pack(640U, 8U, 15U, b_matrix, b_bytes); Hacl_Impl_Matrix_matrix_to_lbytes(640U, 8U, s_matrix, s_bytes); - Lib_Memzero0_memzero(s_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(e_matrix, 5120U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(e_matrix, 5120U, uint16_t, void *); uint32_t slen1 = 19872U; uint8_t *sk_p = sk; memcpy(sk_p, s, 16U * sizeof (uint8_t)); memcpy(sk_p + 16U, pk, 9616U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(9616U, pk, 16U, sk + slen1); - Lib_Memzero0_memzero(coins, 48U, uint8_t); + Lib_Memzero0_memzero(coins, 48U, uint8_t, void *); return 0U; } @@ -98,7 +98,7 @@ uint32_t Hacl_Frodo640_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 20608U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 640U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 640U, r + 10240U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 8U, r + 20480U, epp_matrix); @@ -119,12 +119,12 @@ uint32_t Hacl_Frodo640_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(15U, 2U, 8U, coins, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, v_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Frodo_Pack_frodo_pack(8U, 8U, 15U, v_matrix, c2); - Lib_Memzero0_memzero(v_matrix, 64U, uint16_t); - Lib_Memzero0_memzero(sp_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(v_matrix, 64U, uint16_t, void *); + Lib_Memzero0_memzero(sp_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint32_t ss_init_len = 9736U; KRML_CHECK_SIZE(sizeof (uint8_t), ss_init_len); uint8_t *shake_input_ss = (uint8_t *)alloca(ss_init_len * sizeof (uint8_t)); @@ -132,9 +132,9 @@ uint32_t Hacl_Frodo640_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) memcpy(shake_input_ss, ct, 9720U * sizeof (uint8_t)); memcpy(shake_input_ss + 9720U, k, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(ss_init_len, shake_input_ss, 16U, ss); - Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t); - Lib_Memzero0_memzero(coins, 16U, uint8_t); + Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t, void *); + Lib_Memzero0_memzero(coins, 16U, uint8_t, void *); return 0U; } @@ -154,8 +154,8 @@ uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) Hacl_Impl_Matrix_matrix_mul_s(8U, 640U, 8U, bp_matrix, s_matrix, m_matrix); Hacl_Impl_Matrix_matrix_sub(8U, 8U, c_matrix, m_matrix); Hacl_Impl_Frodo_Encode_frodo_key_decode(15U, 2U, 8U, m_matrix, mu_decode); - Lib_Memzero0_memzero(s_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(m_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(m_matrix, 64U, uint16_t, void *); uint8_t seed_se_k[32U] = { 0U }; uint32_t pkh_mu_decode_len = 32U; KRML_CHECK_SIZE(sizeof (uint8_t), pkh_mu_decode_len); @@ -178,7 +178,7 @@ uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(17U, shake_input_seed_se, 20608U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 17U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 640U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 640U, r + 10240U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix640(8U, 8U, r + 20480U, epp_matrix); @@ -197,12 +197,12 @@ uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(15U, 2U, 8U, mu_decode, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, cp_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Matrix_mod_pow2(8U, 640U, 15U, bpp_matrix); Hacl_Impl_Matrix_mod_pow2(8U, 8U, 15U, cp_matrix); - Lib_Memzero0_memzero(sp_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 5120U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(sp_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 5120U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint16_t b1 = Hacl_Impl_Matrix_matrix_eq(8U, 640U, bp_matrix, bpp_matrix); uint16_t b2 = Hacl_Impl_Matrix_matrix_eq(8U, 8U, c_matrix, cp_matrix); uint16_t mask = (uint32_t)b1 & (uint32_t)b2; @@ -224,10 +224,10 @@ uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) memcpy(ss_init, ct, 9720U * sizeof (uint8_t)); memcpy(ss_init + 9720U, kp_s, 16U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake128_hacl(ss_init_len, ss_init, 16U, ss); - Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t); - Lib_Memzero0_memzero(kp_s, 16U, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t); - Lib_Memzero0_memzero(mu_decode, 16U, uint8_t); + Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(kp_s, 16U, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 32U, uint8_t, void *); + Lib_Memzero0_memzero(mu_decode, 16U, uint8_t, void *); return 0U; } diff --git a/src/msvc/Hacl_Frodo976.c b/src/msvc/Hacl_Frodo976.c index 61454ceb..b358a5e2 100644 --- a/src/msvc/Hacl_Frodo976.c +++ b/src/msvc/Hacl_Frodo976.c @@ -55,7 +55,7 @@ uint32_t Hacl_Frodo976_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) shake_input_seed_se[0U] = 0x5fU; memcpy(shake_input_seed_se + 1U, seed_se, 24U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(25U, shake_input_seed_se, 31232U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(976U, 8U, r, s_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(976U, 8U, r + 15616U, e_matrix); uint16_t b_matrix[7808U] = { 0U }; @@ -66,14 +66,14 @@ uint32_t Hacl_Frodo976_crypto_kem_keypair(uint8_t *pk, uint8_t *sk) Hacl_Impl_Matrix_matrix_add(976U, 8U, b_matrix, e_matrix); Hacl_Impl_Frodo_Pack_frodo_pack(976U, 8U, 16U, b_matrix, b_bytes); Hacl_Impl_Matrix_matrix_to_lbytes(976U, 8U, s_matrix, s_bytes); - Lib_Memzero0_memzero(s_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(e_matrix, 7808U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(e_matrix, 7808U, uint16_t, void *); uint32_t slen1 = 31272U; uint8_t *sk_p = sk; memcpy(sk_p, s, 24U * sizeof (uint8_t)); memcpy(sk_p + 24U, pk, 15632U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(15632U, pk, 24U, sk + slen1); - Lib_Memzero0_memzero(coins, 64U, uint8_t); + Lib_Memzero0_memzero(coins, 64U, uint8_t, void *); return 0U; } @@ -98,7 +98,7 @@ uint32_t Hacl_Frodo976_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 24U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(25U, shake_input_seed_se, 31360U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 976U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 976U, r + 15616U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 8U, r + 31232U, epp_matrix); @@ -119,12 +119,12 @@ uint32_t Hacl_Frodo976_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(16U, 3U, 8U, coins, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, v_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Frodo_Pack_frodo_pack(8U, 8U, 16U, v_matrix, c2); - Lib_Memzero0_memzero(v_matrix, 64U, uint16_t); - Lib_Memzero0_memzero(sp_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(v_matrix, 64U, uint16_t, void *); + Lib_Memzero0_memzero(sp_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint32_t ss_init_len = 15768U; KRML_CHECK_SIZE(sizeof (uint8_t), ss_init_len); uint8_t *shake_input_ss = (uint8_t *)alloca(ss_init_len * sizeof (uint8_t)); @@ -132,9 +132,9 @@ uint32_t Hacl_Frodo976_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk) memcpy(shake_input_ss, ct, 15744U * sizeof (uint8_t)); memcpy(shake_input_ss + 15744U, k, 24U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(ss_init_len, shake_input_ss, 24U, ss); - Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 48U, uint8_t); - Lib_Memzero0_memzero(coins, 24U, uint8_t); + Lib_Memzero0_memzero(shake_input_ss, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 48U, uint8_t, void *); + Lib_Memzero0_memzero(coins, 24U, uint8_t, void *); return 0U; } @@ -154,8 +154,8 @@ uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) Hacl_Impl_Matrix_matrix_mul_s(8U, 976U, 8U, bp_matrix, s_matrix, m_matrix); Hacl_Impl_Matrix_matrix_sub(8U, 8U, c_matrix, m_matrix); Hacl_Impl_Frodo_Encode_frodo_key_decode(16U, 3U, 8U, m_matrix, mu_decode); - Lib_Memzero0_memzero(s_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(m_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(s_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(m_matrix, 64U, uint16_t, void *); uint8_t seed_se_k[48U] = { 0U }; uint32_t pkh_mu_decode_len = 48U; KRML_CHECK_SIZE(sizeof (uint8_t), pkh_mu_decode_len); @@ -178,7 +178,7 @@ uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) shake_input_seed_se[0U] = 0x96U; memcpy(shake_input_seed_se + 1U, seed_se, 24U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(25U, shake_input_seed_se, 31360U, r); - Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t); + Lib_Memzero0_memzero(shake_input_seed_se, 25U, uint8_t, void *); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 976U, r, sp_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 976U, r + 15616U, ep_matrix); Hacl_Impl_Frodo_Sample_frodo_sample_matrix976(8U, 8U, r + 31232U, epp_matrix); @@ -197,12 +197,12 @@ uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) uint16_t mu_encode[64U] = { 0U }; Hacl_Impl_Frodo_Encode_frodo_key_encode(16U, 3U, 