diff options
| author | Pete Bentley <prb@google.com> | 2022-04-08 14:58:19 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-04-08 14:58:19 +0000 |
| commit | c10370a9135e12ca597ab0cb648d1ed48b452f8a (patch) | |
| tree | 1f337973194ebe2e527c0085a51899e13686b0a6 | |
| parent | a5d98d3c248e3f389b9e4e81bec28a6a174e5210 (diff) | |
| parent | 00dbfb59720da729522f000c6f1a70cda4d2e7e8 (diff) | |
| download | boringssl-c10370a9135e12ca597ab0cb648d1ed48b452f8a.tar.gz | |
external/boringssl: Sync to c9a7dd687987666df5910f2b35fdc8c3d1e5ed05. am: 6d77d67fee am: d3915051ff am: 00dbfb5972
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/boringssl/+/17654895
Change-Id: I79ea758473ba5a6c26068c0a2c87e3b3529c6004
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
69 files changed, 8595 insertions, 4196 deletions
diff --git a/BORINGSSL_REVISION b/BORINGSSL_REVISION index 95a1efcd..26d2c0d2 100644 --- a/BORINGSSL_REVISION +++ b/BORINGSSL_REVISION @@ -1 +1 @@ -81502beeddc5f116d44d0898c6c4a33057198db8 +c9a7dd687987666df5910f2b35fdc8c3d1e5ed05 diff --git a/BUILD.generated.bzl b/BUILD.generated.bzl index bf9efa75..5e19592d 100644 --- a/BUILD.generated.bzl +++ b/BUILD.generated.bzl @@ -266,7 +266,6 @@ crypto_sources = [ "src/crypto/asn1/a_bool.c", "src/crypto/asn1/a_d2i_fp.c", "src/crypto/asn1/a_dup.c", - "src/crypto/asn1/a_enum.c", "src/crypto/asn1/a_gentm.c", "src/crypto/asn1/a_i2d_fp.c", "src/crypto/asn1/a_int.c", diff --git a/android-sources.cmake b/android-sources.cmake index 15079b35..294c054c 100644 --- a/android-sources.cmake +++ b/android-sources.cmake @@ -22,7 +22,6 @@ set(crypto_sources ${BORINGSSL_ROOT}src/crypto/asn1/a_bool.c ${BORINGSSL_ROOT}src/crypto/asn1/a_d2i_fp.c ${BORINGSSL_ROOT}src/crypto/asn1/a_dup.c - ${BORINGSSL_ROOT}src/crypto/asn1/a_enum.c ${BORINGSSL_ROOT}src/crypto/asn1/a_gentm.c ${BORINGSSL_ROOT}src/crypto/asn1/a_i2d_fp.c ${BORINGSSL_ROOT}src/crypto/asn1/a_int.c @@ -55,188 +55,188 @@ OPENSSL_STATIC_ASSERT(ERR_LIB_USER == 33, "library value changed"); OPENSSL_STATIC_ASSERT(ERR_NUM_LIBS == 34, "number of libraries changed"); const uint32_t kOpenSSLReasonValues[] = { - 0xc320862, - 0xc32887c, - 0xc33088b, - 0xc33889b, - 0xc3408aa, - 0xc3488c3, - 0xc3508cf, - 0xc3588ec, - 0xc36090c, - 0xc36891a, - 0xc37092a, - 0xc378937, - 0xc380947, - 0xc388952, - 0xc390968, - 0xc398977, - 0xc3a098b, - 0xc3a886f, + 0xc320885, + 0xc32889f, + 0xc3308ae, + 0xc3388be, + 0xc3408cd, + 0xc3488e6, + 0xc3508f2, + 0xc35890f, + 0xc36092f, + 0xc36893d, + 0xc37094d, + 0xc37895a, + 0xc38096a, + 0xc388975, + 0xc39098b, + 0xc39899a, + 0xc3a09ae, + 0xc3a8892, 0xc3b00f7, - 0xc3b88fe, - 0x1032086f, - 0x103295e5, - 0x103315f1, - 0x1033960a, - 0x1034161d, - 0x10348f4f, - 0x10350c88, - 0x10359630, - 0x1036165a, - 0x1036966d, - 0x1037168c, - 0x103796a5, - 0x103816ba, - 0x103896d8, - 0x103916e7, - 0x10399703, - 0x103a171e, - 0x103a972d, - 0x103b1749, - 0x103b9764, - 0x103c178a, + 0xc3b8921, + 0x10320892, + 0x10329608, + 0x10331614, + 0x1033962d, + 0x10341640, + 0x10348f72, + 0x10350cab, + 0x10359653, + 0x1036167d, + 0x10369690, + 0x103716af, + 0x103796c8, + 0x103816dd, + 0x103896fb, + 0x1039170a, + 0x10399726, + 0x103a1741, + 0x103a9750, + 0x103b176c, + 0x103b9787, + 0x103c17ad, 0x103c80f7, - 0x103d179b, - 0x103d97af, - 0x103e17ce, - 0x103e97dd, - 0x103f17f4, - 0x103f9807, - 0x10400c4c, - 0x1040981a, - 0x10411838, - 0x1041984b, - 0x10421865, - 0x10429875, - 0x10431889, - 0x1043989f, - 0x104418b7, - 0x104498cc, - 0x104518e0, - 0x104598f2, - 0x10460625, - 0x10468977, - 0x10471907, - 0x1047991e, - 0x10481933, - 0x10489941, - 0x10490e9b, - 0x1049977b, - 0x104a1645, - 0x14320c2f, - 0x14328c3d, - 0x14330c4c, - 0x14338c5e, + 0x103d17be, + 0x103d97d2, + 0x103e17f1, + 0x103e9800, + 0x103f1817, + 0x103f982a, + 0x10400c6f, + 0x1040983d, + 0x1041185b, + 0x1041986e, + 0x10421888, + 0x10429898, + 0x104318ac, + 0x104398c2, + 0x104418da, + 0x104498ef, + 0x10451903, + 0x10459915, + 0x10460635, + 0x1046899a, + 0x1047192a, + 0x10479941, + 0x10481956, + 0x10489964, + 0x10490ebe, + 0x1049979e, + 0x104a1668, + 0x14320c52, + 0x14328c60, + 0x14330c6f, + 0x14338c81, 0x143400b9, 0x143480f7, 0x18320090, - 0x18328fa5, + 0x18328fc8, 0x183300b9, - 0x18338fbb, - 0x18340fcf, + 0x18338fde, + 0x18340ff2, 0x183480f7, - 0x18350fee, - 0x18359006, - 0x1836101b, - 0x1836902f, - 0x18371067, - 0x1837907d, - 0x18381091, - 0x183890a1, - 0x18390a9d, - 0x183990b1, - 0x183a10d7, - 0x183a90fd, - 0x183b0ca7, - 0x183b914c, - 0x183c115e, - 0x183c9169, - 0x183d1179, - 0x183d918a, - 0x183e119b, - 0x183e91ad, - 0x183f11d6, - 0x183f91ef, - 0x18401207, - 0x184086fd, - 0x18411120, - 0x184190eb, - 0x1842110a, - 0x18428c94, - 0x184310c6, - 0x18439132, - 0x18440fe4, - 0x18449053, - 0x20321241, - 0x2032922e, - 0x2432124d, - 0x243289bd, - 0x2433125f, - 0x2433926c, - 0x24341279, - 0x2434928b, - 0x2435129a, - 0x243592b7, - 0x243612c4, - 0x243692d2, - 0x243712e0, - 0x243792ee, - 0x243812f7, - 0x24389304, - 0x24391317, - 0x28320c7c, - 0x28328ca7, - 0x28330c4c, - 0x28338cba, - 0x28340c88, + 0x18351011, + 0x18359029, + 0x1836103e, + 0x18369052, + 0x1837108a, + 0x183790a0, + 0x183810b4, + 0x183890c4, + 0x18390ac0, + 0x183990d4, + 0x183a10fa, + 0x183a9120, + 0x183b0cca, + 0x183b916f, + 0x183c1181, + 0x183c918c, + 0x183d119c, + 0x183d91ad, + 0x183e11be, + 0x183e91d0, + 0x183f11f9, + 0x183f9212, + 0x1840122a, + 0x1840870d, + 0x18411143, + 0x1841910e, + 0x1842112d, + 0x18428cb7, + 0x184310e9, + 0x18439155, + 0x18441007, + 0x18449076, + 0x20321264, + 0x20329251, + 0x24321270, + 0x243289e0, + 0x24331282, + 0x2433928f, + 0x2434129c, + 0x243492ae, + 0x243512bd, + 0x243592da, + 0x243612e7, + 0x243692f5, + 0x24371303, + 0x24379311, + 0x2438131a, + 0x24389327, + 0x2439133a, + 0x28320c9f, + 0x28328cca, + 0x28330c6f, + 0x28338cdd, + 0x28340cab, 0x283480b9, 0x283500f7, - 0x28358c94, - 0x2c323284, - 0x2c32932e, - 0x2c333292, - 0x2c33b2a4, - 0x2c3432b8, - 0x2c34b2ca, - 0x2c3532e5, - 0x2c35b2f7, - 0x2c363327, + 0x28358cb7, + 0x2c3232a7, + 0x2c329351, + 0x2c3332b5, + 0x2c33b2c7, + 0x2c3432db, + 0x2c34b2ed, + 0x2c353308, + 0x2c35b31a, + 0x2c36334a, 0x2c36833a, - 0x2c373334, - 0x2c37b360, - 0x2c383385, - 0x2c38b39c, - 0x2c3933ba, - 0x2c39b3ca, - 0x2c3a33dc, - 0x2c3ab3f0, - 0x2c3b3401, - 0x2c3bb420, - 0x2c3c1340, - 0x2c3c9356, - 0x2c3d3465, - 0x2c3d936f, - 0x2c3e348f, - 0x2c3eb49d, - 0x2c3f34b5, - 0x2c3fb4cd, - 0x2c4034f7, - 0x2c409241, - 0x2c413508, - 0x2c41b51b, - 0x2c421207, - 0x2c42b52c, - 0x2c43074a, - 0x2c43b412, - 0x2c443373, - 0x2c44b4da, - 0x2c45330a, - 0x2c45b346, - 0x2c4633aa, - 0x2c46b434, - 0x2c473449, - 0x2c47b482, + 0x2c373357, + 0x2c37b383, + 0x2c3833a8, + 0x2c38b3bf, + 0x2c3933dd, + 0x2c39b3ed, + 0x2c3a33ff, + 0x2c3ab413, + 0x2c3b3424, + 0x2c3bb443, + 0x2c3c1363, + 0x2c3c9379, + 0x2c3d3488, + 0x2c3d9392, + 0x2c3e34b2, + 0x2c3eb4c0, + 0x2c3f34d8, + 0x2c3fb4f0, + 0x2c40351a, + 0x2c409264, + 0x2c41352b, + 0x2c41b53e, + 0x2c42122a, + 0x2c42b54f, + 0x2c43076d, + 0x2c43b435, + 0x2c443396, + 0x2c44b4fd, + 0x2c45332d, + 0x2c45b369, + 0x2c4633cd, + 0x2c46b457, + 0x2c47346c, + 0x2c47b4a5, 0x30320000, 0x30328015, 0x3033001f, @@ -281,528 +281,530 @@ const uint32_t kOpenSSLReasonValues[] = { 0x3046833a, 0x30470372, 0x30478384, - 0x30480392, - 0x304883a3, - 0x304903b2, - 0x304983ca, - 0x304a03dc, - 0x304a83f0, - 0x304b0408, - 0x304b841b, - 0x304c0426, - 0x304c8437, - 0x304d0443, - 0x304d8459, - 0x304e0467, - 0x304e847d, - 0x304f048f, - 0x304f84a1, - 0x305004c4, - 0x305084d7, - 0x305104e8, - 0x305184f8, - 0x30520510, - 0x30528525, - 0x3053053d, - 0x30538551, - 0x30540569, - 0x30548582, - 0x3055059b, - 0x305585b8, - 0x305605c3, - 0x305685db, - 0x305705eb, - 0x305785fc, - 0x3058060f, - 0x30588625, - 0x3059062e, - 0x30598643, - 0x305a0656, - 0x305a8665, - 0x305b0685, - 0x305b8694, - 0x305c06b5, - 0x305c86d1, - 0x305d06dd, - 0x305d86fd, - 0x305e0719, - 0x305e872a, - 0x305f0740, - 0x305f874a, - 0x306004b4, + 0x304803a2, + 0x304883b3, + 0x304903c2, + 0x304983da, + 0x304a03ec, + 0x304a8400, + 0x304b0418, + 0x304b842b, + 0x304c0436, + 0x304c8447, + 0x304d0453, + 0x304d8469, + 0x304e0477, + 0x304e848d, + 0x304f049f, + 0x304f84b1, + 0x305004d4, + 0x305084e7, + 0x305104f8, + 0x30518508, + 0x30520520, + 0x30528535, + 0x3053054d, + 0x30538561, + 0x30540579, + 0x30548592, + 0x305505ab, + 0x305585c8, + 0x305605d3, + 0x305685eb, + 0x305705fb, + 0x3057860c, + 0x3058061f, + 0x30588635, + 0x3059063e, + 0x30598653, + 0x305a0666, + 0x305a8675, + 0x305b0695, + 0x305b86a4, + 0x305c06c5, + 0x305c86e1, + 0x305d06ed, + 0x305d870d, + 0x305e0729, + 0x305e874d, + 0x305f0763, + 0x305f876d, + 0x306004c4, 0x3060804a, 0x30610357, - 0x34320b8d, - 0x34328ba1, - 0x34330bbe, - 0x34338bd1, - 0x34340be0, - 0x34348c19, - 0x34350bfd, + 0x3061873a, + 0x30620392, + 0x34320bb0, + 0x34328bc4, + 0x34330be1, + 0x34338bf4, + 0x34340c03, + 0x34348c3c, + 0x34350c20, 0x3c320090, - 0x3c328ce4, - 0x3c330cfd, - 0x3c338d18, - 0x3c340d35, - 0x3c348d5f, - 0x3c350d7a, - 0x3c358da0, - 0x3c360db9, - 0x3c368dd1, - 0x3c370de2, - 0x3c378df0, - 0x3c380dfd, - 0x3c388e11, - 0x3c390ca7, - 0x3c398e34, - 0x3c3a0e48, - 0x3c3a8937, - 0x3c3b0e58, - 0x3c3b8e73, - 0x3c3c0e85, - 0x3c3c8eb8, - 0x3c3d0ec2, - 0x3c3d8ed6, - 0x3c3e0ee4, - 0x3c3e8f09, - 0x3c3f0cd0, - 0x3c3f8ef2, + 0x3c328d07, + 0x3c330d20, + 0x3c338d3b, + 0x3c340d58, + 0x3c348d82, + 0x3c350d9d, + 0x3c358dc3, + 0x3c360ddc, + 0x3c368df4, + 0x3c370e05, + 0x3c378e13, + 0x3c380e20, + 0x3c388e34, + 0x3c390cca, + 0x3c398e57, + 0x3c3a0e6b, + 0x3c3a895a, + 0x3c3b0e7b, + 0x3c3b8e96, + 0x3c3c0ea8, + 0x3c3c8edb, + 0x3c3d0ee5, + 0x3c3d8ef9, + 0x3c3e0f07, + 0x3c3e8f2c, + 0x3c3f0cf3, + 0x3c3f8f15, 0x3c4000b9, 0x3c4080f7, - 0x3c410d50, - 0x3c418d8f, - 0x3c420e9b, - 0x3c428e25, - 0x403219d3, - 0x403299e9, - 0x40331a17, - 0x40339a21, - 0x40341a38, - 0x40349a56, - 0x40351a66, - 0x40359a78, - 0x40361a85, - 0x40369a91, - 0x40371aa6, - 0x40379ab8, - 0x40381ac3, - 0x40389ad5, - 0x40390f4f, - 0x40399ae5, - 0x403a1af8, - 0x403a9b19, - 0x403b1b2a, - 0x403b9b3a, + 0x3c410d73, + 0x3c418db2, + 0x3c420ebe, + 0x3c428e48, + 0x403219f6, + 0x40329a0c, + 0x40331a3a, + 0x40339a44, + 0x40341a5b, + 0x40349a79, + 0x40351a89, + 0x40359a9b, + 0x40361aa8, + 0x40369ab4, + 0x40371ac9, + 0x40379adb, + 0x40381ae6, + 0x40389af8, + 0x40390f72, + 0x40399b08, + 0x403a1b1b, + 0x403a9b3c, + 0x403b1b4d, + 0x403b9b5d, 0x403c0071, 0x403c8090, - 0x403d1b9b, - 0x403d9bb1, - 0x403e1bc0, - 0x403e9bf8, - 0x403f1c12, - 0x403f9c3a, - 0x40401c4f, - 0x40409c63, - 0x40411c9e, - 0x40419cb9, - 0x40421cd2, - 0x40429ce5, - 0x40431cf9, - 0x40439d27, - 0x40441d3e, + 0x403d1bbe, + 0x403d9bd4, + 0x403e1be3, + 0x403e9c1b, + 0x403f1c35, + 0x403f9c5d, + 0x40401c72, + 0x40409c86, + 0x40411cc1, + 0x40419cdc, + 0x40421cf5, + 0x40429d08, + 0x40431d1c, + 0x40439d4a, + 0x40441d61, 0x404480b9, - 0x40451d53, - 0x40459d65, - 0x40461d89, - 0x40469da9, - 0x40471db7, - 0x40479dde, - 0x40481e4f, - 0x40489f09, - 0x40491f20, - 0x40499f3a, - 0x404a1f51, - 0x404a9f6f, - 0x404b1f87, - 0x404b9fb4, - 0x404c1fca, - 0x404c9fdc, - 0x404d1ffd, - 0x404da036, - 0x404e204a, - 0x404ea057, - 0x404f20f1, - 0x404fa167, - 0x405021d6, - 0x4050a1ea, - 0x4051221d, - 0x4052222d, - 0x4052a251, - 0x40532269, - 0x4053a27c, - 0x40542291, - 0x4054a2b4, - 0x405522df, - 0x4055a31c, - 0x40562341, - 0x4056a35a, - 0x40572372, - 0x4057a385, - 0x4058239a, - 0x4058a3c1, - 0x405923f0, - 0x4059a41d, - 0x405a2431, - 0x405aa441, - 0x405b2459, - 0x405ba46a, - 0x405c247d, - 0x405ca4bc, - 0x405d24c9, - 0x405da4ee, - 0x405e252c, - 0x405e8adb, - 0x405f254d, - 0x405fa55a, - 0x40602568, - 0x4060a58a, - 0x406125eb, - 0x4061a623, - 0x4062263a, - 0x4062a64b, - 0x40632698, - 0x4063a6ad, - 0x406426c4, - 0x4064a6f0, - 0x4065270b, - 0x4065a722, - 0x4066273a, - 0x4066a764, - 0x4067278f, - 0x4067a7d4, - 0x4068281c, - 0x4068a83d, - 0x4069286f, - 0x4069a89d, - 0x406a28be, - 0x406aa8de, - 0x406b2a66, - 0x406baa89, - 0x406c2a9f, - 0x406cada9, - 0x406d2dd8, - 0x406dae00, - 0x406e2e2e, - 0x406eae7b, - 0x406f2ed4, - 0x406faf0c, - 0x40702f1f, - 0x4070af3c, - 0x4071082a, - 0x4071af4e, - 0x40722f61, - 0x4072af97, - 0x40732faf, - 0x40739540, - 0x40742fc3, - 0x4074afdd, - 0x40752fee, - 0x4075b002, - 0x40763010, - 0x40769304, - 0x40773035, - 0x4077b075, - 0x40783090, - 0x4078b0c9, - 0x407930e0, - 0x4079b0f6, - 0x407a3122, - 0x407ab135, - 0x407b314a, - 0x407bb15c, - 0x407c318d, - 0x407cb196, - 0x407d2858, - 0x407da18f, - 0x407e30a5, - 0x407ea3d1, - 0x407f1dcb, - 0x407f9f9e, - 0x40802101, - 0x40809df3, - 0x4081223f, - 0x4081a0a5, - 0x40822e19, - 0x40829b46, - 0x408323ac, - 0x4083a6d5, - 0x40841e07, - 0x4084a409, - 0x4085248e, - 0x4085a5b2, - 0x4086250e, - 0x4086a1a9, - 0x40872e5f, - 0x4087a600, - 0x40881b84, - 0x4088a7e7, - 0x40891bd3, - 0x40899b60, - 0x408a2ad7, - 0x408a9958, - 0x408b3171, - 0x408baee9, - 0x408c249e, - 0x408c9990, - 0x408d1eef, - 0x408d9e39, - 0x408e201f, - 0x408ea2fc, - 0x408f27fb, - 0x408fa5ce, - 0x409027b0, - 0x4090a4e0, - 0x40912abf, - 0x409199b6, - 0x40921c20, - 0x4092ae9a, - 0x40932f7a, - 0x4093a1ba, - 0x40941e1b, - 0x4094aaf0, - 0x4095265c, - 0x4095b102, - 0x40962e46, - 0x4096a11a, - 0x40972205, - 0x4097a06e, - 0x40981c80, - 0x4098a670, - 0x40992eb6, - 0x4099a329, - 0x409a22c2, - 0x409a9974, - 0x409b1e75, - 0x409b9ea0, - 0x409c3057, - 0x409c9ec8, - 0x409d20d6, - 0x409da0bb, - 0x409e1d11, - 0x409ea14f, - 0x409f2137, - 0x409f9e68, - 0x40a02177, - 0x40a0a088, - 0x41f42991, - 0x41f92a23, - 0x41fe2916, - 0x41feabcc, - 0x41ff2cfa, - 0x420329aa, - 0x420829cc, - 0x4208aa08, - 0x420928fa, - 0x4209aa42, - 0x420a2951, - 0x420aa931, - 0x420b2971, - 0x420ba9ea, - 0x420c2d16, - 0x420cab00, - 0x420d2bb3, - 0x420dabea, - 0x42122c1d, - 0x42172cdd, - 0x4217ac5f, - 0x421c2c81, - 0x421f2c3c, - 0x42212d8e, - 0x42262cc0, - 0x422b2d6c, - 0x422bab8e, - 0x422c2d4e, - 0x422cab41, - 0x422d2b1a, - 0x422dad2d, - 0x422e2b6d, - 0x42302c9c, - 0x4230ac04, - 0x44320755, - 0x44328764, - 0x44330770, - 0x4433877e, - 0x44340791, - 0x443487a2, - 0x443507a9, - 0x443587b3, - 0x443607c6, - 0x443687dc, - 0x443707ee, - 0x443787fb, - 0x4438080a, - 0x44388812, - 0x4439082a, - 0x44398838, - 0x443a084b, - 0x4832132e, - 0x48329340, - 0x48331356, - 0x4833936f, - 0x4c321394, - 0x4c3293a4, - 0x4c3313b7, - 0x4c3393d7, + 0x40451d76, + 0x40459d88, + 0x40461dac, + 0x40469dcc, + 0x40471dda, + 0x40479e01, + 0x40481e72, + 0x40489f2c, + 0x40491f43, + 0x40499f5d, + 0x404a1f74, + 0x404a9f92, + 0x404b1faa, + 0x404b9fd7, + 0x404c1fed, + 0x404c9fff, + 0x404d2020, + 0x404da059, + 0x404e206d, + 0x404ea07a, + 0x404f2114, + 0x404fa18a, + 0x405021f9, + 0x4050a20d, + 0x40512240, + 0x40522250, + 0x4052a274, + 0x4053228c, + 0x4053a29f, + 0x405422b4, + 0x4054a2d7, + 0x40552302, + 0x4055a33f, + 0x40562364, + 0x4056a37d, + 0x40572395, + 0x4057a3a8, + 0x405823bd, + 0x4058a3e4, + 0x40592413, + 0x4059a440, + 0x405a2454, + 0x405aa464, + 0x405b247c, + 0x405ba48d, + 0x405c24a0, + 0x405ca4df, + 0x405d24ec, + 0x405da511, + 0x405e254f, + 0x405e8afe, + 0x405f2570, + 0x405fa57d, + 0x4060258b, + 0x4060a5ad, + 0x4061260e, + 0x4061a646, + 0x4062265d, + 0x4062a66e, + 0x406326bb, + 0x4063a6d0, + 0x406426e7, + 0x4064a713, + 0x4065272e, + 0x4065a745, + 0x4066275d, + 0x4066a787, + 0x406727b2, + 0x4067a7f7, + 0x4068283f, + 0x4068a860, + 0x40692892, + 0x4069a8c0, + 0x406a28e1, + 0x406aa901, + 0x406b2a89, + 0x406baaac, + 0x406c2ac2, + 0x406cadcc, + 0x406d2dfb, + 0x406dae23, + 0x406e2e51, + 0x406eae9e, + 0x406f2ef7, + 0x406faf2f, + 0x40702f42, + 0x4070af5f, + 0x4071084d, + 0x4071af71, + 0x40722f84, + 0x4072afba, + 0x40732fd2, + 0x40739563, + 0x40742fe6, + 0x4074b000, + 0x40753011, + 0x4075b025, + 0x40763033, + 0x40769327, + 0x40773058, + 0x4077b098, + 0x407830b3, + 0x4078b0ec, + 0x40793103, + 0x4079b119, + 0x407a3145, + 0x407ab158, + 0x407b316d, + 0x407bb17f, + 0x407c31b0, + 0x407cb1b9, + 0x407d287b, + 0x407da1b2, + 0x407e30c8, + 0x407ea3f4, + 0x407f1dee, + 0x407f9fc1, + 0x40802124, + 0x40809e16, + 0x40812262, + 0x4081a0c8, + 0x40822e3c, + 0x40829b69, + 0x408323cf, + 0x4083a6f8, + 0x40841e2a, + 0x4084a42c, + 0x408524b1, + 0x4085a5d5, + 0x40862531, + 0x4086a1cc, + 0x40872e82, + 0x4087a623, + 0x40881ba7, + 0x4088a80a, + 0x40891bf6, + 0x40899b83, + 0x408a2afa, + 0x408a997b, + 0x408b3194, + 0x408baf0c, + 0x408c24c1, + 0x408c99b3, + 0x408d1f12, + 0x408d9e5c, + 0x408e2042, + 0x408ea31f, + 0x408f281e, + 0x408fa5f1, + 0x409027d3, + 0x4090a503, + 0x40912ae2, + 0x409199d9, + 0x40921c43, + 0x4092aebd, + 0x40932f9d, + 0x4093a1dd, + 0x40941e3e, + 0x4094ab13, + 0x4095267f, + 0x4095b125, + 0x40962e69, + 0x4096a13d, + 0x40972228, + 0x4097a091, + 0x40981ca3, + 0x4098a693, + 0x40992ed9, + 0x4099a34c, + 0x409a22e5, + 0x409a9997, + 0x409b1e98, + 0x409b9ec3, + 0x409c307a, + 0x409c9eeb, + 0x409d20f9, + 0x409da0de, + 0x409e1d34, + 0x409ea172, + 0x409f215a, + 0x409f9e8b, + 0x40a0219a, + 0x40a0a0ab, + 0x41f429b4, + 0x41f92a46, + 0x41fe2939, + 0x41feabef, + 0x41ff2d1d, + 0x420329cd, + 0x420829ef, + 0x4208aa2b, + 0x4209291d, + 0x4209aa65, + 0x420a2974, + 0x420aa954, + 0x420b2994, + 0x420baa0d, + 0x420c2d39, + 0x420cab23, + 0x420d2bd6, + 0x420dac0d, + 0x42122c40, + 0x42172d00, + 0x4217ac82, + 0x421c2ca4, + 0x421f2c5f, + 0x42212db1, + 0x42262ce3, + 0x422b2d8f, + 0x422babb1, + 0x422c2d71, + 0x422cab64, + 0x422d2b3d, + 0x422dad50, + 0x422e2b90, + 0x42302cbf, + 0x4230ac27, + 0x44320778, + 0x44328787, + 0x44330793, + 0x443387a1, + 0x443407b4, + 0x443487c5, + 0x443507cc, + 0x443587d6, + 0x443607e9, + 0x443687ff, + 0x44370811, + 0x4437881e, + 0x4438082d, + 0x44388835, + 0x4439084d, + 0x4439885b, + 0x443a086e, + 0x48321351, + 0x48329363, + 0x48331379, + 0x48339392, + 0x4c3213b7, + 0x4c3293c7, + 0x4c3313da, + 0x4c3393fa, 0x4c3400b9, 0x4c3480f7, - 0x4c3513e3, - 0x4c3593f1, - 0x4c36140d, - 0x4c369433, - 0x4c371442, - 0x4c379450, - 0x4c381465, - 0x4c389471, - 0x4c391491, - 0x4c3994bb, - 0x4c3a14d4, - 0x4c3a94ed, - 0x4c3b0625, - 0x4c3b9506, - 0x4c3c1518, - 0x4c3c9527, - 0x4c3d1540, - 0x4c3d8c6f, - 0x4c3e15ad, - 0x4c3e954f, - 0x4c3f15cf, - 0x4c3f9304, - 0x4c401565, - 0x4c409380, - 0x4c41159d, - 0x4c419420, - 0x4c421589, - 0x5032353e, - 0x5032b54d, - 0x50333558, - 0x5033b568, - 0x50343581, - 0x5034b59b, - 0x503535a9, - 0x5035b5bf, - 0x503635d1, - 0x5036b5e7, - 0x50373600, - 0x5037b613, - 0x5038362b, - 0x5038b63c, - 0x50393651, - 0x5039b665, - 0x503a3685, - 0x503ab69b, - 0x503b36b3, - 0x503bb6c5, - 0x503c36e1, - 0x503cb6f8, - 0x503d3711, - 0x503db727, - 0x503e3734, - 0x503eb74a, - 0x503f375c, - 0x503f83a3, - 0x5040376f, - 0x5040b77f, - 0x50413799, - 0x5041b7a8, - 0x504237c2, - 0x5042b7df, - 0x504337ef, - 0x5043b7ff, - 0x5044381c, - 0x50448459, - 0x50453830, - 0x5045b84e, - 0x50463861, - 0x5046b877, - 0x50473889, - 0x5047b89e, - 0x504838c4, - 0x5048b8d2, - 0x504938e5, - 0x5049b8fa, - 0x504a3910, - 0x504ab920, - 0x504b3940, - 0x504bb953, - 0x504c3976, - 0x504cb9a4, - 0x504d39d1, - 0x504db9ee, - 0x504e3a09, - 0x504eba25, - 0x504f3a37, - 0x504fba4e, - 0x50503a5d, - 0x50508719, - 0x50513a70, - 0x5051b80e, - 0x505239b6, - 0x58320f8d, - 0x68320f4f, - 0x68328ca7, - 0x68330cba, - 0x68338f5d, - 0x68340f6d, + 0x4c351406, + 0x4c359414, + 0x4c361430, + 0x4c369456, + 0x4c371465, + 0x4c379473, + 0x4c381488, + 0x4c389494, + 0x4c3914b4, + 0x4c3994de, + 0x4c3a14f7, + 0x4c3a9510, + 0x4c3b0635, + 0x4c3b9529, + 0x4c3c153b, + 0x4c3c954a, + 0x4c3d1563, + 0x4c3d8c92, + 0x4c3e15d0, + 0x4c3e9572, + 0x4c3f15f2, + 0x4c3f9327, + 0x4c401588, + 0x4c4093a3, + 0x4c4115c0, + 0x4c419443, + 0x4c4215ac, + 0x50323561, + 0x5032b570, + 0x5033357b, + 0x5033b58b, + 0x503435a4, + 0x5034b5be, + 0x503535cc, + 0x5035b5e2, + 0x503635f4, + 0x5036b60a, + 0x50373623, + 0x5037b636, + 0x5038364e, + 0x5038b65f, + 0x50393674, + 0x5039b688, + 0x503a36a8, + 0x503ab6be, + 0x503b36d6, + 0x503bb6e8, + 0x503c3704, + 0x503cb71b, + 0x503d3734, + 0x503db74a, + 0x503e3757, + 0x503eb76d, + 0x503f377f, + 0x503f83b3, + 0x50403792, + 0x5040b7a2, + 0x504137bc, + 0x5041b7cb, + 0x504237e5, + 0x5042b802, + 0x50433812, + 0x5043b822, + 0x5044383f, + 0x50448469, + 0x50453853, + 0x5045b871, + 0x50463884, + 0x5046b89a, + 0x504738ac, + 0x5047b8c1, + 0x504838e7, + 0x5048b8f5, + 0x50493908, + 0x5049b91d, + 0x504a3933, + 0x504ab943, + 0x504b3963, + 0x504bb976, + 0x504c3999, + 0x504cb9c7, + 0x504d39f4, + 0x504dba11, + 0x504e3a2c, + 0x504eba48, + 0x504f3a5a, + 0x504fba71, + 0x50503a80, + 0x50508729, + 0x50513a93, + 0x5051b831, + 0x505239d9, + 0x58320fb0, + 0x68320f72, + 0x68328cca, + 0x68330cdd, + 0x68338f80, + 0x68340f90, 0x683480f7, - 0x6c320f15, - 0x6c328c5e, - 0x6c330f20, - 0x6c338f39, - 0x74320a43, + 0x6c320f38, + 0x6c328c81, + 0x6c330f43, + 0x6c338f5c, + 0x74320a66, 0x743280b9, - 0x74330c6f, - 0x783209a8, - 0x783289bd, - 0x783309c9, + 0x74330c92, + 0x783209cb, + 0x783289e0, + 0x783309ec, 0x78338090, - 0x783409d8, - 0x783489ed, - 0x78350a0c, - 0x78358a2e, - 0x78360a43, - 0x78368a59, - 0x78370a69, - 0x78378a8a, - 0x78380a9d, - 0x78388aaf, - 0x78390abc, - 0x78398adb, - 0x783a0af0, - 0x783a8afe, - 0x783b0b08, - 0x783b8b1c, - 0x783c0b33, - 0x783c8b48, - 0x783d0b5f, - 0x783d8b74, - 0x783e0aca, - 0x783e8a7c, - 0x7c32121d, - 0x80321433, + 0x783409fb, + 0x78348a10, + 0x78350a2f, + 0x78358a51, + 0x78360a66, + 0x78368a7c, + 0x78370a8c, + 0x78378aad, + 0x78380ac0, + 0x78388ad2, + 0x78390adf, + 0x78398afe, + 0x783a0b13, + 0x783a8b21, + 0x783b0b2b, + 0x783b8b3f, + 0x783c0b56, + 0x783c8b6b, + 0x783d0b82, + 0x783d8b97, + 0x783e0aed, + 0x783e8a9f, + 0x7c321240, + 0x80321456, 0x80328090, - 0x80333253, + 0x80333276, 0x803380b9, - 0x80343262, - 0x8034b1ca, - 0x803531e8, - 0x8035b276, - 0x8036322a, - 0x8036b1d9, - 0x8037321c, - 0x8037b1b7, - 0x8038323d, - 0x8038b1f9, - 0x8039320e, + 0x80343285, + 0x8034b1ed, + 0x8035320b, + 0x8035b299, + 0x8036324d, + 0x8036b1fc, + 0x8037323f, + 0x8037b1da, + 0x80383260, + 0x8038b21c, + 0x80393231, }; const size_t kOpenSSLReasonValuesLen = sizeof(kOpenSSLReasonValues) / sizeof(kOpenSSLReasonValues[0]); @@ -854,6 +856,7 @@ const char kOpenSSLReasonStringData[] = "INVALID_BIT_STRING_PADDING\0" "INVALID_BMPSTRING\0" "INVALID_DIGIT\0" + "INVALID_INTEGER\0" "INVALID_MODIFIER\0" "INVALID_NUMBER\0" "INVALID_OBJECT_ENCODING\0" @@ -900,6 +903,7 @@ const char kOpenSSLReasonStringData[] = "UNSUPPORTED_ANY_DEFINED_BY_TYPE\0" "UNSUPPORTED_PUBLIC_KEY_TYPE\0" "UNSUPPORTED_TYPE\0" + "WRONG_INTEGER_TYPE\0" "WRONG_PUBLIC_KEY_TYPE\0" "WRONG_TAG\0" "WRONG_TYPE\0" @@ -20,7 +20,6 @@ crypto_sources := \ src/crypto/asn1/a_bool.c\ src/crypto/asn1/a_d2i_fp.c\ src/crypto/asn1/a_dup.c\ - src/crypto/asn1/a_enum.c\ src/crypto/asn1/a_gentm.c\ src/crypto/asn1/a_i2d_fp.c\ src/crypto/asn1/a_int.c\ @@ -22,7 +22,6 @@ cc_defaults { "src/crypto/asn1/a_bool.c", "src/crypto/asn1/a_d2i_fp.c", "src/crypto/asn1/a_dup.c", - "src/crypto/asn1/a_enum.c", "src/crypto/asn1/a_gentm.c", "src/crypto/asn1/a_i2d_fp.c", "src/crypto/asn1/a_int.c", @@ -20,7 +20,6 @@ crypto_sources := \ src/crypto/asn1/a_bool.c\ src/crypto/asn1/a_d2i_fp.c\ src/crypto/asn1/a_dup.c\ - src/crypto/asn1/a_enum.c\ src/crypto/asn1/a_gentm.c\ src/crypto/asn1/a_i2d_fp.c\ src/crypto/asn1/a_int.c\ diff --git a/src/.gitignore b/src/.gitignore index 6cbc9d2a..1a27c894 100644 --- a/src/.gitignore +++ b/src/.gitignore @@ -7,6 +7,7 @@ ssl/test/runner/runner *.swo doc/*.html doc/doc.css +rust/Cargo.lock rust/target util/bot/android_ndk diff --git a/src/BUILDING.md b/src/BUILDING.md index 10645bef..e9a2b0cb 100644 --- a/src/BUILDING.md +++ b/src/BUILDING.md @@ -30,12 +30,10 @@ most recent stable version of each tool. by CMake, it may be configured explicitly by setting `CMAKE_ASM_NASM_COMPILER`. - * C and C++ compilers with C++11 support are required. On Windows, MSVC 14 - (Visual Studio 2015) or later with Platform SDK 8.1 or later are supported, - but newer versions are recommended. We will drop support for Visual Studio - 2015 in March 2022, five years after the release of Visual Studio 2017. - Recent versions of GCC (6.1+) and Clang should work on non-Windows - platforms, and maybe on Windows too. + * C and C++ compilers with C++11 support are required. On Windows, MSVC from + Visual Studio 2017 or later with Platform SDK 8.1 or later are supported, + but newer versions are recommended. Recent versions of GCC (6.1+) and Clang + should work on non-Windows platforms, and maybe on Windows too. * The most recent stable version of [Go](https://golang.org/dl/) is required. Note Go is exempt from the five year support window. If not found by CMake, diff --git a/src/crypto/CMakeLists.txt b/src/crypto/CMakeLists.txt index 6ab74b89..79802c67 100644 --- a/src/crypto/CMakeLists.txt +++ b/src/crypto/CMakeLists.txt @@ -203,7 +203,6 @@ add_library( asn1/a_bool.c asn1/a_d2i_fp.c asn1/a_dup.c - asn1/a_enum.c asn1/a_gentm.c asn1/a_i2d_fp.c asn1/a_int.c diff --git a/src/crypto/abi_self_test.cc b/src/crypto/abi_self_test.cc index c48818b6..96814985 100644 --- a/src/crypto/abi_self_test.cc +++ b/src/crypto/abi_self_test.cc @@ -58,9 +58,10 @@ TEST(ABITest, SanityCheck) { #if defined(OPENSSL_WINDOWS) // The invalid epilog makes Windows believe the epilog starts later than it // actually does. As a result, immediately after the popq, it does not - // realize the stack has been unwound and repeats the work. - EXPECT_NONFATAL_FAILURE(CHECK_ABI_SEH(abi_test_bad_unwind_epilog), - "unwound past starting frame"); + // realize the stack has been unwound and repeats the popq. This will result + // in reading the wrong return address and fail to unwind. The exact failure + // may vary depending on what was on the stack before. + EXPECT_NONFATAL_FAILURE(CHECK_ABI_SEH(abi_test_bad_unwind_epilog), ""); CHECK_ABI_NO_UNWIND(abi_test_bad_unwind_epilog); #endif // OPENSSL_WINDOWS } diff --git a/src/crypto/asn1/a_enum.c b/src/crypto/asn1/a_enum.c deleted file mode 100644 index d7a7357f..00000000 --- a/src/crypto/asn1/a_enum.c +++ /dev/null @@ -1,195 +0,0 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] */ - -#include <openssl/asn1.h> - -#include <limits.h> -#include <string.h> - -#include <openssl/err.h> -#include <openssl/mem.h> - -#include "../internal.h" - - -/* - * Code for ENUMERATED type: identical to INTEGER apart from a different tag. - * for comments on encoding see a_int.c - */ - -int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v) -{ - int j, k; - unsigned int i; - unsigned char buf[sizeof(long) + 1]; - long d; - - a->type = V_ASN1_ENUMERATED; - if (a->length < (int)(sizeof(long) + 1)) { - if (a->data != NULL) - OPENSSL_free(a->data); - if ((a->data = - (unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL) - OPENSSL_memset((char *)a->data, 0, sizeof(long) + 1); - } - if (a->data == NULL) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - return (0); - } - d = v; - if (d < 0) { - d = -d; - a->type = V_ASN1_NEG_ENUMERATED; - } - - for (i = 0; i < sizeof(long); i++) { - if (d == 0) - break; - buf[i] = (int)d & 0xff; - d >>= 8; - } - j = 0; - for (k = i - 1; k >= 0; k--) - a->data[j++] = buf[k]; - a->length = j; - return (1); -} - -long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a) -{ - int neg = 0, i; - - if (a == NULL) - return (0L); - i = a->type; - if (i == V_ASN1_NEG_ENUMERATED) - neg = 1; - else if (i != V_ASN1_ENUMERATED) - return -1; - - OPENSSL_STATIC_ASSERT(sizeof(uint64_t) >= sizeof(long), - "long larger than uint64_t"); - - if (a->length > (int)sizeof(uint64_t)) { - /* hmm... a bit ugly */ - return -1; - } - - uint64_t r64 = 0; - if (a->data != NULL) { - for (i = 0; i < a->length; i++) { - r64 <<= 8; - r64 |= (unsigned char)a->data[i]; - } - - if (r64 > LONG_MAX) { - return -1; - } - } - - long r = (long) r64; - if (neg) - r = -r; - - return r; -} - -ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai) -{ - ASN1_ENUMERATED *ret; - int len, j; - - if (ai == NULL) - ret = ASN1_ENUMERATED_new(); - else - ret = ai; - if (ret == NULL) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); - goto err; - } - if (BN_is_negative(bn)) - ret->type = V_ASN1_NEG_ENUMERATED; - else - ret->type = V_ASN1_ENUMERATED; - j = BN_num_bits(bn); - len = ((j == 0) ? 0 : ((j / 8) + 1)); - if (ret->length < len + 4) { - unsigned char *new_data = OPENSSL_realloc(ret->data, len + 4); - if (!new_data) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - goto err; - } - ret->data = new_data; - } - - ret->length = BN_bn2bin(bn, ret->data); - return (ret); - err: - if (ret != ai) - ASN1_ENUMERATED_free(ret); - return (NULL); -} - -BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn) -{ - BIGNUM *ret; - - if ((ret = BN_bin2bn(ai->data, ai->length, bn)) == NULL) - OPENSSL_PUT_ERROR(ASN1, ASN1_R_BN_LIB); - else if (ai->type == V_ASN1_NEG_ENUMERATED) - BN_set_negative(ret, 1); - return (ret); -} diff --git a/src/crypto/asn1/a_int.c b/src/crypto/asn1/a_int.c index 1695fd07..512472ac 100644 --- a/src/crypto/asn1/a_int.c +++ b/src/crypto/asn1/a_int.c @@ -59,8 +59,10 @@ #include <string.h> #include <limits.h> +#include <openssl/bytestring.h> #include <openssl/err.h> #include <openssl/mem.h> +#include <openssl/type_check.h> #include "../internal.h" @@ -72,129 +74,110 @@ ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x) int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y) { - int neg, ret; - /* Compare signs */ - neg = x->type & V_ASN1_NEG; + /* Compare signs. */ + int neg = x->type & V_ASN1_NEG; if (neg != (y->type & V_ASN1_NEG)) { - if (neg) - return -1; - else + return neg ? -1 : 1; + } + + int ret = ASN1_STRING_cmp(x, y); + if (neg) { + /* This could be |-ret|, but |ASN1_STRING_cmp| is not forbidden from + * returning |INT_MIN|. */ + if (ret < 0) { return 1; + } else if (ret > 0) { + return -1; + } else { + return 0; + } } - ret = ASN1_STRING_cmp(x, y); + return ret; +} - if (neg) - return -ret; - else - return ret; +/* negate_twos_complement negates |len| bytes from |buf| in-place, interpreted + * as a signed, big-endian two's complement value. */ +static void negate_twos_complement(uint8_t *buf, size_t len) +{ + uint8_t borrow = 0; + for (size_t i = len - 1; i < len; i--) { + uint8_t t = buf[i]; + buf[i] = 0u - borrow - t; + borrow |= t != 0; + } } -/* - * This converts an ASN1 INTEGER into its content encoding. - * The internal representation is an ASN1_STRING whose data is a big endian - * representation of the value, ignoring the sign. The sign is determined by - * the type: V_ASN1_INTEGER for positive and V_ASN1_NEG_INTEGER for negative. - * - * Positive integers are no problem: they are almost the same as the DER - * encoding, except if the first byte is >= 0x80 we need to add a zero pad. - * - * Negative integers are a bit trickier... - * The DER representation of negative integers is in 2s complement form. - * The internal form is converted by complementing each octet and finally - * adding one to the result. This can be done less messily with a little trick. - * If the internal form has trailing zeroes then they will become FF by the - * complement and 0 by the add one (due to carry) so just copy as many trailing - * zeros to the destination as there are in the source. The carry will add one - * to the last none zero octet: so complement this octet and add one and finally - * complement any left over until you get to the start of the string. - * - * Padding is a little trickier too. If the first bytes is > 0x80 then we pad - * with 0xff. However if the first byte is 0x80 and one of the following bytes - * is non-zero we pad with 0xff. The reason for this distinction is that 0x80 - * followed by optional zeros isn't padded. - */ +static int is_all_zeros(const uint8_t *in, size_t len) { + for (size_t i = 0; i < len; i++) { + if (in[i] != 0) { + return 0; + } + } + return 1; +} -int i2c_ASN1_INTEGER(const ASN1_INTEGER *a, unsigned char **pp) +int i2c_ASN1_INTEGER(const ASN1_INTEGER *in, unsigned char **outp) { - int pad = 0, ret, i, neg; - unsigned char *p, *n, pb = 0; - - if (a == NULL) - return (0); - neg = a->type & V_ASN1_NEG; - if (a->length == 0) - ret = 1; - else { - ret = a->length; - i = a->data[0]; - if (ret == 1 && i == 0) - neg = 0; - if (!neg && (i > 127)) { - pad = 1; - pb = 0; - } else if (neg) { - if (i > 128) { - pad = 1; - pb = 0xFF; - } else if (i == 128) { - /* - * Special case: if any other bytes non zero we pad: - * otherwise we don't. - */ - for (i = 1; i < a->length; i++) - if (a->data[i]) { - pad = 1; - pb = 0xFF; - break; - } - } - } - ret += pad; - } - if (pp == NULL) - return (ret); - p = *pp; - - if (pad) - *(p++) = pb; - if (a->length == 0) - *(p++) = 0; - else if (!neg) - OPENSSL_memcpy(p, a->data, (unsigned int)a->length); - else { - /* Begin at the end of the encoding */ - n = a->data + a->length - 1; - p += a->length - 1; - i = a->length; - /* Copy zeros to destination as long as source is zero */ - while (!*n && i > 1) { - *(p--) = 0; - n--; - i--; - } - /* Complement and increment next octet */ - *(p--) = ((*(n--)) ^ 0xff) + 1; - i--; - /* Complement any octets left */ - for (; i > 0; i--) - *(p--) = *(n--) ^ 0xff; + if (in == NULL) { + return 0; } - *pp += ret; - return (ret); -} + /* |ASN1_INTEGER|s should be represented minimally, but it is possible to + * construct invalid ones. Skip leading zeros so this does not produce an + * invalid encoding or break invariants. */ + int start = 0; + while (start < in->length && in->data[start] == 0) { + start++; + } + + int is_negative = (in->type & V_ASN1_NEG) != 0; + int pad; + if (start >= in->length) { + /* Zero is represented as a single byte. */ + is_negative = 0; + pad = 1; + } else if (is_negative) { + /* 0x80...01 through 0xff...ff have a two's complement of 0x7f...ff + * through 0x00...01 and need an extra byte to be negative. + * 0x01...00 through 0x80...00 have a two's complement of 0xfe...ff + * through 0x80...00 and can be negated as-is. */ + pad = in->data[start] > 0x80 || + (in->data[start] == 0x80 && + !is_all_zeros(in->data + start + 1, in->length - start - 1)); + } else { + /* If the high bit is set, the signed representation needs an extra + * byte to be positive. */ + pad = (in->data[start] & 0x80) != 0; + } -/* Convert just ASN1 INTEGER content octets to ASN1_INTEGER structure */ + if (in->length - start > INT_MAX - pad) { + OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW); + return 0; + } + int len = pad + in->length - start; + assert(len > 0); + if (outp == NULL) { + return len; + } -ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, + if (pad) { + (*outp)[0] = 0; + } + OPENSSL_memcpy(*outp + pad, in->data + start, in->length - start); + if (is_negative) { + negate_twos_complement(*outp, len); + assert((*outp)[0] >= 0x80); + } else { + assert((*outp)[0] < 0x80); + } + *outp += len; + return len; +} + +ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **out, const unsigned char **inp, long len) { - ASN1_INTEGER *ret = NULL; - const unsigned char *p, *pend; - unsigned char *to, *s; - int i; - /* * This function can handle lengths up to INT_MAX - 1, but the rest of the * legacy ASN.1 code mixes integer types, so avoid exposing it to @@ -205,85 +188,69 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, return NULL; } - if ((a == NULL) || ((*a) == NULL)) { - if ((ret = ASN1_INTEGER_new()) == NULL) - return (NULL); - ret->type = V_ASN1_INTEGER; - } else - ret = (*a); + CBS cbs; + CBS_init(&cbs, *inp, (size_t)len); + int is_negative; + if (!CBS_is_valid_asn1_integer(&cbs, &is_negative)) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER); + return NULL; + } - p = *pp; - pend = p + len; + ASN1_INTEGER *ret = NULL; + if (out == NULL || *out == NULL) { + ret = ASN1_INTEGER_new(); + if (ret == NULL) { + return NULL; + } + } else { + ret = *out; + } - /* - * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies - * a missing NULL parameter. - */ - s = (unsigned char *)OPENSSL_malloc((int)len + 1); - if (s == NULL) { - i = ERR_R_MALLOC_FAILURE; + /* Convert to |ASN1_INTEGER|'s sign-and-magnitude representation. First, + * determine the size needed for a minimal result. */ + if (is_negative) { + /* 0xff00...01 through 0xff7f..ff have a two's complement of 0x00ff...ff + * through 0x000100...001 and need one leading zero removed. 0x8000...00 + * through 0xff00...00 have a two's complement of 0x8000...00 through + * 0x0100...00 and will be minimally-encoded as-is. */ + if (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0xff && + !is_all_zeros(CBS_data(&cbs) + 1, CBS_len(&cbs) - 1)) { + CBS_skip(&cbs, 1); + } + } else { + /* Remove the leading zero byte, if any. */ + if (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0x00) { + CBS_skip(&cbs, 1); + } + } + + if (!ASN1_STRING_set(ret, CBS_data(&cbs), CBS_len(&cbs))) { goto err; } - to = s; - if (!len) { - /* - * Strictly speaking this is an illegal INTEGER but we tolerate it. - */ - ret->type = V_ASN1_INTEGER; - } else if (*p & 0x80) { /* a negative number */ + + if (is_negative) { ret->type = V_ASN1_NEG_INTEGER; - if ((*p == 0xff) && (len != 1)) { - p++; - len--; - } - i = len; - p += i - 1; - to += i - 1; - while ((!*p) && i) { - *(to--) = 0; - i--; - p--; - } - /* - * Special case: if all zeros then the number will be of the form FF - * followed by n zero bytes: this corresponds to 1 followed by n zero - * bytes. We've already written n zeros so we just append an extra - * one and set the first byte to a 1. This is treated separately - * because it is the only case where the number of bytes is larger - * than len. - */ - if (!i) { - *s = 1; - s[len] = 0; - len++; - } else { - *(to--) = (*(p--) ^ 0xff) + 1; - i--; - for (; i > 0; i--) - *(to--) = *(p--) ^ 0xff; - } + negate_twos_complement(ret->data, ret->length); } else { ret->type = V_ASN1_INTEGER; - if ((*p == 0) && (len != 1)) { - p++; - len--; - } - OPENSSL_memcpy(s, p, (int)len); } - if (ret->data != NULL) - OPENSSL_free(ret->data); - ret->data = s; - ret->length = (int)len; - if (a != NULL) - (*a) = ret; - *pp = pend; - return (ret); + /* The value should be minimally-encoded. */ + assert(ret->length == 0 || ret->data[0] != 0); + /* Zero is not negative. */ + assert(!is_negative || ret->length > 0); + + *inp += len; + if (out != NULL) { + *out = ret; + } + return ret; + err: - OPENSSL_PUT_ERROR(ASN1, i); - if ((ret != NULL) && ((a == NULL) || (*a != ret))) + if (ret != NULL && (out == NULL || *out != ret)) { ASN1_INTEGER_free(ret); - return (NULL); + } + return NULL; } int ASN1_INTEGER_set(ASN1_INTEGER *a, long v) @@ -300,121 +267,196 @@ int ASN1_INTEGER_set(ASN1_INTEGER *a, long v) return 1; } -int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v) +int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v) { - uint8_t *const newdata = OPENSSL_malloc(sizeof(uint64_t)); - if (newdata == NULL) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - return 0; + if (v >= 0) { + return ASN1_ENUMERATED_set_uint64(a, (uint64_t) v); } - OPENSSL_free(out->data); - out->data = newdata; - v = CRYPTO_bswap8(v); - memcpy(out->data, &v, sizeof(v)); + if (!ASN1_ENUMERATED_set_uint64(a, 0 - (uint64_t) v)) { + return 0; + } - out->type = V_ASN1_INTEGER; + a->type = V_ASN1_NEG_ENUMERATED; + return 1; +} +static int asn1_string_set_uint64(ASN1_STRING *out, uint64_t v, int type) +{ + uint8_t buf[sizeof(uint64_t)]; + CRYPTO_store_u64_be(buf, v); size_t leading_zeros; - for (leading_zeros = 0; leading_zeros < sizeof(uint64_t) - 1; - leading_zeros++) { - if (out->data[leading_zeros] != 0) { - break; - } + for (leading_zeros = 0; leading_zeros < sizeof(buf); leading_zeros++) { + if (buf[leading_zeros] != 0) { + break; + } } - out->length = sizeof(uint64_t) - leading_zeros; - OPENSSL_memmove(out->data, out->data + leading_zeros, out->length); + if (!ASN1_STRING_set(out, buf + leading_zeros, + sizeof(buf) - leading_zeros)) { + return 0; + } + out->type = type; + return 1; +} + +int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v) +{ + return asn1_string_set_uint64(out, v, V_ASN1_INTEGER); +} +int ASN1_ENUMERATED_set_uint64(ASN1_ENUMERATED *out, uint64_t v) +{ + return asn1_string_set_uint64(out, v, V_ASN1_ENUMERATED); +} + +static int asn1_string_get_abs_uint64(uint64_t *out, const ASN1_STRING *a, + int type) +{ + if ((a->type & ~V_ASN1_NEG) != type) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_INTEGER_TYPE); + return 0; + } + uint8_t buf[sizeof(uint64_t)] = {0}; + if (a->length > (int)sizeof(buf)) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER); + return 0; + } + OPENSSL_memcpy(buf + sizeof(buf) - a->length, a->data, a->length); + *out = CRYPTO_load_u64_be(buf); return 1; } -long ASN1_INTEGER_get(const ASN1_INTEGER *a) +static int asn1_string_get_uint64(uint64_t *out, const ASN1_STRING *a, int type) { - int neg = 0, i; + if (!asn1_string_get_abs_uint64(out, a, type)) { + return 0; + } + if (a->type & V_ASN1_NEG) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER); + return 0; + } + return 1; +} - if (a == NULL) - return (0L); - i = a->type; - if (i == V_ASN1_NEG_INTEGER) - neg = 1; - else if (i != V_ASN1_INTEGER) - return -1; +int ASN1_INTEGER_get_uint64(uint64_t *out, const ASN1_INTEGER *a) +{ + return asn1_string_get_uint64(out, a, V_ASN1_INTEGER); +} - OPENSSL_STATIC_ASSERT(sizeof(uint64_t) >= sizeof(long), - "long larger than uint64_t"); +int ASN1_ENUMERATED_get_uint64(uint64_t *out, const ASN1_ENUMERATED *a) +{ + return asn1_string_get_uint64(out, a, V_ASN1_ENUMERATED); +} - if (a->length > (int)sizeof(uint64_t)) { - /* hmm... a bit ugly, return all ones */ - return -1; +static long asn1_string_get_long(const ASN1_STRING *a, int type) +{ + if (a == NULL) { + return 0; } - uint64_t r64 = 0; - if (a->data != NULL) { - for (i = 0; i < a->length; i++) { - r64 <<= 8; - r64 |= (unsigned char)a->data[i]; - } + uint64_t v; + if (!asn1_string_get_abs_uint64(&v, a, type)) { + goto err; + } - if (r64 > LONG_MAX) { - return -1; - } + int64_t i64; + int fits_in_i64; + /* Check |v != 0| to handle manually-constructed negative zeros. */ + if ((a->type & V_ASN1_NEG) && v != 0) { + i64 = (int64_t)(0u - v); + fits_in_i64 = i64 < 0; + } else { + i64 = (int64_t)v; + fits_in_i64 = i64 >= 0; } + OPENSSL_STATIC_ASSERT(sizeof(long) <= sizeof(int64_t), "long is too big"); - long r = (long) r64; - if (neg) - r = -r; + if (fits_in_i64 && LONG_MIN <= i64 && i64 <= LONG_MAX) { + return (long)i64; + } - return r; +err: + /* This function's return value does not distinguish overflow from -1. */ + ERR_clear_error(); + return -1; } -ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai) +long ASN1_INTEGER_get(const ASN1_INTEGER *a) { - ASN1_INTEGER *ret; - int len, j; + return asn1_string_get_long(a, V_ASN1_INTEGER); +} - if (ai == NULL) - ret = ASN1_INTEGER_new(); - else +long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a) +{ + return asn1_string_get_long(a, V_ASN1_ENUMERATED); +} + +static ASN1_STRING *bn_to_asn1_string(const BIGNUM *bn, ASN1_STRING *ai, + int type) +{ + ASN1_INTEGER *ret; + if (ai == NULL) { + ret = ASN1_STRING_type_new(type); + } else { ret = ai; + } if (ret == NULL) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); goto err; } - if (BN_is_negative(bn) && !BN_is_zero(bn)) - ret->type = V_ASN1_NEG_INTEGER; - else - ret->type = V_ASN1_INTEGER; - j = BN_num_bits(bn); - len = ((j == 0) ? 0 : ((j / 8) + 1)); - if (ret->length < len + 4) { - unsigned char *new_data = OPENSSL_realloc(ret->data, len + 4); - if (!new_data) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - goto err; - } - ret->data = new_data; + + if (BN_is_negative(bn) && !BN_is_zero(bn)) { + ret->type = type | V_ASN1_NEG; + } else { + ret->type = type; } - ret->length = BN_bn2bin(bn, ret->data); - /* Correct zero case */ - if (!ret->length) { - ret->data[0] = 0; - ret->length = 1; + + int len = BN_num_bytes(bn); + if (!ASN1_STRING_set(ret, NULL, len) || + !BN_bn2bin_padded(ret->data, len, bn)) { + goto err; } - return (ret); + return ret; + err: - if (ret != ai) - ASN1_INTEGER_free(ret); - return (NULL); + if (ret != ai) { + ASN1_STRING_free(ret); + } + return NULL; } -BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn) +ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai) { - BIGNUM *ret; + return bn_to_asn1_string(bn, ai, V_ASN1_INTEGER); +} + +ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai) +{ + return bn_to_asn1_string(bn, ai, V_ASN1_ENUMERATED); +} + +static BIGNUM *asn1_string_to_bn(const ASN1_STRING *ai, BIGNUM *bn, int type) +{ + if ((ai->type & ~V_ASN1_NEG) != type) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_INTEGER_TYPE); + return NULL; + } + BIGNUM *ret; if ((ret = BN_bin2bn(ai->data, ai->length, bn)) == NULL) OPENSSL_PUT_ERROR(ASN1, ASN1_R_BN_LIB); - else if (ai->type == V_ASN1_NEG_INTEGER) + else if (ai->type & V_ASN1_NEG) BN_set_negative(ret, 1); return (ret); } + +BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn) +{ + return asn1_string_to_bn(ai, bn, V_ASN1_INTEGER); +} + +BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn) +{ + return asn1_string_to_bn(ai, bn, V_ASN1_ENUMERATED); +} diff --git a/src/crypto/asn1/a_strex.c b/src/crypto/asn1/a_strex.c index 7829d671..37328941 100644 --- a/src/crypto/asn1/a_strex.c +++ b/src/crypto/asn1/a_strex.c @@ -574,7 +574,8 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm) // their value, updates |v| and |len|, and returns one. Otherwise, returns // zero. static int consume_two_digits(int* out, const char **v, int *len) { - if (*len < 2|| !isdigit((*v)[0]) || !isdigit((*v)[1])) { + if (*len < 2 || !isdigit((unsigned char)((*v)[0])) || + !isdigit((unsigned char)((*v)[1]))) { return 0; } *out = ((*v)[0] - '0') * 10 + ((*v)[1] - '0'); diff --git a/src/crypto/asn1/asn1_lib.c b/src/crypto/asn1/asn1_lib.c index fbf4d686..edf5e7c5 100644 --- a/src/crypto/asn1/asn1_lib.c +++ b/src/crypto/asn1/asn1_lib.c @@ -59,7 +59,7 @@ #include <limits.h> #include <string.h> -#include <openssl/asn1_mac.h> +#include <openssl/bytestring.h> #include <openssl/err.h> #include <openssl/mem.h> @@ -104,101 +104,54 @@ OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_FORMAT) OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_TAG) OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_TYPE) -static int asn1_get_length(const unsigned char **pp, long *rl, long max); static void asn1_put_length(unsigned char **pp, int length); -int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, - int *pclass, long omax) +int ASN1_get_object(const unsigned char **inp, long *out_len, int *out_tag, + int *out_class, long in_len) { - int i, ret; - long l; - const unsigned char *p = *pp; - int tag, xclass; - long max = omax; - - if (!max) - goto err; - ret = (*p & V_ASN1_CONSTRUCTED); - xclass = (*p & V_ASN1_PRIVATE); - i = *p & V_ASN1_PRIMITIVE_TAG; - if (i == V_ASN1_PRIMITIVE_TAG) { /* high-tag */ - p++; - if (--max == 0) - goto err; - l = 0; - while (*p & 0x80) { - l <<= 7L; - l |= *(p++) & 0x7f; - if (--max == 0) - goto err; - if (l > (INT_MAX >> 7L)) - goto err; - } - l <<= 7L; - l |= *(p++) & 0x7f; - tag = (int)l; - if (--max == 0) - goto err; - } else { - tag = i; - p++; - if (--max == 0) - goto err; + if (in_len < 0) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG); + return 0x80; } - /* To avoid ambiguity with V_ASN1_NEG, impose a limit on universal tags. */ - if (xclass == V_ASN1_UNIVERSAL && tag > V_ASN1_MAX_UNIVERSAL) - goto err; - - *ptag = tag; - *pclass = xclass; - if (!asn1_get_length(&p, plength, max)) - goto err; - - if (*plength > (omax - (p - *pp))) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG); + /* TODO(https://crbug.com/boringssl/354): This should use |CBS_get_asn1| to + * reject non-minimal lengths, which are only allowed in BER. However, + * Android sometimes needs allow a non-minimal length in certificate + * signature fields (see b/18228011). Make this only apply to that field, + * while requiring DER elsewhere. Better yet, it should be limited to an + * preprocessing step in that part of Android. */ + unsigned tag; + size_t header_len; + int indefinite; + CBS cbs, body; + CBS_init(&cbs, *inp, (size_t)in_len); + if (!CBS_get_any_ber_asn1_element(&cbs, &body, &tag, &header_len, + /*out_ber_found=*/NULL, &indefinite) || + indefinite || + !CBS_skip(&body, header_len) || + /* Bound the length to comfortably fit in an int. Lengths in this + * module often switch between int and long without overflow checks. */ + CBS_len(&body) > INT_MAX / 2) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG); return 0x80; } - *pp = p; - return ret; - err: - OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG); - return 0x80; -} -static int asn1_get_length(const unsigned char **pp, long *rl, long max) -{ - const unsigned char *p = *pp; - unsigned long ret = 0; - unsigned long i; + /* Convert between tag representations. */ + int tag_class = (tag & CBS_ASN1_CLASS_MASK) >> CBS_ASN1_TAG_SHIFT; + int constructed = (tag & CBS_ASN1_CONSTRUCTED) >> CBS_ASN1_TAG_SHIFT; + int tag_number = tag & CBS_ASN1_TAG_NUMBER_MASK; - if (max-- < 1) { - return 0; - } - if (*p == 0x80) { - /* We do not support BER indefinite-length encoding. */ - return 0; - } - i = *p & 0x7f; - if (*(p++) & 0x80) { - if (i > sizeof(ret) || max < (long)i) - return 0; - while (i-- > 0) { - ret <<= 8L; - ret |= *(p++); - } - } else { - ret = i; + /* To avoid ambiguity with V_ASN1_NEG, impose a limit on universal tags. */ + if (tag_class == V_ASN1_UNIVERSAL && tag_number > V_ASN1_MAX_UNIVERSAL) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG); + return 0x80; } - /* - * Bound the length to comfortably fit in an int. Lengths in this module - * often switch between int and long without overflow checks. - */ - if (ret > INT_MAX / 2) - return 0; - *pp = p; - *rl = (long)ret; - return 1; + + *inp = CBS_data(&body); + *out_len = CBS_len(&body); + *out_tag = tag_number; + *out_class = tag_class; + return constructed; } /* diff --git a/src/crypto/asn1/asn1_test.cc b/src/crypto/asn1/asn1_test.cc index ab9cb017..7d698896 100644 --- a/src/crypto/asn1/asn1_test.cc +++ b/src/crypto/asn1/asn1_test.cc @@ -15,6 +15,7 @@ #include <limits.h> #include <stdio.h> +#include <map> #include <string> #include <vector> @@ -76,33 +77,6 @@ TEST(ASN1Test, LargeTags) { obj->value.asn1_string->length)); } -TEST(ASN1Test, IntegerSetting) { - bssl::UniquePtr<ASN1_INTEGER> by_bn(ASN1_INTEGER_new()); - bssl::UniquePtr<ASN1_INTEGER> by_long(ASN1_INTEGER_new()); - bssl::UniquePtr<ASN1_INTEGER> by_uint64(ASN1_INTEGER_new()); - bssl::UniquePtr<BIGNUM> bn(BN_new()); - - const std::vector<int64_t> kValues = { - LONG_MIN, -2, -1, 0, 1, 2, 0xff, 0x100, 0xffff, 0x10000, LONG_MAX, - }; - for (const auto &i : kValues) { - SCOPED_TRACE(i); - - ASSERT_EQ(1, ASN1_INTEGER_set(by_long.get(), i)); - const uint64_t abs = i < 0 ? (0 - (uint64_t) i) : i; - ASSERT_TRUE(BN_set_u64(bn.get(), abs)); - BN_set_negative(bn.get(), i < 0); - ASSERT_TRUE(BN_to_ASN1_INTEGER(bn.get(), by_bn.get())); - - EXPECT_EQ(0, ASN1_INTEGER_cmp(by_bn.get(), by_long.get())); - - if (i >= 0) { - ASSERT_EQ(1, ASN1_INTEGER_set_uint64(by_uint64.get(), i)); - EXPECT_EQ(0, ASN1_INTEGER_cmp(by_bn.get(), by_uint64.get())); - } - } -} - // |obj| and |i2d_func| require different template parameters because C++ may // deduce, say, |ASN1_STRING*| via |obj| and |const ASN1_STRING*| via // |i2d_func|. Template argument deduction then fails. The language is not able @@ -131,6 +105,391 @@ void TestSerialize(T obj, int (*i2d_func)(U a, uint8_t **pp), EXPECT_EQ(Bytes(expected), Bytes(buf)); } +static bssl::UniquePtr<BIGNUM> BIGNUMPow2(unsigned bit) { + bssl::UniquePtr<BIGNUM> bn(BN_new()); + if (!bn || + !BN_set_bit(bn.get(), bit)) { + return nullptr; + } + return bn; +} + +TEST(ASN1Test, Integer) { + bssl::UniquePtr<BIGNUM> int64_min = BIGNUMPow2(63); + ASSERT_TRUE(int64_min); + BN_set_negative(int64_min.get(), 1); + + bssl::UniquePtr<BIGNUM> int64_max = BIGNUMPow2(63); + ASSERT_TRUE(int64_max); + ASSERT_TRUE(BN_sub_word(int64_max.get(), 1)); + + bssl::UniquePtr<BIGNUM> int32_min = BIGNUMPow2(31); + ASSERT_TRUE(int32_min); + BN_set_negative(int32_min.get(), 1); + + bssl::UniquePtr<BIGNUM> int32_max = BIGNUMPow2(31); + ASSERT_TRUE(int32_max); + ASSERT_TRUE(BN_sub_word(int32_max.get(), 1)); + + struct { + // der is the DER encoding of the INTEGER, including the tag and length. + std::vector<uint8_t> der; + // type and data are the corresponding fields of the |ASN1_STRING| + // representation. + int type; + std::vector<uint8_t> data; + // bn_asc is the |BIGNUM| representation, as parsed by the |BN_asc2bn| + // function. + const char *bn_asc; + } kTests[] = { + // -2^64 - 1 + {{0x02, 0x09, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + V_ASN1_NEG_INTEGER, + {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + "-0x10000000000000001"}, + // -2^64 + {{0x02, 0x09, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + V_ASN1_NEG_INTEGER, + {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + "-0x10000000000000000"}, + // -2^64 + 1 + {{0x02, 0x09, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + V_ASN1_NEG_INTEGER, + {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + "-0xffffffffffffffff"}, + // -2^63 - 1 + {{0x02, 0x09, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + V_ASN1_NEG_INTEGER, + {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + "-0x8000000000000001"}, + // -2^63 (INT64_MIN) + {{0x02, 0x08, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + V_ASN1_NEG_INTEGER, + {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + "-0x8000000000000000"}, + // -2^63 + 1 + {{0x02, 0x08, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + V_ASN1_NEG_INTEGER, + {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + "-0x7fffffffffffffff"}, + // -2^32 - 1 + {{0x02, 0x05, 0xfe, 0xff, 0xff, 0xff, 0xff}, + V_ASN1_NEG_INTEGER, + {0x01, 0x00, 0x00, 0x00, 0x01}, + "-0x100000001"}, + // -2^32 + {{0x02, 0x05, 0xff, 0x00, 0x00, 0x00, 0x00}, + V_ASN1_NEG_INTEGER, + {0x01, 0x00, 0x00, 0x00, 0x00}, + "-0x100000000"}, + // -2^32 + 1 + {{0x02, 0x05, 0xff, 0x00, 0x00, 0x00, 0x01}, + V_ASN1_NEG_INTEGER, + {0xff, 0xff, 0xff, 0xff}, + "-0xffffffff"}, + // -2^31 - 1 + {{0x02, 0x05, 0xff, 0x7f, 0xff, 0xff, 0xff}, + V_ASN1_NEG_INTEGER, + {0x80, 0x00, 0x00, 0x01}, + "-0x80000001"}, + // -2^31 (INT32_MIN) + {{0x02, 0x04, 0x80, 0x00, 0x00, 0x00}, + V_ASN1_NEG_INTEGER, + {0x80, 0x00, 0x00, 0x00}, + "-0x80000000"}, + // -2^31 + 1 + {{0x02, 0x04, 0x80, 0x00, 0x00, 0x01}, + V_ASN1_NEG_INTEGER, + {0x7f, 0xff, 0xff, 0xff}, + "-0x7fffffff"}, + // -257 + {{0x02, 0x02, 0xfe, 0xff}, V_ASN1_NEG_INTEGER, {0x01, 0x01}, "-257"}, + // -256 + {{0x02, 0x02, 0xff, 0x00}, V_ASN1_NEG_INTEGER, {0x01, 0x00}, "-256"}, + // -255 + {{0x02, 0x02, 0xff, 0x01}, V_ASN1_NEG_INTEGER, {0xff}, "-255"}, + // -129 + {{0x02, 0x02, 0xff, 0x7f}, V_ASN1_NEG_INTEGER, {0x81}, "-129"}, + // -128 + {{0x02, 0x01, 0x80}, V_ASN1_NEG_INTEGER, {0x80}, "-128"}, + // -127 + {{0x02, 0x01, 0x81}, V_ASN1_NEG_INTEGER, {0x7f}, "-127"}, + // -1 + {{0x02, 0x01, 0xff}, V_ASN1_NEG_INTEGER, {0x01}, "-1"}, + // 0 + {{0x02, 0x01, 0x00}, V_ASN1_INTEGER, {}, "0"}, + // 1 + {{0x02, 0x01, 0x01}, V_ASN1_INTEGER, {0x01}, "1"}, + // 127 + {{0x02, 0x01, 0x7f}, V_ASN1_INTEGER, {0x7f}, "127"}, + // 128 + {{0x02, 0x02, 0x00, 0x80}, V_ASN1_INTEGER, {0x80}, "128"}, + // 129 + {{0x02, 0x02, 0x00, 0x81}, V_ASN1_INTEGER, {0x81}, "129"}, + // 255 + {{0x02, 0x02, 0x00, 0xff}, V_ASN1_INTEGER, {0xff}, "255"}, + // 256 + {{0x02, 0x02, 0x01, 0x00}, V_ASN1_INTEGER, {0x01, 0x00}, "256"}, + // 257 + {{0x02, 0x02, 0x01, 0x01}, V_ASN1_INTEGER, {0x01, 0x01}, "257"}, + // 2^31 - 2 + {{0x02, 0x04, 0x7f, 0xff, 0xff, 0xfe}, + V_ASN1_INTEGER, + {0x7f, 0xff, 0xff, 0xfe}, + "0x7ffffffe"}, + // 2^31 - 1 (INT32_MAX) + {{0x02, 0x04, 0x7f, 0xff, 0xff, 0xff}, + V_ASN1_INTEGER, + {0x7f, 0xff, 0xff, 0xff}, + "0x7fffffff"}, + // 2^31 + {{0x02, 0x05, 0x00, 0x80, 0x00, 0x00, 0x00}, + V_ASN1_INTEGER, + {0x80, 0x00, 0x00, 0x00}, + "0x80000000"}, + // 2^32 - 2 + {{0x02, 0x05, 0x00, 0xff, 0xff, 0xff, 0xfe}, + V_ASN1_INTEGER, + {0xff, 0xff, 0xff, 0xfe}, + "0xfffffffe"}, + // 2^32 - 1 (UINT32_MAX) + {{0x02, 0x05, 0x00, 0xff, 0xff, 0xff, 0xff}, + V_ASN1_INTEGER, + {0xff, 0xff, 0xff, 0xff}, + "0xffffffff"}, + // 2^32 + {{0x02, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00}, + V_ASN1_INTEGER, + {0x01, 0x00, 0x00, 0x00, 0x00}, + "0x100000000"}, + // 2^63 - 2 + {{0x02, 0x08, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}, + V_ASN1_INTEGER, + {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}, + "0x7ffffffffffffffe"}, + // 2^63 - 1 (INT64_MAX) + {{0x02, 0x08, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + V_ASN1_INTEGER, + {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + "0x7fffffffffffffff"}, + // 2^63 + {{0x02, 0x09, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + V_ASN1_INTEGER, + {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + "0x8000000000000000"}, + // 2^64 - 2 + {{0x02, 0x09, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}, + V_ASN1_INTEGER, + {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe}, + "0xfffffffffffffffe"}, + // 2^64 - 1 (UINT64_MAX) + {{0x02, 0x09, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + V_ASN1_INTEGER, + {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}, + "0xffffffffffffffff"}, + // 2^64 + {{0x02, 0x09, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + V_ASN1_INTEGER, + {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, + "0x10000000000000000"}, + // 2^64 + 1 + {{0x02, 0x09, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + V_ASN1_INTEGER, + {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}, + "0x10000000000000001"}, + }; + + for (const auto &t : kTests) { + SCOPED_TRACE(t.bn_asc); + // Collect a map of different ways to construct the integer. The key is the + // method used and is only retained to aid debugging. + std::map<std::string, bssl::UniquePtr<ASN1_INTEGER>> objs; + + // Construct |ASN1_INTEGER| by setting the type and data manually. + bssl::UniquePtr<ASN1_INTEGER> by_data(ASN1_STRING_type_new(t.type)); + ASSERT_TRUE(by_data); + ASSERT_TRUE(ASN1_STRING_set(by_data.get(), t.data.data(), t.data.size())); + objs["data"] = std::move(by_data); + + // Construct |ASN1_INTEGER| from a |BIGNUM|. + BIGNUM *bn_raw = nullptr; + ASSERT_TRUE(BN_asc2bn(&bn_raw, t.bn_asc)); + bssl::UniquePtr<BIGNUM> bn(bn_raw); + bssl::UniquePtr<ASN1_INTEGER> by_bn(BN_to_ASN1_INTEGER(bn.get(), nullptr)); + ASSERT_TRUE(by_bn); + objs["bn"] = std::move(by_bn); + + // Construct |ASN1_INTEGER| from decoding. + const uint8_t *ptr = t.der.data(); + bssl::UniquePtr<ASN1_INTEGER> by_der( + d2i_ASN1_INTEGER(nullptr, &ptr, t.der.size())); + ASSERT_TRUE(by_der); + EXPECT_EQ(ptr, t.der.data() + t.der.size()); + objs["der"] = std::move(by_der); + + // Construct |ASN1_INTEGER| from |long| or |uint64_t|, if it fits. + bool fits_in_long = false, fits_in_u64 = false; + uint64_t u64 = 0; + long l = 0; + uint64_t abs_u64; + if (BN_get_u64(bn.get(), &abs_u64)) { + fits_in_u64 = !BN_is_negative(bn.get()); + if (fits_in_u64) { + u64 = abs_u64; + bssl::UniquePtr<ASN1_INTEGER> by_u64(ASN1_INTEGER_new()); + ASSERT_TRUE(by_u64); + ASSERT_TRUE(ASN1_INTEGER_set_uint64(by_u64.get(), u64)); + objs["u64"] = std::move(by_u64); + } + + if (sizeof(long) == 8) { + fits_in_long = BN_cmp(int64_min.get(), bn.get()) <= 0 && + BN_cmp(bn.get(), int64_max.get()) <= 0; + } else { + ASSERT_EQ(4u, sizeof(long)); + fits_in_long = BN_cmp(int32_min.get(), bn.get()) <= 0 && + BN_cmp(bn.get(), int32_max.get()) <= 0; + } + if (fits_in_long) { + if (BN_is_negative(bn.get())) { + l = static_cast<long>(0u - abs_u64); + } else { + l = static_cast<long>(abs_u64); + } + bssl::UniquePtr<ASN1_INTEGER> by_long(ASN1_INTEGER_new()); + ASSERT_TRUE(by_long); + ASSERT_TRUE(ASN1_INTEGER_set(by_long.get(), l)); + objs["long"] = std::move(by_long); + } + } + + // Default construction should return the zero |ASN1_INTEGER|. + if (BN_is_zero(bn.get())) { + bssl::UniquePtr<ASN1_INTEGER> by_default(ASN1_INTEGER_new()); + ASSERT_TRUE(by_default); + objs["default"] = std::move(by_default); + } + + // Test that every |ASN1_INTEGER| constructed behaves as expected. + for (const auto &pair : objs) { + // The fields should be as expected. + SCOPED_TRACE(pair.first); + const ASN1_INTEGER *obj = pair.second.get(); + EXPECT_EQ(t.type, ASN1_STRING_type(obj)); + EXPECT_EQ(Bytes(t.data), Bytes(ASN1_STRING_get0_data(obj), + ASN1_STRING_length(obj))); + + // The object should encode correctly. + TestSerialize(obj, i2d_ASN1_INTEGER, t.der); + + bssl::UniquePtr<BIGNUM> bn2(ASN1_INTEGER_to_BN(obj, nullptr)); + ASSERT_TRUE(bn2); + EXPECT_EQ(0, BN_cmp(bn.get(), bn2.get())); + + if (fits_in_u64) { + uint64_t v; + ASSERT_TRUE(ASN1_INTEGER_get_uint64(&v, obj)); + EXPECT_EQ(v, u64); + } else { + uint64_t v; + EXPECT_FALSE(ASN1_INTEGER_get_uint64(&v, obj)); + } + + if (fits_in_long) { + EXPECT_EQ(l, ASN1_INTEGER_get(obj)); + } else { + EXPECT_EQ(-1, ASN1_INTEGER_get(obj)); + } + + // All variations of integers should compare as equal to each other, as + // strings or integers. (Functions like |ASN1_TYPE_cmp| rely on + // string-based comparison.) + for (const auto &pair2 : objs) { + SCOPED_TRACE(pair2.first); + EXPECT_EQ(0, ASN1_INTEGER_cmp(obj, pair2.second.get())); + EXPECT_EQ(0, ASN1_STRING_cmp(obj, pair2.second.get())); + } + } + + // Although our parsers will never output non-minimal |ASN1_INTEGER|s, it is + // possible to construct them manually. They should encode correctly. + std::vector<uint8_t> data = t.data; + const int kMaxExtraBytes = 5; + for (int i = 0; i < kMaxExtraBytes; i++) { + data.insert(data.begin(), 0x00); + SCOPED_TRACE(Bytes(data)); + + bssl::UniquePtr<ASN1_INTEGER> non_minimal(ASN1_STRING_type_new(t.type)); + ASSERT_TRUE(non_minimal); + ASSERT_TRUE(ASN1_STRING_set(non_minimal.get(), data.data(), data.size())); + + TestSerialize(non_minimal.get(), i2d_ASN1_INTEGER, t.der); + } + } + + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTests); i++) { + SCOPED_TRACE(Bytes(kTests[i].der)); + const uint8_t *ptr = kTests[i].der.data(); + bssl::UniquePtr<ASN1_INTEGER> a( + d2i_ASN1_INTEGER(nullptr, &ptr, kTests[i].der.size())); + ASSERT_TRUE(a); + for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(kTests); j++) { + SCOPED_TRACE(Bytes(kTests[j].der)); + ptr = kTests[j].der.data(); + bssl::UniquePtr<ASN1_INTEGER> b( + d2i_ASN1_INTEGER(nullptr, &ptr, kTests[j].der.size())); + ASSERT_TRUE(b); + + // |ASN1_INTEGER_cmp| should compare numerically. |ASN1_STRING_cmp| does + // not but should preserve equality. + if (i < j) { + EXPECT_LT(ASN1_INTEGER_cmp(a.get(), b.get()), 0); + EXPECT_NE(ASN1_STRING_cmp(a.get(), b.get()), 0); + } else if (i > j) { + EXPECT_GT(ASN1_INTEGER_cmp(a.get(), b.get()), 0); + EXPECT_NE(ASN1_STRING_cmp(a.get(), b.get()), 0); + } else { + EXPECT_EQ(ASN1_INTEGER_cmp(a.get(), b.get()), 0); + EXPECT_EQ(ASN1_STRING_cmp(a.get(), b.get()), 0); + } + } + } + + std::vector<uint8_t> kInvalidTests[] = { + // The empty string is not an integer. + {0x02, 0x00}, + // Integers must be minimally-encoded. + {0x02, 0x02, 0x00, 0x00}, + {0x02, 0x02, 0x00, 0x7f}, + {0x02, 0x02, 0xff, 0xff}, + {0x02, 0x02, 0xff, 0x80}, + }; + for (const auto &invalid : kInvalidTests) { + SCOPED_TRACE(Bytes(invalid)); + + const uint8_t *ptr = invalid.data(); + bssl::UniquePtr<ASN1_INTEGER> integer( + d2i_ASN1_INTEGER(nullptr, &ptr, invalid.size())); + EXPECT_FALSE(integer); + } + + // Callers expect |ASN1_INTEGER_get| and |ASN1_ENUMERATED_get| to return zero + // given NULL. + EXPECT_EQ(0, ASN1_INTEGER_get(nullptr)); + EXPECT_EQ(0, ASN1_ENUMERATED_get(nullptr)); +} + +// Although invalid, a negative zero should encode correctly. +TEST(ASN1Test, NegativeZero) { + bssl::UniquePtr<ASN1_INTEGER> neg_zero( + ASN1_STRING_type_new(V_ASN1_NEG_INTEGER)); + ASSERT_TRUE(neg_zero); + EXPECT_EQ(0, ASN1_INTEGER_get(neg_zero.get())); + + static const uint8_t kDER[] = {0x02, 0x01, 0x00}; + TestSerialize(neg_zero.get(), i2d_ASN1_INTEGER, kDER); +} + TEST(ASN1Test, SerializeObject) { static const uint8_t kDER[] = {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01}; @@ -1700,7 +2059,7 @@ TEST(ASN1Test, PrintASN1Object) { std::string(reinterpret_cast<const char *>(bio_data), bio_len)); } -TEST(ASN1, GetObject) { +TEST(ASN1Test, GetObject) { // The header is valid, but there are not enough bytes for the length. static const uint8_t kTruncated[] = {0x30, 0x01}; const uint8_t *ptr = kTruncated; diff --git a/src/crypto/asn1/tasn_utl.c b/src/crypto/asn1/tasn_utl.c index 9b1da0b7..0b6048c3 100644 --- a/src/crypto/asn1/tasn_utl.c +++ b/src/crypto/asn1/tasn_utl.c @@ -223,7 +223,6 @@ const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr) { const ASN1_ADB *adb; const ASN1_ADB_TABLE *atbl; - long selector; ASN1_VALUE **sfld; int i; if (!