8U, mu_decode, mu_encode); Hacl_Impl_Matrix_matrix_add(8U, 8U, cp_matrix, mu_encode); - Lib_Memzero0_memzero(mu_encode, 64U, uint16_t); + Lib_Memzero0_memzero(mu_encode, 64U, uint16_t, void *); Hacl_Impl_Matrix_mod_pow2(8U, 976U, 16U, bpp_matrix); Hacl_Impl_Matrix_mod_pow2(8U, 8U, 16U, cp_matrix); - Lib_Memzero0_memzero(sp_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(ep_matrix, 7808U, uint16_t); - Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t); + Lib_Memzero0_memzero(sp_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(ep_matrix, 7808U, uint16_t, void *); + Lib_Memzero0_memzero(epp_matrix, 64U, uint16_t, void *); uint16_t b1 = Hacl_Impl_Matrix_matrix_eq(8U, 976U, bp_matrix, bpp_matrix); uint16_t b2 = Hacl_Impl_Matrix_matrix_eq(8U, 8U, c_matrix, cp_matrix); uint16_t mask = (uint32_t)b1 & (uint32_t)b2; @@ -223,10 +223,10 @@ uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk) memcpy(ss_init, ct, 15744U * sizeof (uint8_t)); memcpy(ss_init + 15744U, kp_s, 24U * sizeof (uint8_t)); Hacl_Hash_SHA3_shake256_hacl(ss_init_len, ss_init, 24U, ss); - Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t); - Lib_Memzero0_memzero(kp_s, 24U, uint8_t); - Lib_Memzero0_memzero(seed_se_k, 48U, uint8_t); - Lib_Memzero0_memzero(mu_decode, 24U, uint8_t); + Lib_Memzero0_memzero(ss_init, ss_init_len, uint8_t, void *); + Lib_Memzero0_memzero(kp_s, 24U, uint8_t, void *); + Lib_Memzero0_memzero(seed_se_k, 48U, uint8_t, void *); + Lib_Memzero0_memzero(mu_decode, 24U, uint8_t, void *); return 0U; } diff --git a/src/msvc/Hacl_Hash_Blake2b.c b/src/msvc/Hacl_Hash_Blake2b.c index 2dceaf4b..f8513dc3 100644 --- a/src/msvc/Hacl_Hash_Blake2b.c +++ b/src/msvc/Hacl_Hash_Blake2b.c @@ -474,6 +474,7 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; uint64_t *r0 = hash; uint64_t *r1 = hash + 4U; uint64_t *r2 = hash + 8U; @@ -494,16 +495,68 @@ void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Hash_Blake2s_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) @@ -519,7 +572,7 @@ static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, ui { update_block(wv, hash, false, lb, b); } - Lib_Memzero0_memzero(b, 128U, uint8_t); + Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } void @@ -560,7 +613,7 @@ Hacl_Hash_Blake2b_update_last( FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); update_block(wv, hash, true, totlen, b); - Lib_Memzero0_memzero(b, 128U, uint8_t); + Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } static void @@ -624,7 +677,7 @@ void Hacl_Hash_Blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash) KRML_MAYBE_FOR4(i, 0U, 4U, 1U, store64_le(second + i * 8U, row1[i]);); uint8_t *final = b; memcpy(output, final, nn * sizeof (uint8_t)); - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } /** @@ -965,7 +1018,7 @@ Hacl_Hash_Blake2b_hash_with_key( Hacl_Hash_Blake2b_init(b, key_len, output_len); update(b1, b, key_len, key, input_len, input); Hacl_Hash_Blake2b_finish(output_len, output, b); - Lib_Memzero0_memzero(b1, 16U, uint64_t); - Lib_Memzero0_memzero(b, 16U, uint64_t); + Lib_Memzero0_memzero(b1, 16U, uint64_t, void *); + Lib_Memzero0_memzero(b, 16U, uint64_t, void *); } diff --git a/src/msvc/Hacl_Hash_Blake2b_Simd256.c b/src/msvc/Hacl_Hash_Blake2b_Simd256.c index 1a5e8cf2..2bf96927 100644 --- a/src/msvc/Hacl_Hash_Blake2b_Simd256.c +++ b/src/msvc/Hacl_Hash_Blake2b_Simd256.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2b_Simd256.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -214,6 +215,7 @@ update_block( void Hacl_Hash_Blake2b_Simd256_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t kk, uint32_t nn) { + uint64_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec256 *r0 = hash; Lib_IntVector_Intrinsics_vec256 *r1 = hash + 1U; Lib_IntVector_Intrinsics_vec256 *r2 = hash + 2U; @@ -228,10 +230,62 @@ Hacl_Hash_Blake2b_Simd256_init(Lib_IntVector_Intrinsics_vec256 *hash, uint32_t k uint64_t iv7 = Hacl_Hash_Blake2s_ivTable_B[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); - uint64_t kk_shift_8 = (uint64_t)kk << 8U; - uint64_t iv0_ = iv0 ^ (0x01010000ULL ^ (kk_shift_8 ^ (uint64_t)nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4, iv5, iv6, iv7); + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; + Hacl_Hash_Blake2s_blake2b_params + p = + { + .digest_length1 = 64U, .key_length1 = 0U, .fanout1 = 1U, .depth1 = 1U, .leaf_length1 = 0U, + .node_offset1 = 0U, .xof_length1 = 0U, .node_depth1 = 0U, .inner_length1 = 0U, .salt1 = salt, + .personal1 = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 4U; + uint8_t *bj = p.salt1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint64_t *os = tmp + 6U; + uint8_t *bj = p.personal1 + i * 8U; + uint64_t u = load64_le(bj); + uint64_t r = u; + uint64_t x = r; + os[i] = x;); + tmp[0U] = + (uint64_t)nn + ^ + ((uint64_t)kk + << 8U + ^ ((uint64_t)p.fanout1 << 16U ^ ((uint64_t)p.depth1 << 24U ^ (uint64_t)p.leaf_length1 << 32U))); + tmp[1U] = (uint64_t)p.node_offset1 ^ (uint64_t)p.xof_length1 << 32U; + tmp[2U] = (uint64_t)p.node_depth1 ^ (uint64_t)p.inner_length1 << 8U; + tmp[3U] = 0ULL; + uint64_t tmp0 = tmp[0U]; + uint64_t tmp1 = tmp[1U]; + uint64_t tmp2 = tmp[2U]; + uint64_t tmp3 = tmp[3U]; + uint64_t tmp4 = tmp[4U]; + uint64_t tmp5 = tmp[5U]; + uint64_t tmp6 = tmp[6U]; + uint64_t tmp7 = tmp[7U]; + uint64_t iv0_ = iv0 ^ tmp0; + uint64_t iv1_ = iv1 ^ tmp1; + uint64_t iv2_ = iv2 ^ tmp2; + uint64_t iv3_ = iv3 ^ tmp3; + uint64_t iv4_ = iv4 ^ tmp4; + uint64_t iv5_ = iv5 ^ tmp5; + uint64_t iv6_ = iv6 ^ tmp6; + uint64_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec256_load64s(iv4_, iv5_, iv6_, iv7_); } static void @@ -254,7 +308,7 @@ update_key( { update_block(wv, hash, false, lb, b); } - Lib_Memzero0_memzero(b, 128U, uint8_t); + Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } void @@ -295,7 +349,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); update_block(wv, hash, true, totlen, b); - Lib_Memzero0_memzero(b, 128U, uint8_t); + Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } static inline void @@ -371,7 +425,7 @@ Hacl_Hash_Blake2b_Simd256_finish( Lib_IntVector_Intrinsics_vec256_store64_le(second, row1[0U]); uint8_t *final = b; memcpy(output, final, nn * sizeof (uint8_t)); - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } void @@ -822,7 +876,7 @@ Hacl_Hash_Blake2b_Simd256_hash_with_key( Hacl_Hash_Blake2b_Simd256_init(b, key_len, output_len); update(b1, b, key_len, key, input_len, input); Hacl_Hash_Blake2b_Simd256_finish(output_len, output, b); - Lib_Memzero0_memzero(b1, 4U, Lib_IntVector_Intrinsics_vec256); - Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec256); + Lib_Memzero0_memzero(b1, 4U, Lib_IntVector_Intrinsics_vec256, void *); + Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec256, void *); } diff --git a/src/msvc/Hacl_Hash_Blake2s.c b/src/msvc/Hacl_Hash_Blake2s.c index 652c3f33..87d64ca8 100644 --- a/src/msvc/Hacl_Hash_Blake2s.c +++ b/src/msvc/Hacl_Hash_Blake2s.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2s.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -474,6 +475,7 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; uint32_t *r0 = hash; uint32_t *r1 = hash + 4U; uint32_t *r2 = hash + 8U; @@ -494,16 +496,65 @@ void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn) r3[1U] = iv5; r3[2U] = iv6; r3[3U] = iv7; - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Hash_Blake2s_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; r0[0U] = iv0_; - r0[1U] = iv1; - r0[2U] = iv2; - r0[3U] = iv3; - r1[0U] = iv4; - r1[1U] = iv5; - r1[2U] = iv6; - r1[3U] = iv7; + r0[1U] = iv1_; + r0[2U] = iv2_; + r0[3U] = iv3_; + r1[0U] = iv4_; + r1[1U] = iv5_; + r1[2U] = iv6_; + r1[3U] = iv7_; } static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, uint32_t ll) @@ -519,7 +570,7 @@ static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, ui { update_block(wv, hash, false, lb, b); } - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } void @@ -556,7 +607,7 @@ Hacl_Hash_Blake2s_update_last( memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; update_block(wv, hash, true, totlen, b); - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } static void @@ -614,7 +665,7 @@ void Hacl_Hash_Blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash) KRML_MAYBE_FOR4(i, 0U, 4U, 1U, store32_le(second + i * 4U, row1[i]);); uint8_t *final = b; memcpy(output, final, nn * sizeof (uint8_t)); - Lib_Memzero0_memzero(b, 32U, uint8_t); + Lib_Memzero0_memzero(b, 32U, uint8_t, void *); } /** @@ -925,7 +976,7 @@ Hacl_Hash_Blake2s_hash_with_key( Hacl_Hash_Blake2s_init(b, key_len, output_len); update(b1, b, key_len, key, input_len, input); Hacl_Hash_Blake2s_finish(output_len, output, b); - Lib_Memzero0_memzero(b1, 16U, uint32_t); - Lib_Memzero0_memzero(b, 16U, uint32_t); + Lib_Memzero0_memzero(b1, 16U, uint32_t, void *); + Lib_Memzero0_memzero(b, 16U, uint32_t, void *); } diff --git a/src/msvc/Hacl_Hash_Blake2s_Simd128.c