(tt->flags & ASN1_TFLG_ADB_MASK)) { @@ -244,14 +243,11 @@ const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, return adb->null_tt; } - /* Convert type to a long: + /* Convert type to a NID: * NB: don't check for NID_undef here because it * might be a legitimate value in the table */ - if (tt->flags & ASN1_TFLG_ADB_OID) { - selector = OBJ_obj2nid((ASN1_OBJECT *)*sfld); - } else { - selector = ASN1_INTEGER_get((ASN1_INTEGER *)*sfld); - } + assert(tt->flags & ASN1_TFLG_ADB_OID); + int selector = OBJ_obj2nid((ASN1_OBJECT *)*sfld); /* Try to find matching entry in table Maybe should check application types * first to allow application override? Might also be useful to have a flag diff --git a/src/crypto/bio/printf.c b/src/crypto/bio/printf.c index 4f9d8a18..253546b7 100644 --- a/src/crypto/bio/printf.c +++ b/src/crypto/bio/printf.c @@ -71,18 +71,6 @@ int BIO_printf(BIO *bio, const char *format, ...) { va_start(args, format); out_len = vsnprintf(buf, sizeof(buf), format, args); va_end(args); - -#if defined(OPENSSL_WINDOWS) - // On Windows, vsnprintf returns -1 rather than the requested length on - // truncation - if (out_len < 0) { - va_start(args, format); - out_len = _vscprintf(format, args); - va_end(args); - assert(out_len >= (int)sizeof(buf)); - } -#endif - if (out_len < 0) { return -1; } diff --git a/src/crypto/bytestring/ber.c b/src/crypto/bytestring/ber.c index e7f67ddf..d9b780f9 100644 --- a/src/crypto/bytestring/ber.c +++ b/src/crypto/bytestring/ber.c @@ -69,9 +69,9 @@ static int cbs_find_ber(const CBS *orig_in, int *ber_found, unsigned depth) { CBS contents; unsigned tag; size_t header_len; - + int indefinite; if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len, - ber_found)) { + ber_found, &indefinite)) { return 0; } if (*ber_found) { @@ -119,11 +119,11 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag, CBS contents; unsigned tag, child_string_tag = string_tag; size_t header_len; - int ber_found; + int indefinite; CBB *out_contents, out_contents_storage; if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len, - &ber_found)) { + /*out_ber_found=*/NULL, &indefinite)) { return 0; } @@ -153,11 +153,9 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag, out_contents = &out_contents_storage; } - if (CBS_len(&contents) == header_len && header_len > 0 && - CBS_data(&contents)[header_len - 1] == 0x80) { - // This is an indefinite length element. + if (indefinite) { if (!cbs_convert_ber(in, out_contents, child_string_tag, - 1 /* looking for eoc */, depth + 1) || + /*looking_for_eoc=*/1, depth + 1) || !CBB_flush(out)) { return 0; } @@ -171,7 +169,7 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag, if (tag & CBS_ASN1_CONSTRUCTED) { // Recurse into children. if (!cbs_convert_ber(&contents, out_contents, child_string_tag, - 0 /* not looking for eoc */, depth + 1)) { + /*looking_for_eoc=*/0, depth + 1)) { return 0; } } else { diff --git a/src/crypto/bytestring/bytestring_test.cc b/src/crypto/bytestring/bytestring_test.cc index 985e38cc..77261a30 100644 --- a/src/crypto/bytestring/bytestring_test.cc +++ b/src/crypto/bytestring/bytestring_test.cc @@ -693,29 +693,38 @@ struct BERTest { const char *in_hex; bool ok; bool ber_found; + bool indefinite; unsigned tag; }; static const BERTest kBERTests[] = { - // Trivial cases, also valid DER. - {"0000", true, false, 0}, - {"0100", true, false, 1}, - {"020101", true, false, 2}, - - // Non-minimally encoded lengths. - {"02810101", true, true, 2}, - {"0282000101", true, true, 2}, - {"028300000101", true, true, 2}, - {"02840000000101", true, true, 2}, - // Technically valid BER, but not handled. - {"02850000000101", false, false, 0}, - - {"0280", false, false, 0}, // Indefinite length, but not constructed. - {"2280", true, true, CBS_ASN1_CONSTRUCTED | 2}, // Indefinite length. - {"3f0000", false, false, 0}, // Invalid extended tag zero (X.690 8.1.2.4.2.c) - {"1f0100", false, false, 0}, // Should be a low-number tag form, even in BER. - {"1f4000", true, false, 0x40}, - {"1f804000", false, false, 0}, // Non-minimal tags are invalid, even in BER. + // Trivial cases, also valid DER. + {"0000", true, false, false, 0}, + {"0100", true, false, false, 1}, + {"020101", true, false, false, 2}, + + // Non-minimally encoded lengths. + {"02810101", true, true, false, 2}, + {"0282000101", true, true, false, 2}, + {"028300000101", true, true, false, 2}, + {"02840000000101", true, true, false, 2}, + // Technically valid BER, but not handled. + {"02850000000101", false, false, false, 0}, + + // Indefinite length, but not constructed. + {"0280", false, false, false, 0}, + // Indefinite length. + {"2280", true, true, true, CBS_ASN1_CONSTRUCTED | 2}, + // Indefinite length with multi-byte tag. + {"bf1f80", true, true, true, + CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 31}, + // Invalid extended tag zero (X.690 8.1.2.4.2.c) + {"3f0000", false, false, false, 0}, + // Should be a low-number tag form, even in BER. + {"1f0100", false, false, false, 0}, + {"1f4000", true, false, false, 0x40}, + // Non-minimal tags are invalid, even in BER. + {"1f804000", false, false, false, 0}, }; TEST(CBSTest, BERElementTest) { @@ -729,14 +738,16 @@ TEST(CBSTest, BERElementTest) { unsigned tag; size_t header_len; int ber_found; - int ok = - CBS_get_any_ber_asn1_element(&in, &out, &tag, &header_len, &ber_found); + int indefinite; + int ok = CBS_get_any_ber_asn1_element(&in, &out, &tag, &header_len, + &ber_found, &indefinite); ASSERT_TRUE((ok == 1) == test.ok); if (!test.ok) { continue; } - EXPECT_TRUE((ber_found == 1) == test.ber_found); + EXPECT_EQ(test.ber_found ? 1 : 0, ber_found); + EXPECT_EQ(test.indefinite ? 1 : 0, indefinite); EXPECT_LE(header_len, in_bytes.size()); EXPECT_EQ(CBS_len(&out), in_bytes.size()); EXPECT_EQ(CBS_len(&in), 0u); diff --git a/src/crypto/bytestring/cbs.c b/src/crypto/bytestring/cbs.c index 803c97ae..293e66c3 100644 --- a/src/crypto/bytestring/cbs.c +++ b/src/crypto/bytestring/cbs.c @@ -285,7 +285,7 @@ static int parse_asn1_tag(CBS *cbs, unsigned *out) { static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, size_t *out_header_len, int *out_ber_found, - int ber_ok) { + int *out_indefinite, int ber_ok) { CBS header = *cbs; CBS throwaway; @@ -294,6 +294,10 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, } if (ber_ok) { *out_ber_found = 0; + *out_indefinite = 0; + } else { + assert(out_ber_found == NULL); + assert(out_indefinite == NULL); } unsigned tag; @@ -333,6 +337,7 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, *out_header_len = header_len; } *out_ber_found = 1; + *out_indefinite = 1; return CBS_get_bytes(cbs, out, header_len); } @@ -395,16 +400,18 @@ int CBS_get_any_asn1(CBS *cbs, CBS *out, unsigned *out_tag) { int CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, size_t *out_header_len) { - return cbs_get_any_asn1_element(cbs, out, out_tag, out_header_len, - NULL, 0 /* DER only */); + return cbs_get_any_asn1_element(cbs, out, out_tag, out_header_len, NULL, NULL, + /*ber_ok=*/0); } int CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, - size_t *out_header_len, int *out_ber_found) { + size_t *out_header_len, int *out_ber_found, + int *out_indefinite) { int ber_found_temp; return cbs_get_any_asn1_element( cbs, out, out_tag, out_header_len, - out_ber_found ? out_ber_found : &ber_found_temp, 1 /* BER allowed */); + out_ber_found ? out_ber_found : &ber_found_temp, out_indefinite, + /*ber_ok=*/1); } static int cbs_get_asn1(CBS *cbs, CBS *out, unsigned tag_value, diff --git a/src/crypto/crypto_test.cc b/src/crypto/crypto_test.cc index 7f15a232..caccba53 100644 --- a/src/crypto/crypto_test.cc +++ b/src/crypto/crypto_test.cc @@ -138,3 +138,23 @@ TEST(CryptoTest, FIPSCountersEVP_AEAD) { } #endif // BORINGSSL_FIPS_COUNTERS + +TEST(Crypto, QueryAlgorithmStatus) { +#if defined(BORINGSSL_FIPS) + const bool is_fips_build = true; +#else + const bool is_fips_build = false; +#endif + + EXPECT_EQ(FIPS_query_algorithm_status("AES-GCM"), is_fips_build); + EXPECT_EQ(FIPS_query_algorithm_status("AES-ECB"), is_fips_build); + + EXPECT_FALSE(FIPS_query_algorithm_status("FakeEncrypt")); + EXPECT_FALSE(FIPS_query_algorithm_status("")); +} + +#if defined(BORINGSSL_FIPS) && !defined(OPENSSL_ASAN) +TEST(Crypto, OnDemandIntegrityTest) { + BORINGSSL_integrity_test(); +} +#endif diff --git a/src/crypto/curve25519/curve25519.c b/src/crypto/curve25519/curve25519.c index 7cb0add4..e316acd7 100644 --- a/src/crypto/curve25519/curve25519.c +++ b/src/crypto/curve25519/curve25519.c @@ -36,6 +36,10 @@ // Various pre-computed constants. #include "./curve25519_tables.h" +#if defined(OPENSSL_NO_ASM) +#define FIAT_25519_NO_ASM +#endif + #if defined(BORINGSSL_CURVE25519_64BIT) #include "../../third_party/fiat/curve25519_64.h" #else diff --git a/src/crypto/err/asn1.errordata b/src/crypto/err/asn1.errordata index 9344621b..8ba7cf62 100644 --- a/src/crypto/err/asn1.errordata +++ b/src/crypto/err/asn1.errordata @@ -44,6 +44,7 @@ ASN1,141,INVALID_BIT_STRING_BITS_LEFT ASN1,194,INVALID_BIT_STRING_PADDING ASN1,142,INVALID_BMPSTRING ASN1,143,INVALID_DIGIT +ASN1,196,INVALID_INTEGER ASN1,144,INVALID_MODIFIER ASN1,145,INVALID_NUMBER ASN1,146,INVALID_OBJECT_ENCODING @@ -90,6 +91,7 @@ ASN1,185,UNKNOWN_TAG ASN1,186,UNSUPPORTED_ANY_DEFINED_BY_TYPE ASN1,187,UNSUPPORTED_PUBLIC_KEY_TYPE ASN1,188,UNSUPPORTED_TYPE +ASN1,195,WRONG_INTEGER_TYPE ASN1,189,WRONG_PUBLIC_KEY_TYPE ASN1,190,WRONG_TAG ASN1,191,WRONG_TYPE diff --git a/src/crypto/fipsmodule/bcm.c b/src/crypto/fipsmodule/bcm.c index 1219bc72..faff6c42 100644 --- a/src/crypto/fipsmodule/bcm.c +++ b/src/crypto/fipsmodule/bcm.c @@ -169,6 +169,23 @@ BORINGSSL_bcm_power_on_self_test(void) { #if !defined(OPENSSL_ASAN) // Integrity tests cannot run under ASAN because it involves reading the full // .text section, which triggers the global-buffer overflow detection. + if (!BORINGSSL_integrity_test()) { + goto err; + } +#endif // OPENSSL_ASAN + + if (!boringssl_self_test_startup()) { + goto err; + } + + return; + +err: + BORINGSSL_FIPS_abort(); +} + +#if !defined(OPENSSL_ASAN) +int BORINGSSL_integrity_test(void) { const uint8_t *const start = BORINGSSL_bcm_text_start; const uint8_t *const end = BORINGSSL_bcm_text_end; @@ -198,14 +215,14 @@ BORINGSSL_bcm_power_on_self_test(void) { const EVP_MD *const kHashFunction = EVP_sha256(); if (!boringssl_self_test_sha256() || !boringssl_self_test_hmac_sha256()) { - goto err; + return 0; } #else uint8_t result[SHA512_DIGEST_LENGTH]; const EVP_MD *const kHashFunction = EVP_sha512(); if (!boringssl_self_test_sha512() || !boringssl_self_test_hmac_sha256()) { - goto err; + return 0; } #endif @@ -216,7 +233,7 @@ BORINGSSL_bcm_power_on_self_test(void) { if (!HMAC_Init_ex(&hmac_ctx, kHMACKey, sizeof(kHMACKey), kHashFunction, NULL /* no ENGINE */)) { fprintf(stderr, "HMAC_Init_ex failed.\n"); - goto err; + return 0; } BORINGSSL_maybe_set_module_text_permissions(PROT_READ | PROT_EXEC); @@ -236,7 +253,7 @@ BORINGSSL_bcm_power_on_self_test(void) { if (!HMAC_Final(&hmac_ctx, result, &result_len) || result_len != sizeof(result)) { fprintf(stderr, "HMAC failed.\n"); - goto err; + return 0; } HMAC_CTX_cleanse(&hmac_ctx); // FIPS 140-3, AS05.10. @@ -244,22 +261,14 @@ BORINGSSL_bcm_power_on_self_test(void) { if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) { #if !defined(BORINGSSL_FIPS_BREAK_TESTS) - goto err; + return 0; #endif } OPENSSL_cleanse(result, sizeof(result)); // FIPS 140-3, AS05.10. -#endif // OPENSSL_ASAN - - if (!boringssl_self_test_startup()) { - goto err; - } - - return; - -err: - BORINGSSL_FIPS_abort(); + return 1; } +#endif // OPENSSL_ASAN void BORINGSSL_FIPS_abort(void) { for (;;) { diff --git a/src/crypto/fipsmodule/bn/bn_test.cc b/src/crypto/fipsmodule/bn/bn_test.cc index 72ec8c2f..7d578028 100644 --- a/src/crypto/fipsmodule/bn/bn_test.cc +++ b/src/crypto/fipsmodule/bn/bn_test.cc @@ -2712,6 +2712,22 @@ TEST_F(BNTest, WriteIntoNegative) { EXPECT_FALSE(BN_is_negative(r.get())); } +TEST_F(BNTest, ModSqrtInvalid) { + bssl::UniquePtr<BIGNUM> bn2140141 = ASCIIToBIGNUM("2140141"); + ASSERT_TRUE(bn2140141); + bssl::UniquePtr<BIGNUM> bn2140142 = ASCIIToBIGNUM("2140142"); + ASSERT_TRUE(bn2140142); + bssl::UniquePtr<BIGNUM> bn4588033 = ASCIIToBIGNUM("4588033"); + ASSERT_TRUE(bn4588033); + + // |BN_mod_sqrt| may fail or return an arbitrary value, so we do not use + // |TestModSqrt| or |TestNotModSquare|. We only promise it will not crash or + // infinite loop. (For some invalid inputs, it may even be non-deterministic.) + // See CVE-2022-0778. + BN_free(BN_mod_sqrt(nullptr, bn2140141.get(), bn4588033.get(), ctx())); + BN_free(BN_mod_sqrt(nullptr, bn2140142.get(), bn4588033.get(), ctx())); +} + #if defined(OPENSSL_BN_ASM_MONT) && defined(SUPPORTS_ABI_TEST) TEST_F(BNTest, BNMulMontABI) { for (size_t words : {4, 5, 6, 7, 8, 16, 32}) { diff --git a/src/crypto/fipsmodule/bn/sqrt.c b/src/crypto/fipsmodule/bn/sqrt.c index db888297..9180d540 100644 --- a/src/crypto/fipsmodule/bn/sqrt.c +++ b/src/crypto/fipsmodule/bn/sqrt.c @@ -306,8 +306,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { } // x := a^((q-1)/2) - if (BN_is_zero(t)) // special case: p = 2^e + 1 - { + if (BN_is_zero(t)) { // special case: p = 2^e + 1 if (!BN_nnmod(t, A, p, ctx)) { goto end; } @@ -350,7 +349,6 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { // We have a*b = x^2, // y^2^(e-1) = -1, // b^2^(e-1) = 1. - if (BN_is_one(b)) { if (!BN_copy(ret, x)) { goto end; @@ -359,23 +357,26 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { goto vrfy; } - - // find smallest i such that b^(2^i) = 1 - i = 1; - if (!BN_mod_sqr(t, b, p, ctx)) { - goto end; - } - while (!BN_is_one(t)) { - i++; - if (i == e) { - OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE); - goto end; + // Find the smallest i, 0 < i < e, such that b^(2^i) = 1 + for (i = 1; i < e; i++) { + if (i == 1) { + if (!BN_mod_sqr(t, b, p, ctx)) { + goto end; + } + } else { + if (!BN_mod_mul(t, t, t, p, ctx)) { + goto end; + } } - if (!BN_mod_mul(t, t, t, p, ctx)) { - goto end; + if (BN_is_one(t)) { + break; } } - + // If not found, a is not a square or p is not a prime. + if (i >= e) { + OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE); + goto end; + } // t := y^2^(e - i - 1) if (!BN_copy(t, y)) { @@ -391,14 +392,15 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { !BN_mod_mul(b, b, y, p, ctx)) { goto end; } + + // e decreases each iteration, so this loop will terminate. + assert(i < e); e = i; } vrfy: if (!err) { - // verify the result -- the input might have been not a square - // (test added in 0.9.8) - + // Verify the result. The input might have been not a square. if (!BN_mod_sqr(x, ret, p, ctx)) { err = 1; } diff --git a/src/crypto/fipsmodule/ec/ec_key.c b/src/crypto/fipsmodule/ec/ec_key.c index d7acf969..2d04d13c 100644 --- a/src/crypto/fipsmodule/ec/ec_key.c +++ b/src/crypto/fipsmodule/ec/ec_key.c @@ -308,6 +308,9 @@ int EC_KEY_check_key(const EC_KEY *eckey) { } // Check the public and private keys match. + // + // NOTE: this is a FIPS pair-wise consistency check for the ECDH case. See SP + // 800-56Ar3, page 36. if (eckey->priv_key != NULL) { EC_RAW_POINT point; if (!ec_point_mul_scalar_base(eckey->group, &point, diff --git a/src/crypto/fipsmodule/ec/p256.c b/src/crypto/fipsmodule/ec/p256.c index 9f5694c2..0d0e7663 100644 --- a/src/crypto/fipsmodule/ec/p256.c +++ b/src/crypto/fipsmodule/ec/p256.c @@ -31,8 +31,10 @@ #include "../delocate.h" #include "./internal.h" +#if defined(OPENSSL_NO_ASM) +#define FIAT_P256_NO_ASM +#endif -// MSVC does not implement uint128_t, and crashes with intrinsics #if defined(BORINGSSL_HAS_UINT128) #define BORINGSSL_NISTP256_64BIT 1 #include "../../../third_party/fiat/p256_64.h" diff --git a/src/crypto/fipsmodule/self_check/fips.c b/src/crypto/fipsmodule/self_check/fips.c index d55c493c..11c93098 100644 --- a/src/crypto/fipsmodule/self_check/fips.c +++ b/src/crypto/fipsmodule/self_check/fips.c @@ -28,6 +28,45 @@ int FIPS_mode(void) { int FIPS_mode_set(int on) { return on == FIPS_mode(); } +uint32_t FIPS_version(void) { + return 0; +} + +int FIPS_query_algorithm_status(const char *algorithm) { +#if defined(BORINGSSL_FIPS) + static const char kApprovedAlgorithms[][13] = { + "AES-CBC", + "AES-CCM", + "AES-CTR", + "AES-ECB", + "AES-GCM", + "AES-KW", + "AES-KWP", + "ctrDRBG", + "ECC-SSC", + "ECDSA-sign", + "ECDSA-verify", + "FFC-SSC", + "HMAC", + "RSA-sign", + "RSA-verify", + "SHA-1", + "SHA2-224", + "SHA2-256", + "SHA2-384", + "SHA2-512", + "SHA2-512/256", + }; + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kApprovedAlgorithms); i++) { + if (strcmp(algorithm, kApprovedAlgorithms[i]) == 0) { + return 1; + } + } +#endif // BORINGSSL_FIPS + + return 0; +} + #if defined(BORINGSSL_FIPS_COUNTERS) size_t FIPS_read_counter(enum fips_counter_t counter) { diff --git a/src/crypto/fipsmodule/self_check/self_check.c b/src/crypto/fipsmodule/self_check/self_check.c index b7cd8682..b2487895 100644 --- a/src/crypto/fipsmodule/self_check/self_check.c +++ b/src/crypto/fipsmodule/self_check/self_check.c @@ -35,6 +35,7 @@ #include "../ec/internal.h" #include "../ecdsa/internal.h" #include "../rand/internal.h" +#include "../rsa/internal.h" #include "../tls/internal.h" diff --git a/src/crypto/mem.c b/src/crypto/mem.c index d3b2112d..15d3436c 100644 --- a/src/crypto/mem.c +++ b/src/crypto/mem.c @@ -180,11 +180,17 @@ void OPENSSL_free(void *orig_ptr) { size_t size = *(size_t *)ptr; OPENSSL_cleanse(ptr, size + OPENSSL_MALLOC_PREFIX); + +// ASan knows to intercept malloc and free, but not sdallocx. +#if defined(OPENSSL_ASAN) + free(ptr); +#else if (sdallocx) { sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */); } else { free(ptr); } +#endif } void *OPENSSL_realloc(void *orig_ptr, size_t new_size) { diff --git a/src/crypto/poly1305/poly1305.c b/src/crypto/poly1305/poly1305.c index 2eb3974d..e4e62980 100644 --- a/src/crypto/poly1305/poly1305.c +++ b/src/crypto/poly1305/poly1305.c @@ -204,6 +204,11 @@ void CRYPTO_poly1305_update(poly1305_state *statep, const uint8_t *in, size_t in_len) { struct poly1305_state_st *state = poly1305_aligned_state(statep); + // Work around a C language bug. See https://crbug.com/1019588. + if (in_len == 0) { + return; + } + #if defined(OPENSSL_POLY1305_NEON) if (CRYPTO_is_NEON_capable()) { CRYPTO_poly1305_update_neon(statep, in, in_len); diff --git a/src/crypto/x509/internal.h b/src/crypto/x509/internal.h index 702464a9..ff8288fd 100644 --- a/src/crypto/x509/internal.h +++ b/src/crypto/x509/internal.h @@ -106,13 +106,14 @@ struct x509_attributes_st { STACK_OF(ASN1_TYPE) *set; } /* X509_ATTRIBUTE */; -struct x509_cert_aux_st { +typedef struct x509_cert_aux_st { STACK_OF(ASN1_OBJECT) *trust; // trusted uses STACK_OF(ASN1_OBJECT) *reject; // rejected uses ASN1_UTF8STRING *alias; // "friendly name" ASN1_OCTET_STRING *keyid; // key id of private key - STACK_OF(X509_ALGOR) *other; // other unspecified info -} /* X509_CERT_AUX */; +} X509_CERT_AUX; + +DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) struct X509_extension_st { ASN1_OBJECT *object; @@ -155,7 +156,7 @@ struct x509_st { STACK_OF(DIST_POINT) *crldp; STACK_OF(GENERAL_NAME) *altname; NAME_CONSTRAINTS *nc; - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; + unsigned char cert_hash[SHA256_DIGEST_LENGTH]; X509_CERT_AUX *aux; CRYPTO_BUFFER *buf; CRYPTO_MUTEX lock; @@ -218,7 +219,7 @@ struct X509_crl_st { // CRL and base CRL numbers for delta processing ASN1_INTEGER *crl_number; ASN1_INTEGER *base_crl_number; - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; + unsigned char crl_hash[SHA256_DIGEST_LENGTH]; STACK_OF(GENERAL_NAMES) *issuers; const X509_CRL_METHOD *meth; void *meth_data; @@ -370,6 +371,8 @@ struct x509_store_ctx_st { ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf); +int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent); + /* RSA-PSS functions. */ diff --git a/src/crypto/x509/t_x509.c b/src/crypto/x509/t_x509.c index 10a7cad6..4f9d4097 100644 --- a/src/crypto/x509/t_x509.c +++ b/src/crypto/x509/t_x509.c @@ -134,13 +134,12 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, } const ASN1_INTEGER *serial = X509_get0_serialNumber(x); - /* |ASN1_INTEGER_get| returns -1 on overflow, so this check skips - * negative and large serial numbers. */ - l = ASN1_INTEGER_get(serial); - if (l >= 0) { + uint64_t serial_u64; + if (ASN1_INTEGER_get_uint64(&serial_u64, serial)) { assert(serial->type != V_ASN1_NEG_INTEGER); - if (BIO_printf(bp, " %ld (0x%lx)\n", l, (unsigned long)l) <= 0) { - goto err; + if (BIO_printf(bp, " %" PRIu64 " (0x%" PRIx64 ")\n", serial_u64, + serial_u64) <= 0) { + goto err; } } else { neg = (serial->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : ""; diff --git a/src/crypto/x509/x509_cmp.c b/src/crypto/x509/x509_cmp.c index 5811f440..e9e1d8cd 100644 --- a/src/crypto/x509/x509_cmp.c +++ b/src/crypto/x509/x509_cmp.c @@ -101,7 +101,7 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) { - return OPENSSL_memcmp(a->sha1_hash, b->sha1_hash, 20); + return OPENSSL_memcmp(a->crl_hash, b->crl_hash, SHA256_DIGEST_LENGTH); } X509_NAME *X509_get_issuer_name(const X509 *a) @@ -154,7 +154,7 @@ unsigned long X509_subject_name_hash_old(X509 *x) */ int X509_cmp(const X509 *a, const X509 *b) { - /* Fill in the |sha1_hash| fields. + /* Fill in the |cert_hash| fields. * * TODO(davidben): This may fail, in which case the the hash will be all * zeros. This produces a consistent comparison (failures are sticky), but @@ -165,7 +165,7 @@ int X509_cmp(const X509 *a, const X509 *b) x509v3_cache_extensions((X509 *)a); x509v3_cache_extensions((X509 *)b); - int rv = OPENSSL_memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); + int rv = OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH); if (rv) return rv; /* Check for match against stored encoding too */ diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc index 007fc62c..b201afe9 100644 --- a/src/crypto/x509/x509_test.cc +++ b/src/crypto/x509/x509_test.cc @@ -3220,6 +3220,659 @@ TEST(X509Test, GeneralName) { } } +// Test that extracting fields of an |X509_ALGOR| works correctly. +TEST(X509Test, X509AlgorExtract) { + static const char kTestOID[] = "1.2.840.113554.4.1.72585.2"; + const struct { + int param_type; + std::vector<uint8_t> param_der; + } kTests[] = { + // No parameter. + {V_ASN1_UNDEF, {}}, + // BOOLEAN { TRUE } + {V_ASN1_BOOLEAN, {0x01, 0x01, 0xff}}, + // BOOLEAN { FALSE } + {V_ASN1_BOOLEAN, {0x01, 0x01, 0x00}}, + // OCTET_STRING { "a" } + {V_ASN1_OCTET_STRING, {0x04, 0x01, 0x61}}, + // BIT_STRING { `01` `00` } + {V_ASN1_BIT_STRING, {0x03, 0x02, 0x01, 0x00}}, + // INTEGER { -1 } + {V_ASN1_INTEGER, {0x02, 0x01, 0xff}}, + // OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2 } + {V_ASN1_OBJECT, + {0x06, 0x0c, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84, 0xb7, + 0x09, 0x02}}, + // NULL {} + {V_ASN1_NULL, {0x05, 0x00}}, + // SEQUENCE {} + {V_ASN1_SEQUENCE, {0x30, 0x00}}, + // SET {} + {V_ASN1_SET, {0x31, 0x00}}, + // [0] { UTF8String { "a" } } + {V_ASN1_OTHER, {0xa0, 0x03, 0x0c, 0x01, 0x61}}, + }; + for (const auto &t : kTests) { + SCOPED_TRACE(Bytes(t.param_der)); + + // Assemble an AlgorithmIdentifier with the parameter. + bssl::ScopedCBB cbb; + CBB seq, oid; + ASSERT_TRUE(CBB_init(cbb.get(), 64)); + ASSERT_TRUE(CBB_add_asn1(cbb.get(), &seq, CBS_ASN1_SEQUENCE)); + ASSERT_TRUE(CBB_add_asn1(&seq, &oid, CBS_ASN1_OBJECT)); + ASSERT_TRUE(CBB_add_asn1_oid_from_text(&oid, kTestOID, strlen(kTestOID))); + ASSERT_TRUE(CBB_add_bytes(&seq, t.param_der.data(), t.param_der.size())); + ASSERT_TRUE(CBB_flush(cbb.get())); + + const uint8_t *ptr = CBB_data(cbb.get()); + bssl::UniquePtr<X509_ALGOR> alg( + d2i_X509_ALGOR(nullptr, &ptr, CBB_len(cbb.get()))); + ASSERT_TRUE(alg); + + const ASN1_OBJECT *obj; + int param_type; + const void *param_value; + X509_ALGOR_get0(&obj, ¶m_type, ¶m_value, alg.get()); + + EXPECT_EQ(param_type, t.param_type); + char oid_buf[sizeof(kTestOID)]; + ASSERT_EQ(int(sizeof(oid_buf) - 1), + OBJ_obj2txt(oid_buf, sizeof(oid_buf), obj, + /*always_return_oid=*/1)); + EXPECT_STREQ(oid_buf, kTestOID); + + // |param_type| and |param_value| must be consistent with |ASN1_TYPE|. + if (param_type == V_ASN1_UNDEF) { + EXPECT_EQ(nullptr, param_value); + } else { + bssl::UniquePtr<ASN1_TYPE> param(ASN1_TYPE_new()); + ASSERT_TRUE(param); + ASSERT_TRUE(ASN1_TYPE_set1(param.get(), param_type, param_value)); + + uint8_t *param_der = nullptr; + int param_len = i2d_ASN1_TYPE(param.get(), ¶m_der); + ASSERT_GE(param_len, 0); + bssl::UniquePtr<uint8_t> free_param_der(param_der); + + EXPECT_EQ(Bytes(param_der, param_len), Bytes(t.param_der)); + } + } +} + +// Test the various |X509_ATTRIBUTE| creation functions. +TEST(X509Test, Attribute) { + // The friendlyName attribute has a BMPString value. See RFC 2985, + // section 5.5.1. + static const uint8_t kTest1[] = {0x26, 0x03}; // U+2603 SNOWMAN + static const uint8_t kTest1UTF8[] = {0xe2, 0x98, 0x83}; + static const uint8_t kTest2[] = {0, 't', 0, 'e', 0, 's', 0, 't'}; + + auto check_attribute = [&](X509_ATTRIBUTE *attr, bool has_test2) { + EXPECT_EQ(NID_friendlyName, OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr))); + + EXPECT_EQ(has_test2 ? 2 : 1, X509_ATTRIBUTE_count(attr)); + + // The first attribute should contain |kTest1|. + const ASN1_TYPE *value = X509_ATTRIBUTE_get0_type(attr, 0); + ASSERT_TRUE(value); + EXPECT_EQ(V_ASN1_BMPSTRING, value->type); + EXPECT_EQ(Bytes(kTest1), + Bytes(ASN1_STRING_get0_data(value->value.bmpstring), + ASN1_STRING_length(value->value.bmpstring))); + + // |X509_ATTRIBUTE_get0_data| requires the type match. + EXPECT_FALSE( + X509_ATTRIBUTE_get0_data(attr, 0, V_ASN1_OCTET_STRING, nullptr)); + const ASN1_BMPSTRING *bmpstring = static_cast<const ASN1_BMPSTRING *>( + X509_ATTRIBUTE_get0_data(attr, 0, V_ASN1_BMPSTRING, nullptr)); + ASSERT_TRUE(bmpstring); + EXPECT_EQ(Bytes(kTest1), Bytes(ASN1_STRING_get0_data(bmpstring), + ASN1_STRING_length(bmpstring))); + + if (has_test2) { + value = X509_ATTRIBUTE_get0_type(attr, 1); + ASSERT_TRUE(value); + EXPECT_EQ(V_ASN1_BMPSTRING, value->type); + EXPECT_EQ(Bytes(kTest2), + Bytes(ASN1_STRING_get0_data(value->value.bmpstring), + ASN1_STRING_length(value->value.bmpstring))); + } else { + EXPECT_FALSE(X509_ATTRIBUTE_get0_type(attr, 1)); + } + + EXPECT_FALSE(X509_ATTRIBUTE_get0_type(attr, 2)); + }; + + bssl::UniquePtr<ASN1_STRING> str(ASN1_STRING_type_new(V_ASN1_BMPSTRING)); + ASSERT_TRUE(str); + ASSERT_TRUE(ASN1_STRING_set(str.get(), kTest1, sizeof(kTest1))); + + // Test |X509_ATTRIBUTE_create|. + bssl::UniquePtr<X509_ATTRIBUTE> attr( + X509_ATTRIBUTE_create(NID_friendlyName, V_ASN1_BMPSTRING, str.get())); + ASSERT_TRUE(attr); + str.release(); // |X509_ATTRIBUTE_create| takes ownership on success. + check_attribute(attr.get(), /*has_test2=*/false); + + // Test the |MBSTRING_*| form of |X509_ATTRIBUTE_set1_data|. + attr.reset(X509_ATTRIBUTE_new()); + ASSERT_TRUE(attr); + ASSERT_TRUE( + X509_ATTRIBUTE_set1_object(attr.get(), OBJ_nid2obj(NID_friendlyName))); + ASSERT_TRUE(X509_ATTRIBUTE_set1_data(attr.get(), MBSTRING_UTF8, kTest1UTF8, + sizeof(kTest1UTF8))); + check_attribute(attr.get(), /*has_test2=*/false); + + // Test the |ASN1_STRING| form of |X509_ATTRIBUTE_set1_data|. + ASSERT_TRUE(X509_ATTRIBUTE_set1_data(attr.get(), V_ASN1_BMPSTRING, kTest2, + sizeof(kTest2))); + check_attribute(attr.get(), /*has_test2=*/true); + + // Test the |ASN1_TYPE| form of |X509_ATTRIBUTE_set1_data|. + attr.reset(X509_ATTRIBUTE_new()); + ASSERT_TRUE(attr); + ASSERT_TRUE( + X509_ATTRIBUTE_set1_object(attr.get(), OBJ_nid2obj(NID_friendlyName))); + str.reset(ASN1_STRING_type_new(V_ASN1_BMPSTRING)); + ASSERT_TRUE(str); + ASSERT_TRUE(ASN1_STRING_set(str.get(), kTest1, sizeof(kTest1))); + ASSERT_TRUE( + X509_ATTRIBUTE_set1_data(attr.get(), V_ASN1_BMPSTRING, str.get(), -1)); + check_attribute(attr.get(), /*has_test2=*/false); +} + +// Test that, by default, |X509_V_FLAG_TRUSTED_FIRST| is set, which means we'll +// skip over server-sent expired intermediates when there is a local trust +// anchor that works better. +TEST(X509Test, TrustedFirst) { + // Generate the following certificates: + // + // Root 2 (in store, expired) + // | + // Root 1 (in store) Root 1 (cross-sign) + // \ / + // Intermediate + // | + // Leaf + bssl::UniquePtr<EVP_PKEY> key = PrivateKeyFromPEM(kP256Key); + ASSERT_TRUE(key); + + bssl::UniquePtr<X509> root2 = + MakeTestCert("Root 2", "Root 2", key.get(), /*is_ca=*/true); + ASSERT_TRUE(root2); + ASSERT_TRUE(ASN1_TIME_adj(X509_getm_notAfter(root2.get()), kReferenceTime, + /*offset_day=*/0, + /*offset_sec=*/-1)); + ASSERT_TRUE(X509_sign(root2.get(), key.get(), EVP_sha256())); + + bssl::UniquePtr<X509> root1 = + MakeTestCert("Root 1", "Root 1", key.get(), /*is_ca=*/true); + ASSERT_TRUE(root1); + ASSERT_TRUE(X509_sign(root1.get(), key.get(), EVP_sha256())); + + bssl::UniquePtr<X509> root1_cross = + MakeTestCert("Root 2", "Root 1", key.get(), /*is_ca=*/true); + ASSERT_TRUE(root1_cross); + ASSERT_TRUE(X509_sign(root1_cross.get(), key.get(), EVP_sha256())); + + bssl::UniquePtr<X509> intermediate = + MakeTestCert("Root 1", "Intermediate", key.get(), /*is_ca=*/true); + ASSERT_TRUE(intermediate); + ASSERT_TRUE(X509_sign(intermediate.get(), key.get(), EVP_sha256())); + + bssl::UniquePtr<X509> leaf = + MakeTestCert("Intermediate", "Leaf", key.get(), /*is_ca=*/false); + ASSERT_TRUE(leaf); + ASSERT_TRUE(X509_sign(leaf.get(), key.get(), EVP_sha256())); + + // As a control, confirm that |leaf| -> |intermediate| -> |root1| is valid, + // but the path through |root1_cross| is expired. + EXPECT_EQ(X509_V_OK, + Verify(leaf.get(), {root1.get()}, {intermediate.get()}, {})); + EXPECT_EQ(X509_V_ERR_CERT_HAS_EXPIRED, + Verify(leaf.get(), {root2.get()}, + {intermediate.get(), root1_cross.get()}, {})); + + // By default, we should find the |leaf| -> |intermediate| -> |root2| chain, + // skipping |root1_cross|. + EXPECT_EQ(X509_V_OK, Verify(leaf.get(), {root1.get(), root2.get()}, + {intermediate.get(), root1_cross.get()}, {})); + + // When |X509_V_FLAG_TRUSTED_FIRST| is disabled, we get stuck on the expired + // intermediate. Note we need the callback to clear the flag. Setting |flags| + // to zero only skips setting new flags. + // + // This test exists to confirm our current behavior, but these modes are just + // workarounds for not having an actual path-building verifier. If we fix it, + // this test can be removed. + EXPECT_EQ(X509_V_ERR_CERT_HAS_EXPIRED, + Verify(leaf.get(), {root1.get(), root2.get()}, + {intermediate.get(), root1_cross.get()}, {}, /*flags=*/0, + [&](X509_VERIFY_PARAM *param) { + X509_VERIFY_PARAM_clear_flags(param, + X509_V_FLAG_TRUSTED_FIRST); + })); + + // Even when |X509_V_FLAG_TRUSTED_FIRST| is disabled, if |root2| is not + // trusted, the alt chains logic recovers the path. + EXPECT_EQ( + X509_V_OK, + Verify(leaf.get(), {root1.get()}, {intermediate.get(), root1_cross.get()}, + {}, /*flags=*/0, [&](X509_VERIFY_PARAM *param) { + X509_VERIFY_PARAM_clear_flags(param, X509_V_FLAG_TRUSTED_FIRST); + })); +} + +// kConstructedBitString is an X.509 certificate where the signature is encoded +// as a BER constructed BIT STRING. Note that, while OpenSSL's parser accepts +// this input, it interprets the value incorrectly. +static const char kConstructedBitString[] = R"( +-----BEGIN CERTIFICATE----- +MIIBJTCBxqADAgECAgIE0jAKBggqhkjOPQQDAjAPMQ0wCwYDVQQDEwRUZXN0MCAX +DTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAPMQ0wCwYDVQQDEwRUZXN0 +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp4r9ln5e+Lx4NlIpM1Zdrt6ke +DUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsWGhz1HX7xlC1Lz3IiwaMQMA4w +DAYDVR0TBAUwAwEB/zAKBggqhkjOPQQDAiNOAyQAMEYCIQCp0iIX5s30KXjihR4g +KnJpd3seqGlVRqCVgrD0KGYDJgA1QAIhAKkx0vR82QU0NtHDD11KX/LuQF2T+2nX +oeKp5LKAbMVi +-----END CERTIFICATE----- +)"; + +// kConstructedOctetString is an X.509 certificate where an extension is encoded +// as a BER constructed OCTET STRING. +static const char kConstructedOctetString[] = R"( +-----BEGIN CERTIFICATE----- +MIIBJDCByqADAgECAgIE0jAKBggqhkjOPQQDAjAPMQ0wCwYDVQQDEwRUZXN0MCAX +DTAwMDEwMTAwMDAwMFoYDzIxMDAwMTAxMDAwMDAwWjAPMQ0wCwYDVQQDEwRUZXN0 +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE5itp4r9ln5e+Lx4NlIpM1Zdrt6ke +DUb73ampHp3culoB59aXqAoY+cPEox5W4nyDSNsWGhz1HX7xlC1Lz3IiwaMUMBIw +EAYDVR0TJAkEAzADAQQCAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKnSIhfmzfQpeOKF +HiAqcml3ex6oaVVGoJWCsPQoZjVAAiEAqTHS9HzZBTQ20cMPXUpf8u5AXZP7adeh +4qnksoBsxWI= +-----END CERTIFICATE----- +)"; + +// kIndefiniteLength is an X.509 certificate where the outermost SEQUENCE uses +// BER indefinite-length encoding. +static const char kIndefiniteLength[] = R"( +-----BEGIN CERTIFICATE----- +MIAwgcagAwIBAgICBNIwCgYIKoZIzj0EAwIwDzENMAsGA1UEAxMEVGVzdDAgFw0w +MDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowDzENMAsGA1UEAxMEVGVzdDBZ +MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOYraeK/ZZ+Xvi8eDZSKTNWXa7epHg1G ++92pqR6d3LpaAefWl6gKGPnDxKMeVuJ8g0jbFhoc9R1+8ZQtS89yIsGjEDAOMAwG +A1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKnSIhfmzfQpeOKFHiAqcml3 +ex6oaVVGoJWCsPQoZjVAAiEAqTHS9HzZBTQ20cMPXUpf8u5AXZP7adeh4qnksoBs +xWIAAA== +-----END CERTIFICATE----- +)"; + +// kNonZeroPadding is an X.09 certificate where the BIT STRING signature field +// has non-zero padding values. +static const char kNonZeroPadding[] = R"( +-----BEGIN CERTIFICATE----- +MIIB0DCCAXagAwIBAgIJANlMBNpJfb/rMAkGByqGSM49BAEwRTELMAkGA1UEBhMC +QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp +dHMgUHR5IEx0ZDAeFw0xNDA0MjMyMzIxNTdaFw0xNDA1MjMyMzIxNTdaMEUxCzAJ +BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l +dCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmK2ni +v2Wfl74vHg2UikzVl2u3qR4NRvvdqakendy6WgHn1peoChj5w8SjHlbifINI2xYa +HPUdfvGULUvPciLBo1AwTjAdBgNVHQ4EFgQUq4TSrKuV8IJOFngHVVdf5CaNgtEw +HwYDVR0jBBgwFoAUq4TSrKuV8IJOFngHVVdf5CaNgtEwDAYDVR0TBAUwAwEB/zAJ +BgcqhkjOPQQBA0kBMEUCIQDyoDVeUTo2w4J5m+4nUIWOcAZ0lVfSKXQA9L4Vh13E +BwIgfB55FGohg/B6dGh5XxSZmmi08cueFV7mHzJSYV51yRQB +-----END CERTIFICATE----- +)"; + +// kHighTagNumber is an X.509 certificate where the outermost SEQUENCE tag uses +// high tag number form. +static const char kHighTagNumber[] = R"( +-----BEGIN CERTIFICATE----- +PxCCASAwgcagAwIBAgICBNIwCgYIKoZIzj0EAwIwDzENMAsGA1UEAxMEVGVzdDAg +Fw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowDzENMAsGA1UEAxMEVGVz +dDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOYraeK/ZZ+Xvi8eDZSKTNWXa7ep +Hg1G+92pqR6d3LpaAefWl6gKGPnDxKMeVuJ8g0jbFhoc9R1+8ZQtS89yIsGjEDAO +MAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIhAKnSIhfmzfQpeOKFHiAq +cml3ex6oaVVGoJWCsPQoZjVAAiEAqTHS9HzZBTQ20cMPXUpf8u5AXZP7adeh4qnk +soBsxWI= +-----END CERTIFICATE----- +)"; + +TEST(X509Test, BER) { + // Constructed strings are forbidden in DER. + EXPECT_FALSE(CertFromPEM(kConstructedBitString)); + EXPECT_FALSE(CertFromPEM(kConstructedOctetString)); + // Indefinite lengths are forbidden in DER. + EXPECT_FALSE(CertFromPEM(kIndefiniteLength)); + // Padding bits in BIT STRINGs must be zero in BER. + EXPECT_FALSE(CertFromPEM(kNonZeroPadding)); + // Tags must be minimal in both BER and DER, though many BER decoders + // incorrectly support non-minimal tags. + EXPECT_FALSE(CertFromPEM(kHighTagNumber)); +} + +TEST(X509Test, Names) { + bssl::UniquePtr<EVP_PKEY> key = PrivateKeyFromPEM(kP256Key); + ASSERT_TRUE(key); + bssl::UniquePtr<X509> root = + MakeTestCert("Root", "Root", key.get(), /*is_ca=*/true); + ASSERT_TRUE(root); + ASSERT_TRUE(X509_sign(root.get(), key.get(), EVP_sha256())); + + struct { + std::vector<std::pair<int, std::string>> cert_subject; + std::vector<std::string> cert_dns_names; + std::vector<std::string> cert_emails; + std::vector<std::string> valid_dns_names; + std::vector<std::string> invalid_dns_names; + std::vector<std::string> valid_emails; + std::vector<std::string> invalid_emails; + unsigned flags; + } kTests[] = { + // DNS names only match DNS names and do so case-insensitively. + { + /*cert_subject=*/{}, + /*cert_dns_names=*/{"example.com", "WWW.EXAMPLE.COM"}, + /*cert_emails=*/{}, + /*valid_dns_names=*/ + {"example.com", "EXAMPLE.COM", "www.example.com", "WWW.EXAMPLE.COM"}, + /*invalid_dns_names=*/{"test.example.com", "example.org"}, + /*valid_emails=*/{}, + /*invalid_emails=*/{"test@example.com", "example.com"}, + /*flags=*/0, + }, + + // DNS wildcards match exactly one component. + { + /*cert_subject=*/{}, + /*cert_dns_names=*/{"*.example.com", "*.EXAMPLE.ORG"}, + /*cert_emails=*/{}, + /*valid_dns_names=*/ + {"www.example.com", "WWW.EXAMPLE.COM", "www.example.org", + "WWW.EXAMPLE.ORG"}, + /*invalid_dns_names=*/{"example.com", "test.www.example.com"}, + /*valid_emails=*/{}, + /*invalid_emails=*/{"test@example.com", "www.example.com"}, + /*flags=*/0, + }, + + // DNS wildcards can be disabled. + // TODO(davidben): Can we remove this feature? Does anyone use it? + { + /*cert_subject=*/{}, + /*cert_dns_names=*/{"example.com", "*.example.com"}, + /*cert_emails=*/{}, + /*valid_dns_names=*/{"example.com"}, + /*invalid_dns_names=*/{"www.example.com"}, + /*valid_emails=*/{}, + /*invalid_emails=*/{}, + /*flags=*/X509_CHECK_FLAG_NO_WILDCARDS, + }, + + // Invalid DNS wildcards do not match. + { + /*cert_subject=*/{}, + /*cert_dns_names=*/ + {"a.*", "**.b.example", "*c.example", "d*.example", "e*e.example", + "*", ".", "..", "*."}, + /*cert_emails=*/{}, + /*valid_dns_names=*/{}, + /*invalid_dns_names=*/ + {"a.example", "test.b.example", "cc.example", "dd.example", + "eee.example", "f", "g."}, + /*valid_emails=*/{}, + /*invalid_emails=*/{}, + /*flags=*/0, + }, + + // IDNs match like any other DNS labels. + { + /*cert_subject=*/{}, + /*cert_dns_names=*/ + {"xn--rger-koa.a.example", "*.xn--rger-koa.b.example", + "www.xn--rger-koa.c.example"}, + /*cert_emails=*/{}, + /*valid_dns_names=*/ + {"xn--rger-koa.a.example", "www.xn--rger-koa.b.example", + "www.xn--rger-koa.c.example"}, + /*invalid_dns_names=*/ + {"www.xn--rger-koa.a.example", "xn--rger-koa.b.example", + "www.xn--rger-koa.d.example"}, + /*valid_emails=*/{}, + /*invalid_emails=*/{}, + /*flags=*/0, + }, + + // For now, DNS names are also extracted out of the common name, but only + // there is no SAN list. + // TODO(https://crbug.com/boringssl/464): Remove this. + { + /*cert_subject=*/{{NID_commonName, "a.example"}, + {NID_commonName, "*.b.example"}}, + /*cert_dns_names=*/{}, + /*cert_emails=*/{}, + /*valid_dns_names=*/ + {"a.example", "A.EXAMPLE", "test.b.example", "TEST.B.EXAMPLE"}, + /*invalid_dns_names=*/{}, + /*valid_emails=*/{}, + /*invalid_emails=*/{}, + /*flags=*/0, + }, + { + /*cert_subject=*/{{NID_commonName, "a.example"}, + {NID_commonName, "*.b.example"}}, + /*cert_dns_names=*/{"example.com"}, + /*cert_emails=*/{}, + /*valid_dns_names=*/{}, + /*invalid_dns_names=*/ + {"a.example", "A.EXAMPLE", "test.b.example", "TEST.B.EXAMPLE"}, + /*valid_emails=*/{}, + /*invalid_emails=*/{}, + /*flags=*/0, + }, + + // Other subject RDNs do not provide DNS names. + { + /*cert_subject=*/{{NID_organizationName, "example.com"}}, + /*cert_dns_names=*/{}, + /*cert_emails=*/{}, + /*valid_dns_names=*/{}, + /*invalid_dns_names=*/{"example.com"}, + /*valid_emails=*/{}, + /*invalid_emails=*/{}, + /*flags=*/0, + }, + + // Input DNS names cannot have wildcards. + { + /*cert_subject=*/{}, + /*cert_dns_names=*/{"www.example.com"}, + /*cert_emails=*/{}, + /*valid_dns_names=*/{}, + /*invalid_dns_names=*/{"*.example.com"}, + /*valid_emails=*/{}, + /*invalid_emails=*/{}, + /*flags=*/0, + }, + + // OpenSSL has some non-standard wildcard syntax for input DNS names. We + // do not support this. + { + /*cert_subject=*/{}, + /*cert_dns_names=*/{"www.a.example", "*.b.test"}, + /*cert_emails=*/{}, + /*valid_dns_names=*/{}, + /*invalid_dns_names=*/ + {".www.a.example", ".www.b.test", ".a.example", ".b.test", ".example", + ".test"}, + /*valid_emails=*/{}, + /*invalid_emails=*/{}, + /*flags=*/0, + }, + + // Emails match case-sensitively before the '@' and case-insensitively + // after. They do not match DNS names. + { + /*cert_subject=*/{}, + /*cert_dns_names=*/{}, + /*cert_emails=*/{"test@a.example", "TEST@B.EXAMPLE"}, + /*valid_dns_names=*/{}, + /*invalid_dns_names=*/{"a.example", "b.example"}, + /*valid_emails=*/ + {"test@a.example", "test@A.EXAMPLE", "TEST@b.example", + "TEST@B.EXAMPLE"}, + /*invalid_emails=*/ + {"TEST@a.example", "test@B.EXAMPLE", "another-test@a.example", + "est@a.example"}, + /*flags=*/0, + }, + + // Emails may also be found in the subject. + { + /*cert_subject=*/{{NID_pkcs9_emailAddress, "test@a.example"}, + {NID_pkcs9_emailAddress, "TEST@B.EXAMPLE"}}, + /*cert_dns_names=*/{}, + /*cert_emails=*/{}, + /*valid_dns_names=*/{}, + /*invalid_dns_names=*/{"a.example", "b.example"}, + /*valid_emails=*/ + {"test@a.example", "test@A.EXAMPLE", "TEST@b.example", + "TEST@B.EXAMPLE"}, + /*invalid_emails=*/ + {"TEST@a.example", "test@B.EXAMPLE", "another-test@a.example", + "est@a.example"}, + /*flags=*/0, + }, + + // There are no email wildcard names. + { + /*cert_subject=*/{}, + /*cert_dns_names=*/{}, + /*cert_emails=*/{"test@*.a.example", "@b.example", "*@c.example"}, + /*valid_dns_names=*/{}, + /*invalid_dns_names=*/{}, + /*valid_emails=*/{}, + /*invalid_emails=*/ + {"test@test.a.example", "test@b.example", "test@c.example"}, + /*flags=*/0, + }, + + // Unrelated RDNs can be skipped when looking in the subject. + { + /*cert_subject=*/{{NID_organizationName, "Acme Corporation"}, + {NID_commonName, "a.example"}, + {NID_pkcs9_emailAddress, "test@b.example"}, + {NID_countryName, "US"}}, + /*cert_dns_names=*/{}, + /*cert_emails=*/{}, + /*valid_dns_names=*/{"a.example"}, + /*invalid_dns_names=*/{}, + /*valid_emails=*/{"test@b.example"}, + /*invalid_emails=*/{}, + /*flags=*/0, + }, + }; + + size_t i = 0; + for (const auto &t : kTests) { + SCOPED_TRACE(i++); + + // Issue a test certificate. + bssl::UniquePtr<X509> cert = + MakeTestCert("Root", "Leaf", key.get(), /*is_ca=*/false); + ASSERT_TRUE(cert); + if (!t.cert_subject.empty()) { + bssl::UniquePtr<X509_NAME> subject(X509_NAME_new()); + ASSERT_TRUE(subject); + for (const auto &entry : t.cert_subject) { + ASSERT_TRUE(X509_NAME_add_entry_by_NID( + subject.get(), entry.first, MBSTRING_ASC, + reinterpret_cast<const unsigned char *>(entry.second.data()), + entry.second.size(), /*loc=*/-1, /*set=*/0)); + } + ASSERT_TRUE(X509_set_subject_name(cert.get(), subject.get())); + } + bssl::UniquePtr<GENERAL_NAMES> sans(sk_GENERAL_NAME_new_null()); + ASSERT_TRUE(sans); + for (const auto &dns : t.cert_dns_names) { + bssl::UniquePtr<GENERAL_NAME> name(GENERAL_NAME_new()); + ASSERT_TRUE(name); + name->type = GEN_DNS; + name->d.dNSName = ASN1_IA5STRING_new(); + ASSERT_TRUE(name->d.dNSName); + ASSERT_TRUE(ASN1_STRING_set(name->d.dNSName, dns.data(), dns.size())); + ASSERT_TRUE(bssl::PushToStack(sans.get(), std::move(name))); + } + for (const auto &email : t.cert_emails) { + bssl::UniquePtr<GENERAL_NAME> name(GENERAL_NAME_new()); + ASSERT_TRUE(name); + name->type = GEN_EMAIL; + name->d.rfc822Name = ASN1_IA5STRING_new(); + ASSERT_TRUE(name->d.rfc822Name); + ASSERT_TRUE( + ASN1_STRING_set(name->d.rfc822Name, email.data(), email.size())); + ASSERT_TRUE(bssl::PushToStack(sans.get(), std::move(name))); + } + if (sk_GENERAL_NAME_num(sans.get()) != 0) { + ASSERT_TRUE(X509_add1_ext_i2d(cert.get(), NID_subject_alt_name, + sans.get(), /*crit=*/0, /*flags=*/0)); + } + ASSERT_TRUE(X509_sign(cert.get(), key.get(), EVP_sha256())); + + for (const auto &dns : t.valid_dns_names) { + SCOPED_TRACE(dns); + EXPECT_EQ(1, X509_check_host(cert.get(), dns.data(), dns.size(), t.flags, + /*peername=*/nullptr)); + EXPECT_EQ(X509_V_OK, + Verify(cert.get(), {root.get()}, /*intermediates=*/{}, + /*crls=*/{}, /*flags=*/0, [&](X509_VERIFY_PARAM *param) { + ASSERT_TRUE(X509_VERIFY_PARAM_set1_host( + param, dns.data(), dns.size())); + X509_VERIFY_PARAM_set_hostflags(param, t.flags); + })); + } + + for (const auto &dns : t.invalid_dns_names) { + SCOPED_TRACE(dns); + EXPECT_EQ(0, X509_check_host(cert.get(), dns.data(), dns.size(), t.flags, + /*peername=*/nullptr)); + EXPECT_EQ(X509_V_ERR_HOSTNAME_MISMATCH, + Verify(cert.get(), {root.get()}, /*intermediates=*/{}, + /*crls=*/{}, /*flags=*/0, [&](X509_VERIFY_PARAM *param) { + ASSERT_TRUE(X509_VERIFY_PARAM_set1_host( + param, dns.data(), dns.size())); + X509_VERIFY_PARAM_set_hostflags(param, t.flags); + })); + } + + for (const auto &email : t.valid_emails) { + SCOPED_TRACE(email); + EXPECT_EQ( + 1, X509_check_email(cert.get(), email.data(), email.size(), t.flags)); + EXPECT_EQ(X509_V_OK, + Verify(cert.get(), {root.get()}, /*intermediates=*/{}, + /*crls=*/{}, /*flags=*/0, [&](X509_VERIFY_PARAM *param) { + ASSERT_TRUE(X509_VERIFY_PARAM_set1_email( + param, email.data(), email.size())); + X509_VERIFY_PARAM_set_hostflags(param, t.flags); + })); + } + + for (const auto &email : t.invalid_emails) { + SCOPED_TRACE(email); + EXPECT_EQ( + 0, X509_check_email(cert.get(), email.data(), email.size(), t.flags)); + EXPECT_EQ(X509_V_ERR_EMAIL_MISMATCH, + Verify(cert.get(), {root.get()}, /*intermediates=*/{}, + /*crls=*/{}, /*flags=*/0, [&](X509_VERIFY_PARAM *param) { + ASSERT_TRUE(X509_VERIFY_PARAM_set1_email( + param, email.data(), email.size())); + X509_VERIFY_PARAM_set_hostflags(param, t.flags); + })); + } + } +} + TEST(X509Test, AddDuplicates) { bssl::UniquePtr<X509_STORE> store(X509_STORE_new()); bssl::UniquePtr<X509> a(CertFromPEM(kCrossSigningRootPEM)); @@ -3238,3 +3891,23 @@ TEST(X509Test, AddDuplicates) { EXPECT_EQ(sk_X509_OBJECT_num(X509_STORE_get0_objects(store.get())), 2u); } + +TEST(X509Test, BytesToHex) { + struct { + std::vector<uint8_t> bytes; + const char *hex; + } kTests[] = { + {{}, ""}, + {{0x00}, "00"}, + {{0x00, 0x11, 0x22}, "00:11:22"}, + {{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}, + "01:23:45:67:89:AB:CD:EF"}, + }; + for (const auto &t : kTests) { + SCOPED_TRACE(Bytes(t.bytes)); + bssl::UniquePtr<char> hex( + x509v3_bytes_to_hex(t.bytes.data(), t.bytes.size())); + ASSERT_TRUE(hex); + EXPECT_STREQ(hex.get(), t.hex); + } +} diff --git a/src/crypto/x509/x509_trs.c b/src/crypto/x509/x509_trs.c index c95d6fca..d21548d1 100644 --- a/src/crypto/x509/x509_trs.c +++ b/src/crypto/x509/x509_trs.c @@ -71,7 +71,6 @@ static int trust_1oid(X509_TRUST *trust, X509 *x, int flags); static int trust_compat(X509_TRUST *trust, X509 *x, int flags); static int obj_trust(int id, X509 *x, int flags); -static int (*default_trust) (int id, X509 *x, int flags) = obj_trust; /* * WARNING: the following table should be kept in order of trust and without @@ -106,14 +105,6 @@ static int tr_cmp(const X509_TRUST **a, const X509_TRUST **b) return (*a)->trust - (*b)->trust; } -int (*X509_TRUST_set_default(int (*trust) (int, X509 *, int))) (int, X509 *, - int) { - int (*oldtrust) (int, X509 *, int); - oldtrust = default_trust; - default_trust = trust; - return oldtrust; -} - int X509_check_trust(X509 *x, int id, int flags) { X509_TRUST *pt; @@ -130,7 +121,7 @@ int X509_check_trust(X509 *x, int id, int flags) } idx = X509_TRUST_get_by_id(id); if (idx == -1) - return default_trust(id, x, flags); + return obj_trust(id, x, flags); pt = X509_TRUST_get0(idx); return pt->check_trust(pt, x, flags); } diff --git a/src/crypto/x509/x_crl.c b/src/crypto/x509/x_crl.c index f010849b..ab2a0393 100644 --- a/src/crypto/x509/x_crl.c +++ b/src/crypto/x509/x_crl.c @@ -251,7 +251,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, break; case ASN1_OP_D2I_POST: - if (!X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL)) { + if (!X509_CRL_digest(crl, EVP_sha256(), crl->crl_hash, NULL)) { return 0; } diff --git a/src/crypto/x509/x_x509a.c b/src/crypto/x509/x_x509a.c index fca02a63..d0e921f2 100644 --- a/src/crypto/x509/x_x509a.c +++ b/src/crypto/x509/x_x509a.c @@ -78,7 +78,6 @@ ASN1_SEQUENCE(X509_CERT_AUX) = { ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, reject, ASN1_OBJECT, 0), ASN1_OPT(X509_CERT_AUX, alias, ASN1_UTF8STRING), ASN1_OPT(X509_CERT_AUX, keyid, ASN1_OCTET_STRING), - ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, other, X509_ALGOR, 1) } ASN1_SEQUENCE_END(X509_CERT_AUX) IMPLEMENT_ASN1_FUNCTIONS(X509_CERT_AUX) @@ -95,6 +94,9 @@ static X509_CERT_AUX *aux_get(X509 *x) int X509_alias_set1(X509 *x, const unsigned char *name, int len) { X509_CERT_AUX *aux; + /* TODO(davidben): Empty aliases are not meaningful in PKCS#12, and the + * getters cannot quite represent them. Also erase the object if |len| is + * zero. */ if (!name) { if (!x || !x->aux || !x->aux->alias) return 1; @@ -112,6 +114,9 @@ int X509_alias_set1(X509 *x, const unsigned char *name, int len) int X509_keyid_set1(X509 *x, const unsigned char *id, int len) { X509_CERT_AUX *aux; + /* TODO(davidben): Empty key IDs are not meaningful in PKCS#12, and the + * getters cannot quite represent them. Also erase the object if |len| is + * zero. */ if (!id) { if (!x || !x->aux || !x->aux->keyid) return 1; @@ -126,22 +131,22 @@ int X509_keyid_set1(X509 *x, const unsigned char *id, int len) return ASN1_STRING_set(aux->keyid, id, len); } -unsigned char *X509_alias_get0(X509 *x, int *len) +unsigned char *X509_alias_get0(X509 *x, int *out_len) { - if (!x->aux || !x->aux->alias) - return NULL; - if (len) - *len = x->aux->alias->length; - return x->aux->alias->data; + const ASN1_UTF8STRING *alias = x->aux != NULL ? x->aux->alias : NULL; + if (out_len != NULL) { + *out_len = alias != NULL ? alias->length : 0; + } + return alias != NULL ? alias->data : NULL; } -unsigned char *X509_keyid_get0(X509 *x, int *len) +unsigned char *X509_keyid_get0(X509 *x, int *out_len) { - if (!x->aux || !x->aux->keyid) - return NULL; - if (len) - *len = x->aux->keyid->length; - return x->aux->keyid->data; + const ASN1_OCTET_STRING *keyid = x->aux != NULL ? x->aux->keyid : NULL; + if (out_len != NULL) { + *out_len = keyid != NULL ? keyid->length : 0; + } + return keyid != NULL ? keyid->data : NULL; } int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) diff --git a/src/crypto/x509v3/internal.h b/src/crypto/x509v3/internal.h index 3e6081b4..976e34d3 100644 --- a/src/crypto/x509v3/internal.h +++ b/src/crypto/x509v3/internal.h @@ -70,21 +70,21 @@ extern "C" { #endif -// x509v3_bytes_to_hex encodes |len| bytes from |buffer| to hex and returns a +// x509v3_bytes_to_hex encodes |len| bytes from |in| to hex and returns a // newly-allocated NUL-terminated string containing the result, or NULL on // allocation error. // -// Note this function was historically named |hex_to_string| in OpenSSL, not -// |string_to_hex|. -char *x509v3_bytes_to_hex(const unsigned char *buffer, long len); +// This function was historically named |hex_to_string| in OpenSSL. Despite the +// name, |hex_to_string| converted to hex. +OPENSSL_EXPORT char *x509v3_bytes_to_hex(const uint8_t *in, size_t len); // x509v3_hex_string_to_bytes decodes |str| in hex and returns a newly-allocated // array containing the result, or NULL on error. On success, it sets |*len| to // the length of the result. Colon separators between bytes in the input are // allowed and ignored. // -// Note this function was historically named |string_to_hex| in OpenSSL, not -// |hex_to_string|. +// This function was historically named |string_to_hex| in OpenSSL. Despite the +// name, |string_to_hex| converted from hex. unsigned char *x509v3_hex_to_bytes(const char *str, long *len); // x509v3_name_cmp returns zero if |name| is equal to |cmp| or begins with |cmp| diff --git a/src/crypto/x509v3/v3_akey.c b/src/crypto/x509v3/v3_akey.c index 0aba20ed..e64e99fe 100644 --- a/src/crypto/x509v3/v3_akey.c +++ b/src/crypto/x509v3/v3_akey.c @@ -93,10 +93,10 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, STACK_OF(CONF_VALUE) *extlist) { - char *tmp = NULL; int extlist_was_null = extlist == NULL; if (akeyid->keyid) { - tmp = x509v3_bytes_to_hex(akeyid->keyid->data, akeyid->keyid->length); + char *tmp = x509v3_bytes_to_hex(akeyid->keyid->data, + akeyid->keyid->length); int ok = tmp != NULL && X509V3_add_value("keyid", tmp, &extlist); OPENSSL_free(tmp); if (!ok) { @@ -112,10 +112,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, extlist = tmpextlist; } if (akeyid->serial) { - tmp = x509v3_bytes_to_hex(akeyid->serial->data, akeyid->serial->length); - int ok = tmp != NULL && X509V3_add_value("serial", tmp, &extlist); - OPENSSL_free(tmp); - if (!ok) { + if (!X509V3_add_value_int("serial", akeyid->serial, &extlist)) { goto err; } } diff --git a/src/crypto/x509v3/v3_purp.c b/src/crypto/x509v3/v3_purp.c index 133839ad..909a8dbf 100644 --- a/src/crypto/x509v3/v3_purp.c +++ b/src/crypto/x509v3/v3_purp.c @@ -437,7 +437,7 @@ int x509v3_cache_extensions(X509 *x) return (x->ex_flags & EXFLAG_INVALID) == 0; } - if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL)) + if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL)) x->ex_flags |= EXFLAG_INVALID; /* V1 should mean no extensions ... */ if (X509_get_version(x) == X509_VERSION_1) diff --git a/src/crypto/x509v3/v3_utl.c b/src/crypto/x509v3/v3_utl.c index 474acf85..960c407a 100644 --- a/src/crypto/x509v3/v3_utl.c +++ b/src/crypto/x509v3/v3_utl.c @@ -63,6 +63,7 @@ #include <string.h> #include <openssl/bn.h> +#include <openssl/bytestring.h> #include <openssl/conf.h> #include <openssl/err.h> #include <openssl/mem.h> @@ -467,33 +468,33 @@ static char *strip_spaces(char *name) /* hex string utilities */ -/* - * Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its - * hex representation @@@ (Contents of buffer are always kept in ASCII, also - * on EBCDIC machines) - */ - -char *x509v3_bytes_to_hex(const unsigned char *buffer, long len) +char *x509v3_bytes_to_hex(const uint8_t *in, size_t len) { - char *tmp, *q; - const unsigned char *p; - int i; - static const char hexdig[] = "0123456789ABCDEF"; - if (!buffer || !len) - return NULL; - if (!(tmp = OPENSSL_malloc(len * 3 + 1))) { - OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); - return NULL; + CBB cbb; + if (!CBB_init(&cbb, len * 3 + 1)) { + goto err; } - q = tmp; - for (i = 0, p = buffer; i < len; i++, p++) { - *q++ = hexdig[(*p >> 4) & 0xf]; - *q++ = hexdig[*p & 0xf]; - *q++ = ':'; + for (size_t i = 0; i < len; i++) { + static const char hex[] = "0123456789ABCDEF"; + if ((i > 0 && !CBB_add_u8(&cbb, ':')) || + !CBB_add_u8(&cbb, hex[in[i] >> 4]) || + !CBB_add_u8(&cbb, hex[in[i] & 0xf])) { + goto err; + } + } + uint8_t *ret; + size_t unused_len; + if (!CBB_add_u8(&cbb, 0) || + !CBB_finish(&cbb, &ret, &unused_len)) { + goto err; } - q[-1] = 0; - return tmp; + return (char *)ret; + +err: + OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); + CBB_cleanup(&cbb); + return NULL; } unsigned char *x509v3_hex_to_bytes(const char *str, long *len) diff --git a/src/include/openssl/asn1.h b/src/include/openssl/asn1.h index d8a371c3..d6fa2f70 100644 --- a/src/include/openssl/asn1.h +++ b/src/include/openssl/asn1.h @@ -605,7 +605,9 @@ OPENSSL_EXPORT int ASN1_STRING_length(const ASN1_STRING *str); OPENSSL_EXPORT int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b); // ASN1_STRING_set sets the contents of |str| to a copy of |len| bytes from -// |data|. It returns one on success and zero on error. +// |data|. It returns one on success and zero on error. If |data| is NULL, it +// updates the length and allocates the buffer as needed, but does not +// initialize the contents. OPENSSL_EXPORT int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len); // ASN1_STRING_set0 sets the contents of |str| to |len| bytes from |data|. It @@ -1014,6 +1016,12 @@ OPENSSL_EXPORT int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *str, // |V_ASN1_INTEGER| or |V_ASN1_ENUMERATED|, while negative values have a type of // |V_ASN1_NEG_INTEGER| or |V_ASN1_NEG_ENUMERATED|. Note this differs from DER's // two's complement representation. +// +// The data in the |ASN1_STRING| may not have leading zeros. Note this means +// zero is represented as the empty string. Parsing functions will never return +// invalid representations. If an invalid input is constructed, the marshaling +// functions will skip leading zeros, however other functions, such as +// |ASN1_INTEGER_cmp| or |ASN1_INTEGER_get|, may not return the correct result. DEFINE_STACK_OF(ASN1_INTEGER) @@ -1068,16 +1076,25 @@ OPENSSL_EXPORT int i2c_ASN1_INTEGER(const ASN1_INTEGER *in, uint8_t **outp); // |ASN1_INTEGER*|. DECLARE_ASN1_ITEM(ASN1_INTEGER) +// ASN1_INTEGER_set_uint64 sets |a| to an INTEGER with value |v|. It returns one +// on success and zero on error. +OPENSSL_EXPORT int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v); + // ASN1_INTEGER_set sets |a| to an INTEGER with value |v|. It returns one on // success and zero on error. OPENSSL_EXPORT int ASN1_INTEGER_set(ASN1_INTEGER *a, long v); -// ASN1_INTEGER_set_uint64 sets |a| to an INTEGER with value |v|. It returns one -// on success and zero on error. -OPENSSL_EXPORT int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v); +// ASN1_INTEGER_get_uint64 converts |a| to a |uint64_t|. On success, it returns +// one and sets |*out| to the result. If |a| did not fit or has the wrong type, +// it returns zero. +OPENSSL_EXPORT int ASN1_INTEGER_get_uint64(uint64_t *out, + const ASN1_INTEGER *a); // ASN1_INTEGER_get returns the value of |a| as a |long|, or -1 if |a| is out of // range or the wrong type. +// +// WARNING: This function's return value cannot distinguish errors from -1. +// Prefer |ASN1_INTEGER_get_uint64|. OPENSSL_EXPORT long ASN1_INTEGER_get(const ASN1_INTEGER *a); // BN_to_ASN1_INTEGER sets |ai| to an INTEGER with value |bn| and returns |ai| @@ -1123,18 +1140,31 @@ OPENSSL_EXPORT int i2d_ASN1_ENUMERATED(const ASN1_ENUMERATED *in, // |ASN1_ENUMERATED*|. DECLARE_ASN1_ITEM(ASN1_ENUMERATED) +// ASN1_ENUMERATED_set_uint64 sets |a| to an ENUMERATED with value |v|. It +// returns one on success and zero on error. +OPENSSL_EXPORT int ASN1_ENUMERATED_set_uint64(ASN1_ENUMERATED *out, uint64_t v); + // ASN1_ENUMERATED_set sets |a| to an ENUMERATED with value |v|. It returns one // on success and zero on error. OPENSSL_EXPORT int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v); +// ASN1_ENUMERATED_get_uint64 converts |a| to a |uint64_t|. On success, it +// returns one and sets |*out| to the result. If |a| did not fit or has the +// wrong type, it returns zero. +OPENSSL_EXPORT int ASN1_ENUMERATED_get_uint64(uint64_t *out, + const ASN1_ENUMERATED *a); + // ASN1_ENUMERATED_get returns the value of |a| as a |long|, or -1 if |a| is out // of range or the wrong type. +// +// WARNING: This function's return value cannot distinguish errors from -1. +// Prefer |ASN1_ENUMERATED_get_uint64|. OPENSSL_EXPORT long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a); // BN_to_ASN1_ENUMERATED sets |ai| to an ENUMERATED with value |bn| and returns // |ai| on success or NULL or error. If |ai| is NULL, it returns a -// newly-allocated |ASN1_INTEGER| on success instead, which the caller must -// release with |ASN1_INTEGER_free|. +// newly-allocated |ASN1_ENUMERATED| on success instead, which the caller must +// release with |ASN1_ENUMERATED_free|. OPENSSL_EXPORT ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai); @@ -2035,5 +2065,7 @@ BSSL_NAMESPACE_END #define ASN1_R_NESTED_TOO_DEEP 192 #define ASN1_R_BAD_TEMPLATE 193 #define ASN1_R_INVALID_BIT_STRING_PADDING 194 +#define ASN1_R_WRONG_INTEGER_TYPE 195 +#define ASN1_R_INVALID_INTEGER 196 #endif diff --git a/src/include/openssl/asn1t.h b/src/include/openssl/asn1t.h index dccbd1ac..b65272d5 100644 --- a/src/include/openssl/asn1t.h +++ b/src/include/openssl/asn1t.h @@ -260,7 +260,6 @@ typedef struct ASN1_TLC_st ASN1_TLC; /* Any defined by macros: the field used is in the table itself */ #define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) } -#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) } /* Plain simple type */ #define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0,0, stname, field, type) @@ -377,7 +376,7 @@ struct ASN1_ADB_st { }; struct ASN1_ADB_TABLE_st { - long value; /* NID for an object or value for an int */ + int value; /* NID for an object */ const ASN1_TEMPLATE tt; /* item for this value */ }; @@ -442,8 +441,6 @@ struct ASN1_ADB_TABLE_st { #define ASN1_TFLG_ADB_OID (0x1<<8) -#define ASN1_TFLG_ADB_INT (0x1<<9) - /* This flag means a parent structure is passed * instead of the field: this is useful is a * SEQUENCE is being combined with a CHOICE for diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h index 983eadc5..b6302366 100644 --- a/src/include/openssl/base.h +++ b/src/include/openssl/base.h @@ -195,7 +195,7 @@ extern "C" { // A consumer may use this symbol in the preprocessor to temporarily build // against multiple revisions of BoringSSL at the same time. It is not // recommended to do so for longer than is necessary. -#define BORINGSSL_API_VERSION 16 +#define BORINGSSL_API_VERSION 17 #if defined(BORINGSSL_SHARED_LIBRARY) @@ -448,7 +448,6 @@ typedef struct trust_token_issuer_st TRUST_TOKEN_ISSUER; typedef struct trust_token_method_st TRUST_TOKEN_METHOD; typedef struct v3_ext_ctx X509V3_CTX; typedef struct x509_attributes_st X509_ATTRIBUTE; -typedef struct x509_cert_aux_st X509_CERT_AUX; typedef struct x509_crl_method_st X509_CRL_METHOD; typedef struct x509_lookup_st X509_LOOKUP; typedef struct x509_lookup_method_st X509_LOOKUP_METHOD; diff --git a/src/include/openssl/bn.h b/src/include/openssl/bn.h index a95a8940..d9491a93 100644 --- a/src/include/openssl/bn.h +++ b/src/include/openssl/bn.h @@ -584,9 +584,14 @@ OPENSSL_EXPORT int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m); // BN_mod_sqrt returns a newly-allocated |BIGNUM|, r, such that -// r^2 == a (mod p). |p| must be a prime. It returns NULL on error or if |a| is -// not a square mod |p|. In the latter case, it will add |BN_R_NOT_A_SQUARE| to -// the error queue. +// r^2 == a (mod p). It returns NULL on error or if |a| is not a square mod |p|. +// In the latter case, it will add |BN_R_NOT_A_SQUARE| to the error queue. +// If |a| is a square and |p| > 2, there are two possible square roots. This +// function may return either and may even select one non-deterministically. +// +// This function only works if |p| is a prime. If |p| is composite, it may fail +// or return an arbitrary value. Callers should not pass attacker-controlled +// values of |p|. OPENSSL_EXPORT BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); diff --git a/src/include/openssl/bytestring.h b/src/include/openssl/bytestring.h index 5ef37420..199d89c3 100644 --- a/src/include/openssl/bytestring.h +++ b/src/include/openssl/bytestring.h @@ -259,15 +259,17 @@ OPENSSL_EXPORT int CBS_get_any_asn1_element(CBS *cbs, CBS *out, // CBS_get_any_ber_asn1_element acts the same as |CBS_get_any_asn1_element| but // also allows indefinite-length elements to be returned and does not enforce -// that lengths are minimal. For indefinite-lengths, |*out_header_len| and +// that lengths are minimal. It sets |*out_indefinite| to one if the length was +// indefinite and zero otherwise. If indefinite, |*out_header_len| and // |CBS_len(out)| will be equal as only the header is returned (although this is -// also true for empty elements so the length must be checked too). If +// also true for empty elements so |*out_indefinite| should be checked). If // |out_ber_found| is not NULL then it is set to one if any case of invalid DER // but valid BER is found, and to zero otherwise. OPENSSL_EXPORT int CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, size_t *out_header_len, - int *out_ber_found); + int *out_ber_found, + int *out_indefinite); // CBS_get_asn1_uint64 gets an ASN.1 INTEGER from |cbs| using |CBS_get_asn1| // and sets |*out| to its value. It returns one on success and zero on error, diff --git a/src/include/openssl/crypto.h b/src/include/openssl/crypto.h index 0824b934..117b3470 100644 --- a/src/include/openssl/crypto.h +++ b/src/include/openssl/crypto.h @@ -59,6 +59,12 @@ OPENSSL_EXPORT int CRYPTO_has_asm(void); // success and zero on error. OPENSSL_EXPORT int BORINGSSL_self_test(void); +// BORINGSSL_integrity_test triggers the module's integrity test where the code +// and data of the module is matched against a hash injected at build time. It +// returns one on success or zero if there's a mismatch. This function only +// exists if the module was built in FIPS mode without ASAN. +OPENSSL_EXPORT int BORINGSSL_integrity_test(void); + // CRYPTO_pre_sandbox_init initializes the crypto library, pre-acquiring some // unusual resources to aid running in sandboxed environments. It is safe to // call this function multiple times and concurrently from multiple threads. @@ -172,6 +178,18 @@ OPENSSL_EXPORT void OPENSSL_cleanup(void); // |BORINGSSL_FIPS| and zero otherwise. OPENSSL_EXPORT int FIPS_mode_set(int on); +// FIPS_version returns the version of the FIPS module, or zero if the build +// isn't exactly at a verified version. The version, expressed in base 10, will +// be a date in the form yyyymmddXX where XX is often "00", but can be +// incremented if multiple versions are defined on a single day. +// +// (This format exceeds a |uint32_t| in the year 4294.) +OPENSSL_EXPORT uint32_t FIPS_version(void); + +// FIPS_query_algorithm_status returns one if |algorithm| is FIPS validated in +// the current BoringSSL and zero otherwise. +OPENSSL_EXPORT int FIPS_query_algorithm_status(const char *algorithm); + #if defined(__cplusplus) } // extern C diff --git a/src/include/openssl/ec.h b/src/include/openssl/ec.h index cc8138de..8339bfbb 100644 --- a/src/include/openssl/ec.h +++ b/src/include/openssl/ec.h @@ -323,7 +323,15 @@ OPENSSL_EXPORT int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, // |EC_GROUP_cmp| (even to themselves). |EC_GROUP_get_curve_name| will always // return |NID_undef|. // -// Avoid using arbitrary curves and use |EC_GROUP_new_by_curve_name| instead. +// This function is provided for compatibility with some legacy applications +// only. Avoid using arbitrary curves and use |EC_GROUP_new_by_curve_name| +// instead. This ensures the result meets preconditions necessary for +// elliptic curve algorithms to function correctly and securely. +// +// Given invalid parameters, this function may fail or it may return an +// |EC_GROUP| which breaks these preconditions. Subsequent operations may then +// return arbitrary, incorrect values. Callers should not pass +// attacker-controlled values to this function. OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); diff --git a/src/include/openssl/ec_key.h b/src/include/openssl/ec_key.h index 3a408566..502bfc2d 100644 --- a/src/include/openssl/ec_key.h +++ b/src/include/openssl/ec_key.h @@ -167,8 +167,9 @@ OPENSSL_EXPORT void EC_KEY_set_conv_form(EC_KEY *key, // about the problem can be found on the error stack. OPENSSL_EXPORT int EC_KEY_check_key(const EC_KEY *key); -// EC_KEY_check_fips performs a signing pairwise consistency test (FIPS 140-2 -// 4.9.2). It returns one if it passes and zero otherwise. +// EC_KEY_check_fips performs both a signing pairwise consistency test +// (FIPS 140-2 4.9.2) and the consistency test from SP 800-56Ar3 section +// 5.6.2.1.4. It returns one if it passes and zero otherwise. OPENSSL_EXPORT int EC_KEY_check_fips(const EC_KEY *key); // EC_KEY_set_public_key_affine_coordinates sets the public key in |key| to @@ -194,7 +195,9 @@ OPENSSL_EXPORT size_t EC_KEY_key2buf(const EC_KEY *key, OPENSSL_EXPORT int EC_KEY_generate_key(EC_KEY *key); // EC_KEY_generate_key_fips behaves like |EC_KEY_generate_key| but performs -// additional checks for FIPS compliance. +// additional checks for FIPS compliance. This function is applicable when +// generating keys for either signing/verification or key agreement because +// both types of consistency check (PCT) are performed. OPENSSL_EXPORT int EC_KEY_generate_key_fips(EC_KEY *key); // EC_KEY_derive_from_secret deterministically derives a private key for |group| diff --git a/src/include/openssl/span.h b/src/include/openssl/span.h index 79f1d416..38e9a968 100644 --- a/src/include/openssl/span.h +++ b/src/include/openssl/span.h @@ -96,6 +96,16 @@ class Span : private internal::SpanBase<const T> { private: static const size_t npos = static_cast<size_t>(-1); + // Heuristically test whether C is a container type that can be converted into + // a Span by checking for data() and size() member functions. + // + // TODO(davidben): Require C++14 support and switch to std::enable_if_t. + // Perhaps even C++17 now? + template <typename C> + using EnableIfContainer = typename std::enable_if< + std::is_convertible<decltype(std::declval<C>().data()), T *>::value && + std::is_integral<decltype(std::declval<C>().size())>::value>::type; + public: constexpr Span() : Span(nullptr, 0) {} constexpr Span(T *ptr, size_t len) : data_(ptr), size_(len) {} @@ -104,27 +114,12 @@ class Span : private internal::SpanBase<const T> { constexpr Span(T (&array)[N]) : Span(array, N) {} template < - typename C, - // TODO(davidben): Switch everything to std::enable_if_t when we remove - // support for MSVC 2015. Although we could write our own enable_if_t and - // MSVC 2015 has std::enable_if_t anyway, MSVC 2015's SFINAE - // implementation is problematic and does not work below unless we write - // the ::type at use. - // - // TODO(davidben): Move this and the identical copy below into an - // EnableIfContainer alias when we drop MSVC 2015 support. MSVC 2015's - // SFINAE support cannot handle type aliases. - typename = typename std::enable_if< - std::is_convertible<decltype(std::declval<C>().data()), T *>::value && - std::is_integral<decltype(std::declval<C>().size())>::value>::type, + typename C, typename = EnableIfContainer<C>, typename = typename std::enable_if<std::is_const<T>::value, C>::type> Span(const C &container) : data_(container.data()), size_(container.size()) {} template < - typename C, - typename = typename std::enable_if< - std::is_convertible<decltype(std::declval<C>().data()), T *>::value && - std::is_integral<decltype(std::declval<C>().size())>::value>::type, + typename C, typename = EnableIfContainer<C>, typename = typename std::enable_if<!std::is_const<T>::value, C>::type> explicit Span(C &container) : data_(container.data()), size_(container.size()) {} diff --git a/src/include/openssl/thread.h b/src/include/openssl/thread.h index 91706fec..c6e357e1 100644 --- a/src/include/openssl/thread.h +++ b/src/include/openssl/thread.h @@ -77,14 +77,13 @@ typedef struct crypto_mutex_st { typedef union crypto_mutex_st { void *handle; } CRYPTO_MUTEX; -#elif defined(__MACH__) && defined(__APPLE__) +#elif !defined(__GLIBC__) typedef pthread_rwlock_t CRYPTO_MUTEX; #else -// It is reasonable to include pthread.h on non-Windows systems, however the -// |pthread_rwlock_t| that we need is hidden under feature flags, and we can't -// ensure that we'll be able to get it. It's statically asserted that this -// structure is large enough to contain a |pthread_rwlock_t| by -// thread_pthread.c. +// On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't +// ensure that we'll be able to get it from a public header. It's statically +// asserted that this structure is large enough to contain a |pthread_rwlock_t| +// by thread_pthread.c. typedef union crypto_mutex_st { double alignment; uint8_t padding[3*sizeof(int) + 5*sizeof(unsigned) + 16 + 8]; diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h index 66969885..3633186b 100644 --- a/src/include/openssl/x509.h +++ b/src/include/openssl/x509.h @@ -858,7 +858,6 @@ DECLARE_ASN1_FUNCTIONS(X509_NAME) OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name); DECLARE_ASN1_FUNCTIONS(X509) -DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) // X509_up_ref adds one to the reference count of |x509| and returns one. OPENSSL_EXPORT int X509_up_ref(X509 *x509); @@ -869,9 +868,6 @@ OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_free *free_func); OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg); OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx); -OPENSSL_EXPORT int i2d_X509_AUX(X509 *a, unsigned char **pp); -OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, - long length); // i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described // in |i2d_SAMPLE|. @@ -924,19 +920,81 @@ OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig, // a known NID. OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509); -OPENSSL_EXPORT int X509_alias_set1(X509 *x, const unsigned char *name, int len); -OPENSSL_EXPORT int X509_keyid_set1(X509 *x, const unsigned char *id, int len); -OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x, int *len); -OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x, int *len); -OPENSSL_EXPORT int (*X509_TRUST_set_default(int (*trust)(int, X509 *, - int)))(int, X509 *, - int); -OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust); + +// Auxiliary properties. +// +// |X509| objects optionally maintain auxiliary properties. These are not part +// of the certificates themselves, and thus are not covered by signatures or +// preserved by the standard serialization. They are used as inputs or outputs +// to other functions in this library. + +// i2d_X509_AUX marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280), +// followed optionally by a separate, OpenSSL-specific structure with auxiliary +// properties. It behaves as described in |i2d_SAMPLE|. +// +// Unlike similarly-named functions, this function does not output a single +// ASN.1 element. Directly embedding the output in a larger ASN.1 structure will +// not behave correctly. +OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, unsigned char **outp); + +// d2i_X509_AUX parses up to |length| bytes from |*inp| as a DER-encoded X.509 +// Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific +// structure with auxiliary properties. It behaves as described in +// |d2i_SAMPLE_with_reuse|. +// +// Some auxiliary properties affect trust decisions, so this function should not +// be used with untrusted input. +// +// Unlike similarly-named functions, this function does not parse a single +// ASN.1 element. Trying to parse data directly embedded in a larger ASN.1 +// structure will not behave correctly. +OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const unsigned char **inp, + long length); + +// X509_alias_set1 sets |x509|'s alias to |len| bytes from |name|. If |name| is +// NULL, the alias is cleared instead. Aliases are not part of the certificate +// itself and will not be serialized by |i2d_X509|. +OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const unsigned char *name, + int len); + +// X509_keyid_set1 sets |x509|'s key ID to |len| bytes from |id|. If |id| is +// NULL, the key ID is cleared instead. Key IDs are not part of the certificate +// itself and will not be serialized by |i2d_X509|. +OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const unsigned char *id, + int len); + +// X509_alias_get0 looks up |x509|'s alias. If found, it sets |*out_len| to the +// alias's length and returns a pointer to a buffer containing the contents. If +// not found, it outputs the empty string by returning NULL and setting +// |*out_len| to zero. +// +// If |x509| was parsed from a PKCS#12 structure (see +// |PKCS12_get_key_and_certs|), the alias will reflect the friendlyName +// attribute (RFC 2985). +// +// WARNING: In OpenSSL, this function did not set |*out_len| when the alias was +// missing. Callers that target both OpenSSL and BoringSSL should set the value +// to zero before calling this function. +OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x509, int *out_len); + +// X509_keyid_get0 looks up |x509|'s key ID. If found, it sets |*out_len| to the +// key ID's length and returns a pointer to a buffer containing the contents. If +// not found, it outputs the empty string by returning NULL and setting +// |*out_len| to zero. +// +// WARNING: In OpenSSL, this function did not set |*out_len| when the alias was +// missing. Callers that target both OpenSSL and BoringSSL should set the value +// to zero before calling this function. +OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x509, int *out_len); + OPENSSL_EXPORT int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); OPENSSL_EXPORT int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); OPENSSL_EXPORT void X509_trust_clear(X509 *x); OPENSSL_EXPORT void X509_reject_clear(X509 *x); + +OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust); + DECLARE_ASN1_FUNCTIONS(X509_REVOKED) DECLARE_ASN1_FUNCTIONS(X509_CRL) @@ -1300,7 +1358,6 @@ OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag, unsigned long cflag); OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x); OPENSSL_EXPORT int X509_ocspid_print(BIO *bp, X509 *x); -OPENSSL_EXPORT int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent); OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x); OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long cflag); diff --git a/src/rust/build.rs b/src/rust/build.rs index f6ce794e..b0292232 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -13,14 +13,27 @@ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +use std::env; +use std::path::Path; + fn main() { + let dir = env::var("CARGO_MANIFEST_DIR").unwrap(); + let crate_path = Path::new(&dir); + let parent_path = crate_path.parent().unwrap(); + // Statically link libraries. - println!