b/src/msvc/Hacl_Hash_Blake2s_Simd128.c index 73f0cccb..7577c07e 100644 --- a/src/msvc/Hacl_Hash_Blake2s_Simd128.c +++ b/src/msvc/Hacl_Hash_Blake2s_Simd128.c @@ -26,6 +26,7 @@ #include "internal/Hacl_Hash_Blake2s_Simd128.h" #include "internal/Hacl_Impl_Blake2_Constants.h" +#include "internal/Hacl_Hash_Blake2b.h" #include "lib_memzero0.h" static inline void @@ -214,6 +215,7 @@ update_block( void Hacl_Hash_Blake2s_Simd128_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t kk, uint32_t nn) { + uint32_t tmp[8U] = { 0U }; Lib_IntVector_Intrinsics_vec128 *r0 = hash; Lib_IntVector_Intrinsics_vec128 *r1 = hash + 1U; Lib_IntVector_Intrinsics_vec128 *r2 = hash + 2U; @@ -228,10 +230,59 @@ Hacl_Hash_Blake2s_Simd128_init(Lib_IntVector_Intrinsics_vec128 *hash, uint32_t k uint32_t iv7 = Hacl_Hash_Blake2s_ivTable_S[7U]; r2[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0, iv1, iv2, iv3); r3[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); - uint32_t kk_shift_8 = kk << 8U; - uint32_t iv0_ = iv0 ^ (0x01010000U ^ (kk_shift_8 ^ nn)); - r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1, iv2, iv3); - r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4, iv5, iv6, iv7); + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; + Hacl_Hash_Blake2s_blake2s_params + p = + { + .digest_length = 32U, .key_length = 0U, .fanout = 1U, .depth = 1U, .leaf_length = 0U, + .node_offset = 0U, .xof_length = 0U, .node_depth = 0U, .inner_length = 0U, .salt = salt, + .personal = personal + }; + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 4U; + uint8_t *bj = p.salt + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + KRML_MAYBE_FOR2(i, + 0U, + 2U, + 1U, + uint32_t *os = tmp + 6U; + uint8_t *bj = p.personal + i * 4U; + uint32_t u = load32_le(bj); + uint32_t r = u; + uint32_t x = r; + os[i] = x;); + tmp[0U] = nn ^ (kk << 8U ^ ((uint32_t)p.fanout << 16U ^ (uint32_t)p.depth << 24U)); + tmp[1U] = p.leaf_length; + tmp[2U] = p.node_offset; + tmp[3U] = + (uint32_t)p.xof_length + ^ ((uint32_t)p.node_depth << 16U ^ (uint32_t)p.inner_length << 24U); + uint32_t tmp0 = tmp[0U]; + uint32_t tmp1 = tmp[1U]; + uint32_t tmp2 = tmp[2U]; + uint32_t tmp3 = tmp[3U]; + uint32_t tmp4 = tmp[4U]; + uint32_t tmp5 = tmp[5U]; + uint32_t tmp6 = tmp[6U]; + uint32_t tmp7 = tmp[7U]; + uint32_t iv0_ = iv0 ^ tmp0; + uint32_t iv1_ = iv1 ^ tmp1; + uint32_t iv2_ = iv2 ^ tmp2; + uint32_t iv3_ = iv3 ^ tmp3; + uint32_t iv4_ = iv4 ^ tmp4; + uint32_t iv5_ = iv5 ^ tmp5; + uint32_t iv6_ = iv6 ^ tmp6; + uint32_t iv7_ = iv7 ^ tmp7; + r0[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv0_, iv1_, iv2_, iv3_); + r1[0U] = Lib_IntVector_Intrinsics_vec128_load32s(iv4_, iv5_, iv6_, iv7_); } static void @@ -254,7 +305,7 @@ update_key( { update_block(wv, hash, false, lb, b); } - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } void @@ -291,7 +342,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; update_block(wv, hash, true, totlen, b); - Lib_Memzero0_memzero(b, 64U, uint8_t); + Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } static inline void @@ -367,7 +418,7 @@ Hacl_Hash_Blake2s_Simd128_finish( Lib_IntVector_Intrinsics_vec128_store32_le(second, row1[0U]); uint8_t *final = b; memcpy(output, final, nn * sizeof (uint8_t)); - Lib_Memzero0_memzero(b, 32U, uint8_t); + Lib_Memzero0_memzero(b, 32U, uint8_t, void *); } void @@ -788,7 +839,7 @@ Hacl_Hash_Blake2s_Simd128_hash_with_key( Hacl_Hash_Blake2s_Simd128_init(b, key_len, output_len); update(b1, b, key_len, key, input_len, input); Hacl_Hash_Blake2s_Simd128_finish(output_len, output, b); - Lib_Memzero0_memzero(b1, 4U, Lib_IntVector_Intrinsics_vec128); - Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec128); + Lib_Memzero0_memzero(b1, 4U, Lib_IntVector_Intrinsics_vec128, void *); + Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec128, void *); } diff --git a/src/msvc/Lib_RandomBuffer_System.c b/src/msvc/Lib_RandomBuffer_System.c index 0d7924b4..de6ef337 100644 --- a/src/msvc/Lib_RandomBuffer_System.c +++ b/src/msvc/Lib_RandomBuffer_System.c @@ -31,6 +31,7 @@ bool read_random_bytes(uint32_t len, uint8_t *buf) { #include #include #include +#include #include bool read_random_bytes(uint32_t len, uint8_t *buf) { diff --git a/src/wasm/EverCrypt_Hash.wasm b/src/wasm/EverCrypt_Hash.wasm index 101c3f68..a5f05d9d 100644 Binary files a/src/wasm/EverCrypt_Hash.wasm and b/src/wasm/EverCrypt_Hash.wasm differ diff --git a/src/wasm/Hacl_AEAD_Chacha20Poly1305_Simd256.wasm b/src/wasm/Hacl_AEAD_Chacha20Poly1305_Simd256.wasm index 804858db..1f8a5cdc 100644 Binary files a/src/wasm/Hacl_AEAD_Chacha20Poly1305_Simd256.wasm and b/src/wasm/Hacl_AEAD_Chacha20Poly1305_Simd256.wasm differ diff --git a/src/wasm/Hacl_Ed25519_PrecompTable.wasm b/src/wasm/Hacl_Ed25519_PrecompTable.wasm index 46a7380d..c94538f0 100644 Binary files a/src/wasm/Hacl_Ed25519_PrecompTable.wasm and b/src/wasm/Hacl_Ed25519_PrecompTable.wasm differ diff --git a/src/wasm/Hacl_HMAC.wasm b/src/wasm/Hacl_HMAC.wasm index c2e51b85..4837783c 100644 Binary files a/src/wasm/Hacl_HMAC.wasm and b/src/wasm/Hacl_HMAC.wasm differ diff --git a/src/wasm/Hacl_HMAC_DRBG.wasm b/src/wasm/Hacl_HMAC_DRBG.wasm index c1cb2fd3..f536237d 100644 Binary files a/src/wasm/Hacl_HMAC_DRBG.wasm and b/src/wasm/Hacl_HMAC_DRBG.wasm differ diff --git a/src/wasm/Hacl_Hash_Blake2b.wasm b/src/wasm/Hacl_Hash_Blake2b.wasm index 8882f5e8..e158bcd8 100644 Binary files a/src/wasm/Hacl_Hash_Blake2b.wasm and b/src/wasm/Hacl_Hash_Blake2b.wasm differ diff --git a/src/wasm/Hacl_Hash_Blake2b_Simd256.wasm b/src/wasm/Hacl_Hash_Blake2b_Simd256.wasm index 27244515..d144e065 100644 Binary files a/src/wasm/Hacl_Hash_Blake2b_Simd256.wasm and b/src/wasm/Hacl_Hash_Blake2b_Simd256.wasm differ diff --git a/src/wasm/Hacl_Hash_Blake2s.wasm b/src/wasm/Hacl_Hash_Blake2s.wasm index 0dcaff92..f9d6889e 100644 Binary files a/src/wasm/Hacl_Hash_Blake2s.wasm and b/src/wasm/Hacl_Hash_Blake2s.wasm differ diff --git a/src/wasm/Hacl_Hash_Blake2s_Simd128.wasm b/src/wasm/Hacl_Hash_Blake2s_Simd128.wasm index 6d5cdb78..fd3c1b86 100644 Binary files a/src/wasm/Hacl_Hash_Blake2s_Simd128.wasm and b/src/wasm/Hacl_Hash_Blake2s_Simd128.wasm differ diff --git a/src/wasm/Hacl_SHA2_Vec128.wasm b/src/wasm/Hacl_SHA2_Vec128.wasm index cef1c90d..549c8a5f 100644 Binary files a/src/wasm/Hacl_SHA2_Vec128.wasm and b/src/wasm/Hacl_SHA2_Vec128.wasm differ diff --git a/src/wasm/INFO.txt b/src/wasm/INFO.txt index d2f1192f..00ae5eaf 100644 --- a/src/wasm/INFO.txt +++ b/src/wasm/INFO.txt @@ -1,4 +1,4 @@ This code was generated with the following toolchain. -F* version: 6e23042e74555544267731295b7d382c86edc574 -Karamel version: a7be2a7c43eca637ceb57fe8f3ffd16fc6627ebd +F* version: cd5b7bc765f790ee187c99e3c9e79bdde4ff0bc9 +Karamel version: 08bfa78ae1df5639446e6c5897b07c9823fbf3b0 Vale version: 0.3.19 diff --git a/src/wasm/layouts.json b/src/wasm/layouts.json index 81273a66..d62bb7ad 100644 --- a/src/wasm/layouts.json +++ b/src/wasm/layouts.json @@ -1 +1 @@ -{"Spec_Hash_Definitions_hash_alg":["LEnum"],"Prims_string":["LBuiltin",["I32"],["A32"]],"Prims_int":["LBuiltin",["I32"],["A32"]],"K___uint32_t_uint32_t":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Int",["A32"]]]]]}],"__bool_bool_bool_bool":["LFlat",{"size":4,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[3,["Int",["A8"]]]]]}],"__bool_bool":["LFlat",{"size":2,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]]]}],"Hacl_Streaming_Types_error_code":["LEnum"],"Hacl_MAC_Poly1305_state_t":["LFlat",{"size":20,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]],["p_key",[16,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Streaming_MD_state_64":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Streaming_MD_state_32":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A32"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Hash_SHA3_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"hash_buf2":["LFlat",{"size":16,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["snd",[8,["Layout","Hacl_Hash_SHA3_hash_buf"]]]]}],"Hacl_Hash_SHA3_hash_buf":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Hash_Blake2s_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2s_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A32"]]]]],["snd",[4,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Hash_Blake2s_Simd128_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2s_Simd128_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_Simd128_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Hash_Blake2b_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2b_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A64"]]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Hash_Blake2b_Simd256_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2b_Simd256_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_Simd256_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Hash_SHA2_uint8_8p":["LFlat",{"size":56,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