("cargo:rustc-link-search=native=../crypto"); + println!( + "cargo:rustc-link-search=native={}", + parent_path.join("crypto").display() + ); println!("cargo:rustc-link-lib=static=crypto"); - println!("cargo:rustc-link-search=native=../ssl"); + println!( + "cargo:rustc-link-search=native={}", + parent_path.join("ssl").display() + ); println!("cargo:rustc-link-lib=static=ssl"); - println!("cargo:rustc-link-search=native=."); + println!("cargo:rustc-link-search=native={}", crate_path.display()); println!("cargo:rustc-link-lib=static=rust_wrapper"); } diff --git a/src/ssl/handshake_server.cc b/src/ssl/handshake_server.cc index 15820bea..7678904d 100644 --- a/src/ssl/handshake_server.cc +++ b/src/ssl/handshake_server.cc @@ -418,7 +418,7 @@ static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) { // JDK 11 always sends extensions in a particular order. constexpr uint16_t kMaxFragmentLength = 0x0001; constexpr uint16_t kStatusRequestV2 = 0x0011; - static CONSTEXPR_ARRAY struct { + static constexpr struct { uint16_t id; bool required; } kJavaExtensions[] = { diff --git a/src/ssl/internal.h b/src/ssl/internal.h index 8f68fc5e..0087e7f7 100644 --- a/src/ssl/internal.h +++ b/src/ssl/internal.h @@ -245,14 +245,6 @@ UniquePtr<T> MakeUnique(Args &&... args) { { abort(); } #endif -// CONSTEXPR_ARRAY works around a VS 2015 bug where ranged for loops don't work -// on constexpr arrays. -#if defined(_MSC_VER) && !defined(__clang__) && _MSC_VER < 1910 -#define CONSTEXPR_ARRAY const -#else -#define CONSTEXPR_ARRAY constexpr -#endif - // Array<T> is an owning array of elements of |T|. template <typename T> class Array { diff --git a/src/ssl/ssl_key_share.cc b/src/ssl/ssl_key_share.cc index c847a0a0..920f25ee 100644 --- a/src/ssl/ssl_key_share.cc +++ b/src/ssl/ssl_key_share.cc @@ -290,7 +290,7 @@ class CECPQ2KeyShare : public SSLKeyShare { HRSS_private_key hrss_private_key_; }; -CONSTEXPR_ARRAY NamedGroup kNamedGroups[] = { +constexpr NamedGroup kNamedGroups[] = { {NID_secp224r1, SSL_CURVE_SECP224R1, "P-224", "secp224r1"}, {NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256", "prime256v1"}, {NID_secp384r1, SSL_CURVE_SECP384R1, "P-384", "secp384r1"}, diff --git a/src/third_party/fiat/LICENSE b/src/third_party/fiat/LICENSE index bd46c613..70cae037 100644 --- a/src/third_party/fiat/LICENSE +++ b/src/third_party/fiat/LICENSE @@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2015-2016 the fiat-crypto authors (see +Copyright (c) 2015-2020 the fiat-crypto authors (see https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS). Permission is hereby granted, free of charge, to any person obtaining a copy diff --git a/src/third_party/fiat/METADATA b/src/third_party/fiat/METADATA index e527c140..339fe5f8 100644 --- a/src/third_party/fiat/METADATA +++ b/src/third_party/fiat/METADATA @@ -6,8 +6,8 @@ third_party { type: GIT value: "https://github.com/mit-plv/fiat-crypto" } - version: "0884b6d374a9d937c44bf024fe3a647ffae2c540" - last_upgrade_date { year: 2020 month: 4 day: 16 } + version: "6ccc6638716d4632304baf1adbb5c47c3a12ea6f" + last_upgrade_date { year: 2022 month: 3 day: 22 } - local_modifications: "Files renamed to .h for BoringSSL integration. Select functions patched with value barriers." + local_modifications: "Files renamed to .h for BoringSSL integration. LICENSE file is LICENSE-MIT from upstream." } diff --git a/src/third_party/fiat/curve25519_32.h b/src/third_party/fiat/curve25519_32.h index 7b78d00d..cb83c606 100644 --- a/src/third_party/fiat/curve25519_32.h +++ b/src/third_party/fiat/curve25519_32.h @@ -1,24 +1,51 @@ -/* Autogenerated: src/ExtractionOCaml/unsaturated_solinas --static 25519 10 '2^255 - 19' 32 carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 */ +/* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier 25519 32 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */ /* curve description: 25519 */ -/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666 */ -/* n = 10 (from "10") */ -/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ /* machine_wordsize = 32 (from "32") */ - +/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */ +/* n = 10 (from "(auto)") */ +/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ +/* tight_bounds_multiplier = 1 (from "") */ +/* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ +/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ +/* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */ #include <stdint.h> typedef unsigned char fiat_25519_uint1; typedef signed char fiat_25519_int1; +#if defined(__GNUC__) || defined(__clang__) +# define FIAT_25519_FIAT_INLINE __inline__ +#else +# define FIAT_25519_FIAT_INLINE +#endif + +/* The type fiat_25519_loose_field_element is a field element with loose bounds. */ +/* Bounds: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] */ +typedef uint32_t fiat_25519_loose_field_element[10]; + +/* The type fiat_25519_tight_field_element is a field element with tight bounds. */ +/* Bounds: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] */ +typedef uint32_t fiat_25519_tight_field_element[10]; #if (-1 & 3) != 3 #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t fiat_25519_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +# define fiat_25519_value_barrier_u32(x) (x) +#endif + /* * The function fiat_25519_addcarryx_u26 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^26 * out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ @@ -31,16 +58,20 @@ typedef signed char fiat_25519_int1; * out1: [0x0 ~> 0x3ffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { - uint32_t x1 = ((arg1 + arg2) + arg3); - uint32_t x2 = (x1 & UINT32_C(0x3ffffff)); - fiat_25519_uint1 x3 = (fiat_25519_uint1)(x1 >> 26); +static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { + uint32_t x1; + uint32_t x2; + fiat_25519_uint1 x3; + x1 = ((arg1 + arg2) + arg3); + x2 = (x1 & UINT32_C(0x3ffffff)); + x3 = (fiat_25519_uint1)(x1 >> 26); *out1 = x2; *out2 = x3; } /* * The function fiat_25519_subborrowx_u26 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^26 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ @@ -53,16 +84,20 @@ static void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fia * out1: [0x0 ~> 0x3ffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { - int32_t x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3); - fiat_25519_int1 x2 = (fiat_25519_int1)(x1 >> 26); - uint32_t x3 = (x1 & UINT32_C(0x3ffffff)); +static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { + int32_t x1; + fiat_25519_int1 x2; + uint32_t x3; + x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3); + x2 = (fiat_25519_int1)(x1 >> 26); + x3 = (x1 & UINT32_C(0x3ffffff)); *out1 = x3; *out2 = (fiat_25519_uint1)(0x0 - x2); } /* * The function fiat_25519_addcarryx_u25 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^25 * out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋ @@ -75,16 +110,20 @@ static void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fi * out1: [0x0 ~> 0x1ffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { - uint32_t x1 = ((arg1 + arg2) + arg3); - uint32_t x2 = (x1 & UINT32_C(0x1ffffff)); - fiat_25519_uint1 x3 = (fiat_25519_uint1)(x1 >> 25); +static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { + uint32_t x1; + uint32_t x2; + fiat_25519_uint1 x3; + x1 = ((arg1 + arg2) + arg3); + x2 = (x1 & UINT32_C(0x1ffffff)); + x3 = (fiat_25519_uint1)(x1 >> 25); *out1 = x2; *out2 = x3; } /* * The function fiat_25519_subborrowx_u25 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^25 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋ @@ -97,16 +136,20 @@ static void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fia * out1: [0x0 ~> 0x1ffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { - int32_t x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3); - fiat_25519_int1 x2 = (fiat_25519_int1)(x1 >> 25); - uint32_t x3 = (x1 & UINT32_C(0x1ffffff)); +static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { + int32_t x1; + fiat_25519_int1 x2; + uint32_t x3; + x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3); + x2 = (fiat_25519_int1)(x1 >> 25); + x3 = (x1 & UINT32_C(0x1ffffff)); *out1 = x3; *out2 = (fiat_25519_uint1)(0x0 - x2); } /* * The function fiat_25519_cmovznz_u32 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -117,178 +160,318 @@ static void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fi * Output Bounds: * out1: [0x0 ~> 0xffffffff] */ -static void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { - fiat_25519_uint1 x1 = (!(!arg1)); - uint32_t x2 = ((fiat_25519_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - // Note this line has been patched from the synthesized code to add value - // barriers. - // - // Clang recognizes this pattern as a select. While it usually transforms it - // to a cmov, it sometimes further transforms it into a branch, which we do - // not want. - uint32_t x3 = ((value_barrier_u32(x2) & arg3) | (value_barrier_u32(~x2) & arg2)); +static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { + fiat_25519_uint1 x1; + uint32_t x2; + uint32_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_25519_int1)(0x0 - x1) & UINT32_C(0xffffffff)); + x3 = ((fiat_25519_value_barrier_u32(x2) & arg3) | (fiat_25519_value_barrier_u32((~x2)) & arg2)); *out1 = x3; } /* * The function fiat_25519_carry_mul multiplies two field elements and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] - * arg2: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] - * Output Bounds: - * out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] */ -static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], const uint32_t arg2[10]) { - uint64_t x1 = ((uint64_t)(arg1[9]) * ((arg2[9]) * UINT8_C(0x26))); - uint64_t x2 = ((uint64_t)(arg1[9]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x3 = ((uint64_t)(arg1[9]) * ((arg2[7]) * UINT8_C(0x26))); - uint64_t x4 = ((uint64_t)(arg1[9]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x5 = ((uint64_t)(arg1[9]) * ((arg2[5]) * UINT8_C(0x26))); - uint64_t x6 = ((uint64_t)(arg1[9]) * ((arg2[4]) * UINT8_C(0x13))); - uint64_t x7 = ((uint64_t)(arg1[9]) * ((arg2[3]) * UINT8_C(0x26))); - uint64_t x8 = ((uint64_t)(arg1[9]) * ((arg2[2]) * UINT8_C(0x13))); - uint64_t x9 = ((uint64_t)(arg1[9]) * ((arg2[1]) * UINT8_C(0x26))); - uint64_t x10 = ((uint64_t)(arg1[8]) * ((arg2[9]) * UINT8_C(0x13))); - uint64_t x11 = ((uint64_t)(arg1[8]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x12 = ((uint64_t)(arg1[8]) * ((arg2[7]) * UINT8_C(0x13))); - uint64_t x13 = ((uint64_t)(arg1[8]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x14 = ((uint64_t)(arg1[8]) * ((arg2[5]) * UINT8_C(0x13))); - uint64_t x15 = ((uint64_t)(arg1[8]) * ((arg2[4]) * UINT8_C(0x13))); - uint64_t x16 = ((uint64_t)(arg1[8]) * ((arg2[3]) * UINT8_C(0x13))); - uint64_t x17 = ((uint64_t)(arg1[8]) * ((arg2[2]) * UINT8_C(0x13))); - uint64_t x18 = ((uint64_t)(arg1[7]) * ((arg2[9]) * UINT8_C(0x26))); - uint64_t x19 = ((uint64_t)(arg1[7]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x20 = ((uint64_t)(arg1[7]) * ((arg2[7]) * UINT8_C(0x26))); - uint64_t x21 = ((uint64_t)(arg1[7]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x22 = ((uint64_t)(arg1[7]) * ((arg2[5]) * UINT8_C(0x26))); - uint64_t x23 = ((uint64_t)(arg1[7]) * ((arg2[4]) * UINT8_C(0x13))); - uint64_t x24 = ((uint64_t)(arg1[7]) * ((arg2[3]) * UINT8_C(0x26))); - uint64_t x25 = ((uint64_t)(arg1[6]) * ((arg2[9]) * UINT8_C(0x13))); - uint64_t x26 = ((uint64_t)(arg1[6]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x27 = ((uint64_t)(arg1[6]) * ((arg2[7]) * UINT8_C(0x13))); - uint64_t x28 = ((uint64_t)(arg1[6]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x29 = ((uint64_t)(arg1[6]) * ((arg2[5]) * UINT8_C(0x13))); - uint64_t x30 = ((uint64_t)(arg1[6]) * ((arg2[4]) * UINT8_C(0x13))); - uint64_t x31 = ((uint64_t)(arg1[5]) * ((arg2[9]) * UINT8_C(0x26))); - uint64_t x32 = ((uint64_t)(arg1[5]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x33 = ((uint64_t)(arg1[5]) * ((arg2[7]) * UINT8_C(0x26))); - uint64_t x34 = ((uint64_t)(arg1[5]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x35 = ((uint64_t)(arg1[5]) * ((arg2[5]) * UINT8_C(0x26))); - uint64_t x36 = ((uint64_t)(arg1[4]) * ((arg2[9]) * UINT8_C(0x13))); - uint64_t x37 = ((uint64_t)(arg1[4]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x38 = ((uint64_t)(arg1[4]) * ((arg2[7]) * UINT8_C(0x13))); - uint64_t x39 = ((uint64_t)(arg1[4]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x40 = ((uint64_t)(arg1[3]) * ((arg2[9]) * UINT8_C(0x26))); - uint64_t x41 = ((uint64_t)(arg1[3]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x42 = ((uint64_t)(arg1[3]) * ((arg2[7]) * UINT8_C(0x26))); - uint64_t x43 = ((uint64_t)(arg1[2]) * ((arg2[9]) * UINT8_C(0x13))); - uint64_t x44 = ((uint64_t)(arg1[2]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x45 = ((uint64_t)(arg1[1]) * ((arg2[9]) * UINT8_C(0x26))); - uint64_t x46 = ((uint64_t)(arg1[9]) * (arg2[0])); - uint64_t x47 = ((uint64_t)(arg1[8]) * (arg2[1])); - uint64_t x48 = ((uint64_t)(arg1[8]) * (arg2[0])); - uint64_t x49 = ((uint64_t)(arg1[7]) * (arg2[2])); - uint64_t x50 = ((uint64_t)(arg1[7]) * ((arg2[1]) * 0x2)); - uint64_t x51 = ((uint64_t)(arg1[7]) * (arg2[0])); - uint64_t x52 = ((uint64_t)(arg1[6]) * (arg2[3])); - uint64_t x53 = ((uint64_t)(arg1[6]) * (arg2[2])); - uint64_t x54 = ((uint64_t)(arg1[6]) * (arg2[1])); - uint64_t x55 = ((uint64_t)(arg1[6]) * (arg2[0])); - uint64_t x56 = ((uint64_t)(arg1[5]) * (arg2[4])); - uint64_t x57 = ((uint64_t)(arg1[5]) * ((arg2[3]) * 0x2)); - uint64_t x58 = ((uint64_t)(arg1[5]) * (arg2[2])); - uint64_t x59 = ((uint64_t)(arg1[5]) * ((arg2[1]) * 0x2)); - uint64_t x60 = ((uint64_t)(arg1[5]) * (arg2[0])); - uint64_t x61 = ((uint64_t)(arg1[4]) * (arg2[5])); - uint64_t x62 = ((uint64_t)(arg1[4]) * (arg2[4])); - uint64_t x63 = ((uint64_t)(arg1[4]) * (arg2[3])); - uint64_t x64 = ((uint64_t)(arg1[4]) * (arg2[2])); - uint64_t x65 = ((uint64_t)(arg1[4]) * (arg2[1])); - uint64_t x66 = ((uint64_t)(arg1[4]) * (arg2[0])); - uint64_t x67 = ((uint64_t)(arg1[3]) * (arg2[6])); - uint64_t x68 = ((uint64_t)(arg1[3]) * ((arg2[5]) * 0x2)); - uint64_t x69 = ((uint64_t)(arg1[3]) * (arg2[4])); - uint64_t x70 = ((uint64_t)(arg1[3]) * ((arg2[3]) * 0x2)); - uint64_t x71 = ((uint64_t)(arg1[3]) * (arg2[2])); - uint64_t x72 = ((uint64_t)(arg1[3]) * ((arg2[1]) * 0x2)); - uint64_t x73 = ((uint64_t)(arg1[3]) * (arg2[0])); - uint64_t x74 = ((uint64_t)(arg1[2]) * (arg2[7])); - uint64_t x75 = ((uint64_t)(arg1[2]) * (arg2[6])); - uint64_t x76 = ((uint64_t)(arg1[2]) * (arg2[5])); - uint64_t x77 = ((uint64_t)(arg1[2]) * (arg2[4])); - uint64_t x78 = ((uint64_t)(arg1[2]) * (arg2[3])); - uint64_t x79 = ((uint64_t)(arg1[2]) * (arg2[2])); - uint64_t x80 = ((uint64_t)(arg1[2]) * (arg2[1])); - uint64_t x81 = ((uint64_t)(arg1[2]) * (arg2[0])); - uint64_t x82 = ((uint64_t)(arg1[1]) * (arg2[8])); - uint64_t x83 = ((uint64_t)(arg1[1]) * ((arg2[7]) * 0x2)); - uint64_t x84 = ((uint64_t)(arg1[1]) * (arg2[6])); - uint64_t x85 = ((uint64_t)(arg1[1]) * ((arg2[5]) * 0x2)); - uint64_t x86 = ((uint64_t)(arg1[1]) * (arg2[4])); - uint64_t x87 = ((uint64_t)(arg1[1]) * ((arg2[3]) * 0x2)); - uint64_t x88 = ((uint64_t)(arg1[1]) * (arg2[2])); - uint64_t x89 = ((uint64_t)(arg1[1]) * ((arg2[1]) * 0x2)); - uint64_t x90 = ((uint64_t)(arg1[1]) * (arg2[0])); - uint64_t x91 = ((uint64_t)(arg1[0]) * (arg2[9])); - uint64_t x92 = ((uint64_t)(arg1[0]) * (arg2[8])); - uint64_t x93 = ((uint64_t)(arg1[0]) * (arg2[7])); - uint64_t x94 = ((uint64_t)(arg1[0]) * (arg2[6])); - uint64_t x95 = ((uint64_t)(arg1[0]) * (arg2[5])); - uint64_t x96 = ((uint64_t)(arg1[0]) * (arg2[4])); - uint64_t x97 = ((uint64_t)(arg1[0]) * (arg2[3])); - uint64_t x98 = ((uint64_t)(arg1[0]) * (arg2[2])); - uint64_t x99 = ((uint64_t)(arg1[0]) * (arg2[1])); - uint64_t x100 = ((uint64_t)(arg1[0]) * (arg2[0])); - uint64_t x101 = (x100 + (x45 + (x44 + (x42 + (x39 + (x35 + (x30 + (x24 + (x17 + x9))))))))); - uint64_t x102 = (x101 >> 26); - uint32_t x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff)); - uint64_t x104 = (x91 + (x82 + (x74 + (x67 + (x61 + (x56 + (x52 + (x49 + (x47 + x46))))))))); - uint64_t x105 = (x92 + (x83 + (x75 + (x68 + (x62 + (x57 + (x53 + (x50 + (x48 + x1))))))))); - uint64_t x106 = (x93 + (x84 + (x76 + (x69 + (x63 + (x58 + (x54 + (x51 + (x10 + x2))))))))); - uint64_t x107 = (x94 + (x85 + (x77 + (x70 + (x64 + (x59 + (x55 + (x18 + (x11 + x3))))))))); - uint64_t x108 = (x95 + (x86 + (x78 + (x71 + (x65 + (x60 + (x25 + (x19 + (x12 + x4))))))))); - uint64_t x109 = (x96 + (x87 + (x79 + (x72 + (x66 + (x31 + (x26 + (x20 + (x13 + x5))))))))); - uint64_t x110 = (x97 + (x88 + (x80 + (x73 + (x36 + (x32 + (x27 + (x21 + (x14 + x6))))))))); - uint64_t x111 = (x98 + (x89 + (x81 + (x40 + (x37 + (x33 + (x28 + (x22 + (x15 + x7))))))))); - uint64_t x112 = (x99 + (x90 + (x43 + (x41 + (x38 + (x34 + (x29 + (x23 + (x16 + x8))))))))); - uint64_t x113 = (x102 + x112); - uint64_t x114 = (x113 >> 25); - uint32_t x115 = (uint32_t)(x113 & UINT32_C(0x1ffffff)); - uint64_t x116 = (x114 + x111); - uint64_t x117 = (x116 >> 26); - uint32_t x118 = (uint32_t)(x116 & UINT32_C(0x3ffffff)); - uint64_t x119 = (x117 + x110); - uint64_t x120 = (x119 >> 25); - uint32_t x121 = (uint32_t)(x119 & UINT32_C(0x1ffffff)); - uint64_t x122 = (x120 + x109); - uint64_t x123 = (x122 >> 26); - uint32_t x124 = (uint32_t)(x122 & UINT32_C(0x3ffffff)); - uint64_t x125 = (x123 + x108); - uint64_t x126 = (x125 >> 25); - uint32_t x127 = (uint32_t)(x125 & UINT32_C(0x1ffffff)); - uint64_t x128 = (x126 + x107); - uint64_t x129 = (x128 >> 26); - uint32_t x130 = (uint32_t)(x128 & UINT32_C(0x3ffffff)); - uint64_t x131 = (x129 + x106); - uint64_t x132 = (x131 >> 25); - uint32_t x133 = (uint32_t)(x131 & UINT32_C(0x1ffffff)); - uint64_t x134 = (x132 + x105); - uint64_t x135 = (x134 >> 26); - uint32_t x136 = (uint32_t)(x134 & UINT32_C(0x3ffffff)); - uint64_t x137 = (x135 + x104); - uint64_t x138 = (x137 >> 25); - uint32_t x139 = (uint32_t)(x137 & UINT32_C(0x1ffffff)); - uint64_t x140 = (x138 * UINT8_C(0x13)); - uint64_t x141 = (x103 + x140); - uint32_t x142 = (uint32_t)(x141 >> 26); - uint32_t x143 = (uint32_t)(x141 & UINT32_C(0x3ffffff)); - uint32_t x144 = (x142 + x115); - fiat_25519_uint1 x145 = (fiat_25519_uint1)(x144 >> 25); - uint32_t x146 = (x144 & UINT32_C(0x1ffffff)); - uint32_t x147 = (x145 + x118); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint64_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; + uint64_t x72; + uint64_t x73; + uint64_t x74; + uint64_t x75; + uint64_t x76; + uint64_t x77; + uint64_t x78; + uint64_t x79; + uint64_t x80; + uint64_t x81; + uint64_t x82; + uint64_t x83; + uint64_t x84; + uint64_t x85; + uint64_t x86; + uint64_t x87; + uint64_t x88; + uint64_t x89; + uint64_t x90; + uint64_t x91; + uint64_t x92; + uint64_t x93; + uint64_t x94; + uint64_t x95; + uint64_t x96; + uint64_t x97; + uint64_t x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint32_t x103; + uint64_t x104; + uint64_t x105; + uint64_t x106; + uint64_t x107; + uint64_t x108; + uint64_t x109; + uint64_t x110; + uint64_t x111; + uint64_t x112; + uint64_t x113; + uint64_t x114; + uint32_t x115; + uint64_t x116; + uint64_t x117; + uint32_t x118; + uint64_t x119; + uint64_t x120; + uint32_t x121; + uint64_t x122; + uint64_t x123; + uint32_t x124; + uint64_t x125; + uint64_t x126; + uint32_t x127; + uint64_t x128; + uint64_t x129; + uint32_t x130; + uint64_t x131; + uint64_t x132; + uint32_t x133; + uint64_t x134; + uint64_t x135; + uint32_t x136; + uint64_t x137; + uint64_t x138; + uint32_t x139; + uint64_t x140; + uint64_t x141; + uint32_t x142; + uint32_t x143; + uint32_t x144; + fiat_25519_uint1 x145; + uint32_t x146; + uint32_t x147; + x1 = ((uint64_t)(arg1[9]) * ((arg2[9]) * UINT8_C(0x26))); + x2 = ((uint64_t)(arg1[9]) * ((arg2[8]) * UINT8_C(0x13))); + x3 = ((uint64_t)(arg1[9]) * ((arg2[7]) * UINT8_C(0x26))); + x4 = ((uint64_t)(arg1[9]) * ((arg2[6]) * UINT8_C(0x13))); + x5 = ((uint64_t)(arg1[9]) * ((arg2[5]) * UINT8_C(0x26))); + x6 = ((uint64_t)(arg1[9]) * ((arg2[4]) * UINT8_C(0x13))); + x7 = ((uint64_t)(arg1[9]) * ((arg2[3]) * UINT8_C(0x26))); + x8 = ((uint64_t)(arg1[9]) * ((arg2[2]) * UINT8_C(0x13))); + x9 = ((uint64_t)(arg1[9]) * ((arg2[1]) * UINT8_C(0x26))); + x10 = ((uint64_t)(arg1[8]) * ((arg2[9]) * UINT8_C(0x13))); + x11 = ((uint64_t)(arg1[8]) * ((arg2[8]) * UINT8_C(0x13))); + x12 = ((uint64_t)(arg1[8]) * ((arg2[7]) * UINT8_C(0x13))); + x13 = ((uint64_t)(arg1[8]) * ((arg2[6]) * UINT8_C(0x13))); + x14 = ((uint64_t)(arg1[8]) * ((arg2[5]) * UINT8_C(0x13))); + x15 = ((uint64_t)(arg1[8]) * ((arg2[4]) * UINT8_C(0x13))); + x16 = ((uint64_t)(arg1[8]) * ((arg2[3]) * UINT8_C(0x13))); + x17 = ((uint64_t)(arg1[8]) * ((arg2[2]) * UINT8_C(0x13))); + x18 = ((uint64_t)(arg1[7]) * ((arg2[9]) * UINT8_C(0x26))); + x19 = ((uint64_t)(arg1[7]) * ((arg2[8]) * UINT8_C(0x13))); + x20 = ((uint64_t)(arg1[7]) * ((arg2[7]) * UINT8_C(0x26))); + x21 = ((uint64_t)(arg1[7]) * ((arg2[6]) * UINT8_C(0x13))); + x22 = ((uint64_t)(arg1[7]) * ((arg2[5]) * UINT8_C(0x26))); + x23 = ((uint64_t)(arg1[7]) * ((arg2[4]) * UINT8_C(0x13))); + x24 = ((uint64_t)(arg1[7]) * ((arg2[3]) * UINT8_C(0x26))); + x25 = ((uint64_t)(arg1[6]) * ((arg2[9]) * UINT8_C(0x13))); + x26 = ((uint64_t)(arg1[6]) * ((arg2[8]) * UINT8_C(0x13))); + x27 = ((uint64_t)(arg1[6]) * ((arg2[7]) * UINT8_C(0x13))); + x28 = ((uint64_t)(arg1[6]) * ((arg2[6]) * UINT8_C(0x13))); + x29 = ((uint64_t)(arg1[6]) * ((arg2[5]) * UINT8_C(0x13))); + x30 = ((uint64_t)(arg1[6]) * ((arg2[4]) * UINT8_C(0x13))); + x31 = ((uint64_t)(arg1[5]) * ((arg2[9]) * UINT8_C(0x26))); + x32 = ((uint64_t)(arg1[5]) * ((arg2[8]) * UINT8_C(0x13))); + x33 = ((uint64_t)(arg1[5]) * ((arg2[7]) * UINT8_C(0x26))); + x34 = ((uint64_t)(arg1[5]) * ((arg2[6]) * UINT8_C(0x13))); + x35 = ((uint64_t)(arg1[5]) * ((arg2[5]) * UINT8_C(0x26))); + x36 = ((uint64_t)(arg1[4]) * ((arg2[9]) * UINT8_C(0x13))); + x37 = ((uint64_t)(arg1[4]) * ((arg2[8]) * UINT8_C(0x13))); + x38 = ((uint64_t)(arg1[4]) * ((arg2[7]) * UINT8_C(0x13))); + x39 = ((uint64_t)(arg1[4]) * ((arg2[6]) * UINT8_C(0x13))); + x40 = ((uint64_t)(arg1[3]) * ((arg2[9]) * UINT8_C(0x26))); + x41 = ((uint64_t)(arg1[3]) * ((arg2[8]) * UINT8_C(0x13))); + x42 = ((uint64_t)(arg1[3]) * ((arg2[7]) * UINT8_C(0x26))); + x43 = ((uint64_t)(arg1[2]) * ((arg2[9]) * UINT8_C(0x13))); + x44 = ((uint64_t)(arg1[2]) * ((arg2[8]) * UINT8_C(0x13))); + x45 = ((uint64_t)(arg1[1]) * ((arg2[9]) * UINT8_C(0x26))); + x46 = ((uint64_t)(arg1[9]) * (arg2[0])); + x47 = ((uint64_t)(arg1[8]) * (arg2[1])); + x48 = ((uint64_t)(arg1[8]) * (arg2[0])); + x49 = ((uint64_t)(arg1[7]) * (arg2[2])); + x50 = ((uint64_t)(arg1[7]) * ((arg2[1]) * 0x2)); + x51 = ((uint64_t)(arg1[7]) * (arg2[0])); + x52 = ((uint64_t)(arg1[6]) * (arg2[3])); + x53 = ((uint64_t)(arg1[6]) * (arg2[2])); + x54 = ((uint64_t)(arg1[6]) * (arg2[1])); + x55 = ((uint64_t)(arg1[6]) * (arg2[0])); + x56 = ((uint64_t)(arg1[5]) * (arg2[4])); + x57 = ((uint64_t)(arg1[5]) * ((arg2[3]) * 0x2)); + x58 = ((uint64_t)(arg1[5]) * (arg2[2])); + x59 = ((uint64_t)(arg1[5]) * ((arg2[1]) * 0x2)); + x60 = ((uint64_t)(arg1[5]) * (arg2[0])); + x61 = ((uint64_t)(arg1[4]) * (arg2[5])); + x62 = ((uint64_t)(arg1[4]) * (arg2[4])); + x63 = ((uint64_t)(arg1[4]) * (arg2[3])); + x64 = ((uint64_t)(arg1[4]) * (arg2[2])); + x65 = ((uint64_t)(arg1[4]) * (arg2[1])); + x66 = ((uint64_t)(arg1[4]) * (arg2[0])); + x67 = ((uint64_t)(arg1[3]) * (arg2[6])); + x68 = ((uint64_t)(arg1[3]) * ((arg2[5]) * 0x2)); + x69 = ((uint64_t)(arg1[3]) * (arg2[4])); + x70 = ((uint64_t)(arg1[3]) * ((arg2[3]) * 0x2)); + x71 = ((uint64_t)(arg1[3]) * (arg2[2])); + x72 = ((uint64_t)(arg1[3]) * ((arg2[1]) * 0x2)); + x73 = ((uint64_t)(arg1[3]) * (arg2[0])); + x74 = ((uint64_t)(arg1[2]) * (arg2[7])); + x75 = ((uint64_t)(arg1[2]) * (arg2[6])); + x76 = ((uint64_t)(arg1[2]) * (arg2[5])); + x77 = ((uint64_t)(arg1[2]) * (arg2[4])); + x78 = ((uint64_t)(arg1[2]) * (arg2[3])); + x79 = ((uint64_t)(arg1[2]) * (arg2[2])); + x80 = ((uint64_t)(arg1[2]) * (arg2[1])); + x81 = ((uint64_t)(arg1[2]) * (arg2[0])); + x82 = ((uint64_t)(arg1[1]) * (arg2[8])); + x83 = ((uint64_t)(arg1[1]) * ((arg2[7]) * 0x2)); + x84 = ((uint64_t)(arg1[1]) * (arg2[6])); + x85 = ((uint64_t)(arg1[1]) * ((arg2[5]) * 0x2)); + x86 = ((uint64_t)(arg1[1]) * (arg2[4])); + x87 = ((uint64_t)(arg1[1]) * ((arg2[3]) * 0x2)); + x88 = ((uint64_t)(arg1[1]) * (arg2[2])); + x89 = ((uint64_t)(arg1[1]) * ((arg2[1]) * 0x2)); + x90 = ((uint64_t)(arg1[1]) * (arg2[0])); + x91 = ((uint64_t)(arg1[0]) * (arg2[9])); + x92 = ((uint64_t)(arg1[0]) * (arg2[8])); + x93 = ((uint64_t)(arg1[0]) * (arg2[7])); + x94 = ((uint64_t)(arg1[0]) * (arg2[6])); + x95 = ((uint64_t)(arg1[0]) * (arg2[5])); + x96 = ((uint64_t)(arg1[0]) * (arg2[4])); + x97 = ((uint64_t)(arg1[0]) * (arg2[3])); + x98 = ((uint64_t)(arg1[0]) * (arg2[2])); + x99 = ((uint64_t)(arg1[0]) * (arg2[1])); + x100 = ((uint64_t)(arg1[0]) * (arg2[0])); + x101 = (x100 + (x45 + (x44 + (x42 + (x39 + (x35 + (x30 + (x24 + (x17 + x9))))))))); + x102 = (x101 >> 26); + x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff)); + x104 = (x91 + (x82 + (x74 + (x67 + (x61 + (x56 + (x52 + (x49 + (x47 + x46))))))))); + x105 = (x92 + (x83 + (x75 + (x68 + (x62 + (x57 + (x53 + (x50 + (x48 + x1))))))))); + x106 = (x93 + (x84 + (x76 + (x69 + (x63 + (x58 + (x54 + (x51 + (x10 + x2))))))))); + x107 = (x94 + (x85 + (x77 + (x70 + (x64 + (x59 + (x55 + (x18 + (x11 + x3))))))))); + x108 = (x95 + (x86 + (x78 + (x71 + (x65 + (x60 + (x25 + (x19 + (x12 + x4))))))))); + x109 = (x96 + (x87 + (x79 + (x72 + (x66 + (x31 + (x26 + (x20 + (x13 + x5))))))))); + x110 = (x97 + (x88 + (x80 + (x73 + (x36 + (x32 + (x27 + (x21 + (x14 + x6))))))))); + x111 = (x98 + (x89 + (x81 + (x40 + (x37 + (x33 + (x28 + (x22 + (x15 + x7))))))))); + x112 = (x99 + (x90 + (x43 + (x41 + (x38 + (x34 + (x29 + (x23 + (x16 + x8))))))))); + x113 = (x102 + x112); + x114 = (x113 >> 25); + x115 = (uint32_t)(x113 & UINT32_C(0x1ffffff)); + x116 = (x114 + x111); + x117 = (x116 >> 26); + x118 = (uint32_t)(x116 & UINT32_C(0x3ffffff)); + x119 = (x117 + x110); + x120 = (x119 >> 25); + x121 = (uint32_t)(x119 & UINT32_C(0x1ffffff)); + x122 = (x120 + x109); + x123 = (x122 >> 26); + x124 = (uint32_t)(x122 & UINT32_C(0x3ffffff)); + x125 = (x123 + x108); + x126 = (x125 >> 25); + x127 = (uint32_t)(x125 & UINT32_C(0x1ffffff)); + x128 = (x126 + x107); + x129 = (x128 >> 26); + x130 = (uint32_t)(x128 & UINT32_C(0x3ffffff)); + x131 = (x129 + x106); + x132 = (x131 >> 25); + x133 = (uint32_t)(x131 & UINT32_C(0x1ffffff)); + x134 = (x132 + x105); + x135 = (x134 >> 26); + x136 = (uint32_t)(x134 & UINT32_C(0x3ffffff)); + x137 = (x135 + x104); + x138 = (x137 >> 25); + x139 = (uint32_t)(x137 & UINT32_C(0x1ffffff)); + x140 = (x138 * UINT8_C(0x13)); + x141 = (x103 + x140); + x142 = (uint32_t)(x141 >> 26); + x143 = (uint32_t)(x141 & UINT32_C(0x3ffffff)); + x144 = (x142 + x115); + x145 = (fiat_25519_uint1)(x144 >> 25); + x146 = (x144 & UINT32_C(0x1ffffff)); + x147 = (x145 + x118); out1[0] = x143; out1[1] = x146; out1[2] = x147; @@ -303,135 +486,252 @@ static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], con /* * The function fiat_25519_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] - * Output Bounds: - * out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] */ -static void fiat_25519_carry_square(uint32_t out1[10], const uint32_t arg1[10]) { - uint32_t x1 = ((arg1[9]) * UINT8_C(0x13)); - uint32_t x2 = (x1 * 0x2); - uint32_t x3 = ((arg1[9]) * 0x2); - uint32_t x4 = ((arg1[8]) * UINT8_C(0x13)); - uint64_t x5 = ((uint64_t)x4 * 0x2); - uint32_t x6 = ((arg1[8]) * 0x2); - uint32_t x7 = ((arg1[7]) * UINT8_C(0x13)); - uint32_t x8 = (x7 * 0x2); - uint32_t x9 = ((arg1[7]) * 0x2); - uint32_t x10 = ((arg1[6]) * UINT8_C(0x13)); - uint64_t x11 = ((uint64_t)x10 * 0x2); - uint32_t x12 = ((arg1[6]) * 0x2); - uint32_t x13 = ((arg1[5]) * UINT8_C(0x13)); - uint32_t x14 = ((arg1[5]) * 0x2); - uint32_t x15 = ((arg1[4]) * 0x2); - uint32_t x16 = ((arg1[3]) * 0x2); - uint32_t x17 = ((arg1[2]) * 0x2); - uint32_t x18 = ((arg1[1]) * 0x2); - uint64_t x19 = ((uint64_t)(arg1[9]) * (x1 * 0x2)); - uint64_t x20 = ((uint64_t)(arg1[8]) * x2); - uint64_t x21 = ((uint64_t)(arg1[8]) * x4); - uint64_t x22 = ((arg1[7]) * ((uint64_t)x2 * 0x2)); - uint64_t x23 = ((arg1[7]) * x5); - uint64_t x24 = ((uint64_t)(arg1[7]) * (x7 * 0x2)); - uint64_t x25 = ((uint64_t)(arg1[6]) * x2); - uint64_t x26 = ((arg1[6]) * x5); - uint64_t x27 = ((uint64_t)(arg1[6]) * x8); - uint64_t x28 = ((uint64_t)(arg1[6]) * x10); - uint64_t x29 = ((arg1[5]) * ((uint64_t)x2 * 0x2)); - uint64_t x30 = ((arg1[5]) * x5); - uint64_t x31 = ((arg1[5]) * ((uint64_t)x8 * 0x2)); - uint64_t x32 = ((arg1[5]) * x11); - uint64_t x33 = ((uint64_t)(arg1[5]) * (x13 * 0x2)); - uint64_t x34 = ((uint64_t)(arg1[4]) * x2); - uint64_t x35 = ((arg1[4]) * x5); - uint64_t x36 = ((uint64_t)(arg1[4]) * x8); - uint64_t x37 = ((arg1[4]) * x11); - uint64_t x38 = ((uint64_t)(arg1[4]) * x14); - uint64_t x39 = ((uint64_t)(arg1[4]) * (arg1[4])); - uint64_t x40 = ((arg1[3]) * ((uint64_t)x2 * 0x2)); - uint64_t x41 = ((arg1[3]) * x5); - uint64_t x42 = ((arg1[3]) * ((uint64_t)x8 * 0x2)); - uint64_t x43 = ((uint64_t)(arg1[3]) * x12); - uint64_t x44 = ((uint64_t)(arg1[3]) * (x14 * 0x2)); - uint64_t x45 = ((uint64_t)(arg1[3]) * x15); - uint64_t x46 = ((uint64_t)(arg1[3]) * ((arg1[3]) * 0x2)); - uint64_t x47 = ((uint64_t)(arg1[2]) * x2); - uint64_t x48 = ((arg1[2]) * x5); - uint64_t x49 = ((uint64_t)(arg1[2]) * x9); - uint64_t x50 = ((uint64_t)(arg1[2]) * x12); - uint64_t x51 = ((uint64_t)(arg1[2]) * x14); - uint64_t x52 = ((uint64_t)(arg1[2]) * x15); - uint64_t x53 = ((uint64_t)(arg1[2]) * x16); - uint64_t x54 = ((uint64_t)(arg1[2]) * (arg1[2])); - uint64_t x55 = ((arg1[1]) * ((uint64_t)x2 * 0x2)); - uint64_t x56 = ((uint64_t)(arg1[1]) * x6); - uint64_t x57 = ((uint64_t)(arg1[1]) * (x9 * 0x2)); - uint64_t x58 = ((uint64_t)(arg1[1]) * x12); - uint64_t x59 = ((uint64_t)(arg1[1]) * (x14 * 0x2)); - uint64_t x60 = ((uint64_t)(arg1[1]) * x15); - uint64_t x61 = ((uint64_t)(arg1[1]) * (x16 * 0x2)); - uint64_t x62 = ((uint64_t)(arg1[1]) * x17); - uint64_t x63 = ((uint64_t)(arg1[1]) * ((arg1[1]) * 0x2)); - uint64_t x64 = ((uint64_t)(arg1[0]) * x3); - uint64_t x65 = ((uint64_t)(arg1[0]) * x6); - uint64_t x66 = ((uint64_t)(arg1[0]) * x9); - uint64_t x67 = ((uint64_t)(arg1[0]) * x12); - uint64_t x68 = ((uint64_t)(arg1[0]) * x14); - uint64_t x69 = ((uint64_t)(arg1[0]) * x15); - uint64_t x70 = ((uint64_t)(arg1[0]) * x16); - uint64_t x71 = ((uint64_t)(arg1[0]) * x17); - uint64_t x72 = ((uint64_t)(arg1[0]) * x18); - uint64_t x73 = ((uint64_t)(arg1[0]) * (arg1[0])); - uint64_t x74 = (x73 + (x55 + (x48 + (x42 + (x37 + x33))))); - uint64_t x75 = (x74 >> 26); - uint32_t x76 = (uint32_t)(x74 & UINT32_C(0x3ffffff)); - uint64_t x77 = (x64 + (x56 + (x49 + (x43 + x38)))); - uint64_t x78 = (x65 + (x57 + (x50 + (x44 + (x39 + x19))))); - uint64_t x79 = (x66 + (x58 + (x51 + (x45 + x20)))); - uint64_t x80 = (x67 + (x59 + (x52 + (x46 + (x22 + x21))))); - uint64_t x81 = (x68 + (x60 + (x53 + (x25 + x23)))); - uint64_t x82 = (x69 + (x61 + (x54 + (x29 + (x26 + x24))))); - uint64_t x83 = (x70 + (x62 + (x34 + (x30 + x27)))); - uint64_t x84 = (x71 + (x63 + (x40 + (x35 + (x31 + x28))))); - uint64_t x85 = (x72 + (x47 + (x41 + (x36 + x32)))); - uint64_t x86 = (x75 + x85); - uint64_t x87 = (x86 >> 25); - uint32_t x88 = (uint32_t)(x86 & UINT32_C(0x1ffffff)); - uint64_t x89 = (x87 + x84); - uint64_t x90 = (x89 >> 26); - uint32_t x91 = (uint32_t)(x89 & UINT32_C(0x3ffffff)); - uint64_t x92 = (x90 + x83); - uint64_t x93 = (x92 >> 25); - uint32_t x94 = (uint32_t)(x92 & UINT32_C(0x1ffffff)); - uint64_t x95 = (x93 + x82); - uint64_t x96 = (x95 >> 26); - uint32_t x97 = (uint32_t)(x95 & UINT32_C(0x3ffffff)); - uint64_t x98 = (x96 + x81); - uint64_t x99 = (x98 >> 25); - uint32_t x100 = (uint32_t)(x98 & UINT32_C(0x1ffffff)); - uint64_t x101 = (x99 + x80); - uint64_t x102 = (x101 >> 26); - uint32_t x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff)); - uint64_t x104 = (x102 + x79); - uint64_t x105 = (x104 >> 25); - uint32_t x106 = (uint32_t)(x104 & UINT32_C(0x1ffffff)); - uint64_t x107 = (x105 + x78); - uint64_t x108 = (x107 >> 26); - uint32_t x109 = (uint32_t)(x107 & UINT32_C(0x3ffffff)); - uint64_t x110 = (x108 + x77); - uint64_t x111 = (x110 >> 25); - uint32_t x112 = (uint32_t)(x110 & UINT32_C(0x1ffffff)); - uint64_t x113 = (x111 * UINT8_C(0x13)); - uint64_t x114 = (x76 + x113); - uint32_t x115 = (uint32_t)(x114 >> 26); - uint32_t x116 = (uint32_t)(x114 & UINT32_C(0x3ffffff)); - uint32_t x117 = (x115 + x88); - fiat_25519_uint1 x118 = (fiat_25519_uint1)(x117 >> 25); - uint32_t x119 = (x117 & UINT32_C(0x1ffffff)); - uint32_t x120 = (x118 + x91); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint64_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + uint64_t x11; + uint32_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint32_t x16; + uint32_t x17; + uint32_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint64_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; + uint64_t x72; + uint64_t x73; + uint64_t x74; + uint64_t x75; + uint32_t x76; + uint64_t x77; + uint64_t x78; + uint64_t x79; + uint64_t x80; + uint64_t x81; + uint64_t x82; + uint64_t x83; + uint64_t x84; + uint64_t x85; + uint64_t x86; + uint64_t x87; + uint32_t x88; + uint64_t x89; + uint64_t x90; + uint32_t x91; + uint64_t x92; + uint64_t x93; + uint32_t x94; + uint64_t x95; + uint64_t x96; + uint32_t x97; + uint64_t x98; + uint64_t x99; + uint32_t x100; + uint64_t x101; + uint64_t x102; + uint32_t x103; + uint64_t x104; + uint64_t x105; + uint32_t x106; + uint64_t x107; + uint64_t x108; + uint32_t x109; + uint64_t x110; + uint64_t x111; + uint32_t x112; + uint64_t x113; + uint64_t x114; + uint32_t x115; + uint32_t x116; + uint32_t x117; + fiat_25519_uint1 x118; + uint32_t x119; + uint32_t x120; + x1 = ((arg1[9]) * UINT8_C(0x13)); + x2 = (x1 * 0x2); + x3 = ((arg1[9]) * 0x2); + x4 = ((arg1[8]) * UINT8_C(0x13)); + x5 = ((uint64_t)x4 * 0x2); + x6 = ((arg1[8]) * 0x2); + x7 = ((arg1[7]) * UINT8_C(0x13)); + x8 = (x7 * 0x2); + x9 = ((arg1[7]) * 0x2); + x10 = ((arg1[6]) * UINT8_C(0x13)); + x11 = ((uint64_t)x10 * 0x2); + x12 = ((arg1[6]) * 0x2); + x13 = ((arg1[5]) * UINT8_C(0x13)); + x14 = ((arg1[5]) * 0x2); + x15 = ((arg1[4]) * 0x2); + x16 = ((arg1[3]) * 0x2); + x17 = ((arg1[2]) * 0x2); + x18 = ((arg1[1]) * 0x2); + x19 = ((uint64_t)(arg1[9]) * (x1 * 0x2)); + x20 = ((uint64_t)(arg1[8]) * x2); + x21 = ((uint64_t)(arg1[8]) * x4); + x22 = ((arg1[7]) * ((uint64_t)x2 * 0x2)); + x23 = ((arg1[7]) * x5); + x24 = ((uint64_t)(arg1[7]) * (x7 * 0x2)); + x25 = ((uint64_t)(arg1[6]) * x2); + x26 = ((arg1[6]) * x5); + x27 = ((uint64_t)(arg1[6]) * x8); + x28 = ((uint64_t)(arg1[6]) * x10); + x29 = ((arg1[5]) * ((uint64_t)x2 * 0x2)); + x30 = ((arg1[5]) * x5); + x31 = ((arg1[5]) * ((uint64_t)x8 * 0x2)); + x32 = ((arg1[5]) * x11); + x33 = ((uint64_t)(arg1[5]) * (x13 * 0x2)); + x34 = ((uint64_t)(arg1[4]) * x2); + x35 = ((arg1[4]) * x5); + x36 = ((uint64_t)(arg1[4]) * x8); + x37 = ((arg1[4]) * x11); + x38 = ((uint64_t)(arg1[4]) * x14); + x39 = ((uint64_t)(arg1[4]) * (arg1[4])); + x40 = ((arg1[3]) * ((uint64_t)x2 * 0x2)); + x41 = ((arg1[3]) * x5); + x42 = ((arg1[3]) * ((uint64_t)x8 * 0x2)); + x43 = ((uint64_t)(arg1[3]) * x12); + x44 = ((uint64_t)(arg1[3]) * (x14 * 0x2)); + x45 = ((uint64_t)(arg1[3]) * x15); + x46 = ((uint64_t)(arg1[3]) * ((arg1[3]) * 0x2)); + x47 = ((uint64_t)(arg1[2]) * x2); + x48 = ((arg1[2]) * x5); + x49 = ((uint64_t)(arg1[2]) * x9); + x50 = ((uint64_t)(arg1[2]) * x12); + x51 = ((uint64_t)(arg1[2]) * x14); + x52 = ((uint64_t)(arg1[2]) * x15); + x53 = ((uint64_t)(arg1[2]) * x16); + x54 = ((uint64_t)(arg1[2]) * (arg1[2])); + x55 = ((arg1[1]) * ((uint64_t)x2 * 0x2)); + x56 = ((uint64_t)(arg1[1]) * x6); + x57 = ((uint64_t)(arg1[1]) * (x9 * 0x2)); + x58 = ((uint64_t)(arg1[1]) * x12); + x59 = ((uint64_t)(arg1[1]) * (x14 * 0x2)); + x60 = ((uint64_t)(arg1[1]) * x15); + x61 = ((uint64_t)(arg1[1]) * (x16 * 0x2)); + x62 = ((uint64_t)(arg1[1]) * x17); + x63 = ((uint64_t)(arg1[1]) * ((arg1[1]) * 0x2)); + x64 = ((uint64_t)(arg1[0]) * x3); + x65 = ((uint64_t)(arg1[0]) * x6); + x66 = ((uint64_t)(arg1[0]) * x9); + x67 = ((uint64_t)(arg1[0]) * x12); + x68 = ((uint64_t)(arg1[0]) * x14); + x69 = ((uint64_t)(arg1[0]) * x15); + x70 = ((uint64_t)(arg1[0]) * x16); + x71 = ((uint64_t)(arg1[0]) * x17); + x72 = ((uint64_t)(arg1[0]) * x18); + x73 = ((uint64_t)(arg1[0]) * (arg1[0])); + x74 = (x73 + (x55 + (x48 + (x42 + (x37 + x33))))); + x75 = (x74 >> 26); + x76 = (uint32_t)(x74 & UINT32_C(0x3ffffff)); + x77 = (x64 + (x56 + (x49 + (x43 + x38)))); + x78 = (x65 + (x57 + (x50 + (x44 + (x39 + x19))))); + x79 = (x66 + (x58 + (x51 + (x45 + x20)))); + x80 = (x67 + (x59 + (x52 + (x46 + (x22 + x21))))); + x81 = (x68 + (x60 + (x53 + (x25 + x23)))); + x82 = (x69 + (x61 + (x54 + (x29 + (x26 + x24))))); + x83 = (x70 + (x62 + (x34 + (x30 + x27)))); + x84 = (x71 + (x63 + (x40 + (x35 + (x31 + x28))))); + x85 = (x72 + (x47 + (x41 + (x36 + x32)))); + x86 = (x75 + x85); + x87 = (x86 >> 25); + x88 = (uint32_t)(x86 & UINT32_C(0x1ffffff)); + x89 = (x87 + x84); + x90 = (x89 >> 26); + x91 = (uint32_t)(x89 & UINT32_C(0x3ffffff)); + x92 = (x90 + x83); + x93 = (x92 >> 25); + x94 = (uint32_t)(x92 & UINT32_C(0x1ffffff)); + x95 = (x93 + x82); + x96 = (x95 >> 26); + x97 = (uint32_t)(x95 & UINT32_C(0x3ffffff)); + x98 = (x96 + x81); + x99 = (x98 >> 25); + x100 = (uint32_t)(x98 & UINT32_C(0x1ffffff)); + x101 = (x99 + x80); + x102 = (x101 >> 26); + x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff)); + x104 = (x102 + x79); + x105 = (x104 >> 25); + x106 = (uint32_t)(x104 & UINT32_C(0x1ffffff)); + x107 = (x105 + x78); + x108 = (x107 >> 26); + x109 = (uint32_t)(x107 & UINT32_C(0x3ffffff)); + x110 = (x108 + x77); + x111 = (x110 >> 25); + x112 = (uint32_t)(x110 & UINT32_C(0x1ffffff)); + x113 = (x111 * UINT8_C(0x13)); + x114 = (x76 + x113); + x115 = (uint32_t)(x114 >> 26); + x116 = (uint32_t)(x114 & UINT32_C(0x3ffffff)); + x117 = (x115 + x88); + x118 = (fiat_25519_uint1)(x117 >> 25); + x119 = (x117 & UINT32_C(0x1ffffff)); + x120 = (x118 + x91); out1[0] = x116; out1[1] = x119; out1[2] = x120; @@ -446,37 +746,56 @@ static void fiat_25519_carry_square(uint32_t out1[10], const uint32_t arg1[10]) /* * The function fiat_25519_carry reduces a field element. + * * Postconditions: * eval out1 mod m = eval arg1 mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] - * Output Bounds: - * out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] */ -static void fiat_25519_carry(uint32_t out1[10], const uint32_t arg1[10]) { - uint32_t x1 = (arg1[0]); - uint32_t x2 = ((x1 >> 26) + (arg1[1])); - uint32_t x3 = ((x2 >> 25) + (arg1[2])); - uint32_t x4 = ((x3 >> 26) + (arg1[3])); - uint32_t x5 = ((x4 >> 25) + (arg1[4])); - uint32_t x6 = ((x5 >> 26) + (arg1[5])); - uint32_t x7 = ((x6 >> 25) + (arg1[6])); - uint32_t x8 = ((x7 >> 26) + (arg1[7])); - uint32_t x9 = ((x8 >> 25) + (arg1[8])); - uint32_t x10 = ((x9 >> 26) + (arg1[9])); - uint32_t x11 = ((x1 & UINT32_C(0x3ffffff)) + ((x10 >> 25) * UINT8_C(0x13))); - uint32_t x12 = ((fiat_25519_uint1)(x11 >> 26) + (x2 & UINT32_C(0x1ffffff))); - uint32_t x13 = (x11 & UINT32_C(0x3ffffff)); - uint32_t x14 = (x12 & UINT32_C(0x1ffffff)); - uint32_t x15 = ((fiat_25519_uint1)(x12 >> 25) + (x3 & UINT32_C(0x3ffffff))); - uint32_t x16 = (x4 & UINT32_C(0x1ffffff)); - uint32_t x17 = (x5 & UINT32_C(0x3ffffff)); - uint32_t x18 = (x6 & UINT32_C(0x1ffffff)); - uint32_t x19 = (x7 & UINT32_C(0x3ffffff)); - uint32_t x20 = (x8 & UINT32_C(0x1ffffff)); - uint32_t x21 = (x9 & UINT32_C(0x3ffffff)); - uint32_t x22 = (x10 & UINT32_C(0x1ffffff)); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + uint32_t x11; + uint32_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint32_t x16; + uint32_t x17; + uint32_t x18; + uint32_t x19; + uint32_t x20; + uint32_t x21; + uint32_t x22; + x1 = (arg1[0]); + x2 = ((x1 >> 26) + (arg1[1])); + x3 = ((x2 >> 25) + (arg1[2])); + x4 = ((x3 >> 26) + (arg1[3])); + x5 = ((x4 >> 25) + (arg1[4])); + x6 = ((x5 >> 26) + (arg1[5])); + x7 = ((x6 >> 25) + (arg1[6])); + x8 = ((x7 >> 26) + (arg1[7])); + x9 = ((x8 >> 25) + (arg1[8])); + x10 = ((x9 >> 26) + (arg1[9])); + x11 = ((x1 & UINT32_C(0x3ffffff)) + ((x10 >> 25) * UINT8_C(0x13))); + x12 = ((fiat_25519_uint1)(x11 >> 26) + (x2 & UINT32_C(0x1ffffff))); + x13 = (x11 & UINT32_C(0x3ffffff)); + x14 = (x12 & UINT32_C(0x1ffffff)); + x15 = ((fiat_25519_uint1)(x12 >> 25) + (x3 & UINT32_C(0x3ffffff))); + x16 = (x4 & UINT32_C(0x1ffffff)); + x17 = (x5 & UINT32_C(0x3ffffff)); + x18 = (x6 & UINT32_C(0x1ffffff)); + x19 = (x7 & UINT32_C(0x3ffffff)); + x20 = (x8 & UINT32_C(0x1ffffff)); + x21 = (x9 & UINT32_C(0x3ffffff)); + x22 = (x10 & UINT32_C(0x1ffffff)); out1[0] = x13; out1[1] = x14; out1[2] = x15; @@ -491,26 +810,32 @@ static void fiat_25519_carry(uint32_t out1[10], const uint32_t arg1[10]) { /* * The function fiat_25519_add adds two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 + eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] - * arg2: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] - * Output Bounds: - * out1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] */ -static void fiat_25519_add(uint32_t out1[10], const uint32_t arg1[10], const uint32_t arg2[10]) { - uint32_t x1 = ((arg1[0]) + (arg2[0])); - uint32_t x2 = ((arg1[1]) + (arg2[1])); - uint32_t x3 = ((arg1[2]) + (arg2[2])); - uint32_t x4 = ((arg1[3]) + (arg2[3])); - uint32_t x5 = ((arg1[4]) + (arg2[4])); - uint32_t x6 = ((arg1[5]) + (arg2[5])); - uint32_t x7 = ((arg1[6]) + (arg2[6])); - uint32_t x8 = ((arg1[7]) + (arg2[7])); - uint32_t x9 = ((arg1[8]) + (arg2[8])); - uint32_t x10 = ((arg1[9]) + (arg2[9])); +static FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + x1 = ((arg1[0]) + (arg2[0])); + x2 = ((arg1[1]) + (arg2[1])); + x3 = ((arg1[2]) + (arg2[2])); + x4 = ((arg1[3]) + (arg2[3])); + x5 = ((arg1[4]) + (arg2[4])); + x6 = ((arg1[5]) + (arg2[5])); + x7 = ((arg1[6]) + (arg2[6])); + x8 = ((arg1[7]) + (arg2[7])); + x9 = ((arg1[8]) + (arg2[8])); + x10 = ((arg1[9]) + (arg2[9])); out1[0] = x1; out1[1] = x2; out1[2] = x3; @@ -525,26 +850,32 @@ static void fiat_25519_add(uint32_t out1[10], const uint32_t arg1[10], const uin /* * The function fiat_25519_sub subtracts two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 - eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] - * arg2: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] - * Output Bounds: - * out1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] */ -static void fiat_25519_sub(uint32_t out1[10], const uint32_t arg1[10], const uint32_t arg2[10]) { - uint32_t x1 = ((UINT32_C(0x7ffffda) + (arg1[0])) - (arg2[0])); - uint32_t x2 = ((UINT32_C(0x3fffffe) + (arg1[1])) - (arg2[1])); - uint32_t x3 = ((UINT32_C(0x7fffffe) + (arg1[2])) - (arg2[2])); - uint32_t x4 = ((UINT32_C(0x3fffffe) + (arg1[3])) - (arg2[3])); - uint32_t x5 = ((UINT32_C(0x7fffffe) + (arg1[4])) - (arg2[4])); - uint32_t x6 = ((UINT32_C(0x3fffffe) + (arg1[5])) - (arg2[5])); - uint32_t x7 = ((UINT32_C(0x7fffffe) + (arg1[6])) - (arg2[6])); - uint32_t x8 = ((UINT32_C(0x3fffffe) + (arg1[7])) - (arg2[7])); - uint32_t x9 = ((UINT32_C(0x7fffffe) + (arg1[8])) - (arg2[8])); - uint32_t x10 = ((UINT32_C(0x3fffffe) + (arg1[9])) - (arg2[9])); +static FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + x1 = ((UINT32_C(0x7ffffda) + (arg1[0])) - (arg2[0])); + x2 = ((UINT32_C(0x3fffffe) + (arg1[1])) - (arg2[1])); + x3 = ((UINT32_C(0x7fffffe) + (arg1[2])) - (arg2[2])); + x4 = ((UINT32_C(0x3fffffe) + (arg1[3])) - (arg2[3])); + x5 = ((UINT32_C(0x7fffffe) + (arg1[4])) - (arg2[4])); + x6 = ((UINT32_C(0x3fffffe) + (arg1[5])) - (arg2[5])); + x7 = ((UINT32_C(0x7fffffe) + (arg1[6])) - (arg2[6])); + x8 = ((UINT32_C(0x3fffffe) + (arg1[7])) - (arg2[7])); + x9 = ((UINT32_C(0x7fffffe) + (arg1[8])) - (arg2[8])); + x10 = ((UINT32_C(0x3fffffe) + (arg1[9])) - (arg2[9])); out1[0] = x1; out1[1] = x2; out1[2] = x3; @@ -559,25 +890,32 @@ static void fiat_25519_sub(uint32_t out1[10], const uint32_t arg1[10], const uin /* * The function fiat_25519_opp negates a field element. + * * Postconditions: * eval out1 mod m = -eval arg1 mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] - * Output Bounds: - * out1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] */ -static void fiat_25519_opp(uint32_t out1[10], const uint32_t arg1[10]) { - uint32_t x1 = (UINT32_C(0x7ffffda) - (arg1[0])); - uint32_t x2 = (UINT32_C(0x3fffffe) - (arg1[1])); - uint32_t x3 = (UINT32_C(0x7fffffe) - (arg1[2])); - uint32_t x4 = (UINT32_C(0x3fffffe) - (arg1[3])); - uint32_t x5 = (UINT32_C(0x7fffffe) - (arg1[4])); - uint32_t x6 = (UINT32_C(0x3fffffe) - (arg1[5])); - uint32_t x7 = (UINT32_C(0x7fffffe) - (arg1[6])); - uint32_t x8 = (UINT32_C(0x3fffffe) - (arg1[7])); - uint32_t x9 = (UINT32_C(0x7fffffe) - (arg1[8])); - uint32_t x10 = (UINT32_C(0x3fffffe) - (arg1[9])); +static FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + x1 = (UINT32_C(0x7ffffda) - (arg1[0])); + x2 = (UINT32_C(0x3fffffe) - (arg1[1])); + x3 = (UINT32_C(0x7fffffe) - (arg1[2])); + x4 = (UINT32_C(0x3fffffe) - (arg1[3])); + x5 = (UINT32_C(0x7fffffe) - (arg1[4])); + x6 = (UINT32_C(0x3fffffe) - (arg1[5])); + x7 = (UINT32_C(0x7fffffe) - (arg1[6])); + x8 = (UINT32_C(0x3fffffe) - (arg1[7])); + x9 = (UINT32_C(0x7fffffe) - (arg1[8])); + x10 = (UINT32_C(0x3fffffe) - (arg1[9])); out1[0] = x1; out1[1] = x2; out1[2] = x3; @@ -592,6 +930,7 @@ static void fiat_25519_opp(uint32_t out1[10], const uint32_t arg1[10]) { /* * The function fiat_25519_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -602,26 +941,26 @@ static void fiat_25519_opp(uint32_t out1[10], const uint32_t arg1[10]) { * Output Bounds: * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_25519_selectznz(uint32_t out1[10], fiat_25519_uint1 arg1, const uint32_t arg2[10], const uint32_t arg3[10]) { +static FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint32_t out1[10], fiat_25519_uint1 arg1, const uint32_t arg2[10], const uint32_t arg3[10]) { uint32_t x1; - fiat_25519_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); uint32_t x2; - fiat_25519_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); uint32_t x3; - fiat_25519_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); uint32_t x4; - fiat_25519_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); uint32_t x5; - fiat_25519_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); uint32_t x6; - fiat_25519_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); uint32_t x7; - fiat_25519_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); uint32_t x8; - fiat_25519_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); uint32_t x9; - fiat_25519_cmovznz_u32(&x9, arg1, (arg2[8]), (arg3[8])); uint32_t x10; + fiat_25519_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_25519_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_25519_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); + fiat_25519_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); + fiat_25519_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); + fiat_25519_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); + fiat_25519_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); + fiat_25519_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); + fiat_25519_cmovznz_u32(&x9, arg1, (arg2[8]), (arg3[8])); fiat_25519_cmovznz_u32(&x10, arg1, (arg2[9]), (arg3[9])); out1[0] = x1; out1[1] = x2; @@ -637,336 +976,582 @@ static void fiat_25519_selectznz(uint32_t out1[10], fiat_25519_uint1 arg1, const /* * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. + * * Postconditions: * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * - * Input Bounds: - * arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] */ -static void fiat_25519_to_bytes(uint8_t out1[32], const uint32_t arg1[10]) { +static FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) { uint32_t x1; fiat_25519_uint1 x2; - fiat_25519_subborrowx_u26(&x1, &x2, 0x0, (arg1[0]), UINT32_C(0x3ffffed)); uint32_t x3; fiat_25519_uint1 x4; - fiat_25519_subborrowx_u25(&x3, &x4, x2, (arg1[1]), UINT32_C(0x1ffffff)); uint32_t x5; fiat_25519_uint1 x6; - fiat_25519_subborrowx_u26(&x5, &x6, x4, (arg1[2]), UINT32_C(0x3ffffff)); uint32_t x7; fiat_25519_uint1 x8; - fiat_25519_subborrowx_u25(&x7, &x8, x6, (arg1[3]), UINT32_C(0x1ffffff)); uint32_t x9; fiat_25519_uint1 x10; - fiat_25519_subborrowx_u26(&x9, &x10, x8, (arg1[4]), UINT32_C(0x3ffffff)); uint32_t x11; fiat_25519_uint1 x12; - fiat_25519_subborrowx_u25(&x11, &x12, x10, (arg1[5]), UINT32_C(0x1ffffff)); uint32_t x13; fiat_25519_uint1 x14; - fiat_25519_subborrowx_u26(&x13, &x14, x12, (arg1[6]), UINT32_C(0x3ffffff)); uint32_t x15; fiat_25519_uint1 x16; - fiat_25519_subborrowx_u25(&x15, &x16, x14, (arg1[7]), UINT32_C(0x1ffffff)); uint32_t x17; fiat_25519_uint1 x18; - fiat_25519_subborrowx_u26(&x17, &x18, x16, (arg1[8]), UINT32_C(0x3ffffff)); uint32_t x19; fiat_25519_uint1 x20; - fiat_25519_subborrowx_u25(&x19, &x20, x18, (arg1[9]), UINT32_C(0x1ffffff)); uint32_t x21; - fiat_25519_cmovznz_u32(&x21, x20, 0x0, UINT32_C(0xffffffff)); uint32_t x22; fiat_25519_uint1 x23; - fiat_25519_addcarryx_u26(&x22, &x23, 0x0, x1, (x21 & UINT32_C(0x3ffffed))); uint32_t x24; fiat_25519_uint1 x25; - fiat_25519_addcarryx_u25(&x24, &x25, x23, x3, (x21 & UINT32_C(0x1ffffff))); uint32_t x26; fiat_25519_uint1 x27; - fiat_25519_addcarryx_u26(&x26, &x27, x25, x5, (x21 & UINT32_C(0x3ffffff))); uint32_t x28; fiat_25519_uint1 x29; - fiat_25519_addcarryx_u25(&x28, &x29, x27, x7, (x21 & UINT32_C(0x1ffffff))); uint32_t x30; fiat_25519_uint1 x31; - fiat_25519_addcarryx_u26(&x30, &x31, x29, x9, (x21 & UINT32_C(0x3ffffff))); uint32_t x32; fiat_25519_uint1 x33; - fiat_25519_addcarryx_u25(&x32, &x33, x31, x11, (x21 & UINT32_C(0x1ffffff))); uint32_t x34; fiat_25519_uint1 x35; - fiat_25519_addcarryx_u26(&x34, &x35, x33, x13, (x21 & UINT32_C(0x3ffffff))); uint32_t x36; fiat_25519_uint1 x37; - fiat_25519_addcarryx_u25(&x36, &x37, x35, x15, (x21 & UINT32_C(0x1ffffff))); uint32_t x38; fiat_25519_uint1 x39; - fiat_25519_addcarryx_u26(&x38, &x39, x37, x17, (x21 & UINT32_C(0x3ffffff))); uint32_t x40; fiat_25519_uint1 x41; + uint32_t x42; + uint32_t x43; + uint32_t x44; + uint32_t x45; + uint32_t x46; + uint32_t x47; + uint32_t x48; + uint32_t x49; + uint8_t x50; + uint32_t x51; + uint8_t x52; + uint32_t x53; + uint8_t x54; + uint8_t x55; + uint32_t x56; + uint8_t x57; + uint32_t x58; + uint8_t x59; + uint32_t x60; + uint8_t x61; + uint8_t x62; + uint32_t x63; + uint8_t x64; + uint32_t x65; + uint8_t x66; + uint32_t x67; + uint8_t x68; + uint8_t x69; + uint32_t x70; + uint8_t x71; + uint32_t x72; + uint8_t x73; + uint32_t x74; + uint8_t x75; + uint8_t x76; + uint32_t x77; + uint8_t x78; + uint32_t x79; + uint8_t x80; + uint32_t x81; + uint8_t x82; + uint8_t x83; + uint8_t x84; + uint32_t x85; + uint8_t x86; + uint32_t x87; + uint8_t x88; + fiat_25519_uint1 x89; + uint32_t x90; + uint8_t x91; + uint32_t x92; + uint8_t x93; + uint32_t x94; + uint8_t x95; + uint8_t x96; + uint32_t x97; + uint8_t x98; + uint32_t x99; + uint8_t x100; + uint32_t x101; + uint8_t x102; + uint8_t x103; + uint32_t x104; + uint8_t x105; + uint32_t x106; + uint8_t x107; + uint32_t x108; + uint8_t x109; + uint8_t x110; + uint32_t x111; + uint8_t x112; + uint32_t x113; + uint8_t x114; + uint32_t x115; + uint8_t x116; + uint8_t x117; + fiat_25519_subborrowx_u26(&x1, &x2, 0x0, (arg1[0]), UINT32_C(0x3ffffed)); + fiat_25519_subborrowx_u25(&x3, &x4, x2, (arg1[1]), UINT32_C(0x1ffffff)); + fiat_25519_subborrowx_u26(&x5, &x6, x4, (arg1[2]), UINT32_C(0x3ffffff)); + fiat_25519_subborrowx_u25(&x7, &x8, x6, (arg1[3]), UINT32_C(0x1ffffff)); + fiat_25519_subborrowx_u26(&x9, &x10, x8, (arg1[4]), UINT32_C(0x3ffffff)); + fiat_25519_subborrowx_u25(&x11, &x12, x10, (arg1[5]), UINT32_C(0x1ffffff)); + fiat_25519_subborrowx_u26(&x13, &x14, x12, (arg1[6]), UINT32_C(0x3ffffff)); + fiat_25519_subborrowx_u25(&x15, &x16, x14, (arg1[7]), UINT32_C(0x1ffffff)); + fiat_25519_subborrowx_u26(&x17, &x18, x16, (arg1[8]), UINT32_C(0x3ffffff)); + fiat_25519_subborrowx_u25(&x19, &x20, x18, (arg1[9]), UINT32_C(0x1ffffff)); + fiat_25519_cmovznz_u32(&x21, x20, 0x0, UINT32_C(0xffffffff)); + fiat_25519_addcarryx_u26(&x22, &x23, 0x0, x1, (x21 & UINT32_C(0x3ffffed))); + fiat_25519_addcarryx_u25(&x24, &x25, x23, x3, (x21 & UINT32_C(0x1ffffff))); + fiat_25519_addcarryx_u26(&x26, &x27, x25, x5, (x21 & UINT32_C(0x3ffffff))); + fiat_25519_addcarryx_u25(&x28, &x29, x27, x7, (x21 & UINT32_C(0x1ffffff))); + fiat_25519_addcarryx_u26(&x30, &x31, x29, x9, (x21 & UINT32_C(0x3ffffff))); + fiat_25519_addcarryx_u25(&x32, &x33, x31, x11, (x21 & UINT32_C(0x1ffffff))); + fiat_25519_addcarryx_u26(&x34, &x35, x33, x13, (x21 & UINT32_C(0x3ffffff))); + fiat_25519_addcarryx_u25(&x36, &x37, x35, x15, (x21 & UINT32_C(0x1ffffff))); + fiat_25519_addcarryx_u26(&x38, &x39, x37, x17, (x21 & UINT32_C(0x3ffffff))); fiat_25519_addcarryx_u25(&x40, &x41, x39, x19, (x21 & UINT32_C(0x1ffffff))); - uint32_t x42 = (x40 << 6); - uint32_t x43 = (x38 << 4); - uint32_t x44 = (x36 << 3); - uint32_t x45 = (x34 * (uint32_t)0x2); - uint32_t x46 = (x30 << 6); - uint32_t x47 = (x28 << 5); - uint32_t x48 = (x26 << 3); - uint32_t x49 = (x24 << 2); - uint32_t x50 = (x22 >> 8); - uint8_t x51 = (uint8_t)(x22 & UINT8_C(0xff)); - uint32_t x52 = (x50 >> 8); - uint8_t x53 = (uint8_t)(x50 & UINT8_C(0xff)); - uint8_t x54 = (uint8_t)(x52 >> 8); - uint8_t x55 = (uint8_t)(x52 & UINT8_C(0xff)); - uint32_t x56 = (x54 + x49); - uint32_t x57 = (x56 >> 8); - uint8_t x58 = (uint8_t)(x56 & UINT8_C(0xff)); - uint32_t x59 = (x57 >> 8); - uint8_t x60 = (uint8_t)(x57 & UINT8_C(0xff)); - uint8_t x61 = (uint8_t)(x59 >> 8); - uint8_t x62 = (uint8_t)(x59 & UINT8_C(0xff)); - uint32_t x63 = (x61 + x48); - uint32_t x64 = (x63 >> 8); - uint8_t x65 = (uint8_t)(x63 & UINT8_C(0xff)); - uint32_t x66 = (x64 >> 8); - uint8_t x67 = (uint8_t)(x64 & UINT8_C(0xff)); - uint8_t x68 = (uint8_t)(x66 >> 8); - uint8_t x69 = (uint8_t)(x66 & UINT8_C(0xff)); - uint32_t x70 = (x68 + x47); - uint32_t x71 = (x70 >> 8); - uint8_t x72 = (uint8_t)(x70 & UINT8_C(0xff)); - uint32_t x73 = (x71 >> 8); - uint8_t x74 = (uint8_t)(x71 & UINT8_C(0xff)); - uint8_t x75 = (uint8_t)(x73 >> 8); - uint8_t x76 = (uint8_t)(x73 & UINT8_C(0xff)); - uint32_t x77 = (x75 + x46); - uint32_t x78 = (x77 >> 8); - uint8_t x79 = (uint8_t)(x77 & UINT8_C(0xff)); - uint32_t x80 = (x78 >> 8); - uint8_t x81 = (uint8_t)(x78 & UINT8_C(0xff)); - uint8_t x82 = (uint8_t)(x80 >> 8); - uint8_t x83 = (uint8_t)(x80 & UINT8_C(0xff)); - uint8_t x84 = (uint8_t)(x82 & UINT8_C(0xff)); - uint32_t x85 = (x32 >> 8); - uint8_t x86 = (uint8_t)(x32 & UINT8_C(0xff)); - uint32_t x87 = (x85 >> 8); - uint8_t x88 = (uint8_t)(x85 & UINT8_C(0xff)); - fiat_25519_uint1 x89 = (fiat_25519_uint1)(x87 >> 8); - uint8_t x90 = (uint8_t)(x87 & UINT8_C(0xff)); - uint32_t x91 = (x89 + x45); - uint32_t x92 = (x91 >> 8); - uint8_t x93 = (uint8_t)(x91 & UINT8_C(0xff)); - uint32_t x94 = (x92 >> 8); - uint8_t x95 = (uint8_t)(x92 & UINT8_C(0xff)); - uint8_t x96 = (uint8_t)(x94 >> 8); - uint8_t x97 = (uint8_t)(x94 & UINT8_C(0xff)); - uint32_t x98 = (x96 + x44); - uint32_t x99 = (x98 >> 8); - uint8_t x100 = (uint8_t)(x98 & UINT8_C(0xff)); - uint32_t x101 = (x99 >> 8); - uint8_t x102 = (uint8_t)(x99 & UINT8_C(0xff)); - uint8_t x103 = (uint8_t)(x101 >> 8); - uint8_t x104 = (uint8_t)(x101 & UINT8_C(0xff)); - uint32_t x105 = (x103 + x43); - uint32_t x106 = (x105 >> 8); - uint8_t x107 = (uint8_t)(x105 & UINT8_C(0xff)); - uint32_t x108 = (x106 >> 8); - uint8_t x109 = (uint8_t)(x106 & UINT8_C(0xff)); - uint8_t x110 = (uint8_t)(x108 >> 8); - uint8_t x111 = (uint8_t)(x108 & UINT8_C(0xff)); - uint32_t x112 = (x110 + x42); - uint32_t x113 = (x112 >> 8); - uint8_t x114 = (uint8_t)(x112 & UINT8_C(0xff)); - uint32_t x115 = (x113 >> 8); - uint8_t x116 = (uint8_t)(x113 & UINT8_C(0xff)); - uint8_t x117 = (uint8_t)(x115 >> 8); - uint8_t x118 = (uint8_t)(x115 & UINT8_C(0xff)); - out1[0] = x51; - out1[1] = x53; - out1[2] = x55; - out1[3] = x58; - out1[4] = x60; - out1[5] = x62; - out1[6] = x65; - out1[7] = x67; - out1[8] = x69; - out1[9] = x72; - out1[10] = x74; - out1[11] = x76; - out1[12] = x79; - out1[13] = x81; - out1[14] = x83; - out1[15] = x84; - out1[16] = x86; - out1[17] = x88; - out1[18] = x90; - out1[19] = x93; - out1[20] = x95; - out1[21] = x97; - out1[22] = x100; - out1[23] = x102; - out1[24] = x104; - out1[25] = x107; - out1[26] = x109; - out1[27] = x111; - out1[28] = x114; - out1[29] = x116; - out1[30] = x118; + x42 = (x40 << 6); + x43 = (x38 << 4); + x44 = (x36 << 3); + x45 = (x34 * (uint32_t)0x2); + x46 = (x30 << 6); + x47 = (x28 << 5); + x48 = (x26 << 3); + x49 = (x24 << 2); + x50 = (uint8_t)(x22 & UINT8_C(0xff)); + x51 = (x22 >> 8); + x52 = (uint8_t)(x51 & UINT8_C(0xff)); + x53 = (x51 >> 8); + x54 = (uint8_t)(x53 & UINT8_C(0xff)); + x55 = (uint8_t)(x53 >> 8); + x56 = (x49 + (uint32_t)x55); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); + x58 = (x56 >> 8); + x59 = (uint8_t)(x58 & UINT8_C(0xff)); + x60 = (x58 >> 8); + x61 = (uint8_t)(x60 & UINT8_C(0xff)); + x62 = (uint8_t)(x60 >> 8); + x63 = (x48 + (uint32_t)x62); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (x63 >> 8); + x66 = (uint8_t)(x65 & UINT8_C(0xff)); + x67 = (x65 >> 8); + x68 = (uint8_t)(x67 & UINT8_C(0xff)); + x69 = (uint8_t)(x67 >> 8); + x70 = (x47 + (uint32_t)x69); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (x72 >> 8); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); + x76 = (uint8_t)(x74 >> 8); + x77 = (x46 + (uint32_t)x76); + x78 = (uint8_t)(x77 & UINT8_C(0xff)); + x79 = (x77 >> 8); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); + x81 = (x79 >> 8); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); + x83 = (uint8_t)(x81 >> 8); + x84 = (uint8_t)(x32 & UINT8_C(0xff)); + x85 = (x32 >> 8); + x86 = (uint8_t)(x85 & UINT8_C(0xff)); + x87 = (x85 >> 8); + x88 = (uint8_t)(x87 & UINT8_C(0xff)); + x89 = (fiat_25519_uint1)(x87 >> 8); + x90 = (x45 + (uint32_t)x89); + x91 = (uint8_t)(x90 & UINT8_C(0xff)); + x92 = (x90 >> 8); + x93 = (uint8_t)(x92 & UINT8_C(0xff)); + x94 = (x92 >> 8); + x95 = (uint8_t)(x94 & UINT8_C(0xff)); + x96 = (uint8_t)(x94 >> 8); + x97 = (x44 + (uint32_t)x96); + x98 = (uint8_t)(x97 & UINT8_C(0xff)); + x99 = (x97 >> 8); + x100 = (uint8_t)(x99 & UINT8_C(0xff)); + x101 = (x99 >> 8); + x102 = (uint8_t)(x101 & UINT8_C(0xff)); + x103 = (uint8_t)(x101 >> 8); + x104 = (x43 + (uint32_t)x103); + x105 = (uint8_t)(x104 & UINT8_C(0xff)); + x106 = (x104 >> 8); + x107 = (uint8_t)(x106 & UINT8_C(0xff)); + x108 = (x106 >> 8); + x109 = (uint8_t)(x108 & UINT8_C(0xff)); + x110 = (uint8_t)(x108 >> 8); + x111 = (x42 + (uint32_t)x110); + x112 = (uint8_t)(x111 & UINT8_C(0xff)); + x113 = (x111 >> 8); + x114 = (uint8_t)(x113 & UINT8_C(0xff)); + x115 = (x113 >> 8); + x116 = (uint8_t)(x115 & UINT8_C(0xff)); + x117 = (uint8_t)(x115 >> 