_7p"]]]]}],"Hacl_Hash_SHA2_uint8_7p":["LFlat",{"size":48,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_6p"]]]]}],"Hacl_Hash_SHA2_uint8_6p":["LFlat",{"size":40,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_5p"]]]]}],"Hacl_Hash_SHA2_uint8_5p":["LFlat",{"size":32,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_4p":["LFlat",{"size":24,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_3p"]]]]}],"Hacl_Hash_SHA2_uint8_3p":["LFlat",{"size":16,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_2p"]]]]}],"Hacl_Hash_SHA2_uint8_2x8p":["LFlat",{"size":112,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_8p"]]],["snd",[56,["Layout","Hacl_Hash_SHA2_uint8_8p"]]]]}],"Hacl_Hash_SHA2_uint8_2x4p":["LFlat",{"size":48,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_4p"]]],["snd",[24,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_2p":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[4,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Impl_HPKE_context_s":["LFlat",{"size":16,"fields":[["ctx_key",[0,["Pointer",["Int",["A8"]]]]],["ctx_nonce",[4,["Pointer",["Int",["A8"]]]]],["ctx_seq",[8,["Pointer",["Int",["A64"]]]]],["ctx_exporter",[12,["Pointer",["Int",["A8"]]]]]]}],"Hacl_HMAC_DRBG_state":["LFlat",{"size":12,"fields":[["k",[0,["Pointer",["Int",["A8"]]]]],["v",[4,["Pointer",["Int",["A8"]]]]],["reseed_counter",[8,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64":["LFlat",{"size":20,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A64"]]]]],["mu",[8,["Int",["A64"]]]],["r2",[16,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32":["LFlat",{"size":16,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A32"]]]]],["mu",[8,["Int",["A32"]]]],["r2",[12,["Pointer",["Int",["A32"]]]]]]}],"FStar_UInt128_uint128":["LFlat",{"size":16,"fields":[["low",[0,["Int",["A64"]]]],["high",[8,["Int",["A64"]]]]]}],"EverCrypt_Hash_Incremental_state_t":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Layout","EverCrypt_Hash_state_s"]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"state_s_tags":["LEnum"],"EverCrypt_Hash_state_s":["LFlat",{"size":12,"fields":[["tag",[0,["Int",["A32"]]]],["val",[8,["Union",[["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A32"]]],["Pointer",["Unknown"]],["Pointer",["Int",["A64"]]],["Pointer",["Unknown"]]]]]]]}],"EverCrypt_Error_error_code":["LEnum"],"C_String_t_":["LBuiltin",["I32"],["A32"]],"C_String_t":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t_":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t":["LBuiltin",["I32"],["A32"]],"exit_code":["LBuiltin",["I32"],["A32"]],"clock_t":["LBuiltin",["I32"],["A32"]]} \ No newline at end of file +{"Spec_Hash_Definitions_hash_alg":["LEnum"],"Prims_string":["LBuiltin",["I32"],["A32"]],"Prims_int":["LBuiltin",["I32"],["A32"]],"K___uint32_t_uint32_t":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Int",["A32"]]]]]}],"__bool_bool_bool_bool":["LFlat",{"size":4,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]],["thd",[2,["Int",["A8"]]]],["f3",[3,["Int",["A8"]]]]]}],"__bool_bool":["LFlat",{"size":2,"fields":[["fst",[0,["Int",["A8"]]]],["snd",[1,["Int",["A8"]]]]]}],"Hacl_Streaming_Types_error_code":["LEnum"],"Hacl_MAC_Poly1305_state_t":["LFlat",{"size":20,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]],["p_key",[16,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Streaming_MD_state_64":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A64"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Streaming_MD_state_32":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Int",["A32"]]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"Hacl_Hash_SHA3_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"hash_buf2":["LFlat",{"size":16,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA3_hash_buf"]]],["snd",[8,["Layout","Hacl_Hash_SHA3_hash_buf"]]]]}],"Hacl_Hash_SHA3_hash_buf":["LFlat",{"size":8,"fields":[["fst",[0,["Int",["A32"]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Hash_Blake2s_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2s_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A32"]]]]],["snd",[4,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Hash_Blake2s_Simd128_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2s_Simd128_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2s_Simd128_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Hash_Blake2b_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2b_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A64"]]]]],["snd",[4,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Hash_Blake2b_Simd256_state_t":["LFlat",{"size":24,"fields":[["block_state",[0,["Layout","Hacl_Hash_Blake2b_Simd256_block_state_t"]]],["buf",[8,["Pointer",["Int",["A8"]]]]],["total_len",[16,["Int",["A64"]]]]]}],"Hacl_Hash_Blake2b_Simd256_block_state_t":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Unknown"]]]],["snd",[4,["Pointer",["Unknown"]]]]]}],"Hacl_Hash_SHA2_uint8_8p":["LFlat",{"size":56,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_7p"]]]]}],"Hacl_Hash_SHA2_uint8_7p":["LFlat",{"size":48,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_6p"]]]]}],"Hacl_Hash_SHA2_uint8_6p":["LFlat",{"size":40,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_5p"]]]]}],"Hacl_Hash_SHA2_uint8_5p":["LFlat",{"size":32,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_4p":["LFlat",{"size":24,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_3p"]]]]}],"Hacl_Hash_SHA2_uint8_3p":["LFlat",{"size":16,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[8,["Layout","Hacl_Hash_SHA2_uint8_2p"]]]]}],"Hacl_Hash_SHA2_uint8_2x8p":["LFlat",{"size":112,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_8p"]]],["snd",[56,["Layout","Hacl_Hash_SHA2_uint8_8p"]]]]}],"Hacl_Hash_SHA2_uint8_2x4p":["LFlat",{"size":48,"fields":[["fst",[0,["Layout","Hacl_Hash_SHA2_uint8_4p"]]],["snd",[24,["Layout","Hacl_Hash_SHA2_uint8_4p"]]]]}],"Hacl_Hash_SHA2_uint8_2p":["LFlat",{"size":8,"fields":[["fst",[0,["Pointer",["Int",["A8"]]]]],["snd",[4,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Impl_HPKE_context_s":["LFlat",{"size":16,"fields":[["ctx_key",[0,["Pointer",["Int",["A8"]]]]],["ctx_nonce",[4,["Pointer",["Int",["A8"]]]]],["ctx_seq",[8,["Pointer",["Int",["A64"]]]]],["ctx_exporter",[12,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Hash_Blake2s_blake2s_params":["LFlat",{"size":24,"fields":[["digest_length",[0,["Int",["A8"]]]],["key_length",[1,["Int",["A8"]]]],["fanout",[2,["Int",["A8"]]]],["depth",[3,["Int",["A8"]]]],["leaf_length",[4,["Int",["A32"]]]],["node_offset",[8,["Int",["A32"]]]],["xof_length",[12,["Int",["A16"]]]],["node_depth",[14,["Int",["A8"]]]],["inner_length",[15,["Int",["A8"]]]],["salt",[16,["Pointer",["Int",["A8"]]]]],["personal",[20,["Pointer",["Int",["A8"]]]]]]}],"Hacl_Hash_Blake2s_blake2b_params":["LFlat",{"size":28,"fields":[["digest_length1",[0,["Int",["A8"]]]],["key_length1",[1,["Int",["A8"]]]],["fanout1",[2,["Int",["A8"]]]],["depth1",[3,["Int",["A8"]]]],["leaf_length1",[4,["Int",["A32"]]]],["node_offset1",[8,["Int",["A32"]]]],["xof_length1",[12,["Int",["A32"]]]],["node_depth1",[16,["Int",["A8"]]]],["inner_length1",[17,["Int",["A8"]]]],["salt1",[20,["Pointer",["Int",["A8"]]]]],["personal1",[24,["Pointer",["Int",["A8"]]]]]]}],"Hacl_HMAC_DRBG_state":["LFlat",{"size":12,"fields":[["k",[0,["Pointer",["Int",["A8"]]]]],["v",[4,["Pointer",["Int",["A8"]]]]],["reseed_counter",[8,["Pointer",["Int",["A32"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64":["LFlat",{"size":20,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A64"]]]]],["mu",[8,["Int",["A64"]]]],["r2",[16,["Pointer",["Int",["A64"]]]]]]}],"Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32":["LFlat",{"size":16,"fields":[["len",[0,["Int",["A32"]]]],["n",[4,["Pointer",["Int",["A32"]]]]],["mu",[8,["Int",["A32"]]]],["r2",[12,["Pointer",["Int",["A32"]]]]]]}],"FStar_UInt128_uint128":["LFlat",{"size":16,"fields":[["low",[0,["Int",["A64"]]]],["high",[8,["Int",["A64"]]]]]}],"EverCrypt_Hash_Incremental_state_t":["LFlat",{"size":16,"fields":[["block_state",[0,["Pointer",["Layout","EverCrypt_Hash_state_s"]]]],["buf",[4,["Pointer",["Int",["A8"]]]]],["total_len",[8,["Int",["A64"]]]]]}],"state_s_tags":["LEnum"],"EverCrypt_Hash_state_s":["LFlat",{"size":12,"fields":[["tag",[0,["Int",["A32"]]]],["val",[8,["Union",[["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A32"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A64"]]],["Pointer",["Int",["A32"]]],["Pointer",["Unknown"]],["Pointer",["Int",["A64"]]],["Pointer",["Unknown"]]]]]]]}],"EverCrypt_Error_error_code":["LEnum"],"C_String_t_":["LBuiltin",["I32"],["A32"]],"C_String_t":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t_":["LBuiltin",["I32"],["A32"]],"C_Compat_String_t":["LBuiltin",["I32"],["A32"]],"exit_code":["LBuiltin",["I32"],["A32"]],"clock_t":["LBuiltin",["I32"],["A32"]]} \ No newline at end of file