8); + out1[0] = x50; + out1[1] = x52; + out1[2] = x54; + out1[3] = x57; + out1[4] = x59; + out1[5] = x61; + out1[6] = x64; + out1[7] = x66; + out1[8] = x68; + out1[9] = x71; + out1[10] = x73; + out1[11] = x75; + out1[12] = x78; + out1[13] = x80; + out1[14] = x82; + out1[15] = x83; + out1[16] = x84; + out1[17] = x86; + out1[18] = x88; + out1[19] = x91; + out1[20] = x93; + out1[21] = x95; + out1[22] = x98; + out1[23] = x100; + out1[24] = x102; + out1[25] = x105; + out1[26] = x107; + out1[27] = x109; + out1[28] = x112; + out1[29] = x114; + out1[30] = x116; out1[31] = x117; } /* * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. + * * Postconditions: * eval out1 mod m = bytes_eval arg1 mod m * * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] - * Output Bounds: - * out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] */ -static void fiat_25519_from_bytes(uint32_t out1[10], const uint8_t arg1[32]) { - uint32_t x1 = ((uint32_t)(arg1[31]) << 18); - uint32_t x2 = ((uint32_t)(arg1[30]) << 10); - uint32_t x3 = ((uint32_t)(arg1[29]) << 2); - uint32_t x4 = ((uint32_t)(arg1[28]) << 20); - uint32_t x5 = ((uint32_t)(arg1[27]) << 12); - uint32_t x6 = ((uint32_t)(arg1[26]) << 4); - uint32_t x7 = ((uint32_t)(arg1[25]) << 21); - uint32_t x8 = ((uint32_t)(arg1[24]) << 13); - uint32_t x9 = ((uint32_t)(arg1[23]) << 5); - uint32_t x10 = ((uint32_t)(arg1[22]) << 23); - uint32_t x11 = ((uint32_t)(arg1[21]) << 15); - uint32_t x12 = ((uint32_t)(arg1[20]) << 7); - uint32_t x13 = ((uint32_t)(arg1[19]) << 24); - uint32_t x14 = ((uint32_t)(arg1[18]) << 16); - uint32_t x15 = ((uint32_t)(arg1[17]) << 8); - uint8_t x16 = (arg1[16]); - uint32_t x17 = ((uint32_t)(arg1[15]) << 18); - uint32_t x18 = ((uint32_t)(arg1[14]) << 10); - uint32_t x19 = ((uint32_t)(arg1[13]) << 2); - uint32_t x20 = ((uint32_t)(arg1[12]) << 19); - uint32_t x21 = ((uint32_t)(arg1[11]) << 11); - uint32_t x22 = ((uint32_t)(arg1[10]) << 3); - uint32_t x23 = ((uint32_t)(arg1[9]) << 21); - uint32_t x24 = ((uint32_t)(arg1[8]) << 13); - uint32_t x25 = ((uint32_t)(arg1[7]) << 5); - uint32_t x26 = ((uint32_t)(arg1[6]) << 22); - uint32_t x27 = ((uint32_t)(arg1[5]) << 14); - uint32_t x28 = ((uint32_t)(arg1[4]) << 6); - uint32_t x29 = ((uint32_t)(arg1[3]) << 24); - uint32_t x30 = ((uint32_t)(arg1[2]) << 16); - uint32_t x31 = ((uint32_t)(arg1[1]) << 8); - uint8_t x32 = (arg1[0]); - uint32_t x33 = (x32 + (x31 + (x30 + x29))); - uint8_t x34 = (uint8_t)(x33 >> 26); - uint32_t x35 = (x33 & UINT32_C(0x3ffffff)); - uint32_t x36 = (x3 + (x2 + x1)); - uint32_t x37 = (x6 + (x5 + x4)); - uint32_t x38 = (x9 + (x8 + x7)); - uint32_t x39 = (x12 + (x11 + x10)); - uint32_t x40 = (x16 + (x15 + (x14 + x13))); - uint32_t x41 = (x19 + (x18 + x17)); - uint32_t x42 = (x22 + (x21 + x20)); - uint32_t x43 = (x25 + (x24 + x23)); - uint32_t x44 = (x28 + (x27 + x26)); - uint32_t x45 = (x34 + x44); - uint8_t x46 = (uint8_t)(x45 >> 25); - uint32_t x47 = (x45 & UINT32_C(0x1ffffff)); - uint32_t x48 = (x46 + x43); - uint8_t x49 = (uint8_t)(x48 >> 26); - uint32_t x50 = (x48 & UINT32_C(0x3ffffff)); - uint32_t x51 = (x49 + x42); - uint8_t x52 = (uint8_t)(x51 >> 25); - uint32_t x53 = (x51 & UINT32_C(0x1ffffff)); - uint32_t x54 = (x52 + x41); - uint32_t x55 = (x54 & UINT32_C(0x3ffffff)); - uint8_t x56 = (uint8_t)(x40 >> 25); - uint32_t x57 = (x40 & UINT32_C(0x1ffffff)); - uint32_t x58 = (x56 + x39); - uint8_t x59 = (uint8_t)(x58 >> 26); - uint32_t x60 = (x58 & UINT32_C(0x3ffffff)); - uint32_t x61 = (x59 + x38); - uint8_t x62 = (uint8_t)(x61 >> 25); - uint32_t x63 = (x61 & UINT32_C(0x1ffffff)); - uint32_t x64 = (x62 + x37); - uint8_t x65 = (uint8_t)(x64 >> 26); - uint32_t x66 = (x64 & UINT32_C(0x3ffffff)); - uint32_t x67 = (x65 + x36); - out1[0] = x35; - out1[1] = x47; - out1[2] = x50; - out1[3] = x53; +static FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + uint32_t x11; + uint32_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint8_t x16; + uint32_t x17; + uint32_t x18; + uint32_t x19; + uint32_t x20; + uint32_t x21; + uint32_t x22; + uint32_t x23; + uint32_t x24; + uint32_t x25; + uint32_t x26; + uint32_t x27; + uint32_t x28; + uint32_t x29; + uint32_t x30; + uint32_t x31; + uint8_t x32; + uint32_t x33; + uint32_t x34; + uint32_t x35; + uint32_t x36; + uint8_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + uint8_t x42; + uint32_t x43; + uint32_t x44; + uint32_t x45; + uint32_t x46; + uint8_t x47; + uint32_t x48; + uint32_t x49; + uint32_t x50; + uint32_t x51; + uint8_t x52; + uint32_t x53; + uint32_t x54; + uint32_t x55; + uint32_t x56; + uint32_t x57; + uint32_t x58; + uint32_t x59; + uint8_t x60; + uint32_t x61; + uint32_t x62; + uint32_t x63; + uint32_t x64; + uint8_t x65; + uint32_t x66; + uint32_t x67; + uint32_t x68; + uint32_t x69; + uint8_t x70; + uint32_t x71; + uint32_t x72; + uint32_t x73; + uint32_t x74; + uint8_t x75; + uint32_t x76; + uint32_t x77; + uint32_t x78; + x1 = ((uint32_t)(arg1[31]) << 18); + x2 = ((uint32_t)(arg1[30]) << 10); + x3 = ((uint32_t)(arg1[29]) << 2); + x4 = ((uint32_t)(arg1[28]) << 20); + x5 = ((uint32_t)(arg1[27]) << 12); + x6 = ((uint32_t)(arg1[26]) << 4); + x7 = ((uint32_t)(arg1[25]) << 21); + x8 = ((uint32_t)(arg1[24]) << 13); + x9 = ((uint32_t)(arg1[23]) << 5); + x10 = ((uint32_t)(arg1[22]) << 23); + x11 = ((uint32_t)(arg1[21]) << 15); + x12 = ((uint32_t)(arg1[20]) << 7); + x13 = ((uint32_t)(arg1[19]) << 24); + x14 = ((uint32_t)(arg1[18]) << 16); + x15 = ((uint32_t)(arg1[17]) << 8); + x16 = (arg1[16]); + x17 = ((uint32_t)(arg1[15]) << 18); + x18 = ((uint32_t)(arg1[14]) << 10); + x19 = ((uint32_t)(arg1[13]) << 2); + x20 = ((uint32_t)(arg1[12]) << 19); + x21 = ((uint32_t)(arg1[11]) << 11); + x22 = ((uint32_t)(arg1[10]) << 3); + x23 = ((uint32_t)(arg1[9]) << 21); + x24 = ((uint32_t)(arg1[8]) << 13); + x25 = ((uint32_t)(arg1[7]) << 5); + x26 = ((uint32_t)(arg1[6]) << 22); + x27 = ((uint32_t)(arg1[5]) << 14); + x28 = ((uint32_t)(arg1[4]) << 6); + x29 = ((uint32_t)(arg1[3]) << 24); + x30 = ((uint32_t)(arg1[2]) << 16); + x31 = ((uint32_t)(arg1[1]) << 8); + x32 = (arg1[0]); + x33 = (x31 + (uint32_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x35 & UINT32_C(0x3ffffff)); + x37 = (uint8_t)(x35 >> 26); + x38 = (x28 + (uint32_t)x37); + x39 = (x27 + x38); + x40 = (x26 + x39); + x41 = (x40 & UINT32_C(0x1ffffff)); + x42 = (uint8_t)(x40 >> 25); + x43 = (x25 + (uint32_t)x42); + x44 = (x24 + x43); + x45 = (x23 + x44); + x46 = (x45 & UINT32_C(0x3ffffff)); + x47 = (uint8_t)(x45 >> 26); + x48 = (x22 + (uint32_t)x47); + x49 = (x21 + x48); + x50 = (x20 + x49); + x51 = (x50 & UINT32_C(0x1ffffff)); + x52 = (uint8_t)(x50 >> 25); + x53 = (x19 + (uint32_t)x52); + x54 = (x18 + x53); + x55 = (x17 + x54); + x56 = (x15 + (uint32_t)x16); + x57 = (x14 + x56); + x58 = (x13 + x57); + x59 = (x58 & UINT32_C(0x1ffffff)); + x60 = (uint8_t)(x58 >> 25); + x61 = (x12 + (uint32_t)x60); + x62 = (x11 + x61); + x63 = (x10 + x62); + x64 = (x63 & UINT32_C(0x3ffffff)); + x65 = (uint8_t)(x63 >> 26); + x66 = (x9 + (uint32_t)x65); + x67 = (x8 + x66); + x68 = (x7 + x67); + x69 = (x68 & UINT32_C(0x1ffffff)); + x70 = (uint8_t)(x68 >> 25); + x71 = (x6 + (uint32_t)x70); + x72 = (x5 + x71); + x73 = (x4 + x72); + x74 = (x73 & UINT32_C(0x3ffffff)); + x75 = (uint8_t)(x73 >> 26); + x76 = (x3 + (uint32_t)x75); + x77 = (x2 + x76); + x78 = (x1 + x77); + out1[0] = x36; + out1[1] = x41; + out1[2] = x46; + out1[3] = x51; out1[4] = x55; - out1[5] = x57; - out1[6] = x60; - out1[7] = x63; - out1[8] = x66; - out1[9] = x67; + out1[5] = x59; + out1[6] = x64; + out1[7] = x69; + out1[8] = x74; + out1[9] = x78; +} + +/* + * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements. + * + * Postconditions: + * out1 = arg1 + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + x1 = (arg1[0]); + x2 = (arg1[1]); + x3 = (arg1[2]); + x4 = (arg1[3]); + x5 = (arg1[4]); + x6 = (arg1[5]); + x7 = (arg1[6]); + x8 = (arg1[7]); + x9 = (arg1[8]); + x10 = (arg1[9]); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; + out1[5] = x6; + out1[6] = x7; + out1[7] = x8; + out1[8] = x9; + out1[9] = x10; } /* * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. + * * Postconditions: * eval out1 mod m = (121666 * eval arg1) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] - * Output Bounds: - * out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] */ -static void fiat_25519_carry_scmul_121666(uint32_t out1[10], const uint32_t arg1[10]) { - uint64_t x1 = ((uint64_t)UINT32_C(0x1db42) * (arg1[9])); - uint64_t x2 = ((uint64_t)UINT32_C(0x1db42) * (arg1[8])); - uint64_t x3 = ((uint64_t)UINT32_C(0x1db42) * (arg1[7])); - uint64_t x4 = ((uint64_t)UINT32_C(0x1db42) * (arg1[6])); - uint64_t x5 = ((uint64_t)UINT32_C(0x1db42) * (arg1[5])); - uint64_t x6 = ((uint64_t)UINT32_C(0x1db42) * (arg1[4])); - uint64_t x7 = ((uint64_t)UINT32_C(0x1db42) * (arg1[3])); - uint64_t x8 = ((uint64_t)UINT32_C(0x1db42) * (arg1[2])); - uint64_t x9 = ((uint64_t)UINT32_C(0x1db42) * (arg1[1])); - uint64_t x10 = ((uint64_t)UINT32_C(0x1db42) * (arg1[0])); - uint32_t x11 = (uint32_t)(x10 >> 26); - uint32_t x12 = (uint32_t)(x10 & UINT32_C(0x3ffffff)); - uint64_t x13 = (x11 + x9); - uint32_t x14 = (uint32_t)(x13 >> 25); - uint32_t x15 = (uint32_t)(x13 & UINT32_C(0x1ffffff)); - uint64_t x16 = (x14 + x8); - uint32_t x17 = (uint32_t)(x16 >> 26); - uint32_t x18 = (uint32_t)(x16 & UINT32_C(0x3ffffff)); - uint64_t x19 = (x17 + x7); - uint32_t x20 = (uint32_t)(x19 >> 25); - uint32_t x21 = (uint32_t)(x19 & UINT32_C(0x1ffffff)); - uint64_t x22 = (x20 + x6); - uint32_t x23 = (uint32_t)(x22 >> 26); - uint32_t x24 = (uint32_t)(x22 & UINT32_C(0x3ffffff)); - uint64_t x25 = (x23 + x5); - uint32_t x26 = (uint32_t)(x25 >> 25); - uint32_t x27 = (uint32_t)(x25 & UINT32_C(0x1ffffff)); - uint64_t x28 = (x26 + x4); - uint32_t x29 = (uint32_t)(x28 >> 26); - uint32_t x30 = (uint32_t)(x28 & UINT32_C(0x3ffffff)); - uint64_t x31 = (x29 + x3); - uint32_t x32 = (uint32_t)(x31 >> 25); - uint32_t x33 = (uint32_t)(x31 & UINT32_C(0x1ffffff)); - uint64_t x34 = (x32 + x2); - uint32_t x35 = (uint32_t)(x34 >> 26); - uint32_t x36 = (uint32_t)(x34 & UINT32_C(0x3ffffff)); - uint64_t x37 = (x35 + x1); - uint32_t x38 = (uint32_t)(x37 >> 25); - uint32_t x39 = (uint32_t)(x37 & UINT32_C(0x1ffffff)); - uint32_t x40 = (x38 * UINT8_C(0x13)); - uint32_t x41 = (x12 + x40); - fiat_25519_uint1 x42 = (fiat_25519_uint1)(x41 >> 26); - uint32_t x43 = (x41 & UINT32_C(0x3ffffff)); - uint32_t x44 = (x42 + x15); - fiat_25519_uint1 x45 = (fiat_25519_uint1)(x44 >> 25); - uint32_t x46 = (x44 & UINT32_C(0x1ffffff)); - uint32_t x47 = (x45 + x18); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint32_t x11; + uint32_t x12; + uint64_t x13; + uint32_t x14; + uint32_t x15; + uint64_t x16; + uint32_t x17; + uint32_t x18; + uint64_t x19; + uint32_t x20; + uint32_t x21; + uint64_t x22; + uint32_t x23; + uint32_t x24; + uint64_t x25; + uint32_t x26; + uint32_t x27; + uint64_t x28; + uint32_t x29; + uint32_t x30; + uint64_t x31; + uint32_t x32; + uint32_t x33; + uint64_t x34; + uint32_t x35; + uint32_t x36; + uint64_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + fiat_25519_uint1 x42; + uint32_t x43; + uint32_t x44; + fiat_25519_uint1 x45; + uint32_t x46; + uint32_t x47; + x1 = ((uint64_t)UINT32_C(0x1db42) * (arg1[9])); + x2 = ((uint64_t)UINT32_C(0x1db42) * (arg1[8])); + x3 = ((uint64_t)UINT32_C(0x1db42) * (arg1[7])); + x4 = ((uint64_t)UINT32_C(0x1db42) * (arg1[6])); + x5 = ((uint64_t)UINT32_C(0x1db42) * (arg1[5])); + x6 = ((uint64_t)UINT32_C(0x1db42) * (arg1[4])); + x7 = ((uint64_t)UINT32_C(0x1db42) * (arg1[3])); + x8 = ((uint64_t)UINT32_C(0x1db42) * (arg1[2])); + x9 = ((uint64_t)UINT32_C(0x1db42) * (arg1[1])); + x10 = ((uint64_t)UINT32_C(0x1db42) * (arg1[0])); + x11 = (uint32_t)(x10 >> 26); + x12 = (uint32_t)(x10 & UINT32_C(0x3ffffff)); + x13 = (x11 + x9); + x14 = (uint32_t)(x13 >> 25); + x15 = (uint32_t)(x13 & UINT32_C(0x1ffffff)); + x16 = (x14 + x8); + x17 = (uint32_t)(x16 >> 26); + x18 = (uint32_t)(x16 & UINT32_C(0x3ffffff)); + x19 = (x17 + x7); + x20 = (uint32_t)(x19 >> 25); + x21 = (uint32_t)(x19 & UINT32_C(0x1ffffff)); + x22 = (x20 + x6); + x23 = (uint32_t)(x22 >> 26); + x24 = (uint32_t)(x22 & UINT32_C(0x3ffffff)); + x25 = (x23 + x5); + x26 = (uint32_t)(x25 >> 25); + x27 = (uint32_t)(x25 & UINT32_C(0x1ffffff)); + x28 = (x26 + x4); + x29 = (uint32_t)(x28 >> 26); + x30 = (uint32_t)(x28 & UINT32_C(0x3ffffff)); + x31 = (x29 + x3); + x32 = (uint32_t)(x31 >> 25); + x33 = (uint32_t)(x31 & UINT32_C(0x1ffffff)); + x34 = (x32 + x2); + x35 = (uint32_t)(x34 >> 26); + x36 = (uint32_t)(x34 & UINT32_C(0x3ffffff)); + x37 = (x35 + x1); + x38 = (uint32_t)(x37 >> 25); + x39 = (uint32_t)(x37 & UINT32_C(0x1ffffff)); + x40 = (x38 * UINT8_C(0x13)); + x41 = (x12 + x40); + x42 = (fiat_25519_uint1)(x41 >> 26); + x43 = (x41 & UINT32_C(0x3ffffff)); + x44 = (x42 + x15); + x45 = (fiat_25519_uint1)(x44 >> 25); + x46 = (x44 & UINT32_C(0x1ffffff)); + x47 = (x45 + x18); out1[0] = x43; out1[1] = x46; out1[2] = x47; @@ -978,4 +1563,3 @@ static void fiat_25519_carry_scmul_121666(uint32_t out1[10], const uint32_t arg1 out1[8] = x36; out1[9] = x39; } - diff --git a/src/third_party/fiat/curve25519_64.h b/src/third_party/fiat/curve25519_64.h index 02679bbb..faed049d 100644 --- a/src/third_party/fiat/curve25519_64.h +++ b/src/third_party/fiat/curve25519_64.h @@ -1,26 +1,56 @@ -/* Autogenerated: src/ExtractionOCaml/unsaturated_solinas --static 25519 5 '2^255 - 19' 64 carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 */ +/* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */ /* curve description: 25519 */ -/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666 */ -/* n = 5 (from "5") */ -/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ /* machine_wordsize = 64 (from "64") */ - +/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */ +/* n = 5 (from "(auto)") */ +/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ +/* tight_bounds_multiplier = 1 (from "") */ +/* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ +/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ +/* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ #include <stdint.h> typedef unsigned char fiat_25519_uint1; typedef signed char fiat_25519_int1; -typedef signed __int128 fiat_25519_int128; -typedef unsigned __int128 fiat_25519_uint128; +#if defined(__GNUC__) || defined(__clang__) +# define FIAT_25519_FIAT_EXTENSION __extension__ +# define FIAT_25519_FIAT_INLINE __inline__ +#else +# define FIAT_25519_FIAT_EXTENSION +# define FIAT_25519_FIAT_INLINE +#endif + +FIAT_25519_FIAT_EXTENSION typedef signed __int128 fiat_25519_int128; +FIAT_25519_FIAT_EXTENSION typedef unsigned __int128 fiat_25519_uint128; + +/* The type fiat_25519_loose_field_element is a field element with loose bounds. */ +/* Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ +typedef uint64_t fiat_25519_loose_field_element[5]; + +/* The type fiat_25519_tight_field_element is a field element with tight bounds. */ +/* Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ +typedef uint64_t fiat_25519_tight_field_element[5]; #if (-1 & 3) != 3 #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t fiat_25519_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +# define fiat_25519_value_barrier_u64(x) (x) +#endif + /* * The function fiat_25519_addcarryx_u51 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^51 * out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋ @@ -33,16 +63,20 @@ typedef unsigned __int128 fiat_25519_uint128; * out1: [0x0 ~> 0x7ffffffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { - uint64_t x1 = ((arg1 + arg2) + arg3); - uint64_t x2 = (x1 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint1 x3 = (fiat_25519_uint1)(x1 >> 51); +static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { + uint64_t x1; + uint64_t x2; + fiat_25519_uint1 x3; + x1 = ((arg1 + arg2) + arg3); + x2 = (x1 & UINT64_C(0x7ffffffffffff)); + x3 = (fiat_25519_uint1)(x1 >> 51); *out1 = x2; *out2 = x3; } /* * The function fiat_25519_subborrowx_u51 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^51 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋ @@ -55,16 +89,20 @@ static void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fia * out1: [0x0 ~> 0x7ffffffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { - int64_t x1 = ((int64_t)(arg2 - (int64_t)arg1) - (int64_t)arg3); - fiat_25519_int1 x2 = (fiat_25519_int1)(x1 >> 51); - uint64_t x3 = (x1 & UINT64_C(0x7ffffffffffff)); +static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { + int64_t x1; + fiat_25519_int1 x2; + uint64_t x3; + x1 = ((int64_t)(arg2 - (int64_t)arg1) - (int64_t)arg3); + x2 = (fiat_25519_int1)(x1 >> 51); + x3 = (x1 & UINT64_C(0x7ffffffffffff)); *out1 = x3; *out2 = (fiat_25519_uint1)(0x0 - x2); } /* * The function fiat_25519_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -75,83 +113,128 @@ static void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fi * Output Bounds: * out1: [0x0 ~> 0xffffffffffffffff] */ -static void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { - fiat_25519_uint1 x1 = (!(!arg1)); - uint64_t x2 = ((fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - // Note this line has been patched from the synthesized code to add value - // barriers. - // - // Clang recognizes this pattern as a select. While it usually transforms it - // to a cmov, it sometimes further transforms it into a branch, which we do - // not want. - uint64_t x3 = ((value_barrier_u64(x2) & arg3) | (value_barrier_u64(~x2) & arg2)); +static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_25519_uint1 x1; + uint64_t x2; + uint64_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); + x3 = ((fiat_25519_value_barrier_u64(x2) & arg3) | (fiat_25519_value_barrier_u64((~x2)) & arg2)); *out1 = x3; } /* * The function fiat_25519_carry_mul multiplies two field elements and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * arg2: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * Output Bounds: - * out1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] */ -static void fiat_25519_carry_mul(uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { - fiat_25519_uint128 x1 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[4]) * UINT8_C(0x13))); - fiat_25519_uint128 x2 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[3]) * UINT8_C(0x13))); - fiat_25519_uint128 x3 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[2]) * UINT8_C(0x13))); - fiat_25519_uint128 x4 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[1]) * UINT8_C(0x13))); - fiat_25519_uint128 x5 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[4]) * UINT8_C(0x13))); - fiat_25519_uint128 x6 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[3]) * UINT8_C(0x13))); - fiat_25519_uint128 x7 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[2]) * UINT8_C(0x13))); - fiat_25519_uint128 x8 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[4]) * UINT8_C(0x13))); - fiat_25519_uint128 x9 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[3]) * UINT8_C(0x13))); - fiat_25519_uint128 x10 = ((fiat_25519_uint128)(arg1[1]) * ((arg2[4]) * UINT8_C(0x13))); - fiat_25519_uint128 x11 = ((fiat_25519_uint128)(arg1[4]) * (arg2[0])); - fiat_25519_uint128 x12 = ((fiat_25519_uint128)(arg1[3]) * (arg2[1])); - fiat_25519_uint128 x13 = ((fiat_25519_uint128)(arg1[3]) * (arg2[0])); - fiat_25519_uint128 x14 = ((fiat_25519_uint128)(arg1[2]) * (arg2[2])); - fiat_25519_uint128 x15 = ((fiat_25519_uint128)(arg1[2]) * (arg2[1])); - fiat_25519_uint128 x16 = ((fiat_25519_uint128)(arg1[2]) * (arg2[0])); - fiat_25519_uint128 x17 = ((fiat_25519_uint128)(arg1[1]) * (arg2[3])); - fiat_25519_uint128 x18 = ((fiat_25519_uint128)(arg1[1]) * (arg2[2])); - fiat_25519_uint128 x19 = ((fiat_25519_uint128)(arg1[1]) * (arg2[1])); - fiat_25519_uint128 x20 = ((fiat_25519_uint128)(arg1[1]) * (arg2[0])); - fiat_25519_uint128 x21 = ((fiat_25519_uint128)(arg1[0]) * (arg2[4])); - fiat_25519_uint128 x22 = ((fiat_25519_uint128)(arg1[0]) * (arg2[3])); - fiat_25519_uint128 x23 = ((fiat_25519_uint128)(arg1[0]) * (arg2[2])); - fiat_25519_uint128 x24 = ((fiat_25519_uint128)(arg1[0]) * (arg2[1])); - fiat_25519_uint128 x25 = ((fiat_25519_uint128)(arg1[0]) * (arg2[0])); - fiat_25519_uint128 x26 = (x25 + (x10 + (x9 + (x7 + x4)))); - uint64_t x27 = (uint64_t)(x26 >> 51); - uint64_t x28 = (uint64_t)(x26 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x29 = (x21 + (x17 + (x14 + (x12 + x11)))); - fiat_25519_uint128 x30 = (x22 + (x18 + (x15 + (x13 + x1)))); - fiat_25519_uint128 x31 = (x23 + (x19 + (x16 + (x5 + x2)))); - fiat_25519_uint128 x32 = (x24 + (x20 + (x8 + (x6 + x3)))); - fiat_25519_uint128 x33 = (x27 + x32); - uint64_t x34 = (uint64_t)(x33 >> 51); - uint64_t x35 = (uint64_t)(x33 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x36 = (x34 + x31); - uint64_t x37 = (uint64_t)(x36 >> 51); - uint64_t x38 = (uint64_t)(x36 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x39 = (x37 + x30); - uint64_t x40 = (uint64_t)(x39 >> 51); - uint64_t x41 = (uint64_t)(x39 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x42 = (x40 + x29); - uint64_t x43 = (uint64_t)(x42 >> 51); - uint64_t x44 = (uint64_t)(x42 & UINT64_C(0x7ffffffffffff)); - uint64_t x45 = (x43 * UINT8_C(0x13)); - uint64_t x46 = (x28 + x45); - uint64_t x47 = (x46 >> 51); - uint64_t x48 = (x46 & UINT64_C(0x7ffffffffffff)); - uint64_t x49 = (x47 + x35); - fiat_25519_uint1 x50 = (fiat_25519_uint1)(x49 >> 51); - uint64_t x51 = (x49 & UINT64_C(0x7ffffffffffff)); - uint64_t x52 = (x50 + x38); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) { + fiat_25519_uint128 x1; + fiat_25519_uint128 x2; + fiat_25519_uint128 x3; + fiat_25519_uint128 x4; + fiat_25519_uint128 x5; + fiat_25519_uint128 x6; + fiat_25519_uint128 x7; + fiat_25519_uint128 x8; + fiat_25519_uint128 x9; + fiat_25519_uint128 x10; + fiat_25519_uint128 x11; + fiat_25519_uint128 x12; + fiat_25519_uint128 x13; + fiat_25519_uint128 x14; + fiat_25519_uint128 x15; + fiat_25519_uint128 x16; + fiat_25519_uint128 x17; + fiat_25519_uint128 x18; + fiat_25519_uint128 x19; + fiat_25519_uint128 x20; + fiat_25519_uint128 x21; + fiat_25519_uint128 x22; + fiat_25519_uint128 x23; + fiat_25519_uint128 x24; + fiat_25519_uint128 x25; + fiat_25519_uint128 x26; + uint64_t x27; + uint64_t x28; + fiat_25519_uint128 x29; + fiat_25519_uint128 x30; + fiat_25519_uint128 x31; + fiat_25519_uint128 x32; + fiat_25519_uint128 x33; + uint64_t x34; + uint64_t x35; + fiat_25519_uint128 x36; + uint64_t x37; + uint64_t x38; + fiat_25519_uint128 x39; + uint64_t x40; + uint64_t x41; + fiat_25519_uint128 x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + fiat_25519_uint1 x50; + uint64_t x51; + uint64_t x52; + x1 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[4]) * UINT8_C(0x13))); + x2 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[3]) * UINT8_C(0x13))); + x3 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[2]) * UINT8_C(0x13))); + x4 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[1]) * UINT8_C(0x13))); + x5 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[4]) * UINT8_C(0x13))); + x6 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[3]) * UINT8_C(0x13))); + x7 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[2]) * UINT8_C(0x13))); + x8 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[4]) * UINT8_C(0x13))); + x9 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[3]) * UINT8_C(0x13))); + x10 = ((fiat_25519_uint128)(arg1[1]) * ((arg2[4]) * UINT8_C(0x13))); + x11 = ((fiat_25519_uint128)(arg1[4]) * (arg2[0])); + x12 = ((fiat_25519_uint128)(arg1[3]) * (arg2[1])); + x13 = ((fiat_25519_uint128)(arg1[3]) * (arg2[0])); + x14 = ((fiat_25519_uint128)(arg1[2]) * (arg2[2])); + x15 = ((fiat_25519_uint128)(arg1[2]) * (arg2[1])); + x16 = ((fiat_25519_uint128)(arg1[2]) * (arg2[0])); + x17 = ((fiat_25519_uint128)(arg1[1]) * (arg2[3])); + x18 = ((fiat_25519_uint128)(arg1[1]) * (arg2[2])); + x19 = ((fiat_25519_uint128)(arg1[1]) * (arg2[1])); + x20 = ((fiat_25519_uint128)(arg1[1]) * (arg2[0])); + x21 = ((fiat_25519_uint128)(arg1[0]) * (arg2[4])); + x22 = ((fiat_25519_uint128)(arg1[0]) * (arg2[3])); + x23 = ((fiat_25519_uint128)(arg1[0]) * (arg2[2])); + x24 = ((fiat_25519_uint128)(arg1[0]) * (arg2[1])); + x25 = ((fiat_25519_uint128)(arg1[0]) * (arg2[0])); + x26 = (x25 + (x10 + (x9 + (x7 + x4)))); + x27 = (uint64_t)(x26 >> 51); + x28 = (uint64_t)(x26 & UINT64_C(0x7ffffffffffff)); + x29 = (x21 + (x17 + (x14 + (x12 + x11)))); + x30 = (x22 + (x18 + (x15 + (x13 + x1)))); + x31 = (x23 + (x19 + (x16 + (x5 + x2)))); + x32 = (x24 + (x20 + (x8 + (x6 + x3)))); + x33 = (x27 + x32); + x34 = (uint64_t)(x33 >> 51); + x35 = (uint64_t)(x33 & UINT64_C(0x7ffffffffffff)); + x36 = (x34 + x31); + x37 = (uint64_t)(x36 >> 51); + x38 = (uint64_t)(x36 & UINT64_C(0x7ffffffffffff)); + x39 = (x37 + x30); + x40 = (uint64_t)(x39 >> 51); + x41 = (uint64_t)(x39 & UINT64_C(0x7ffffffffffff)); + x42 = (x40 + x29); + x43 = (uint64_t)(x42 >> 51); + x44 = (uint64_t)(x42 & UINT64_C(0x7ffffffffffff)); + x45 = (x43 * UINT8_C(0x13)); + x46 = (x28 + x45); + x47 = (x46 >> 51); + x48 = (x46 & UINT64_C(0x7ffffffffffff)); + x49 = (x47 + x35); + x50 = (fiat_25519_uint1)(x49 >> 51); + x51 = (x49 & UINT64_C(0x7ffffffffffff)); + x52 = (x50 + x38); out1[0] = x48; out1[1] = x51; out1[2] = x52; @@ -161,65 +244,112 @@ static void fiat_25519_carry_mul(uint64_t out1[5], const uint64_t arg1[5], const /* * The function fiat_25519_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * Output Bounds: - * out1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] */ -static void fiat_25519_carry_square(uint64_t out1[5], const uint64_t arg1[5]) { - uint64_t x1 = ((arg1[4]) * UINT8_C(0x13)); - uint64_t x2 = (x1 * 0x2); - uint64_t x3 = ((arg1[4]) * 0x2); - uint64_t x4 = ((arg1[3]) * UINT8_C(0x13)); - uint64_t x5 = (x4 * 0x2); - uint64_t x6 = ((arg1[3]) * 0x2); - uint64_t x7 = ((arg1[2]) * 0x2); - uint64_t x8 = ((arg1[1]) * 0x2); - fiat_25519_uint128 x9 = ((fiat_25519_uint128)(arg1[4]) * x1); - fiat_25519_uint128 x10 = ((fiat_25519_uint128)(arg1[3]) * x2); - fiat_25519_uint128 x11 = ((fiat_25519_uint128)(arg1[3]) * x4); - fiat_25519_uint128 x12 = ((fiat_25519_uint128)(arg1[2]) * x2); - fiat_25519_uint128 x13 = ((fiat_25519_uint128)(arg1[2]) * x5); - fiat_25519_uint128 x14 = ((fiat_25519_uint128)(arg1[2]) * (arg1[2])); - fiat_25519_uint128 x15 = ((fiat_25519_uint128)(arg1[1]) * x2); - fiat_25519_uint128 x16 = ((fiat_25519_uint128)(arg1[1]) * x6); - fiat_25519_uint128 x17 = ((fiat_25519_uint128)(arg1[1]) * x7); - fiat_25519_uint128 x18 = ((fiat_25519_uint128)(arg1[1]) * (arg1[1])); - fiat_25519_uint128 x19 = ((fiat_25519_uint128)(arg1[0]) * x3); - fiat_25519_uint128 x20 = ((fiat_25519_uint128)(arg1[0]) * x6); - fiat_25519_uint128 x21 = ((fiat_25519_uint128)(arg1[0]) * x7); - fiat_25519_uint128 x22 = ((fiat_25519_uint128)(arg1[0]) * x8); - fiat_25519_uint128 x23 = ((fiat_25519_uint128)(arg1[0]) * (arg1[0])); - fiat_25519_uint128 x24 = (x23 + (x15 + x13)); - uint64_t x25 = (uint64_t)(x24 >> 51); - uint64_t x26 = (uint64_t)(x24 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x27 = (x19 + (x16 + x14)); - fiat_25519_uint128 x28 = (x20 + (x17 + x9)); - fiat_25519_uint128 x29 = (x21 + (x18 + x10)); - fiat_25519_uint128 x30 = (x22 + (x12 + x11)); - fiat_25519_uint128 x31 = (x25 + x30); - uint64_t x32 = (uint64_t)(x31 >> 51); - uint64_t x33 = (uint64_t)(x31 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x34 = (x32 + x29); - uint64_t x35 = (uint64_t)(x34 >> 51); - uint64_t x36 = (uint64_t)(x34 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x37 = (x35 + x28); - uint64_t x38 = (uint64_t)(x37 >> 51); - uint64_t x39 = (uint64_t)(x37 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x40 = (x38 + x27); - uint64_t x41 = (uint64_t)(x40 >> 51); - uint64_t x42 = (uint64_t)(x40 & UINT64_C(0x7ffffffffffff)); - uint64_t x43 = (x41 * UINT8_C(0x13)); - uint64_t x44 = (x26 + x43); - uint64_t x45 = (x44 >> 51); - uint64_t x46 = (x44 & UINT64_C(0x7ffffffffffff)); - uint64_t x47 = (x45 + x33); - fiat_25519_uint1 x48 = (fiat_25519_uint1)(x47 >> 51); - uint64_t x49 = (x47 & UINT64_C(0x7ffffffffffff)); - uint64_t x50 = (x48 + x36); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + fiat_25519_uint128 x9; + fiat_25519_uint128 x10; + fiat_25519_uint128 x11; + fiat_25519_uint128 x12; + fiat_25519_uint128 x13; + fiat_25519_uint128 x14; + fiat_25519_uint128 x15; + fiat_25519_uint128 x16; + fiat_25519_uint128 x17; + fiat_25519_uint128 x18; + fiat_25519_uint128 x19; + fiat_25519_uint128 x20; + fiat_25519_uint128 x21; + fiat_25519_uint128 x22; + fiat_25519_uint128 x23; + fiat_25519_uint128 x24; + uint64_t x25; + uint64_t x26; + fiat_25519_uint128 x27; + fiat_25519_uint128 x28; + fiat_25519_uint128 x29; + fiat_25519_uint128 x30; + fiat_25519_uint128 x31; + uint64_t x32; + uint64_t x33; + fiat_25519_uint128 x34; + uint64_t x35; + uint64_t x36; + fiat_25519_uint128 x37; + uint64_t x38; + uint64_t x39; + fiat_25519_uint128 x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + fiat_25519_uint1 x48; + uint64_t x49; + uint64_t x50; + x1 = ((arg1[4]) * UINT8_C(0x13)); + x2 = (x1 * 0x2); + x3 = ((arg1[4]) * 0x2); + x4 = ((arg1[3]) * UINT8_C(0x13)); + x5 = (x4 * 0x2); + x6 = ((arg1[3]) * 0x2); + x7 = ((arg1[2]) * 0x2); + x8 = ((arg1[1]) * 0x2); + x9 = ((fiat_25519_uint128)(arg1[4]) * x1); + x10 = ((fiat_25519_uint128)(arg1[3]) * x2); + x11 = ((fiat_25519_uint128)(arg1[3]) * x4); + x12 = ((fiat_25519_uint128)(arg1[2]) * x2); + x13 = ((fiat_25519_uint128)(arg1[2]) * x5); + x14 = ((fiat_25519_uint128)(arg1[2]) * (arg1[2])); + x15 = ((fiat_25519_uint128)(arg1[1]) * x2); + x16 = ((fiat_25519_uint128)(arg1[1]) * x6); + x17 = ((fiat_25519_uint128)(arg1[1]) * x7); + x18 = ((fiat_25519_uint128)(arg1[1]) * (arg1[1])); + x19 = ((fiat_25519_uint128)(arg1[0]) * x3); + x20 = ((fiat_25519_uint128)(arg1[0]) * x6); + x21 = ((fiat_25519_uint128)(arg1[0]) * x7); + x22 = ((fiat_25519_uint128)(arg1[0]) * x8); + x23 = ((fiat_25519_uint128)(arg1[0]) * (arg1[0])); + x24 = (x23 + (x15 + x13)); + x25 = (uint64_t)(x24 >> 51); + x26 = (uint64_t)(x24 & UINT64_C(0x7ffffffffffff)); + x27 = (x19 + (x16 + x14)); + x28 = (x20 + (x17 + x9)); + x29 = (x21 + (x18 + x10)); + x30 = (x22 + (x12 + x11)); + x31 = (x25 + x30); + x32 = (uint64_t)(x31 >> 51); + x33 = (uint64_t)(x31 & UINT64_C(0x7ffffffffffff)); + x34 = (x32 + x29); + x35 = (uint64_t)(x34 >> 51); + x36 = (uint64_t)(x34 & UINT64_C(0x7ffffffffffff)); + x37 = (x35 + x28); + x38 = (uint64_t)(x37 >> 51); + x39 = (uint64_t)(x37 & UINT64_C(0x7ffffffffffff)); + x40 = (x38 + x27); + x41 = (uint64_t)(x40 >> 51); + x42 = (uint64_t)(x40 & UINT64_C(0x7ffffffffffff)); + x43 = (x41 * UINT8_C(0x13)); + x44 = (x26 + x43); + x45 = (x44 >> 51); + x46 = (x44 & UINT64_C(0x7ffffffffffff)); + x47 = (x45 + x33); + x48 = (fiat_25519_uint1)(x47 >> 51); + x49 = (x47 & UINT64_C(0x7ffffffffffff)); + x50 = (x48 + x36); out1[0] = x46; out1[1] = x49; out1[2] = x50; @@ -229,27 +359,36 @@ static void fiat_25519_carry_square(uint64_t out1[5], const uint64_t arg1[5]) { /* * The function fiat_25519_carry reduces a field element. + * * Postconditions: * eval out1 mod m = eval arg1 mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * Output Bounds: - * out1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] */ -static void fiat_25519_carry(uint64_t out1[5], const uint64_t arg1[5]) { - uint64_t x1 = (arg1[0]); - uint64_t x2 = ((x1 >> 51) + (arg1[1])); - uint64_t x3 = ((x2 >> 51) + (arg1[2])); - uint64_t x4 = ((x3 >> 51) + (arg1[3])); - uint64_t x5 = ((x4 >> 51) + (arg1[4])); - uint64_t x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13))); - uint64_t x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff))); - uint64_t x8 = (x6 & UINT64_C(0x7ffffffffffff)); - uint64_t x9 = (x7 & UINT64_C(0x7ffffffffffff)); - uint64_t x10 = ((fiat_25519_uint1)(x7 >> 51) + (x3 & UINT64_C(0x7ffffffffffff))); - uint64_t x11 = (x4 & UINT64_C(0x7ffffffffffff)); - uint64_t x12 = (x5 & UINT64_C(0x7ffffffffffff)); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + x1 = (arg1[0]); + x2 = ((x1 >> 51) + (arg1[1])); + x3 = ((x2 >> 51) + (arg1[2])); + x4 = ((x3 >> 51) + (arg1[3])); + x5 = ((x4 >> 51) + (arg1[4])); + x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13))); + x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff))); + x8 = (x6 & UINT64_C(0x7ffffffffffff)); + x9 = (x7 & UINT64_C(0x7ffffffffffff)); + x10 = ((fiat_25519_uint1)(x7 >> 51) + (x3 & UINT64_C(0x7ffffffffffff))); + x11 = (x4 & UINT64_C(0x7ffffffffffff)); + x12 = (x5 & UINT64_C(0x7ffffffffffff)); out1[0] = x8; out1[1] = x9; out1[2] = x10; @@ -259,21 +398,22 @@ static void fiat_25519_carry(uint64_t out1[5], const uint64_t arg1[5]) { /* * The function fiat_25519_add adds two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 + eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * Output Bounds: - * out1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] */ -static void fiat_25519_add(uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { - uint64_t x1 = ((arg1[0]) + (arg2[0])); - uint64_t x2 = ((arg1[1]) + (arg2[1])); - uint64_t x3 = ((arg1[2]) + (arg2[2])); - uint64_t x4 = ((arg1[3]) + (arg2[3])); - uint64_t x5 = ((arg1[4]) + (arg2[4])); +static FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = ((arg1[0]) + (arg2[0])); + x2 = ((arg1[1]) + (arg2[1])); + x3 = ((arg1[2]) + (arg2[2])); + x4 = ((arg1[3]) + (arg2[3])); + x5 = ((arg1[4]) + (arg2[4])); out1[0] = x1; out1[1] = x2; out1[2] = x3; @@ -283,21 +423,22 @@ static void fiat_25519_add(uint64_t out1[5], const uint64_t arg1[5], const uint6 /* * The function fiat_25519_sub subtracts two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 - eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * Output Bounds: - * out1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] */ -static void fiat_25519_sub(uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { - uint64_t x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0])); - uint64_t x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1])); - uint64_t x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2])); - uint64_t x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3])); - uint64_t x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4])); +static FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0])); + x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1])); + x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2])); + x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3])); + x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4])); out1[0] = x1; out1[1] = x2; out1[2] = x3; @@ -307,20 +448,22 @@ static void fiat_25519_sub(uint64_t out1[5], const uint64_t arg1[5], const uint6 /* * The function fiat_25519_opp negates a field element. + * * Postconditions: * eval out1 mod m = -eval arg1 mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * Output Bounds: - * out1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] */ -static void fiat_25519_opp(uint64_t out1[5], const uint64_t arg1[5]) { - uint64_t x1 = (UINT64_C(0xfffffffffffda) - (arg1[0])); - uint64_t x2 = (UINT64_C(0xffffffffffffe) - (arg1[1])); - uint64_t x3 = (UINT64_C(0xffffffffffffe) - (arg1[2])); - uint64_t x4 = (UINT64_C(0xffffffffffffe) - (arg1[3])); - uint64_t x5 = (UINT64_C(0xffffffffffffe) - (arg1[4])); +static FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = (UINT64_C(0xfffffffffffda) - (arg1[0])); + x2 = (UINT64_C(0xffffffffffffe) - (arg1[1])); + x3 = (UINT64_C(0xffffffffffffe) - (arg1[2])); + x4 = (UINT64_C(0xffffffffffffe) - (arg1[3])); + x5 = (UINT64_C(0xffffffffffffe) - (arg1[4])); out1[0] = x1; out1[1] = x2; out1[2] = x3; @@ -330,6 +473,7 @@ static void fiat_25519_opp(uint64_t out1[5], const uint64_t arg1[5]) { /* * The function fiat_25519_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -340,16 +484,16 @@ static void fiat_25519_opp(uint64_t out1[5], const uint64_t arg1[5]) { * Output Bounds: * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) { +static FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) { uint64_t x1; - fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); uint64_t x2; - fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); uint64_t x3; - fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); uint64_t x4; - fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); uint64_t x5; + fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); + fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); fiat_25519_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4])); out1[0] = x1; out1[1] = x2; @@ -360,260 +504,469 @@ static void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const /* * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. + * * Postconditions: * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * - * Input Bounds: - * arg1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] */ -static void fiat_25519_to_bytes(uint8_t out1[32], const uint64_t arg1[5]) { +static FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) { uint64_t x1; fiat_25519_uint1 x2; - fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed)); uint64_t x3; fiat_25519_uint1 x4; - fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff)); uint64_t x5; fiat_25519_uint1 x6; - fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff)); uint64_t x7; fiat_25519_uint1 x8; - fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff)); uint64_t x9; fiat_25519_uint1 x10; - fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff)); uint64_t x11; - fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff)); uint64_t x12; fiat_25519_uint1 x13; - fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & UINT64_C(0x7ffffffffffed))); uint64_t x14; fiat_25519_uint1 x15; - fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff))); uint64_t x16; fiat_25519_uint1 x17; - fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff))); uint64_t x18; fiat_25519_uint1 x19; - fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff))); uint64_t x20; fiat_25519_uint1 x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint8_t x26; + uint64_t x27; + uint8_t x28; + uint64_t x29; + uint8_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint8_t x34; + uint64_t x35; + uint8_t x36; + uint8_t x37; + uint64_t x38; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; + uint64_t x46; + uint8_t x47; + uint64_t x48; + uint8_t x49; + uint8_t x50; + uint64_t x51; + uint8_t x52; + uint64_t x53; + uint8_t x54; + uint64_t x55; + uint8_t x56; + uint64_t x57; + uint8_t x58; + uint64_t x59; + uint8_t x60; + uint64_t x61; + uint8_t x62; + uint64_t x63; + uint8_t x64; + fiat_25519_uint1 x65; + uint64_t x66; + uint8_t x67; + uint64_t x68; + uint8_t x69; + uint64_t x70; + uint8_t x71; + uint64_t x72; + uint8_t x73; + uint64_t x74; + uint8_t x75; + uint64_t x76; + uint8_t x77; + uint8_t x78; + uint64_t x79; + uint8_t x80; + uint64_t x81; + uint8_t x82; + uint64_t x83; + uint8_t x84; + uint64_t x85; + uint8_t x86; + uint64_t x87; + uint8_t x88; + uint64_t x89; + uint8_t x90; + uint8_t x91; + fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed)); + fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff)); + fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff)); + fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff)); + fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff)); + fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & UINT64_C(0x7ffffffffffed))); + fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff))); + fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff))); + fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff))); fiat_25519_addcarryx_u51(&x20, &x21, x19, x9, (x11 & UINT64_C(0x7ffffffffffff))); - uint64_t x22 = (x20 << 4); - uint64_t x23 = (x18 * (uint64_t)0x2); - uint64_t x24 = (x16 << 6); - uint64_t x25 = (x14 << 3); - uint64_t x26 = (x12 >> 8); - uint8_t x27 = (uint8_t)(x12 & UINT8_C(0xff)); - uint64_t x28 = (x26 >> 8); - uint8_t x29 = (uint8_t)(x26 & UINT8_C(0xff)); - uint64_t x30 = (x28 >> 8); - uint8_t x31 = (uint8_t)(x28 & UINT8_C(0xff)); - uint64_t x32 = (x30 >> 8); - uint8_t x33 = (uint8_t)(x30 & UINT8_C(0xff)); - uint64_t x34 = (x32 >> 8); - uint8_t x35 = (uint8_t)(x32 & UINT8_C(0xff)); - uint8_t x36 = (uint8_t)(x34 >> 8); - uint8_t x37 = (uint8_t)(x34 & UINT8_C(0xff)); - uint64_t x38 = (x36 + x25); - uint64_t x39 = (x38 >> 8); - uint8_t x40 = (uint8_t)(x38 & UINT8_C(0xff)); - uint64_t x41 = (x39 >> 8); - uint8_t x42 = (uint8_t)(x39 & UINT8_C(0xff)); - uint64_t x43 = (x41 >> 8); - uint8_t x44 = (uint8_t)(x41 & UINT8_C(0xff)); - uint64_t x45 = (x43 >> 8); - uint8_t x46 = (uint8_t)(x43 & UINT8_C(0xff)); - uint64_t x47 = (x45 >> 8); - uint8_t x48 = (uint8_t)(x45 & UINT8_C(0xff)); - uint8_t x49 = (uint8_t)(x47 >> 8); - uint8_t x50 = (uint8_t)(x47 & UINT8_C(0xff)); - uint64_t x51 = (x49 + x24); - uint64_t x52 = (x51 >> 8); - uint8_t x53 = (uint8_t)(x51 & UINT8_C(0xff)); - uint64_t x54 = (x52 >> 8); - uint8_t x55 = (uint8_t)(x52 & UINT8_C(0xff)); - uint64_t x56 = (x54 >> 8); - uint8_t x57 = (uint8_t)(x54 & UINT8_C(0xff)); - uint64_t x58 = (x56 >> 8); - uint8_t x59 = (uint8_t)(x56 & UINT8_C(0xff)); - uint64_t x60 = (x58 >> 8); - uint8_t x61 = (uint8_t)(x58 & UINT8_C(0xff)); - uint64_t x62 = (x60 >> 8); - uint8_t x63 = (uint8_t)(x60 & UINT8_C(0xff)); - fiat_25519_uint1 x64 = (fiat_25519_uint1)(x62 >> 8); - uint8_t x65 = (uint8_t)(x62 & UINT8_C(0xff)); - uint64_t x66 = (x64 + x23); - uint64_t x67 = (x66 >> 8); - uint8_t x68 = (uint8_t)(x66 & UINT8_C(0xff)); - uint64_t x69 = (x67 >> 8); - uint8_t x70 = (uint8_t)(x67 & UINT8_C(0xff)); - uint64_t x71 = (x69 >> 8); - uint8_t x72 = (uint8_t)(x69 & UINT8_C(0xff)); - uint64_t x73 = (x71 >> 8); - uint8_t x74 = (uint8_t)(x71 & UINT8_C(0xff)); - uint64_t x75 = (x73 >> 8); - uint8_t x76 = (uint8_t)(x73 & UINT8_C(0xff)); - uint8_t x77 = (uint8_t)(x75 >> 8); - uint8_t x78 = (uint8_t)(x75 & UINT8_C(0xff)); - uint64_t x79 = (x77 + x22); - uint64_t x80 = (x79 >> 8); - uint8_t x81 = (uint8_t)(x79 & UINT8_C(0xff)); - uint64_t x82 = (x80 >> 8); - uint8_t x83 = (uint8_t)(x80 & UINT8_C(0xff)); - uint64_t x84 = (x82 >> 8); - uint8_t x85 = (uint8_t)(x82 & UINT8_C(0xff)); - uint64_t x86 = (x84 >> 8); - uint8_t x87 = (uint8_t)(x84 & UINT8_C(0xff)); - uint64_t x88 = (x86 >> 8); - uint8_t x89 = (uint8_t)(x86 & UINT8_C(0xff)); - uint8_t x90 = (uint8_t)(x88 >> 8); - uint8_t x91 = (uint8_t)(x88 & UINT8_C(0xff)); - out1[0] = x27; - out1[1] = x29; - out1[2] = x31; - out1[3] = x33; - out1[4] = x35; - out1[5] = x37; - out1[6] = x40; - out1[7] = x42; - out1[8] = x44; - out1[9] = x46; - out1[10] = x48; - out1[11] = x50; - out1[12] = x53; - out1[13] = x55; - out1[14] = x57; - out1[15] = x59; - out1[16] = x61; - out1[17] = x63; - out1[18] = x65; - out1[19] = x68; - out1[20] = x70; - out1[21] = x72; - out1[22] = x74; - out1[23] = x76; - out1[24] = x78; - out1[25] = x81; - out1[26] = x83; - out1[27] = x85; - out1[28] = x87; - out1[29] = x89; - out1[30] = x91; - out1[31] = x90; + x22 = (x20 << 4); + x23 = (x18 * (uint64_t)0x2); + x24 = (x16 << 6); + x25 = (x14 << 3); + x26 = (uint8_t)(x12 & UINT8_C(0xff)); + x27 = (x12 >> 8); + x28 = (uint8_t)(x27 & UINT8_C(0xff)); + x29 = (x27 >> 8); + x30 = (uint8_t)(x29 & UINT8_C(0xff)); + x31 = (x29 >> 8); + x32 = (uint8_t)(x31 & UINT8_C(0xff)); + x33 = (x31 >> 8); + x34 = (uint8_t)(x33 & UINT8_C(0xff)); + x35 = (x33 >> 8); + x36 = (uint8_t)(x35 & UINT8_C(0xff)); + x37 = (uint8_t)(x35 >> 8); + x38 = (x25 + (uint64_t)x37); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (x44 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (x24 + (uint64_t)x50); + x52 = (uint8_t)(x51 & UINT8_C(0xff)); + x53 = (x51 >> 8); + x54 = (uint8_t)(x53 & UINT8_C(0xff)); + x55 = (x53 >> 8); + x56 = (uint8_t)(x55 & UINT8_C(0xff)); + x57 = (x55 >> 8); + x58 = (uint8_t)(x57 & UINT8_C(0xff)); + x59 = (x57 >> 8); + x60 = (uint8_t)(x59 & UINT8_C(0xff)); + x61 = (x59 >> 8); + x62 = (uint8_t)(x61 & UINT8_C(0xff)); + x63 = (x61 >> 8); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (fiat_25519_uint1)(x63 >> 8); + x66 = (x23 + (uint64_t)x65); + x67 = (uint8_t)(x66 & UINT8_C(0xff)); + x68 = (x66 >> 8); + x69 = (uint8_t)(x68 & UINT8_C(0xff)); + x70 = (x68 >> 8); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (x72 >> 8); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); + x76 = (x74 >> 8); + x77 = (uint8_t)(x76 & UINT8_C(0xff)); + x78 = (uint8_t)(x76 >> 8); + x79 = (x22 + (uint64_t)x78); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); + x81 = (x79 >> 8); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); + x83 = (x81 >> 8); + x84 = (uint8_t)(x83 & UINT8_C(0xff)); + x85 = (x83 >> 8); + x86 = (uint8_t)(x85 & UINT8_C(0xff)); + x87 = (x85 >> 8); + x88 = (uint8_t)(x87 & UINT8_C(0xff)); + x89 = (x87 >> 8); + x90 = (uint8_t)(x89 & UINT8_C(0xff)); + x91 = (uint8_t)(x89 >> 8); + out1[0] = x26; + out1[1] = x28; + out1[2] = x30; + out1[3] = x32; + out1[4] = x34; + out1[5] = x36; + out1[6] = x39; + out1[7] = x41; + out1[8] = x43; + out1[9] = x45; + out1[10] = x47; + out1[11] = x49; + out1[12] = x52; + out1[13] = x54; + out1[14] = x56; + out1[15] = x58; + out1[16] = x60; + out1[17] = x62; + out1[18] = x64; + out1[19] = x67; + out1[20] = x69; + out1[21] = x71; + out1[22] = x73; + out1[23] = x75; + out1[24] = x77; + out1[25] = x80; + out1[26] = x82; + out1[27] = x84; + out1[28] = x86; + out1[29] = x88; + out1[30] = x90; + out1[31] = x91; } /* * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. + * * Postconditions: * eval out1 mod m = bytes_eval arg1 mod m * * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] - * Output Bounds: - * out1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] */ -static void fiat_25519_from_bytes(uint64_t out1[5], const uint8_t arg1[32]) { - uint64_t x1 = ((uint64_t)(arg1[31]) << 44); - uint64_t x2 = ((uint64_t)(arg1[30]) << 36); - uint64_t x3 = ((uint64_t)(arg1[29]) << 28); - uint64_t x4 = ((uint64_t)(arg1[28]) << 20); - uint64_t x5 = ((uint64_t)(arg1[27]) << 12); - uint64_t x6 = ((uint64_t)(arg1[26]) << 4); - uint64_t x7 = ((uint64_t)(arg1[25]) << 47); - uint64_t x8 = ((uint64_t)(arg1[24]) << 39); - uint64_t x9 = ((uint64_t)(arg1[23]) << 31); - uint64_t x10 = ((uint64_t)(arg1[22]) << 23); - uint64_t x11 = ((uint64_t)(arg1[21]) << 15); - uint64_t x12 = ((uint64_t)(arg1[20]) << 7); - uint64_t x13 = ((uint64_t)(arg1[19]) << 50); - uint64_t x14 = ((uint64_t)(arg1[18]) << 42); - uint64_t x15 = ((uint64_t)(arg1[17]) << 34); - uint64_t x16 = ((uint64_t)(arg1[16]) << 26); - uint64_t x17 = ((uint64_t)(arg1[15]) << 18); - uint64_t x18 = ((uint64_t)(arg1[14]) << 10); - uint64_t x19 = ((uint64_t)(arg1[13]) << 2); - uint64_t x20 = ((uint64_t)(arg1[12]) << 45); - uint64_t x21 = ((uint64_t)(arg1[11]) << 37); - uint64_t x22 = ((uint64_t)(arg1[10]) << 29); - uint64_t x23 = ((uint64_t)(arg1[9]) << 21); - uint64_t x24 = ((uint64_t)(arg1[8]) << 13); - uint64_t x25 = ((uint64_t)(arg1[7]) << 5); - uint64_t x26 = ((uint64_t)(arg1[6]) << 48); - uint64_t x27 = ((uint64_t)(arg1[5]) << 40); - uint64_t x28 = ((uint64_t)(arg1[4]) << 32); - uint64_t x29 = ((uint64_t)(arg1[3]) << 24); - uint64_t x30 = ((uint64_t)(arg1[2]) << 16); - uint64_t x31 = ((uint64_t)(arg1[1]) << 8); - uint8_t x32 = (arg1[0]); - uint64_t x33 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + x26)))))); - uint8_t x34 = (uint8_t)(x33 >> 51); - uint64_t x35 = (x33 & UINT64_C(0x7ffffffffffff)); - uint64_t x36 = (x6 + (x5 + (x4 + (x3 + (x2 + x1))))); - uint64_t x37 = (x12 + (x11 + (x10 + (x9 + (x8 + x7))))); - uint64_t x38 = (x19 + (x18 + (x17 + (x16 + (x15 + (x14 + x13)))))); - uint64_t x39 = (x25 + (x24 + (x23 + (x22 + (x21 + x20))))); - uint64_t x40 = (x34 + x39); - uint8_t x41 = (uint8_t)(x40 >> 51); - uint64_t x42 = (x40 & UINT64_C(0x7ffffffffffff)); - uint64_t x43 = (x41 + x38); - uint8_t x44 = (uint8_t)(x43 >> 51); - uint64_t x45 = (x43 & UINT64_C(0x7ffffffffffff)); - uint64_t x46 = (x44 + x37); - uint8_t x47 = (uint8_t)(x46 >> 51); - uint64_t x48 = (x46 & UINT64_C(0x7ffffffffffff)); - uint64_t x49 = (x47 + x36); - out1[0] = x35; - out1[1] = x42; - out1[2] = x45; - out1[3] = x48; - out1[4] = x49; +static FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint8_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint8_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint8_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint8_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; + x1 = ((uint64_t)(arg1[31]) << 44); + x2 = ((uint64_t)(arg1[30]) << 36); + x3 = ((uint64_t)(arg1[29]) << 28); + x4 = ((uint64_t)(arg1[28]) << 20); + x5 = ((uint64_t)(arg1[27]) << 12); + x6 = ((uint64_t)(arg1[26]) << 4); + x7 = ((uint64_t)(arg1[25]) << 47); + x8 = ((uint64_t)(arg1[24]) << 39); + x9 = ((uint64_t)(arg1[23]) << 31); + x10 = ((uint64_t)(arg1[22]) << 23); + x11 = ((uint64_t)(arg1[21]) << 15); + x12 = ((uint64_t)(arg1[20]) << 7); + x13 = ((uint64_t)(arg1[19]) << 50); + x14 = ((uint64_t)(arg1[18]) << 42); + x15 = ((uint64_t)(arg1[17]) << 34); + x16 = ((uint64_t)(arg1[16]) << 26); + x17 = ((uint64_t)(arg1[15]) << 18); + x18 = ((uint64_t)(arg1[14]) << 10); + x19 = ((uint64_t)(arg1[13]) << 2); + x20 = ((uint64_t)(arg1[12]) << 45); + x21 = ((uint64_t)(arg1[11]) << 37); + x22 = ((uint64_t)(arg1[10]) << 29); + x23 = ((uint64_t)(arg1[9]) << 21); + x24 = ((uint64_t)(arg1[8]) << 13); + x25 = ((uint64_t)(arg1[7]) << 5); + x26 = ((uint64_t)(arg1[6]) << 48); + x27 = ((uint64_t)(arg1[5]) << 40); + x28 = ((uint64_t)(arg1[4]) << 32); + x29 = ((uint64_t)(arg1[3]) << 24); + x30 = ((uint64_t)(arg1[2]) << 16); + x31 = ((uint64_t)(arg1[1]) << 8); + x32 = (arg1[0]); + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x38 & UINT64_C(0x7ffffffffffff)); + x40 = (uint8_t)(x38 >> 51); + x41 = (x25 + (uint64_t)x40); + x42 = (x24 + x41); + x43 = (x23 + x42); + x44 = (x22 + x43); + x45 = (x21 + x44); + x46 = (x20 + x45); + x47 = (x46 & UINT64_C(0x7ffffffffffff)); + x48 = (uint8_t)(x46 >> 51); + x49 = (x19 + (uint64_t)x48); + x50 = (x18 + x49); + x51 = (x17 + x50); + x52 = (x16 + x51); + x53 = (x15 + x52); + x54 = (x14 + x53); + x55 = (x13 + x54); + x56 = (x55 & UINT64_C(0x7ffffffffffff)); + x57 = (uint8_t)(x55 >> 51); + x58 = (x12 + (uint64_t)x57); + x59 = (x11 + x58); + x60 = (x10 + x59); + x61 = (x9 + x60); + x62 = (x8 + x61); + x63 = (x7 + x62); + x64 = (x63 & UINT64_C(0x7ffffffffffff)); + x65 = (uint8_t)(x63 >> 51); + x66 = (x6 + (uint64_t)x65); + x67 = (x5 + x66); + x68 = (x4 + x67); + x69 = (x3 + x68); + x70 = (x2 + x69); + x71 = (x1 + x70); + out1[0] = x39; + out1[1] = x47; + out1[2] = x56; + out1[3] = x64; + out1[4] = x71; +} + +/* + * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements. + * + * Postconditions: + * out1 = arg1 + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = (arg1[0]); + x2 = (arg1[1]); + x3 = (arg1[2]); + x4 = (arg1[3]); + x5 = (arg1[4]); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; } /* * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. + * * Postconditions: * eval out1 mod m = (121666 * eval arg1) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * Output Bounds: - * out1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] */ -static void fiat_25519_carry_scmul_121666(uint64_t out1[5], const uint64_t arg1[5]) { - fiat_25519_uint128 x1 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[4])); - fiat_25519_uint128 x2 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[3])); - fiat_25519_uint128 x3 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[2])); - fiat_25519_uint128 x4 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[1])); - fiat_25519_uint128 x5 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[0])); - uint64_t x6 = (uint64_t)(x5 >> 51); - uint64_t x7 = (uint64_t)(x5 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x8 = (x6 + x4); - uint64_t x9 = (uint64_t)(x8 >> 51); - uint64_t x10 = (uint64_t)(x8 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x11 = (x9 + x3); - uint64_t x12 = (uint64_t)(x11 >> 51); - uint64_t x13 = (uint64_t)(x11 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x14 = (x12 + x2); - uint64_t x15 = (uint64_t)(x14 >> 51); - uint64_t x16 = (uint64_t)(x14 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x17 = (x15 + x1); - uint64_t x18 = (uint64_t)(x17 >> 51); - uint64_t x19 = (uint64_t)(x17 & UINT64_C(0x7ffffffffffff)); - uint64_t x20 = (x18 * UINT8_C(0x13)); - uint64_t x21 = (x7 + x20); - fiat_25519_uint1 x22 = (fiat_25519_uint1)(x21 >> 51); - uint64_t x23 = (x21 & UINT64_C(0x7ffffffffffff)); - uint64_t x24 = (x22 + x10); - fiat_25519_uint1 x25 = (fiat_25519_uint1)(x24 >> 51); - uint64_t x26 = (x24 & UINT64_C(0x7ffffffffffff)); - uint64_t x27 = (x25 + x13); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + fiat_25519_uint128 x1; + fiat_25519_uint128 x2; + fiat_25519_uint128 x3; + fiat_25519_uint128 x4; + fiat_25519_uint128 x5; + uint64_t x6; + uint64_t x7; + fiat_25519_uint128 x8; + uint64_t x9; + uint64_t x10; + fiat_25519_uint128 x11; + uint64_t x12; + uint64_t x13; + fiat_25519_uint128 x14; + uint64_t x15; + uint64_t x16; + fiat_25519_uint128 x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + fiat_25519_uint1 x22; + uint64_t x23; + uint64_t x24; + fiat_25519_uint1 x25; + uint64_t x26; + uint64_t x27; + x1 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[4])); + x2 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[3])); + x3 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[2])); + x4 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[1])); + x5 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[0])); + x6 = (uint64_t)(x5 >> 51); + x7 = (uint64_t)(x5 & UINT64_C(0x7ffffffffffff)); + x8 = (x6 + x4); + x9 = (uint64_t)(x8 >> 51); + x10 = (uint64_t)(x8 & UINT64_C(0x7ffffffffffff)); + x11 = (x9 + x3); + x12 = (uint64_t)(x11 >> 51); + x13 = (uint64_t)(x11 & UINT64_C(0x7ffffffffffff)); + x14 = (x12 + x2); + x15 = (uint64_t)(x14 >> 51); + x16 = (uint64_t)(x14 & UINT64_C(0x7ffffffffffff)); + x17 = (x15 + x1); + x18 = (uint64_t)(x17 >> 51); + x19 = (uint64_t)(x17 & UINT64_C(0x7ffffffffffff)); + x20 = (x18 * UINT8_C(0x13)); + x21 = (x7 + x20); + x22 = (fiat_25519_uint1)(x21 >> 51); + x23 = (x21 & UINT64_C(0x7ffffffffffff)); + x24 = (x22 + x10); + x25 = (fiat_25519_uint1)(x24 >> 51); + x26 = (x24 & UINT64_C(0x7ffffffffffff)); + x27 = (x25 + x13); out1[0] = x23; out1[1] = x26; out1[2] = x27; out1[3] = x16; out1[4] = x19; } - diff --git a/src/third_party/fiat/p256_32.h b/src/third_party/fiat/p256_32.h index 504da42d..3812d8ce 100644 --- a/src/third_party/fiat/p256_32.h +++ b/src/third_party/fiat/p256_32.h @@ -1,8 +1,8 @@ -/* Autogenerated: src/ExtractionOCaml/word_by_word_montgomery --static p256 '2^256 - 2^224 + 2^192 + 2^96 - 1' 32 mul square add sub opp from_montgomery nonzero selectznz to_bytes from_bytes */ +/* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier p256 32 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */ /* curve description: p256 */ -/* requested operations: mul, square, add, sub, opp, from_montgomery, nonzero, selectznz, to_bytes, from_bytes */ -/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") */ /* machine_wordsize = 32 (from "32") */ +/* requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp */ +/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") */ /* */ /* NOTE: In addition to the bounds specified above each function, all */ /* functions synthesized for this Montgomery arithmetic require the */ @@ -10,18 +10,47 @@ /* require the input to be in the unique saturated representation. */ /* All functions also ensure that these two properties are true of */ /* return values. */ +/* */ +/* Computed values: */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include <stdint.h> typedef unsigned char fiat_p256_uint1; typedef signed char fiat_p256_int1; +#if defined(__GNUC__) || defined(__clang__) +# define FIAT_P256_FIAT_INLINE __inline__ +#else +# define FIAT_P256_FIAT_INLINE +#endif + +/* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */ +/* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ +typedef uint32_t fiat_p256_montgomery_domain_field_element[8]; + +/* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ +/* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ +typedef uint32_t fiat_p256_non_montgomery_domain_field_element[8]; #if (-1 & 3) != 3 #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_P256_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t fiat_p256_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +# define fiat_p256_value_barrier_u32(x) (x) +#endif + /* * The function fiat_p256_addcarryx_u32 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^32 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ @@ -34,16 +63,20 @@ typedef signed char fiat_p256_int1; * out1: [0x0 ~> 0xffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_p256_addcarryx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { - uint64_t x1 = ((arg1 + (uint64_t)arg2) + arg3); - uint32_t x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); - fiat_p256_uint1 x3 = (fiat_p256_uint1)(x1 >> 32); +static FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { + uint64_t x1; + uint32_t x2; + fiat_p256_uint1 x3; + x1 = ((arg1 + (uint64_t)arg2) + arg3); + x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); + x3 = (fiat_p256_uint1)(x1 >> 32); *out1 = x2; *out2 = x3; } /* * The function fiat_p256_subborrowx_u32 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^32 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ @@ -56,16 +89,20 @@ static void fiat_p256_addcarryx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_ * out1: [0x0 ~> 0xffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_p256_subborrowx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { - int64_t x1 = ((arg2 - (int64_t)arg1) - arg3); - fiat_p256_int1 x2 = (fiat_p256_int1)(x1 >> 32); - uint32_t x3 = (uint32_t)(x1 & UINT32_C(0xffffffff)); +static FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { + int64_t x1; + fiat_p256_int1 x2; + uint32_t x3; + x1 = ((arg2 - (int64_t)arg1) - arg3); + x2 = (fiat_p256_int1)(x1 >> 32); + x3 = (uint32_t)(x1 & UINT32_C(0xffffffff)); *out1 = x3; *out2 = (fiat_p256_uint1)(0x0 - x2); } /* * The function fiat_p256_mulx_u32 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^32 * out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -77,16 +114,20 @@ static void fiat_p256_subborrowx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat * out1: [0x0 ~> 0xffffffff] * out2: [0x0 ~> 0xffffffff] */ -static void fiat_p256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { - uint64_t x1 = ((uint64_t)arg1 * arg2); - uint32_t x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); - uint32_t x3 = (uint32_t)(x1 >> 32); +static FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { + uint64_t x1; + uint32_t x2; + uint32_t x3; + x1 = ((uint64_t)arg1 * arg2); + x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); + x3 = (uint32_t)(x1 >> 32); *out1 = x2; *out2 = x3; } /* * The function fiat_p256_cmovznz_u32 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -97,21 +138,19 @@ static void fiat_p256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, ui * Output Bounds: * out1: [0x0 ~> 0xffffffff] */ -static void fiat_p256_cmovznz_u32(uint32_t* out1, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { - fiat_p256_uint1 x1 = (!(!arg1)); - uint32_t x2 = ((fiat_p256_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - // Note this line has been patched from the synthesized code to add value - // barriers. - // - // Clang recognizes this pattern as a select. While it usually transforms it - // to a cmov, it sometimes further transforms it into a branch, which we do - // not want. - uint32_t x3 = ((value_barrier_u32(x2) & arg3) | (value_barrier_u32(~x2) & arg2)); +static FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u32(uint32_t* out1, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { + fiat_p256_uint1 x1; + uint32_t x2; + uint32_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_p256_int1)(0x0 - x1) & UINT32_C(0xffffffff)); + x3 = ((fiat_p256_value_barrier_u32(x2) & arg3) | (fiat_p256_value_barrier_u32((~x2)) & arg2)); *out1 = x3; } /* * The function fiat_p256_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -119,995 +158,1021 @@ static void fiat_p256_cmovznz_u32(uint32_t* out1, fiat_p256_uint1 arg1, uint32_t * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_mul(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { - uint32_t x1 = (arg1[1]); - uint32_t x2 = (arg1[2]); - uint32_t x3 = (arg1[3]); - uint32_t x4 = (arg1[4]); - uint32_t x5 = (arg1[5]); - uint32_t x6 = (arg1[6]); - uint32_t x7 = (arg1[7]); - uint32_t x8 = (arg1[0]); +static FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; uint32_t x9; uint32_t x10; - fiat_p256_mulx_u32(&x9, &x10, x8, (arg2[7])); uint32_t x11; uint32_t x12; - fiat_p256_mulx_u32(&x11, &x12, x8, (arg2[6])); uint32_t x13; uint32_t x14; - fiat_p256_mulx_u32(&x13, &x14, x8, (arg2[5])); uint32_t x15; uint32_t x16; - fiat_p256_mulx_u32(&x15, &x16, x8, (arg2[4])); uint32_t x17; uint32_t x18; - fiat_p256_mulx_u32(&x17, &x18, x8, (arg2[3])); uint32_t x19; uint32_t x20; - fiat_p256_mulx_u32(&x19, &x20, x8, (arg2[2])); uint32_t x21; uint32_t x22; - fiat_p256_mulx_u32(&x21, &x22, x8, (arg2[1])); uint32_t x23; uint32_t x24; - fiat_p256_mulx_u32(&x23, &x24, x8, (arg2[0])); uint32_t x25; fiat_p256_uint1 x26; - fiat_p256_addcarryx_u32(&x25, &x26, 0x0, x24, x21); uint32_t x27; fiat_p256_uint1 x28; - fiat_p256_addcarryx_u32(&x27, &x28, x26, x22, x19); uint32_t x29; fiat_p256_uint1 x30; - fiat_p256_addcarryx_u32(&x29, &x30, x28, x20, x17); uint32_t x31; fiat_p256_uint1 x32; - fiat_p256_addcarryx_u32(&x31, &x32, x30, x18, x15); uint32_t x33; fiat_p256_uint1 x34; - fiat_p256_addcarryx_u32(&x33, &x34, x32, x16, x13); uint32_t x35; fiat_p256_uint1 x36; - fiat_p256_addcarryx_u32(&x35, &x36, x34, x14, x11); uint32_t x37; fiat_p256_uint1 x38; - fiat_p256_addcarryx_u32(&x37, &x38, x36, x12, x9); - uint32_t x39 = (x38 + x10); + uint32_t x39; uint32_t x40; uint32_t x41; - fiat_p256_mulx_u32(&x40, &x41, x23, UINT32_C(0xffffffff)); uint32_t x42; uint32_t x43; - fiat_p256_mulx_u32(&x42, &x43, x23, UINT32_C(0xffffffff)); uint32_t x44; uint32_t x45; - fiat_p256_mulx_u32(&x44, &x45, x23, UINT32_C(0xffffffff)); uint32_t x46; uint32_t x47; - fiat_p256_mulx_u32(&x46, &x47, x23, UINT32_C(0xffffffff)); uint32_t x48; fiat_p256_uint1 x49; - fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x47, x44); uint32_t x50; fiat_p256_uint1 x51; - fiat_p256_addcarryx_u32(&x50, &x51, x49, x45, x42); - uint32_t x52 = (x51 + x43); + uint32_t x52; uint32_t x53; fiat_p256_uint1 x54; - fiat_p256_addcarryx_u32(&x53, &x54, 0x0, x23, x46); uint32_t x55; fiat_p256_uint1 x56; - fiat_p256_addcarryx_u32(&x55, &x56, x54, x25, x48); uint32_t x57; fiat_p256_uint1 x58; - fiat_p256_addcarryx_u32(&x57, &x58, x56, x27, x50); uint32_t x59; fiat_p256_uint1 x60; - fiat_p256_addcarryx_u32(&x59, &x60, x58, x29, x52); uint32_t x61; fiat_p256_uint1 x62; - fiat_p256_addcarryx_u32(&x61, &x62, x60, x31, 0x0); uint32_t x63; fiat_p256_uint1 x64; - fiat_p256_addcarryx_u32(&x63, &x64, x62, x33, 0x0); uint32_t x65; fiat_p256_uint1 x66; - fiat_p256_addcarryx_u32(&x65, &x66, x64, x35, x23); uint32_t x67; fiat_p256_uint1 x68; - fiat_p256_addcarryx_u32(&x67, &x68, x66, x37, x40); uint32_t x69; fiat_p256_uint1 x70; - fiat_p256_addcarryx_u32(&x69, &x70, x68, x39, x41); uint32_t x71; uint32_t x72; - fiat_p256_mulx_u32(&x71, &x72, x1, (arg2[7])); uint32_t x73; uint32_t x74; - fiat_p256_mulx_u32(&x73, &x74, x1, (arg2[6])); uint32_t x75; uint32_t x76; - fiat_p256_mulx_u32(&x75, &x76, x1, (arg2[5])); uint32_t x77; uint32_t x78; - fiat_p256_mulx_u32(&x77, &x78, x1, (arg2[4])); uint32_t x79; uint32_t x80; - fiat_p256_mulx_u32(&x79, &x80, x1, (arg2[3])); uint32_t x81; uint32_t x82; - fiat_p256_mulx_u32(&x81, &x82, x1, (arg2[2])); uint32_t x83; uint32_t x84; - fiat_p256_mulx_u32(&x83, &x84, x1, (arg2[1])); uint32_t x85; uint32_t x86; - fiat_p256_mulx_u32(&x85, &x86, x1, (arg2[0])); uint32_t x87; fiat_p256_uint1 x88; - fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x86, x83); uint32_t x89; fiat_p256_uint1 x90; - fiat_p256_addcarryx_u32(&x89, &x90, x88, x84, x81); uint32_t x91; fiat_p256_uint1 x92; - fiat_p256_addcarryx_u32(&x91, &x92, x90, x82, x79); uint32_t x93; fiat_p256_uint1 x94; - fiat_p256_addcarryx_u32(&x93, &x94, x92, x80, x77); uint32_t x95; fiat_p256_uint1 x96; - fiat_p256_addcarryx_u32(&x95, &x96, x94, x78, x75); uint32_t x97; fiat_p256_uint1 x98; - fiat_p256_addcarryx_u32(&x97, &x98, x96, x76, x73); uint32_t x99; fiat_p256_uint1 x100; - fiat_p256_addcarryx_u32(&x99, &x100, x98, x74, x71); - uint32_t x101 = (x100 + x72); + uint32_t x101; uint32_t x102; fiat_p256_uint1 x103; - fiat_p256_addcarryx_u32(&x102, &x103, 0x0, x55, x85); uint32_t x104; fiat_p256_uint1 x105; - fiat_p256_addcarryx_u32(&x104, &x105, x103, x57, x87); uint32_t x106; fiat_p256_uint1 x107; - fiat_p256_addcarryx_u32(&x106, &x107, x105, x59, x89); uint32_t x108; fiat_p256_uint1 x109; - fiat_p256_addcarryx_u32(&x108, &x109, x107, x61, x91); uint32_t x110; fiat_p256_uint1 x111; - fiat_p256_addcarryx_u32(&x110, &x111, x109, x63, x93); uint32_t x112; fiat_p256_uint1 x113; - fiat_p256_addcarryx_u32(&x112, &x113, x111, x65, x95); uint32_t x114; fiat_p256_uint1 x115; - fiat_p256_addcarryx_u32(&x114, &x115, x113, x67, x97); uint32_t x116; fiat_p256_uint1 x117; - fiat_p256_addcarryx_u32(&x116, &x117, x115, x69, x99); uint32_t x118; fiat_p256_uint1 x119; - fiat_p256_addcarryx_u32(&x118, &x119, x117, x70, x101); uint32_t x120; uint32_t x121; - fiat_p256_mulx_u32(&x120, &x121, x102, UINT32_C(0xffffffff)); uint32_t x122; uint32_t x123; - fiat_p256_mulx_u32(&x122, &x123, x102, UINT32_C(0xffffffff)); uint32_t x124; uint32_t x125; - fiat_p256_mulx_u32(&x124, &x125, x102, UINT32_C(0xffffffff)); uint32_t x126; uint32_t x127; - fiat_p256_mulx_u32(&x126, &x127, x102, UINT32_C(0xffffffff)); uint32_t x128; fiat_p256_uint1 x129; - fiat_p256_addcarryx_u32(&x128, &x129, 0x0, x127, x124); uint32_t x130; fiat_p256_uint1 x131; - fiat_p256_addcarryx_u32(&x130, &x131, x129, x125, x122); - uint32_t x132 = (x131 + x123); + uint32_t x132; uint32_t x133; fiat_p256_uint1 x134; - fiat_p256_addcarryx_u32(&x133, &x134, 0x0, x102, x126); uint32_t x135; fiat_p256_uint1 x136; - fiat_p256_addcarryx_u32(&x135, &x136, x134, x104, x128); uint32_t x137; fiat_p256_uint1 x138; - fiat_p256_addcarryx_u32(&x137, &x138, x136, x106, x130); uint32_t x139; fiat_p256_uint1 x140; - fiat_p256_addcarryx_u32(&x139, &x140, x138, x108, x132); uint32_t x141; fiat_p256_uint1 x142; - fiat_p256_addcarryx_u32(&x141, &x142, x140, x110, 0x0); uint32_t x143; fiat_p256_uint1 x144; - fiat_p256_addcarryx_u32(&x143, &x144, x142, x112, 0x0); uint32_t x145; fiat_p256_uint1 x146; - fiat_p256_addcarryx_u32(&x145, &x146, x144, x114, x102); uint32_t x147; fiat_p256_uint1 x148; - fiat_p256_addcarryx_u32(&x147, &x148, x146, x116, x120); uint32_t x149; fiat_p256_uint1 x150; - fiat_p256_addcarryx_u32(&x149, &x150, x148, x118, x121); - uint32_t x151 = ((uint32_t)x150 + x119); + uint32_t x151; uint32_t x152; uint32_t x153; - fiat_p256_mulx_u32(&x152, &x153, x2, (arg2[7])); uint32_t x154; uint32_t x155; - fiat_p256_mulx_u32(&x154, &x155, x2, (arg2[6])); uint32_t x156; uint32_t x157; - fiat_p256_mulx_u32(&x156, &x157, x2, (arg2[5])); uint32_t x158; uint32_t x159; - fiat_p256_mulx_u32(&x158, &x159, x2, (arg2[4])); uint32_t x160; uint32_t x161; - fiat_p256_mulx_u32(&x160, &x161, x2, (arg2[3])); uint32_t x162; uint32_t x163; - fiat_p256_mulx_u32(&x162, &x163, x2, (arg2[2])); uint32_t x164; uint32_t x165; - fiat_p256_mulx_u32(&x164, &x165, x2, (arg2[1])); uint32_t x166; uint32_t x167; - fiat_p256_mulx_u32(&x166, &x167, x2, (arg2[0])); uint32_t x168; fiat_p256_uint1 x169; - fiat_p256_addcarryx_u32(&x168, &x169, 0x0, x167, x164); uint32_t x170; fiat_p256_uint1 x171; - fiat_p256_addcarryx_u32(&x170, &x171, x169, x165, x162); uint32_t x172; fiat_p256_uint1 x173; - fiat_p256_addcarryx_u32(&x172, &x173, x171, x163, x160); uint32_t x174; fiat_p256_uint1 x175; - fiat_p256_addcarryx_u32(&x174, &x175, x173, x161, x158); uint32_t x176; fiat_p256_uint1 x177; - fiat_p256_addcarryx_u32(&x176, &x177, x175, x159, x156); uint32_t x178; fiat_p256_uint1 x179; - fiat_p256_addcarryx_u32(&x178, &x179, x177, x157, x154); uint32_t x180; fiat_p256_uint1 x181; - fiat_p256_addcarryx_u32(&x180, &x181, x179, x155, x152); - uint32_t x182 = (x181 + x153); + uint32_t x182; uint32_t x183; fiat_p256_uint1 x184; - fiat_p256_addcarryx_u32(&x183, &x184, 0x0, x135, x166); uint32_t x185; fiat_p256_uint1 x186; - fiat_p256_addcarryx_u32(&x185, &x186, x184, x137, x168); uint32_t x187; fiat_p256_uint1 x188; - fiat_p256_addcarryx_u32(&x187, &x188, x186, x139, x170); uint32_t x189; fiat_p256_uint1 x190; - fiat_p256_addcarryx_u32(&x189, &x190, x188, x141, x172); uint32_t x191; fiat_p256_uint1 x192; - fiat_p256_addcarryx_u32(&x191, &x192, x190, x143, x174); uint32_t x193; fiat_p256_uint1 x194; - fiat_p256_addcarryx_u32(&x193, &x194, x192, x145, x176); uint32_t x195; fiat_p256_uint1 x196; - fiat_p256_addcarryx_u32(&x195, &x196, x194, x147, x178); uint32_t x197; fiat_p256_uint1 x198; - fiat_p256_addcarryx_u32(&x197, &x198, x196, x149, x180); uint32_t x199; fiat_p256_uint1 x200; - fiat_p256_addcarryx_u32(&x199, &x200, x198, x151, x182); uint32_t x201; uint32_t x202; - fiat_p256_mulx_u32(&x201, &x202, x183, UINT32_C(0xffffffff)); uint32_t x203; uint32_t x204; - fiat_p256_mulx_u32(&x203, &x204, x183, UINT32_C(0xffffffff)); uint32_t x205; uint32_t x206; - fiat_p256_mulx_u32(&x205, &x206, x183, UINT32_C(0xffffffff)); uint32_t x207; uint32_t x208; - fiat_p256_mulx_u32(&x207, &x208, x183, UINT32_C(0xffffffff)); uint32_t x209; fiat_p256_uint1 x210; - fiat_p256_addcarryx_u32(&x209, &x210, 0x0, x208, x205); uint32_t x211; fiat_p256_uint1 x212; - fiat_p256_addcarryx_u32(&x211, &x212, x210, x206, x203); - uint32_t x213 = (x212 + x204); + uint32_t x213; uint32_t x214; fiat_p256_uint1 x215; - fiat_p256_addcarryx_u32(&x214, &x215, 0x0, x183, x207); uint32_t x216; fiat_p256_uint1 x217; - fiat_p256_addcarryx_u32(&x216, &x217, x215, x185, x209); uint32_t x218; fiat_p256_uint1 x219; - fiat_p256_addcarryx_u32(&x218, &x219, x217, x187, x211); uint32_t x220; fiat_p256_uint1 x221; - fiat_p256_addcarryx_u32(&x220, &x221, x219, x189, x213); uint32_t x222; fiat_p256_uint1 x223; - fiat_p256_addcarryx_u32(&x222, &x223, x221, x191, 0x0); uint32_t x224; fiat_p256_uint1 x225; - fiat_p256_addcarryx_u32(&x224, &x225, x223, x193, 0x0); uint32_t x226; fiat_p256_uint1 x227; - fiat_p256_addcarryx_u32(&x226, &x227, x225, x195, x183); uint32_t x228; fiat_p256_uint1 x229; - fiat_p256_addcarryx_u32(&x228, &x229, x227, x197, x201); uint32_t x230; fiat_p256_uint1 x231; - fiat_p256_addcarryx_u32(&x230, &x231, x229, x199, x202); - uint32_t x232 = ((uint32_t)x231 + x200); + uint32_t x232; uint32_t x233; uint32_t x234; - fiat_p256_mulx_u32(&x233, &x234, x3, (arg2[7])); uint32_t x235; uint32_t x236; - fiat_p256_mulx_u32(&x235, &x236, x3, (arg2[6])); uint32_t x237; uint32_t x238; - fiat_p256_mulx_u32(&x237, &x238, x3, (arg2[5])); uint32_t x239; uint32_t x240; - fiat_p256_mulx_u32(&x239, &x240, x3, (arg2[4])); uint32_t x241; uint32_t x242; - fiat_p256_mulx_u32(&x241, &x242, x3, (arg2[3])); uint32_t x243; uint32_t x244; - fiat_p256_mulx_u32(&x243, &x244, x3, (arg2[2])); uint32_t x245; uint32_t x246; - fiat_p256_mulx_u32(&x245, &x246, x3, (arg2[1])); uint32_t x247; uint32_t x248; - fiat_p256_mulx_u32(&x247, &x248, x3, (arg2[0])); uint32_t x249; fiat_p256_uint1 x250; - fiat_p256_addcarryx_u32(&x249, &x250, 0x0, x248, x245); uint32_t x251; fiat_p256_uint1 x252; - fiat_p256_addcarryx_u32(&x251, &x252, x250, x246, x243); uint32_t x253; fiat_p256_uint1 x254; - fiat_p256_addcarryx_u32(&x253, &x254, x252, x244, x241); uint32_t x255; fiat_p256_uint1 x256; - fiat_p256_addcarryx_u32(&x255, &x256, x254, x242, x239); uint32_t x257; fiat_p256_uint1 x258; - fiat_p256_addcarryx_u32(&x257, &x258, x256, x240, x237); uint32_t x259; fiat_p256_uint1 x260; - fiat_p256_addcarryx_u32(&x259, &x260, x258, x238, x235); uint32_t x261; fiat_p256_uint1 x262; - fiat_p256_addcarryx_u32(&x261, &x262, x260, x236, x233); - uint32_t x263 = (x262 + x234); + uint32_t x263; uint32_t x264; fiat_p256_uint1 x265; - fiat_p256_addcarryx_u32(&x264, &x265, 0x0, x216, x247); uint32_t x266; fiat_p256_uint1 x267; - fiat_p256_addcarryx_u32(&x266, &x267, x265, x218, x249); uint32_t x268; fiat_p256_uint1 x269; - fiat_p256_addcarryx_u32(&x268, &x269, x267, x220, x251); uint32_t x270; fiat_p256_uint1 x271; - fiat_p256_addcarryx_u32(&x270, &x271, x269, x222, x253); uint32_t x272; fiat_p256_uint1 x273; - fiat_p256_addcarryx_u32(&x272, &x273, x271, x224, x255); uint32_t x274; fiat_p256_uint1 x275; - fiat_p256_addcarryx_u32(&x274, &x275, x273, x226, x257); uint32_t x276; fiat_p256_uint1 x277; - fiat_p256_addcarryx_u32(&x276, &x277, x275, x228, x259); uint32_t x278; fiat_p256_uint1 x279; - fiat_p256_addcarryx_u32(&x278, &x279, x277, x230, x261); uint32_t x280; fiat_p256_uint1 x281; - fiat_p256_addcarryx_u32(&x280, &x281, x279, x232, x263); uint32_t x282; uint32_t x283; - fiat_p256_mulx_u32(&x282, &x283, x264, UINT32_C(0xffffffff)); uint32_t x284; uint32_t x285; - fiat_p256_mulx_u32(&x284, &x285, x264, UINT32_C(0xffffffff)); uint32_t x286; uint32_t x287; - fiat_p256_mulx_u32(&x286, &x287, x264, UINT32_C(0xffffffff)); uint32_t x288; uint32_t x289; - fiat_p256_mulx_u32(&x288, &x289, x264, UINT32_C(0xffffffff)); uint32_t x290; fiat_p256_uint1 x291; - fiat_p256_addcarryx_u32(&x290, &x291, 0x0, x289, x286); uint32_t x292; fiat_p256_uint1 x293; - fiat_p256_addcarryx_u32(&x292, &x293, x291, x287, x284); - uint32_t x294 = (x293 + x285); + uint32_t x294; uint32_t x295; fiat_p256_uint1 x296; - fiat_p256_addcarryx_u32(&x295, &x296, 0x0, x264, x288); uint32_t x297; fiat_p256_uint1 x298; - fiat_p256_addcarryx_u32(&x297, &x298, x296, x266, x290); uint32_t x299; fiat_p256_uint1 x300; - fiat_p256_addcarryx_u32(&x299, &x300, x298, x268, x292); uint32_t x301; fiat_p256_uint1 x302; - fiat_p256_addcarryx_u32(&x301, &x302, x300, x270, x294); uint32_t x303; fiat_p256_uint1 x304; - fiat_p256_addcarryx_u32(&x303, &x304, x302, x272, 0x0); uint32_t x305; fiat_p256_uint1 x306; - fiat_p256_addcarryx_u32(&x305, &x306, x304, x274, 0x0); uint32_t x307; fiat_p256_uint1 x308; - fiat_p256_addcarryx_u32(&x307, &x308, x306, x276, x264); uint32_t x309; fiat_p256_uint1 x310; - fiat_p256_addcarryx_u32(&x309, &x310, x308, x278, x282); uint32_t x311; fiat_p256_uint1 x312; - fiat_p256_addcarryx_u32(&x311, &x312, x310, x280, x283); - uint32_t x313 = ((uint32_t)x312 + x281); + uint32_t x313; uint32_t x314; uint32_t x315; - fiat_p256_mulx_u32(&x314, &x315, x4, (arg2[7])); uint32_t x316; uint32_t x317; - fiat_p256_mulx_u32(&x316, &x317, x4, (arg2[6])); uint32_t x318; uint32_t x319; - fiat_p256_mulx_u32(&x318, &x319, x4, (arg2[5])); uint32_t x320; uint32_t x321; - fiat_p256_mulx_u32(&x320, &x321, x4, (arg2[4])); uint32_t x322; uint32_t x323; - fiat_p256_mulx_u32(&x322, &x323, x4, (arg2[3])); uint32_t x324; uint32_t x325; - fiat_p256_mulx_u32(&x324, &x325, x4, (arg2[2])); uint32_t x326; uint32_t x327; - fiat_p256_mulx_u32(&x326, &x327, x4, (arg2[1])); uint32_t x328; uint32_t x329; - fiat_p256_mulx_u32(&x328, &x329, x4, (arg2[0])); uint32_t x330; fiat_p256_uint1 x331; - fiat_p256_addcarryx_u32(&x330, &x331, 0x0, x329, x326); uint32_t x332; fiat_p256_uint1 x333; - fiat_p256_addcarryx_u32(&x332, &x333, x331, x327, x324); uint32_t x334; fiat_p256_uint1 x335; - fiat_p256_addcarryx_u32(&x334, &x335, x333, x325, x322); uint32_t x336; fiat_p256_uint1 x337; - fiat_p256_addcarryx_u32(&x336, &x337, x335, x323, x320); uint32_t x338; fiat_p256_uint1 x339; - fiat_p256_addcarryx_u32(&x338, &x339, x337, x321, x318); uint32_t x340; fiat_p256_uint1 x341; - fiat_p256_addcarryx_u32(&x340, &x341, x339, x319, x316); uint32_t x342; fiat_p256_uint1 x343; - fiat_p256_addcarryx_u32(&x342, &x343, x341, x317, x314); - uint32_t x344 = (x343 + x315); + uint32_t x344; uint32_t x345; fiat_p256_uint1 x346; - fiat_p256_addcarryx_u32(&x345, &x346, 0x0, x297, x328); uint32_t x347; fiat_p256_uint1 x348; - fiat_p256_addcarryx_u32(&x347, &x348, x346, x299, x330); uint32_t x349; fiat_p256_uint1 x350; - fiat_p256_addcarryx_u32(&x349, &x350, x348, x301, x332); uint32_t x351; fiat_p256_uint1 x352; - fiat_p256_addcarryx_u32(&x351, &x352, x350, x303, x334); uint32_t x353; fiat_p256_uint1 x354; - fiat_p256_addcarryx_u32(&x353, &x354, x352, x305, x336); uint32_t x355; fiat_p256_uint1 x356; - fiat_p256_addcarryx_u32(&x355, &x356, x354, x307, x338); uint32_t x357; fiat_p256_uint1 x358; - fiat_p256_addcarryx_u32(&x357, &x358, x356, x309, x340); uint32_t x359; fiat_p256_uint1 x360; - fiat_p256_addcarryx_u32(&x359, &x360, x358, x311, x342); uint32_t x361; fiat_p256_uint1 x362; - fiat_p256_addcarryx_u32(&x361, &x362, x360, x313, x344); uint32_t x363; uint32_t x364; - fiat_p256_mulx_u32(&x363, &x364, x345, UINT32_C(0xffffffff)); uint32_t x365; uint32_t x366; - fiat_p256_mulx_u32(&x365, &x366, x345, UINT32_C(0xffffffff)); uint32_t x367; uint32_t x368; - fiat_p256_mulx_u32(&x367, &x368, x345, UINT32_C(0xffffffff)); uint32_t x369; uint32_t x370; - fiat_p256_mulx_u32(&x369, &x370, x345, UINT32_C(0xffffffff)); uint32_t x371; fiat_p256_uint1 x372; - fiat_p256_addcarryx_u32(&x371, &x372, 0x0, x370, x367); uint32_t x373; fiat_p256_uint1 x374; - fiat_p256_addcarryx_u32(&x373, &x374, x372, x368, x365); - uint32_t x375 = (x374 + x366); + uint32_t x375; uint32_t x376; fiat_p256_uint1 x377; - fiat_p256_addcarryx_u32(&x376, &x377, 0x0, x345, x369); uint32_t x378; fiat_p256_uint1 x379; - fiat_p256_addcarryx_u32(&x378, &x379, x377, x347, x371); uint32_t x380; fiat_p256_uint1 x381; - fiat_p256_addcarryx_u32(&x380, &x381, x379, x349, x373); uint32_t x382; fiat_p256_uint1 x383; - fiat_p256_addcarryx_u32(&x382, &x383, x381, x351, x375); uint32_t x384; fiat_p256_uint1 x385; - fiat_p256_addcarryx_u32(&x384, &x385, x383, x353, 0x0); uint32_t x386; fiat_p256_uint1 x387; - fiat_p256_addcarryx_u32(&x386, &x387, x385, x355, 0x0); uint32_t x388; fiat_p256_uint1 x389; - fiat_p256_addcarryx_u32(&x388, &x389, x387, x357, x345); uint32_t x390; fiat_p256_uint1 x391; - fiat_p256_addcarryx_u32(&x390, &x391, x389, x359, x363); uint32_t x392; fiat_p256_uint1 x393; - fiat_p256_addcarryx_u32(&x392, &x393, x391, x361, x364); - uint32_t x394 = ((uint32_t)x393 + x362); + uint32_t x394; uint32_t x395; uint32_t x396; - fiat_p256_mulx_u32(&x395, &x396, x5, (arg2[7])); uint32_t x397; uint32_t x398; - fiat_p256_mulx_u32(&x397, &x398, x5, (arg2[6])); uint32_t x399; uint32_t x400; - fiat_p256_mulx_u32(&x399, &x400, x5, (arg2[5])); uint32_t x401; uint32_t x402; - fiat_p256_mulx_u32(&x401, &x402, x5, (arg2[4])); uint32_t x403; uint32_t x404; - fiat_p256_mulx_u32(&x403, &x404, x5, (arg2[3])); uint32_t x405; uint32_t x406; - fiat_p256_mulx_u32(&x405, &x406, x5, (arg2[2])); uint32_t x407; uint32_t x408; - fiat_p256_mulx_u32(&x407, &x408, x5, (arg2[1])); uint32_t x409; uint32_t x410; - fiat_p256_mulx_u32(&x409, &x410, x5, (arg2[0])); uint32_t x411; fiat_p256_uint1 x412; - fiat_p256_addcarryx_u32(&x411, &x412, 0x0, x410, x407); uint32_t x413; fiat_p256_uint1 x414; - fiat_p256_addcarryx_u32(&x413, &x414, x412, x408, x405); uint32_t x415; fiat_p256_uint1 x416; - fiat_p256_addcarryx_u32(&x415, &x416, x414, x406, x403); uint32_t x417; fiat_p256_uint1 x418; - fiat_p256_addcarryx_u32(&x417, &x418, x416, x404, x401); uint32_t x419; fiat_p256_uint1 x420; - fiat_p256_addcarryx_u32(&x419, &x420, x418, x402, x399); uint32_t x421; fiat_p256_uint1 x422; - fiat_p256_addcarryx_u32(&x421, &x422, x420, x400, x397); uint32_t x423; fiat_p256_uint1 x424; - fiat_p256_addcarryx_u32(&x423, &x424, x422, x398, x395); - uint32_t x425 = (x424 + x396); + uint32_t x425; uint32_t x426; fiat_p256_uint1 x427; - fiat_p256_addcarryx_u32(&x426, &x427, 0x0, x378, x409); uint32_t x428; fiat_p256_uint1 x429; - fiat_p256_addcarryx_u32(&x428, &x429, x427, x380, x411); uint32_t x430; fiat_p256_uint1 x431; - fiat_p256_addcarryx_u32(&x430, &x431, x429, x382, x413); uint32_t x432; fiat_p256_uint1 x433; - fiat_p256_addcarryx_u32(&x432, &x433, x431, x384, x415); uint32_t x434; fiat_p256_uint1 x435; - fiat_p256_addcarryx_u32(&x434, &x435, x433, x386, x417); uint32_t x436; fiat_p256_uint1 x437; - fiat_p256_addcarryx_u32(&x436, &x437, x435, x388, x419); uint32_t x438; fiat_p256_uint1 x439; - fiat_p256_addcarryx_u32(&x438, &x439, x437, x390, x421); uint32_t x440; fiat_p256_uint1 x441; - fiat_p256_addcarryx_u32(&x440, &x441, x439, x392, x423); uint32_t x442; fiat_p256_uint1 x443; - fiat_p256_addcarryx_u32(&x442, &x443, x441, x394, x425); uint32_t x444; uint32_t x445; - fiat_p256_mulx_u32(&x444, &x445, x426, UINT32_C(0xffffffff)); uint32_t x446; uint32_t x447; - fiat_p256_mulx_u32(&x446, &x447, x426, UINT32_C(0xffffffff)); uint32_t x448; uint32_t x449; - fiat_p256_mulx_u32(&x448, &x449, x426, UINT32_C(0xffffffff)); uint32_t x450; uint32_t x451; - fiat_p256_mulx_u32(&x450, &x451, x426, UINT32_C(0xffffffff)); uint32_t x452; fiat_p256_uint1 x453; - fiat_p256_addcarryx_u32(&x452, &x453, 0x0, x451, x448); uint32_t x454; fiat_p256_uint1 x455; - fiat_p256_addcarryx_u32(&x454, &x455, x453, x449, x446); - uint32_t x456 = (x455 + x447); + uint32_t x456; uint32_t x457; fiat_p256_uint1 x458; - fiat_p256_addcarryx_u32(&x457, &x458, 0x0, x426, x450); uint32_t x459; fiat_p256_uint1 x460; - fiat_p256_addcarryx_u32(&x459, &x460, x458, x428, x452); uint32_t x461; fiat_p256_uint1 x462; - fiat_p256_addcarryx_u32(&x461, &x462, x460, x430, x454); uint32_t x463; fiat_p256_uint1 x464; - fiat_p256_addcarryx_u32(&x463, &x464, x462, x432, x456); uint32_t x465; fiat_p256_uint1 x466; - fiat_p256_addcarryx_u32(&x465, &x466, x464, x434, 0x0); uint32_t x467; fiat_p256_uint1 x468; - fiat_p256_addcarryx_u32(&x467, &x468, x466, x436, 0x0); uint32_t x469; fiat_p256_uint1 x470; - fiat_p256_addcarryx_u32(&x469, &x470, x468, x438, x426); uint32_t x471; fiat_p256_uint1 x472; - fiat_p256_addcarryx_u32(&x471, &x472, x470, x440, x444); uint32_t x473; fiat_p256_uint1 x474; - fiat_p256_addcarryx_u32(&x473, &x474, x472, x442, x445); - uint32_t x475 = ((uint32_t)x474 + x443); + uint32_t x475; uint32_t x476; uint32_t x477; - fiat_p256_mulx_u32(&x476, &x477, x6, (arg2[7])); uint32_t x478; uint32_t x479; - fiat_p256_mulx_u32(&x478, &x479, x6, (arg2[6])); uint32_t x480; uint32_t x481; - fiat_p256_mulx_u32(&x480, &x481, x6, (arg2[5])); uint32_t x482; uint32_t x483; - fiat_p256_mulx_u32(&x482, &x483, x6, (arg2[4])); uint32_t x484; uint32_t x485; - fiat_p256_mulx_u32(&x484, &x485, x6, (arg2[3])); uint32_t x486; uint32_t x487; - fiat_p256_mulx_u32(&x486, &x487, x6, (arg2[2])); uint32_t x488; uint32_t x489; - fiat_p256_mulx_u32(&x488, &x489, x6, (arg2[1])); uint32_t x490; uint32_t x491; - fiat_p256_mulx_u32(&x490, &x491, x6, (arg2[0])); uint32_t x492; fiat_p256_uint1 x493; - fiat_p256_addcarryx_u32(&x492, &x493, 0x0, x491, x488); uint32_t x494; fiat_p256_uint1 x495; - fiat_p256_addcarryx_u32(&x494, &x495, x493, x489, x486); uint32_t x496; fiat_p256_uint1 x497; - fiat_p256_addcarryx_u32(&x496, &x497, x495, x487, x484); uint32_t x498; fiat_p256_uint1 x499; - fiat_p256_addcarryx_u32(&x498, &x499, x497, x485, x482); uint32_t x500; fiat_p256_uint1 x501; - fiat_p256_addcarryx_u32(&x500, &x501, x499, x483, x480); uint32_t x502; fiat_p256_uint1 x503; - fiat_p256_addcarryx_u32(&x502, &x503, x501, x481, x478); uint32_t x504; fiat_p256_uint1 x505; - fiat_p256_addcarryx_u32(&x504, &x505, x503, x479, x476); - uint32_t x506 = (x505 + x477); + uint32_t x506; uint32_t x507; fiat_p256_uint1 x508; - fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x459, x490); uint32_t x509; fiat_p256_uint1 x510; - fiat_p256_addcarryx_u32(&x509, &x510, x508, x461, x492); uint32_t x511; fiat_p256_uint1 x512; - fiat_p256_addcarryx_u32(&x511, &x512, x510, x463, x494); uint32_t x513; fiat_p256_uint1 x514; - fiat_p256_addcarryx_u32(&x513, &x514, x512, x465, x496); uint32_t x515; fiat_p256_uint1 x516; - fiat_p256_addcarryx_u32(&x515, &x516, x514, x467, x498); uint32_t x517; fiat_p256_uint1 x518; - fiat_p256_addcarryx_u32(&x517, &x518, x516, x469, x500); uint32_t x519; fiat_p256_uint1 x520; - fiat_p256_addcarryx_u32(&x519, &x520, x518, x471, x502); uint32_t x521; fiat_p256_uint1 x522; - fiat_p256_addcarryx_u32(&x521, &x522, x520, x473, x504); uint32_t x523; fiat_p256_uint1 x524; - fiat_p256_addcarryx_u32(&x523, &x524, x522, x475, x506); uint32_t x525; uint32_t x526; - fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff)); uint32_t x527; uint32_t x528; - fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff)); uint32_t x529; uint32_t x530; - fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff)); uint32_t x531; uint32_t x532; - fiat_p256_mulx_u32(&x531, &x532, x507, UINT32_C(0xffffffff)); uint32_t x533; fiat_p256_uint1 x534; - fiat_p256_addcarryx_u32(&x533, &x534, 0x0, x532, x529); uint32_t x535; fiat_p256_uint1 x536; - fiat_p256_addcarryx_u32(&x535, &x536, x534, x530, x527); - uint32_t x537 = (x536 + x528); + uint32_t x537; uint32_t x538; fiat_p256_uint1 x539; - fiat_p256_addcarryx_u32(&x538, &x539, 0x0, x507, x531); uint32_t x540; fiat_p256_uint1 x541; - fiat_p256_addcarryx_u32(&x540, &x541, x539, x509, x533); uint32_t x542; fiat_p256_uint1 x543; - fiat_p256_addcarryx_u32(&x542, &x543, x541, x511, x535); uint32_t x544; fiat_p256_uint1 x545; - fiat_p256_addcarryx_u32(&x544, &x545, x543, x513, x537); uint32_t x546; fiat_p256_uint1 x547; - fiat_p256_addcarryx_u32(&x546, &x547, x545, x515, 0x0); uint32_t x548; fiat_p256_uint1 x549; - fiat_p256_addcarryx_u32(&x548, &x549, x547, x517, 0x0); uint32_t x550; fiat_p256_uint1 x551; - fiat_p256_addcarryx_u32(&x550, &x551, x549, x519, x507); uint32_t x552; fiat_p256_uint1 x553; - fiat_p256_addcarryx_u32(&x552, &x553, x551, x521, x525); uint32_t x554; fiat_p256_uint1 x555; - fiat_p256_addcarryx_u32(&x554, &x555, x553, x523, x526); - uint32_t x556 = ((uint32_t)x555 + x524); + uint32_t x556; uint32_t x557; uint32_t x558; - fiat_p256_mulx_u32(&x557, &x558, x7, (arg2[7])); uint32_t x559; uint32_t x560; - fiat_p256_mulx_u32(&x559, &x560, x7, (arg2[6])); uint32_t x561; uint32_t x562; - fiat_p256_mulx_u32(&x561, &x562, x7, (arg2[5])); uint32_t x563; uint32_t x564; - fiat_p256_mulx_u32(&x563, &x564, x7, (arg2[4])); uint32_t x565; uint32_t x566; - fiat_p256_mulx_u32(&x565, &x566, x7, (arg2[3])); uint32_t x567; uint32_t x568; - fiat_p256_mulx_u32(&x567, &x568, x7, (arg2[2])); uint32_t x569; uint32_t x570; - fiat_p256_mulx_u32(&x569, &x570, x7, (arg2[1])); uint32_t x571; uint32_t x572; - fiat_p256_mulx_u32(&x571, &x572, x7, (arg2[0])); uint32_t x573; fiat_p256_uint1 x574; - fiat_p256_addcarryx_u32(&x573, &x574, 0x0, x572, x569); uint32_t x575; fiat_p256_uint1 x576; - fiat_p256_addcarryx_u32(&x575, &x576, x574, x570, x567); uint32_t x577; fiat_p256_uint1 x578; - fiat_p256_addcarryx_u32(&x577, &x578, x576, x568, x565); uint32_t x579; fiat_p256_uint1 x580; - fiat_p256_addcarryx_u32(&x579, &x580, x578, x566, x563); uint32_t x581; fiat_p256_uint1 x582; - fiat_p256_addcarryx_u32(&x581, &x582, x580, x564, x561); uint32_t x583; fiat_p256_uint1 x584; - fiat_p256_addcarryx_u32(&x583, &x584, x582, x562, x559); uint32_t x585; fiat_p256_uint1 x586; - fiat_p256_addcarryx_u32(&x585, &x586, x584, x560, x557); - uint32_t x587 = (x586 + x558); + uint32_t x587; uint32_t x588; fiat_p256_uint1 x589; - fiat_p256_addcarryx_u32(&x588, &x589, 0x0, x540, x571); uint32_t x590; fiat_p256_uint1 x591; - fiat_p256_addcarryx_u32(&x590, &x591, x589, x542, x573); uint32_t x592; fiat_p256_uint1 x593; - fiat_p256_addcarryx_u32(&x592, &x593, x591, x544, x575); uint32_t x594; fiat_p256_uint1 x595; - fiat_p256_addcarryx_u32(&x594, &x595, x593, x546, x577); uint32_t x596; fiat_p256_uint1 x597; - fiat_p256_addcarryx_u32(&x596, &x597, x595, x548, x579); uint32_t x598; fiat_p256_uint1 x599; - fiat_p256_addcarryx_u32(&x598, &x599, x597, x550, x581); uint32_t x600; fiat_p256_uint1 x601; - fiat_p256_addcarryx_u32(&x600, &x601, x599, x552, x583); uint32_t x602; fiat_p256_uint1 x603; - fiat_p256_addcarryx_u32(&x602, &x603, x601, x554, x585); uint32_t x604; fiat_p256_uint1 x605; - fiat_p256_addcarryx_u32(&x604, &x605, x603, x556, x587); uint32_t x606; uint32_t x607; - fiat_p256_mulx_u32(&x606, &x607, x588, UINT32_C(0xffffffff)); uint32_t x608; uint32_t x609; - fiat_p256_mulx_u32(&x608, &x609, x588, UINT32_C(0xffffffff)); uint32_t x610; uint32_t x611; - fiat_p256_mulx_u32(&x610, &x611, x588, UINT32_C(0xffffffff)); uint32_t x612; uint32_t x613; - fiat_p256_mulx_u32(&x612, &x613, x588, UINT32_C(0xffffffff)); uint32_t x614; fiat_p256_uint1 x615; - fiat_p256_addcarryx_u32(&x614, &x615, 0x0, x613, x610); uint32_t x616; fiat_p256_uint1 x617; - fiat_p256_addcarryx_u32(&x616, &x617, x615, x611, x608); - uint32_t x618 = (x617 + x609); + uint32_t x618; uint32_t x619; fiat_p256_uint1 x620; - fiat_p256_addcarryx_u32(&x619, &x620, 0x0, x588, x612); uint32_t x621; fiat_p256_uint1 x622; - fiat_p256_addcarryx_u32(&x621, &x622, x620, x590, x614); uint32_t x623; fiat_p256_uint1 x624; - fiat_p256_addcarryx_u32(&x623, &x624, x622, x592, x616); uint32_t x625; fiat_p256_uint1 x626; - fiat_p256_addcarryx_u32(&x625, &x626, x624, x594, x618); uint32_t x627; fiat_p256_uint1 x628; - fiat_p256_addcarryx_u32(&x627, &x628, x626, x596, 0x0); uint32_t x629; fiat_p256_uint1 x630; - fiat_p256_addcarryx_u32(&x629, &x630, x628, x598, 0x0); uint32_t x631; fiat_p256_uint1 x632; - fiat_p256_addcarryx_u32(&x631, &x632, x630, x600, x588); uint32_t x633; fiat_p256_uint1 x634; - fiat_p256_addcarryx_u32(&x633, &x634, x632, x602, x606); uint32_t x635; fiat_p256_uint1 x636; - fiat_p256_addcarryx_u32(&x635, &x636, x634, x604, x607); - uint32_t x637 = ((uint32_t)x636 + x605); + uint32_t x637; uint32_t x638; fiat_p256_uint1 x639; - fiat_p256_subborrowx_u32(&x638, &x639, 0x0, x621, UINT32_C(0xffffffff)); uint32_t x640; fiat_p256_uint1 x641; - fiat_p256_subborrowx_u32(&x640, &x641, x639, x623, UINT32_C(0xffffffff)); uint32_t x642; fiat_p256_uint1 x643; - fiat_p256_subborrowx_u32(&x642, &x643, x641, x625, UINT32_C(0xffffffff)); uint32_t x644; fiat_p256_uint1 x645; - fiat_p256_subborrowx_u32(&x644, &x645, x643, x627, 0x0); uint32_t x646; fiat_p256_uint1 x647; - fiat_p256_subborrowx_u32(&x646, &x647, x645, x629, 0x0); uint32_t x648; fiat_p256_uint1 x649; - fiat_p256_subborrowx_u32(&x648, &x649, x647, x631, 0x0); uint32_t x650; fiat_p256_uint1 x651; - fiat_p256_subborrowx_u32(&x650, &x651, x649, x633, 0x1); uint32_t x652; fiat_p256_uint1 x653; - fiat_p256_subborrowx_u32(&x652, &x653, x651, x635, UINT32_C(0xffffffff)); uint32_t x654; fiat_p256_uint1 x655; - fiat_p256_subborrowx_u32(&x654, &x655, x653, x637, 0x0); uint32_t x656; - fiat_p256_cmovznz_u32(&x656, x655, x638, x621); uint32_t x657; - fiat_p256_cmovznz_u32(&x657, x655, x640, x623); uint32_t x658; - fiat_p256_cmovznz_u32(&x658, x655, x642, x625); uint32_t x659; - fiat_p256_cmovznz_u32(&x659, x655, x644, x627); uint32_t x660; - fiat_p256_cmovznz_u32(&x660, x655, x646, x629); uint32_t x661; - fiat_p256_cmovznz_u32(&x661, x655, x648, x631); uint32_t x662; - fiat_p256_cmovznz_u32(&x662, x655, x650, x633); uint32_t x663; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[4]); + x5 = (arg1[5]); + x6 = (arg1[6]); + x7 = (arg1[7]); + x8 = (arg1[0]); + fiat_p256_mulx_u32(&x9, &x10, x8, (arg2[7])); + fiat_p256_mulx_u32(&x11, &x12, x8, (arg2[6])); + fiat_p256_mulx_u32(&x13, &x14, x8, (arg2[5])); + fiat_p256_mulx_u32(&x15, &x16, x8, (arg2[4])); + fiat_p256_mulx_u32(&x17, &x18, x8, (arg2[3])); + fiat_p256_mulx_u32(&x19, &x20, x8, (arg2[2])); + fiat_p256_mulx_u32(&x21, &x22, x8, (arg2[1])); + fiat_p256_mulx_u32(&x23, &x24, x8, (arg2[0])); + fiat_p256_addcarryx_u32(&x25, &x26, 0x0, x24, x21); + fiat_p256_addcarryx_u32(&x27, &x28, x26, x22, x19); + fiat_p256_addcarryx_u32(&x29, &x30, x28, x20, x17); + fiat_p256_addcarryx_u32(&x31, &x32, x30, x18, x15); + fiat_p256_addcarryx_u32(&x33, &x34, x32, x16, x13); + fiat_p256_addcarryx_u32(&x35, &x36, x34, x14, x11); + fiat_p256_addcarryx_u32(&x37, &x38, x36, x12, x9); + x39 = (x38 + x10); + fiat_p256_mulx_u32(&x40, &x41, x23, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x42, &x43, x23, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x44, &x45, x23, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x46, &x47, x23, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x47, x44); + fiat_p256_addcarryx_u32(&x50, &x51, x49, x45, x42); + x52 = (x51 + x43); + fiat_p256_addcarryx_u32(&x53, &x54, 0x0, x23, x46); + fiat_p256_addcarryx_u32(&x55, &x56, x54, x25, x48); + fiat_p256_addcarryx_u32(&x57, &x58, x56, x27, x50); + fiat_p256_addcarryx_u32(&x59, &x60, x58, x29, x52); + fiat_p256_addcarryx_u32(&x61, &x62, x60, x31, 0x0); + fiat_p256_addcarryx_u32(&x63, &x64, x62, x33, 0x0); + fiat_p256_addcarryx_u32(&x65, &x66, x64, x35, x23); + fiat_p256_addcarryx_u32(&x67, &x68, x66, x37, x40); + fiat_p256_addcarryx_u32(&x69, &x70, x68, x39, x41); + fiat_p256_mulx_u32(&x71, &x72, x1, (arg2[7])); + fiat_p256_mulx_u32(&x73, &x74, x1, (arg2[6])); + fiat_p256_mulx_u32(&x75, &x76, x1, (arg2[5])); + fiat_p256_mulx_u32(&x77, &x78, x1, (arg2[4])); + fiat_p256_mulx_u32(&x79, &x80, x1, (arg2[3])); + fiat_p256_mulx_u32(&x81, &x82, x1, (arg2[2])); + fiat_p256_mulx_u32(&x83, &x84, x1, (arg2[1])); + fiat_p256_mulx_u32(&x85, &x86, x1, (arg2[0])); + fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x86, x83); + fiat_p256_addcarryx_u32(&x89, &x90, x88, x84, x81); + fiat_p256_addcarryx_u32(&x91, &x92, x90, x82, x79); + fiat_p256_addcarryx_u32(&x93, &x94, x92, x80, x77); + fiat_p256_addcarryx_u32(&x95, &x96, x94, x78, x75); + fiat_p256_addcarryx_u32(&x97, &x98, x96, x76, x73); + fiat_p256_addcarryx_u32(&x99, &x100, x98, x74, x71); + x101 = (x100 + x72); + fiat_p256_addcarryx_u32(&x102, &x103, 0x0, x55, x85); + fiat_p256_addcarryx_u32(&x104, &x105, x103, x57, x87); + fiat_p256_addcarryx_u32(&x106, &x107, x105, x59, x89); + fiat_p256_addcarryx_u32(&x108, &x109, x107, x61, x91); + fiat_p256_addcarryx_u32(&x110, &x111, x109, x63, x93); + fiat_p256_addcarryx_u32(&x112, &x113, x111, x65, x95); + fiat_p256_addcarryx_u32(&x114, &x115, x113, x67, x97); + fiat_p256_addcarryx_u32(&x116, &x117, x115, x69, x99); + fiat_p256_addcarryx_u32(&x118, &x119, x117, x70, x101); + fiat_p256_mulx_u32(&x120, &x121, x102, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x122, &x123, x102, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x124, &x125, x102, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x126, &x127, x102, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x128, &x129, 0x0, x127, x124); + fiat_p256_addcarryx_u32(&x130, &x131, x129, x125, x122); + x132 = (x131 + x123); + fiat_p256_addcarryx_u32(&x133, &x134, 0x0, x102, x126); + fiat_p256_addcarryx_u32(&x135, &x136, x134, x104, x128); + fiat_p256_addcarryx_u32(&x137, &x138, x136, x106, x130); + fiat_p256_addcarryx_u32(&x139, &x140, x138, x108, x132); + fiat_p256_addcarryx_u32(&x141, &x142, x140, x110, 0x0); + fiat_p256_addcarryx_u32(&x143, &x144, x142, x112, 0x0); + fiat_p256_addcarryx_u32(&x145, &x146, x144, x114, x102); + fiat_p256_addcarryx_u32(&x147, &x148, x146, x116, x120); + fiat_p256_addcarryx_u32(&x149, &x150, x148, x118, x121); + x151 = ((uint32_t)x150 + x119); + fiat_p256_mulx_u32(&x152, &x153, x2, (arg2[7])); + fiat_p256_mulx_u32(&x154, &x155, x2, (arg2[6])); + fiat_p256_mulx_u32(&x156, &x157, x2, (arg2[5])); + fiat_p256_mulx_u32(&x158, &x159, x2, (arg2[4])); + fiat_p256_mulx_u32(&x160, &x161, x2, (arg2[3])); + fiat_p256_mulx_u32(&x162, &x163, x2, (arg2[2])); + fiat_p256_mulx_u32(&x164, &x165, x2, (arg2[1])); + fiat_p256_mulx_u32(&x166, &x167, x2, (arg2[0])); + fiat_p256_addcarryx_u32(&x168, &x169, 0x0, x167, x164); + fiat_p256_addcarryx_u32(&x170, &x171, x169, x165, x162); + fiat_p256_addcarryx_u32(&x172, &x173, x171, x163, x160); + fiat_p256_addcarryx_u32(&x174, &x175, x173, x161, x158); + fiat_p256_addcarryx_u32(&x176, &x177, x175, x159, x156); + fiat_p256_addcarryx_u32(&x178, &x179, x177, x157, x154); + fiat_p256_addcarryx_u32(&x180, &x181, x179, x155, x152); + x182 = (x181 + x153); + fiat_p256_addcarryx_u32(&x183, &x184, 0x0, x135, x166); + fiat_p256_addcarryx_u32(&x185, &x186, x184, x137, x168); + fiat_p256_addcarryx_u32(&x187, &x188, x186, x139, x170); + fiat_p256_addcarryx_u32(&x189, &x190, x188, x141, x172); + fiat_p256_addcarryx_u32(&x191, &x192, x190, x143, x174); + fiat_p256_addcarryx_u32(&x193, &x194, x192, x145, x176); + fiat_p256_addcarryx_u32(&x195, &x196, x194, x147, x178); + fiat_p256_addcarryx_u32(&x197, &x198, x196, x149, x180); + fiat_p256_addcarryx_u32(&x199, &x200, x198, x151, x182); + fiat_p256_mulx_u32(&x201, &x202, x183, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x203, &x204, x183, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x205, &x206, x183, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x207, &x208, x183, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x209, &x210, 0x0, x208, x205); + fiat_p256_addcarryx_u32(&x211, &x212, x210, x206, x203); + x213 = (x212 + x204); + fiat_p256_addcarryx_u32(&x214, &x215, 0x0, x183, x207); + fiat_p256_addcarryx_u32(&x216, &x217, x215, x185, x209); + fiat_p256_addcarryx_u32(&x218, &x219, x217, x187, x211); + fiat_p256_addcarryx_u32(&x220, &x221, x219, x189, x213); + fiat_p256_addcarryx_u32(&x222, &x223, x221, x191, 0x0); + fiat_p256_addcarryx_u32(&x224, &x225, x223, x193, 0x0); + fiat_p256_addcarryx_u32(&x226, &x227, x225, x195, x183); + fiat_p256_addcarryx_u32(&x228, &x229, x227, x197, x201); + fiat_p256_addcarryx_u32(&x230, &x231, x229, x199, x202); + x232 = ((uint32_t)x231 + x200); + fiat_p256_mulx_u32(&x233, &x234, x3, (arg2[7])); + fiat_p256_mulx_u32(&x235, &x236, x3, (arg2[6])); + fiat_p256_mulx_u32(&x237, &x238, x3, (arg2[5])); + fiat_p256_mulx_u32(&x239, &x240, x3, (arg2[4])); + fiat_p256_mulx_u32(&x241, &x242, x3, (arg2[3])); + fiat_p256_mulx_u32(&x243, &x244, x3, (arg2[2])); + fiat_p256_mulx_u32(&x245, &x246, x3, (arg2[1])); + fiat_p256_mulx_u32(&x247, &x248, x3, (arg2[0])); + fiat_p256_addcarryx_u32(&x249, &x250, 0x0, x248, x245); + fiat_p256_addcarryx_u32(&x251, &x252, x250, x246, x243); + fiat_p256_addcarryx_u32(&x253, &x254, x252, x244, x241); + fiat_p256_addcarryx_u32(&x255, &x256, x254, x242, x239); + fiat_p256_addcarryx_u32(&x257, &x258, x256, x240, x237); + fiat_p256_addcarryx_u32(&x259, &x260, x258, x238, x235); + fiat_p256_addcarryx_u32(&x261, &x262, x260, x236, x233); + x263 = (x262 + x234); + fiat_p256_addcarryx_u32(&x264, &x265, 0x0, x216, x247); + fiat_p256_addcarryx_u32(&x266, &x267, x265, x218, x249); + fiat_p256_addcarryx_u32(&x268, &x269, x267, x220, x251); + fiat_p256_addcarryx_u32(&x270, &x271, x269, x222, x253); + fiat_p256_addcarryx_u32(&x272, &x273, x271, x224, x255); + fiat_p256_addcarryx_u32(&x274, &x275, x273, x226, x257); + fiat_p256_addcarryx_u32(&x276, &x277, x275, x228, x259); + fiat_p256_addcarryx_u32(&x278, &x279, x277, x230, x261); + fiat_p256_addcarryx_u32(&x280, &x281, x279, x232, x263); + fiat_p256_mulx_u32(&x282, &x283, x264, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x284, &x285, x264, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x286, &x287, x264, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x288, &x289, x264, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x290, &x291, 0x0, x289, x286); + fiat_p256_addcarryx_u32(&x292, &x293, x291, x287, x284); + x294 = (x293 + x285); + fiat_p256_addcarryx_u32(&x295, &x296, 0x0, x264, x288); + fiat_p256_addcarryx_u32(&x297, &x298, x296, x266, x290); + fiat_p256_addcarryx_u32(&x299, &x300, x298, x268, x292); + fiat_p256_addcarryx_u32(&x301, &x302, x300, x270, x294); + fiat_p256_addcarryx_u32(&x303, &x304, x302, x272, 0x0); + fiat_p256_addcarryx_u32(&x305, &x306, x304, x274, 0x0); + fiat_p256_addcarryx_u32(&x307, &x308, x306, x276, x264); + fiat_p256_addcarryx_u32(&x309, &x310, x308, x278, x282); + fiat_p256_addcarryx_u32(&x311, &x312, x310, x280, x283); + x313 = ((uint32_t)x312 + x281); + fiat_p256_mulx_u32(&x314, &x315, x4, (arg2[7])); + fiat_p256_mulx_u32(&x316, &x317, x4, (arg2[6])); + fiat_p256_mulx_u32(&x318, &x319, x4, (arg2[5])); + fiat_p256_mulx_u32(&x320, &x321, x4, (arg2[4])); + fiat_p256_mulx_u32(&x322, &x323, x4, (arg2[3])); + fiat_p256_mulx_u32(&x324, &x325, x4, (arg2[2])); + fiat_p256_mulx_u32(&x326, &x327, x4, (arg2[1])); + fiat_p256_mulx_u32(&x328, &x329, x4, (arg2[0])); + fiat_p256_addcarryx_u32(&x330, &x331, 0x0, x329, x326); + fiat_p256_addcarryx_u32(&x332, &x333, x331, x327, x324); + fiat_p256_addcarryx_u32(&x334, &x335, x333, x325, x322); + fiat_p256_addcarryx_u32(&x336, &x337, x335, x323, x320); + fiat_p256_addcarryx_u32(&x338, &x339, x337, x321, x318); + fiat_p256_addcarryx_u32(&x340, &x341, x339, x319, x316); + fiat_p256_addcarryx_u32(&x342, &x343, x341, x317, x314); + x344 = (x343 + x315); + fiat_p256_addcarryx_u32(&x345, &x346, 0x0, x297, x328); + fiat_p256_addcarryx_u32(&x347, &x348, x346, x299, x330); + fiat_p256_addcarryx_u32(&x349, &x350, x348, x301, x332); + fiat_p256_addcarryx_u32(&x351, &x352, x350, x303, x334); + fiat_p256_addcarryx_u32(&x353, &x354, x352, x305, x336); + fiat_p256_addcarryx_u32(&x355, &x356, x354, x307, x338); + fiat_p256_addcarryx_u32(&x357, &x358, x356, x309, x340); + fiat_p256_addcarryx_u32(&x359, &x360, x358, x311, x342); + fiat_p256_addcarryx_u32(&x361, &x362, x360, x313, x344); + fiat_p256_mulx_u32(&x363, &x364, x345, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x365, &x366, x345, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x367, &x368, x345, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x369, &x370, x345, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x371, &x372, 0x0, x370, x367); + fiat_p256_addcarryx_u32(&x373, &x374, x372, x368, x365); + x375 = (x374 + x366); + fiat_p256_addcarryx_u32(&x376, &x377, 0x0, x345, x369); + fiat_p256_addcarryx_u32(&x378, &x379, x377, x347, x371); + fiat_p256_addcarryx_u32(&x380, &x381, x379, x349, x373); + fiat_p256_addcarryx_u32(&x382, &x383, x381, x351, x375); + fiat_p256_addcarryx_u32(&x384, &x385, x383, x353, 0x0); + fiat_p256_addcarryx_u32(&x386, &x387, x385, x355, 0x0); + fiat_p256_addcarryx_u32(&x388, &x389, x387, x357, x345); + fiat_p256_addcarryx_u32(&x390, &x391, x389, x359, x363); + fiat_p256_addcarryx_u32(&x392, &x393, x391, x361, x364); + x394 = ((uint32_t)x393 + x362); + fiat_p256_mulx_u32(&x395, &x396, x5, (arg2[7])); + fiat_p256_mulx_u32(&x397, &x398, x5, (arg2[6])); + fiat_p256_mulx_u32(&x399, &x400, x5, (arg2[5])); + fiat_p256_mulx_u32(&x401, &x402, x5, (arg2[4])); + fiat_p256_mulx_u32(&x403, &x404, x5, (arg2[3])); + fiat_p256_mulx_u32(&x405, &x406, x5, (arg2[2])); + fiat_p256_mulx_u32(&x407, &x408, x5, (arg2[1])); + fiat_p256_mulx_u32(&x409, &x410, x5, (arg2[0])); + fiat_p256_addcarryx_u32(&x411, &x412, 0x0, x410, x407); + fiat_p256_addcarryx_u32(&x413, &x414, x412, x408, x405); + fiat_p256_addcarryx_u32(&x415, &x416, x414, x406, x403); + fiat_p256_addcarryx_u32(&x417, &x418, x416, x404, x401); + fiat_p256_addcarryx_u32(&x419, &x420, x418, x402, x399); + fiat_p256_addcarryx_u32(&x421, &x422, x420, x400, x397); + fiat_p256_addcarryx_u32(&x423, &x424, x422, x398, x395); + x425 = (x424 + x396); + fiat_p256_addcarryx_u32(&x426, &x427, 0x0, x378, x409); + fiat_p256_addcarryx_u32(&x428, &x429, x427, x380, x411); + fiat_p256_addcarryx_u32(&x430, &x431, x429, x382, x413); + fiat_p256_addcarryx_u32(&x432, &x433, x431, x384, x415); + fiat_p256_addcarryx_u32(&x434, &x435, x433, x386, x417); + fiat_p256_addcarryx_u32(&x436, &x437, x435, x388, x419); + fiat_p256_addcarryx_u32(&x438, &x439, x437, x390, x421); + fiat_p256_addcarryx_u32(&x440, &x441, x439, x392, x423); + fiat_p256_addcarryx_u32(&x442, &x443, x441, x394, x425); + fiat_p256_mulx_u32(&x444, &x445, x426, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x446, &x447, x426, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x448, &x449, x426, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x450, &x451, x426, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x452, &x453, 0x0, x451, x448); + fiat_p256_addcarryx_u32(&x454, &x455, x453, x449, x446); + x456 = (x455 + x447); + fiat_p256_addcarryx_u32(&x457, &x458, 0x0, x426, x450); + fiat_p256_addcarryx_u32(&x459, &x460, x458, x428, x452); + fiat_p256_addcarryx_u32(&x461, &x462, x460, x430, x454); + fiat_p256_addcarryx_u32(&x463, &x464, x462, x432, x456); + fiat_p256_addcarryx_u32(&x465, &x466, x464, x434, 0x0); + fiat_p256_addcarryx_u32(&x467, &x468, x466, x436, 0x0); + fiat_p256_addcarryx_u32(&x469, &x470, x468, x438, x426); + fiat_p256_addcarryx_u32(&x471, &x472, x470, x440, x444); + fiat_p256_addcarryx_u32(&x473, &x474, x472, x442, x445); + x475 = ((uint32_t)x474 + x443); + fiat_p256_mulx_u32(&x476, &x477, x6, (arg2[7])); + fiat_p256_mulx_u32(&x478, &x479, x6, (arg2[6])); + fiat_p256_mulx_u32(&x480, &x481, x6, (arg2[5])); + fiat_p256_mulx_u32(&x482, &x483, x6, (arg2[4])); + fiat_p256_mulx_u32(&x484, &x485, x6, (arg2[3])); + fiat_p256_mulx_u32(&x486, &x487, x6, (arg2[2])); + fiat_p256_mulx_u32(&x488, &x489, x6, (arg2[1])); + fiat_p256_mulx_u32(&x490, &x491, x6, (arg2[0])); + fiat_p256_addcarryx_u32(&x492, &x493, 0x0, x491, x488); + fiat_p256_addcarryx_u32(&x494, &x495, x493, x489, x486); + fiat_p256_addcarryx_u32(&x496, &x497, x495, x487, x484); + fiat_p256_addcarryx_u32(&x498, &x499, x497, x485, x482); + fiat_p256_addcarryx_u32(&x500, &x501, x499, x483, x480); + fiat_p256_addcarryx_u32(&x502, &x503, x501, x481, x478); + fiat_p256_addcarryx_u32(&x504, &x505, x503, x479, x476); + x506 = (x505 + x477); + fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x459, x490); + fiat_p256_addcarryx_u32(&x509, &x510, x508, x461, x492); + fiat_p256_addcarryx_u32(&x511, &x512, x510, x463, x494); + fiat_p256_addcarryx_u32(&x513, &x514, x512, x465, x496); + fiat_p256_addcarryx_u32(&x515, &x516, x514, x467, x498); + fiat_p256_addcarryx_u32(&x517, &x518, x516, x469, x500); + fiat_p256_addcarryx_u32(&x519, &x520, x518, x471, x502); + fiat_p256_addcarryx_u32(&x521, &x522, x520, x473, x504); + fiat_p256_addcarryx_u32(&x523, &x524, x522, x475, x506); + fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x531, &x532, x507, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x533, &x534, 0x0, x532, x529); + fiat_p256_addcarryx_u32(&x535, &x536, x534, x530, x527); + x537 = (x536 + x528); + fiat_p256_addcarryx_u32(&x538, &x539, 0x0, x507, x531); + fiat_p256_addcarryx_u32(&x540, &x541, x539, x509, x533); + fiat_p256_addcarryx_u32(&x542, &x543, x541, x511, x535); + fiat_p256_addcarryx_u32(&x544, &x545, x543, x513, x537); + fiat_p256_addcarryx_u32(&x546, &x547, x545, x515, 0x0); + fiat_p256_addcarryx_u32(&x548, &x549, x547, x517, 0x0); + fiat_p256_addcarryx_u32(&x550, &x551, x549, x519, x507); + fiat_p256_addcarryx_u32(&x552, &x553, x551, x521, x525); + fiat_p256_addcarryx_u32(&x554, &x555, x553, x523, x526); + x556 = ((uint32_t)x555 + x524); + fiat_p256_mulx_u32(&x557, &x558, x7, (arg2[7])); + fiat_p256_mulx_u32(&x559, &x560, x7, (arg2[6])); + fiat_p256_mulx_u32(&x561, &x562, x7, (arg2[5])); + fiat_p256_mulx_u32(&x563, &x564, x7, (arg2[4])); + fiat_p256_mulx_u32(&x565, &x566, x7, (arg2[3])); + fiat_p256_mulx_u32(&x567, &x568, x7, (arg2[2])); + fiat_p256_mulx_u32(&x569, &x570, x7, (arg2[1])); + fiat_p256_mulx_u32(&x571, &x572, x7, (arg2[0])); + fiat_p256_addcarryx_u32(&x573, &x574, 0x0, x572, x569); + fiat_p256_addcarryx_u32(&x575, &x576, x574, x570, x567); + fiat_p256_addcarryx_u32(&x577, &x578, x576, x568, x565); + fiat_p256_addcarryx_u32(&x579, &x580, x578, x566, x563); + fiat_p256_addcarryx_u32(&x581, &x582, x580, x564, x561); + fiat_p256_addcarryx_u32(&x583, &x584, x582, x562, x559); + fiat_p256_addcarryx_u32(&x585, &x586, x584, x560, x557); + x587 = (x586 + x558); + fiat_p256_addcarryx_u32(&x588, &x589, 0x0, x540, x571); + fiat_p256_addcarryx_u32(&x590, &x591, x589, x542, x573); + fiat_p256_addcarryx_u32(&x592, &x593, x591, x544, x575); + fiat_p256_addcarryx_u32(&x594, &x595, x593, x546, x577); + fiat_p256_addcarryx_u32(&x596, &x597, x595, x548, x579); + fiat_p256_addcarryx_u32(&x598, &x599, x597, x550, x581); + fiat_p256_addcarryx_u32(&x600, &x601, x599, x552, x583); + fiat_p256_addcarryx_u32(&x602, &x603, x601, x554, x585); + fiat_p256_addcarryx_u32(&x604, &x605, x603, x556, x587); + fiat_p256_mulx_u32(&x606, &x607, x588, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x608, &x609, x588, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x610, &x611, x588, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x612, &x613, x588, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x614, &x615, 0x0, x613, x610); + fiat_p256_addcarryx_u32(&x616, &x617, x615, x611, x608); + x618 = (x617 + x609); + fiat_p256_addcarryx_u32(&x619, &x620, 0x0, x588, x612); + fiat_p256_addcarryx_u32(&x621, &x622, x620, x590, x614); + fiat_p256_addcarryx_u32(&x623, &x624, x622, x592, x616); + fiat_p256_addcarryx_u32(&x625, &x626, x624, x594, x618); + fiat_p256_addcarryx_u32(&x627, &x628, x626, x596, 0x0); + fiat_p256_addcarryx_u32(&x629, &x630, x628, x598, 0x0); + fiat_p256_addcarryx_u32(&x631, &x632, x630, x600, x588); + fiat_p256_addcarryx_u32(&x633, &x634, x632, x602, x606); + fiat_p256_addcarryx_u32(&x635, &x636, x634, x604, x607); + x637 = ((uint32_t)x636 + x605); + fiat_p256_subborrowx_u32(&x638, &x639, 0x0, x621, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x640, &x641, x639, x623, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x642, &x643, x641, x625, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x644, &x645, x643, x627, 0x0); + fiat_p256_subborrowx_u32(&x646, &x647, x645, x629, 0x0); + fiat_p256_subborrowx_u32(&x648, &x649, x647, x631, 0x0); + fiat_p256_subborrowx_u32(&x650, &x651, x649, x633, 0x1); + fiat_p256_subborrowx_u32(&x652, &x653, x651, x635, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x654, &x655, x653, x637, 0x0); + fiat_p256_cmovznz_u32(&x656, x655, x638, x621); + fiat_p256_cmovznz_u32(&x657, x655, x640, x623); + fiat_p256_cmovznz_u32(&x658, x655, x642, x625); + fiat_p256_cmovznz_u32(&x659, x655, x644, x627); + fiat_p256_cmovznz_u32(&x660, x655, x646, x629); + fiat_p256_cmovznz_u32(&x661, x655, x648, x631); + fiat_p256_cmovznz_u32(&x662, x655, x650, x633); fiat_p256_cmovznz_u32(&x663, x655, x652, x635); out1[0] = x656; out1[1] = x657; @@ -1121,1000 +1186,1028 @@ static void fiat_p256_mul(uint32_t out1[8], const uint32_t arg1[8], const uint32 /* * The function fiat_p256_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_square(uint32_t out1[8], const uint32_t arg1[8]) { - uint32_t x1 = (arg1[1]); - uint32_t x2 = (arg1[2]); - uint32_t x3 = (arg1[3]); - uint32_t x4 = (arg1[4]); - uint32_t x5 = (arg1[5]); - uint32_t x6 = (arg1[6]); - uint32_t x7 = (arg1[7]); - uint32_t x8 = (arg1[0]); +static FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; uint32_t x9; uint32_t x10; - fiat_p256_mulx_u32(&x9, &x10, x8, (arg1[7])); uint32_t x11; uint32_t x12; - fiat_p256_mulx_u32(&x11, &x12, x8, (arg1[6])); uint32_t x13; uint32_t x14; - fiat_p256_mulx_u32(&x13, &x14, x8, (arg1[5])); uint32_t x15; uint32_t x16; - fiat_p256_mulx_u32(&x15, &x16, x8, (arg1[4])); uint32_t x17; uint32_t x18; - fiat_p256_mulx_u32(&x17, &x18, x8, (arg1[3])); uint32_t x19; uint32_t x20; - fiat_p256_mulx_u32(&x19, &x20, x8, (arg1[2])); uint32_t x21; uint32_t x22; - fiat_p256_mulx_u32(&x21, &x22, x8, (arg1[1])); uint32_t x23; uint32_t x24; - fiat_p256_mulx_u32(&x23, &x24, x8, (arg1[0])); uint32_t x25; fiat_p256_uint1 x26; - fiat_p256_addcarryx_u32(&x25, &x26, 0x0, x24, x21); uint32_t x27; fiat_p256_uint1 x28; - fiat_p256_addcarryx_u32(&x27, &x28, x26, x22, x19); uint32_t x29; fiat_p256_uint1 x30; - fiat_p256_addcarryx_u32(&x29, &x30, x28, x20, x17); uint32_t x31; fiat_p256_uint1 x32; - fiat_p256_addcarryx_u32(&x31, &x32, x30, x18, x15); uint32_t x33; fiat_p256_uint1 x34; - fiat_p256_addcarryx_u32(&x33, &x34, x32, x16, x13); uint32_t x35; fiat_p256_uint1 x36; - fiat_p256_addcarryx_u32(&x35, &x36, x34, x14, x11); uint32_t x37; fiat_p256_uint1 x38; - fiat_p256_addcarryx_u32(&x37, &x38, x36, x12, x9); - uint32_t x39 = (x38 + x10); + uint32_t x39; uint32_t x40; uint32_t x41; - fiat_p256_mulx_u32(&x40, &x41, x23, UINT32_C(0xffffffff)); uint32_t x42; uint32_t x43; - fiat_p256_mulx_u32(&x42, &x43, x23, UINT32_C(0xffffffff)); uint32_t x44; uint32_t x45; - fiat_p256_mulx_u32(&x44, &x45, x23, UINT32_C(0xffffffff)); uint32_t x46; uint32_t x47; - fiat_p256_mulx_u32(&x46, &x47, x23, UINT32_C(0xffffffff)); uint32_t x48; fiat_p256_uint1 x49; - fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x47, x44); uint32_t x50; fiat_p256_uint1 x51; - fiat_p256_addcarryx_u32(&x50, &x51, x49, x45, x42); - uint32_t x52 = (x51 + x43); + uint32_t x52; uint32_t x53; fiat_p256_uint1 x54; - fiat_p256_addcarryx_u32(&x53, &x54, 0x0, x23, x46); uint32_t x55; fiat_p256_uint1 x56; - fiat_p256_addcarryx_u32(&x55, &x56, x54, x25, x48); uint32_t x57; fiat_p256_uint1 x58; - fiat_p256_addcarryx_u32(&x57, &x58, x56, x27, x50); uint32_t x59; fiat_p256_uint1 x60; - fiat_p256_addcarryx_u32(&x59, &x60, x58, x29, x52); uint32_t x61; fiat_p256_uint1 x62; - fiat_p256_addcarryx_u32(&x61, &x62, x60, x31, 0x0); uint32_t x63; fiat_p256_uint1 x64; - fiat_p256_addcarryx_u32(&x63, &x64, x62, x33, 0x0); uint32_t x65; fiat_p256_uint1 x66; - fiat_p256_addcarryx_u32(&x65, &x66, x64, x35, x23); uint32_t x67; fiat_p256_uint1 x68; - fiat_p256_addcarryx_u32(&x67, &x68, x66, x37, x40); uint32_t x69; fiat_p256_uint1 x70; - fiat_p256_addcarryx_u32(&x69, &x70, x68, x39, x41); uint32_t x71; uint32_t x72; - fiat_p256_mulx_u32(&x71, &x72, x1, (arg1[7])); uint32_t x73; uint32_t x74; - fiat_p256_mulx_u32(&x73, &x74, x1, (arg1[6])); uint32_t x75; uint32_t x76; - fiat_p256_mulx_u32(&x75, &x76, x1, (arg1[5])); uint32_t x77; uint32_t x78; - fiat_p256_mulx_u32(&x77, &x78, x1, (arg1[4])); uint32_t x79; uint32_t x80; - fiat_p256_mulx_u32(&x79, &x80, x1, (arg1[3])); uint32_t x81; uint32_t x82; - fiat_p256_mulx_u32(&x81, &x82, x1, (arg1[2])); uint32_t x83; uint32_t x84; - fiat_p256_mulx_u32(&x83, &x84, x1, (arg1[1])); uint32_t x85; uint32_t x86; - fiat_p256_mulx_u32(&x85, &x86, x1, (arg1[0])); uint32_t x87; fiat_p256_uint1 x88; - fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x86, x83); uint32_t x89; fiat_p256_uint1 x90; - fiat_p256_addcarryx_u32(&x89, &x90, x88, x84, x81); uint32_t x91; fiat_p256_uint1 x92; - fiat_p256_addcarryx_u32(&x91, &x92, x90, x82, x79); uint32_t x93; fiat_p256_uint1 x94; - fiat_p256_addcarryx_u32(&x93, &x94, x92, x80, x77); uint32_t x95; fiat_p256_uint1 x96; - fiat_p256_addcarryx_u32(&x95, &x96, x94, x78, x75); uint32_t x97; fiat_p256_uint1 x98; - fiat_p256_addcarryx_u32(&x97, &x98, x96, x76, x73); uint32_t x99; fiat_p256_uint1 x100; - fiat_p256_addcarryx_u32(&x99, &x100, x98, x74, x71); - uint32_t x101 = (x100 + x72); + uint32_t x101; uint32_t x102; fiat_p256_uint1 x103; - fiat_p256_addcarryx_u32(&x102, &x103, 0x0, x55, x85); uint32_t x104; fiat_p256_uint1 x105; - fiat_p256_addcarryx_u32(&x104, &x105, x103, x57, x87); uint32_t x106; fiat_p256_uint1 x107; - fiat_p256_addcarryx_u32(&x106, &x107, x105, x59, x89); uint32_t x108; fiat_p256_uint1 x109; - fiat_p256_addcarryx_u32(&x108, &x109, x107, x61, x91); uint32_t x110; fiat_p256_uint1 x111; - fiat_p256_addcarryx_u32(&x110, &x111, x109, x63, x93); uint32_t x112; fiat_p256_uint1 x113; - fiat_p256_addcarryx_u32(&x112, &x113, x111, x65, x95); uint32_t x114; fiat_p256_uint1 x115; - fiat_p256_addcarryx_u32(&x114, &x115, x113, x67, x97); uint32_t x116; fiat_p256_uint1 x117; - fiat_p256_addcarryx_u32(&x116, &x117, x115, x69, x99); uint32_t x118; fiat_p256_uint1 x119; - fiat_p256_addcarryx_u32(&x118, &x119, x117, x70, x101); uint32_t x120; uint32_t x121; - fiat_p256_mulx_u32(&x120, &x121, x102, UINT32_C(0xffffffff)); uint32_t x122; uint32_t x123; - fiat_p256_mulx_u32(&x122, &x123, x102, UINT32_C(0xffffffff)); uint32_t x124; uint32_t x125; - fiat_p256_mulx_u32(&x124, &x125, x102, UINT32_C(0xffffffff)); uint32_t x126; uint32_t x127; - fiat_p256_mulx_u32(&x126, &x127, x102, UINT32_C(0xffffffff)); uint32_t x128; fiat_p256_uint1 x129; - fiat_p256_addcarryx_u32(&x128, &x129, 0x0, x127, x124); uint32_t x130; fiat_p256_uint1 x131; - fiat_p256_addcarryx_u32(&x130, &x131, x129, x125, x122); - uint32_t x132 = (x131 + x123); + uint32_t x132; uint32_t x133; fiat_p256_uint1 x134; - fiat_p256_addcarryx_u32(&x133, &x134, 0x0, x102, x126); uint32_t x135; fiat_p256_uint1 x136; - fiat_p256_addcarryx_u32(&x135, &x136, x134, x104, x128); uint32_t x137; fiat_p256_uint1 x138; - fiat_p256_addcarryx_u32(&x137, &x138, x136, x106, x130); uint32_t x139; fiat_p256_uint1 x140; - fiat_p256_addcarryx_u32(&x139, &x140, x138, x108, x132); uint32_t x141; fiat_p256_uint1 x142; - fiat_p256_addcarryx_u32(&x141, &x142, x140, x110, 0x0); uint32_t x143; fiat_p256_uint1 x144; - fiat_p256_addcarryx_u32(&x143, &x144, x142, x112, 0x0); uint32_t x145; fiat_p256_uint1 x146; - fiat_p256_addcarryx_u32(&x145, &x146, x144, x114, x102); uint32_t x147; fiat_p256_uint1 x148; - fiat_p256_addcarryx_u32(&x147, &x148, x146, x116, x120); uint32_t x149; fiat_p256_uint1 x150; - fiat_p256_addcarryx_u32(&x149, &x150, x148, x118, x121); - uint32_t x151 = ((uint32_t)x150 + x119); + uint32_t x151; uint32_t x152; uint32_t x153; - fiat_p256_mulx_u32(&x152, &x153, x2, (arg1[7])); uint32_t x154; uint32_t x155; - fiat_p256_mulx_u32(&x154, &x155, x2, (arg1[6])); uint32_t x156; uint32_t x157; - fiat_p256_mulx_u32(&x156, &x157, x2, (arg1[5])); uint32_t x158; uint32_t x159; - fiat_p256_mulx_u32(&x158, &x159, x2, (arg1[4])); uint32_t x160; uint32_t x161; - fiat_p256_mulx_u32(&x160, &x161, x2, (arg1[3])); uint32_t x162; uint32_t x163; - fiat_p256_mulx_u32(&x162, &x163, x2, (arg1[2])); uint32_t x164; uint32_t x165; - fiat_p256_mulx_u32(&x164, &x165, x2, (arg1[1])); uint32_t x166; uint32_t x167; - fiat_p256_mulx_u32(&x166, &x167, x2, (arg1[0])); uint32_t x168; fiat_p256_uint1 x169; - fiat_p256_addcarryx_u32(&x168, &x169, 0x0, x167, x164); uint32_t x170; fiat_p256_uint1 x171; - fiat_p256_addcarryx_u32(&x170, &x171, x169, x165, x162); uint32_t x172; fiat_p256_uint1 x173; - fiat_p256_addcarryx_u32(&x172, &x173, x171, x163, x160); uint32_t x174; fiat_p256_uint1 x175; - fiat_p256_addcarryx_u32(&x174, &x175, x173, x161, x158); uint32_t x176; fiat_p256_uint1 x177; - fiat_p256_addcarryx_u32(&x176, &x177, x175, x159, x156); uint32_t x178; fiat_p256_uint1 x179; - fiat_p256_addcarryx_u32(&x178, &x179, x177, x157, x154); uint32_t x180; fiat_p256_uint1 x181; - fiat_p256_addcarryx_u32(&x180, &x181, x179, x155, x152); - uint32_t x182 = (x181 + x153); + uint32_t x182; uint32_t x183; fiat_p256_uint1 x184; - fiat_p256_addcarryx_u32(&x183, &x184, 0x0, x135, x166); uint32_t x185; fiat_p256_uint1 x186; - fiat_p256_addcarryx_u32(&x185, &x186, x184, x137, x168); uint32_t x187; fiat_p256_uint1 x188; - fiat_p256_addcarryx_u32(&x187, &x188, x186, x139, x170); uint32_t x189; fiat_p256_uint1 x190; - fiat_p256_addcarryx_u32(&x189, &x190, x188, x141, x172); uint32_t x191; fiat_p256_uint1 x192; - fiat_p256_addcarryx_u32(&x191, &x192, x190, x143, x174); uint32_t x193; fiat_p256_uint1 x194; - fiat_p256_addcarryx_u32(&x193, &x194, x192, x145, x176); uint32_t x195; fiat_p256_uint1 x196; - fiat_p256_addcarryx_u32(&x195, &x196, x194, x147, x178); uint32_t x197; fiat_p256_uint1 x198; - fiat_p256_addcarryx_u32(&x197, &x198, x196, x149, x180); uint32_t x199; fiat_p256_uint1 x200; - fiat_p256_addcarryx_u32(&x199, &x200, x198, x151, x182); uint32_t x201; uint32_t x202; - fiat_p256_mulx_u32(&x201, &x202, x183, UINT32_C(0xffffffff)); uint32_t x203; uint32_t x204; - fiat_p256_mulx_u32(&x203, &x204, x183, UINT32_C(0xffffffff)); uint32_t x205; uint32_t x206; - fiat_p256_mulx_u32(&x205, &x206, x183, UINT32_C(0xffffffff)); uint32_t x207; uint32_t x208; - fiat_p256_mulx_u32(&x207, &x208, x183, UINT32_C(0xffffffff)); uint32_t x209; fiat_p256_uint1 x210; - fiat_p256_addcarryx_u32(&x209, &x210, 0x0, x208, x205); uint32_t x211; fiat_p256_uint1 x212; - fiat_p256_addcarryx_u32(&x211, &x212, x210, x206, x203); - uint32_t x213 = (x212 + x204); + uint32_t x213; uint32_t x214; fiat_p256_uint1 x215; - fiat_p256_addcarryx_u32(&x214, &x215, 0x0, x183, x207); uint32_t x216; fiat_p256_uint1 x217; - fiat_p256_addcarryx_u32(&x216, &x217, x215, x185, x209); uint32_t x218; fiat_p256_uint1 x219; - fiat_p256_addcarryx_u32(&x218, &x219, x217, x187, x211); uint32_t x220; fiat_p256_uint1 x221; - fiat_p256_addcarryx_u32(&x220, &x221, x219, x189, x213); uint32_t x222; fiat_p256_uint1 x223; - fiat_p256_addcarryx_u32(&x222, &x223, x221, x191, 0x0); uint32_t x224; fiat_p256_uint1 x225; - fiat_p256_addcarryx_u32(&x224, &x225, x223, x193, 0x0); uint32_t x226; fiat_p256_uint1 x227; - fiat_p256_addcarryx_u32(&x226, &x227, x225, x195, x183); uint32_t x228; fiat_p256_uint1 x229; - fiat_p256_addcarryx_u32(&x228, &x229, x227, x197, x201); uint32_t x230; fiat_p256_uint1 x231; - fiat_p256_addcarryx_u32(&x230, &x231, x229, x199, x202); - uint32_t x232 = ((uint32_t)x231 + x200); + uint32_t x232; uint32_t x233; uint32_t x234; - fiat_p256_mulx_u32(&x233, &x234, x3, (arg1[7])); uint32_t x235; uint32_t x236; - fiat_p256_mulx_u32(&x235, &x236, x3, (arg1[6])); uint32_t x237; uint32_t x238; - fiat_p256_mulx_u32(&x237, &x238, x3, (arg1[5])); uint32_t x239; uint32_t x240; - fiat_p256_mulx_u32(&x239, &x240, x3, (arg1[4])); uint32_t x241; uint32_t x242; - fiat_p256_mulx_u32(&x241, &x242, x3, (arg1[3])); uint32_t x243; uint32_t x244; - fiat_p256_mulx_u32(&x243, &x244, x3, (arg1[2])); uint32_t x245; uint32_t x246; - fiat_p256_mulx_u32(&x245, &x246, x3, (arg1[1])); uint32_t x247; uint32_t x248; - fiat_p256_mulx_u32(&x247, &x248, x3, (arg1[0])); uint32_t x249; fiat_p256_uint1 x250; - fiat_p256_addcarryx_u32(&x249, &x250, 0x0, x248, x245); uint32_t x251; fiat_p256_uint1 x252; - fiat_p256_addcarryx_u32(&x251, &x252, x250, x246, x243); uint32_t x253; fiat_p256_uint1 x254; - fiat_p256_addcarryx_u32(&x253, &x254, x252, x244, x241); uint32_t x255; fiat_p256_uint1 x256; - fiat_p256_addcarryx_u32(&x255, &x256, x254, x242, x239); uint32_t x257; fiat_p256_uint1 x258; - fiat_p256_addcarryx_u32(&x257, &x258, x256, x240, x237); uint32_t x259; fiat_p256_uint1 x260; - fiat_p256_addcarryx_u32(&x259, &x260, x258, x238, x235); uint32_t x261; fiat_p256_uint1 x262; - fiat_p256_addcarryx_u32(&x261, &x262, x260, x236, x233); - uint32_t x263 = (x262 + x234); + uint32_t x263; uint32_t x264; fiat_p256_uint1 x265; - fiat_p256_addcarryx_u32(&x264, &x265, 0x0, x216, x247); uint32_t x266; fiat_p256_uint1 x267; - fiat_p256_addcarryx_u32(&x266, &x267, x265, x218, x249); uint32_t x268; fiat_p256_uint1 x269; - fiat_p256_addcarryx_u32(&x268, &x269, x267, x220, x251); uint32_t x270; fiat_p256_uint1 x271; - fiat_p256_addcarryx_u32(&x270, &x271, x269, x222, x253); uint32_t x272; fiat_p256_uint1 x273; - fiat_p256_addcarryx_u32(&x272, &x273, x271, x224, x255); uint32_t x274; fiat_p256_uint1 x275; - fiat_p256_addcarryx_u32(&x274, &x275, x273, x226, x257); uint32_t x276; fiat_p256_uint1 x277; - fiat_p256_addcarryx_u32(&x276, &x277, x275, x228, x259); uint32_t x278; fiat_p256_uint1 x279; - fiat_p256_addcarryx_u32(&x278, &x279, x277, x230, x261); uint32_t x280; fiat_p256_uint1 x281; - fiat_p256_addcarryx_u32(&x280, &x281, x279, x232, x263); uint32_t x282; uint32_t x283; - fiat_p256_mulx_u32(&x282, &x283, x264, UINT32_C(0xffffffff)); uint32_t x284; uint32_t x285; - fiat_p256_mulx_u32(&x284, &x285, x264, UINT32_C(0xffffffff)); uint32_t x286; uint32_t x287; - fiat_p256_mulx_u32(&x286, &x287, x264, UINT32_C(0xffffffff)); uint32_t x288; uint32_t x289; - fiat_p256_mulx_u32(&x288, &x289, x264, UINT32_C(0xffffffff)); uint32_t x290; fiat_p256_uint1 x291; - fiat_p256_addcarryx_u32(&x290, &x291, 0x0, x289, x286); uint32_t x292; fiat_p256_uint1 x293; - fiat_p256_addcarryx_u32(&x292, &x293, x291, x287, x284); - uint32_t x294 = (x293 + x285); + uint32_t x294; uint32_t x295; fiat_p256_uint1 x296; - fiat_p256_addcarryx_u32(&x295, &x296, 0x0, x264, x288); uint32_t x297; fiat_p256_uint1 x298; - fiat_p256_addcarryx_u32(&x297, &x298, x296, x266, x290); uint32_t x299; fiat_p256_uint1 x300; - fiat_p256_addcarryx_u32(&x299, &x300, x298, x268, x292); uint32_t x301; fiat_p256_uint1 x302; - fiat_p256_addcarryx_u32(&x301, &x302, x300, x270, x294); uint32_t x303; fiat_p256_uint1 x304; - fiat_p256_addcarryx_u32(&x303, &x304, x302, x272, 0x0); uint32_t x305; fiat_p256_uint1 x306; - fiat_p256_addcarryx_u32(&x305, &x306, x304, x274, 0x0); uint32_t x307; fiat_p256_uint1 x308; - fiat_p256_addcarryx_u32(&x307, &x308, x306, x276, x264); uint32_t x309; fiat_p256_uint1 x310; - fiat_p256_addcarryx_u32(&x309, &x310, x308, x278, x282); uint32_t x311; fiat_p256_uint1 x312; - fiat_p256_addcarryx_u32(&x311, &x312, x310, x280, x283); - uint32_t x313 = ((uint32_t)x312 + x281); + uint32_t x313; uint32_t x314; uint32_t x315; - fiat_p256_mulx_u32(&x314, &x315, x4, (arg1[7])); uint32_t x316; uint32_t x317; - fiat_p256_mulx_u32(&x316, &x317, x4, (arg1[6])); uint32_t x318; uint32_t x319; - fiat_p256_mulx_u32(&x318, &x319, x4, (arg1[5])); uint32_t x320; uint32_t x321; - fiat_p256_mulx_u32(&x320, &x321, x4, (arg1[4])); uint32_t x322; uint32_t x323; - fiat_p256_mulx_u32(&x322, &x323, x4, (arg1[3])); uint32_t x324; uint32_t x325; - fiat_p256_mulx_u32(&x324, &x325, x4, (arg1[2])); uint32_t x326; uint32_t x327; - fiat_p256_mulx_u32(&x326, &x327, x4, (arg1[1])); uint32_t x328; uint32_t x329; - fiat_p256_mulx_u32(&x328, &x329, x4, (arg1[0])); uint32_t x330; fiat_p256_uint1 x331; - fiat_p256_addcarryx_u32(&x330, &x331, 0x0, x329, x326); uint32_t x332; fiat_p256_uint1 x333; - fiat_p256_addcarryx_u32(&x332, &x333, x331, x327, x324); uint32_t x334; fiat_p256_uint1 x335; - fiat_p256_addcarryx_u32(&x334, &x335, x333, x325, x322); uint32_t x336; fiat_p256_uint1 x337; - fiat_p256_addcarryx_u32(&x336, &x337, x335, x323, x320); uint32_t x338; fiat_p256_uint1 x339; - fiat_p256_addcarryx_u32(&x338, &x339, x337, x321, x318); uint32_t x340; fiat_p256_uint1 x341; - fiat_p256_addcarryx_u32(&x340, &x341, x339, x319, x316); uint32_t x342; fiat_p256_uint1 x343; - fiat_p256_addcarryx_u32(&x342, &x343, x341, x317, x314); - uint32_t x344 = (x343 + x315); + uint32_t x344; uint32_t x345; fiat_p256_uint1 x346; - fiat_p256_addcarryx_u32(&x345, &x346, 0x0, x297, x328); uint32_t x347; fiat_p256_uint1 x348; - fiat_p256_addcarryx_u32(&x347, &x348, x346, x299, x330); uint32_t x349; fiat_p256_uint1 x350; - fiat_p256_addcarryx_u32(&x349, &x350, x348, x301, x332); uint32_t x351; fiat_p256_uint1 x352; - fiat_p256_addcarryx_u32(&x351, &x352, x350, x303, x334); uint32_t x353; fiat_p256_uint1 x354; - fiat_p256_addcarryx_u32(&x353, &x354, x352, x305, x336); uint32_t x355; fiat_p256_uint1 x356; - fiat_p256_addcarryx_u32(&x355, &x356, x354, x307, x338); uint32_t x357; fiat_p256_uint1 x358; - fiat_p256_addcarryx_u32(&x357, &x358, x356, x309, x340); uint32_t x359; fiat_p256_uint1 x360; - fiat_p256_addcarryx_u32(&x359, &x360, x358, x311, x342); uint32_t x361; fiat_p256_uint1 x362; - fiat_p256_addcarryx_u32(&x361, &x362, x360, x313, x344); uint32_t x363; uint32_t x364; - fiat_p256_mulx_u32(&x363, &x364, x345, UINT32_C(0xffffffff)); uint32_t x365; uint32_t x366; - fiat_p256_mulx_u32(&x365, &x366, x345, UINT32_C(0xffffffff)); uint32_t x367; uint32_t x368; - fiat_p256_mulx_u32(&x367, &x368, x345, UINT32_C(0xffffffff)); uint32_t x369; uint32_t x370; - fiat_p256_mulx_u32(&x369, &x370, x345, UINT32_C(0xffffffff)); uint32_t x371; fiat_p256_uint1 x372; - fiat_p256_addcarryx_u32(&x371, &x372, 0x0, x370, x367); uint32_t x373; fiat_p256_uint1 x374; - fiat_p256_addcarryx_u32(&x373, &x374, x372, x368, x365); - uint32_t x375 = (x374 + x366); + uint32_t x375; uint32_t x376; fiat_p256_uint1 x377; - fiat_p256_addcarryx_u32(&x376, &x377, 0x0, x345, x369); uint32_t x378; fiat_p256_uint1 x379; - fiat_p256_addcarryx_u32(&x378, &x379, x377, x347, x371); uint32_t x380; fiat_p256_uint1 x381; - fiat_p256_addcarryx_u32(&x380, &x381, x379, x349, x373); uint32_t x382; fiat_p256_uint1 x383; - fiat_p256_addcarryx_u32(&x382, &x383, x381, x351, x375); uint32_t x384; fiat_p256_uint1 x385; - fiat_p256_addcarryx_u32(&x384, &x385, x383, x353, 0x0); uint32_t x386; fiat_p256_uint1 x387; - fiat_p256_addcarryx_u32(&x386, &x387, x385, x355, 0x0); uint32_t x388; fiat_p256_uint1 x389; - fiat_p256_addcarryx_u32(&x388, &x389, x387, x357, x345); uint32_t x390; fiat_p256_uint1 x391; - fiat_p256_addcarryx_u32(&x390, &x391, x389, x359, x363); uint32_t x392; fiat_p256_uint1 x393; - fiat_p256_addcarryx_u32(&x392, &x393, x391, x361, x364); - uint32_t x394 = ((uint32_t)x393 + x362); + uint32_t x394; uint32_t x395; uint32_t x396; - fiat_p256_mulx_u32(&x395, &x396, x5, (arg1[7])); uint32_t x397; uint32_t x398; - fiat_p256_mulx_u32(&x397, &x398, x5, (arg1[6])); uint32_t x399; uint32_t x400; - fiat_p256_mulx_u32(&x399, &x400, x5, (arg1[5])); uint32_t x401; uint32_t x402; - fiat_p256_mulx_u32(&x401, &x402, x5, (arg1[4])); uint32_t x403; uint32_t x404; - fiat_p256_mulx_u32(&x403, &x404, x5, (arg1[3])); uint32_t x405; uint32_t x406; - fiat_p256_mulx_u32(&x405, &x406, x5, (arg1[2])); uint32_t x407; uint32_t x408; - fiat_p256_mulx_u32(&x407, &x408, x5, (arg1[1])); uint32_t x409; uint32_t x410; - fiat_p256_mulx_u32(&x409, &x410, x5, (arg1[0])); uint32_t x411; fiat_p256_uint1 x412; - fiat_p256_addcarryx_u32(&x411, &x412, 0x0, x410, x407); uint32_t x413; fiat_p256_uint1 x414; - fiat_p256_addcarryx_u32(&x413, &x414, x412, x408, x405); uint32_t x415; fiat_p256_uint1 x416; - fiat_p256_addcarryx_u32(&x415, &x416, x414, x406, x403); uint32_t x417; fiat_p256_uint1 x418; - fiat_p256_addcarryx_u32(&x417, &x418, x416, x404, x401); uint32_t x419; fiat_p256_uint1 x420; - fiat_p256_addcarryx_u32(&x419, &x420, x418, x402, x399); uint32_t x421; fiat_p256_uint1 x422; - fiat_p256_addcarryx_u32(&x421, &x422, x420, x400, x397); uint32_t x423; fiat_p256_uint1 x424; - fiat_p256_addcarryx_u32(&x423, &x424, x422, x398, x395); - uint32_t x425 = (x424 + x396); + uint32_t x425; uint32_t x426; fiat_p256_uint1 x427; - fiat_p256_addcarryx_u32(&x426, &x427, 0x0, x378, x409); uint32_t x428; fiat_p256_uint1 x429; - fiat_p256_addcarryx_u32(&x428, &x429, x427, x380, x411); uint32_t x430; fiat_p256_uint1 x431; - fiat_p256_addcarryx_u32(&x430, &x431, x429, x382, x413); uint32_t x432; fiat_p256_uint1 x433; - fiat_p256_addcarryx_u32(&x432, &x433, x431, x384, x415); uint32_t x434; fiat_p256_uint1 x435; - fiat_p256_addcarryx_u32(&x434, &x435, x433, x386, x417); uint32_t x436; fiat_p256_uint1 x437; - fiat_p256_addcarryx_u32(&x436, &x437, x435, x388, x419); uint32_t x438; fiat_p256_uint1 x439; - fiat_p256_addcarryx_u32(&x438, &x439, x437, x390, x421); uint32_t x440; fiat_p256_uint1 x441; - fiat_p256_addcarryx_u32(&x440, &x441, x439, x392, x423); uint32_t x442; fiat_p256_uint1 x443; - fiat_p256_addcarryx_u32(&x442, &x443, x441, x394, x425); uint32_t x444; uint32_t x445; - fiat_p256_mulx_u32(&x444, &x445, x426, UINT32_C(0xffffffff)); uint32_t x446; uint32_t x447; - fiat_p256_mulx_u32(&x446, &x447, x426, UINT32_C(0xffffffff)); uint32_t x448; uint32_t x449; - fiat_p256_mulx_u32(&x448, &x449, x426, UINT32_C(0xffffffff)); uint32_t x450; uint32_t x451; - fiat_p256_mulx_u32(&x450, &x451, x426, UINT32_C(0xffffffff)); uint32_t x452; fiat_p256_uint1 x453; - fiat_p256_addcarryx_u32(&x452, &x453, 0x0, x451, x448); uint32_t x454; fiat_p256_uint1 x455; - fiat_p256_addcarryx_u32(&x454, &x455, x453, x449, x446); - uint32_t x456 = (x455 + x447); + uint32_t x456; uint32_t x457; fiat_p256_uint1 x458; - fiat_p256_addcarryx_u32(&x457, &x458, 0x0, x426, x450); uint32_t x459; fiat_p256_uint1 x460; - fiat_p256_addcarryx_u32(&x459, &x460, x458, x428, x452); uint32_t x461; fiat_p256_uint1 x462; - fiat_p256_addcarryx_u32(&x461, &x462, x460, x430, x454); uint32_t x463; fiat_p256_uint1 x464; - fiat_p256_addcarryx_u32(&x463, &x464, x462, x432, x456); uint32_t x465; fiat_p256_uint1 x466; - fiat_p256_addcarryx_u32(&x465, &x466, x464, x434, 0x0); uint32_t x467; fiat_p256_uint1 x468; - fiat_p256_addcarryx_u32(&x467, &x468, x466, x436, 0x0); uint32_t x469; fiat_p256_uint1 x470; - fiat_p256_addcarryx_u32(&x469, &x470, x468, x438, x426); uint32_t x471; fiat_p256_uint1 x472; - fiat_p256_addcarryx_u32(&x471, &x472, x470, x440, x444); uint32_t x473; fiat_p256_uint1 x474; - fiat_p256_addcarryx_u32(&x473, &x474, x472, x442, x445); - uint32_t x475 = ((uint32_t)x474 + x443); + uint32_t x475; uint32_t x476; uint32_t x477; - fiat_p256_mulx_u32(&x476, &x477, x6, (arg1[7])); uint32_t x478; uint32_t x479; - fiat_p256_mulx_u32(&x478, &x479, x6, (arg1[6])); uint32_t x480; uint32_t x481; - fiat_p256_mulx_u32(&x480, &x481, x6, (arg1[5])); uint32_t x482; uint32_t x483; - fiat_p256_mulx_u32(&x482, &x483, x6, (arg1[4])); uint32_t x484; uint32_t x485; - fiat_p256_mulx_u32(&x484, &x485, x6, (arg1[3])); uint32_t x486; uint32_t x487; - fiat_p256_mulx_u32(&x486, &x487, x6, (arg1[2])); uint32_t x488; uint32_t x489; - fiat_p256_mulx_u32(&x488, &x489, x6, (arg1[1])); uint32_t x490; uint32_t x491; - fiat_p256_mulx_u32(&x490, &x491, x6, (arg1[0])); uint32_t x492; fiat_p256_uint1 x493; - fiat_p256_addcarryx_u32(&x492, &x493, 0x0, x491, x488); uint32_t x494; fiat_p256_uint1 x495; - fiat_p256_addcarryx_u32(&x494, &x495, x493, x489, x486); uint32_t x496; fiat_p256_uint1 x497; - fiat_p256_addcarryx_u32(&x496, &x497, x495, x487, x484); uint32_t x498; fiat_p256_uint1 x499; - fiat_p256_addcarryx_u32(&x498, &x499, x497, x485, x482); uint32_t x500; fiat_p256_uint1 x501; - fiat_p256_addcarryx_u32(&x500, &x501, x499, x483, x480); uint32_t x502; fiat_p256_uint1 x503; - fiat_p256_addcarryx_u32(&x502, &x503, x501, x481, x478); uint32_t x504; fiat_p256_uint1 x505; - fiat_p256_addcarryx_u32(&x504, &x505, x503, x479, x476); - uint32_t x506 = (x505 + x477); + uint32_t x506; uint32_t x507; fiat_p256_uint1 x508; - fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x459, x490); uint32_t x509; fiat_p256_uint1 x510; - fiat_p256_addcarryx_u32(&x509, &x510, x508, x461, x492); uint32_t x511; fiat_p256_uint1 x512; - fiat_p256_addcarryx_u32(&x511, &x512, x510, x463, x494); uint32_t x513; fiat_p256_uint1 x514; - fiat_p256_addcarryx_u32(&x513, &x514, x512, x465, x496); uint32_t x515; fiat_p256_uint1 x516; - fiat_p256_addcarryx_u32(&x515, &x516, x514, x467, x498); uint32_t x517; fiat_p256_uint1 x518; - fiat_p256_addcarryx_u32(&x517, &x518, x516, x469, x500); uint32_t x519; fiat_p256_uint1 x520; - fiat_p256_addcarryx_u32(&x519, &x520, x518, x471, x502); uint32_t x521; fiat_p256_uint1 x522; - fiat_p256_addcarryx_u32(&x521, &x522, x520, x473, x504); uint32_t x523; fiat_p256_uint1 x524; - fiat_p256_addcarryx_u32(&x523, &x524, x522, x475, x506); uint32_t x525; uint32_t x526; - fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff)); uint32_t x527; uint32_t x528; - fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff)); uint32_t x529; uint32_t x530; - fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff)); uint32_t x531; uint32_t x532; - fiat_p256_mulx_u32(&x531, &x532, x507, UINT32_C(0xffffffff)); uint32_t x533; fiat_p256_uint1 x534; - fiat_p256_addcarryx_u32(&x533, &x534, 0x0, x532, x529); uint32_t x535; fiat_p256_uint1 x536; - fiat_p256_addcarryx_u32(&x535, &x536, x534, x530, x527); - uint32_t x537 = (x536 + x528); + uint32_t x537; uint32_t x538; fiat_p256_uint1 x539; - fiat_p256_addcarryx_u32(&x538, &x539, 0x0, x507, x531); uint32_t x540; fiat_p256_uint1 x541; - fiat_p256_addcarryx_u32(&x540, &x541, x539, x509, x533); uint32_t x542; fiat_p256_uint1 x543; - fiat_p256_addcarryx_u32(&x542, &x543, x541, x511, x535); uint32_t x544; fiat_p256_uint1 x545; - fiat_p256_addcarryx_u32(&x544, &x545, x543, x513, x537); uint32_t x546; fiat_p256_uint1 x547; - fiat_p256_addcarryx_u32(&x546, &x547, x545, x515, 0x0); uint32_t x548; fiat_p256_uint1 x549; - fiat_p256_addcarryx_u32(&x548, &x549, x547, x517, 0x0); uint32_t x550; fiat_p256_uint1 x551; - fiat_p256_addcarryx_u32(&x550, &x551, x549, x519, x507); uint32_t x552; fiat_p256_uint1 x553; - fiat_p256_addcarryx_u32(&x552, &x553, x551, x521, x525); uint32_t x554; fiat_p256_uint1 x555; - fiat_p256_addcarryx_u32(&x554, &x555, x553, x523, x526); - uint32_t x556 = ((uint32_t)x555 + x524); + uint32_t x556; uint32_t x557; uint32_t x558; - fiat_p256_mulx_u32(&x557, &x558, x7, (arg1[7])); uint32_t x559; uint32_t x560; - fiat_p256_mulx_u32(&x559, &x560, x7, (arg1[6])); uint32_t x561; uint32_t x562; - fiat_p256_mulx_u32(&x561, &x562, x7, (arg1[5])); uint32_t x563; uint32_t x564; - fiat_p256_mulx_u32(&x563, &x564, x7, (arg1[4])); uint32_t x565; uint32_t x566; - fiat_p256_mulx_u32(&x565, &x566, x7, (arg1[3])); uint32_t x567; uint32_t x568; - fiat_p256_mulx_u32(&x567, &x568, x7, (arg1[2])); uint32_t x569; uint32_t x570; - fiat_p256_mulx_u32(&x569, &x570, x7, (arg1[1])); uint32_t x571; uint32_t x572; - fiat_p256_mulx_u32(&x571, &x572, x7, (arg1[0])); uint32_t x573; fiat_p256_uint1 x574; - fiat_p256_addcarryx_u32(&x573, &x574, 0x0, x572, x569); uint32_t x575; fiat_p256_uint1 x576; - fiat_p256_addcarryx_u32(&x575, &x576, x574, x570, x567); uint32_t x577; fiat_p256_uint1 x578; - fiat_p256_addcarryx_u32(&x577, &x578, x576, x568, x565); uint32_t x579; fiat_p256_uint1 x580; - fiat_p256_addcarryx_u32(&x579, &x580, x578, x566, x563); uint32_t x581; fiat_p256_uint1 x582; - fiat_p256_addcarryx_u32(&x581, &x582, x580, x564, x561); uint32_t x583; fiat_p256_uint1 x584; - fiat_p256_addcarryx_u32(&x583, &x584, x582, x562, x559); uint32_t x585; fiat_p256_uint1 x586; - fiat_p256_addcarryx_u32(&x585, &x586, x584, x560, x557); - uint32_t x587 = (x586 + x558); + uint32_t x587; uint32_t x588; fiat_p256_uint1 x589; - fiat_p256_addcarryx_u32(&x588, &x589, 0x0, x540, x571); uint32_t x590; fiat_p256_uint1 x591; - fiat_p256_addcarryx_u32(&x590, &x591, x589, x542, x573); uint32_t x592; fiat_p256_uint1 x593; - fiat_p256_addcarryx_u32(&x592, &x593, x591, x544, x575); uint32_t x594; fiat_p256_uint1 x595; - fiat_p256_addcarryx_u32(&x594, &x595, x593, x546, x577); uint32_t x596; fiat_p256_uint1 x597; - fiat_p256_addcarryx_u32(&x596, &x597, x595, x548, x579); uint32_t x598; fiat_p256_uint1 x599; - fiat_p256_addcarryx_u32(&x598, &x599, x597, x550, x581); uint32_t x600; fiat_p256_uint1 x601; - fiat_p256_addcarryx_u32(&x600, &x601, x599, x552, x583); uint32_t x602; fiat_p256_uint1 x603; - fiat_p256_addcarryx_u32(&x602, &x603, x601, x554, x585); uint32_t x604; fiat_p256_uint1 x605; - fiat_p256_addcarryx_u32(&x604, &x605, x603, x556, x587); uint32_t x606; uint32_t x607; - fiat_p256_mulx_u32(&x606, &x607, x588, UINT32_C(0xffffffff)); uint32_t x608; uint32_t x609; - fiat_p256_mulx_u32(&x608, &x609, x588, UINT32_C(0xffffffff)); uint32_t x610; uint32_t x611; - fiat_p256_mulx_u32(&x610, &x611, x588, UINT32_C(0xffffffff)); uint32_t x612; uint32_t x613; - fiat_p256_mulx_u32(&x612, &x613, x588, UINT32_C(0xffffffff)); uint32_t x614; fiat_p256_uint1 x615; - fiat_p256_addcarryx_u32(&x614, &x615, 0x0, x613, x610); uint32_t x616; fiat_p256_uint1 x617; - fiat_p256_addcarryx_u32(&x616, &x617, x615, x611, x608); - uint32_t x618 = (x617 + x609); + uint32_t x618; uint32_t x619; fiat_p256_uint1 x620; - fiat_p256_addcarryx_u32(&x619, &x620, 0x0, x588, x612); uint32_t x621; fiat_p256_uint1 x622; - fiat_p256_addcarryx_u32(&x621, &x622, x620, x590, x614); uint32_t x623; fiat_p256_uint1 x624; - fiat_p256_addcarryx_u32(&x623, &x624, x622, x592, x616); uint32_t x625; fiat_p256_uint1 x626; - fiat_p256_addcarryx_u32(&x625, &x626, x624, x594, x618); uint32_t x627; fiat_p256_uint1 x628; - fiat_p256_addcarryx_u32(&x627, &x628, x626, x596, 0x0); uint32_t x629; fiat_p256_uint1 x630; - fiat_p256_addcarryx_u32(&x629, &x630, x628, x598, 0x0); uint32_t x631; fiat_p256_uint1 x632; - fiat_p256_addcarryx_u32(&x631, &x632, x630, x600, x588); uint32_t x633; fiat_p256_uint1 x634; - fiat_p256_addcarryx_u32(&x633, &x634, x632, x602, x606); uint32_t x635; fiat_p256_uint1 x636; - fiat_p256_addcarryx_u32(&x635, &x636, x634, x604, x607); - uint32_t x637 = ((uint32_t)x636 + x605); + uint32_t x637; uint32_t x638; fiat_p256_uint1 x639; - fiat_p256_subborrowx_u32(&x638, &x639, 0x0, x621, UINT32_C(0xffffffff)); uint32_t x640; fiat_p256_uint1 x641; - fiat_p256_subborrowx_u32(&x640, &x641, x639, x623, UINT32_C(0xffffffff)); uint32_t x642; fiat_p256_uint1 x643; - fiat_p256_subborrowx_u32(&x642, &x643, x641, x625, UINT32_C(0xffffffff)); uint32_t x644; fiat_p256_uint1 x645; - fiat_p256_subborrowx_u32(&x644, &x645, x643, x627, 0x0); uint32_t x646; fiat_p256_uint1 x647; - fiat_p256_subborrowx_u32(&x646, &x647, x645, x629, 0x0); uint32_t x648; fiat_p256_uint1 x649; - fiat_p256_subborrowx_u32(&x648, &x649, x647, x631, 0x0); uint32_t x650; fiat_p256_uint1 x651; - fiat_p256_subborrowx_u32(&x650, &x651, x649, x633, 0x1); uint32_t x652; fiat_p256_uint1 x653; - fiat_p256_subborrowx_u32(&x652, &x653, x651, x635, UINT32_C(0xffffffff)); uint32_t x654; fiat_p256_uint1 x655; - fiat_p256_subborrowx_u32(&x654, &x655, x653, x637, 0x0); uint32_t x656; - fiat_p256_cmovznz_u32(&x656, x655, x638, x621); uint32_t x657; - fiat_p256_cmovznz_u32(&x657, x655, x640, x623); uint32_t x658; - fiat_p256_cmovznz_u32(&x658, x655, x642, x625); uint32_t x659; - fiat_p256_cmovznz_u32(&x659, x655, x644, x627); uint32_t x660; - fiat_p256_cmovznz_u32(&x660, x655, x646, x629); uint32_t x661; - fiat_p256_cmovznz_u32(&x661, x655, x648, x631); uint32_t x662; - fiat_p256_cmovznz_u32(&x662, x655, x650, x633); uint32_t x663; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[4]); + x5 = (arg1[5]); + x6 = (arg1[6]); + x7 = (arg1[7]); + x8 = (arg1[0]); + fiat_p256_mulx_u32(&x9, &x10, x8, (arg1[7])); + fiat_p256_mulx_u32(&x11, &x12, x8, (arg1[6])); + fiat_p256_mulx_u32(&x13, &x14, x8, (arg1[5])); + fiat_p256_mulx_u32(&x15, &x16, x8, (arg1[4])); + fiat_p256_mulx_u32(&x17, &x18, x8, (arg1[3])); + fiat_p256_mulx_u32(&x19, &x20, x8, (arg1[2])); + fiat_p256_mulx_u32(&x21, &x22, x8, (arg1[1])); + fiat_p256_mulx_u32(&x23, &x24, x8, (arg1[0])); + fiat_p256_addcarryx_u32(&x25, &x26, 0x0, x24, x21); + fiat_p256_addcarryx_u32(&x27, &x28, x26, x22, x19); + fiat_p256_addcarryx_u32(&x29, &x30, x28, x20, x17); + fiat_p256_addcarryx_u32(&x31, &x32, x30, x18, x15); + fiat_p256_addcarryx_u32(&x33, &x34, x32, x16, x13); + fiat_p256_addcarryx_u32(&x35, &x36, x34, x14, x11); + fiat_p256_addcarryx_u32(&x37, &x38, x36, x12, x9); + x39 = (x38 + x10); + fiat_p256_mulx_u32(&x40, &x41, x23, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x42, &x43, x23, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x44, &x45, x23, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x46, &x47, x23, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x47, x44); + fiat_p256_addcarryx_u32(&x50, &x51, x49, x45, x42); + x52 = (x51 + x43); + fiat_p256_addcarryx_u32(&x53, &x54, 0x0, x23, x46); + fiat_p256_addcarryx_u32(&x55, &x56, x54, x25, x48); + fiat_p256_addcarryx_u32(&x57, &x58, x56, x27, x50); + fiat_p256_addcarryx_u32(&x59, &x60, x58, x29, x52); + fiat_p256_addcarryx_u32(&x61, &x62, x60, x31, 0x0); + fiat_p256_addcarryx_u32(&x63, &x64, x62, x33, 0x0); + fiat_p256_addcarryx_u32(&x65, &x66, x64, x35, x23); + fiat_p256_addcarryx_u32(&x67, &x68, x66, x37, x40); + fiat_p256_addcarryx_u32(&x69, &x70, x68, x39, x41); + fiat_p256_mulx_u32(&x71, &x72, x1, (arg1[7])); + fiat_p256_mulx_u32(&x73, &x74, x1, (arg1[6])); + fiat_p256_mulx_u32(&x75, &x76, x1, (arg1[5])); + fiat_p256_mulx_u32(&x77, &x78, x1, (arg1[4])); + fiat_p256_mulx_u32(&x79, &x80, x1, (arg1[3])); + fiat_p256_mulx_u32(&x81, &x82, x1, (arg1[2])); + fiat_p256_mulx_u32(&x83, &x84, x1, (arg1[1])); + fiat_p256_mulx_u32(&x85, &x86, x1, (arg1[0])); + fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x86, x83); + fiat_p256_addcarryx_u32(&x89, &x90, x88, x84, x81); + fiat_p256_addcarryx_u32(&x91, &x92, x90, x82, x79); + fiat_p256_addcarryx_u32(&x93, &x94, x92, x80, x77); + fiat_p256_addcarryx_u32(&x95, &x96, x94, x78, x75); + fiat_p256_addcarryx_u32(&x97, &x98, x96, x76, x73); + fiat_p256_addcarryx_u32(&x99, &x100, x98, x74, x71); + x101 = (x100 + x72); + fiat_p256_addcarryx_u32(&x102, &x103, 0x0, x55, x85); + fiat_p256_addcarryx_u32(&x104, &x105, x103, x57, x87); + fiat_p256_addcarryx_u32(&x106, &x107, x105, x59, x89); + fiat_p256_addcarryx_u32(&x108, &x109, x107, x61, x91); + fiat_p256_addcarryx_u32(&x110, &x111, x109, x63, x93); + fiat_p256_addcarryx_u32(&x112, &x113, x111, x65, x95); + fiat_p256_addcarryx_u32(&x114, &x115, x113, x67, x97); + fiat_p256_addcarryx_u32(&x116, &x117, x115, x69, x99); + fiat_p256_addcarryx_u32(&x118, &x119, x117, x70, x101); + fiat_p256_mulx_u32(&x120, &x121, x102, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x122, &x123, x102, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x124, &x125, x102, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x126, &x127, x102, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x128, &x129, 0x0, x127, x124); + fiat_p256_addcarryx_u32(&x130, &x131, x129, x125, x122); + x132 = (x131 + x123); + fiat_p256_addcarryx_u32(&x133, &x134, 0x0, x102, x126); + fiat_p256_addcarryx_u32(&x135, &x136, x134, x104, x128); + fiat_p256_addcarryx_u32(&x137, &x138, x136, x106, x130); + fiat_p256_addcarryx_u32(&x139, &x140, x138, x108, x132); + fiat_p256_addcarryx_u32(&x141, &x142, x140, x110, 0x0); + fiat_p256_addcarryx_u32(&x143, &x144, x142, x112, 0x0); + fiat_p256_addcarryx_u32(&x145, &x146, x144, x114, x102); + fiat_p256_addcarryx_u32(&x147, &x148, x146, x116, x120); + fiat_p256_addcarryx_u32(&x149, &x150, x148, x118, x121); + x151 = ((uint32_t)x150 + x119); + fiat_p256_mulx_u32(&x152, &x153, x2, (arg1[7])); + fiat_p256_mulx_u32(&x154, &x155, x2, (arg1[6])); + fiat_p256_mulx_u32(&x156, &x157, x2, (arg1[5])); + fiat_p256_mulx_u32(&x158, &x159, x2, (arg1[4])); + fiat_p256_mulx_u32(&x160, &x161, x2, (arg1[3])); + fiat_p256_mulx_u32(&x162, &x163, x2, (arg1[2])); + fiat_p256_mulx_u32(&x164, &x165, x2, (arg1[1])); + fiat_p256_mulx_u32(&x166, &x167, x2, (arg1[0])); + fiat_p256_addcarryx_u32(&x168, &x169, 0x0, x167, x164); + fiat_p256_addcarryx_u32(&x170, &x171, x169, x165, x162); + fiat_p256_addcarryx_u32(&x172, &x173, x171, x163, x160); + fiat_p256_addcarryx_u32(&x174, &x175, x173, x161, x158); + fiat_p256_addcarryx_u32(&x176, &x177, x175, x159, x156); + fiat_p256_addcarryx_u32(&x178, &x179, x177, x157, x154); + fiat_p256_addcarryx_u32(&x180, &x181, x179, x155, x152); + x182 = (x181 + x153); + fiat_p256_addcarryx_u32(&x183, &x184, 0x0, x135, x166); + fiat_p256_addcarryx_u32(&x185, &x186, x184, x137, x168); + fiat_p256_addcarryx_u32(&x187, &x188, x186, x139, x170); + fiat_p256_addcarryx_u32(&x189, &x190, x188, x141, x172); + fiat_p256_addcarryx_u32(&x191, &x192, x190, x143, x174); + fiat_p256_addcarryx_u32(&x193, &x194, x192, x145, x176); + fiat_p256_addcarryx_u32(&x195, &x196, x194, x147, x178); + fiat_p256_addcarryx_u32(&x197, &x198, x196, x149, x180); + fiat_p256_addcarryx_u32(&x199, &x200, x198, x151, x182); + fiat_p256_mulx_u32(&x201, &x202, x183, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x203, &x204, x183, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x205, &x206, x183, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x207, &x208, x183, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x209, &x210, 0x0, x208, x205); + fiat_p256_addcarryx_u32(&x211, &x212, x210, x206, x203); + x213 = (x212 + x204); + fiat_p256_addcarryx_u32(&x214, &x215, 0x0, x183, x207); + fiat_p256_addcarryx_u32(&x216, &x217, x215, x185, x209); + fiat_p256_addcarryx_u32(&x218, &x219, x217, x187, x211); + fiat_p256_addcarryx_u32(&x220, &x221, x219, x189, x213); + fiat_p256_addcarryx_u32(&x222, &x223, x221, x191, 0x0); + fiat_p256_addcarryx_u32(&x224, &x225, x223, x193, 0x0); + fiat_p256_addcarryx_u32(&x226, &x227, x225, x195, x183); + fiat_p256_addcarryx_u32(&x228, &x229, x227, x197, x201); + fiat_p256_addcarryx_u32(&x230, &x231, x229, x199, x202); + x232 = ((uint32_t)x231 + x200); + fiat_p256_mulx_u32(&x233, &x234, x3, (arg1[7])); + fiat_p256_mulx_u32(&x235, &x236, x3, (arg1[6])); + fiat_p256_mulx_u32(&x237, &x238, x3, (arg1[5])); + fiat_p256_mulx_u32(&x239, &x240, x3, (arg1[4])); + fiat_p256_mulx_u32(&x241, &x242, x3, (arg1[3])); + fiat_p256_mulx_u32(&x243, &x244, x3, (arg1[2])); + fiat_p256_mulx_u32(&x245, &x246, x3, (arg1[1])); + fiat_p256_mulx_u32(&x247, &x248, x3, (arg1[0])); + fiat_p256_addcarryx_u32(&x249, &x250, 0x0, x248, x245); + fiat_p256_addcarryx_u32(&x251, &x252, x250, x246, x243); + fiat_p256_addcarryx_u32(&x253, &x254, x252, x244, x241); + fiat_p256_addcarryx_u32(&x255, &x256, x254, x242, x239); + fiat_p256_addcarryx_u32(&x257, &x258, x256, x240, x237); + fiat_p256_addcarryx_u32(&x259, &x260, x258, x238, x235); + fiat_p256_addcarryx_u32(&x261, &x262, x260, x236, x233); + x263 = (x262 + x234); + fiat_p256_addcarryx_u32(&x264, &x265, 0x0, x216, x247); + fiat_p256_addcarryx_u32(&x266, &x267, x265, x218, x249); + fiat_p256_addcarryx_u32(&x268, &x269, x267, x220, x251); + fiat_p256_addcarryx_u32(&x270, &x271, x269, x222, x253); + fiat_p256_addcarryx_u32(&x272, &x273, x271, x224, x255); + fiat_p256_addcarryx_u32(&x274, &x275, x273, x226, x257); + fiat_p256_addcarryx_u32(&x276, &x277, x275, x228, x259); + fiat_p256_addcarryx_u32(&x278, &x279, x277, x230, x261); + fiat_p256_addcarryx_u32(&x280, &x281, x279, x232, x263); + fiat_p256_mulx_u32(&x282, &x283, x264, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x284, &x285, x264, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x286, &x287, x264, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x288, &x289, x264, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x290, &x291, 0x0, x289, x286); + fiat_p256_addcarryx_u32(&x292, &x293, x291, x287, x284); + x294 = (x293 + x285); + fiat_p256_addcarryx_u32(&x295, &x296, 0x0, x264, x288); + fiat_p256_addcarryx_u32(&x297, &x298, x296, x266, x290); + fiat_p256_addcarryx_u32(&x299, &x300, x298, x268, x292); + fiat_p256_addcarryx_u32(&x301, &x302, x300, x270, x294); + fiat_p256_addcarryx_u32(&x303, &x304, x302, x272, 0x0); + fiat_p256_addcarryx_u32(&x305, &x306, x304, x274, 0x0); + fiat_p256_addcarryx_u32(&x307, &x308, x306, x276, x264); + fiat_p256_addcarryx_u32(&x309, &x310, x308, x278, x282); + fiat_p256_addcarryx_u32(&x311, &x312, x310, x280, x283); + x313 = ((uint32_t)x312 + x281); + fiat_p256_mulx_u32(&x314, &x315, x4, (arg1[7])); + fiat_p256_mulx_u32(&x316, &x317, x4, (arg1[6])); + fiat_p256_mulx_u32(&x318, &x319, x4, (arg1[5])); + fiat_p256_mulx_u32(&x320, &x321, x4, (arg1[4])); + fiat_p256_mulx_u32(&x322, &x323, x4, (arg1[3])); + fiat_p256_mulx_u32(&x324, &x325, x4, (arg1[2])); + fiat_p256_mulx_u32(&x326, &x327, x4, (arg1[1])); + fiat_p256_mulx_u32(&x328, &x329, x4, (arg1[0])); + fiat_p256_addcarryx_u32(&x330, &x331, 0x0, x329, x326); + fiat_p256_addcarryx_u32(&x332, &x333, x331, x327, x324); + fiat_p256_addcarryx_u32(&x334, &x335, x333, x325, x322); + fiat_p256_addcarryx_u32(&x336, &x337, x335, x323, x320); + fiat_p256_addcarryx_u32(&x338, &x339, x337, x321, x318); + fiat_p256_addcarryx_u32(&x340, &x341, x339, x319, x316); + fiat_p256_addcarryx_u32(&x342, &x343, x341, x317, x314); + x344 = (x343 + x315); + fiat_p256_addcarryx_u32(&x345, &x346, 0x0, x297, x328); + fiat_p256_addcarryx_u32(&x347, &x348, x346, x299, x330); + fiat_p256_addcarryx_u32(&x349, &x350, x348, x301, x332); + fiat_p256_addcarryx_u32(&x351, &x352, x350, x303, x334); + fiat_p256_addcarryx_u32(&x353, &x354, x352, x305, x336); + fiat_p256_addcarryx_u32(&x355, &x356, x354, x307, x338); + fiat_p256_addcarryx_u32(&x357, &x358, x356, x309, x340); + fiat_p256_addcarryx_u32(&x359, &x360, x358, x311, x342); + fiat_p256_addcarryx_u32(&x361, &x362, x360, x313, x344); + fiat_p256_mulx_u32(&x363, &x364, x345, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x365, &x366, x345, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x367, &x368, x345, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x369, &x370, x345, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x371, &x372, 0x0, x370, x367); + fiat_p256_addcarryx_u32(&x373, &x374, x372, x368, x365); + x375 = (x374 + x366); + fiat_p256_addcarryx_u32(&x376, &x377, 0x0, x345, x369); + fiat_p256_addcarryx_u32(&x378, &x379, x377, x347, x371); + fiat_p256_addcarryx_u32(&x380, &x381, x379, x349, x373); + fiat_p256_addcarryx_u32(&x382, &x383, x381, x351, x375); + fiat_p256_addcarryx_u32(&x384, &x385, x383, x353, 0x0); + fiat_p256_addcarryx_u32(&x386, &x387, x385, x355, 0x0); + fiat_p256_addcarryx_u32(&x388, &x389, x387, x357, x345); + fiat_p256_addcarryx_u32(&x390, &x391, x389, x359, x363); + fiat_p256_addcarryx_u32(&x392, &x393, x391, x361, x364); + x394 = ((uint32_t)x393 + x362); + fiat_p256_mulx_u32(&x395, &x396, x5, (arg1[7])); + fiat_p256_mulx_u32(&x397, &x398, x5, (arg1[6])); + fiat_p256_mulx_u32(&x399, &x400, x5, (arg1[5])); + fiat_p256_mulx_u32(&x401, &x402, x5, (arg1[4])); + fiat_p256_mulx_u32(&x403, &x404, x5, (arg1[3])); + fiat_p256_mulx_u32(&x405, &x406, x5, (arg1[2])); + fiat_p256_mulx_u32(&x407, &x408, x5, (arg1[1])); + fiat_p256_mulx_u32(&x409, &x410, x5, (arg1[0])); + fiat_p256_addcarryx_u32(&x411, &x412, 0x0, x410, x407); + fiat_p256_addcarryx_u32(&x413, &x414, x412, x408, x405); + fiat_p256_addcarryx_u32(&x415, &x416, x414, x406, x403); + fiat_p256_addcarryx_u32(&x417, &x418, x416, x404, x401); + fiat_p256_addcarryx_u32(&x419, &x420, x418, x402, x399); + fiat_p256_addcarryx_u32(&x421, &x422, x420, x400, x397); + fiat_p256_addcarryx_u32(&x423, &x424, x422, x398, x395); + x425 = (x424 + x396); + fiat_p256_addcarryx_u32(&x426, &x427, 0x0, x378, x409); + fiat_p256_addcarryx_u32(&x428, &x429, x427, x380, x411); + fiat_p256_addcarryx_u32(&x430, &x431, x429, x382, x413); + fiat_p256_addcarryx_u32(&x432, &x433, x431, x384, x415); + fiat_p256_addcarryx_u32(&x434, &x435, x433, x386, x417); + fiat_p256_addcarryx_u32(&x436, &x437, x435, x388, x419); + fiat_p256_addcarryx_u32(&x438, &x439, x437, x390, x421); + fiat_p256_addcarryx_u32(&x440, &x441, x439, x392, x423); + fiat_p256_addcarryx_u32(&x442, &x443, x441, x394, x425); + fiat_p256_mulx_u32(&x444, &x445, x426, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x446, &x447, x426, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x448, &x449, x426, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x450, &x451, x426, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x452, &x453, 0x0, x451, x448); + fiat_p256_addcarryx_u32(&x454, &x455, x453, x449, x446); + x456 = (x455 + x447); + fiat_p256_addcarryx_u32(&x457, &x458, 0x0, x426, x450); + fiat_p256_addcarryx_u32(&x459, &x460, x458, x428, x452); + fiat_p256_addcarryx_u32(&x461, &x462, x460, x430, x454); + fiat_p256_addcarryx_u32(&x463, &x464, x462, x432, x456); + fiat_p256_addcarryx_u32(&x465, &x466, x464, x434, 0x0); + fiat_p256_addcarryx_u32(&x467, &x468, x466, x436, 0x0); + fiat_p256_addcarryx_u32(&x469, &x470, x468, x438, x426); + fiat_p256_addcarryx_u32(&x471, &x472, x470, x440, x444); + fiat_p256_addcarryx_u32(&x473, &x474, x472, x442, x445); + x475 = ((uint32_t)x474 + x443); + fiat_p256_mulx_u32(&x476, &x477, x6, (arg1[7])); + fiat_p256_mulx_u32(&x478, &x479, x6, (arg1[6])); + fiat_p256_mulx_u32(&x480, &x481, x6, (arg1[5])); + fiat_p256_mulx_u32(&x482, &x483, x6, (arg1[4])); + fiat_p256_mulx_u32(&x484, &x485, x6, (arg1[3])); + fiat_p256_mulx_u32(&x486, &x487, x6, (arg1[2])); + fiat_p256_mulx_u32(&x488, &x489, x6, (arg1[1])); + fiat_p256_mulx_u32(&x490, &x491, x6, (arg1[0])); + fiat_p256_addcarryx_u32(&x492, &x493, 0x0, x491, x488); + fiat_p256_addcarryx_u32(&x494, &x495, x493, x489, x486); + fiat_p256_addcarryx_u32(&x496, &x497, x495, x487, x484); + fiat_p256_addcarryx_u32(&x498, &x499, x497, x485, x482); + fiat_p256_addcarryx_u32(&x500, &x501, x499, x483, x480); + fiat_p256_addcarryx_u32(&x502, &x503, x501, x481, x478); + fiat_p256_addcarryx_u32(&x504, &x505, x503, x479, x476); + x506 = (x505 + x477); + fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x459, x490); + fiat_p256_addcarryx_u32(&x509, &x510, x508, x461, x492); + fiat_p256_addcarryx_u32(&x511, &x512, x510, x463, x494); + fiat_p256_addcarryx_u32(&x513, &x514, x512, x465, x496); + fiat_p256_addcarryx_u32(&x515, &x516, x514, x467, x498); + fiat_p256_addcarryx_u32(&x517, &x518, x516, x469, x500); + fiat_p256_addcarryx_u32(&x519, &x520, x518, x471, x502); + fiat_p256_addcarryx_u32(&x521, &x522, x520, x473, x504); + fiat_p256_addcarryx_u32(&x523, &x524, x522, x475, x506); + fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x531, &x532, x507, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x533, &x534, 0x0, x532, x529); + fiat_p256_addcarryx_u32(&x535, &x536, x534, x530, x527); + x537 = (x536 + x528); + fiat_p256_addcarryx_u32(&x538, &x539, 0x0, x507, x531); + fiat_p256_addcarryx_u32(&x540, &x541, x539, x509, x533); + fiat_p256_addcarryx_u32(&x542, &x543, x541, x511, x535); + fiat_p256_addcarryx_u32(&x544, &x545, x543, x513, x537); + fiat_p256_addcarryx_u32(&x546, &x547, x545, x515, 0x0); + fiat_p256_addcarryx_u32(&x548, &x549, x547, x517, 0x0); + fiat_p256_addcarryx_u32(&x550, &x551, x549, x519, x507); + fiat_p256_addcarryx_u32(&x552, &x553, x551, x521, x525); + fiat_p256_addcarryx_u32(&x554, &x555, x553, x523, x526); + x556 = ((uint32_t)x555 + x524); + fiat_p256_mulx_u32(&x557, &x558, x7, (arg1[7])); + fiat_p256_mulx_u32(&x559, &x560, x7, (arg1[6])); + fiat_p256_mulx_u32(&x561, &x562, x7, (arg1[5])); + fiat_p256_mulx_u32(&x563, &x564, x7, (arg1[4])); + fiat_p256_mulx_u32(&x565, &x566, x7, (arg1[3])); + fiat_p256_mulx_u32(&x567, &x568, x7, (arg1[2])); + fiat_p256_mulx_u32(&x569, &x570, x7, (arg1[1])); + fiat_p256_mulx_u32(&x571, &x572, x7, (arg1[0])); + fiat_p256_addcarryx_u32(&x573, &x574, 0x0, x572, x569); + fiat_p256_addcarryx_u32(&x575, &x576, x574, x570, x567); + fiat_p256_addcarryx_u32(&x577, &x578, x576, x568, x565); + fiat_p256_addcarryx_u32(&x579, &x580, x578, x566, x563); + fiat_p256_addcarryx_u32(&x581, &x582, x580, x564, x561); + fiat_p256_addcarryx_u32(&x583, &x584, x582, x562, x559); + fiat_p256_addcarryx_u32(&x585, &x586, x584, x560, x557); + x587 = (x586 + x558); + fiat_p256_addcarryx_u32(&x588, &x589, 0x0, x540, x571); + fiat_p256_addcarryx_u32(&x590, &x591, x589, x542, x573); + fiat_p256_addcarryx_u32(&x592, &x593, x591, x544, x575); + fiat_p256_addcarryx_u32(&x594, &x595, x593, x546, x577); + fiat_p256_addcarryx_u32(&x596, &x597, x595, x548, x579); + fiat_p256_addcarryx_u32(&x598, &x599, x597, x550, x581); + fiat_p256_addcarryx_u32(&x600, &x601, x599, x552, x583); + fiat_p256_addcarryx_u32(&x602, &x603, x601, x554, x585); + fiat_p256_addcarryx_u32(&x604, &x605, x603, x556, x587); + fiat_p256_mulx_u32(&x606, &x607, x588, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x608, &x609, x588, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x610, &x611, x588, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x612, &x613, x588, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x614, &x615, 0x0, x613, x610); + fiat_p256_addcarryx_u32(&x616, &x617, x615, x611, x608); + x618 = (x617 + x609); + fiat_p256_addcarryx_u32(&x619, &x620, 0x0, x588, x612); + fiat_p256_addcarryx_u32(&x621, &x622, x620, x590, x614); + fiat_p256_addcarryx_u32(&x623, &x624, x622, x592, x616); + fiat_p256_addcarryx_u32(&x625, &x626, x624, x594, x618); + fiat_p256_addcarryx_u32(&x627, &x628, x626, x596, 0x0); + fiat_p256_addcarryx_u32(&x629, &x630, x628, x598, 0x0); + fiat_p256_addcarryx_u32(&x631, &x632, x630, x600, x588); + fiat_p256_addcarryx_u32(&x633, &x634, x632, x602, x606); + fiat_p256_addcarryx_u32(&x635, &x636, x634, x604, x607); + x637 = ((uint32_t)x636 + x605); + fiat_p256_subborrowx_u32(&x638, &x639, 0x0, x621, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x640, &x641, x639, x623, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x642, &x643, x641, x625, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x644, &x645, x643, x627, 0x0); + fiat_p256_subborrowx_u32(&x646, &x647, x645, x629, 0x0); + fiat_p256_subborrowx_u32(&x648, &x649, x647, x631, 0x0); + fiat_p256_subborrowx_u32(&x650, &x651, x649, x633, 0x1); + fiat_p256_subborrowx_u32(&x652, &x653, x651, x635, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x654, &x655, x653, x637, 0x0); + fiat_p256_cmovznz_u32(&x656, x655, x638, x621); + fiat_p256_cmovznz_u32(&x657, x655, x640, x623); + fiat_p256_cmovznz_u32(&x658, x655, x642, x625); + fiat_p256_cmovznz_u32(&x659, x655, x644, x627); + fiat_p256_cmovznz_u32(&x660, x655, x646, x629); + fiat_p256_cmovznz_u32(&x661, x655, x648, x631); + fiat_p256_cmovznz_u32(&x662, x655, x650, x633); fiat_p256_cmovznz_u32(&x663, x655, x652, x635); out1[0] = x656; out1[1] = x657; @@ -2128,6 +2221,7 @@ static void fiat_p256_square(uint32_t out1[8], const uint32_t arg1[8]) { /* * The function fiat_p256_add adds two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -2135,79 +2229,74 @@ static void fiat_p256_square(uint32_t out1[8], const uint32_t arg1[8]) { * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_add(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { uint32_t x1; fiat_p256_uint1 x2; - fiat_p256_addcarryx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); uint32_t x3; fiat_p256_uint1 x4; - fiat_p256_addcarryx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); uint32_t x5; fiat_p256_uint1 x6; - fiat_p256_addcarryx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); uint32_t x7; fiat_p256_uint1 x8; - fiat_p256_addcarryx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); uint32_t x9; fiat_p256_uint1 x10; - fiat_p256_addcarryx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); uint32_t x11; fiat_p256_uint1 x12; - fiat_p256_addcarryx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); uint32_t x13; fiat_p256_uint1 x14; - fiat_p256_addcarryx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); uint32_t x15; fiat_p256_uint1 x16; - fiat_p256_addcarryx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); uint32_t x17; fiat_p256_uint1 x18; - fiat_p256_subborrowx_u32(&x17, &x18, 0x0, x1, UINT32_C(0xffffffff)); uint32_t x19; fiat_p256_uint1 x20; - fiat_p256_subborrowx_u32(&x19, &x20, x18, x3, UINT32_C(0xffffffff)); uint32_t x21; fiat_p256_uint1 x22; - fiat_p256_subborrowx_u32(&x21, &x22, x20, x5, UINT32_C(0xffffffff)); uint32_t x23; fiat_p256_uint1 x24; - fiat_p256_subborrowx_u32(&x23, &x24, x22, x7, 0x0); uint32_t x25; fiat_p256_uint1 x26; - fiat_p256_subborrowx_u32(&x25, &x26, x24, x9, 0x0); uint32_t x27; fiat_p256_uint1 x28; - fiat_p256_subborrowx_u32(&x27, &x28, x26, x11, 0x0); uint32_t x29; fiat_p256_uint1 x30; - fiat_p256_subborrowx_u32(&x29, &x30, x28, x13, 0x1); uint32_t x31; fiat_p256_uint1 x32; - fiat_p256_subborrowx_u32(&x31, &x32, x30, x15, UINT32_C(0xffffffff)); uint32_t x33; fiat_p256_uint1 x34; - fiat_p256_subborrowx_u32(&x33, &x34, x32, x16, 0x0); uint32_t x35; - fiat_p256_cmovznz_u32(&x35, x34, x17, x1); uint32_t x36; - fiat_p256_cmovznz_u32(&x36, x34, x19, x3); uint32_t x37; - fiat_p256_cmovznz_u32(&x37, x34, x21, x5); uint32_t x38; - fiat_p256_cmovznz_u32(&x38, x34, x23, x7); uint32_t x39; - fiat_p256_cmovznz_u32(&x39, x34, x25, x9); uint32_t x40; - fiat_p256_cmovznz_u32(&x40, x34, x27, x11); uint32_t x41; - fiat_p256_cmovznz_u32(&x41, x34, x29, x13); uint32_t x42; + fiat_p256_addcarryx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_p256_addcarryx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_p256_addcarryx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); + fiat_p256_addcarryx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_p256_addcarryx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); + fiat_p256_addcarryx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); + fiat_p256_addcarryx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); + fiat_p256_addcarryx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); + fiat_p256_subborrowx_u32(&x17, &x18, 0x0, x1, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x19, &x20, x18, x3, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x21, &x22, x20, x5, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x23, &x24, x22, x7, 0x0); + fiat_p256_subborrowx_u32(&x25, &x26, x24, x9, 0x0); + fiat_p256_subborrowx_u32(&x27, &x28, x26, x11, 0x0); + fiat_p256_subborrowx_u32(&x29, &x30, x28, x13, 0x1); + fiat_p256_subborrowx_u32(&x31, &x32, x30, x15, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x33, &x34, x32, x16, 0x0); + fiat_p256_cmovznz_u32(&x35, x34, x17, x1); + fiat_p256_cmovznz_u32(&x36, x34, x19, x3); + fiat_p256_cmovznz_u32(&x37, x34, x21, x5); + fiat_p256_cmovznz_u32(&x38, x34, x23, x7); + fiat_p256_cmovznz_u32(&x39, x34, x25, x9); + fiat_p256_cmovznz_u32(&x40, x34, x27, x11); + fiat_p256_cmovznz_u32(&x41, x34, x29, x13); fiat_p256_cmovznz_u32(&x42, x34, x31, x15); out1[0] = x35; out1[1] = x36; @@ -2221,6 +2310,7 @@ static void fiat_p256_add(uint32_t out1[8], const uint32_t arg1[8], const uint32 /* * The function fiat_p256_sub subtracts two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -2228,63 +2318,58 @@ static void fiat_p256_add(uint32_t out1[8], const uint32_t arg1[8], const uint32 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_sub(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { uint32_t x1; fiat_p256_uint1 x2; - fiat_p256_subborrowx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); uint32_t x3; fiat_p256_uint1 x4; - fiat_p256_subborrowx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); uint32_t x5; fiat_p256_uint1 x6; - fiat_p256_subborrowx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); uint32_t x7; fiat_p256_uint1 x8; - fiat_p256_subborrowx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); uint32_t x9; fiat_p256_uint1 x10; - fiat_p256_subborrowx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); uint32_t x11; fiat_p256_uint1 x12; - fiat_p256_subborrowx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); uint32_t x13; fiat_p256_uint1 x14; - fiat_p256_subborrowx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); uint32_t x15; fiat_p256_uint1 x16; - fiat_p256_subborrowx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); uint32_t x17; - fiat_p256_cmovznz_u32(&x17, x16, 0x0, UINT32_C(0xffffffff)); uint32_t x18; fiat_p256_uint1 x19; - fiat_p256_addcarryx_u32(&x18, &x19, 0x0, x1, (x17 & UINT32_C(0xffffffff))); uint32_t x20; fiat_p256_uint1 x21; - fiat_p256_addcarryx_u32(&x20, &x21, x19, x3, (x17 & UINT32_C(0xffffffff))); uint32_t x22; fiat_p256_uint1 x23; - fiat_p256_addcarryx_u32(&x22, &x23, x21, x5, (x17 & UINT32_C(0xffffffff))); uint32_t x24; fiat_p256_uint1 x25; - fiat_p256_addcarryx_u32(&x24, &x25, x23, x7, 0x0); uint32_t x26; fiat_p256_uint1 x27; - fiat_p256_addcarryx_u32(&x26, &x27, x25, x9, 0x0); uint32_t x28; fiat_p256_uint1 x29; - fiat_p256_addcarryx_u32(&x28, &x29, x27, x11, 0x0); uint32_t x30; fiat_p256_uint1 x31; - fiat_p256_addcarryx_u32(&x30, &x31, x29, x13, (fiat_p256_uint1)(x17 & 0x1)); uint32_t x32; fiat_p256_uint1 x33; - fiat_p256_addcarryx_u32(&x32, &x33, x31, x15, (x17 & UINT32_C(0xffffffff))); + fiat_p256_subborrowx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_p256_subborrowx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_p256_subborrowx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); + fiat_p256_subborrowx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_p256_subborrowx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); + fiat_p256_subborrowx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); + fiat_p256_subborrowx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); + fiat_p256_subborrowx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); + fiat_p256_cmovznz_u32(&x17, x16, 0x0, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x18, &x19, 0x0, x1, x17); + fiat_p256_addcarryx_u32(&x20, &x21, x19, x3, x17); + fiat_p256_addcarryx_u32(&x22, &x23, x21, x5, x17); + fiat_p256_addcarryx_u32(&x24, &x25, x23, x7, 0x0); + fiat_p256_addcarryx_u32(&x26, &x27, x25, x9, 0x0); + fiat_p256_addcarryx_u32(&x28, &x29, x27, x11, 0x0); + fiat_p256_addcarryx_u32(&x30, &x31, x29, x13, (fiat_p256_uint1)(x17 & 0x1)); + fiat_p256_addcarryx_u32(&x32, &x33, x31, x15, x17); out1[0] = x18; out1[1] = x20; out1[2] = x22; @@ -2297,68 +2382,65 @@ static void fiat_p256_sub(uint32_t out1[8], const uint32_t arg1[8], const uint32 /* * The function fiat_p256_opp negates a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_opp(uint32_t out1[8], const uint32_t arg1[8]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { uint32_t x1; fiat_p256_uint1 x2; - fiat_p256_subborrowx_u32(&x1, &x2, 0x0, 0x0, (arg1[0])); uint32_t x3; fiat_p256_uint1 x4; - fiat_p256_subborrowx_u32(&x3, &x4, x2, 0x0, (arg1[1])); uint32_t x5; fiat_p256_uint1 x6; - fiat_p256_subborrowx_u32(&x5, &x6, x4, 0x0, (arg1[2])); uint32_t x7; fiat_p256_uint1 x8; - fiat_p256_subborrowx_u32(&x7, &x8, x6, 0x0, (arg1[3])); uint32_t x9; fiat_p256_uint1 x10; - fiat_p256_subborrowx_u32(&x9, &x10, x8, 0x0, (arg1[4])); uint32_t x11; fiat_p256_uint1 x12; - fiat_p256_subborrowx_u32(&x11, &x12, x10, 0x0, (arg1[5])); uint32_t x13; fiat_p256_uint1 x14; - fiat_p256_subborrowx_u32(&x13, &x14, x12, 0x0, (arg1[6])); uint32_t x15; fiat_p256_uint1 x16; - fiat_p256_subborrowx_u32(&x15, &x16, x14, 0x0, (arg1[7])); uint32_t x17; - fiat_p256_cmovznz_u32(&x17, x16, 0x0, UINT32_C(0xffffffff)); uint32_t x18; fiat_p256_uint1 x19; - fiat_p256_addcarryx_u32(&x18, &x19, 0x0, x1, (x17 & UINT32_C(0xffffffff))); uint32_t x20; fiat_p256_uint1 x21; - fiat_p256_addcarryx_u32(&x20, &x21, x19, x3, (x17 & UINT32_C(0xffffffff))); uint32_t x22; fiat_p256_uint1 x23; - fiat_p256_addcarryx_u32(&x22, &x23, x21, x5, (x17 & UINT32_C(0xffffffff))); uint32_t x24; fiat_p256_uint1 x25; - fiat_p256_addcarryx_u32(&x24, &x25, x23, x7, 0x0); uint32_t x26; fiat_p256_uint1 x27; - fiat_p256_addcarryx_u32(&x26, &x27, x25, x9, 0x0); uint32_t x28; fiat_p256_uint1 x29; - fiat_p256_addcarryx_u32(&x28, &x29, x27, x11, 0x0); uint32_t x30; fiat_p256_uint1 x31; - fiat_p256_addcarryx_u32(&x30, &x31, x29, x13, (fiat_p256_uint1)(x17 & 0x1)); uint32_t x32; fiat_p256_uint1 x33; - fiat_p256_addcarryx_u32(&x32, &x33, x31, x15, (x17 & UINT32_C(0xffffffff))); + fiat_p256_subborrowx_u32(&x1, &x2, 0x0, 0x0, (arg1[0])); + fiat_p256_subborrowx_u32(&x3, &x4, x2, 0x0, (arg1[1])); + fiat_p256_subborrowx_u32(&x5, &x6, x4, 0x0, (arg1[2])); + fiat_p256_subborrowx_u32(&x7, &x8, x6, 0x0, (arg1[3])); + fiat_p256_subborrowx_u32(&x9, &x10, x8, 0x0, (arg1[4])); + fiat_p256_subborrowx_u32(&x11, &x12, x10, 0x0, (arg1[5])); + fiat_p256_subborrowx_u32(&x13, &x14, x12, 0x0, (arg1[6])); + fiat_p256_subborrowx_u32(&x15, &x16, x14, 0x0, (arg1[7])); + fiat_p256_cmovznz_u32(&x17, x16, 0x0, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x18, &x19, 0x0, x1, x17); + fiat_p256_addcarryx_u32(&x20, &x21, x19, x3, x17); + fiat_p256_addcarryx_u32(&x22, &x23, x21, x5, x17); + fiat_p256_addcarryx_u32(&x24, &x25, x23, x7, 0x0); + fiat_p256_addcarryx_u32(&x26, &x27, x25, x9, 0x0); + fiat_p256_addcarryx_u32(&x28, &x29, x27, x11, 0x0); + fiat_p256_addcarryx_u32(&x30, &x31, x29, x13, (fiat_p256_uint1)(x17 & 0x1)); + fiat_p256_addcarryx_u32(&x32, &x33, x31, x15, x17); out1[0] = x18; out1[1] = x20; out1[2] = x22; @@ -2371,532 +2453,530 @@ static void fiat_p256_opp(uint32_t out1[8], const uint32_t arg1[8]) { /* * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_from_montgomery(uint32_t out1[8], const uint32_t arg1[8]) { - uint32_t x1 = (arg1[0]); +static FIAT_P256_FIAT_INLINE void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint32_t x1; uint32_t x2; uint32_t x3; - fiat_p256_mulx_u32(&x2, &x3, x1, UINT32_C(0xffffffff)); uint32_t x4; uint32_t x5; - fiat_p256_mulx_u32(&x4, &x5, x1, UINT32_C(0xffffffff)); uint32_t x6; uint32_t x7; - fiat_p256_mulx_u32(&x6, &x7, x1, UINT32_C(0xffffffff)); uint32_t x8; uint32_t x9; - fiat_p256_mulx_u32(&x8, &x9, x1, UINT32_C(0xffffffff)); uint32_t x10; fiat_p256_uint1 x11; - fiat_p256_addcarryx_u32(&x10, &x11, 0x0, x9, x6); uint32_t x12; fiat_p256_uint1 x13; - fiat_p256_addcarryx_u32(&x12, &x13, x11, x7, x4); uint32_t x14; fiat_p256_uint1 x15; - fiat_p256_addcarryx_u32(&x14, &x15, 0x0, x1, x8); uint32_t x16; fiat_p256_uint1 x17; - fiat_p256_addcarryx_u32(&x16, &x17, x15, 0x0, x10); uint32_t x18; fiat_p256_uint1 x19; - fiat_p256_addcarryx_u32(&x18, &x19, x17, 0x0, x12); uint32_t x20; fiat_p256_uint1 x21; - fiat_p256_addcarryx_u32(&x20, &x21, x19, 0x0, (x13 + x5)); uint32_t x22; fiat_p256_uint1 x23; - fiat_p256_addcarryx_u32(&x22, &x23, 0x0, x16, (arg1[1])); uint32_t x24; fiat_p256_uint1 x25; - fiat_p256_addcarryx_u32(&x24, &x25, x23, x18, 0x0); uint32_t x26; fiat_p256_uint1 x27; - fiat_p256_addcarryx_u32(&x26, &x27, x25, x20, 0x0); uint32_t x28; uint32_t x29; - fiat_p256_mulx_u32(&x28, &x29, x22, UINT32_C(0xffffffff)); uint32_t x30; uint32_t x31; - fiat_p256_mulx_u32(&x30, &x31, x22, UINT32_C(0xffffffff)); uint32_t x32; uint32_t x33; - fiat_p256_mulx_u32(&x32, &x33, x22, UINT32_C(0xffffffff)); uint32_t x34; uint32_t x35; - fiat_p256_mulx_u32(&x34, &x35, x22, UINT32_C(0xffffffff)); uint32_t x36; fiat_p256_uint1 x37; - fiat_p256_addcarryx_u32(&x36, &x37, 0x0, x35, x32); uint32_t x38; fiat_p256_uint1 x39; - fiat_p256_addcarryx_u32(&x38, &x39, x37, x33, x30); uint32_t x40; fiat_p256_uint1 x41; - fiat_p256_addcarryx_u32(&x40, &x41, 0x0, x22, x34); uint32_t x42; fiat_p256_uint1 x43; - fiat_p256_addcarryx_u32(&x42, &x43, x41, x24, x36); uint32_t x44; fiat_p256_uint1 x45; - fiat_p256_addcarryx_u32(&x44, &x45, x43, x26, x38); uint32_t x46; fiat_p256_uint1 x47; - fiat_p256_addcarryx_u32(&x46, &x47, x45, ((uint32_t)x27 + x21), (x39 + x31)); uint32_t x48; fiat_p256_uint1 x49; - fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x2, x22); uint32_t x50; fiat_p256_uint1 x51; - fiat_p256_addcarryx_u32(&x50, &x51, x49, x3, x28); uint32_t x52; fiat_p256_uint1 x53; - fiat_p256_addcarryx_u32(&x52, &x53, 0x0, x42, (arg1[2])); uint32_t x54; fiat_p256_uint1 x55; - fiat_p256_addcarryx_u32(&x54, &x55, x53, x44, 0x0); uint32_t x56; fiat_p256_uint1 x57; - fiat_p256_addcarryx_u32(&x56, &x57, x55, x46, 0x0); uint32_t x58; uint32_t x59; - fiat_p256_mulx_u32(&x58, &x59, x52, UINT32_C(0xffffffff)); uint32_t x60; uint32_t x61; - fiat_p256_mulx_u32(&x60, &x61, x52, UINT32_C(0xffffffff)); uint32_t x62; uint32_t x63; - fiat_p256_mulx_u32(&x62, &x63, x52, UINT32_C(0xffffffff)); uint32_t x64; uint32_t x65; - fiat_p256_mulx_u32(&x64, &x65, x52, UINT32_C(0xffffffff)); uint32_t x66; fiat_p256_uint1 x67; - fiat_p256_addcarryx_u32(&x66, &x67, 0x0, x65, x62); uint32_t x68; fiat_p256_uint1 x69; - fiat_p256_addcarryx_u32(&x68, &x69, x67, x63, x60); uint32_t x70; fiat_p256_uint1 x71; - fiat_p256_addcarryx_u32(&x70, &x71, 0x0, x52, x64); uint32_t x72; fiat_p256_uint1 x73; - fiat_p256_addcarryx_u32(&x72, &x73, x71, x54, x66); uint32_t x74; fiat_p256_uint1 x75; - fiat_p256_addcarryx_u32(&x74, &x75, x73, x56, x68); uint32_t x76; fiat_p256_uint1 x77; - fiat_p256_addcarryx_u32(&x76, &x77, x75, ((uint32_t)x57 + x47), (x69 + x61)); uint32_t x78; fiat_p256_uint1 x79; - fiat_p256_addcarryx_u32(&x78, &x79, x77, x1, 0x0); uint32_t x80; fiat_p256_uint1 x81; - fiat_p256_addcarryx_u32(&x80, &x81, x79, x48, 0x0); uint32_t x82; fiat_p256_uint1 x83; - fiat_p256_addcarryx_u32(&x82, &x83, x81, x50, x52); uint32_t x84; fiat_p256_uint1 x85; - fiat_p256_addcarryx_u32(&x84, &x85, x83, (x51 + x29), x58); uint32_t x86; fiat_p256_uint1 x87; - fiat_p256_addcarryx_u32(&x86, &x87, 0x0, x72, (arg1[3])); uint32_t x88; fiat_p256_uint1 x89; - fiat_p256_addcarryx_u32(&x88, &x89, x87, x74, 0x0); uint32_t x90; fiat_p256_uint1 x91; - fiat_p256_addcarryx_u32(&x90, &x91, x89, x76, 0x0); uint32_t x92; fiat_p256_uint1 x93; - fiat_p256_addcarryx_u32(&x92, &x93, x91, x78, 0x0); uint32_t x94; fiat_p256_uint1 x95; - fiat_p256_addcarryx_u32(&x94, &x95, x93, x80, 0x0); uint32_t x96; fiat_p256_uint1 x97; - fiat_p256_addcarryx_u32(&x96, &x97, x95, x82, 0x0); uint32_t x98; fiat_p256_uint1 x99; - fiat_p256_addcarryx_u32(&x98, &x99, x97, x84, 0x0); uint32_t x100; fiat_p256_uint1 x101; - fiat_p256_addcarryx_u32(&x100, &x101, x99, (x85 + x59), 0x0); uint32_t x102; uint32_t x103; - fiat_p256_mulx_u32(&x102, &x103, x86, UINT32_C(0xffffffff)); uint32_t x104; uint32_t x105; - fiat_p256_mulx_u32(&x104, &x105, x86, UINT32_C(0xffffffff)); uint32_t x106; uint32_t x107; - fiat_p256_mulx_u32(&x106, &x107, x86, UINT32_C(0xffffffff)); uint32_t x108; uint32_t x109; - fiat_p256_mulx_u32(&x108, &x109, x86, UINT32_C(0xffffffff)); uint32_t x110; fiat_p256_uint1 x111; - fiat_p256_addcarryx_u32(&x110, &x111, 0x0, x109, x106); uint32_t x112; fiat_p256_uint1 x113; - fiat_p256_addcarryx_u32(&x112, &x113, x111, x107, x104); uint32_t x114; fiat_p256_uint1 x115; - fiat_p256_addcarryx_u32(&x114, &x115, 0x0, x86, x108); uint32_t x116; fiat_p256_uint1 x117; - fiat_p256_addcarryx_u32(&x116, &x117, x115, x88, x110); uint32_t x118; fiat_p256_uint1 x119; - fiat_p256_addcarryx_u32(&x118, &x119, x117, x90, x112); uint32_t x120; fiat_p256_uint1 x121; - fiat_p256_addcarryx_u32(&x120, &x121, x119, x92, (x113 + x105)); uint32_t x122; fiat_p256_uint1 x123; - fiat_p256_addcarryx_u32(&x122, &x123, x121, x94, 0x0); uint32_t x124; fiat_p256_uint1 x125; - fiat_p256_addcarryx_u32(&x124, &x125, x123, x96, 0x0); uint32_t x126; fiat_p256_uint1 x127; - fiat_p256_addcarryx_u32(&x126, &x127, x125, x98, x86); uint32_t x128; fiat_p256_uint1 x129; - fiat_p256_addcarryx_u32(&x128, &x129, x127, x100, x102); uint32_t x130; fiat_p256_uint1 x131; - fiat_p256_addcarryx_u32(&x130, &x131, x129, x101, x103); uint32_t x132; fiat_p256_uint1 x133; - fiat_p256_addcarryx_u32(&x132, &x133, 0x0, x116, (arg1[4])); uint32_t x134; fiat_p256_uint1 x135; - fiat_p256_addcarryx_u32(&x134, &x135, x133, x118, 0x0); uint32_t x136; fiat_p256_uint1 x137; - fiat_p256_addcarryx_u32(&x136, &x137, x135, x120, 0x0); uint32_t x138; fiat_p256_uint1 x139; - fiat_p256_addcarryx_u32(&x138, &x139, x137, x122, 0x0); uint32_t x140; fiat_p256_uint1 x141; - fiat_p256_addcarryx_u32(&x140, &x141, x139, x124, 0x0); uint32_t x142; fiat_p256_uint1 x143; - fiat_p256_addcarryx_u32(&x142, &x143, x141, x126, 0x0); uint32_t x144; fiat_p256_uint1 x145; - fiat_p256_addcarryx_u32(&x144, &x145, x143, x128, 0x0); uint32_t x146; fiat_p256_uint1 x147; - fiat_p256_addcarryx_u32(&x146, &x147, x145, x130, 0x0); uint32_t x148; uint32_t x149; - fiat_p256_mulx_u32(&x148, &x149, x132, UINT32_C(0xffffffff)); uint32_t x150; uint32_t x151; - fiat_p256_mulx_u32(&x150, &x151, x132, UINT32_C(0xffffffff)); uint32_t x152; uint32_t x153; - fiat_p256_mulx_u32(&x152, &x153, x132, UINT32_C(0xffffffff)); uint32_t x154; uint32_t x155; - fiat_p256_mulx_u32(&x154, &x155, x132, UINT32_C(0xffffffff)); uint32_t x156; fiat_p256_uint1 x157; - fiat_p256_addcarryx_u32(&x156, &x157, 0x0, x155, x152); uint32_t x158; fiat_p256_uint1 x159; - fiat_p256_addcarryx_u32(&x158, &x159, x157, x153, x150); uint32_t x160; fiat_p256_uint1 x161; - fiat_p256_addcarryx_u32(&x160, &x161, 0x0, x132, x154); uint32_t x162; fiat_p256_uint1 x163; - fiat_p256_addcarryx_u32(&x162, &x163, x161, x134, x156); uint32_t x164; fiat_p256_uint1 x165; - fiat_p256_addcarryx_u32(&x164, &x165, x163, x136, x158); uint32_t x166; fiat_p256_uint1 x167; - fiat_p256_addcarryx_u32(&x166, &x167, x165, x138, (x159 + x151)); uint32_t x168; fiat_p256_uint1 x169; - fiat_p256_addcarryx_u32(&x168, &x169, x167, x140, 0x0); uint32_t x170; fiat_p256_uint1 x171; - fiat_p256_addcarryx_u32(&x170, &x171, x169, x142, 0x0); uint32_t x172; fiat_p256_uint1 x173; - fiat_p256_addcarryx_u32(&x172, &x173, x171, x144, x132); uint32_t x174; fiat_p256_uint1 x175; - fiat_p256_addcarryx_u32(&x174, &x175, x173, x146, x148); uint32_t x176; fiat_p256_uint1 x177; - fiat_p256_addcarryx_u32(&x176, &x177, x175, ((uint32_t)x147 + x131), x149); uint32_t x178; fiat_p256_uint1 x179; - fiat_p256_addcarryx_u32(&x178, &x179, 0x0, x162, (arg1[5])); uint32_t x180; fiat_p256_uint1 x181; - fiat_p256_addcarryx_u32(&x180, &x181, x179, x164, 0x0); uint32_t x182; fiat_p256_uint1 x183; - fiat_p256_addcarryx_u32(&x182, &x183, x181, x166, 0x0); uint32_t x184; fiat_p256_uint1 x185; - fiat_p256_addcarryx_u32(&x184, &x185, x183, x168, 0x0); uint32_t x186; fiat_p256_uint1 x187; - fiat_p256_addcarryx_u32(&x186, &x187, x185, x170, 0x0); uint32_t x188; fiat_p256_uint1 x189; - fiat_p256_addcarryx_u32(&x188, &x189, x187, x172, 0x0); uint32_t x190; fiat_p256_uint1 x191; - fiat_p256_addcarryx_u32(&x190, &x191, x189, x174, 0x0); uint32_t x192; fiat_p256_uint1 x193; - fiat_p256_addcarryx_u32(&x192, &x193, x191, x176, 0x0); uint32_t x194; uint32_t x195; - fiat_p256_mulx_u32(&x194, &x195, x178, UINT32_C(0xffffffff)); uint32_t x196; uint32_t x197; - fiat_p256_mulx_u32(&x196, &x197, x178, UINT32_C(0xffffffff)); uint32_t x198; uint32_t x199; - fiat_p256_mulx_u32(&x198, &x199, x178, UINT32_C(0xffffffff)); uint32_t x200; uint32_t x201; - fiat_p256_mulx_u32(&x200, &x201, x178, UINT32_C(0xffffffff)); uint32_t x202; fiat_p256_uint1 x203; - fiat_p256_addcarryx_u32(&x202, &x203, 0x0, x201, x198); uint32_t x204; fiat_p256_uint1 x205; - fiat_p256_addcarryx_u32(&x204, &x205, x203, x199, x196); uint32_t x206; fiat_p256_uint1 x207; - fiat_p256_addcarryx_u32(&x206, &x207, 0x0, x178, x200); uint32_t x208; fiat_p256_uint1 x209; - fiat_p256_addcarryx_u32(&x208, &x209, x207, x180, x202); uint32_t x210; fiat_p256_uint1 x211; - fiat_p256_addcarryx_u32(&x210, &x211, x209, x182, x204); uint32_t x212; fiat_p256_uint1 x213; - fiat_p256_addcarryx_u32(&x212, &x213, x211, x184, (x205 + x197)); uint32_t x214; fiat_p256_uint1 x215; - fiat_p256_addcarryx_u32(&x214, &x215, x213, x186, 0x0); uint32_t x216; fiat_p256_uint1 x217; - fiat_p256_addcarryx_u32(&x216, &x217, x215, x188, 0x0); uint32_t x218; fiat_p256_uint1 x219; - fiat_p256_addcarryx_u32(&x218, &x219, x217, x190, x178); uint32_t x220; fiat_p256_uint1 x221; - fiat_p256_addcarryx_u32(&x220, &x221, x219, x192, x194); uint32_t x222; fiat_p256_uint1 x223; - fiat_p256_addcarryx_u32(&x222, &x223, x221, ((uint32_t)x193 + x177), x195); uint32_t x224; fiat_p256_uint1 x225; - fiat_p256_addcarryx_u32(&x224, &x225, 0x0, x208, (arg1[6])); uint32_t x226; fiat_p256_uint1 x227; - fiat_p256_addcarryx_u32(&x226, &x227, x225, x210, 0x0); uint32_t x228; fiat_p256_uint1 x229; - fiat_p256_addcarryx_u32(&x228, &x229, x227, x212, 0x0); uint32_t x230; fiat_p256_uint1 x231; - fiat_p256_addcarryx_u32(&x230, &x231, x229, x214, 0x0); uint32_t x232; fiat_p256_uint1 x233; - fiat_p256_addcarryx_u32(&x232, &x233, x231, x216, 0x0); uint32_t x234; fiat_p256_uint1 x235; - fiat_p256_addcarryx_u32(&x234, &x235, x233, x218, 0x0); uint32_t x236; fiat_p256_uint1 x237; - fiat_p256_addcarryx_u32(&x236, &x237, x235, x220, 0x0); uint32_t x238; fiat_p256_uint1 x239; - fiat_p256_addcarryx_u32(&x238, &x239, x237, x222, 0x0); uint32_t x240; uint32_t x241; - fiat_p256_mulx_u32(&x240, &x241, x224, UINT32_C(0xffffffff)); uint32_t x242; uint32_t x243; - fiat_p256_mulx_u32(&x242, &x243, x224, UINT32_C(0xffffffff)); uint32_t x244; uint32_t x245; - fiat_p256_mulx_u32(&x244, &x245, x224, UINT32_C(0xffffffff)); uint32_t x246; uint32_t x247; - fiat_p256_mulx_u32(&x246, &x247, x224, UINT32_C(0xffffffff)); uint32_t x248; fiat_p256_uint1 x249; - fiat_p256_addcarryx_u32(&x248, &x249, 0x0, x247, x244); uint32_t x250; fiat_p256_uint1 x251; - fiat_p256_addcarryx_u32(&x250, &x251, x249, x245, x242); uint32_t x252; fiat_p256_uint1 x253; - fiat_p256_addcarryx_u32(&x252, &x253, 0x0, x224, x246); uint32_t x254; fiat_p256_uint1 x255; - fiat_p256_addcarryx_u32(&x254, &x255, x253, x226, x248); uint32_t x256; fiat_p256_uint1 x257; - fiat_p256_addcarryx_u32(&x256, &x257, x255, x228, x250); uint32_t x258; fiat_p256_uint1 x259; - fiat_p256_addcarryx_u32(&x258, &x259, x257, x230, (x251 + x243)); uint32_t x260; fiat_p256_uint1 x261; - fiat_p256_addcarryx_u32(&x260, &x261, x259, x232, 0x0); uint32_t x262; fiat_p256_uint1 x263; - fiat_p256_addcarryx_u32(&x262, &x263, x261, x234, 0x0); uint32_t x264; fiat_p256_uint1 x265; - fiat_p256_addcarryx_u32(&x264, &x265, x263, x236, x224); uint32_t x266; fiat_p256_uint1 x267; - fiat_p256_addcarryx_u32(&x266, &x267, x265, x238, x240); uint32_t x268; fiat_p256_uint1 x269; - fiat_p256_addcarryx_u32(&x268, &x269, x267, ((uint32_t)x239 + x223), x241); uint32_t x270; fiat_p256_uint1 x271; - fiat_p256_addcarryx_u32(&x270, &x271, 0x0, x254, (arg1[7])); uint32_t x272; fiat_p256_uint1 x273; - fiat_p256_addcarryx_u32(&x272, &x273, x271, x256, 0x0); uint32_t x274; fiat_p256_uint1 x275; - fiat_p256_addcarryx_u32(&x274, &x275, x273, x258, 0x0); uint32_t x276; fiat_p256_uint1 x277; - fiat_p256_addcarryx_u32(&x276, &x277, x275, x260, 0x0); uint32_t x278; fiat_p256_uint1 x279; - fiat_p256_addcarryx_u32(&x278, &x279, x277, x262, 0x0); uint32_t x280; fiat_p256_uint1 x281; - fiat_p256_addcarryx_u32(&x280, &x281, x279, x264, 0x0); uint32_t x282; fiat_p256_uint1 x283; - fiat_p256_addcarryx_u32(&x282, &x283, x281, x266, 0x0); uint32_t x284; fiat_p256_uint1 x285; - fiat_p256_addcarryx_u32(&x284, &x285, x283, x268, 0x0); uint32_t x286; uint32_t x287; - fiat_p256_mulx_u32(&x286, &x287, x270, UINT32_C(0xffffffff)); uint32_t x288; uint32_t x289; - fiat_p256_mulx_u32(&x288, &x289, x270, UINT32_C(0xffffffff)); uint32_t x290; uint32_t x291; - fiat_p256_mulx_u32(&x290, &x291, x270, UINT32_C(0xffffffff)); uint32_t x292; uint32_t x293; - fiat_p256_mulx_u32(&x292, &x293, x270, UINT32_C(0xffffffff)); uint32_t x294; fiat_p256_uint1 x295; - fiat_p256_addcarryx_u32(&x294, &x295, 0x0, x293, x290); uint32_t x296; fiat_p256_uint1 x297; - fiat_p256_addcarryx_u32(&x296, &x297, x295, x291, x288); uint32_t x298; fiat_p256_uint1 x299; - fiat_p256_addcarryx_u32(&x298, &x299, 0x0, x270, x292); uint32_t x300; fiat_p256_uint1 x301; - fiat_p256_addcarryx_u32(&x300, &x301, x299, x272, x294); uint32_t x302; fiat_p256_uint1 x303; - fiat_p256_addcarryx_u32(&x302, &x303, x301, x274, x296); uint32_t x304; fiat_p256_uint1 x305; - fiat_p256_addcarryx_u32(&x304, &x305, x303, x276, (x297 + x289)); uint32_t x306; fiat_p256_uint1 x307; - fiat_p256_addcarryx_u32(&x306, &x307, x305, x278, 0x0); uint32_t x308; fiat_p256_uint1 x309; - fiat_p256_addcarryx_u32(&x308, &x309, x307, x280, 0x0); uint32_t x310; fiat_p256_uint1 x311; - fiat_p256_addcarryx_u32(&x310, &x311, x309, x282, x270); uint32_t x312; fiat_p256_uint1 x313; - fiat_p256_addcarryx_u32(&x312, &x313, x311, x284, x286); uint32_t x314; fiat_p256_uint1 x315; - fiat_p256_addcarryx_u32(&x314, &x315, x313, ((uint32_t)x285 + x269), x287); uint32_t x316; fiat_p256_uint1 x317; - fiat_p256_subborrowx_u32(&x316, &x317, 0x0, x300, UINT32_C(0xffffffff)); uint32_t x318; fiat_p256_uint1 x319; - fiat_p256_subborrowx_u32(&x318, &x319, x317, x302, UINT32_C(0xffffffff)); uint32_t x320; fiat_p256_uint1 x321; - fiat_p256_subborrowx_u32(&x320, &x321, x319, x304, UINT32_C(0xffffffff)); uint32_t x322; fiat_p256_uint1 x323; - fiat_p256_subborrowx_u32(&x322, &x323, x321, x306, 0x0); uint32_t x324; fiat_p256_uint1 x325; - fiat_p256_subborrowx_u32(&x324, &x325, x323, x308, 0x0); uint32_t x326; fiat_p256_uint1 x327; - fiat_p256_subborrowx_u32(&x326, &x327, x325, x310, 0x0); uint32_t x328; fiat_p256_uint1 x329; - fiat_p256_subborrowx_u32(&x328, &x329, x327, x312, 0x1); uint32_t x330; fiat_p256_uint1 x331; - fiat_p256_subborrowx_u32(&x330, &x331, x329, x314, UINT32_C(0xffffffff)); uint32_t x332; fiat_p256_uint1 x333; - fiat_p256_subborrowx_u32(&x332, &x333, x331, x315, 0x0); uint32_t x334; - fiat_p256_cmovznz_u32(&x334, x333, x316, x300); uint32_t x335; - fiat_p256_cmovznz_u32(&x335, x333, x318, x302); uint32_t x336; - fiat_p256_cmovznz_u32(&x336, x333, x320, x304); uint32_t x337; - fiat_p256_cmovznz_u32(&x337, x333, x322, x306); uint32_t x338; - fiat_p256_cmovznz_u32(&x338, x333, x324, x308); uint32_t x339; - fiat_p256_cmovznz_u32(&x339, x333, x326, x310); uint32_t x340; - fiat_p256_cmovznz_u32(&x340, x333, x328, x312); uint32_t x341; + x1 = (arg1[0]); + fiat_p256_mulx_u32(&x2, &x3, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x4, &x5, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x6, &x7, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x8, &x9, x1, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x10, &x11, 0x0, x9, x6); + fiat_p256_addcarryx_u32(&x12, &x13, x11, x7, x4); + fiat_p256_addcarryx_u32(&x14, &x15, 0x0, x1, x8); + fiat_p256_addcarryx_u32(&x16, &x17, x15, 0x0, x10); + fiat_p256_addcarryx_u32(&x18, &x19, x17, 0x0, x12); + fiat_p256_addcarryx_u32(&x20, &x21, x19, 0x0, (x13 + x5)); + fiat_p256_addcarryx_u32(&x22, &x23, 0x0, x16, (arg1[1])); + fiat_p256_addcarryx_u32(&x24, &x25, x23, x18, 0x0); + fiat_p256_addcarryx_u32(&x26, &x27, x25, x20, 0x0); + fiat_p256_mulx_u32(&x28, &x29, x22, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x30, &x31, x22, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x32, &x33, x22, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x34, &x35, x22, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x36, &x37, 0x0, x35, x32); + fiat_p256_addcarryx_u32(&x38, &x39, x37, x33, x30); + fiat_p256_addcarryx_u32(&x40, &x41, 0x0, x22, x34); + fiat_p256_addcarryx_u32(&x42, &x43, x41, x24, x36); + fiat_p256_addcarryx_u32(&x44, &x45, x43, x26, x38); + fiat_p256_addcarryx_u32(&x46, &x47, x45, ((uint32_t)x27 + x21), (x39 + x31)); + fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x2, x22); + fiat_p256_addcarryx_u32(&x50, &x51, x49, x3, x28); + fiat_p256_addcarryx_u32(&x52, &x53, 0x0, x42, (arg1[2])); + fiat_p256_addcarryx_u32(&x54, &x55, x53, x44, 0x0); + fiat_p256_addcarryx_u32(&x56, &x57, x55, x46, 0x0); + fiat_p256_mulx_u32(&x58, &x59, x52, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x60, &x61, x52, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x62, &x63, x52, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x64, &x65, x52, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x66, &x67, 0x0, x65, x62); + fiat_p256_addcarryx_u32(&x68, &x69, x67, x63, x60); + fiat_p256_addcarryx_u32(&x70, &x71, 0x0, x52, x64); + fiat_p256_addcarryx_u32(&x72, &x73, x71, x54, x66); + fiat_p256_addcarryx_u32(&x74, &x75, x73, x56, x68); + fiat_p256_addcarryx_u32(&x76, &x77, x75, ((uint32_t)x57 + x47), (x69 + x61)); + fiat_p256_addcarryx_u32(&x78, &x79, x77, x1, 0x0); + fiat_p256_addcarryx_u32(&x80, &x81, x79, x48, 0x0); + fiat_p256_addcarryx_u32(&x82, &x83, x81, x50, x52); + fiat_p256_addcarryx_u32(&x84, &x85, x83, (x51 + x29), x58); + fiat_p256_addcarryx_u32(&x86, &x87, 0x0, x72, (arg1[3])); + fiat_p256_addcarryx_u32(&x88, &x89, x87, x74, 0x0); + fiat_p256_addcarryx_u32(&x90, &x91, x89, x76, 0x0); + fiat_p256_addcarryx_u32(&x92, &x93, x91, x78, 0x0); + fiat_p256_addcarryx_u32(&x94, &x95, x93, x80, 0x0); + fiat_p256_addcarryx_u32(&x96, &x97, x95, x82, 0x0); + fiat_p256_addcarryx_u32(&x98, &x99, x97, x84, 0x0); + fiat_p256_addcarryx_u32(&x100, &x101, x99, (x85 + x59), 0x0); + fiat_p256_mulx_u32(&x102, &x103, x86, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x104, &x105, x86, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x106, &x107, x86, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x108, &x109, x86, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x110, &x111, 0x0, x109, x106); + fiat_p256_addcarryx_u32(&x112, &x113, x111, x107, x104); + fiat_p256_addcarryx_u32(&x114, &x115, 0x0, x86, x108); + fiat_p256_addcarryx_u32(&x116, &x117, x115, x88, x110); + fiat_p256_addcarryx_u32(&x118, &x119, x117, x90, x112); + fiat_p256_addcarryx_u32(&x120, &x121, x119, x92, (x113 + x105)); + fiat_p256_addcarryx_u32(&x122, &x123, x121, x94, 0x0); + fiat_p256_addcarryx_u32(&x124, &x125, x123, x96, 0x0); + fiat_p256_addcarryx_u32(&x126, &x127, x125, x98, x86); + fiat_p256_addcarryx_u32(&x128, &x129, x127, x100, x102); + fiat_p256_addcarryx_u32(&x130, &x131, x129, x101, x103); + fiat_p256_addcarryx_u32(&x132, &x133, 0x0, x116, (arg1[4])); + fiat_p256_addcarryx_u32(&x134, &x135, x133, x118, 0x0); + fiat_p256_addcarryx_u32(&x136, &x137, x135, x120, 0x0); + fiat_p256_addcarryx_u32(&x138, &x139, x137, x122, 0x0); + fiat_p256_addcarryx_u32(&x140, &x141, x139, x124, 0x0); + fiat_p256_addcarryx_u32(&x142, &x143, x141, x126, 0x0); + fiat_p256_addcarryx_u32(&x144, &x145, x143, x128, 0x0); + fiat_p256_addcarryx_u32(&x146, &x147, x145, x130, 0x0); + fiat_p256_mulx_u32(&x148, &x149, x132, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x150, &x151, x132, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x152, &x153, x132, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x154, &x155, x132, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x156, &x157, 0x0, x155, x152); + fiat_p256_addcarryx_u32(&x158, &x159, x157, x153, x150); + fiat_p256_addcarryx_u32(&x160, &x161, 0x0, x132, x154); + fiat_p256_addcarryx_u32(&x162, &x163, x161, x134, x156); + fiat_p256_addcarryx_u32(&x164, &x165, x163, x136, x158); + fiat_p256_addcarryx_u32(&x166, &x167, x165, x138, (x159 + x151)); + fiat_p256_addcarryx_u32(&x168, &x169, x167, x140, 0x0); + fiat_p256_addcarryx_u32(&x170, &x171, x169, x142, 0x0); + fiat_p256_addcarryx_u32(&x172, &x173, x171, x144, x132); + fiat_p256_addcarryx_u32(&x174, &x175, x173, x146, x148); + fiat_p256_addcarryx_u32(&x176, &x177, x175, ((uint32_t)x147 + x131), x149); + fiat_p256_addcarryx_u32(&x178, &x179, 0x0, x162, (arg1[5])); + fiat_p256_addcarryx_u32(&x180, &x181, x179, x164, 0x0); + fiat_p256_addcarryx_u32(&x182, &x183, x181, x166, 0x0); + fiat_p256_addcarryx_u32(&x184, &x185, x183, x168, 0x0); + fiat_p256_addcarryx_u32(&x186, &x187, x185, x170, 0x0); + fiat_p256_addcarryx_u32(&x188, &x189, x187, x172, 0x0); + fiat_p256_addcarryx_u32(&x190, &x191, x189, x174, 0x0); + fiat_p256_addcarryx_u32(&x192, &x193, x191, x176, 0x0); + fiat_p256_mulx_u32(&x194, &x195, x178, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x196, &x197, x178, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x198, &x199, x178, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x200, &x201, x178, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x202, &x203, 0x0, x201, x198); + fiat_p256_addcarryx_u32(&x204, &x205, x203, x199, x196); + fiat_p256_addcarryx_u32(&x206, &x207, 0x0, x178, x200); + fiat_p256_addcarryx_u32(&x208, &x209, x207, x180, x202); + fiat_p256_addcarryx_u32(&x210, &x211, x209, x182, x204); + fiat_p256_addcarryx_u32(&x212, &x213, x211, x184, (x205 + x197)); + fiat_p256_addcarryx_u32(&x214, &x215, x213, x186, 0x0); + fiat_p256_addcarryx_u32(&x216, &x217, x215, x188, 0x0); + fiat_p256_addcarryx_u32(&x218, &x219, x217, x190, x178); + fiat_p256_addcarryx_u32(&x220, &x221, x219, x192, x194); + fiat_p256_addcarryx_u32(&x222, &x223, x221, ((uint32_t)x193 + x177), x195); + fiat_p256_addcarryx_u32(&x224, &x225, 0x0, x208, (arg1[6])); + fiat_p256_addcarryx_u32(&x226, &x227, x225, x210, 0x0); + fiat_p256_addcarryx_u32(&x228, &x229, x227, x212, 0x0); + fiat_p256_addcarryx_u32(&x230, &x231, x229, x214, 0x0); + fiat_p256_addcarryx_u32(&x232, &x233, x231, x216, 0x0); + fiat_p256_addcarryx_u32(&x234, &x235, x233, x218, 0x0); + fiat_p256_addcarryx_u32(&x236, &x237, x235, x220, 0x0); + fiat_p256_addcarryx_u32(&x238, &x239, x237, x222, 0x0); + fiat_p256_mulx_u32(&x240, &x241, x224, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x242, &x243, x224, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x244, &x245, x224, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x246, &x247, x224, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x248, &x249, 0x0, x247, x244); + fiat_p256_addcarryx_u32(&x250, &x251, x249, x245, x242); + fiat_p256_addcarryx_u32(&x252, &x253, 0x0, x224, x246); + fiat_p256_addcarryx_u32(&x254, &x255, x253, x226, x248); + fiat_p256_addcarryx_u32(&x256, &x257, x255, x228, x250); + fiat_p256_addcarryx_u32(&x258, &x259, x257, x230, (x251 + x243)); + fiat_p256_addcarryx_u32(&x260, &x261, x259, x232, 0x0); + fiat_p256_addcarryx_u32(&x262, &x263, x261, x234, 0x0); + fiat_p256_addcarryx_u32(&x264, &x265, x263, x236, x224); + fiat_p256_addcarryx_u32(&x266, &x267, x265, x238, x240); + fiat_p256_addcarryx_u32(&x268, &x269, x267, ((uint32_t)x239 + x223), x241); + fiat_p256_addcarryx_u32(&x270, &x271, 0x0, x254, (arg1[7])); + fiat_p256_addcarryx_u32(&x272, &x273, x271, x256, 0x0); + fiat_p256_addcarryx_u32(&x274, &x275, x273, x258, 0x0); + fiat_p256_addcarryx_u32(&x276, &x277, x275, x260, 0x0); + fiat_p256_addcarryx_u32(&x278, &x279, x277, x262, 0x0); + fiat_p256_addcarryx_u32(&x280, &x281, x279, x264, 0x0); + fiat_p256_addcarryx_u32(&x282, &x283, x281, x266, 0x0); + fiat_p256_addcarryx_u32(&x284, &x285, x283, x268, 0x0); + fiat_p256_mulx_u32(&x286, &x287, x270, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x288, &x289, x270, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x290, &x291, x270, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x292, &x293, x270, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x294, &x295, 0x0, x293, x290); + fiat_p256_addcarryx_u32(&x296, &x297, x295, x291, x288); + fiat_p256_addcarryx_u32(&x298, &x299, 0x0, x270, x292); + fiat_p256_addcarryx_u32(&x300, &x301, x299, x272, x294); + fiat_p256_addcarryx_u32(&x302, &x303, x301, x274, x296); + fiat_p256_addcarryx_u32(&x304, &x305, x303, x276, (x297 + x289)); + fiat_p256_addcarryx_u32(&x306, &x307, x305, x278, 0x0); + fiat_p256_addcarryx_u32(&x308, &x309, x307, x280, 0x0); + fiat_p256_addcarryx_u32(&x310, &x311, x309, x282, x270); + fiat_p256_addcarryx_u32(&x312, &x313, x311, x284, x286); + fiat_p256_addcarryx_u32(&x314, &x315, x313, ((uint32_t)x285 + x269), x287); + fiat_p256_subborrowx_u32(&x316, &x317, 0x0, x300, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x318, &x319, x317, x302, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x320, &x321, x319, x304, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x322, &x323, x321, x306, 0x0); + fiat_p256_subborrowx_u32(&x324, &x325, x323, x308, 0x0); + fiat_p256_subborrowx_u32(&x326, &x327, x325, x310, 0x0); + fiat_p256_subborrowx_u32(&x328, &x329, x327, x312, 0x1); + fiat_p256_subborrowx_u32(&x330, &x331, x329, x314, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x332, &x333, x331, x315, 0x0); + fiat_p256_cmovznz_u32(&x334, x333, x316, x300); + fiat_p256_cmovznz_u32(&x335, x333, x318, x302); + fiat_p256_cmovznz_u32(&x336, x333, x320, x304); + fiat_p256_cmovznz_u32(&x337, x333, x322, x306); + fiat_p256_cmovznz_u32(&x338, x333, x324, x308); + fiat_p256_cmovznz_u32(&x339, x333, x326, x310); + fiat_p256_cmovznz_u32(&x340, x333, x328, x312); fiat_p256_cmovznz_u32(&x341, x333, x330, x314); out1[0] = x334; out1[1] = x335; @@ -2909,7 +2989,904 @@ static void fiat_p256_from_montgomery(uint32_t out1[8], const uint32_t arg1[8]) } /* + * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. + * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * eval (from_montgomery out1) mod m = eval arg1 mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + uint32_t x11; + uint32_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint32_t x16; + uint32_t x17; + uint32_t x18; + uint32_t x19; + uint32_t x20; + uint32_t x21; + uint32_t x22; + uint32_t x23; + fiat_p256_uint1 x24; + uint32_t x25; + fiat_p256_uint1 x26; + uint32_t x27; + fiat_p256_uint1 x28; + uint32_t x29; + fiat_p256_uint1 x30; + uint32_t x31; + fiat_p256_uint1 x32; + uint32_t x33; + uint32_t x34; + uint32_t x35; + uint32_t x36; + uint32_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + fiat_p256_uint1 x42; + uint32_t x43; + fiat_p256_uint1 x44; + uint32_t x45; + fiat_p256_uint1 x46; + uint32_t x47; + fiat_p256_uint1 x48; + uint32_t x49; + fiat_p256_uint1 x50; + uint32_t x51; + fiat_p256_uint1 x52; + uint32_t x53; + fiat_p256_uint1 x54; + uint32_t x55; + fiat_p256_uint1 x56; + uint32_t x57; + fiat_p256_uint1 x58; + uint32_t x59; + fiat_p256_uint1 x60; + uint32_t x61; + fiat_p256_uint1 x62; + uint32_t x63; + uint32_t x64; + uint32_t x65; + uint32_t x66; + uint32_t x67; + uint32_t x68; + uint32_t x69; + uint32_t x70; + uint32_t x71; + uint32_t x72; + uint32_t x73; + uint32_t x74; + uint32_t x75; + uint32_t x76; + uint32_t x77; + fiat_p256_uint1 x78; + uint32_t x79; + fiat_p256_uint1 x80; + uint32_t x81; + fiat_p256_uint1 x82; + uint32_t x83; + fiat_p256_uint1 x84; + uint32_t x85; + fiat_p256_uint1 x86; + uint32_t x87; + fiat_p256_uint1 x88; + uint32_t x89; + fiat_p256_uint1 x90; + uint32_t x91; + fiat_p256_uint1 x92; + uint32_t x93; + fiat_p256_uint1 x94; + uint32_t x95; + fiat_p256_uint1 x96; + uint32_t x97; + fiat_p256_uint1 x98; + uint32_t x99; + fiat_p256_uint1 x100; + uint32_t x101; + fiat_p256_uint1 x102; + uint32_t x103; + uint32_t x104; + uint32_t x105; + uint32_t x106; + uint32_t x107; + uint32_t x108; + uint32_t x109; + uint32_t x110; + uint32_t x111; + fiat_p256_uint1 x112; + uint32_t x113; + fiat_p256_uint1 x114; + uint32_t x115; + fiat_p256_uint1 x116; + uint32_t x117; + fiat_p256_uint1 x118; + uint32_t x119; + fiat_p256_uint1 x120; + uint32_t x121; + fiat_p256_uint1 x122; + uint32_t x123; + fiat_p256_uint1 x124; + uint32_t x125; + fiat_p256_uint1 x126; + uint32_t x127; + fiat_p256_uint1 x128; + uint32_t x129; + fiat_p256_uint1 x130; + uint32_t x131; + fiat_p256_uint1 x132; + uint32_t x133; + uint32_t x134; + uint32_t x135; + uint32_t x136; + uint32_t x137; + uint32_t x138; + uint32_t x139; + uint32_t x140; + uint32_t x141; + uint32_t x142; + uint32_t x143; + uint32_t x144; + uint32_t x145; + uint32_t x146; + uint32_t x147; + fiat_p256_uint1 x148; + uint32_t x149; + fiat_p256_uint1 x150; + uint32_t x151; + fiat_p256_uint1 x152; + uint32_t x153; + fiat_p256_uint1 x154; + uint32_t x155; + fiat_p256_uint1 x156; + uint32_t x157; + fiat_p256_uint1 x158; + uint32_t x159; + fiat_p256_uint1 x160; + uint32_t x161; + fiat_p256_uint1 x162; + uint32_t x163; + fiat_p256_uint1 x164; + uint32_t x165; + fiat_p256_uint1 x166; + uint32_t x167; + fiat_p256_uint1 x168; + uint32_t x169; + fiat_p256_uint1 x170; + uint32_t x171; + fiat_p256_uint1 x172; + uint32_t x173; + uint32_t x174; + uint32_t x175; + uint32_t x176; + uint32_t x177; + uint32_t x178; + uint32_t x179; + uint32_t x180; + uint32_t x181; + fiat_p256_uint1 x182; + uint32_t x183; + fiat_p256_uint1 x184; + uint32_t x185; + fiat_p256_uint1 x186; + uint32_t x187; + fiat_p256_uint1 x188; + uint32_t x189; + fiat_p256_uint1 x190; + uint32_t x191; + fiat_p256_uint1 x192; + uint32_t x193; + fiat_p256_uint1 x194; + uint32_t x195; + fiat_p256_uint1 x196; + uint32_t x197; + fiat_p256_uint1 x198; + uint32_t x199; + fiat_p256_uint1 x200; + uint32_t x201; + fiat_p256_uint1 x202; + uint32_t x203; + uint32_t x204; + uint32_t x205; + uint32_t x206; + uint32_t x207; + uint32_t x208; + uint32_t x209; + uint32_t x210; + uint32_t x211; + uint32_t x212; + uint32_t x213; + uint32_t x214; + uint32_t x215; + uint32_t x216; + uint32_t x217; + fiat_p256_uint1 x218; + uint32_t x219; + fiat_p256_uint1 x220; + uint32_t x221; + fiat_p256_uint1 x222; + uint32_t x223; + fiat_p256_uint1 x224; + uint32_t x225; + fiat_p256_uint1 x226; + uint32_t x227; + fiat_p256_uint1 x228; + uint32_t x229; + fiat_p256_uint1 x230; + uint32_t x231; + fiat_p256_uint1 x232; + uint32_t x233; + fiat_p256_uint1 x234; + uint32_t x235; + fiat_p256_uint1 x236; + uint32_t x237; + fiat_p256_uint1 x238; + uint32_t x239; + fiat_p256_uint1 x240; + uint32_t x241; + fiat_p256_uint1 x242; + uint32_t x243; + uint32_t x244; + uint32_t x245; + uint32_t x246; + uint32_t x247; + uint32_t x248; + uint32_t x249; + uint32_t x250; + uint32_t x251; + fiat_p256_uint1 x252; + uint32_t x253; + fiat_p256_uint1 x254; + uint32_t x255; + fiat_p256_uint1 x256; + uint32_t x257; + fiat_p256_uint1 x258; + uint32_t x259; + fiat_p256_uint1 x260; + uint32_t x261; + fiat_p256_uint1 x262; + uint32_t x263; + fiat_p256_uint1 x264; + uint32_t x265; + fiat_p256_uint1 x266; + uint32_t x267; + fiat_p256_uint1 x268; + uint32_t x269; + fiat_p256_uint1 x270; + uint32_t x271; + fiat_p256_uint1 x272; + uint32_t x273; + uint32_t x274; + uint32_t x275; + uint32_t x276; + uint32_t x277; + uint32_t x278; + uint32_t x279; + uint32_t x280; + uint32_t x281; + uint32_t x282; + uint32_t x283; + uint32_t x284; + uint32_t x285; + uint32_t x286; + uint32_t x287; + fiat_p256_uint1 x288; + uint32_t x289; + fiat_p256_uint1 x290; + uint32_t x291; + fiat_p256_uint1 x292; + uint32_t x293; + fiat_p256_uint1 x294; + uint32_t x295; + fiat_p256_uint1 x296; + uint32_t x297; + fiat_p256_uint1 x298; + uint32_t x299; + fiat_p256_uint1 x300; + uint32_t x301; + fiat_p256_uint1 x302; + uint32_t x303; + fiat_p256_uint1 x304; + uint32_t x305; + fiat_p256_uint1 x306; + uint32_t x307; + fiat_p256_uint1 x308; + uint32_t x309; + fiat_p256_uint1 x310; + uint32_t x311; + fiat_p256_uint1 x312; + uint32_t x313; + uint32_t x314; + uint32_t x315; + uint32_t x316; + uint32_t x317; + uint32_t x318; + uint32_t x319; + uint32_t x320; + uint32_t x321; + fiat_p256_uint1 x322; + uint32_t x323; + fiat_p256_uint1 x324; + uint32_t x325; + fiat_p256_uint1 x326; + uint32_t x327; + fiat_p256_uint1 x328; + uint32_t x329; + fiat_p256_uint1 x330; + uint32_t x331; + fiat_p256_uint1 x332; + uint32_t x333; + fiat_p256_uint1 x334; + uint32_t x335; + fiat_p256_uint1 x336; + uint32_t x337; + fiat_p256_uint1 x338; + uint32_t x339; + fiat_p256_uint1 x340; + uint32_t x341; + fiat_p256_uint1 x342; + uint32_t x343; + uint32_t x344; + uint32_t x345; + uint32_t x346; + uint32_t x347; + uint32_t x348; + uint32_t x349; + uint32_t x350; + uint32_t x351; + uint32_t x352; + uint32_t x353; + uint32_t x354; + uint32_t x355; + uint32_t x356; + uint32_t x357; + fiat_p256_uint1 x358; + uint32_t x359; + fiat_p256_uint1 x360; + uint32_t x361; + fiat_p256_uint1 x362; + uint32_t x363; + fiat_p256_uint1 x364; + uint32_t x365; + fiat_p256_uint1 x366; + uint32_t x367; + fiat_p256_uint1 x368; + uint32_t x369; + fiat_p256_uint1 x370; + uint32_t x371; + fiat_p256_uint1 x372; + uint32_t x373; + fiat_p256_uint1 x374; + uint32_t x375; + fiat_p256_uint1 x376; + uint32_t x377; + fiat_p256_uint1 x378; + uint32_t x379; + fiat_p256_uint1 x380; + uint32_t x381; + fiat_p256_uint1 x382; + uint32_t x383; + uint32_t x384; + uint32_t x385; + uint32_t x386; + uint32_t x387; + uint32_t x388; + uint32_t x389; + uint32_t x390; + uint32_t x391; + fiat_p256_uint1 x392; + uint32_t x393; + fiat_p256_uint1 x394; + uint32_t x395; + fiat_p256_uint1 x396; + uint32_t x397; + fiat_p256_uint1 x398; + uint32_t x399; + fiat_p256_uint1 x400; + uint32_t x401; + fiat_p256_uint1 x402; + uint32_t x403; + fiat_p256_uint1 x404; + uint32_t x405; + fiat_p256_uint1 x406; + uint32_t x407; + fiat_p256_uint1 x408; + uint32_t x409; + fiat_p256_uint1 x410; + uint32_t x411; + fiat_p256_uint1 x412; + uint32_t x413; + uint32_t x414; + uint32_t x415; + uint32_t x416; + uint32_t x417; + uint32_t x418; + uint32_t x419; + uint32_t x420; + uint32_t x421; + uint32_t x422; + uint32_t x423; + uint32_t x424; + uint32_t x425; + uint32_t x426; + uint32_t x427; + fiat_p256_uint1 x428; + uint32_t x429; + fiat_p256_uint1 x430; + uint32_t x431; + fiat_p256_uint1 x432; + uint32_t x433; + fiat_p256_uint1 x434; + uint32_t x435; + fiat_p256_uint1 x436; + uint32_t x437; + fiat_p256_uint1 x438; + uint32_t x439; + fiat_p256_uint1 x440; + uint32_t x441; + fiat_p256_uint1 x442; + uint32_t x443; + fiat_p256_uint1 x444; + uint32_t x445; + fiat_p256_uint1 x446; + uint32_t x447; + fiat_p256_uint1 x448; + uint32_t x449; + fiat_p256_uint1 x450; + uint32_t x451; + fiat_p256_uint1 x452; + uint32_t x453; + uint32_t x454; + uint32_t x455; + uint32_t x456; + uint32_t x457; + uint32_t x458; + uint32_t x459; + uint32_t x460; + uint32_t x461; + fiat_p256_uint1 x462; + uint32_t x463; + fiat_p256_uint1 x464; + uint32_t x465; + fiat_p256_uint1 x466; + uint32_t x467; + fiat_p256_uint1 x468; + uint32_t x469; + fiat_p256_uint1 x470; + uint32_t x471; + fiat_p256_uint1 x472; + uint32_t x473; + fiat_p256_uint1 x474; + uint32_t x475; + fiat_p256_uint1 x476; + uint32_t x477; + fiat_p256_uint1 x478; + uint32_t x479; + fiat_p256_uint1 x480; + uint32_t x481; + fiat_p256_uint1 x482; + uint32_t x483; + uint32_t x484; + uint32_t x485; + uint32_t x486; + uint32_t x487; + uint32_t x488; + uint32_t x489; + uint32_t x490; + uint32_t x491; + uint32_t x492; + uint32_t x493; + uint32_t x494; + uint32_t x495; + uint32_t x496; + uint32_t x497; + fiat_p256_uint1 x498; + uint32_t x499; + fiat_p256_uint1 x500; + uint32_t x501; + fiat_p256_uint1 x502; + uint32_t x503; + fiat_p256_uint1 x504; + uint32_t x505; + fiat_p256_uint1 x506; + uint32_t x507; + fiat_p256_uint1 x508; + uint32_t x509; + fiat_p256_uint1 x510; + uint32_t x511; + fiat_p256_uint1 x512; + uint32_t x513; + fiat_p256_uint1 x514; + uint32_t x515; + fiat_p256_uint1 x516; + uint32_t x517; + fiat_p256_uint1 x518; + uint32_t x519; + fiat_p256_uint1 x520; + uint32_t x521; + fiat_p256_uint1 x522; + uint32_t x523; + uint32_t x524; + uint32_t x525; + uint32_t x526; + uint32_t x527; + uint32_t x528; + uint32_t x529; + uint32_t x530; + uint32_t x531; + fiat_p256_uint1 x532; + uint32_t x533; + fiat_p256_uint1 x534; + uint32_t x535; + fiat_p256_uint1 x536; + uint32_t x537; + fiat_p256_uint1 x538; + uint32_t x539; + fiat_p256_uint1 x540; + uint32_t x541; + fiat_p256_uint1 x542; + uint32_t x543; + fiat_p256_uint1 x544; + uint32_t x545; + fiat_p256_uint1 x546; + uint32_t x547; + fiat_p256_uint1 x548; + uint32_t x549; + fiat_p256_uint1 x550; + uint32_t x551; + fiat_p256_uint1 x552; + uint32_t x553; + fiat_p256_uint1 x554; + uint32_t x555; + fiat_p256_uint1 x556; + uint32_t x557; + fiat_p256_uint1 x558; + uint32_t x559; + fiat_p256_uint1 x560; + uint32_t x561; + fiat_p256_uint1 x562; + uint32_t x563; + fiat_p256_uint1 x564; + uint32_t x565; + fiat_p256_uint1 x566; + uint32_t x567; + fiat_p256_uint1 x568; + uint32_t x569; + fiat_p256_uint1 x570; + uint32_t x571; + uint32_t x572; + uint32_t x573; + uint32_t x574; + uint32_t x575; + uint32_t x576; + uint32_t x577; + uint32_t x578; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[4]); + x5 = (arg1[5]); + x6 = (arg1[6]); + x7 = (arg1[7]); + x8 = (arg1[0]); + fiat_p256_mulx_u32(&x9, &x10, x8, 0x4); + fiat_p256_mulx_u32(&x11, &x12, x8, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x13, &x14, x8, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x15, &x16, x8, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x17, &x18, x8, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x19, &x20, x8, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x21, &x22, x8, 0x3); + fiat_p256_addcarryx_u32(&x23, &x24, 0x0, x20, x17); + fiat_p256_addcarryx_u32(&x25, &x26, x24, x18, x15); + fiat_p256_addcarryx_u32(&x27, &x28, x26, x16, x13); + fiat_p256_addcarryx_u32(&x29, &x30, x28, x14, x11); + fiat_p256_addcarryx_u32(&x31, &x32, x30, x12, x9); + fiat_p256_mulx_u32(&x33, &x34, x21, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x35, &x36, x21, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x37, &x38, x21, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x39, &x40, x21, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x41, &x42, 0x0, x40, x37); + fiat_p256_addcarryx_u32(&x43, &x44, x42, x38, x35); + fiat_p256_addcarryx_u32(&x45, &x46, 0x0, x21, x39); + fiat_p256_addcarryx_u32(&x47, &x48, x46, x22, x41); + fiat_p256_addcarryx_u32(&x49, &x50, x48, x19, x43); + fiat_p256_addcarryx_u32(&x51, &x52, x50, x23, (x44 + x36)); + fiat_p256_addcarryx_u32(&x53, &x54, x52, x25, 0x0); + fiat_p256_addcarryx_u32(&x55, &x56, x54, x27, 0x0); + fiat_p256_addcarryx_u32(&x57, &x58, x56, x29, x21); + fiat_p256_addcarryx_u32(&x59, &x60, x58, x31, x33); + fiat_p256_addcarryx_u32(&x61, &x62, x60, (x32 + x10), x34); + fiat_p256_mulx_u32(&x63, &x64, x1, 0x4); + fiat_p256_mulx_u32(&x65, &x66, x1, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x67, &x68, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x69, &x70, x1, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x71, &x72, x1, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x73, &x74, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x75, &x76, x1, 0x3); + fiat_p256_addcarryx_u32(&x77, &x78, 0x0, x74, x71); + fiat_p256_addcarryx_u32(&x79, &x80, x78, x72, x69); + fiat_p256_addcarryx_u32(&x81, &x82, x80, x70, x67); + fiat_p256_addcarryx_u32(&x83, &x84, x82, x68, x65); + fiat_p256_addcarryx_u32(&x85, &x86, x84, x66, x63); + fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x47, x75); + fiat_p256_addcarryx_u32(&x89, &x90, x88, x49, x76); + fiat_p256_addcarryx_u32(&x91, &x92, x90, x51, x73); + fiat_p256_addcarryx_u32(&x93, &x94, x92, x53, x77); + fiat_p256_addcarryx_u32(&x95, &x96, x94, x55, x79); + fiat_p256_addcarryx_u32(&x97, &x98, x96, x57, x81); + fiat_p256_addcarryx_u32(&x99, &x100, x98, x59, x83); + fiat_p256_addcarryx_u32(&x101, &x102, x100, x61, x85); + fiat_p256_mulx_u32(&x103, &x104, x87, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x105, &x106, x87, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x107, &x108, x87, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x109, &x110, x87, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x111, &x112, 0x0, x110, x107); + fiat_p256_addcarryx_u32(&x113, &x114, x112, x108, x105); + fiat_p256_addcarryx_u32(&x115, &x116, 0x0, x87, x109); + fiat_p256_addcarryx_u32(&x117, &x118, x116, x89, x111); + fiat_p256_addcarryx_u32(&x119, &x120, x118, x91, x113); + fiat_p256_addcarryx_u32(&x121, &x122, x120, x93, (x114 + x106)); + fiat_p256_addcarryx_u32(&x123, &x124, x122, x95, 0x0); + fiat_p256_addcarryx_u32(&x125, &x126, x124, x97, 0x0); + fiat_p256_addcarryx_u32(&x127, &x128, x126, x99, x87); + fiat_p256_addcarryx_u32(&x129, &x130, x128, x101, x103); + fiat_p256_addcarryx_u32(&x131, &x132, x130, (((uint32_t)x102 + x62) + (x86 + x64)), x104); + fiat_p256_mulx_u32(&x133, &x134, x2, 0x4); + fiat_p256_mulx_u32(&x135, &x136, x2, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x137, &x138, x2, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x139, &x140, x2, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x141, &x142, x2, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x143, &x144, x2, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x145, &x146, x2, 0x3); + fiat_p256_addcarryx_u32(&x147, &x148, 0x0, x144, x141); + fiat_p256_addcarryx_u32(&x149, &x150, x148, x142, x139); + fiat_p256_addcarryx_u32(&x151, &x152, x150, x140, x137); + fiat_p256_addcarryx_u32(&x153, &x154, x152, x138, x135); + fiat_p256_addcarryx_u32(&x155, &x156, x154, x136, x133); + fiat_p256_addcarryx_u32(&x157, &x158, 0x0, x117, x145); + fiat_p256_addcarryx_u32(&x159, &x160, x158, x119, x146); + fiat_p256_addcarryx_u32(&x161, &x162, x160, x121, x143); + fiat_p256_addcarryx_u32(&x163, &x164, x162, x123, x147); + fiat_p256_addcarryx_u32(&x165, &x166, x164, x125, x149); + fiat_p256_addcarryx_u32(&x167, &x168, x166, x127, x151); + fiat_p256_addcarryx_u32(&x169, &x170, x168, x129, x153); + fiat_p256_addcarryx_u32(&x171, &x172, x170, x131, x155); + fiat_p256_mulx_u32(&x173, &x174, x157, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x175, &x176, x157, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x177, &x178, x157, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x179, &x180, x157, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x181, &x182, 0x0, x180, x177); + fiat_p256_addcarryx_u32(&x183, &x184, x182, x178, x175); + fiat_p256_addcarryx_u32(&x185, &x186, 0x0, x157, x179); + fiat_p256_addcarryx_u32(&x187, &x188, x186, x159, x181); + fiat_p256_addcarryx_u32(&x189, &x190, x188, x161, x183); + fiat_p256_addcarryx_u32(&x191, &x192, x190, x163, (x184 + x176)); + fiat_p256_addcarryx_u32(&x193, &x194, x192, x165, 0x0); + fiat_p256_addcarryx_u32(&x195, &x196, x194, x167, 0x0); + fiat_p256_addcarryx_u32(&x197, &x198, x196, x169, x157); + fiat_p256_addcarryx_u32(&x199, &x200, x198, x171, x173); + fiat_p256_addcarryx_u32(&x201, &x202, x200, (((uint32_t)x172 + x132) + (x156 + x134)), x174); + fiat_p256_mulx_u32(&x203, &x204, x3, 0x4); + fiat_p256_mulx_u32(&x205, &x206, x3, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x207, &x208, x3, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x209, &x210, x3, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x211, &x212, x3, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x213, &x214, x3, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x215, &x216, x3, 0x3); + fiat_p256_addcarryx_u32(&x217, &x218, 0x0, x214, x211); + fiat_p256_addcarryx_u32(&x219, &x220, x218, x212, x209); + fiat_p256_addcarryx_u32(&x221, &x222, x220, x210, x207); + fiat_p256_addcarryx_u32(&x223, &x224, x222, x208, x205); + fiat_p256_addcarryx_u32(&x225, &x226, x224, x206, x203); + fiat_p256_addcarryx_u32(&x227, &x228, 0x0, x187, x215); + fiat_p256_addcarryx_u32(&x229, &x230, x228, x189, x216); + fiat_p256_addcarryx_u32(&x231, &x232, x230, x191, x213); + fiat_p256_addcarryx_u32(&x233, &x234, x232, x193, x217); + fiat_p256_addcarryx_u32(&x235, &x236, x234, x195, x219); + fiat_p256_addcarryx_u32(&x237, &x238, x236, x197, x221); + fiat_p256_addcarryx_u32(&x239, &x240, x238, x199, x223); + fiat_p256_addcarryx_u32(&x241, &x242, x240, x201, x225); + fiat_p256_mulx_u32(&x243, &x244, x227, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x245, &x246, x227, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x247, &x248, x227, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x249, &x250, x227, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x251, &x252, 0x0, x250, x247); + fiat_p256_addcarryx_u32(&x253, &x254, x252, x248, x245); + fiat_p256_addcarryx_u32(&x255, &x256, 0x0, x227, x249); + fiat_p256_addcarryx_u32(&x257, &x258, x256, x229, x251); + fiat_p256_addcarryx_u32(&x259, &x260, x258, x231, x253); + fiat_p256_addcarryx_u32(&x261, &x262, x260, x233, (x254 + x246)); + fiat_p256_addcarryx_u32(&x263, &x264, x262, x235, 0x0); + fiat_p256_addcarryx_u32(&x265, &x266, x264, x237, 0x0); + fiat_p256_addcarryx_u32(&x267, &x268, x266, x239, x227); + fiat_p256_addcarryx_u32(&x269, &x270, x268, x241, x243); + fiat_p256_addcarryx_u32(&x271, &x272, x270, (((uint32_t)x242 + x202) + (x226 + x204)), x244); + fiat_p256_mulx_u32(&x273, &x274, x4, 0x4); + fiat_p256_mulx_u32(&x275, &x276, x4, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x277, &x278, x4, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x279, &x280, x4, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x281, &x282, x4, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x283, &x284, x4, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x285, &x286, x4, 0x3); + fiat_p256_addcarryx_u32(&x287, &x288, 0x0, x284, x281); + fiat_p256_addcarryx_u32(&x289, &x290, x288, x282, x279); + fiat_p256_addcarryx_u32(&x291, &x292, x290, x280, x277); + fiat_p256_addcarryx_u32(&x293, &x294, x292, x278, x275); + fiat_p256_addcarryx_u32(&x295, &x296, x294, x276, x273); + fiat_p256_addcarryx_u32(&x297, &x298, 0x0, x257, x285); + fiat_p256_addcarryx_u32(&x299, &x300, x298, x259, x286); + fiat_p256_addcarryx_u32(&x301, &x302, x300, x261, x283); + fiat_p256_addcarryx_u32(&x303, &x304, x302, x263, x287); + fiat_p256_addcarryx_u32(&x305, &x306, x304, x265, x289); + fiat_p256_addcarryx_u32(&x307, &x308, x306, x267, x291); + fiat_p256_addcarryx_u32(&x309, &x310, x308, x269, x293); + fiat_p256_addcarryx_u32(&x311, &x312, x310, x271, x295); + fiat_p256_mulx_u32(&x313, &x314, x297, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x315, &x316, x297, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x317, &x318, x297, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x319, &x320, x297, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x321, &x322, 0x0, x320, x317); + fiat_p256_addcarryx_u32(&x323, &x324, x322, x318, x315); + fiat_p256_addcarryx_u32(&x325, &x326, 0x0, x297, x319); + fiat_p256_addcarryx_u32(&x327, &x328, x326, x299, x321); + fiat_p256_addcarryx_u32(&x329, &x330, x328, x301, x323); + fiat_p256_addcarryx_u32(&x331, &x332, x330, x303, (x324 + x316)); + fiat_p256_addcarryx_u32(&x333, &x334, x332, x305, 0x0); + fiat_p256_addcarryx_u32(&x335, &x336, x334, x307, 0x0); + fiat_p256_addcarryx_u32(&x337, &x338, x336, x309, x297); + fiat_p256_addcarryx_u32(&x339, &x340, x338, x311, x313); + fiat_p256_addcarryx_u32(&x341, &x342, x340, (((uint32_t)x312 + x272) + (x296 + x274)), x314); + fiat_p256_mulx_u32(&x343, &x344, x5, 0x4); + fiat_p256_mulx_u32(&x345, &x346, x5, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x347, &x348, x5, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x349, &x350, x5, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x351, &x352, x5, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x353, &x354, x5, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x355, &x356, x5, 0x3); + fiat_p256_addcarryx_u32(&x357, &x358, 0x0, x354, x351); + fiat_p256_addcarryx_u32(&x359, &x360, x358, x352, x349); + fiat_p256_addcarryx_u32(&x361, &x362, x360, x350, x347); + fiat_p256_addcarryx_u32(&x363, &x364, x362, x348, x345); + fiat_p256_addcarryx_u32(&x365, &x366, x364, x346, x343); + fiat_p256_addcarryx_u32(&x367, &x368, 0x0, x327, x355); + fiat_p256_addcarryx_u32(&x369, &x370, x368, x329, x356); + fiat_p256_addcarryx_u32(&x371, &x372, x370, x331, x353); + fiat_p256_addcarryx_u32(&x373, &x374, x372, x333, x357); + fiat_p256_addcarryx_u32(&x375, &x376, x374, x335, x359); + fiat_p256_addcarryx_u32(&x377, &x378, x376, x337, x361); + fiat_p256_addcarryx_u32(&x379, &x380, x378, x339, x363); + fiat_p256_addcarryx_u32(&x381, &x382, x380, x341, x365); + fiat_p256_mulx_u32(&x383, &x384, x367, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x385, &x386, x367, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x387, &x388, x367, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x389, &x390, x367, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x391, &x392, 0x0, x390, x387); + fiat_p256_addcarryx_u32(&x393, &x394, x392, x388, x385); + fiat_p256_addcarryx_u32(&x395, &x396, 0x0, x367, x389); + fiat_p256_addcarryx_u32(&x397, &x398, x396, x369, x391); + fiat_p256_addcarryx_u32(&x399, &x400, x398, x371, x393); + fiat_p256_addcarryx_u32(&x401, &x402, x400, x373, (x394 + x386)); + fiat_p256_addcarryx_u32(&x403, &x404, x402, x375, 0x0); + fiat_p256_addcarryx_u32(&x405, &x406, x404, x377, 0x0); + fiat_p256_addcarryx_u32(&x407, &x408, x406, x379, x367); + fiat_p256_addcarryx_u32(&x409, &x410, x408, x381, x383); + fiat_p256_addcarryx_u32(&x411, &x412, x410, (((uint32_t)x382 + x342) + (x366 + x344)), x384); + fiat_p256_mulx_u32(&x413, &x414, x6, 0x4); + fiat_p256_mulx_u32(&x415, &x416, x6, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x417, &x418, x6, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x419, &x420, x6, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x421, &x422, x6, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x423, &x424, x6, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x425, &x426, x6, 0x3); + fiat_p256_addcarryx_u32(&x427, &x428, 0x0, x424, x421); + fiat_p256_addcarryx_u32(&x429, &x430, x428, x422, x419); + fiat_p256_addcarryx_u32(&x431, &x432, x430, x420, x417); + fiat_p256_addcarryx_u32(&x433, &x434, x432, x418, x415); + fiat_p256_addcarryx_u32(&x435, &x436, x434, x416, x413); + fiat_p256_addcarryx_u32(&x437, &x438, 0x0, x397, x425); + fiat_p256_addcarryx_u32(&x439, &x440, x438, x399, x426); + fiat_p256_addcarryx_u32(&x441, &x442, x440, x401, x423); + fiat_p256_addcarryx_u32(&x443, &x444, x442, x403, x427); + fiat_p256_addcarryx_u32(&x445, &x446, x444, x405, x429); + fiat_p256_addcarryx_u32(&x447, &x448, x446, x407, x431); + fiat_p256_addcarryx_u32(&x449, &x450, x448, x409, x433); + fiat_p256_addcarryx_u32(&x451, &x452, x450, x411, x435); + fiat_p256_mulx_u32(&x453, &x454, x437, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x455, &x456, x437, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x457, &x458, x437, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x459, &x460, x437, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x461, &x462, 0x0, x460, x457); + fiat_p256_addcarryx_u32(&x463, &x464, x462, x458, x455); + fiat_p256_addcarryx_u32(&x465, &x466, 0x0, x437, x459); + fiat_p256_addcarryx_u32(&x467, &x468, x466, x439, x461); + fiat_p256_addcarryx_u32(&x469, &x470, x468, x441, x463); + fiat_p256_addcarryx_u32(&x471, &x472, x470, x443, (x464 + x456)); + fiat_p256_addcarryx_u32(&x473, &x474, x472, x445, 0x0); + fiat_p256_addcarryx_u32(&x475, &x476, x474, x447, 0x0); + fiat_p256_addcarryx_u32(&x477, &x478, x476, x449, x437); + fiat_p256_addcarryx_u32(&x479, &x480, x478, x451, x453); + fiat_p256_addcarryx_u32(&x481, &x482, x480, (((uint32_t)x452 + x412) + (x436 + x414)), x454); + fiat_p256_mulx_u32(&x483, &x484, x7, 0x4); + fiat_p256_mulx_u32(&x485, &x486, x7, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x487, &x488, x7, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x489, &x490, x7, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x491, &x492, x7, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x493, &x494, x7, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x495, &x496, x7, 0x3); + fiat_p256_addcarryx_u32(&x497, &x498, 0x0, x494, x491); + fiat_p256_addcarryx_u32(&x499, &x500, x498, x492, x489); + fiat_p256_addcarryx_u32(&x501, &x502, x500, x490, x487); + fiat_p256_addcarryx_u32(&x503, &x504, x502, x488, x485); + fiat_p256_addcarryx_u32(&x505, &x506, x504, x486, x483); + fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x467, x495); + fiat_p256_addcarryx_u32(&x509, &x510, x508, x469, x496); + fiat_p256_addcarryx_u32(&x511, &x512, x510, x471, x493); + fiat_p256_addcarryx_u32(&x513, &x514, x512, x473, x497); + fiat_p256_addcarryx_u32(&x515, &x516, x514, x475, x499); + fiat_p256_addcarryx_u32(&x517, &x518, x516, x477, x501); + fiat_p256_addcarryx_u32(&x519, &x520, x518, x479, x503); + fiat_p256_addcarryx_u32(&x521, &x522, x520, x481, x505); + fiat_p256_mulx_u32(&x523, &x524, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x531, &x532, 0x0, x530, x527); + fiat_p256_addcarryx_u32(&x533, &x534, x532, x528, x525); + fiat_p256_addcarryx_u32(&x535, &x536, 0x0, x507, x529); + fiat_p256_addcarryx_u32(&x537, &x538, x536, x509, x531); + fiat_p256_addcarryx_u32(&x539, &x540, x538, x511, x533); + fiat_p256_addcarryx_u32(&x541, &x542, x540, x513, (x534 + x526)); + fiat_p256_addcarryx_u32(&x543, &x544, x542, x515, 0x0); + fiat_p256_addcarryx_u32(&x545, &x546, x544, x517, 0x0); + fiat_p256_addcarryx_u32(&x547, &x548, x546, x519, x507); + fiat_p256_addcarryx_u32(&x549, &x550, x548, x521, x523); + fiat_p256_addcarryx_u32(&x551, &x552, x550, (((uint32_t)x522 + x482) + (x506 + x484)), x524); + fiat_p256_subborrowx_u32(&x553, &x554, 0x0, x537, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x555, &x556, x554, x539, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x557, &x558, x556, x541, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x559, &x560, x558, x543, 0x0); + fiat_p256_subborrowx_u32(&x561, &x562, x560, x545, 0x0); + fiat_p256_subborrowx_u32(&x563, &x564, x562, x547, 0x0); + fiat_p256_subborrowx_u32(&x565, &x566, x564, x549, 0x1); + fiat_p256_subborrowx_u32(&x567, &x568, x566, x551, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x569, &x570, x568, x552, 0x0); + fiat_p256_cmovznz_u32(&x571, x570, x553, x537); + fiat_p256_cmovznz_u32(&x572, x570, x555, x539); + fiat_p256_cmovznz_u32(&x573, x570, x557, x541); + fiat_p256_cmovznz_u32(&x574, x570, x559, x543); + fiat_p256_cmovznz_u32(&x575, x570, x561, x545); + fiat_p256_cmovznz_u32(&x576, x570, x563, x547); + fiat_p256_cmovznz_u32(&x577, x570, x565, x549); + fiat_p256_cmovznz_u32(&x578, x570, x567, x551); + out1[0] = x571; + out1[1] = x572; + out1[2] = x573; + out1[3] = x574; + out1[4] = x575; + out1[5] = x576; + out1[6] = x577; + out1[7] = x578; +} + +/* * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2920,13 +3897,15 @@ static void fiat_p256_from_montgomery(uint32_t out1[8], const uint32_t arg1[8]) * Output Bounds: * out1: [0x0 ~> 0xffffffff] */ -static void fiat_p256_nonzero(uint32_t* out1, const uint32_t arg1[8]) { - uint32_t x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | ((arg1[7]) | (uint32_t)0x0)))))))); +static FIAT_P256_FIAT_INLINE void fiat_p256_nonzero(uint32_t* out1, const uint32_t arg1[8]) { + uint32_t x1; + x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7])))))))); *out1 = x1; } /* * The function fiat_p256_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -2937,22 +3916,22 @@ static void fiat_p256_nonzero(uint32_t* out1, const uint32_t arg1[8]) { * Output Bounds: * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_selectznz(uint32_t out1[8], fiat_p256_uint1 arg1, const uint32_t arg2[8], const uint32_t arg3[8]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_selectznz(uint32_t out1[8], fiat_p256_uint1 arg1, const uint32_t arg2[8], const uint32_t arg3[8]) { uint32_t x1; - fiat_p256_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); uint32_t x2; - fiat_p256_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); uint32_t x3; - fiat_p256_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); uint32_t x4; - fiat_p256_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); uint32_t x5; - fiat_p256_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); uint32_t x6; - fiat_p256_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); uint32_t x7; - fiat_p256_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); uint32_t x8; + fiat_p256_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_p256_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_p256_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); + fiat_p256_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); + fiat_p256_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); + fiat_p256_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); + fiat_p256_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); fiat_p256_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); out1[0] = x1; out1[1] = x2; @@ -2965,7 +3944,8 @@ static void fiat_p256_selectznz(uint32_t out1[8], fiat_p256_uint1 arg1, const ui } /* - * The function fiat_p256_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -2976,106 +3956,156 @@ static void fiat_p256_selectznz(uint32_t out1[8], fiat_p256_uint1 arg1, const ui * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ -static void fiat_p256_to_bytes(uint8_t out1[32], const uint32_t arg1[8]) { - uint32_t x1 = (arg1[7]); - uint32_t x2 = (arg1[6]); - uint32_t x3 = (arg1[5]); - uint32_t x4 = (arg1[4]); - uint32_t x5 = (arg1[3]); - uint32_t x6 = (arg1[2]); - uint32_t x7 = (arg1[1]); - uint32_t x8 = (arg1[0]); - uint32_t x9 = (x8 >> 8); - uint8_t x10 = (uint8_t)(x8 & UINT8_C(0xff)); - uint32_t x11 = (x9 >> 8); - uint8_t x12 = (uint8_t)(x9 & UINT8_C(0xff)); - uint8_t x13 = (uint8_t)(x11 >> 8); - uint8_t x14 = (uint8_t)(x11 & UINT8_C(0xff)); - uint8_t x15 = (uint8_t)(x13 & UINT8_C(0xff)); - uint32_t x16 = (x7 >> 8); - uint8_t x17 = (uint8_t)(x7 & UINT8_C(0xff)); - uint32_t x18 = (x16 >> 8); - uint8_t x19 = (uint8_t)(x16 & UINT8_C(0xff)); - uint8_t x20 = (uint8_t)(x18 >> 8); - uint8_t x21 = (uint8_t)(x18 & UINT8_C(0xff)); - uint8_t x22 = (uint8_t)(x20 & UINT8_C(0xff)); - uint32_t x23 = (x6 >> 8); - uint8_t x24 = (uint8_t)(x6 & UINT8_C(0xff)); - uint32_t x25 = (x23 >> 8); - uint8_t x26 = (uint8_t)(x23 & UINT8_C(0xff)); - uint8_t x27 = (uint8_t)(x25 >> 8); - uint8_t x28 = (uint8_t)(x25 & UINT8_C(0xff)); - uint8_t x29 = (uint8_t)(x27 & UINT8_C(0xff)); - uint32_t x30 = (x5 >> 8); - uint8_t x31 = (uint8_t)(x5 & UINT8_C(0xff)); - uint32_t x32 = (x30 >> 8); - uint8_t x33 = (uint8_t)(x30 & UINT8_C(0xff)); - uint8_t x34 = (uint8_t)(x32 >> 8); - uint8_t x35 = (uint8_t)(x32 & UINT8_C(0xff)); - uint8_t x36 = (uint8_t)(x34 & UINT8_C(0xff)); - uint32_t x37 = (x4 >> 8); - uint8_t x38 = (uint8_t)(x4 & UINT8_C(0xff)); - uint32_t x39 = (x37 >> 8); - uint8_t x40 = (uint8_t)(x37 & UINT8_C(0xff)); - uint8_t x41 = (uint8_t)(x39 >> 8); - uint8_t x42 = (uint8_t)(x39 & UINT8_C(0xff)); - uint8_t x43 = (uint8_t)(x41 & UINT8_C(0xff)); - uint32_t x44 = (x3 >> 8); - uint8_t x45 = (uint8_t)(x3 & UINT8_C(0xff)); - uint32_t x46 = (x44 >> 8); - uint8_t x47 = (uint8_t)(x44 & UINT8_C(0xff)); - uint8_t x48 = (uint8_t)(x46 >> 8); - uint8_t x49 = (uint8_t)(x46 & UINT8_C(0xff)); - uint8_t x50 = (uint8_t)(x48 & UINT8_C(0xff)); - uint32_t x51 = (x2 >> 8); - uint8_t x52 = (uint8_t)(x2 & UINT8_C(0xff)); - uint32_t x53 = (x51 >> 8); - uint8_t x54 = (uint8_t)(x51 & UINT8_C(0xff)); - uint8_t x55 = (uint8_t)(x53 >> 8); - uint8_t x56 = (uint8_t)(x53 & UINT8_C(0xff)); - uint8_t x57 = (uint8_t)(x55 & UINT8_C(0xff)); - uint32_t x58 = (x1 >> 8); - uint8_t x59 = (uint8_t)(x1 & UINT8_C(0xff)); - uint32_t x60 = (x58 >> 8); - uint8_t x61 = (uint8_t)(x58 & UINT8_C(0xff)); - uint8_t x62 = (uint8_t)(x60 >> 8); - uint8_t x63 = (uint8_t)(x60 & UINT8_C(0xff)); - out1[0] = x10; - out1[1] = x12; - out1[2] = x14; - out1[3] = x15; - out1[4] = x17; - out1[5] = x19; - out1[6] = x21; - out1[7] = x22; - out1[8] = x24; - out1[9] = x26; - out1[10] = x28; - out1[11] = x29; - out1[12] = x31; - out1[13] = x33; - out1[14] = x35; - out1[15] = x36; - out1[16] = x38; - out1[17] = x40; - out1[18] = x42; - out1[19] = x43; - out1[20] = x45; - out1[21] = x47; - out1[22] = x49; - out1[23] = x50; - out1[24] = x52; - out1[25] = x54; - out1[26] = x56; - out1[27] = x57; - out1[28] = x59; - out1[29] = x61; - out1[30] = x63; - out1[31] = x62; +static FIAT_P256_FIAT_INLINE void fiat_p256_to_bytes(uint8_t out1[32], const uint32_t arg1[8]) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint8_t x9; + uint32_t x10; + uint8_t x11; + uint32_t x12; + uint8_t x13; + uint8_t x14; + uint8_t x15; + uint32_t x16; + uint8_t x17; + uint32_t x18; + uint8_t x19; + uint8_t x20; + uint8_t x21; + uint32_t x22; + uint8_t x23; + uint32_t x24; + uint8_t x25; + uint8_t x26; + uint8_t x27; + uint32_t x28; + uint8_t x29; + uint32_t x30; + uint8_t x31; + uint8_t x32; + uint8_t x33; + uint32_t x34; + uint8_t x35; + uint32_t x36; + uint8_t x37; + uint8_t x38; + uint8_t x39; + uint32_t x40; + uint8_t x41; + uint32_t x42; + uint8_t x43; + uint8_t x44; + uint8_t x45; + uint32_t x46; + uint8_t x47; + uint32_t x48; + uint8_t x49; + uint8_t x50; + uint8_t x51; + uint32_t x52; + uint8_t x53; + uint32_t x54; + uint8_t x55; + uint8_t x56; + x1 = (arg1[7]); + x2 = (arg1[6]); + x3 = (arg1[5]); + x4 = (arg1[4]); + x5 = (arg1[3]); + x6 = (arg1[2]); + x7 = (arg1[1]); + x8 = (arg1[0]); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (uint8_t)(x12 >> 8); + x15 = (uint8_t)(x7 & UINT8_C(0xff)); + x16 = (x7 >> 8); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); + x18 = (x16 >> 8); + x19 = (uint8_t)(x18 & UINT8_C(0xff)); + x20 = (uint8_t)(x18 >> 8); + x21 = (uint8_t)(x6 & UINT8_C(0xff)); + x22 = (x6 >> 8); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); + x24 = (x22 >> 8); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); + x26 = (uint8_t)(x24 >> 8); + x27 = (uint8_t)(x5 & UINT8_C(0xff)); + x28 = (x5 >> 8); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); + x30 = (x28 >> 8); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); + x32 = (uint8_t)(x30 >> 8); + x33 = (uint8_t)(x4 & UINT8_C(0xff)); + x34 = (x4 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (uint8_t)(x36 >> 8); + x39 = (uint8_t)(x3 & UINT8_C(0xff)); + x40 = (x3 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (uint8_t)(x42 >> 8); + x45 = (uint8_t)(x2 & UINT8_C(0xff)); + x46 = (x2 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (uint8_t)(x1 & UINT8_C(0xff)); + x52 = (x1 >> 8); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); + x54 = (x52 >> 8); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); + x56 = (uint8_t)(x54 >> 8); + out1[0] = x9; + out1[1] = x11; + out1[2] = x13; + out1[3] = x14; + out1[4] = x15; + out1[5] = x17; + out1[6] = x19; + out1[7] = x20; + out1[8] = x21; + out1[9] = x23; + out1[10] = x25; + out1[11] = x26; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x38; + out1[20] = x39; + out1[21] = x41; + out1[22] = x43; + out1[23] = x44; + out1[24] = x45; + out1[25] = x47; + out1[26] = x49; + out1[27] = x50; + out1[28] = x51; + out1[29] = x53; + out1[30] = x55; + out1[31] = x56; } /* - * The function fiat_p256_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -3087,61 +4117,644 @@ static void fiat_p256_to_bytes(uint8_t out1[32], const uint32_t arg1[8]) { * Output Bounds: * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_from_bytes(uint32_t out1[8], const uint8_t arg1[32]) { - uint32_t x1 = ((uint32_t)(arg1[31]) << 24); - uint32_t x2 = ((uint32_t)(arg1[30]) << 16); - uint32_t x3 = ((uint32_t)(arg1[29]) << 8); - uint8_t x4 = (arg1[28]); - uint32_t x5 = ((uint32_t)(arg1[27]) << 24); - uint32_t x6 = ((uint32_t)(arg1[26]) << 16); - uint32_t x7 = ((uint32_t)(arg1[25]) << 8); - uint8_t x8 = (arg1[24]); - uint32_t x9 = ((uint32_t)(arg1[23]) << 24); - uint32_t x10 = ((uint32_t)(arg1[22]) << 16); - uint32_t x11 = ((uint32_t)(arg1[21]) << 8); - uint8_t x12 = (arg1[20]); - uint32_t x13 = ((uint32_t)(arg1[19]) << 24); - uint32_t x14 = ((uint32_t)(arg1[18]) << 16); - uint32_t x15 = ((uint32_t)(arg1[17]) << 8); - uint8_t x16 = (arg1[16]); - uint32_t x17 = ((uint32_t)(arg1[15]) << 24); - uint32_t x18 = ((uint32_t)(arg1[14]) << 16); - uint32_t x19 = ((uint32_t)(arg1[13]) << 8); - uint8_t x20 = (arg1[12]); - uint32_t x21 = ((uint32_t)(arg1[11]) << 24); - uint32_t x22 = ((uint32_t)(arg1[10]) << 16); - uint32_t x23 = ((uint32_t)(arg1[9]) << 8); - uint8_t x24 = (arg1[8]); - uint32_t x25 = ((uint32_t)(arg1[7]) << 24); - uint32_t x26 = ((uint32_t)(arg1[6]) << 16); - uint32_t x27 = ((uint32_t)(arg1[5]) << 8); - uint8_t x28 = (arg1[4]); - uint32_t x29 = ((uint32_t)(arg1[3]) << 24); - uint32_t x30 = ((uint32_t)(arg1[2]) << 16); - uint32_t x31 = ((uint32_t)(arg1[1]) << 8); - uint8_t x32 = (arg1[0]); - uint32_t x33 = (x32 + (x31 + (x30 + x29))); - uint32_t x34 = (x33 & UINT32_C(0xffffffff)); - uint32_t x35 = (x4 + (x3 + (x2 + x1))); - uint32_t x36 = (x8 + (x7 + (x6 + x5))); - uint32_t x37 = (x12 + (x11 + (x10 + x9))); - uint32_t x38 = (x16 + (x15 + (x14 + x13))); - uint32_t x39 = (x20 + (x19 + (x18 + x17))); - uint32_t x40 = (x24 + (x23 + (x22 + x21))); - uint32_t x41 = (x28 + (x27 + (x26 + x25))); - uint32_t x42 = (x41 & UINT32_C(0xffffffff)); - uint32_t x43 = (x40 & UINT32_C(0xffffffff)); - uint32_t x44 = (x39 & UINT32_C(0xffffffff)); - uint32_t x45 = (x38 & UINT32_C(0xffffffff)); - uint32_t x46 = (x37 & UINT32_C(0xffffffff)); - uint32_t x47 = (x36 & UINT32_C(0xffffffff)); - out1[0] = x34; - out1[1] = x42; - out1[2] = x43; +static FIAT_P256_FIAT_INLINE void fiat_p256_from_bytes(uint32_t out1[8], const uint8_t arg1[32]) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint8_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint8_t x8; + uint32_t x9; + uint32_t x10; + uint32_t x11; + uint8_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint8_t x16; + uint32_t x17; + uint32_t x18; + uint32_t x19; + uint8_t x20; + uint32_t x21; + uint32_t x22; + uint32_t x23; + uint8_t x24; + uint32_t x25; + uint32_t x26; + uint32_t x27; + uint8_t x28; + uint32_t x29; + uint32_t x30; + uint32_t x31; + uint8_t x32; + uint32_t x33; + uint32_t x34; + uint32_t x35; + uint32_t x36; + uint32_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + uint32_t x42; + uint32_t x43; + uint32_t x44; + uint32_t x45; + uint32_t x46; + uint32_t x47; + uint32_t x48; + uint32_t x49; + uint32_t x50; + uint32_t x51; + uint32_t x52; + uint32_t x53; + uint32_t x54; + uint32_t x55; + uint32_t x56; + x1 = ((uint32_t)(arg1[31]) << 24); + x2 = ((uint32_t)(arg1[30]) << 16); + x3 = ((uint32_t)(arg1[29]) << 8); + x4 = (arg1[28]); + x5 = ((uint32_t)(arg1[27]) << 24); + x6 = ((uint32_t)(arg1[26]) << 16); + x7 = ((uint32_t)(arg1[25]) << 8); + x8 = (arg1[24]); + x9 = ((uint32_t)(arg1[23]) << 24); + x10 = ((uint32_t)(arg1[22]) << 16); + x11 = ((uint32_t)(arg1[21]) << 8); + x12 = (arg1[20]); + x13 = ((uint32_t)(arg1[19]) << 24); + x14 = ((uint32_t)(arg1[18]) << 16); + x15 = ((uint32_t)(arg1[17]) << 8); + x16 = (arg1[16]); + x17 = ((uint32_t)(arg1[15]) << 24); + x18 = ((uint32_t)(arg1[14]) << 16); + x19 = ((uint32_t)(arg1[13]) << 8); + x20 = (arg1[12]); + x21 = ((uint32_t)(arg1[11]) << 24); + x22 = ((uint32_t)(arg1[10]) << 16); + x23 = ((uint32_t)(arg1[9]) << 8); + x24 = (arg1[8]); + x25 = ((uint32_t)(arg1[7]) << 24); + x26 = ((uint32_t)(arg1[6]) << 16); + x27 = ((uint32_t)(arg1[5]) << 8); + x28 = (arg1[4]); + x29 = ((uint32_t)(arg1[3]) << 24); + x30 = ((uint32_t)(arg1[2]) << 16); + x31 = ((uint32_t)(arg1[1]) << 8); + x32 = (arg1[0]); + x33 = (x31 + (uint32_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x27 + (uint32_t)x28); + x37 = (x26 + x36); + x38 = (x25 + x37); + x39 = (x23 + (uint32_t)x24); + x40 = (x22 + x39); + x41 = (x21 + x40); + x42 = (x19 + (uint32_t)x20); + x43 = (x18 + x42); + x44 = (x17 + x43); + x45 = (x15 + (uint32_t)x16); + x46 = (x14 + x45); + x47 = (x13 + x46); + x48 = (x11 + (uint32_t)x12); + x49 = (x10 + x48); + x50 = (x9 + x49); + x51 = (x7 + (uint32_t)x8); + x52 = (x6 + x51); + x53 = (x5 + x52); + x54 = (x3 + (uint32_t)x4); + x55 = (x2 + x54); + x56 = (x1 + x55); + out1[0] = x35; + out1[1] = x38; + out1[2] = x41; out1[3] = x44; - out1[4] = x45; - out1[5] = x46; - out1[6] = x47; - out1[7] = x35; + out1[4] = x47; + out1[5] = x50; + out1[6] = x53; + out1[7] = x56; +} + +/* + * The function fiat_p256_set_one returns the field element one in the Montgomery domain. + * + * Postconditions: + * eval (from_montgomery out1) mod m = 1 mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) { + out1[0] = 0x1; + out1[1] = 0x0; + out1[2] = 0x0; + out1[3] = UINT32_C(0xffffffff); + out1[4] = UINT32_C(0xffffffff); + out1[5] = UINT32_C(0xffffffff); + out1[6] = UINT32_C(0xfffffffe); + out1[7] = 0x0; } +/* + * The function fiat_p256_msat returns the saturated representation of the prime modulus. + * + * Postconditions: + * twos_complement_eval out1 = m + * 0 ≤ eval out1 < m + * + * Output Bounds: + * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_msat(uint32_t out1[9]) { + out1[0] = UINT32_C(0xffffffff); + out1[1] = UINT32_C(0xffffffff); + out1[2] = UINT32_C(0xffffffff); + out1[3] = 0x0; + out1[4] = 0x0; + out1[5] = 0x0; + out1[6] = 0x1; + out1[7] = UINT32_C(0xffffffff); + out1[8] = 0x0; +} + +/* + * The function fiat_p256_divstep computes a divstep. + * + * Preconditions: + * 0 ≤ eval arg4 < m + * 0 ≤ eval arg5 < m + * Postconditions: + * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) + * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) + * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) + * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) + * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) + * 0 ≤ eval out5 < m + * 0 ≤ eval out5 < m + * 0 ≤ eval out2 < m + * 0 ≤ eval out3 < m + * + * Input Bounds: + * arg1: [0x0 ~> 0xffffffff] + * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * Output Bounds: + * out1: [0x0 ~> 0xffffffff] + * out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_divstep(uint32_t* out1, uint32_t out2[9], uint32_t out3[9], uint32_t out4[8], uint32_t out5[8], uint32_t arg1, const uint32_t arg2[9], const uint32_t arg3[9], const uint32_t arg4[8], const uint32_t arg5[8]) { + uint32_t x1; + fiat_p256_uint1 x2; + fiat_p256_uint1 x3; + uint32_t x4; + fiat_p256_uint1 x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + uint32_t x11; + uint32_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint32_t x16; + fiat_p256_uint1 x17; + uint32_t x18; + fiat_p256_uint1 x19; + uint32_t x20; + fiat_p256_uint1 x21; + uint32_t x22; + fiat_p256_uint1 x23; + uint32_t x24; + fiat_p256_uint1 x25; + uint32_t x26; + fiat_p256_uint1 x27; + uint32_t x28; + fiat_p256_uint1 x29; + uint32_t x30; + fiat_p256_uint1 x31; + uint32_t x32; + fiat_p256_uint1 x33; + uint32_t x34; + uint32_t x35; + uint32_t x36; + uint32_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + uint32_t x42; + uint32_t x43; + uint32_t x44; + uint32_t x45; + uint32_t x46; + uint32_t x47; + uint32_t x48; + uint32_t x49; + uint32_t x50; + uint32_t x51; + fiat_p256_uint1 x52; + uint32_t x53; + fiat_p256_uint1 x54; + uint32_t x55; + fiat_p256_uint1 x56; + uint32_t x57; + fiat_p256_uint1 x58; + uint32_t x59; + fiat_p256_uint1 x60; + uint32_t x61; + fiat_p256_uint1 x62; + uint32_t x63; + fiat_p256_uint1 x64; + uint32_t x65; + fiat_p256_uint1 x66; + uint32_t x67; + fiat_p256_uint1 x68; + uint32_t x69; + fiat_p256_uint1 x70; + uint32_t x71; + fiat_p256_uint1 x72; + uint32_t x73; + fiat_p256_uint1 x74; + uint32_t x75; + fiat_p256_uint1 x76; + uint32_t x77; + fiat_p256_uint1 x78; + uint32_t x79; + fiat_p256_uint1 x80; + uint32_t x81; + fiat_p256_uint1 x82; + uint32_t x83; + fiat_p256_uint1 x84; + uint32_t x85; + uint32_t x86; + uint32_t x87; + uint32_t x88; + uint32_t x89; + uint32_t x90; + uint32_t x91; + uint32_t x92; + uint32_t x93; + fiat_p256_uint1 x94; + uint32_t x95; + fiat_p256_uint1 x96; + uint32_t x97; + fiat_p256_uint1 x98; + uint32_t x99; + fiat_p256_uint1 x100; + uint32_t x101; + fiat_p256_uint1 x102; + uint32_t x103; + fiat_p256_uint1 x104; + uint32_t x105; + fiat_p256_uint1 x106; + uint32_t x107; + fiat_p256_uint1 x108; + uint32_t x109; + uint32_t x110; + fiat_p256_uint1 x111; + uint32_t x112; + fiat_p256_uint1 x113; + uint32_t x114; + fiat_p256_uint1 x115; + uint32_t x116; + fiat_p256_uint1 x117; + uint32_t x118; + fiat_p256_uint1 x119; + uint32_t x120; + fiat_p256_uint1 x121; + uint32_t x122; + fiat_p256_uint1 x123; + uint32_t x124; + fiat_p256_uint1 x125; + uint32_t x126; + uint32_t x127; + uint32_t x128; + uint32_t x129; + uint32_t x130; + uint32_t x131; + uint32_t x132; + uint32_t x133; + fiat_p256_uint1 x134; + uint32_t x135; + uint32_t x136; + uint32_t x137; + uint32_t x138; + uint32_t x139; + uint32_t x140; + uint32_t x141; + uint32_t x142; + uint32_t x143; + uint32_t x144; + fiat_p256_uint1 x145; + uint32_t x146; + fiat_p256_uint1 x147; + uint32_t x148; + fiat_p256_uint1 x149; + uint32_t x150; + fiat_p256_uint1 x151; + uint32_t x152; + fiat_p256_uint1 x153; + uint32_t x154; + fiat_p256_uint1 x155; + uint32_t x156; + fiat_p256_uint1 x157; + uint32_t x158; + fiat_p256_uint1 x159; + uint32_t x160; + fiat_p256_uint1 x161; + uint32_t x162; + uint32_t x163; + uint32_t x164; + uint32_t x165; + uint32_t x166; + uint32_t x167; + uint32_t x168; + uint32_t x169; + uint32_t x170; + fiat_p256_uint1 x171; + uint32_t x172; + fiat_p256_uint1 x173; + uint32_t x174; + fiat_p256_uint1 x175; + uint32_t x176; + fiat_p256_uint1 x177; + uint32_t x178; + fiat_p256_uint1 x179; + uint32_t x180; + fiat_p256_uint1 x181; + uint32_t x182; + fiat_p256_uint1 x183; + uint32_t x184; + fiat_p256_uint1 x185; + uint32_t x186; + fiat_p256_uint1 x187; + uint32_t x188; + fiat_p256_uint1 x189; + uint32_t x190; + fiat_p256_uint1 x191; + uint32_t x192; + fiat_p256_uint1 x193; + uint32_t x194; + fiat_p256_uint1 x195; + uint32_t x196; + fiat_p256_uint1 x197; + uint32_t x198; + fiat_p256_uint1 x199; + uint32_t x200; + fiat_p256_uint1 x201; + uint32_t x202; + fiat_p256_uint1 x203; + uint32_t x204; + fiat_p256_uint1 x205; + uint32_t x206; + uint32_t x207; + uint32_t x208; + uint32_t x209; + uint32_t x210; + uint32_t x211; + uint32_t x212; + uint32_t x213; + uint32_t x214; + uint32_t x215; + uint32_t x216; + uint32_t x217; + uint32_t x218; + uint32_t x219; + uint32_t x220; + uint32_t x221; + uint32_t x222; + uint32_t x223; + uint32_t x224; + uint32_t x225; + uint32_t x226; + uint32_t x227; + uint32_t x228; + uint32_t x229; + uint32_t x230; + fiat_p256_addcarryx_u32(&x1, &x2, 0x0, (~arg1), 0x1); + x3 = (fiat_p256_uint1)((fiat_p256_uint1)(x1 >> 31) & (fiat_p256_uint1)((arg3[0]) & 0x1)); + fiat_p256_addcarryx_u32(&x4, &x5, 0x0, (~arg1), 0x1); + fiat_p256_cmovznz_u32(&x6, x3, arg1, x4); + fiat_p256_cmovznz_u32(&x7, x3, (arg2[0]), (arg3[0])); + fiat_p256_cmovznz_u32(&x8, x3, (arg2[1]), (arg3[1])); + fiat_p256_cmovznz_u32(&x9, x3, (arg2[2]), (arg3[2])); + fiat_p256_cmovznz_u32(&x10, x3, (arg2[3]), (arg3[3])); + fiat_p256_cmovznz_u32(&x11, x3, (arg2[4]), (arg3[4])); + fiat_p256_cmovznz_u32(&x12, x3, (arg2[5]), (arg3[5])); + fiat_p256_cmovznz_u32(&x13, x3, (arg2[6]), (arg3[6])); + fiat_p256_cmovznz_u32(&x14, x3, (arg2[7]), (arg3[7])); + fiat_p256_cmovznz_u32(&x15, x3, (arg2[8]), (arg3[8])); + fiat_p256_addcarryx_u32(&x16, &x17, 0x0, 0x1, (~(arg2[0]))); + fiat_p256_addcarryx_u32(&x18, &x19, x17, 0x0, (~(arg2[1]))); + fiat_p256_addcarryx_u32(&x20, &x21, x19, 0x0, (~(arg2[2]))); + fiat_p256_addcarryx_u32(&x22, &x23, x21, 0x0, (~(arg2[3]))); + fiat_p256_addcarryx_u32(&x24, &x25, x23, 0x0, (~(arg2[4]))); + fiat_p256_addcarryx_u32(&x26, &x27, x25, 0x0, (~(arg2[5]))); + fiat_p256_addcarryx_u32(&x28, &x29, x27, 0x0, (~(arg2[6]))); + fiat_p256_addcarryx_u32(&x30, &x31, x29, 0x0, (~(arg2[7]))); + fiat_p256_addcarryx_u32(&x32, &x33, x31, 0x0, (~(arg2[8]))); + fiat_p256_cmovznz_u32(&x34, x3, (arg3[0]), x16); + fiat_p256_cmovznz_u32(&x35, x3, (arg3[1]), x18); + fiat_p256_cmovznz_u32(&x36, x3, (arg3[2]), x20); + fiat_p256_cmovznz_u32(&x37, x3, (arg3[3]), x22); + fiat_p256_cmovznz_u32(&x38, x3, (arg3[4]), x24); + fiat_p256_cmovznz_u32(&x39, x3, (arg3[5]), x26); + fiat_p256_cmovznz_u32(&x40, x3, (arg3[6]), x28); + fiat_p256_cmovznz_u32(&x41, x3, (arg3[7]), x30); + fiat_p256_cmovznz_u32(&x42, x3, (arg3[8]), x32); + fiat_p256_cmovznz_u32(&x43, x3, (arg4[0]), (arg5[0])); + fiat_p256_cmovznz_u32(&x44, x3, (arg4[1]), (arg5[1])); + fiat_p256_cmovznz_u32(&x45, x3, (arg4[2]), (arg5[2])); + fiat_p256_cmovznz_u32(&x46, x3, (arg4[3]), (arg5[3])); + fiat_p256_cmovznz_u32(&x47, x3, (arg4[4]), (arg5[4])); + fiat_p256_cmovznz_u32(&x48, x3, (arg4[5]), (arg5[5])); + fiat_p256_cmovznz_u32(&x49, x3, (arg4[6]), (arg5[6])); + fiat_p256_cmovznz_u32(&x50, x3, (arg4[7]), (arg5[7])); + fiat_p256_addcarryx_u32(&x51, &x52, 0x0, x43, x43); + fiat_p256_addcarryx_u32(&x53, &x54, x52, x44, x44); + fiat_p256_addcarryx_u32(&x55, &x56, x54, x45, x45); + fiat_p256_addcarryx_u32(&x57, &x58, x56, x46, x46); + fiat_p256_addcarryx_u32(&x59, &x60, x58, x47, x47); + fiat_p256_addcarryx_u32(&x61, &x62, x60, x48, x48); + fiat_p256_addcarryx_u32(&x63, &x64, x62, x49, x49); + fiat_p256_addcarryx_u32(&x65, &x66, x64, x50, x50); + fiat_p256_subborrowx_u32(&x67, &x68, 0x0, x51, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x69, &x70, x68, x53, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x71, &x72, x70, x55, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x73, &x74, x72, x57, 0x0); + fiat_p256_subborrowx_u32(&x75, &x76, x74, x59, 0x0); + fiat_p256_subborrowx_u32(&x77, &x78, x76, x61, 0x0); + fiat_p256_subborrowx_u32(&x79, &x80, x78, x63, 0x1); + fiat_p256_subborrowx_u32(&x81, &x82, x80, x65, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x83, &x84, x82, x66, 0x0); + x85 = (arg4[7]); + x86 = (arg4[6]); + x87 = (arg4[5]); + x88 = (arg4[4]); + x89 = (arg4[3]); + x90 = (arg4[2]); + x91 = (arg4[1]); + x92 = (arg4[0]); + fiat_p256_subborrowx_u32(&x93, &x94, 0x0, 0x0, x92); + fiat_p256_subborrowx_u32(&x95, &x96, x94, 0x0, x91); + fiat_p256_subborrowx_u32(&x97, &x98, x96, 0x0, x90); + fiat_p256_subborrowx_u32(&x99, &x100, x98, 0x0, x89); + fiat_p256_subborrowx_u32(&x101, &x102, x100, 0x0, x88); + fiat_p256_subborrowx_u32(&x103, &x104, x102, 0x0, x87); + fiat_p256_subborrowx_u32(&x105, &x106, x104, 0x0, x86); + fiat_p256_subborrowx_u32(&x107, &x108, x106, 0x0, x85); + fiat_p256_cmovznz_u32(&x109, x108, 0x0, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x110, &x111, 0x0, x93, x109); + fiat_p256_addcarryx_u32(&x112, &x113, x111, x95, x109); + fiat_p256_addcarryx_u32(&x114, &x115, x113, x97, x109); + fiat_p256_addcarryx_u32(&x116, &x117, x115, x99, 0x0); + fiat_p256_addcarryx_u32(&x118, &x119, x117, x101, 0x0); + fiat_p256_addcarryx_u32(&x120, &x121, x119, x103, 0x0); + fiat_p256_addcarryx_u32(&x122, &x123, x121, x105, (fiat_p256_uint1)(x109 & 0x1)); + fiat_p256_addcarryx_u32(&x124, &x125, x123, x107, x109); + fiat_p256_cmovznz_u32(&x126, x3, (arg5[0]), x110); + fiat_p256_cmovznz_u32(&x127, x3, (arg5[1]), x112); + fiat_p256_cmovznz_u32(&x128, x3, (arg5[2]), x114); + fiat_p256_cmovznz_u32(&x129, x3, (arg5[3]), x116); + fiat_p256_cmovznz_u32(&x130, x3, (arg5[4]), x118); + fiat_p256_cmovznz_u32(&x131, x3, (arg5[5]), x120); + fiat_p256_cmovznz_u32(&x132, x3, (arg5[6]), x122); + fiat_p256_cmovznz_u32(&x133, x3, (arg5[7]), x124); + x134 = (fiat_p256_uint1)(x34 & 0x1); + fiat_p256_cmovznz_u32(&x135, x134, 0x0, x7); + fiat_p256_cmovznz_u32(&x136, x134, 0x0, x8); + fiat_p256_cmovznz_u32(&x137, x134, 0x0, x9); + fiat_p256_cmovznz_u32(&x138, x134, 0x0, x10); + fiat_p256_cmovznz_u32(&x139, x134, 0x0, x11); + fiat_p256_cmovznz_u32(&x140, x134, 0x0, x12); + fiat_p256_cmovznz_u32(&x141, x134, 0x0, x13); + fiat_p256_cmovznz_u32(&x142, x134, 0x0, x14); + fiat_p256_cmovznz_u32(&x143, x134, 0x0, x15); + fiat_p256_addcarryx_u32(&x144, &x145, 0x0, x34, x135); + fiat_p256_addcarryx_u32(&x146, &x147, x145, x35, x136); + fiat_p256_addcarryx_u32(&x148, &x149, x147, x36, x137); + fiat_p256_addcarryx_u32(&x150, &x151, x149, x37, x138); + fiat_p256_addcarryx_u32(&x152, &x153, x151, x38, x139); + fiat_p256_addcarryx_u32(&x154, &x155, x153, x39, x140); + fiat_p256_addcarryx_u32(&x156, &x157, x155, x40, x141); + fiat_p256_addcarryx_u32(&x158, &x159, x157, x41, x142); + fiat_p256_addcarryx_u32(&x160, &x161, x159, x42, x143); + fiat_p256_cmovznz_u32(&x162, x134, 0x0, x43); + fiat_p256_cmovznz_u32(&x163, x134, 0x0, x44); + fiat_p256_cmovznz_u32(&x164, x134, 0x0, x45); + fiat_p256_cmovznz_u32(&x165, x134, 0x0, x46); + fiat_p256_cmovznz_u32(&x166, x134, 0x0, x47); + fiat_p256_cmovznz_u32(&x167, x134, 0x0, x48); + fiat_p256_cmovznz_u32(&x168, x134, 0x0, x49); + fiat_p256_cmovznz_u32(&x169, x134, 0x0, x50); + fiat_p256_addcarryx_u32(&x170, &x171, 0x0, x126, x162); + fiat_p256_addcarryx_u32(&x172, &x173, x171, x127, x163); + fiat_p256_addcarryx_u32(&x174, &x175, x173, x128, x164); + fiat_p256_addcarryx_u32(&x176, &x177, x175, x129, x165); + fiat_p256_addcarryx_u32(&x178, &x179, x177, x130, x166); + fiat_p256_addcarryx_u32(&x180, &x181, x179, x131, x167); + fiat_p256_addcarryx_u32(&x182, &x183, x181, x132, x168); + fiat_p256_addcarryx_u32(&x184, &x185, x183, x133, x169); + fiat_p256_subborrowx_u32(&x186, &x187, 0x0, x170, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x188, &x189, x187, x172, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x190, &x191, x189, x174, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x192, &x193, x191, x176, 0x0); + fiat_p256_subborrowx_u32(&x194, &x195, x193, x178, 0x0); + fiat_p256_subborrowx_u32(&x196, &x197, x195, x180, 0x0); + fiat_p256_subborrowx_u32(&x198, &x199, x197, x182, 0x1); + fiat_p256_subborrowx_u32(&x200, &x201, x199, x184, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x202, &x203, x201, x185, 0x0); + fiat_p256_addcarryx_u32(&x204, &x205, 0x0, x6, 0x1); + x206 = ((x144 >> 1) | ((x146 << 31) & UINT32_C(0xffffffff))); + x207 = ((x146 >> 1) | ((x148 << 31) & UINT32_C(0xffffffff))); + x208 = ((x148 >> 1) | ((x150 << 31) & UINT32_C(0xffffffff))); + x209 = ((x150 >> 1) | ((x152 << 31) & UINT32_C(0xffffffff))); + x210 = ((x152 >> 1) | ((x154 << 31) & UINT32_C(0xffffffff))); + x211 = ((x154 >> 1) | ((x156 << 31) & UINT32_C(0xffffffff))); + x212 = ((x156 >> 1) | ((x158 << 31) & UINT32_C(0xffffffff))); + x213 = ((x158 >> 1) | ((x160 << 31) & UINT32_C(0xffffffff))); + x214 = ((x160 & UINT32_C(0x80000000)) | (x160 >> 1)); + fiat_p256_cmovznz_u32(&x215, x84, x67, x51); + fiat_p256_cmovznz_u32(&x216, x84, x69, x53); + fiat_p256_cmovznz_u32(&x217, x84, x71, x55); + fiat_p256_cmovznz_u32(&x218, x84, x73, x57); + fiat_p256_cmovznz_u32(&x219, x84, x75, x59); + fiat_p256_cmovznz_u32(&x220, x84, x77, x61); + fiat_p256_cmovznz_u32(&x221, x84, x79, x63); + fiat_p256_cmovznz_u32(&x222, x84, x81, x65); + fiat_p256_cmovznz_u32(&x223, x203, x186, x170); + fiat_p256_cmovznz_u32(&x224, x203, x188, x172); + fiat_p256_cmovznz_u32(&x225, x203, x190, x174); + fiat_p256_cmovznz_u32(&x226, x203, x192, x176); + fiat_p256_cmovznz_u32(&x227, x203, x194, x178); + fiat_p256_cmovznz_u32(&x228, x203, x196, x180); + fiat_p256_cmovznz_u32(&x229, x203, x198, x182); + fiat_p256_cmovznz_u32(&x230, x203, x200, x184); + *out1 = x204; + out2[0] = x7; + out2[1] = x8; + out2[2] = x9; + out2[3] = x10; + out2[4] = x11; + out2[5] = x12; + out2[6] = x13; + out2[7] = x14; + out2[8] = x15; + out3[0] = x206; + out3[1] = x207; + out3[2] = x208; + out3[3] = x209; + out3[4] = x210; + out3[5] = x211; + out3[6] = x212; + out3[7] = x213; + out3[8] = x214; + out4[0] = x215; + out4[1] = x216; + out4[2] = x217; + out4[3] = x218; + out4[4] = x219; + out4[5] = x220; + out4[6] = x221; + out4[7] = x222; + out5[0] = x223; + out5[1] = x224; + out5[2] = x225; + out5[3] = x226; + out5[4] = x227; + out5[5] = x228; + out5[6] = x229; + out5[7] = x230; +} + +/* + * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * + * Postconditions: + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) + * 0 ≤ eval out1 < m + * + * Output Bounds: + * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_divstep_precomp(uint32_t out1[8]) { + out1[0] = UINT32_C(0xb8000000); + out1[1] = UINT32_C(0x67ffffff); + out1[2] = UINT32_C(0x38000000); + out1[3] = UINT32_C(0xc0000000); + out1[4] = UINT32_C(0x7fffffff); + out1[5] = UINT32_C(0xd8000000); + out1[6] = UINT32_C(0xffffffff); + out1[7] = UINT32_C(0x2fffffff); +} diff --git a/src/third_party/fiat/p256_64.h b/src/third_party/fiat/p256_64.h index 773266a0..c7726384 100644 --- a/src/third_party/fiat/p256_64.h +++ b/src/third_party/fiat/p256_64.h @@ -1,8 +1,8 @@ -/* Autogenerated: src/ExtractionOCaml/word_by_word_montgomery --static p256 '2^256 - 2^224 + 2^192 + 2^96 - 1' 64 mul square add sub opp from_montgomery nonzero selectznz to_bytes from_bytes */ +/* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */ /* curve description: p256 */ -/* requested operations: mul, square, add, sub, opp, from_montgomery, nonzero, selectznz, to_bytes, from_bytes */ -/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") */ /* machine_wordsize = 64 (from "64") */ +/* requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp */ +/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") */ /* */ /* NOTE: In addition to the bounds specified above each function, all */ /* functions synthesized for this Montgomery arithmetic require the */ @@ -10,20 +10,52 @@ /* require the input to be in the unique saturated representation. */ /* All functions also ensure that these two properties are true of */ /* return values. */ +/* */ +/* Computed values: */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include <stdint.h> typedef unsigned char fiat_p256_uint1; typedef signed char fiat_p256_int1; -typedef signed __int128 fiat_p256_int128; -typedef unsigned __int128 fiat_p256_uint128; +#if defined(__GNUC__) || defined(__clang__) +# define FIAT_P256_FIAT_EXTENSION __extension__ +# define FIAT_P256_FIAT_INLINE __inline__ +#else +# define FIAT_P256_FIAT_EXTENSION +# define FIAT_P256_FIAT_INLINE +#endif + +FIAT_P256_FIAT_EXTENSION typedef signed __int128 fiat_p256_int128; +FIAT_P256_FIAT_EXTENSION typedef unsigned __int128 fiat_p256_uint128; + +/* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */ +/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ +typedef uint64_t fiat_p256_montgomery_domain_field_element[4]; + +/* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ +/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ +typedef uint64_t fiat_p256_non_montgomery_domain_field_element[4]; #if (-1 & 3) != 3 #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_P256_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t fiat_p256_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +# define fiat_p256_value_barrier_u64(x) (x) +#endif + /* * The function fiat_p256_addcarryx_u64 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^64 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ @@ -36,16 +68,20 @@ typedef unsigned __int128 fiat_p256_uint128; * out1: [0x0 ~> 0xffffffffffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { - fiat_p256_uint128 x1 = ((arg1 + (fiat_p256_uint128)arg2) + arg3); - uint64_t x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); - fiat_p256_uint1 x3 = (fiat_p256_uint1)(x1 >> 64); +static FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_p256_uint128 x1; + uint64_t x2; + fiat_p256_uint1 x3; + x1 = ((arg1 + (fiat_p256_uint128)arg2) + arg3); + x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); + x3 = (fiat_p256_uint1)(x1 >> 64); *out1 = x2; *out2 = x3; } /* * The function fiat_p256_subborrowx_u64 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^64 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ @@ -58,16 +94,20 @@ static void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_ * out1: [0x0 ~> 0xffffffffffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { - fiat_p256_int128 x1 = ((arg2 - (fiat_p256_int128)arg1) - arg3); - fiat_p256_int1 x2 = (fiat_p256_int1)(x1 >> 64); - uint64_t x3 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); +static FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_p256_int128 x1; + fiat_p256_int1 x2; + uint64_t x3; + x1 = ((arg2 - (fiat_p256_int128)arg1) - arg3); + x2 = (fiat_p256_int1)(x1 >> 64); + x3 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); *out1 = x3; *out2 = (fiat_p256_uint1)(0x0 - x2); } /* * The function fiat_p256_mulx_u64 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^64 * out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -79,16 +119,20 @@ static void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat * out1: [0x0 ~> 0xffffffffffffffff] * out2: [0x0 ~> 0xffffffffffffffff] */ -static void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { - fiat_p256_uint128 x1 = ((fiat_p256_uint128)arg1 * arg2); - uint64_t x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); - uint64_t x3 = (uint64_t)(x1 >> 64); +static FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { + fiat_p256_uint128 x1; + uint64_t x2; + uint64_t x3; + x1 = ((fiat_p256_uint128)arg1 * arg2); + x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); + x3 = (uint64_t)(x1 >> 64); *out1 = x2; *out2 = x3; } /* * The function fiat_p256_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * @@ -99,21 +143,19 @@ static void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, ui * Output Bounds: * out1: [0x0 ~> 0xffffffffffffffff] */ -static void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { - fiat_p256_uint1 x1 = (!(!arg1)); - uint64_t x2 = ((fiat_p256_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - // Note this line has been patched from the synthesized code to add value - // barriers. - // - // Clang recognizes this pattern as a select. While it usually transforms it - // to a cmov, it sometimes further transforms it into a branch, which we do - // not want. - uint64_t x3 = ((value_barrier_u64(x2) & arg3) | (value_barrier_u64(~x2) & arg2)); +static FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_p256_uint1 x1; + uint64_t x2; + uint64_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_p256_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); + x3 = ((fiat_p256_value_barrier_u64(x2) & arg3) | (fiat_p256_value_barrier_u64((~x2)) & arg2)); *out1 = x3; } /* * The function fiat_p256_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -121,287 +163,297 @@ static void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { - uint64_t x1 = (arg1[1]); - uint64_t x2 = (arg1[2]); - uint64_t x3 = (arg1[3]); - uint64_t x4 = (arg1[0]); +static FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; uint64_t x5; uint64_t x6; - fiat_p256_mulx_u64(&x5, &x6, x4, (arg2[3])); uint64_t x7; uint64_t x8; - fiat_p256_mulx_u64(&x7, &x8, x4, (arg2[2])); uint64_t x9; uint64_t x10; - fiat_p256_mulx_u64(&x9, &x10, x4, (arg2[1])); uint64_t x11; uint64_t x12; - fiat_p256_mulx_u64(&x11, &x12, x4, (arg2[0])); uint64_t x13; fiat_p256_uint1 x14; - fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); uint64_t x15; fiat_p256_uint1 x16; - fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); uint64_t x17; fiat_p256_uint1 x18; - fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); - uint64_t x19 = (x18 + x6); + uint64_t x19; uint64_t x20; uint64_t x21; - fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001)); uint64_t x22; uint64_t x23; - fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff)); uint64_t x24; uint64_t x25; - fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff)); uint64_t x26; fiat_p256_uint1 x27; - fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22); - uint64_t x28 = (x27 + x23); + uint64_t x28; uint64_t x29; fiat_p256_uint1 x30; - fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24); uint64_t x31; fiat_p256_uint1 x32; - fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26); uint64_t x33; fiat_p256_uint1 x34; - fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28); uint64_t x35; fiat_p256_uint1 x36; - fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20); uint64_t x37; fiat_p256_uint1 x38; - fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21); uint64_t x39; uint64_t x40; - fiat_p256_mulx_u64(&x39, &x40, x1, (arg2[3])); uint64_t x41; uint64_t x42; - fiat_p256_mulx_u64(&x41, &x42, x1, (arg2[2])); uint64_t x43; uint64_t x44; - fiat_p256_mulx_u64(&x43, &x44, x1, (arg2[1])); uint64_t x45; uint64_t x46; - fiat_p256_mulx_u64(&x45, &x46, x1, (arg2[0])); uint64_t x47; fiat_p256_uint1 x48; - fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43); uint64_t x49; fiat_p256_uint1 x50; - fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41); uint64_t x51; fiat_p256_uint1 x52; - fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39); - uint64_t x53 = (x52 + x40); + uint64_t x53; uint64_t x54; fiat_p256_uint1 x55; - fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45); uint64_t x56; fiat_p256_uint1 x57; - fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47); uint64_t x58; fiat_p256_uint1 x59; - fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49); uint64_t x60; fiat_p256_uint1 x61; - fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51); uint64_t x62; fiat_p256_uint1 x63; - fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53); uint64_t x64; uint64_t x65; - fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001)); uint64_t x66; uint64_t x67; - fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff)); uint64_t x68; uint64_t x69; - fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff)); uint64_t x70; fiat_p256_uint1 x71; - fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66); - uint64_t x72 = (x71 + x67); + uint64_t x72; uint64_t x73; fiat_p256_uint1 x74; - fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68); uint64_t x75; fiat_p256_uint1 x76; - fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70); uint64_t x77; fiat_p256_uint1 x78; - fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72); uint64_t x79; fiat_p256_uint1 x80; - fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64); uint64_t x81; fiat_p256_uint1 x82; - fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65); - uint64_t x83 = ((uint64_t)x82 + x63); + uint64_t x83; uint64_t x84; uint64_t x85; - fiat_p256_mulx_u64(&x84, &x85, x2, (arg2[3])); uint64_t x86; uint64_t x87; - fiat_p256_mulx_u64(&x86, &x87, x2, (arg2[2])); uint64_t x88; uint64_t x89; - fiat_p256_mulx_u64(&x88, &x89, x2, (arg2[1])); uint64_t x90; uint64_t x91; - fiat_p256_mulx_u64(&x90, &x91, x2, (arg2[0])); uint64_t x92; fiat_p256_uint1 x93; - fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88); uint64_t x94; fiat_p256_uint1 x95; - fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86); uint64_t x96; fiat_p256_uint1 x97; - fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84); - uint64_t x98 = (x97 + x85); + uint64_t x98; uint64_t x99; fiat_p256_uint1 x100; - fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90); uint64_t x101; fiat_p256_uint1 x102; - fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92); uint64_t x103; fiat_p256_uint1 x104; - fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94); uint64_t x105; fiat_p256_uint1 x106; - fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96); uint64_t x107; fiat_p256_uint1 x108; - fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98); uint64_t x109; uint64_t x110; - fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001)); uint64_t x111; uint64_t x112; - fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff)); uint64_t x113; uint64_t x114; - fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff)); uint64_t x115; fiat_p256_uint1 x116; - fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111); - uint64_t x117 = (x116 + x112); + uint64_t x117; uint64_t x118; fiat_p256_uint1 x119; - fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113); uint64_t x120; fiat_p256_uint1 x121; - fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115); uint64_t x122; fiat_p256_uint1 x123; - fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117); uint64_t x124; fiat_p256_uint1 x125; - fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109); uint64_t x126; fiat_p256_uint1 x127; - fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110); - uint64_t x128 = ((uint64_t)x127 + x108); + uint64_t x128; uint64_t x129; uint64_t x130; - fiat_p256_mulx_u64(&x129, &x130, x3, (arg2[3])); uint64_t x131; uint64_t x132; - fiat_p256_mulx_u64(&x131, &x132, x3, (arg2[2])); uint64_t x133; uint64_t x134; - fiat_p256_mulx_u64(&x133, &x134, x3, (arg2[1])); uint64_t x135; uint64_t x136; - fiat_p256_mulx_u64(&x135, &x136, x3, (arg2[0])); uint64_t x137; fiat_p256_uint1 x138; - fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133); uint64_t x139; fiat_p256_uint1 x140; - fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131); uint64_t x141; fiat_p256_uint1 x142; - fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129); - uint64_t x143 = (x142 + x130); + uint64_t x143; uint64_t x144; fiat_p256_uint1 x145; - fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135); uint64_t x146; fiat_p256_uint1 x147; - fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137); uint64_t x148; fiat_p256_uint1 x149; - fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139); uint64_t x150; fiat_p256_uint1 x151; - fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141); uint64_t x152; fiat_p256_uint1 x153; - fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143); uint64_t x154; uint64_t x155; - fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001)); uint64_t x156; uint64_t x157; - fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff)); uint64_t x158; uint64_t x159; - fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff)); uint64_t x160; fiat_p256_uint1 x161; - fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156); - uint64_t x162 = (x161 + x157); + uint64_t x162; uint64_t x163; fiat_p256_uint1 x164; - fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158); uint64_t x165; fiat_p256_uint1 x166; - fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160); uint64_t x167; fiat_p256_uint1 x168; - fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162); uint64_t x169; fiat_p256_uint1 x170; - fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154); uint64_t x171; fiat_p256_uint1 x172; - fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155); - uint64_t x173 = ((uint64_t)x172 + x153); + uint64_t x173; uint64_t x174; fiat_p256_uint1 x175; - fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff)); uint64_t x176; fiat_p256_uint1 x177; - fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff)); uint64_t x178; fiat_p256_uint1 x179; - fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0); uint64_t x180; fiat_p256_uint1 x181; - fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001)); uint64_t x182; fiat_p256_uint1 x183; - fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0); uint64_t x184; - fiat_p256_cmovznz_u64(&x184, x183, x174, x165); uint64_t x185; - fiat_p256_cmovznz_u64(&x185, x183, x176, x167); uint64_t x186; - fiat_p256_cmovznz_u64(&x186, x183, x178, x169); uint64_t x187; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[0]); + fiat_p256_mulx_u64(&x5, &x6, x4, (arg2[3])); + fiat_p256_mulx_u64(&x7, &x8, x4, (arg2[2])); + fiat_p256_mulx_u64(&x9, &x10, x4, (arg2[1])); + fiat_p256_mulx_u64(&x11, &x12, x4, (arg2[0])); + fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); + fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); + fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); + x19 = (x18 + x6); + fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22); + x28 = (x27 + x23); + fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24); + fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28); + fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20); + fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21); + fiat_p256_mulx_u64(&x39, &x40, x1, (arg2[3])); + fiat_p256_mulx_u64(&x41, &x42, x1, (arg2[2])); + fiat_p256_mulx_u64(&x43, &x44, x1, (arg2[1])); + fiat_p256_mulx_u64(&x45, &x46, x1, (arg2[0])); + fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43); + fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41); + fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39); + x53 = (x52 + x40); + fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45); + fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47); + fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49); + fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51); + fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53); + fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66); + x72 = (x71 + x67); + fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68); + fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70); + fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72); + fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64); + fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65); + x83 = ((uint64_t)x82 + x63); + fiat_p256_mulx_u64(&x84, &x85, x2, (arg2[3])); + fiat_p256_mulx_u64(&x86, &x87, x2, (arg2[2])); + fiat_p256_mulx_u64(&x88, &x89, x2, (arg2[1])); + fiat_p256_mulx_u64(&x90, &x91, x2, (arg2[0])); + fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88); + fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86); + fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84); + x98 = (x97 + x85); + fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90); + fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92); + fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94); + fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96); + fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98); + fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111); + x117 = (x116 + x112); + fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113); + fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115); + fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117); + fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109); + fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110); + x128 = ((uint64_t)x127 + x108); + fiat_p256_mulx_u64(&x129, &x130, x3, (arg2[3])); + fiat_p256_mulx_u64(&x131, &x132, x3, (arg2[2])); + fiat_p256_mulx_u64(&x133, &x134, x3, (arg2[1])); + fiat_p256_mulx_u64(&x135, &x136, x3, (arg2[0])); + fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133); + fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131); + fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129); + x143 = (x142 + x130); + fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135); + fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137); + fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139); + fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141); + fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143); + fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156); + x162 = (x161 + x157); + fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158); + fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160); + fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162); + fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154); + fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155); + x173 = ((uint64_t)x172 + x153); + fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0); + fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0); + fiat_p256_cmovznz_u64(&x184, x183, x174, x165); + fiat_p256_cmovznz_u64(&x185, x183, x176, x167); + fiat_p256_cmovznz_u64(&x186, x183, x178, x169); fiat_p256_cmovznz_u64(&x187, x183, x180, x171); out1[0] = x184; out1[1] = x185; @@ -411,292 +463,304 @@ static void fiat_p256_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p256_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_square(uint64_t out1[4], const uint64_t arg1[4]) { - uint64_t x1 = (arg1[1]); - uint64_t x2 = (arg1[2]); - uint64_t x3 = (arg1[3]); - uint64_t x4 = (arg1[0]); +static FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; uint64_t x5; uint64_t x6; - fiat_p256_mulx_u64(&x5, &x6, x4, (arg1[3])); uint64_t x7; uint64_t x8; - fiat_p256_mulx_u64(&x7, &x8, x4, (arg1[2])); uint64_t x9; uint64_t x10; - fiat_p256_mulx_u64(&x9, &x10, x4, (arg1[1])); uint64_t x11; uint64_t x12; - fiat_p256_mulx_u64(&x11, &x12, x4, (arg1[0])); uint64_t x13; fiat_p256_uint1 x14; - fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); uint64_t x15; fiat_p256_uint1 x16; - fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); uint64_t x17; fiat_p256_uint1 x18; - fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); - uint64_t x19 = (x18 + x6); + uint64_t x19; uint64_t x20; uint64_t x21; - fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001)); uint64_t x22; uint64_t x23; - fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff)); uint64_t x24; uint64_t x25; - fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff)); uint64_t x26; fiat_p256_uint1 x27; - fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22); - uint64_t x28 = (x27 + x23); + uint64_t x28; uint64_t x29; fiat_p256_uint1 x30; - fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24); uint64_t x31; fiat_p256_uint1 x32; - fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26); uint64_t x33; fiat_p256_uint1 x34; - fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28); uint64_t x35; fiat_p256_uint1 x36; - fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20); uint64_t x37; fiat_p256_uint1 x38; - fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21); uint64_t x39; uint64_t x40; - fiat_p256_mulx_u64(&x39, &x40, x1, (arg1[3])); uint64_t x41; uint64_t x42; - fiat_p256_mulx_u64(&x41, &x42, x1, (arg1[2])); uint64_t x43; uint64_t x44; - fiat_p256_mulx_u64(&x43, &x44, x1, (arg1[1])); uint64_t x45; uint64_t x46; - fiat_p256_mulx_u64(&x45, &x46, x1, (arg1[0])); uint64_t x47; fiat_p256_uint1 x48; - fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43); uint64_t x49; fiat_p256_uint1 x50; - fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41); uint64_t x51; fiat_p256_uint1 x52; - fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39); - uint64_t x53 = (x52 + x40); + uint64_t x53; uint64_t x54; fiat_p256_uint1 x55; - fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45); uint64_t x56; fiat_p256_uint1 x57; - fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47); uint64_t x58; fiat_p256_uint1 x59; - fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49); uint64_t x60; fiat_p256_uint1 x61; - fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51); uint64_t x62; fiat_p256_uint1 x63; - fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53); uint64_t x64; uint64_t x65; - fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001)); uint64_t x66; uint64_t x67; - fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff)); uint64_t x68; uint64_t x69; - fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff)); uint64_t x70; fiat_p256_uint1 x71; - fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66); - uint64_t x72 = (x71 + x67); + uint64_t x72; uint64_t x73; fiat_p256_uint1 x74; - fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68); uint64_t x75; fiat_p256_uint1 x76; - fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70); uint64_t x77; fiat_p256_uint1 x78; - fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72); uint64_t x79; fiat_p256_uint1 x80; - fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64); uint64_t x81; fiat_p256_uint1 x82; - fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65); - uint64_t x83 = ((uint64_t)x82 + x63); + uint64_t x83; uint64_t x84; uint64_t x85; - fiat_p256_mulx_u64(&x84, &x85, x2, (arg1[3])); uint64_t x86; uint64_t x87; - fiat_p256_mulx_u64(&x86, &x87, x2, (arg1[2])); uint64_t x88; uint64_t x89; - fiat_p256_mulx_u64(&x88, &x89, x2, (arg1[1])); uint64_t x90; uint64_t x91; - fiat_p256_mulx_u64(&x90, &x91, x2, (arg1[0])); uint64_t x92; fiat_p256_uint1 x93; - fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88); uint64_t x94; fiat_p256_uint1 x95; - fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86); uint64_t x96; fiat_p256_uint1 x97; - fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84); - uint64_t x98 = (x97 + x85); + uint64_t x98; uint64_t x99; fiat_p256_uint1 x100; - fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90); uint64_t x101; fiat_p256_uint1 x102; - fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92); uint64_t x103; fiat_p256_uint1 x104; - fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94); uint64_t x105; fiat_p256_uint1 x106; - fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96); uint64_t x107; fiat_p256_uint1 x108; - fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98); uint64_t x109; uint64_t x110; - fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001)); uint64_t x111; uint64_t x112; - fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff)); uint64_t x113; uint64_t x114; - fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff)); uint64_t x115; fiat_p256_uint1 x116; - fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111); - uint64_t x117 = (x116 + x112); + uint64_t x117; uint64_t x118; fiat_p256_uint1 x119; - fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113); uint64_t x120; fiat_p256_uint1 x121; - fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115); uint64_t x122; fiat_p256_uint1 x123; - fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117); uint64_t x124; fiat_p256_uint1 x125; - fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109); uint64_t x126; fiat_p256_uint1 x127; - fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110); - uint64_t x128 = ((uint64_t)x127 + x108); + uint64_t x128; uint64_t x129; uint64_t x130; - fiat_p256_mulx_u64(&x129, &x130, x3, (arg1[3])); uint64_t x131; uint64_t x132; - fiat_p256_mulx_u64(&x131, &x132, x3, (arg1[2])); uint64_t x133; uint64_t x134; - fiat_p256_mulx_u64(&x133, &x134, x3, (arg1[1])); uint64_t x135; uint64_t x136; - fiat_p256_mulx_u64(&x135, &x136, x3, (arg1[0])); uint64_t x137; fiat_p256_uint1 x138; - fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133); uint64_t x139; fiat_p256_uint1 x140; - fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131); uint64_t x141; fiat_p256_uint1 x142; - fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129); - uint64_t x143 = (x142 + x130); + uint64_t x143; uint64_t x144; fiat_p256_uint1 x145; - fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135); uint64_t x146; fiat_p256_uint1 x147; - fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137); uint64_t x148; fiat_p256_uint1 x149; - fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139); uint64_t x150; fiat_p256_uint1 x151; - fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141); uint64_t x152; fiat_p256_uint1 x153; - fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143); uint64_t x154; uint64_t x155; - fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001)); uint64_t x156; uint64_t x157; - fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff)); uint64_t x158; uint64_t x159; - fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff)); uint64_t x160; fiat_p256_uint1 x161; - fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156); - uint64_t x162 = (x161 + x157); + uint64_t x162; uint64_t x163; fiat_p256_uint1 x164; - fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158); uint64_t x165; fiat_p256_uint1 x166; - fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160); uint64_t x167; fiat_p256_uint1 x168; - fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162); uint64_t x169; fiat_p256_uint1 x170; - fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154); uint64_t x171; fiat_p256_uint1 x172; - fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155); - uint64_t x173 = ((uint64_t)x172 + x153); + uint64_t x173; uint64_t x174; fiat_p256_uint1 x175; - fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff)); uint64_t x176; fiat_p256_uint1 x177; - fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff)); uint64_t x178; fiat_p256_uint1 x179; - fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0); uint64_t x180; fiat_p256_uint1 x181; - fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001)); uint64_t x182; fiat_p256_uint1 x183; - fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0); uint64_t x184; - fiat_p256_cmovznz_u64(&x184, x183, x174, x165); uint64_t x185; - fiat_p256_cmovznz_u64(&x185, x183, x176, x167); uint64_t x186; - fiat_p256_cmovznz_u64(&x186, x183, x178, x169); uint64_t x187; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[0]); + fiat_p256_mulx_u64(&x5, &x6, x4, (arg1[3])); + fiat_p256_mulx_u64(&x7, &x8, x4, (arg1[2])); + fiat_p256_mulx_u64(&x9, &x10, x4, (arg1[1])); + fiat_p256_mulx_u64(&x11, &x12, x4, (arg1[0])); + fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); + fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); + fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); + x19 = (x18 + x6); + fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22); + x28 = (x27 + x23); + fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24); + fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28); + fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20); + fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21); + fiat_p256_mulx_u64(&x39, &x40, x1, (arg1[3])); + fiat_p256_mulx_u64(&x41, &x42, x1, (arg1[2])); + fiat_p256_mulx_u64(&x43, &x44, x1, (arg1[1])); + fiat_p256_mulx_u64(&x45, &x46, x1, (arg1[0])); + fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43); + fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41); + fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39); + x53 = (x52 + x40); + fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45); + fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47); + fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49); + fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51); + fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53); + fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66); + x72 = (x71 + x67); + fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68); + fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70); + fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72); + fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64); + fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65); + x83 = ((uint64_t)x82 + x63); + fiat_p256_mulx_u64(&x84, &x85, x2, (arg1[3])); + fiat_p256_mulx_u64(&x86, &x87, x2, (arg1[2])); + fiat_p256_mulx_u64(&x88, &x89, x2, (arg1[1])); + fiat_p256_mulx_u64(&x90, &x91, x2, (arg1[0])); + fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88); + fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86); + fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84); + x98 = (x97 + x85); + fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90); + fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92); + fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94); + fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96); + fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98); + fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111); + x117 = (x116 + x112); + fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113); + fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115); + fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117); + fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109); + fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110); + x128 = ((uint64_t)x127 + x108); + fiat_p256_mulx_u64(&x129, &x130, x3, (arg1[3])); + fiat_p256_mulx_u64(&x131, &x132, x3, (arg1[2])); + fiat_p256_mulx_u64(&x133, &x134, x3, (arg1[1])); + fiat_p256_mulx_u64(&x135, &x136, x3, (arg1[0])); + fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133); + fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131); + fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129); + x143 = (x142 + x130); + fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135); + fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137); + fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139); + fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141); + fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143); + fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156); + x162 = (x161 + x157); + fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158); + fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160); + fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162); + fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154); + fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155); + x173 = ((uint64_t)x172 + x153); + fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0); + fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0); + fiat_p256_cmovznz_u64(&x184, x183, x174, x165); + fiat_p256_cmovznz_u64(&x185, x183, x176, x167); + fiat_p256_cmovznz_u64(&x186, x183, x178, x169); fiat_p256_cmovznz_u64(&x187, x183, x180, x171); out1[0] = x184; out1[1] = x185; @@ -706,6 +770,7 @@ static void fiat_p256_square(uint64_t out1[4], const uint64_t arg1[4]) { /* * The function fiat_p256_add adds two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -713,47 +778,42 @@ static void fiat_p256_square(uint64_t out1[4], const uint64_t arg1[4]) { * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_add(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { uint64_t x1; fiat_p256_uint1 x2; - fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); uint64_t x3; fiat_p256_uint1 x4; - fiat_p256_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); uint64_t x5; fiat_p256_uint1 x6; - fiat_p256_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); uint64_t x7; fiat_p256_uint1 x8; - fiat_p256_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); uint64_t x9; fiat_p256_uint1 x10; - fiat_p256_subborrowx_u64(&x9, &x10, 0x0, x1, UINT64_C(0xffffffffffffffff)); uint64_t x11; fiat_p256_uint1 x12; - fiat_p256_subborrowx_u64(&x11, &x12, x10, x3, UINT32_C(0xffffffff)); uint64_t x13; fiat_p256_uint1 x14; - fiat_p256_subborrowx_u64(&x13, &x14, x12, x5, 0x0); uint64_t x15; fiat_p256_uint1 x16; - fiat_p256_subborrowx_u64(&x15, &x16, x14, x7, UINT64_C(0xffffffff00000001)); uint64_t x17; fiat_p256_uint1 x18; - fiat_p256_subborrowx_u64(&x17, &x18, x16, x8, 0x0); uint64_t x19; - fiat_p256_cmovznz_u64(&x19, x18, x9, x1); uint64_t x20; - fiat_p256_cmovznz_u64(&x20, x18, x11, x3); uint64_t x21; - fiat_p256_cmovznz_u64(&x21, x18, x13, x5); uint64_t x22; + fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_p256_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_p256_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); + fiat_p256_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_p256_subborrowx_u64(&x9, &x10, 0x0, x1, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x11, &x12, x10, x3, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x13, &x14, x12, x5, 0x0); + fiat_p256_subborrowx_u64(&x15, &x16, x14, x7, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x17, &x18, x16, x8, 0x0); + fiat_p256_cmovznz_u64(&x19, x18, x9, x1); + fiat_p256_cmovznz_u64(&x20, x18, x11, x3); + fiat_p256_cmovznz_u64(&x21, x18, x13, x5); fiat_p256_cmovznz_u64(&x22, x18, x15, x7); out1[0] = x19; out1[1] = x20; @@ -763,6 +823,7 @@ static void fiat_p256_add(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p256_sub subtracts two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m @@ -770,38 +831,33 @@ static void fiat_p256_add(uint64_t out1[4], const uint64_t arg1[4], const uint64 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_sub(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { uint64_t x1; fiat_p256_uint1 x2; - fiat_p256_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); uint64_t x3; fiat_p256_uint1 x4; - fiat_p256_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); uint64_t x5; fiat_p256_uint1 x6; - fiat_p256_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); uint64_t x7; fiat_p256_uint1 x8; - fiat_p256_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); uint64_t x9; - fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff)); uint64_t x10; fiat_p256_uint1 x11; - fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, (x9 & UINT64_C(0xffffffffffffffff))); uint64_t x12; fiat_p256_uint1 x13; - fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff))); uint64_t x14; fiat_p256_uint1 x15; - fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0); uint64_t x16; fiat_p256_uint1 x17; + fiat_p256_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_p256_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_p256_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); + fiat_p256_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9); + fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff))); + fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0); fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001))); out1[0] = x10; out1[1] = x12; @@ -811,43 +867,40 @@ static void fiat_p256_sub(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p256_opp negates a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_opp(uint64_t out1[4], const uint64_t arg1[4]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { uint64_t x1; fiat_p256_uint1 x2; - fiat_p256_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0])); uint64_t x3; fiat_p256_uint1 x4; - fiat_p256_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1])); uint64_t x5; fiat_p256_uint1 x6; - fiat_p256_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2])); uint64_t x7; fiat_p256_uint1 x8; - fiat_p256_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3])); uint64_t x9; - fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff)); uint64_t x10; fiat_p256_uint1 x11; - fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, (x9 & UINT64_C(0xffffffffffffffff))); uint64_t x12; fiat_p256_uint1 x13; - fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff))); uint64_t x14; fiat_p256_uint1 x15; - fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0); uint64_t x16; fiat_p256_uint1 x17; + fiat_p256_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0])); + fiat_p256_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1])); + fiat_p256_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2])); + fiat_p256_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3])); + fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9); + fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff))); + fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0); fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001))); out1[0] = x10; out1[1] = x12; @@ -857,153 +910,152 @@ static void fiat_p256_opp(uint64_t out1[4], const uint64_t arg1[4]) { /* * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { - uint64_t x1 = (arg1[0]); +static FIAT_P256_FIAT_INLINE void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint64_t x1; uint64_t x2; uint64_t x3; - fiat_p256_mulx_u64(&x2, &x3, x1, UINT64_C(0xffffffff00000001)); uint64_t x4; uint64_t x5; - fiat_p256_mulx_u64(&x4, &x5, x1, UINT32_C(0xffffffff)); uint64_t x6; uint64_t x7; - fiat_p256_mulx_u64(&x6, &x7, x1, UINT64_C(0xffffffffffffffff)); uint64_t x8; fiat_p256_uint1 x9; - fiat_p256_addcarryx_u64(&x8, &x9, 0x0, x7, x4); uint64_t x10; fiat_p256_uint1 x11; - fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x6); uint64_t x12; fiat_p256_uint1 x13; - fiat_p256_addcarryx_u64(&x12, &x13, x11, 0x0, x8); uint64_t x14; fiat_p256_uint1 x15; - fiat_p256_addcarryx_u64(&x14, &x15, 0x0, x12, (arg1[1])); uint64_t x16; uint64_t x17; - fiat_p256_mulx_u64(&x16, &x17, x14, UINT64_C(0xffffffff00000001)); uint64_t x18; uint64_t x19; - fiat_p256_mulx_u64(&x18, &x19, x14, UINT32_C(0xffffffff)); uint64_t x20; uint64_t x21; - fiat_p256_mulx_u64(&x20, &x21, x14, UINT64_C(0xffffffffffffffff)); uint64_t x22; fiat_p256_uint1 x23; - fiat_p256_addcarryx_u64(&x22, &x23, 0x0, x21, x18); uint64_t x24; fiat_p256_uint1 x25; - fiat_p256_addcarryx_u64(&x24, &x25, 0x0, x14, x20); uint64_t x26; fiat_p256_uint1 x27; - fiat_p256_addcarryx_u64(&x26, &x27, x25, (x15 + (x13 + (x9 + x5))), x22); uint64_t x28; fiat_p256_uint1 x29; - fiat_p256_addcarryx_u64(&x28, &x29, x27, x2, (x23 + x19)); uint64_t x30; fiat_p256_uint1 x31; - fiat_p256_addcarryx_u64(&x30, &x31, x29, x3, x16); uint64_t x32; fiat_p256_uint1 x33; - fiat_p256_addcarryx_u64(&x32, &x33, 0x0, x26, (arg1[2])); uint64_t x34; fiat_p256_uint1 x35; - fiat_p256_addcarryx_u64(&x34, &x35, x33, x28, 0x0); uint64_t x36; fiat_p256_uint1 x37; - fiat_p256_addcarryx_u64(&x36, &x37, x35, x30, 0x0); uint64_t x38; uint64_t x39; - fiat_p256_mulx_u64(&x38, &x39, x32, UINT64_C(0xffffffff00000001)); uint64_t x40; uint64_t x41; - fiat_p256_mulx_u64(&x40, &x41, x32, UINT32_C(0xffffffff)); uint64_t x42; uint64_t x43; - fiat_p256_mulx_u64(&x42, &x43, x32, UINT64_C(0xffffffffffffffff)); uint64_t x44; fiat_p256_uint1 x45; - fiat_p256_addcarryx_u64(&x44, &x45, 0x0, x43, x40); uint64_t x46; fiat_p256_uint1 x47; - fiat_p256_addcarryx_u64(&x46, &x47, 0x0, x32, x42); uint64_t x48; fiat_p256_uint1 x49; - fiat_p256_addcarryx_u64(&x48, &x49, x47, x34, x44); uint64_t x50; fiat_p256_uint1 x51; - fiat_p256_addcarryx_u64(&x50, &x51, x49, x36, (x45 + x41)); uint64_t x52; fiat_p256_uint1 x53; - fiat_p256_addcarryx_u64(&x52, &x53, x51, (x37 + (x31 + x17)), x38); uint64_t x54; fiat_p256_uint1 x55; - fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x48, (arg1[3])); uint64_t x56; fiat_p256_uint1 x57; - fiat_p256_addcarryx_u64(&x56, &x57, x55, x50, 0x0); uint64_t x58; fiat_p256_uint1 x59; - fiat_p256_addcarryx_u64(&x58, &x59, x57, x52, 0x0); uint64_t x60; uint64_t x61; - fiat_p256_mulx_u64(&x60, &x61, x54, UINT64_C(0xffffffff00000001)); uint64_t x62; uint64_t x63; - fiat_p256_mulx_u64(&x62, &x63, x54, UINT32_C(0xffffffff)); uint64_t x64; uint64_t x65; - fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffffffffffff)); uint64_t x66; fiat_p256_uint1 x67; - fiat_p256_addcarryx_u64(&x66, &x67, 0x0, x65, x62); uint64_t x68; fiat_p256_uint1 x69; - fiat_p256_addcarryx_u64(&x68, &x69, 0x0, x54, x64); uint64_t x70; fiat_p256_uint1 x71; - fiat_p256_addcarryx_u64(&x70, &x71, x69, x56, x66); uint64_t x72; fiat_p256_uint1 x73; - fiat_p256_addcarryx_u64(&x72, &x73, x71, x58, (x67 + x63)); uint64_t x74; fiat_p256_uint1 x75; - fiat_p256_addcarryx_u64(&x74, &x75, x73, (x59 + (x53 + x39)), x60); - uint64_t x76 = (x75 + x61); + uint64_t x76; uint64_t x77; fiat_p256_uint1 x78; - fiat_p256_subborrowx_u64(&x77, &x78, 0x0, x70, UINT64_C(0xffffffffffffffff)); uint64_t x79; fiat_p256_uint1 x80; - fiat_p256_subborrowx_u64(&x79, &x80, x78, x72, UINT32_C(0xffffffff)); uint64_t x81; fiat_p256_uint1 x82; - fiat_p256_subborrowx_u64(&x81, &x82, x80, x74, 0x0); uint64_t x83; fiat_p256_uint1 x84; - fiat_p256_subborrowx_u64(&x83, &x84, x82, x76, UINT64_C(0xffffffff00000001)); uint64_t x85; fiat_p256_uint1 x86; - fiat_p256_subborrowx_u64(&x85, &x86, x84, 0x0, 0x0); uint64_t x87; - fiat_p256_cmovznz_u64(&x87, x86, x77, x70); uint64_t x88; - fiat_p256_cmovznz_u64(&x88, x86, x79, x72); uint64_t x89; - fiat_p256_cmovznz_u64(&x89, x86, x81, x74); uint64_t x90; + x1 = (arg1[0]); + fiat_p256_mulx_u64(&x2, &x3, x1, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x4, &x5, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x6, &x7, x1, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x8, &x9, 0x0, x7, x4); + fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x6); + fiat_p256_addcarryx_u64(&x12, &x13, x11, 0x0, x8); + fiat_p256_addcarryx_u64(&x14, &x15, 0x0, x12, (arg1[1])); + fiat_p256_mulx_u64(&x16, &x17, x14, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x18, &x19, x14, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x20, &x21, x14, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x22, &x23, 0x0, x21, x18); + fiat_p256_addcarryx_u64(&x24, &x25, 0x0, x14, x20); + fiat_p256_addcarryx_u64(&x26, &x27, x25, (x15 + (x13 + (x9 + x5))), x22); + fiat_p256_addcarryx_u64(&x28, &x29, x27, x2, (x23 + x19)); + fiat_p256_addcarryx_u64(&x30, &x31, x29, x3, x16); + fiat_p256_addcarryx_u64(&x32, &x33, 0x0, x26, (arg1[2])); + fiat_p256_addcarryx_u64(&x34, &x35, x33, x28, 0x0); + fiat_p256_addcarryx_u64(&x36, &x37, x35, x30, 0x0); + fiat_p256_mulx_u64(&x38, &x39, x32, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x40, &x41, x32, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x42, &x43, x32, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x44, &x45, 0x0, x43, x40); + fiat_p256_addcarryx_u64(&x46, &x47, 0x0, x32, x42); + fiat_p256_addcarryx_u64(&x48, &x49, x47, x34, x44); + fiat_p256_addcarryx_u64(&x50, &x51, x49, x36, (x45 + x41)); + fiat_p256_addcarryx_u64(&x52, &x53, x51, (x37 + (x31 + x17)), x38); + fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x48, (arg1[3])); + fiat_p256_addcarryx_u64(&x56, &x57, x55, x50, 0x0); + fiat_p256_addcarryx_u64(&x58, &x59, x57, x52, 0x0); + fiat_p256_mulx_u64(&x60, &x61, x54, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x62, &x63, x54, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x66, &x67, 0x0, x65, x62); + fiat_p256_addcarryx_u64(&x68, &x69, 0x0, x54, x64); + fiat_p256_addcarryx_u64(&x70, &x71, x69, x56, x66); + fiat_p256_addcarryx_u64(&x72, &x73, x71, x58, (x67 + x63)); + fiat_p256_addcarryx_u64(&x74, &x75, x73, (x59 + (x53 + x39)), x60); + x76 = (x75 + x61); + fiat_p256_subborrowx_u64(&x77, &x78, 0x0, x70, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x79, &x80, x78, x72, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x81, &x82, x80, x74, 0x0); + fiat_p256_subborrowx_u64(&x83, &x84, x82, x76, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x85, &x86, x84, 0x0, 0x0); + fiat_p256_cmovznz_u64(&x87, x86, x77, x70); + fiat_p256_cmovznz_u64(&x88, x86, x79, x72); + fiat_p256_cmovznz_u64(&x89, x86, x81, x74); fiat_p256_cmovznz_u64(&x90, x86, x83, x76); out1[0] = x87; out1[1] = x88; @@ -1012,7 +1064,284 @@ static void fiat_p256_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) } /* + * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. + * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * eval (from_montgomery out1) mod m = eval arg1 mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + fiat_p256_uint1 x14; + uint64_t x15; + fiat_p256_uint1 x16; + uint64_t x17; + fiat_p256_uint1 x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + fiat_p256_uint1 x26; + uint64_t x27; + fiat_p256_uint1 x28; + uint64_t x29; + fiat_p256_uint1 x30; + uint64_t x31; + fiat_p256_uint1 x32; + uint64_t x33; + fiat_p256_uint1 x34; + uint64_t x35; + fiat_p256_uint1 x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + fiat_p256_uint1 x46; + uint64_t x47; + fiat_p256_uint1 x48; + uint64_t x49; + fiat_p256_uint1 x50; + uint64_t x51; + fiat_p256_uint1 x52; + uint64_t x53; + fiat_p256_uint1 x54; + uint64_t x55; + fiat_p256_uint1 x56; + uint64_t x57; + fiat_p256_uint1 x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint64_t x65; + fiat_p256_uint1 x66; + uint64_t x67; + fiat_p256_uint1 x68; + uint64_t x69; + fiat_p256_uint1 x70; + uint64_t x71; + fiat_p256_uint1 x72; + uint64_t x73; + fiat_p256_uint1 x74; + uint64_t x75; + fiat_p256_uint1 x76; + uint64_t x77; + uint64_t x78; + uint64_t x79; + uint64_t x80; + uint64_t x81; + uint64_t x82; + uint64_t x83; + uint64_t x84; + uint64_t x85; + fiat_p256_uint1 x86; + uint64_t x87; + fiat_p256_uint1 x88; + uint64_t x89; + fiat_p256_uint1 x90; + uint64_t x91; + fiat_p256_uint1 x92; + uint64_t x93; + fiat_p256_uint1 x94; + uint64_t x95; + fiat_p256_uint1 x96; + uint64_t x97; + fiat_p256_uint1 x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint64_t x103; + uint64_t x104; + uint64_t x105; + fiat_p256_uint1 x106; + uint64_t x107; + fiat_p256_uint1 x108; + uint64_t x109; + fiat_p256_uint1 x110; + uint64_t x111; + fiat_p256_uint1 x112; + uint64_t x113; + fiat_p256_uint1 x114; + uint64_t x115; + fiat_p256_uint1 x116; + uint64_t x117; + uint64_t x118; + uint64_t x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + uint64_t x125; + fiat_p256_uint1 x126; + uint64_t x127; + fiat_p256_uint1 x128; + uint64_t x129; + fiat_p256_uint1 x130; + uint64_t x131; + fiat_p256_uint1 x132; + uint64_t x133; + fiat_p256_uint1 x134; + uint64_t x135; + fiat_p256_uint1 x136; + uint64_t x137; + fiat_p256_uint1 x138; + uint64_t x139; + uint64_t x140; + uint64_t x141; + uint64_t x142; + uint64_t x143; + uint64_t x144; + uint64_t x145; + fiat_p256_uint1 x146; + uint64_t x147; + fiat_p256_uint1 x148; + uint64_t x149; + fiat_p256_uint1 x150; + uint64_t x151; + fiat_p256_uint1 x152; + uint64_t x153; + fiat_p256_uint1 x154; + uint64_t x155; + fiat_p256_uint1 x156; + uint64_t x157; + fiat_p256_uint1 x158; + uint64_t x159; + fiat_p256_uint1 x160; + uint64_t x161; + fiat_p256_uint1 x162; + uint64_t x163; + fiat_p256_uint1 x164; + uint64_t x165; + fiat_p256_uint1 x166; + uint64_t x167; + uint64_t x168; + uint64_t x169; + uint64_t x170; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[0]); + fiat_p256_mulx_u64(&x5, &x6, x4, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x7, &x8, x4, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x9, &x10, x4, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x11, &x12, x4, 0x3); + fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); + fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); + fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); + fiat_p256_mulx_u64(&x19, &x20, x11, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x21, &x22, x11, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x23, &x24, x11, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x25, &x26, 0x0, x24, x21); + fiat_p256_addcarryx_u64(&x27, &x28, 0x0, x11, x23); + fiat_p256_addcarryx_u64(&x29, &x30, x28, x13, x25); + fiat_p256_addcarryx_u64(&x31, &x32, x30, x15, (x26 + x22)); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x17, x19); + fiat_p256_addcarryx_u64(&x35, &x36, x34, (x18 + x6), x20); + fiat_p256_mulx_u64(&x37, &x38, x1, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x39, &x40, x1, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x41, &x42, x1, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x43, &x44, x1, 0x3); + fiat_p256_addcarryx_u64(&x45, &x46, 0x0, x44, x41); + fiat_p256_addcarryx_u64(&x47, &x48, x46, x42, x39); + fiat_p256_addcarryx_u64(&x49, &x50, x48, x40, x37); + fiat_p256_addcarryx_u64(&x51, &x52, 0x0, x29, x43); + fiat_p256_addcarryx_u64(&x53, &x54, x52, x31, x45); + fiat_p256_addcarryx_u64(&x55, &x56, x54, x33, x47); + fiat_p256_addcarryx_u64(&x57, &x58, x56, x35, x49); + fiat_p256_mulx_u64(&x59, &x60, x51, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x61, &x62, x51, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x63, &x64, x51, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x65, &x66, 0x0, x64, x61); + fiat_p256_addcarryx_u64(&x67, &x68, 0x0, x51, x63); + fiat_p256_addcarryx_u64(&x69, &x70, x68, x53, x65); + fiat_p256_addcarryx_u64(&x71, &x72, x70, x55, (x66 + x62)); + fiat_p256_addcarryx_u64(&x73, &x74, x72, x57, x59); + fiat_p256_addcarryx_u64(&x75, &x76, x74, (((uint64_t)x58 + x36) + (x50 + x38)), x60); + fiat_p256_mulx_u64(&x77, &x78, x2, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x79, &x80, x2, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x81, &x82, x2, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x83, &x84, x2, 0x3); + fiat_p256_addcarryx_u64(&x85, &x86, 0x0, x84, x81); + fiat_p256_addcarryx_u64(&x87, &x88, x86, x82, x79); + fiat_p256_addcarryx_u64(&x89, &x90, x88, x80, x77); + fiat_p256_addcarryx_u64(&x91, &x92, 0x0, x69, x83); + fiat_p256_addcarryx_u64(&x93, &x94, x92, x71, x85); + fiat_p256_addcarryx_u64(&x95, &x96, x94, x73, x87); + fiat_p256_addcarryx_u64(&x97, &x98, x96, x75, x89); + fiat_p256_mulx_u64(&x99, &x100, x91, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x101, &x102, x91, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x103, &x104, x91, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x105, &x106, 0x0, x104, x101); + fiat_p256_addcarryx_u64(&x107, &x108, 0x0, x91, x103); + fiat_p256_addcarryx_u64(&x109, &x110, x108, x93, x105); + fiat_p256_addcarryx_u64(&x111, &x112, x110, x95, (x106 + x102)); + fiat_p256_addcarryx_u64(&x113, &x114, x112, x97, x99); + fiat_p256_addcarryx_u64(&x115, &x116, x114, (((uint64_t)x98 + x76) + (x90 + x78)), x100); + fiat_p256_mulx_u64(&x117, &x118, x3, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x119, &x120, x3, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x121, &x122, x3, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x123, &x124, x3, 0x3); + fiat_p256_addcarryx_u64(&x125, &x126, 0x0, x124, x121); + fiat_p256_addcarryx_u64(&x127, &x128, x126, x122, x119); + fiat_p256_addcarryx_u64(&x129, &x130, x128, x120, x117); + fiat_p256_addcarryx_u64(&x131, &x132, 0x0, x109, x123); + fiat_p256_addcarryx_u64(&x133, &x134, x132, x111, x125); + fiat_p256_addcarryx_u64(&x135, &x136, x134, x113, x127); + fiat_p256_addcarryx_u64(&x137, &x138, x136, x115, x129); + fiat_p256_mulx_u64(&x139, &x140, x131, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x141, &x142, x131, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x143, &x144, x131, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x145, &x146, 0x0, x144, x141); + fiat_p256_addcarryx_u64(&x147, &x148, 0x0, x131, x143); + fiat_p256_addcarryx_u64(&x149, &x150, x148, x133, x145); + fiat_p256_addcarryx_u64(&x151, &x152, x150, x135, (x146 + x142)); + fiat_p256_addcarryx_u64(&x153, &x154, x152, x137, x139); + fiat_p256_addcarryx_u64(&x155, &x156, x154, (((uint64_t)x138 + x116) + (x130 + x118)), x140); + fiat_p256_subborrowx_u64(&x157, &x158, 0x0, x149, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x159, &x160, x158, x151, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x161, &x162, x160, x153, 0x0); + fiat_p256_subborrowx_u64(&x163, &x164, x162, x155, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x165, &x166, x164, x156, 0x0); + fiat_p256_cmovznz_u64(&x167, x166, x157, x149); + fiat_p256_cmovznz_u64(&x168, x166, x159, x151); + fiat_p256_cmovznz_u64(&x169, x166, x161, x153); + fiat_p256_cmovznz_u64(&x170, x166, x163, x155); + out1[0] = x167; + out1[1] = x168; + out1[2] = x169; + out1[3] = x170; +} + +/* * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1023,13 +1352,15 @@ static void fiat_p256_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) * Output Bounds: * out1: [0x0 ~> 0xffffffffffffffff] */ -static void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) { - uint64_t x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | (uint64_t)0x0)))); +static FIAT_P256_FIAT_INLINE void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) { + uint64_t x1; + x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))); *out1 = x1; } /* * The function fiat_p256_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * @@ -1040,14 +1371,14 @@ static void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) { * Output Bounds: * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const uint64_t arg2[4], const uint64_t arg3[4]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const uint64_t arg2[4], const uint64_t arg3[4]) { uint64_t x1; - fiat_p256_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); uint64_t x2; - fiat_p256_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); uint64_t x3; - fiat_p256_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); uint64_t x4; + fiat_p256_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_p256_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_p256_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); fiat_p256_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); out1[0] = x1; out1[1] = x2; @@ -1056,7 +1387,8 @@ static void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const ui } /* - * The function fiat_p256_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1067,106 +1399,164 @@ static void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const ui * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ -static void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) { - uint64_t x1 = (arg1[3]); - uint64_t x2 = (arg1[2]); - uint64_t x3 = (arg1[1]); - uint64_t x4 = (arg1[0]); - uint64_t x5 = (x4 >> 8); - uint8_t x6 = (uint8_t)(x4 & UINT8_C(0xff)); - uint64_t x7 = (x5 >> 8); - uint8_t x8 = (uint8_t)(x5 & UINT8_C(0xff)); - uint64_t x9 = (x7 >> 8); - uint8_t x10 = (uint8_t)(x7 & UINT8_C(0xff)); - uint64_t x11 = (x9 >> 8); - uint8_t x12 = (uint8_t)(x9 & UINT8_C(0xff)); - uint64_t x13 = (x11 >> 8); - uint8_t x14 = (uint8_t)(x11 & UINT8_C(0xff)); - uint64_t x15 = (x13 >> 8); - uint8_t x16 = (uint8_t)(x13 & UINT8_C(0xff)); - uint8_t x17 = (uint8_t)(x15 >> 8); - uint8_t x18 = (uint8_t)(x15 & UINT8_C(0xff)); - uint8_t x19 = (uint8_t)(x17 & UINT8_C(0xff)); - uint64_t x20 = (x3 >> 8); - uint8_t x21 = (uint8_t)(x3 & UINT8_C(0xff)); - uint64_t x22 = (x20 >> 8); - uint8_t x23 = (uint8_t)(x20 & UINT8_C(0xff)); - uint64_t x24 = (x22 >> 8); - uint8_t x25 = (uint8_t)(x22 & UINT8_C(0xff)); - uint64_t x26 = (x24 >> 8); - uint8_t x27 = (uint8_t)(x24 & UINT8_C(0xff)); - uint64_t x28 = (x26 >> 8); - uint8_t x29 = (uint8_t)(x26 & UINT8_C(0xff)); - uint64_t x30 = (x28 >> 8); - uint8_t x31 = (uint8_t)(x28 & UINT8_C(0xff)); - uint8_t x32 = (uint8_t)(x30 >> 8); - uint8_t x33 = (uint8_t)(x30 & UINT8_C(0xff)); - uint8_t x34 = (uint8_t)(x32 & UINT8_C(0xff)); - uint64_t x35 = (x2 >> 8); - uint8_t x36 = (uint8_t)(x2 & UINT8_C(0xff)); - uint64_t x37 = (x35 >> 8); - uint8_t x38 = (uint8_t)(x35 & UINT8_C(0xff)); - uint64_t x39 = (x37 >> 8); - uint8_t x40 = (uint8_t)(x37 & UINT8_C(0xff)); - uint64_t x41 = (x39 >> 8); - uint8_t x42 = (uint8_t)(x39 & UINT8_C(0xff)); - uint64_t x43 = (x41 >> 8); - uint8_t x44 = (uint8_t)(x41 & UINT8_C(0xff)); - uint64_t x45 = (x43 >> 8); - uint8_t x46 = (uint8_t)(x43 & UINT8_C(0xff)); - uint8_t x47 = (uint8_t)(x45 >> 8); - uint8_t x48 = (uint8_t)(x45 & UINT8_C(0xff)); - uint8_t x49 = (uint8_t)(x47 & UINT8_C(0xff)); - uint64_t x50 = (x1 >> 8); - uint8_t x51 = (uint8_t)(x1 & UINT8_C(0xff)); - uint64_t x52 = (x50 >> 8); - uint8_t x53 = (uint8_t)(x50 & UINT8_C(0xff)); - uint64_t x54 = (x52 >> 8); - uint8_t x55 = (uint8_t)(x52 & UINT8_C(0xff)); - uint64_t x56 = (x54 >> 8); - uint8_t x57 = (uint8_t)(x54 & UINT8_C(0xff)); - uint64_t x58 = (x56 >> 8); - uint8_t x59 = (uint8_t)(x56 & UINT8_C(0xff)); - uint64_t x60 = (x58 >> 8); - uint8_t x61 = (uint8_t)(x58 & UINT8_C(0xff)); - uint8_t x62 = (uint8_t)(x60 >> 8); - uint8_t x63 = (uint8_t)(x60 & UINT8_C(0xff)); - out1[0] = x6; - out1[1] = x8; - out1[2] = x10; - out1[3] = x12; - out1[4] = x14; - out1[5] = x16; - out1[6] = x18; - out1[7] = x19; - out1[8] = x21; - out1[9] = x23; - out1[10] = x25; - out1[11] = x27; - out1[12] = x29; - out1[13] = x31; - out1[14] = x33; - out1[15] = x34; - out1[16] = x36; - out1[17] = x38; - out1[18] = x40; - out1[19] = x42; - out1[20] = x44; - out1[21] = x46; - out1[22] = x48; - out1[23] = x49; - out1[24] = x51; - out1[25] = x53; - out1[26] = x55; - out1[27] = x57; - out1[28] = x59; - out1[29] = x61; - out1[30] = x63; - out1[31] = x62; +static FIAT_P256_FIAT_INLINE void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint8_t x5; + uint64_t x6; + uint8_t x7; + uint64_t x8; + uint8_t x9; + uint64_t x10; + uint8_t x11; + uint64_t x12; + uint8_t x13; + uint64_t x14; + uint8_t x15; + uint64_t x16; + uint8_t x17; + uint8_t x18; + uint8_t x19; + uint64_t x20; + uint8_t x21; + uint64_t x22; + uint8_t x23; + uint64_t x24; + uint8_t x25; + uint64_t x26; + uint8_t x27; + uint64_t x28; + uint8_t x29; + uint64_t x30; + uint8_t x31; + uint8_t x32; + uint8_t x33; + uint64_t x34; + uint8_t x35; + uint64_t x36; + uint8_t x37; + uint64_t x38; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; + uint8_t x46; + uint8_t x47; + uint64_t x48; + uint8_t x49; + uint64_t x50; + uint8_t x51; + uint64_t x52; + uint8_t x53; + uint64_t x54; + uint8_t x55; + uint64_t x56; + uint8_t x57; + uint64_t x58; + uint8_t x59; + uint8_t x60; + x1 = (arg1[3]); + x2 = (arg1[2]); + x3 = (arg1[1]); + x4 = (arg1[0]); + x5 = (uint8_t)(x4 & UINT8_C(0xff)); + x6 = (x4 >> 8); + x7 = (uint8_t)(x6 & UINT8_C(0xff)); + x8 = (x6 >> 8); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (x12 >> 8); + x15 = (uint8_t)(x14 & UINT8_C(0xff)); + x16 = (x14 >> 8); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); + x18 = (uint8_t)(x16 >> 8); + x19 = (uint8_t)(x3 & UINT8_C(0xff)); + x20 = (x3 >> 8); + x21 = (uint8_t)(x20 & UINT8_C(0xff)); + x22 = (x20 >> 8); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); + x24 = (x22 >> 8); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); + x26 = (x24 >> 8); + x27 = (uint8_t)(x26 & UINT8_C(0xff)); + x28 = (x26 >> 8); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); + x30 = (x28 >> 8); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); + x32 = (uint8_t)(x30 >> 8); + x33 = (uint8_t)(x2 & UINT8_C(0xff)); + x34 = (x2 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (x36 >> 8); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (uint8_t)(x44 >> 8); + x47 = (uint8_t)(x1 & UINT8_C(0xff)); + x48 = (x1 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (x48 >> 8); + x51 = (uint8_t)(x50 & UINT8_C(0xff)); + x52 = (x50 >> 8); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); + x54 = (x52 >> 8); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); + x56 = (x54 >> 8); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); + x58 = (x56 >> 8); + x59 = (uint8_t)(x58 & UINT8_C(0xff)); + x60 = (uint8_t)(x58 >> 8); + out1[0] = x5; + out1[1] = x7; + out1[2] = x9; + out1[3] = x11; + out1[4] = x13; + out1[5] = x15; + out1[6] = x17; + out1[7] = x18; + out1[8] = x19; + out1[9] = x21; + out1[10] = x23; + out1[11] = x25; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x39; + out1[20] = x41; + out1[21] = x43; + out1[22] = x45; + out1[23] = x46; + out1[24] = x47; + out1[25] = x49; + out1[26] = x51; + out1[27] = x53; + out1[28] = x55; + out1[29] = x57; + out1[30] = x59; + out1[31] = x60; } /* - * The function fiat_p256_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: @@ -1178,49 +1568,444 @@ static void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) { * Output Bounds: * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_from_bytes(uint64_t out1[4], const uint8_t arg1[32]) { - uint64_t x1 = ((uint64_t)(arg1[31]) << 56); - uint64_t x2 = ((uint64_t)(arg1[30]) << 48); - uint64_t x3 = ((uint64_t)(arg1[29]) << 40); - uint64_t x4 = ((uint64_t)(arg1[28]) << 32); - uint64_t x5 = ((uint64_t)(arg1[27]) << 24); - uint64_t x6 = ((uint64_t)(arg1[26]) << 16); - uint64_t x7 = ((uint64_t)(arg1[25]) << 8); - uint8_t x8 = (arg1[24]); - uint64_t x9 = ((uint64_t)(arg1[23]) << 56); - uint64_t x10 = ((uint64_t)(arg1[22]) << 48); - uint64_t x11 = ((uint64_t)(arg1[21]) << 40); - uint64_t x12 = ((uint64_t)(arg1[20]) << 32); - uint64_t x13 = ((uint64_t)(arg1[19]) << 24); - uint64_t x14 = ((uint64_t)(arg1[18]) << 16); - uint64_t x15 = ((uint64_t)(arg1[17]) << 8); - uint8_t x16 = (arg1[16]); - uint64_t x17 = ((uint64_t)(arg1[15]) << 56); - uint64_t x18 = ((uint64_t)(arg1[14]) << 48); - uint64_t x19 = ((uint64_t)(arg1[13]) << 40); - uint64_t x20 = ((uint64_t)(arg1[12]) << 32); - uint64_t x21 = ((uint64_t)(arg1[11]) << 24); - uint64_t x22 = ((uint64_t)(arg1[10]) << 16); - uint64_t x23 = ((uint64_t)(arg1[9]) << 8); - uint8_t x24 = (arg1[8]); - uint64_t x25 = ((uint64_t)(arg1[7]) << 56); - uint64_t x26 = ((uint64_t)(arg1[6]) << 48); - uint64_t x27 = ((uint64_t)(arg1[5]) << 40); - uint64_t x28 = ((uint64_t)(arg1[4]) << 32); - uint64_t x29 = ((uint64_t)(arg1[3]) << 24); - uint64_t x30 = ((uint64_t)(arg1[2]) << 16); - uint64_t x31 = ((uint64_t)(arg1[1]) << 8); - uint8_t x32 = (arg1[0]); - uint64_t x33 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + (x26 + x25))))))); - uint64_t x34 = (x33 & UINT64_C(0xffffffffffffffff)); - uint64_t x35 = (x8 + (x7 + (x6 + (x5 + (x4 + (x3 + (x2 + x1))))))); - uint64_t x36 = (x16 + (x15 + (x14 + (x13 + (x12 + (x11 + (x10 + x9))))))); - uint64_t x37 = (x24 + (x23 + (x22 + (x21 + (x20 + (x19 + (x18 + x17))))))); - uint64_t x38 = (x37 & UINT64_C(0xffffffffffffffff)); - uint64_t x39 = (x36 & UINT64_C(0xffffffffffffffff)); - out1[0] = x34; - out1[1] = x38; - out1[2] = x39; - out1[3] = x35; +static FIAT_P256_FIAT_INLINE void fiat_p256_from_bytes(uint64_t out1[4], const uint8_t arg1[32]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint8_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint8_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint8_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + x1 = ((uint64_t)(arg1[31]) << 56); + x2 = ((uint64_t)(arg1[30]) << 48); + x3 = ((uint64_t)(arg1[29]) << 40); + x4 = ((uint64_t)(arg1[28]) << 32); + x5 = ((uint64_t)(arg1[27]) << 24); + x6 = ((uint64_t)(arg1[26]) << 16); + x7 = ((uint64_t)(arg1[25]) << 8); + x8 = (arg1[24]); + x9 = ((uint64_t)(arg1[23]) << 56); + x10 = ((uint64_t)(arg1[22]) << 48); + x11 = ((uint64_t)(arg1[21]) << 40); + x12 = ((uint64_t)(arg1[20]) << 32); + x13 = ((uint64_t)(arg1[19]) << 24); + x14 = ((uint64_t)(arg1[18]) << 16); + x15 = ((uint64_t)(arg1[17]) << 8); + x16 = (arg1[16]); + x17 = ((uint64_t)(arg1[15]) << 56); + x18 = ((uint64_t)(arg1[14]) << 48); + x19 = ((uint64_t)(arg1[13]) << 40); + x20 = ((uint64_t)(arg1[12]) << 32); + x21 = ((uint64_t)(arg1[11]) << 24); + x22 = ((uint64_t)(arg1[10]) << 16); + x23 = ((uint64_t)(arg1[9]) << 8); + x24 = (arg1[8]); + x25 = ((uint64_t)(arg1[7]) << 56); + x26 = ((uint64_t)(arg1[6]) << 48); + x27 = ((uint64_t)(arg1[5]) << 40); + x28 = ((uint64_t)(arg1[4]) << 32); + x29 = ((uint64_t)(arg1[3]) << 24); + x30 = ((uint64_t)(arg1[2]) << 16); + x31 = ((uint64_t)(arg1[1]) << 8); + x32 = (arg1[0]); + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x25 + x38); + x40 = (x23 + (uint64_t)x24); + x41 = (x22 + x40); + x42 = (x21 + x41); + x43 = (x20 + x42); + x44 = (x19 + x43); + x45 = (x18 + x44); + x46 = (x17 + x45); + x47 = (x15 + (uint64_t)x16); + x48 = (x14 + x47); + x49 = (x13 + x48); + x50 = (x12 + x49); + x51 = (x11 + x50); + x52 = (x10 + x51); + x53 = (x9 + x52); + x54 = (x7 + (uint64_t)x8); + x55 = (x6 + x54); + x56 = (x5 + x55); + x57 = (x4 + x56); + x58 = (x3 + x57); + x59 = (x2 + x58); + x60 = (x1 + x59); + out1[0] = x39; + out1[1] = x46; + out1[2] = x53; + out1[3] = x60; +} + +/* + * The function fiat_p256_set_one returns the field element one in the Montgomery domain. + * + * Postconditions: + * eval (from_montgomery out1) mod m = 1 mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) { + out1[0] = 0x1; + out1[1] = UINT64_C(0xffffffff00000000); + out1[2] = UINT64_C(0xffffffffffffffff); + out1[3] = UINT32_C(0xfffffffe); +} + +/* + * The function fiat_p256_msat returns the saturated representation of the prime modulus. + * + * Postconditions: + * twos_complement_eval out1 = m + * 0 ≤ eval out1 < m + * + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_msat(uint64_t out1[5]) { + out1[0] = UINT64_C(0xffffffffffffffff); + out1[1] = UINT32_C(0xffffffff); + out1[2] = 0x0; + out1[3] = UINT64_C(0xffffffff00000001); + out1[4] = 0x0; +} + +/* + * The function fiat_p256_divstep computes a divstep. + * + * Preconditions: + * 0 ≤ eval arg4 < m + * 0 ≤ eval arg5 < m + * Postconditions: + * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) + * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) + * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) + * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) + * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) + * 0 ≤ eval out5 < m + * 0 ≤ eval out5 < m + * 0 ≤ eval out2 < m + * 0 ≤ eval out3 < m + * + * Input Bounds: + * arg1: [0x0 ~> 0xffffffffffffffff] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_divstep(uint64_t* out1, uint64_t out2[5], uint64_t out3[5], uint64_t out4[4], uint64_t out5[4], uint64_t arg1, const uint64_t arg2[5], const uint64_t arg3[5], const uint64_t arg4[4], const uint64_t arg5[4]) { + uint64_t x1; + fiat_p256_uint1 x2; + fiat_p256_uint1 x3; + uint64_t x4; + fiat_p256_uint1 x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + fiat_p256_uint1 x13; + uint64_t x14; + fiat_p256_uint1 x15; + uint64_t x16; + fiat_p256_uint1 x17; + uint64_t x18; + fiat_p256_uint1 x19; + uint64_t x20; + fiat_p256_uint1 x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + fiat_p256_uint1 x32; + uint64_t x33; + fiat_p256_uint1 x34; + uint64_t x35; + fiat_p256_uint1 x36; + uint64_t x37; + fiat_p256_uint1 x38; + uint64_t x39; + fiat_p256_uint1 x40; + uint64_t x41; + fiat_p256_uint1 x42; + uint64_t x43; + fiat_p256_uint1 x44; + uint64_t x45; + fiat_p256_uint1 x46; + uint64_t x47; + fiat_p256_uint1 x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + fiat_p256_uint1 x54; + uint64_t x55; + fiat_p256_uint1 x56; + uint64_t x57; + fiat_p256_uint1 x58; + uint64_t x59; + fiat_p256_uint1 x60; + uint64_t x61; + uint64_t x62; + fiat_p256_uint1 x63; + uint64_t x64; + fiat_p256_uint1 x65; + uint64_t x66; + fiat_p256_uint1 x67; + uint64_t x68; + fiat_p256_uint1 x69; + uint64_t x70; + uint64_t x71; + uint64_t x72; + uint64_t x73; + fiat_p256_uint1 x74; + uint64_t x75; + uint64_t x76; + uint64_t x77; + uint64_t x78; + uint64_t x79; + uint64_t x80; + fiat_p256_uint1 x81; + uint64_t x82; + fiat_p256_uint1 x83; + uint64_t x84; + fiat_p256_uint1 x85; + uint64_t x86; + fiat_p256_uint1 x87; + uint64_t x88; + fiat_p256_uint1 x89; + uint64_t x90; + uint64_t x91; + uint64_t x92; + uint64_t x93; + uint64_t x94; + fiat_p256_uint1 x95; + uint64_t x96; + fiat_p256_uint1 x97; + uint64_t x98; + fiat_p256_uint1 x99; + uint64_t x100; + fiat_p256_uint1 x101; + uint64_t x102; + fiat_p256_uint1 x103; + uint64_t x104; + fiat_p256_uint1 x105; + uint64_t x106; + fiat_p256_uint1 x107; + uint64_t x108; + fiat_p256_uint1 x109; + uint64_t x110; + fiat_p256_uint1 x111; + uint64_t x112; + fiat_p256_uint1 x113; + uint64_t x114; + uint64_t x115; + uint64_t x116; + uint64_t x117; + uint64_t x118; + uint64_t x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + uint64_t x125; + uint64_t x126; + fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (~arg1), 0x1); + x3 = (fiat_p256_uint1)((fiat_p256_uint1)(x1 >> 63) & (fiat_p256_uint1)((arg3[0]) & 0x1)); + fiat_p256_addcarryx_u64(&x4, &x5, 0x0, (~arg1), 0x1); + fiat_p256_cmovznz_u64(&x6, x3, arg1, x4); + fiat_p256_cmovznz_u64(&x7, x3, (arg2[0]), (arg3[0])); + fiat_p256_cmovznz_u64(&x8, x3, (arg2[1]), (arg3[1])); + fiat_p256_cmovznz_u64(&x9, x3, (arg2[2]), (arg3[2])); + fiat_p256_cmovznz_u64(&x10, x3, (arg2[3]), (arg3[3])); + fiat_p256_cmovznz_u64(&x11, x3, (arg2[4]), (arg3[4])); + fiat_p256_addcarryx_u64(&x12, &x13, 0x0, 0x1, (~(arg2[0]))); + fiat_p256_addcarryx_u64(&x14, &x15, x13, 0x0, (~(arg2[1]))); + fiat_p256_addcarryx_u64(&x16, &x17, x15, 0x0, (~(arg2[2]))); + fiat_p256_addcarryx_u64(&x18, &x19, x17, 0x0, (~(arg2[3]))); + fiat_p256_addcarryx_u64(&x20, &x21, x19, 0x0, (~(arg2[4]))); + fiat_p256_cmovznz_u64(&x22, x3, (arg3[0]), x12); + fiat_p256_cmovznz_u64(&x23, x3, (arg3[1]), x14); + fiat_p256_cmovznz_u64(&x24, x3, (arg3[2]), x16); + fiat_p256_cmovznz_u64(&x25, x3, (arg3[3]), x18); + fiat_p256_cmovznz_u64(&x26, x3, (arg3[4]), x20); + fiat_p256_cmovznz_u64(&x27, x3, (arg4[0]), (arg5[0])); + fiat_p256_cmovznz_u64(&x28, x3, (arg4[1]), (arg5[1])); + fiat_p256_cmovznz_u64(&x29, x3, (arg4[2]), (arg5[2])); + fiat_p256_cmovznz_u64(&x30, x3, (arg4[3]), (arg5[3])); + fiat_p256_addcarryx_u64(&x31, &x32, 0x0, x27, x27); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x28, x28); + fiat_p256_addcarryx_u64(&x35, &x36, x34, x29, x29); + fiat_p256_addcarryx_u64(&x37, &x38, x36, x30, x30); + fiat_p256_subborrowx_u64(&x39, &x40, 0x0, x31, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x41, &x42, x40, x33, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x43, &x44, x42, x35, 0x0); + fiat_p256_subborrowx_u64(&x45, &x46, x44, x37, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x47, &x48, x46, x38, 0x0); + x49 = (arg4[3]); + x50 = (arg4[2]); + x51 = (arg4[1]); + x52 = (arg4[0]); + fiat_p256_subborrowx_u64(&x53, &x54, 0x0, 0x0, x52); + fiat_p256_subborrowx_u64(&x55, &x56, x54, 0x0, x51); + fiat_p256_subborrowx_u64(&x57, &x58, x56, 0x0, x50); + fiat_p256_subborrowx_u64(&x59, &x60, x58, 0x0, x49); + fiat_p256_cmovznz_u64(&x61, x60, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x62, &x63, 0x0, x53, x61); + fiat_p256_addcarryx_u64(&x64, &x65, x63, x55, (x61 & UINT32_C(0xffffffff))); + fiat_p256_addcarryx_u64(&x66, &x67, x65, x57, 0x0); + fiat_p256_addcarryx_u64(&x68, &x69, x67, x59, (x61 & UINT64_C(0xffffffff00000001))); + fiat_p256_cmovznz_u64(&x70, x3, (arg5[0]), x62); + fiat_p256_cmovznz_u64(&x71, x3, (arg5[1]), x64); + fiat_p256_cmovznz_u64(&x72, x3, (arg5[2]), x66); + fiat_p256_cmovznz_u64(&x73, x3, (arg5[3]), x68); + x74 = (fiat_p256_uint1)(x22 & 0x1); + fiat_p256_cmovznz_u64(&x75, x74, 0x0, x7); + fiat_p256_cmovznz_u64(&x76, x74, 0x0, x8); + fiat_p256_cmovznz_u64(&x77, x74, 0x0, x9); + fiat_p256_cmovznz_u64(&x78, x74, 0x0, x10); + fiat_p256_cmovznz_u64(&x79, x74, 0x0, x11); + fiat_p256_addcarryx_u64(&x80, &x81, 0x0, x22, x75); + fiat_p256_addcarryx_u64(&x82, &x83, x81, x23, x76); + fiat_p256_addcarryx_u64(&x84, &x85, x83, x24, x77); + fiat_p256_addcarryx_u64(&x86, &x87, x85, x25, x78); + fiat_p256_addcarryx_u64(&x88, &x89, x87, x26, x79); + fiat_p256_cmovznz_u64(&x90, x74, 0x0, x27); + fiat_p256_cmovznz_u64(&x91, x74, 0x0, x28); + fiat_p256_cmovznz_u64(&x92, x74, 0x0, x29); + fiat_p256_cmovznz_u64(&x93, x74, 0x0, x30); + fiat_p256_addcarryx_u64(&x94, &x95, 0x0, x70, x90); + fiat_p256_addcarryx_u64(&x96, &x97, x95, x71, x91); + fiat_p256_addcarryx_u64(&x98, &x99, x97, x72, x92); + fiat_p256_addcarryx_u64(&x100, &x101, x99, x73, x93); + fiat_p256_subborrowx_u64(&x102, &x103, 0x0, x94, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x104, &x105, x103, x96, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x106, &x107, x105, x98, 0x0); + fiat_p256_subborrowx_u64(&x108, &x109, x107, x100, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x110, &x111, x109, x101, 0x0); + fiat_p256_addcarryx_u64(&x112, &x113, 0x0, x6, 0x1); + x114 = ((x80 >> 1) | ((x82 << 63) & UINT64_C(0xffffffffffffffff))); + x115 = ((x82 >> 1) | ((x84 << 63) & UINT64_C(0xffffffffffffffff))); + x116 = ((x84 >> 1) | ((x86 << 63) & UINT64_C(0xffffffffffffffff))); + x117 = ((x86 >> 1) | ((x88 << 63) & UINT64_C(0xffffffffffffffff))); + x118 = ((x88 & UINT64_C(0x8000000000000000)) | (x88 >> 1)); + fiat_p256_cmovznz_u64(&x119, x48, x39, x31); + fiat_p256_cmovznz_u64(&x120, x48, x41, x33); + fiat_p256_cmovznz_u64(&x121, x48, x43, x35); + fiat_p256_cmovznz_u64(&x122, x48, x45, x37); + fiat_p256_cmovznz_u64(&x123, x111, x102, x94); + fiat_p256_cmovznz_u64(&x124, x111, x104, x96); + fiat_p256_cmovznz_u64(&x125, x111, x106, x98); + fiat_p256_cmovznz_u64(&x126, x111, x108, x100); + *out1 = x112; + out2[0] = x7; + out2[1] = x8; + out2[2] = x9; + out2[3] = x10; + out2[4] = x11; + out3[0] = x114; + out3[1] = x115; + out3[2] = x116; + out3[3] = x117; + out3[4] = x118; + out4[0] = x119; + out4[1] = x120; + out4[2] = x121; + out4[3] = x122; + out5[0] = x123; + out5[1] = x124; + out5[2] = x125; + out5[3] = x126; } +/* + * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * + * Postconditions: + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) + * 0 ≤ eval out1 < m + * + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_divstep_precomp(uint64_t out1[4]) { + out1[0] = UINT64_C(0x67ffffffb8000000); + out1[1] = UINT64_C(0xc000000038000000); + out1[2] = UINT64_C(0xd80000007fffffff); + out1[3] = UINT64_C(0x2fffffffffffffff); +} diff --git a/src/util/bot/DEPS b/src/util/bot/DEPS index 574d94bf..b9d42eff 100644 --- a/src/util/bot/DEPS +++ b/src/util/bot/DEPS @@ -19,7 +19,7 @@ vars = { 'checkout_sde': False, 'checkout_nasm': False, 'checkout_libcxx': False, - 'vs_version': '2015', + 'vs_version': '2017', # Run the following command to see the latest builds in CIPD: # cipd describe PACKAGE_NAME -version latest diff --git a/src/util/bot/vs_toolchain.py b/src/util/bot/vs_toolchain.py index 051d78b1..09f407d4 100644 --- a/src/util/bot/vs_toolchain.py +++ b/src/util/bot/vs_toolchain.py @@ -62,14 +62,15 @@ def FindDepotTools(): def _GetDesiredVsToolchainHashes(version): """Load a list of SHA1s corresponding to the toolchains that we want installed to build with.""" - if version == '2015': - # Update 3 final with 10.0.15063.468 SDK and no vctip.exe. - return ['f53e4598951162bad6330f7a167486c7ae5db1e5'] if version == '2017': # VS 2017 Update 9 (15.9.12) with 10.0.18362 SDK, 10.0.17763 version of # Debuggers, and 10.0.17134 version of d3dcompiler_47.dll, with ARM64 # libraries. return ['418b3076791776573a815eb298c8aa590307af63'] + if version == '2019': + # VS 2019 16.61 with 10.0.19041 SDK, and 10.0.20348 version of + # d3dcompiler_47.dll, with ARM64 libraries and UWP support. + return ['3bda71a11e'] raise Exception('Unsupported VS version %s' % version) diff --git a/src/util/fipstools/test_fips.c b/src/util/fipstools/test_fips.c index b3d5521b..e192b616 100644 --- a/src/util/fipstools/test_fips.c +++ b/src/util/fipstools/test_fips.c @@ -47,6 +47,13 @@ static void hexdump(const void *a, size_t len) { int main(int argc, char **argv) { CRYPTO_library_init(); + const uint32_t module_version = FIPS_version(); + if (module_version == 0) { + printf("No module version set\n"); + goto err; + } + printf("Module version: %" PRIu32 "\n", module_version); + static const uint8_t kAESKey[16] = "BoringCrypto Key"; static const uint8_t kPlaintext[64] = "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!"; diff --git a/src/util/whitespace.txt b/src/util/whitespace.txt index c311da36..08ccc0a1 100644 --- a/src/util/whitespace.txt +++ b/src/util/whitespace.txt @@ -1 +1 @@ -This file is ignored. It exists to make no-op commits to trigger new builds. +This file is ignored. It exists to make no-op commits to trigger new builds. |