diff --git a/.gitignore b/.gitignore
index e26f3a5..b448f0e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,6 @@
-SOURCES/NameConstraints_Certs.tar
 SOURCES/blank-cert8.db
 SOURCES/blank-cert9.db
 SOURCES/blank-key3.db
 SOURCES/blank-key4.db
 SOURCES/blank-secmod.db
-SOURCES/nss-3.90.tar.gz
+SOURCES/nss-3.101.tar.gz
diff --git a/.nss.metadata b/.nss.metadata
index 9b1febf..276f207 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,7 +1,6 @@
-39ad4988f85b50fdc3569d21b6c885cf9eb390b0 SOURCES/NameConstraints_Certs.tar
 d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
 b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
 bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
-1e7d2f16655281cfb2972688af1605e0de302481 SOURCES/nss-3.90.tar.gz
+90f6f1d5440e7cc72cd27f2ecf2e8f3f680a00aa SOURCES/nss-3.101.tar.gz
diff --git a/SOURCES/blinding_ct.patch b/SOURCES/blinding_ct.patch
deleted file mode 100644
index 8d338a1..0000000
--- a/SOURCES/blinding_ct.patch
+++ /dev/null
@@ -1,949 +0,0 @@ -diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h ---- a/lib/freebl/mpi/mpi-priv.h -+++ b/lib/freebl/mpi/mpi-priv.h -@@ -199,16 +199,19 @@ void MPI_ASM_DECL s_mpv_mul_d(const mp_d - void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, - mp_digit b, mp_digit *c); - - #endif - - void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a, - mp_size a_len, mp_digit b, - mp_digit *c); -+void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a, -+ mp_size a_len, mp_digit b, -+ mp_digit *c, mp_size c_len); - void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a, - mp_size a_len, - mp_digit *sqrs); - - mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, - mp_digit divisor, mp_digit *quot, mp_digit *rem); - - /* c += a * b * (MP_RADIX ** offset); */ -diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c ---- a/lib/freebl/mpi/mpi.c -+++ b/lib/freebl/mpi/mpi.c -@@ -5,16 +5,18 @@ - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - - #include "mpi-priv.h" - #include "mplogic.h" - -+#include -+ - #if defined(__arm__) && \ - ((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__)) - /* 16-bit thumb or ARM v3 doesn't work inlined assember version */ - #undef MP_ASSEMBLY_MULTIPLY - #undef MP_ASSEMBLY_SQUARE - #endif - - #if MP_LOGTAB -@@ -797,25 +799,28 @@ mp_sub(const mp_int *a, const mp_int *b, - - CLEANUP: - return res; - - } /* end mp_sub() */ - - /* }}} */ - --/* {{{ mp_mul(a, b, c) */ -+/* {{{ s_mp_mulg(a, b, c) */ - - /* -- mp_mul(a, b, c) -- -- Compute c = a * b. All parameters may be identical. -+ s_mp_mulg(a, b, c) -+ -+ Compute c = a * b. All parameters may be identical. if constantTime is set, -+ then the operations are done in constant time. The original is mostly -+ constant time as long as s_mpv_mul_d_add() is constant time. 
This is true -+ of the x86 assembler, as well as the current c code. - */ - mp_err --mp_mul(const mp_int *a, const mp_int *b, mp_int *c) -+s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime) - { - mp_digit *pb; - mp_int tmp; - mp_err res; - mp_size ib; - mp_size useda, usedb; - - ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG); -@@ -841,17 +846,24 @@ mp_mul(const mp_int *a, const mp_int *b, - } - - MP_USED(c) = 1; - MP_DIGIT(c, 0) = 0; - if ((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY) - goto CLEANUP; - - #ifdef NSS_USE_COMBA -- if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) { -+ /* comba isn't constant time because it clamps! If we cared -+ * (we needed a constant time version of multiply that was 'faster' -+ * we could easily pass constantTime down to the comba code and -+ * get it to skip the clamp... but here are assembler versions -+ * which add comba to platforms that can't compile the normal -+ * comba's imbedded assembler which would also need to change, so -+ * for now we just skip comba when we are running constant time. 
*/ -+ if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) { - if (MP_USED(a) == 4) { - s_mp_mul_comba_4(a, b, c); - goto CLEANUP; - } - if (MP_USED(a) == 8) { - s_mp_mul_comba_8(a, b, c); - goto CLEANUP; - } -@@ -871,36 +883,82 @@ mp_mul(const mp_int *a, const mp_int *b, - - /* Outer loop: Digits of b */ - useda = MP_USED(a); - usedb = MP_USED(b); - for (ib = 1; ib < usedb; ib++) { - mp_digit b_i = *pb++; - - /* Inner product: Digits of a */ -- if (b_i) -+ if (constantTime || b_i) - s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib); - else - MP_DIGIT(c, ib + useda) = b_i; - } - -- s_mp_clamp(c); -+ if (!constantTime) { -+ s_mp_clamp(c); -+ } - - if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ) - SIGN(c) = ZPOS; - else - SIGN(c) = NEG; - - CLEANUP: - mp_clear(&tmp); - return res; -+} /* end smp_mulg() */ -+ -+/* }}} */ -+ -+/* {{{ mp_mul(a, b, c) */ -+ -+/* -+ mp_mul(a, b, c) -+ -+ Compute c = a * b. All parameters may be identical. -+ */ -+ -+mp_err -+mp_mul(const mp_int *a, const mp_int *b, mp_int *c) -+{ -+ return s_mp_mulg(a, b, c, 0); - } /* end mp_mul() */ - - /* }}} */ - -+/* {{{ mp_mulCT(a, b, c) */ -+ -+/* -+ mp_mulCT(a, b, c) -+ -+ Compute c = a * b. In constant time. Parameters may not be identical. -+ NOTE: a and b may be modified. -+ */ -+ -+mp_err -+mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize) -+{ -+ mp_err res; -+ -+ /* make the multiply values fixed length so multiply -+ * doesn't leak the length. at this point all the -+ * values are blinded, but once we finish we want the -+ * output size to be hidden (so no clamping the out put) */ -+ MP_CHECKOK(s_mp_pad(a, setSize)); -+ MP_CHECKOK(s_mp_pad(b, setSize)); -+ MP_CHECKOK(s_mp_pad(c, 2*setSize)); -+ MP_CHECKOK(s_mp_mulg(a, b, c, 1)); -+CLEANUP: -+ return res; -+} /* end mp_mulCT() */ -+ -+/* }}} */ -+ - /* {{{ mp_sqr(a, sqr) */ - - #if MP_SQUARE - /* - Computes the square of a. 
This can be done more - efficiently than a general multiplication, because many of the - computation steps are redundant when squaring. The inner product - step is a bit more complicated, but we save a fair number of -@@ -1263,16 +1321,174 @@ mp_mod(const mp_int *a, const mp_int *m, - } - - return MP_OKAY; - - } /* end mp_mod() */ - - /* }}} */ - -+/* {{{ s_mp_subCT_d(a, b, borrow, c) */ -+ -+/* -+ s_mp_subCT_d(a, b, borrow, c) -+ -+ Compute c = (a -b) - subtract in constant time. returns borrow -+ */ -+mp_digit -+s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) { -+ mp_digit borrow1, borrow2, t; -+#ifdef MP_COMPILER_USES_CARRY -+ /* while it doesn't look constant-time, this is idiomatic code -+ * to tell compilers to use the carry bit from subtraction */ -+ t = a - borrow; -+ if (t > a) { -+ borrow1 = 1; -+ } else { -+ borrow1 = 0; -+ } -+ *ret = t - b; -+ if (*ret > t) { -+ borrow2 = 1; -+ } else { -+ borrow2 = 0; -+ } -+#else -+ mp_digit bitr, bitb, nbitt; -+ /* this is constant time independent of compilier */ -+ t = a - borrow; -+ borrow1 = ((~a) >> (MP_DIGIT_BIT-1)) & ((t) >> (MP_DIGIT_BIT-1)); -+ *ret = t - b; -+ bitb = b >> (MP_DIGIT_BIT-1); -+ bitr = *ret >> (MP_DIGIT_BIT-1); -+ nbitt = (~t) >> (MP_DIGIT_BIT-1); -+ borrow2 = (nbitt & bitb) | (bitb & bitr) | (nbitt & bitr); -+#endif -+ /* only borrow 1 or borrow 2 should be 1, we want to guarrentee -+ * the overall borrow is 1, so use | here */ -+ return borrow1 | borrow2; -+} /* s_mp_subCT_d() */ -+ -+/* }}} */ -+ -+/* {{{ mp_subCT(a, b, ret, borrow) */ -+ -+/* return ret= a - b and borrow in borrow. done in constant time. -+ * b could be modified. 
-+ */ -+mp_err -+mp_subCT(const mp_int *a, mp_int *b, mp_int *ret, mp_digit *borrow) -+{ -+ mp_size used_a = MP_USED(a); -+ mp_size i; -+ mp_err res; -+ -+ MP_CHECKOK(s_mp_pad(b, used_a)); -+ MP_CHECKOK(s_mp_pad(ret, used_a)); -+ *borrow = 0; -+ for (i=0; i < used_a; i++) { -+ *borrow = s_mp_subCT_d(MP_DIGIT(a,i), MP_DIGIT(b,i), *borrow, -+ &MP_DIGIT(ret,i)); -+ } -+ -+ res = MP_OKAY; -+CLEANUP: -+ return res; -+} /* end mp_subCT() */ -+ -+/* }}} */ -+ -+/* {{{ mp_selectCT(cond, a, b, ret) */ -+ -+/* -+ * return ret= cond ? a : b; cond should be either 0 or 1 -+ */ -+mp_err -+mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret) -+{ -+ mp_size used_a = MP_USED(a); -+ mp_err res; -+ mp_size i; -+ -+ cond *= MP_DIGIT_MAX; -+ -+ /* we currently require these to be equal on input, -+ * we could use pad to extend one of them, but that might -+ * leak data as it wouldn't be constant time */ -+ assert(used_a == MP_USED(b)); -+ -+ MP_CHECKOK(s_mp_pad(ret, used_a)); -+ for (i=0; i < used_a; i++) { -+ MP_DIGIT(ret,i) = (MP_DIGIT(a,i)&cond) | (MP_DIGIT(b,i)&~cond); -+ } -+ res = MP_OKAY; -+CLEANUP: -+ return res; -+} /* end mp_selectCT() */ -+ -+ -+/* {{{ mp_reduceCT(a, m, c) */ -+ -+/* -+ mp_reduceCT(a, m, c) -+ -+ Compute c = aR^-1 (mod m) in constant time. -+ input should be in montgomery form. If input is the -+ result of a montgomery multiply then out put will be -+ in mongomery form. -+ Result will be reduced to MP_USED(m), but not be -+ clamped. 
-+ */ -+ -+mp_err -+mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c) -+{ -+ mp_size used_m = MP_USED(m); -+ mp_size used_c = used_m*2+1; -+ mp_digit *m_digits, *c_digits; -+ mp_size i; -+ mp_digit borrow, carry; -+ mp_err res; -+ mp_int sub; -+ -+ MP_DIGITS(&sub) = 0; -+ MP_CHECKOK(mp_init_size(&sub,used_m)); -+ -+ if (a != c) { -+ MP_CHECKOK(mp_copy(a, c)); -+ } -+ MP_CHECKOK(s_mp_pad(c, used_c)); -+ m_digits = MP_DIGITS(m); -+ c_digits = MP_DIGITS(c); -+ for (i=0; i < used_m; i++) { -+ mp_digit m_i = MP_DIGIT(c,i)*n0i; -+ s_mpv_mul_d_add_propCT(m_digits, used_m, m_i, c_digits++, used_c--); -+ } -+ s_mp_rshd(c, used_m); -+ /* MP_USED(c) should be used_m+1 with the high word being any carry -+ * from the previous multiply, save that carry and drop the high -+ * word for the substraction below */ -+ carry = MP_DIGIT(c,used_m); -+ MP_DIGIT(c,used_m) = 0; -+ MP_USED(c) = used_m; -+ /* mp_subCT wants c and m to be the same size, we've already -+ * guarrenteed that in the previous statement, so mp_subCT won't actually -+ * modify m, so it's safe to recast */ -+ MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow)); -+ -+ /* we return c-m if c >= m no borrow or there was a borrow and a carry */ -+ MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c)); -+ res = MP_OKAY; -+CLEANUP: -+ mp_clear(&sub); -+ return res; -+} /* end mp_reduceCT() */ -+ -+/* }}} */ -+ - /* {{{ mp_mod_d(a, d, c) */ - - /* - mp_mod_d(a, d, c) - - Compute c = a (mod d). Result will always be 0 <= c < d - */ - mp_err -@@ -1379,16 +1595,47 @@ mp_mulmod(const mp_int *a, const mp_int - if ((res = mp_mod(c, m, c)) != MP_OKAY) - return res; - - return MP_OKAY; - } - - /* }}} */ - -+/* {{{ mp_mulmontmodCT(a, b, m, c) */ -+ -+/* -+ mp_mulmontmodCT(a, b, m, c) -+ -+ Compute c = (a * b) mod m in constant time wrt a and b. either a or b -+ should be in montgomery form and the output is native. 
If both a and b -+ are in montgomery form, then the output will also be in montgomery form -+ and can be recovered with an mp_reduceCT call. -+ NOTE: a and b may be modified. -+ */ -+ -+mp_err -+mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, -+ mp_int *c) -+{ -+ mp_err res; -+ -+ ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG); -+ -+ if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY) -+ return res; -+ -+ if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY) -+ return res; -+ -+ return MP_OKAY; -+} -+ -+/* }}} */ -+ - /* {{{ mp_sqrmod(a, m, c) */ - - #if MP_SQUARE - mp_err - mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c) - { - mp_err res; - -@@ -3936,25 +4183,73 @@ s_mp_mul(mp_int *a, const mp_int *b) - { \ - mp_digit a0b1, a1b0; \ - Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \ - Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \ - a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \ - a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \ - a1b0 += a0b1; \ - Phi += a1b0 >> MP_HALF_DIGIT_BIT; \ -- if (a1b0 < a0b1) \ -- Phi += MP_HALF_RADIX; \ -+ Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT; \ - a1b0 <<= MP_HALF_DIGIT_BIT; \ - Plo += a1b0; \ -- if (Plo < a1b0) \ -- ++Phi; \ -+ Phi += MP_CT_LTU(Plo, a1b0); \ - } - #endif - -+/* Constant time version of s_mpv_mul_d_add_prop. -+ * Presently, this is only used by the Constant time Montgomery arithmetic code. 
*/ -+/* c += a * b */ -+void -+s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b, -+ mp_digit *c, mp_size c_len) -+{ -+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD) -+ mp_digit d = 0; -+ -+ c_len -= a_len; -+ /* Inner product: Digits of a */ -+ while (a_len--) { -+ mp_word w = ((mp_word)b * *a++) + *c + d; -+ *c++ = ACCUM(w); -+ d = CARRYOUT(w); -+ } -+ -+ /* propagate the carry to the end, even if carry is zero */ -+ while (c_len--) { -+ mp_word w = (mp_word)*c + d; -+ *c++ = ACCUM(w); -+ d = CARRYOUT(w); -+ } -+#else -+ mp_digit carry = 0; -+ c_len -= a_len; -+ while (a_len--) { -+ mp_digit a_i = *a++; -+ mp_digit a0b0, a1b1; -+ MP_MUL_DxD(a_i, b, a1b1, a0b0); -+ -+ a0b0 += carry; -+ a1b1 += MP_CT_LTU(a0b0, carry); -+ a0b0 += a_i = *c; -+ a1b1 += MP_CT_LTU(a0b0, a_i); -+ -+ *c++ = a0b0; -+ carry = a1b1; -+ } -+ /* propagate the carry to the end, even if carry is zero */ -+ while (c_len--) { -+ mp_digit c_i = *c; -+ carry += c_i; -+ *c++ = carry; -+ carry = MP_CT_LTU(carry, c_i); -+ } -+#endif -+} -+ - #if !defined(MP_ASSEMBLY_MULTIPLY) - /* c = a * b */ - void - s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) - { - #if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD) - mp_digit d = 0; - -@@ -3969,18 +4264,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a - mp_digit carry = 0; - while (a_len--) { - mp_digit a_i = *a++; - mp_digit a0b0, a1b1; - - MP_MUL_DxD(a_i, b, a1b1, a0b0); - - a0b0 += carry; -- if (a0b0 < carry) -- ++a1b1; -+ a1b1 += a0b0 < carry; - *c++ = a0b0; - carry = a1b1; - } - *c = carry; - #endif - } - - /* c += a * b */ -@@ -4002,21 +4296,19 @@ s_mpv_mul_d_add(const mp_digit *a, mp_si - mp_digit carry = 0; - while (a_len--) { - mp_digit a_i = *a++; - mp_digit a0b0, a1b1; - - MP_MUL_DxD(a_i, b, a1b1, a0b0); - - a0b0 += carry; -- if (a0b0 < carry) -- ++a1b1; -+ a1b1 += (a0b0 < carry); - a0b0 += a_i = *c; -- if (a0b0 < a_i) -- ++a1b1; -+ a1b1 += (a0b0 < a_i); - *c++ = a0b0; - carry = a1b1; - } - *c = 
carry; - #endif - } - - /* Presently, this is only used by the Montgomery arithmetic code. */ -diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h ---- a/lib/freebl/mpi/mpi.h -+++ b/lib/freebl/mpi/mpi.h -@@ -145,16 +145,54 @@ typedef int mp_sword; - #define MP_USED(MP) ((MP)->used) - #define MP_ALLOC(MP) ((MP)->alloc) - #define MP_DIGITS(MP) ((MP)->dp) - #define MP_DIGIT(MP, N) (MP)->dp[(N)] - - /* This defines the maximum I/O base (minimum is 2) */ - #define MP_MAX_RADIX 64 - -+/* Constant Time Macros on mp_digits */ -+#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1))) -+ -+/* basic zero and non zero tests */ -+#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x))))) -+#define MP_CT_ZERO(x) (~MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x))))) -+ -+ -+/* basic constant-time helper macro for equalities and inequalities. -+ * The inequalities will produce incorrect results if -+ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay -+ * within the range 0-MP_DIGIT_MAX/2. 
*/ -+#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) - (b))) -+#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) - (b))) -+#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a)) -+#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b)) -+#define MP_CT_GE(a, b) (1^MP_CT_LT(a, b)) -+#define MP_CT_LE(a, b) (1^MP_CT_GT(a, b)) -+#define MP_CT_TRUE ((mp_digit)1) -+#define MP_CT_FALSE ((mp_digit)0) -+ -+/* use constant time result to select a boolean value */ -+#define MP_CT_SELB(m, l, r) (((m) & (l)) | (~(m) & (r))) -+ -+/* full inequalities that work with full mp_digit values */ -+#define MP_CT_OVERFLOW(a,b,c,d) \ -+ MP_CT_SELB(MP_CT_HIGH_TO_LOW((a)^(b)), \ -+ (MP_CT_HIGH_TO_LOW(d)),c) -+#define MP_CT_GTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),a) -+#define MP_CT_LTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),b) -+#define MP_CT_GEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),a) -+#define MP_CT_LEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),b) -+#define MP_CT_GTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),b) -+#define MP_CT_LTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),a) -+#define MP_CT_GES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),b) -+#define MP_CT_LES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),a) -+ -+ - typedef struct { - mp_sign sign; /* sign of this quantity */ - mp_size alloc; /* how many digits allocated */ - mp_size used; /* how many digits used */ - mp_digit *dp; /* the digits themselves */ - } mp_int; - - /* Default precision */ -@@ -185,17 +223,19 @@ mp_err mp_expt_d(const mp_int *a, mp_dig - - /* Sign manipulations */ - mp_err mp_abs(const mp_int *a, mp_int *b); - mp_err mp_neg(const mp_int *a, mp_int *b); - - /* Full arithmetic */ - mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c); - mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c); -+mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow); - mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c); -+mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize); - #if MP_SQUARE - mp_err mp_sqr(const mp_int *a, mp_int 
*b); - #else - #define mp_sqr(a, b) mp_mul(a, a, b) - #endif - mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r); - mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r); - mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c); -@@ -212,23 +252,30 @@ mp_err mp_mulmod(const mp_int *a, const - mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c); - #else - #define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c) - #endif - mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c); - mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c); - #endif /* MP_MODARITH */ - -+/* montgomery math */ -+mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont); -+mp_digit mp_calculate_mont_n0i(const mp_int *N); -+mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct); -+mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c); -+ - /* Comparisons */ - int mp_cmp_z(const mp_int *a); - int mp_cmp_d(const mp_int *a, mp_digit d); - int mp_cmp(const mp_int *a, const mp_int *b); - int mp_cmp_mag(const mp_int *a, const mp_int *b); - int mp_isodd(const mp_int *a); - int mp_iseven(const mp_int *a); -+mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret); - - /* Number theoretic */ - mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c); - mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c); - mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y); - mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c); - mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c); - -diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c ---- a/lib/freebl/mpi/mpmontg.c -+++ b/lib/freebl/mpi/mpmontg.c -@@ -124,30 +124,37 @@ s_mp_mul_mont(const mp_int *a, const mp_ - } - res = MP_OKAY; - - CLEANUP: - return res; - } - #endif - --STATIC - mp_err --s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int 
*xMont) -+mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont) - { - mp_err res; - - /* xMont = x * R mod N where N is modulus */ -- MP_CHECKOK(mp_copy(x, xMont)); -- MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */ -- MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont)); /* mod N */ -+ if (x != xMont) { -+ MP_CHECKOK(mp_copy(x, xMont)); -+ } -+ MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */ -+ MP_CHECKOK(mp_div(xMont, N, 0, xMont)); /* mod N */ - CLEANUP: - return res; - } - -+mp_digit -+mp_calculate_mont_n0i(const mp_int *N) -+{ -+ return 0 - s_mp_invmod_radix(MP_DIGIT(N,0)); -+} -+ - #ifdef MP_USING_MONT_MULF - - /* the floating point multiply is already cache safe, - * don't turn on cache safe unless we specifically - * force it */ - #ifndef MP_FORCE_CACHE_SAFE - #undef MP_USING_CACHE_SAFE_MOD_EXP - #endif -@@ -193,17 +200,17 @@ mp_exptmod_f(const mp_int *montBase, - MP_DIGITS(&accum1) = 0; - - for (i = 0; i < MAX_ODD_INTS; ++i) - oddPowers[i] = 0; - - MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2)); - - mp_set(&accum1, 1); -- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1)); -+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1)); - MP_CHECKOK(s_mp_pad(&accum1, nLen)); - - oddPowSize = 2 * nLen + 1; - dTmpSize = 2 * oddPowSize; - dSize = sizeof(double) * (nLen * 4 + 1 + - ((odd_ints + 1) * oddPowSize) + dTmpSize); - dBuf = malloc(dSize); - if (!dBuf) { -@@ -473,17 +480,17 @@ mp_exptmod_i(const mp_int *montBase, - for (i = 1; i < odd_ints; ++i) { - MP_CHECKOK(mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2)); - MP_CHECKOK(mp_mul(oddPowers + (i - 1), &power2, oddPowers + i)); - MP_CHECKOK(s_mp_redc(oddPowers + i, mmm)); - } - - /* set accumulator to montgomery residue of 1 */ - mp_set(&accum1, 1); -- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1)); -+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1)); - pa1 = &accum1; - pa2 = &accum2; - - for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= 
window_bits) { - mp_size smallExp; - MP_CHECKOK(mpl_get_bits(exponent, expOff, window_bits)); - smallExp = (mp_size)res; - -@@ -862,17 +869,17 @@ mp_exptmod_safe_i(const mp_int *montBase - /* build the first WEAVE_WORD powers inline */ - /* if WEAVE_WORD_SIZE is not 4, this code will have to change */ - if (num_powers > 2) { - MP_CHECKOK(mp_init_size(&accum[0], 3 * nLen + 2)); - MP_CHECKOK(mp_init_size(&accum[1], 3 * nLen + 2)); - MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2)); - MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2)); - mp_set(&accum[0], 1); -- MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0])); -+ MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0])); - MP_CHECKOK(mp_copy(montBase, &accum[1])); - SQR(montBase, &accum[2]); - MUL_NOWEAVE(montBase, &accum[2], &accum[3]); - powersArray = (mp_digit *)malloc(num_powers * (nLen * sizeof(mp_digit) + 1)); - if (!powersArray) { - res = MP_MEM; - goto CLEANUP; - } -@@ -881,17 +888,17 @@ mp_exptmod_safe_i(const mp_int *montBase - MP_CHECKOK(mpi_to_weave(accum, powers, nLen, num_powers)); - if (first_window < 4) { - MP_CHECKOK(mp_copy(&accum[first_window], &accum1)); - first_window = num_powers; - } - } else { - if (first_window == 0) { - mp_set(&accum1, 1); -- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1)); -+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1)); - } else { - /* assert first_window == 1? */ - MP_CHECKOK(mp_copy(montBase, &accum1)); - } - } - - /* - * calculate all the powers in the powers array. -@@ -1054,19 +1061,19 @@ mp_exptmod(const mp_int *inBase, const m - nLen = MP_USED(modulus); - MP_CHECKOK(mp_init_size(&montBase, 2 * nLen + 2)); - - mmm.N = *modulus; /* a copy of the mp_int struct */ - - /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX - ** where n0 = least significant mp_digit of N, the modulus. 
- */ -- mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0)); -+ mmm.n0prime = mp_calculate_mont_n0i(modulus); - -- MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase)); -+ MP_CHECKOK(mp_to_mont(base, modulus, &montBase)); - - bits_in_exponent = mpl_significant_bits(exponent); - #ifdef MP_USING_CACHE_SAFE_MOD_EXP - if (mp_using_cache_safe_exp) { - if (bits_in_exponent > 780) - window_bits = 6; - else if (bits_in_exponent > 256) - window_bits = 5; -diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c ---- a/lib/freebl/rsa.c -+++ b/lib/freebl/rsa.c -@@ -65,16 +65,18 @@ struct blindingParamsStr { - ** the Handbook of Applied Cryptography, 11.118-11.119. - */ - struct RSABlindingParamsStr { - /* Blinding-specific parameters */ - PRCList link; /* link to list of structs */ - SECItem modulus; /* list element "key" */ - blindingParams *free, *bp; /* Blinding parameters queue */ - blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE]; -+ /* precalculate montegomery reduction value */ -+ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */ - }; - typedef struct RSABlindingParamsStr RSABlindingParams; - - /* - ** RSABlindingParamsListStr - ** - ** List of key-specific blinding params. The arena holds the volatile pool - ** of memory for each entry and the list itself. The lock is for list -@@ -1210,16 +1212,18 @@ generate_blinding_params(RSAPrivateKey * - CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(kb, modLen)); - CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, modLen)); - /* k < n */ - CHECK_MPI_OK(mp_mod(&k, n, &k)); - /* f = k**e mod n */ - CHECK_MPI_OK(mp_exptmod(&k, &e, n, f)); - /* g = k**-1 mod n */ - CHECK_MPI_OK(mp_invmod(&k, n, g)); -+ /* g in montgomery form.. 
*/ -+ CHECK_MPI_OK(mp_to_mont(g, n, g)); - cleanup: - if (kb) - PORT_ZFree(kb, modLen); - mp_clear(&k); - mp_clear(&e); - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; -@@ -1246,23 +1250,26 @@ init_blinding_params(RSABlindingParams * - * of rsabp->array pointer and must be set to NULL - */ - rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL; - - bp = rsabp->array; - rsabp->bp = NULL; - rsabp->free = bp; - -+ /* precalculate montgomery reduction parameter */ -+ rsabp->n0i = mp_calculate_mont_n0i(n); -+ - /* List elements are keyed using the modulus */ - return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus); - } - - static SECStatus - get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen, -- mp_int *f, mp_int *g) -+ mp_int *f, mp_int *g, mp_digit *n0i) - { - RSABlindingParams *rsabp = NULL; - blindingParams *bpUnlinked = NULL; - blindingParams *bp; - PRCList *el; - SECStatus rv = SECSuccess; - mp_err err = MP_OKAY; - int cmp = -1; -@@ -1312,16 +1319,17 @@ get_blinding_params(RSAPrivateKey *key, - ** head (since el would have looped back to the head). - */ - PR_INSERT_BEFORE(&rsabp->link, el); - } - - /* We've found (or created) the RSAblindingParams struct for this key. - * Now, search its list of ready blinding params for a usable one. - */ -+ *n0i = rsabp->n0i; - while (0 != (bp = rsabp->bp)) { - #ifdef UNSAFE_FUZZER_MODE - /* Found a match and there are still remaining uses left */ - /* Return the parameters */ - CHECK_MPI_OK(mp_copy(&bp->f, f)); - CHECK_MPI_OK(mp_copy(&bp->g, g)); - - PZ_Unlock(blindingParamsList.lock); -@@ -1426,16 +1434,17 @@ cleanup: - rsabp->free = bp; - } - if (holdingLock) { - PZ_Unlock(blindingParamsList.lock); - } - if (err) { - MP_TO_SEC_ERROR(err); - } -+ *n0i = 0; - return SECFailure; - } - - /* - ** Perform a raw private-key operation - ** Length of input and output buffers are equal to key's modulus len. 
- */ - static SECStatus -@@ -1445,16 +1454,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key, - PRBool check) - { - unsigned int modLen; - unsigned int offset; - SECStatus rv = SECSuccess; - mp_err err; - mp_int n, c, m; - mp_int f, g; -+ mp_digit n0i; - if (!key || !output || !input) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - /* check input out of range (needs to be in range [0..n-1]) */ - modLen = rsa_modulusLen(&key->modulus); - if (modLen == 0) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); -@@ -1476,17 +1486,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key, - CHECK_MPI_OK(mp_init(&f)); - CHECK_MPI_OK(mp_init(&g)); - SECITEM_TO_MPINT(key->modulus, &n); - OCTETS_TO_MPINT(input, &c, modLen); - /* If blinding, compute pre-image of ciphertext by multiplying by - ** blinding factor - */ - if (nssRSAUseBlinding) { -- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g)); -+ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i)); - /* c' = c*f mod n */ - CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c)); - } - /* Do the private key operation m = c**d mod n */ - if (key->prime1.len == 0 || - key->prime2.len == 0 || - key->exponent1.len == 0 || - key->exponent2.len == 0 || -@@ -1497,17 +1507,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key, - } else { - CHECK_SEC_OK(rsa_PrivateKeyOpCRTNoCheck(key, &m, &c)); - } - /* If blinding, compute post-image of plaintext by multiplying by - ** blinding factor - */ - if (nssRSAUseBlinding) { - /* m = m'*g mod n */ -- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m)); -+ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m)); - } - err = mp_to_fixlen_octets(&m, output, modLen); - if (err >= 0) - err = MP_OKAY; - cleanup: - mp_clear(&n); - mp_clear(&c); - mp_clear(&m); diff --git a/SOURCES/nss-3.101-add-certificate-compression-test.patch b/SOURCES/nss-3.101-add-certificate-compression-test.patch new file mode 100644 index 0000000..b2f073d --- /dev/null +++ b/SOURCES/nss-3.101-add-certificate-compression-test.patch 
@@ -0,0 +1,1383 @@
+diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
+--- a/cmd/lib/secutil.c
++++ b/cmd/lib/secutil.c
+@@ -4487,16 +4487,114 @@ done:
+ return SECFailure;
+ }
+
+ *enabledExporterCount = count;
+ *enabledExporters = exporters;
+ return SECSuccess;
+ }
+
++typedef SECStatus (*secuEncodeFunc) (const SECItem *, SECItem *);
++typedef SECStatus (*secuDecodeFunc) (const SECItem *, unsigned char *, size_t, size_t *);
++#define EXT_COMP_MAX_ARGS 5
++#define EXT_COMP_MIN_ARGS 4
++#define EXT_COMP_ID 0
++#define EXT_COMP_NAME 1
++#define EXT_COMP_LIB 2
++#define EXT_COMP_ENCODE 3
++#define EXT_COMP_DECODE 4
++SECStatus
++parseExternalCompessionString(secuExternalCompressionEntry *entry,
++ const char *opt)
++{
++ SSLCertificateCompressionAlgorithm *alg = &entry->compAlg;
++ char *str = PORT_Strdup(opt);
++ char *save_ptr;
++ char *p;
++ char *args[EXT_COMP_MAX_ARGS] = { NULL };
++ int i, arg_count=0;
++ PRLibSpec libSpec;
++ SECStatus rv = SECFailure;
++
++ PORT_Memset(entry, 0, sizeof(secuExternalCompressionEntry));
++
++ if (!str) {
++ goto done;
++ }
++
++ for (p = strtok_r(str, ",", &save_ptr), i=0; p && (i < EXT_COMP_MAX_ARGS) ;
++ i++, p = strtok_r(NULL, ",", &save_ptr)) {
++ args[i] = PORT_Strdup(p);
++ }
++
++ arg_count = i;
++ if (arg_count < EXT_COMP_MIN_ARGS) {
++ goto done;
++ }
++ libSpec.type = PR_LibSpec_Pathname;
++ libSpec.value.pathname = args[EXT_COMP_LIB];
++ entry->lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW|PR_LD_LOCAL);
++ if (entry->lib == NULL) {
++ goto done;
++ }
++ alg->id = atoi(args[EXT_COMP_ID]);
++ if (alg->id == 0) {
++ goto done;
++ }
++ alg->name = args[EXT_COMP_NAME];
++ args[EXT_COMP_NAME] = NULL;
++ if (args[EXT_COMP_ENCODE] && *args[EXT_COMP_ENCODE]) {
++ alg->encode = (secuEncodeFunc) PR_FindFunctionSymbol(entry->lib, args[EXT_COMP_ENCODE]);
++ if (alg->encode == NULL) {
++ goto done;
++ }
++ }
++ if (args[EXT_COMP_DECODE] && *args[EXT_COMP_DECODE]) {
++ alg->decode = (secuDecodeFunc)
PR_FindFunctionSymbol(entry->lib, args[EXT_COMP_DECODE]);
++ if (alg->decode == NULL) {
++ goto done;
++ }
++ }
++ /* make sure at least one of these has been set */
++ if ((alg->encode == NULL) && (alg->decode == NULL)) {
++ goto done;
++ }
++ rv = SECSuccess;
++
++done:
++ for (i=0; i < arg_count; i ++) {
++ if (args[i]) {
++ PORT_Free(args[i]);
++ }
++ }
++ if (str) {
++ PORT_Free(str);
++ }
++
++ if (rv != SECSuccess) {
++ secuFreeExternalCompressionEntry(entry);
++ }
++ return rv;
++}
++
++void
++secuFreeExternalCompressionEntry(secuExternalCompressionEntry *entry)
++{
++ SSLCertificateCompressionAlgorithm *alg = &entry->compAlg;
++ if (entry->lib) {
++ PR_UnloadLibrary(entry->lib);
++ entry->lib = NULL;
++ }
++ if (alg->name) {
++ PORT_Free((char *)alg->name);
++ alg->name = NULL;
++ }
++}
++
++
+ static SECStatus
+ exportKeyingMaterial(PRFileDesc *fd, const secuExporter *exporter)
+ {
+ SECStatus rv = SECSuccess;
+ unsigned char *out = PORT_Alloc(exporter->outputLength);
+
+ if (!out) {
+ fprintf(stderr, "Unable to allocate buffer for keying material\n");
+diff --git a/cmd/lib/secutil.h b/cmd/lib/secutil.h
+--- a/cmd/lib/secutil.h
++++ b/cmd/lib/secutil.h
+@@ -435,16 +435,27 @@ typedef struct {
+ SECStatus parseExporters(const char *arg,
+ const secuExporter **enabledExporters,
+ unsigned int *enabledExporterCount);
+
+ SECStatus exportKeyingMaterials(PRFileDesc *fd,
+ const secuExporter *exporters,
+ unsigned int exporterCount);
+
++typedef struct {
++ PRLibrary *lib;
++ SSLCertificateCompressionAlgorithm compAlg;
++} secuExternalCompressionEntry;
++
++SECStatus
++parseExternalCompessionString(secuExternalCompressionEntry *, const char *opt);
++
++void
++secuFreeExternalCompressionEntry(secuExternalCompressionEntry *);
++
+ SECStatus readPSK(const char *arg, SECItem *psk, SECItem *label);
+
+ /*
+ *
+ * Error messaging
+ *
+ */
+
+diff --git a/cmd/selfserv/Makefile b/cmd/selfserv/Makefile
+--- a/cmd/selfserv/Makefile
++++ b/cmd/selfserv/Makefile
+@@ -1,10
+1,10 @@
+ #! gmake
+-#
++#
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+ #######################################################################
+ # (1) Include initial platform-independent assignments (MANDATORY). #
+ #######################################################################
+
+@@ -18,29 +18,27 @@ include $(CORE_DEPTH)/coreconf/config.mk
+
+ #######################################################################
+ # (3) Include "component" configuration information. (OPTIONAL) #
+ #######################################################################
+
+ #######################################################################
+ # (4) Include "local" platform-dependent assignments (OPTIONAL). #
+ #######################################################################
++
+ include ../platlibs.mk
++include $(CORE_DEPTH)/coreconf/zlib.mk
+
+ #######################################################################
+ # (5) Execute "global" rules. (OPTIONAL) #
+ #######################################################################
+
+ include $(CORE_DEPTH)/coreconf/rules.mk
+
+ #######################################################################
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+ +- +- #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).
#
+ #######################################################################
+
+-
+ include ../platrules.mk
+-
+diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
+--- a/cmd/selfserv/selfserv.c
++++ b/cmd/selfserv/selfserv.c
+@@ -38,16 +38,17 @@
+ #include "nss.h"
+ #include "ssl.h"
+ #include "sslproto.h"
+ #include "sslexp.h"
+ #include "cert.h"
+ #include "certt.h"
+ #include "ocsp.h"
+ #include "nssb64.h"
++#include "zlib.h"
+
+ #ifndef PORT_Strstr
+ #define PORT_Strstr strstr
+ #endif
+
+ #ifndef PORT_Malloc
+ #define PORT_Malloc PR_Malloc
+ #endif
+@@ -56,16 +57,17 @@ int NumSidCacheEntries = 1024;
+
+ static int handle_connection(PRFileDesc *, PRFileDesc *);
+
+ static const char envVarName[] = { SSL_ENV_VAR_NAME };
+ static const char inheritableSockName[] = { "SELFSERV_LISTEN_SOCKET" };
+
+ #define MAX_VIRT_SERVER_NAME_ARRAY_INDEX 10
+ #define MAX_CERT_NICKNAME_ARRAY_INDEX 10
++#define MAX_EXTERNAL_COMPRESSERS_INDEX 10
+
+ #define DEFAULT_BULK_TEST 16384
+ #define MAX_BULK_TEST 1048576 /* 1 MB */
+ static PRBool testBulk;
+ static PRUint32 testBulkSize = DEFAULT_BULK_TEST;
+ static PRInt32 testBulkTotal;
+ static char *testBulkBuf;
+ static PRDescIdentity log_layer_id = PR_INVALID_IO_LAYER;
+@@ -162,17 +164,18 @@ PrintUsageHeader(const char *progName)
+ fprintf(stderr,
+ "Usage: %s -n rsa_nickname -p port [-BDENRZbjlmrsuvx] [-w password]\n"
+ " [-t threads] [-i pid_file] [-c ciphers] [-Y] [-d dbdir] [-g numblocks]\n"
+ " [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
+ " [-V [min-version]:[max-version]] [-a sni_name]\n"
+ " [ T ] [-A ca]\n"
+ " [-C SSLCacheEntries] [-S dsa_nickname] [-Q]\n"
+ " [-I groups] [-J signatureschemes] [-e ec_nickname]\n"
+- " -U [0|1] -H [0|1|2] -W [0|1] [-z externalPsk]\n"
++ " -U [0|1] -H [0|1|2] -W [0|1] [-z externalPsk] -q\n"
++ " [-K compression_spec]\n"
+ "\n",
+ progName);
+ }
+
+ static void
+ PrintParameterUsage()
+ {
+ fputs(
+@@ -248,17 +251,28 @@ PrintParameterUsage()
+ "
0xAAAABBBBCCCCDDDD:mylabel. Otherwise, the default label of\n"
+ " 'Client_identity' will be used.\n"
+ "-X Configure the server for ECH via the given . ECHParams\n"
+ " are expected in one of two formats:\n"
+ " 1. A string containing the ECH public name prefixed by the substring\n"
+ " \"publicname:\". For example, \"publicname:example.com\". In this mode,\n"
+ " an ephemeral ECH keypair is generated and ECHConfigs are printed to stdout.\n"
+ " 2. As a Base64 tuple of || . In this mode, the\n"
+- " raw private key is used to bootstrap the HPKE context.\n",
++ " raw private key is used to bootstrap the HPKE context.\n"
++ "-q Enable zlib certificate compression\n"
++ "-K compression_spec Enable certificate compression with an external\n"
++ " compresser. The compression_spec value has the following format:\n"
++ " id,name,dll,encode,decode\n"
++ " where:\n"
++ " id is an int matching the ssl spec for the compresser.\n"
++ " name is a friendly name for the compresser.\n"
++ " dll is the path to the implementation for the compresser.\n"
++ " encode is the name of the encode function which will compress.\n"
++ " decode is the name of the decode function which will decompress.\n",
++
+ stderr);
+ }
+
+ static void
+ Usage(const char *progName)
+ {
+ PrintUsageHeader(progName);
+ PrintParameterUsage();
+@@ -816,16 +830,17 @@ logger(void *arg)
+
+ PRBool useModelSocket = PR_FALSE;
+ static SSLVersionRange enabledVersions;
+ PRBool disableRollBack = PR_FALSE;
+ PRBool NoReuse = PR_FALSE;
+ PRBool hasSidCache = PR_FALSE;
+ PRBool disableLocking = PR_FALSE;
+ PRBool enableSessionTickets = PR_FALSE;
++PRBool enableZlibCertificateCompression = PR_FALSE;
+ PRBool failedToNegotiateName = PR_FALSE;
+ PRBool enableExtendedMasterSecret = PR_FALSE;
+ PRBool zeroRTT = PR_FALSE;
+ SSLAntiReplayContext *antiReplay = NULL;
+ PRBool enableALPN = PR_FALSE;
+ PRBool enablePostHandshakeAuth = PR_FALSE;
+ SSLNamedGroup *enabledGroups = NULL;
+ unsigned int enabledGroupsCount = 0;
+@@
-835,16 +850,19 @@ const secuExporter *enabledExporters = N
+ unsigned int enabledExporterCount = 0;
+
+ static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX];
+ static int virtServerNameIndex = 1;
+
+ static char *certNicknameArray[MAX_CERT_NICKNAME_ARRAY_INDEX];
+ static int certNicknameIndex = 0;
+
++static secuExternalCompressionEntry externalCompressionValues[MAX_EXTERNAL_COMPRESSERS_INDEX];
++static int externalCompressionCount = 0;
++
+ static const char stopCmd[] = { "GET /stop " };
+ static const char getCmd[] = { "GET " };
+ static const char EOFmsg[] = { "EOF\r\n\r\n\r\n" };
+ static const char outHeader[] = {
+ "HTTP/1.0 200 OK\r\n"
+ "Server: Generic Web Server\r\n"
+ "Date: Tue, 26 Aug 1997 22:10:05 GMT\r\n"
+ "Content-type: text/plain\r\n"
+@@ -2062,16 +2080,92 @@ configureEch(PRFileDesc *model_sock)
+ {
+ if (!PORT_Strncmp(echParamsStr, "publicname:", PORT_Strlen("publicname:"))) {
+ return configureEchWithPublicName(model_sock,
+ &echParamsStr[PORT_Strlen("publicname:")]);
+ }
+ return configureEchWithData(model_sock);
+ }
+
++SECStatus zlibCertificateDecode(const SECItem* input, unsigned char* output,
++ size_t outputLen, size_t* usedLen)
++{
++ SECStatus rv = SECFailure;
++ if (!input || !input->data || input->len == 0 || !output || outputLen == 0) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return rv;
++ }
++
++ z_stream strm = {};
++
++ if (inflateInit(&strm) != Z_OK) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return rv;
++ }
++
++ strm.avail_in = input->len;
++ strm.next_in = input->data;
++
++ strm.avail_out = outputLen;
++ strm.next_out = output;
++
++ int ret = inflate(&strm, Z_FINISH);
++ if (ret != Z_STREAM_END || strm.avail_in == 0 || strm.avail_out == 0) {
++ PORT_SetError(SEC_ERROR_BAD_DATA);
++ return rv;
++ }
++
++ *usedLen = strm.total_out;
++ rv = SECSuccess;
++ return rv;
++}
++
++SECStatus zlibCertificateEncode(const SECItem* input, SECItem *output)
++{
++ SECStatus rv = SECFailure;
++ if (!input ||
!input->data || input->len == 0 || !output ||
++ !output->data || output->len == 0) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return rv;
++ }
++
++ z_stream strm = {};
++
++ if (deflateInit(&strm, 9) != Z_OK) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return rv;
++ }
++
++ strm.avail_in = input->len;
++ strm.next_in = input->data;
++
++ strm.avail_out = output->len;
++ strm.next_out = output->data;
++
++ int ret = deflate(&strm, Z_FINISH);
++ if (ret != Z_STREAM_END || strm.avail_in == 0 || strm.avail_out == 0) {
++ PORT_SetError(SEC_ERROR_BAD_DATA);
++ return rv;
++ }
++
++ output->len = strm.total_out;
++ rv = SECSuccess;
++ return rv;
++}
++
++static SECStatus
++configureZlibCompression(PRFileDesc *model_sock)
++{
++ SSLCertificateCompressionAlgorithm zlibAlg = {1, "zlib",
++ zlibCertificateEncode,
++ zlibCertificateDecode};
++
++ return SSL_SetCertificateCompressionAlgorithm(model_sock, zlibAlg);
++}
++
+ void
+ server_main(
+ PRFileDesc *listen_sock,
+ SECKEYPrivateKey **privKey,
+ CERTCertificate **cert,
+ const char *expectedHostNameVal)
+ {
+ int i;
+@@ -2118,16 +2212,32 @@ server_main(
+ }
+ if (enableSessionTickets) {
+ rv = SSL_OptionSet(model_sock, SSL_ENABLE_SESSION_TICKETS, PR_TRUE);
+ if (rv != SECSuccess) {
+ errExit("error enabling Session Ticket extension ");
+ }
+ }
+
++ if (enableZlibCertificateCompression) {
++ rv = configureZlibCompression(model_sock);
++ if (rv != SECSuccess) {
++ errExit("error enabling Zlib Certificate Compression");
++ }
++ }
++
++ for (i=0; i < externalCompressionCount; i++) {
++ secuExternalCompressionEntry *e = &externalCompressionValues[i];
++ SSLCertificateCompressionAlgorithm alg = e->compAlg;
++ rv = SSL_SetCertificateCompressionAlgorithm(model_sock, alg);
++ if (rv != SECSuccess) {
++ errExit("error enabling External Certificate Compression");
++ }
++ }
++
+ if (virtServerNameIndex > 1) {
+ rv = SSL_SNISocketConfigHook(model_sock, mySSLSNISocketConfig,
+ (void *)&virtServerNameArray);
+ if (rv !=
SECSuccess) {
+ errExit("error enabling SNI extension ");
+ }
+ }
+
+@@ -2528,17 +2638,17 @@ main(int argc, char **argv)
+ PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
+
+ /* please keep this list of options in ASCII collating sequence.
+ ** numbers, then capital letters, then lower case, alphabetical.
+ ** XXX: 'B', and 'q' were used in the past but removed
+ ** in 3.28, please leave some time before resuing those. */
+ optstate = PL_CreateOptState(argc, argv,
+- "2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:X:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:x:yz:");
++ "2:A:C:DEGH:I:J:K:L:M:NP:QRS:T:U:V:W:X:YZa:bc:d:e:f:g:hi:jk:lmn:op:rqst:uvw:x:yz:");
+ while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+ ++optionsFound;
+ switch (optstate->option) {
+ case '2':
+ fileName = optstate->value;
+ break;
+
+ case 'A':
+@@ -2553,22 +2663,56 @@ main(int argc, char **argv)
+ case 'D':
+ noDelay = PR_TRUE;
+ break;
+
+ case 'E':
+ enablePostHandshakeAuth = PR_TRUE;
+ break;
+
++ case 'G':
++ enableExtendedMasterSecret = PR_TRUE;
++ break;
++
+ case 'H':
+ configureDHE = (PORT_Atoi(optstate->value) != 0);
+ break;
+
+- case 'G':
+- enableExtendedMasterSecret = PR_TRUE;
++ case 'I':
++ rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
++ if (rv != SECSuccess) {
++ PL_DestroyOptState(optstate);
++ fprintf(stderr, "Bad group specified.\n");
++ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
++ exit(5);
++ }
++ break;
++
++ case 'J':
++ rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
++ if (rv != SECSuccess) {
++ PL_DestroyOptState(optstate);
++ fprintf(stderr, "Bad signature scheme specified.\n");
++ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
++ exit(5);
++ }
++ break;
++
++ case 'K':
++ if (externalCompressionCount >= MAX_EXTERNAL_COMPRESSERS_INDEX) {
++ Usage(progName);
++ break;
++ }
++ rv =
parseExternalCompessionString(&externalCompressionValues
++ [externalCompressionCount++],
++ optstate->value);
++ if (rv != SECSuccess) {
++ Usage(progName);
++ break;
++ }
+ break;
+
+ case 'L':
+ logStats = PR_TRUE;
+ if (optstate->value == NULL) {
+ logPeriod = 30;
+ } else {
+ logPeriod = PORT_Atoi(optstate->value);
+@@ -2584,16 +2728,24 @@ main(int argc, char **argv)
+ if (maxProcs > MAX_PROCS)
+ maxProcs = MAX_PROCS;
+ break;
+
+ case 'N':
+ NoReuse = PR_TRUE;
+ break;
+
++ case 'P':
++ certPrefix = PORT_Strdup(optstate->value);
++ break;
++
++ case 'Q':
++ enableALPN = PR_TRUE;
++ break;
++
+ case 'R':
+ disableRollBack = PR_TRUE;
+ break;
+
+ case 'S':
+ if (certNicknameIndex >= MAX_CERT_NICKNAME_ARRAY_INDEX) {
+ Usage(progName);
+ break;
+@@ -2622,21 +2774,34 @@ main(int argc, char **argv)
+ exit(1);
+ }
+ break;
+
+ case 'W':
+ configureWeakDHE = (PORT_Atoi(optstate->value) != 0);
+ break;
+
++ case 'X':
++ echParamsStr = PORT_Strdup(optstate->value);
++ if (echParamsStr == NULL) {
++ PL_DestroyOptState(optstate);
++ fprintf(stderr, "echParamsStr copy failed.\n");
++ exit(5);
++ }
++ break;
++
+ case 'Y':
+ PrintCipherUsage(progName);
+ exit(0);
+ break;
+
++ case 'Z':
++ zeroRTT = PR_TRUE;
++ break;
++
+ case 'a':
+ if (virtServerNameIndex >= MAX_VIRT_SERVER_NAME_ARRAY_INDEX) {
+ Usage(progName);
+ break;
+ }
+ virtServerNameArray[virtServerNameIndex++] =
+ PORT_Strdup(optstate->value);
+ break;
+@@ -2701,28 +2866,28 @@ main(int argc, char **argv)
+ if (certNicknameIndex >= MAX_CERT_NICKNAME_ARRAY_INDEX) {
+ Usage(progName);
+ break;
+ }
+ certNicknameArray[certNicknameIndex++] = PORT_Strdup(optstate->value);
+ virtServerNameArray[0] = PORT_Strdup(optstate->value);
+ break;
+
+- case 'P':
+- certPrefix = PORT_Strdup(optstate->value);
+- break;
+-
+ case 'o':
+ MakeCertOK = 1;
+ break;
+
+ case 'p':
+ port = PORT_Atoi(optstate->value);
+ break;
+
++ case 'q':
++ enableZlibCertificateCompression = PR_TRUE;
++ break;
++
+ case 'r':
+ ++requestCert;
+ break;
+
+ case 's':
+ disableLocking = PR_TRUE;
+ break;
+
+@@ -2746,73 +2911,37 @@ main(int argc, char **argv)
+ pwdata.source = PW_PLAINTEXT;
+ pwdata.data = passwd = PORT_Strdup(optstate->value);
+ break;
+
+ case 'y':
+ debugCache = PR_TRUE;
+ break;
+
+- case 'Z':
+- zeroRTT = PR_TRUE;
++ case 'x':
++ rv = parseExporters(optstate->value,
++ &enabledExporters, &enabledExporterCount);
++ if (rv != SECSuccess) {
++ PL_DestroyOptState(optstate);
++ fprintf(stderr, "Bad exporter specified.\n");
++ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
++ exit(5);
++ }
+ break;
+
+ case 'z':
+ rv = readPSK(optstate->value, &psk, &pskLabel);
+ if (rv != SECSuccess) {
+ PL_DestroyOptState(optstate);
+ fprintf(stderr, "Bad PSK specified.\n");
+ Usage(progName);
+ exit(1);
+ }
+ break;
+
+- case 'Q':
+- enableALPN = PR_TRUE;
+- break;
+-
+- case 'I':
+- rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
+- if (rv != SECSuccess) {
+- PL_DestroyOptState(optstate);
+- fprintf(stderr, "Bad group specified.\n");
+- fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+- exit(5);
+- }
+- break;
+-
+- case 'J':
+- rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount);
+- if (rv != SECSuccess) {
+- PL_DestroyOptState(optstate);
+- fprintf(stderr, "Bad signature scheme specified.\n");
+- fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+- exit(5);
+- }
+- break;
+-
+- case 'x':
+- rv = parseExporters(optstate->value,
+- &enabledExporters, &enabledExporterCount);
+- if (rv != SECSuccess) {
+- PL_DestroyOptState(optstate);
+- fprintf(stderr, "Bad exporter specified.\n");
+- fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+- exit(5);
+- }
+- break;
+-
+- case 'X':
+- echParamsStr = PORT_Strdup(optstate->value);
+- if (echParamsStr == NULL) {
+- PL_DestroyOptState(optstate);
+- fprintf(stderr, "echParamsStr copy failed.\n");
+- exit(5);
+- }
+- break;
+ default:
+ case
'?':
+ fprintf(stderr, "Unrecognized or bad option specified: %c\n", optstate->option);
+ fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
+ exit(4);
+ break;
+ }
+ }
+@@ -3126,16 +3255,21 @@ cleanup:
+ PORT_Free(enabledGroups);
+ }
+ if (antiReplay) {
+ SSL_ReleaseAntiReplayContext(antiReplay);
+ }
+ SECITEM_ZfreeItem(&psk, PR_FALSE);
+ SECITEM_ZfreeItem(&pskLabel, PR_FALSE);
+ PORT_Free(echParamsStr);
++
++ for (i=0; i < externalCompressionCount; i++) {
++ secuFreeExternalCompressionEntry(&externalCompressionValues[i]);
++ }
++
+ if (NSS_Shutdown() != SECSuccess) {
+ SECU_PrintError(progName, "NSS_Shutdown");
+ if (loggerThread) {
+ PR_JoinThread(loggerThread);
+ }
+ PR_Cleanup();
+ exit(1);
+ }
+diff --git a/cmd/selfserv/selfserv.gyp b/cmd/selfserv/selfserv.gyp
+--- a/cmd/selfserv/selfserv.gyp
++++ b/cmd/selfserv/selfserv.gyp
+@@ -11,20 +11,21 @@
+ 'target_name': 'selfserv',
+ 'type': 'executable',
+ 'sources': [
+ 'selfserv.c'
+ ],
+ 'dependencies': [
+ '<(DEPTH)/exports.gyp:dbm_exports',
+ '<(DEPTH)/exports.gyp:nss_exports'
++ '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib'
+ ]
+ }
+ ],
+ 'target_defaults': {
+ 'defines': [
+ 'NSPR20'
+ ]
+ },
+ 'variables': {
+ 'module': 'nss'
+ }
+-}
+\ No newline at end of file
++}
+diff --git a/cmd/tstclnt/Makefile b/cmd/tstclnt/Makefile
+--- a/cmd/tstclnt/Makefile
++++ b/cmd/tstclnt/Makefile
+@@ -20,16 +20,17 @@ include $(CORE_DEPTH)/coreconf/config.mk
+ # (3) Include "component" configuration information. (OPTIONAL) #
+ #######################################################################
+
+ #######################################################################
+ # (4) Include "local" platform-dependent assignments (OPTIONAL). #
+ #######################################################################
+
+ include ../platlibs.mk
++include $(CORE_DEPTH)/coreconf/zlib.mk
+
+ #######################################################################
+ # (5) Execute "global" rules.
(OPTIONAL) #
+ #######################################################################
+
+ include $(CORE_DEPTH)/coreconf/rules.mk
+
+ #######################################################################
+diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
+--- a/cmd/tstclnt/tstclnt.c
++++ b/cmd/tstclnt/tstclnt.c
+@@ -18,16 +18,17 @@
+ #endif
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
++#include
+
+ #include "nspr.h"
+ #include "prio.h"
+ #include "prnetdb.h"
+ #include "nss.h"
+ #include "nssb64.h"
+ #include "ocsp.h"
+ #include "ssl.h"
+@@ -48,16 +49,17 @@
+ printf
+ #define FPRINTF \
+ if (verbose) \
+ fprintf
+
+ #define MAX_WAIT_FOR_SERVER 600
+ #define WAIT_INTERVAL 100
+ #define ZERO_RTT_MAX (2 << 16)
++#define MAX_EXTERNAL_COMPRESSERS_INDEX 10
+
+ #define EXIT_CODE_HANDSHAKE_FAILED 254
+
+ #define EXIT_CODE_SIDECHANNELTEST_GOOD 0
+ #define EXIT_CODE_SIDECHANNELTEST_BADCERT 1
+ #define EXIT_CODE_SIDECHANNELTEST_NODATA 2
+ #define EXIT_CODE_SIDECHANNELTEST_REVOKED 3
+
+@@ -228,17 +230,17 @@ PrintUsageHeader()
+ "Usage: %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
+ " [-D | -d certdir] [-C] [-b | -R root-module] \n"
+ " [-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z] [-E]\n"
+ " [-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
+ " [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n"
+ " [-I groups] [-J signatureschemes]\n"
+ " [-A requestfile] [-L totalconnections] [-P {client,server}]\n"
+ " [-N echConfigs] [-Q] [-z externalPsk]\n"
+- " [-i echGreaseSize]\n"
++ " [-i echGreaseSize] [-j] [-k {compression_spec}]\n"
+ "\n",
+ progName);
+ }
+
+ static void
+ PrintParameterUsage()
+ {
+ fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
+@@ -332,16 +334,27 @@ PrintParameterUsage()
+ "-x", "", "", "", "", "");
+ fprintf(stderr,
+ "%-20s Configure a TLS 1.3 External PSK with the given hex string for a key\n"
+ "%-20s To specify a label, use ':' as a delimiter.
For example\n"
+ "%-20s 0xAAAABBBBCCCCDDDD:mylabel. Otherwise, the default label of\n"
+ "%-20s 'Client_identity' will be used.\n",
+ "-z externalPsk", "", "", "");
+ fprintf(stderr, "%-20s Enable middlebox compatibility mode (TLS 1.3 only)\n", "-e");
++ fprintf(stderr, "%-20s Enable zlib certificate compression\n", "-j");
++ fprintf(stderr, "%-20s Enable certificate compression with an external\n", "-k {compression_spec}");
++ fprintf(stderr, "%-20s compresser. The compression_spec value has the following format:\n"
++ "%-20s id,name,dll,encode,decode\n"
++ "%-20s where:\n"
++ "%-20s %-10s is an int matching the ssl spec for the compresser.\n"
++ "%-20s %-10s is a friendly name for the compresser.\n"
++ "%-20s %-10s is the path to the implementation for the compresser.\n"
++ "%-20s %-10s is the name of the encode function which will compress.\n"
++ "%-20s %-10s is the name of the decode function which will decompress.\n", "", "", "", "", "id", "", "name", "", "dll", "", "encode", "", "decode");
++
+ }
+
+ static void
+ Usage()
+ {
+ PrintUsageHeader();
+ PrintParameterUsage();
+ exit(1);
+@@ -1037,16 +1050,17 @@ restartHandshakeAfterServerCertIfNeeded(
+
+ char *host = NULL;
+ char *nickname = NULL;
+ char *cipherString = NULL;
+ int multiplier = 0;
+ SSLVersionRange enabledVersions;
+ int disableLocking = 0;
+ int enableSessionTickets = 0;
++int enableZlibCertificateCompression = 0;
+ int enableFalseStart = 0;
+ int enableCertStatus = 0;
+ int enableSignedCertTimestamps = 0;
+ int forceFallbackSCSV = 0;
+ int enableExtendedMasterSecret = 0;
+ PRBool requireDHNamedGroups = 0;
+ PRBool middleboxCompatMode = 0;
+ PRSocketOptionData opt;
+@@ -1073,16 +1087,19 @@ PRBool requestToExit = PR_FALSE;
+ char *versionString = NULL;
+ PRBool handshakeComplete = PR_FALSE;
+ char *echConfigs = NULL;
+ PRUint16 echGreaseSize = 0;
+ PRBool enablePostHandshakeAuth = PR_FALSE;
+ PRBool enableDelegatedCredentials = PR_FALSE;
+ const secuExporter *enabledExporters = NULL;
+ unsigned
int enabledExporterCount = 0;
++secuExternalCompressionEntry externalCompressionValues[MAX_EXTERNAL_COMPRESSERS_INDEX];
++int externalCompressionCount = 0;
++
+
+ static int
+ writeBytesToServer(PRFileDesc *s, const PRUint8 *buf, int nb)
+ {
+ SECStatus rv;
+ const PRUint8 *bufp = buf;
+ PRPollDesc pollDesc;
+
+@@ -1355,21 +1372,98 @@ printEchRetryConfigs(PRFileDesc *s)
+ }
+ fprintf(stderr, "Received ECH retry_configs: \n%s\n", retriesBase64);
+ PORT_Free(retriesBase64);
+ SECITEM_FreeItem(&retries, PR_FALSE);
+ }
+ return SECSuccess;
+ }
+
++SECStatus zlibCertificateDecode(const SECItem* input, unsigned char* output,
++ size_t outputLen, size_t* usedLen)
++{
++ SECStatus rv = SECFailure;
++ if (!input || !input->data || input->len == 0 || !output || outputLen == 0) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return rv;
++ }
++
++ z_stream strm = {};
++
++ if (inflateInit(&strm) != Z_OK) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return rv;
++ }
++
++ strm.avail_in = input->len;
++ strm.next_in = input->data;
++
++ strm.avail_out = outputLen;
++ strm.next_out = output;
++
++ int ret = inflate(&strm, Z_FINISH);
++ if (ret != Z_STREAM_END || strm.avail_in == 0 || strm.avail_out == 0) {
++ PORT_SetError(SEC_ERROR_BAD_DATA);
++ return rv;
++ }
++
++ *usedLen = strm.total_out;
++ rv = SECSuccess;
++ return rv;
++}
++
++SECStatus zlibCertificateEncode(const SECItem* input, SECItem *output)
++{
++ SECStatus rv = SECFailure;
++ if (!input || !input->data || input->len == 0 || !output ||
++ !output->data || output->len == 0) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return rv;
++ }
++
++ z_stream strm = {};
++
++ if (deflateInit(&strm, 9) != Z_OK) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return rv;
++ }
++
++ strm.avail_in = input->len;
++ strm.next_in = input->data;
++
++ strm.avail_out = output->len;
++ strm.next_out = output->data;
++
++ int ret = deflate(&strm, Z_FINISH);
++ if (ret != Z_STREAM_END || strm.avail_in == 0 || strm.avail_out == 0) {
++ PORT_SetError(SEC_ERROR_BAD_DATA);
++ return rv;
++ }
++
++ output->len = strm.total_out;
++ rv = SECSuccess;
++ return rv;
++}
++
++static SECStatus
++configureZlibCompression(PRFileDesc *model_sock)
++{
++ SSLCertificateCompressionAlgorithm zlibAlg = {1, "zlib",
++ zlibCertificateEncode,
++ zlibCertificateDecode};
++
++ return SSL_SetCertificateCompressionAlgorithm(model_sock, zlibAlg);
++}
++
+ static int
+ run()
+ {
+ int headerSeparatorPtrnId = 0;
+ int error = 0;
++ int i;
+ SECStatus rv;
+ PRStatus status;
+ PRInt32 filesReady;
+ PRFileDesc *s = NULL;
+ PRFileDesc *std_out;
+ PRPollDesc pollset[2] = { { 0 }, { 0 } };
+ PRBool wrStarted = PR_FALSE;
+
+@@ -1511,16 +1605,36 @@ run()
+ rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error forcing fallback scsv");
+ error = 1;
+ goto done;
+ }
+ }
+
++ if (enableZlibCertificateCompression) {
++ rv = configureZlibCompression(s);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName, "error enabling Zlib Certificate Compression");
++ error=1;
++ goto done;
++ }
++ }
++
++ for (i=0; i < externalCompressionCount; i++) {
++ secuExternalCompressionEntry *e = &externalCompressionValues[i];
++ SSLCertificateCompressionAlgorithm alg = e->compAlg;
++ rv = SSL_SetCertificateCompressionAlgorithm(s, alg);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName, "error enabling External Certificate Compression");
++ error=1;
++ goto done;
++ }
++ }
++
+ /* enable cert status (OCSP stapling).
*/
+ rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling cert status (OCSP stapling)");
+ error = 1;
+ goto done;
+ }
+
+@@ -1895,16 +2009,17 @@ main(int argc, char **argv)
+ char *tmp;
+ SECStatus rv;
+ char *certDir = NULL;
+ PRBool openDB = PR_TRUE;
+ PRBool loadDefaultRootCAs = PR_FALSE;
+ char *rootModule = NULL;
+ int numConnections = 1;
+ PRFileDesc *s = NULL;
++ int i;
+
+ serverCertAuth.shouldPause = PR_TRUE;
+ serverCertAuth.isPaused = PR_FALSE;
+ serverCertAuth.dbHandle = NULL;
+ serverCertAuth.testFreshStatusFromSideChannel = PR_FALSE;
+ serverCertAuth.sideChannelRevocationTestResultCode = EXIT_CODE_HANDSHAKE_FAILED;
+ serverCertAuth.requireDataForIntermediates = PR_FALSE;
+ serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
+@@ -1919,29 +2034,30 @@ main(int argc, char **argv)
+ if (tmp && tmp[0]) {
+ int sec = PORT_Atoi(tmp);
+ if (sec > 0) {
+ maxInterval = PR_SecondsToInterval(sec);
+ }
+ }
+
+ optstate = PL_CreateOptState(argc, argv,
+- "46A:BCDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:efgh:i:m:n:op:qr:st:uvw:x:z:");
++ "46A:BCDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:efgh:i:jk:m:n:op:qr:st:uvw:x:z:");
+ while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+ switch (optstate->option) {
+ case '?':
+ default:
+ Usage();
+ break;
+
+ case '4':
+ allowIPv6 = PR_FALSE;
+ if (!allowIPv4)
+ Usage();
+ break;
++
+ case '6':
+ allowIPv4 = PR_FALSE;
+ if (!allowIPv6)
+ Usage();
+ break;
+
+ case 'A':
+ requestFile = PORT_Strdup(optstate->value);
+@@ -1974,19 +2090,32 @@ main(int argc, char **argv)
+ case 'G':
+ enableExtendedMasterSecret = PR_TRUE;
+ break;
+
+ case 'H':
+ requireDHNamedGroups = PR_TRUE;
+ break;
+
+- case 'O':
+- clientCertAsyncSelect = PR_FALSE;
+- serverCertAuth.shouldPause = PR_FALSE;
++ case 'I':
++ rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount);
++ if (rv != SECSuccess) {
++ PL_DestroyOptState(optstate);
++ fprintf(stderr,
"Bad group specified.\n"); ++ Usage(); ++ } ++ break; ++ ++ case 'J': ++ rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount); ++ if (rv != SECSuccess) { ++ PL_DestroyOptState(optstate); ++ fprintf(stderr, "Bad signature scheme specified.\n"); ++ Usage(); ++ } + break; + + case 'K': + forceFallbackSCSV = PR_TRUE; + break; + + case 'L': + numConnections = atoi(optstate->value); +@@ -2009,22 +2138,19 @@ main(int argc, char **argv) + break; + }; + break; + + case 'N': + echConfigs = PORT_Strdup(optstate->value); + break; + +- case 'i': +- echGreaseSize = PORT_Atoi(optstate->value); +- if (!echGreaseSize || echGreaseSize > 255) { +- fprintf(stderr, "ECH Grease size must be within 1..255 (inclusive).\n"); +- exit(-1); +- } ++ case 'O': ++ clientCertAsyncSelect = PR_FALSE; ++ serverCertAuth.shouldPause = PR_FALSE; + break; + + case 'P': + useDTLS = PR_TRUE; + if (!strcmp(optstate->value, "server")) { + actAsServer = 1; + } else { + if (strcmp(optstate->value, "client")) { +@@ -2052,23 +2178,29 @@ main(int argc, char **argv) + case 'U': + enableSignedCertTimestamps = 1; + break; + + case 'V': + versionString = PORT_Strdup(optstate->value); + break; + ++ case 'W': ++ pwdata.source = PW_FROMFILE; ++ pwdata.data = PORT_Strdup(optstate->value); ++ break; ++ + case 'X': + if (!strcmp(optstate->value, "alt-server-hello")) { + enableAltServerHello = PR_TRUE; + } else { + Usage(); + } + break; ++ + case 'Y': + PrintCipherUsage(); + exit(0); + break; + + case 'Z': + enableZeroRtt = PR_TRUE; + zeroRttData = PORT_ZAlloc(ZERO_RTT_MAX); +@@ -2091,36 +2223,62 @@ main(int argc, char **argv) + case 'b': + loadDefaultRootCAs = PR_TRUE; + break; + + case 'c': + cipherString = PORT_Strdup(optstate->value); + break; + +- case 'g': +- enableFalseStart = 1; +- break; +- + case 'd': + certDir = PORT_Strdup(optstate->value); + break; + + case 'e': + middleboxCompatMode = PR_TRUE; + break; + + case 'f': + clientSpeaksFirst = PR_TRUE; + break; + ++ case 'g': ++ 
enableFalseStart = 1; ++ break; ++ + case 'h': + host = PORT_Strdup(optstate->value); + break; + ++ case 'i': ++ echGreaseSize = PORT_Atoi(optstate->value); ++ if (!echGreaseSize || echGreaseSize > 255) { ++ fprintf(stderr, "ECH Grease size must be within 1..255 (inclusive).\n"); ++ exit(-1); ++ } ++ break; ++ ++ case 'j': ++ enableZlibCertificateCompression = PR_TRUE; ++ break; ++ ++ case 'k': ++ if (externalCompressionCount >= MAX_EXTERNAL_COMPRESSERS_INDEX) { ++ Usage(progName); ++ break; ++ } ++ rv = parseExternalCompessionString(&externalCompressionValues ++ [externalCompressionCount++], ++ optstate->value); ++ if (rv != SECSuccess) { ++ Usage(progName); ++ break; ++ } ++ break; ++ + case 'm': + multiplier = atoi(optstate->value); + if (multiplier < 0) + multiplier = 0; + break; + + case 'n': + nickname = PORT_Strdup(optstate->value); +@@ -2133,64 +2291,41 @@ main(int argc, char **argv) + case 'p': + portno = (PRUint16)atoi(optstate->value); + break; + + case 'q': + pingServerFirst = PR_TRUE; + break; + ++ case 'r': ++ renegotiationsToDo = atoi(optstate->value); ++ break; ++ + case 's': + disableLocking = 1; + break; + + case 't': + pingTimeoutSeconds = atoi(optstate->value); + break; + + case 'u': + enableSessionTickets = PR_TRUE; + break; + + case 'v': + verbose++; + break; + +- case 'r': +- renegotiationsToDo = atoi(optstate->value); +- break; +- + case 'w': + pwdata.source = PW_PLAINTEXT; + pwdata.data = PORT_Strdup(optstate->value); + break; + +- case 'W': +- pwdata.source = PW_FROMFILE; +- pwdata.data = PORT_Strdup(optstate->value); +- break; +- +- case 'I': +- rv = parseGroupList(optstate->value, &enabledGroups, &enabledGroupsCount); +- if (rv != SECSuccess) { +- PL_DestroyOptState(optstate); +- fprintf(stderr, "Bad group specified.\n"); +- Usage(); +- } +- break; +- +- case 'J': +- rv = parseSigSchemeList(optstate->value, &enabledSigSchemes, &enabledSigSchemeCount); +- if (rv != SECSuccess) { +- PL_DestroyOptState(optstate); +- fprintf(stderr, "Bad 
signature scheme specified.\n"); +- Usage(); +- } +- break; +- + case 'x': + rv = parseExporters(optstate->value, + &enabledExporters, + &enabledExporterCount); + if (rv != SECSuccess) { + PL_DestroyOptState(optstate); + fprintf(stderr, "Bad exporter specified.\n"); + Usage(); +@@ -2411,16 +2546,20 @@ done: + PORT_Free(nickname); + PORT_Free(pwdata.data); + PORT_Free(host); + PORT_Free(zeroRttData); + PORT_Free(echConfigs); + SECITEM_ZfreeItem(&psk, PR_FALSE); + SECITEM_ZfreeItem(&pskLabel, PR_FALSE); + ++ for (i=0; i < externalCompressionCount; i++) { ++ secuFreeExternalCompressionEntry(&externalCompressionValues[i]); ++ } ++ + if (enabledGroups) { + PORT_Free(enabledGroups); + } + if (NSS_IsInitialized()) { + SSL_ClearSessionCache(); + if (initializedServerSessionCache) { + if (SSL_ShutdownServerSessionIDCache() != SECSuccess) { + error = 1; +diff --git a/cmd/tstclnt/tstclnt.gyp b/cmd/tstclnt/tstclnt.gyp +--- a/cmd/tstclnt/tstclnt.gyp ++++ b/cmd/tstclnt/tstclnt.gyp +@@ -11,21 +11,22 @@ + 'target_name': 'tstclnt', + 'type': 'executable', + 'sources': [ + 'tstclnt.c' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:dbm_exports', + '<(DEPTH)/exports.gyp:nss_exports' ++ '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib' + ] + } + ], + 'target_defaults': { + 'defines': [ + 'DLL_PREFIX=\"<(dll_prefix)\"', + 'DLL_SUFFIX=\"<(dll_suffix)\"' + ] + }, + 'variables': { + 'module': 'nss' + } +-} +\ No newline at end of file ++} +diff --git a/tests/ssl/sslauth.txt b/tests/ssl/sslauth.txt +--- a/tests/ssl/sslauth.txt ++++ b/tests/ssl/sslauth.txt +@@ -64,16 +64,19 @@ + ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth) + ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't 
require client auth on 2nd hs (EC) (client auth) + ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password) + ECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth) + ECC 0 -r_-r_-J_ecdsa\\_secp256r1\\_sha256 -V_tls1.2:_-w_nss TLS 1.2 Require client auth auto select(EC) (client auth) + ECC 0 -r_-r_-J_ecdsa\\_secp256r1\\_sha256,ecdsa\\_secp384r1\\_sha384 -V_tls1.3:_-w_nss TLS 1.3 Require client auth auto select (EC) (client auth) ++ ECC 0 -r_-r_-J_ecdsa\\_secp256r1\\_sha256,ecdsa\\_secp384r1\\_sha384 -V_tls1.3:_-w_nss_-j TLS 1.3 client certificate compression ++ ECC 0 -r_-r_-J_ecdsa\\_secp256r1\\_sha256,ecdsa\\_secp384r1\\_sha384_-q -V_tls1.3:_-w_nss TLS 1.3 server certificate compression ++ ECC 0 -r_-r_-J_ecdsa\\_secp256r1\\_sha256,ecdsa\\_secp384r1\\_sha384_-q -V_tls1.3:_-w_nss_-j TLS 1.3 client/server certificate comlpression + # + # SNI Tests + # + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI + SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI + SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions diff --git a/SOURCES/nss-3.90-add-ems-policy.patch b/SOURCES/nss-3.101-add-ems-policy.patch similarity index 73% rename from SOURCES/nss-3.90-add-ems-policy.patch rename to SOURCES/nss-3.101-add-ems-policy.patch index 18739d9..6464fbc 100644 --- a/SOURCES/nss-3.90-add-ems-policy.patch +++ b/SOURCES/nss-3.101-add-ems-policy.patch 
@@ -1,15 +1,15 @@ -diff -up ./lib/pk11wrap/pk11pars.c.add_ems_policy ./lib/pk11wrap/pk11pars.c ---- ./lib/pk11wrap/pk11pars.c.add_ems_policy 2023-06-12 15:37:49.292905411 -0700 -+++ ./lib/pk11wrap/pk11pars.c 2023-06-12 17:18:35.129938514 -0700 -@@ -389,6 +389,8 @@ static const oidValDef kxOptList[] = { +diff -up ./lib/pk11wrap/pk11pars.c.ems ./lib/pk11wrap/pk11pars.c +--- ./lib/pk11wrap/pk11pars.c.ems 2024-06-11 13:09:25.956760476 -0700 ++++ ./lib/pk11wrap/pk11pars.c 2024-06-11 13:09:52.837067481 -0700 +@@ -433,6 +433,8 @@ static const oidValDef kxOptList[] = { { CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX }, { CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX }, { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX }, -+ /* not really a key exchange, but it's the closest fit */ + { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX }, ++ }; - static const oidValDef signOptList[] = { + static const oidValDef smimeKxOptList[] = { diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h --- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700 +++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700 
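Review bot: The rebased kxOptList hunk drops the `/* not really a key exchange, but it's the closest fit */` comment that the previous revision of this patch placed above the `TLS-REQUIRE-EMS` entry, leaving the new entry in a key-exchange list with no explanation; from the collapsed text it appears to have been replaced by a blank line. Restore the comment directly above `{ CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },` so the next rebase does not silently move the entry into another list.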
@@ -65,40 +65,43 @@ diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c if (isTLS12) { if (isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH; -diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c ---- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700 -+++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700 -@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT - SEC_OID_EXT_KEY_USAGE_IPSEC_USER, - "IPsec User", - CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), +diff -up ./lib/util/secoid.c.ems ./lib/util/secoid.c +--- ./lib/util/secoid.c.ems 2024-06-11 13:11:28.078155282 -0700 ++++ ./lib/util/secoid.c 2024-06-11 13:12:58.511188172 -0700 +@@ -1890,6 +1890,12 @@ const static SECOidData oids[SEC_OID_TOT + ODE(SEC_OID_RC2_64_CBC, "RC2-64-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), + ODE(SEC_OID_RC2_128_CBC, "RC2-128-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), + ODE(SEC_OID_ECDH_KEA, "ECDH", CKM_ECDH1_DERIVE, INVALID_CERT_EXTENSION), + + /* this will change upstream. for now apps shouldn't use it */ + /* we need it for the policy code. 
*/ + ODE(SEC_OID_PRIVATE_1, + "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), ++ }; - + /* PRIVATE EXTENDED SECOID Table -@@ -2095,6 +2100,8 @@ SECOID_Init(void) - +@@ -2198,6 +2204,10 @@ SECOID_Init(void) + /* turn off NSS_USE_POLICY_IN_SSL by default */ xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL; + /* turn off TLS REQUIRE EMS by default */ + xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0; - ++ ++ + envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT"); if (envVal) -diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h ---- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700 -+++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700 -@@ -501,6 +501,9 @@ typedef enum { - SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361, - SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362, - SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363, +diff -up ./lib/util/secoidt.h.ems ./lib/util/secoidt.h +--- ./lib/util/secoidt.h.ems 2024-06-11 13:16:13.212411967 -0700 ++++ ./lib/util/secoidt.h 2024-06-11 13:16:48.098810434 -0700 +@@ -530,6 +530,9 @@ typedef enum { + SEC_OID_RC2_64_CBC = 385, + SEC_OID_RC2_128_CBC = 386, + SEC_OID_ECDH_KEA = 387, + /* this will change upstream. for now apps shouldn't use it */ + /* give it an obscure name here */ -+ SEC_OID_PRIVATE_1 = 372, ++ SEC_OID_PRIVATE_1 = 388, SEC_OID_TOTAL } SECOidTag; diff --git a/SOURCES/nss-3.101-chacha-timing-fix.patch b/SOURCES/nss-3.101-chacha-timing-fix.patch new file mode 100644 index 0000000..ea8756a --- /dev/null +++ b/SOURCES/nss-3.101-chacha-timing-fix.patch 
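Review bot: `SEC_OID_PRIVATE_1` moves from 372 to 388 in secoidt.h and the matching `ODE(SEC_OID_PRIVATE_1, ...)` entry is appended after `SEC_OID_ECDH_KEA` in secoid.c, but nothing ties the two together, so the next upstream bump of the enum shifts this private tag onto whatever upstream adds at 388. A comment on the enum line such as `/* must stay the last entry before SEC_OID_TOTAL and match the oids[] position in secoid.c */` would make the rebase hazard explicit. The `xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;` line also deserves a why-comment beyond "turn off by default": setting every not-allowed bit is what makes EMS enforcement opt-in only. The two bare blank lines added after that assignment look like rebase noise and can be dropped.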
@@ -0,0 +1,59 @@ +diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c +--- a/lib/freebl/chacha20poly1305.c ++++ b/lib/freebl/chacha20poly1305.c +@@ -213,27 +213,31 @@ + { + #ifdef NSS_X64 + #ifndef NSS_DISABLE_AVX2 + if (avx2_support()) { + Hacl_Chacha20_Vec256_chacha20_encrypt_256(len, output, block, k, nonce, ctr); ++ return; + } + #endif + + #ifndef NSS_DISABLE_SSE3 + if (ssse3_support() && sse4_1_support() && avx_support()) { + Hacl_Chacha20_Vec128_chacha20_encrypt_128(len, output, block, k, nonce, ctr); ++ return; + } + #endif + + #elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \ + !defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX) + if (ppc_crypto_support()) { + chacha20vsx(len, output, block, k, nonce, ctr); +- } else ++ return; ++ } + #endif + { + Hacl_Chacha20_chacha20_encrypt(len, output, block, k, nonce, ctr); ++ return; + } + } + #endif /* NSS_DISABLE_CHACHAPOLY */ + + SECStatus +@@ -449,20 +453,18 @@ + (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen, + (uint8_t *)input, output, outTag); + goto finish; + } + #endif +- +- else + #elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \ + !defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX) + if (ppc_crypto_support()) { + Chacha20Poly1305_vsx_aead_encrypt( + (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen, + (uint8_t *)input, output, outTag); + goto finish; +- } else ++ } + #endif + { + Hacl_Chacha20Poly1305_32_aead_encrypt( + (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen, + (uint8_t *)input, output, outTag); + diff --git a/SOURCES/nss-3.101-default-libpkix.patch b/SOURCES/nss-3.101-default-libpkix.patch new file mode 100644 index 0000000..27119fc --- /dev/null +++ b/SOURCES/nss-3.101-default-libpkix.patch 
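Review bot: The `return;` added inside the final `{ Hacl_Chacha20_chacha20_encrypt(...); }` block is redundant, since that block is the last statement of the function; the fix only needs the early returns on the vectorized paths, which stop the x64 build from running the AVX2, SSE and portable implementations back to back over the same buffer. The second hunk removes the dangling `else` on the Seal-side fallback only; if the corresponding Open (decrypt) function in this file has the same `} else` / `#endif` layout, it needs the identical change, which the patch does not show. Both enclosing functions start and end outside the hunks.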
@@ -0,0 +1,133 @@ +diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c +--- a/lib/certhigh/certvfypkix.c ++++ b/lib/certhigh/certvfypkix.c +@@ -37,11 +37,11 @@ + pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable); + + PRInt32 parallelFnInvocationCount; + #endif /* PKIX_OBJECT_LEAK_TEST */ + +-static PRBool usePKIXValidationEngine = PR_FALSE; ++static PRBool usePKIXValidationEngine = PR_TRUE; + #endif /* NSS_DISABLE_LIBPKIX */ + + /* + * FUNCTION: CERT_SetUsePKIXForValidation + * DESCRIPTION: +diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c +--- a/lib/nss/nssinit.c ++++ b/lib/nss/nssinit.c +@@ -762,13 +762,13 @@ + PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); + + if (pkixError != NULL) { + goto loser; + } else { +- char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY"); ++ char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY"); + if (ev && ev[0]) { +- CERT_SetUsePKIXForValidation(PR_TRUE); ++ CERT_SetUsePKIXForValidation(PR_FALSE); + } + } + #endif /* NSS_DISABLE_LIBPKIX */ + } + +diff --git a/tests/all.sh b/tests/all.sh +--- a/tests/all.sh ++++ b/tests/all.sh +@@ -141,17 +141,22 @@ + ######################################################################## + run_cycle_standard() + { + TEST_MODE=STANDARD + ++ NSS_DISABLE_LIBPKIX_VERIFY="1" ++ export NSS_DISABLE_LIBPKIX_VERIFY ++ + TESTS="${ALL_TESTS}" + TESTS_SKIP="libpkix pkits" + + NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"} + export NSS_DEFAULT_DB_TYPE + + run_tests ++ ++ unset NSS_DISABLE_LIBPKIX_VERIFY + } + + ############################ run_cycle_pkix ############################ + # run test suites with PKIX enabled + ######################################################################## +@@ -165,13 +170,10 @@ + + HOSTDIR="${HOSTDIR}/pkix" + mkdir -p "${HOSTDIR}" + init_directories + +- NSS_ENABLE_PKIX_VERIFY="1" +- export NSS_ENABLE_PKIX_VERIFY +- + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit" + + export -n NSS_SSL_RUN + +diff --git 
a/tests/common/init.sh b/tests/common/init.sh +--- a/tests/common/init.sh ++++ b/tests/common/init.sh +@@ -138,12 +138,12 @@ + echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}" + echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\"" + echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\"" + echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}" + echo "export NSS_DEFAULT_DB_TYPE" +- echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}" +- echo "export NSS_ENABLE_PKIX_VERIFY" ++ echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}" ++ echo "export NSS_DISABLE_PKIX_VERIFY" + echo "init_directories" + } + + # Exit shellfunction to clean up at exit (error, regular or signal) + Exit() +diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh +--- a/tests/ssl/ssl.sh ++++ b/tests/ssl/ssl.sh +@@ -960,13 +960,12 @@ + ssl_policy_pkix_ocsp() + { + #verbose="-v" + html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE" + +- PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"} +- NSS_ENABLE_PKIX_VERIFY="1" +- export NSS_ENABLE_PKIX_VERIFY ++ PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"} ++ unset NSS_DISABLE_LIBPKIX_VERIFY + + testname="" + + if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then + html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized" +@@ -987,16 +986,14 @@ + grep 12276 ${P_R_SERVERDIR}/vfy.out + RET=$? + html_msg $RET $RET_EXP "${testname}" \ + "produced a returncode of $RET, expected is $RET_EXP" + +- if [ "${PKIX_SAVE}" = "unset" ]; then +- unset NSS_ENABLE_PKIX_VERIFY +- else +- NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE} +- export NSS_ENABLE_PKIX_VERIFY ++ if [ "{PKIX_SAVE}" != "unset" ]; then ++ export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE} + fi ++ + cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt + + html "
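Review bot: The environment variable names do not agree across this patch: nssinit.c reads `NSS_DISABLE_PKIX_VERIFY` and init.sh echoes the same name, but all.sh exports `NSS_DISABLE_LIBPKIX_VERIFY` and ssl.sh saves and unsets `NSS_DISABLE_LIBPKIX_VERIFY`, so the standard test cycle never reaches the library and libpkix stays enabled there. In ssl.sh the restore check `if [ "{PKIX_SAVE}" != "unset" ]; then` is missing the `$`, so the literal string always compares unequal and `export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}` runs even when the variable was unset, leaving it set to the non-empty string `unset`; it should read `if [ "${PKIX_SAVE}" != "unset" ]; then`. Because this patch also flips `usePKIXValidationEngine` to `PR_TRUE` and inverts the meaning of the variable, the name should be settled once and used identically in all four files.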
" + + } + diff --git a/SOURCES/nss-3.90-disable-ech.patch b/SOURCES/nss-3.101-disable-ech.patch similarity index 69% rename from SOURCES/nss-3.90-disable-ech.patch rename to SOURCES/nss-3.101-disable-ech.patch index eee8c39..3b6e399 100644 --- a/SOURCES/nss-3.90-disable-ech.patch +++ b/SOURCES/nss-3.101-disable-ech.patch @@ -1,12 +1,18 @@ -diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c ---- a/lib/ssl/sslsock.c -+++ b/lib/ssl/sslsock.c -@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f - } - PORT_Free(cursor); - } - } - +diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn +--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2024-06-12 13:29:17.162207862 -0700 ++++ ./gtests/ssl_gtest/manifest.mn 2024-06-12 13:30:25.699047788 -0700 +@@ -59,7 +59,6 @@ CPPSRCS = \ + tls_protect.cc \ + tls_psk_unittest.cc \ + tls_subcerts_unittest.cc \ +- tls_ech_unittest.cc \ + tls_xyber_unittest.cc \ + $(SSLKEYLOGFILE_FILES) \ + $(NULL) +diff -up ./lib/ssl/sslsock.c.disable_ech ./lib/ssl/sslsock.c +--- ./lib/ssl/sslsock.c.disable_ech 2024-06-07 09:26:03.000000000 -0700 ++++ ./lib/ssl/sslsock.c 2024-06-12 13:29:17.162207862 -0700 +@@ -4415,17 +4415,23 @@ ssl_ClearPRCList(PRCList *list, void (*f SECStatus SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled) { @@ -30,13 +36,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c sslSocket *ss = ssl_FindSocket(fd); if (!ss || size == 0) { return SECFailure; - } - ssl_Get1stHandshakeLock(ss); - ssl_GetSSL3HandshakeLock(ss); - - ss->ssl3.hs.greaseEchSize = size; - - ssl_ReleaseSSL3HandshakeLock(ss); +@@ -4439,28 +4445,42 @@ SSLExp_SetTls13GreaseEchSize(PRFileDesc ssl_Release1stHandshakeLock(ss); return SECSuccess; @@ -79,18 +79,3 @@ 
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c } SECStatus - SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled) - { - sslSocket *ss = ssl_FindSocket(fd); - if (!ss) { - return SECFailure; -diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn ---- ./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200 -+++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200 -@@ -57,7 +57,6 @@ CPPSRCS = \ - tls_filter.cc \ - tls_protect.cc \ - tls_psk_unittest.cc \ -- tls_ech_unittest.cc \ - $(SSLKEYLOGFILE_FILES) \ - $(NULL) diff --git a/SOURCES/nss-3.101-disable-md5.patch b/SOURCES/nss-3.101-disable-md5.patch new file mode 100644 index 0000000..56e1c58 --- /dev/null +++ b/SOURCES/nss-3.101-disable-md5.patch 
@@ -0,0 +1,81 @@ +diff -up ./lib/pk11wrap/pk11pars.c.no_md ./lib/pk11wrap/pk11pars.c +--- ./lib/pk11wrap/pk11pars.c.no_md 2024-06-11 12:41:35.054654990 -0700 ++++ ./lib/pk11wrap/pk11pars.c 2024-06-11 12:46:25.347979894 -0700 +@@ -329,14 +329,11 @@ static const oidValDef curveOptList[] = + static const oidValDef hashOptList[] = { + /* Hashes */ + { CIPHER_NAME("MD2"), SEC_OID_MD2, +- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | +- NSS_USE_ALG_IN_PKCS12 }, ++ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT }, + { CIPHER_NAME("MD4"), SEC_OID_MD4, +- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | +- NSS_USE_ALG_IN_PKCS12 }, ++ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT }, + { CIPHER_NAME("MD5"), SEC_OID_MD5, +- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | +- NSS_USE_ALG_IN_PKCS12 }, ++ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT }, + { CIPHER_NAME("SHA1"), SEC_OID_SHA1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, +diff -up ./lib/util/secoid.c.no_md ./lib/util/secoid.c +diff -r 699541a7793b lib/util/secoid.c +--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000 ++++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200 +@@ -2042,6 +2042,19 @@ + int i; + + for (i = 1; i < SEC_OID_TOTAL; i++) { ++ switch (i) { ++ case SEC_OID_MD2: ++ case SEC_OID_MD4: ++ case SEC_OID_MD5: ++ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: ++ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: ++ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: ++ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: ++ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: ++ continue; ++ default: ++ break; ++ } + if (oids[i].desc && strstr(arg, oids[i].desc)) { + xOids[i].notPolicyFlags = notEnable | + (xOids[i].notPolicyFlags & ~(DEF_FLAGS)); +diff -up ./tests/tools/pkcs12policy.txt.disable_md5_test ./tests/tools/pkcs12policy.txt +--- 
./tests/tools/pkcs12policy.txt.disable_md5_test 2024-06-07 09:26:03.000000000 -0700 ++++ ./tests/tools/pkcs12policy.txt 2024-06-19 11:15:46.666728170 -0700 +@@ -91,21 +91,21 @@ + 0 18 allow_all disallow=rc2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc2 (read), RC4 and RC2 + # integrity policy check the various has based controls. + # NOTE: md4, md2, and md5 are turned off by policy by default for encrypting +-# (decrypting is fine). To be enabled, you must allow=all or allow=mdX on the ++# (decrypting is fine). To be enabled, you must allow=mdX/pkcs12 on the + # encryption side. These tests purposefully tests that the default fails to encrypt + # but succeeds when decrypting. + 27 x allow=tls allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Use default policy with multiple hashes +- 0 0 allow=all allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes +- 0 0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes +- 28 x disallow=sha1_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write ++ 0 0 allow=md2/pkcs12 allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes ++ 0 0 allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes ++ 28 x disallow=sha1_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC 
SHA-256 Disallow sha1 on write + 27 x disallow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on write +- 29 x disallow=sha256_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write +- 0 19 allow=all disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read +- 0 18 allow=all disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read +- 0 17 allow=all disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read +- 0 0 allow=all disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read +- 0 0 allow=all disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read +- 0 0 allow=all disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read ++ 29 x disallow=sha256_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write ++ 0 19 allow=all:md2/pkcs12 disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read ++ 0 18 allow=md2/pkcs12 disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read ++ 0 17 allow=md2/pkcs12 disallow=sha256 
PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read ++ 0 0 allow=md2/pkcs12 disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read ++ 0 0 allow=md2/pkcs12 disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read ++ 0 0 allow=md2/pkcs12 disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read + 0 0 allow=all allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256 + 29 x disallow=hmac-sha256 allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256 + 0 18 allow=all disallow=hmac-sha256 AES-128-CBC AES-128-CBC HMAC_SHA-256 diff --git a/SOURCES/nss-3.66-disable-signature-policies.patch b/SOURCES/nss-3.101-disable-signature-policies.patch similarity index 94% rename from SOURCES/nss-3.66-disable-signature-policies.patch rename to SOURCES/nss-3.101-disable-signature-policies.patch index 001983d..c43eb41 100644 --- a/SOURCES/nss-3.66-disable-signature-policies.patch +++ b/SOURCES/nss-3.101-disable-signature-policies.patch @@ -14,6 +14,8 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c + { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0}, + { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0}, + { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0}, + { CIPHER_NAME("ED25519"), SEC_OID_ED25519_PUBLIC_KEY, + NSS_USE_ALG_IN_SIGNATURE }, }; typedef struct { 
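Review bot: The secoid.c part carries two file headers back to back, `diff -up ./lib/util/secoid.c.no_md ./lib/util/secoid.c` immediately followed by `diff -r 699541a7793b lib/util/secoid.c` with 2020 timestamps, and the first one has no `---`/`+++` pair; drop the stale `diff -r` header and its dates so the file consistently uses the `-up` form the rest of the patch uses and `patch` does not have to guess the path. The added `switch (i)` in what appears to be the environment-driven hash override loop (the loop header is outside the hunk; only `arg` and `notEnable` are visible) skips the MD2/MD4/MD5 tags without saying why; a one-line comment above the switch such as `/* MD2/MD4/MD5 are locked out by policy; ignore requests to re-enable them here */` would make the intent clear to the next rebase.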
@@ -21,6 +23,7 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE }, { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE }, { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE }, + { smimeKxOptList, PR_ARRAY_SIZE(smimeKxOptList), "SMIME-KX", PR_TRUE }, - { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE }, + { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE }, }; diff --git a/SOURCES/nss-3.101-ec-dbm-test.patch b/SOURCES/nss-3.101-ec-dbm-test.patch new file mode 100644 index 0000000..2464f78 --- /dev/null +++ b/SOURCES/nss-3.101-ec-dbm-test.patch @@ -0,0 +1,24 @@ +diff -up ./tests/ec/ectest.sh.dbm ./tests/ec/ectest.sh +--- ./tests/ec/ectest.sh.dbm 2024-06-18 14:53:51.201438651 -0700 ++++ ./tests/ec/ectest.sh 2024-06-18 14:56:09.993993637 -0700 +@@ -45,12 +45,20 @@ ectest_genkeydb_test() + if [ $? -ne 0 ]; then + return $? + fi ++ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then + curves=( \ + "curve25519" \ + "secp256r1" \ + "secp384r1" \ + "secp521r1" \ + ) ++ else ++ curves=( \ ++ "secp256r1" \ ++ "secp384r1" \ ++ "secp521r1" \ ++ ) ++ fi + for curve in "${curves[@]}"; do + echo "Test $curve key generation using certutil ..." + certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE} diff --git a/SOURCES/nss-3.101-el8-fix-rsa-policy-test.patch b/SOURCES/nss-3.101-el8-fix-rsa-policy-test.patch new file mode 100644 index 0000000..8c6774c --- /dev/null +++ b/SOURCES/nss-3.101-el8-fix-rsa-policy-test.patch 
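Review bot: The last field of the `signOptList` row flips from `PR_FALSE` to `PR_TRUE` and the new `smimeKxOptList` row is added with `PR_TRUE`, with nothing saying what that field controls; if it is the allow-empty flag of the option-list table (inferred from the shape of the rows, the typedef is outside the hunk), it means a policy string may leave these lists entirely disabled, which is consistent with the zeroed RSA-PKCS/RSA-PSS/ECDSA entries in the first hunk. Add a trailing comment on the changed row, e.g. `{ signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE }, /* may be empty: signature policy is disabled in this build */`, so the flip survives the next rebase.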
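Review bot: The non-SHARED_DB branch drops `curve25519` from the curve list without saying why, so the reader has to guess that the legacy database format cannot hold that key type. Add a comment above the `else`, e.g. `# legacy (dbm) key databases do not support curve25519 keys; only test the NIST curves there`, with the wording adjusted to the actual reason. The `if [ $? -ne 0 ]; then return $?` lines just above are context, but note that `$?` inside the branch is already the exit status of `[` and therefore returns 0; worth fixing in the same touch.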
@@ -0,0 +1,12 @@ +diff -up ./tests/ssl/sslpolicy.txt.rsa_disable_test ./tests/ssl/sslpolicy.txt +--- ./tests/ssl/sslpolicy.txt.rsa_disable_test 2024-06-19 11:17:10.261637015 -0700 ++++ ./tests/ssl/sslpolicy.txt 2024-06-19 11:18:22.797425628 -0700 +@@ -197,7 +197,7 @@ + # compatibility reasons + # 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification +- 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing ++ 0 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL + 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL + # test default settings diff --git a/SOURCES/nss-3.101-el8-no-p12-smime-policy.patch b/SOURCES/nss-3.101-el8-no-p12-smime-policy.patch new file mode 100644 index 0000000..a43f7ae --- /dev/null +++ b/SOURCES/nss-3.101-el8-no-p12-smime-policy.patch 
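Review bot: The expected result for `allow=rsa-min=16384:key-size-flags=key-size-sign` flips from `1` (failure) to `0` (success) with no comment, so the table now asserts that a 16384-bit minimum does not stop signing with the test keys while the verify and ssl variants on the neighbouring lines still expect failure. That is a security-relevant expectation (the sign-side key-size check is effectively asserted as not enforced in this build), so record the reason in the comment block above the row, e.g. `# el8: key-size-sign is not enforced here, so signing with an undersized key is expected to succeed`, with the wording adjusted to the actual cause.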
@@ -0,0 +1,89 @@ +diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c +--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700 ++++ ./lib/pkcs12/p12plcy.c 2024-07-17 11:26:00.334836451 -0700 +@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[] + static PRBool + sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed) + { ++#ifdef notdef + PRUint32 policy; + SECStatus rv; + +@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3 + return PR_TRUE; + } + return PR_FALSE; ++#else ++ return PR_TRUE; ++#endif + } + + PRBool +diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c +--- ./lib/smime/smimeutil.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700 ++++ ./lib/smime/smimeutil.c 2024-07-17 11:27:04.716617111 -0700 +@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC + PRBool + smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy) + { ++#ifdef notdef + PRUint32 policyFlags; + + /* some S/MIME algs map to the same underlying KEA mechanism, +@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + return PR_FALSE; + } ++#endif + return PR_TRUE; + } + +@@ -485,6 +487,7 @@ smime_init_once(void *arg) + return PR_FAILURE; + } + ++#ifdef notdef + /* At initialization time, we need to set up the defaults. We first + * look to see if the system or application has set up certain algorithms + * by policy. 
If they have set up values by policy we'll only allow those +@@ -497,6 +500,11 @@ smime_init_once(void *arg) + PORT_Free(tags); + tags = NULL; + } ++#else ++ /* just initialize the old maps */ ++ rv = SECSuccess; ++ tagCount = 0; ++#endif + if ((rv != SECSuccess) || (tagCount == 0)) { + /* No algorithms have been enabled by policy (either by the system + * or by the application, we then will use the traditional default +diff -up ./smime/smime.sh.no_p12_smime_policy ./smime/smime.sh +--- ./tests/smime/smime.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0 +700 ++++ ./tests/smime/smime.sh 2024-07-17 12:29:08.251207306 -0700 +@@ -872,8 +872,8 @@ smime_init + smime_main + smime_data_tb + smime_p7 +-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then +- smime_policy +-fi ++#if [ "${TEST_MODE}" = "SHARED_DB" ] ; then ++# smime_policy ++#fi + smime_cleanup + +diff -up ./tools/tools.sh.no_p12_smime_policy ./tools/tools.sh +--- ./tests/tools/tools.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0 +700 ++++ ./tests/tools/tools.sh 2024-07-17 12:28:32.418778346 -0700 +@@ -586,7 +586,7 @@ tools_p12() + tools_p12_import_pbmac1_samples + if [ "${TEST_MODE}" = "SHARED_DB" ] ; then + tools_p12_import_rsa_pss_private_key +- tools_p12_policy ++#tools_p12_policy + fi + } + diff --git a/SOURCES/nss-3.66-restore-old-pkcs12-default.patch b/SOURCES/nss-3.101-el8-restore-old-pkcs12-default.patch similarity index 78% rename from SOURCES/nss-3.66-restore-old-pkcs12-default.patch rename to SOURCES/nss-3.101-el8-restore-old-pkcs12-default.patch index 54f020c..ccbfde5 100644 --- a/SOURCES/nss-3.66-restore-old-pkcs12-default.patch +++ b/SOURCES/nss-3.101-el8-restore-old-pkcs12-default.patch 
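Review bot: The `---` header lines for smime.sh and tools.sh are split mid-timestamp (`... 2024-07-17 12:27:36.262106070 -0` followed by a bare `700` line), and their `diff -up` lines name `./smime/smime.sh` and `./tools/tools.sh` while the `---`/`+++` lines name `./tests/smime/smime.sh` and `./tests/tools/tools.sh`; the stray `700` line sits between `---` and `+++`, which `patch` is likely to reject, so rejoin the timestamp and use the `./tests/...` path in all three lines. In `sec_PKCS12Allowed` and `smime_allowed_by_policy` the `#ifdef notdef` bodies leave `alg`, `needed`, `algtag` and `neededPolicy` unused and turn both policy gates into unconditional `PR_TRUE`, i.e. every `allow=`/`disallow=` policy for PKCS#12 and S/MIME algorithms is ignored in this build; a comment above each `#ifdef notdef` stating that el8 intentionally keeps the pre-policy behaviour would document that, and `(void)alg; (void)needed;` in the `#else` arm keeps `-Wunused-parameter` quiet. `smime_init_once` starts and ends outside the hunk.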
@@ -26,6 +26,20 @@ diff -up ./cmd/pk12util/pk12util.c.orig ./cmd/pk12util/pk12util.c if (pk12util.options[opt_CertCipher].activated) { char *cipherString = pk12util.options[opt_CertCipher].arg; +--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default 2024-07-18 08:26:35.7732 +48450 -0700 ++++ ./cmd/pk12util/pk12util.c 2024-07-18 08:27:05.796595554 -0700 +@@ -1165,10 +1165,6 @@ main(int argc, char **argv) + } + } + } +- /* in FIPS mode default to encoding with pkcs5v2 for the MAC */ +- if (PK11_IsFIPS()) { +- hash = SEC_OID_HMAC_SHA256; +- } + if (pk12util.options[opt_Mac].activated) { + char *hashString = pk12util.options[opt_Mac].arg; + diff -up ./tests/tools/tools.sh.orig ./tests/tools/tools.sh --- ./tests/tools/tools.sh.orig 2021-06-15 17:06:27.650564449 -0700 +++ ./tests/tools/tools.sh 2021-06-15 17:07:59.934117192 -0700 diff --git a/SOURCES/nss-3.101-enable-kyber-policy.patch b/SOURCES/nss-3.101-enable-kyber-policy.patch new file mode 100644 index 0000000..374e4e6 --- /dev/null +++ b/SOURCES/nss-3.101-enable-kyber-policy.patch @@ -0,0 +1,13 @@ +diff -up ./lib/pk11wrap/pk11pars.c.enable_kyber_policy ./lib/pk11wrap/pk11pars.c +--- ./lib/pk11wrap/pk11pars.c.enable_kyber_policy 2024-06-12 14:44:24.680338868 -0700 ++++ ./lib/pk11wrap/pk11pars.c 2024-06-12 14:44:48.368609356 -0700 +@@ -245,7 +245,8 @@ static const oidValDef curveOptList[] = + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, + { CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, +- { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 0 }, ++ { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, ++ NSS_USE_ALG_IN_SSL_KX }, + /* ANSI X9.62 named elliptic curves (characteristic two field) */ + { CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, 
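Review bot: Removing the `if (PK11_IsFIPS()) { hash = SEC_OID_HMAC_SHA256; }` block from pk12util main() leaves whatever `hash` was initialised to earlier (outside this hunk) in effect in FIPS mode as well, and the inner patch carries no comment on why the FIPS default is being reverted; only the file name hints at it. A comment at the removal point, e.g. `/* keep the pre-3.101 MAC default in FIPS mode for compatibility with existing consumers; -m still overrides */` (adjusting the option letter to what pk12util actually uses), would make the intent explicit for whoever rebases this again. main() begins and ends outside the hunk.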
diff --git a/SOURCES/nss-3.90-extend-db-dump-time.patch b/SOURCES/nss-3.101-extend-db-dump-time.patch similarity index 83% rename from SOURCES/nss-3.90-extend-db-dump-time.patch rename to SOURCES/nss-3.101-extend-db-dump-time.patch index 9d26770..88a608b 100644 --- a/SOURCES/nss-3.90-extend-db-dump-time.patch +++ b/SOURCES/nss-3.101-extend-db-dump-time.patch @@ -5,8 +5,8 @@ diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh RARRAY=($dtime) TIMEARRAY=(${RARRAY[1]//./ }) echo "${TIMEARRAY[0]} seconds" -- test ${TIMEARRAY[0]} -lt 2 -+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-3} +- test ${TIMEARRAY[0]} -lt 5 ++ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-5} ret=$? html_msg ${ret} 0 "certutil dump keys with explicit default trust flags" fi diff --git a/SOURCES/nss-3.90-fips-indicators.patch b/SOURCES/nss-3.101-fips-indicators.patch similarity index 85% rename from SOURCES/nss-3.90-fips-indicators.patch rename to SOURCES/nss-3.101-fips-indicators.patch index 961d64b..604d054 100644 --- a/SOURCES/nss-3.90-fips-indicators.patch +++ b/SOURCES/nss-3.101-fips-indicators.patch @@ -1,7 +1,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c ---- ./lib/softoken/pkcs11c.c.fips_indicators 2023-11-27 11:21:42.459523398 -0800 -+++ ./lib/softoken/pkcs11c.c 2023-11-27 11:22:56.821120920 -0800 -@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C +--- ./lib/softoken/pkcs11c.c.fips_indicators 2024-06-12 13:38:15.995811284 -0700 ++++ ./lib/softoken/pkcs11c.c 2024-06-12 13:41:30.008188930 -0700 +@@ -453,7 +453,7 @@ sftk_InitGeneric(SFTKSession *session, C context->blockSize = 0; context->maxLen = 0; context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism, 
@@ -10,16 +10,16 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c *contextPtr = context; return CKR_OK; } -@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +@@ -4885,7 +4885,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi crv = sftk_handleObject(key, session); - /* we need to do this check at the end, so we can check the generated + /* we need to do this check at the end, so we can check the generated * key length against fips requirements */ - key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key); + key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0); session->lastOpWasFIPS = key->isFIPS; sftk_FreeSession(session); if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) { -@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -6020,7 +6020,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS return crv; } /* we need to do this check at the end to make sure the generated key meets the key length requirements */ @@ -28,7 +28,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c publicKey->isFIPS = privateKey->isFIPS; session->lastOpWasFIPS = privateKey->isFIPS; sftk_FreeSession(session); -@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ +@@ -7220,6 +7220,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ return CKR_TEMPLATE_INCONSISTENT; } @@ -39,7 +39,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c /* sourceKey is NULL if we are called from the POST, skip the * sensitiveCheck */ if (sourceKey != NULL) { -@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ +@@ -7269,7 +7273,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ mech.pParameter = params; mech.ulParameterLen = sizeof(*params); key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech, 
@@ -49,7 +49,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c } saltKeySource = saltKey->source; saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE); -@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ +@@ -7336,7 +7341,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ /* HKDF-Expand */ if (!params->bExpand) { okm = prk; @@ -58,7 +58,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c } else { /* T(1) = HMAC-Hash(prk, "" | info | 0x01) * T(n) = HMAC-Hash(prk, T(n-1) | info | n -@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7583,7 +7588,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession return CKR_KEY_HANDLE_INVALID; } } @@ -69,8 +69,8 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c switch (mechanism) { /* get a public key from a private key. nsslowkey_ConvertToPublickey() diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h ---- ./lib/softoken/pkcs11i.h.fips_indicators 2023-11-27 11:21:42.450523326 -0800 -+++ ./lib/softoken/pkcs11i.h 2023-11-27 11:22:56.821120920 -0800 +--- ./lib/softoken/pkcs11i.h.fips_indicators 2024-06-12 13:38:15.988811198 -0700 ++++ ./lib/softoken/pkcs11i.h 2024-06-12 13:38:15.996811296 -0700 @@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB /* check the FIPS table to determine if this current operation is allowed by * FIPS security policy */ 
@@ -82,9 +82,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h CK_RV sftk_CreateValidationObjects(SFTKSlot *slot); diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c ---- ./lib/softoken/pkcs11u.c.fips_indicators 2023-11-27 11:21:42.451523334 -0800 -+++ ./lib/softoken/pkcs11u.c 2023-11-27 11:31:51.812419789 -0800 -@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou +--- ./lib/softoken/pkcs11u.c.fips_indicators 2024-06-12 13:38:15.990811223 -0700 ++++ ./lib/softoken/pkcs11u.c 2024-06-12 13:38:15.996811296 -0700 +@@ -2336,7 +2336,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou static CK_ULONG sftk_getKeyLength(SFTKObject *source) { @@ -93,7 +93,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c CK_ATTRIBUTE_TYPE keyAttribute; CK_ULONG keyLength = 0; SFTKAttribute *attribute; -@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source) +@@ -2398,13 +2398,29 @@ sftk_getKeyLength(SFTKObject *source) return keyLength; } @@ -124,7 +124,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c { switch (mechInfo->special) { case SFTKFIPSDH: { -@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME +@@ -2464,10 +2480,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME if (hashObj == NULL) { return PR_FALSE; } @@ -141,7 +141,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c } case SFTKFIPSPBKDF2: { /* PBKDF2 must have the following addition restrictions -@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME +@@ -2492,6 +2513,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME } return PR_TRUE; } @@ -155,7 +155,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c default: break; } -@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME +@@ -2502,7 +2530,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op, 
@@ -164,7 +164,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c { #ifndef NSS_HAS_FIPS_INDICATORS return PR_FALSE; -@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_ +@@ -2534,13 +2562,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_ SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i]; /* if we match the number of records exactly, then we are an * approved algorithm in the approved mode with an approved key */ diff --git a/SOURCES/nss-3.79-fips-review.patches b/SOURCES/nss-3.101-fips-review.patches similarity index 89% rename from SOURCES/nss-3.79-fips-review.patches rename to SOURCES/nss-3.101-fips-review.patches index 14c904a..755b087 100644 --- a/SOURCES/nss-3.79-fips-review.patches +++ b/SOURCES/nss-3.101-fips-review.patches @@ -1,6 +1,6 @@ diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c ---- ./lib/freebl/dh.c.fips-review 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/dh.c 2023-06-12 15:30:23.453233170 -0700 +--- ./lib/freebl/dh.c.fips-review 2024-06-07 09:26:03.000000000 -0700 ++++ ./lib/freebl/dh.c 2024-06-12 12:04:10.639360404 -0700 @@ -445,7 +445,7 @@ cleanup: PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime) 
@@ -50,20 +50,28 @@ diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c MP_TO_SEC_ERROR(err); return PR_FALSE; diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c ---- ./lib/softoken/pkcs11c.c.fips-review 2023-06-12 15:29:04.096403884 -0700 -+++ ./lib/softoken/pkcs11c.c 2023-06-12 15:30:23.454233181 -0700 -@@ -4785,6 +4785,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +--- ./lib/softoken/pkcs11c.c.fips-review 2024-06-12 12:04:10.638360392 -0700 ++++ ./lib/softoken/pkcs11c.c 2024-06-12 13:06:35.410551333 -0700 +@@ -43,6 +43,7 @@ + + #include "prprf.h" + #include "prenv.h" ++#include "prerror.h" + + #define __PASTE(x, y) x##y + #define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize) +@@ -4882,6 +4883,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi * handle the base object stuff */ crv = sftk_handleObject(key, session); -+ /* we need to do this check at the end, so we can check the generated ++ /* we need to do this check at the end, so we can check the generated + * key length against fips requirements */ + key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key); + session->lastOpWasFIPS = key->isFIPS; sftk_FreeSession(session); if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) { crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL)); -@@ -4792,9 +4796,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +@@ -4889,9 +4894,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) { crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL)); } @@ -73,7 +81,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c if (crv == CKR_OK) { *phKey = key->handle; } -@@ -5098,60 +5099,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5199,60 +5201,68 @@ sftk_PairwiseConsistencyCheck(CK_SESSION if (isDerivable) { SFTKAttribute *pubAttribute = NULL; 
@@ -156,7 +164,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c + } + /* make sure it has the same encoding */ + if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || -+ lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) { ++ lowPrivKey->u.ec.ecParams.type != ec_params_named) { + lowPubValue = SECITEM_DupItem(&ecPriv->publicValue); + } else { + lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue, @@ -169,7 +177,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c + default: + return CKR_DEVICE_ERROR; } -- + - crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey); - if (crv != CKR_OK) { - sftk_FreeAttribute(pubAttribute); @@ -189,7 +197,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c /* FIPS requires full validation, but in fipx mode NSC_Derive * only does partial validation with approved primes, now handle * full validation */ -@@ -5159,44 +5167,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5260,44 +5270,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION SECItem pubKey; SECItem prime; SECItem subPrime; @@ -283,7 +291,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c } return CKR_OK; -@@ -5714,8 +5756,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5925,8 +5969,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS * created and linked. */ crv = sftk_handleObject(publicKey, session); @@ -293,7 +301,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c sftk_FreeObject(publicKey); NSC_DestroyObject(hSession, privateKey->handle); sftk_FreeObject(privateKey); -@@ -5757,6 +5799,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5968,6 +6012,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS } if (crv != CKR_OK) { 
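Review bot: The rebased hunk replaces the encoding test in sftk_PairwiseConsistencyCheck, `lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain`, with `lowPrivKey->u.ec.ecParams.type != ec_params_named`, which is a different predicate (field type versus how the curve parameters are encoded) rather than a mechanical rename, and it decides whether the public value is compared raw or DER-wrapped. Nothing in the patch says which NSS 3.101 change made the old test wrong; a comment on that line naming the upstream change, and the rule it now follows, would let a reviewer check it against the key-generation path rather than trust it. I cannot confirm from this hunk alone that the new predicate is the right one. sftk_PairwiseConsistencyCheck starts and ends outside the hunk.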
@@ -301,7 +309,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c NSC_DestroyObject(hSession, publicKey->handle); sftk_FreeObject(publicKey); NSC_DestroyObject(hSession, privateKey->handle); -@@ -5766,6 +5809,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5977,6 +6022,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS /* we need to do this check at the end to make sure the generated key meets the key length requirements */ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey); publicKey->isFIPS = privateKey->isFIPS; @@ -310,7 +318,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c *phPrivateKey = privateKey->handle; *phPublicKey = publicKey->handle; -@@ -8386,7 +8431,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -8610,7 +8657,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession /* if the prime is an approved prime, we can skip all the other * checks. */ @@ -319,7 +327,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c if (subPrime == NULL) { SECItem dhSubPrime; /* If the caller set the subprime value, it means that -@@ -8568,6 +8613,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -8792,6 +8839,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession secretlen = tmp.len; } else { secretlen = keySize; 
@@ -327,24 +335,9 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c crv = sftk_ANSI_X9_63_kdf(&secret, keySize, &tmp, mechParams->pSharedData, mechParams->ulSharedDataLen, mechParams->kdf); -diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c ---- ./lib/softoken/pkcs11.c.fips-review 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/softoken/pkcs11.c 2023-06-12 15:30:23.454233181 -0700 -@@ -4625,7 +4625,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess - if (object == NULL) { - return CKR_HOST_MEMORY; - } -- object->isFIPS = PR_FALSE; /* if we created the object on the fly, -+ /* object types that we aren't allowed to create in FIPS mode are -+ * already rejected explicitly. If we get here, then the object is -+ * FIPS OK (most notably public key objects )*/ -+ /* object->isFIPS = PR_FALSE; if we created the object on the fly, - * it's not a FIPS object */ - - /* diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h ---- ./lib/softoken/pkcs11i.h.fips-review 2023-06-12 15:29:04.097403894 -0700 -+++ ./lib/softoken/pkcs11i.h 2023-06-12 15:30:23.454233181 -0700 +--- ./lib/softoken/pkcs11i.h.fips-review 2024-06-12 12:04:10.638360392 -0700 ++++ ./lib/softoken/pkcs11i.h 2024-06-12 12:04:10.640360416 -0700 @@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu /* dh verify functions */ /* verify that dhPrime matches one of our known primes, and if so return 
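Review bot: This hunk drops the pkcs11.c part of the patch, which had stopped NSC_CreateObject from forcing `object->isFIPS = PR_FALSE` on objects created on the fly, and nothing in the rebased patch records whether 3.101 now handles this itself or whether the indicator is being given up. If upstream does not set isFIPS for created objects, public keys imported through NSC_CreateObject will again report non-FIPS and any path that consults that flag changes outcome; if upstream does, a line in the patch header such as `pkcs11.c hunk dropped: upstream 3.101 no longer clears isFIPS in NSC_CreateObject` would save the next rebase from re-deriving that. The remaining changes in this hunk are timestamp churn.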
@@ -355,9 +348,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe); /* map an operation Attribute to a Mechanism flag */ diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c ---- ./lib/softoken/pkcs11u.c.fips-review 2023-06-12 15:29:04.097403894 -0700 -+++ ./lib/softoken/pkcs11u.c 2023-06-12 15:30:23.454233181 -0700 -@@ -2403,15 +2403,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME +--- ./lib/softoken/pkcs11u.c.fips-review 2024-06-12 12:04:10.638360392 -0700 ++++ ./lib/softoken/pkcs11u.c 2024-06-12 12:04:10.640360416 -0700 +@@ -2409,15 +2409,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME switch (mechInfo->special) { case SFTKFIPSDH: { SECItem dhPrime; @@ -388,8 +381,8 @@ diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c case SFTKFIPSNone: return PR_FALSE; diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c ---- ./lib/softoken/sftkdhverify.c.fips-review 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/softoken/sftkdhverify.c 2023-06-12 15:30:23.455233191 -0700 +--- ./lib/softoken/sftkdhverify.c.fips-review 2024-06-07 09:26:03.000000000 -0700 ++++ ./lib/softoken/sftkdhverify.c 2024-06-12 12:04:10.641360427 -0700 @@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 = (unsigned char *)subprime_tls_8192_data, sizeof(subprime_tls_8192_data) }; @@ -481,8 +474,8 @@ diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c } break; diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c ---- ./lib/softoken/sftkike.c.fips-review 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/softoken/sftkike.c 2023-06-12 15:30:23.455233191 -0700 +--- ./lib/softoken/sftkike.c.fips-review 2024-06-07 09:26:03.000000000 -0700 ++++ ./lib/softoken/sftkike.c 2024-06-12 12:04:10.641360427 -0700 @@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession, goto fail; } 
diff --git a/SOURCES/nss-3.101-fix-cms-abi-break.patch b/SOURCES/nss-3.101-fix-cms-abi-break.patch new file mode 100644 index 0000000..c60fab6 --- /dev/null +++ b/SOURCES/nss-3.101-fix-cms-abi-break.patch 
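@@ -0,0 +1,115 @@
+diff -up ./lib/smime/cmsasn1.c.restore_abi ./lib/smime/cmsasn1.c
+--- ./lib/smime/cmsasn1.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmsasn1.c 2024-09-06 18:05:27.808338289 -0700
+@@ -350,7 +350,7 @@ static const SEC_ASN1Template NSSCMSKeyA
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+ offsetof(NSSCMSKeyAgreeRecipientInfo, ukm),
+- SEC_ASN1_SUB(SEC_OctetStringTemplate) },
++ SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSCMSKeyAgreeRecipientInfo, keyEncAlg),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+diff -up ./lib/smime/cmslocal.h.restore_abi ./lib/smime/cmslocal.h
+--- ./lib/smime/cmslocal.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmslocal.h 2024-09-06 18:04:47.647863624 -0700
+@@ -174,7 +174,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKE
+
+ extern SECStatus
+ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+- SECItem *encKey, PRBool genUkm, SECItem *ukm,
++ SECItem *encKey, PRBool genUkm, SECItem **ukm,
+ SECAlgorithmID *keyEncAlg, SECItem *originatorPubKey, void *wincx);
+
+ PK11SymKey *
+diff -up ./lib/smime/cmspubkey.c.restore_abi ./lib/smime/cmspubkey.c
+--- ./lib/smime/cmspubkey.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmspubkey.c 2024-09-06 18:04:47.647863624 -0700
+@@ -292,9 +292,15 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
+ unsigned char suppPubInfo[4] = { 0 };
+
+ SI.keyInfo = keyInfo;
+- SI.entityUInfo.type = ukm->type;
+- SI.entityUInfo.data = ukm->data;
+- SI.entityUInfo.len = ukm->len;
++ if (ukm) {
++ SI.entityUInfo.type = ukm->type;
++ SI.entityUInfo.data = ukm->data;
++ SI.entityUInfo.len = ukm->len;
++ } else {
++ SI.entityUInfo.type = siBuffer;
++ SI.entityUInfo.data = NULL;
++ SI.entityUInfo.len = 0;
++ }
+
+ SI.suppPubInfo.type = siBuffer;
+ SI.suppPubInfo.data = suppPubInfo;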
+@@ -322,7 +328,7 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p + SECStatus + NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, + PK11SymKey *bulkkey, SECItem *encKey, +- PRBool genUkm, SECItem *ukm, ++ PRBool genUkm, SECItem **ukmp, + SECAlgorithmID *keyEncAlg, SECItem *pubKey, + void *wincx) + { +@@ -337,10 +343,11 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena + SECAlgorithmID keyWrapAlg; + SECOidTag keyEncAlgtag; + SECItem keyWrapAlg_params, *keyEncAlg_params, *SharedInfo; ++ SECItem *ukm = *ukmp; + CK_MECHANISM_TYPE keyDerivationType, keyWrapMech; + CK_ULONG kdf; + +- if (genUkm && (ukm->len != 0 || ukm->data != NULL)) { ++ if (genUkm && (ukm != NULL)) { + PORT_SetError(PR_INVALID_ARGUMENT_ERROR); + return SECFailure; + } +@@ -427,17 +434,17 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena + * contain 512 bits for Diffie-Hellman key agreement. */ + + if (genUkm) { +- ukm->type = siBuffer; +- ukm->len = 64; +- ukm->data = (unsigned char *)PORT_ArenaAlloc(poolp, ukm->len); +- +- if (ukm->data == NULL) { ++ ukm = SECITEM_AllocItem(poolp, NULL, 64); ++ if (ukm == NULL) { + goto loser; + } ++ ukm->type = siBuffer; ++ + rv = PK11_GenerateRandom(ukm->data, ukm->len); + if (rv != SECSuccess) { + goto loser; + } ++ *ukmp = ukm; /* return it */ + } + + SharedInfo = Create_ECC_CMS_SharedInfo(poolp, &keyWrapAlg, +diff -up ./lib/smime/cmsrecinfo.c.restore_abi ./lib/smime/cmsrecinfo.c +--- ./lib/smime/cmsrecinfo.c.restore_abi 2024-06-07 09:26:03.000000000 -0700 ++++ ./lib/smime/cmsrecinfo.c 2024-09-06 18:04:47.647863624 -0700 +@@ -582,7 +582,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM + parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters); + enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey); + oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey); +- ukm = &(ri->ri.keyAgreeRecipientInfo.ukm); ++ ukm = ri->ri.keyAgreeRecipientInfo.ukm; + break; + case NSSCMSRecipientInfoID_KEK: + algid = 
&(ri->ri.kekRecipientInfo.keyEncAlg); +diff -up ./lib/smime/cmst.h.restore_abi ./lib/smime/cmst.h +--- ./lib/smime/cmst.h.restore_abi 2024-06-07 09:26:03.000000000 -0700 ++++ ./lib/smime/cmst.h 2024-09-06 18:04:47.647863624 -0700 +@@ -376,7 +376,7 @@ typedef struct NSSCMSRecipientEncryptedK + struct NSSCMSKeyAgreeRecipientInfoStr { + SECItem version; + NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey; +- SECItem ukm; /* optional */ ++ SECItem *ukm; /* optional */ + SECAlgorithmID keyEncAlg; + NSSCMSRecipientEncryptedKey **recipientEncryptedKeys; + }; diff --git a/SOURCES/nss-3.101-fix-missing-size-checks.patch b/SOURCES/nss-3.101-fix-missing-size-checks.patch new file mode 100644 index 0000000..067296c --- /dev/null +++ b/SOURCES/nss-3.101-fix-missing-size-checks.patch 
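Review bot: `SECItem *ukm = *ukmp;` in NSS_CMSUtil_EncryptSymKey_ESECDH dereferences the new out-parameter before anything checks it, so a caller passing NULL (the callers are outside this hunk) crashes instead of failing; a guard ahead of it, `if (ukmp == NULL) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`, would match the PR_INVALID_ARGUMENT_ERROR check that follows. In cmsrecinfo.c `ukm` now carries the pointer stored in the decoded structure and is NULL for a message without a UKM; Create_ECC_CMS_SharedInfo handles that in this patch, but whatever consumes `ukm` on the unwrap path after the hunk should be checked for the same. Since cmst.h turns the field into a pointer, any remaining code that took `&ri->ri.keyAgreeRecipientInfo.ukm` now needs the pointer itself, which a grep over lib/smime would confirm. A short header in the patch saying which exported struct layout this restores would also help, since the cmslocal.h prototype change is internal and not the ABI in question.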
@@ -0,0 +1,126 @@ +diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc +--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc ++++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc +@@ -371,16 +371,21 @@ static void GenerateWeakRsaKey(ScopedSEC + // Fail to connect with a weak RSA key. + TEST_P(TlsConnectTls13, DCWeakKey) { + Reset(kPssDelegatorId); + EnsureTlsSetup(); + static const SSLSignatureScheme kSchemes[] = {ssl_sig_rsa_pss_rsae_sha256, + ssl_sig_rsa_pss_pss_sha256}; + client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes)); + server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes)); ++ PRInt32 keySizeFlags; ++ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &keySizeFlags)); ++ // turn off the signing key sizes so we actually test the ssl tests ++ ASSERT_EQ(SECSuccess, ++ NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, NSS_KEY_SIZE_POLICY_SSL_FLAG )); + #if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY + // save the MIN POLICY length. 
+ PRInt32 minRsa; + + ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa)); + #if RSA_MIN_MODULUS_BITS >= 2048 + ASSERT_EQ(SECSuccess, + NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024)); +@@ -408,16 +413,17 @@ TEST_P(TlsConnectTls13, DCWeakKey) { + client_->EnableDelegatedCredentials(); + + auto cfilter = MakeTlsFilter( + client_, ssl_delegated_credentials_xtn); + ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity); + #if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY + ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa)); + #endif ++ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, keySizeFlags)); + } + + class ReplaceDCSigScheme : public TlsHandshakeFilter { + public: + ReplaceDCSigScheme(const std::shared_ptr& a) + : TlsHandshakeFilter(a, {ssl_hs_certificate_verify}) {} + + protected: +diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c +--- a/lib/cryptohi/seckey.c ++++ b/lib/cryptohi/seckey.c +@@ -1134,22 +1134,31 @@ SECKEY_PrivateKeyStrengthInBits(const SE + return 0; + } + + /* interpret modulus length as key strength */ + switch (privk->keyType) { + case rsaKey: + case rsaPssKey: + case rsaOaepKey: +- /* some tokens don't export CKA_MODULUS on the private key, +- * PK11_SignatureLen works around this if necessary */ +- bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE; +- if (bitSize == -1) { +- bitSize = 0; ++ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, ++ CKA_MODULUS, NULL, ¶ms); ++ if ((rv != SECSuccess) || (params.data == NULL)) { ++ /* some tokens don't export CKA_MODULUS on the private key, ++ * PK11_SignatureLen works around this if necessary. 
This ++ * method is less percise because it returns bytes instead ++ * bits, so we only do it if we can't get the modulus */ ++ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE; ++ if (bitSize == -1) { ++ return 0; ++ } ++ return bitSize; + } ++ bitSize = SECKEY_BigIntegerBitLength(¶ms); ++ PORT_Free(params.data); + return bitSize; + case dsaKey: + case fortezzaKey: + case dhKey: + case keaKey: + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_PRIME, NULL, ¶ms); + if ((rv != SECSuccess) || (params.data == NULL)) { +diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c +--- a/lib/ssl/ssl3con.c ++++ b/lib/ssl/ssl3con.c +@@ -1277,27 +1277,39 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *h + PORT_SetError(SEC_ERROR_INVALID_KEY); + goto done; + } + PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len)); + + if (useRsaPss || hash->hashAlg == ssl_hash_none) { + CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType); + int signatureLen = PK11_SignatureLen(key); ++ PRInt32 optval; + + SECItem *params = NULL; + CK_RSA_PKCS_PSS_PARAMS pssParams; + SECItem pssParamsItem = { siBuffer, + (unsigned char *)&pssParams, + sizeof(pssParams) }; + + if (signatureLen <= 0) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + goto done; + } ++ /* since we are calling PK11_SignWithMechanism directly, we need to check the ++ * key policy ourselves (which is already checked in SGN_Digest */ ++ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval); ++ if ((rv == SECSuccess) && ++ ((optval & NSS_KEY_SIZE_POLICY_SIGN_FLAG) == NSS_KEY_SIZE_POLICY_SIGN_FLAG)) { ++ rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PrivateKeyStrengthInBits(key), ++ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); ++ if (rv != SECSuccess) { ++ goto done; /* error code already set */ ++ } ++ } + + buf->len = (unsigned)signatureLen; + buf->data = (unsigned char *)PORT_Alloc(signatureLen); + if (!buf->data) + goto done; /* error code was set. 
*/
+
+ if (useRsaPss) {
+ pssParams.hashAlg = ssl3_GetHashMechanismByHashType(hash->hashAlg);
diff --git a/SOURCES/nss-3.101-fix-pkcs12-md5-decode.patch b/SOURCES/nss-3.101-fix-pkcs12-md5-decode.patch
new file mode 100644
index 0000000..a461852
--- /dev/null
+++ b/SOURCES/nss-3.101-fix-pkcs12-md5-decode.patch
@@ -0,0 +1,43 @@
+diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c
+--- a/lib/util/nsshash.c
++++ b/lib/util/nsshash.c
+@@ -102,16 +102,19 @@ HASH_GetHashOidTagByHashType(HASH_HashTy
+ SECOidTag
+ HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
+ {
+ SECOidTag hashOid = SEC_OID_UNKNOWN;
+
+ switch (hmacOid) {
+ /* no oid exists for HMAC_MD2 */
+ /* NSS does not define a oid for HMAC_MD4 */
++ case SEC_OID_HMAC_MD5:
++ hashOid = SEC_OID_MD5;
++ break;
+ case SEC_OID_HMAC_SHA1:
+ hashOid = SEC_OID_SHA1;
+ break;
+ case SEC_OID_HMAC_SHA224:
+ hashOid = SEC_OID_SHA224;
+ break;
+ case SEC_OID_HMAC_SHA256:
+ hashOid = SEC_OID_SHA256;
+@@ -145,16 +148,19 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
+ SECOidTag
+ HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
+ {
+ SECOidTag hmacOid = SEC_OID_UNKNOWN;
+
+ switch (hashOid) {
+ /* no oid exists for HMAC_MD2 */
+ /* NSS does not define a oid for HMAC_MD4 */
++ case SEC_OID_MD5:
++ hmacOid = SEC_OID_HMAC_MD5;
++ break;
+ case SEC_OID_SHA1:
+ hmacOid = SEC_OID_HMAC_SHA1;
+ break;
+ case SEC_OID_SHA224:
+ hmacOid = SEC_OID_HMAC_SHA224;
+ break;
+ case SEC_OID_SHA256:
+ hmacOid = SEC_OID_HMAC_SHA256;
diff --git a/SOURCES/nss-3.101-fix-pkcs12-pbkdf1-encoding.patch b/SOURCES/nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
new file mode 100644
index 0000000..881a7c8
--- /dev/null
+++ b/SOURCES/nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
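Review bot: In ssl3_SignHashesWithPrivKey the new policy check reuses `rv` for NSS_OptionGet(); if `rv` is the function's result variable initialised to SECFailure (its declaration and the `done:` label are outside the hunk), it is SECSuccess by the time `if (!buf->data) goto done;` fires a few lines later, so an allocation failure would return success with no signature. Use a separate local for the lookup, e.g. `SECStatus optrv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);` and test `optrv`, or set `rv = SECFailure` before the later `goto done` paths. The comment above that check is missing its closing parenthesis (`... already checked in SGN_Digest)`), and the seckey.c fallback comment has `percise` and `instead bits` for `precise` and `instead of bits`. In tls_subcerts_unittest.cc the `NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, NSS_KEY_SIZE_POLICY_SSL_FLAG )` call carries a stray space before the parenthesis.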
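Review bot: The MD5 mapping is added in both directions, so HASH_GetHMACOidTagByHashOidTag() now also hands out SEC_OID_HMAC_MD5 on the encode side, which goes beyond the decode fix the patch name describes; if producing new MD5-MAC'ed PKCS#12 files is not intended, keep only the case in HASH_GetHashOidTagByHMACOidTag(). Note that the p12plcy.c change earlier in this commit makes sec_PKCS12Allowed() return PR_TRUE unconditionally, so no policy check in this tree would reject an MD5 PRF afterwards. A comment beside the new cases, e.g. `/* MD5 accepted so legacy PKCS#12 MACs can still be verified */`, would record the intent either way.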
@@ -0,0 +1,121 @@ +diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c +--- a/lib/pk11wrap/pk11mech.c ++++ b/lib/pk11wrap/pk11mech.c +@@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: +- newParams = SEC_ASN1EncodeItem(NULL, NULL, param, +- SEC_ASN1_GET(SEC_OctetStringTemplate)); +- if (newParams == NULL) +- break; ++ /* if no parameters have been supplied, then encode a NULL params ++ */ ++ if (param && param->len > 0) { ++ newParams = SEC_ASN1EncodeItem(NULL, NULL, param, ++ SEC_ASN1_GET(SEC_OctetStringTemplate)); ++ if (newParams == NULL) ++ break; ++ } else { ++ newParams = NULL; ++ } + rv = SECSuccess; + break; + } + + if (rv != SECSuccess) { + if (newParams) + SECITEM_FreeItem(newParams, PR_TRUE); + return rv; +diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c +--- a/lib/pk11wrap/pk11pbe.c ++++ b/lib/pk11wrap/pk11pbe.c +@@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg + * algorithm is). We use choose this algorithm oid based on the + * cipherAlgorithm to determine what this should be (MAC1 or PBES2). 
+ */ + if (algorithm == SEC_OID_PKCS5_PBKDF2) { + /* choose mac or pbes */ + algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm); + } + ++ SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); ++ + /* set the PKCS5v2 specific parameters */ + if (keyLength == 0) { +- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); + if (hashAlg != SEC_OID_UNKNOWN) { + keyLength = HASH_ResultLenByOidTag(hashAlg); + } else { + keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm); + } + if (keyLength <= 0) { + goto loser; + } + } + /* currently SEC_OID_HMAC_SHA1 is the default */ + if (prfAlg == SEC_OID_UNKNOWN) { + prfAlg = SEC_OID_HMAC_SHA1; + } + +- /* build the PKCS5v2 cipher algorithm id */ +- cipherParams = pk11_GenerateNewParamWithKeyLen( +- PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); +- if (!cipherParams) { +- goto loser; ++ /* build the PKCS5v2 cipher algorithm id, if cipher ++ * is an HMAC, the cipherParams should be NULL */ ++ if (hashAlg == SEC_OID_UNKNOWN) { ++ cipherParams = pk11_GenerateNewParamWithKeyLen( ++ PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); ++ if (!cipherParams) { ++ goto loser; ++ } ++ } else { ++ cipherParams = NULL; + } + + PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param)); + + rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams, + poolp, &pbeV2_param.cipherAlgId); +- SECITEM_FreeItem(cipherParams, PR_TRUE); ++ if (cipherParams) { ++ SECITEM_FreeItem(cipherParams, PR_TRUE); ++ } + if (rv != SECSuccess) { + goto loser; + } + } + + /* generate the parameter */ + pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration, + keyLength, prfAlg); +diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c +--- a/lib/util/secalgid.c ++++ b/lib/util/secalgid.c +@@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; + } + + if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid)) + return SECFailure; + + if 
((secoid_IsRSAPKCS1(which)) ||
+- (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) {
++ (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* ||
++ (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) {
+ add_null_param = PR_TRUE;
+ } else {
+ add_null_param = PR_FALSE;
+ }
+
+ if (params) {
+ /*
+ * I am specifically *not* enforcing the following assertion
diff --git a/SOURCES/nss-3.101-long-pwd-fix.patch b/SOURCES/nss-3.101-long-pwd-fix.patch
new file mode 100644
index 0000000..f5efcff
--- /dev/null
+++ b/SOURCES/nss-3.101-long-pwd-fix.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/pkcs12/p12local.c.long_pw_fix ./lib/pkcs12/p12local.c
+--- ./lib/pkcs12/p12local.c.long_pw_fix 2024-09-06 17:58:39.905517185 -0700
++++ ./lib/pkcs12/p12local.c 2024-09-06 17:59:19.568985976 -0700
+@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
+ *hmacMech = PK11_AlgtagToMechanism(hmacAlg);
+ /* pkcs12v2 hmac uses UTF8 rather than unicode */
+ if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
+- PR_TRUE, PR_FALSE, PR_FALSE)) {
++ PR_FALSE, PR_FALSE, PR_FALSE)) {
+ return NULL;
+ }
+ symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);
diff --git a/SOURCES/nss-3.79-dbtool.patch b/SOURCES/nss-3.79-dbtool.patch
deleted file mode 100644
index b61942b..0000000
--- a/SOURCES/nss-3.79-dbtool.patch
+++ /dev/null
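Review bot: The comment added in PK11_ParamToAlgid says `encode a NULL params` but the code sets `newParams = NULL`, i.e. emits no parameters at all, and the secalgid.c hunk leaves the clause that would add a NULL parameter for HMAC identifiers commented out (`/* || (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */`), so the patch ships with the absent-versus-NULL question for the PBKDF2 PRF AlgorithmIdentifier undecided. RFC 8018 Appendix B.1.2 calls for a NULL parameters field on the HMAC PRF identifiers, so absent parameters may not round-trip with other implementations; either enable that clause or delete it, and reword the PK11_ParamToAlgid comment to what the code does, e.g. `/* no parameters supplied: emit the AlgorithmIdentifier without a parameters field */`. sec_pkcs5CreateAlgorithmID and SECOID_SetAlgorithmID both extend beyond the hunk, so I cannot see what SECOID_SetAlgorithmID does with a NULL `params` afterwards.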
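Review bot: The fourth argument of sec_pkcs12_convert_item_to_unicode() in sec_pkcs12_integrity_key flips from PR_TRUE to PR_FALSE with only the pre-existing `pkcs12v2 hmac uses UTF8 rather than unicode` comment as explanation, and the parameter's meaning is not visible in the hunk, so the one-bit change is hard to audit and the patch name is the only hint that long passwords were the symptom. Extend the comment to name the flag being cleared and the observed failure, e.g. `/* pkcs12v2 hmac uses UTF8 rather than unicode: <flag name> must be PR_FALSE or MAC verification fails for long passwords */`, with the flag name taken from the prototype. A note on whether a test for the long-password case exists would help too.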
@@ -1,3411 +0,0 @@ -diff --git a/cmd/dbtool/Makefile b/cmd/dbtool/Makefile -new file mode 100644 ---- /dev/null -+++ b/cmd/dbtool/Makefile -@@ -0,0 +1,46 @@ -+#! gmake -+# -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ -+####################################################################### -+# (1) Include initial platform-independent assignments (MANDATORY). # -+####################################################################### -+ -+include manifest.mn -+ -+####################################################################### -+# (2) Include "global" configuration information. (OPTIONAL) # -+####################################################################### -+ -+include $(CORE_DEPTH)/coreconf/config.mk -+ -+####################################################################### -+# (3) Include "component" configuration information. (OPTIONAL) # -+####################################################################### -+ -+####################################################################### -+# (4) Include "local" platform-dependent assignments (OPTIONAL). # -+####################################################################### -+ -+include ../platlibs.mk -+ -+####################################################################### -+# (5) Execute "global" rules. (OPTIONAL) # -+####################################################################### -+ -+include $(CORE_DEPTH)/coreconf/rules.mk -+ -+####################################################################### -+# (6) Execute "component" rules. (OPTIONAL) # -+####################################################################### -+ -+#include ../platlibs.mk -+ -+####################################################################### -+# (7) Execute "local" rules. (OPTIONAL). 
# -+####################################################################### -+ -+include ../platrules.mk -+ -diff --git a/cmd/dbtool/dbtool.c b/cmd/dbtool/dbtool.c -new file mode 100644 ---- /dev/null -+++ b/cmd/dbtool/dbtool.c -@@ -0,0 +1,806 @@ -+/* This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -+ -+/* -+** dbtool.c -+** -+** tool to dump the underlying encoding of a database. This tool duplicates -+** some private functions in softoken. It uses libsec and libutil, but no -+** other portions of NSS. It currently only works on sqlite databases. For -+** an even more primitive dump, use sqlite3 on the individual files. -+** -+** TODO: dump the meta data for the databases. -+** optionally dump more PKCS5 information (KDF/salt/iterations) -+** take a password and decode encrypted attributes/verify signed -+** attributes. -+*/ -+#include -+#include -+ -+#if defined(WIN32) -+#include "fcntl.h" -+#include "io.h" -+#endif -+ -+#include "secutil.h" -+#include "pk11pub.h" -+ -+#if defined(XP_UNIX) -+#include -+#endif -+ -+#include "nspr.h" -+#include "prtypes.h" -+#include "certdb.h" -+#include "nss.h" -+#include "../modutil/modutil.h" -+#include "pk11table.h" -+#include "sftkdbt.h" -+#include "sdb.h" -+#include "secoid.h" -+ -+#include "plgetopt.h" -+ -+static char *progName; -+ -+char *dbDir = NULL; -+ -+static void -+Usage() -+{ -+ printf("Usage: %s [-c certprefix] [-k keyprefix] " -+ "[-V certversion] [-v keyversion]\n" -+ " [-d dbdir]\n", -+ progName); -+ printf("%-20s Directory with cert database (default is .)\n", -+ "-d certdir"); -+ printf("%-20s prefix for the cert database (default is \"\")\n", -+ "-c certprefix"); -+ printf("%-20s prefix for the key database (default is \"\")\n", -+ "-k keyprefix"); -+ printf("%-20s version of the cert database (default is 9)\n", -+ "-V certversion"); -+ printf("%-20s 
version of the key database (default is 4)\n", -+ "-v keyversion"); -+ exit(1); -+} -+#define SFTK_KEYDB_TYPE 0x40000000 -+#define SFTK_TOKEN_TYPE 0x80000000 -+ -+/* -+ * known attributes -+ */ -+static const CK_ATTRIBUTE_TYPE known_attributes[] = { -+ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_APPLICATION, -+ CKA_VALUE, CKA_OBJECT_ID, CKA_CERTIFICATE_TYPE, CKA_ISSUER, -+ CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES, CKA_TRUSTED, -+ CKA_CERTIFICATE_CATEGORY, CKA_JAVA_MIDP_SECURITY_DOMAIN, CKA_URL, -+ CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CKA_HASH_OF_ISSUER_PUBLIC_KEY, -+ CKA_CHECK_VALUE, CKA_KEY_TYPE, CKA_SUBJECT, CKA_ID, CKA_SENSITIVE, -+ CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER, -+ CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_START_DATE, CKA_END_DATE, -+ CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT, -+ CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT, -+ CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_PRIME_BITS, -+ CKA_SUB_PRIME_BITS, CKA_VALUE_BITS, CKA_VALUE_LEN, CKA_EXTRACTABLE, -+ CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, -+ CKA_KEY_GEN_MECHANISM, CKA_MODIFIABLE, CKA_EC_PARAMS, -+ CKA_EC_POINT, CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, -+ CKA_ALWAYS_AUTHENTICATE, CKA_WRAP_WITH_TRUSTED, CKA_WRAP_TEMPLATE, -+ CKA_UNWRAP_TEMPLATE, CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, -+ CKA_HAS_RESET, CKA_PIXEL_X, CKA_PIXEL_Y, CKA_RESOLUTION, CKA_CHAR_ROWS, -+ CKA_CHAR_COLUMNS, CKA_COLOR, CKA_BITS_PER_PIXEL, CKA_CHAR_SETS, -+ CKA_ENCODING_METHODS, CKA_MIME_TYPES, CKA_MECHANISM_TYPE, -+ CKA_REQUIRED_CMS_ATTRIBUTES, CKA_DEFAULT_CMS_ATTRIBUTES, -+ CKA_SUPPORTED_CMS_ATTRIBUTES, CKA_NSS_URL, CKA_NSS_EMAIL, -+ CKA_NSS_SMIME_INFO, CKA_NSS_SMIME_TIMESTAMP, -+ CKA_NSS_PKCS8_SALT, CKA_NSS_PASSWORD_CHECK, CKA_NSS_EXPIRES, -+ CKA_NSS_KRL, CKA_NSS_PQG_COUNTER, CKA_NSS_PQG_SEED, -+ CKA_NSS_PQG_H, CKA_NSS_PQG_SEED_BITS, CKA_NSS_MODULE_SPEC, -+ CKA_TRUST_DIGITAL_SIGNATURE, 
CKA_TRUST_NON_REPUDIATION, -+ CKA_TRUST_KEY_ENCIPHERMENT, CKA_TRUST_DATA_ENCIPHERMENT, -+ CKA_TRUST_KEY_AGREEMENT, CKA_TRUST_KEY_CERT_SIGN, CKA_TRUST_CRL_SIGN, -+ CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, CKA_TRUST_CODE_SIGNING, -+ CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_IPSEC_END_SYSTEM, -+ CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING, -+ CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH, -+ CKA_NSS_DB, CKA_NSS_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS, -+ CKA_PUBLIC_KEY_INFO -+}; -+ -+static unsigned int known_attributes_size = sizeof(known_attributes) / -+ sizeof(known_attributes[0]); -+ -+PRBool -+isULONGAttribute(CK_ATTRIBUTE_TYPE type) -+{ -+ switch (type) { -+ case CKA_CERTIFICATE_CATEGORY: -+ case CKA_CERTIFICATE_TYPE: -+ case CKA_CLASS: -+ case CKA_JAVA_MIDP_SECURITY_DOMAIN: -+ case CKA_KEY_GEN_MECHANISM: -+ case CKA_KEY_TYPE: -+ case CKA_MECHANISM_TYPE: -+ case CKA_MODULUS_BITS: -+ case CKA_PRIME_BITS: -+ case CKA_SUBPRIME_BITS: -+ case CKA_VALUE_BITS: -+ case CKA_VALUE_LEN: -+ -+ case CKA_TRUST_DIGITAL_SIGNATURE: -+ case CKA_TRUST_NON_REPUDIATION: -+ case CKA_TRUST_KEY_ENCIPHERMENT: -+ case CKA_TRUST_DATA_ENCIPHERMENT: -+ case CKA_TRUST_KEY_AGREEMENT: -+ case CKA_TRUST_KEY_CERT_SIGN: -+ case CKA_TRUST_CRL_SIGN: -+ -+ case CKA_TRUST_SERVER_AUTH: -+ case CKA_TRUST_CLIENT_AUTH: -+ case CKA_TRUST_CODE_SIGNING: -+ case CKA_TRUST_EMAIL_PROTECTION: -+ case CKA_TRUST_IPSEC_END_SYSTEM: -+ case CKA_TRUST_IPSEC_TUNNEL: -+ case CKA_TRUST_IPSEC_USER: -+ case CKA_TRUST_TIME_STAMPING: -+ case CKA_TRUST_STEP_UP_APPROVED: -+ return PR_TRUE; -+ default: -+ break; -+ } -+ return PR_FALSE; -+} -+ -+/* are the attributes private? 
*/ -+static PRBool -+isPrivateAttribute(CK_ATTRIBUTE_TYPE type) -+{ -+ switch (type) { -+ case CKA_VALUE: -+ case CKA_PRIVATE_EXPONENT: -+ case CKA_PRIME_1: -+ case CKA_PRIME_2: -+ case CKA_EXPONENT_1: -+ case CKA_EXPONENT_2: -+ case CKA_COEFFICIENT: -+ return PR_TRUE; -+ default: -+ break; -+ } -+ return PR_FALSE; -+} -+ -+/* These attributes must be authenticated with an hmac. */ -+static PRBool -+isAuthenticatedAttribute(CK_ATTRIBUTE_TYPE type) -+{ -+ switch (type) { -+ case CKA_MODULUS: -+ case CKA_PUBLIC_EXPONENT: -+ case CKA_CERT_SHA1_HASH: -+ case CKA_CERT_MD5_HASH: -+ case CKA_TRUST_SERVER_AUTH: -+ case CKA_TRUST_CLIENT_AUTH: -+ case CKA_TRUST_EMAIL_PROTECTION: -+ case CKA_TRUST_CODE_SIGNING: -+ case CKA_TRUST_STEP_UP_APPROVED: -+ case CKA_NSS_OVERRIDE_EXTENSIONS: -+ return PR_TRUE; -+ default: -+ break; -+ } -+ return PR_FALSE; -+} -+ -+/* -+ * convert a database ulong back to a native ULONG. (reverse of the above -+ * function. -+ */ -+static CK_ULONG -+sdbULong2ULong(unsigned char *data) -+{ -+ int i; -+ CK_ULONG value = 0; -+ -+ for (i = 0; i < SDB_ULONG_SIZE; i++) { -+ value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE - 1 - i) -+ * PR_BITS_PER_BYTE); -+ } -+ return value; -+} -+ -+/* PBE defines and functions */ -+ -+typedef struct EncryptedDataInfoStr { -+ SECAlgorithmID algorithm; -+ SECItem encryptedData; -+} EncryptedDataInfo; -+ -+static const SEC_ASN1Template encryptedDataInfoTemplate[] = { -+ { SEC_ASN1_SEQUENCE, -+ 0, NULL, sizeof(EncryptedDataInfo) }, -+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, -+ offsetof(EncryptedDataInfo, algorithm), -+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, -+ { SEC_ASN1_OCTET_STRING, -+ offsetof(EncryptedDataInfo, encryptedData) }, -+ { 0 } -+}; -+ -+typedef struct PBEParameterStr { -+ SECAlgorithmID prfAlg; -+ SECItem salt; -+ SECItem iteration; -+ SECItem keyLength; -+} PBEParameter; -+ -+static const SEC_ASN1Template pkcs5V1PBEParameterTemplate[] = -+ { -+ { SEC_ASN1_SEQUENCE, -+ 0, NULL, sizeof(PBEParameter) }, -+ { 
SEC_ASN1_OCTET_STRING, -+ offsetof(PBEParameter, salt) }, -+ { SEC_ASN1_INTEGER, -+ offsetof(PBEParameter, iteration) }, -+ { 0 } -+ }; -+ -+static const SEC_ASN1Template pkcs12V2PBEParameterTemplate[] = -+ { -+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PBEParameter) }, -+ { SEC_ASN1_OCTET_STRING, offsetof(PBEParameter, salt) }, -+ { SEC_ASN1_INTEGER, offsetof(PBEParameter, iteration) }, -+ { 0 } -+ }; -+ -+ -+static const SEC_ASN1Template pkcs5V2PBEParameterTemplate[] = -+ { -+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PBEParameter) }, -+ /* this is really a choice, but since we don't understand any other -+ * choice, just inline it. */ -+ { SEC_ASN1_OCTET_STRING, offsetof(PBEParameter, salt) }, -+ { SEC_ASN1_INTEGER, offsetof(PBEParameter, iteration) }, -+ { SEC_ASN1_INTEGER, offsetof(PBEParameter, keyLength) }, -+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, -+ offsetof(PBEParameter, prfAlg), -+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, -+ { 0 } -+ }; -+ -+typedef struct Pkcs5v2PBEParameterStr { -+ SECAlgorithmID keyParams; /* parameters of the key generation */ -+ SECAlgorithmID algParams; /* parameters for the encryption or mac op */ -+} Pkcs5v2PBEParameter; -+ -+static const SEC_ASN1Template pkcs5v2PBES2ParameterTemplate[] = { -+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(Pkcs5v2PBEParameter) }, -+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, -+ offsetof(Pkcs5v2PBEParameter, keyParams), -+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, -+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN, -+ offsetof(Pkcs5v2PBEParameter, algParams), -+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, -+ { 0 } -+}; -+ -+static inline PRBool -+isPKCS12PBE(SECOidTag alg) { -+ switch (alg) { -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC: -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC: -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC: -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC: -+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4: -+ case 
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4: -+ return PR_TRUE; -+ default: -+ break; -+ } -+ return PR_FALSE; -+} -+ -+ -+/* helper functions */ -+ -+/* output an NSS specific attribute or name that wasn't found in our -+ * pkcs #11 table */ -+const char * -+makeNSSVendorName(CK_ATTRIBUTE_TYPE attribute, const char *nameType) -+{ -+ static char nss_name[256]; -+ const char *name = NULL; -+ if ((attribute >= CKA_NSS) && (attribute <= 0xffffffff)) { -+ sprintf(nss_name,"%s+%d", nameType, (int)(attribute-CKA_NSS)); -+ name = nss_name; -+ } -+ return name; -+} -+ -+/* turn and attribute into a name */ -+const char * -+AttributeName(CK_ATTRIBUTE_TYPE attribute) -+{ -+ const char *name = getNameFromAttribute(attribute); -+ if (!name) { -+ name = makeNSSVendorName(attribute, "CKA_NSS"); -+ } -+ -+ return name ? name : "UNKNOWN_ATTRIBUTE_TYPE"; -+} -+ -+/* turn and error code into a name */ -+const char * -+ErrorName(CK_RV crv) -+{ -+ const char *error = getName(crv, ConstResult); -+ if (!error) { -+ error = makeNSSVendorName(crv, "CKR_NSS"); -+ } -+ return error ? error : "UNKNOWN_ERROR"; -+} -+ -+/* turn an oud tag into a string */ -+const char * -+oid2string(SECOidTag alg) -+{ -+ const char *oidstring = SECOID_FindOIDTagDescription(alg); -+ const char *def="Invalid oid tag"; /* future build a dotted oid string value here */ -+ return oidstring ? oidstring : def; -+} -+ -+/* dump an arbitary data blob. Dump it has hex with ascii on the side */ -+#define ASCCHAR(val) ((val) >= ' ' && (val) <= 0x7e ? 
(val) : '.') -+#define LINE_LENGTH 16 -+void -+dumpValue(const unsigned char *v, int len) -+{ -+ int i, next = 0; -+ char string[LINE_LENGTH+1]; -+ char space[LINE_LENGTH*2+1]; -+ char *nl = ""; -+ char *sp = ""; -+ PORT_Memset(string, 0, sizeof(string)); -+ -+ for (i=0; i < len; i++) { -+ if ((i % LINE_LENGTH) == 0) { -+ printf("%s%s%s ", sp, string, nl); -+ PORT_Memset(string, 0, sizeof(string)); -+ next = 0; -+ nl = "\n"; -+ sp = " "; -+ } -+ printf("%02x", v[i]); -+ string[next++] = ASCCHAR(v[i]); -+ } -+ PORT_Memset(space, 0, sizeof(space)); -+ i = LINE_LENGTH - (len % LINE_LENGTH); -+ if (i != LINE_LENGTH) { -+ int j; -+ for (j=0 ; j < i; j++) { -+ space[j*2] = ' '; -+ space[j*2+1] = ' '; -+ } -+ } -+ printf("%s%s%s%s", space, sp, string, nl); -+} -+ -+/* dump a PKCS5/12 PBE blob */ -+void -+dumpPKCS(unsigned char *val, CK_ULONG len, PRBool *hasSig) -+{ -+ EncryptedDataInfo edi; -+ SECStatus rv; -+ SECItem data; -+ PLArenaPool *arena; -+ SECOidTag alg, prfAlg; -+ PBEParameter pbeParam; -+ unsigned char zero = 0; -+ const SEC_ASN1Template *template = pkcs5V1PBEParameterTemplate; -+ int iter, keyLen, i; -+ -+ if (hasSig) { *hasSig = PR_FALSE; } -+ -+ -+ data.data = val; -+ data.len = len; -+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); -+ if (arena == NULL) { -+ printf("Couldn't allocate arena\n"); -+ return; -+ } -+ -+ /* initialize default values */ -+ PORT_Memset(&pbeParam, 0, sizeof(pbeParam)); -+ pbeParam.keyLength.data = &zero; -+ pbeParam.keyLength.len = sizeof(zero); -+ SECOID_SetAlgorithmID(arena, &pbeParam.prfAlg, SEC_OID_SHA1, NULL); -+ -+ /* first crack the encrypted data from the PBE algorithm ID */ -+ rv = SEC_QuickDERDecodeItem(arena, &edi, encryptedDataInfoTemplate, &data); -+ if (rv != SECSuccess) { -+ printf("Encrypted Data, failed to decode\n"); -+ dumpValue(val,len); -+ PORT_FreeArena(arena, PR_FALSE); -+ return; -+ } -+ /* now use the pbe secalg to dump info on the pbe */ -+ alg = SECOID_GetAlgorithmTag(&edi.algorithm); -+ if ((alg == 
SEC_OID_PKCS5_PBES2) || (alg == SEC_OID_PKCS5_PBMAC1)){ -+ Pkcs5v2PBEParameter param; -+ SECOidTag palg; -+ const char *typeName = (alg == SEC_OID_PKCS5_PBES2) ? -+ "Encrypted Data PBES2" : -+ "Mac Data PBMAC1"; -+ -+ rv = SEC_QuickDERDecodeItem(arena, ¶m, -+ pkcs5v2PBES2ParameterTemplate, -+ &edi.algorithm.parameters); -+ if (rv != SECSuccess) { -+ printf("%s, failed to decode\n", typeName); -+ dumpValue(val,len); -+ PORT_FreeArena(arena, PR_FALSE); -+ return; -+ } -+ palg = SECOID_GetAlgorithmTag(¶m.algParams); -+ printf("%s alg=%s ", typeName, oid2string(palg)); -+ if (hasSig && palg == SEC_OID_AES_256_CBC) { -+ *hasSig = PR_TRUE; -+ } -+ template = pkcs5V2PBEParameterTemplate; -+ edi.algorithm.parameters = param.keyParams.parameters; -+ } else { -+ printf("Encrypted Data alg=%s ", oid2string(alg)); -+ if (alg == SEC_OID_PKCS5_PBKDF2) { -+ template = pkcs5V2PBEParameterTemplate; -+ } else if (isPKCS12PBE(alg)) { -+ template = pkcs12V2PBEParameterTemplate; -+ } else { -+ template = pkcs5V1PBEParameterTemplate; -+ } -+ } -+ rv = SEC_QuickDERDecodeItem(arena, &pbeParam, -+ template, -+ &edi.algorithm.parameters); -+ if (rv != SECSuccess) { -+ printf("( failed to decode params)\n"); -+ PORT_FreeArena(arena, PR_FALSE); -+ return; -+ } -+ /* dump the pbe parmeters */ -+ iter = DER_GetInteger(&pbeParam.iteration); -+ keyLen = DER_GetInteger(&pbeParam.keyLength); -+ prfAlg = SECOID_GetAlgorithmTag(&pbeParam.prfAlg); -+ printf("(prf=%s iter=%d keyLen=%d salt=0x", -+ oid2string(prfAlg), iter, keyLen); -+ for(i=0;i < pbeParam.salt.len; i++) printf("%02x",pbeParam.salt.data[i]); -+ printf(")\n"); -+ /* finally dump the raw encrypted data */ -+ dumpValue(edi.encryptedData.data, edi.encryptedData.len); -+ PORT_FreeArena(arena, PR_FALSE); -+} -+ -+/* dump a long attribute, convert to an unsigned long. 
PKCS #11 Longs are -+ * limited to 32 bits by the spec, even if the CK_ULONG is longer */ -+void -+dumpLongAttribute(CK_ATTRIBUTE_TYPE type, CK_ULONG value) -+{ -+ const char *nameType = "CK_NSS"; -+ ConstType constType = ConstNone; -+ const char *valueName = NULL; -+ -+ switch (type) { -+ case CKA_CLASS: -+ nameType = "CKO_NSS"; -+ constType = ConstObject; -+ break; -+ case CKA_CERTIFICATE_TYPE: -+ nameType = "CKC_NSS"; -+ constType = ConstCertType; -+ break; -+ case CKA_KEY_TYPE: -+ nameType = "CKK_NSS"; -+ constType = ConstKeyType; -+ break; -+ case CKA_MECHANISM_TYPE: -+ nameType = "CKM_NSS"; -+ constType = ConstMechanism; -+ break; -+ case CKA_TRUST_SERVER_AUTH: -+ case CKA_TRUST_CLIENT_AUTH: -+ case CKA_TRUST_CODE_SIGNING: -+ case CKA_TRUST_EMAIL_PROTECTION: -+ case CKA_TRUST_IPSEC_END_SYSTEM: -+ case CKA_TRUST_IPSEC_TUNNEL: -+ case CKA_TRUST_IPSEC_USER: -+ case CKA_TRUST_TIME_STAMPING: -+ nameType = "CKT_NSS"; -+ constType = ConstTrust; -+ break; -+ default: -+ break; -+ } -+ /* if value has a symbolic name, use it */ -+ if (constType != ConstNone) { -+ valueName = getName(value, constType); -+ } -+ if (!valueName) { -+ valueName = makeNSSVendorName(value, nameType); -+ } -+ if (!valueName) { -+ printf("%d (0x%08x)\n", (int) value, (int)value); -+ } else { -+ printf("%s (0x%08x)\n", valueName, (int)value); -+ } -+} -+ -+/* dump a signature for an object */ -+static const char META_SIG_TEMPLATE[] = "sig_%s_%08x_%08x"; -+void -+dumpSignature(CK_ATTRIBUTE_TYPE attribute, SDB *keydb, PRBool isKey, -+ CK_OBJECT_HANDLE objectID, PRBool force) -+{ -+ char id[30]; -+ CK_RV crv; -+ SECItem signText; -+ unsigned char signData[SDB_MAX_META_DATA_LEN]; -+ -+ if (!force && !isAuthenticatedAttribute(attribute)) { -+ return; -+ } -+ sprintf(id, META_SIG_TEMPLATE, -+ isKey ? 
"key" : "cert", -+ (unsigned int)objectID, (unsigned int)attribute); -+ printf(" Signature %s:",id); -+ signText.data = signData; -+ signText.len = sizeof(signData); -+ -+ -+ crv = (*keydb->sdb_GetMetaData)(keydb, id, &signText, NULL); -+ if ((crv != CKR_OK) && isKey) { -+ sprintf(id, META_SIG_TEMPLATE, -+ isKey ? "key" : "cert", (unsigned int) -+ (objectID | SFTK_KEYDB_TYPE | SFTK_TOKEN_TYPE), -+ (unsigned int)attribute); -+ crv = (*keydb->sdb_GetMetaData)(keydb, id, &signText, NULL); -+ } -+ if (crv != CKR_OK) { -+ printf(" FAILED %s with %s (0x%08x)\n", id, ErrorName(crv), (int) crv); -+ return; -+ } -+ dumpPKCS(signText.data, signText.len, NULL); -+ return; -+} -+ -+/* dump an attribute. use the helper functions above */ -+void -+dumpAttribute(CK_ATTRIBUTE *template, SDB *keydb, PRBool isKey, -+ CK_OBJECT_HANDLE id) -+{ -+ CK_ATTRIBUTE_TYPE attribute = template->type; -+ printf(" %s(0x%08x): ", AttributeName(attribute), (int)attribute); -+ if (template->pValue == NULL) { -+ printf("NULL (%d)\n", (int)template->ulValueLen); -+ return; -+ } -+ if (template->ulValueLen == SDB_ULONG_SIZE -+ && isULONGAttribute(attribute)) { -+ CK_ULONG value=sdbULong2ULong(template->pValue); -+ dumpLongAttribute(attribute, value); -+ return; -+ } -+ if (template->ulValueLen == 1) { -+ unsigned char val = *(unsigned char *)template->pValue; -+ switch (val) { -+ case 0: -+ printf("CK_FALSE\n"); -+ break; -+ case 1: -+ printf("CK_TRUE\n"); -+ break; -+ default: -+ printf("%d 0x%02x %c\n", val, val, ASCCHAR(val)); -+ break; -+ } -+ return; -+ } -+ if (isKey && isPrivateAttribute(attribute)) { -+ PRBool hasSig = PR_FALSE; -+ dumpPKCS(template->pValue, template->ulValueLen, &hasSig); -+ if (hasSig) { -+ dumpSignature(attribute, keydb, isKey, id, PR_TRUE); -+ } -+ return; -+ } -+ if (template->ulValueLen == 0) { printf("empty"); } -+ printf("\n"); -+ dumpValue(template->pValue, template->ulValueLen); -+} -+ -+/* dump all the attributes in an object */ -+void -+dumpObject(CK_OBJECT_HANDLE 
id, SDB *db, SDB *keydb, PRBool isKey) -+{ -+ CK_RV crv; -+ int i; -+ CK_ATTRIBUTE template; -+ char buffer[2048]; -+ char * alloc = NULL; -+ -+ printf(" Object 0x%08x:\n", (int)id); -+ for (i = 0; i < known_attributes_size; i++) { -+ CK_ATTRIBUTE_TYPE attribute = known_attributes[i]; -+ template.type = attribute; -+ template.pValue = NULL; -+ template.ulValueLen = 0; -+ crv = (*db->sdb_GetAttributeValue)(db, id, &template, 1); -+ -+ if (crv != CKR_OK) { -+ if (crv != CKR_ATTRIBUTE_TYPE_INVALID) { -+ PR_fprintf(PR_STDERR, " " -+ "Get Attribute %s (0x%08x):FAILED\"%s\"(0x%08x)\n", -+ AttributeName(attribute), (int)attribute, -+ ErrorName(crv), (int)crv); -+ } -+ continue; -+ } -+ -+ if (template.ulValueLen < sizeof(buffer)) { -+ template.pValue = buffer; -+ } else { -+ alloc = PORT_Alloc(template.ulValueLen); -+ template.pValue = alloc; -+ } -+ if (template.pValue == NULL) { -+ PR_fprintf(PR_STDERR, " " -+ "Could allocate %d bytes for Attribute %s (0x%08x)\n", -+ (int) template.ulValueLen, -+ AttributeName(attribute), (int)attribute); -+ continue; -+ } -+ crv = (*db->sdb_GetAttributeValue)(db, id, &template, 1); -+ -+ if (crv != CKR_OK) { -+ if (crv != CKR_ATTRIBUTE_TYPE_INVALID) { -+ PR_fprintf(PR_STDERR, " " -+ "Get Attribute %s (0x%08x):FAILED\"%s\"(0x%08x)\n", -+ AttributeName(attribute), (int)attribute, -+ ErrorName(crv), (int)crv); -+ } -+ if (alloc) { -+ PORT_Free(alloc); -+ alloc = NULL; -+ } -+ continue; -+ } -+ -+ dumpAttribute(&template, keydb, isKey, id); -+ dumpSignature(template.type, keydb, isKey, id, PR_FALSE); -+ if (alloc) { -+ PORT_Free(alloc); -+ alloc = NULL; -+ } -+ } -+} -+ -+/* dump all the objects in a database */ -+void -+dumpDB(SDB *db, const char *name, SDB *keydb, PRBool isKey) -+{ -+ SDBFind *findHandle= NULL; -+ CK_BBOOL isTrue = 1; -+ CK_ATTRIBUTE allObjectTemplate = {CKA_TOKEN, NULL, 1 }; -+ CK_ULONG allObjectTemplateCount = 1; -+ PRBool recordFound = PR_FALSE; -+ CK_RV crv = CKR_OK; -+ CK_ULONG objectCount = 0; -+ 
printf("%s:\n",name); -+ -+ allObjectTemplate.pValue = &isTrue; -+ crv = (*db->sdb_FindObjectsInit)(db, &allObjectTemplate, -+ allObjectTemplateCount, &findHandle); -+ do { -+ CK_OBJECT_HANDLE id; -+ recordFound = PR_FALSE; -+ crv =(*db->sdb_FindObjects)(db, findHandle, &id, 1, &objectCount); -+ if ((crv == CKR_OK) && (objectCount == 1)) { -+ recordFound = PR_TRUE; -+ dumpObject(id, db, keydb, isKey); -+ } -+ } while (recordFound); -+ if (crv != CKR_OK) { -+ PR_fprintf(PR_STDERR, -+ "Last record return PKCS #11 error = %s (0x%08x)\n", -+ ErrorName(crv), (int)crv); -+ } -+ (*db->sdb_FindObjectsFinal)(db,findHandle); -+} -+ -+int -+main(int argc, char **argv) -+{ -+ PLOptState *optstate; -+ PLOptStatus optstatus; -+ char *certPrefix="", *keyPrefix=""; -+ int cert_version = 9; -+ int key_version = 4; -+ SDB *certdb = NULL; -+ SDB *keydb = NULL; -+ PRBool isNew = PR_FALSE; -+ -+ CK_RV crv; -+ -+ progName = strrchr(argv[0], '/'); -+ if (!progName) -+ progName = strrchr(argv[0], '\\'); -+ progName = progName ? 
progName + 1 : argv[0]; -+ -+ optstate = PL_CreateOptState(argc, argv, "d:c:k:v:V:h"); -+ -+ while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { -+ switch (optstate->option) { -+ case 'h': -+ default: -+ Usage(); -+ break; -+ -+ case 'd': -+ dbDir = PORT_Strdup(optstate->value); -+ break; -+ -+ case 'c': -+ certPrefix = PORT_Strdup(optstate->value); -+ break; -+ -+ case 'k': -+ keyPrefix = PORT_Strdup(optstate->value); -+ break; -+ -+ case 'v': -+ key_version = atoi(optstate->value); -+ break; -+ -+ case 'V': -+ cert_version = atoi(optstate->value); -+ break; -+ -+ } -+ } -+ PL_DestroyOptState(optstate); -+ if (optstatus == PL_OPT_BAD) -+ Usage(); -+ -+ if (dbDir) { -+ char *tmp = dbDir; -+ dbDir = SECU_ConfigDirectory(tmp); -+ PORT_Free(tmp); -+ } else { -+ /* Look in $SSL_DIR */ -+ dbDir = SECU_ConfigDirectory(SECU_DefaultSSLDir()); -+ } -+ PR_fprintf(PR_STDERR, "dbdir selected is %s\n\n", dbDir); -+ -+ if (dbDir[0] == '\0') { -+ PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir); -+ return 1; -+ } -+ -+ PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); -+ SECOID_Init(); -+ -+ crv = s_open(dbDir, certPrefix, keyPrefix, cert_version, key_version, -+ SDB_RDONLY, &certdb, &keydb, &isNew); -+ if (crv != CKR_OK) { -+ PR_fprintf(PR_STDERR, -+ "Couldn't open databased in %s, error=%s (0x%08x)\n", -+ dbDir, ErrorName(crv), (int)crv); -+ return 1; -+ } -+ -+ /* now dump the objects in the cert database */ -+ dumpDB(certdb, "CertDB", keydb, PR_FALSE); -+ dumpDB(keydb, "KeyDB", keydb, PR_TRUE); -+ return 0; -+} -diff --git a/cmd/dbtool/dbtool.gyp b/cmd/dbtool/dbtool.gyp -new file mode 100644 ---- /dev/null -+++ b/cmd/dbtool/dbtool.gyp -@@ -0,0 +1,25 @@ -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
-+{ -+ 'includes': [ -+ '../../coreconf/config.gypi', -+ '../../cmd/platlibs.gypi' -+ ], -+ 'targets': [ -+ { -+ 'target_name': 'dbtest', -+ 'type': 'executable', -+ 'sources': [ -+ 'dbtest.c' -+ ], -+ 'dependencies': [ -+ '<(DEPTH)/exports.gyp:dbm_exports', -+ '<(DEPTH)/exports.gyp:nss_exports' -+ ] -+ } -+ ], -+ 'variables': { -+ 'module': 'nss' -+ } -+} -\ No newline at end of file -diff --git a/cmd/dbtool/manifest.mn b/cmd/dbtool/manifest.mn -new file mode 100644 ---- /dev/null -+++ b/cmd/dbtool/manifest.mn -@@ -0,0 +1,18 @@ -+# -+# This Source Code Form is subject to the terms of the Mozilla Public -+# License, v. 2.0. If a copy of the MPL was not distributed with this -+# file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ -+CORE_DEPTH = ../.. -+ -+# MODULE public and private header directories are implicitly REQUIRED. -+MODULE = nss -+ -+USE_STATIC_LIBS = 1 -+ -+# DIRS = -+ -+CSRCS = dbtool.c sdb.c -+ -+PROGRAM = dbtool -+ -diff --git a/cmd/dbtool/sdb.c b/cmd/dbtool/sdb.c -new file mode 100644 ---- /dev/null -+++ b/cmd/dbtool/sdb.c -@@ -0,0 +1,2469 @@ -+/* This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -+/* -+ * This file implements PKCS 11 on top of our existing security modules -+ * -+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard. -+ * This implementation has two slots: -+ * slot 1 is our generic crypto support. It does not require login. -+ * It supports Public Key ops, and all they bulk ciphers and hashes. -+ * It can also support Private Key ops for imported Private keys. It does -+ * not have any token storage. -+ * slot 2 is our private key support. It requires a login before use. It -+ * can store Private Keys and Certs as token objects. Currently only private -+ * keys and their associated Certificates are saved on the token. 
-+ * -+ * In this implementation, session objects are only visible to the session -+ * that created or generated them. -+ */ -+ -+#include "sdb.h" -+#include "pkcs11t.h" -+#include "seccomon.h" -+#include -+#include "prthread.h" -+#include "prio.h" -+#include -+#include "secport.h" -+#include "prmon.h" -+#include "prenv.h" -+#include "prprf.h" -+#include "prsystem.h" /* for PR_GetDirectorySeparator() */ -+#include -+#if defined(_WIN32) -+#include -+#include -+#elif defined(XP_UNIX) -+#include -+#endif -+#if defined(LINUX) && !defined(ANDROID) -+#include -+#include -+#endif -+#include "utilpars.h" -+ -+#ifdef SQLITE_UNSAFE_THREADS -+#include "prlock.h" -+/* -+ * SQLite can be compiled to be thread safe or not. -+ * turn on SQLITE_UNSAFE_THREADS if the OS does not support -+ * a thread safe version of sqlite. -+ */ -+static PRLock *sqlite_lock = NULL; -+ -+#define LOCK_SQLITE() PR_Lock(sqlite_lock); -+#define UNLOCK_SQLITE() PR_Unlock(sqlite_lock); -+#else -+#define LOCK_SQLITE() -+#define UNLOCK_SQLITE() -+#endif -+ -+typedef enum { -+ SDB_CERT = 1, -+ SDB_KEY = 2 -+} sdbDataType; -+ -+/* -+ * defines controlling how long we wait to acquire locks. -+ * -+ * SDB_SQLITE_BUSY_TIMEOUT specifies how long (in milliseconds) -+ * sqlite will wait on lock. If that timeout expires, sqlite will -+ * return SQLITE_BUSY. -+ * SDB_BUSY_RETRY_TIME specifies how many seconds the sdb_ code waits -+ * after receiving a busy before retrying. -+ * SDB_MAX_BUSY_RETRIES specifies how many times the sdb_ will retry on -+ * a busy condition. -+ * -+ * SDB_SQLITE_BUSY_TIMEOUT affects all opertions, both manual -+ * (prepare/step/reset/finalize) and automatic (sqlite3_exec()). -+ * SDB_BUSY_RETRY_TIME and SDB_MAX_BUSY_RETRIES only affect manual operations -+ * -+ * total wait time for automatic operations: -+ * 1 second (SDB_SQLITE_BUSY_TIMEOUT/1000). -+ * total wait time for manual operations: -+ * (1 second + SDB_BUSY_RETRY_TIME) * 30 = 30 seconds. 
-+ * (SDB_SQLITE_BUSY_TIMEOUT/1000 + SDB_BUSY_RETRY_TIME)*SDB_MAX_BUSY_RETRIES -+ */ -+#define SDB_SQLITE_BUSY_TIMEOUT 1000 /* milliseconds */ -+#define SDB_BUSY_RETRY_TIME 5 /* 'ticks', varies by platforms */ -+#define SDB_MAX_BUSY_RETRIES 30 -+ -+/* -+ * known attributes -+ */ -+static const CK_ATTRIBUTE_TYPE known_attributes[] = { -+ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_APPLICATION, -+ CKA_VALUE, CKA_OBJECT_ID, CKA_CERTIFICATE_TYPE, CKA_ISSUER, -+ CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES, CKA_TRUSTED, -+ CKA_CERTIFICATE_CATEGORY, CKA_JAVA_MIDP_SECURITY_DOMAIN, CKA_URL, -+ CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CKA_HASH_OF_ISSUER_PUBLIC_KEY, -+ CKA_CHECK_VALUE, CKA_KEY_TYPE, CKA_SUBJECT, CKA_ID, CKA_SENSITIVE, -+ CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER, -+ CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_START_DATE, CKA_END_DATE, -+ CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT, -+ CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT, -+ CKA_PUBLIC_KEY_INFO, CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_PRIME_BITS, -+ CKA_SUB_PRIME_BITS, CKA_VALUE_BITS, CKA_VALUE_LEN, CKA_EXTRACTABLE, -+ CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE, -+ CKA_KEY_GEN_MECHANISM, CKA_MODIFIABLE, CKA_EC_PARAMS, -+ CKA_EC_POINT, CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS, -+ CKA_ALWAYS_AUTHENTICATE, CKA_WRAP_WITH_TRUSTED, CKA_HW_FEATURE_TYPE, -+ CKA_RESET_ON_INIT, CKA_HAS_RESET, CKA_PIXEL_X, CKA_PIXEL_Y, -+ CKA_RESOLUTION, CKA_CHAR_ROWS, CKA_CHAR_COLUMNS, CKA_COLOR, -+ CKA_BITS_PER_PIXEL, CKA_CHAR_SETS, CKA_ENCODING_METHODS, CKA_MIME_TYPES, -+ CKA_MECHANISM_TYPE, CKA_REQUIRED_CMS_ATTRIBUTES, -+ CKA_DEFAULT_CMS_ATTRIBUTES, CKA_SUPPORTED_CMS_ATTRIBUTES, -+ CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, CKA_NSS_TRUST, CKA_NSS_URL, -+ CKA_NSS_EMAIL, CKA_NSS_SMIME_INFO, CKA_NSS_SMIME_TIMESTAMP, -+ CKA_NSS_PKCS8_SALT, CKA_NSS_PASSWORD_CHECK, CKA_NSS_EXPIRES, -+ CKA_NSS_KRL, CKA_NSS_PQG_COUNTER, 
CKA_NSS_PQG_SEED, -+ CKA_NSS_PQG_H, CKA_NSS_PQG_SEED_BITS, CKA_NSS_MODULE_SPEC, -+ CKA_NSS_OVERRIDE_EXTENSIONS, CKA_NSS_SERVER_DISTRUST_AFTER, -+ CKA_NSS_EMAIL_DISTRUST_AFTER, CKA_TRUST_DIGITAL_SIGNATURE, -+ CKA_TRUST_NON_REPUDIATION, CKA_TRUST_KEY_ENCIPHERMENT, -+ CKA_TRUST_DATA_ENCIPHERMENT, CKA_TRUST_KEY_AGREEMENT, -+ CKA_TRUST_KEY_CERT_SIGN, CKA_TRUST_CRL_SIGN, CKA_TRUST_SERVER_AUTH, -+ CKA_TRUST_CLIENT_AUTH, CKA_TRUST_CODE_SIGNING, CKA_TRUST_EMAIL_PROTECTION, -+ CKA_TRUST_IPSEC_END_SYSTEM, CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, -+ CKA_TRUST_TIME_STAMPING, CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, -+ CKA_CERT_MD5_HASH, CKA_NSS_DB -+}; -+ -+static const int known_attributes_size = PR_ARRAY_SIZE(known_attributes); -+ -+/* -+ * Note on use of sqlReadDB: Only one thread at a time may have an actual -+ * operation going on given sqlite3 * database. An operation is defined as -+ * the time from a sqlite3_prepare() until the sqlite3_finalize(). -+ * Multiple sqlite3 * databases can be open and have simultaneous operations -+ * going. We use the sqlXactDB for all write operations. This database -+ * is only opened when we first create a transaction and closed when the -+ * transaction is complete. sqlReadDB is open when we first opened the database -+ * and is used for all read operation. It's use is protected by a monitor. This -+ * is because an operation can span the use of FindObjectsInit() through the -+ * call to FindObjectsFinal(). In the intermediate time it is possible to call -+ * other operations like NSC_GetAttributeValue */ -+ -+struct SDBPrivateStr { -+ char *sqlDBName; /* invariant, path to this database */ -+ sqlite3 *sqlXactDB; /* access protected by dbMon, use protected -+ * by the transaction. 
Current transaction db*/
-+ PRThread *sqlXactThread; /* protected by dbMon,
-+ * current transaction thread */
-+ sqlite3 *sqlReadDB; /* use protected by dbMon, value invariant */
-+ PRIntervalTime lastUpdateTime; /* last time the cache was updated */
-+ PRIntervalTime updateInterval; /* how long the cache can go before it
-+ * must be updated again */
-+ sdbDataType type; /* invariant, database type */
-+ char *table; /* invariant, SQL table which contains the db */
-+ char *cacheTable; /* invariant, SQL table cache of db */
-+ PRMonitor *dbMon; /* invariant, monitor to protect
-+ * sqlXact* fields, and use of the sqlReadDB */
-+ CK_ATTRIBUTE_TYPE *schemaAttrs; /* Attribute columns that exist in the table. */
-+ unsigned int numSchemaAttrs;
-+};
-+
-+typedef struct SDBPrivateStr SDBPrivate;
-+
-+/* Magic for an explicit NULL. NOTE: ideally this should be
-+ * out of band data. Since it's not completely out of band, pick
-+ * a value that has no meaning to any existing PKCS #11 attributes.
-+ * This value is 1) not a valid string (imbedded '\0'). 2) not a U_LONG
-+ * or a normal key (too short). 3) not a bool (too long). 4) not an RSA
-+ * public exponent (too many bits).
-+ */
-+const unsigned char SQLITE_EXPLICIT_NULL[] = { 0xa5, 0x0, 0x5a };
-+#define SQLITE_EXPLICIT_NULL_LEN 3
-+
-+/*
-+ * determine when we've completed our tasks
-+ */
-+static int
-+sdb_done(int err, int *count)
-+{
-+ /* allow as many rows as the database wants to give */
-+ if (err == SQLITE_ROW) {
-+ *count = 0;
-+ return 0;
-+ }
-+ if (err != SQLITE_BUSY) {
-+ return 1;
-+ }
-+ /* err == SQLITE_BUSY, Dont' retry forever in this case */
-+ if (++(*count) >= SDB_MAX_BUSY_RETRIES) {
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-+#if defined(_WIN32)
-+/*
-+ * NSPR functions and narrow CRT functions do not handle UTF-8 file paths that
-+ * sqlite3 expects.
-+ */
-+
-+static int
-+sdb_chmod(const char *filename, int pmode)
-+{
-+ int result;
-+
-+ if (!filename) {
-+ return -1;
-+ }
-+
-+ wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
-+ if (!filenameWide) {
-+ return -1;
-+ }
-+ result = _wchmod(filenameWide, pmode);
-+ PORT_Free(filenameWide);
-+
-+ return result;
-+}
-+#else
-+#define sdb_chmod(filename, pmode) chmod((filename), (pmode))
-+#endif
-+
-+/*
-+ * find out where sqlite stores the temp tables. We do this by replicating
-+ * the logic from sqlite.
-+ */
-+#if defined(_WIN32)
-+static char *
-+sdb_getFallbackTempDir(void)
-+{
-+ /* sqlite uses sqlite3_temp_directory if it is not NULL. We don't have
-+ * access to sqlite3_temp_directory because it is not exported from
-+ * sqlite3.dll. Assume sqlite3_win32_set_directory isn't called and
-+ * sqlite3_temp_directory is NULL.
-+ */
-+ char path[MAX_PATH];
-+ DWORD rv;
-+ size_t len;
-+
-+ rv = GetTempPathA(MAX_PATH, path);
-+ if (rv > MAX_PATH || rv == 0)
-+ return NULL;
-+ len = strlen(path);
-+ if (len == 0)
-+ return NULL;
-+ /* The returned string ends with a backslash, for example, "C:\TEMP\".
*/
-+ if (path[len - 1] == '\\')
-+ path[len - 1] = '\0';
-+ return PORT_Strdup(path);
-+}
-+#elif defined(XP_UNIX)
-+static char *
-+sdb_getFallbackTempDir(void)
-+{
-+ const char *azDirs[] = {
-+ NULL,
-+ NULL,
-+ "/var/tmp",
-+ "/usr/tmp",
-+ "/tmp",
-+ NULL /* List terminator */
-+ };
-+ unsigned int i;
-+ struct stat buf;
-+ const char *zDir = NULL;
-+
-+ azDirs[0] = sqlite3_temp_directory;
-+ azDirs[1] = PR_GetEnvSecure("TMPDIR");
-+
-+ for (i = 0; i < PR_ARRAY_SIZE(azDirs); i++) {
-+ zDir = azDirs[i];
-+ if (zDir == NULL)
-+ continue;
-+ if (stat(zDir, &buf))
-+ continue;
-+ if (!S_ISDIR(buf.st_mode))
-+ continue;
-+ if (access(zDir, 07))
-+ continue;
-+ break;
-+ }
-+
-+ if (zDir == NULL)
-+ return NULL;
-+ return PORT_Strdup(zDir);
-+}
-+#else
-+#error "sdb_getFallbackTempDir not implemented"
-+#endif
-+
-+#ifndef SQLITE_FCNTL_TEMPFILENAME
-+/* SQLITE_FCNTL_TEMPFILENAME was added in SQLite 3.7.15 */
-+#define SQLITE_FCNTL_TEMPFILENAME 16
-+#endif
-+
-+static char *
-+sdb_getTempDir(sqlite3 *sqlDB)
-+{
-+ int sqlrv;
-+ char *result = NULL;
-+ char *tempName = NULL;
-+ char *foundSeparator = NULL;
-+
-+ /* Obtain temporary filename in sqlite's directory for temporary tables */
-+ sqlrv = sqlite3_file_control(sqlDB, 0, SQLITE_FCNTL_TEMPFILENAME,
-+ (void *)&tempName);
-+ if (sqlrv == SQLITE_NOTFOUND) {
-+ /* SQLITE_FCNTL_TEMPFILENAME not implemented because we are using
-+ * an older SQLite. */
-+ return sdb_getFallbackTempDir();
-+ }
-+ if (sqlrv != SQLITE_OK) {
-+ return NULL;
-+ }
-+
-+ /* We'll extract the temporary directory from tempName */
-+ foundSeparator = PORT_Strrchr(tempName, PR_GetDirectorySeparator());
-+ if (foundSeparator) {
-+ /* We shorten the temp filename string to contain only
-+ * the directory name (including the trailing separator).
-+ * We know the byte after the foundSeparator position is
-+ * safe to use, in the shortest scenario it contains the
-+ * end-of-string byte.
-+ * By keeping the separator at the found position, it will
-+ * even work if tempDir consists of the separator, only.
-+ * (In this case the toplevel directory will be used for
-+ * access speed testing). */
-+ ++foundSeparator;
-+ *foundSeparator = 0;
-+
-+ /* Now we copy the directory name for our caller */
-+ result = PORT_Strdup(tempName);
-+ }
-+
-+ sqlite3_free(tempName);
-+ return result;
-+}
-+
-+/*
-+ * Map SQL_LITE errors to PKCS #11 errors as best we can.
-+ */
-+static CK_RV
-+sdb_mapSQLError(sdbDataType type, int sqlerr)
-+{
-+ switch (sqlerr) {
-+ /* good matches */
-+ case SQLITE_OK:
-+ case SQLITE_DONE:
-+ return CKR_OK;
-+ case SQLITE_NOMEM:
-+ return CKR_HOST_MEMORY;
-+ case SQLITE_READONLY:
-+ return CKR_TOKEN_WRITE_PROTECTED;
-+ /* close matches */
-+ case SQLITE_AUTH:
-+ case SQLITE_PERM:
-+ /*return CKR_USER_NOT_LOGGED_IN; */
-+ case SQLITE_CANTOPEN:
-+ case SQLITE_NOTFOUND:
-+ /* NSS distiguishes between failure to open the cert and the key db */
-+ return type == SDB_CERT ? CKR_NSS_CERTDB_FAILED : CKR_NSS_KEYDB_FAILED;
-+ case SQLITE_IOERR:
-+ return CKR_DEVICE_ERROR;
-+ default:
-+ break;
-+ }
-+ return CKR_GENERAL_ERROR;
-+}
-+
-+/*
-+ * build up database name from a directory, prefix, name, version and flags.
-+ */
-+static char *
-+sdb_BuildFileName(const char *directory,
-+ const char *prefix, const char *type,
-+ int version)
-+{
-+ char *dbname = NULL;
-+ /* build the full dbname */
-+ dbname = sqlite3_mprintf("%s%c%s%s%d.db", directory,
-+ (int)(unsigned char)PR_GetDirectorySeparator(),
-+ prefix, type, version);
-+ return dbname;
-+}
-+
-+/*
-+ * find out how expensive the access system call is for non-existant files
-+ * in the given directory. Return the number of operations done in 33 ms.
-+ */
-+static PRUint32
-+sdb_measureAccess(const char *directory)
-+{
-+ PRUint32 i;
-+ PRIntervalTime time;
-+ PRIntervalTime delta;
-+ PRIntervalTime duration = PR_MillisecondsToInterval(33);
-+ const char *doesntExistName = "_dOeSnotExist_.db";
-+ char *temp, *tempStartOfFilename;
-+ size_t maxTempLen, maxFileNameLen, directoryLength, tmpdirLength = 0;
-+#ifdef SDB_MEASURE_USE_TEMP_DIR
-+ /*
-+ * on some OS's and Filesystems, creating a bunch of files and deleting
-+ * them messes up the systems's caching, but if we create the files in
-+ * a temp directory which we later delete, then the cache gets cleared
-+ * up. This code uses several OS dependent calls, and it's not clear
-+ * that temp directory use won't mess up other filesystems and OS caching,
-+ * so if you need this for your OS, you can turn on the
-+ * 'SDB_MEASURE_USE_TEMP_DIR' define in coreconf
-+ */
-+ const char template[] = "dbTemp.XXXXXX";
-+ tmpdirLength = sizeof(template);
-+#endif
-+ /* no directory, just return one */
-+ if (directory == NULL) {
-+ return 1;
-+ }
-+
-+ /* our calculation assumes time is a 4 bytes == 32 bit integer */
-+ PORT_Assert(sizeof(time) == 4);
-+
-+ directoryLength = strlen(directory);
-+
-+ maxTempLen = directoryLength + 1 /* dirname + / */
-+ + tmpdirLength /* tmpdirname includes / */
-+ + strlen(doesntExistName) /* filename base */
-+ + 11 /* max chars for 32 bit int plus potential sign */
-+ + 1; /* zero terminator */
-+
-+ temp = PORT_ZAlloc(maxTempLen);
-+ if (!temp) {
-+ return 1;
-+ }
-+
-+ /* We'll copy directory into temp just once, then ensure it ends
-+ * with the directory separator.
*/
-+
-+ strcpy(temp, directory);
-+ if (directory[directoryLength - 1] != PR_GetDirectorySeparator()) {
-+ temp[directoryLength++] = PR_GetDirectorySeparator();
-+ }
-+
-+#ifdef SDB_MEASURE_USE_TEMP_DIR
-+ /* add the template for a temporary subdir, and create it */
-+ strcat(temp, template);
-+ if (!mkdtemp(temp)) {
-+ PORT_Free(temp);
-+ return 1;
-+ }
-+ /* and terminate that tmp subdir with a / */
-+ strcat(temp, "/");
-+#endif
-+
-+ /* Remember the position after the last separator, and calculate the
-+ * number of remaining bytes. */
-+ tempStartOfFilename = temp + directoryLength + tmpdirLength;
-+ maxFileNameLen = maxTempLen - directoryLength;
-+
-+ /* measure number of Access operations that can be done in 33 milliseconds
-+ * (1/30'th of a second), or 10000 operations, which ever comes first.
-+ */
-+ time = PR_IntervalNow();
-+ for (i = 0; i < 10000u; i++) {
-+ PRIntervalTime next;
-+
-+ /* We'll use the variable part first in the filename string, just in
-+ * case it's longer than assumed, so if anything gets cut off, it
-+ * will be cut off from the constant part.
-+ * This code assumes the directory name at the beginning of
-+ * temp remains unchanged during our loop. */
-+ PR_snprintf(tempStartOfFilename, maxFileNameLen,
-+ ".%lu%s", (PRUint32)(time + i), doesntExistName);
-+ PR_Access(temp, PR_ACCESS_EXISTS);
-+ next = PR_IntervalNow();
-+ delta = next - time;
-+ if (delta >= duration)
-+ break;
-+ }
-+
-+#ifdef SDB_MEASURE_USE_TEMP_DIR
-+ /* turn temp back into our tmpdir path by removing doesntExistName, and
-+ * remove the tmp dir */
-+ *tempStartOfFilename = '\0';
-+ (void)rmdir(temp);
-+#endif
-+ PORT_Free(temp);
-+
-+ /* always return 1 or greater */
-+ return i ? i : 1u;
-+}
-+
-+/*
-+ * some file sytems are very slow to run sqlite3 on, particularly if the
-+ * access count is pretty high. On these filesystems is faster to create
-+ * a temporary database on the local filesystem and access that.
This
-+ * code uses a temporary table to create that cache. Temp tables are
-+ * automatically cleared when the database handle it was created on
-+ * Is freed.
-+ */
-+static const char DROP_CACHE_CMD[] = "DROP TABLE %s";
-+static const char CREATE_CACHE_CMD[] =
-+ "CREATE TEMPORARY TABLE %s AS SELECT * FROM %s";
-+static const char CREATE_ISSUER_INDEX_CMD[] =
-+ "CREATE INDEX issuer ON %s (a81)";
-+static const char CREATE_SUBJECT_INDEX_CMD[] =
-+ "CREATE INDEX subject ON %s (a101)";
-+static const char CREATE_LABEL_INDEX_CMD[] = "CREATE INDEX label ON %s (a3)";
-+static const char CREATE_ID_INDEX_CMD[] = "CREATE INDEX ckaid ON %s (a102)";
-+
-+static CK_RV
-+sdb_buildCache(sqlite3 *sqlDB, sdbDataType type,
-+ const char *cacheTable, const char *table)
-+{
-+ char *newStr;
-+ int sqlerr = SQLITE_OK;
-+
-+ newStr = sqlite3_mprintf(CREATE_CACHE_CMD, cacheTable, table);
-+ if (newStr == NULL) {
-+ return CKR_HOST_MEMORY;
-+ }
-+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
-+ sqlite3_free(newStr);
-+ if (sqlerr != SQLITE_OK) {
-+ return sdb_mapSQLError(type, sqlerr);
-+ }
-+ /* failure to create the indexes is not an issue */
-+ newStr = sqlite3_mprintf(CREATE_ISSUER_INDEX_CMD, cacheTable);
-+ if (newStr == NULL) {
-+ return CKR_OK;
-+ }
-+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
-+ sqlite3_free(newStr);
-+ newStr = sqlite3_mprintf(CREATE_SUBJECT_INDEX_CMD, cacheTable);
-+ if (newStr == NULL) {
-+ return CKR_OK;
-+ }
-+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
-+ sqlite3_free(newStr);
-+ newStr = sqlite3_mprintf(CREATE_LABEL_INDEX_CMD, cacheTable);
-+ if (newStr == NULL) {
-+ return CKR_OK;
-+ }
-+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
-+ sqlite3_free(newStr);
-+ newStr = sqlite3_mprintf(CREATE_ID_INDEX_CMD, cacheTable);
-+ if (newStr == NULL) {
-+ return CKR_OK;
-+ }
-+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
-+ sqlite3_free(newStr);
-+ return CKR_OK;
-+}
-+
-+/*
-+ * update the cache and the data records
describing it.
-+ * The cache is updated by dropping the temp database and recreating it.
-+ */
-+static CK_RV
-+sdb_updateCache(SDBPrivate *sdb_p)
-+{
-+ int sqlerr = SQLITE_OK;
-+ CK_RV error = CKR_OK;
-+ char *newStr;
-+
-+ /* drop the old table */
-+ newStr = sqlite3_mprintf(DROP_CACHE_CMD, sdb_p->cacheTable);
-+ if (newStr == NULL) {
-+ return CKR_HOST_MEMORY;
-+ }
-+ sqlerr = sqlite3_exec(sdb_p->sqlReadDB, newStr, NULL, 0, NULL);
-+ sqlite3_free(newStr);
-+ if ((sqlerr != SQLITE_OK) && (sqlerr != SQLITE_ERROR)) {
-+ /* something went wrong with the drop, don't try to refresh...
-+ * NOTE: SQLITE_ERROR is returned if the table doesn't exist. In
-+ * that case, we just continue on and try to reload it */
-+ return sdb_mapSQLError(sdb_p->type, sqlerr);
-+ }
-+
-+ /* set up the new table */
-+ error = sdb_buildCache(sdb_p->sqlReadDB, sdb_p->type,
-+ sdb_p->cacheTable, sdb_p->table);
-+ if (error == CKR_OK) {
-+ /* we have a new cache! */
-+ sdb_p->lastUpdateTime = PR_IntervalNow();
-+ }
-+ return error;
-+}
-+
-+/*
-+ * The sharing of sqlite3 handles across threads is tricky. Older versions
-+ * couldn't at all, but newer ones can under strict conditions. Basically
-+ * no 2 threads can use the same handle while another thread has an open
-+ * stmt running. Once the sqlite3_stmt is finalized, another thread can then
-+ * use the database handle.
-+ *
-+ * We use monitors to protect against trying to use a database before
-+ * it's sqlite3_stmt is finalized. This is preferable to the opening and
-+ * closing the database each operation because there is significant overhead
-+ * in the open and close. Also continually opening and closing the database
-+ * defeats the cache code as the cache table is lost on close (thus
-+ * requiring us to have to reinitialize the cache every operation).
-+ *
-+ * An execption to the shared handle is transations. All writes happen
-+ * through a transaction.
When we are in a transaction, we must use the
-+ * same database pointer for that entire transation. In this case we save
-+ * the transaction database and use it for all accesses on the transaction
-+ * thread. Other threads use the common database.
-+ *
-+ * There can only be once active transaction on the database at a time.
-+ *
-+ * sdb_openDBLocal() provides us with a valid database handle for whatever
-+ * state we are in (reading or in a transaction), and acquires any locks
-+ * appropriate to that state. It also decides when it's time to refresh
-+ * the cache before we start an operation. Any database handle returned
-+ * just eventually be closed with sdb_closeDBLocal().
-+ *
-+ * The table returned either points to the database's physical table, or
-+ * to the cached shadow. Tranactions always return the physical table
-+ * and read operations return either the physical table or the cache
-+ * depending on whether or not the cache exists.
-+ */
-+static CK_RV
-+sdb_openDBLocal(SDBPrivate *sdb_p, sqlite3 **sqlDB, const char **table)
-+{
-+ *sqlDB = NULL;
-+
-+ PR_EnterMonitor(sdb_p->dbMon);
-+
-+ if (table) {
-+ *table = sdb_p->table;
-+ }
-+
-+ /* We're in a transaction, use the transaction DB */
-+ if ((sdb_p->sqlXactDB) && (sdb_p->sqlXactThread == PR_GetCurrentThread())) {
-+ *sqlDB = sdb_p->sqlXactDB;
-+ /* only one thread can get here, safe to unlock */
-+ PR_ExitMonitor(sdb_p->dbMon);
-+ return CKR_OK;
-+ }
-+
-+ /*
-+ * if we are just reading from the table, we may have the table
-+ * cached in a temporary table (especially if it's on a shared FS).
-+ * In that case we want to see updates to the table, the the granularity
-+ * is on order of human scale, not computer scale.
-+ */
-+ if (table && sdb_p->cacheTable) {
-+ PRIntervalTime now = PR_IntervalNow();
-+ if ((now - sdb_p->lastUpdateTime) > sdb_p->updateInterval) {
-+ sdb_updateCache(sdb_p);
-+ }
-+ *table = sdb_p->cacheTable;
-+ }
-+
-+ *sqlDB = sdb_p->sqlReadDB;
-+
-+ /* leave holding the lock. only one thread can actually use a given
-+ * database connection at once */
-+
-+ return CKR_OK;
-+}
-+
-+/* closing the local database currenly means unlocking the monitor */
-+static CK_RV
-+sdb_closeDBLocal(SDBPrivate *sdb_p, sqlite3 *sqlDB)
-+{
-+ if (sdb_p->sqlXactDB != sqlDB) {
-+ /* if we weren't in a transaction, we got a lock */
-+ PR_ExitMonitor(sdb_p->dbMon);
-+ }
-+ return CKR_OK;
-+}
-+
-+/*
-+ * wrapper to sqlite3_open which also sets the busy_timeout
-+ */
-+static int
-+sdb_openDB(const char *name, sqlite3 **sqlDB, int flags)
-+{
-+ int sqlerr;
-+ int openFlags;
-+
-+ *sqlDB = NULL;
-+
-+ if (flags & SDB_RDONLY) {
-+ openFlags = SQLITE_OPEN_READONLY;
-+ } else {
-+ openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
-+ /* sqlite 3.34 seem to incorrectly open readwrite.
-+ * when the file is readonly. Explicitly reject that issue here */
-+ if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {
-+ return SQLITE_READONLY;
-+ }
-+ }
-+
-+ /* Requires SQLite 3.5.0 or newer. */
-+ sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL);
-+ if (sqlerr != SQLITE_OK) {
-+ return sqlerr;
-+ }
-+
-+ sqlerr = sqlite3_busy_timeout(*sqlDB, SDB_SQLITE_BUSY_TIMEOUT);
-+ if (sqlerr != SQLITE_OK) {
-+ sqlite3_close(*sqlDB);
-+ *sqlDB = NULL;
-+ return sqlerr;
-+ }
-+ return SQLITE_OK;
-+}
-+
-+/* Sigh, if we created a new table since we opened the database,
-+ * the database handle will not see the new table, we need to close this
-+ * database and reopen it. Caller must be in a transaction or holding
-+ * the dbMon. sqlDB is changed on success.
*/
-+static int
-+sdb_reopenDBLocal(SDBPrivate *sdb_p, sqlite3 **sqlDB)
-+{
-+ sqlite3 *newDB;
-+ int sqlerr;
-+
-+ /* open a new database */
-+ sqlerr = sdb_openDB(sdb_p->sqlDBName, &newDB, SDB_RDONLY);
-+ if (sqlerr != SQLITE_OK) {
-+ return sqlerr;
-+ }
-+
-+ /* if we are in a transaction, we may not be holding the monitor.
-+ * grab it before we update the transaction database. This is
-+ * safe since are using monitors. */
-+ PR_EnterMonitor(sdb_p->dbMon);
-+ /* update our view of the database */
-+ if (sdb_p->sqlReadDB == *sqlDB) {
-+ sdb_p->sqlReadDB = newDB;
-+ } else if (sdb_p->sqlXactDB == *sqlDB) {
-+ sdb_p->sqlXactDB = newDB;
-+ }
-+ PR_ExitMonitor(sdb_p->dbMon);
-+
-+ /* close the old one */
-+ sqlite3_close(*sqlDB);
-+
-+ *sqlDB = newDB;
-+ return SQLITE_OK;
-+}
-+
-+struct SDBFindStr {
-+ sqlite3 *sqlDB;
-+ sqlite3_stmt *findstmt;
-+};
-+
-+static const char FIND_OBJECTS_CMD[] = "SELECT ALL id FROM %s WHERE %s;";
-+static const char FIND_OBJECTS_ALL_CMD[] = "SELECT ALL id FROM %s;";
-+CK_RV
-+sdb_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *template, CK_ULONG count,
-+ SDBFind **find)
-+{
-+ SDBPrivate *sdb_p = sdb->private;
-+ sqlite3 *sqlDB = NULL;
-+ const char *table;
-+ char *newStr, *findStr = NULL;
-+ sqlite3_stmt *findstmt = NULL;
-+ char *join = "";
-+ int sqlerr = SQLITE_OK;
-+ CK_RV error = CKR_OK;
-+ unsigned int i;
-+
-+ LOCK_SQLITE()
-+ *find = NULL;
-+ error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
-+ if (error != CKR_OK) {
-+ goto loser;
-+ }
-+
-+ findStr = sqlite3_mprintf("");
-+ for (i = 0; findStr && i < count; i++) {
-+ newStr = sqlite3_mprintf("%s%sa%x=$DATA%d", findStr, join,
-+ template[i].type, i);
-+ join = " AND ";
-+ sqlite3_free(findStr);
-+ findStr = newStr;
-+ }
-+
-+ if (findStr == NULL) {
-+ error = CKR_HOST_MEMORY;
-+ goto loser;
-+ }
-+
-+ if (count == 0) {
-+ newStr = sqlite3_mprintf(FIND_OBJECTS_ALL_CMD, table);
-+ } else {
-+ newStr = sqlite3_mprintf(FIND_OBJECTS_CMD, table, findStr);
-+ }
-+
sqlite3_free(findStr);
-+ if (newStr == NULL) {
-+ error = CKR_HOST_MEMORY;
-+ goto loser;
-+ }
-+ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &findstmt, NULL);
-+ sqlite3_free(newStr);
-+ for (i = 0; sqlerr == SQLITE_OK && i < count; i++) {
-+ const void *blobData = template[i].pValue;
-+ unsigned int blobSize = template[i].ulValueLen;
-+ if (blobSize == 0) {
-+ blobSize = SQLITE_EXPLICIT_NULL_LEN;
-+ blobData = SQLITE_EXPLICIT_NULL;
-+ }
-+ sqlerr = sqlite3_bind_blob(findstmt, i + 1, blobData, blobSize,
-+ SQLITE_TRANSIENT);
-+ }
-+ if (sqlerr == SQLITE_OK) {
-+ *find = PORT_New(SDBFind);
-+ if (*find == NULL) {
-+ error = CKR_HOST_MEMORY;
-+ goto loser;
-+ }
-+ (*find)->findstmt = findstmt;
-+ (*find)->sqlDB = sqlDB;
-+ UNLOCK_SQLITE()
-+ return CKR_OK;
-+ }
-+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
-+
-+loser:
-+ if (findstmt) {
-+ sqlite3_reset(findstmt);
-+ sqlite3_finalize(findstmt);
-+ }
-+ if (sqlDB) {
-+ sdb_closeDBLocal(sdb_p, sqlDB);
-+ }
-+ UNLOCK_SQLITE()
-+ return error;
-+}
-+
-+CK_RV
-+sdb_FindObjects(SDB *sdb, SDBFind *sdbFind, CK_OBJECT_HANDLE *object,
-+ CK_ULONG arraySize, CK_ULONG *count)
-+{
-+ SDBPrivate *sdb_p = sdb->private;
-+ sqlite3_stmt *stmt = sdbFind->findstmt;
-+ int sqlerr = SQLITE_OK;
-+ int retry = 0;
-+
-+ *count = 0;
-+
-+ if (arraySize == 0) {
-+ return CKR_OK;
-+ }
-+ LOCK_SQLITE()
-+
-+ do {
-+ sqlerr = sqlite3_step(stmt);
-+ if (sqlerr == SQLITE_BUSY) {
-+ PR_Sleep(SDB_BUSY_RETRY_TIME);
-+ }
-+ if (sqlerr == SQLITE_ROW) {
-+ /* only care about the id */
-+ *object++ = sqlite3_column_int(stmt, 0);
-+ arraySize--;
-+ (*count)++;
-+ }
-+ } while (!sdb_done(sqlerr, &retry) && (arraySize > 0));
-+
-+ /* we only have some of the objects, there is probably more,
-+ * set the sqlerr to an OK value so we return CKR_OK */
-+ if (sqlerr == SQLITE_ROW && arraySize == 0) {
-+ sqlerr = SQLITE_DONE;
-+ }
-+ UNLOCK_SQLITE()
-+
-+ return sdb_mapSQLError(sdb_p->type, sqlerr);
-+}
-+
-+CK_RV
-+sdb_FindObjectsFinal(SDB *sdb, SDBFind
*sdbFind)
-+{
-+ SDBPrivate *sdb_p = sdb->private;
-+ sqlite3_stmt *stmt = sdbFind->findstmt;
-+ sqlite3 *sqlDB = sdbFind->sqlDB;
-+ int sqlerr = SQLITE_OK;
-+
-+ LOCK_SQLITE()
-+ if (stmt) {
-+ sqlite3_reset(stmt);
-+ sqlerr = sqlite3_finalize(stmt);
-+ }
-+ if (sqlDB) {
-+ sdb_closeDBLocal(sdb_p, sqlDB);
-+ }
-+ PORT_Free(sdbFind);
-+
-+ UNLOCK_SQLITE()
-+ return sdb_mapSQLError(sdb_p->type, sqlerr);
-+}
-+
-+static CK_RV
-+sdb_GetValidAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id,
-+ CK_ATTRIBUTE *template, CK_ULONG count)
-+{
-+ SDBPrivate *sdb_p = sdb->private;
-+ sqlite3 *sqlDB = NULL;
-+ sqlite3_stmt *stmt = NULL;
-+ const char *table = NULL;
-+ int sqlerr = SQLITE_OK;
-+ CK_RV error = CKR_OK;
-+ int found = 0;
-+ int retry = 0;
-+ unsigned int i;
-+
-+ if (count == 0) {
-+ error = CKR_OBJECT_HANDLE_INVALID;
-+ goto loser;
-+ }
-+
-+ /* open a new db if necessary */
-+ error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
-+ if (error != CKR_OK) {
-+ goto loser;
-+ }
-+
-+ char *columns = NULL;
-+ for (i = 0; i < count; i++) {
-+ char *newColumns;
-+ if (columns) {
-+ newColumns = sqlite3_mprintf("%s, a%x", columns, template[i].type);
-+ sqlite3_free(columns);
-+ columns = NULL;
-+ } else {
-+ newColumns = sqlite3_mprintf("a%x", template[i].type);
-+ }
-+ if (!newColumns) {
-+ error = CKR_HOST_MEMORY;
-+ goto loser;
-+ }
-+ columns = newColumns;
-+ }
-+
-+ PORT_Assert(columns);
-+
-+ char *statement = sqlite3_mprintf("SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;",
-+ columns, table);
-+ sqlite3_free(columns);
-+ columns = NULL;
-+ if (!statement) {
-+ error = CKR_HOST_MEMORY;
-+ goto loser;
-+ }
-+
-+ sqlerr = sqlite3_prepare_v2(sqlDB, statement, -1, &stmt, NULL);
-+ sqlite3_free(statement);
-+ statement = NULL;
-+ if (sqlerr != SQLITE_OK) {
-+ goto loser;
-+ }
-+
-+ // NB: indices in sqlite3_bind_int are 1-indexed
-+ sqlerr = sqlite3_bind_int(stmt, 1, object_id);
-+ if (sqlerr != SQLITE_OK) {
-+ goto loser;
-+ }
-+
-+ do {
-+ sqlerr =
sqlite3_step(stmt);
-+ if (sqlerr == SQLITE_BUSY) {
-+ PR_Sleep(SDB_BUSY_RETRY_TIME);
-+ }
-+ if (sqlerr == SQLITE_ROW) {
-+ PORT_Assert(!found);
-+ for (i = 0; i < count; i++) {
-+ unsigned int blobSize;
-+ const char *blobData;
-+
-+ // NB: indices in sqlite_column_{bytes,blob} are 0-indexed
-+ blobSize = sqlite3_column_bytes(stmt, i);
-+ blobData = sqlite3_column_blob(stmt, i);
-+ if (blobData == NULL) {
-+ /* PKCS 11 requires that get attributes process all the
-+ * attributes in the template, marking the attributes with
-+ * issues with -1. Mark the error but continue */
-+ template[i].ulValueLen = -1;
-+ error = CKR_ATTRIBUTE_TYPE_INVALID;
-+ continue;
-+ }
-+ /* If the blob equals our explicit NULL value, then the
-+ * attribute is a NULL. */
-+ if ((blobSize == SQLITE_EXPLICIT_NULL_LEN) &&
-+ (PORT_Memcmp(blobData, SQLITE_EXPLICIT_NULL,
-+ SQLITE_EXPLICIT_NULL_LEN) == 0)) {
-+ blobSize = 0;
-+ }
-+ if (template[i].pValue) {
-+ if (template[i].ulValueLen < blobSize) {
-+ /* like CKR_ATTRIBUTE_TYPE_INVALID, continue processing */
-+ template[i].ulValueLen = -1;
-+ error = CKR_BUFFER_TOO_SMALL;
-+ continue;
-+ }
-+ PORT_Memcpy(template[i].pValue, blobData, blobSize);
-+ }
-+ template[i].ulValueLen = blobSize;
-+ }
-+ found = 1;
-+ }
-+ } while (!sdb_done(sqlerr, &retry));
-+
-+ sqlite3_reset(stmt);
-+ sqlite3_finalize(stmt);
-+ stmt = NULL;
-+
-+loser:
-+ /* fix up the error if necessary */
-+ if (error == CKR_OK) {
-+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
-+ if (!found && error == CKR_OK) {
-+ error = CKR_OBJECT_HANDLE_INVALID;
-+ }
-+ }
-+
-+ if (stmt) {
-+ sqlite3_reset(stmt);
-+ sqlite3_finalize(stmt);
-+ }
-+
-+ /* if we had to open a new database, free it now */
-+ if (sqlDB) {
-+ sdb_closeDBLocal(sdb_p, sqlDB);
-+ }
-+ return error;
-+}
-+
-+/* NOTE: requires sdb_p->schemaAttrs to be sorted asc.
*/
-+inline static PRBool
-+sdb_attributeExists(SDB *sdb, CK_ATTRIBUTE_TYPE attr)
-+{
-+ SDBPrivate *sdb_p = sdb->private;
-+ int first = 0;
-+ int last = (int)sdb_p->numSchemaAttrs - 1;
-+ while (last >= first) {
-+ int mid = first + (last - first) / 2;
-+ if (sdb_p->schemaAttrs[mid] == attr) {
-+ return PR_TRUE;
-+ }
-+ if (attr > sdb_p->schemaAttrs[mid]) {
-+ first = mid + 1;
-+ } else {
-+ last = mid - 1;
-+ }
-+ }
-+
-+ return PR_FALSE;
-+}
-+
-+CK_RV
-+sdb_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id,
-+ CK_ATTRIBUTE *template, CK_ULONG count)
-+{
-+ CK_RV crv = CKR_OK;
-+ unsigned int tmplIdx;
-+ unsigned int resIdx = 0;
-+ unsigned int validCount = 0;
-+ unsigned int i;
-+
-+ if (count == 0) {
-+ return crv;
-+ }
-+
-+ CK_ATTRIBUTE *validTemplate;
-+ PRBool invalidExists = PR_FALSE;
-+ for (tmplIdx = 0; tmplIdx < count; tmplIdx++) {
-+ if (!sdb_attributeExists(sdb, template[tmplIdx].type)) {
-+ template[tmplIdx].ulValueLen = -1;
-+ crv = CKR_ATTRIBUTE_TYPE_INVALID;
-+ invalidExists = PR_TRUE;
-+ break;
-+ }
-+ }
-+
-+ if (!invalidExists) {
-+ validTemplate = template;
-+ validCount = count;
-+ } else {
-+ /* Create a new template containing only the valid subset of
-+ * input |template|, and query with that. */
-+ validCount = tmplIdx;
-+ validTemplate = malloc(sizeof(CK_ATTRIBUTE) * count);
-+ if (!validTemplate) {
-+ return CKR_HOST_MEMORY;
-+ }
-+ /* Copy in what we already know is valid. */
-+ for (i = 0; i < validCount; i++) {
-+ validTemplate[i] = template[i];
-+ }
-+
-+ /* tmplIdx was left at the index of the first invalid
-+ * attribute, which has been handled. We only need to
-+ * deal with the remainder.
*/
-+ tmplIdx++;
-+ for (; tmplIdx < count; tmplIdx++) {
-+ if (sdb_attributeExists(sdb, template[tmplIdx].type)) {
-+ validTemplate[validCount++] = template[tmplIdx];
-+ } else {
-+ template[tmplIdx].ulValueLen = -1;
-+ }
-+ }
-+ }
-+
-+ if (validCount) {
-+ LOCK_SQLITE()
-+ CK_RV crv2 = sdb_GetValidAttributeValueNoLock(sdb, object_id, validTemplate, validCount);
-+ UNLOCK_SQLITE()
-+
-+ /* If an invalid attribute was removed above, let
-+ * the caller know. Any other error from the actual
-+ * query should propogate. */
-+ crv = (crv2 == CKR_OK) ? crv : crv2;
-+ }
-+
-+ if (invalidExists) {
-+ /* Copy out valid lengths. */
-+ tmplIdx = 0;
-+ for (resIdx = 0; resIdx < validCount; resIdx++) {
-+ for (; tmplIdx < count; tmplIdx++) {
-+ if (template[tmplIdx].type != validTemplate[resIdx].type) {
-+ continue;
-+ }
-+ template[tmplIdx].ulValueLen = validTemplate[resIdx].ulValueLen;
-+ tmplIdx++;
-+ break;
-+ }
-+ }
-+ free(validTemplate);
-+ }
-+
-+ return crv;
-+}
-+
-+static const char SET_ATTRIBUTE_CMD[] = "UPDATE %s SET %s WHERE id=$ID;";
-+CK_RV
-+sdb_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id,
-+ const CK_ATTRIBUTE *template, CK_ULONG count)
-+{
-+ SDBPrivate *sdb_p = sdb->private;
-+ sqlite3 *sqlDB = NULL;
-+ sqlite3_stmt *stmt = NULL;
-+ char *setStr = NULL;
-+ char *newStr = NULL;
-+ int sqlerr = SQLITE_OK;
-+ int retry = 0;
-+ CK_RV error = CKR_OK;
-+ unsigned int i;
-+
-+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
-+ return CKR_TOKEN_WRITE_PROTECTED;
-+ }
-+
-+ if (count == 0) {
-+ return CKR_OK;
-+ }
-+
-+ LOCK_SQLITE()
-+ setStr = sqlite3_mprintf("");
-+ for (i = 0; setStr && i < count; i++) {
-+ if (i == 0) {
-+ sqlite3_free(setStr);
-+ setStr = sqlite3_mprintf("a%x=$VALUE%d",
-+ template[i].type, i);
-+ continue;
-+ }
-+ newStr = sqlite3_mprintf("%s,a%x=$VALUE%d", setStr,
-+ template[i].type, i);
-+ sqlite3_free(setStr);
-+ setStr = newStr;
-+ }
-+ newStr = NULL;
-+
-+ if (setStr == NULL) {
-+ return CKR_HOST_MEMORY;
-+ }
-+ newStr =
sqlite3_mprintf(SET_ATTRIBUTE_CMD, sdb_p->table, setStr);
-+ sqlite3_free(setStr);
-+ if (newStr == NULL) {
-+ UNLOCK_SQLITE()
-+ return CKR_HOST_MEMORY;
-+ }
-+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
-+ if (error != CKR_OK) {
-+ goto loser;
-+ }
-+ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
-+ if (sqlerr != SQLITE_OK)
-+ goto loser;
-+ for (i = 0; i < count; i++) {
-+ if (template[i].ulValueLen != 0) {
-+ sqlerr = sqlite3_bind_blob(stmt, i + 1, template[i].pValue,
-+ template[i].ulValueLen, SQLITE_STATIC);
-+ } else {
-+ sqlerr = sqlite3_bind_blob(stmt, i + 1, SQLITE_EXPLICIT_NULL,
-+ SQLITE_EXPLICIT_NULL_LEN, SQLITE_STATIC);
-+ }
-+ if (sqlerr != SQLITE_OK)
-+ goto loser;
-+ }
-+ sqlerr = sqlite3_bind_int(stmt, i + 1, object_id);
-+ if (sqlerr != SQLITE_OK)
-+ goto loser;
-+
-+ do {
-+ sqlerr = sqlite3_step(stmt);
-+ if (sqlerr == SQLITE_BUSY) {
-+ PR_Sleep(SDB_BUSY_RETRY_TIME);
-+ }
-+ } while (!sdb_done(sqlerr, &retry));
-+
-+loser:
-+ if (newStr) {
-+ sqlite3_free(newStr);
-+ }
-+ if (error == CKR_OK) {
-+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
-+ }
-+
-+ if (stmt) {
-+ sqlite3_reset(stmt);
-+ sqlite3_finalize(stmt);
-+ }
-+
-+ if (sqlDB) {
-+ sdb_closeDBLocal(sdb_p, sqlDB);
-+ }
-+
-+ UNLOCK_SQLITE()
-+ return error;
-+}
-+
-+/*
-+ * check to see if a candidate object handle already exists.
-+ */
-+static PRBool
-+sdb_objectExists(SDB *sdb, CK_OBJECT_HANDLE candidate)
-+{
-+ CK_RV crv;
-+ CK_ATTRIBUTE template = { CKA_LABEL, NULL, 0 };
-+
-+ crv = sdb_GetValidAttributeValueNoLock(sdb, candidate, &template, 1);
-+ if (crv == CKR_OBJECT_HANDLE_INVALID) {
-+ return PR_FALSE;
-+ }
-+ return PR_TRUE;
-+}
-+
-+/*
-+ * if we're here, we are in a transaction, so it's safe
-+ * to examine the current state of the database
-+ */
-+static CK_OBJECT_HANDLE
-+sdb_getObjectId(SDB *sdb)
-+{
-+ CK_OBJECT_HANDLE candidate;
-+ static CK_OBJECT_HANDLE next_obj = CK_INVALID_HANDLE;
-+ int count;
-+ /*
-+ * get an initial object handle to use
-+ */
-+ if (next_obj == CK_INVALID_HANDLE) {
-+ PRTime time;
-+ time = PR_Now();
-+
-+ next_obj = (CK_OBJECT_HANDLE)(time & 0x3fffffffL);
-+ }
-+ candidate = next_obj++;
-+ /* detect that we've looped through all the handles... */
-+ for (count = 0; count < 0x40000000; count++, candidate = next_obj++) {
-+ /* mask off excess bits */
-+ candidate &= 0x3fffffff;
-+ /* if we hit zero, go to the next entry */
-+ if (candidate == CK_INVALID_HANDLE) {
-+ continue;
-+ }
-+ /* make sure we aren't already using */
-+ if (!sdb_objectExists(sdb, candidate)) {
-+ /* this one is free */
-+ return candidate;
-+ }
-+ }
-+
-+ /* no handle is free, fail */
-+ return CK_INVALID_HANDLE;
-+}
-+
-+CK_RV
-+sdb_GetNewObjectID(SDB *sdb, CK_OBJECT_HANDLE *object)
-+{
-+ CK_OBJECT_HANDLE id;
-+
-+ id = sdb_getObjectId(sdb);
-+ if (id == CK_INVALID_HANDLE) {
-+ return CKR_DEVICE_MEMORY; /* basically we ran out of resources */
-+ }
-+ *object = id;
-+ return CKR_OK;
-+}
-+
-+static const char CREATE_CMD[] = "INSERT INTO %s (id%s) VALUES($ID%s);";
-+CK_RV
-+sdb_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *object_id,
-+ const CK_ATTRIBUTE *template, CK_ULONG count)
-+{
-+ SDBPrivate *sdb_p = sdb->private;
-+ sqlite3 *sqlDB = NULL;
-+ sqlite3_stmt *stmt = NULL;
-+ char *columnStr = NULL;
-+ char *valueStr = NULL;
-+ char *newStr = NULL;
-+ int sqlerr = SQLITE_OK;
-+
CK_RV error = CKR_OK; -+ CK_OBJECT_HANDLE this_object = CK_INVALID_HANDLE; -+ int retry = 0; -+ unsigned int i; -+ -+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) { -+ return CKR_TOKEN_WRITE_PROTECTED; -+ } -+ -+ LOCK_SQLITE() -+ if ((*object_id != CK_INVALID_HANDLE) && -+ !sdb_objectExists(sdb, *object_id)) { -+ this_object = *object_id; -+ } else { -+ this_object = sdb_getObjectId(sdb); -+ } -+ if (this_object == CK_INVALID_HANDLE) { -+ UNLOCK_SQLITE(); -+ return CKR_HOST_MEMORY; -+ } -+ columnStr = sqlite3_mprintf(""); -+ valueStr = sqlite3_mprintf(""); -+ *object_id = this_object; -+ for (i = 0; columnStr && valueStr && i < count; i++) { -+ newStr = sqlite3_mprintf("%s,a%x", columnStr, template[i].type); -+ sqlite3_free(columnStr); -+ columnStr = newStr; -+ newStr = sqlite3_mprintf("%s,$VALUE%d", valueStr, i); -+ sqlite3_free(valueStr); -+ valueStr = newStr; -+ } -+ newStr = NULL; -+ if ((columnStr == NULL) || (valueStr == NULL)) { -+ if (columnStr) { -+ sqlite3_free(columnStr); -+ } -+ if (valueStr) { -+ sqlite3_free(valueStr); -+ } -+ UNLOCK_SQLITE() -+ return CKR_HOST_MEMORY; -+ } -+ newStr = sqlite3_mprintf(CREATE_CMD, sdb_p->table, columnStr, valueStr); -+ sqlite3_free(columnStr); -+ sqlite3_free(valueStr); -+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); -+ if (error != CKR_OK) { -+ goto loser; -+ } -+ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL); -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ sqlerr = sqlite3_bind_int(stmt, 1, *object_id); -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ for (i = 0; i < count; i++) { -+ if (template[i].ulValueLen) { -+ sqlerr = sqlite3_bind_blob(stmt, i + 2, template[i].pValue, -+ template[i].ulValueLen, SQLITE_STATIC); -+ } else { -+ sqlerr = sqlite3_bind_blob(stmt, i + 2, SQLITE_EXPLICIT_NULL, -+ SQLITE_EXPLICIT_NULL_LEN, SQLITE_STATIC); -+ } -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ } -+ -+ do { -+ sqlerr = sqlite3_step(stmt); -+ if (sqlerr == SQLITE_BUSY) { -+ PR_Sleep(SDB_BUSY_RETRY_TIME); -+ } -+ } while 
(!sdb_done(sqlerr, &retry)); -+ -+loser: -+ if (newStr) { -+ sqlite3_free(newStr); -+ } -+ if (error == CKR_OK) { -+ error = sdb_mapSQLError(sdb_p->type, sqlerr); -+ } -+ -+ if (stmt) { -+ sqlite3_reset(stmt); -+ sqlite3_finalize(stmt); -+ } -+ -+ if (sqlDB) { -+ sdb_closeDBLocal(sdb_p, sqlDB); -+ } -+ UNLOCK_SQLITE() -+ -+ return error; -+} -+ -+/* -+ * Generic destroy that can destroy metadata or objects -+ */ -+static const char DESTROY_CMD[] = "DELETE FROM %s WHERE (id=$ID);"; -+CK_RV -+sdb_destroyAnyObject(SDB *sdb, const char *table, -+ CK_OBJECT_HANDLE object_id, const char *string_id) -+{ -+ SDBPrivate *sdb_p = sdb->private; -+ sqlite3 *sqlDB = NULL; -+ sqlite3_stmt *stmt = NULL; -+ char *newStr = NULL; -+ int sqlerr = SQLITE_OK; -+ CK_RV error = CKR_OK; -+ int retry = 0; -+ -+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) { -+ return CKR_TOKEN_WRITE_PROTECTED; -+ } -+ -+ LOCK_SQLITE() -+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); -+ if (error != CKR_OK) { -+ goto loser; -+ } -+ newStr = sqlite3_mprintf(DESTROY_CMD, table); -+ if (newStr == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL); -+ sqlite3_free(newStr); -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ if (string_id == NULL) { -+ sqlerr = sqlite3_bind_int(stmt, 1, object_id); -+ } else { -+ sqlerr = sqlite3_bind_text(stmt, 1, string_id, -+ PORT_Strlen(string_id), SQLITE_STATIC); -+ } -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ -+ do { -+ sqlerr = sqlite3_step(stmt); -+ if (sqlerr == SQLITE_BUSY) { -+ PR_Sleep(SDB_BUSY_RETRY_TIME); -+ } -+ } while (!sdb_done(sqlerr, &retry)); -+ -+loser: -+ if (error == CKR_OK) { -+ error = sdb_mapSQLError(sdb_p->type, sqlerr); -+ } -+ -+ if (stmt) { -+ sqlite3_reset(stmt); -+ sqlite3_finalize(stmt); -+ } -+ -+ if (sqlDB) { -+ sdb_closeDBLocal(sdb_p, sqlDB); -+ } -+ -+ UNLOCK_SQLITE() -+ return error; -+} -+ -+CK_RV -+sdb_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id) -+{ -+ SDBPrivate *sdb_p = 
sdb->private; -+ return sdb_destroyAnyObject(sdb, sdb_p->table, object_id, NULL); -+} -+ -+CK_RV -+sdb_DestroyMetaData(SDB *sdb, const char *id) -+{ -+ return sdb_destroyAnyObject(sdb, "metaData", 0, id); -+} -+ -+static const char BEGIN_CMD[] = "BEGIN IMMEDIATE TRANSACTION;"; -+ -+/* -+ * start a transaction. -+ * -+ * We need to open a new database, then store that new database into -+ * the private data structure. We open the database first, then use locks -+ * to protect storing the data to prevent deadlocks. -+ */ -+CK_RV -+sdb_Begin(SDB *sdb) -+{ -+ SDBPrivate *sdb_p = sdb->private; -+ sqlite3 *sqlDB = NULL; -+ sqlite3_stmt *stmt = NULL; -+ int sqlerr = SQLITE_OK; -+ CK_RV error = CKR_OK; -+ int retry = 0; -+ -+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) { -+ return CKR_TOKEN_WRITE_PROTECTED; -+ } -+ -+ LOCK_SQLITE() -+ -+ /* get a new version that we will use for the entire transaction */ -+ sqlerr = sdb_openDB(sdb_p->sqlDBName, &sqlDB, SDB_RDWR); -+ if (sqlerr != SQLITE_OK) { -+ goto loser; -+ } -+ -+ sqlerr = sqlite3_prepare_v2(sqlDB, BEGIN_CMD, -1, &stmt, NULL); -+ -+ do { -+ sqlerr = sqlite3_step(stmt); -+ if (sqlerr == SQLITE_BUSY) { -+ PR_Sleep(SDB_BUSY_RETRY_TIME); -+ } -+ /* don't retry BEGIN transaction*/ -+ retry = 0; -+ } while (!sdb_done(sqlerr, &retry)); -+ -+ if (stmt) { -+ sqlite3_reset(stmt); -+ sqlite3_finalize(stmt); -+ } -+ -+loser: -+ error = sdb_mapSQLError(sdb_p->type, sqlerr); -+ -+ /* we are starting a new transaction, -+ * and if we succeeded, then save this database for the rest of -+ * our transaction */ -+ if (error == CKR_OK) { -+ /* we hold a 'BEGIN TRANSACTION' and a sdb_p->lock. At this point -+ * sdb_p->sqlXactDB MUST be null */ -+ PR_EnterMonitor(sdb_p->dbMon); -+ PORT_Assert(sdb_p->sqlXactDB == NULL); -+ sdb_p->sqlXactDB = sqlDB; -+ sdb_p->sqlXactThread = PR_GetCurrentThread(); -+ PR_ExitMonitor(sdb_p->dbMon); -+ } else { -+ /* we failed to start our transaction, -+ * free any databases we opened. 
*/ -+ if (sqlDB) { -+ sqlite3_close(sqlDB); -+ } -+ } -+ -+ UNLOCK_SQLITE() -+ return error; -+} -+ -+/* -+ * Complete a transaction. Basically undo everything we did in begin. -+ * There are 2 flavors Abort and Commit. Basically the only differerence between -+ * these 2 are what the database will show. (no change in to former, change in -+ * the latter). -+ */ -+static CK_RV -+sdb_complete(SDB *sdb, const char *cmd) -+{ -+ SDBPrivate *sdb_p = sdb->private; -+ sqlite3 *sqlDB = NULL; -+ sqlite3_stmt *stmt = NULL; -+ int sqlerr = SQLITE_OK; -+ CK_RV error = CKR_OK; -+ int retry = 0; -+ -+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) { -+ return CKR_TOKEN_WRITE_PROTECTED; -+ } -+ -+ /* We must have a transation database, or we shouldn't have arrived here */ -+ PR_EnterMonitor(sdb_p->dbMon); -+ PORT_Assert(sdb_p->sqlXactDB); -+ if (sdb_p->sqlXactDB == NULL) { -+ PR_ExitMonitor(sdb_p->dbMon); -+ return CKR_GENERAL_ERROR; /* shouldn't happen */ -+ } -+ PORT_Assert(sdb_p->sqlXactThread == PR_GetCurrentThread()); -+ if (sdb_p->sqlXactThread != PR_GetCurrentThread()) { -+ PR_ExitMonitor(sdb_p->dbMon); -+ return CKR_GENERAL_ERROR; /* shouldn't happen */ -+ } -+ sqlDB = sdb_p->sqlXactDB; -+ sdb_p->sqlXactDB = NULL; /* no one else can get to this DB, -+ * safe to unlock */ -+ sdb_p->sqlXactThread = NULL; -+ PR_ExitMonitor(sdb_p->dbMon); -+ -+ sqlerr = sqlite3_prepare_v2(sqlDB, cmd, -1, &stmt, NULL); -+ -+ do { -+ sqlerr = sqlite3_step(stmt); -+ if (sqlerr == SQLITE_BUSY) { -+ PR_Sleep(SDB_BUSY_RETRY_TIME); -+ } -+ } while (!sdb_done(sqlerr, &retry)); -+ -+ /* Pending BEGIN TRANSACTIONS Can move forward at this point. */ -+ -+ if (stmt) { -+ sqlite3_reset(stmt); -+ sqlite3_finalize(stmt); -+ } -+ -+ /* we we have a cached DB image, update it as well */ -+ if (sdb_p->cacheTable) { -+ PR_EnterMonitor(sdb_p->dbMon); -+ sdb_updateCache(sdb_p); -+ PR_ExitMonitor(sdb_p->dbMon); -+ } -+ -+ error = sdb_mapSQLError(sdb_p->type, sqlerr); -+ -+ /* We just finished a transaction. 
-+ * Free the database, and remove it from the list */ -+ sqlite3_close(sqlDB); -+ -+ return error; -+} -+ -+static const char COMMIT_CMD[] = "COMMIT TRANSACTION;"; -+CK_RV -+sdb_Commit(SDB *sdb) -+{ -+ CK_RV crv; -+ LOCK_SQLITE() -+ crv = sdb_complete(sdb, COMMIT_CMD); -+ UNLOCK_SQLITE() -+ return crv; -+} -+ -+static const char ROLLBACK_CMD[] = "ROLLBACK TRANSACTION;"; -+CK_RV -+sdb_Abort(SDB *sdb) -+{ -+ CK_RV crv; -+ LOCK_SQLITE() -+ crv = sdb_complete(sdb, ROLLBACK_CMD); -+ UNLOCK_SQLITE() -+ return crv; -+} -+ -+static int tableExists(sqlite3 *sqlDB, const char *tableName); -+ -+static const char GET_PW_CMD[] = "SELECT ALL * FROM metaData WHERE id=$ID;"; -+CK_RV -+sdb_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2) -+{ -+ SDBPrivate *sdb_p = sdb->private; -+ sqlite3 *sqlDB = sdb_p->sqlXactDB; -+ sqlite3_stmt *stmt = NULL; -+ int sqlerr = SQLITE_OK; -+ CK_RV error = CKR_OK; -+ int found = 0; -+ int retry = 0; -+ -+ LOCK_SQLITE() -+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); -+ if (error != CKR_OK) { -+ goto loser; -+ } -+ -+ /* handle 'test' versions of the sqlite db */ -+ sqlerr = sqlite3_prepare_v2(sqlDB, GET_PW_CMD, -1, &stmt, NULL); -+ /* Sigh, if we created a new table since we opened the database, -+ * the database handle will not see the new table, we need to close this -+ * database and reopen it. This is safe because we are holding the lock -+ * still. 
*/ -+ if (sqlerr == SQLITE_SCHEMA) { -+ sqlerr = sdb_reopenDBLocal(sdb_p, &sqlDB); -+ if (sqlerr != SQLITE_OK) { -+ goto loser; -+ } -+ sqlerr = sqlite3_prepare_v2(sqlDB, GET_PW_CMD, -1, &stmt, NULL); -+ } -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ sqlerr = sqlite3_bind_text(stmt, 1, id, PORT_Strlen(id), SQLITE_STATIC); -+ do { -+ sqlerr = sqlite3_step(stmt); -+ if (sqlerr == SQLITE_BUSY) { -+ PR_Sleep(SDB_BUSY_RETRY_TIME); -+ } -+ if (sqlerr == SQLITE_ROW) { -+ const char *blobData; -+ unsigned int len = item1->len; -+ item1->len = sqlite3_column_bytes(stmt, 1); -+ if (item1->len > len) { -+ error = CKR_BUFFER_TOO_SMALL; -+ continue; -+ } -+ blobData = sqlite3_column_blob(stmt, 1); -+ PORT_Memcpy(item1->data, blobData, item1->len); -+ if (item2) { -+ len = item2->len; -+ item2->len = sqlite3_column_bytes(stmt, 2); -+ if (item2->len > len) { -+ error = CKR_BUFFER_TOO_SMALL; -+ continue; -+ } -+ blobData = sqlite3_column_blob(stmt, 2); -+ PORT_Memcpy(item2->data, blobData, item2->len); -+ } -+ found = 1; -+ } -+ } while (!sdb_done(sqlerr, &retry)); -+ -+loser: -+ /* fix up the error if necessary */ -+ if (error == CKR_OK) { -+ error = sdb_mapSQLError(sdb_p->type, sqlerr); -+ if (!found && error == CKR_OK) { -+ error = CKR_OBJECT_HANDLE_INVALID; -+ } -+ } -+ -+ if (stmt) { -+ sqlite3_reset(stmt); -+ sqlite3_finalize(stmt); -+ } -+ -+ if (sqlDB) { -+ sdb_closeDBLocal(sdb_p, sqlDB); -+ } -+ UNLOCK_SQLITE() -+ -+ return error; -+} -+ -+static const char PW_CREATE_TABLE_CMD[] = -+ "CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);"; -+static const char PW_CREATE_CMD[] = -+ "INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);"; -+static const char MD_CREATE_CMD[] = -+ "INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);"; -+ -+CK_RV -+sdb_PutMetaData(SDB *sdb, const char *id, const SECItem *item1, -+ const SECItem *item2) -+{ -+ SDBPrivate *sdb_p = sdb->private; -+ sqlite3 *sqlDB = sdb_p->sqlXactDB; -+ sqlite3_stmt *stmt = 
NULL; -+ int sqlerr = SQLITE_OK; -+ CK_RV error = CKR_OK; -+ int retry = 0; -+ const char *cmd = PW_CREATE_CMD; -+ -+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) { -+ return CKR_TOKEN_WRITE_PROTECTED; -+ } -+ -+ LOCK_SQLITE() -+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); -+ if (error != CKR_OK) { -+ goto loser; -+ } -+ -+ if (!tableExists(sqlDB, "metaData")) { -+ sqlerr = sqlite3_exec(sqlDB, PW_CREATE_TABLE_CMD, NULL, 0, NULL); -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ } -+ if (item2 == NULL) { -+ cmd = MD_CREATE_CMD; -+ } -+ sqlerr = sqlite3_prepare_v2(sqlDB, cmd, -1, &stmt, NULL); -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ sqlerr = sqlite3_bind_text(stmt, 1, id, PORT_Strlen(id), SQLITE_STATIC); -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ sqlerr = sqlite3_bind_blob(stmt, 2, item1->data, item1->len, SQLITE_STATIC); -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ if (item2) { -+ sqlerr = sqlite3_bind_blob(stmt, 3, item2->data, -+ item2->len, SQLITE_STATIC); -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ } -+ -+ do { -+ sqlerr = sqlite3_step(stmt); -+ if (sqlerr == SQLITE_BUSY) { -+ PR_Sleep(SDB_BUSY_RETRY_TIME); -+ } -+ } while (!sdb_done(sqlerr, &retry)); -+ -+loser: -+ /* fix up the error if necessary */ -+ if (error == CKR_OK) { -+ error = sdb_mapSQLError(sdb_p->type, sqlerr); -+ } -+ -+ if (stmt) { -+ sqlite3_reset(stmt); -+ sqlite3_finalize(stmt); -+ } -+ -+ if (sqlDB) { -+ sdb_closeDBLocal(sdb_p, sqlDB); -+ } -+ UNLOCK_SQLITE() -+ -+ return error; -+} -+ -+static const char RESET_CMD[] = "DELETE FROM %s;"; -+CK_RV -+sdb_Reset(SDB *sdb) -+{ -+ SDBPrivate *sdb_p = sdb->private; -+ sqlite3 *sqlDB = NULL; -+ char *newStr; -+ int sqlerr = SQLITE_OK; -+ CK_RV error = CKR_OK; -+ -+ /* only Key databases can be reset */ -+ if (sdb_p->type != SDB_KEY) { -+ return CKR_OBJECT_HANDLE_INVALID; -+ } -+ -+ LOCK_SQLITE() -+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL); -+ if (error != CKR_OK) { -+ goto loser; -+ } -+ -+ if (tableExists(sqlDB, sdb_p->table)) { -+ /* 
delete the contents of the key table */ -+ newStr = sqlite3_mprintf(RESET_CMD, sdb_p->table); -+ if (newStr == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); -+ sqlite3_free(newStr); -+ -+ if (sqlerr != SQLITE_OK) -+ goto loser; -+ } -+ -+ /* delete the password entry table */ -+ sqlerr = sqlite3_exec(sqlDB, "DROP TABLE IF EXISTS metaData;", -+ NULL, 0, NULL); -+ -+loser: -+ /* fix up the error if necessary */ -+ if (error == CKR_OK) { -+ error = sdb_mapSQLError(sdb_p->type, sqlerr); -+ } -+ -+ if (sqlDB) { -+ sdb_closeDBLocal(sdb_p, sqlDB); -+ } -+ -+ UNLOCK_SQLITE() -+ return error; -+} -+ -+CK_RV -+sdb_Close(SDB *sdb) -+{ -+ SDBPrivate *sdb_p = sdb->private; -+ int sqlerr = SQLITE_OK; -+ sdbDataType type = sdb_p->type; -+ -+ sqlerr = sqlite3_close(sdb_p->sqlReadDB); -+ PORT_Free(sdb_p->sqlDBName); -+ if (sdb_p->cacheTable) { -+ sqlite3_free(sdb_p->cacheTable); -+ } -+ if (sdb_p->dbMon) { -+ PR_DestroyMonitor(sdb_p->dbMon); -+ } -+ free(sdb_p->schemaAttrs); -+ free(sdb_p); -+ free(sdb); -+ return sdb_mapSQLError(type, sqlerr); -+} -+ -+/* -+ * functions to support open -+ */ -+ -+static const char CHECK_TABLE_CMD[] = "SELECT ALL * FROM %s LIMIT 0;"; -+ -+/* return 1 if sqlDB contains table 'tableName */ -+static int -+tableExists(sqlite3 *sqlDB, const char *tableName) -+{ -+ char *cmd = sqlite3_mprintf(CHECK_TABLE_CMD, tableName); -+ int sqlerr = SQLITE_OK; -+ -+ if (cmd == NULL) { -+ return 0; -+ } -+ -+ sqlerr = sqlite3_exec(sqlDB, cmd, NULL, 0, 0); -+ sqlite3_free(cmd); -+ -+ return (sqlerr == SQLITE_OK) ? 1 : 0; -+} -+ -+void -+sdb_SetForkState(PRBool forked) -+{ -+ /* XXXright now this is a no-op. The global fork state in the softokn3 -+ * shared library is already taken care of at the PKCS#11 level. 
-+ * If and when we add fork state to the sqlite shared library and extern -+ * interface, we will need to set it and reset it from here */ -+} -+ -+static int -+sdb_attributeComparator(const void *a, const void *b) -+{ -+ if (*(CK_ATTRIBUTE_TYPE *)a < *(CK_ATTRIBUTE_TYPE *)b) { -+ return -1; -+ } -+ if (*(CK_ATTRIBUTE_TYPE *)a > *(CK_ATTRIBUTE_TYPE *)b) { -+ return 1; -+ } -+ return 0; -+} -+ -+/* -+ * initialize a single database -+ */ -+static const char INIT_CMD[] = -+ "CREATE TABLE %s (id PRIMARY KEY UNIQUE ON CONFLICT ABORT%s)"; -+ -+CK_RV -+sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate, -+ int *newInit, int inFlags, PRUint32 accessOps, SDB **pSdb) -+{ -+ int i; -+ char *initStr = NULL; -+ char *newStr; -+ char *queryStr = NULL; -+ int inTransaction = 0; -+ SDB *sdb = NULL; -+ SDBPrivate *sdb_p = NULL; -+ sqlite3 *sqlDB = NULL; -+ int sqlerr = SQLITE_OK; -+ CK_RV error = CKR_OK; -+ char *cacheTable = NULL; -+ PRIntervalTime now = 0; -+ char *env; -+ PRBool enableCache = PR_FALSE; -+ PRBool checkFSType = PR_FALSE; -+ PRBool measureSpeed = PR_FALSE; -+ PRBool create; -+ int flags = inFlags & 0x7; -+ -+ *pSdb = NULL; -+ *inUpdate = 0; -+ -+ /* sqlite3 doesn't have a flag to specify that we want to -+ * open the database read only. If the db doesn't exist, -+ * sqlite3 will always create it. -+ */ -+ LOCK_SQLITE(); -+ create = (_NSSUTIL_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS); -+ if ((flags == SDB_RDONLY) && create) { -+ error = sdb_mapSQLError(type, SQLITE_CANTOPEN); -+ goto loser; -+ } -+ sqlerr = sdb_openDB(dbname, &sqlDB, flags); -+ if (sqlerr != SQLITE_OK) { -+ error = sdb_mapSQLError(type, sqlerr); -+ goto loser; -+ } -+ -+ /* -+ * SQL created the file, but it doesn't set appropriate modes for -+ * a database. -+ * -+ * NO NSPR call for chmod? 
:( -+ */ -+ if (create && sdb_chmod(dbname, 0600) != 0) { -+ error = sdb_mapSQLError(type, SQLITE_CANTOPEN); -+ goto loser; -+ } -+ -+ if (flags != SDB_RDONLY) { -+ sqlerr = sqlite3_exec(sqlDB, BEGIN_CMD, NULL, 0, NULL); -+ if (sqlerr != SQLITE_OK) { -+ error = sdb_mapSQLError(type, sqlerr); -+ goto loser; -+ } -+ inTransaction = 1; -+ } -+ if (!tableExists(sqlDB, table)) { -+ *newInit = 1; -+ if (flags != SDB_CREATE) { -+ error = sdb_mapSQLError(type, SQLITE_CANTOPEN); -+ goto loser; -+ } -+ initStr = sqlite3_mprintf(""); -+ for (i = 0; initStr && i < known_attributes_size; i++) { -+ newStr = sqlite3_mprintf("%s, a%x", initStr, known_attributes[i]); -+ sqlite3_free(initStr); -+ initStr = newStr; -+ } -+ if (initStr == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ -+ newStr = sqlite3_mprintf(INIT_CMD, table, initStr); -+ sqlite3_free(initStr); -+ if (newStr == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); -+ sqlite3_free(newStr); -+ if (sqlerr != SQLITE_OK) { -+ error = sdb_mapSQLError(type, sqlerr); -+ goto loser; -+ } -+ -+ newStr = sqlite3_mprintf(CREATE_ISSUER_INDEX_CMD, table); -+ if (newStr == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); -+ sqlite3_free(newStr); -+ if (sqlerr != SQLITE_OK) { -+ error = sdb_mapSQLError(type, sqlerr); -+ goto loser; -+ } -+ -+ newStr = sqlite3_mprintf(CREATE_SUBJECT_INDEX_CMD, table); -+ if (newStr == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); -+ sqlite3_free(newStr); -+ if (sqlerr != SQLITE_OK) { -+ error = sdb_mapSQLError(type, sqlerr); -+ goto loser; -+ } -+ -+ newStr = sqlite3_mprintf(CREATE_LABEL_INDEX_CMD, table); -+ if (newStr == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); -+ sqlite3_free(newStr); -+ if (sqlerr != SQLITE_OK) { -+ error = 
sdb_mapSQLError(type, sqlerr); -+ goto loser; -+ } -+ -+ newStr = sqlite3_mprintf(CREATE_ID_INDEX_CMD, table); -+ if (newStr == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL); -+ sqlite3_free(newStr); -+ if (sqlerr != SQLITE_OK) { -+ error = sdb_mapSQLError(type, sqlerr); -+ goto loser; -+ } -+ } -+ /* -+ * detect the case where we have created the database, but have -+ * not yet updated it. -+ * -+ * We only check the Key database because only the key database has -+ * a metaData table. The metaData table is created when a password -+ * is set, or in the case of update, when a password is supplied. -+ * If no key database exists, then the update would have happened immediately -+ * on noticing that the cert database didn't exist (see newInit set above). -+ */ -+ if (type == SDB_KEY && !tableExists(sqlDB, "metaData")) { -+ *newInit = 1; -+ } -+ -+ /* access to network filesystems are significantly slower than local ones -+ * for database operations. In those cases we need to create a cached copy -+ * of the database in a temporary location on the local disk. SQLITE -+ * already provides a way to create a temporary table and initialize it, -+ * so we use it for the cache (see sdb_buildCache for how it's done).*/ -+ -+ /* -+ * we decide whether or not to use the cache based on the following input. -+ * -+ * NSS_SDB_USE_CACHE environment variable is set to anything other than -+ * "yes" or "no" (for instance, "auto"): NSS will measure the performance -+ * of access to the temp database versus the access to the user's -+ * passed-in database location. If the temp database location is -+ * "significantly" faster we will use the cache. -+ * -+ * NSS_SDB_USE_CACHE environment variable is nonexistent or set to "no": -+ * cache will not be used. -+ * -+ * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will -+ * always be used. 
-+ * -+ * It is expected that most applications will not need this feature, and -+ * thus it is disabled by default. -+ */ -+ -+ env = PR_GetEnvSecure("NSS_SDB_USE_CACHE"); -+ -+ /* Variables enableCache, checkFSType, measureSpeed are PR_FALSE by default, -+ * which is the expected behavior for NSS_SDB_USE_CACHE="no". -+ * We don't need to check for "no" here. */ -+ if (!env) { -+ /* By default, with no variable set, we avoid expensive measuring for -+ * most FS types. We start with inexpensive FS type checking, and -+ * might perform measuring for some types. */ -+ checkFSType = PR_TRUE; -+ } else if (PORT_Strcasecmp(env, "yes") == 0) { -+ enableCache = PR_TRUE; -+ } else if (PORT_Strcasecmp(env, "no") != 0) { /* not "no" => "auto" */ -+ measureSpeed = PR_TRUE; -+ } -+ -+ if (checkFSType) { -+#if defined(LINUX) && !defined(ANDROID) -+ struct statfs statfs_s; -+ if (statfs(dbname, &statfs_s) == 0) { -+ switch (statfs_s.f_type) { -+ case SMB_SUPER_MAGIC: -+ case 0xff534d42: /* CIFS_MAGIC_NUMBER */ -+ case NFS_SUPER_MAGIC: -+ /* We assume these are slow. */ -+ enableCache = PR_TRUE; -+ break; -+ case CODA_SUPER_MAGIC: -+ case 0x65735546: /* FUSE_SUPER_MAGIC */ -+ case NCP_SUPER_MAGIC: -+ /* It's uncertain if this FS is fast or slow. -+ * It seems reasonable to perform slow measuring for users -+ * with questionable FS speed. */ -+ measureSpeed = PR_TRUE; -+ break; -+ case AFS_SUPER_MAGIC: /* Already implements caching. */ -+ default: -+ break; -+ } -+ } -+#endif -+ } -+ -+ if (measureSpeed) { -+ char *tempDir = NULL; -+ PRUint32 tempOps = 0; -+ /* -+ * Use PR_Access to determine how expensive it -+ * is to check for the existance of a local file compared to the same -+ * check in the temp directory. If the temp directory is faster, cache -+ * the database there. */ -+ tempDir = sdb_getTempDir(sqlDB); -+ if (tempDir) { -+ tempOps = sdb_measureAccess(tempDir); -+ PORT_Free(tempDir); -+ -+ /* There is a cost to continually copying the database. 
-+ * Account for that cost with the arbitrary factor of 10 */ -+ enableCache = (PRBool)(tempOps > accessOps * 10); -+ } -+ } -+ -+ if (enableCache) { -+ /* try to set the temp store to memory.*/ -+ sqlite3_exec(sqlDB, "PRAGMA temp_store=MEMORY", NULL, 0, NULL); -+ /* Failure to set the temp store to memory is not fatal, -+ * ignore the error */ -+ -+ cacheTable = sqlite3_mprintf("%sCache", table); -+ if (cacheTable == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ /* build the cache table */ -+ error = sdb_buildCache(sqlDB, type, cacheTable, table); -+ if (error != CKR_OK) { -+ goto loser; -+ } -+ /* initialize the last cache build time */ -+ now = PR_IntervalNow(); -+ } -+ -+ sdb = (SDB *)malloc(sizeof(SDB)); -+ if (!sdb) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ sdb_p = (SDBPrivate *)malloc(sizeof(SDBPrivate)); -+ if (!sdb_p) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ -+ /* Cache the attributes that are held in the table, so we can later check -+ * that queried attributes actually exist. We don't assume the schema -+ * to be exactly |known_attributes|, as it may change over time. */ -+ sdb_p->schemaAttrs = NULL; -+ if (!PORT_Strcmp("nssPublic", table) || -+ !PORT_Strcmp("nssPrivate", table)) { -+ sqlite3_stmt *stmt = NULL; -+ int retry = 0; -+ unsigned int backedAttrs = 0; -+ -+ /* Can't bind parameters to a PRAGMA. 
*/ -+ queryStr = sqlite3_mprintf("PRAGMA table_info(%s);", table); -+ if (queryStr == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ sqlerr = sqlite3_prepare_v2(sqlDB, queryStr, -1, &stmt, NULL); -+ sqlite3_free(queryStr); -+ queryStr = NULL; -+ if (sqlerr != SQLITE_OK) { -+ goto loser; -+ } -+ unsigned int schemaAttrsCapacity = known_attributes_size; -+ sdb_p->schemaAttrs = malloc(schemaAttrsCapacity * sizeof(CK_ATTRIBUTE_TYPE)); -+ if (!sdb_p->schemaAttrs) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ do { -+ sqlerr = sqlite3_step(stmt); -+ if (sqlerr == SQLITE_BUSY) { -+ PR_Sleep(SDB_BUSY_RETRY_TIME); -+ } -+ if (sqlerr == SQLITE_ROW) { -+ if (backedAttrs == schemaAttrsCapacity) { -+ schemaAttrsCapacity += known_attributes_size; -+ sdb_p->schemaAttrs = realloc(sdb_p->schemaAttrs, -+ schemaAttrsCapacity * sizeof(CK_ATTRIBUTE_TYPE)); -+ if (!sdb_p->schemaAttrs) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ } -+ /* Record the ULONG attribute value. */ -+ char *val = (char *)sqlite3_column_text(stmt, 1); -+ if (val && val[0] == 'a') { -+ CK_ATTRIBUTE_TYPE attr = strtoul(&val[1], NULL, 16); -+ sdb_p->schemaAttrs[backedAttrs++] = attr; -+ } -+ } -+ } while (!sdb_done(sqlerr, &retry)); -+ -+ if (sqlerr != SQLITE_DONE) { -+ goto loser; -+ } -+ sqlerr = sqlite3_reset(stmt); -+ if (sqlerr != SQLITE_OK) { -+ goto loser; -+ } -+ sqlerr = sqlite3_finalize(stmt); -+ if (sqlerr != SQLITE_OK) { -+ goto loser; -+ } -+ -+ sdb_p->numSchemaAttrs = backedAttrs; -+ -+ /* Sort these once so we can shortcut invalid attribute searches. */ -+ qsort(sdb_p->schemaAttrs, sdb_p->numSchemaAttrs, -+ sizeof(CK_ATTRIBUTE_TYPE), sdb_attributeComparator); -+ } -+ -+ /* invariant fields */ -+ sdb_p->sqlDBName = PORT_Strdup(dbname); -+ sdb_p->type = type; -+ sdb_p->table = table; -+ sdb_p->cacheTable = cacheTable; -+ sdb_p->lastUpdateTime = now; -+ /* set the cache delay time. This is how long we will wait before we -+ * decide the existing cache is stale. 
Currently set to 10 sec */ -+ sdb_p->updateInterval = PR_SecondsToInterval(10); -+ sdb_p->dbMon = PR_NewMonitor(); -+ /* these fields are protected by the lock */ -+ sdb_p->sqlXactDB = NULL; -+ sdb_p->sqlXactThread = NULL; -+ sdb->private = sdb_p; -+ sdb->version = 1; -+ sdb->sdb_flags = inFlags | SDB_HAS_META; -+ sdb->app_private = NULL; -+ sdb->sdb_FindObjectsInit = sdb_FindObjectsInit; -+ sdb->sdb_FindObjects = sdb_FindObjects; -+ sdb->sdb_FindObjectsFinal = sdb_FindObjectsFinal; -+ sdb->sdb_GetAttributeValue = sdb_GetAttributeValue; -+ sdb->sdb_SetAttributeValue = sdb_SetAttributeValue; -+ sdb->sdb_CreateObject = sdb_CreateObject; -+ sdb->sdb_DestroyObject = sdb_DestroyObject; -+ sdb->sdb_GetMetaData = sdb_GetMetaData; -+ sdb->sdb_PutMetaData = sdb_PutMetaData; -+ sdb->sdb_DestroyMetaData = sdb_DestroyMetaData; -+ sdb->sdb_Begin = sdb_Begin; -+ sdb->sdb_Commit = sdb_Commit; -+ sdb->sdb_Abort = sdb_Abort; -+ sdb->sdb_Reset = sdb_Reset; -+ sdb->sdb_Close = sdb_Close; -+ sdb->sdb_SetForkState = sdb_SetForkState; -+ sdb->sdb_GetNewObjectID = sdb_GetNewObjectID; -+ -+ if (inTransaction) { -+ sqlerr = sqlite3_exec(sqlDB, COMMIT_CMD, NULL, 0, NULL); -+ if (sqlerr != SQLITE_OK) { -+ error = sdb_mapSQLError(sdb_p->type, sqlerr); -+ goto loser; -+ } -+ inTransaction = 0; -+ } -+ -+ sdb_p->sqlReadDB = sqlDB; -+ -+ *pSdb = sdb; -+ UNLOCK_SQLITE(); -+ return CKR_OK; -+ -+loser: -+ /* lots of stuff to do */ -+ if (inTransaction) { -+ sqlite3_exec(sqlDB, ROLLBACK_CMD, NULL, 0, NULL); -+ } -+ if (sdb) { -+ free(sdb); -+ } -+ if (sdb_p) { -+ if (sdb_p->schemaAttrs) { -+ free(sdb_p->schemaAttrs); -+ } -+ free(sdb_p); -+ } -+ if (sqlDB) { -+ sqlite3_close(sqlDB); -+ } -+ UNLOCK_SQLITE(); -+ return error; -+} -+ -+/* sdbopen */ -+CK_RV -+s_open(const char *directory, const char *certPrefix, const char *keyPrefix, -+ int cert_version, int key_version, int flags, -+ SDB **certdb, SDB **keydb, int *newInit) -+{ -+ char *cert = sdb_BuildFileName(directory, certPrefix, -+ "cert", 
cert_version); -+ char *key = sdb_BuildFileName(directory, keyPrefix, -+ "key", key_version); -+ CK_RV error = CKR_OK; -+ int inUpdate; -+ PRUint32 accessOps; -+ -+ if (certdb) -+ *certdb = NULL; -+ if (keydb) -+ *keydb = NULL; -+ *newInit = 0; -+ -+#ifdef SQLITE_UNSAFE_THREADS -+ if (sqlite_lock == NULL) { -+ sqlite_lock = PR_NewLock(); -+ if (sqlite_lock == NULL) { -+ error = CKR_HOST_MEMORY; -+ goto loser; -+ } -+ } -+#endif -+ -+ /* how long does it take to test for a non-existant file in our working -+ * directory? Allows us to test if we may be on a network file system */ -+ accessOps = 1; -+ { -+ char *env; -+ env = PR_GetEnvSecure("NSS_SDB_USE_CACHE"); -+ /* If the environment variable is undefined or set to yes or no, -+ * sdb_init() will ignore the value of accessOps, and we can skip the -+ * measuring.*/ -+ if (env && PORT_Strcasecmp(env, "no") != 0 && -+ PORT_Strcasecmp(env, "yes") != 0) { -+ accessOps = sdb_measureAccess(directory); -+ } -+ } -+ -+ /* -+ * open the cert data base -+ */ -+ if (certdb) { -+ /* initialize Certificate database */ -+ error = sdb_init(cert, "nssPublic", SDB_CERT, &inUpdate, -+ newInit, flags, accessOps, certdb); -+ if (error != CKR_OK) { -+ goto loser; -+ } -+ } -+ -+ /* -+ * open the key data base: -+ * NOTE:if we want to implement a single database, we open -+ * the same database file as the certificate here. -+ * -+ * cert an key db's have different tables, so they will not -+ * conflict. 
-+ */ -+ if (keydb) { -+ /* initialize the Key database */ -+ error = sdb_init(key, "nssPrivate", SDB_KEY, &inUpdate, -+ newInit, flags, accessOps, keydb); -+ if (error != CKR_OK) { -+ goto loser; -+ } -+ } -+ -+loser: -+ if (cert) { -+ sqlite3_free(cert); -+ } -+ if (key) { -+ sqlite3_free(key); -+ } -+ -+ if (error != CKR_OK) { -+ /* currently redundant, but could be necessary if more code is added -+ * just before loser */ -+ if (keydb && *keydb) { -+ sdb_Close(*keydb); -+ } -+ if (certdb && *certdb) { -+ sdb_Close(*certdb); -+ } -+ } -+ -+ return error; -+} -+ -+CK_RV -+s_shutdown() -+{ -+#ifdef SQLITE_UNSAFE_THREADS -+ if (sqlite_lock) { -+ PR_DestroyLock(sqlite_lock); -+ sqlite_lock = NULL; -+ } -+#endif -+ return CKR_OK; -+} -diff --git a/cmd/manifest.mn b/cmd/manifest.mn ---- a/cmd/manifest.mn -+++ b/cmd/manifest.mn -@@ -36,16 +36,17 @@ NSS_SRCDIRS = \ - addbuiltin \ - atob \ - btoa \ - certutil \ - chktest \ - crlutil \ - crmftest \ - dbtest \ -+ dbtool \ - derdump \ - digest \ - httpserv \ - listsuites \ - makepqg \ - multinit \ - nss-policy-check \ - ocspclnt \ diff --git a/SOURCES/nss-3.90-DisablingASM.patch b/SOURCES/nss-3.90-DisablingASM.patch deleted file mode 100644 index 7d1a17f..0000000 --- a/SOURCES/nss-3.90-DisablingASM.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile -index 74e8e65..8995752 100644 ---- a/lib/freebl/Makefile -+++ b/lib/freebl/Makefile -@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null - -+typedef struct KeyLengthEntryStr { -+ SECOidTag tag; -+ unsigned int len; -+ PRBool encoded; -+} KeyLengthEntry; -+ -+const KeyLengthEntry keyLengthTable[] = { -+ { SEC_OID_SECG_EC_SECP256R1, 65, PR_TRUE }, -+ { SEC_OID_SECG_EC_SECP384R1, 97, PR_TRUE }, -+ { SEC_OID_SECG_EC_SECP521R1, 133, PR_TRUE }, -+ { SEC_OID_CURVE25519, 32, PR_FALSE } -+}; -+ -+const KeyLengthEntry * -+getKeyLengthEntry(SECOidTag tag) -+{ -+ int i; -+ -+ for (i = 0; i < PR_ARRAY_SIZE(keyLengthTable); i++) { -+ if (keyLengthTable[i].tag == tag) { -+ return &keyLengthTable[i]; -+ } -+ } -+ return NULL; -+} -+ - void - printBuf(const SECItem *item) - { -@@ -53,6 +79,10 @@ ectest_curve_pkcs11(SECOidTag oid) - CK_MECHANISM_TYPE target = CKM_TLS12_MASTER_KEY_DERIVE_DH; - PK11SymKey *symKey = NULL; - SECStatus rv = SECFailure; -+ const KeyLengthEntry *keyLengthEntry; -+ SECItem point = { siBuffer, NULL, 0 }; -+ SECItem value = { siBuffer, NULL, 0 }; -+ PLArenaPool *arena = NULL; - - oidData = SECOID_FindOIDByTag(oid); - if (oidData == NULL) { -@@ -79,8 +109,63 @@ ectest_curve_pkcs11(SECOidTag oid) - goto cleanup; - } - PrintKey(symKey); -- rv = SECSuccess; - -+ keyLengthEntry = getKeyLengthEntry(oid); -+ /* this shouldn't happen unless new curves are added without adding them -+ * to the keyLengthTable */ -+ PR_ASSERT(keyLengthEntry); -+ -+ /* make sure we are returning CKA_EC_POINT according to the PKCS #11 standard. 
-+ * NSS itself can tolerate non-standard CKA_EC_POINT, so this is the only place -+ * our test will detect incorrect behavior */ -+ rv = PK11_ReadRawAttribute(PK11_TypePubKey, pubKey, CKA_EC_POINT, &point); -+ if (rv == SECFailure) { -+ printf(" >>> Couldn't get CKA_EC_POINT from the ec pubKey.\n"); -+ goto cleanup; -+ } -+ rv = SECFailure; -+ if (keyLengthEntry->encoded) { -+ if (point.len == keyLengthEntry->len) { -+ printf(" >>> Expected encoded CKA_EC_POINT and got a decoded value.\n"); -+ printBuf(&point); -+ goto cleanup; -+ } -+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); -+ if (arena == NULL) { -+ printf(" >>> arena alloc failed.\n"); -+ goto cleanup; -+ } -+ -+ rv = SEC_QuickDERDecodeItem(arena, &value, SEC_ASN1_GET(SEC_OctetStringTemplate), -+ &point); -+ if (rv != SECSuccess) { -+ printf(" >>> invalid endoded CKA_EC_POINT.\n"); -+ printBuf(&point); -+ goto cleanup; -+ } -+ rv = SECFailure; -+ if (value.len != keyLengthEntry->len) { -+ printf(" >>> invalid decoded CKA_EC_POINT len (%d) expected %d.\n", -+ value.len, keyLengthEntry->len); -+ printBuf(&value); -+ goto cleanup; -+ } -+ if (value.data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ printf(" >>> invalid CKA_EC_POINT format (%02x) expected %02x.\n", -+ value.data[0], EC_POINT_FORM_UNCOMPRESSED); -+ printBuf(&value); -+ goto cleanup; -+ } -+ } else { -+ if (point.len != keyLengthEntry->len) { -+ printf(" >>> invalid CKA_EC_POINT len (%d) expected %d.\n", -+ point.len, keyLengthEntry->len); -+ printBuf(&point); -+ goto cleanup; -+ } -+ } -+ -+ rv = SECSuccess; - cleanup: - if (privKey) { - SECKEY_DestroyPrivateKey(privKey); -@@ -91,7 +176,11 @@ cleanup: - if (symKey) { - PK11_FreeSymKey(symKey); - } -+ if (arena) { -+ PORT_FreeArena(arena, PR_TRUE); -+ } - SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE); -+ SECITEM_FreeItem(&point, PR_FALSE); - - return rv; - } -diff -up ./lib/freebl/blapit.h.ecc_wrap ./lib/freebl/blapit.h ---- ./lib/freebl/blapit.h.ecc_wrap 2023-06-04 01:42:53.000000000 -0700 -+++ 
./lib/freebl/blapit.h 2024-01-23 14:07:29.421036328 -0800 -@@ -375,7 +375,9 @@ typedef struct DHPrivateKeyStr DHPrivate - */ - - typedef enum { ec_params_explicit, -- ec_params_named -+ ec_params_named, -+ ec_params_edwards_named, -+ ec_params_montgomery_named, - } ECParamsType; - - typedef enum { ec_field_GFp = 1, -diff -up ./lib/freebl/ecdecode.c.ecc_wrap ./lib/freebl/ecdecode.c ---- ./lib/freebl/ecdecode.c.ecc_wrap 2024-01-23 14:07:14.533870602 -0800 -+++ ./lib/freebl/ecdecode.c 2024-01-23 14:07:29.422036340 -0800 -@@ -176,6 +176,7 @@ EC_FillParams(PLArenaPool *arena, const - - case SEC_OID_CURVE25519: - /* Populate params for Curve25519 */ -+ params->type = ec_params_montgomery_named; - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, - ec_field_plain, - params)); -diff -up ./lib/softoken/pkcs11c.c.ecc_wrap ./lib/softoken/pkcs11c.c ---- ./lib/softoken/pkcs11c.c.ecc_wrap 2024-01-23 14:07:14.520870457 -0800 -+++ ./lib/softoken/pkcs11c.c 2024-01-23 14:08:38.198801966 -0800 -@@ -5164,7 +5164,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION - } - /* make sure it has the same encoding */ - if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || -- lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) { -+ lowPrivKey->u.ec.ecParams.type != ec_params_named) { - lowPubValue = SECITEM_DupItem(&ecPriv->publicValue); - } else { - lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue, -@@ -5694,7 +5694,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS - } - - if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || -- ecParams->fieldID.type == ec_field_plain) { -+ ecParams->type != ec_params_named) { - PORT_FreeArena(ecParams->arena, PR_TRUE); - crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, - sftk_item_expand(&ecPriv->publicValue)); -diff -up ./lib/softoken/pkcs11.c.ecc_wrap ./lib/softoken/pkcs11.c ---- ./lib/softoken/pkcs11.c.ecc_wrap 2024-01-23 14:07:14.505870290 -0800 -+++ ./lib/softoken/pkcs11.c 2024-01-23 14:07:29.423036351 -0800 -@@ -1897,8 +1897,8 @@ 
sftk_GetPubKey(SFTKObject *object, CK_KE - /* Handle the non-DER encoded case. - * Some curves are always pressumed to be non-DER. - */ -- if (pubKey->u.ec.publicValue.len == keyLen && -- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain || -+ if (pubKey->u.ec.ecParams.type != ec_params_named || -+ (pubKey->u.ec.publicValue.len == keyLen && - pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) { - break; /* key was not DER encoded, no need to unwrap */ - } -@@ -1918,8 +1918,7 @@ sftk_GetPubKey(SFTKObject *object, CK_KE - break; - } - /* we don't handle compressed points except in the case of ECCurve25519 */ -- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) && -- (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) { -+ if (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) { - crv = CKR_ATTRIBUTE_VALUE_INVALID; - break; - } diff --git a/SOURCES/nss-3.90-ecdsa-sign-padding-fix.patch b/SOURCES/nss-3.90-ecdsa-sign-padding-fix.patch deleted file mode 100644 index 6c9c744..0000000 --- a/SOURCES/nss-3.90-ecdsa-sign-padding-fix.patch +++ /dev/null 
@@ -1,335 +0,0 @@ ---- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix 2024-04-04 21:20:23.166838534 +0200 -+++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h 2024-04-10 09:05:12.664050773 +0200 -@@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[] - 0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77, - 0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77}; - -+const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'}; -+const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',}; -+const uint8_t kP521SpkiUnpaddedSig[] = { -+ 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, -+ 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86, -+ 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29, -+ 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a, -+ 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18, -+ 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7, -+ 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52, -+ 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88, -+ 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57, -+ 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd, -+ 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b, -+ 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35, -+ 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c, -+ 0xe2, 0x9f}; -+const uint8_t kP521SignatureUnpaddedSigLong[] = { -+ 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe, -+ 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4, -+ 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42, -+ 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde, -+ 0x23, 0x79, 0x47, 0xa7, 
0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e, -+ 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89, -+ 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b, -+ 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40, -+ 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb, -+ 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b, -+ 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a}; -+const uint8_t kP521SignatureUnpaddedSigShort[] = { -+ 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11, -+ 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde, -+ 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99, -+ 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9, -+ 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65, -+ 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38, -+ 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75, -+ 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95, -+ 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c, -+ 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5, -+ 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e}; -+const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'}; -+const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'}; -+const uint8_t kP384SpkiUnpaddedSig[] = { -+ 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, -+ 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, -+ 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa, -+ 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e, -+ 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3, -+ 0xf5, 0xfa, 0x30, 
0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e, -+ 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf, -+ 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d, -+ 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5, -+ 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a}; -+const uint8_t kP384SignatureUnpaddedSigLong[] = { -+ 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58, -+ 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59, -+ 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0, -+ 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde, -+ 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc, -+ 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c, -+ 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc, -+ 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6}; -+const uint8_t kP384SignatureUnpaddedSigShort[] = { -+ 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13, -+ 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e, -+ 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b, -+ 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf, -+ 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc, -+ 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50, -+ 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f, -+ 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9}; -+const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'}; -+const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'}; -+const uint8_t kP256SpkiUnpaddedSig[] = { -+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, -+ 0x01, 0x06, 0x08, 0x2a, 0x86, 
0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, -+ 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b, -+ 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa, -+ 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e, -+ 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f, -+ 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75, -+ 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 }; -+const uint8_t kP256SignatureUnpaddedSigLong[] = { -+ 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56, -+ 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6, -+ 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11, -+ 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80, -+ 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47, -+ 0xcf, 0x61, 0x91, 0x5f}; -+const uint8_t kP256SignatureUnpaddedSigShort[] = { -+ 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61, -+ 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28, -+ 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16, -+ 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c, -+ 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9, -+ 0x78, 0xc4}; - } // namespace nss_test ---- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix 2024-04-04 21:19:59.583677319 +0200 -+++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc 2024-04-10 17:03:24.202133898 +0200 -@@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun - SEC_OID_SECG_EC_SECP521R1, - SEC_OID_CURVE25519)); - -+class Pkcs11EcdsaUnpaddedSignatureTest -+ : public Pkcs11EcdsaTestBase, -+ public ::testing::WithParamInterface { -+ public: -+ Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {} -+}; -+ -+static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = { -+ 
{SEC_OID_SHA512, -+ {DataBuffer(NULL, 0), -+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)), -+ DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)), -+ DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}}, -+ {SEC_OID_SHA512, -+ {DataBuffer(NULL, 0), -+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)), -+ DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)), -+ DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}}, -+ {SEC_OID_SHA512, -+ {DataBuffer(NULL, 0), -+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)), -+ DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)), -+ DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}}, -+ {SEC_OID_SHA512, -+ {DataBuffer(NULL, 0), -+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)), -+ DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)), -+ DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}}, -+ {SEC_OID_SHA512, -+ {DataBuffer(NULL, 0), -+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)), -+ DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)), -+ DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}}, -+ {SEC_OID_SHA512, -+ {DataBuffer(NULL, 0), -+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)), -+ DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)), -+ DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}} -+}; -+ -+TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); } -+INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest, -+ ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors)); - } // namespace nss_test ---- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix 2024-04-09 
14:58:28.413482715 +0200 -+++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-04-09 21:15:23.717222679 +0200 -@@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey * - { - SECStatus res = SECSuccess; - -+ unsigned char _padded_sig_data[64] = { 0 }; -+ unsigned char *sig_r, *sig_s; -+ - if (!key || !signature || !digest || - !key->publicValue.data || - !signature->data || !digest->data || -@@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey * - return res; - } - -- if (key->publicValue.len != 65 || -- digest->len == 0 || -- signature->len != 64) { -+ unsigned int olen = key->ecParams.order.len; -+ if (signature->len == 0 || signature->len % 2 != 0 || -+ signature->len > 2 * olen || -+ digest->len == 0 || key->publicValue.len != 65) { - PORT_SetError(SEC_ERROR_INPUT_LEN); - res = SECFailure; - return res; -@@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey * - return res; - } - -+ /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */ -+ if (signature->len != 64) { -+ unsigned split = signature->len / 2; -+ unsigned pad = 32 - split; -+ -+ unsigned char *o_sig = signature->data; -+ unsigned char *p_sig = _padded_sig_data; -+ -+ memcpy(p_sig + pad, o_sig, split); -+ memcpy(p_sig + 32 + pad, o_sig + split, split); -+ -+ sig_r = p_sig; -+ sig_s = p_sig + 32; -+ } else { -+ sig_r = signature->data; -+ sig_s = signature->data + 32; -+ } -+ -+ - uint8_t hash[32] = { 0 }; - if (digest->len < 32) { - memcpy(hash + 32 - digest->len, digest->data, digest->len); -@@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey * - bool b = Hacl_P256_ecdsa_verif_without_hash( - 32, hash, - key->publicValue.data + 1, -- signature->data, signature->data + 32); -+ sig_r, sig_s); - if (!b) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - res = SECFailure; ---- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:12.726377972 +0200 -+++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-04-09 14:50:47.932425779 +0200 -@@ -185,6 +185,9 @@ 
ec_secp384r1_verify_digest(ECPublicKey * - { - SECStatus res = SECSuccess; - -+ unsigned char _padded_sig_data[96] = { 0 }; -+ unsigned char *sig_r, *sig_s; -+ - if (!key || !signature || !digest || - !key->publicValue.data || - !signature->data || !digest->data || -@@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey * - return res; - } - -- if (key->publicValue.len != 97 || -- digest->len == 0 || -- signature->len != 96) { -+ unsigned int olen = key->ecParams.order.len; -+ if (signature->len == 0 || signature->len % 2 != 0 || -+ signature->len > 2 * olen || -+ digest->len == 0 || key->publicValue.len != 97) { - PORT_SetError(SEC_ERROR_INPUT_LEN); - res = SECFailure; - return res; -@@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey * - return res; - } - -+ /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */ -+ if (signature->len != 96) { -+ unsigned split = signature->len / 2; -+ unsigned pad = 48 - split; -+ -+ unsigned char *o_sig = signature->data; -+ unsigned char *p_sig = _padded_sig_data; -+ -+ memcpy(p_sig + pad, o_sig, split); -+ memcpy(p_sig + 48 + pad, o_sig + split, split); -+ -+ sig_r = p_sig; -+ sig_s = p_sig + 48; -+ } else { -+ sig_r = signature->data; -+ sig_s = signature->data + 48; -+ } -+ - uint8_t hash[48] = { 0 }; - if (digest->len < 48) { - memcpy(hash + 48 - digest->len, digest->data, digest->len); -@@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey * - bool b = Hacl_P384_ecdsa_verif_without_hash( - 48, hash, - key->publicValue.data + 1, -- signature->data, signature->data + 48); -+ sig_r, sig_s); - if (!b) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - res = SECFailure; ---- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix 2024-04-05 22:42:26.553728340 +0200 -+++ ./lib/freebl/ecl/ecp_secp521r1.c 2024-04-09 13:02:14.821865860 +0200 -@@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey * - { - SECStatus res = SECSuccess; - -+ unsigned char _padded_sig_data[132] = { 0 }; -+ unsigned 
char *sig_r, *sig_s; -+ - if (!key || !signature || !digest || - !key->publicValue.data || - !signature->data || !digest->data || -@@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey * - return res; - } - -- if (key->publicValue.len != 133 || -- digest->len == 0 || -- signature->len != 132) { -+ unsigned int olen = key->ecParams.order.len; -+ if (signature->len == 0 || signature->len % 2 != 0 || -+ signature->len > 2 * olen || -+ digest->len == 0 || key->publicValue.len != 133) { - PORT_SetError(SEC_ERROR_INPUT_LEN); - res = SECFailure; - return res; -@@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey * - return res; - } - -+ /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */ -+ if (signature->len != 132) { -+ unsigned split = signature->len / 2; -+ unsigned pad = 66 - split; -+ -+ unsigned char *o_sig = signature->data; -+ unsigned char *p_sig = _padded_sig_data; -+ -+ memcpy(p_sig + pad, o_sig, split); -+ memcpy(p_sig + 66 + pad, o_sig + split, split); -+ -+ sig_r = p_sig; -+ sig_s = p_sig + 66; -+ } else { -+ sig_r = signature->data; -+ sig_s = signature->data + 66; -+ } -+ - uint8_t hash[66] = { 0 }; - if (digest->len < 66) { - memcpy(hash + 66 - digest->len, digest->data, digest->len); -@@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey * - bool b = Hacl_P521_ecdsa_verif_without_hash( - 66, hash, - key->publicValue.data + 1, -- signature->data, signature->data + 66); -+ sig_r, sig_s); - if (!b) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - res = SECFailure; diff --git a/SOURCES/nss-3.90-fips-pkcs11-long-hash.patch b/SOURCES/nss-3.90-fips-pkcs11-long-hash.patch deleted file mode 100644 index 7728732..0000000 --- a/SOURCES/nss-3.90-fips-pkcs11-long-hash.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c ---- a/lib/softoken/pkcs11c.c -+++ b/lib/softoken/pkcs11c.c -@@ -15,10 +15,13 @@ - * keys and their associated Certificates are saved on the token. - * - * In this implementation, session objects are only visible to the session - * that created or generated them. - */ -+ -+#include /* for UINT_MAX and ULONG_MAX */ -+ - #include "seccomon.h" - #include "secitem.h" - #include "secport.h" - #include "blapi.h" - #include "pkcs11.h" -@@ -1954,12 +1957,21 @@ - if (pDigest == NULL) { - *pulDigestLen = context->maxLen; - goto finish; - } - -- /* do it: */ -+#if (ULONG_MAX > UINT_MAX) -+ /* The context->hashUpdate function takes an unsigned int for its data -+ * length argument, but NSC_Digest takes an unsigned long. */ -+ while (ulDataLen > UINT_MAX) { -+ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX); -+ pData += UINT_MAX; -+ ulDataLen -= UINT_MAX; -+ } -+#endif - (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen); -+ - /* NOTE: this assumes buf size is bigenough for the algorithm */ - (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout); - *pulDigestLen = digestLen; - - sftk_TerminateOp(session, SFTK_HASH, context); -@@ -1980,12 +1992,22 @@ - - /* make sure we're legal */ - crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL); - if (crv != CKR_OK) - return crv; -- /* do it: */ -+ -+#if (ULONG_MAX > UINT_MAX) -+ /* The context->hashUpdate function takes an unsigned int for its data -+ * length argument, but NSC_DigestUpdate takes an unsigned long. */ -+ while (ulPartLen > UINT_MAX) { -+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX); -+ pPart += UINT_MAX; -+ ulPartLen -= UINT_MAX; -+ } -+#endif - (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen); -+ - return CKR_OK; - } - - /* NSC_DigestFinal finishes a multiple-part message-digesting operation. 
*/ - CK_RV -@@ -3166,10 +3188,17 @@ - crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session); - if (crv != CKR_OK) - return crv; - - if (context->hashInfo) { -+#if (ULONG_MAX > UINT_MAX) -+ while (ulPartLen > UINT_MAX) { -+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX); -+ pPart += UINT_MAX; -+ ulPartLen -= UINT_MAX; -+ } -+#endif - (*context->hashUpdate)(context->hashInfo, pPart, ulPartLen); - } else { - /* must be block cipher MACing */ - - unsigned int blkSize = context->blockSize; - diff --git a/SOURCES/nss-3.90-no-dbm-25519.patch b/SOURCES/nss-3.90-no-dbm-25519.patch deleted file mode 100644 index 3c7c614..0000000 --- a/SOURCES/nss-3.90-no-dbm-25519.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh ---- ./tests/ec/ectest.sh.no_dbm_25519 2023-07-26 10:12:29.531147406 -0700 -+++ ./tests/ec/ectest.sh 2023-07-26 10:12:39.547245445 -0700 -@@ -46,11 +46,13 @@ ectest_genkeydb_test() - return $? - fi - curves=( \ -- "curve25519" \ - "secp256r1" \ - "secp384r1" \ - "secp521r1" \ - ) -+ if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then -+ curves=( "curve25519" "${curves[@]}" ) -+ fi - for curve in "${curves[@]}"; do - echo "Test $curve key generation using certutil ..." - certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE} diff --git a/SOURCES/nss-3.90-ppc_no_init.patch b/SOURCES/nss-3.90-ppc_no_init.patch new file mode 100644 index 0000000..134955a --- /dev/null +++ b/SOURCES/nss-3.90-ppc_no_init.patch 
@@ -0,0 +1,36 @@
+diff -up ./lib/freebl/Makefile.ppc_no_init ./lib/freebl/Makefile
+--- ./lib/freebl/Makefile.ppc_no_init 2024-06-03 14:12:24.216755903 -0700
++++ ./lib/freebl/Makefile 2024-06-03 14:11:36.464234903 -0700
+@@ -303,7 +303,7 @@ endif
+ ifeq ($(CPU_ARCH),ppc)
+ EXTRA_SRCS += gcm-ppc.c
+ ifdef USE_64
+- DEFINES += -DNSS_NO_INIT_SUPPORT
++# DEFINES += -DNSS_NO_INIT_SUPPORT
+ PPC_ABI := $(shell $(CC) -dM -E - < /dev/null | awk '$$2 == "_CALL_ELF" {print $$3}')
+ ifeq ($(PPC_ABI),2)
+ ASFILES += sha512-p8.s
+diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile
+--- ./lib/softoken/Makefile.ppc_no_init 2024-06-03 14:12:44.664979003 -0700
++++ ./lib/softoken/Makefile 2024-06-03 14:10:26.703473806 -0700
+@@ -23,13 +23,13 @@ include $(CORE_DEPTH)/coreconf/config.mk
+ ifdef NSS_NO_INIT_SUPPORT
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+ endif
+-ifeq ($(OS_TARGET),Linux)
+-ifeq ($(CPU_ARCH),ppc)
+-ifdef USE_64
+- DEFINES += -DNSS_NO_INIT_SUPPORT
+-endif # USE_64
+-endif # ppc
+-endif # Linux
++#ifeq ($(OS_TARGET),Linux)
++#ifeq ($(CPU_ARCH),ppc)
++#ifdef USE_64
++# DEFINES += -DNSS_NO_INIT_SUPPORT
++#endif # USE_64
++#endif # ppc
++#endif # Linux
+ 
+ 
+ #######################################################################
diff --git a/SOURCES/nss-disable-dc.patch
deleted file mode 100644
index 6eae5e4..0000000
--- a/SOURCES/nss-disable-dc.patch
+++ /dev/null
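Review bot: The new ppc_no_init patch drops the ppc64 `-DNSS_NO_INIT_SUPPORT` default by commenting the Makefile lines out instead of deleting them, which leaves a seven-line dead `#ifeq ($(OS_TARGET),Linux)` … `#endif # Linux` block in lib/softoken/Makefile and a stray `# DEFINES += -DNSS_NO_INIT_SUPPORT` in lib/freebl/Makefile; the patch should remove those lines outright so the resulting Makefiles carry no commented-out configuration. The generic `ifdef NSS_NO_INIT_SUPPORT` block kept just above the removed lines means the flag can still be set explicitly, so the behaviour change is only the loss of the unconditional ppc64 default, but nothing in the patch says why that default is no longer wanted. Since this flag appears to control how freebl/softoken handle library initialisation (inferred from its name and from the build-time toggle, not visible here), a one-line header before the first `diff -up`, e.g. `# ppc64: drop the unconditional NSS_NO_INIT_SUPPORT default; set NSS_NO_INIT_SUPPORT explicitly where required`, would record the intent for the next rebase.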
@@ -1,32 +0,0 @@
-diff -up ./gtests/ssl_gtest/manifest.mn.orig ./gtests/ssl_gtest/manifest.mn
---- ./gtests/ssl_gtest/manifest.mn.orig 2021-06-02 15:40:48.677355426 -0700
-+++ ./gtests/ssl_gtest/manifest.mn 2021-06-02 15:42:31.248977261 -0700
-@@ -57,7 +57,6 @@ CPPSRCS = \
- tls_filter.cc \
- tls_protect.cc \
- tls_psk_unittest.cc \
-- tls_subcerts_unittest.cc \
- tls_ech_unittest.cc \
- $(SSLKEYLOGFILE_FILES) \
- $(NULL)
-diff -up ./lib/ssl/sslsock.c.orig ./lib/ssl/sslsock.c
---- ./lib/ssl/sslsock.c.orig 2021-05-28 02:50:43.000000000 -0700
-+++ ./lib/ssl/sslsock.c 2021-06-02 15:40:48.676355420 -0700
-@@ -819,7 +819,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- break;
- 
- case SSL_ENABLE_DELEGATED_CREDENTIALS:
-- ss->opt.enableDelegatedCredentials = val;
-+ /* disable it for now */
- break;
- 
- case SSL_ENABLE_NPN:
-@@ -1337,7 +1337,7 @@ SSL_OptionSetDefault(PRInt32 which, PRIn
- break;
- 
- case SSL_ENABLE_DELEGATED_CREDENTIALS:
-- ssl_defaults.enableDelegatedCredentials = val;
-+ /* disable it for now */
- break;
- 
- case SSL_ENABLE_NPN:
diff --git a/SOURCES/nss-disable-md5.patch
deleted file mode 100644
index 827928f..0000000
--- a/SOURCES/nss-disable-md5.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff -r 699541a7793b lib/pk11wrap/pk11pars.c
---- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
-+++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
-@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
- static const oidValDef hashOptList[] = {
- /* Hashes */
- { CIPHER_NAME("MD2"), SEC_OID_MD2,
-- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
-+ 0 },
- { CIPHER_NAME("MD4"), SEC_OID_MD4,
-- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
-+ 0 },
- { CIPHER_NAME("MD5"), SEC_OID_MD5,
-- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
-+ 0 },
- { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
- { CIPHER_NAME("SHA224"), SEC_OID_SHA224,
-diff -r 699541a7793b lib/util/secoid.c
---- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
-+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
-@@ -2042,6 +2042,19 @@
- int i;
- 
- for (i = 1; i < SEC_OID_TOTAL; i++) {
-+ switch (i) {
-+ case SEC_OID_MD2:
-+ case SEC_OID_MD4:
-+ case SEC_OID_MD5:
-+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
-+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
-+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
-+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
-+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
-+ continue;
-+ default:
-+ break;
-+ }
- if (oids[i].desc && strstr(arg, oids[i].desc)) {
- xOids[i].notPolicyFlags = notEnable |
- (xOids[i].notPolicyFlags & ~(DEF_FLAGS));
diff --git a/SOURCES/nss_p256_scalar_validated.patch
deleted file mode 100644
index 7d2dfde..0000000
--- a/SOURCES/nss_p256_scalar_validated.patch
+++ /dev/null
@@ -1,4210 +0,0 @@ -diff -up ./lib/freebl/blapi.h.p256 ./lib/freebl/blapi.h ---- ./lib/freebl/blapi.h.p256 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/blapi.h 2024-01-09 11:25:43.802382184 -0800 -@@ -1791,6 +1791,11 @@ extern SECStatus EC_CopyParams(PLArenaPo - */ - extern int EC_GetPointSize(const ECParams *params); - -+/* -+ * use the internal table to get the size in bytes of a single EC coordinate -+ */ -+extern int EC_GetScalarSize(const ECParams *params); -+ - SEC_END_PROTOS - - #endif /* _BLAPI_H_ */ -diff -up ./lib/freebl/ec.c.p256 ./lib/freebl/ec.c ---- ./lib/freebl/ec.c.p256 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/ec.c 2024-01-09 11:43:03.868335326 -0800 -@@ -21,7 +21,17 @@ - static const ECMethod kMethods[] = { - { ECCurve25519, - ec_Curve25519_pt_mul, -- ec_Curve25519_pt_validate } -+ ec_Curve25519_pt_validate, -+ ec_Curve25519_scalar_validate, -+ NULL, NULL }, -+ { -+ ECCurve_NIST_P256, -+ ec_secp256r1_pt_mul, -+ ec_secp256r1_pt_validate, -+ ec_secp256r1_scalar_validate, -+ ec_secp256r1_sign_digest, -+ ec_secp256r1_verify_digest, -+ } - }; - - static const ECMethod * -@@ -281,13 +291,17 @@ ec_NewKey(ECParams *ecParams, ECPrivateK - /* Use curve specific code for point multiplication */ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method = ec_get_method_from_name(ecParams->name); -- if (method == NULL || method->mul == NULL) { -+ if (method == NULL || method->pt_mul == NULL) { - /* unknown curve */ - rv = SECFailure; - goto cleanup; - } -- rv = method->mul(&key->publicValue, &key->privateValue, NULL); -- goto done; -+ rv = method->pt_mul(&key->publicValue, &key->privateValue, NULL); -+ if (rv != SECSuccess) { -+ goto cleanup; -+ } else { -+ goto done; -+ } - } - - CHECK_MPI_OK(mp_init(&k)); -@@ -330,25 +344,54 @@ EC_NewKeyFromSeed(ECParams *ecParams, EC - return rv; - } - --/* Generate a random private key using the algorithm A.4.1 of ANSI X9.62, -+/* Generate a random private key using the algorithm A.4.1 
or A.4.2 of ANSI X9.62, - * modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the - * random number generator. -- * -- * Parameters -- * - order: a buffer that holds the curve's group order -- * - len: the length in octets of the order buffer -- * -- * Return Value -- * Returns a buffer of len octets that holds the private key. The caller -- * is responsible for freeing the buffer with PORT_ZFree. - */ --static unsigned char * --ec_GenerateRandomPrivateKey(const unsigned char *order, int len) -+ -+SECStatus -+ec_GenerateRandomPrivateKey(ECParams *ecParams, SECItem *privKey) - { - SECStatus rv = SECSuccess; - mp_err err; -- unsigned char *privKeyBytes = NULL; -+ -+ unsigned int len = EC_GetScalarSize(ecParams); -+ -+ if (privKey->len != len || privKey->data == NULL) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ return SECFailure; -+ } -+ -+ /* For known curves, use rejection sampling A.4.2 */ -+ if (ecParams->fieldID.type == ec_field_plain) { -+ const ECMethod *method = ec_get_method_from_name(ecParams->name); -+ rv = SECFailure; -+ if (method == NULL || method->scalar_validate == NULL) { -+ /* unknown curve */ -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ goto done; -+ } -+ int count = 100; -+ while (rv != SECSuccess && count >= 0) { -+ rv = RNG_GenerateGlobalRandomBytes(privKey->data, len); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_NEED_RANDOM); -+ goto done; -+ } -+ rv = method->scalar_validate(privKey); -+ count--; -+ } -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ } -+ goto done; -+ } -+ -+ /* For unknown curves, use algotithm A.4.1 */ -+ -+ unsigned char *order = ecParams->order.data; - mp_int privKeyVal, order_1, one; -+ unsigned char *privKeyBytes = NULL; - - MP_DIGITS(&privKeyVal) = 0; - MP_DIGITS(&order_1) = 0; -@@ -361,8 +404,13 @@ ec_GenerateRandomPrivateKey(const unsign - * (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then - * reduces modulo the group order. 
- */ -- if ((privKeyBytes = PORT_Alloc(2 * len)) == NULL) -+ -+ if ((privKeyBytes = PORT_Alloc(2 * len)) == NULL) { -+ PORT_SetError(SEC_ERROR_NO_MEMORY); -+ rv = SECFailure; - goto cleanup; -+ } -+ - CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(privKeyBytes, 2 * len)); - CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len)); - CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len)); -@@ -371,20 +419,26 @@ ec_GenerateRandomPrivateKey(const unsign - CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal)); - CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal)); - CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len)); -- memset(privKeyBytes + len, 0, len); -+ memcpy(privKey->data, privKeyBytes, len); -+ - cleanup: - mp_clear(&privKeyVal); - mp_clear(&order_1); - mp_clear(&one); -+ if (privKeyBytes) { -+ PORT_ZFree(privKeyBytes, 2 * len); -+ } - if (err < MP_OKAY) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; - } -- if (rv != SECSuccess && privKeyBytes) { -- PORT_ZFree(privKeyBytes, 2 * len); -- privKeyBytes = NULL; -+ -+done: -+ if (rv != SECSuccess && privKey->data) { -+ SECITEM_ZfreeItem(privKey, PR_FALSE); -+ return rv; - } -- return privKeyBytes; -+ return rv; - } - - /* Generates a new EC key pair. 
The private key is a random value and -@@ -395,24 +449,28 @@ SECStatus - EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey) - { - SECStatus rv = SECFailure; -- int len; -- unsigned char *privKeyBytes = NULL; -+ SECItem privKeyRand = { siBuffer, NULL, 0 }; - - if (!ecParams || ecParams->name == ECCurve_noName || !privKey) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - -- len = ecParams->order.len; -- privKeyBytes = ec_GenerateRandomPrivateKey(ecParams->order.data, len); -- if (privKeyBytes == NULL) -+ SECITEM_AllocItem(NULL, &privKeyRand, EC_GetScalarSize(ecParams)); -+ if (privKeyRand.data == NULL) { -+ PORT_SetError(SEC_ERROR_NO_MEMORY); -+ rv = SECFailure; -+ goto cleanup; -+ } -+ rv = ec_GenerateRandomPrivateKey(ecParams, &privKeyRand); -+ if (rv != SECSuccess || privKeyRand.data == NULL) - goto cleanup; - /* generate public key */ -- CHECK_SEC_OK(ec_NewKey(ecParams, privKey, privKeyBytes, len)); -+ CHECK_SEC_OK(ec_NewKey(ecParams, privKey, privKeyRand.data, privKeyRand.len)); - - cleanup: -- if (privKeyBytes) { -- PORT_ZFree(privKeyBytes, len); -+ if (privKeyRand.data) { -+ SECITEM_ZfreeItem(&privKeyRand, PR_FALSE); - } - #if EC_DEBUG - printf("EC_NewKey returning %s\n", -@@ -440,18 +498,24 @@ EC_ValidatePublicKey(ECParams *ecParams, - if (!ecParams || ecParams->name == ECCurve_noName || - !publicValue || !publicValue->len) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - - /* Uses curve specific code for point validation. 
*/ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method = ec_get_method_from_name(ecParams->name); -- if (method == NULL || method->validate == NULL) { -+ if (method == NULL || method->pt_validate == NULL) { - /* unknown curve */ - PORT_SetError(SEC_ERROR_INVALID_ARGS); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } -- return method->validate(publicValue); -+ rv = method->pt_validate(publicValue); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ } -+ return rv; - } - - /* NOTE: We only support uncompressed points for now */ -@@ -510,6 +574,7 @@ cleanup: - ECGroup_free(group); - mp_clear(&Px); - mp_clear(&Py); -+ - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; -@@ -536,18 +601,14 @@ ECDH_Derive(SECItem *publicValue, - { - SECStatus rv = SECFailure; - unsigned int len = 0; -- SECItem pointQ = { siBuffer, NULL, 0 }; -- mp_int k; /* to hold the private value */ - mp_err err = MP_OKAY; --#if EC_DEBUG -- int i; --#endif - - if (!publicValue || !publicValue->len || - !ecParams || ecParams->name == ECCurve_noName || - !privateValue || !privateValue->len || !derivedSecret) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - - /* -@@ -556,31 +617,40 @@ ECDH_Derive(SECItem *publicValue, - */ - if (EC_ValidatePublicKey(ecParams, publicValue) != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_KEY); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - - /* Perform curve specific multiplication using ECMethod */ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method; - memset(derivedSecret, 0, sizeof(*derivedSecret)); -- derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, EC_GetPointSize(ecParams)); -+ derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, EC_GetScalarSize(ecParams)); - if (derivedSecret == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - method = 
ec_get_method_from_name(ecParams->name); -- if (method == NULL || method->validate == NULL || -- method->mul == NULL) { -+ if (method == NULL || method->pt_validate == NULL || -+ method->pt_mul == NULL) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); -- return SECFailure; -+ rv = SECFailure; -+ goto done; - } -- rv = method->mul(derivedSecret, privateValue, publicValue); -+ rv = method->pt_mul(derivedSecret, privateValue, publicValue); - if (rv != SECSuccess) { -- SECITEM_ZfreeItem(derivedSecret, PR_FALSE); -+ PORT_SetError(SEC_ERROR_BAD_KEY); - } -- return rv; -+ goto done; - } - -+ SECItem pointQ = { siBuffer, NULL, 0 }; -+ mp_int k; /* to hold the private value */ -+#if EC_DEBUG -+ int i; -+#endif -+ - /* - * We fail if the public value is the point at infinity, since - * this produces predictable results. -@@ -638,14 +708,18 @@ ECDH_Derive(SECItem *publicValue, - cleanup: - mp_clear(&k); - -- if (err) { -- MP_TO_SEC_ERROR(err); -- } -- - if (pointQ.data) { - PORT_ZFree(pointQ.data, pointQ.len); - } - -+done: -+ -+ if (err) { -+ MP_TO_SEC_ERROR(err); -+ } -+ if (rv != SECSuccess) { -+ SECITEM_ZfreeItem(derivedSecret, PR_FALSE); -+ } - return rv; - } - -@@ -659,19 +733,57 @@ ec_SignDigestWithSeed(ECPrivateKey *key, - const SECItem *digest, const unsigned char *kb, const int kblen) - { - SECStatus rv = SECFailure; -+ ECParams *ecParams = NULL; -+ mp_err err = MP_OKAY; -+ int flen = 0; /* length in bytes of the field size */ -+ unsigned olen; /* length in bytes of the base point order */ -+ -+ /* Check args */ -+ if (!key || !signature || !digest || !kb || (kblen <= 0)) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ rv = SECFailure; -+ goto done; -+ } -+ -+ ecParams = &(key->ecParams); -+ flen = (ecParams->fieldID.size + 7) >> 3; -+ olen = ecParams->order.len; -+ if (signature->data == NULL) { -+ /* a call to get the signature length only */ -+ signature->len = 2 * olen; -+ rv = SECSuccess; -+ goto done; -+ } -+ if (signature->len < 2 * olen) { -+ 
PORT_SetError(SEC_ERROR_OUTPUT_LEN); -+ rv = SECFailure; -+ goto done; -+ } -+ -+ /* Perform curve specific signature using ECMethod */ -+ if (ecParams->fieldID.type == ec_field_plain) { -+ const ECMethod *method = ec_get_method_from_name(ecParams->name); -+ if (method == NULL || method->sign_digest == NULL) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); -+ rv = SECFailure; -+ goto done; -+ } -+ rv = method->sign_digest(key, signature, digest, kb, kblen); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ } -+ goto done; -+ } -+ - mp_int x1; - mp_int d, k; /* private key, random integer */ - mp_int r, s; /* tuple (r, s) is the signature */ - mp_int t; /* holding tmp values */ - mp_int n; - mp_int ar; /* blinding value */ -- mp_err err = MP_OKAY; -- ECParams *ecParams = NULL; - SECItem kGpoint = { siBuffer, NULL, 0 }; -- int flen = 0; /* length in bytes of the field size */ -- unsigned olen; /* length in bytes of the base point order */ -- unsigned obits; /* length in bits of the base point order */ - unsigned char *t2 = NULL; -+ unsigned obits; /* length in bits of the base point order */ - - #if EC_DEBUG - char mpstr[256]; -@@ -688,24 +800,6 @@ ec_SignDigestWithSeed(ECPrivateKey *key, - MP_DIGITS(&t) = 0; - MP_DIGITS(&ar) = 0; - -- /* Check args */ -- if (!key || !signature || !digest || !kb || (kblen < 0)) { -- PORT_SetError(SEC_ERROR_INVALID_ARGS); -- goto cleanup; -- } -- -- ecParams = &(key->ecParams); -- flen = (ecParams->fieldID.size + 7) >> 3; -- olen = ecParams->order.len; -- if (signature->data == NULL) { -- /* a call to get the signature length only */ -- goto finish; -- } -- if (signature->len < 2 * olen) { -- PORT_SetError(SEC_ERROR_OUTPUT_LEN); -- goto cleanup; -- } -- - CHECK_MPI_OK(mp_init(&x1)); - CHECK_MPI_OK(mp_init(&d)); - CHECK_MPI_OK(mp_init(&k)); -@@ -851,11 +945,11 @@ ec_SignDigestWithSeed(ECPrivateKey *key, - */ - CHECK_MPI_OK(mp_to_fixlen_octets(&r, signature->data, olen)); - 
CHECK_MPI_OK(mp_to_fixlen_octets(&s, signature->data + olen, olen)); --finish: -- signature->len = 2 * olen; - -+ signature->len = 2 * olen; - rv = SECSuccess; - err = MP_OKAY; -+ - cleanup: - mp_clear(&x1); - mp_clear(&d); -@@ -874,6 +968,7 @@ cleanup: - PORT_ZFree(kGpoint.data, kGpoint.len); - } - -+done: - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; -@@ -892,12 +987,12 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *k - const SECItem *digest, const unsigned char *kb, const int kblen) - { - #if EC_DEBUG || EC_DOUBLECHECK -- - SECItem *signature2 = SECITEM_AllocItem(NULL, NULL, signature->len); - SECStatus signSuccess = ec_SignDigestWithSeed(key, signature, digest, kb, kblen); - SECStatus signSuccessDouble = ec_SignDigestWithSeed(key, signature2, digest, kb, kblen); -- int signaturesEqual = NSS_SecureMemcmp(signature, signature2, signature->len); -+ int signaturesEqual = NSS_SecureMemcmp(signature->data, signature2->data, signature->len); - SECStatus rv; -+ - if ((signaturesEqual == 0) && (signSuccess == SECSuccess) && (signSuccessDouble == SECSuccess)) { - rv = SECSuccess; - } else { -@@ -923,8 +1018,7 @@ SECStatus - ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest) - { - SECStatus rv = SECFailure; -- int len; -- unsigned char *kBytes = NULL; -+ SECItem nonceRand = { siBuffer, NULL, 0 }; - - if (!key) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); -@@ -932,17 +1026,22 @@ ECDSA_SignDigest(ECPrivateKey *key, SECI - } - - /* Generate random value k */ -- len = key->ecParams.order.len; -- kBytes = ec_GenerateRandomPrivateKey(key->ecParams.order.data, len); -- if (kBytes == NULL) -+ SECITEM_AllocItem(NULL, &nonceRand, EC_GetScalarSize(&key->ecParams)); -+ if (nonceRand.data == NULL) { -+ PORT_SetError(SEC_ERROR_NO_MEMORY); -+ rv = SECFailure; -+ goto cleanup; -+ } -+ rv = ec_GenerateRandomPrivateKey(&key->ecParams, &nonceRand); -+ if (rv != SECSuccess || nonceRand.data == NULL) - goto cleanup; - - /* Generate ECDSA signature with the 
specified k value */ -- rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len); -+ rv = ECDSA_SignDigestWithSeed(key, signature, digest, nonceRand.data, nonceRand.len); - - cleanup: -- if (kBytes) { -- PORT_ZFree(kBytes, len); -+ if (nonceRand.data) { -+ SECITEM_ZfreeItem(&nonceRand, PR_FALSE); - } - - #if EC_DEBUG -@@ -966,12 +1065,37 @@ ECDSA_VerifyDigest(ECPublicKey *key, con - const SECItem *digest) - { - SECStatus rv = SECFailure; -+ ECParams *ecParams = NULL; -+ mp_err err = MP_OKAY; -+ -+ /* Check args */ -+ if (!key || !signature || !digest) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ rv = SECFailure; -+ goto done; -+ } -+ -+ ecParams = &(key->ecParams); -+ -+ /* Perform curve specific signature verification using ECMethod */ -+ if (ecParams->fieldID.type == ec_field_plain) { -+ const ECMethod *method = ec_get_method_from_name(ecParams->name); -+ if (method == NULL || method->verify_digest == NULL) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); -+ rv = SECFailure; -+ goto done; -+ } -+ rv = method->verify_digest(key, signature, digest); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ } -+ goto done; -+ } -+ - mp_int r_, s_; /* tuple (r', s') is received signature) */ - mp_int c, u1, u2, v; /* intermediate values used in verification */ - mp_int x1; - mp_int n; -- mp_err err = MP_OKAY; -- ECParams *ecParams = NULL; - SECItem pointC = { siBuffer, NULL, 0 }; - int slen; /* length in bytes of a half signature (r or s) */ - int flen; /* length in bytes of the field size */ -@@ -983,6 +1107,15 @@ ECDSA_VerifyDigest(ECPublicKey *key, con - printf("ECDSA verification called\n"); - #endif - -+ flen = (ecParams->fieldID.size + 7) >> 3; -+ olen = ecParams->order.len; -+ if (signature->len == 0 || signature->len % 2 != 0 || -+ signature->len > 2 * olen) { -+ PORT_SetError(SEC_ERROR_INPUT_LEN); -+ goto cleanup; -+ } -+ slen = signature->len / 2; -+ - /* Initialize MPI integers. 
*/ - /* must happen before the first potential call to cleanup */ - MP_DIGITS(&r_) = 0; -@@ -994,22 +1127,6 @@ ECDSA_VerifyDigest(ECPublicKey *key, con - MP_DIGITS(&v) = 0; - MP_DIGITS(&n) = 0; - -- /* Check args */ -- if (!key || !signature || !digest) { -- PORT_SetError(SEC_ERROR_INVALID_ARGS); -- goto cleanup; -- } -- -- ecParams = &(key->ecParams); -- flen = (ecParams->fieldID.size + 7) >> 3; -- olen = ecParams->order.len; -- if (signature->len == 0 || signature->len % 2 != 0 || -- signature->len > 2 * olen) { -- PORT_SetError(SEC_ERROR_INPUT_LEN); -- goto cleanup; -- } -- slen = signature->len / 2; -- - /* - * The incoming point has been verified in sftk_handlePublicKeyObject. - */ -@@ -1156,6 +1273,8 @@ cleanup: - - if (pointC.data) - SECITEM_ZfreeItem(&pointC, PR_FALSE); -+ -+done: - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; -diff -up ./lib/freebl/ecdecode.c.p256 ./lib/freebl/ecdecode.c ---- ./lib/freebl/ecdecode.c.p256 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/ecdecode.c 2024-01-09 11:25:43.802382184 -0800 -@@ -155,7 +155,7 @@ EC_FillParams(PLArenaPool *arena, const - * (the NIST P-256 curve) - */ - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_X9_62_PRIME_256V1, -- ec_field_GFp, params)); -+ ec_field_plain, params)); - break; - - case SEC_OID_SECG_EC_SECP384R1: -@@ -176,7 +176,8 @@ EC_FillParams(PLArenaPool *arena, const - - case SEC_OID_CURVE25519: - /* Populate params for Curve25519 */ -- CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, ec_field_plain, -+ CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, -+ ec_field_plain, - params)); - break; - -@@ -250,3 +251,18 @@ EC_GetPointSize(const ECParams *params) - } - return curveParams->pointSize - 1; - } -+ -+int -+EC_GetScalarSize(const ECParams *params) -+{ -+ ECCurveName name = params->name; -+ const ECCurveBytes *curveParams; -+ -+ if ((name < ECCurve_noName) || (name > ECCurve_pastLastCurve) || -+ ((curveParams = ecCurve_map[name]) == NULL)) { -+ /* unknown curve, calculate 
scalar size from field size in params */ -+ int sizeInBytes = (params->fieldID.size + 7) / 8; -+ return sizeInBytes; -+ } -+ return curveParams->scalarSize; -+} -diff -up ./lib/freebl/ec.h.p256 ./lib/freebl/ec.h ---- ./lib/freebl/ec.h.p256 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/ec.h 2024-01-09 11:43:03.868335326 -0800 -@@ -13,8 +13,11 @@ - - struct ECMethodStr { - ECCurveName name; -- SECStatus (*mul)(SECItem *result, SECItem *scalar, SECItem *point); -- SECStatus (*validate)(const SECItem *point); -+ SECStatus (*pt_mul)(SECItem *result, SECItem *scalar, SECItem *point); -+ SECStatus (*pt_validate)(const SECItem *point); -+ SECStatus (*scalar_validate)(const SECItem *scalar); -+ SECStatus (*sign_digest)(ECPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb, const unsigned int kblen); -+ SECStatus (*verify_digest)(ECPublicKey *key, const SECItem *signature, const SECItem *digest); - }; - typedef struct ECMethodStr ECMethod; - -diff -up ./lib/freebl/ecl/ecl.h.p256 ./lib/freebl/ecl/ecl.h ---- ./lib/freebl/ecl/ecl.h.p256 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/ecl/ecl.h 2024-01-09 11:43:03.868335326 -0800 -@@ -45,5 +45,16 @@ mp_err ECPoint_validate(const ECGroup *g - - SECStatus ec_Curve25519_pt_mul(SECItem *X, SECItem *k, SECItem *P); - SECStatus ec_Curve25519_pt_validate(const SECItem *px); -+SECStatus ec_Curve25519_scalar_validate(const SECItem *scalar); -+ -+SECStatus ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P); -+SECStatus ec_secp256r1_pt_validate(const SECItem *px); -+SECStatus ec_secp256r1_scalar_validate(const SECItem *scalar); -+ -+SECStatus ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, -+ const SECItem *digest, const unsigned char *kb, -+ const unsigned int kblen); -+SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, -+ const SECItem *digest); - - #endif /* __ecl_h_ */ -diff -up ./lib/freebl/ecl/ecp_25519.c.p256 ./lib/freebl/ecl/ecp_25519.c 
---- ./lib/freebl/ecl/ecp_25519.c.p256 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/ecl/ecp_25519.c 2024-01-09 11:43:03.868335326 -0800 -@@ -15,6 +15,7 @@ - #include "mpi-priv.h" - #include "secmpi.h" - #include "secitem.h" -+#include "secerr.h" - #include "secport.h" - #include - #include -@@ -94,6 +95,24 @@ ec_Curve25519_pt_validate(const SECItem - return SECSuccess; - } - -+/* -+ * scalar validation is not necessary. -+ */ -+SECStatus -+ec_Curve25519_scalar_validate(const SECItem *scalar) -+{ -+ if (!scalar || !scalar->data) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ return SECFailure; -+ } -+ -+ if (scalar->len != 32) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ return SECFailure; -+ } -+ return SECSuccess; -+} -+ - /* - * Scalar multiplication for Curve25519. - * If P == NULL, the base point is used. -diff -up ./lib/freebl/ecl/ecp_secp256r1.c.p256 ./lib/freebl/ecl/ecp_secp256r1.c ---- ./lib/freebl/ecl/ecp_secp256r1.c.p256 2024-01-09 11:25:43.802382184 -0800 -+++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-01-09 11:43:03.868335326 -0800 -@@ -0,0 +1,258 @@ -+/* P-256 from HACL* */ -+ -+#ifdef FREEBL_NO_DEPEND -+#include "../stubs.h" -+#endif -+ -+#include "ecl-priv.h" -+#include "secitem.h" -+#include "secerr.h" -+#include "secmpi.h" -+#include "../verified/Hacl_P256.h" -+ -+/* -+ * Point Validation for P-256. 
-+ */ -+ -+SECStatus -+ec_secp256r1_pt_validate(const SECItem *pt) -+{ -+ SECStatus res = SECSuccess; -+ if (!pt || !pt->data) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (pt->len != 65) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (pt->data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); -+ res = SECFailure; -+ return res; -+ } -+ -+ bool b = Hacl_P256_validate_public_key(pt->data + 1); -+ -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ } -+ return res; -+} -+ -+/* -+ * Scalar Validation for P-256. -+ */ -+ -+SECStatus -+ec_secp256r1_scalar_validate(const SECItem *scalar) -+{ -+ SECStatus res = SECSuccess; -+ if (!scalar || !scalar->data) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (scalar->len != 32) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ bool b = Hacl_P256_validate_private_key(scalar->data); -+ -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ } -+ return res; -+} -+ -+/* -+ * Scalar multiplication for P-256. -+ * If P == NULL, the base point is used. 
-+ * Returns X = k*P -+ */ -+ -+SECStatus -+ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P) -+{ -+ SECStatus res = SECSuccess; -+ if (!P) { -+ uint8_t derived[64] = { 0 }; -+ -+ if (!X || !k || !X->data || !k->data || -+ X->len < 65 || k->len != 32) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ bool b = Hacl_P256_dh_initiator(derived, k->data); -+ -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ X->len = 65; -+ X->data[0] = EC_POINT_FORM_UNCOMPRESSED; -+ memcpy(X->data + 1, derived, 64); -+ -+ } else { -+ uint8_t full_key[32] = { 0 }; -+ uint8_t *key; -+ uint8_t derived[64] = { 0 }; -+ -+ if (!X || !k || !P || !X->data || !k->data || !P->data || -+ X->len < 32 || P->len != 65 || -+ P->data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ /* We consider keys of up to size 32, or of size 33 with a single leading 0 */ -+ if (k->len < 32) { -+ memcpy(full_key + 32 - k->len, k->data, k->len); -+ key = full_key; -+ } else if (k->len == 32) { -+ key = k->data; -+ } else if (k->len == 33 && k->data[0] == 0) { -+ key = k->data + 1; -+ } else { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ bool b = Hacl_P256_dh_responder(derived, P->data + 1, key); -+ -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ X->len = 32; -+ memcpy(X->data, derived, 32); -+ } -+ -+ return res; -+} -+ -+/* -+ * ECDSA Signature for P-256 -+ */ -+ -+SECStatus -+ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, -+ const SECItem *digest, const unsigned char *kb, -+ const unsigned int kblen) -+{ -+ SECStatus res = SECSuccess; -+ -+ if (!key || !signature || !digest || !kb || -+ !key->privateValue.data || -+ !signature->data || !digest->data || -+ key->ecParams.name != ECCurve_NIST_P256) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); 
-+ res = SECFailure; -+ return res; -+ } -+ -+ if (key->privateValue.len != 32 || -+ kblen == 0 || -+ digest->len == 0 || -+ signature->len < 64) { -+ PORT_SetError(SEC_ERROR_INPUT_LEN); -+ res = SECFailure; -+ return res; -+ } -+ -+ uint8_t hash[32] = { 0 }; -+ if (digest->len < 32) { -+ memcpy(hash + 32 - digest->len, digest->data, digest->len); -+ } else { -+ memcpy(hash, digest->data, 32); -+ } -+ -+ uint8_t nonce[32] = { 0 }; -+ if (kblen < 32) { -+ memcpy(nonce + 32 - kblen, kb, kblen); -+ } else { -+ memcpy(nonce, kb, 32); -+ } -+ -+ bool b = Hacl_P256_ecdsa_sign_p256_without_hash( -+ signature->data, 32, hash, -+ key->privateValue.data, nonce); -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ signature->len = 64; -+ return res; -+} -+ -+/* -+ * ECDSA Signature Verification for P-256 -+ */ -+ -+SECStatus -+ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, -+ const SECItem *digest) -+{ -+ SECStatus res = SECSuccess; -+ -+ if (!key || !signature || !digest || -+ !key->publicValue.data || -+ !signature->data || !digest->data || -+ key->ecParams.name != ECCurve_NIST_P256) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (key->publicValue.len != 65 || -+ digest->len == 0 || -+ signature->len != 64) { -+ PORT_SetError(SEC_ERROR_INPUT_LEN); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (key->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); -+ res = SECFailure; -+ return res; -+ } -+ -+ uint8_t hash[32] = { 0 }; -+ if (digest->len < 32) { -+ memcpy(hash + 32 - digest->len, digest->data, digest->len); -+ } else { -+ memcpy(hash, digest->data, 32); -+ } -+ -+ bool b = Hacl_P256_ecdsa_verif_without_hash( -+ 32, hash, -+ key->publicValue.data + 1, -+ signature->data, signature->data + 32); -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ res = SECFailure; -+ return res; -+ } -+ -+ 
return res; -+} -diff -up ./lib/freebl/freebl_base.gypi.p256 ./lib/freebl/freebl_base.gypi ---- ./lib/freebl/freebl_base.gypi.p256 2024-01-09 11:22:17.628127464 -0800 -+++ ./lib/freebl/freebl_base.gypi 2024-01-09 11:25:43.802382184 -0800 -@@ -34,8 +34,10 @@ - 'ecl/ecp_jac.c', - 'ecl/ecp_jm.c', - 'ecl/ecp_mont.c', -+ 'ecl/ecp_secp256r1.c', - 'ecl/ecp_secp384r1.c', - 'ecl/ecp_secp521r1.c', -+ 'verified/Hacl_P256.c', - 'fipsfreebl.c', - 'blinit.c', - 'freeblver.c', -diff -up ./lib/freebl/freebl.gyp.p256 ./lib/freebl/freebl.gyp ---- ./lib/freebl/freebl.gyp.p256 2024-01-09 11:22:17.628127464 -0800 -+++ ./lib/freebl/freebl.gyp 2024-01-09 11:25:43.802382184 -0800 -@@ -839,6 +839,7 @@ - 'defines':[ - 'HACL_CAN_COMPILE_VEC128', - 'HACL_CAN_COMPILE_VEC256', -+ 'HACL_CAN_COMPILE_INTRINSICS', - ], - }], - # MSVC has no __int128 type. Use emulated int128 and leave -@@ -847,6 +848,7 @@ - 'defines': [ - # The Makefile does version-tests on GCC, but we're not doing that here. - 'HAVE_INT128_SUPPORT', -+ 'HACL_CAN_COMPILE_UINT128' - ], - }, { - 'defines': [ -diff -up ./lib/freebl/Makefile.p256 ./lib/freebl/Makefile ---- ./lib/freebl/Makefile.p256 2024-01-09 11:25:43.802382184 -0800 -+++ ./lib/freebl/Makefile 2024-01-09 11:27:42.154676474 -0800 -@@ -612,6 +612,8 @@ ifndef NSS_DISABLE_CHACHAPOLY - VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c - endif # NSS_DISABLE_CHACHAPOLY - -+VERIFIED_SRCS += Hacl_P256.c -+ - ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH))) - # All 64-bit architectures get the 64 bit version. 
- ECL_SRCS += curve25519_64.c -diff -up ./lib/freebl/manifest.mn.p256 ./lib/freebl/manifest.mn ---- ./lib/freebl/manifest.mn.p256 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/manifest.mn 2024-01-09 11:25:43.803382195 -0800 -@@ -107,7 +107,7 @@ ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-pri - ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \ - ecp_aff.c ecp_jac.c ecp_mont.c \ - ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \ -- ecp_256_32.c ecp_25519.c ecp_secp384r1.c ecp_secp521r1.c -+ ecp_256_32.c ecp_25519.c ecp_secp256r1.c ecp_secp384r1.c ecp_secp521r1.c - SHA_SRCS = sha_fast.c - MPCPU_SRCS = mpcpucache.c - VERIFIED_SRCS = $(NULL) -diff -up ./lib/freebl/verified/Hacl_P256.c.p256 ./lib/freebl/verified/Hacl_P256.c ---- ./lib/freebl/verified/Hacl_P256.c.p256 2024-01-09 11:25:43.803382195 -0800 -+++ ./lib/freebl/verified/Hacl_P256.c 2024-01-09 11:25:43.803382195 -0800 -@@ -0,0 +1,1832 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#include "internal/Hacl_P256.h" -+ -+#include "internal/Hacl_P256_PrecompTable.h" -+#include "internal/Hacl_Krmllib.h" -+#include "internal/Hacl_Bignum_Base.h" -+#include "lib_intrinsics.h" -+ -+static inline uint64_t -+bn_is_zero_mask4(uint64_t *f) -+{ -+ uint64_t bn_zero[4U] = { 0U }; -+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t uu____0 = FStar_UInt64_eq_mask(f[i], bn_zero[i]); -+ mask = uu____0 & mask;); -+ uint64_t mask1 = mask; -+ uint64_t res = mask1; -+ return res; -+} -+ -+static inline bool -+bn_is_zero_vartime4(uint64_t *f) -+{ -+ uint64_t m = bn_is_zero_mask4(f); -+ return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+static inline uint64_t -+bn_is_eq_mask4(uint64_t *a, uint64_t *b) -+{ -+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); -+ mask = uu____0 & mask;); -+ uint64_t mask1 = mask; -+ return mask1; -+} -+ -+static inline bool -+bn_is_eq_vartime4(uint64_t *a, uint64_t *b) -+{ -+ uint64_t m = bn_is_eq_mask4(a, b); -+ return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+static inline void -+bn_cmovznz4(uint64_t *res, uint64_t cin, uint64_t *x, uint64_t *y) -+{ -+ uint64_t mask = ~FStar_UInt64_eq_mask(cin, (uint64_t)0U); -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t uu____0 = x[i]; -+ uint64_t x1 = uu____0 ^ (mask & (y[i] ^ uu____0)); -+ os[i] = x1;); -+} -+ -+static inline void -+bn_add_mod4(uint64_t *res, uint64_t *n, uint64_t *x, uint64_t *y) -+{ -+ uint64_t c0 = (uint64_t)0U; -+ { -+ 
uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t20, res_i0); -+ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t10, t21, res_i1); -+ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t11, t22, res_i2); -+ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t12, t2, res_i); -+ } -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * 
(uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ uint64_t c2 = c00 - c1; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); -+ os[i] = x1;); -+} -+ -+static inline uint64_t -+bn_sub4(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c0 = c; -+ return c0; -+} -+ -+static inline void -+bn_sub_mod4(uint64_t *res, uint64_t *n, uint64_t *x, uint64_t *y) -+{ -+ uint64_t c0 = (uint64_t)0U; -+ { -+ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t20, res_i0); -+ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ 
uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t10, t21, res_i1); -+ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t11, t22, res_i2); -+ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t12, t2, res_i); -+ } -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ // TODO: remove unused variable -+ (void)c1; -+ uint64_t c2 = (uint64_t)0U - c00; -+ 
KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & tmp[i]) | (~c2 & res[i]); -+ os[i] = x1;); -+} -+ -+static inline void -+bn_mul4(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ memset(res, 0U, (uint32_t)8U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t bj = y[i0]; -+ uint64_t *res_j = res + i0; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t a_i = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res_j + (uint32_t)4U * (uint32_t)0U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i0); -+ uint64_t a_i0 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c, res_i1); -+ uint64_t a_i1 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c, res_i2); -+ uint64_t a_i2 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c, res_i); -+ } uint64_t r = c; -+ res[(uint32_t)4U + i0] = r;); -+} -+ -+static inline void -+bn_sqr4(uint64_t *res, uint64_t *x) -+{ -+ memset(res, 0U, (uint32_t)8U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *ab = x; -+ uint64_t a_j = x[i0]; -+ uint64_t *res_j = res + i0; -+ uint64_t c = (uint64_t)0U; -+ for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) { -+ uint64_t a_i = ab[(uint32_t)4U * i]; -+ uint64_t *res_i0 = res_j + (uint32_t)4U * i; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); -+ uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, 
res_i1); -+ uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); -+ uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; -+ uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); -+ } -+ for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) { -+ uint64_t a_i = ab[i]; -+ uint64_t *res_i = res_j + i; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); -+ } -+ uint64_t r = c; -+ res[i0 + i0] = r;); -+ uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, res, res); -+ // TODO: remove unused variable -+ (void)c0; -+ uint64_t tmp[8U] = { 0U }; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(x[i], x[i]); -+ uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res1, (uint32_t)64U)); -+ uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); -+ tmp[(uint32_t)2U * i] = lo; -+ tmp[(uint32_t)2U * i + (uint32_t)1U] = hi;); -+ uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, tmp, res); -+ // TODO: remove unused variable -+ (void)c1; -+} -+ -+static inline void -+bn_to_bytes_be4(uint8_t *res, uint64_t *f) -+{ -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ store64_be(res + i * (uint32_t)8U, f[(uint32_t)4U - i - (uint32_t)1U]);); -+} -+ -+static inline void -+bn_from_bytes_be4(uint64_t *res, uint8_t *b) -+{ -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t u = load64_be(b + ((uint32_t)4U - i - (uint32_t)1U) * (uint32_t)8U); -+ uint64_t x = u; -+ os[i] = x;); -+} -+ -+static inline void -+bn2_to_bytes_be4(uint8_t *res, uint64_t *x, uint64_t *y) -+{ -+ bn_to_bytes_be4(res, x); -+ bn_to_bytes_be4(res + (uint32_t)32U, y); -+} -+ -+static inline void 
-+make_prime(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0xffffffffffffffffU; -+ n[1U] = (uint64_t)0xffffffffU; -+ n[2U] = (uint64_t)0x0U; -+ n[3U] = (uint64_t)0xffffffff00000001U; -+} -+ -+static inline void -+make_order(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0xf3b9cac2fc632551U; -+ n[1U] = (uint64_t)0xbce6faada7179e84U; -+ n[2U] = (uint64_t)0xffffffffffffffffU; -+ n[3U] = (uint64_t)0xffffffff00000000U; -+} -+ -+static inline void -+make_a_coeff(uint64_t *a) -+{ -+ a[0U] = (uint64_t)0xfffffffffffffffcU; -+ a[1U] = (uint64_t)0x3ffffffffU; -+ a[2U] = (uint64_t)0x0U; -+ a[3U] = (uint64_t)0xfffffffc00000004U; -+} -+ -+static inline void -+make_b_coeff(uint64_t *b) -+{ -+ b[0U] = (uint64_t)0xd89cdf6229c4bddfU; -+ b[1U] = (uint64_t)0xacf005cd78843090U; -+ b[2U] = (uint64_t)0xe5a220abf7212ed6U; -+ b[3U] = (uint64_t)0xdc30061d04874834U; -+} -+ -+static inline void -+make_g_x(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0x79e730d418a9143cU; -+ n[1U] = (uint64_t)0x75ba95fc5fedb601U; -+ n[2U] = (uint64_t)0x79fb732b77622510U; -+ n[3U] = (uint64_t)0x18905f76a53755c6U; -+} -+ -+static inline void -+make_g_y(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0xddf25357ce95560aU; -+ n[1U] = (uint64_t)0x8b4ab8e4ba19e45cU; -+ n[2U] = (uint64_t)0xd2e88688dd21f325U; -+ n[3U] = (uint64_t)0x8571ff1825885d85U; -+} -+ -+static inline void -+make_fmont_R2(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0x3U; -+ n[1U] = (uint64_t)0xfffffffbffffffffU; -+ n[2U] = (uint64_t)0xfffffffffffffffeU; -+ n[3U] = (uint64_t)0x4fffffffdU; -+} -+ -+static inline void -+make_fzero(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0U; -+ n[1U] = (uint64_t)0U; -+ n[2U] = (uint64_t)0U; -+ n[3U] = (uint64_t)0U; -+} -+ -+static inline void -+make_fone(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0x1U; -+ n[1U] = (uint64_t)0xffffffff00000000U; -+ n[2U] = (uint64_t)0xffffffffffffffffU; -+ n[3U] = (uint64_t)0xfffffffeU; -+} -+ -+static inline uint64_t -+bn_is_lt_prime_mask4(uint64_t *f) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ make_prime(tmp); -+ uint64_t c = 
bn_sub4(tmp, f, tmp); -+ return (uint64_t)0U - c; -+} -+ -+static inline uint64_t -+feq_mask(uint64_t *a, uint64_t *b) -+{ -+ uint64_t r = bn_is_eq_mask4(a, b); -+ return r; -+} -+ -+static inline void -+fadd0(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_prime(n); -+ bn_add_mod4(res, n, x, y); -+} -+ -+static inline void -+fsub0(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_prime(n); -+ bn_sub_mod4(res, n, x, y); -+} -+ -+static inline void -+fnegate_conditional_vartime(uint64_t *f, bool is_negate) -+{ -+ uint64_t zero[4U] = { 0U }; -+ if (is_negate) { -+ fsub0(f, zero, f); -+ } -+} -+ -+static inline void -+mont_reduction(uint64_t *res, uint64_t *x) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_prime(n); -+ uint64_t c0 = (uint64_t)0U; -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t qj = (uint64_t)1U * x[i0]; -+ uint64_t *res_j0 = x + i0; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t a_i = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res_j0 + (uint32_t)4U * (uint32_t)0U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); -+ uint64_t a_i0 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); -+ uint64_t a_i1 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); -+ uint64_t a_i2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); -+ } uint64_t r = c; -+ uint64_t c1 = r; -+ uint64_t *resb = x + (uint32_t)4U + i0; -+ uint64_t res_j = x[(uint32_t)4U + i0]; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); -+ memcpy(res, x + 
(uint32_t)4U, (uint32_t)4U * sizeof(uint64_t)); -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ uint64_t c2 = c00 - c1; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); -+ os[i] = x1;); -+} -+ -+static inline void -+fmul0(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_mul4(tmp, x, y); -+ mont_reduction(res, tmp); -+} -+ -+static inline void -+fsqr0(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_sqr4(tmp, x); -+ mont_reduction(res, tmp); -+} -+ -+static inline void -+from_mont(uint64_t *res, uint64_t *a) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ memcpy(tmp, a, (uint32_t)4U * sizeof(uint64_t)); -+ mont_reduction(res, tmp); -+} -+ -+static inline void -+to_mont(uint64_t *res, uint64_t *a) -+{ -+ uint64_t r2modn[4U] = { 0U }; -+ 
make_fmont_R2(r2modn); -+ fmul0(res, a, r2modn); -+} -+ -+static inline void -+fmul_by_b_coeff(uint64_t *res, uint64_t *x) -+{ -+ uint64_t b_coeff[4U] = { 0U }; -+ make_b_coeff(b_coeff); -+ fmul0(res, b_coeff, x); -+} -+ -+static inline void -+fcube(uint64_t *res, uint64_t *x) -+{ -+ fsqr0(res, x); -+ fmul0(res, res, x); -+} -+ -+static inline void -+finv(uint64_t *res, uint64_t *a) -+{ -+ uint64_t tmp[16U] = { 0U }; -+ uint64_t *x30 = tmp; -+ uint64_t *x2 = tmp + (uint32_t)4U; -+ uint64_t *tmp1 = tmp + (uint32_t)8U; -+ uint64_t *tmp2 = tmp + (uint32_t)12U; -+ memcpy(x2, a, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, a); -+ memcpy(x30, x2, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ fsqr0(x30, x30); -+ } -+ fmul0(x30, x30, a); -+ memcpy(tmp1, x30, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, x30); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, fsqr0(tmp2, tmp2);); -+ fmul0(tmp2, tmp2, tmp1); -+ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, x30); -+ memcpy(x30, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i, (uint32_t)0U, (uint32_t)15U, (uint32_t)1U, fsqr0(x30, x30);); -+ fmul0(x30, x30, tmp1); -+ memcpy(tmp1, x30, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, x2); -+ memcpy(x2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, a); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, tmp1); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, tmp1); -+ for (uint32_t 
i = (uint32_t)0U; i < (uint32_t)30U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, x30); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(x2, x2);); -+ fmul0(tmp1, x2, a); -+ memcpy(res, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+} -+ -+static inline void -+fsqrt(uint64_t *res, uint64_t *a) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ uint64_t *tmp1 = tmp; -+ uint64_t *tmp2 = tmp + (uint32_t)4U; -+ memcpy(tmp1, a, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ fsqr0(tmp1, tmp1); -+ } -+ fmul0(tmp1, tmp1, a); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(tmp2, tmp2);); -+ fmul0(tmp2, tmp2, tmp1); -+ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, tmp2); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, fsqr0(tmp2, tmp2);); -+ fmul0(tmp2, tmp2, tmp1); -+ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR16(i, (uint32_t)0U, (uint32_t)16U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, tmp2); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ fsqr0(tmp2, tmp2); -+ } -+ fmul0(tmp2, tmp2, a); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)96U; i++) { -+ fsqr0(tmp2, tmp2); -+ } -+ fmul0(tmp2, tmp2, a); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)94U; i++) { -+ fsqr0(tmp2, tmp2); -+ } -+ memcpy(res, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+} -+ -+static inline void -+make_base_point(uint64_t *p) -+{ -+ uint64_t *x = p; -+ uint64_t *y = p + (uint32_t)4U; -+ uint64_t *z = p + (uint32_t)8U; -+ make_g_x(x); -+ make_g_y(y); -+ make_fone(z); -+} -+ -+static inline void -+make_point_at_inf(uint64_t *p) -+{ -+ uint64_t *x = p; -+ uint64_t *y = p + (uint32_t)4U; -+ uint64_t *z = p + (uint32_t)8U; -+ make_fzero(x); 
-+ make_fone(y); -+ make_fzero(z); -+} -+ -+static inline bool -+is_point_at_inf_vartime(uint64_t *p) -+{ -+ uint64_t *pz = p + (uint32_t)8U; -+ return bn_is_zero_vartime4(pz); -+} -+ -+static inline void -+to_aff_point(uint64_t *res, uint64_t *p) -+{ -+ uint64_t zinv[4U] = { 0U }; -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ uint64_t *pz = p + (uint32_t)8U; -+ uint64_t *x = res; -+ uint64_t *y = res + (uint32_t)4U; -+ finv(zinv, pz); -+ fmul0(x, px, zinv); -+ fmul0(y, py, zinv); -+ from_mont(x, x); -+ from_mont(y, y); -+} -+ -+static inline void -+to_aff_point_x(uint64_t *res, uint64_t *p) -+{ -+ uint64_t zinv[4U] = { 0U }; -+ uint64_t *px = p; -+ uint64_t *pz = p + (uint32_t)8U; -+ finv(zinv, pz); -+ fmul0(res, px, zinv); -+ from_mont(res, res); -+} -+ -+static inline void -+to_proj_point(uint64_t *res, uint64_t *p) -+{ -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ uint64_t *rx = res; -+ uint64_t *ry = res + (uint32_t)4U; -+ uint64_t *rz = res + (uint32_t)8U; -+ to_mont(rx, px); -+ to_mont(ry, py); -+ make_fone(rz); -+} -+ -+static inline bool -+is_on_curve_vartime(uint64_t *p) -+{ -+ uint64_t rp[4U] = { 0U }; -+ uint64_t tx[4U] = { 0U }; -+ uint64_t ty[4U] = { 0U }; -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ to_mont(tx, px); -+ to_mont(ty, py); -+ uint64_t tmp[4U] = { 0U }; -+ fcube(rp, tx); -+ make_a_coeff(tmp); -+ fmul0(tmp, tmp, tx); -+ fadd0(rp, tmp, rp); -+ make_b_coeff(tmp); -+ fadd0(rp, tmp, rp); -+ fsqr0(ty, ty); -+ uint64_t r = feq_mask(ty, rp); -+ bool r0 = r == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ return r0; -+} -+ -+static inline void -+aff_point_store(uint8_t *res, uint64_t *p) -+{ -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ bn2_to_bytes_be4(res, px, py); -+} -+ -+static inline void -+point_store(uint8_t *res, uint64_t *p) -+{ -+ uint64_t aff_p[8U] = { 0U }; -+ to_aff_point(aff_p, p); -+ aff_point_store(res, aff_p); -+} -+ -+static inline bool -+aff_point_load_vartime(uint64_t *p, uint8_t 
*b) -+{ -+ uint8_t *p_x = b; -+ uint8_t *p_y = b + (uint32_t)32U; -+ uint64_t *bn_p_x = p; -+ uint64_t *bn_p_y = p + (uint32_t)4U; -+ bn_from_bytes_be4(bn_p_x, p_x); -+ bn_from_bytes_be4(bn_p_y, p_y); -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ uint64_t lessX = bn_is_lt_prime_mask4(px); -+ uint64_t lessY = bn_is_lt_prime_mask4(py); -+ uint64_t res = lessX & lessY; -+ bool is_xy_valid = res == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ if (!is_xy_valid) { -+ return false; -+ } -+ return is_on_curve_vartime(p); -+} -+ -+static inline bool -+load_point_vartime(uint64_t *p, uint8_t *b) -+{ -+ uint64_t p_aff[8U] = { 0U }; -+ bool res = aff_point_load_vartime(p_aff, b); -+ if (res) { -+ to_proj_point(p, p_aff); -+ } -+ return res; -+} -+ -+static inline bool -+aff_point_decompress_vartime(uint64_t *x, uint64_t *y, uint8_t *s) -+{ -+ uint8_t s0 = s[0U]; -+ uint8_t s01 = s0; -+ if (!(s01 == (uint8_t)0x02U || s01 == (uint8_t)0x03U)) { -+ return false; -+ } -+ uint8_t *xb = s + (uint32_t)1U; -+ bn_from_bytes_be4(x, xb); -+ uint64_t is_x_valid = bn_is_lt_prime_mask4(x); -+ bool is_x_valid1 = is_x_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ bool is_y_odd = s01 == (uint8_t)0x03U; -+ if (!is_x_valid1) { -+ return false; -+ } -+ uint64_t y2M[4U] = { 0U }; -+ uint64_t xM[4U] = { 0U }; -+ uint64_t yM[4U] = { 0U }; -+ to_mont(xM, x); -+ uint64_t tmp[4U] = { 0U }; -+ fcube(y2M, xM); -+ make_a_coeff(tmp); -+ fmul0(tmp, tmp, xM); -+ fadd0(y2M, tmp, y2M); -+ make_b_coeff(tmp); -+ fadd0(y2M, tmp, y2M); -+ fsqrt(yM, y2M); -+ from_mont(y, yM); -+ fsqr0(yM, yM); -+ uint64_t r = feq_mask(yM, y2M); -+ bool is_y_valid = r == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ bool is_y_valid0 = is_y_valid; -+ if (!is_y_valid0) { -+ return false; -+ } -+ uint64_t is_y_odd1 = y[0U] & (uint64_t)1U; -+ bool is_y_odd2 = is_y_odd1 == (uint64_t)1U; -+ fnegate_conditional_vartime(y, is_y_odd2 != is_y_odd); -+ return true; -+} -+ -+static inline void -+point_double(uint64_t *res, uint64_t *p) -+{ -+ uint64_t 
tmp[20U] = { 0U }; -+ uint64_t *x = p; -+ uint64_t *z = p + (uint32_t)8U; -+ uint64_t *x3 = res; -+ uint64_t *y3 = res + (uint32_t)4U; -+ uint64_t *z3 = res + (uint32_t)8U; -+ uint64_t *t0 = tmp; -+ uint64_t *t1 = tmp + (uint32_t)4U; -+ uint64_t *t2 = tmp + (uint32_t)8U; -+ uint64_t *t3 = tmp + (uint32_t)12U; -+ uint64_t *t4 = tmp + (uint32_t)16U; -+ uint64_t *x1 = p; -+ uint64_t *y = p + (uint32_t)4U; -+ uint64_t *z1 = p + (uint32_t)8U; -+ fsqr0(t0, x1); -+ fsqr0(t1, y); -+ fsqr0(t2, z1); -+ fmul0(t3, x1, y); -+ fadd0(t3, t3, t3); -+ fmul0(t4, y, z1); -+ fmul0(z3, x, z); -+ fadd0(z3, z3, z3); -+ fmul_by_b_coeff(y3, t2); -+ fsub0(y3, y3, z3); -+ fadd0(x3, y3, y3); -+ fadd0(y3, x3, y3); -+ fsub0(x3, t1, y3); -+ fadd0(y3, t1, y3); -+ fmul0(y3, x3, y3); -+ fmul0(x3, x3, t3); -+ fadd0(t3, t2, t2); -+ fadd0(t2, t2, t3); -+ fmul_by_b_coeff(z3, z3); -+ fsub0(z3, z3, t2); -+ fsub0(z3, z3, t0); -+ fadd0(t3, z3, z3); -+ fadd0(z3, z3, t3); -+ fadd0(t3, t0, t0); -+ fadd0(t0, t3, t0); -+ fsub0(t0, t0, t2); -+ fmul0(t0, t0, z3); -+ fadd0(y3, y3, t0); -+ fadd0(t0, t4, t4); -+ fmul0(z3, t0, z3); -+ fsub0(x3, x3, z3); -+ fmul0(z3, t0, t1); -+ fadd0(z3, z3, z3); -+ fadd0(z3, z3, z3); -+} -+ -+static inline void -+point_add(uint64_t *res, uint64_t *p, uint64_t *q) -+{ -+ uint64_t tmp[36U] = { 0U }; -+ uint64_t *t0 = tmp; -+ uint64_t *t1 = tmp + (uint32_t)24U; -+ uint64_t *x3 = t1; -+ uint64_t *y3 = t1 + (uint32_t)4U; -+ uint64_t *z3 = t1 + (uint32_t)8U; -+ uint64_t *t01 = t0; -+ uint64_t *t11 = t0 + (uint32_t)4U; -+ uint64_t *t2 = t0 + (uint32_t)8U; -+ uint64_t *t3 = t0 + (uint32_t)12U; -+ uint64_t *t4 = t0 + (uint32_t)16U; -+ uint64_t *t5 = t0 + (uint32_t)20U; -+ uint64_t *x1 = p; -+ uint64_t *y1 = p + (uint32_t)4U; -+ uint64_t *z10 = p + (uint32_t)8U; -+ uint64_t *x20 = q; -+ uint64_t *y20 = q + (uint32_t)4U; -+ uint64_t *z20 = q + (uint32_t)8U; -+ fmul0(t01, x1, x20); -+ fmul0(t11, y1, y20); -+ fmul0(t2, z10, z20); -+ fadd0(t3, x1, y1); -+ fadd0(t4, x20, y20); -+ fmul0(t3, t3, 
t4); -+ fadd0(t4, t01, t11); -+ uint64_t *y10 = p + (uint32_t)4U; -+ uint64_t *z11 = p + (uint32_t)8U; -+ uint64_t *y2 = q + (uint32_t)4U; -+ uint64_t *z21 = q + (uint32_t)8U; -+ fsub0(t3, t3, t4); -+ fadd0(t4, y10, z11); -+ fadd0(t5, y2, z21); -+ fmul0(t4, t4, t5); -+ fadd0(t5, t11, t2); -+ fsub0(t4, t4, t5); -+ uint64_t *x10 = p; -+ uint64_t *z1 = p + (uint32_t)8U; -+ uint64_t *x2 = q; -+ uint64_t *z2 = q + (uint32_t)8U; -+ fadd0(x3, x10, z1); -+ fadd0(y3, x2, z2); -+ fmul0(x3, x3, y3); -+ fadd0(y3, t01, t2); -+ fsub0(y3, x3, y3); -+ fmul_by_b_coeff(z3, t2); -+ fsub0(x3, y3, z3); -+ fadd0(z3, x3, x3); -+ fadd0(x3, x3, z3); -+ fsub0(z3, t11, x3); -+ fadd0(x3, t11, x3); -+ fmul_by_b_coeff(y3, y3); -+ fadd0(t11, t2, t2); -+ fadd0(t2, t11, t2); -+ fsub0(y3, y3, t2); -+ fsub0(y3, y3, t01); -+ fadd0(t11, y3, y3); -+ fadd0(y3, t11, y3); -+ fadd0(t11, t01, t01); -+ fadd0(t01, t11, t01); -+ fsub0(t01, t01, t2); -+ fmul0(t11, t4, y3); -+ fmul0(t2, t01, y3); -+ fmul0(y3, x3, z3); -+ fadd0(y3, y3, t2); -+ fmul0(x3, t3, x3); -+ fsub0(x3, x3, t11); -+ fmul0(z3, t4, z3); -+ fmul0(t11, t3, t01); -+ fadd0(z3, z3, t11); -+ memcpy(res, t1, (uint32_t)12U * sizeof(uint64_t)); -+} -+ -+static inline void -+point_mul(uint64_t *res, uint64_t *scalar, uint64_t *p) -+{ -+ uint64_t table[192U] = { 0U }; -+ uint64_t tmp[12U] = { 0U }; -+ uint64_t *t0 = table; -+ uint64_t *t1 = table + (uint32_t)12U; -+ make_point_at_inf(t0); -+ memcpy(t1, p, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR7(i, -+ (uint32_t)0U, -+ (uint32_t)7U, -+ (uint32_t)1U, -+ uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)12U; -+ point_double(tmp, t11); -+ memcpy(table + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t)); -+ uint64_t *t2 = table + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U; -+ point_add(tmp, p, t2); -+ memcpy(table + ((uint32_t)2U * i + (uint32_t)3U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t));); -+ make_point_at_inf(res); 
-+ uint64_t tmp0[12U] = { 0U }; -+ for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) { -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, point_double(res, res);); -+ uint32_t k = (uint32_t)256U - (uint32_t)4U * i0 - (uint32_t)4U; -+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar, k, (uint32_t)4U); -+ memcpy(tmp0, (uint64_t *)table, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i1, -+ (uint32_t)0U, -+ (uint32_t)15U, -+ (uint32_t)1U, -+ uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i1 + (uint32_t)1U)); -+ const uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)12U; -+ KRML_MAYBE_FOR12(i, -+ (uint32_t)0U, -+ (uint32_t)12U, -+ (uint32_t)1U, -+ uint64_t *os = tmp0; -+ uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); -+ os[i] = x;);); -+ point_add(res, res, tmp0); -+ } -+} -+ -+static inline void -+precomp_get_consttime(const uint64_t *table, uint64_t bits_l, uint64_t *tmp) -+{ -+ memcpy(tmp, (uint64_t *)table, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i0, -+ (uint32_t)0U, -+ (uint32_t)15U, -+ (uint32_t)1U, -+ uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i0 + (uint32_t)1U)); -+ const uint64_t *res_j = table + (i0 + (uint32_t)1U) * (uint32_t)12U; -+ KRML_MAYBE_FOR12(i, -+ (uint32_t)0U, -+ (uint32_t)12U, -+ (uint32_t)1U, -+ uint64_t *os = tmp; -+ uint64_t x = (c & res_j[i]) | (~c & tmp[i]); -+ os[i] = x;);); -+} -+ -+static inline void -+point_mul_g(uint64_t *res, uint64_t *scalar) -+{ -+ uint64_t q1[12U] = { 0U }; -+ make_base_point(q1); -+ /* -+ uint64_t -+ q2[12U] = -+ { -+ (uint64_t)1499621593102562565U, (uint64_t)16692369783039433128U, -+ (uint64_t)15337520135922861848U, (uint64_t)5455737214495366228U, -+ (uint64_t)17827017231032529600U, (uint64_t)12413621606240782649U, -+ (uint64_t)2290483008028286132U, (uint64_t)15752017553340844820U, -+ (uint64_t)4846430910634234874U, (uint64_t)10861682798464583253U, -+ (uint64_t)15404737222404363049U, (uint64_t)363586619281562022U -+ }; -+ 
uint64_t -+ q3[12U] = -+ { -+ (uint64_t)14619254753077084366U, (uint64_t)13913835116514008593U, -+ (uint64_t)15060744674088488145U, (uint64_t)17668414598203068685U, -+ (uint64_t)10761169236902342334U, (uint64_t)15467027479157446221U, -+ (uint64_t)14989185522423469618U, (uint64_t)14354539272510107003U, -+ (uint64_t)14298211796392133693U, (uint64_t)13270323784253711450U, -+ (uint64_t)13380964971965046957U, (uint64_t)8686204248456909699U -+ }; -+ uint64_t -+ q4[12U] = -+ { -+ (uint64_t)7870395003430845958U, (uint64_t)18001862936410067720U, -+ (uint64_t)8006461232116967215U, (uint64_t)5921313779532424762U, -+ (uint64_t)10702113371959864307U, (uint64_t)8070517410642379879U, -+ (uint64_t)7139806720777708306U, (uint64_t)8253938546650739833U, -+ (uint64_t)17490482834545705718U, (uint64_t)1065249776797037500U, -+ (uint64_t)5018258455937968775U, (uint64_t)14100621120178668337U -+ }; -+ */ -+ uint64_t *r1 = scalar; -+ uint64_t *r2 = scalar + (uint32_t)1U; -+ uint64_t *r3 = scalar + (uint32_t)2U; -+ uint64_t *r4 = scalar + (uint32_t)3U; -+ make_point_at_inf(res); -+ uint64_t tmp[12U] = { 0U }; -+ KRML_MAYBE_FOR16(i, -+ (uint32_t)0U, -+ (uint32_t)16U, -+ (uint32_t)1U, -+ KRML_MAYBE_FOR4(i0, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, point_double(res, res);); -+ uint32_t k = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r4, k, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_192_table_w4, bits_l, tmp); -+ point_add(res, res, tmp); -+ uint32_t k0 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r3, k0, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_128_table_w4, bits_l0, tmp); -+ point_add(res, res, tmp); -+ uint32_t k1 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l1 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r2, k1, (uint32_t)4U); -+ 
precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_64_table_w4, bits_l1, tmp); -+ point_add(res, res, tmp); -+ uint32_t k2 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l2 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r1, k2, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_basepoint_table_w4, bits_l2, tmp); -+ point_add(res, res, tmp);); -+} -+ -+static inline void -+point_mul_double_g(uint64_t *res, uint64_t *scalar1, uint64_t *scalar2, uint64_t *q2) -+{ -+ uint64_t q1[12U] = { 0U }; -+ make_base_point(q1); -+ uint64_t table2[384U] = { 0U }; -+ uint64_t tmp[12U] = { 0U }; -+ uint64_t *t0 = table2; -+ uint64_t *t1 = table2 + (uint32_t)12U; -+ make_point_at_inf(t0); -+ memcpy(t1, q2, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i, -+ (uint32_t)0U, -+ (uint32_t)15U, -+ (uint32_t)1U, -+ uint64_t *t11 = table2 + (i + (uint32_t)1U) * (uint32_t)12U; -+ point_double(tmp, t11); -+ memcpy(table2 + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t)); -+ uint64_t *t2 = table2 + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U; -+ point_add(tmp, q2, t2); -+ memcpy(table2 + ((uint32_t)2U * i + (uint32_t)3U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t));); -+ uint64_t tmp0[12U] = { 0U }; -+ uint32_t i0 = (uint32_t)255U; -+ uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar1, i0, (uint32_t)5U); -+ uint32_t bits_l32 = (uint32_t)bits_c; -+ const uint64_t -+ *a_bits_l = Hacl_P256_PrecompTable_precomp_basepoint_table_w5 + bits_l32 * (uint32_t)12U; -+ memcpy(res, (uint64_t *)a_bits_l, (uint32_t)12U * sizeof(uint64_t)); -+ uint32_t i1 = (uint32_t)255U; -+ uint64_t bits_c0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar2, i1, (uint32_t)5U); -+ uint32_t bits_l320 = (uint32_t)bits_c0; -+ const uint64_t *a_bits_l0 = table2 + bits_l320 * (uint32_t)12U; -+ memcpy(tmp0, (uint64_t *)a_bits_l0, (uint32_t)12U * sizeof(uint64_t)); -+ 
point_add(res, res, tmp0); -+ uint64_t tmp1[12U] = { 0U }; -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)51U; i++) { -+ KRML_MAYBE_FOR5(i2, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, point_double(res, res);); -+ uint32_t k = (uint32_t)255U - (uint32_t)5U * i - (uint32_t)5U; -+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar2, k, (uint32_t)5U); -+ uint32_t bits_l321 = (uint32_t)bits_l; -+ const uint64_t *a_bits_l1 = table2 + bits_l321 * (uint32_t)12U; -+ memcpy(tmp1, (uint64_t *)a_bits_l1, (uint32_t)12U * sizeof(uint64_t)); -+ point_add(res, res, tmp1); -+ uint32_t k0 = (uint32_t)255U - (uint32_t)5U * i - (uint32_t)5U; -+ uint64_t bits_l0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar1, k0, (uint32_t)5U); -+ uint32_t bits_l322 = (uint32_t)bits_l0; -+ const uint64_t -+ *a_bits_l2 = Hacl_P256_PrecompTable_precomp_basepoint_table_w5 + bits_l322 * (uint32_t)12U; -+ memcpy(tmp1, (uint64_t *)a_bits_l2, (uint32_t)12U * sizeof(uint64_t)); -+ point_add(res, res, tmp1); -+ } -+} -+ -+static inline uint64_t -+bn_is_lt_order_mask4(uint64_t *f) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ make_order(tmp); -+ uint64_t c = bn_sub4(tmp, f, tmp); -+ return (uint64_t)0U - c; -+} -+ -+static inline uint64_t -+bn_is_lt_order_and_gt_zero_mask4(uint64_t *f) -+{ -+ uint64_t is_lt_order = bn_is_lt_order_mask4(f); -+ uint64_t is_eq_zero = bn_is_zero_mask4(f); -+ return is_lt_order & ~is_eq_zero; -+} -+ -+static inline void -+qmod_short(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ make_order(tmp); -+ uint64_t c = bn_sub4(tmp, x, tmp); -+ bn_cmovznz4(res, c, tmp, x); -+} -+ -+static inline void -+qadd(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_order(n); -+ bn_add_mod4(res, n, x, y); -+} -+ -+static inline void -+qmont_reduction(uint64_t *res, uint64_t *x) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_order(n); -+ uint64_t c0 = (uint64_t)0U; -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, 
-+ uint64_t qj = (uint64_t)0xccd1c8aaee00bc4fU * x[i0]; -+ uint64_t *res_j0 = x + i0; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t a_i = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res_j0 + (uint32_t)4U * (uint32_t)0U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); -+ uint64_t a_i0 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); -+ uint64_t a_i1 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); -+ uint64_t a_i2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); -+ } uint64_t r = c; -+ uint64_t c1 = r; -+ uint64_t *resb = x + (uint32_t)4U + i0; -+ uint64_t res_j = x[(uint32_t)4U + i0]; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); -+ memcpy(res, x + (uint32_t)4U, (uint32_t)4U * sizeof(uint64_t)); -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = 
Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ uint64_t c2 = c00 - c1; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); -+ os[i] = x1;); -+} -+ -+static inline void -+from_qmont(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ memcpy(tmp, x, (uint32_t)4U * sizeof(uint64_t)); -+ qmont_reduction(res, tmp); -+} -+ -+static inline void -+qmul(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_mul4(tmp, x, y); -+ qmont_reduction(res, tmp); -+} -+ -+static inline void -+qsqr(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_sqr4(tmp, x); -+ qmont_reduction(res, tmp); -+} -+ -+bool -+Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_key) -+{ -+ uint64_t tmp[16U] = { 0U }; -+ uint64_t *sk = tmp; -+ uint64_t *pk = tmp + (uint32_t)4U; -+ bn_from_bytes_be4(sk, private_key); -+ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(sk); -+ uint64_t oneq[4U] = { 0U }; -+ oneq[0U] = (uint64_t)1U; -+ oneq[1U] = (uint64_t)0U; -+ oneq[2U] = (uint64_t)0U; -+ oneq[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = sk; -+ uint64_t uu____0 = oneq[i]; -+ uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); -+ os[i] = x;); -+ uint64_t is_sk_valid = is_b_valid; -+ point_mul_g(pk, sk); -+ point_store(public_key, pk); -+ return is_sk_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+bool -+Hacl_Impl_P256_DH_ecp256dh_r( -+ uint8_t *shared_secret, -+ uint8_t *their_pubkey, -+ uint8_t *private_key) -+{ -+ uint64_t tmp[16U] = { 0U }; -+ uint64_t *sk = 
tmp; -+ uint64_t *pk = tmp + (uint32_t)4U; -+ bool is_pk_valid = load_point_vartime(pk, their_pubkey); -+ bn_from_bytes_be4(sk, private_key); -+ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(sk); -+ uint64_t oneq[4U] = { 0U }; -+ oneq[0U] = (uint64_t)1U; -+ oneq[1U] = (uint64_t)0U; -+ oneq[2U] = (uint64_t)0U; -+ oneq[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = sk; -+ uint64_t uu____0 = oneq[i]; -+ uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); -+ os[i] = x;); -+ uint64_t is_sk_valid = is_b_valid; -+ uint64_t ss_proj[12U] = { 0U }; -+ if (is_pk_valid) { -+ point_mul(ss_proj, sk, pk); -+ point_store(shared_secret, ss_proj); -+ } -+ return is_sk_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU && is_pk_valid; -+} -+ -+static inline void -+qinv(uint64_t *res, uint64_t *r) -+{ -+ uint64_t tmp[28U] = { 0U }; -+ uint64_t *x6 = tmp; -+ uint64_t *x_11 = tmp + (uint32_t)4U; -+ uint64_t *x_101 = tmp + (uint32_t)8U; -+ uint64_t *x_111 = tmp + (uint32_t)12U; -+ uint64_t *x_1111 = tmp + (uint32_t)16U; -+ uint64_t *x_10101 = tmp + (uint32_t)20U; -+ uint64_t *x_101111 = tmp + (uint32_t)24U; -+ memcpy(x6, r, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_11, x6, r); -+ qmul(x_101, x6, x_11); -+ qmul(x_111, x6, x_101); -+ memcpy(x6, x_101, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_1111, x_101, x6); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_10101, x6, r); -+ memcpy(x6, x_10101, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_101111, x_101, x6); -+ qmul(x6, x_10101, x6); -+ uint64_t tmp1[4U] = { 0U }; -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(x6, x6);); -+ qmul(x6, x6, x_11); -+ memcpy(tmp1, x6, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x6); -+ memcpy(x6, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR16(i, 
(uint32_t)0U, (uint32_t)16U, (uint32_t)1U, qsqr(x6, x6);); -+ qmul(x6, x6, tmp1); -+ memcpy(tmp1, x6, (uint32_t)4U * sizeof(uint64_t)); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) { -+ qsqr(tmp1, tmp1); -+ } -+ qmul(tmp1, tmp1, x6); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ qsqr(tmp1, tmp1); -+ } -+ qmul(tmp1, tmp1, x6); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_10101); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR9(i, (uint32_t)0U, (uint32_t)9U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101111); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, r); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, r); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, 
qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR10(i, (uint32_t)0U, (uint32_t)10U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101111); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, r); -+ KRML_MAYBE_FOR7(i, (uint32_t)0U, (uint32_t)7U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_10101); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ memcpy(x6, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ memcpy(res, x6, (uint32_t)4U * sizeof(uint64_t)); -+} -+ -+static inline void -+qmul_mont(uint64_t *sinv, uint64_t *b, uint64_t *res) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ from_qmont(tmp, b); -+ qmul(res, sinv, tmp); -+} -+ -+static inline bool -+ecdsa_verify_msg_as_qelem( -+ uint64_t *m_q, -+ uint8_t *public_key, -+ uint8_t *signature_r, -+ uint8_t *signature_s) -+{ -+ uint64_t tmp[28U] = { 0U }; -+ uint64_t *pk = tmp; -+ uint64_t *r_q = tmp + (uint32_t)12U; -+ uint64_t *s_q = tmp + (uint32_t)16U; -+ uint64_t *u1 = tmp + (uint32_t)20U; -+ uint64_t *u2 = tmp + (uint32_t)24U; -+ bool is_pk_valid = load_point_vartime(pk, public_key); -+ 
bn_from_bytes_be4(r_q, signature_r); -+ bn_from_bytes_be4(s_q, signature_s); -+ uint64_t is_r_valid = bn_is_lt_order_and_gt_zero_mask4(r_q); -+ uint64_t is_s_valid = bn_is_lt_order_and_gt_zero_mask4(s_q); -+ bool -+ is_rs_valid = -+ is_r_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU && is_s_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ if (!(is_pk_valid && is_rs_valid)) { -+ return false; -+ } -+ uint64_t sinv[4U] = { 0U }; -+ qinv(sinv, s_q); -+ qmul_mont(sinv, m_q, u1); -+ qmul_mont(sinv, r_q, u2); -+ uint64_t res[12U] = { 0U }; -+ point_mul_double_g(res, u1, u2, pk); -+ if (is_point_at_inf_vartime(res)) { -+ return false; -+ } -+ uint64_t x[4U] = { 0U }; -+ to_aff_point_x(x, res); -+ qmod_short(x, x); -+ bool res1 = bn_is_eq_vartime4(x, r_q); -+ return res1; -+} -+ -+static inline bool -+ecdsa_sign_msg_as_qelem( -+ uint8_t *signature, -+ uint64_t *m_q, -+ uint8_t *private_key, -+ uint8_t *nonce) -+{ -+ uint64_t rsdk_q[16U] = { 0U }; -+ uint64_t *r_q = rsdk_q; -+ uint64_t *s_q = rsdk_q + (uint32_t)4U; -+ uint64_t *d_a = rsdk_q + (uint32_t)8U; -+ uint64_t *k_q = rsdk_q + (uint32_t)12U; -+ bn_from_bytes_be4(d_a, private_key); -+ uint64_t is_b_valid0 = bn_is_lt_order_and_gt_zero_mask4(d_a); -+ uint64_t oneq0[4U] = { 0U }; -+ oneq0[0U] = (uint64_t)1U; -+ oneq0[1U] = (uint64_t)0U; -+ oneq0[2U] = (uint64_t)0U; -+ oneq0[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = d_a; -+ uint64_t uu____0 = oneq0[i]; -+ uint64_t x = uu____0 ^ (is_b_valid0 & (d_a[i] ^ uu____0)); -+ os[i] = x;); -+ uint64_t is_sk_valid = is_b_valid0; -+ bn_from_bytes_be4(k_q, nonce); -+ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(k_q); -+ uint64_t oneq[4U] = { 0U }; -+ oneq[0U] = (uint64_t)1U; -+ oneq[1U] = (uint64_t)0U; -+ oneq[2U] = (uint64_t)0U; -+ oneq[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = k_q; -+ uint64_t uu____1 = oneq[i]; -+ uint64_t x = uu____1 ^ (is_b_valid & 
(k_q[i] ^ uu____1)); -+ os[i] = x;); -+ uint64_t is_nonce_valid = is_b_valid; -+ uint64_t are_sk_nonce_valid = is_sk_valid & is_nonce_valid; -+ uint64_t p[12U] = { 0U }; -+ point_mul_g(p, k_q); -+ to_aff_point_x(r_q, p); -+ qmod_short(r_q, r_q); -+ uint64_t kinv[4U] = { 0U }; -+ qinv(kinv, k_q); -+ qmul(s_q, r_q, d_a); -+ from_qmont(m_q, m_q); -+ qadd(s_q, m_q, s_q); -+ qmul(s_q, kinv, s_q); -+ bn2_to_bytes_be4(signature, r_q, s_q); -+ uint64_t is_r_zero = bn_is_zero_mask4(r_q); -+ uint64_t is_s_zero = bn_is_zero_mask4(s_q); -+ uint64_t m = are_sk_nonce_valid & (~is_r_zero & ~is_s_zero); -+ bool res = m == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ return res; -+} -+ -+/******************************************************************************* -+ -+ Verified C library for ECDSA and ECDH functions over the P-256 NIST curve. -+ -+ This module implements signing and verification, key validation, conversions -+ between various point representations, and ECDH key agreement. -+ -+*******************************************************************************/ -+ -+/*****************/ -+/* ECDSA signing */ -+/*****************/ -+ -+/** -+Create an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-sign combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs -+ smaller than 32 bytes. These libraries left-pad the input with enough zeroes to -+ reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL -+ need to perform the left-padding themselves. -+ -+ The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. -+ -+ The outparam `signature` (R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. 
-+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The arguments `private_key` and `nonce` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `nonce` are valid values: -+ • 0 < `private_key` < the order of the curve -+ • 0 < `nonce` < the order of the curve -+*/ -+bool -+Hacl_P256_ecdsa_sign_p256_without_hash( -+ uint8_t *signature, -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *private_key, -+ uint8_t *nonce) -+{ -+ uint64_t m_q[4U] = { 0U }; -+ uint8_t mHash[32U] = { 0U }; -+ memcpy(mHash, msg, (uint32_t)32U * sizeof(uint8_t)); -+ uint8_t *mHash32 = mHash; -+ bn_from_bytes_be4(m_q, mHash32); -+ qmod_short(m_q, m_q); -+ bool res = ecdsa_sign_msg_as_qelem(signature, m_q, private_key, nonce); -+ return res; -+} -+ -+/**********************/ -+/* ECDSA verification */ -+/**********************/ -+ -+/** -+Verify an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-verify combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ The function returns `true` if the signature is valid and `false` otherwise. -+ -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The argument `public_key` (x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The arguments `signature_r` and `signature_s` point to 32 bytes of valid memory, i.e., uint8_t[32]. 
-+ -+ The function also checks whether `public_key` is valid -+*/ -+bool -+Hacl_P256_ecdsa_verif_without_hash( -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *public_key, -+ uint8_t *signature_r, -+ uint8_t *signature_s) -+{ -+ uint64_t m_q[4U] = { 0U }; -+ uint8_t mHash[32U] = { 0U }; -+ memcpy(mHash, msg, (uint32_t)32U * sizeof(uint8_t)); -+ uint8_t *mHash32 = mHash; -+ bn_from_bytes_be4(m_q, mHash32); -+ qmod_short(m_q, m_q); -+ bool res = ecdsa_verify_msg_as_qelem(m_q, public_key, signature_r, signature_s); -+ return res; -+} -+ -+/******************/ -+/* Key validation */ -+/******************/ -+ -+/** -+Public key validation. -+ -+ The function returns `true` if a public key is valid and `false` otherwise. -+ -+ The argument `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The public key (x || y) is valid (with respect to SP 800-56A): -+ • the public key is not the “point at infinity”, represented as O. -+ • the affine x and y coordinates of the point represented by the public key are -+ in the range [0, p – 1] where p is the prime defining the finite field. -+ • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. -+ The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ -+*/ -+bool -+Hacl_P256_validate_public_key(uint8_t *public_key) -+{ -+ uint64_t point_jac[12U] = { 0U }; -+ bool res = load_point_vartime(point_jac, public_key); -+ return res; -+} -+ -+/** -+Private key validation. -+ -+ The function returns `true` if a private key is valid and `false` otherwise. -+ -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. 
-+ -+ The private key is valid: -+ • 0 < `private_key` < the order of the curve -+*/ -+bool -+Hacl_P256_validate_private_key(uint8_t *private_key) -+{ -+ uint64_t bn_sk[4U] = { 0U }; -+ bn_from_bytes_be4(bn_sk, private_key); -+ uint64_t res = bn_is_lt_order_and_gt_zero_mask4(bn_sk); -+ return res == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+/******************************************************************************* -+ Parsing and Serializing public keys. -+ -+ A public key is a point (x, y) on the P-256 NIST curve. -+ -+ The point can be represented in the following three ways. -+ • raw = [ x || y ], 64 bytes -+ • uncompressed = [ 0x04 || x || y ], 65 bytes -+ • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes -+ -+*******************************************************************************/ -+ -+/** -+Convert a public key from uncompressed to its raw form. -+ -+ The function returns `true` for successful conversion of a public key and `false` otherwise. -+ -+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+bool -+Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw) -+{ -+ uint8_t pk0 = pk[0U]; -+ if (pk0 != (uint8_t)0x04U) { -+ return false; -+ } -+ memcpy(pk_raw, pk + (uint32_t)1U, (uint32_t)64U * sizeof(uint8_t)); -+ return true; -+} -+ -+/** -+Convert a public key from compressed to its raw form. -+ -+ The function returns `true` for successful conversion of a public key and `false` otherwise. -+ -+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. -+ -+ The function also checks whether (x, y) is a valid point. 
-+*/ -+bool -+Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw) -+{ -+ uint64_t xa[4U] = { 0U }; -+ uint64_t ya[4U] = { 0U }; -+ uint8_t *pk_xb = pk + (uint32_t)1U; -+ bool b = aff_point_decompress_vartime(xa, ya, pk); -+ if (b) { -+ memcpy(pk_raw, pk_xb, (uint32_t)32U * sizeof(uint8_t)); -+ bn_to_bytes_be4(pk_raw + (uint32_t)32U, ya); -+ } -+ return b; -+} -+ -+/** -+Convert a public key from raw to its uncompressed form. -+ -+ The outparam `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. -+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+void -+Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk) -+{ -+ pk[0U] = (uint8_t)0x04U; -+ memcpy(pk + (uint32_t)1U, pk_raw, (uint32_t)64U * sizeof(uint8_t)); -+} -+ -+/** -+Convert a public key from raw to its compressed form. -+ -+ The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. -+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+void -+Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk) -+{ -+ uint8_t *pk_x = pk_raw; -+ uint8_t *pk_y = pk_raw + (uint32_t)32U; -+ uint64_t bn_f[4U] = { 0U }; -+ bn_from_bytes_be4(bn_f, pk_y); -+ uint64_t is_odd_f = bn_f[0U] & (uint64_t)1U; -+ pk[0U] = (uint8_t)is_odd_f + (uint8_t)0x02U; -+ memcpy(pk + (uint32_t)1U, pk_x, (uint32_t)32U * sizeof(uint8_t)); -+} -+ -+/******************/ -+/* ECDH agreement */ -+/******************/ -+ -+/** -+Compute the public key from the private key. -+ -+ The function returns `true` if a private key is valid and `false` otherwise. -+ -+ The outparam `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The private key is valid: -+ • 0 < `private_key` < the order of the curve. 
-+*/ -+bool -+Hacl_P256_dh_initiator(uint8_t *public_key, uint8_t *private_key) -+{ -+ return Hacl_Impl_P256_DH_ecp256dh_i(public_key, private_key); -+} -+ -+/** -+Execute the diffie-hellmann key exchange. -+ -+ The function returns `true` for successful creation of an ECDH shared secret and -+ `false` otherwise. -+ -+ The outparam `shared_secret` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `their_pubkey` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `their_pubkey` are valid. -+*/ -+bool -+Hacl_P256_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key) -+{ -+ return Hacl_Impl_P256_DH_ecp256dh_r(shared_secret, their_pubkey, private_key); -+} -+ -diff -up ./lib/freebl/verified/Hacl_P256.h.p256 ./lib/freebl/verified/Hacl_P256.h ---- ./lib/freebl/verified/Hacl_P256.h.p256 2024-01-09 11:25:43.803382195 -0800 -+++ ./lib/freebl/verified/Hacl_P256.h 2024-01-09 11:25:43.803382195 -0800 -@@ -0,0 +1,237 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. 
-+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __Hacl_P256_H -+#define __Hacl_P256_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "Hacl_Krmllib.h" -+#include "lib_intrinsics.h" -+ -+/******************************************************************************* -+ -+ Verified C library for ECDSA and ECDH functions over the P-256 NIST curve. -+ -+ This module implements signing and verification, key validation, conversions -+ between various point representations, and ECDH key agreement. -+ -+*******************************************************************************/ -+ -+/*****************/ -+/* ECDSA signing */ -+/*****************/ -+ -+/** -+Create an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-sign combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs -+ smaller than 32 bytes. These libraries left-pad the input with enough zeroes to -+ reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL -+ need to perform the left-padding themselves. -+ -+ The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. 
-+ -+ The outparam `signature` (R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The arguments `private_key` and `nonce` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `nonce` are valid values: -+ • 0 < `private_key` < the order of the curve -+ • 0 < `nonce` < the order of the curve -+*/ -+bool -+Hacl_P256_ecdsa_sign_p256_without_hash( -+ uint8_t *signature, -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *private_key, -+ uint8_t *nonce); -+ -+/**********************/ -+/* ECDSA verification */ -+/**********************/ -+ -+/** -+Verify an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-verify combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ The function returns `true` if the signature is valid and `false` otherwise. -+ -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The argument `public_key` (x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The arguments `signature_r` and `signature_s` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `public_key` is valid -+*/ -+bool -+Hacl_P256_ecdsa_verif_without_hash( -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *public_key, -+ uint8_t *signature_r, -+ uint8_t *signature_s); -+ -+/******************/ -+/* Key validation */ -+/******************/ -+ -+/** -+Public key validation. -+ -+ The function returns `true` if a public key is valid and `false` otherwise. -+ -+ The argument `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The public key (x || y) is valid (with respect to SP 800-56A): -+ • the public key is not the “point at infinity”, represented as O. 
-+ • the affine x and y coordinates of the point represented by the public key are
-+ in the range [0, p – 1] where p is the prime defining the finite field.
-+ • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation.
-+ The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/
-+*/
-+bool Hacl_P256_validate_public_key(uint8_t *public_key);
-+
-+/**
-+Private key validation.
-+
-+ The function returns `true` if a private key is valid and `false` otherwise.
-+
-+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
-+
-+ The private key is valid:
-+ • 0 < `private_key` < the order of the curve
-+*/
-+bool Hacl_P256_validate_private_key(uint8_t *private_key);
-+
-+/*******************************************************************************
-+ Parsing and Serializing public keys.
-+
-+ A public key is a point (x, y) on the P-256 NIST curve.
-+
-+ The point can be represented in the following three ways.
-+ • raw = [ x || y ], 64 bytes
-+ • uncompressed = [ 0x04 || x || y ], 65 bytes
-+ • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes
-+
-+*******************************************************************************/
-+
-+/**
-+Convert a public key from uncompressed to its raw form.
-+
-+ The function returns `true` for successful conversion of a public key and `false` otherwise.
-+
-+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64].
-+ The argument `pk` points to 65 bytes of valid memory, i.e., uint8_t[65].
-+
-+ The function DOESN'T check whether (x, y) is a valid point.
-+*/
-+bool Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw);
-+
-+/**
-+Convert a public key from compressed to its raw form.
-+
-+ The function returns `true` for successful conversion of a public key and `false` otherwise.
-+
-+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64].
-+ The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33].
-+
-+ The function also checks whether (x, y) is a valid point.
-+*/
-+bool Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw);
-+
-+/**
-+Convert a public key from raw to its uncompressed form.
-+
-+ The outparam `pk` points to 65 bytes of valid memory, i.e., uint8_t[65].
-+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64].
-+
-+ The function DOESN'T check whether (x, y) is a valid point.
-+*/
-+void Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk);
-+
-+/**
-+Convert a public key from raw to its compressed form.
-+
-+ The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33].
-+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64].
-+
-+ The function DOESN'T check whether (x, y) is a valid point.
-+*/
-+void Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk);
-+
-+/******************/
-+/* ECDH agreement */
-+/******************/
-+
-+/**
-+Compute the public key from the private key.
-+
-+ The function returns `true` if a private key is valid and `false` otherwise.
-+
-+ The outparam `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64].
-+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
-+
-+ The private key is valid:
-+ • 0 < `private_key` < the order of the curve.
-+*/
-+bool Hacl_P256_dh_initiator(uint8_t *public_key, uint8_t *private_key);
-+
-+/**
-+Execute the diffie-hellmann key exchange.
-+
-+ The function returns `true` for successful creation of an ECDH shared secret and
-+ `false` otherwise.
-+
-+ The outparam `shared_secret` points to 64 bytes of valid memory, i.e., uint8_t[64].
-+ The argument `their_pubkey` points to 64 bytes of valid memory, i.e., uint8_t[64].
-+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
-+
-+ The function also checks whether `private_key` and `their_pubkey` are valid.
-+*/
-+bool
-+Hacl_P256_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key);
-+
-+#if defined(__cplusplus)
-+}
-+#endif
-+
-+#define __Hacl_P256_H_DEFINED
-+#endif
-diff -up ./lib/freebl/verified/internal/Hacl_Bignum_Base.h.p256 ./lib/freebl/verified/internal/Hacl_Bignum_Base.h
---- ./lib/freebl/verified/internal/Hacl_Bignum_Base.h.p256 2024-01-09 11:25:43.803382195 -0800
-+++ ./lib/freebl/verified/internal/Hacl_Bignum_Base.h 2024-01-09 11:25:43.803382195 -0800
-@@ -0,0 +1,114 @@
-+/* MIT License
-+ *
-+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
-+ * Copyright (c) 2022-2023 HACL* Contributors
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in all
-+ * copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-+ * SOFTWARE.
-+ */
-+
-+#ifndef __internal_Hacl_Bignum_Base_H
-+#define __internal_Hacl_Bignum_Base_H
-+
-+#if defined(__cplusplus)
-+extern "C" {
-+#endif
-+
-+#include
-+#include "krml/internal/types.h"
-+#include "krml/lowstar_endianness.h"
-+#include "krml/internal/target.h"
-+
-+#include "internal/Hacl_Krmllib.h"
-+#include "Hacl_Krmllib.h"
-+#include "internal/lib_intrinsics.h"
-+
-+static inline uint32_t
-+Hacl_Bignum_Base_mul_wide_add2_u32(uint32_t a, uint32_t b, uint32_t c_in, uint32_t *out)
-+{
-+ uint32_t out0 = out[0U];
-+ uint64_t res = (uint64_t)a * (uint64_t)b + (uint64_t)c_in + (uint64_t)out0;
-+ out[0U] = (uint32_t)res;
-+ return (uint32_t)(res >> (uint32_t)32U);
-+}
-+
-+static inline uint64_t
-+Hacl_Bignum_Base_mul_wide_add2_u64(uint64_t a, uint64_t b, uint64_t c_in, uint64_t *out)
-+{
-+ uint64_t out0 = out[0U];
-+ FStar_UInt128_uint128
-+ res =
-+ FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(a, b),
-+ FStar_UInt128_uint64_to_uint128(c_in)),
-+ FStar_UInt128_uint64_to_uint128(out0));
-+ out[0U] = FStar_UInt128_uint128_to_uint64(res);
-+ return FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U));
-+}
-+
-+static inline uint64_t
-+Hacl_Bignum_Lib_bn_get_bits_u64(uint32_t len, uint64_t *b, uint32_t i, uint32_t l)
-+{
-+ uint32_t i1 = i / (uint32_t)64U;
-+ uint32_t j = i % (uint32_t)64U;
-+ uint64_t p1 = b[i1] >> j;
-+ uint64_t ite;
-+ if (i1 + (uint32_t)1U < len && (uint32_t)0U < j) {
-+ ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j);
-+ } else {
-+ ite = p1;
-+ }
-+ return ite & (((uint64_t)1U << l) - (uint64_t)1U);
-+}
-+
-+static inline uint64_t
-+Hacl_Bignum_Addition_bn_add_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res)
-+{
-+ uint64_t c = (uint64_t)0U;
-+ for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) {
-+ uint64_t t1 = a[(uint32_t)4U * i];
-+ uint64_t t20 = b[(uint32_t)4U * i];
-+ uint64_t *res_i0 = res + (uint32_t)4U * i;
-+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0);
-+ uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U];
-+ uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U];
-+ uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U;
-+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1);
-+ uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U];
-+ uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U];
-+ uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U;
-+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2);
-+ uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U];
-+ uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U];
-+ uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U;
-+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i);
-+ }
-+ for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) {
-+ uint64_t t1 = a[i];
-+ uint64_t t2 = b[i];
-+ uint64_t *res_i = res + i;
-+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i);
-+ }
-+ return c;
-+}
-+
-+#if defined(__cplusplus)
-+}
-+#endif
-+
-+#define __internal_Hacl_Bignum_Base_H_DEFINED
-+#endif
-diff -up ./lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h.p256 ./lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h
---- ./lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h.p256 2024-01-09 11:25:43.803382195 -0800
-+++ ./lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h 2024-01-09 11:25:43.803382195 -0800
-@@ -0,0 +1,72 @@
-+/* MIT License
-+ *
-+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
-+ * Copyright (c) 2022-2023 HACL* Contributors
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in all
-+ * copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-+ * SOFTWARE.
-+ */
-+
-+#ifndef __Hacl_IntTypes_Intrinsics_128_H
-+#define __Hacl_IntTypes_Intrinsics_128_H
-+
-+#if defined(__cplusplus)
-+extern "C" {
-+#endif
-+
-+#include
-+#include "krml/internal/types.h"
-+#include "krml/lowstar_endianness.h"
-+#include "krml/internal/target.h"
-+
-+#include "Hacl_Krmllib.h"
-+
-+static inline uint64_t
-+Hacl_IntTypes_Intrinsics_128_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
-+{
-+ FStar_UInt128_uint128
-+ res =
-+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_uint64_to_uint128(x),
-+ FStar_UInt128_uint64_to_uint128(cin)),
-+ FStar_UInt128_uint64_to_uint128(y));
-+ uint64_t c = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U));
-+ r[0U] = FStar_UInt128_uint128_to_uint64(res);
-+ return c;
-+}
-+
-+static inline uint64_t
-+Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
-+{
-+ FStar_UInt128_uint128
-+ res =
-+ FStar_UInt128_sub_mod(FStar_UInt128_sub_mod(FStar_UInt128_uint64_to_uint128(x),
-+ FStar_UInt128_uint64_to_uint128(y)),
-+ FStar_UInt128_uint64_to_uint128(cin));
-+ uint64_t
-+ c =
-+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)) & (uint64_t)1U;
-+ r[0U] = FStar_UInt128_uint128_to_uint64(res);
-+ return c;
-+}
-+
-+#if defined(__cplusplus)
-+}
-+#endif
-+
-+#define __Hacl_IntTypes_Intrinsics_128_H_DEFINED
-+#endif
-diff -up ./lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h.p256 ./lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h
---- ./lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h.p256 2024-01-09 11:25:43.803382195 -0800
-+++ ./lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h 2024-01-09 11:25:43.803382195 -0800
-@@ -0,0 +1,83 @@
-+/* MIT License
-+ *
-+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
-+ * Copyright (c) 2022-2023 HACL* Contributors
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in all
-+ * copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-+ * SOFTWARE.
-+ */
-+
-+#ifndef __Hacl_IntTypes_Intrinsics_H
-+#define __Hacl_IntTypes_Intrinsics_H
-+
-+#if defined(__cplusplus)
-+extern "C" {
-+#endif
-+
-+#include
-+#include "krml/internal/types.h"
-+#include "krml/lowstar_endianness.h"
-+#include "krml/internal/target.h"
-+
-+#include "Hacl_Krmllib.h"
-+
-+static inline uint32_t
-+Hacl_IntTypes_Intrinsics_add_carry_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r)
-+{
-+ uint64_t res = (uint64_t)x + (uint64_t)cin + (uint64_t)y;
-+ uint32_t c = (uint32_t)(res >> (uint32_t)32U);
-+ r[0U] = (uint32_t)res;
-+ return c;
-+}
-+
-+static inline uint32_t
-+Hacl_IntTypes_Intrinsics_sub_borrow_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r)
-+{
-+ uint64_t res = (uint64_t)x - (uint64_t)y - (uint64_t)cin;
-+ uint32_t c = (uint32_t)(res >> (uint32_t)32U) & (uint32_t)1U;
-+ r[0U] = (uint32_t)res;
-+ return c;
-+}
-+
-+static inline uint64_t
-+Hacl_IntTypes_Intrinsics_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
-+{
-+ uint64_t res = x + cin + y;
-+ uint64_t
-+ c = (~FStar_UInt64_gte_mask(res, x) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U;
-+ r[0U] = res;
-+ return c;
-+}
-+
-+static inline uint64_t
-+Hacl_IntTypes_Intrinsics_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r)
-+{
-+ uint64_t res = x - y - cin;
-+ uint64_t
-+ c =
-+ ((FStar_UInt64_gte_mask(res, x) & ~FStar_UInt64_eq_mask(res, x)) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U;
-+ r[0U] = res;
-+ return c;
-+}
-+
-+#if defined(__cplusplus)
-+}
-+#endif
-+
-+#define __Hacl_IntTypes_Intrinsics_H_DEFINED
-+#endif
-diff -up ./lib/freebl/verified/internal/Hacl_P256.h.p256 ./lib/freebl/verified/internal/Hacl_P256.h
---- ./lib/freebl/verified/internal/Hacl_P256.h.p256 2024-01-09 11:25:43.803382195 -0800
-+++ ./lib/freebl/verified/internal/Hacl_P256.h 2024-01-09 11:25:43.803382195 -0800
-@@ -0,0 +1,56 @@
-+/* MIT License
-+ *
-+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
-+ * Copyright (c) 2022-2023 HACL* Contributors
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in all
-+ * copies or substantial portions of the Software.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-+ * SOFTWARE.
-+ */
-+
-+#ifndef __internal_Hacl_P256_H
-+#define __internal_Hacl_P256_H
-+
-+#if defined(__cplusplus)
-+extern "C" {
-+#endif
-+
-+#include
-+#include "krml/internal/types.h"
-+#include "krml/lowstar_endianness.h"
-+#include "krml/internal/target.h"
-+
-+#include "internal/Hacl_P256_PrecompTable.h"
-+#include "internal/Hacl_Krmllib.h"
-+#include "internal/Hacl_Bignum_Base.h"
-+#include "../Hacl_P256.h"
-+//#include "lib_intrinsics.h"
-+
-+bool Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_key);
-+
-+bool
-+Hacl_Impl_P256_DH_ecp256dh_r(
-+ uint8_t *shared_secret,
-+ uint8_t *their_pubkey,
-+ uint8_t *private_key);
-+
-+#if defined(__cplusplus)
-+}
-+#endif
-+
-+#define __internal_Hacl_P256_H_DEFINED
-+#endif
-diff -up ./lib/freebl/verified/internal/Hacl_P256_PrecompTable.h.p256 ./lib/freebl/verified/internal/Hacl_P256_PrecompTable.h
---- ./lib/freebl/verified/internal/Hacl_P256_PrecompTable.h.p256 2024-01-09 11:25:43.803382195 -0800
-+++ ./lib/freebl/verified/internal/Hacl_P256_PrecompTable.h 2024-01-09 11:25:43.803382195 -0800
-@@ -0,0 +1,508 @@
-+/* MIT License
-+ *
-+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
-+ * Copyright (c) 2022-2023 HACL* Contributors
-+ *
-+ * Permission is hereby granted, free of charge, to any person obtaining a copy
-+ * of this software and associated documentation files (the "Software"), to deal
-+ * in the Software without restriction, including without limitation the rights
-+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+ * copies of the Software, and to permit persons to whom the Software is
-+ * furnished to do so, subject to the following conditions:
-+ *
-+ * The above copyright notice and this permission notice shall be included in all
-+ * copies or substantial portions of the Software.
-+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __internal_Hacl_P256_PrecompTable_H -+#define __internal_Hacl_P256_PrecompTable_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_basepoint_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)8784043285714375740U, -+ (uint64_t)8483257759279461889U, (uint64_t)8789745728267363600U, (uint64_t)1770019616739251654U, -+ (uint64_t)15992936863339206154U, (uint64_t)10037038012062884956U, -+ (uint64_t)15197544864945402661U, (uint64_t)9615747158586711429U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)10634854829044225757U, (uint64_t)351552716085025155U, (uint64_t)10645315080955407736U, -+ (uint64_t)3609262091244858135U, (uint64_t)15760741698986874125U, -+ (uint64_t)14936374388219697827U, (uint64_t)15751360096993017895U, -+ (uint64_t)18012233706239762398U, (uint64_t)1993877568177495041U, -+ (uint64_t)10345888787846536528U, (uint64_t)7746511691117935375U, -+ (uint64_t)14517043990409914413U, (uint64_t)14122549297570634151U, -+ (uint64_t)16934610359517083771U, (uint64_t)5724511325497097418U, 
(uint64_t)8983432969107448705U, -+ (uint64_t)2687429970334080245U, (uint64_t)16525396802810050288U, (uint64_t)7602596488871585854U, -+ (uint64_t)4813919589149203084U, (uint64_t)7680395813780804519U, (uint64_t)6687709583048023590U, -+ (uint64_t)18086445169104142027U, (uint64_t)9637814708330203929U, -+ (uint64_t)14785108459960679090U, (uint64_t)3838023279095023581U, (uint64_t)3555615526157830307U, -+ (uint64_t)5177066488380472871U, (uint64_t)18218186719108038403U, -+ (uint64_t)16281556341699656105U, (uint64_t)1524227924561461191U, (uint64_t)4148060517641909597U, -+ (uint64_t)2858290374115363433U, (uint64_t)8942772026334130620U, (uint64_t)3034451298319885113U, -+ (uint64_t)8447866036736640940U, (uint64_t)11204933433076256578U, -+ (uint64_t)18333595740249588297U, (uint64_t)8259597024804538246U, (uint64_t)9539734295777539786U, -+ (uint64_t)9797290423046626413U, (uint64_t)5777303437849646537U, (uint64_t)8739356909899132020U, -+ (uint64_t)14815960973766782158U, (uint64_t)15286581798204509801U, -+ (uint64_t)17597362577777019682U, (uint64_t)13259283710820519742U, -+ (uint64_t)10501322996899164670U, (uint64_t)1221138904338319642U, -+ (uint64_t)14586685489551951885U, (uint64_t)895326705426031212U, (uint64_t)14398171728560617847U, -+ (uint64_t)9592550823745097391U, (uint64_t)17240998489162206026U, (uint64_t)8085479283308189196U, -+ (uint64_t)14844657737893882826U, (uint64_t)15923425394150618234U, -+ (uint64_t)2997808084773249525U, (uint64_t)494323555453660587U, (uint64_t)1215695327517794764U, -+ (uint64_t)9476207381098391690U, (uint64_t)7480789678419122995U, (uint64_t)15212230329321082489U, -+ (uint64_t)436189395349576388U, (uint64_t)17377474396456660834U, (uint64_t)15237013929655017939U, -+ (uint64_t)11444428846883781676U, (uint64_t)5112749694521428575U, (uint64_t)950829367509872073U, -+ (uint64_t)17665036182057559519U, (uint64_t)17205133339690002313U, -+ (uint64_t)16233765170251334549U, (uint64_t)10122775683257972591U, -+ (uint64_t)3352514236455632420U, 
(uint64_t)9143148522359954691U, (uint64_t)601191684005658860U, -+ (uint64_t)13398772186646349998U, (uint64_t)15512696600132928431U, -+ (uint64_t)9128416073728948653U, (uint64_t)11233051033546138578U, (uint64_t)6769345682610122833U, -+ (uint64_t)10823233224575054288U, (uint64_t)9997725227559980175U, (uint64_t)6733425642852897415U, -+ (uint64_t)16302206918151466066U, (uint64_t)1669330822143265921U, (uint64_t)2661645605036546002U, -+ (uint64_t)17182558479745802165U, (uint64_t)1165082692376932040U, (uint64_t)9470595929011488359U, -+ (uint64_t)6142147329285324932U, (uint64_t)4829075085998111287U, (uint64_t)10231370681107338930U, -+ (uint64_t)9591876895322495239U, (uint64_t)10316468561384076618U, -+ (uint64_t)11592503647238064235U, (uint64_t)13395813606055179632U, (uint64_t)511127033980815508U, -+ (uint64_t)12434976573147649880U, (uint64_t)3425094795384359127U, (uint64_t)6816971736303023445U, -+ (uint64_t)15444670609021139344U, (uint64_t)9464349818322082360U, -+ (uint64_t)16178216413042376883U, (uint64_t)9595540370774317348U, (uint64_t)7229365182662875710U, -+ (uint64_t)4601177649460012843U, (uint64_t)5455046447382487090U, (uint64_t)10854066421606187521U, -+ (uint64_t)15913416821879788071U, (uint64_t)2297365362023460173U, (uint64_t)2603252216454941350U, -+ (uint64_t)6768791943870490934U, (uint64_t)15705936687122754810U, (uint64_t)9537096567546600694U, -+ (uint64_t)17580538144855035062U, (uint64_t)4496542856965746638U, (uint64_t)8444341625922124942U, -+ (uint64_t)12191263903636183168U, (uint64_t)17427332907535974165U, -+ (uint64_t)14307569739254103736U, (uint64_t)13900598742063266169U, -+ (uint64_t)7176996424355977650U, (uint64_t)5709008170379717479U, (uint64_t)14471312052264549092U, -+ (uint64_t)1464519909491759867U, (uint64_t)3328154641049602121U, (uint64_t)13020349337171136774U, -+ (uint64_t)2772166279972051938U, (uint64_t)10854476939425975292U, (uint64_t)1967189930534630940U, -+ (uint64_t)2802919076529341959U, (uint64_t)14792226094833519208U, -+ 
(uint64_t)14675640928566522177U, (uint64_t)14838974364643800837U, -+ (uint64_t)17631460696099549980U, (uint64_t)17434186275364935469U, -+ (uint64_t)2665648200587705473U, (uint64_t)13202122464492564051U, (uint64_t)7576287350918073341U, -+ (uint64_t)2272206013910186424U, (uint64_t)14558761641743937843U, (uint64_t)5675729149929979729U, -+ (uint64_t)9043135187561613166U, (uint64_t)11750149293830589225U, (uint64_t)740555197954307911U, -+ (uint64_t)9871738005087190699U, (uint64_t)17178667634283502053U, -+ (uint64_t)18046255991533013265U, (uint64_t)4458222096988430430U, (uint64_t)8452427758526311627U, -+ (uint64_t)13825286929656615266U, (uint64_t)13956286357198391218U, -+ (uint64_t)15875692916799995079U, (uint64_t)10634895319157013920U, -+ (uint64_t)13230116118036304207U, (uint64_t)8795317393614625606U, (uint64_t)7001710806858862020U, -+ (uint64_t)7949746088586183478U, (uint64_t)14677556044923602317U, -+ (uint64_t)11184023437485843904U, (uint64_t)11215864722023085094U, -+ (uint64_t)6444464081471519014U, (uint64_t)1706241174022415217U, (uint64_t)8243975633057550613U, -+ (uint64_t)15502902453836085864U, (uint64_t)3799182188594003953U, (uint64_t)3538840175098724094U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_g_pow2_64_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1499621593102562565U, -+ (uint64_t)16692369783039433128U, (uint64_t)15337520135922861848U, -+ (uint64_t)5455737214495366228U, (uint64_t)17827017231032529600U, -+ (uint64_t)12413621606240782649U, (uint64_t)2290483008028286132U, -+ (uint64_t)15752017553340844820U, (uint64_t)4846430910634234874U, -+ (uint64_t)10861682798464583253U, (uint64_t)15404737222404363049U, (uint64_t)363586619281562022U, -+ (uint64_t)9866710912401645115U, (uint64_t)1162548847543228595U, (uint64_t)7649967190445130486U, 
-+ (uint64_t)5212340432230915749U, (uint64_t)7572620550182916491U, (uint64_t)14876145112448665096U, -+ (uint64_t)2063227348838176167U, (uint64_t)3519435548295415847U, (uint64_t)8390400282019023103U, -+ (uint64_t)17666843593163037841U, (uint64_t)9450204148816496323U, (uint64_t)8483374507652916768U, -+ (uint64_t)6254661047265818424U, (uint64_t)16382127809582285023U, (uint64_t)125359443771153172U, -+ (uint64_t)1374336701588437897U, (uint64_t)11362596098420127726U, (uint64_t)2101654420738681387U, -+ (uint64_t)12772780342444840510U, (uint64_t)12546934328908550060U, -+ (uint64_t)8331880412333790397U, (uint64_t)11687262051473819904U, (uint64_t)8926848496503457587U, -+ (uint64_t)9603974142010467857U, (uint64_t)13199952163826973175U, (uint64_t)2189856264898797734U, -+ (uint64_t)11356074861870267226U, (uint64_t)2027714896422561895U, (uint64_t)5261606367808050149U, -+ (uint64_t)153855954337762312U, (uint64_t)6375919692894573986U, (uint64_t)12364041207536146533U, -+ (uint64_t)1891896010455057160U, (uint64_t)1568123795087313171U, (uint64_t)18138710056556660101U, -+ (uint64_t)6004886947510047736U, (uint64_t)4811859325589542932U, (uint64_t)3618763430148954981U, -+ (uint64_t)11434521746258554122U, (uint64_t)10086341535864049427U, -+ (uint64_t)8073421629570399570U, (uint64_t)12680586148814729338U, (uint64_t)9619958020761569612U, -+ (uint64_t)15827203580658384478U, (uint64_t)12832694810937550406U, -+ (uint64_t)14977975484447400910U, (uint64_t)5478002389061063653U, -+ (uint64_t)14731136312639060880U, (uint64_t)4317867687275472033U, (uint64_t)6642650962855259884U, -+ (uint64_t)2514254944289495285U, (uint64_t)14231405641534478436U, (uint64_t)4045448346091518946U, -+ (uint64_t)8985477013445972471U, (uint64_t)8869039454457032149U, (uint64_t)4356978486208692970U, -+ (uint64_t)10805288613335538577U, (uint64_t)12832353127812502042U, -+ (uint64_t)4576590051676547490U, (uint64_t)6728053735138655107U, (uint64_t)17814206719173206184U, -+ (uint64_t)79790138573994940U, 
(uint64_t)17920293215101822267U, (uint64_t)13422026625585728864U, -+ (uint64_t)5018058010492547271U, (uint64_t)110232326023384102U, (uint64_t)10834264070056942976U, -+ (uint64_t)15222249086119088588U, (uint64_t)15119439519142044997U, -+ (uint64_t)11655511970063167313U, (uint64_t)1614477029450566107U, (uint64_t)3619322817271059794U, -+ (uint64_t)9352862040415412867U, (uint64_t)14017522553242747074U, -+ (uint64_t)13138513643674040327U, (uint64_t)3610195242889455765U, (uint64_t)8371069193996567291U, -+ (uint64_t)12670227996544662654U, (uint64_t)1205961025092146303U, -+ (uint64_t)13106709934003962112U, (uint64_t)4350113471327723407U, -+ (uint64_t)15060941403739680459U, (uint64_t)13639127647823205030U, -+ (uint64_t)10790943339357725715U, (uint64_t)498760574280648264U, (uint64_t)17922071907832082887U, -+ (uint64_t)15122670976670152145U, (uint64_t)6275027991110214322U, (uint64_t)7250912847491816402U, -+ (uint64_t)15206617260142982380U, (uint64_t)3385668313694152877U, -+ (uint64_t)17522479771766801905U, (uint64_t)2965919117476170655U, (uint64_t)1553238516603269404U, -+ (uint64_t)5820770015631050991U, (uint64_t)4999445222232605348U, (uint64_t)9245650860833717444U, -+ (uint64_t)1508811811724230728U, (uint64_t)5190684913765614385U, (uint64_t)15692927070934536166U, -+ (uint64_t)12981978499190500902U, (uint64_t)5143491963193394698U, (uint64_t)7705698092144084129U, -+ (uint64_t)581120653055084783U, (uint64_t)13886552864486459714U, (uint64_t)6290301270652587255U, -+ (uint64_t)8663431529954393128U, (uint64_t)17033405846475472443U, (uint64_t)5206780355442651635U, -+ (uint64_t)12580364474736467688U, (uint64_t)17934601912005283310U, -+ (uint64_t)15119491731028933652U, (uint64_t)17848231399859044858U, -+ (uint64_t)4427673319524919329U, (uint64_t)2673607337074368008U, (uint64_t)14034876464294699949U, -+ (uint64_t)10938948975420813697U, (uint64_t)15202340615298669183U, -+ (uint64_t)5496603454069431071U, (uint64_t)2486526142064906845U, (uint64_t)4507882119510526802U, -+ 
(uint64_t)13888151172411390059U, (uint64_t)15049027856908071726U, -+ (uint64_t)9667231543181973158U, (uint64_t)6406671575277563202U, (uint64_t)3395801050331215139U, -+ (uint64_t)9813607433539108308U, (uint64_t)2681417728820980381U, (uint64_t)18407064643927113994U, -+ (uint64_t)7707177692113485527U, (uint64_t)14218149384635317074U, (uint64_t)3658668346206375919U, -+ (uint64_t)15404713991002362166U, (uint64_t)10152074687696195207U, -+ (uint64_t)10926946599582128139U, (uint64_t)16907298600007085320U, -+ (uint64_t)16544287219664720279U, (uint64_t)11007075933432813205U, -+ (uint64_t)8652245965145713599U, (uint64_t)7857626748965990384U, (uint64_t)5602306604520095870U, -+ (uint64_t)2525139243938658618U, (uint64_t)14405696176872077447U, -+ (uint64_t)18432270482137885332U, (uint64_t)9913880809120071177U, -+ (uint64_t)16896141737831216972U, (uint64_t)7484791498211214829U, -+ (uint64_t)15635259968266497469U, (uint64_t)8495118537612215624U, (uint64_t)4915477980562575356U, -+ (uint64_t)16453519279754924350U, (uint64_t)14462108244565406969U, -+ (uint64_t)14837837755237096687U, (uint64_t)14130171078892575346U, -+ (uint64_t)15423793222528491497U, (uint64_t)5460399262075036084U, -+ (uint64_t)16085440580308415349U, (uint64_t)26873200736954488U, (uint64_t)5603655807457499550U, -+ (uint64_t)3342202915871129617U, (uint64_t)1604413932150236626U, (uint64_t)9684226585089458974U, -+ (uint64_t)1213229904006618539U, (uint64_t)6782978662408837236U, (uint64_t)11197029877749307372U, -+ (uint64_t)14085968786551657744U, (uint64_t)17352273610494009342U, -+ (uint64_t)7876582961192434984U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_g_pow2_128_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)14619254753077084366U, -+ (uint64_t)13913835116514008593U, 
(uint64_t)15060744674088488145U, -+ (uint64_t)17668414598203068685U, (uint64_t)10761169236902342334U, -+ (uint64_t)15467027479157446221U, (uint64_t)14989185522423469618U, -+ (uint64_t)14354539272510107003U, (uint64_t)14298211796392133693U, -+ (uint64_t)13270323784253711450U, (uint64_t)13380964971965046957U, -+ (uint64_t)8686204248456909699U, (uint64_t)17434630286744937066U, (uint64_t)1355903775279084720U, -+ (uint64_t)7554695053550308662U, (uint64_t)11354971222741863570U, (uint64_t)564601613420749879U, -+ (uint64_t)8466325837259054896U, (uint64_t)10752965181772434263U, -+ (uint64_t)11405876547368426319U, (uint64_t)13791894568738930940U, -+ (uint64_t)8230587134406354675U, (uint64_t)12415514098722758608U, -+ (uint64_t)18414183046995786744U, (uint64_t)15508000368227372870U, -+ (uint64_t)5781062464627999307U, (uint64_t)15339429052219195590U, -+ (uint64_t)16038703753810741903U, (uint64_t)9587718938298980714U, (uint64_t)4822658817952386407U, -+ (uint64_t)1376351024833260660U, (uint64_t)1120174910554766702U, (uint64_t)1730170933262569274U, -+ (uint64_t)5187428548444533500U, (uint64_t)16242053503368957131U, (uint64_t)3036811119519868279U, -+ (uint64_t)1760267587958926638U, (uint64_t)170244572981065185U, (uint64_t)8063080791967388171U, -+ (uint64_t)4824892826607692737U, (uint64_t)16286391083472040552U, -+ (uint64_t)11945158615253358747U, (uint64_t)14096887760410224200U, -+ (uint64_t)1613720831904557039U, (uint64_t)14316966673761197523U, -+ (uint64_t)17411006201485445341U, (uint64_t)8112301506943158801U, (uint64_t)2069889233927989984U, -+ (uint64_t)10082848378277483927U, (uint64_t)3609691194454404430U, (uint64_t)6110437205371933689U, -+ (uint64_t)9769135977342231601U, (uint64_t)11977962151783386478U, -+ (uint64_t)18088718692559983573U, (uint64_t)11741637975753055U, (uint64_t)11110390325701582190U, -+ (uint64_t)1341402251566067019U, (uint64_t)3028229550849726478U, (uint64_t)10438984083997451310U, -+ (uint64_t)12730851885100145709U, (uint64_t)11524169532089894189U, -+ 
(uint64_t)4523375903229602674U, (uint64_t)2028602258037385622U, (uint64_t)17082839063089388410U, -+ (uint64_t)6103921364634113167U, (uint64_t)17066180888225306102U, -+ (uint64_t)11395680486707876195U, (uint64_t)10952892272443345484U, -+ (uint64_t)8792831960605859401U, (uint64_t)14194485427742325139U, -+ (uint64_t)15146020821144305250U, (uint64_t)1654766014957123343U, (uint64_t)7955526243090948551U, -+ (uint64_t)3989277566080493308U, (uint64_t)12229385116397931231U, -+ (uint64_t)13430548930727025562U, (uint64_t)3434892688179800602U, (uint64_t)8431998794645622027U, -+ (uint64_t)12132530981596299272U, (uint64_t)2289461608863966999U, -+ (uint64_t)18345870950201487179U, (uint64_t)13517947207801901576U, -+ (uint64_t)5213113244172561159U, (uint64_t)17632986594098340879U, (uint64_t)4405251818133148856U, -+ (uint64_t)11783009269435447793U, (uint64_t)9332138983770046035U, -+ (uint64_t)12863411548922539505U, (uint64_t)3717030292816178224U, -+ (uint64_t)10026078446427137374U, (uint64_t)11167295326594317220U, -+ (uint64_t)12425328773141588668U, (uint64_t)5760335125172049352U, (uint64_t)9016843701117277863U, -+ (uint64_t)5657892835694680172U, (uint64_t)11025130589305387464U, (uint64_t)1368484957977406173U, -+ (uint64_t)17361351345281258834U, (uint64_t)1907113641956152700U, -+ (uint64_t)16439233413531427752U, (uint64_t)5893322296986588932U, -+ (uint64_t)14000206906171746627U, (uint64_t)14979266987545792900U, -+ (uint64_t)6926291766898221120U, (uint64_t)7162023296083360752U, (uint64_t)14762747553625382529U, -+ (uint64_t)12610831658612406849U, (uint64_t)10462926899548715515U, -+ (uint64_t)4794017723140405312U, (uint64_t)5234438200490163319U, (uint64_t)8019519110339576320U, -+ (uint64_t)7194604241290530100U, (uint64_t)12626770134810813246U, -+ (uint64_t)10793074474236419890U, (uint64_t)11323224347913978783U, -+ (uint64_t)16831128015895380245U, (uint64_t)18323094195124693378U, -+ (uint64_t)2361097165281567692U, (uint64_t)15755578675014279498U, -+ (uint64_t)14289876470325854580U, 
(uint64_t)12856787656093616839U, -+ (uint64_t)3578928531243900594U, (uint64_t)3847532758790503699U, (uint64_t)8377953190224748743U, -+ (uint64_t)3314546646092744596U, (uint64_t)800810188859334358U, (uint64_t)4626344124229343596U, -+ (uint64_t)6620381605850876621U, (uint64_t)11422073570955989527U, -+ (uint64_t)12676813626484814469U, (uint64_t)16725029886764122240U, -+ (uint64_t)16648497372773830008U, (uint64_t)9135702594931291048U, -+ (uint64_t)16080949688826680333U, (uint64_t)11528096561346602947U, -+ (uint64_t)2632498067099740984U, (uint64_t)11583842699108800714U, (uint64_t)8378404864573610526U, -+ (uint64_t)1076560261627788534U, (uint64_t)13836015994325032828U, -+ (uint64_t)11234295937817067909U, (uint64_t)5893659808396722708U, -+ (uint64_t)11277421142886984364U, (uint64_t)8968549037166726491U, -+ (uint64_t)14841374331394032822U, (uint64_t)9967344773947889341U, (uint64_t)8799244393578496085U, -+ (uint64_t)5094686877301601410U, (uint64_t)8780316747074726862U, (uint64_t)9119697306829835718U, -+ (uint64_t)15381243327921855368U, (uint64_t)2686250164449435196U, -+ (uint64_t)16466917280442198358U, (uint64_t)13791704489163125216U, -+ (uint64_t)16955859337117924272U, (uint64_t)17112836394923783642U, -+ (uint64_t)4639176427338618063U, (uint64_t)16770029310141094964U, -+ (uint64_t)11049953922966416185U, (uint64_t)12012669590884098968U, -+ (uint64_t)4859326885929417214U, (uint64_t)896380084392586061U, (uint64_t)7153028362977034008U, -+ (uint64_t)10540021163316263301U, (uint64_t)9318277998512936585U, -+ (uint64_t)18344496977694796523U, (uint64_t)11374737400567645494U, -+ (uint64_t)17158800051138212954U, (uint64_t)18343197867863253153U, -+ (uint64_t)18204799297967861226U, (uint64_t)15798973531606348828U, -+ (uint64_t)9870158263408310459U, (uint64_t)17578869832774612627U, (uint64_t)8395748875822696932U, -+ (uint64_t)15310679007370670872U, (uint64_t)11205576736030808860U, -+ (uint64_t)10123429210002838967U, (uint64_t)5910544144088393959U, -+ (uint64_t)14016615653353687369U, 
(uint64_t)11191676704772957822U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_g_pow2_192_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)7870395003430845958U, -+ (uint64_t)18001862936410067720U, (uint64_t)8006461232116967215U, (uint64_t)5921313779532424762U, -+ (uint64_t)10702113371959864307U, (uint64_t)8070517410642379879U, (uint64_t)7139806720777708306U, -+ (uint64_t)8253938546650739833U, (uint64_t)17490482834545705718U, (uint64_t)1065249776797037500U, -+ (uint64_t)5018258455937968775U, (uint64_t)14100621120178668337U, (uint64_t)8392845221328116213U, -+ (uint64_t)14630296398338540788U, (uint64_t)4268947906723414372U, (uint64_t)9231207002243517909U, -+ (uint64_t)14261219637616504262U, (uint64_t)7786881626982345356U, -+ (uint64_t)11412720751765882139U, (uint64_t)14119585051365330009U, -+ (uint64_t)15281626286521302128U, (uint64_t)6350171933454266732U, -+ (uint64_t)16559468304937127866U, (uint64_t)13200760478271693417U, -+ (uint64_t)6733381546280350776U, (uint64_t)3801404890075189193U, (uint64_t)2741036364686993903U, -+ (uint64_t)3218612940540174008U, (uint64_t)10894914335165419505U, -+ (uint64_t)11862941430149998362U, (uint64_t)4223151729402839584U, (uint64_t)2913215088487087887U, -+ (uint64_t)14562168920104952953U, (uint64_t)2170089393468287453U, -+ (uint64_t)10520900655016579352U, (uint64_t)7040362608949989273U, (uint64_t)8376510559381705307U, -+ (uint64_t)9142237200448131532U, (uint64_t)5696859948123854080U, (uint64_t)925422306716081180U, -+ (uint64_t)11155545953469186421U, (uint64_t)1888208646862572812U, -+ (uint64_t)11151095998248845721U, (uint64_t)15793503271680275267U, -+ (uint64_t)7729877044494854851U, (uint64_t)6235134673193032913U, (uint64_t)7364280682182401564U, -+ (uint64_t)5479679373325519985U, (uint64_t)17966037684582301763U, -+ 
(uint64_t)14140891609330279185U, (uint64_t)5814744449740463867U, (uint64_t)5652588426712591652U, -+ (uint64_t)774745682988690912U, (uint64_t)13228255573220500373U, (uint64_t)11949122068786859397U, -+ (uint64_t)8021166392900770376U, (uint64_t)7994323710948720063U, (uint64_t)9924618472877849977U, -+ (uint64_t)17618517523141194266U, (uint64_t)2750424097794401714U, -+ (uint64_t)15481749570715253207U, (uint64_t)14646964509921760497U, -+ (uint64_t)1037442848094301355U, (uint64_t)6295995947389299132U, (uint64_t)16915049722317579514U, -+ (uint64_t)10493877400992990313U, (uint64_t)18391008753060553521U, (uint64_t)483942209623707598U, -+ (uint64_t)2017775662838016613U, (uint64_t)5933251998459363553U, (uint64_t)11789135019970707407U, -+ (uint64_t)5484123723153268336U, (uint64_t)13246954648848484954U, (uint64_t)4774374393926023505U, -+ (uint64_t)14863995618704457336U, (uint64_t)13220153167104973625U, -+ (uint64_t)5988445485312390826U, (uint64_t)17580359464028944682U, (uint64_t)7297100131969874771U, -+ (uint64_t)379931507867989375U, (uint64_t)10927113096513421444U, (uint64_t)17688881974428340857U, -+ (uint64_t)4259872578781463333U, (uint64_t)8573076295966784472U, (uint64_t)16389829450727275032U, -+ (uint64_t)1667243868963568259U, (uint64_t)17730726848925960919U, -+ (uint64_t)11408899874569778008U, (uint64_t)3576527582023272268U, -+ (uint64_t)16492920640224231656U, (uint64_t)7906130545972460130U, -+ (uint64_t)13878604278207681266U, (uint64_t)41446695125652041U, (uint64_t)8891615271337333503U, -+ (uint64_t)2594537723613594470U, (uint64_t)7699579176995770924U, (uint64_t)147458463055730655U, -+ (uint64_t)12120406862739088406U, (uint64_t)12044892493010567063U, -+ (uint64_t)8554076749615475136U, (uint64_t)1005097692260929999U, (uint64_t)2687202654471188715U, -+ (uint64_t)9457588752176879209U, (uint64_t)17472884880062444019U, (uint64_t)9792097892056020166U, -+ (uint64_t)2525246678512797150U, (uint64_t)15958903035313115662U, -+ (uint64_t)11336038170342247032U, 
(uint64_t)11560342382835141123U, -+ (uint64_t)6212009033479929024U, (uint64_t)8214308203775021229U, (uint64_t)8475469210070503698U, -+ (uint64_t)13287024123485719563U, (uint64_t)12956951963817520723U, -+ (uint64_t)10693035819908470465U, (uint64_t)11375478788224786725U, -+ (uint64_t)16934625208487120398U, (uint64_t)10094585729115874495U, -+ (uint64_t)2763884524395905776U, (uint64_t)13535890148969964883U, -+ (uint64_t)13514657411765064358U, (uint64_t)9903074440788027562U, -+ (uint64_t)17324720726421199990U, (uint64_t)2273931039117368789U, (uint64_t)3442641041506157854U, -+ (uint64_t)1119853641236409612U, (uint64_t)12037070344296077989U, (uint64_t)581736433335671746U, -+ (uint64_t)6019150647054369174U, (uint64_t)14864096138068789375U, (uint64_t)6652995210998318662U, -+ (uint64_t)12773883697029175304U, (uint64_t)12751275631451845119U, -+ (uint64_t)11449095003038250478U, (uint64_t)1025805267334366480U, (uint64_t)2764432500300815015U, -+ (uint64_t)18274564429002844381U, (uint64_t)10445634195592600351U, -+ (uint64_t)11814099592837202735U, (uint64_t)5006796893679120289U, (uint64_t)6908397253997261914U, -+ (uint64_t)13266696965302879279U, (uint64_t)7768715053015037430U, (uint64_t)3569923738654785686U, -+ (uint64_t)5844853453464857549U, (uint64_t)1837340805629559110U, (uint64_t)1034657624388283114U, -+ (uint64_t)711244516069456460U, (uint64_t)12519286026957934814U, (uint64_t)2613464944620837619U, -+ (uint64_t)10003023321338286213U, (uint64_t)7291332092642881376U, (uint64_t)9832199564117004897U, -+ (uint64_t)3280736694860799890U, (uint64_t)6416452202849179874U, (uint64_t)7326961381798642069U, -+ (uint64_t)8435688798040635029U, (uint64_t)16630141263910982958U, -+ (uint64_t)17222635514422533318U, (uint64_t)9482787389178881499U, (uint64_t)836561194658263905U, -+ (uint64_t)3405319043337616649U, (uint64_t)2786146577568026518U, (uint64_t)7625483685691626321U, -+ (uint64_t)6728084875304656716U, (uint64_t)1140997959232544268U, (uint64_t)12847384827606303792U, -+ 
(uint64_t)1719121337754572070U, (uint64_t)12863589482936438532U, (uint64_t)3880712899640530862U, -+ (uint64_t)2748456882813671564U, (uint64_t)4775988900044623019U, (uint64_t)8937847374382191162U, -+ (uint64_t)3767367347172252295U, (uint64_t)13468672401049388646U, -+ (uint64_t)14359032216842397576U, (uint64_t)2002555958685443975U, -+ (uint64_t)16488678606651526810U, (uint64_t)11826135409597474760U, -+ (uint64_t)15296495673182508601U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_basepoint_table_w5[384U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)8784043285714375740U, -+ (uint64_t)8483257759279461889U, (uint64_t)8789745728267363600U, (uint64_t)1770019616739251654U, -+ (uint64_t)15992936863339206154U, (uint64_t)10037038012062884956U, -+ (uint64_t)15197544864945402661U, (uint64_t)9615747158586711429U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)10634854829044225757U, (uint64_t)351552716085025155U, (uint64_t)10645315080955407736U, -+ (uint64_t)3609262091244858135U, (uint64_t)15760741698986874125U, -+ (uint64_t)14936374388219697827U, (uint64_t)15751360096993017895U, -+ (uint64_t)18012233706239762398U, (uint64_t)1993877568177495041U, -+ (uint64_t)10345888787846536528U, (uint64_t)7746511691117935375U, -+ (uint64_t)14517043990409914413U, (uint64_t)14122549297570634151U, -+ (uint64_t)16934610359517083771U, (uint64_t)5724511325497097418U, (uint64_t)8983432969107448705U, -+ (uint64_t)2687429970334080245U, (uint64_t)16525396802810050288U, (uint64_t)7602596488871585854U, -+ (uint64_t)4813919589149203084U, (uint64_t)7680395813780804519U, (uint64_t)6687709583048023590U, -+ (uint64_t)18086445169104142027U, (uint64_t)9637814708330203929U, -+ (uint64_t)14785108459960679090U, 
(uint64_t)3838023279095023581U, (uint64_t)3555615526157830307U, -+ (uint64_t)5177066488380472871U, (uint64_t)18218186719108038403U, -+ (uint64_t)16281556341699656105U, (uint64_t)1524227924561461191U, (uint64_t)4148060517641909597U, -+ (uint64_t)2858290374115363433U, (uint64_t)8942772026334130620U, (uint64_t)3034451298319885113U, -+ (uint64_t)8447866036736640940U, (uint64_t)11204933433076256578U, -+ (uint64_t)18333595740249588297U, (uint64_t)8259597024804538246U, (uint64_t)9539734295777539786U, -+ (uint64_t)9797290423046626413U, (uint64_t)5777303437849646537U, (uint64_t)8739356909899132020U, -+ (uint64_t)14815960973766782158U, (uint64_t)15286581798204509801U, -+ (uint64_t)17597362577777019682U, (uint64_t)13259283710820519742U, -+ (uint64_t)10501322996899164670U, (uint64_t)1221138904338319642U, -+ (uint64_t)14586685489551951885U, (uint64_t)895326705426031212U, (uint64_t)14398171728560617847U, -+ (uint64_t)9592550823745097391U, (uint64_t)17240998489162206026U, (uint64_t)8085479283308189196U, -+ (uint64_t)14844657737893882826U, (uint64_t)15923425394150618234U, -+ (uint64_t)2997808084773249525U, (uint64_t)494323555453660587U, (uint64_t)1215695327517794764U, -+ (uint64_t)9476207381098391690U, (uint64_t)7480789678419122995U, (uint64_t)15212230329321082489U, -+ (uint64_t)436189395349576388U, (uint64_t)17377474396456660834U, (uint64_t)15237013929655017939U, -+ (uint64_t)11444428846883781676U, (uint64_t)5112749694521428575U, (uint64_t)950829367509872073U, -+ (uint64_t)17665036182057559519U, (uint64_t)17205133339690002313U, -+ (uint64_t)16233765170251334549U, (uint64_t)10122775683257972591U, -+ (uint64_t)3352514236455632420U, (uint64_t)9143148522359954691U, (uint64_t)601191684005658860U, -+ (uint64_t)13398772186646349998U, (uint64_t)15512696600132928431U, -+ (uint64_t)9128416073728948653U, (uint64_t)11233051033546138578U, (uint64_t)6769345682610122833U, -+ (uint64_t)10823233224575054288U, (uint64_t)9997725227559980175U, (uint64_t)6733425642852897415U, -+ 
(uint64_t)16302206918151466066U, (uint64_t)1669330822143265921U, (uint64_t)2661645605036546002U, -+ (uint64_t)17182558479745802165U, (uint64_t)1165082692376932040U, (uint64_t)9470595929011488359U, -+ (uint64_t)6142147329285324932U, (uint64_t)4829075085998111287U, (uint64_t)10231370681107338930U, -+ (uint64_t)9591876895322495239U, (uint64_t)10316468561384076618U, -+ (uint64_t)11592503647238064235U, (uint64_t)13395813606055179632U, (uint64_t)511127033980815508U, -+ (uint64_t)12434976573147649880U, (uint64_t)3425094795384359127U, (uint64_t)6816971736303023445U, -+ (uint64_t)15444670609021139344U, (uint64_t)9464349818322082360U, -+ (uint64_t)16178216413042376883U, (uint64_t)9595540370774317348U, (uint64_t)7229365182662875710U, -+ (uint64_t)4601177649460012843U, (uint64_t)5455046447382487090U, (uint64_t)10854066421606187521U, -+ (uint64_t)15913416821879788071U, (uint64_t)2297365362023460173U, (uint64_t)2603252216454941350U, -+ (uint64_t)6768791943870490934U, (uint64_t)15705936687122754810U, (uint64_t)9537096567546600694U, -+ (uint64_t)17580538144855035062U, (uint64_t)4496542856965746638U, (uint64_t)8444341625922124942U, -+ (uint64_t)12191263903636183168U, (uint64_t)17427332907535974165U, -+ (uint64_t)14307569739254103736U, (uint64_t)13900598742063266169U, -+ (uint64_t)7176996424355977650U, (uint64_t)5709008170379717479U, (uint64_t)14471312052264549092U, -+ (uint64_t)1464519909491759867U, (uint64_t)3328154641049602121U, (uint64_t)13020349337171136774U, -+ (uint64_t)2772166279972051938U, (uint64_t)10854476939425975292U, (uint64_t)1967189930534630940U, -+ (uint64_t)2802919076529341959U, (uint64_t)14792226094833519208U, -+ (uint64_t)14675640928566522177U, (uint64_t)14838974364643800837U, -+ (uint64_t)17631460696099549980U, (uint64_t)17434186275364935469U, -+ (uint64_t)2665648200587705473U, (uint64_t)13202122464492564051U, (uint64_t)7576287350918073341U, -+ (uint64_t)2272206013910186424U, (uint64_t)14558761641743937843U, (uint64_t)5675729149929979729U, -+ 
(uint64_t)9043135187561613166U, (uint64_t)11750149293830589225U, (uint64_t)740555197954307911U, -+ (uint64_t)9871738005087190699U, (uint64_t)17178667634283502053U, -+ (uint64_t)18046255991533013265U, (uint64_t)4458222096988430430U, (uint64_t)8452427758526311627U, -+ (uint64_t)13825286929656615266U, (uint64_t)13956286357198391218U, -+ (uint64_t)15875692916799995079U, (uint64_t)10634895319157013920U, -+ (uint64_t)13230116118036304207U, (uint64_t)8795317393614625606U, (uint64_t)7001710806858862020U, -+ (uint64_t)7949746088586183478U, (uint64_t)14677556044923602317U, -+ (uint64_t)11184023437485843904U, (uint64_t)11215864722023085094U, -+ (uint64_t)6444464081471519014U, (uint64_t)1706241174022415217U, (uint64_t)8243975633057550613U, -+ (uint64_t)15502902453836085864U, (uint64_t)3799182188594003953U, (uint64_t)3538840175098724094U, -+ (uint64_t)13240193491554624643U, (uint64_t)12365034249541329920U, -+ (uint64_t)2924326828590977357U, (uint64_t)5687195797140589099U, (uint64_t)16880427227292834531U, -+ (uint64_t)9691471435758991112U, (uint64_t)16642385273732487288U, -+ (uint64_t)12173806747523009914U, (uint64_t)13142722756877876849U, -+ (uint64_t)8370377548305121979U, (uint64_t)17988526053752025426U, (uint64_t)4818750752684100334U, -+ (uint64_t)5669241919350361655U, (uint64_t)4964810303238518540U, (uint64_t)16709712747671533191U, -+ (uint64_t)4461414404267448242U, (uint64_t)3971798785139504238U, (uint64_t)6276818948740422136U, -+ (uint64_t)1426735892164275762U, (uint64_t)7943622674892418919U, (uint64_t)9864274225563929680U, -+ (uint64_t)57815533745003233U, (uint64_t)10893588105168960233U, (uint64_t)15739162732907069535U, -+ (uint64_t)3923866849462073470U, (uint64_t)12279826158399226875U, (uint64_t)1533015761334846582U, -+ (uint64_t)15860156818568437510U, (uint64_t)8252625373831297988U, (uint64_t)9666953804812706358U, -+ (uint64_t)8767785238646914634U, (uint64_t)14382179044941403551U, -+ (uint64_t)10401039907264254245U, (uint64_t)8584860003763157350U, 
(uint64_t)3120462679504470266U, -+ (uint64_t)8670255778748340069U, (uint64_t)5313789577940369984U, (uint64_t)16977072364454789224U, -+ (uint64_t)12199578693972188324U, (uint64_t)18211098771672599237U, -+ (uint64_t)12868831556008795030U, (uint64_t)5310155061431048194U, -+ (uint64_t)18114153238435112606U, (uint64_t)14482365809278304512U, -+ (uint64_t)12520721662723001511U, (uint64_t)405943624021143002U, (uint64_t)8146944101507657423U, -+ (uint64_t)181739317780393495U, (uint64_t)81743892273670099U, (uint64_t)14759561962550473930U, -+ (uint64_t)4592623849546992939U, (uint64_t)6916440441743449719U, (uint64_t)1304610503530809833U, -+ (uint64_t)5464930909232486441U, (uint64_t)15414883617496224671U, (uint64_t)8129283345256790U, -+ (uint64_t)18294252198413739489U, (uint64_t)17394115281884857288U, -+ (uint64_t)7808348415224731235U, (uint64_t)13195566655747230608U, (uint64_t)8568194219353949094U, -+ (uint64_t)15329813048672122440U, (uint64_t)9604275495885785744U, (uint64_t)1577712551205219835U, -+ (uint64_t)15964209008022052790U, (uint64_t)15087297920782098160U, -+ (uint64_t)3946031512438511898U, (uint64_t)10050061168984440631U, -+ (uint64_t)11382452014533138316U, (uint64_t)6313670788911952792U, -+ (uint64_t)12015989229696164014U, (uint64_t)5946702628076168852U, (uint64_t)5219995658774362841U, -+ (uint64_t)12230141881068377972U, (uint64_t)12361195202673441956U, -+ (uint64_t)4732862275653856711U, (uint64_t)17221430380805252370U, -+ (uint64_t)15397525953897375810U, (uint64_t)16557437297239563045U, -+ (uint64_t)10101683801868971351U, (uint64_t)1402611372245592868U, (uint64_t)1931806383735563658U, -+ (uint64_t)10991705207471512479U, (uint64_t)861333583207471392U, (uint64_t)15207766844626322355U, -+ (uint64_t)9224628129811432393U, (uint64_t)3497069567089055613U, (uint64_t)11956632757898590316U, -+ (uint64_t)8733729372586312960U, (uint64_t)18091521051714930927U, (uint64_t)77582787724373283U, -+ (uint64_t)9922437373519669237U, (uint64_t)3079321456325704615U, 
(uint64_t)12171198408512478457U, -+ (uint64_t)17179130884012147596U, (uint64_t)6839115479620367181U, (uint64_t)4421032569964105406U, -+ (uint64_t)10353331468657256053U, (uint64_t)17400988720335968824U, -+ (uint64_t)17138855889417480540U, (uint64_t)4507980080381370611U, -+ (uint64_t)10703175719793781886U, (uint64_t)12598516658725890426U, -+ (uint64_t)8353463412173898932U, (uint64_t)17703029389228422404U, (uint64_t)9313111267107226233U, -+ (uint64_t)5441322942995154196U, (uint64_t)8952817660034465484U, (uint64_t)17571113341183703118U, -+ (uint64_t)7375087953801067019U, (uint64_t)13381466302076453648U, (uint64_t)3218165271423914596U, -+ (uint64_t)16956372157249382685U, (uint64_t)509080090049418841U, (uint64_t)13374233893294084913U, -+ (uint64_t)2988537624204297086U, (uint64_t)4979195832939384620U, (uint64_t)3803931594068976394U, -+ (uint64_t)10731535883829627646U, (uint64_t)12954845047607194278U, -+ (uint64_t)10494298062560667399U, (uint64_t)4967351022190213065U, -+ (uint64_t)13391917938145756456U, (uint64_t)951370484866918160U, (uint64_t)13531334179067685307U, -+ (uint64_t)12868421357919390599U, (uint64_t)15918857042998130258U, -+ (uint64_t)17769743831936974016U, (uint64_t)7137921979260368809U, -+ (uint64_t)12461369180685892062U, (uint64_t)827476514081935199U, (uint64_t)15107282134224767230U, -+ (uint64_t)10084765752802805748U, (uint64_t)3303739059392464407U, -+ (uint64_t)17859532612136591428U, (uint64_t)10949414770405040164U, -+ (uint64_t)12838613589371008785U, (uint64_t)5554397169231540728U, -+ (uint64_t)18375114572169624408U, (uint64_t)15649286703242390139U, -+ (uint64_t)2957281557463706877U, (uint64_t)14000350446219393213U, -+ (uint64_t)14355199721749620351U, (uint64_t)2730856240099299695U, -+ (uint64_t)17528131000714705752U, (uint64_t)2537498525883536360U, (uint64_t)6121058967084509393U, -+ (uint64_t)16897667060435514221U, (uint64_t)12367869599571112440U, -+ (uint64_t)3388831797050807508U, (uint64_t)16791449724090982798U, (uint64_t)2673426123453294928U, -+ 
(uint64_t)11369313542384405846U, (uint64_t)15641960333586432634U, -+ (uint64_t)15080962589658958379U, (uint64_t)7747943772340226569U, (uint64_t)8075023376199159152U, -+ (uint64_t)8485093027378306528U, (uint64_t)13503706844122243648U, (uint64_t)8401961362938086226U, -+ (uint64_t)8125426002124226402U, (uint64_t)9005399361407785203U, (uint64_t)6847968030066906634U, -+ (uint64_t)11934937736309295197U, (uint64_t)5116750888594772351U, (uint64_t)2817039227179245227U, -+ (uint64_t)17724206901239332980U, (uint64_t)4985702708254058578U, (uint64_t)5786345435756642871U, -+ (uint64_t)17772527414940936938U, (uint64_t)1201320251272957006U, -+ (uint64_t)15787430120324348129U, (uint64_t)6305488781359965661U, -+ (uint64_t)12423900845502858433U, (uint64_t)17485949424202277720U, -+ (uint64_t)2062237315546855852U, (uint64_t)10353639467860902375U, (uint64_t)2315398490451287299U, -+ (uint64_t)15394572894814882621U, (uint64_t)232866113801165640U, (uint64_t)7413443736109338926U, -+ (uint64_t)902719806551551191U, (uint64_t)16568853118619045174U, (uint64_t)14202214862428279177U, -+ (uint64_t)11719595395278861192U, (uint64_t)5890053236389907647U, (uint64_t)9996196494965833627U, -+ (uint64_t)12967056942364782577U, (uint64_t)9034128755157395787U, -+ (uint64_t)17898204904710512655U, (uint64_t)8229373445062993977U, -+ (uint64_t)13580036169519833644U -+ }; -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __internal_Hacl_P256_PrecompTable_H_DEFINED -+#endif -diff -up ./lib/freebl/verified/internal/lib_intrinsics.h.p256 ./lib/freebl/verified/internal/lib_intrinsics.h ---- ./lib/freebl/verified/internal/lib_intrinsics.h.p256 2024-01-09 11:25:43.803382195 -0800 -+++ ./lib/freebl/verified/internal/lib_intrinsics.h 2024-01-09 11:25:43.803382195 -0800 -@@ -0,0 +1,81 @@ -+#pragma once -+ -+#include -+ -+#if defined(__has_include) -+#if __has_include("config.h") -+#include "config.h" -+#endif -+#endif -+ -+#if !defined(HACL_CAN_COMPILE_INTRINSICS) || \ -+ (defined(__clang__) && (__clang_major__ < 
5)) -+ -+#include "Hacl_IntTypes_Intrinsics.h" -+ -+#if defined(HACL_CAN_COMPILE_UINT128) -+ -+#include "Hacl_IntTypes_Intrinsics_128.h" -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_128_add_carry_u64(x1, x2, x3, x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(x1, x2, x3, x4)) -+ -+#else -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4)) -+ -+#endif // defined(HACL_CAN_COMPILE_UINT128) -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4)) -+ -+#else // !defined(HACL_CAN_COMPILE_INTRINSICS) -+ -+#if defined(_MSC_VER) -+#include -+#else -+#include -+#endif -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \ -+ (_addcarry_u32(x1, x2, x3, (unsigned int *)x4)) -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ -+ (_addcarry_u64(x1, x2, x3, (long long unsigned int *)x4)) -+ -+/* -+ GCC versions prior to 7.2 pass arguments to _subborrow_u{32,64} -+ in an incorrect order. 
-+ -+ See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81294 -+*/ -+#if defined(__GNUC__) && !defined(__clang__) && \ -+ (__GNUC__ < 7 || (__GNUC__ == 7 && (__GNUC_MINOR__ < 2))) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ -+ (_subborrow_u32(x1, x3, x2, (unsigned int *)x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (_subborrow_u64(x1, x3, x2, (long long unsigned int *)x4)) -+ -+#else -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ -+ (_subborrow_u32(x1, x2, x3, (unsigned int *)x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (_subborrow_u64(x1, x2, x3, (long long unsigned int *)x4)) -+ -+#endif // GCC < 7.2 -+ -+#endif // !HACL_CAN_COMPILE_INTRINSICS -diff -up ./lib/freebl/verified/karamel/include/krml/internal/target.h.p256 ./lib/freebl/verified/karamel/include/krml/internal/target.h ---- ./lib/freebl/verified/karamel/include/krml/internal/target.h.p256 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/verified/karamel/include/krml/internal/target.h 2024-01-09 11:35:15.323632291 -0800 -@@ -4,11 +4,13 @@ - #ifndef __KRML_TARGET_H - #define __KRML_TARGET_H - --#include --#include --#include -+#include - #include - #include -+#include -+#include -+#include -+#include - - #include "krml/internal/callconv.h" - -@@ -46,6 +48,23 @@ - #define KRML_HOST_FREE free - #endif - -+#ifndef KRML_HOST_IGNORE -+#define KRML_HOST_IGNORE(x) (void)(x) -+#endif -+ -+#ifndef KRML_NOINLINE -+#if defined(_MSC_VER) -+#define KRML_NOINLINE __declspec(noinline) -+#elif defined(__GNUC__) -+#define KRML_NOINLINE __attribute__((noinline)) -+#else -+#define KRML_NOINLINE -+#warning "The KRML_NOINLINE macro is not defined for this toolchain!" -+#warning "The compiler may defeat side-channel resistance with optimizations." -+#warning "Please locate target.h and try to fill it out with a suitable definition for this compiler." 
-+#endif -+#endif -+ - #ifndef KRML_PRE_ALIGN - #ifdef _MSC_VER - #define KRML_PRE_ALIGN(X) __declspec(align(X)) -@@ -130,7 +149,8 @@ krml_time() - } while (0) - - #if defined(_MSC_VER) && _MSC_VER < 1900 --#define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) -+#define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) \ -+ _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) - #else - #define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) snprintf(buf, sz, fmt, arg) - #endif -@@ -149,6 +169,7 @@ krml_time() - { \ - x \ - i += n; \ -+ (void)i; \ - } - - #define KRML_LOOP2(i, n, x) \ -diff -up ./lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h.p256 ./lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h ---- ./lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h.p256 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h 2024-01-09 11:41:47.873587264 -0800 -@@ -12,15 +12,26 @@ - #include "krml/lowstar_endianness.h" - #include "krml/internal/types.h" - #include "krml/internal/target.h" --extern Prims_int FStar_UInt64_n; -+ -+#if defined(__clang__) -+#pragma clang diagnostic push -+#pragma clang diagnostic ignored "-Wunused-function" -+#endif -+ -+#if defined(__GNUC__) -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wunused-function" -+#endif -+ -+extern krml_checked_int_t FStar_UInt64_n; - - extern bool FStar_UInt64_uu___is_Mk(uint64_t projectee); - --extern Prims_int FStar_UInt64___proj__Mk__item__v(uint64_t projectee); -+extern krml_checked_int_t FStar_UInt64___proj__Mk__item__v(uint64_t projectee); - --extern Prims_int FStar_UInt64_v(uint64_t x); -+extern krml_checked_int_t FStar_UInt64_v(uint64_t x); - --extern uint64_t FStar_UInt64_uint_to_t(Prims_int x); -+extern uint64_t FStar_UInt64_uint_to_t(krml_checked_int_t x); - - extern uint64_t FStar_UInt64_zero; - -@@ -62,15 +73,15 @@ extern Prims_string FStar_UInt64_to_stri - 
- extern uint64_t FStar_UInt64_of_string(Prims_string uu___); - --extern Prims_int FStar_UInt32_n; -+extern krml_checked_int_t FStar_UInt32_n; - - extern bool FStar_UInt32_uu___is_Mk(uint32_t projectee); - --extern Prims_int FStar_UInt32___proj__Mk__item__v(uint32_t projectee); -+extern krml_checked_int_t FStar_UInt32___proj__Mk__item__v(uint32_t projectee); - --extern Prims_int FStar_UInt32_v(uint32_t x); -+extern krml_checked_int_t FStar_UInt32_v(uint32_t x); - --extern uint32_t FStar_UInt32_uint_to_t(Prims_int x); -+extern uint32_t FStar_UInt32_uint_to_t(krml_checked_int_t x); - - extern uint32_t FStar_UInt32_zero; - -@@ -112,15 +123,15 @@ extern Prims_string FStar_UInt32_to_stri - - extern uint32_t FStar_UInt32_of_string(Prims_string uu___); - --extern Prims_int FStar_UInt16_n; -+extern krml_checked_int_t FStar_UInt16_n; - - extern bool FStar_UInt16_uu___is_Mk(uint16_t projectee); - --extern Prims_int FStar_UInt16___proj__Mk__item__v(uint16_t projectee); -+extern krml_checked_int_t FStar_UInt16___proj__Mk__item__v(uint16_t projectee); - --extern Prims_int FStar_UInt16_v(uint16_t x); -+extern krml_checked_int_t FStar_UInt16_v(uint16_t x); - --extern uint16_t FStar_UInt16_uint_to_t(Prims_int x); -+extern uint16_t FStar_UInt16_uint_to_t(krml_checked_int_t x); - - extern uint16_t FStar_UInt16_zero; - -@@ -162,15 +173,15 @@ extern Prims_string FStar_UInt16_to_stri - - extern uint16_t FStar_UInt16_of_string(Prims_string uu___); - --extern Prims_int FStar_UInt8_n; -+extern krml_checked_int_t FStar_UInt8_n; - - extern bool FStar_UInt8_uu___is_Mk(uint8_t projectee); - --extern Prims_int FStar_UInt8___proj__Mk__item__v(uint8_t projectee); -+extern krml_checked_int_t FStar_UInt8___proj__Mk__item__v(uint8_t projectee); - --extern Prims_int FStar_UInt8_v(uint8_t x); -+extern krml_checked_int_t FStar_UInt8_v(uint8_t x); - --extern uint8_t FStar_UInt8_uint_to_t(Prims_int x); -+extern uint8_t FStar_UInt8_uint_to_t(krml_checked_int_t x); - - extern uint8_t FStar_UInt8_zero; - 
-@@ -214,5 +225,13 @@ extern uint8_t FStar_UInt8_of_string(Pri - - typedef uint8_t FStar_UInt8_byte; - -+#if defined(__clang__) -+#pragma clang diagnostic pop -+#endif -+ -+#if defined(__GNUC__) -+#pragma GCC diagnostic pop -+#endif -+ - #define __FStar_UInt_8_16_32_64_H_DEFINED - #endif diff --git a/SOURCES/nss_p384_hacl.patch b/SOURCES/nss_p384_hacl.patch deleted file mode 100644 index a87c425..0000000 --- a/SOURCES/nss_p384_hacl.patch +++ /dev/null 
@@ -1,22992 +0,0 @@
-diff -up ./lib/freebl/ec.c.p384_hacl ./lib/freebl/ec.c
---- ./lib/freebl/ec.c.p384_hacl 2024-01-10 11:26:31.223118100 -0800
-+++ ./lib/freebl/ec.c 2024-01-10 11:33:09.022333901 -0800
-@@ -78,7 +78,16 @@ static const ECMethod kMethods[] = {
- ec_secp256r1_scalar_validate,
- ec_secp256r1_sign_digest,
- ec_secp256r1_verify_digest,
-- }
-+ },
-+ {
-+ ECCurve_NIST_P384,
-+ ec_secp384r1_pt_mul,
-+ ec_secp384r1_pt_validate,
-+ ec_secp384r1_scalar_validate,
-+ ec_secp384r1_sign_digest,
-+ ec_secp384r1_verify_digest,
-+ }
-+
- };
- 
- static const ECMethod *
-diff -up ./lib/freebl/ecdecode.c.p384_hacl ./lib/freebl/ecdecode.c
---- ./lib/freebl/ecdecode.c.p384_hacl 2024-01-10 11:24:58.252096085 -0800
-+++ ./lib/freebl/ecdecode.c 2024-01-10 11:26:31.223118100 -0800
-@@ -163,7 +163,7 @@ EC_FillParams(PLArenaPool *arena, const
- * (the NIST P-384 curve)
- */
- CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_384R1,
-- ec_field_GFp, params));
-+ ec_field_plain, params));
- break;
- 
- case SEC_OID_SECG_EC_SECP521R1:
-diff -up ./lib/freebl/ecl/ecl.c.p384_hacl ./lib/freebl/ecl/ecl.c
---- ./lib/freebl/ecl/ecl.c.p384_hacl 2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/ecl/ecl.c 2024-01-10 11:26:31.223118100 -0800
-@@ -172,7 +172,8 @@ construct_ecgroup(const ECCurveName name
- res = MP_UNDEF;
- goto CLEANUP;
- }
-- MP_CHECKOK(ec_group_set_secp384r1(group, name));
-+ MP_CHECKOK(ec_group_set_gfp384(group, name));
-+ //MP_CHECKOK(ec_group_set_secp384r1(group, name));
- break;
- case ECCurve_SECG_PRIME_521R1:
- group =
-diff -up ./lib/freebl/ecl/ecl.h.p384_hacl ./lib/freebl/ecl/ecl.h
---- ./lib/freebl/ecl/ecl.h.p384_hacl 2024-01-10 11:26:31.223118100 -0800
-+++ ./lib/freebl/ecl/ecl.h 2024-01-10 11:32:08.180720657 -0800
-@@ -57,8 +57,16 @@ SECStatus ec_secp256r1_sign_digest(ECPri
- SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature,
- const SECItem *digest);
- 
-+SECStatus ec_secp384r1_pt_mul(SECItem *X, SECItem *k, SECItem *P);
-+SECStatus ec_secp384r1_pt_validate(const SECItem *px); - SECStatus ec_secp384r1_scalar_validate(const SECItem *scalar); - -+SECStatus ec_secp384r1_sign_digest(ECPrivateKey *key, SECItem *signature, -+ const SECItem *digest, const unsigned char *kb, -+ const unsigned int kblen); -+SECStatus ec_secp384r1_verify_digest(ECPublicKey *key, const SECItem *signature, -+ const SECItem *digest); -+ - SECStatus ec_secp521r1_scalar_validate(const SECItem *scalar); - - #endif /* __ecl_h_ */ -diff -up ./lib/freebl/ecl/ecp_secp384r1.c.p384_hacl ./lib/freebl/ecl/ecp_secp384r1.c ---- ./lib/freebl/ecl/ecp_secp384r1.c.p384_hacl 2023-06-04 01:42:53.000000000 -0700 -+++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-01-10 11:26:31.227118144 -0800 -@@ -1,20817 +1,229 @@ --/* Autogenerated: ECCKiila https://gitlab.com/nisec/ecckiila */ --/*- -- * MIT License -- * - -- * Copyright (c) 2020 Luis Rivera-Zamarripa, Jesús-Javier Chi-Domínguez, Billy Bob Brumley -- * - -- * Permission is hereby granted, free of charge, to any person obtaining a copy -- * of this software and associated documentation files (the "Software"), to deal -- * in the Software without restriction, including without limitation the rights -- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -- * copies of the Software, and to permit persons to whom the Software is -- * furnished to do so, subject to the following conditions: -- * - -- * The above copyright notice and this permission notice shall be included in all -- * copies or substantial portions of the Software. -- * - -- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE -- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -- * SOFTWARE. -- */ --#if defined(__SIZEOF_INT128__) && !defined(PEDANTIC) -- --#include --#include --#define LIMB_BITS 64 --#define LIMB_CNT 6 --/* Field elements */ --typedef uint64_t fe_t[LIMB_CNT]; --typedef uint64_t limb_t; -- --#define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) --#define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) -- --/* Projective points */ --typedef struct { -- fe_t X; -- fe_t Y; -- fe_t Z; --} pt_prj_t; -- --/* Affine points */ --typedef struct { -- fe_t X; -- fe_t Y; --} pt_aff_t; -- --/* BEGIN verbatim fiat code https://github.com/mit-plv/fiat-crypto */ --/*- -- * MIT License -- * -- * Copyright (c) 2015-2021 the fiat-crypto authors (see the AUTHORS file). -- * https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS -- * -- * Permission is hereby granted, free of charge, to any person obtaining a copy -- * of this software and associated documentation files (the "Software"), to deal -- * in the Software without restriction, including without limitation the rights -- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -- * copies of the Software, and to permit persons to whom the Software is -- * furnished to do so, subject to the following conditions: -- * -- * The above copyright notice and this permission notice shall be included in -- * all copies or substantial portions of the Software. -- * -- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE -- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -- * SOFTWARE. -- */ -- --/* Autogenerated: word_by_word_montgomery --static --use-value-barrier secp384r1 64 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ --/* curve description: secp384r1 */ --/* machine_wordsize = 64 (from "64") */ --/* requested operations: (all) */ --/* m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") */ --/* */ --/* NOTE: In addition to the bounds specified above each function, all */ --/* functions synthesized for this Montgomery arithmetic require the */ --/* input to be strictly less than the prime modulus (m), and also */ --/* require the input to be in the unique saturated representation. */ --/* All functions also ensure that these two properties are true of */ --/* return values. 
*/ --/* */ --/* Computed values: */ --/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) */ --/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ --/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) + (z[4] << 256) + (z[5] << 0x140) in */ --/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ -- --#include --typedef unsigned char fiat_secp384r1_uint1; --typedef signed char fiat_secp384r1_int1; --#ifdef __GNUC__ --#define FIAT_SECP384R1_FIAT_EXTENSION __extension__ --#define FIAT_SECP384R1_FIAT_INLINE __inline__ --#else --#define FIAT_SECP384R1_FIAT_EXTENSION --#define FIAT_SECP384R1_FIAT_INLINE --#endif -- --FIAT_SECP384R1_FIAT_EXTENSION typedef signed __int128 fiat_secp384r1_int128; --FIAT_SECP384R1_FIAT_EXTENSION typedef unsigned __int128 fiat_secp384r1_uint128; -- --/* The type fiat_secp384r1_montgomery_domain_field_element is a field element in the Montgomery domain. 
*/ --/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ --typedef uint64_t fiat_secp384r1_montgomery_domain_field_element[6]; -- --/* The type fiat_secp384r1_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ --/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ --typedef uint64_t fiat_secp384r1_non_montgomery_domain_field_element[6]; -- --#if (-1 & 3) != 3 --#error "This code only works on a two's complement system" --#endif -+/* P-384 from HACL* */ - --#if !defined(FIAT_SECP384R1_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) --static __inline__ uint64_t --fiat_secp384r1_value_barrier_u64(uint64_t a) --{ -- __asm__("" -- : "+r"(a) -- : /* no inputs */); -- return a; --} --#else --#define fiat_secp384r1_value_barrier_u64(x) (x) -+#ifdef FREEBL_NO_DEPEND -+#include "../stubs.h" - #endif - --/* -- * The function fiat_secp384r1_addcarryx_u64 is an addition with carry. 
-- * -- * Postconditions: -- * out1 = (arg1 + arg2 + arg3) mod 2^64 -- * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ -- * -- * Input Bounds: -- * arg1: [0x0 ~> 0x1] -- * arg2: [0x0 ~> 0xffffffffffffffff] -- * arg3: [0x0 ~> 0xffffffffffffffff] -- * Output Bounds: -- * out1: [0x0 ~> 0xffffffffffffffff] -- * out2: [0x0 ~> 0x1] -- */ --static void --fiat_secp384r1_addcarryx_u64(uint64_t *out1, -- fiat_secp384r1_uint1 *out2, -- fiat_secp384r1_uint1 arg1, -- uint64_t arg2, uint64_t arg3) --{ -- fiat_secp384r1_uint128 x1; -- uint64_t x2; -- fiat_secp384r1_uint1 x3; -- x1 = ((arg1 + (fiat_secp384r1_uint128)arg2) + arg3); -- x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); -- x3 = (fiat_secp384r1_uint1)(x1 >> 64); -- *out1 = x2; -- *out2 = x3; --} -- --/* -- * The function fiat_secp384r1_subborrowx_u64 is a subtraction with borrow. -- * -- * Postconditions: -- * out1 = (-arg1 + arg2 + -arg3) mod 2^64 -- * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ -- * -- * Input Bounds: -- * arg1: [0x0 ~> 0x1] -- * arg2: [0x0 ~> 0xffffffffffffffff] -- * arg3: [0x0 ~> 0xffffffffffffffff] -- * Output Bounds: -- * out1: [0x0 ~> 0xffffffffffffffff] -- * out2: [0x0 ~> 0x1] -- */ --static void --fiat_secp384r1_subborrowx_u64(uint64_t *out1, -- fiat_secp384r1_uint1 *out2, -- fiat_secp384r1_uint1 arg1, -- uint64_t arg2, uint64_t arg3) --{ -- fiat_secp384r1_int128 x1; -- fiat_secp384r1_int1 x2; -- uint64_t x3; -- x1 = ((arg2 - (fiat_secp384r1_int128)arg1) - arg3); -- x2 = (fiat_secp384r1_int1)(x1 >> 64); -- x3 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); -- *out1 = x3; -- *out2 = (fiat_secp384r1_uint1)(0x0 - x2); --} -- --/* -- * The function fiat_secp384r1_mulx_u64 is a multiplication, returning the full double-width result. 
-- * -- * Postconditions: -- * out1 = (arg1 * arg2) mod 2^64 -- * out2 = ⌊arg1 * arg2 / 2^64⌋ -- * -- * Input Bounds: -- * arg1: [0x0 ~> 0xffffffffffffffff] -- * arg2: [0x0 ~> 0xffffffffffffffff] -- * Output Bounds: -- * out1: [0x0 ~> 0xffffffffffffffff] -- * out2: [0x0 ~> 0xffffffffffffffff] -- */ --static void --fiat_secp384r1_mulx_u64(uint64_t *out1, uint64_t *out2, -- uint64_t arg1, uint64_t arg2) --{ -- fiat_secp384r1_uint128 x1; -- uint64_t x2; -- uint64_t x3; -- x1 = ((fiat_secp384r1_uint128)arg1 * arg2); -- x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); -- x3 = (uint64_t)(x1 >> 64); -- *out1 = x2; -- *out2 = x3; --} -- --/* -- * The function fiat_secp384r1_cmovznz_u64 is a single-word conditional move. -- * -- * Postconditions: -- * out1 = (if arg1 = 0 then arg2 else arg3) -- * -- * Input Bounds: -- * arg1: [0x0 ~> 0x1] -- * arg2: [0x0 ~> 0xffffffffffffffff] -- * arg3: [0x0 ~> 0xffffffffffffffff] -- * Output Bounds: -- * out1: [0x0 ~> 0xffffffffffffffff] -- */ --static void --fiat_secp384r1_cmovznz_u64(uint64_t *out1, -- fiat_secp384r1_uint1 arg1, uint64_t arg2, -- uint64_t arg3) --{ -- fiat_secp384r1_uint1 x1; -- uint64_t x2; -- uint64_t x3; -- x1 = (!(!arg1)); -- x2 = ((fiat_secp384r1_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); -- x3 = ((fiat_secp384r1_value_barrier_u64(x2) & arg3) | -- (fiat_secp384r1_value_barrier_u64((~x2)) & arg2)); -- *out1 = x3; --} -- --/* -- * The function fiat_secp384r1_mul multiplies two field elements in the Montgomery domain. 
-- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * 0 ≤ eval arg2 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_mul( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1, -- const fiat_secp384r1_montgomery_domain_field_element arg2) --{ -- uint64_t x1; -- uint64_t x2; -- uint64_t x3; -- uint64_t x4; -- uint64_t x5; -- uint64_t x6; -- uint64_t x7; -- uint64_t x8; -- uint64_t x9; -- uint64_t x10; -- uint64_t x11; -- uint64_t x12; -- uint64_t x13; -- uint64_t x14; -- uint64_t x15; -- uint64_t x16; -- uint64_t x17; -- uint64_t x18; -- uint64_t x19; -- fiat_secp384r1_uint1 x20; -- uint64_t x21; -- fiat_secp384r1_uint1 x22; -- uint64_t x23; -- fiat_secp384r1_uint1 x24; -- uint64_t x25; -- fiat_secp384r1_uint1 x26; -- uint64_t x27; -- fiat_secp384r1_uint1 x28; -- uint64_t x29; -- uint64_t x30; -- uint64_t x31; -- uint64_t x32; -- uint64_t x33; -- uint64_t x34; -- uint64_t x35; -- uint64_t x36; -- uint64_t x37; -- uint64_t x38; -- uint64_t x39; -- uint64_t x40; -- uint64_t x41; -- uint64_t x42; -- uint64_t x43; -- uint64_t x44; -- fiat_secp384r1_uint1 x45; -- uint64_t x46; -- fiat_secp384r1_uint1 x47; -- uint64_t x48; -- fiat_secp384r1_uint1 x49; -- uint64_t x50; -- fiat_secp384r1_uint1 x51; -- uint64_t x52; -- fiat_secp384r1_uint1 x53; -- uint64_t x54; -- uint64_t x55; -- fiat_secp384r1_uint1 x56; -- uint64_t x57; -- fiat_secp384r1_uint1 x58; -- uint64_t x59; -- fiat_secp384r1_uint1 x60; -- uint64_t x61; -- fiat_secp384r1_uint1 x62; -- uint64_t x63; -- fiat_secp384r1_uint1 x64; -- uint64_t x65; -- fiat_secp384r1_uint1 x66; -- uint64_t x67; -- fiat_secp384r1_uint1 x68; -- uint64_t x69; -- uint64_t x70; -- uint64_t x71; -- uint64_t x72; -- uint64_t x73; -- uint64_t x74; -- uint64_t x75; -- uint64_t x76; -- uint64_t x77; -- uint64_t x78; -- uint64_t x79; -- 
uint64_t x80; -- uint64_t x81; -- fiat_secp384r1_uint1 x82; -- uint64_t x83; -- fiat_secp384r1_uint1 x84; -- uint64_t x85; -- fiat_secp384r1_uint1 x86; -- uint64_t x87; -- fiat_secp384r1_uint1 x88; -- uint64_t x89; -- fiat_secp384r1_uint1 x90; -- uint64_t x91; -- uint64_t x92; -- fiat_secp384r1_uint1 x93; -- uint64_t x94; -- fiat_secp384r1_uint1 x95; -- uint64_t x96; -- fiat_secp384r1_uint1 x97; -- uint64_t x98; -- fiat_secp384r1_uint1 x99; -- uint64_t x100; -- fiat_secp384r1_uint1 x101; -- uint64_t x102; -- fiat_secp384r1_uint1 x103; -- uint64_t x104; -- fiat_secp384r1_uint1 x105; -- uint64_t x106; -- uint64_t x107; -- uint64_t x108; -- uint64_t x109; -- uint64_t x110; -- uint64_t x111; -- uint64_t x112; -- uint64_t x113; -- uint64_t x114; -- uint64_t x115; -- uint64_t x116; -- uint64_t x117; -- uint64_t x118; -- uint64_t x119; -- uint64_t x120; -- fiat_secp384r1_uint1 x121; -- uint64_t x122; -- fiat_secp384r1_uint1 x123; -- uint64_t x124; -- fiat_secp384r1_uint1 x125; -- uint64_t x126; -- fiat_secp384r1_uint1 x127; -- uint64_t x128; -- fiat_secp384r1_uint1 x129; -- uint64_t x130; -- uint64_t x131; -- fiat_secp384r1_uint1 x132; -- uint64_t x133; -- fiat_secp384r1_uint1 x134; -- uint64_t x135; -- fiat_secp384r1_uint1 x136; -- uint64_t x137; -- fiat_secp384r1_uint1 x138; -- uint64_t x139; -- fiat_secp384r1_uint1 x140; -- uint64_t x141; -- fiat_secp384r1_uint1 x142; -- uint64_t x143; -- fiat_secp384r1_uint1 x144; -- uint64_t x145; -- uint64_t x146; -- uint64_t x147; -- uint64_t x148; -- uint64_t x149; -- uint64_t x150; -- uint64_t x151; -- uint64_t x152; -- uint64_t x153; -- uint64_t x154; -- uint64_t x155; -- uint64_t x156; -- uint64_t x157; -- uint64_t x158; -- fiat_secp384r1_uint1 x159; -- uint64_t x160; -- fiat_secp384r1_uint1 x161; -- uint64_t x162; -- fiat_secp384r1_uint1 x163; -- uint64_t x164; -- fiat_secp384r1_uint1 x165; -- uint64_t x166; -- fiat_secp384r1_uint1 x167; -- uint64_t x168; -- uint64_t x169; -- fiat_secp384r1_uint1 x170; -- uint64_t x171; -- 
fiat_secp384r1_uint1 x172; -- uint64_t x173; -- fiat_secp384r1_uint1 x174; -- uint64_t x175; -- fiat_secp384r1_uint1 x176; -- uint64_t x177; -- fiat_secp384r1_uint1 x178; -- uint64_t x179; -- fiat_secp384r1_uint1 x180; -- uint64_t x181; -- fiat_secp384r1_uint1 x182; -- uint64_t x183; -- uint64_t x184; -- uint64_t x185; -- uint64_t x186; -- uint64_t x187; -- uint64_t x188; -- uint64_t x189; -- uint64_t x190; -- uint64_t x191; -- uint64_t x192; -- uint64_t x193; -- uint64_t x194; -- uint64_t x195; -- uint64_t x196; -- uint64_t x197; -- fiat_secp384r1_uint1 x198; -- uint64_t x199; -- fiat_secp384r1_uint1 x200; -- uint64_t x201; -- fiat_secp384r1_uint1 x202; -- uint64_t x203; -- fiat_secp384r1_uint1 x204; -- uint64_t x205; -- fiat_secp384r1_uint1 x206; -- uint64_t x207; -- uint64_t x208; -- fiat_secp384r1_uint1 x209; -- uint64_t x210; -- fiat_secp384r1_uint1 x211; -- uint64_t x212; -- fiat_secp384r1_uint1 x213; -- uint64_t x214; -- fiat_secp384r1_uint1 x215; -- uint64_t x216; -- fiat_secp384r1_uint1 x217; -- uint64_t x218; -- fiat_secp384r1_uint1 x219; -- uint64_t x220; -- fiat_secp384r1_uint1 x221; -- uint64_t x222; -- uint64_t x223; -- uint64_t x224; -- uint64_t x225; -- uint64_t x226; -- uint64_t x227; -- uint64_t x228; -- uint64_t x229; -- uint64_t x230; -- uint64_t x231; -- uint64_t x232; -- uint64_t x233; -- uint64_t x234; -- uint64_t x235; -- fiat_secp384r1_uint1 x236; -- uint64_t x237; -- fiat_secp384r1_uint1 x238; -- uint64_t x239; -- fiat_secp384r1_uint1 x240; -- uint64_t x241; -- fiat_secp384r1_uint1 x242; -- uint64_t x243; -- fiat_secp384r1_uint1 x244; -- uint64_t x245; -- uint64_t x246; -- fiat_secp384r1_uint1 x247; -- uint64_t x248; -- fiat_secp384r1_uint1 x249; -- uint64_t x250; -- fiat_secp384r1_uint1 x251; -- uint64_t x252; -- fiat_secp384r1_uint1 x253; -- uint64_t x254; -- fiat_secp384r1_uint1 x255; -- uint64_t x256; -- fiat_secp384r1_uint1 x257; -- uint64_t x258; -- fiat_secp384r1_uint1 x259; -- uint64_t x260; -- uint64_t x261; -- uint64_t x262; -- 
uint64_t x263; -- uint64_t x264; -- uint64_t x265; -- uint64_t x266; -- uint64_t x267; -- uint64_t x268; -- uint64_t x269; -- uint64_t x270; -- uint64_t x271; -- uint64_t x272; -- uint64_t x273; -- uint64_t x274; -- fiat_secp384r1_uint1 x275; -- uint64_t x276; -- fiat_secp384r1_uint1 x277; -- uint64_t x278; -- fiat_secp384r1_uint1 x279; -- uint64_t x280; -- fiat_secp384r1_uint1 x281; -- uint64_t x282; -- fiat_secp384r1_uint1 x283; -- uint64_t x284; -- uint64_t x285; -- fiat_secp384r1_uint1 x286; -- uint64_t x287; -- fiat_secp384r1_uint1 x288; -- uint64_t x289; -- fiat_secp384r1_uint1 x290; -- uint64_t x291; -- fiat_secp384r1_uint1 x292; -- uint64_t x293; -- fiat_secp384r1_uint1 x294; -- uint64_t x295; -- fiat_secp384r1_uint1 x296; -- uint64_t x297; -- fiat_secp384r1_uint1 x298; -- uint64_t x299; -- uint64_t x300; -- uint64_t x301; -- uint64_t x302; -- uint64_t x303; -- uint64_t x304; -- uint64_t x305; -- uint64_t x306; -- uint64_t x307; -- uint64_t x308; -- uint64_t x309; -- uint64_t x310; -- uint64_t x311; -- uint64_t x312; -- fiat_secp384r1_uint1 x313; -- uint64_t x314; -- fiat_secp384r1_uint1 x315; -- uint64_t x316; -- fiat_secp384r1_uint1 x317; -- uint64_t x318; -- fiat_secp384r1_uint1 x319; -- uint64_t x320; -- fiat_secp384r1_uint1 x321; -- uint64_t x322; -- uint64_t x323; -- fiat_secp384r1_uint1 x324; -- uint64_t x325; -- fiat_secp384r1_uint1 x326; -- uint64_t x327; -- fiat_secp384r1_uint1 x328; -- uint64_t x329; -- fiat_secp384r1_uint1 x330; -- uint64_t x331; -- fiat_secp384r1_uint1 x332; -- uint64_t x333; -- fiat_secp384r1_uint1 x334; -- uint64_t x335; -- fiat_secp384r1_uint1 x336; -- uint64_t x337; -- uint64_t x338; -- uint64_t x339; -- uint64_t x340; -- uint64_t x341; -- uint64_t x342; -- uint64_t x343; -- uint64_t x344; -- uint64_t x345; -- uint64_t x346; -- uint64_t x347; -- uint64_t x348; -- uint64_t x349; -- uint64_t x350; -- uint64_t x351; -- fiat_secp384r1_uint1 x352; -- uint64_t x353; -- fiat_secp384r1_uint1 x354; -- uint64_t x355; -- 
fiat_secp384r1_uint1 x356; -- uint64_t x357; -- fiat_secp384r1_uint1 x358; -- uint64_t x359; -- fiat_secp384r1_uint1 x360; -- uint64_t x361; -- uint64_t x362; -- fiat_secp384r1_uint1 x363; -- uint64_t x364; -- fiat_secp384r1_uint1 x365; -- uint64_t x366; -- fiat_secp384r1_uint1 x367; -- uint64_t x368; -- fiat_secp384r1_uint1 x369; -- uint64_t x370; -- fiat_secp384r1_uint1 x371; -- uint64_t x372; -- fiat_secp384r1_uint1 x373; -- uint64_t x374; -- fiat_secp384r1_uint1 x375; -- uint64_t x376; -- uint64_t x377; -- uint64_t x378; -- uint64_t x379; -- uint64_t x380; -- uint64_t x381; -- uint64_t x382; -- uint64_t x383; -- uint64_t x384; -- uint64_t x385; -- uint64_t x386; -- uint64_t x387; -- uint64_t x388; -- uint64_t x389; -- fiat_secp384r1_uint1 x390; -- uint64_t x391; -- fiat_secp384r1_uint1 x392; -- uint64_t x393; -- fiat_secp384r1_uint1 x394; -- uint64_t x395; -- fiat_secp384r1_uint1 x396; -- uint64_t x397; -- fiat_secp384r1_uint1 x398; -- uint64_t x399; -- uint64_t x400; -- fiat_secp384r1_uint1 x401; -- uint64_t x402; -- fiat_secp384r1_uint1 x403; -- uint64_t x404; -- fiat_secp384r1_uint1 x405; -- uint64_t x406; -- fiat_secp384r1_uint1 x407; -- uint64_t x408; -- fiat_secp384r1_uint1 x409; -- uint64_t x410; -- fiat_secp384r1_uint1 x411; -- uint64_t x412; -- fiat_secp384r1_uint1 x413; -- uint64_t x414; -- uint64_t x415; -- uint64_t x416; -- uint64_t x417; -- uint64_t x418; -- uint64_t x419; -- uint64_t x420; -- uint64_t x421; -- uint64_t x422; -- uint64_t x423; -- uint64_t x424; -- uint64_t x425; -- uint64_t x426; -- uint64_t x427; -- uint64_t x428; -- fiat_secp384r1_uint1 x429; -- uint64_t x430; -- fiat_secp384r1_uint1 x431; -- uint64_t x432; -- fiat_secp384r1_uint1 x433; -- uint64_t x434; -- fiat_secp384r1_uint1 x435; -- uint64_t x436; -- fiat_secp384r1_uint1 x437; -- uint64_t x438; -- uint64_t x439; -- fiat_secp384r1_uint1 x440; -- uint64_t x441; -- fiat_secp384r1_uint1 x442; -- uint64_t x443; -- fiat_secp384r1_uint1 x444; -- uint64_t x445; -- 
fiat_secp384r1_uint1 x446; -- uint64_t x447; -- fiat_secp384r1_uint1 x448; -- uint64_t x449; -- fiat_secp384r1_uint1 x450; -- uint64_t x451; -- fiat_secp384r1_uint1 x452; -- uint64_t x453; -- uint64_t x454; -- fiat_secp384r1_uint1 x455; -- uint64_t x456; -- fiat_secp384r1_uint1 x457; -- uint64_t x458; -- fiat_secp384r1_uint1 x459; -- uint64_t x460; -- fiat_secp384r1_uint1 x461; -- uint64_t x462; -- fiat_secp384r1_uint1 x463; -- uint64_t x464; -- fiat_secp384r1_uint1 x465; -- uint64_t x466; -- fiat_secp384r1_uint1 x467; -- uint64_t x468; -- uint64_t x469; -- uint64_t x470; -- uint64_t x471; -- uint64_t x472; -- uint64_t x473; -- x1 = (arg1[1]); -- x2 = (arg1[2]); -- x3 = (arg1[3]); -- x4 = (arg1[4]); -- x5 = (arg1[5]); -- x6 = (arg1[0]); -- fiat_secp384r1_mulx_u64(&x7, &x8, x6, (arg2[5])); -- fiat_secp384r1_mulx_u64(&x9, &x10, x6, (arg2[4])); -- fiat_secp384r1_mulx_u64(&x11, &x12, x6, (arg2[3])); -- fiat_secp384r1_mulx_u64(&x13, &x14, x6, (arg2[2])); -- fiat_secp384r1_mulx_u64(&x15, &x16, x6, (arg2[1])); -- fiat_secp384r1_mulx_u64(&x17, &x18, x6, (arg2[0])); -- fiat_secp384r1_addcarryx_u64(&x19, &x20, 0x0, x18, x15); -- fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x16, x13); -- fiat_secp384r1_addcarryx_u64(&x23, &x24, x22, x14, x11); -- fiat_secp384r1_addcarryx_u64(&x25, &x26, x24, x12, x9); -- fiat_secp384r1_addcarryx_u64(&x27, &x28, x26, x10, x7); -- x29 = (x28 + x8); -- fiat_secp384r1_mulx_u64(&x30, &x31, x17, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x32, &x33, x30, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x34, &x35, x30, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x36, &x37, x30, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x38, &x39, x30, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x40, &x41, x30, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x42, &x43, x30, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x44, &x45, 0x0, x43, x40); -- 
fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x41, x38); -- fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x39, x36); -- fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x37, x34); -- fiat_secp384r1_addcarryx_u64(&x52, &x53, x51, x35, x32); -- x54 = (x53 + x33); -- fiat_secp384r1_addcarryx_u64(&x55, &x56, 0x0, x17, x42); -- fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x19, x44); -- fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, x21, x46); -- fiat_secp384r1_addcarryx_u64(&x61, &x62, x60, x23, x48); -- fiat_secp384r1_addcarryx_u64(&x63, &x64, x62, x25, x50); -- fiat_secp384r1_addcarryx_u64(&x65, &x66, x64, x27, x52); -- fiat_secp384r1_addcarryx_u64(&x67, &x68, x66, x29, x54); -- fiat_secp384r1_mulx_u64(&x69, &x70, x1, (arg2[5])); -- fiat_secp384r1_mulx_u64(&x71, &x72, x1, (arg2[4])); -- fiat_secp384r1_mulx_u64(&x73, &x74, x1, (arg2[3])); -- fiat_secp384r1_mulx_u64(&x75, &x76, x1, (arg2[2])); -- fiat_secp384r1_mulx_u64(&x77, &x78, x1, (arg2[1])); -- fiat_secp384r1_mulx_u64(&x79, &x80, x1, (arg2[0])); -- fiat_secp384r1_addcarryx_u64(&x81, &x82, 0x0, x80, x77); -- fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x78, x75); -- fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x76, x73); -- fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x74, x71); -- fiat_secp384r1_addcarryx_u64(&x89, &x90, x88, x72, x69); -- x91 = (x90 + x70); -- fiat_secp384r1_addcarryx_u64(&x92, &x93, 0x0, x57, x79); -- fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x59, x81); -- fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x61, x83); -- fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x63, x85); -- fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x65, x87); -- fiat_secp384r1_addcarryx_u64(&x102, &x103, x101, x67, x89); -- fiat_secp384r1_addcarryx_u64(&x104, &x105, x103, x68, x91); -- fiat_secp384r1_mulx_u64(&x106, &x107, x92, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x108, &x109, x106, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x110, &x111, x106, UINT64_C(0xffffffffffffffff)); -- 
fiat_secp384r1_mulx_u64(&x112, &x113, x106, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x114, &x115, x106, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x116, &x117, x106, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x118, &x119, x106, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x120, &x121, 0x0, x119, x116); -- fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x117, x114); -- fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x115, x112); -- fiat_secp384r1_addcarryx_u64(&x126, &x127, x125, x113, x110); -- fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x111, x108); -- x130 = (x129 + x109); -- fiat_secp384r1_addcarryx_u64(&x131, &x132, 0x0, x92, x118); -- fiat_secp384r1_addcarryx_u64(&x133, &x134, x132, x94, x120); -- fiat_secp384r1_addcarryx_u64(&x135, &x136, x134, x96, x122); -- fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x98, x124); -- fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x100, x126); -- fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x102, x128); -- fiat_secp384r1_addcarryx_u64(&x143, &x144, x142, x104, x130); -- x145 = ((uint64_t)x144 + x105); -- fiat_secp384r1_mulx_u64(&x146, &x147, x2, (arg2[5])); -- fiat_secp384r1_mulx_u64(&x148, &x149, x2, (arg2[4])); -- fiat_secp384r1_mulx_u64(&x150, &x151, x2, (arg2[3])); -- fiat_secp384r1_mulx_u64(&x152, &x153, x2, (arg2[2])); -- fiat_secp384r1_mulx_u64(&x154, &x155, x2, (arg2[1])); -- fiat_secp384r1_mulx_u64(&x156, &x157, x2, (arg2[0])); -- fiat_secp384r1_addcarryx_u64(&x158, &x159, 0x0, x157, x154); -- fiat_secp384r1_addcarryx_u64(&x160, &x161, x159, x155, x152); -- fiat_secp384r1_addcarryx_u64(&x162, &x163, x161, x153, x150); -- fiat_secp384r1_addcarryx_u64(&x164, &x165, x163, x151, x148); -- fiat_secp384r1_addcarryx_u64(&x166, &x167, x165, x149, x146); -- x168 = (x167 + x147); -- fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x133, x156); -- fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x135, x158); -- fiat_secp384r1_addcarryx_u64(&x173, 
&x174, x172, x137, x160); -- fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x139, x162); -- fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x141, x164); -- fiat_secp384r1_addcarryx_u64(&x179, &x180, x178, x143, x166); -- fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x168); -- fiat_secp384r1_mulx_u64(&x183, &x184, x169, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x185, &x186, x183, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x187, &x188, x183, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x189, &x190, x183, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x191, &x192, x183, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x193, &x194, x183, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x195, &x196, x183, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x197, &x198, 0x0, x196, x193); -- fiat_secp384r1_addcarryx_u64(&x199, &x200, x198, x194, x191); -- fiat_secp384r1_addcarryx_u64(&x201, &x202, x200, x192, x189); -- fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x190, x187); -- fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x188, x185); -- x207 = (x206 + x186); -- fiat_secp384r1_addcarryx_u64(&x208, &x209, 0x0, x169, x195); -- fiat_secp384r1_addcarryx_u64(&x210, &x211, x209, x171, x197); -- fiat_secp384r1_addcarryx_u64(&x212, &x213, x211, x173, x199); -- fiat_secp384r1_addcarryx_u64(&x214, &x215, x213, x175, x201); -- fiat_secp384r1_addcarryx_u64(&x216, &x217, x215, x177, x203); -- fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x179, x205); -- fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x181, x207); -- x222 = ((uint64_t)x221 + x182); -- fiat_secp384r1_mulx_u64(&x223, &x224, x3, (arg2[5])); -- fiat_secp384r1_mulx_u64(&x225, &x226, x3, (arg2[4])); -- fiat_secp384r1_mulx_u64(&x227, &x228, x3, (arg2[3])); -- fiat_secp384r1_mulx_u64(&x229, &x230, x3, (arg2[2])); -- fiat_secp384r1_mulx_u64(&x231, &x232, x3, (arg2[1])); -- fiat_secp384r1_mulx_u64(&x233, &x234, x3, (arg2[0])); -- 
fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); -- fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); -- fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); -- fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); -- fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); -- x245 = (x244 + x224); -- fiat_secp384r1_addcarryx_u64(&x246, &x247, 0x0, x210, x233); -- fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x212, x235); -- fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x214, x237); -- fiat_secp384r1_addcarryx_u64(&x252, &x253, x251, x216, x239); -- fiat_secp384r1_addcarryx_u64(&x254, &x255, x253, x218, x241); -- fiat_secp384r1_addcarryx_u64(&x256, &x257, x255, x220, x243); -- fiat_secp384r1_addcarryx_u64(&x258, &x259, x257, x222, x245); -- fiat_secp384r1_mulx_u64(&x260, &x261, x246, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x262, &x263, x260, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x264, &x265, x260, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x266, &x267, x260, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x268, &x269, x260, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x270, &x271, x260, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x272, &x273, x260, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x274, &x275, 0x0, x273, x270); -- fiat_secp384r1_addcarryx_u64(&x276, &x277, x275, x271, x268); -- fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x269, x266); -- fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x267, x264); -- fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x265, x262); -- x284 = (x283 + x263); -- fiat_secp384r1_addcarryx_u64(&x285, &x286, 0x0, x246, x272); -- fiat_secp384r1_addcarryx_u64(&x287, &x288, x286, x248, x274); -- fiat_secp384r1_addcarryx_u64(&x289, &x290, x288, x250, x276); -- fiat_secp384r1_addcarryx_u64(&x291, &x292, x290, x252, x278); -- fiat_secp384r1_addcarryx_u64(&x293, &x294, x292, x254, 
x280); -- fiat_secp384r1_addcarryx_u64(&x295, &x296, x294, x256, x282); -- fiat_secp384r1_addcarryx_u64(&x297, &x298, x296, x258, x284); -- x299 = ((uint64_t)x298 + x259); -- fiat_secp384r1_mulx_u64(&x300, &x301, x4, (arg2[5])); -- fiat_secp384r1_mulx_u64(&x302, &x303, x4, (arg2[4])); -- fiat_secp384r1_mulx_u64(&x304, &x305, x4, (arg2[3])); -- fiat_secp384r1_mulx_u64(&x306, &x307, x4, (arg2[2])); -- fiat_secp384r1_mulx_u64(&x308, &x309, x4, (arg2[1])); -- fiat_secp384r1_mulx_u64(&x310, &x311, x4, (arg2[0])); -- fiat_secp384r1_addcarryx_u64(&x312, &x313, 0x0, x311, x308); -- fiat_secp384r1_addcarryx_u64(&x314, &x315, x313, x309, x306); -- fiat_secp384r1_addcarryx_u64(&x316, &x317, x315, x307, x304); -- fiat_secp384r1_addcarryx_u64(&x318, &x319, x317, x305, x302); -- fiat_secp384r1_addcarryx_u64(&x320, &x321, x319, x303, x300); -- x322 = (x321 + x301); -- fiat_secp384r1_addcarryx_u64(&x323, &x324, 0x0, x287, x310); -- fiat_secp384r1_addcarryx_u64(&x325, &x326, x324, x289, x312); -- fiat_secp384r1_addcarryx_u64(&x327, &x328, x326, x291, x314); -- fiat_secp384r1_addcarryx_u64(&x329, &x330, x328, x293, x316); -- fiat_secp384r1_addcarryx_u64(&x331, &x332, x330, x295, x318); -- fiat_secp384r1_addcarryx_u64(&x333, &x334, x332, x297, x320); -- fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x299, x322); -- fiat_secp384r1_mulx_u64(&x337, &x338, x323, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x339, &x340, x337, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x341, &x342, x337, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x343, &x344, x337, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x345, &x346, x337, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x347, &x348, x337, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x349, &x350, x337, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x351, &x352, 0x0, x350, x347); -- fiat_secp384r1_addcarryx_u64(&x353, &x354, x352, x348, x345); -- 
fiat_secp384r1_addcarryx_u64(&x355, &x356, x354, x346, x343); -- fiat_secp384r1_addcarryx_u64(&x357, &x358, x356, x344, x341); -- fiat_secp384r1_addcarryx_u64(&x359, &x360, x358, x342, x339); -- x361 = (x360 + x340); -- fiat_secp384r1_addcarryx_u64(&x362, &x363, 0x0, x323, x349); -- fiat_secp384r1_addcarryx_u64(&x364, &x365, x363, x325, x351); -- fiat_secp384r1_addcarryx_u64(&x366, &x367, x365, x327, x353); -- fiat_secp384r1_addcarryx_u64(&x368, &x369, x367, x329, x355); -- fiat_secp384r1_addcarryx_u64(&x370, &x371, x369, x331, x357); -- fiat_secp384r1_addcarryx_u64(&x372, &x373, x371, x333, x359); -- fiat_secp384r1_addcarryx_u64(&x374, &x375, x373, x335, x361); -- x376 = ((uint64_t)x375 + x336); -- fiat_secp384r1_mulx_u64(&x377, &x378, x5, (arg2[5])); -- fiat_secp384r1_mulx_u64(&x379, &x380, x5, (arg2[4])); -- fiat_secp384r1_mulx_u64(&x381, &x382, x5, (arg2[3])); -- fiat_secp384r1_mulx_u64(&x383, &x384, x5, (arg2[2])); -- fiat_secp384r1_mulx_u64(&x385, &x386, x5, (arg2[1])); -- fiat_secp384r1_mulx_u64(&x387, &x388, x5, (arg2[0])); -- fiat_secp384r1_addcarryx_u64(&x389, &x390, 0x0, x388, x385); -- fiat_secp384r1_addcarryx_u64(&x391, &x392, x390, x386, x383); -- fiat_secp384r1_addcarryx_u64(&x393, &x394, x392, x384, x381); -- fiat_secp384r1_addcarryx_u64(&x395, &x396, x394, x382, x379); -- fiat_secp384r1_addcarryx_u64(&x397, &x398, x396, x380, x377); -- x399 = (x398 + x378); -- fiat_secp384r1_addcarryx_u64(&x400, &x401, 0x0, x364, x387); -- fiat_secp384r1_addcarryx_u64(&x402, &x403, x401, x366, x389); -- fiat_secp384r1_addcarryx_u64(&x404, &x405, x403, x368, x391); -- fiat_secp384r1_addcarryx_u64(&x406, &x407, x405, x370, x393); -- fiat_secp384r1_addcarryx_u64(&x408, &x409, x407, x372, x395); -- fiat_secp384r1_addcarryx_u64(&x410, &x411, x409, x374, x397); -- fiat_secp384r1_addcarryx_u64(&x412, &x413, x411, x376, x399); -- fiat_secp384r1_mulx_u64(&x414, &x415, x400, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x416, &x417, x414, UINT64_C(0xffffffffffffffff)); 
-- fiat_secp384r1_mulx_u64(&x418, &x419, x414, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x420, &x421, x414, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x422, &x423, x414, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x424, &x425, x414, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x426, &x427, x414, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x428, &x429, 0x0, x427, x424); -- fiat_secp384r1_addcarryx_u64(&x430, &x431, x429, x425, x422); -- fiat_secp384r1_addcarryx_u64(&x432, &x433, x431, x423, x420); -- fiat_secp384r1_addcarryx_u64(&x434, &x435, x433, x421, x418); -- fiat_secp384r1_addcarryx_u64(&x436, &x437, x435, x419, x416); -- x438 = (x437 + x417); -- fiat_secp384r1_addcarryx_u64(&x439, &x440, 0x0, x400, x426); -- fiat_secp384r1_addcarryx_u64(&x441, &x442, x440, x402, x428); -- fiat_secp384r1_addcarryx_u64(&x443, &x444, x442, x404, x430); -- fiat_secp384r1_addcarryx_u64(&x445, &x446, x444, x406, x432); -- fiat_secp384r1_addcarryx_u64(&x447, &x448, x446, x408, x434); -- fiat_secp384r1_addcarryx_u64(&x449, &x450, x448, x410, x436); -- fiat_secp384r1_addcarryx_u64(&x451, &x452, x450, x412, x438); -- x453 = ((uint64_t)x452 + x413); -- fiat_secp384r1_subborrowx_u64(&x454, &x455, 0x0, x441, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u64(&x456, &x457, x455, x443, -- UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_subborrowx_u64(&x458, &x459, x457, x445, -- UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_subborrowx_u64(&x460, &x461, x459, x447, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x462, &x463, x461, x449, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x464, &x465, x463, x451, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x466, &x467, x465, x453, 0x0); -- fiat_secp384r1_cmovznz_u64(&x468, x467, x454, x441); -- fiat_secp384r1_cmovznz_u64(&x469, x467, x456, x443); -- fiat_secp384r1_cmovznz_u64(&x470, x467, x458, 
x445); -- fiat_secp384r1_cmovznz_u64(&x471, x467, x460, x447); -- fiat_secp384r1_cmovznz_u64(&x472, x467, x462, x449); -- fiat_secp384r1_cmovznz_u64(&x473, x467, x464, x451); -- out1[0] = x468; -- out1[1] = x469; -- out1[2] = x470; -- out1[3] = x471; -- out1[4] = x472; -- out1[5] = x473; --} -- --/* -- * The function fiat_secp384r1_square squares a field element in the Montgomery domain. -- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_square( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1) --{ -- uint64_t x1; -- uint64_t x2; -- uint64_t x3; -- uint64_t x4; -- uint64_t x5; -- uint64_t x6; -- uint64_t x7; -- uint64_t x8; -- uint64_t x9; -- uint64_t x10; -- uint64_t x11; -- uint64_t x12; -- uint64_t x13; -- uint64_t x14; -- uint64_t x15; -- uint64_t x16; -- uint64_t x17; -- uint64_t x18; -- uint64_t x19; -- fiat_secp384r1_uint1 x20; -- uint64_t x21; -- fiat_secp384r1_uint1 x22; -- uint64_t x23; -- fiat_secp384r1_uint1 x24; -- uint64_t x25; -- fiat_secp384r1_uint1 x26; -- uint64_t x27; -- fiat_secp384r1_uint1 x28; -- uint64_t x29; -- uint64_t x30; -- uint64_t x31; -- uint64_t x32; -- uint64_t x33; -- uint64_t x34; -- uint64_t x35; -- uint64_t x36; -- uint64_t x37; -- uint64_t x38; -- uint64_t x39; -- uint64_t x40; -- uint64_t x41; -- uint64_t x42; -- uint64_t x43; -- uint64_t x44; -- fiat_secp384r1_uint1 x45; -- uint64_t x46; -- fiat_secp384r1_uint1 x47; -- uint64_t x48; -- fiat_secp384r1_uint1 x49; -- uint64_t x50; -- fiat_secp384r1_uint1 x51; -- uint64_t x52; -- fiat_secp384r1_uint1 x53; -- uint64_t x54; -- uint64_t x55; -- fiat_secp384r1_uint1 x56; -- uint64_t x57; -- fiat_secp384r1_uint1 x58; -- uint64_t x59; -- fiat_secp384r1_uint1 x60; -- uint64_t x61; -- fiat_secp384r1_uint1 x62; -- uint64_t x63; -- 
fiat_secp384r1_uint1 x64; -- uint64_t x65; -- fiat_secp384r1_uint1 x66; -- uint64_t x67; -- fiat_secp384r1_uint1 x68; -- uint64_t x69; -- uint64_t x70; -- uint64_t x71; -- uint64_t x72; -- uint64_t x73; -- uint64_t x74; -- uint64_t x75; -- uint64_t x76; -- uint64_t x77; -- uint64_t x78; -- uint64_t x79; -- uint64_t x80; -- uint64_t x81; -- fiat_secp384r1_uint1 x82; -- uint64_t x83; -- fiat_secp384r1_uint1 x84; -- uint64_t x85; -- fiat_secp384r1_uint1 x86; -- uint64_t x87; -- fiat_secp384r1_uint1 x88; -- uint64_t x89; -- fiat_secp384r1_uint1 x90; -- uint64_t x91; -- uint64_t x92; -- fiat_secp384r1_uint1 x93; -- uint64_t x94; -- fiat_secp384r1_uint1 x95; -- uint64_t x96; -- fiat_secp384r1_uint1 x97; -- uint64_t x98; -- fiat_secp384r1_uint1 x99; -- uint64_t x100; -- fiat_secp384r1_uint1 x101; -- uint64_t x102; -- fiat_secp384r1_uint1 x103; -- uint64_t x104; -- fiat_secp384r1_uint1 x105; -- uint64_t x106; -- uint64_t x107; -- uint64_t x108; -- uint64_t x109; -- uint64_t x110; -- uint64_t x111; -- uint64_t x112; -- uint64_t x113; -- uint64_t x114; -- uint64_t x115; -- uint64_t x116; -- uint64_t x117; -- uint64_t x118; -- uint64_t x119; -- uint64_t x120; -- fiat_secp384r1_uint1 x121; -- uint64_t x122; -- fiat_secp384r1_uint1 x123; -- uint64_t x124; -- fiat_secp384r1_uint1 x125; -- uint64_t x126; -- fiat_secp384r1_uint1 x127; -- uint64_t x128; -- fiat_secp384r1_uint1 x129; -- uint64_t x130; -- uint64_t x131; -- fiat_secp384r1_uint1 x132; -- uint64_t x133; -- fiat_secp384r1_uint1 x134; -- uint64_t x135; -- fiat_secp384r1_uint1 x136; -- uint64_t x137; -- fiat_secp384r1_uint1 x138; -- uint64_t x139; -- fiat_secp384r1_uint1 x140; -- uint64_t x141; -- fiat_secp384r1_uint1 x142; -- uint64_t x143; -- fiat_secp384r1_uint1 x144; -- uint64_t x145; -- uint64_t x146; -- uint64_t x147; -- uint64_t x148; -- uint64_t x149; -- uint64_t x150; -- uint64_t x151; -- uint64_t x152; -- uint64_t x153; -- uint64_t x154; -- uint64_t x155; -- uint64_t x156; -- uint64_t x157; -- uint64_t x158; -- 
fiat_secp384r1_uint1 x159; -- uint64_t x160; -- fiat_secp384r1_uint1 x161; -- uint64_t x162; -- fiat_secp384r1_uint1 x163; -- uint64_t x164; -- fiat_secp384r1_uint1 x165; -- uint64_t x166; -- fiat_secp384r1_uint1 x167; -- uint64_t x168; -- uint64_t x169; -- fiat_secp384r1_uint1 x170; -- uint64_t x171; -- fiat_secp384r1_uint1 x172; -- uint64_t x173; -- fiat_secp384r1_uint1 x174; -- uint64_t x175; -- fiat_secp384r1_uint1 x176; -- uint64_t x177; -- fiat_secp384r1_uint1 x178; -- uint64_t x179; -- fiat_secp384r1_uint1 x180; -- uint64_t x181; -- fiat_secp384r1_uint1 x182; -- uint64_t x183; -- uint64_t x184; -- uint64_t x185; -- uint64_t x186; -- uint64_t x187; -- uint64_t x188; -- uint64_t x189; -- uint64_t x190; -- uint64_t x191; -- uint64_t x192; -- uint64_t x193; -- uint64_t x194; -- uint64_t x195; -- uint64_t x196; -- uint64_t x197; -- fiat_secp384r1_uint1 x198; -- uint64_t x199; -- fiat_secp384r1_uint1 x200; -- uint64_t x201; -- fiat_secp384r1_uint1 x202; -- uint64_t x203; -- fiat_secp384r1_uint1 x204; -- uint64_t x205; -- fiat_secp384r1_uint1 x206; -- uint64_t x207; -- uint64_t x208; -- fiat_secp384r1_uint1 x209; -- uint64_t x210; -- fiat_secp384r1_uint1 x211; -- uint64_t x212; -- fiat_secp384r1_uint1 x213; -- uint64_t x214; -- fiat_secp384r1_uint1 x215; -- uint64_t x216; -- fiat_secp384r1_uint1 x217; -- uint64_t x218; -- fiat_secp384r1_uint1 x219; -- uint64_t x220; -- fiat_secp384r1_uint1 x221; -- uint64_t x222; -- uint64_t x223; -- uint64_t x224; -- uint64_t x225; -- uint64_t x226; -- uint64_t x227; -- uint64_t x228; -- uint64_t x229; -- uint64_t x230; -- uint64_t x231; -- uint64_t x232; -- uint64_t x233; -- uint64_t x234; -- uint64_t x235; -- fiat_secp384r1_uint1 x236; -- uint64_t x237; -- fiat_secp384r1_uint1 x238; -- uint64_t x239; -- fiat_secp384r1_uint1 x240; -- uint64_t x241; -- fiat_secp384r1_uint1 x242; -- uint64_t x243; -- fiat_secp384r1_uint1 x244; -- uint64_t x245; -- uint64_t x246; -- fiat_secp384r1_uint1 x247; -- uint64_t x248; -- 
fiat_secp384r1_uint1 x249; -- uint64_t x250; -- fiat_secp384r1_uint1 x251; -- uint64_t x252; -- fiat_secp384r1_uint1 x253; -- uint64_t x254; -- fiat_secp384r1_uint1 x255; -- uint64_t x256; -- fiat_secp384r1_uint1 x257; -- uint64_t x258; -- fiat_secp384r1_uint1 x259; -- uint64_t x260; -- uint64_t x261; -- uint64_t x262; -- uint64_t x263; -- uint64_t x264; -- uint64_t x265; -- uint64_t x266; -- uint64_t x267; -- uint64_t x268; -- uint64_t x269; -- uint64_t x270; -- uint64_t x271; -- uint64_t x272; -- uint64_t x273; -- uint64_t x274; -- fiat_secp384r1_uint1 x275; -- uint64_t x276; -- fiat_secp384r1_uint1 x277; -- uint64_t x278; -- fiat_secp384r1_uint1 x279; -- uint64_t x280; -- fiat_secp384r1_uint1 x281; -- uint64_t x282; -- fiat_secp384r1_uint1 x283; -- uint64_t x284; -- uint64_t x285; -- fiat_secp384r1_uint1 x286; -- uint64_t x287; -- fiat_secp384r1_uint1 x288; -- uint64_t x289; -- fiat_secp384r1_uint1 x290; -- uint64_t x291; -- fiat_secp384r1_uint1 x292; -- uint64_t x293; -- fiat_secp384r1_uint1 x294; -- uint64_t x295; -- fiat_secp384r1_uint1 x296; -- uint64_t x297; -- fiat_secp384r1_uint1 x298; -- uint64_t x299; -- uint64_t x300; -- uint64_t x301; -- uint64_t x302; -- uint64_t x303; -- uint64_t x304; -- uint64_t x305; -- uint64_t x306; -- uint64_t x307; -- uint64_t x308; -- uint64_t x309; -- uint64_t x310; -- uint64_t x311; -- uint64_t x312; -- fiat_secp384r1_uint1 x313; -- uint64_t x314; -- fiat_secp384r1_uint1 x315; -- uint64_t x316; -- fiat_secp384r1_uint1 x317; -- uint64_t x318; -- fiat_secp384r1_uint1 x319; -- uint64_t x320; -- fiat_secp384r1_uint1 x321; -- uint64_t x322; -- uint64_t x323; -- fiat_secp384r1_uint1 x324; -- uint64_t x325; -- fiat_secp384r1_uint1 x326; -- uint64_t x327; -- fiat_secp384r1_uint1 x328; -- uint64_t x329; -- fiat_secp384r1_uint1 x330; -- uint64_t x331; -- fiat_secp384r1_uint1 x332; -- uint64_t x333; -- fiat_secp384r1_uint1 x334; -- uint64_t x335; -- fiat_secp384r1_uint1 x336; -- uint64_t x337; -- uint64_t x338; -- uint64_t x339; -- 
uint64_t x340; -- uint64_t x341; -- uint64_t x342; -- uint64_t x343; -- uint64_t x344; -- uint64_t x345; -- uint64_t x346; -- uint64_t x347; -- uint64_t x348; -- uint64_t x349; -- uint64_t x350; -- uint64_t x351; -- fiat_secp384r1_uint1 x352; -- uint64_t x353; -- fiat_secp384r1_uint1 x354; -- uint64_t x355; -- fiat_secp384r1_uint1 x356; -- uint64_t x357; -- fiat_secp384r1_uint1 x358; -- uint64_t x359; -- fiat_secp384r1_uint1 x360; -- uint64_t x361; -- uint64_t x362; -- fiat_secp384r1_uint1 x363; -- uint64_t x364; -- fiat_secp384r1_uint1 x365; -- uint64_t x366; -- fiat_secp384r1_uint1 x367; -- uint64_t x368; -- fiat_secp384r1_uint1 x369; -- uint64_t x370; -- fiat_secp384r1_uint1 x371; -- uint64_t x372; -- fiat_secp384r1_uint1 x373; -- uint64_t x374; -- fiat_secp384r1_uint1 x375; -- uint64_t x376; -- uint64_t x377; -- uint64_t x378; -- uint64_t x379; -- uint64_t x380; -- uint64_t x381; -- uint64_t x382; -- uint64_t x383; -- uint64_t x384; -- uint64_t x385; -- uint64_t x386; -- uint64_t x387; -- uint64_t x388; -- uint64_t x389; -- fiat_secp384r1_uint1 x390; -- uint64_t x391; -- fiat_secp384r1_uint1 x392; -- uint64_t x393; -- fiat_secp384r1_uint1 x394; -- uint64_t x395; -- fiat_secp384r1_uint1 x396; -- uint64_t x397; -- fiat_secp384r1_uint1 x398; -- uint64_t x399; -- uint64_t x400; -- fiat_secp384r1_uint1 x401; -- uint64_t x402; -- fiat_secp384r1_uint1 x403; -- uint64_t x404; -- fiat_secp384r1_uint1 x405; -- uint64_t x406; -- fiat_secp384r1_uint1 x407; -- uint64_t x408; -- fiat_secp384r1_uint1 x409; -- uint64_t x410; -- fiat_secp384r1_uint1 x411; -- uint64_t x412; -- fiat_secp384r1_uint1 x413; -- uint64_t x414; -- uint64_t x415; -- uint64_t x416; -- uint64_t x417; -- uint64_t x418; -- uint64_t x419; -- uint64_t x420; -- uint64_t x421; -- uint64_t x422; -- uint64_t x423; -- uint64_t x424; -- uint64_t x425; -- uint64_t x426; -- uint64_t x427; -- uint64_t x428; -- fiat_secp384r1_uint1 x429; -- uint64_t x430; -- fiat_secp384r1_uint1 x431; -- uint64_t x432; -- 
fiat_secp384r1_uint1 x433; -- uint64_t x434; -- fiat_secp384r1_uint1 x435; -- uint64_t x436; -- fiat_secp384r1_uint1 x437; -- uint64_t x438; -- uint64_t x439; -- fiat_secp384r1_uint1 x440; -- uint64_t x441; -- fiat_secp384r1_uint1 x442; -- uint64_t x443; -- fiat_secp384r1_uint1 x444; -- uint64_t x445; -- fiat_secp384r1_uint1 x446; -- uint64_t x447; -- fiat_secp384r1_uint1 x448; -- uint64_t x449; -- fiat_secp384r1_uint1 x450; -- uint64_t x451; -- fiat_secp384r1_uint1 x452; -- uint64_t x453; -- uint64_t x454; -- fiat_secp384r1_uint1 x455; -- uint64_t x456; -- fiat_secp384r1_uint1 x457; -- uint64_t x458; -- fiat_secp384r1_uint1 x459; -- uint64_t x460; -- fiat_secp384r1_uint1 x461; -- uint64_t x462; -- fiat_secp384r1_uint1 x463; -- uint64_t x464; -- fiat_secp384r1_uint1 x465; -- uint64_t x466; -- fiat_secp384r1_uint1 x467; -- uint64_t x468; -- uint64_t x469; -- uint64_t x470; -- uint64_t x471; -- uint64_t x472; -- uint64_t x473; -- x1 = (arg1[1]); -- x2 = (arg1[2]); -- x3 = (arg1[3]); -- x4 = (arg1[4]); -- x5 = (arg1[5]); -- x6 = (arg1[0]); -- fiat_secp384r1_mulx_u64(&x7, &x8, x6, (arg1[5])); -- fiat_secp384r1_mulx_u64(&x9, &x10, x6, (arg1[4])); -- fiat_secp384r1_mulx_u64(&x11, &x12, x6, (arg1[3])); -- fiat_secp384r1_mulx_u64(&x13, &x14, x6, (arg1[2])); -- fiat_secp384r1_mulx_u64(&x15, &x16, x6, (arg1[1])); -- fiat_secp384r1_mulx_u64(&x17, &x18, x6, (arg1[0])); -- fiat_secp384r1_addcarryx_u64(&x19, &x20, 0x0, x18, x15); -- fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x16, x13); -- fiat_secp384r1_addcarryx_u64(&x23, &x24, x22, x14, x11); -- fiat_secp384r1_addcarryx_u64(&x25, &x26, x24, x12, x9); -- fiat_secp384r1_addcarryx_u64(&x27, &x28, x26, x10, x7); -- x29 = (x28 + x8); -- fiat_secp384r1_mulx_u64(&x30, &x31, x17, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x32, &x33, x30, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x34, &x35, x30, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x36, &x37, x30, UINT64_C(0xffffffffffffffff)); -- 
fiat_secp384r1_mulx_u64(&x38, &x39, x30, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x40, &x41, x30, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x42, &x43, x30, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x44, &x45, 0x0, x43, x40); -- fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x41, x38); -- fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x39, x36); -- fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x37, x34); -- fiat_secp384r1_addcarryx_u64(&x52, &x53, x51, x35, x32); -- x54 = (x53 + x33); -- fiat_secp384r1_addcarryx_u64(&x55, &x56, 0x0, x17, x42); -- fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x19, x44); -- fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, x21, x46); -- fiat_secp384r1_addcarryx_u64(&x61, &x62, x60, x23, x48); -- fiat_secp384r1_addcarryx_u64(&x63, &x64, x62, x25, x50); -- fiat_secp384r1_addcarryx_u64(&x65, &x66, x64, x27, x52); -- fiat_secp384r1_addcarryx_u64(&x67, &x68, x66, x29, x54); -- fiat_secp384r1_mulx_u64(&x69, &x70, x1, (arg1[5])); -- fiat_secp384r1_mulx_u64(&x71, &x72, x1, (arg1[4])); -- fiat_secp384r1_mulx_u64(&x73, &x74, x1, (arg1[3])); -- fiat_secp384r1_mulx_u64(&x75, &x76, x1, (arg1[2])); -- fiat_secp384r1_mulx_u64(&x77, &x78, x1, (arg1[1])); -- fiat_secp384r1_mulx_u64(&x79, &x80, x1, (arg1[0])); -- fiat_secp384r1_addcarryx_u64(&x81, &x82, 0x0, x80, x77); -- fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x78, x75); -- fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x76, x73); -- fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x74, x71); -- fiat_secp384r1_addcarryx_u64(&x89, &x90, x88, x72, x69); -- x91 = (x90 + x70); -- fiat_secp384r1_addcarryx_u64(&x92, &x93, 0x0, x57, x79); -- fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x59, x81); -- fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x61, x83); -- fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x63, x85); -- fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x65, x87); -- fiat_secp384r1_addcarryx_u64(&x102, &x103, x101, x67, x89); -- 
fiat_secp384r1_addcarryx_u64(&x104, &x105, x103, x68, x91); -- fiat_secp384r1_mulx_u64(&x106, &x107, x92, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x108, &x109, x106, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x110, &x111, x106, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x112, &x113, x106, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x114, &x115, x106, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x116, &x117, x106, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x118, &x119, x106, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x120, &x121, 0x0, x119, x116); -- fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x117, x114); -- fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x115, x112); -- fiat_secp384r1_addcarryx_u64(&x126, &x127, x125, x113, x110); -- fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x111, x108); -- x130 = (x129 + x109); -- fiat_secp384r1_addcarryx_u64(&x131, &x132, 0x0, x92, x118); -- fiat_secp384r1_addcarryx_u64(&x133, &x134, x132, x94, x120); -- fiat_secp384r1_addcarryx_u64(&x135, &x136, x134, x96, x122); -- fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x98, x124); -- fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x100, x126); -- fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x102, x128); -- fiat_secp384r1_addcarryx_u64(&x143, &x144, x142, x104, x130); -- x145 = ((uint64_t)x144 + x105); -- fiat_secp384r1_mulx_u64(&x146, &x147, x2, (arg1[5])); -- fiat_secp384r1_mulx_u64(&x148, &x149, x2, (arg1[4])); -- fiat_secp384r1_mulx_u64(&x150, &x151, x2, (arg1[3])); -- fiat_secp384r1_mulx_u64(&x152, &x153, x2, (arg1[2])); -- fiat_secp384r1_mulx_u64(&x154, &x155, x2, (arg1[1])); -- fiat_secp384r1_mulx_u64(&x156, &x157, x2, (arg1[0])); -- fiat_secp384r1_addcarryx_u64(&x158, &x159, 0x0, x157, x154); -- fiat_secp384r1_addcarryx_u64(&x160, &x161, x159, x155, x152); -- fiat_secp384r1_addcarryx_u64(&x162, &x163, x161, x153, x150); -- fiat_secp384r1_addcarryx_u64(&x164, 
&x165, x163, x151, x148); -- fiat_secp384r1_addcarryx_u64(&x166, &x167, x165, x149, x146); -- x168 = (x167 + x147); -- fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x133, x156); -- fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x135, x158); -- fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x137, x160); -- fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x139, x162); -- fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x141, x164); -- fiat_secp384r1_addcarryx_u64(&x179, &x180, x178, x143, x166); -- fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x168); -- fiat_secp384r1_mulx_u64(&x183, &x184, x169, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x185, &x186, x183, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x187, &x188, x183, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x189, &x190, x183, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x191, &x192, x183, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x193, &x194, x183, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x195, &x196, x183, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x197, &x198, 0x0, x196, x193); -- fiat_secp384r1_addcarryx_u64(&x199, &x200, x198, x194, x191); -- fiat_secp384r1_addcarryx_u64(&x201, &x202, x200, x192, x189); -- fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x190, x187); -- fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x188, x185); -- x207 = (x206 + x186); -- fiat_secp384r1_addcarryx_u64(&x208, &x209, 0x0, x169, x195); -- fiat_secp384r1_addcarryx_u64(&x210, &x211, x209, x171, x197); -- fiat_secp384r1_addcarryx_u64(&x212, &x213, x211, x173, x199); -- fiat_secp384r1_addcarryx_u64(&x214, &x215, x213, x175, x201); -- fiat_secp384r1_addcarryx_u64(&x216, &x217, x215, x177, x203); -- fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x179, x205); -- fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x181, x207); -- x222 = ((uint64_t)x221 + x182); -- fiat_secp384r1_mulx_u64(&x223, &x224, x3, (arg1[5])); -- 
fiat_secp384r1_mulx_u64(&x225, &x226, x3, (arg1[4])); -- fiat_secp384r1_mulx_u64(&x227, &x228, x3, (arg1[3])); -- fiat_secp384r1_mulx_u64(&x229, &x230, x3, (arg1[2])); -- fiat_secp384r1_mulx_u64(&x231, &x232, x3, (arg1[1])); -- fiat_secp384r1_mulx_u64(&x233, &x234, x3, (arg1[0])); -- fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); -- fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); -- fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); -- fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); -- fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); -- x245 = (x244 + x224); -- fiat_secp384r1_addcarryx_u64(&x246, &x247, 0x0, x210, x233); -- fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x212, x235); -- fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x214, x237); -- fiat_secp384r1_addcarryx_u64(&x252, &x253, x251, x216, x239); -- fiat_secp384r1_addcarryx_u64(&x254, &x255, x253, x218, x241); -- fiat_secp384r1_addcarryx_u64(&x256, &x257, x255, x220, x243); -- fiat_secp384r1_addcarryx_u64(&x258, &x259, x257, x222, x245); -- fiat_secp384r1_mulx_u64(&x260, &x261, x246, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x262, &x263, x260, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x264, &x265, x260, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x266, &x267, x260, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x268, &x269, x260, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x270, &x271, x260, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x272, &x273, x260, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x274, &x275, 0x0, x273, x270); -- fiat_secp384r1_addcarryx_u64(&x276, &x277, x275, x271, x268); -- fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x269, x266); -- fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x267, x264); -- fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x265, x262); -- x284 = (x283 + x263); -- 
fiat_secp384r1_addcarryx_u64(&x285, &x286, 0x0, x246, x272); -- fiat_secp384r1_addcarryx_u64(&x287, &x288, x286, x248, x274); -- fiat_secp384r1_addcarryx_u64(&x289, &x290, x288, x250, x276); -- fiat_secp384r1_addcarryx_u64(&x291, &x292, x290, x252, x278); -- fiat_secp384r1_addcarryx_u64(&x293, &x294, x292, x254, x280); -- fiat_secp384r1_addcarryx_u64(&x295, &x296, x294, x256, x282); -- fiat_secp384r1_addcarryx_u64(&x297, &x298, x296, x258, x284); -- x299 = ((uint64_t)x298 + x259); -- fiat_secp384r1_mulx_u64(&x300, &x301, x4, (arg1[5])); -- fiat_secp384r1_mulx_u64(&x302, &x303, x4, (arg1[4])); -- fiat_secp384r1_mulx_u64(&x304, &x305, x4, (arg1[3])); -- fiat_secp384r1_mulx_u64(&x306, &x307, x4, (arg1[2])); -- fiat_secp384r1_mulx_u64(&x308, &x309, x4, (arg1[1])); -- fiat_secp384r1_mulx_u64(&x310, &x311, x4, (arg1[0])); -- fiat_secp384r1_addcarryx_u64(&x312, &x313, 0x0, x311, x308); -- fiat_secp384r1_addcarryx_u64(&x314, &x315, x313, x309, x306); -- fiat_secp384r1_addcarryx_u64(&x316, &x317, x315, x307, x304); -- fiat_secp384r1_addcarryx_u64(&x318, &x319, x317, x305, x302); -- fiat_secp384r1_addcarryx_u64(&x320, &x321, x319, x303, x300); -- x322 = (x321 + x301); -- fiat_secp384r1_addcarryx_u64(&x323, &x324, 0x0, x287, x310); -- fiat_secp384r1_addcarryx_u64(&x325, &x326, x324, x289, x312); -- fiat_secp384r1_addcarryx_u64(&x327, &x328, x326, x291, x314); -- fiat_secp384r1_addcarryx_u64(&x329, &x330, x328, x293, x316); -- fiat_secp384r1_addcarryx_u64(&x331, &x332, x330, x295, x318); -- fiat_secp384r1_addcarryx_u64(&x333, &x334, x332, x297, x320); -- fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x299, x322); -- fiat_secp384r1_mulx_u64(&x337, &x338, x323, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x339, &x340, x337, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x341, &x342, x337, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x343, &x344, x337, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x345, &x346, x337, 
UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x347, &x348, x337, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x349, &x350, x337, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x351, &x352, 0x0, x350, x347); -- fiat_secp384r1_addcarryx_u64(&x353, &x354, x352, x348, x345); -- fiat_secp384r1_addcarryx_u64(&x355, &x356, x354, x346, x343); -- fiat_secp384r1_addcarryx_u64(&x357, &x358, x356, x344, x341); -- fiat_secp384r1_addcarryx_u64(&x359, &x360, x358, x342, x339); -- x361 = (x360 + x340); -- fiat_secp384r1_addcarryx_u64(&x362, &x363, 0x0, x323, x349); -- fiat_secp384r1_addcarryx_u64(&x364, &x365, x363, x325, x351); -- fiat_secp384r1_addcarryx_u64(&x366, &x367, x365, x327, x353); -- fiat_secp384r1_addcarryx_u64(&x368, &x369, x367, x329, x355); -- fiat_secp384r1_addcarryx_u64(&x370, &x371, x369, x331, x357); -- fiat_secp384r1_addcarryx_u64(&x372, &x373, x371, x333, x359); -- fiat_secp384r1_addcarryx_u64(&x374, &x375, x373, x335, x361); -- x376 = ((uint64_t)x375 + x336); -- fiat_secp384r1_mulx_u64(&x377, &x378, x5, (arg1[5])); -- fiat_secp384r1_mulx_u64(&x379, &x380, x5, (arg1[4])); -- fiat_secp384r1_mulx_u64(&x381, &x382, x5, (arg1[3])); -- fiat_secp384r1_mulx_u64(&x383, &x384, x5, (arg1[2])); -- fiat_secp384r1_mulx_u64(&x385, &x386, x5, (arg1[1])); -- fiat_secp384r1_mulx_u64(&x387, &x388, x5, (arg1[0])); -- fiat_secp384r1_addcarryx_u64(&x389, &x390, 0x0, x388, x385); -- fiat_secp384r1_addcarryx_u64(&x391, &x392, x390, x386, x383); -- fiat_secp384r1_addcarryx_u64(&x393, &x394, x392, x384, x381); -- fiat_secp384r1_addcarryx_u64(&x395, &x396, x394, x382, x379); -- fiat_secp384r1_addcarryx_u64(&x397, &x398, x396, x380, x377); -- x399 = (x398 + x378); -- fiat_secp384r1_addcarryx_u64(&x400, &x401, 0x0, x364, x387); -- fiat_secp384r1_addcarryx_u64(&x402, &x403, x401, x366, x389); -- fiat_secp384r1_addcarryx_u64(&x404, &x405, x403, x368, x391); -- fiat_secp384r1_addcarryx_u64(&x406, &x407, x405, x370, x393); -- 
fiat_secp384r1_addcarryx_u64(&x408, &x409, x407, x372, x395); -- fiat_secp384r1_addcarryx_u64(&x410, &x411, x409, x374, x397); -- fiat_secp384r1_addcarryx_u64(&x412, &x413, x411, x376, x399); -- fiat_secp384r1_mulx_u64(&x414, &x415, x400, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x416, &x417, x414, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x418, &x419, x414, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x420, &x421, x414, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x422, &x423, x414, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x424, &x425, x414, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x426, &x427, x414, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x428, &x429, 0x0, x427, x424); -- fiat_secp384r1_addcarryx_u64(&x430, &x431, x429, x425, x422); -- fiat_secp384r1_addcarryx_u64(&x432, &x433, x431, x423, x420); -- fiat_secp384r1_addcarryx_u64(&x434, &x435, x433, x421, x418); -- fiat_secp384r1_addcarryx_u64(&x436, &x437, x435, x419, x416); -- x438 = (x437 + x417); -- fiat_secp384r1_addcarryx_u64(&x439, &x440, 0x0, x400, x426); -- fiat_secp384r1_addcarryx_u64(&x441, &x442, x440, x402, x428); -- fiat_secp384r1_addcarryx_u64(&x443, &x444, x442, x404, x430); -- fiat_secp384r1_addcarryx_u64(&x445, &x446, x444, x406, x432); -- fiat_secp384r1_addcarryx_u64(&x447, &x448, x446, x408, x434); -- fiat_secp384r1_addcarryx_u64(&x449, &x450, x448, x410, x436); -- fiat_secp384r1_addcarryx_u64(&x451, &x452, x450, x412, x438); -- x453 = ((uint64_t)x452 + x413); -- fiat_secp384r1_subborrowx_u64(&x454, &x455, 0x0, x441, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u64(&x456, &x457, x455, x443, -- UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_subborrowx_u64(&x458, &x459, x457, x445, -- UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_subborrowx_u64(&x460, &x461, x459, x447, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x462, &x463, x461, x449, -- 
UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x464, &x465, x463, x451, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x466, &x467, x465, x453, 0x0); -- fiat_secp384r1_cmovznz_u64(&x468, x467, x454, x441); -- fiat_secp384r1_cmovznz_u64(&x469, x467, x456, x443); -- fiat_secp384r1_cmovznz_u64(&x470, x467, x458, x445); -- fiat_secp384r1_cmovznz_u64(&x471, x467, x460, x447); -- fiat_secp384r1_cmovznz_u64(&x472, x467, x462, x449); -- fiat_secp384r1_cmovznz_u64(&x473, x467, x464, x451); -- out1[0] = x468; -- out1[1] = x469; -- out1[2] = x470; -- out1[3] = x471; -- out1[4] = x472; -- out1[5] = x473; --} -- --/* -- * The function fiat_secp384r1_add adds two field elements in the Montgomery domain. -- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * 0 ≤ eval arg2 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_add( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1, -- const fiat_secp384r1_montgomery_domain_field_element arg2) --{ -- uint64_t x1; -- fiat_secp384r1_uint1 x2; -- uint64_t x3; -- fiat_secp384r1_uint1 x4; -- uint64_t x5; -- fiat_secp384r1_uint1 x6; -- uint64_t x7; -- fiat_secp384r1_uint1 x8; -- uint64_t x9; -- fiat_secp384r1_uint1 x10; -- uint64_t x11; -- fiat_secp384r1_uint1 x12; -- uint64_t x13; -- fiat_secp384r1_uint1 x14; -- uint64_t x15; -- fiat_secp384r1_uint1 x16; -- uint64_t x17; -- fiat_secp384r1_uint1 x18; -- uint64_t x19; -- fiat_secp384r1_uint1 x20; -- uint64_t x21; -- fiat_secp384r1_uint1 x22; -- uint64_t x23; -- fiat_secp384r1_uint1 x24; -- uint64_t x25; -- fiat_secp384r1_uint1 x26; -- uint64_t x27; -- uint64_t x28; -- uint64_t x29; -- uint64_t x30; -- uint64_t x31; -- uint64_t x32; -- fiat_secp384r1_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); -- fiat_secp384r1_addcarryx_u64(&x3, &x4, x2, 
(arg1[1]), (arg2[1])); -- fiat_secp384r1_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); -- fiat_secp384r1_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); -- fiat_secp384r1_addcarryx_u64(&x9, &x10, x8, (arg1[4]), (arg2[4])); -- fiat_secp384r1_addcarryx_u64(&x11, &x12, x10, (arg1[5]), (arg2[5])); -- fiat_secp384r1_subborrowx_u64(&x13, &x14, 0x0, x1, UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u64(&x15, &x16, x14, x3, -- UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_subborrowx_u64(&x17, &x18, x16, x5, -- UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_subborrowx_u64(&x19, &x20, x18, x7, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x21, &x22, x20, x9, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x23, &x24, x22, x11, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x25, &x26, x24, x12, 0x0); -- fiat_secp384r1_cmovznz_u64(&x27, x26, x13, x1); -- fiat_secp384r1_cmovznz_u64(&x28, x26, x15, x3); -- fiat_secp384r1_cmovznz_u64(&x29, x26, x17, x5); -- fiat_secp384r1_cmovznz_u64(&x30, x26, x19, x7); -- fiat_secp384r1_cmovznz_u64(&x31, x26, x21, x9); -- fiat_secp384r1_cmovznz_u64(&x32, x26, x23, x11); -- out1[0] = x27; -- out1[1] = x28; -- out1[2] = x29; -- out1[3] = x30; -- out1[4] = x31; -- out1[5] = x32; --} -- --/* -- * The function fiat_secp384r1_sub subtracts two field elements in the Montgomery domain. 
-- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * 0 ≤ eval arg2 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_sub( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1, -- const fiat_secp384r1_montgomery_domain_field_element arg2) --{ -- uint64_t x1; -- fiat_secp384r1_uint1 x2; -- uint64_t x3; -- fiat_secp384r1_uint1 x4; -- uint64_t x5; -- fiat_secp384r1_uint1 x6; -- uint64_t x7; -- fiat_secp384r1_uint1 x8; -- uint64_t x9; -- fiat_secp384r1_uint1 x10; -- uint64_t x11; -- fiat_secp384r1_uint1 x12; -- uint64_t x13; -- uint64_t x14; -- fiat_secp384r1_uint1 x15; -- uint64_t x16; -- fiat_secp384r1_uint1 x17; -- uint64_t x18; -- fiat_secp384r1_uint1 x19; -- uint64_t x20; -- fiat_secp384r1_uint1 x21; -- uint64_t x22; -- fiat_secp384r1_uint1 x23; -- uint64_t x24; -- fiat_secp384r1_uint1 x25; -- fiat_secp384r1_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); -- fiat_secp384r1_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); -- fiat_secp384r1_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); -- fiat_secp384r1_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); -- fiat_secp384r1_subborrowx_u64(&x9, &x10, x8, (arg1[4]), (arg2[4])); -- fiat_secp384r1_subborrowx_u64(&x11, &x12, x10, (arg1[5]), (arg2[5])); -- fiat_secp384r1_cmovznz_u64(&x13, x12, 0x0, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_addcarryx_u64(&x14, &x15, 0x0, x1, -- (x13 & UINT32_C(0xffffffff))); -- fiat_secp384r1_addcarryx_u64(&x16, &x17, x15, x3, -- (x13 & UINT64_C(0xffffffff00000000))); -- fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x5, -- (x13 & UINT64_C(0xfffffffffffffffe))); -- fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x7, x13); -- fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, x13); -- fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x11, x13); -- out1[0] = x14; -- out1[1] 
= x16; -- out1[2] = x18; -- out1[3] = x20; -- out1[4] = x22; -- out1[5] = x24; --} -- --/* -- * The function fiat_secp384r1_opp negates a field element in the Montgomery domain. -- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_opp( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1) --{ -- uint64_t x1; -- fiat_secp384r1_uint1 x2; -- uint64_t x3; -- fiat_secp384r1_uint1 x4; -- uint64_t x5; -- fiat_secp384r1_uint1 x6; -- uint64_t x7; -- fiat_secp384r1_uint1 x8; -- uint64_t x9; -- fiat_secp384r1_uint1 x10; -- uint64_t x11; -- fiat_secp384r1_uint1 x12; -- uint64_t x13; -- uint64_t x14; -- fiat_secp384r1_uint1 x15; -- uint64_t x16; -- fiat_secp384r1_uint1 x17; -- uint64_t x18; -- fiat_secp384r1_uint1 x19; -- uint64_t x20; -- fiat_secp384r1_uint1 x21; -- uint64_t x22; -- fiat_secp384r1_uint1 x23; -- uint64_t x24; -- fiat_secp384r1_uint1 x25; -- fiat_secp384r1_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0])); -- fiat_secp384r1_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1])); -- fiat_secp384r1_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2])); -- fiat_secp384r1_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3])); -- fiat_secp384r1_subborrowx_u64(&x9, &x10, x8, 0x0, (arg1[4])); -- fiat_secp384r1_subborrowx_u64(&x11, &x12, x10, 0x0, (arg1[5])); -- fiat_secp384r1_cmovznz_u64(&x13, x12, 0x0, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_addcarryx_u64(&x14, &x15, 0x0, x1, -- (x13 & UINT32_C(0xffffffff))); -- fiat_secp384r1_addcarryx_u64(&x16, &x17, x15, x3, -- (x13 & UINT64_C(0xffffffff00000000))); -- fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x5, -- (x13 & UINT64_C(0xfffffffffffffffe))); -- fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x7, x13); -- fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, x13); -- fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x11, x13); -- 
out1[0] = x14; -- out1[1] = x16; -- out1[2] = x18; -- out1[3] = x20; -- out1[4] = x22; -- out1[5] = x24; --} -- --/* -- * The function fiat_secp384r1_from_montgomery translates a field element out of the Montgomery domain. -- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * Postconditions: -- * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^6) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_from_montgomery( -- fiat_secp384r1_non_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1) --{ -- uint64_t x1; -- uint64_t x2; -- uint64_t x3; -- uint64_t x4; -- uint64_t x5; -- uint64_t x6; -- uint64_t x7; -- uint64_t x8; -- uint64_t x9; -- uint64_t x10; -- uint64_t x11; -- uint64_t x12; -- uint64_t x13; -- uint64_t x14; -- uint64_t x15; -- uint64_t x16; -- fiat_secp384r1_uint1 x17; -- uint64_t x18; -- fiat_secp384r1_uint1 x19; -- uint64_t x20; -- fiat_secp384r1_uint1 x21; -- uint64_t x22; -- fiat_secp384r1_uint1 x23; -- uint64_t x24; -- fiat_secp384r1_uint1 x25; -- uint64_t x26; -- fiat_secp384r1_uint1 x27; -- uint64_t x28; -- fiat_secp384r1_uint1 x29; -- uint64_t x30; -- fiat_secp384r1_uint1 x31; -- uint64_t x32; -- fiat_secp384r1_uint1 x33; -- uint64_t x34; -- fiat_secp384r1_uint1 x35; -- uint64_t x36; -- fiat_secp384r1_uint1 x37; -- uint64_t x38; -- fiat_secp384r1_uint1 x39; -- uint64_t x40; -- fiat_secp384r1_uint1 x41; -- uint64_t x42; -- fiat_secp384r1_uint1 x43; -- uint64_t x44; -- fiat_secp384r1_uint1 x45; -- uint64_t x46; -- fiat_secp384r1_uint1 x47; -- uint64_t x48; -- fiat_secp384r1_uint1 x49; -- uint64_t x50; -- fiat_secp384r1_uint1 x51; -- uint64_t x52; -- uint64_t x53; -- uint64_t x54; -- uint64_t x55; -- uint64_t x56; -- uint64_t x57; -- uint64_t x58; -- uint64_t x59; -- uint64_t x60; -- uint64_t x61; -- uint64_t x62; -- uint64_t x63; -- uint64_t x64; -- uint64_t x65; -- uint64_t x66; -- fiat_secp384r1_uint1 x67; -- uint64_t x68; -- fiat_secp384r1_uint1 x69; -- uint64_t x70; -- 
fiat_secp384r1_uint1 x71; -- uint64_t x72; -- fiat_secp384r1_uint1 x73; -- uint64_t x74; -- fiat_secp384r1_uint1 x75; -- uint64_t x76; -- fiat_secp384r1_uint1 x77; -- uint64_t x78; -- fiat_secp384r1_uint1 x79; -- uint64_t x80; -- fiat_secp384r1_uint1 x81; -- uint64_t x82; -- fiat_secp384r1_uint1 x83; -- uint64_t x84; -- fiat_secp384r1_uint1 x85; -- uint64_t x86; -- fiat_secp384r1_uint1 x87; -- uint64_t x88; -- fiat_secp384r1_uint1 x89; -- uint64_t x90; -- fiat_secp384r1_uint1 x91; -- uint64_t x92; -- fiat_secp384r1_uint1 x93; -- uint64_t x94; -- fiat_secp384r1_uint1 x95; -- uint64_t x96; -- fiat_secp384r1_uint1 x97; -- uint64_t x98; -- fiat_secp384r1_uint1 x99; -- uint64_t x100; -- fiat_secp384r1_uint1 x101; -- uint64_t x102; -- uint64_t x103; -- uint64_t x104; -- uint64_t x105; -- uint64_t x106; -- uint64_t x107; -- uint64_t x108; -- uint64_t x109; -- uint64_t x110; -- uint64_t x111; -- uint64_t x112; -- uint64_t x113; -- uint64_t x114; -- uint64_t x115; -- uint64_t x116; -- fiat_secp384r1_uint1 x117; -- uint64_t x118; -- fiat_secp384r1_uint1 x119; -- uint64_t x120; -- fiat_secp384r1_uint1 x121; -- uint64_t x122; -- fiat_secp384r1_uint1 x123; -- uint64_t x124; -- fiat_secp384r1_uint1 x125; -- uint64_t x126; -- fiat_secp384r1_uint1 x127; -- uint64_t x128; -- fiat_secp384r1_uint1 x129; -- uint64_t x130; -- fiat_secp384r1_uint1 x131; -- uint64_t x132; -- fiat_secp384r1_uint1 x133; -- uint64_t x134; -- fiat_secp384r1_uint1 x135; -- uint64_t x136; -- fiat_secp384r1_uint1 x137; -- uint64_t x138; -- fiat_secp384r1_uint1 x139; -- uint64_t x140; -- fiat_secp384r1_uint1 x141; -- uint64_t x142; -- fiat_secp384r1_uint1 x143; -- uint64_t x144; -- fiat_secp384r1_uint1 x145; -- uint64_t x146; -- fiat_secp384r1_uint1 x147; -- uint64_t x148; -- fiat_secp384r1_uint1 x149; -- uint64_t x150; -- fiat_secp384r1_uint1 x151; -- uint64_t x152; -- uint64_t x153; -- uint64_t x154; -- uint64_t x155; -- uint64_t x156; -- uint64_t x157; -- uint64_t x158; -- uint64_t x159; -- uint64_t x160; -- 
uint64_t x161; -- uint64_t x162; -- uint64_t x163; -- uint64_t x164; -- uint64_t x165; -- uint64_t x166; -- fiat_secp384r1_uint1 x167; -- uint64_t x168; -- fiat_secp384r1_uint1 x169; -- uint64_t x170; -- fiat_secp384r1_uint1 x171; -- uint64_t x172; -- fiat_secp384r1_uint1 x173; -- uint64_t x174; -- fiat_secp384r1_uint1 x175; -- uint64_t x176; -- fiat_secp384r1_uint1 x177; -- uint64_t x178; -- fiat_secp384r1_uint1 x179; -- uint64_t x180; -- fiat_secp384r1_uint1 x181; -- uint64_t x182; -- fiat_secp384r1_uint1 x183; -- uint64_t x184; -- fiat_secp384r1_uint1 x185; -- uint64_t x186; -- fiat_secp384r1_uint1 x187; -- uint64_t x188; -- fiat_secp384r1_uint1 x189; -- uint64_t x190; -- fiat_secp384r1_uint1 x191; -- uint64_t x192; -- fiat_secp384r1_uint1 x193; -- uint64_t x194; -- fiat_secp384r1_uint1 x195; -- uint64_t x196; -- fiat_secp384r1_uint1 x197; -- uint64_t x198; -- fiat_secp384r1_uint1 x199; -- uint64_t x200; -- fiat_secp384r1_uint1 x201; -- uint64_t x202; -- uint64_t x203; -- uint64_t x204; -- uint64_t x205; -- uint64_t x206; -- uint64_t x207; -- uint64_t x208; -- uint64_t x209; -- uint64_t x210; -- uint64_t x211; -- uint64_t x212; -- uint64_t x213; -- uint64_t x214; -- uint64_t x215; -- uint64_t x216; -- fiat_secp384r1_uint1 x217; -- uint64_t x218; -- fiat_secp384r1_uint1 x219; -- uint64_t x220; -- fiat_secp384r1_uint1 x221; -- uint64_t x222; -- fiat_secp384r1_uint1 x223; -- uint64_t x224; -- fiat_secp384r1_uint1 x225; -- uint64_t x226; -- fiat_secp384r1_uint1 x227; -- uint64_t x228; -- fiat_secp384r1_uint1 x229; -- uint64_t x230; -- fiat_secp384r1_uint1 x231; -- uint64_t x232; -- fiat_secp384r1_uint1 x233; -- uint64_t x234; -- fiat_secp384r1_uint1 x235; -- uint64_t x236; -- fiat_secp384r1_uint1 x237; -- uint64_t x238; -- fiat_secp384r1_uint1 x239; -- uint64_t x240; -- fiat_secp384r1_uint1 x241; -- uint64_t x242; -- fiat_secp384r1_uint1 x243; -- uint64_t x244; -- fiat_secp384r1_uint1 x245; -- uint64_t x246; -- fiat_secp384r1_uint1 x247; -- uint64_t x248; -- 
fiat_secp384r1_uint1 x249; -- uint64_t x250; -- fiat_secp384r1_uint1 x251; -- uint64_t x252; -- uint64_t x253; -- uint64_t x254; -- uint64_t x255; -- uint64_t x256; -- uint64_t x257; -- uint64_t x258; -- uint64_t x259; -- uint64_t x260; -- uint64_t x261; -- uint64_t x262; -- uint64_t x263; -- uint64_t x264; -- uint64_t x265; -- uint64_t x266; -- fiat_secp384r1_uint1 x267; -- uint64_t x268; -- fiat_secp384r1_uint1 x269; -- uint64_t x270; -- fiat_secp384r1_uint1 x271; -- uint64_t x272; -- fiat_secp384r1_uint1 x273; -- uint64_t x274; -- fiat_secp384r1_uint1 x275; -- uint64_t x276; -- fiat_secp384r1_uint1 x277; -- uint64_t x278; -- fiat_secp384r1_uint1 x279; -- uint64_t x280; -- fiat_secp384r1_uint1 x281; -- uint64_t x282; -- fiat_secp384r1_uint1 x283; -- uint64_t x284; -- fiat_secp384r1_uint1 x285; -- uint64_t x286; -- fiat_secp384r1_uint1 x287; -- uint64_t x288; -- fiat_secp384r1_uint1 x289; -- uint64_t x290; -- fiat_secp384r1_uint1 x291; -- uint64_t x292; -- fiat_secp384r1_uint1 x293; -- uint64_t x294; -- fiat_secp384r1_uint1 x295; -- uint64_t x296; -- fiat_secp384r1_uint1 x297; -- uint64_t x298; -- fiat_secp384r1_uint1 x299; -- uint64_t x300; -- fiat_secp384r1_uint1 x301; -- uint64_t x302; -- fiat_secp384r1_uint1 x303; -- uint64_t x304; -- uint64_t x305; -- uint64_t x306; -- uint64_t x307; -- uint64_t x308; -- uint64_t x309; -- x1 = (arg1[0]); -- fiat_secp384r1_mulx_u64(&x2, &x3, x1, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x4, &x5, x2, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x6, &x7, x2, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x8, &x9, x2, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x10, &x11, x2, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x12, &x13, x2, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x14, &x15, x2, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x16, &x17, 0x0, x15, x12); -- fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, x13, x10); -- 
fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, x11, x8); -- fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, x9, x6); -- fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, x7, x4); -- fiat_secp384r1_addcarryx_u64(&x26, &x27, 0x0, x1, x14); -- fiat_secp384r1_addcarryx_u64(&x28, &x29, x27, 0x0, x16); -- fiat_secp384r1_addcarryx_u64(&x30, &x31, x29, 0x0, x18); -- fiat_secp384r1_addcarryx_u64(&x32, &x33, x31, 0x0, x20); -- fiat_secp384r1_addcarryx_u64(&x34, &x35, x33, 0x0, x22); -- fiat_secp384r1_addcarryx_u64(&x36, &x37, x35, 0x0, x24); -- fiat_secp384r1_addcarryx_u64(&x38, &x39, x37, 0x0, (x25 + x5)); -- fiat_secp384r1_addcarryx_u64(&x40, &x41, 0x0, x28, (arg1[1])); -- fiat_secp384r1_addcarryx_u64(&x42, &x43, x41, x30, 0x0); -- fiat_secp384r1_addcarryx_u64(&x44, &x45, x43, x32, 0x0); -- fiat_secp384r1_addcarryx_u64(&x46, &x47, x45, x34, 0x0); -- fiat_secp384r1_addcarryx_u64(&x48, &x49, x47, x36, 0x0); -- fiat_secp384r1_addcarryx_u64(&x50, &x51, x49, x38, 0x0); -- fiat_secp384r1_mulx_u64(&x52, &x53, x40, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x54, &x55, x52, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x56, &x57, x52, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x58, &x59, x52, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x60, &x61, x52, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x62, &x63, x52, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x64, &x65, x52, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x66, &x67, 0x0, x65, x62); -- fiat_secp384r1_addcarryx_u64(&x68, &x69, x67, x63, x60); -- fiat_secp384r1_addcarryx_u64(&x70, &x71, x69, x61, x58); -- fiat_secp384r1_addcarryx_u64(&x72, &x73, x71, x59, x56); -- fiat_secp384r1_addcarryx_u64(&x74, &x75, x73, x57, x54); -- fiat_secp384r1_addcarryx_u64(&x76, &x77, 0x0, x40, x64); -- fiat_secp384r1_addcarryx_u64(&x78, &x79, x77, x42, x66); -- fiat_secp384r1_addcarryx_u64(&x80, &x81, x79, x44, x68); -- fiat_secp384r1_addcarryx_u64(&x82, &x83, 
x81, x46, x70); -- fiat_secp384r1_addcarryx_u64(&x84, &x85, x83, x48, x72); -- fiat_secp384r1_addcarryx_u64(&x86, &x87, x85, x50, x74); -- fiat_secp384r1_addcarryx_u64(&x88, &x89, x87, ((uint64_t)x51 + x39), -- (x75 + x55)); -- fiat_secp384r1_addcarryx_u64(&x90, &x91, 0x0, x78, (arg1[2])); -- fiat_secp384r1_addcarryx_u64(&x92, &x93, x91, x80, 0x0); -- fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x82, 0x0); -- fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x84, 0x0); -- fiat_secp384r1_addcarryx_u64(&x98, &x99, x97, x86, 0x0); -- fiat_secp384r1_addcarryx_u64(&x100, &x101, x99, x88, 0x0); -- fiat_secp384r1_mulx_u64(&x102, &x103, x90, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x104, &x105, x102, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x106, &x107, x102, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x108, &x109, x102, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x110, &x111, x102, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x112, &x113, x102, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x114, &x115, x102, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x116, &x117, 0x0, x115, x112); -- fiat_secp384r1_addcarryx_u64(&x118, &x119, x117, x113, x110); -- fiat_secp384r1_addcarryx_u64(&x120, &x121, x119, x111, x108); -- fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x109, x106); -- fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x107, x104); -- fiat_secp384r1_addcarryx_u64(&x126, &x127, 0x0, x90, x114); -- fiat_secp384r1_addcarryx_u64(&x128, &x129, x127, x92, x116); -- fiat_secp384r1_addcarryx_u64(&x130, &x131, x129, x94, x118); -- fiat_secp384r1_addcarryx_u64(&x132, &x133, x131, x96, x120); -- fiat_secp384r1_addcarryx_u64(&x134, &x135, x133, x98, x122); -- fiat_secp384r1_addcarryx_u64(&x136, &x137, x135, x100, x124); -- fiat_secp384r1_addcarryx_u64(&x138, &x139, x137, ((uint64_t)x101 + x89), -- (x125 + x105)); -- fiat_secp384r1_addcarryx_u64(&x140, &x141, 0x0, x128, (arg1[3])); -- 
fiat_secp384r1_addcarryx_u64(&x142, &x143, x141, x130, 0x0); -- fiat_secp384r1_addcarryx_u64(&x144, &x145, x143, x132, 0x0); -- fiat_secp384r1_addcarryx_u64(&x146, &x147, x145, x134, 0x0); -- fiat_secp384r1_addcarryx_u64(&x148, &x149, x147, x136, 0x0); -- fiat_secp384r1_addcarryx_u64(&x150, &x151, x149, x138, 0x0); -- fiat_secp384r1_mulx_u64(&x152, &x153, x140, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x154, &x155, x152, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x156, &x157, x152, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x158, &x159, x152, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x160, &x161, x152, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x162, &x163, x152, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x164, &x165, x152, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x166, &x167, 0x0, x165, x162); -- fiat_secp384r1_addcarryx_u64(&x168, &x169, x167, x163, x160); -- fiat_secp384r1_addcarryx_u64(&x170, &x171, x169, x161, x158); -- fiat_secp384r1_addcarryx_u64(&x172, &x173, x171, x159, x156); -- fiat_secp384r1_addcarryx_u64(&x174, &x175, x173, x157, x154); -- fiat_secp384r1_addcarryx_u64(&x176, &x177, 0x0, x140, x164); -- fiat_secp384r1_addcarryx_u64(&x178, &x179, x177, x142, x166); -- fiat_secp384r1_addcarryx_u64(&x180, &x181, x179, x144, x168); -- fiat_secp384r1_addcarryx_u64(&x182, &x183, x181, x146, x170); -- fiat_secp384r1_addcarryx_u64(&x184, &x185, x183, x148, x172); -- fiat_secp384r1_addcarryx_u64(&x186, &x187, x185, x150, x174); -- fiat_secp384r1_addcarryx_u64(&x188, &x189, x187, ((uint64_t)x151 + x139), -- (x175 + x155)); -- fiat_secp384r1_addcarryx_u64(&x190, &x191, 0x0, x178, (arg1[4])); -- fiat_secp384r1_addcarryx_u64(&x192, &x193, x191, x180, 0x0); -- fiat_secp384r1_addcarryx_u64(&x194, &x195, x193, x182, 0x0); -- fiat_secp384r1_addcarryx_u64(&x196, &x197, x195, x184, 0x0); -- fiat_secp384r1_addcarryx_u64(&x198, &x199, x197, x186, 0x0); -- 
fiat_secp384r1_addcarryx_u64(&x200, &x201, x199, x188, 0x0); -- fiat_secp384r1_mulx_u64(&x202, &x203, x190, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x204, &x205, x202, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x206, &x207, x202, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x208, &x209, x202, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x210, &x211, x202, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x212, &x213, x202, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x214, &x215, x202, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x216, &x217, 0x0, x215, x212); -- fiat_secp384r1_addcarryx_u64(&x218, &x219, x217, x213, x210); -- fiat_secp384r1_addcarryx_u64(&x220, &x221, x219, x211, x208); -- fiat_secp384r1_addcarryx_u64(&x222, &x223, x221, x209, x206); -- fiat_secp384r1_addcarryx_u64(&x224, &x225, x223, x207, x204); -- fiat_secp384r1_addcarryx_u64(&x226, &x227, 0x0, x190, x214); -- fiat_secp384r1_addcarryx_u64(&x228, &x229, x227, x192, x216); -- fiat_secp384r1_addcarryx_u64(&x230, &x231, x229, x194, x218); -- fiat_secp384r1_addcarryx_u64(&x232, &x233, x231, x196, x220); -- fiat_secp384r1_addcarryx_u64(&x234, &x235, x233, x198, x222); -- fiat_secp384r1_addcarryx_u64(&x236, &x237, x235, x200, x224); -- fiat_secp384r1_addcarryx_u64(&x238, &x239, x237, ((uint64_t)x201 + x189), -- (x225 + x205)); -- fiat_secp384r1_addcarryx_u64(&x240, &x241, 0x0, x228, (arg1[5])); -- fiat_secp384r1_addcarryx_u64(&x242, &x243, x241, x230, 0x0); -- fiat_secp384r1_addcarryx_u64(&x244, &x245, x243, x232, 0x0); -- fiat_secp384r1_addcarryx_u64(&x246, &x247, x245, x234, 0x0); -- fiat_secp384r1_addcarryx_u64(&x248, &x249, x247, x236, 0x0); -- fiat_secp384r1_addcarryx_u64(&x250, &x251, x249, x238, 0x0); -- fiat_secp384r1_mulx_u64(&x252, &x253, x240, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x254, &x255, x252, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x256, &x257, x252, 
UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x258, &x259, x252, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x260, &x261, x252, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x262, &x263, x252, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x264, &x265, x252, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x266, &x267, 0x0, x265, x262); -- fiat_secp384r1_addcarryx_u64(&x268, &x269, x267, x263, x260); -- fiat_secp384r1_addcarryx_u64(&x270, &x271, x269, x261, x258); -- fiat_secp384r1_addcarryx_u64(&x272, &x273, x271, x259, x256); -- fiat_secp384r1_addcarryx_u64(&x274, &x275, x273, x257, x254); -- fiat_secp384r1_addcarryx_u64(&x276, &x277, 0x0, x240, x264); -- fiat_secp384r1_addcarryx_u64(&x278, &x279, x277, x242, x266); -- fiat_secp384r1_addcarryx_u64(&x280, &x281, x279, x244, x268); -- fiat_secp384r1_addcarryx_u64(&x282, &x283, x281, x246, x270); -- fiat_secp384r1_addcarryx_u64(&x284, &x285, x283, x248, x272); -- fiat_secp384r1_addcarryx_u64(&x286, &x287, x285, x250, x274); -- fiat_secp384r1_addcarryx_u64(&x288, &x289, x287, ((uint64_t)x251 + x239), -- (x275 + x255)); -- fiat_secp384r1_subborrowx_u64(&x290, &x291, 0x0, x278, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u64(&x292, &x293, x291, x280, -- UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_subborrowx_u64(&x294, &x295, x293, x282, -- UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_subborrowx_u64(&x296, &x297, x295, x284, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x298, &x299, x297, x286, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x300, &x301, x299, x288, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x302, &x303, x301, x289, 0x0); -- fiat_secp384r1_cmovznz_u64(&x304, x303, x290, x278); -- fiat_secp384r1_cmovznz_u64(&x305, x303, x292, x280); -- fiat_secp384r1_cmovznz_u64(&x306, x303, x294, x282); -- fiat_secp384r1_cmovznz_u64(&x307, x303, x296, x284); -- 
fiat_secp384r1_cmovznz_u64(&x308, x303, x298, x286); -- fiat_secp384r1_cmovznz_u64(&x309, x303, x300, x288); -- out1[0] = x304; -- out1[1] = x305; -- out1[2] = x306; -- out1[3] = x307; -- out1[4] = x308; -- out1[5] = x309; --} -- --/* -- * The function fiat_secp384r1_to_montgomery translates a field element into the Montgomery domain. -- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = eval arg1 mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_to_montgomery( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_non_montgomery_domain_field_element arg1) --{ -- uint64_t x1; -- uint64_t x2; -- uint64_t x3; -- uint64_t x4; -- uint64_t x5; -- uint64_t x6; -- uint64_t x7; -- uint64_t x8; -- uint64_t x9; -- uint64_t x10; -- uint64_t x11; -- uint64_t x12; -- uint64_t x13; -- uint64_t x14; -- uint64_t x15; -- fiat_secp384r1_uint1 x16; -- uint64_t x17; -- fiat_secp384r1_uint1 x18; -- uint64_t x19; -- fiat_secp384r1_uint1 x20; -- uint64_t x21; -- fiat_secp384r1_uint1 x22; -- uint64_t x23; -- uint64_t x24; -- uint64_t x25; -- uint64_t x26; -- uint64_t x27; -- uint64_t x28; -- uint64_t x29; -- uint64_t x30; -- uint64_t x31; -- uint64_t x32; -- uint64_t x33; -- uint64_t x34; -- uint64_t x35; -- uint64_t x36; -- uint64_t x37; -- fiat_secp384r1_uint1 x38; -- uint64_t x39; -- fiat_secp384r1_uint1 x40; -- uint64_t x41; -- fiat_secp384r1_uint1 x42; -- uint64_t x43; -- fiat_secp384r1_uint1 x44; -- uint64_t x45; -- fiat_secp384r1_uint1 x46; -- uint64_t x47; -- fiat_secp384r1_uint1 x48; -- uint64_t x49; -- fiat_secp384r1_uint1 x50; -- uint64_t x51; -- fiat_secp384r1_uint1 x52; -- uint64_t x53; -- fiat_secp384r1_uint1 x54; -- uint64_t x55; -- fiat_secp384r1_uint1 x56; -- uint64_t x57; -- fiat_secp384r1_uint1 x58; -- uint64_t x59; -- fiat_secp384r1_uint1 x60; -- uint64_t x61; -- uint64_t x62; -- uint64_t x63; -- uint64_t x64; -- uint64_t x65; -- uint64_t x66; -- uint64_t x67; -- 
uint64_t x68; -- uint64_t x69; -- fiat_secp384r1_uint1 x70; -- uint64_t x71; -- fiat_secp384r1_uint1 x72; -- uint64_t x73; -- fiat_secp384r1_uint1 x74; -- uint64_t x75; -- fiat_secp384r1_uint1 x76; -- uint64_t x77; -- fiat_secp384r1_uint1 x78; -- uint64_t x79; -- fiat_secp384r1_uint1 x80; -- uint64_t x81; -- fiat_secp384r1_uint1 x82; -- uint64_t x83; -- fiat_secp384r1_uint1 x84; -- uint64_t x85; -- fiat_secp384r1_uint1 x86; -- uint64_t x87; -- fiat_secp384r1_uint1 x88; -- uint64_t x89; -- uint64_t x90; -- uint64_t x91; -- uint64_t x92; -- uint64_t x93; -- uint64_t x94; -- uint64_t x95; -- uint64_t x96; -- uint64_t x97; -- uint64_t x98; -- uint64_t x99; -- uint64_t x100; -- uint64_t x101; -- uint64_t x102; -- uint64_t x103; -- fiat_secp384r1_uint1 x104; -- uint64_t x105; -- fiat_secp384r1_uint1 x106; -- uint64_t x107; -- fiat_secp384r1_uint1 x108; -- uint64_t x109; -- fiat_secp384r1_uint1 x110; -- uint64_t x111; -- fiat_secp384r1_uint1 x112; -- uint64_t x113; -- fiat_secp384r1_uint1 x114; -- uint64_t x115; -- fiat_secp384r1_uint1 x116; -- uint64_t x117; -- fiat_secp384r1_uint1 x118; -- uint64_t x119; -- fiat_secp384r1_uint1 x120; -- uint64_t x121; -- fiat_secp384r1_uint1 x122; -- uint64_t x123; -- fiat_secp384r1_uint1 x124; -- uint64_t x125; -- fiat_secp384r1_uint1 x126; -- uint64_t x127; -- uint64_t x128; -- uint64_t x129; -- uint64_t x130; -- uint64_t x131; -- uint64_t x132; -- uint64_t x133; -- uint64_t x134; -- uint64_t x135; -- fiat_secp384r1_uint1 x136; -- uint64_t x137; -- fiat_secp384r1_uint1 x138; -- uint64_t x139; -- fiat_secp384r1_uint1 x140; -- uint64_t x141; -- fiat_secp384r1_uint1 x142; -- uint64_t x143; -- fiat_secp384r1_uint1 x144; -- uint64_t x145; -- fiat_secp384r1_uint1 x146; -- uint64_t x147; -- fiat_secp384r1_uint1 x148; -- uint64_t x149; -- fiat_secp384r1_uint1 x150; -- uint64_t x151; -- fiat_secp384r1_uint1 x152; -- uint64_t x153; -- fiat_secp384r1_uint1 x154; -- uint64_t x155; -- uint64_t x156; -- uint64_t x157; -- uint64_t x158; -- uint64_t 
x159; -- uint64_t x160; -- uint64_t x161; -- uint64_t x162; -- uint64_t x163; -- uint64_t x164; -- uint64_t x165; -- uint64_t x166; -- uint64_t x167; -- uint64_t x168; -- uint64_t x169; -- fiat_secp384r1_uint1 x170; -- uint64_t x171; -- fiat_secp384r1_uint1 x172; -- uint64_t x173; -- fiat_secp384r1_uint1 x174; -- uint64_t x175; -- fiat_secp384r1_uint1 x176; -- uint64_t x177; -- fiat_secp384r1_uint1 x178; -- uint64_t x179; -- fiat_secp384r1_uint1 x180; -- uint64_t x181; -- fiat_secp384r1_uint1 x182; -- uint64_t x183; -- fiat_secp384r1_uint1 x184; -- uint64_t x185; -- fiat_secp384r1_uint1 x186; -- uint64_t x187; -- fiat_secp384r1_uint1 x188; -- uint64_t x189; -- fiat_secp384r1_uint1 x190; -- uint64_t x191; -- fiat_secp384r1_uint1 x192; -- uint64_t x193; -- uint64_t x194; -- uint64_t x195; -- uint64_t x196; -- uint64_t x197; -- uint64_t x198; -- uint64_t x199; -- uint64_t x200; -- uint64_t x201; -- fiat_secp384r1_uint1 x202; -- uint64_t x203; -- fiat_secp384r1_uint1 x204; -- uint64_t x205; -- fiat_secp384r1_uint1 x206; -- uint64_t x207; -- fiat_secp384r1_uint1 x208; -- uint64_t x209; -- fiat_secp384r1_uint1 x210; -- uint64_t x211; -- fiat_secp384r1_uint1 x212; -- uint64_t x213; -- fiat_secp384r1_uint1 x214; -- uint64_t x215; -- fiat_secp384r1_uint1 x216; -- uint64_t x217; -- fiat_secp384r1_uint1 x218; -- uint64_t x219; -- fiat_secp384r1_uint1 x220; -- uint64_t x221; -- uint64_t x222; -- uint64_t x223; -- uint64_t x224; -- uint64_t x225; -- uint64_t x226; -- uint64_t x227; -- uint64_t x228; -- uint64_t x229; -- uint64_t x230; -- uint64_t x231; -- uint64_t x232; -- uint64_t x233; -- uint64_t x234; -- uint64_t x235; -- fiat_secp384r1_uint1 x236; -- uint64_t x237; -- fiat_secp384r1_uint1 x238; -- uint64_t x239; -- fiat_secp384r1_uint1 x240; -- uint64_t x241; -- fiat_secp384r1_uint1 x242; -- uint64_t x243; -- fiat_secp384r1_uint1 x244; -- uint64_t x245; -- fiat_secp384r1_uint1 x246; -- uint64_t x247; -- fiat_secp384r1_uint1 x248; -- uint64_t x249; -- fiat_secp384r1_uint1 
x250; -- uint64_t x251; -- fiat_secp384r1_uint1 x252; -- uint64_t x253; -- fiat_secp384r1_uint1 x254; -- uint64_t x255; -- fiat_secp384r1_uint1 x256; -- uint64_t x257; -- fiat_secp384r1_uint1 x258; -- uint64_t x259; -- uint64_t x260; -- uint64_t x261; -- uint64_t x262; -- uint64_t x263; -- uint64_t x264; -- uint64_t x265; -- uint64_t x266; -- uint64_t x267; -- fiat_secp384r1_uint1 x268; -- uint64_t x269; -- fiat_secp384r1_uint1 x270; -- uint64_t x271; -- fiat_secp384r1_uint1 x272; -- uint64_t x273; -- fiat_secp384r1_uint1 x274; -- uint64_t x275; -- fiat_secp384r1_uint1 x276; -- uint64_t x277; -- fiat_secp384r1_uint1 x278; -- uint64_t x279; -- fiat_secp384r1_uint1 x280; -- uint64_t x281; -- fiat_secp384r1_uint1 x282; -- uint64_t x283; -- fiat_secp384r1_uint1 x284; -- uint64_t x285; -- fiat_secp384r1_uint1 x286; -- uint64_t x287; -- uint64_t x288; -- uint64_t x289; -- uint64_t x290; -- uint64_t x291; -- uint64_t x292; -- uint64_t x293; -- uint64_t x294; -- uint64_t x295; -- uint64_t x296; -- uint64_t x297; -- uint64_t x298; -- uint64_t x299; -- uint64_t x300; -- uint64_t x301; -- fiat_secp384r1_uint1 x302; -- uint64_t x303; -- fiat_secp384r1_uint1 x304; -- uint64_t x305; -- fiat_secp384r1_uint1 x306; -- uint64_t x307; -- fiat_secp384r1_uint1 x308; -- uint64_t x309; -- fiat_secp384r1_uint1 x310; -- uint64_t x311; -- fiat_secp384r1_uint1 x312; -- uint64_t x313; -- fiat_secp384r1_uint1 x314; -- uint64_t x315; -- fiat_secp384r1_uint1 x316; -- uint64_t x317; -- fiat_secp384r1_uint1 x318; -- uint64_t x319; -- fiat_secp384r1_uint1 x320; -- uint64_t x321; -- fiat_secp384r1_uint1 x322; -- uint64_t x323; -- fiat_secp384r1_uint1 x324; -- uint64_t x325; -- uint64_t x326; -- uint64_t x327; -- uint64_t x328; -- uint64_t x329; -- uint64_t x330; -- uint64_t x331; -- uint64_t x332; -- uint64_t x333; -- fiat_secp384r1_uint1 x334; -- uint64_t x335; -- fiat_secp384r1_uint1 x336; -- uint64_t x337; -- fiat_secp384r1_uint1 x338; -- uint64_t x339; -- fiat_secp384r1_uint1 x340; -- uint64_t 
x341; -- fiat_secp384r1_uint1 x342; -- uint64_t x343; -- fiat_secp384r1_uint1 x344; -- uint64_t x345; -- fiat_secp384r1_uint1 x346; -- uint64_t x347; -- fiat_secp384r1_uint1 x348; -- uint64_t x349; -- fiat_secp384r1_uint1 x350; -- uint64_t x351; -- fiat_secp384r1_uint1 x352; -- uint64_t x353; -- uint64_t x354; -- uint64_t x355; -- uint64_t x356; -- uint64_t x357; -- uint64_t x358; -- uint64_t x359; -- uint64_t x360; -- uint64_t x361; -- uint64_t x362; -- uint64_t x363; -- uint64_t x364; -- uint64_t x365; -- uint64_t x366; -- uint64_t x367; -- fiat_secp384r1_uint1 x368; -- uint64_t x369; -- fiat_secp384r1_uint1 x370; -- uint64_t x371; -- fiat_secp384r1_uint1 x372; -- uint64_t x373; -- fiat_secp384r1_uint1 x374; -- uint64_t x375; -- fiat_secp384r1_uint1 x376; -- uint64_t x377; -- fiat_secp384r1_uint1 x378; -- uint64_t x379; -- fiat_secp384r1_uint1 x380; -- uint64_t x381; -- fiat_secp384r1_uint1 x382; -- uint64_t x383; -- fiat_secp384r1_uint1 x384; -- uint64_t x385; -- fiat_secp384r1_uint1 x386; -- uint64_t x387; -- fiat_secp384r1_uint1 x388; -- uint64_t x389; -- fiat_secp384r1_uint1 x390; -- uint64_t x391; -- fiat_secp384r1_uint1 x392; -- uint64_t x393; -- fiat_secp384r1_uint1 x394; -- uint64_t x395; -- fiat_secp384r1_uint1 x396; -- uint64_t x397; -- fiat_secp384r1_uint1 x398; -- uint64_t x399; -- fiat_secp384r1_uint1 x400; -- uint64_t x401; -- fiat_secp384r1_uint1 x402; -- uint64_t x403; -- fiat_secp384r1_uint1 x404; -- uint64_t x405; -- uint64_t x406; -- uint64_t x407; -- uint64_t x408; -- uint64_t x409; -- uint64_t x410; -- x1 = (arg1[1]); -- x2 = (arg1[2]); -- x3 = (arg1[3]); -- x4 = (arg1[4]); -- x5 = (arg1[5]); -- x6 = (arg1[0]); -- fiat_secp384r1_mulx_u64(&x7, &x8, x6, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x9, &x10, x6, UINT64_C(0xfffffffe00000000)); -- fiat_secp384r1_mulx_u64(&x11, &x12, x6, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x13, &x14, x6, UINT64_C(0xfffffffe00000001)); -- fiat_secp384r1_addcarryx_u64(&x15, &x16, 0x0, x14, 
x11); -- fiat_secp384r1_addcarryx_u64(&x17, &x18, x16, x12, x9); -- fiat_secp384r1_addcarryx_u64(&x19, &x20, x18, x10, x7); -- fiat_secp384r1_addcarryx_u64(&x21, &x22, x20, x8, x6); -- fiat_secp384r1_mulx_u64(&x23, &x24, x13, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x25, &x26, x23, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x27, &x28, x23, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x29, &x30, x23, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x31, &x32, x23, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x33, &x34, x23, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x35, &x36, x23, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x37, &x38, 0x0, x36, x33); -- fiat_secp384r1_addcarryx_u64(&x39, &x40, x38, x34, x31); -- fiat_secp384r1_addcarryx_u64(&x41, &x42, x40, x32, x29); -- fiat_secp384r1_addcarryx_u64(&x43, &x44, x42, x30, x27); -- fiat_secp384r1_addcarryx_u64(&x45, &x46, x44, x28, x25); -- fiat_secp384r1_addcarryx_u64(&x47, &x48, 0x0, x13, x35); -- fiat_secp384r1_addcarryx_u64(&x49, &x50, x48, x15, x37); -- fiat_secp384r1_addcarryx_u64(&x51, &x52, x50, x17, x39); -- fiat_secp384r1_addcarryx_u64(&x53, &x54, x52, x19, x41); -- fiat_secp384r1_addcarryx_u64(&x55, &x56, x54, x21, x43); -- fiat_secp384r1_addcarryx_u64(&x57, &x58, x56, x22, x45); -- fiat_secp384r1_addcarryx_u64(&x59, &x60, x58, 0x0, (x46 + x26)); -- fiat_secp384r1_mulx_u64(&x61, &x62, x1, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x63, &x64, x1, UINT64_C(0xfffffffe00000000)); -- fiat_secp384r1_mulx_u64(&x65, &x66, x1, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x67, &x68, x1, UINT64_C(0xfffffffe00000001)); -- fiat_secp384r1_addcarryx_u64(&x69, &x70, 0x0, x68, x65); -- fiat_secp384r1_addcarryx_u64(&x71, &x72, x70, x66, x63); -- fiat_secp384r1_addcarryx_u64(&x73, &x74, x72, x64, x61); -- fiat_secp384r1_addcarryx_u64(&x75, &x76, x74, x62, x1); -- fiat_secp384r1_addcarryx_u64(&x77, &x78, 0x0, x49, 
x67); -- fiat_secp384r1_addcarryx_u64(&x79, &x80, x78, x51, x69); -- fiat_secp384r1_addcarryx_u64(&x81, &x82, x80, x53, x71); -- fiat_secp384r1_addcarryx_u64(&x83, &x84, x82, x55, x73); -- fiat_secp384r1_addcarryx_u64(&x85, &x86, x84, x57, x75); -- fiat_secp384r1_addcarryx_u64(&x87, &x88, x86, x59, x76); -- fiat_secp384r1_mulx_u64(&x89, &x90, x77, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x91, &x92, x89, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x93, &x94, x89, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x95, &x96, x89, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x97, &x98, x89, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x99, &x100, x89, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x101, &x102, x89, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x103, &x104, 0x0, x102, x99); -- fiat_secp384r1_addcarryx_u64(&x105, &x106, x104, x100, x97); -- fiat_secp384r1_addcarryx_u64(&x107, &x108, x106, x98, x95); -- fiat_secp384r1_addcarryx_u64(&x109, &x110, x108, x96, x93); -- fiat_secp384r1_addcarryx_u64(&x111, &x112, x110, x94, x91); -- fiat_secp384r1_addcarryx_u64(&x113, &x114, 0x0, x77, x101); -- fiat_secp384r1_addcarryx_u64(&x115, &x116, x114, x79, x103); -- fiat_secp384r1_addcarryx_u64(&x117, &x118, x116, x81, x105); -- fiat_secp384r1_addcarryx_u64(&x119, &x120, x118, x83, x107); -- fiat_secp384r1_addcarryx_u64(&x121, &x122, x120, x85, x109); -- fiat_secp384r1_addcarryx_u64(&x123, &x124, x122, x87, x111); -- fiat_secp384r1_addcarryx_u64(&x125, &x126, x124, ((uint64_t)x88 + x60), -- (x112 + x92)); -- fiat_secp384r1_mulx_u64(&x127, &x128, x2, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x129, &x130, x2, UINT64_C(0xfffffffe00000000)); -- fiat_secp384r1_mulx_u64(&x131, &x132, x2, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x133, &x134, x2, UINT64_C(0xfffffffe00000001)); -- fiat_secp384r1_addcarryx_u64(&x135, &x136, 0x0, x134, x131); -- 
fiat_secp384r1_addcarryx_u64(&x137, &x138, x136, x132, x129); -- fiat_secp384r1_addcarryx_u64(&x139, &x140, x138, x130, x127); -- fiat_secp384r1_addcarryx_u64(&x141, &x142, x140, x128, x2); -- fiat_secp384r1_addcarryx_u64(&x143, &x144, 0x0, x115, x133); -- fiat_secp384r1_addcarryx_u64(&x145, &x146, x144, x117, x135); -- fiat_secp384r1_addcarryx_u64(&x147, &x148, x146, x119, x137); -- fiat_secp384r1_addcarryx_u64(&x149, &x150, x148, x121, x139); -- fiat_secp384r1_addcarryx_u64(&x151, &x152, x150, x123, x141); -- fiat_secp384r1_addcarryx_u64(&x153, &x154, x152, x125, x142); -- fiat_secp384r1_mulx_u64(&x155, &x156, x143, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x157, &x158, x155, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x159, &x160, x155, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x161, &x162, x155, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x163, &x164, x155, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x165, &x166, x155, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x167, &x168, x155, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x169, &x170, 0x0, x168, x165); -- fiat_secp384r1_addcarryx_u64(&x171, &x172, x170, x166, x163); -- fiat_secp384r1_addcarryx_u64(&x173, &x174, x172, x164, x161); -- fiat_secp384r1_addcarryx_u64(&x175, &x176, x174, x162, x159); -- fiat_secp384r1_addcarryx_u64(&x177, &x178, x176, x160, x157); -- fiat_secp384r1_addcarryx_u64(&x179, &x180, 0x0, x143, x167); -- fiat_secp384r1_addcarryx_u64(&x181, &x182, x180, x145, x169); -- fiat_secp384r1_addcarryx_u64(&x183, &x184, x182, x147, x171); -- fiat_secp384r1_addcarryx_u64(&x185, &x186, x184, x149, x173); -- fiat_secp384r1_addcarryx_u64(&x187, &x188, x186, x151, x175); -- fiat_secp384r1_addcarryx_u64(&x189, &x190, x188, x153, x177); -- fiat_secp384r1_addcarryx_u64(&x191, &x192, x190, ((uint64_t)x154 + x126), -- (x178 + x158)); -- fiat_secp384r1_mulx_u64(&x193, &x194, x3, UINT64_C(0x200000000)); -- 
fiat_secp384r1_mulx_u64(&x195, &x196, x3, UINT64_C(0xfffffffe00000000)); -- fiat_secp384r1_mulx_u64(&x197, &x198, x3, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x199, &x200, x3, UINT64_C(0xfffffffe00000001)); -- fiat_secp384r1_addcarryx_u64(&x201, &x202, 0x0, x200, x197); -- fiat_secp384r1_addcarryx_u64(&x203, &x204, x202, x198, x195); -- fiat_secp384r1_addcarryx_u64(&x205, &x206, x204, x196, x193); -- fiat_secp384r1_addcarryx_u64(&x207, &x208, x206, x194, x3); -- fiat_secp384r1_addcarryx_u64(&x209, &x210, 0x0, x181, x199); -- fiat_secp384r1_addcarryx_u64(&x211, &x212, x210, x183, x201); -- fiat_secp384r1_addcarryx_u64(&x213, &x214, x212, x185, x203); -- fiat_secp384r1_addcarryx_u64(&x215, &x216, x214, x187, x205); -- fiat_secp384r1_addcarryx_u64(&x217, &x218, x216, x189, x207); -- fiat_secp384r1_addcarryx_u64(&x219, &x220, x218, x191, x208); -- fiat_secp384r1_mulx_u64(&x221, &x222, x209, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x223, &x224, x221, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x225, &x226, x221, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x227, &x228, x221, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x229, &x230, x221, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x231, &x232, x221, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x233, &x234, x221, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x235, &x236, 0x0, x234, x231); -- fiat_secp384r1_addcarryx_u64(&x237, &x238, x236, x232, x229); -- fiat_secp384r1_addcarryx_u64(&x239, &x240, x238, x230, x227); -- fiat_secp384r1_addcarryx_u64(&x241, &x242, x240, x228, x225); -- fiat_secp384r1_addcarryx_u64(&x243, &x244, x242, x226, x223); -- fiat_secp384r1_addcarryx_u64(&x245, &x246, 0x0, x209, x233); -- fiat_secp384r1_addcarryx_u64(&x247, &x248, x246, x211, x235); -- fiat_secp384r1_addcarryx_u64(&x249, &x250, x248, x213, x237); -- fiat_secp384r1_addcarryx_u64(&x251, &x252, x250, x215, x239); -- 
fiat_secp384r1_addcarryx_u64(&x253, &x254, x252, x217, x241); -- fiat_secp384r1_addcarryx_u64(&x255, &x256, x254, x219, x243); -- fiat_secp384r1_addcarryx_u64(&x257, &x258, x256, ((uint64_t)x220 + x192), -- (x244 + x224)); -- fiat_secp384r1_mulx_u64(&x259, &x260, x4, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x261, &x262, x4, UINT64_C(0xfffffffe00000000)); -- fiat_secp384r1_mulx_u64(&x263, &x264, x4, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x265, &x266, x4, UINT64_C(0xfffffffe00000001)); -- fiat_secp384r1_addcarryx_u64(&x267, &x268, 0x0, x266, x263); -- fiat_secp384r1_addcarryx_u64(&x269, &x270, x268, x264, x261); -- fiat_secp384r1_addcarryx_u64(&x271, &x272, x270, x262, x259); -- fiat_secp384r1_addcarryx_u64(&x273, &x274, x272, x260, x4); -- fiat_secp384r1_addcarryx_u64(&x275, &x276, 0x0, x247, x265); -- fiat_secp384r1_addcarryx_u64(&x277, &x278, x276, x249, x267); -- fiat_secp384r1_addcarryx_u64(&x279, &x280, x278, x251, x269); -- fiat_secp384r1_addcarryx_u64(&x281, &x282, x280, x253, x271); -- fiat_secp384r1_addcarryx_u64(&x283, &x284, x282, x255, x273); -- fiat_secp384r1_addcarryx_u64(&x285, &x286, x284, x257, x274); -- fiat_secp384r1_mulx_u64(&x287, &x288, x275, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x289, &x290, x287, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x291, &x292, x287, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x293, &x294, x287, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x295, &x296, x287, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x297, &x298, x287, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x299, &x300, x287, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u64(&x301, &x302, 0x0, x300, x297); -- fiat_secp384r1_addcarryx_u64(&x303, &x304, x302, x298, x295); -- fiat_secp384r1_addcarryx_u64(&x305, &x306, x304, x296, x293); -- fiat_secp384r1_addcarryx_u64(&x307, &x308, x306, x294, x291); -- fiat_secp384r1_addcarryx_u64(&x309, &x310, 
x308, x292, x289); -- fiat_secp384r1_addcarryx_u64(&x311, &x312, 0x0, x275, x299); -- fiat_secp384r1_addcarryx_u64(&x313, &x314, x312, x277, x301); -- fiat_secp384r1_addcarryx_u64(&x315, &x316, x314, x279, x303); -- fiat_secp384r1_addcarryx_u64(&x317, &x318, x316, x281, x305); -- fiat_secp384r1_addcarryx_u64(&x319, &x320, x318, x283, x307); -- fiat_secp384r1_addcarryx_u64(&x321, &x322, x320, x285, x309); -- fiat_secp384r1_addcarryx_u64(&x323, &x324, x322, ((uint64_t)x286 + x258), -- (x310 + x290)); -- fiat_secp384r1_mulx_u64(&x325, &x326, x5, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x327, &x328, x5, UINT64_C(0xfffffffe00000000)); -- fiat_secp384r1_mulx_u64(&x329, &x330, x5, UINT64_C(0x200000000)); -- fiat_secp384r1_mulx_u64(&x331, &x332, x5, UINT64_C(0xfffffffe00000001)); -- fiat_secp384r1_addcarryx_u64(&x333, &x334, 0x0, x332, x329); -- fiat_secp384r1_addcarryx_u64(&x335, &x336, x334, x330, x327); -- fiat_secp384r1_addcarryx_u64(&x337, &x338, x336, x328, x325); -- fiat_secp384r1_addcarryx_u64(&x339, &x340, x338, x326, x5); -- fiat_secp384r1_addcarryx_u64(&x341, &x342, 0x0, x313, x331); -- fiat_secp384r1_addcarryx_u64(&x343, &x344, x342, x315, x333); -- fiat_secp384r1_addcarryx_u64(&x345, &x346, x344, x317, x335); -- fiat_secp384r1_addcarryx_u64(&x347, &x348, x346, x319, x337); -- fiat_secp384r1_addcarryx_u64(&x349, &x350, x348, x321, x339); -- fiat_secp384r1_addcarryx_u64(&x351, &x352, x350, x323, x340); -- fiat_secp384r1_mulx_u64(&x353, &x354, x341, UINT64_C(0x100000001)); -- fiat_secp384r1_mulx_u64(&x355, &x356, x353, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x357, &x358, x353, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x359, &x360, x353, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_mulx_u64(&x361, &x362, x353, UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_mulx_u64(&x363, &x364, x353, UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_mulx_u64(&x365, &x366, x353, UINT32_C(0xffffffff)); -- 
fiat_secp384r1_addcarryx_u64(&x367, &x368, 0x0, x366, x363); -- fiat_secp384r1_addcarryx_u64(&x369, &x370, x368, x364, x361); -- fiat_secp384r1_addcarryx_u64(&x371, &x372, x370, x362, x359); -- fiat_secp384r1_addcarryx_u64(&x373, &x374, x372, x360, x357); -- fiat_secp384r1_addcarryx_u64(&x375, &x376, x374, x358, x355); -- fiat_secp384r1_addcarryx_u64(&x377, &x378, 0x0, x341, x365); -- fiat_secp384r1_addcarryx_u64(&x379, &x380, x378, x343, x367); -- fiat_secp384r1_addcarryx_u64(&x381, &x382, x380, x345, x369); -- fiat_secp384r1_addcarryx_u64(&x383, &x384, x382, x347, x371); -- fiat_secp384r1_addcarryx_u64(&x385, &x386, x384, x349, x373); -- fiat_secp384r1_addcarryx_u64(&x387, &x388, x386, x351, x375); -- fiat_secp384r1_addcarryx_u64(&x389, &x390, x388, ((uint64_t)x352 + x324), -- (x376 + x356)); -- fiat_secp384r1_subborrowx_u64(&x391, &x392, 0x0, x379, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u64(&x393, &x394, x392, x381, -- UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_subborrowx_u64(&x395, &x396, x394, x383, -- UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_subborrowx_u64(&x397, &x398, x396, x385, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x399, &x400, x398, x387, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x401, &x402, x400, x389, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x403, &x404, x402, x390, 0x0); -- fiat_secp384r1_cmovznz_u64(&x405, x404, x391, x379); -- fiat_secp384r1_cmovznz_u64(&x406, x404, x393, x381); -- fiat_secp384r1_cmovznz_u64(&x407, x404, x395, x383); -- fiat_secp384r1_cmovznz_u64(&x408, x404, x397, x385); -- fiat_secp384r1_cmovznz_u64(&x409, x404, x399, x387); -- fiat_secp384r1_cmovznz_u64(&x410, x404, x401, x389); -- out1[0] = x405; -- out1[1] = x406; -- out1[2] = x407; -- out1[3] = x408; -- out1[4] = x409; -- out1[5] = x410; --} -- --/* -- * The function fiat_secp384r1_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 
-- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * Postconditions: -- * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 -- * -- * Input Bounds: -- * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- * Output Bounds: -- * out1: [0x0 ~> 0xffffffffffffffff] -- */ --static void --fiat_secp384r1_nonzero(uint64_t *out1, const uint64_t arg1[6]) --{ -- uint64_t x1; -- x1 = ((arg1[0]) | -- ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | (arg1[5])))))); -- *out1 = x1; --} -- --/* -- * The function fiat_secp384r1_selectznz is a multi-limb conditional select. -- * -- * Postconditions: -- * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) -- * -- * Input Bounds: -- * arg1: [0x0 ~> 0x1] -- * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- * Output Bounds: -- * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- */ --static void --fiat_secp384r1_selectznz(uint64_t out1[6], -- fiat_secp384r1_uint1 arg1, -- const uint64_t arg2[6], -- const uint64_t arg3[6]) --{ -- uint64_t x1; -- uint64_t x2; -- uint64_t x3; -- uint64_t x4; -- uint64_t x5; -- uint64_t x6; -- fiat_secp384r1_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); -- fiat_secp384r1_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); -- fiat_secp384r1_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); -- fiat_secp384r1_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); -- fiat_secp384r1_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4])); -- 
fiat_secp384r1_cmovznz_u64(&x6, arg1, (arg2[5]), (arg3[5])); -- out1[0] = x1; -- out1[1] = x2; -- out1[2] = x3; -- out1[3] = x4; -- out1[4] = x5; -- out1[5] = x6; --} -- --/* -- * The function fiat_secp384r1_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. -- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * Postconditions: -- * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..47] -- * -- * Input Bounds: -- * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- * Output Bounds: -- * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] -- */ --static void --fiat_secp384r1_to_bytes(uint8_t out1[48], const uint64_t arg1[6]) --{ -- uint64_t x1; -- uint64_t x2; -- uint64_t x3; -- uint64_t x4; -- uint64_t x5; -- uint64_t x6; -- uint8_t x7; -- uint64_t x8; -- uint8_t x9; -- uint64_t x10; -- uint8_t x11; -- uint64_t x12; -- uint8_t x13; -- uint64_t x14; -- uint8_t x15; -- uint64_t x16; -- uint8_t x17; -- uint64_t x18; -- uint8_t x19; -- uint8_t x20; -- uint8_t x21; -- uint64_t x22; -- uint8_t x23; -- uint64_t x24; -- uint8_t x25; -- uint64_t x26; -- uint8_t x27; -- uint64_t x28; -- uint8_t x29; -- uint64_t 
x30; -- uint8_t x31; -- uint64_t x32; -- uint8_t x33; -- uint8_t x34; -- uint8_t x35; -- uint64_t x36; -- uint8_t x37; -- uint64_t x38; -- uint8_t x39; -- uint64_t x40; -- uint8_t x41; -- uint64_t x42; -- uint8_t x43; -- uint64_t x44; -- uint8_t x45; -- uint64_t x46; -- uint8_t x47; -- uint8_t x48; -- uint8_t x49; -- uint64_t x50; -- uint8_t x51; -- uint64_t x52; -- uint8_t x53; -- uint64_t x54; -- uint8_t x55; -- uint64_t x56; -- uint8_t x57; -- uint64_t x58; -- uint8_t x59; -- uint64_t x60; -- uint8_t x61; -- uint8_t x62; -- uint8_t x63; -- uint64_t x64; -- uint8_t x65; -- uint64_t x66; -- uint8_t x67; -- uint64_t x68; -- uint8_t x69; -- uint64_t x70; -- uint8_t x71; -- uint64_t x72; -- uint8_t x73; -- uint64_t x74; -- uint8_t x75; -- uint8_t x76; -- uint8_t x77; -- uint64_t x78; -- uint8_t x79; -- uint64_t x80; -- uint8_t x81; -- uint64_t x82; -- uint8_t x83; -- uint64_t x84; -- uint8_t x85; -- uint64_t x86; -- uint8_t x87; -- uint64_t x88; -- uint8_t x89; -- uint8_t x90; -- x1 = (arg1[5]); -- x2 = (arg1[4]); -- x3 = (arg1[3]); -- x4 = (arg1[2]); -- x5 = (arg1[1]); -- x6 = (arg1[0]); -- x7 = (uint8_t)(x6 & UINT8_C(0xff)); -- x8 = (x6 >> 8); -- x9 = (uint8_t)(x8 & UINT8_C(0xff)); -- x10 = (x8 >> 8); -- x11 = (uint8_t)(x10 & UINT8_C(0xff)); -- x12 = (x10 >> 8); -- x13 = (uint8_t)(x12 & UINT8_C(0xff)); -- x14 = (x12 >> 8); -- x15 = (uint8_t)(x14 & UINT8_C(0xff)); -- x16 = (x14 >> 8); -- x17 = (uint8_t)(x16 & UINT8_C(0xff)); -- x18 = (x16 >> 8); -- x19 = (uint8_t)(x18 & UINT8_C(0xff)); -- x20 = (uint8_t)(x18 >> 8); -- x21 = (uint8_t)(x5 & UINT8_C(0xff)); -- x22 = (x5 >> 8); -- x23 = (uint8_t)(x22 & UINT8_C(0xff)); -- x24 = (x22 >> 8); -- x25 = (uint8_t)(x24 & UINT8_C(0xff)); -- x26 = (x24 >> 8); -- x27 = (uint8_t)(x26 & UINT8_C(0xff)); -- x28 = (x26 >> 8); -- x29 = (uint8_t)(x28 & UINT8_C(0xff)); -- x30 = (x28 >> 8); -- x31 = (uint8_t)(x30 & UINT8_C(0xff)); -- x32 = (x30 >> 8); -- x33 = (uint8_t)(x32 & UINT8_C(0xff)); -- x34 = (uint8_t)(x32 >> 8); -- x35 = 
(uint8_t)(x4 & UINT8_C(0xff)); -- x36 = (x4 >> 8); -- x37 = (uint8_t)(x36 & UINT8_C(0xff)); -- x38 = (x36 >> 8); -- x39 = (uint8_t)(x38 & UINT8_C(0xff)); -- x40 = (x38 >> 8); -- x41 = (uint8_t)(x40 & UINT8_C(0xff)); -- x42 = (x40 >> 8); -- x43 = (uint8_t)(x42 & UINT8_C(0xff)); -- x44 = (x42 >> 8); -- x45 = (uint8_t)(x44 & UINT8_C(0xff)); -- x46 = (x44 >> 8); -- x47 = (uint8_t)(x46 & UINT8_C(0xff)); -- x48 = (uint8_t)(x46 >> 8); -- x49 = (uint8_t)(x3 & UINT8_C(0xff)); -- x50 = (x3 >> 8); -- x51 = (uint8_t)(x50 & UINT8_C(0xff)); -- x52 = (x50 >> 8); -- x53 = (uint8_t)(x52 & UINT8_C(0xff)); -- x54 = (x52 >> 8); -- x55 = (uint8_t)(x54 & UINT8_C(0xff)); -- x56 = (x54 >> 8); -- x57 = (uint8_t)(x56 & UINT8_C(0xff)); -- x58 = (x56 >> 8); -- x59 = (uint8_t)(x58 & UINT8_C(0xff)); -- x60 = (x58 >> 8); -- x61 = (uint8_t)(x60 & UINT8_C(0xff)); -- x62 = (uint8_t)(x60 >> 8); -- x63 = (uint8_t)(x2 & UINT8_C(0xff)); -- x64 = (x2 >> 8); -- x65 = (uint8_t)(x64 & UINT8_C(0xff)); -- x66 = (x64 >> 8); -- x67 = (uint8_t)(x66 & UINT8_C(0xff)); -- x68 = (x66 >> 8); -- x69 = (uint8_t)(x68 & UINT8_C(0xff)); -- x70 = (x68 >> 8); -- x71 = (uint8_t)(x70 & UINT8_C(0xff)); -- x72 = (x70 >> 8); -- x73 = (uint8_t)(x72 & UINT8_C(0xff)); -- x74 = (x72 >> 8); -- x75 = (uint8_t)(x74 & UINT8_C(0xff)); -- x76 = (uint8_t)(x74 >> 8); -- x77 = (uint8_t)(x1 & UINT8_C(0xff)); -- x78 = (x1 >> 8); -- x79 = (uint8_t)(x78 & UINT8_C(0xff)); -- x80 = (x78 >> 8); -- x81 = (uint8_t)(x80 & UINT8_C(0xff)); -- x82 = (x80 >> 8); -- x83 = (uint8_t)(x82 & UINT8_C(0xff)); -- x84 = (x82 >> 8); -- x85 = (uint8_t)(x84 & UINT8_C(0xff)); -- x86 = (x84 >> 8); -- x87 = (uint8_t)(x86 & UINT8_C(0xff)); -- x88 = (x86 >> 8); -- x89 = (uint8_t)(x88 & UINT8_C(0xff)); -- x90 = (uint8_t)(x88 >> 8); -- out1[0] = x7; -- out1[1] = x9; -- out1[2] = x11; -- out1[3] = x13; -- out1[4] = x15; -- out1[5] = x17; -- out1[6] = x19; -- out1[7] = x20; -- out1[8] = x21; -- out1[9] = x23; -- out1[10] = x25; -- out1[11] = x27; -- out1[12] = x29; -- 
out1[13] = x31; -- out1[14] = x33; -- out1[15] = x34; -- out1[16] = x35; -- out1[17] = x37; -- out1[18] = x39; -- out1[19] = x41; -- out1[20] = x43; -- out1[21] = x45; -- out1[22] = x47; -- out1[23] = x48; -- out1[24] = x49; -- out1[25] = x51; -- out1[26] = x53; -- out1[27] = x55; -- out1[28] = x57; -- out1[29] = x59; -- out1[30] = x61; -- out1[31] = x62; -- out1[32] = x63; -- out1[33] = x65; -- out1[34] = x67; -- out1[35] = x69; -- out1[36] = x71; -- out1[37] = x73; -- out1[38] = x75; -- out1[39] = x76; -- out1[40] = x77; -- out1[41] = x79; -- out1[42] = x81; -- out1[43] = x83; -- out1[44] = x85; -- out1[45] = x87; -- out1[46] = x89; -- out1[47] = x90; --} -+#include "ecl-priv.h" -+#include "secitem.h" -+#include "secerr.h" -+#include "secmpi.h" -+#include "../verified/Hacl_P384.h" - - /* -- * The function fiat_secp384r1_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. -- * -- * Preconditions: -- * 0 ≤ bytes_eval arg1 < m -- * Postconditions: -- * eval out1 mod m = bytes_eval arg1 mod m -- * 0 ≤ eval out1 < m -- * -- * Input Bounds: -- * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] -- * Output Bounds: -- * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -+ * Point Validation for P-384. - */ --static void --fiat_secp384r1_from_bytes(uint64_t out1[6], -- const uint8_t arg1[48]) --{ -- uint64_t x1; -- uint64_t x2; -- uint64_t x3; -- uint64_t x4; -- uint64_t x5; -- uint64_t x6; -- uint64_t x7; -- uint8_t x8; -- uint64_t x9; -- uint64_t x10; -- uint64_t x11; -- uint64_t x12; -- uint64_t x13; -- uint64_t x14; -- uint64_t x15; -- uint8_t x16; -- uint64_t x17; -- uint64_t x18; -- uint64_t x19; -- uint64_t x20; -- uint64_t x21; -- uint64_t x22; -- uint64_t x23; -- uint8_t x24; -- uint64_t x25; -- uint64_t x26; -- uint64_t x27; -- uint64_t x28; -- uint64_t x29; -- uint64_t x30; -- uint64_t x31; -- uint8_t x32; -- uint64_t x33; -- uint64_t x34; -- uint64_t x35; -- uint64_t x36; -- uint64_t x37; -- uint64_t x38; -- uint64_t x39; -- uint8_t x40; -- uint64_t x41; -- uint64_t x42; -- uint64_t x43; -- uint64_t x44; -- uint64_t x45; -- uint64_t x46; -- uint64_t x47; -- uint8_t x48; -- uint64_t x49; -- uint64_t x50; -- uint64_t x51; -- uint64_t x52; -- uint64_t x53; -- uint64_t x54; -- uint64_t x55; -- uint64_t x56; -- uint64_t x57; -- uint64_t x58; -- uint64_t x59; -- uint64_t x60; -- uint64_t x61; -- uint64_t x62; -- uint64_t x63; -- uint64_t x64; -- uint64_t x65; -- uint64_t x66; -- uint64_t x67; -- uint64_t x68; -- uint64_t x69; -- uint64_t x70; -- uint64_t x71; -- uint64_t x72; -- uint64_t x73; -- uint64_t x74; -- uint64_t x75; -- uint64_t x76; -- uint64_t x77; -- uint64_t x78; -- uint64_t x79; -- uint64_t x80; -- uint64_t x81; -- uint64_t x82; -- uint64_t x83; -- uint64_t x84; -- uint64_t x85; -- uint64_t x86; -- uint64_t x87; -- uint64_t x88; -- uint64_t x89; -- uint64_t x90; -- x1 = ((uint64_t)(arg1[47]) << 56); -- x2 = ((uint64_t)(arg1[46]) << 48); -- x3 = ((uint64_t)(arg1[45]) << 40); -- x4 = ((uint64_t)(arg1[44]) << 32); -- x5 = ((uint64_t)(arg1[43]) << 24); -- x6 = ((uint64_t)(arg1[42]) << 16); -- x7 = ((uint64_t)(arg1[41]) << 8); -- x8 = (arg1[40]); -- x9 = 
((uint64_t)(arg1[39]) << 56); -- x10 = ((uint64_t)(arg1[38]) << 48); -- x11 = ((uint64_t)(arg1[37]) << 40); -- x12 = ((uint64_t)(arg1[36]) << 32); -- x13 = ((uint64_t)(arg1[35]) << 24); -- x14 = ((uint64_t)(arg1[34]) << 16); -- x15 = ((uint64_t)(arg1[33]) << 8); -- x16 = (arg1[32]); -- x17 = ((uint64_t)(arg1[31]) << 56); -- x18 = ((uint64_t)(arg1[30]) << 48); -- x19 = ((uint64_t)(arg1[29]) << 40); -- x20 = ((uint64_t)(arg1[28]) << 32); -- x21 = ((uint64_t)(arg1[27]) << 24); -- x22 = ((uint64_t)(arg1[26]) << 16); -- x23 = ((uint64_t)(arg1[25]) << 8); -- x24 = (arg1[24]); -- x25 = ((uint64_t)(arg1[23]) << 56); -- x26 = ((uint64_t)(arg1[22]) << 48); -- x27 = ((uint64_t)(arg1[21]) << 40); -- x28 = ((uint64_t)(arg1[20]) << 32); -- x29 = ((uint64_t)(arg1[19]) << 24); -- x30 = ((uint64_t)(arg1[18]) << 16); -- x31 = ((uint64_t)(arg1[17]) << 8); -- x32 = (arg1[16]); -- x33 = ((uint64_t)(arg1[15]) << 56); -- x34 = ((uint64_t)(arg1[14]) << 48); -- x35 = ((uint64_t)(arg1[13]) << 40); -- x36 = ((uint64_t)(arg1[12]) << 32); -- x37 = ((uint64_t)(arg1[11]) << 24); -- x38 = ((uint64_t)(arg1[10]) << 16); -- x39 = ((uint64_t)(arg1[9]) << 8); -- x40 = (arg1[8]); -- x41 = ((uint64_t)(arg1[7]) << 56); -- x42 = ((uint64_t)(arg1[6]) << 48); -- x43 = ((uint64_t)(arg1[5]) << 40); -- x44 = ((uint64_t)(arg1[4]) << 32); -- x45 = ((uint64_t)(arg1[3]) << 24); -- x46 = ((uint64_t)(arg1[2]) << 16); -- x47 = ((uint64_t)(arg1[1]) << 8); -- x48 = (arg1[0]); -- x49 = (x47 + (uint64_t)x48); -- x50 = (x46 + x49); -- x51 = (x45 + x50); -- x52 = (x44 + x51); -- x53 = (x43 + x52); -- x54 = (x42 + x53); -- x55 = (x41 + x54); -- x56 = (x39 + (uint64_t)x40); -- x57 = (x38 + x56); -- x58 = (x37 + x57); -- x59 = (x36 + x58); -- x60 = (x35 + x59); -- x61 = (x34 + x60); -- x62 = (x33 + x61); -- x63 = (x31 + (uint64_t)x32); -- x64 = (x30 + x63); -- x65 = (x29 + x64); -- x66 = (x28 + x65); -- x67 = (x27 + x66); -- x68 = (x26 + x67); -- x69 = (x25 + x68); -- x70 = (x23 + (uint64_t)x24); -- x71 = (x22 + x70); -- x72 
= (x21 + x71); -- x73 = (x20 + x72); -- x74 = (x19 + x73); -- x75 = (x18 + x74); -- x76 = (x17 + x75); -- x77 = (x15 + (uint64_t)x16); -- x78 = (x14 + x77); -- x79 = (x13 + x78); -- x80 = (x12 + x79); -- x81 = (x11 + x80); -- x82 = (x10 + x81); -- x83 = (x9 + x82); -- x84 = (x7 + (uint64_t)x8); -- x85 = (x6 + x84); -- x86 = (x5 + x85); -- x87 = (x4 + x86); -- x88 = (x3 + x87); -- x89 = (x2 + x88); -- x90 = (x1 + x89); -- out1[0] = x55; -- out1[1] = x62; -- out1[2] = x69; -- out1[3] = x76; -- out1[4] = x83; -- out1[5] = x90; --} - --/* -- * The function fiat_secp384r1_divstep computes a divstep. -- * -- * Preconditions: -- * 0 ≤ eval arg4 < m -- * 0 ≤ eval arg5 < m -- * Postconditions: -- * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) -- * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) -- * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) -- * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) -- * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) -- * 0 ≤ eval out5 < m -- * 0 ≤ eval out5 < m -- * 0 ≤ eval out2 < m -- * 0 ≤ eval out3 < m -- * -- * Input Bounds: -- * arg1: [0x0 ~> 0xffffffffffffffff] -- * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff]] -- * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- * arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- * arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- * Output Bounds: -- * out1: [0x0 ~> 0xffffffffffffffff] -- * out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- * out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- * out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- * out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] -- */ --static void --fiat_secp384r1_divstep( -- uint64_t *out1, uint64_t out2[7], uint64_t out3[7], uint64_t out4[6], -- uint64_t out5[6], uint64_t arg1, const uint64_t arg2[7], -- const uint64_t arg3[7], const uint64_t arg4[6], const uint64_t arg5[6]) -+SECStatus -+ec_secp384r1_pt_validate(const SECItem *pt) - { -- uint64_t x1; -- fiat_secp384r1_uint1 x2; -- fiat_secp384r1_uint1 x3; -- uint64_t x4; -- fiat_secp384r1_uint1 x5; -- uint64_t x6; -- uint64_t x7; -- uint64_t x8; -- uint64_t x9; -- uint64_t x10; -- uint64_t x11; 
-- uint64_t x12; -- uint64_t x13; -- uint64_t x14; -- fiat_secp384r1_uint1 x15; -- uint64_t x16; -- fiat_secp384r1_uint1 x17; -- uint64_t x18; -- fiat_secp384r1_uint1 x19; -- uint64_t x20; -- fiat_secp384r1_uint1 x21; -- uint64_t x22; -- fiat_secp384r1_uint1 x23; -- uint64_t x24; -- fiat_secp384r1_uint1 x25; -- uint64_t x26; -- fiat_secp384r1_uint1 x27; -- uint64_t x28; -- uint64_t x29; -- uint64_t x30; -- uint64_t x31; -- uint64_t x32; -- uint64_t x33; -- uint64_t x34; -- uint64_t x35; -- uint64_t x36; -- uint64_t x37; -- uint64_t x38; -- uint64_t x39; -- uint64_t x40; -- uint64_t x41; -- fiat_secp384r1_uint1 x42; -- uint64_t x43; -- fiat_secp384r1_uint1 x44; -- uint64_t x45; -- fiat_secp384r1_uint1 x46; -- uint64_t x47; -- fiat_secp384r1_uint1 x48; -- uint64_t x49; -- fiat_secp384r1_uint1 x50; -- uint64_t x51; -- fiat_secp384r1_uint1 x52; -- uint64_t x53; -- fiat_secp384r1_uint1 x54; -- uint64_t x55; -- fiat_secp384r1_uint1 x56; -- uint64_t x57; -- fiat_secp384r1_uint1 x58; -- uint64_t x59; -- fiat_secp384r1_uint1 x60; -- uint64_t x61; -- fiat_secp384r1_uint1 x62; -- uint64_t x63; -- fiat_secp384r1_uint1 x64; -- uint64_t x65; -- fiat_secp384r1_uint1 x66; -- uint64_t x67; -- uint64_t x68; -- uint64_t x69; -- uint64_t x70; -- uint64_t x71; -- uint64_t x72; -- uint64_t x73; -- fiat_secp384r1_uint1 x74; -- uint64_t x75; -- fiat_secp384r1_uint1 x76; -- uint64_t x77; -- fiat_secp384r1_uint1 x78; -- uint64_t x79; -- fiat_secp384r1_uint1 x80; -- uint64_t x81; -- fiat_secp384r1_uint1 x82; -- uint64_t x83; -- fiat_secp384r1_uint1 x84; -- uint64_t x85; -- uint64_t x86; -- fiat_secp384r1_uint1 x87; -- uint64_t x88; -- fiat_secp384r1_uint1 x89; -- uint64_t x90; -- fiat_secp384r1_uint1 x91; -- uint64_t x92; -- fiat_secp384r1_uint1 x93; -- uint64_t x94; -- fiat_secp384r1_uint1 x95; -- uint64_t x96; -- fiat_secp384r1_uint1 x97; -- uint64_t x98; -- uint64_t x99; -- uint64_t x100; -- uint64_t x101; -- uint64_t x102; -- uint64_t x103; -- fiat_secp384r1_uint1 x104; -- uint64_t x105; 
-- uint64_t x106; -- uint64_t x107; -- uint64_t x108; -- uint64_t x109; -- uint64_t x110; -- uint64_t x111; -- uint64_t x112; -- fiat_secp384r1_uint1 x113; -- uint64_t x114; -- fiat_secp384r1_uint1 x115; -- uint64_t x116; -- fiat_secp384r1_uint1 x117; -- uint64_t x118; -- fiat_secp384r1_uint1 x119; -- uint64_t x120; -- fiat_secp384r1_uint1 x121; -- uint64_t x122; -- fiat_secp384r1_uint1 x123; -- uint64_t x124; -- fiat_secp384r1_uint1 x125; -- uint64_t x126; -- uint64_t x127; -- uint64_t x128; -- uint64_t x129; -- uint64_t x130; -- uint64_t x131; -- uint64_t x132; -- fiat_secp384r1_uint1 x133; -- uint64_t x134; -- fiat_secp384r1_uint1 x135; -- uint64_t x136; -- fiat_secp384r1_uint1 x137; -- uint64_t x138; -- fiat_secp384r1_uint1 x139; -- uint64_t x140; -- fiat_secp384r1_uint1 x141; -- uint64_t x142; -- fiat_secp384r1_uint1 x143; -- uint64_t x144; -- fiat_secp384r1_uint1 x145; -- uint64_t x146; -- fiat_secp384r1_uint1 x147; -- uint64_t x148; -- fiat_secp384r1_uint1 x149; -- uint64_t x150; -- fiat_secp384r1_uint1 x151; -- uint64_t x152; -- fiat_secp384r1_uint1 x153; -- uint64_t x154; -- fiat_secp384r1_uint1 x155; -- uint64_t x156; -- fiat_secp384r1_uint1 x157; -- uint64_t x158; -- fiat_secp384r1_uint1 x159; -- uint64_t x160; -- uint64_t x161; -- uint64_t x162; -- uint64_t x163; -- uint64_t x164; -- uint64_t x165; -- uint64_t x166; -- uint64_t x167; -- uint64_t x168; -- uint64_t x169; -- uint64_t x170; -- uint64_t x171; -- uint64_t x172; -- uint64_t x173; -- uint64_t x174; -- uint64_t x175; -- uint64_t x176; -- uint64_t x177; -- uint64_t x178; -- fiat_secp384r1_addcarryx_u64(&x1, &x2, 0x0, (~arg1), 0x1); -- x3 = (fiat_secp384r1_uint1)((fiat_secp384r1_uint1)(x1 >> 63) & -- (fiat_secp384r1_uint1)((arg3[0]) & 0x1)); -- fiat_secp384r1_addcarryx_u64(&x4, &x5, 0x0, (~arg1), 0x1); -- fiat_secp384r1_cmovznz_u64(&x6, x3, arg1, x4); -- fiat_secp384r1_cmovznz_u64(&x7, x3, (arg2[0]), (arg3[0])); -- fiat_secp384r1_cmovznz_u64(&x8, x3, (arg2[1]), (arg3[1])); -- 
fiat_secp384r1_cmovznz_u64(&x9, x3, (arg2[2]), (arg3[2])); -- fiat_secp384r1_cmovznz_u64(&x10, x3, (arg2[3]), (arg3[3])); -- fiat_secp384r1_cmovznz_u64(&x11, x3, (arg2[4]), (arg3[4])); -- fiat_secp384r1_cmovznz_u64(&x12, x3, (arg2[5]), (arg3[5])); -- fiat_secp384r1_cmovznz_u64(&x13, x3, (arg2[6]), (arg3[6])); -- fiat_secp384r1_addcarryx_u64(&x14, &x15, 0x0, 0x1, (~(arg2[0]))); -- fiat_secp384r1_addcarryx_u64(&x16, &x17, x15, 0x0, (~(arg2[1]))); -- fiat_secp384r1_addcarryx_u64(&x18, &x19, x17, 0x0, (~(arg2[2]))); -- fiat_secp384r1_addcarryx_u64(&x20, &x21, x19, 0x0, (~(arg2[3]))); -- fiat_secp384r1_addcarryx_u64(&x22, &x23, x21, 0x0, (~(arg2[4]))); -- fiat_secp384r1_addcarryx_u64(&x24, &x25, x23, 0x0, (~(arg2[5]))); -- fiat_secp384r1_addcarryx_u64(&x26, &x27, x25, 0x0, (~(arg2[6]))); -- fiat_secp384r1_cmovznz_u64(&x28, x3, (arg3[0]), x14); -- fiat_secp384r1_cmovznz_u64(&x29, x3, (arg3[1]), x16); -- fiat_secp384r1_cmovznz_u64(&x30, x3, (arg3[2]), x18); -- fiat_secp384r1_cmovznz_u64(&x31, x3, (arg3[3]), x20); -- fiat_secp384r1_cmovznz_u64(&x32, x3, (arg3[4]), x22); -- fiat_secp384r1_cmovznz_u64(&x33, x3, (arg3[5]), x24); -- fiat_secp384r1_cmovznz_u64(&x34, x3, (arg3[6]), x26); -- fiat_secp384r1_cmovznz_u64(&x35, x3, (arg4[0]), (arg5[0])); -- fiat_secp384r1_cmovznz_u64(&x36, x3, (arg4[1]), (arg5[1])); -- fiat_secp384r1_cmovznz_u64(&x37, x3, (arg4[2]), (arg5[2])); -- fiat_secp384r1_cmovznz_u64(&x38, x3, (arg4[3]), (arg5[3])); -- fiat_secp384r1_cmovznz_u64(&x39, x3, (arg4[4]), (arg5[4])); -- fiat_secp384r1_cmovznz_u64(&x40, x3, (arg4[5]), (arg5[5])); -- fiat_secp384r1_addcarryx_u64(&x41, &x42, 0x0, x35, x35); -- fiat_secp384r1_addcarryx_u64(&x43, &x44, x42, x36, x36); -- fiat_secp384r1_addcarryx_u64(&x45, &x46, x44, x37, x37); -- fiat_secp384r1_addcarryx_u64(&x47, &x48, x46, x38, x38); -- fiat_secp384r1_addcarryx_u64(&x49, &x50, x48, x39, x39); -- fiat_secp384r1_addcarryx_u64(&x51, &x52, x50, x40, x40); -- fiat_secp384r1_subborrowx_u64(&x53, &x54, 0x0, x41, 
UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u64(&x55, &x56, x54, x43, -- UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_subborrowx_u64(&x57, &x58, x56, x45, -- UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_subborrowx_u64(&x59, &x60, x58, x47, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x61, &x62, x60, x49, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x63, &x64, x62, x51, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x65, &x66, x64, x52, 0x0); -- x67 = (arg4[5]); -- x68 = (arg4[4]); -- x69 = (arg4[3]); -- x70 = (arg4[2]); -- x71 = (arg4[1]); -- x72 = (arg4[0]); -- fiat_secp384r1_subborrowx_u64(&x73, &x74, 0x0, 0x0, x72); -- fiat_secp384r1_subborrowx_u64(&x75, &x76, x74, 0x0, x71); -- fiat_secp384r1_subborrowx_u64(&x77, &x78, x76, 0x0, x70); -- fiat_secp384r1_subborrowx_u64(&x79, &x80, x78, 0x0, x69); -- fiat_secp384r1_subborrowx_u64(&x81, &x82, x80, 0x0, x68); -- fiat_secp384r1_subborrowx_u64(&x83, &x84, x82, 0x0, x67); -- fiat_secp384r1_cmovznz_u64(&x85, x84, 0x0, UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_addcarryx_u64(&x86, &x87, 0x0, x73, -- (x85 & UINT32_C(0xffffffff))); -- fiat_secp384r1_addcarryx_u64(&x88, &x89, x87, x75, -- (x85 & UINT64_C(0xffffffff00000000))); -- fiat_secp384r1_addcarryx_u64(&x90, &x91, x89, x77, -- (x85 & UINT64_C(0xfffffffffffffffe))); -- fiat_secp384r1_addcarryx_u64(&x92, &x93, x91, x79, x85); -- fiat_secp384r1_addcarryx_u64(&x94, &x95, x93, x81, x85); -- fiat_secp384r1_addcarryx_u64(&x96, &x97, x95, x83, x85); -- fiat_secp384r1_cmovznz_u64(&x98, x3, (arg5[0]), x86); -- fiat_secp384r1_cmovznz_u64(&x99, x3, (arg5[1]), x88); -- fiat_secp384r1_cmovznz_u64(&x100, x3, (arg5[2]), x90); -- fiat_secp384r1_cmovznz_u64(&x101, x3, (arg5[3]), x92); -- fiat_secp384r1_cmovznz_u64(&x102, x3, (arg5[4]), x94); -- fiat_secp384r1_cmovznz_u64(&x103, x3, (arg5[5]), x96); -- x104 = (fiat_secp384r1_uint1)(x28 & 0x1); -- fiat_secp384r1_cmovznz_u64(&x105, x104, 0x0, x7); -- 
fiat_secp384r1_cmovznz_u64(&x106, x104, 0x0, x8); -- fiat_secp384r1_cmovznz_u64(&x107, x104, 0x0, x9); -- fiat_secp384r1_cmovznz_u64(&x108, x104, 0x0, x10); -- fiat_secp384r1_cmovznz_u64(&x109, x104, 0x0, x11); -- fiat_secp384r1_cmovznz_u64(&x110, x104, 0x0, x12); -- fiat_secp384r1_cmovznz_u64(&x111, x104, 0x0, x13); -- fiat_secp384r1_addcarryx_u64(&x112, &x113, 0x0, x28, x105); -- fiat_secp384r1_addcarryx_u64(&x114, &x115, x113, x29, x106); -- fiat_secp384r1_addcarryx_u64(&x116, &x117, x115, x30, x107); -- fiat_secp384r1_addcarryx_u64(&x118, &x119, x117, x31, x108); -- fiat_secp384r1_addcarryx_u64(&x120, &x121, x119, x32, x109); -- fiat_secp384r1_addcarryx_u64(&x122, &x123, x121, x33, x110); -- fiat_secp384r1_addcarryx_u64(&x124, &x125, x123, x34, x111); -- fiat_secp384r1_cmovznz_u64(&x126, x104, 0x0, x35); -- fiat_secp384r1_cmovznz_u64(&x127, x104, 0x0, x36); -- fiat_secp384r1_cmovznz_u64(&x128, x104, 0x0, x37); -- fiat_secp384r1_cmovznz_u64(&x129, x104, 0x0, x38); -- fiat_secp384r1_cmovznz_u64(&x130, x104, 0x0, x39); -- fiat_secp384r1_cmovznz_u64(&x131, x104, 0x0, x40); -- fiat_secp384r1_addcarryx_u64(&x132, &x133, 0x0, x98, x126); -- fiat_secp384r1_addcarryx_u64(&x134, &x135, x133, x99, x127); -- fiat_secp384r1_addcarryx_u64(&x136, &x137, x135, x100, x128); -- fiat_secp384r1_addcarryx_u64(&x138, &x139, x137, x101, x129); -- fiat_secp384r1_addcarryx_u64(&x140, &x141, x139, x102, x130); -- fiat_secp384r1_addcarryx_u64(&x142, &x143, x141, x103, x131); -- fiat_secp384r1_subborrowx_u64(&x144, &x145, 0x0, x132, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u64(&x146, &x147, x145, x134, -- UINT64_C(0xffffffff00000000)); -- fiat_secp384r1_subborrowx_u64(&x148, &x149, x147, x136, -- UINT64_C(0xfffffffffffffffe)); -- fiat_secp384r1_subborrowx_u64(&x150, &x151, x149, x138, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x152, &x153, x151, x140, -- UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x154, &x155, x153, x142, -- 
UINT64_C(0xffffffffffffffff)); -- fiat_secp384r1_subborrowx_u64(&x156, &x157, x155, x143, 0x0); -- fiat_secp384r1_addcarryx_u64(&x158, &x159, 0x0, x6, 0x1); -- x160 = ((x112 >> 1) | ((x114 << 63) & UINT64_C(0xffffffffffffffff))); -- x161 = ((x114 >> 1) | ((x116 << 63) & UINT64_C(0xffffffffffffffff))); -- x162 = ((x116 >> 1) | ((x118 << 63) & UINT64_C(0xffffffffffffffff))); -- x163 = ((x118 >> 1) | ((x120 << 63) & UINT64_C(0xffffffffffffffff))); -- x164 = ((x120 >> 1) | ((x122 << 63) & UINT64_C(0xffffffffffffffff))); -- x165 = ((x122 >> 1) | ((x124 << 63) & UINT64_C(0xffffffffffffffff))); -- x166 = ((x124 & UINT64_C(0x8000000000000000)) | (x124 >> 1)); -- fiat_secp384r1_cmovznz_u64(&x167, x66, x53, x41); -- fiat_secp384r1_cmovznz_u64(&x168, x66, x55, x43); -- fiat_secp384r1_cmovznz_u64(&x169, x66, x57, x45); -- fiat_secp384r1_cmovznz_u64(&x170, x66, x59, x47); -- fiat_secp384r1_cmovznz_u64(&x171, x66, x61, x49); -- fiat_secp384r1_cmovznz_u64(&x172, x66, x63, x51); -- fiat_secp384r1_cmovznz_u64(&x173, x157, x144, x132); -- fiat_secp384r1_cmovznz_u64(&x174, x157, x146, x134); -- fiat_secp384r1_cmovznz_u64(&x175, x157, x148, x136); -- fiat_secp384r1_cmovznz_u64(&x176, x157, x150, x138); -- fiat_secp384r1_cmovznz_u64(&x177, x157, x152, x140); -- fiat_secp384r1_cmovznz_u64(&x178, x157, x154, x142); -- *out1 = x158; -- out2[0] = x7; -- out2[1] = x8; -- out2[2] = x9; -- out2[3] = x10; -- out2[4] = x11; -- out2[5] = x12; -- out2[6] = x13; -- out3[0] = x160; -- out3[1] = x161; -- out3[2] = x162; -- out3[3] = x163; -- out3[4] = x164; -- out3[5] = x165; -- out3[6] = x166; -- out4[0] = x167; -- out4[1] = x168; -- out4[2] = x169; -- out4[3] = x170; -- out4[4] = x171; -- out4[5] = x172; -- out5[0] = x173; -- out5[1] = x174; -- out5[2] = x175; -- out5[3] = x176; -- out5[4] = x177; -- out5[5] = x178; --} -- --/* END verbatim fiat code */ -- --/* curve-related constants */ -- --static const limb_t const_one[6] = { -- UINT64_C(0xFFFFFFFF00000001), UINT64_C(0x00000000FFFFFFFF), -- 
UINT64_C(0x0000000000000001), UINT64_C(0x0000000000000000), -- UINT64_C(0x0000000000000000), UINT64_C(0x0000000000000000) --}; -- --static const limb_t const_b[6] = { -- UINT64_C(0x081188719D412DCC), UINT64_C(0xF729ADD87A4C32EC), -- UINT64_C(0x77F2209B1920022E), UINT64_C(0xE3374BEE94938AE2), -- UINT64_C(0xB62B21F41F022094), UINT64_C(0xCD08114B604FBFF9) --}; -- --static const limb_t const_divstep[6] = { -- UINT64_C(0xFFFFC80000005000), UINT64_C(0xFFFFB3FFFFFF83FF), -- UINT64_C(0xFFFFF7FFFFFFFFFF), UINT64_C(0xFFFFEBFFFFFFEFFF), -- UINT64_C(0x00000BFFFFFFF3FF), UINT64_C(0x0000500000003000) --}; -- --static const limb_t const_psat[6] = { -- UINT64_C(0x00000000FFFFFFFF), UINT64_C(0xFFFFFFFF00000000), -- UINT64_C(0xFFFFFFFFFFFFFFFE), UINT64_C(0xFFFFFFFFFFFFFFFF), -- UINT64_C(0xFFFFFFFFFFFFFFFF), UINT64_C(0xFFFFFFFFFFFFFFFF) --}; -- --/* LUT for scalar multiplication by comb interleaving */ --static const pt_aff_t lut_cmb[21][16] = { -- { -- { { UINT64_C(0x3DD0756649C0B528), UINT64_C(0x20E378E2A0D6CE38), -- UINT64_C(0x879C3AFC541B4D6E), UINT64_C(0x6454868459A30EFF), -- UINT64_C(0x812FF723614EDE2B), UINT64_C(0x4D3AADC2299E1513) }, -- { UINT64_C(0x23043DAD4B03A4FE), UINT64_C(0xA1BFA8BF7BB4A9AC), -- UINT64_C(0x8BADE7562E83B050), UINT64_C(0xC6C3521968F4FFD9), -- UINT64_C(0xDD8002263969A840), UINT64_C(0x2B78ABC25A15C5E9) } }, -- { { UINT64_C(0x05E4DBE6C1DC4073), UINT64_C(0xC54EA9FFF04F779C), -- UINT64_C(0x6B2034E9A170CCF0), UINT64_C(0x3A48D732D51C6C3E), -- UINT64_C(0xE36F7E2D263AA470), UINT64_C(0xD283FE68E7C1C3AC) }, -- { UINT64_C(0x7E284821C04EE157), UINT64_C(0x92D789A77AE0E36D), -- UINT64_C(0x132663C04EF67446), UINT64_C(0x68012D5AD2E1D0B4), -- UINT64_C(0xF6DB68B15102B339), UINT64_C(0x465465FC983292AF) } }, -- { { UINT64_C(0xBB595EBA68F1F0DF), UINT64_C(0xC185C0CBCC873466), -- UINT64_C(0x7F1EB1B5293C703B), UINT64_C(0x60DB2CF5AACC05E6), -- UINT64_C(0xC676B987E2E8E4C6), UINT64_C(0xE1BB26B11D178FFB) }, -- { UINT64_C(0x2B694BA07073FA21), UINT64_C(0x22C16E2E72F34566), -- 
UINT64_C(0x80B61B3101C35B99), UINT64_C(0x4B237FAF982C0411), -- UINT64_C(0xE6C5944024DE236D), UINT64_C(0x4DB1C9D6E209E4A3) } }, -- { { UINT64_C(0xDF13B9D17D69222B), UINT64_C(0x4CE6415F874774B1), -- UINT64_C(0x731EDCF8211FAA95), UINT64_C(0x5F4215D1659753ED), -- UINT64_C(0xF893DB589DB2DF55), UINT64_C(0x932C9F811C89025B) }, -- { UINT64_C(0x0996B2207706A61E), UINT64_C(0x135349D5A8641C79), -- UINT64_C(0x65AAD76F50130844), UINT64_C(0x0FF37C0401FFF780), -- UINT64_C(0xF57F238E693B0706), UINT64_C(0xD90A16B6AF6C9B3E) } }, -- { { UINT64_C(0x2F5D200E2353B92F), UINT64_C(0xE35D87293FD7E4F9), -- UINT64_C(0x26094833A96D745D), UINT64_C(0xDC351DC13CBFFF3F), -- UINT64_C(0x26D464C6DAD54D6A), UINT64_C(0x5CAB1D1D53636C6A) }, -- { UINT64_C(0xF2813072B18EC0B0), UINT64_C(0x3777E270D742AA2F), -- UINT64_C(0x27F061C7033CA7C2), UINT64_C(0xA6ECACCC68EAD0D8), -- UINT64_C(0x7D9429F4EE69A754), UINT64_C(0xE770633431E8F5C6) } }, -- { { UINT64_C(0xC7708B19B68B8C7D), UINT64_C(0x4532077C44377ABA), -- UINT64_C(0x0DCC67706CDAD64F), UINT64_C(0x01B8BF56147B6602), -- UINT64_C(0xF8D89885F0561D79), UINT64_C(0x9C19E9FC7BA9C437) }, -- { UINT64_C(0x764EB146BDC4BA25), UINT64_C(0x604FE46BAC144B83), -- UINT64_C(0x3CE813298A77E780), UINT64_C(0x2E070F36FE9E682E), -- UINT64_C(0x41821D0C3A53287A), UINT64_C(0x9AA62F9F3533F918) } }, -- { { UINT64_C(0x9B7AEB7E75CCBDFB), UINT64_C(0xB25E28C5F6749A95), -- UINT64_C(0x8A7A8E4633B7D4AE), UINT64_C(0xDB5203A8D9C1BD56), -- UINT64_C(0xD2657265ED22DF97), UINT64_C(0xB51C56E18CF23C94) }, -- { UINT64_C(0xF4D394596C3D812D), UINT64_C(0xD8E88F1A87CAE0C2), -- UINT64_C(0x789A2A48CF4D0FE3), UINT64_C(0xB7FEAC2DFEC38D60), -- UINT64_C(0x81FDBD1C3B490EC3), UINT64_C(0x4617ADB7CC6979E1) } }, -- { { UINT64_C(0x446AD8884709F4A9), UINT64_C(0x2B7210E2EC3DABD8), -- UINT64_C(0x83CCF19550E07B34), UINT64_C(0x59500917789B3075), -- UINT64_C(0x0FC01FD4EB085993), UINT64_C(0xFB62D26F4903026B) }, -- { UINT64_C(0x2309CC9D6FE989BB), UINT64_C(0x61609CBD144BD586), -- UINT64_C(0x4B23D3A0DE06610C), 
UINT64_C(0xDDDC2866D898F470), -- UINT64_C(0x8733FC41400C5797), UINT64_C(0x5A68C6FED0BC2716) } }, -- { { UINT64_C(0x8903E1304B4A3CD0), UINT64_C(0x3EA4EA4C8FF1F43E), -- UINT64_C(0xE6FC3F2AF655A10D), UINT64_C(0x7BE3737D524FFEFC), -- UINT64_C(0x9F6928555330455E), UINT64_C(0x524F166EE475CE70) }, -- { UINT64_C(0x3FCC69CD6C12F055), UINT64_C(0x4E23B6FFD5B9C0DA), -- UINT64_C(0x49CE6993336BF183), UINT64_C(0xF87D6D854A54504A), -- UINT64_C(0x25EB5DF1B3C2677A), UINT64_C(0xAC37986F55B164C9) } }, -- { { UINT64_C(0x82A2ED4ABAA84C08), UINT64_C(0x22C4CC5F41A8C912), -- UINT64_C(0xCA109C3B154AAD5E), UINT64_C(0x23891298FC38538E), -- UINT64_C(0xB3B6639C539802AE), UINT64_C(0xFA0F1F450390D706) }, -- { UINT64_C(0x46B78E5DB0DC21D0), UINT64_C(0xA8C72D3CC3DA2EAC), -- UINT64_C(0x9170B3786FF2F643), UINT64_C(0x3F5A799BB67F30C3), -- UINT64_C(0x15D1DC778264B672), UINT64_C(0xA1D47B23E9577764) } }, -- { { UINT64_C(0x08265E510422CE2F), UINT64_C(0x88E0D496DD2F9E21), -- UINT64_C(0x30128AA06177F75D), UINT64_C(0x2E59AB62BD9EBE69), -- UINT64_C(0x1B1A0F6C5DF0E537), UINT64_C(0xAB16C626DAC012B5) }, -- { UINT64_C(0x8014214B008C5DE7), UINT64_C(0xAA740A9E38F17BEA), -- UINT64_C(0x262EBB498A149098), UINT64_C(0xB454111E8527CD59), -- UINT64_C(0x266AD15AACEA5817), UINT64_C(0x21824F411353CCBA) } }, -- { { UINT64_C(0xD1B4E74D12E3683B), UINT64_C(0x990ED20B569B8EF6), -- UINT64_C(0xB9D3DD25429C0A18), UINT64_C(0x1C75B8AB2A351783), -- UINT64_C(0x61E4CA2B905432F0), UINT64_C(0x80826A69EEA8F224) }, -- { UINT64_C(0x7FC33A6BEC52ABAD), UINT64_C(0x0BCCA3F0A65E4813), -- UINT64_C(0x7AD8A132A527CEBE), UINT64_C(0xF0138950EAF22C7E), -- UINT64_C(0x282D2437566718C1), UINT64_C(0x9DFCCB0DE2212559) } }, -- { { UINT64_C(0x1E93722758CE3B83), UINT64_C(0xBB280DFA3CB3FB36), -- UINT64_C(0x57D0F3D2E2BE174A), UINT64_C(0x9BD51B99208ABE1E), -- UINT64_C(0x3809AB50DE248024), UINT64_C(0xC29C6E2CA5BB7331) }, -- { UINT64_C(0x9944FD2E61124F05), UINT64_C(0x83CCBC4E9009E391), -- UINT64_C(0x01628F059424A3CC), UINT64_C(0xD6A2F51DEA8E4344), -- 
UINT64_C(0xDA3E1A3D4CEBC96E), UINT64_C(0x1FE6FB42E97809DC) } }, -- { { UINT64_C(0xA04482D2467D66E4), UINT64_C(0xCF1912934D78291D), -- UINT64_C(0x8E0D4168482396F9), UINT64_C(0x7228E2D5D18F14D0), -- UINT64_C(0x2F7E8D509C6A58FE), UINT64_C(0xE8CA780E373E5AEC) }, -- { UINT64_C(0x42AAD1D61B68E9F8), UINT64_C(0x58A6D7F569E2F8F4), -- UINT64_C(0xD779ADFE31DA1BEA), UINT64_C(0x7D26540638C85A85), -- UINT64_C(0x67E67195D44D3CDF), UINT64_C(0x17820A0BC5134ED7) } }, -- { { UINT64_C(0x019D6AC5D3021470), UINT64_C(0x25846B66780443D6), -- UINT64_C(0xCE3C15ED55C97647), UINT64_C(0x3DC22D490E3FEB0F), -- UINT64_C(0x2065B7CBA7DF26E4), UINT64_C(0xC8B00AE8187CEA1F) }, -- { UINT64_C(0x1A5284A0865DDED3), UINT64_C(0x293C164920C83DE2), -- UINT64_C(0xAB178D26CCE851B3), UINT64_C(0x8E6DB10B404505FB), -- UINT64_C(0xF6F57E7190C82033), UINT64_C(0x1D2A1C015977F16C) } }, -- { { UINT64_C(0xA39C89317C8906A4), UINT64_C(0xB6E7ECDD9E821EE6), -- UINT64_C(0x2ECF8340F0DF4FE6), UINT64_C(0xD42F7DC953C14965), -- UINT64_C(0x1AFB51A3E3BA8285), UINT64_C(0x6C07C4040A3305D1) }, -- { UINT64_C(0xDAB83288127FC1DA), UINT64_C(0xBC0A699B374C4B08), -- UINT64_C(0x402A9BAB42EB20DD), UINT64_C(0xD7DD464F045A7A1C), -- UINT64_C(0x5B3D0D6D36BEECC4), UINT64_C(0x475A3E756398A19D) } }, -- }, -- { -- { { UINT64_C(0x31BDB48372876AE8), UINT64_C(0xE3325D98961ED1BF), -- UINT64_C(0x18C042469B6FC64D), UINT64_C(0x0DCC15FA15786B8C), -- UINT64_C(0x81ACDB068E63DA4A), UINT64_C(0xD3A4B643DADA70FB) }, -- { UINT64_C(0x46361AFEDEA424EB), UINT64_C(0xDC2D2CAE89B92970), -- UINT64_C(0xF389B61B615694E6), UINT64_C(0x7036DEF1872951D2), -- UINT64_C(0x40FD3BDAD93BADC7), UINT64_C(0x45AB6321380A68D3) } }, -- { { UINT64_C(0x23C1F74481A2703A), UINT64_C(0x1A5D075CB9859136), -- UINT64_C(0xA4F82C9D5AFD1BFD), UINT64_C(0xA3D1E9A4F89D76FE), -- UINT64_C(0x964F705075702F80), UINT64_C(0x182BF349F56C089D) }, -- { UINT64_C(0xE205FA8FBE0DA6E1), UINT64_C(0x32905EB90A40F8F3), -- UINT64_C(0x331A1004356D4395), UINT64_C(0x58B78901FDBBDFDE), -- UINT64_C(0xA52A15979BA00E71), 
UINT64_C(0xE0092E1F55497A30) } }, -- { { UINT64_C(0x5562A85670EE8F39), UINT64_C(0x86B0C11764E52A9C), -- UINT64_C(0xC19F317409C75B8C), UINT64_C(0x21C7CC3124923F80), -- UINT64_C(0xE63FE47F8F5B291E), UINT64_C(0x3D6D3C050DC08B05) }, -- { UINT64_C(0x58AE455EEE0C39A1), UINT64_C(0x78BEA4310AD97942), -- UINT64_C(0x42C7C97F3EE3989C), UINT64_C(0xC1B03AF5F38759AE), -- UINT64_C(0x1A673C75BCF46899), UINT64_C(0x4831B7D38D508C7D) } }, -- { { UINT64_C(0x76512D1BC552E354), UINT64_C(0x2B7EB6DF273020FD), -- UINT64_C(0xD1C73AA8025A5F25), UINT64_C(0x2ABA19295CBD2A40), -- UINT64_C(0xB53CADC3C88D61C6), UINT64_C(0x7E66A95E098290F3) }, -- { UINT64_C(0x72800ECBAF4C5073), UINT64_C(0x81F2725E9DC63FAF), -- UINT64_C(0x14BF92A7282BA9D1), UINT64_C(0x90629672BD5F1BB2), -- UINT64_C(0x362F68EBA97C6C96), UINT64_C(0xB1D3BB8B7EA9D601) } }, -- { { UINT64_C(0x73878F7FA9C94429), UINT64_C(0xB35C3BC8456CA6D8), -- UINT64_C(0xD96F0B3CF721923A), UINT64_C(0x28D8F06CE6D44FA1), -- UINT64_C(0x94EFDCDCD5CD671A), UINT64_C(0x0299AB933F97D481) }, -- { UINT64_C(0xB7CED6EA2FD1D324), UINT64_C(0xBD6832087E932EC2), -- UINT64_C(0x24ED31FBCB755A6E), UINT64_C(0xA636098EE48781D2), -- UINT64_C(0x8687C63CF0A4F297), UINT64_C(0xBB52344007478526) } }, -- { { UINT64_C(0x2E5F741934124B56), UINT64_C(0x1F223AE14B3F02CA), -- UINT64_C(0x6345B427E8336C7E), UINT64_C(0x92123E16F5D0E3D0), -- UINT64_C(0xDAF0D14D45E79F3A), UINT64_C(0x6ACA67656F3BD0C6) }, -- { UINT64_C(0xF6169FAB403813F4), UINT64_C(0x31DC39C0334A4C59), -- UINT64_C(0x74C46753D589866D), UINT64_C(0x5741511D984C6A5D), -- UINT64_C(0xF263128797FED2D3), UINT64_C(0x5687CA1B11614886) } }, -- { { UINT64_C(0x076D902A33836D4B), UINT64_C(0xEC6C5C4324AFB557), -- UINT64_C(0xA0FE2D1CA0516A0F), UINT64_C(0x6FB8D73700D22ECC), -- UINT64_C(0xF1DE9077DAF1D7B3), UINT64_C(0xE4695F77D4C0C1EB) }, -- { UINT64_C(0x5F0FD8A8B4375573), UINT64_C(0x762383595E50944F), -- UINT64_C(0x65EA2F28635CD76F), UINT64_C(0x0854776925FDE7B0), -- UINT64_C(0xB2345A2E51944304), UINT64_C(0x86EFA2F7A16C980D) } }, -- { { 
UINT64_C(0x4CCBE2D0BF4D1D63), UINT64_C(0x32E33401397366D5), -- UINT64_C(0xC83AFDDE71BDA2CE), UINT64_C(0x8DACE2AC478ED9E6), -- UINT64_C(0x3AC6A559763FDD9E), UINT64_C(0x0FFDB04CB398558F) }, -- { UINT64_C(0x6C1B99B2AFB9D6B8), UINT64_C(0x572BA39C27F815DD), -- UINT64_C(0x9DE73EE70DBCF842), UINT64_C(0x2A3ED58929267B88), -- UINT64_C(0xD46A7FD315EBBBB3), UINT64_C(0xD1D01863E29400C7) } }, -- { { UINT64_C(0x8FB101D1E1F89EC5), UINT64_C(0xB87A1F53F8508042), -- UINT64_C(0x28C8DB240ED7BEEF), UINT64_C(0x3940F845ACE8660A), -- UINT64_C(0x4EACB619C6D453FD), UINT64_C(0x2E044C982BAD6160) }, -- { UINT64_C(0x8792854880B16C02), UINT64_C(0xF0D4BEB3C0A9EB64), -- UINT64_C(0xD785B4AFC183C195), UINT64_C(0x23AAB0E65E6C46EA), -- UINT64_C(0x30F7E104A930FECA), UINT64_C(0x6A1A7B8BD55C10FB) } }, -- { { UINT64_C(0xDA74EAEBDBFED1AA), UINT64_C(0xC8A59223DF0B025C), -- UINT64_C(0x7EF7DC85D5B627F7), UINT64_C(0x02A13AE1197D7624), -- UINT64_C(0x119E9BE12F785A9B), UINT64_C(0xC0B7572F00D6B219) }, -- { UINT64_C(0x9B1E51266D4CAF30), UINT64_C(0xA16A51170A840BD1), -- UINT64_C(0x5BE17B910E9CCF43), UINT64_C(0x5BDBEDDD69CF2C9C), -- UINT64_C(0x9FFBFBCF4CF4F289), UINT64_C(0xE1A621836C355CE9) } }, -- { { UINT64_C(0x056199D9A7B2FCCF), UINT64_C(0x51F2E7B6CE1D784E), -- UINT64_C(0xA1D09C47339E2FF0), UINT64_C(0xC8E64890B836D0A9), -- UINT64_C(0x2F781DCBC0D07EBE), UINT64_C(0x5CF3C2AD3ACF934C) }, -- { UINT64_C(0xE55DB190A17E26AE), UINT64_C(0xC9C61E1F91245513), -- UINT64_C(0x83D7E6CF61998C15), UINT64_C(0x4DB33C85E41D38E3), -- UINT64_C(0x74D5F91DC2FEE43D), UINT64_C(0x7EBBDB4536BBC826) } }, -- { { UINT64_C(0xE20EC7E9CB655A9D), UINT64_C(0x4977EB925C47D421), -- UINT64_C(0xA237E12C3B9D72FA), UINT64_C(0xCAAEDBC1CBF7B145), -- UINT64_C(0x5200F5B23B77AAA3), UINT64_C(0x32EDED55BDBE5380) }, -- { UINT64_C(0x74E38A40E7C9B80A), UINT64_C(0x3A3F0CF8AB6DE911), -- UINT64_C(0x56DCDD7AAD16AAF0), UINT64_C(0x3D2924498E861D5E), -- UINT64_C(0xD6C61878985733E2), UINT64_C(0x2401FE7D6AA6CD5B) } }, -- { { UINT64_C(0xABB3DC75B42E3686), 
UINT64_C(0xAE712419B4C57E61), -- UINT64_C(0x2C565F72B21B009B), UINT64_C(0xA5F1DA2E710C3699), -- UINT64_C(0x771099A0A5EBA59A), UINT64_C(0x4DA88F4AC10017A0) }, -- { UINT64_C(0x987FFFD31927B56D), UINT64_C(0xB98CB8ECC4E33478), -- UINT64_C(0xB224A971C2248166), UINT64_C(0x5470F554DE1DC794), -- UINT64_C(0xD747CC24E31FF983), UINT64_C(0xB91745E9B5B22DAE) } }, -- { { UINT64_C(0x6CCBFED072F34420), UINT64_C(0x95045E4DA53039D2), -- UINT64_C(0x3B6C11545A793944), UINT64_C(0xAA114145DDB6B799), -- UINT64_C(0xABC15CA4252B7637), UINT64_C(0x5745A35BA5744634) }, -- { UINT64_C(0x05DC6BDEDA596FC0), UINT64_C(0xCD52C18CA8020881), -- UINT64_C(0x03FA9F47D296BAD0), UINT64_C(0xD8E2C1297268E139), -- UINT64_C(0x58C1A98D9EC450B0), UINT64_C(0x909638DADE48B20D) } }, -- { { UINT64_C(0x7AFC30D49B7F8311), UINT64_C(0x82A0042242368EA3), -- UINT64_C(0xBFF951986F5F9865), UINT64_C(0x9B24F612FC0A070F), -- UINT64_C(0x22C06CF2620F489D), UINT64_C(0x3C7ED052780F7DBB) }, -- { UINT64_C(0xDB87AB1834DAFE9B), UINT64_C(0x20C03B409C4BBCA1), -- UINT64_C(0x5D718CF059A42341), UINT64_C(0x9863170669E84538), -- UINT64_C(0x5557192BD27D64E1), UINT64_C(0x08B4EC52DA822766) } }, -- { { UINT64_C(0xB2D986F6D66C1A59), UINT64_C(0x927DEB1678E0E423), -- UINT64_C(0x9E673CDE49C3DEDC), UINT64_C(0xFA362D84F7ECB6CF), -- UINT64_C(0x078E5F401BA17340), UINT64_C(0x934CA5D11F4E489C) }, -- { UINT64_C(0xC03C073164EEF493), UINT64_C(0x631A353BD7931A7E), -- UINT64_C(0x8E7CC3BB65DD74F1), UINT64_C(0xD55864C5702676A5), -- UINT64_C(0x6D306AC4439F04BD), UINT64_C(0x58544F672BAFED57) } }, -- }, -- { -- { { UINT64_C(0xB083BA6AEC074AEA), UINT64_C(0x46FAC5EF7F0B505B), -- UINT64_C(0x95367A21FC82DC03), UINT64_C(0x227BE26A9D3679D8), -- UINT64_C(0xC70F6D6C7E9724C0), UINT64_C(0xCD68C757F9EBEC0F) }, -- { UINT64_C(0x29DDE03E8FF321B2), UINT64_C(0xF84AD7BB031939DC), -- UINT64_C(0xDAF590C90F602F4B), UINT64_C(0x17C5288849722BC4), -- UINT64_C(0xA8DF99F0089B22B6), UINT64_C(0xC21BC5D4E59B9B90) } }, -- { { UINT64_C(0x4936C6A08A31973F), UINT64_C(0x54D442FA83B8C205), -- 
UINT64_C(0x03AEE8B45714F2C6), UINT64_C(0x139BD6923F5AC25A), -- UINT64_C(0x6A2E42BAB5B33794), UINT64_C(0x50FA11643FF7BBA9) }, -- { UINT64_C(0xB61D8643F7E2C099), UINT64_C(0x2366C993BD5C6637), -- UINT64_C(0x62110E1472EB77FA), UINT64_C(0x3D5B96F13B99C635), -- UINT64_C(0x956ECF64F674C9F2), UINT64_C(0xC56F7E51EF2BA250) } }, -- { { UINT64_C(0x246FFCB6FF602C1B), UINT64_C(0x1E1A1D746E1258E0), -- UINT64_C(0xB4B43AE2250E6676), UINT64_C(0x95C1B5F0924CE5FA), -- UINT64_C(0x2555795BEBD8C776), UINT64_C(0x4C1E03DCACD9D9D0) }, -- { UINT64_C(0xE1D74AA69CE90C61), UINT64_C(0xA88C0769A9C4B9F9), -- UINT64_C(0xDF74DF2795AF56DE), UINT64_C(0x24B10C5FB331B6F4), -- UINT64_C(0xB0A6DF9A6559E137), UINT64_C(0x6ACC1B8FC06637F2) } }, -- { { UINT64_C(0xBD8C086834B4E381), UINT64_C(0x278CACC730DFF271), -- UINT64_C(0x87ED12DE02459389), UINT64_C(0x3F7D98FFDEF840B6), -- UINT64_C(0x71EEE0CB5F0B56E1), UINT64_C(0x462B5C9BD8D9BE87) }, -- { UINT64_C(0xE6B50B5A98094C0F), UINT64_C(0x26F3B274508C67CE), -- UINT64_C(0x418B1BD17CB1F992), UINT64_C(0x607818ED4FF11827), -- UINT64_C(0xE630D93A9B042C63), UINT64_C(0x38B9EFF38C779AE3) } }, -- { { UINT64_C(0xE8767D36729C5431), UINT64_C(0xA8BD07C0BB94642C), -- UINT64_C(0x0C11FC8E58F2E5B2), UINT64_C(0xD8912D48547533FE), -- UINT64_C(0xAAE14F5E230D91FB), UINT64_C(0xC122051A676DFBA0) }, -- { UINT64_C(0x9ED4501F5EA93078), UINT64_C(0x2758515CBD4BEE0A), -- UINT64_C(0x97733C6C94D21F52), UINT64_C(0x139BCD6D4AD306A2), -- UINT64_C(0x0AAECBDC298123CC), UINT64_C(0x102B8A311CB7C7C9) } }, -- { { UINT64_C(0x22A28E59FAF46675), UINT64_C(0x1075730810A31E7D), -- UINT64_C(0xC7EEAC842B4C2F4F), UINT64_C(0xBA370148B5EF5184), -- UINT64_C(0x4A5A28668732E055), UINT64_C(0x14B8DCDCB887C36F) }, -- { UINT64_C(0xDBA8C85C433F093D), UINT64_C(0x73DF549D1C9A201C), -- UINT64_C(0x69AA0D7B70F927D8), UINT64_C(0xFA3A8685D7D2493A), -- UINT64_C(0x6F48A2550A7F4013), UINT64_C(0xD20C8BF9DD393067) } }, -- { { UINT64_C(0x4EC874EA81625E78), UINT64_C(0x8B8D8B5A3FBE9267), -- UINT64_C(0xA3D9D1649421EC2F), 
UINT64_C(0x490E92D9880EA295), -- UINT64_C(0x745D1EDCD8F3B6DA), UINT64_C(0x0116628B8F18BA03) }, -- { UINT64_C(0x0FF6BCE0834EADCE), UINT64_C(0x464697F2000827F7), -- UINT64_C(0x08DCCF84498D724E), UINT64_C(0x7896D3651E88304C), -- UINT64_C(0xE63EBCCE135E3622), UINT64_C(0xFB942E8EDC007521) } }, -- { { UINT64_C(0xBB155A66A3688621), UINT64_C(0xED2FD7CDF91B52A3), -- UINT64_C(0x52798F5DEA20CB88), UINT64_C(0x069CE105373F7DD8), -- UINT64_C(0xF9392EC78CA78F6B), UINT64_C(0xB3013E256B335169) }, -- { UINT64_C(0x1D92F8006B11715C), UINT64_C(0xADD4050EFF9DC464), -- UINT64_C(0x2AC226598465B84A), UINT64_C(0x2729D646465B2BD6), -- UINT64_C(0x6202344AE4EFF9DD), UINT64_C(0x51F3198FCD9B90B9) } }, -- { { UINT64_C(0x17CE54EFE5F0AE1D), UINT64_C(0x984E8204B09852AF), -- UINT64_C(0x3365B37AC4B27A71), UINT64_C(0x720E3152A00E0A9C), -- UINT64_C(0x3692F70D925BD606), UINT64_C(0xBE6E699D7BC7E9AB) }, -- { UINT64_C(0xD75C041F4C89A3C0), UINT64_C(0x8B9F592D8DC100C0), -- UINT64_C(0x30750F3AAD228F71), UINT64_C(0x1B9ECF84E8B17A11), -- UINT64_C(0xDF2025620FBFA8A2), UINT64_C(0x45C811FCAA1B6D67) } }, -- { { UINT64_C(0xEC5B84B71A5151F8), UINT64_C(0x118E59E8550AB2D2), -- UINT64_C(0x2CCDEDA4049BD735), UINT64_C(0xC99CBA719CD62F0F), -- UINT64_C(0x69B8040A62C9E4F8), UINT64_C(0x16F1A31A110B8283) }, -- { UINT64_C(0x53F6380298E908A3), UINT64_C(0x308CB6EFD862F9DE), -- UINT64_C(0xE185DAD8A521A95A), UINT64_C(0x4D8FE9A4097F75CA), -- UINT64_C(0xD1ECCEC71CA07D53), UINT64_C(0x13DFA1DC0DB07E83) } }, -- { { UINT64_C(0xDDAF9DC60F591A76), UINT64_C(0xE1A6D7CC1685F412), -- UINT64_C(0x153DE557002B6E8D), UINT64_C(0x730C38BCC6DA37D9), -- UINT64_C(0xAE1806220914B597), UINT64_C(0x84F98103DD8C3A0A) }, -- { UINT64_C(0x369C53988DA205B0), UINT64_C(0xA3D95B813888A720), -- UINT64_C(0x1F3F8BBFE10E2806), UINT64_C(0x48663DF54530D1F3), -- UINT64_C(0x320523B43E377713), UINT64_C(0xE8B1A575C7894814) } }, -- { { UINT64_C(0x330668712EE8EA07), UINT64_C(0xC6FB4EC560DA199D), -- UINT64_C(0x33231860F4370A05), UINT64_C(0x7ABECE72C6DE4E26), -- 
UINT64_C(0xDE8D4BD8EBDECE7A), UINT64_C(0xC90EE6571CBE93C7) }, -- { UINT64_C(0x0246751B85AC2509), UINT64_C(0xD0EF142C30380245), -- UINT64_C(0x086DF9C47C76E39C), UINT64_C(0x68F1304FB789FB56), -- UINT64_C(0x23E4CB98A5E4BD56), UINT64_C(0x69A4C63C64663DCA) } }, -- { { UINT64_C(0x6C72B6AF7CB34E63), UINT64_C(0x073C40CD6DFC23FE), -- UINT64_C(0xBDEEE7A1C936693A), UINT64_C(0xBC858E806EFAD378), -- UINT64_C(0xEAD719FFF5BE55D4), UINT64_C(0xC8C3238F04552F5F) }, -- { UINT64_C(0x0952C068928D5784), UINT64_C(0x89DFDF2294C58F2B), -- UINT64_C(0x332DEDF367502C50), UINT64_C(0x3ED2FA3AAC0BE258), -- UINT64_C(0xAEDC9B8A7C5C8244), UINT64_C(0x43A761B9DC0EA34F) } }, -- { { UINT64_C(0x8FD683A2CC5E21A5), UINT64_C(0x5F444C6EFBA2BB68), -- UINT64_C(0x709ACD0EAF05586D), UINT64_C(0x8EFA54D2DE8FB348), -- UINT64_C(0x35276B7134CFE29E), UINT64_C(0x77A06FCD941EAC8C) }, -- { UINT64_C(0x5815792D928322DD), UINT64_C(0x82FF356B67F7CB59), -- UINT64_C(0x71E40A78304980F4), UINT64_C(0xC8645C273667D021), -- UINT64_C(0xE785741CAEBAE28F), UINT64_C(0xB2C1BC7553ECAC37) } }, -- { { UINT64_C(0x633EB24F1D0A74DB), UINT64_C(0xF1F55E56FA752512), -- UINT64_C(0x75FECA688EFE11DE), UINT64_C(0xC80FD91CE6BF19EC), -- UINT64_C(0xAD0BAFEC2A14C908), UINT64_C(0x4E1C4ACAADE4031F) }, -- { UINT64_C(0x463A815B1EB1549A), UINT64_C(0x5AD4253C668F1298), -- UINT64_C(0x5CB3866238A37151), UINT64_C(0x34BB1CCFAFF16B96), -- UINT64_C(0xDCA93B13EE731AB0), UINT64_C(0x9F3CE5CC9BE01A0B) } }, -- { { UINT64_C(0x75DB5723A110D331), UINT64_C(0x67C66F6A7123D89F), -- UINT64_C(0x27ABBD4B4009D570), UINT64_C(0xACDA6F84C73451BC), -- UINT64_C(0xE4B9A23905575ACF), UINT64_C(0x3C2DB7EFAB2D3D6C) }, -- { UINT64_C(0x01CCDD0829115145), UINT64_C(0x9E0602FE57B5814A), -- UINT64_C(0x679B35C287862838), UINT64_C(0x0277DC4C38AD598D), -- UINT64_C(0xEF80A2136D896DD4), UINT64_C(0xC8812213E7B9047B) } }, -- }, -- { -- { { UINT64_C(0xAC6DBDF6EDC9CE62), UINT64_C(0xA58F5B440F9C006E), -- UINT64_C(0x16694DE3DC28E1B0), UINT64_C(0x2D039CF2A6647711), -- UINT64_C(0xA13BBE6FC5B08B4B), 
UINT64_C(0xE44DA93010EBD8CE) }, -- { UINT64_C(0xCD47208719649A16), UINT64_C(0xE18F4E44683E5DF1), -- UINT64_C(0xB3F66303929BFA28), UINT64_C(0x7C378E43818249BF), -- UINT64_C(0x76068C80847F7CD9), UINT64_C(0xEE3DB6D1987EBA16) } }, -- { { UINT64_C(0xCBBD8576C42A2F52), UINT64_C(0x9ACC6F709D2B06BB), -- UINT64_C(0xE5CB56202E6B72A4), UINT64_C(0x5738EA0E7C024443), -- UINT64_C(0x8ED06170B55368F3), UINT64_C(0xE54C99BB1AEED44F) }, -- { UINT64_C(0x3D90A6B2E2E0D8B2), UINT64_C(0x21718977CF7B2856), -- UINT64_C(0x089093DCC5612AEC), UINT64_C(0xC272EF6F99C1BACC), -- UINT64_C(0x47DB3B43DC43EAAD), UINT64_C(0x730F30E40832D891) } }, -- { { UINT64_C(0x9FFE55630C7FECDB), UINT64_C(0x55CC67B6F88101E5), -- UINT64_C(0x3039F981CBEFA3C7), UINT64_C(0x2AB06883667BFD64), -- UINT64_C(0x9007A2574340E3DF), UINT64_C(0x1AC3F3FA5A3A49CA) }, -- { UINT64_C(0x9C7BE629C97E20FD), UINT64_C(0xF61823D3A3DAE003), -- UINT64_C(0xFFE7FF39E7380DBA), UINT64_C(0x620BB9B59FACC3B8), -- UINT64_C(0x2DDCB8CD31AE422C), UINT64_C(0x1DE3BCFAD12C3C43) } }, -- { { UINT64_C(0x8C074946D6E0F9A9), UINT64_C(0x662FA99551C3B05B), -- UINT64_C(0x6CDAE96904BB2048), UINT64_C(0x6DEC9594D6DC8B60), -- UINT64_C(0x8D26586954438BBC), UINT64_C(0x88E983E31B0E95A5) }, -- { UINT64_C(0x8189F11460CBF838), UINT64_C(0x77190697771DC46B), -- UINT64_C(0x775775A227F8EC1A), UINT64_C(0x7A125240607E3739), -- UINT64_C(0xAFAE84E74F793E4E), UINT64_C(0x44FA17F35BF5BAF4) } }, -- { { UINT64_C(0xA21E69A5D03AC439), UINT64_C(0x2069C5FC88AA8094), -- UINT64_C(0xB041EEA78C08F206), UINT64_C(0x55B9D4613D65B8ED), -- UINT64_C(0x951EA25CD392C7C4), UINT64_C(0x4B9A1CEC9D166232) }, -- { UINT64_C(0xC184FCD8FCF931A4), UINT64_C(0xBA59AD44063AD374), -- UINT64_C(0x1868AD2A1AA9796F), UINT64_C(0x38A34018DFF29832), -- UINT64_C(0x01FC880103DF8070), UINT64_C(0x1282CCE048DD334A) } }, -- { { UINT64_C(0x76AA955726D8503C), UINT64_C(0xBE962B636BC3E3D0), -- UINT64_C(0xF5CA93E597DE8841), UINT64_C(0x1561B05EAF3F2C16), -- UINT64_C(0x34BE00AAD34BFF98), UINT64_C(0xEA21E6E9D23D2925) }, -- { 
UINT64_C(0x55713230394C3AFB), UINT64_C(0xEAF0529BD6C8BECA), -- UINT64_C(0xFF38A743202B9A11), UINT64_C(0xA13E39FC6D3A398B), -- UINT64_C(0x8CBD644B86E2615A), UINT64_C(0x92063988191057EC) } }, -- { { UINT64_C(0x787835CE13F89146), UINT64_C(0x7FCD42CC69446C3F), -- UINT64_C(0x0DA2AA98840E679D), UINT64_C(0x44F2052318779A1B), -- UINT64_C(0xE3A3B34FEFBF5935), UINT64_C(0xA5D2CFD0B9947B70) }, -- { UINT64_C(0xAE2AF4EF27F4E16F), UINT64_C(0xA7FA70D2B9D21322), -- UINT64_C(0x68084919B3FD566B), UINT64_C(0xF04D71C8D7AAD6AB), -- UINT64_C(0xDBEA21E410BC4260), UINT64_C(0xAA7DC6658D949B42) } }, -- { { UINT64_C(0xD8E958A06CCB8213), UINT64_C(0x118D9DB991900B54), -- UINT64_C(0x09BB9D4985E8CED6), UINT64_C(0x410E9FB524019281), -- UINT64_C(0x3B31B4E16D74C86E), UINT64_C(0x52BC0252020BB77D) }, -- { UINT64_C(0x5616A26F27092CE4), UINT64_C(0x67774DBCA08F65CD), -- UINT64_C(0x560AD494C08BD569), UINT64_C(0xBE26DA36AD498783), -- UINT64_C(0x0276C8AB7F019C91), UINT64_C(0x09843ADA5248266E) } }, -- { { UINT64_C(0xA0AE88A77D963CF2), UINT64_C(0x91EF8986D0E84920), -- UINT64_C(0xC7EFE344F8C58104), UINT64_C(0x0A25D9FDECA20773), -- UINT64_C(0x9D989FAA00D8F1D5), UINT64_C(0x4204C8CEC8B06264) }, -- { UINT64_C(0x717C12E0BE1A2796), UINT64_C(0x1FA4BA8CC190C728), -- UINT64_C(0xA245CA8D8C8A59BA), UINT64_C(0xE3C374757672B935), -- UINT64_C(0x083D5E402E4D6375), UINT64_C(0x0B8D5AB35455E16E) } }, -- { { UINT64_C(0x1DB17DBFEED765D4), UINT64_C(0xBBC9B1BEA5DDB965), -- UINT64_C(0x1948F76DDFC12ABC), UINT64_C(0x2C2714E5134EF489), -- UINT64_C(0x60CE2EE8741C600F), UINT64_C(0x32396F22F80E6E63) }, -- { UINT64_C(0x421DAC7522537F59), UINT64_C(0x58FB73C649475DF5), -- UINT64_C(0x0ABF28856F18F1C7), UINT64_C(0x364744689A398D16), -- UINT64_C(0x87A661A7BF673B87), UINT64_C(0x3E80698F73819E17) } }, -- { { UINT64_C(0xDFE4979353784CC4), UINT64_C(0x4280EAB0486D508F), -- UINT64_C(0x119593FFE534F5A4), UINT64_C(0x98AEFADD9F63242F), -- UINT64_C(0x9AE6A24AC4829CAE), UINT64_C(0xF2373CA558E8BA80) }, -- { UINT64_C(0x4017AF7E51765FB3), 
UINT64_C(0xD1E40F7CAF4AEC4B), -- UINT64_C(0x87372C7A0898E3BC), UINT64_C(0x688982B285452CA9), -- UINT64_C(0x71E0B4BFB1E50BCA), UINT64_C(0x21FD2DBFF70E714A) } }, -- { { UINT64_C(0xEE6E8820FB78DDAC), UINT64_C(0x0BAED29C063892CD), -- UINT64_C(0x5F33049C28C0588D), UINT64_C(0x90C2515E18DBC432), -- UINT64_C(0xB8A1B1433B4CB0BD), UINT64_C(0x0AB5C0C968103043) }, -- { UINT64_C(0xF3788FA04005EC40), UINT64_C(0x82571C99039EE115), -- UINT64_C(0xEE8FCED593260BED), UINT64_C(0x5A9BAF7910836D18), -- UINT64_C(0x7C258B09C46AA4F6), UINT64_C(0x46ECC5E837F53D31) } }, -- { { UINT64_C(0xFA32C0DCBFE0DD98), UINT64_C(0x66EFAFC4962B1066), -- UINT64_C(0xBA81D33E64BDF5EB), UINT64_C(0x36C28536FC7FC512), -- UINT64_C(0x0C95176BE0B4FA97), UINT64_C(0x47DDE29B3B9BC64A) }, -- { UINT64_C(0x08D986FD5C173B36), UINT64_C(0x46D84B526CF3F28C), -- UINT64_C(0x6F6ED6C3F026BDB9), UINT64_C(0xAC90668B68206DC5), -- UINT64_C(0xE8ED5D98ECBE4E70), UINT64_C(0xCFFF61DDDC1A6974) } }, -- { { UINT64_C(0xFF5C3A2977B1A5C1), UINT64_C(0x10C27E4A0DDF995D), -- UINT64_C(0xCB745F77E23363E3), UINT64_C(0xD765DF6F32F399A3), -- UINT64_C(0xF0CA0C2F8A99E109), UINT64_C(0xC3A6BFB71E025CA0) }, -- { UINT64_C(0x830B2C0A4F9D9FA5), UINT64_C(0xAE914CACBD1A84E5), -- UINT64_C(0x30B35ED8A4FEBCC1), UINT64_C(0xCB902B4684CFBF2E), -- UINT64_C(0x0BD4762825FC6375), UINT64_C(0xA858A53C85509D04) } }, -- { { UINT64_C(0x8B995D0C552E0A3F), UINT64_C(0xEDBD4E9417BE9FF7), -- UINT64_C(0x3432E83995085178), UINT64_C(0x0FE5C18180C256F5), -- UINT64_C(0x05A64EA8EBF9597C), UINT64_C(0x6ED44BB13F80371F) }, -- { UINT64_C(0x6A29A05EFE4C12EE), UINT64_C(0x3E436A43E0BB83B3), -- UINT64_C(0x38365D9A74D72921), UINT64_C(0x3F5EE823C38E1ED7), -- UINT64_C(0x09A53213E8FA063F), UINT64_C(0x1E7FE47AB435E713) } }, -- { { UINT64_C(0xE4D9BC94FDDD17F3), UINT64_C(0xC74B8FEDC1016C20), -- UINT64_C(0x095DE39BB49C060E), UINT64_C(0xDBCC67958AC0DF00), -- UINT64_C(0x4CF6BAEB1C34F4DF), UINT64_C(0x72C55C21E8390170) }, -- { UINT64_C(0x4F17BFD2F6C48E79), UINT64_C(0x18BF4DA0017A80BA), -- 
UINT64_C(0xCF51D829BCF4B138), UINT64_C(0x598AEE5FF48F8B0D), -- UINT64_C(0x83FAEE5620F10809), UINT64_C(0x4615D4DC779F0850) } }, -- }, -- { -- { { UINT64_C(0x22313DEE5852B59B), UINT64_C(0x6F56C8E8B6A0B37F), -- UINT64_C(0x43D6EEAEA76EC380), UINT64_C(0xA16551360275AD36), -- UINT64_C(0xE5C1B65ADF095BDA), UINT64_C(0xBD1FFA8D367C44B0) }, -- { UINT64_C(0xE2B419C26B48AF2B), UINT64_C(0x57BBBD973DA194C8), -- UINT64_C(0xB5FBE51FA2BAFF05), UINT64_C(0xA0594D706269B5D0), -- UINT64_C(0x0B07B70523E8D667), UINT64_C(0xAE1976B563E016E7) } }, -- { { UINT64_C(0x2FDE4893FBECAAAE), UINT64_C(0x444346DE30332229), -- UINT64_C(0x157B8A5B09456ED5), UINT64_C(0x73606A7925797C6C), -- UINT64_C(0xA9D0F47C33C14C06), UINT64_C(0x7BC8962CFAF971CA) }, -- { UINT64_C(0x6E763C5165909DFD), UINT64_C(0x1BBBE41B14A9BF42), -- UINT64_C(0xD95B7ECBC49E9EFC), UINT64_C(0x0C317927B38F2B59), -- UINT64_C(0x97912B53B3C397DB), UINT64_C(0xCB3879AA45C7ABC7) } }, -- { { UINT64_C(0xCD81BDCF24359B81), UINT64_C(0x6FD326E2DB4C321C), -- UINT64_C(0x4CB0228BF8EBE39C), UINT64_C(0x496A9DCEB2CDD852), -- UINT64_C(0x0F115A1AD0E9B3AF), UINT64_C(0xAA08BF36D8EEEF8A) }, -- { UINT64_C(0x5232A51506E5E739), UINT64_C(0x21FAE9D58407A551), -- UINT64_C(0x289D18B08994B4E8), UINT64_C(0xB4E346A809097A52), -- UINT64_C(0xC641510F324621D0), UINT64_C(0xC567FD4A95A41AB8) } }, -- { { UINT64_C(0x261578C7D57C8DE9), UINT64_C(0xB9BC491F3836C5C8), -- UINT64_C(0x993266B414C8038F), UINT64_C(0xBACAD755FAA7CC39), -- UINT64_C(0x418C4DEFD69B7E27), UINT64_C(0x53FDC5CDAE751533) }, -- { UINT64_C(0x6F3BD329C3EEA63A), UINT64_C(0xA7A22091E53DD29E), -- UINT64_C(0xB7164F73DC4C54EC), UINT64_C(0xCA66290D44D3D74E), -- UINT64_C(0xF77C62424C9EA511), UINT64_C(0x34337F551F714C49) } }, -- { { UINT64_C(0x5ED2B216A64B6C4B), UINT64_C(0x1C38794F3AAE640D), -- UINT64_C(0x30BBAEE08905794F), UINT64_C(0x0D9EE41EC8699CFB), -- UINT64_C(0xAF38DAF2CF7B7C29), UINT64_C(0x0D6A05CA43E53513) }, -- { UINT64_C(0xBE96C6442606AB56), UINT64_C(0x13E7A072E9EB9734), -- UINT64_C(0xF96694455FF50CD7), 
UINT64_C(0x68EF26B547DA6F1D), -- UINT64_C(0xF002873823687CB7), UINT64_C(0x5ED9C8766217C1CE) } }, -- { { UINT64_C(0x423BA5130A3A9691), UINT64_C(0xF421B1E7B3179296), -- UINT64_C(0x6B51BCDB1A871E1B), UINT64_C(0x6E3BB5B5464E4300), -- UINT64_C(0x24171E2EFC6C54CC), UINT64_C(0xA9DFA947D3E58DC2) }, -- { UINT64_C(0x175B33099DE9CFA7), UINT64_C(0x707B25292D1015DA), -- UINT64_C(0xCBB95F17993EA65A), UINT64_C(0x935150630447450D), -- UINT64_C(0x0F47B2051B2753C9), UINT64_C(0x4A0BAB14E7D427CF) } }, -- { { UINT64_C(0xA39DEF39B5AA7CA1), UINT64_C(0x591CB173C47C33DF), -- UINT64_C(0xA09DAC796BBAB872), UINT64_C(0x3EF9D7CF7208BA2F), -- UINT64_C(0x3CC189317A0A34FC), UINT64_C(0xAE31C62BBCC3380F) }, -- { UINT64_C(0xD72A67940287C0B4), UINT64_C(0x3373382C68E334F1), -- UINT64_C(0xD0310CA8BD20C6A6), UINT64_C(0xA2734B8742C033FD), -- UINT64_C(0xA5D390F18DCE4509), UINT64_C(0xFC84E74B3E1AFCB5) } }, -- { { UINT64_C(0xB028334DF2CD8A9C), UINT64_C(0xB8719291570F76F6), -- UINT64_C(0x662A386E01065A2D), UINT64_C(0xDF1634CB53D940AE), -- UINT64_C(0x625A7B838F5B41F9), UINT64_C(0xA033E4FEEE6AA1B4) }, -- { UINT64_C(0x51E9D4631E42BABB), UINT64_C(0x660BC2E40D388468), -- UINT64_C(0x3F702189FCBB114A), UINT64_C(0x6B46FE35B414CA78), -- UINT64_C(0x328F6CF24A57316B), UINT64_C(0x917423B5381AD156) } }, -- { { UINT64_C(0xAC19306E5373A607), UINT64_C(0x471DF8E3191D0969), -- UINT64_C(0x380ADE35B9720D83), UINT64_C(0x7423FDF548F1FD5C), -- UINT64_C(0x8B090C9F49CABC95), UINT64_C(0xB768E8CDC9842F2F) }, -- { UINT64_C(0x399F456DE56162D6), UINT64_C(0xBB6BA2404F326791), -- UINT64_C(0x8F4FBA3B342590BE), UINT64_C(0x053986B93DFB6B3E), -- UINT64_C(0xBB6739F1190C7425), UINT64_C(0x32D4A55332F7E95F) } }, -- { { UINT64_C(0x0205A0EC0DDBFB21), UINT64_C(0x3010327D33AC3407), -- UINT64_C(0xCF2F4DB33348999B), UINT64_C(0x660DB9F41551604A), -- UINT64_C(0xC346C69A5D38D335), UINT64_C(0x64AAB3D338882479) }, -- { UINT64_C(0xA096B5E76AE44403), UINT64_C(0x6B4C9571645F76CD), -- UINT64_C(0x72E1CD5F4711120F), UINT64_C(0x93EC42ACF27CC3E1), -- 
UINT64_C(0x2D18D004A72ABB12), UINT64_C(0x232E9568C9841A04) } }, -- { { UINT64_C(0xFF01DB223CC7F908), UINT64_C(0x9F214F8FD13CDD3B), -- UINT64_C(0x38DADBB7E0B014B5), UINT64_C(0x2C548CCC94245C95), -- UINT64_C(0x714BE331809AFCE3), UINT64_C(0xBCC644109BFE957E) }, -- { UINT64_C(0xC21C2D215B957F80), UINT64_C(0xBA2D4FDCBB8A4C42), -- UINT64_C(0xFA6CD4AF74817CEC), UINT64_C(0x9E7FB523C528EAD6), -- UINT64_C(0xAED781FF7714B10E), UINT64_C(0xB52BB59294F04455) } }, -- { { UINT64_C(0xA578BD69868CC68B), UINT64_C(0xA40FDC8D603F2C08), -- UINT64_C(0x53D79BD12D81B042), UINT64_C(0x1B136AF3A7587EAB), -- UINT64_C(0x1ED4F939868A16DB), UINT64_C(0x775A61FBD0B98273) }, -- { UINT64_C(0xBA5C12A6E56BEF8C), UINT64_C(0xF926CE52DDDC8595), -- UINT64_C(0xA13F5C8F586FE1F8), UINT64_C(0xEAC9F7F2060DBB54), -- UINT64_C(0x70C0AC3A51AF4342), UINT64_C(0xC16E303C79CDA450) } }, -- { { UINT64_C(0xD0DADD6C8113F4EA), UINT64_C(0xF14E392207BDF09F), -- UINT64_C(0x3FE5E9C2AA7D877C), UINT64_C(0x9EA95C1948779264), -- UINT64_C(0xE93F65A74FCB8344), UINT64_C(0x9F40837E76D925A4) }, -- { UINT64_C(0x0EA6DA3F8271FFC7), UINT64_C(0x557FA529CC8F9B19), -- UINT64_C(0x2613DBF178E6DDFD), UINT64_C(0x7A7523B836B1E954), -- UINT64_C(0x20EB3168406A87FB), UINT64_C(0x64C21C1403ABA56A) } }, -- { { UINT64_C(0xE86C9C2DC032DD5F), UINT64_C(0x158CEB8E86F16A21), -- UINT64_C(0x0279FF5368326AF1), UINT64_C(0x1FFE2E2B59F12BA5), -- UINT64_C(0xD75A46DB86826D45), UINT64_C(0xE19B48411E33E6AC) }, -- { UINT64_C(0x5F0CC5240E52991C), UINT64_C(0x645871F98B116286), -- UINT64_C(0xAB3B4B1EFCAEC5D3), UINT64_C(0x994C8DF051D0F698), -- UINT64_C(0x06F890AFE5D13040), UINT64_C(0x72D9DC235F96C7C2) } }, -- { { UINT64_C(0x7C018DEEE7886A80), UINT64_C(0xFA2093308786E4A3), -- UINT64_C(0xCEC8E2A3A4415CA1), UINT64_C(0x5C736FC1CC83CC60), -- UINT64_C(0xFEF9788CF00C259F), UINT64_C(0xED5C01CBDD29A6AD) }, -- { UINT64_C(0x87834A033E20825B), UINT64_C(0x13B1239D123F9358), -- UINT64_C(0x7E8869D0FBC286C1), UINT64_C(0xC4AB5AA324CE8609), -- UINT64_C(0x38716BEEB6349208), 
UINT64_C(0x0BDF4F99B322AE21) } }, -- { { UINT64_C(0x6B97A2BF53E3494B), UINT64_C(0xA8AA05C570F7A13E), -- UINT64_C(0x209709C2F1305B51), UINT64_C(0x57B31888DAB76F2C), -- UINT64_C(0x75B2ECD7AA2A406A), UINT64_C(0x88801A00A35374A4) }, -- { UINT64_C(0xE1458D1C45C0471B), UINT64_C(0x5760E306322C1AB0), -- UINT64_C(0x789A0AF1AD6AB0A6), UINT64_C(0x74398DE1F458B9CE), -- UINT64_C(0x1652FF9F32E0C65F), UINT64_C(0xFAF1F9D5FFFB3A52) } }, -- }, -- { -- { { UINT64_C(0xA05C751CD1D1B007), UINT64_C(0x016C213B0213E478), -- UINT64_C(0x9C56E26CF4C98FEE), UINT64_C(0x6084F8B9E7B3A7C7), -- UINT64_C(0xA0B042F6DECC1646), UINT64_C(0x4A6F3C1AFBF3A0BC) }, -- { UINT64_C(0x94524C2C51C9F909), UINT64_C(0xF3B3AD403A6D3748), -- UINT64_C(0x18792D6E7CE1F9F5), UINT64_C(0x8EBC2FD7FC0C34FA), -- UINT64_C(0x032A9F41780A1693), UINT64_C(0x34F9801E56A60019) } }, -- { { UINT64_C(0xB398290CF0DB3751), UINT64_C(0x01170580BA42C976), -- UINT64_C(0x3E71AA2956560B89), UINT64_C(0x80817AAC50E6647B), -- UINT64_C(0x35C833ADA0BE42DA), UINT64_C(0xFA3C6148F1BABA4E) }, -- { UINT64_C(0xC57BE645CD8F6253), UINT64_C(0x77CEE46BC657AD0D), -- UINT64_C(0x830077310DEFD908), UINT64_C(0x92FE9BCE899CBA56), -- UINT64_C(0x48450EC4BCEFFB5A), UINT64_C(0xE615148DF2F5F4BF) } }, -- { { UINT64_C(0xF55EDABB90B86166), UINT64_C(0x27F7D784075430A2), -- UINT64_C(0xF53E822B9BF17161), UINT64_C(0x4A5B3B93AFE808DC), -- UINT64_C(0x590BBBDED7272F55), UINT64_C(0x233D63FAEAEA79A1) }, -- { UINT64_C(0xD7042BEAFE1EBA07), UINT64_C(0xD2B9AEA010750D7E), -- UINT64_C(0xD8D1E69031078AA5), UINT64_C(0x9E837F187E37BC8B), -- UINT64_C(0x9558FF4F85008975), UINT64_C(0x93EDB837421FE867) } }, -- { { UINT64_C(0xAA6489DF83D55B5A), UINT64_C(0xEA092E4986BF27F7), -- UINT64_C(0x4D8943A95FA2EFEC), UINT64_C(0xC9BAAE53720E1A8C), -- UINT64_C(0xC055444B95A4F8A3), UINT64_C(0x93BD01E8A7C1206B) }, -- { UINT64_C(0xD97765B6714A27DF), UINT64_C(0xD622D954193F1B16), -- UINT64_C(0x115CC35AF1503B15), UINT64_C(0x1DD5359FA9FA21F8), -- UINT64_C(0x197C32996DFED1F1), UINT64_C(0xDEE8B7C9F77F2679) } }, -- { 
{ UINT64_C(0x5405179F394FD855), UINT64_C(0xC9D6E24449FDFB33), -- UINT64_C(0x70EBCAB4BD903393), UINT64_C(0x0D3A3899A2C56780), -- UINT64_C(0x012C7256683D1A0A), UINT64_C(0xC688FC8880A48F3B) }, -- { UINT64_C(0x180957546F7DF527), UINT64_C(0x9E339B4B71315D16), -- UINT64_C(0x90560C28A956BB12), UINT64_C(0x2BECEA60D42EEE8D), -- UINT64_C(0x82AEB9A750632653), UINT64_C(0xED34353EDFA5CD6A) } }, -- { { UINT64_C(0x82154D2C91AECCE4), UINT64_C(0x312C60705041887F), -- UINT64_C(0xECF589F3FB9FBD71), UINT64_C(0x67660A7DB524BDE4), -- UINT64_C(0xE99B029D724ACF23), UINT64_C(0xDF06E4AF6D1CD891) }, -- { UINT64_C(0x07806CB580EE304D), UINT64_C(0x0C70BB9F7443A8F8), -- UINT64_C(0x01EC341408B0830A), UINT64_C(0xFD7B63C35A81510B), -- UINT64_C(0xE90A0A39453B5F93), UINT64_C(0xAB700F8F9BC71725) } }, -- { { UINT64_C(0x9401AEC2B9F00793), UINT64_C(0x064EC4F4B997F0BF), -- UINT64_C(0xDC0CC1FD849240C8), UINT64_C(0x39A75F37B6E92D72), -- UINT64_C(0xAA43CA5D0224A4AB), UINT64_C(0x9C4D632554614C47) }, -- { UINT64_C(0x1767366FC6709DA3), UINT64_C(0xA6B482D123479232), -- UINT64_C(0x54DC6DDC84D63E85), UINT64_C(0x0ACCB5ADC99D3B9E), -- UINT64_C(0x211716BBE8AA3ABF), UINT64_C(0xD0FE25AD69EC6406) } }, -- { { UINT64_C(0x0D5C1769DF85C705), UINT64_C(0x7086C93DA409DCD1), -- UINT64_C(0x9710839D0E8D75D8), UINT64_C(0x17B7DB75EBDD4177), -- UINT64_C(0xAF69EB58F649A809), UINT64_C(0x6EF19EA28A84E220) }, -- { UINT64_C(0x36EB5C6665C278B2), UINT64_C(0xD2A1512881EA9D65), -- UINT64_C(0x4FCBA840769300AD), UINT64_C(0xC2052CCDC8E536E5), -- UINT64_C(0x9CAEE014AC263B8F), UINT64_C(0x56F7ED7AF9239663) } }, -- { { UINT64_C(0xF6FA251FAC9E09E1), UINT64_C(0xA3775605955A2853), -- UINT64_C(0x977B8D21F2A4BD78), UINT64_C(0xF68AA7FF3E096410), -- UINT64_C(0x01AB055265F88419), UINT64_C(0xC4C8D77EBB93F64E) }, -- { UINT64_C(0x718251113451FE64), UINT64_C(0xFA0F905B46F9BAF0), -- UINT64_C(0x79BE3BF3CA49EF1A), UINT64_C(0x831109B26CB02071), -- UINT64_C(0x765F935FC4DDBFE5), UINT64_C(0x6F99CD1480E5A3BA) } }, -- { { UINT64_C(0xD2E8DA04234F91FF), 
UINT64_C(0x4DED4D6D813867AA), -- UINT64_C(0x3B50175DE0A0D945), UINT64_C(0x55AC74064EB78137), -- UINT64_C(0xE9FA7F6EE1D47730), UINT64_C(0x2C1715315CBF2176) }, -- { UINT64_C(0xA521788F2BE7A47D), UINT64_C(0x95B15A273FCF1AB3), -- UINT64_C(0xAADA6401F28A946A), UINT64_C(0x628B2EF48B4E898B), -- UINT64_C(0x0E6F46296D6592CC), UINT64_C(0x997C7094A723CADD) } }, -- { { UINT64_C(0x878BCE116AFE80C6), UINT64_C(0xA89ABC9D007BBA38), -- UINT64_C(0xB0C1F87BA7CC267F), UINT64_C(0x86D33B9D5104FF04), -- UINT64_C(0xB0504B1B2EF1BA42), UINT64_C(0x21693048B2827E88) }, -- { UINT64_C(0x11F1CCD579CFCD14), UINT64_C(0x59C09FFA94AD227E), -- UINT64_C(0x95A4ADCB3EA91ACF), UINT64_C(0x1346238BB4370BAA), -- UINT64_C(0xB099D2023E1367B0), UINT64_C(0xCF5BBDE690F23CEA) } }, -- { { UINT64_C(0x453299BBBCB3BE5E), UINT64_C(0x123C588E38E9FF97), -- UINT64_C(0x8C115DD9F6A2E521), UINT64_C(0x6E333C11FF7D4B98), -- UINT64_C(0x9DD061E5DA73E736), UINT64_C(0xC6AB7B3A5CA53056) }, -- { UINT64_C(0xF1EF3EE35B30A76B), UINT64_C(0xADD6B44A961BA11F), -- UINT64_C(0x7BB00B752CA6E030), UINT64_C(0x270272E82FE270AD), -- UINT64_C(0x23BC6F4F241A9239), UINT64_C(0x88581E130BB94A94) } }, -- { { UINT64_C(0xBD225A6924EEF67F), UINT64_C(0x7CFD96140412CEB7), -- UINT64_C(0xF6DE167999AC298E), UINT64_C(0xB20FD895ED6C3571), -- UINT64_C(0x03C73B7861836C56), UINT64_C(0xEE3C3A16ABA6CB34) }, -- { UINT64_C(0x9E8C56674138408A), UINT64_C(0xEC25FCB12DD6EBDF), -- UINT64_C(0xC54C33FDDBBDF6E3), UINT64_C(0x93E0913B4A3C9DD4), -- UINT64_C(0x66D7D13535EDEED4), UINT64_C(0xD29A36C4453FB66E) } }, -- { { UINT64_C(0x7F192F039F1943AF), UINT64_C(0x6488163F4E0B5FB0), -- UINT64_C(0x66A45C6953599226), UINT64_C(0x924E2E439AD15A73), -- UINT64_C(0x8B553DB742A99D76), UINT64_C(0x4BC6B53B0451F521) }, -- { UINT64_C(0xC029B5EF101F8AD6), UINT64_C(0x6A4DA71CC507EED9), -- UINT64_C(0x3ADFAEC030BB22F3), UINT64_C(0x81BCAF7AB514F85B), -- UINT64_C(0x2E1E6EFF5A7E60D3), UINT64_C(0x5270ABC0AE39D42F) } }, -- { { UINT64_C(0x86D56DEB3901F0F8), UINT64_C(0x1D0BC792EED5F650), -- 
UINT64_C(0x1A2DDFD8CA1114A3), UINT64_C(0x94ABF4B1F1DD316D), -- UINT64_C(0xF72179E43D9F18EF), UINT64_C(0x52A0921E9AA2CABF) }, -- { UINT64_C(0xECDA9E27A7452883), UINT64_C(0x7E90850AAFD771B4), -- UINT64_C(0xD40F87EA9CC0465C), UINT64_C(0x8CFCB60A865CDA36), -- UINT64_C(0x3DBEC2CC7C650942), UINT64_C(0x071A4EE7E718CA9D) } }, -- { { UINT64_C(0x73C0E4FF276AC5F3), UINT64_C(0xE7BA5A6ABDB97EA1), -- UINT64_C(0x638CA54EC5808398), UINT64_C(0x8258DC82413855E5), -- UINT64_C(0x35DDD2E957F07614), UINT64_C(0xF98DD6921DC13BF9) }, -- { UINT64_C(0x3A4C0088F16DCD84), UINT64_C(0xF192EADD833D83F9), -- UINT64_C(0x3C26C931A6D61D29), UINT64_C(0x589FDD52DE0AD7A1), -- UINT64_C(0x7CD83DD20442D37F), UINT64_C(0x1E47E777403ECBFC) } }, -- }, -- { -- { { UINT64_C(0x2AF8ED8170D4D7BC), UINT64_C(0xABC3E15FB632435C), -- UINT64_C(0x4C0E726F78219356), UINT64_C(0x8C1962A1B87254C4), -- UINT64_C(0x30796A71C9E7691A), UINT64_C(0xD453EF19A75A12EE) }, -- { UINT64_C(0x535F42C213AE4964), UINT64_C(0x86831C3C0DA9586A), -- UINT64_C(0xB7F1EF35E39A7A58), UINT64_C(0xA2789AE2D459B91A), -- UINT64_C(0xEADBCA7F02FD429D), UINT64_C(0x94F215D465290F57) } }, -- { { UINT64_C(0x37ED2BE51CFB79AC), UINT64_C(0x801946F3E7AF84C3), -- UINT64_C(0xB061AD8AE77C2F00), UINT64_C(0xE87E1A9A44DE16A8), -- UINT64_C(0xDF4F57C87EE490FF), UINT64_C(0x4E793B49005993ED) }, -- { UINT64_C(0xE1036387BCCB593F), UINT64_C(0xF174941195E09B80), -- UINT64_C(0x59CB20D15AB42F91), UINT64_C(0xA738A18DAC0FF033), -- UINT64_C(0xDA501A2E2AC1E7F4), UINT64_C(0x1B67EDA084D8A6E0) } }, -- { { UINT64_C(0x1D27EFCE1080E90B), UINT64_C(0xA28152463FD01DC6), -- UINT64_C(0x99A3FB83CAA26D18), UINT64_C(0xD27E6133B82BABBE), -- UINT64_C(0x61030DFDD783DD60), UINT64_C(0x295A291373C78CB8) }, -- { UINT64_C(0x8707A2CF68BE6A92), UINT64_C(0xC9C2FB98EEB3474A), -- UINT64_C(0x7C3FD412A2B176B8), UINT64_C(0xD5B52E2FC7202101), -- UINT64_C(0x24A63030F0A6D536), UINT64_C(0x05842DE304648EC0) } }, -- { { UINT64_C(0x67477CDC30577AC9), UINT64_C(0x51DD9775244F92A8), -- UINT64_C(0x31FD60B9917EEC66), 
UINT64_C(0xACD95BD4D66C5C1D), -- UINT64_C(0x2E0551F3BF9508BA), UINT64_C(0x121168E1688CB243) }, -- { UINT64_C(0x8C0397404540D230), UINT64_C(0xC4ED3CF6009ECDF9), -- UINT64_C(0x191825E144DB62AF), UINT64_C(0x3EE8ACABC4A030DA), -- UINT64_C(0x8AB154A894081504), UINT64_C(0x1FE09E4B486C9CD0) } }, -- { { UINT64_C(0x512F82F9D113450B), UINT64_C(0x5878C9012DBC9197), -- UINT64_C(0xDB87412BE13F355B), UINT64_C(0x0A0A4A9B935B8A5E), -- UINT64_C(0x818587BDF25A5351), UINT64_C(0xE807931031E3D9C7) }, -- { UINT64_C(0x8B1D47C7611BC1B1), UINT64_C(0x51722B5872A823F2), -- UINT64_C(0x6F97EE8A53B36B3E), UINT64_C(0x6E085AAC946DD453), -- UINT64_C(0x2EC5057DE65E6533), UINT64_C(0xF82D9D714BB18801) } }, -- { { UINT64_C(0xAD81FA938BA5AA8E), UINT64_C(0x723E628E8F7AA69E), -- UINT64_C(0x0BA7C2DEEF35937C), UINT64_C(0x83A43EC56DECFB40), -- UINT64_C(0xF520F849E60C4F2D), UINT64_C(0x8260E8AE457E3B5E) }, -- { UINT64_C(0x7CE874F0BF1D9ED7), UINT64_C(0x5FDE35537F1A5466), -- UINT64_C(0x5A63777C0C162DBB), UINT64_C(0x0FD04F8CDAD87289), -- UINT64_C(0xCA2D9E0E640761D5), UINT64_C(0x4615CFF838501ADB) } }, -- { { UINT64_C(0x9422789B110B4A25), UINT64_C(0x5C26779F70AD8CC1), -- UINT64_C(0x4EE6A748EC4F1E14), UINT64_C(0xFB584A0D5C7AB5E0), -- UINT64_C(0xED1DCB0BFB21EE66), UINT64_C(0xDBED1F0011C6863C) }, -- { UINT64_C(0xD2969269B1B1D187), UINT64_C(0xF7D0C3F2AFE964E6), -- UINT64_C(0xE05EE93F12BB865E), UINT64_C(0x1AFB7BEEED79118E), -- UINT64_C(0x220AF1380F0FE453), UINT64_C(0x1463AA1A52782AB9) } }, -- { { UINT64_C(0x7C139D56D7DBE5F9), UINT64_C(0xFC16E6110B83685B), -- UINT64_C(0xFA723C029018463C), UINT64_C(0xC472458C840BF5D7), -- UINT64_C(0x4D8093590AF07591), UINT64_C(0x418D88303308DFD9) }, -- { UINT64_C(0x9B381E040C365AE3), UINT64_C(0x3780BF33F8190FD1), -- UINT64_C(0x45397418DD03E854), UINT64_C(0xA95D030F4E51E491), -- UINT64_C(0x87C8C686E3286CEA), UINT64_C(0x01C773BF900B5F83) } }, -- { { UINT64_C(0xDABE347578673B02), UINT64_C(0x4F0F25CEF6E7395E), -- UINT64_C(0x3117ABB9D181AD45), UINT64_C(0x4B559F88AA13DE0B), -- 
UINT64_C(0xFD8EFE78EA7C9745), UINT64_C(0x080600475DD21682) }, -- { UINT64_C(0xC0F5DE4BD4C86FFC), UINT64_C(0x4BB14B1EF21AB6A2), -- UINT64_C(0xACB53A6CF50C1D12), UINT64_C(0x46AAC4505CC9162E), -- UINT64_C(0x049C51E02DE240B6), UINT64_C(0xBB2DC016E383C3B0) } }, -- { { UINT64_C(0xA3C56AD28E438C92), UINT64_C(0x7C43F98FB2CEAF1A), -- UINT64_C(0x397C44F7E2150778), UINT64_C(0x48D17AB771A24131), -- UINT64_C(0xCC5138631E2ACDA9), UINT64_C(0x2C76A55EF0C9BAC9) }, -- { UINT64_C(0x4D74CDCE7EA4BB7B), UINT64_C(0x834BD5BFB1B3C2BA), -- UINT64_C(0x46E2911ECCC310A4), UINT64_C(0xD3DE84AA0FC1BF13), -- UINT64_C(0x27F2892F80A03AD3), UINT64_C(0x85B476203BD2F08B) } }, -- { { UINT64_C(0xAB1CB818567AF533), UINT64_C(0x273B4537BAC2705A), -- UINT64_C(0x133066C422C84AB6), UINT64_C(0xC3590DE64830BFC1), -- UINT64_C(0xEA2978695E4742D0), UINT64_C(0xF6D8C6944F3164C0) }, -- { UINT64_C(0x09E85F3DC1249588), UINT64_C(0x6C2BB05D4EC64DF7), -- UINT64_C(0xD267115E8B78000F), UINT64_C(0x07C5D7AEC7E4A316), -- UINT64_C(0xCB1187BA4619E5BD), UINT64_C(0x57B1D4EFA43F7EEE) } }, -- { { UINT64_C(0x3618891FC8176A96), UINT64_C(0x62C4B084E5808B97), -- UINT64_C(0xDE5585464DD95D6E), UINT64_C(0x27A8133E730B2EA4), -- UINT64_C(0xE07CEEC36AF318A0), UINT64_C(0x0ACC1286CE24FD2C) }, -- { UINT64_C(0x8A48FE4ADD4D307C), UINT64_C(0x71A9BA9C18CDE0DA), -- UINT64_C(0x655E2B66D5D79747), UINT64_C(0x409FE856A79AEDC7), -- UINT64_C(0xC5A9F244D287E5CF), UINT64_C(0xCCE103844E82EC39) } }, -- { { UINT64_C(0x00675BA7F25D364C), UINT64_C(0x7A7F162968D36BDF), -- UINT64_C(0x35EC468AA9E23F29), UINT64_C(0xF797AC502D926E6C), -- UINT64_C(0x639BA4534B4F4376), UINT64_C(0xD71B430F51FF9519) }, -- { UINT64_C(0xB8C439EC2CF5635C), UINT64_C(0x0CE4C8D181980393), -- UINT64_C(0x4C5362A964123B15), UINT64_C(0x6E0421E0FFDCF096), -- UINT64_C(0x624A855F10D1F914), UINT64_C(0x7D8F3AB7614DCD29) } }, -- { { UINT64_C(0xD9219ADAB3493CE0), UINT64_C(0x971B243A52F09AE5), -- UINT64_C(0xC16C9BF8E24E3674), UINT64_C(0x026D408DCE68C7CD), -- UINT64_C(0xF9B33DD9358209E3), 
UINT64_C(0x02D0595DF3B2A206) }, -- { UINT64_C(0xBF99427160D15640), UINT64_C(0x6DA7A04E15B5466A), -- UINT64_C(0x03AA4ED81CADB50D), UINT64_C(0x1548F029129A4253), -- UINT64_C(0x41741F7EB842865A), UINT64_C(0x859FE0A4A3F88C98) } }, -- { { UINT64_C(0x80DE085A05FD7553), UINT64_C(0x4A4AB91EB897566B), -- UINT64_C(0x33BCD4752F1C173F), UINT64_C(0x4E238896C100C013), -- UINT64_C(0x1C88500DD614B34B), UINT64_C(0x0401C5F6C3BA9E23) }, -- { UINT64_C(0x8E8003C4D0AF0DE5), UINT64_C(0x19B1DFB59D0DCBB9), -- UINT64_C(0x4A3640A9EBEF7AB6), UINT64_C(0xEDAFD65B959B15F6), -- UINT64_C(0x8092EF7F7FB95821), UINT64_C(0xAB8DD52ECE2E45D1) } }, -- { { UINT64_C(0xD1F2D6B8B9CFE6BF), UINT64_C(0x6358810B00073F6F), -- UINT64_C(0x5FCE5993D712106E), UINT64_C(0x5EE6B2711C024C91), -- UINT64_C(0xD0248FF5453DB663), UINT64_C(0xD6D81CB2ADB835E8) }, -- { UINT64_C(0x8696CFECFDFCB4C7), UINT64_C(0x696B7FCB53BC9045), -- UINT64_C(0xAB4D3807DDA56981), UINT64_C(0x2F9980521E4B943B), -- UINT64_C(0x8AA76ADB166B7F18), UINT64_C(0x6393430152A2D7ED) } }, -- }, -- { -- { { UINT64_C(0xBBCCCE39A368EFF6), UINT64_C(0xD8CAABDF8CEB5C43), -- UINT64_C(0x9EAE35A5D2252FDA), UINT64_C(0xA8F4F20954E7DD49), -- UINT64_C(0xA56D72A6295100FD), UINT64_C(0x20FC1FE856767727) }, -- { UINT64_C(0xBF60B2480BBAA5AB), UINT64_C(0xA4F3CE5A313911F2), -- UINT64_C(0xC2A67AD4B93DAB9C), UINT64_C(0x18CD0ED022D71F39), -- UINT64_C(0x04380C425F304DB2), UINT64_C(0x26420CBB6729C821) } }, -- { { UINT64_C(0x26BD07D6BDFBCAE8), UINT64_C(0x10B5173FDF01A80A), -- UINT64_C(0xD831C5466798B96C), UINT64_C(0x1D6B41081D3F3859), -- UINT64_C(0x501D38EC991B9EC7), UINT64_C(0x26319283D78431A9) }, -- { UINT64_C(0x8B85BAF7118B343C), UINT64_C(0x4696CDDD58DEF7D0), -- UINT64_C(0xEFC7C1107ACDCF58), UINT64_C(0xD9AF415C848D5842), -- UINT64_C(0x6B5A06BC0AC7FDAC), UINT64_C(0x7D623E0DA344319B) } }, -- { { UINT64_C(0x4C0D78060C9D3547), UINT64_C(0x993F048DCF2AED47), -- UINT64_C(0x5217C453E4B57E22), UINT64_C(0xB4669E35F4172B28), -- UINT64_C(0x509A3CD049F999F8), UINT64_C(0xD19F863287C69D41) }, -- { 
UINT64_C(0xE14D01E84C8FDED0), UINT64_C(0x342880FDEAFD9E1C), -- UINT64_C(0x0E17BFF270DC2BF0), UINT64_C(0x46560B7BC0186400), -- UINT64_C(0xE28C7B9C49A4DD34), UINT64_C(0x182119160F325D06) } }, -- { { UINT64_C(0x46D70888D7E02E18), UINT64_C(0x7C806954D9F11FD9), -- UINT64_C(0xE4948FCA4FBEA271), UINT64_C(0x7D6C7765BD80A9DF), -- UINT64_C(0x1B470EA6F3871C71), UINT64_C(0xD62DE2448330A570) }, -- { UINT64_C(0xDAECDDC1C659C3A7), UINT64_C(0x8621E513077F7AFC), -- UINT64_C(0x56C7CD84CAEEEF13), UINT64_C(0xC60C910FC685A356), -- UINT64_C(0xE68BC5C59DD93DDC), UINT64_C(0xD904E89FFEB64895) } }, -- { { UINT64_C(0x75D874FB8BA7917A), UINT64_C(0x18FA7F53FD043BD4), -- UINT64_C(0x212A0AD71FC3979E), UINT64_C(0x5703A7D95D6EAC0E), -- UINT64_C(0x222F7188017DEAD5), UINT64_C(0x1EC687B70F6C1817) }, -- { UINT64_C(0x23412FC3238BACB6), UINT64_C(0xB85D70E954CED154), -- UINT64_C(0xD4E06722BDA674D0), UINT64_C(0x3EA5F17836F5A0C2), -- UINT64_C(0x7E7D79CFF5C6D2CA), UINT64_C(0x1FFF94643DBB3C73) } }, -- { { UINT64_C(0x916E19D0F163E4A8), UINT64_C(0x1E6740E71489DF17), -- UINT64_C(0x1EAF9723339F3A47), UINT64_C(0x22F0ED1A124B8DAD), -- UINT64_C(0x39C9166C49C3DD04), UINT64_C(0x628E7FD4CE1E9ACC) }, -- { UINT64_C(0x124DDF2740031676), UINT64_C(0x002569391EDDB9BE), -- UINT64_C(0xD39E25E7D360B0DA), UINT64_C(0x6E3015A84AA6C4C9), -- UINT64_C(0xC6A2F643623EDA09), UINT64_C(0xBEFF2D1250AA99FB) } }, -- { { UINT64_C(0x1FEEF7CE93EE8089), UINT64_C(0xC6B180BC252DD7BD), -- UINT64_C(0xA16FB20B1788F051), UINT64_C(0xD86FD392E046ED39), -- UINT64_C(0xDA0A36119378CE1D), UINT64_C(0x121EF3E7A5F7A61D) }, -- { UINT64_C(0x94D2206192D13CAE), UINT64_C(0x5076046A77C72E08), -- UINT64_C(0xF18BC2337D2308B9), UINT64_C(0x004DB3C517F977B1), -- UINT64_C(0xD05AE3990471C11D), UINT64_C(0x86A2A55785CD1726) } }, -- { { UINT64_C(0xB8D9B28672107804), UINT64_C(0xB5A7C4133303B79B), -- UINT64_C(0x927EEF785FA37DED), UINT64_C(0xA1C5CF1EAD67DABA), -- UINT64_C(0xAA5E3FB27360E7C7), UINT64_C(0x8354E61A0A0C0993) }, -- { UINT64_C(0x2EC73AF97F5458CC), 
UINT64_C(0xDE4CB48848474325), -- UINT64_C(0x2DD134C77209BC69), UINT64_C(0xB70C5567451A2ABE), -- UINT64_C(0x2CD1B2008E293018), UINT64_C(0x15F8DA7AD33C0D72) } }, -- { { UINT64_C(0x5DC386D0A8790657), UINT64_C(0xA4FDF676BC4D88BB), -- UINT64_C(0x1B21F38F48BC6C49), UINT64_C(0xCDCC7FAA543A7003), -- UINT64_C(0xEA97E7AA8C9CF72C), UINT64_C(0xA6B883F450D938A8) }, -- { UINT64_C(0x51936F3AA3A10F27), UINT64_C(0x0170785FDECC76BF), -- UINT64_C(0x7539ECE1908C578A), UINT64_C(0x5D9C8A8E0F3E8C25), -- UINT64_C(0x8681B43B9E4717A7), UINT64_C(0x94F42507A9D83E39) } }, -- { { UINT64_C(0xBBE11CA8A55ADDE7), UINT64_C(0x39E6F5CF3BC0896B), -- UINT64_C(0x1447314E1D2D8D94), UINT64_C(0x45B481255B012F8A), -- UINT64_C(0x41AD23FA08AD5283), UINT64_C(0x837243E241D13774) }, -- { UINT64_C(0x1FC0BD9DBADCAA46), UINT64_C(0x8DF164ED26E84CAE), -- UINT64_C(0x8FF70EC041017176), UINT64_C(0x23AD4BCE5C848BA7), -- UINT64_C(0x89246FDE97A19CBB), UINT64_C(0xA5EF987B78397991) } }, -- { { UINT64_C(0x111AF1B74757964D), UINT64_C(0x1D25D351DDBBF258), -- UINT64_C(0x4161E7767D2B06D6), UINT64_C(0x6EFD26911CAC0C5B), -- UINT64_C(0x633B95DB211BFAEB), UINT64_C(0x9BEDFA5AE2BDF701) }, -- { UINT64_C(0xADAC2B0B73E099C8), UINT64_C(0x436F0023BFB16BFF), -- UINT64_C(0xB91B100230F55854), UINT64_C(0xAF6A2097F4C6C8B7), -- UINT64_C(0x3FF65CED3AD7B3D9), UINT64_C(0x6FA2626F330E56DF) } }, -- { { UINT64_C(0x3D28BF2DFFCCFD07), UINT64_C(0x0514F6FFD989603B), -- UINT64_C(0xB95196295514787A), UINT64_C(0xA1848121C3DB4E9C), -- UINT64_C(0x47FE2E392A3D4595), UINT64_C(0x506F5D8211B73ED4) }, -- { UINT64_C(0xA2257AE7A600D8BB), UINT64_C(0xD659DBD10F9F122C), -- UINT64_C(0xDB0FDC6764DF160F), UINT64_C(0xFF3793397CB19690), -- UINT64_C(0xDF4366B898E72EC1), UINT64_C(0x97E72BECDF437EB8) } }, -- { { UINT64_C(0x81DCEA271C81E5D9), UINT64_C(0x7E1B6CDA6717FC49), -- UINT64_C(0xAA36B3B511EAE80D), UINT64_C(0x1306687C3CD7CBB3), -- UINT64_C(0xED670235C4E89064), UINT64_C(0x9D3B000958A94760) }, -- { UINT64_C(0x5A64E158E6A6333C), UINT64_C(0x1A8B4A3649453203), -- 
UINT64_C(0xF1CAD7241F77CC21), UINT64_C(0x693EBB4B70518EF7), -- UINT64_C(0xFB47BD810F39C91A), UINT64_C(0xCFE63DA2FA4BC64B) } }, -- { { UINT64_C(0x82C1C684EAA66108), UINT64_C(0xE32262184CFE79FC), -- UINT64_C(0x3F28B72B849C720E), UINT64_C(0x137FB3558FEE1CA8), -- UINT64_C(0x4D18A9CDE4F90C4E), UINT64_C(0xC0344227CC3E46FA) }, -- { UINT64_C(0x4FD5C08E79CDA392), UINT64_C(0x65DB20DB8ADC87B5), -- UINT64_C(0x86F95D5B916C1B84), UINT64_C(0x7EDA387117BB2B7C), -- UINT64_C(0x18CCF7E7669A533B), UINT64_C(0x5E92421CECAD0E06) } }, -- { { UINT64_C(0x26063E124174B08B), UINT64_C(0xE621D9BE70DE8E4D), -- UINT64_C(0xAEA0FD0F5ECDF350), UINT64_C(0x0D9F69E49C20E5C9), -- UINT64_C(0xD3DADEB90BBE2918), UINT64_C(0xD7B9B5DB58AA2F71) }, -- { UINT64_C(0x7A971DD73364CAF8), UINT64_C(0x702616A3C25D4BE4), -- UINT64_C(0xA30F0FA1A9E30071), UINT64_C(0x98AB24385573BC69), -- UINT64_C(0xCBC63CDF6FEC2E22), UINT64_C(0x965F90EDCC901B9B) } }, -- { { UINT64_C(0xD53B592D71E15BB3), UINT64_C(0x1F03C0E98820E0D0), -- UINT64_C(0xCE93947D3CCCB726), UINT64_C(0x2790FEE01D547590), -- UINT64_C(0x4401D847C59CDD7A), UINT64_C(0x72D69120A926DD9D) }, -- { UINT64_C(0x38B8F21D4229F289), UINT64_C(0x9F412E407FE978AF), -- UINT64_C(0xAE07901BCDB59AF1), UINT64_C(0x1E6BE5EBD1D4715E), -- UINT64_C(0x3715BD8B18C96BEF), UINT64_C(0x4B71F6E6E11B3798) } }, -- }, -- { -- { { UINT64_C(0x11A8FDE5F0CE2DF4), UINT64_C(0xBC70CA3EFA8D26DF), -- UINT64_C(0x6818C275C74DFE82), UINT64_C(0x2B0294AC38373A50), -- UINT64_C(0x584C4061E8E5F88F), UINT64_C(0x1C05C1CA7342383A) }, -- { UINT64_C(0x263895B3911430EC), UINT64_C(0xEF9B0032A5171453), -- UINT64_C(0x144359DA84DA7F0C), UINT64_C(0x76E3095A924A09F2), -- UINT64_C(0x612986E3D69AD835), UINT64_C(0x70E03ADA392122AF) } }, -- { { UINT64_C(0xFEB707EE67AAD17B), UINT64_C(0xBB21B28783042995), -- UINT64_C(0x26DE16459A0D32BA), UINT64_C(0x9A2FF38A1FFB9266), -- UINT64_C(0x4E5AD96D8F578B4A), UINT64_C(0x26CC0655883E7443) }, -- { UINT64_C(0x1D8EECAB2EE9367A), UINT64_C(0x42B84337881DE2F8), -- UINT64_C(0xE49B2FAED758AE41), 
UINT64_C(0x6A9A22904A85D867), -- UINT64_C(0x2FB89DCEE68CBA86), UINT64_C(0xBC2526357F09A982) } }, -- { { UINT64_C(0xADC794368C61AAAC), UINT64_C(0x24C7FD135E926563), -- UINT64_C(0xEF9FAAA40406C129), UINT64_C(0xF4E6388C8B658D3C), -- UINT64_C(0x7262BEB41E435BAF), UINT64_C(0x3BF622CCFDAEAC99) }, -- { UINT64_C(0xD359F7D84E1AEDDC), UINT64_C(0x05DC4F8CD78C17B7), -- UINT64_C(0xB18CF03229498BA5), UINT64_C(0xC67388CA85BF35AD), -- UINT64_C(0x8A7A6AA262AA4BC8), UINT64_C(0x0B8F458E72F4627A) } }, -- { { UINT64_C(0x3FB812EEC68E4488), UINT64_C(0x53C5EAA460EF7281), -- UINT64_C(0xE57241838FBEFBE4), UINT64_C(0x2B7D49F4A4B24A05), -- UINT64_C(0x23B138D0710C0A43), UINT64_C(0x16A5B4C1A85EC1DB) }, -- { UINT64_C(0x7CC1F3D7305FEB02), UINT64_C(0x52F7947D5B6C1B54), -- UINT64_C(0x1BDA23128F56981C), UINT64_C(0x68663EAEB4080A01), -- UINT64_C(0x8DD7BA7E9F999B7F), UINT64_C(0xD8768D19B686580C) } }, -- { { UINT64_C(0xBCD0E0AD7AFDDA94), UINT64_C(0x95A0DBBE34A30687), -- UINT64_C(0xBBE3C3DF8C5E2665), UINT64_C(0x742BECD8EBF2BC16), -- UINT64_C(0x300CEB483FA163A6), UINT64_C(0x0C5D02EE4663354B) }, -- { UINT64_C(0xE4FB9AD6B5E606A4), UINT64_C(0x93F507B8CF49FF95), -- UINT64_C(0x9406A90C585C193B), UINT64_C(0xAD1440C14ECF9517), -- UINT64_C(0x184CB4759CEA53F1), UINT64_C(0x6855C4748EF11302) } }, -- { { UINT64_C(0x00ECB523EDCAFA52), UINT64_C(0x0DA0AE0E086F69D3), -- UINT64_C(0xC384DE15C242F347), UINT64_C(0xFB050E6E848C12B7), -- UINT64_C(0x22F6765464E015CE), UINT64_C(0xCBDC2A487CA122F2) }, -- { UINT64_C(0xA940D973445FB02C), UINT64_C(0x00F31E783767D89D), -- UINT64_C(0x2B65A237613DABDD), UINT64_C(0x2BE0AB05C875AE09), -- UINT64_C(0xB22E54FDBA204F8E), UINT64_C(0x65E2029D0F7687B9) } }, -- { { UINT64_C(0xFFD825381855A71C), UINT64_C(0x26A330B3438BD8D8), -- UINT64_C(0x89628311F9D8C5F9), UINT64_C(0x8D5FB9CF953738A0), -- UINT64_C(0xCB7159C9EDFCD4E5), UINT64_C(0xD64E52302064C7C2) }, -- { UINT64_C(0xF858ED80689F3CFE), UINT64_C(0x4830E30956128B67), -- UINT64_C(0x2E1692DAE0E90688), UINT64_C(0xAB818913CA9CC232), -- 
UINT64_C(0xE2E30C23A5D229A6), UINT64_C(0xA544E8B10E740E23) } }, -- { { UINT64_C(0x1C15E569DC61E6CC), UINT64_C(0x8FD7296758FC7800), -- UINT64_C(0xE61E7DB737A9DFC5), UINT64_C(0x3F34A9C65AFD7822), -- UINT64_C(0x0A11274219E80773), UINT64_C(0xA353460C4760FC58) }, -- { UINT64_C(0x2FB7DEEBB3124C71), UINT64_C(0x484636272D4009CC), -- UINT64_C(0x399D1933C3A10370), UINT64_C(0x7EB1945054388DBD), -- UINT64_C(0x8ECCE6397C2A006A), UINT64_C(0x3D565DAF55C932A0) } }, -- { { UINT64_C(0xCEF57A9FD9ADAE53), UINT64_C(0xE2EB27D7F83FD8CD), -- UINT64_C(0x4AC8F7199BBD2DDE), UINT64_C(0x604283AAE91ABFB7), -- UINT64_C(0xB6A4E11534799F87), UINT64_C(0x2B253224E4C2A8F3) }, -- { UINT64_C(0xC34F8B92C8782294), UINT64_C(0xC74D697DFCC2CB6B), -- UINT64_C(0xD990411BC2C84C46), UINT64_C(0x2807B5C631EA4955), -- UINT64_C(0x14AE2B93B9EB27F5), UINT64_C(0xF0AE96A76163EDFA) } }, -- { { UINT64_C(0xA7BDCBB442DB7180), UINT64_C(0xC9FAA41FEDCA752F), -- UINT64_C(0x147F91B4E820F401), UINT64_C(0x1E6CEF86F5F2645F), -- UINT64_C(0xB4AB4D7F31FE711D), UINT64_C(0xCE68FB3C743EF882) }, -- { UINT64_C(0xB9D7D6823EF2FCFF), UINT64_C(0xF6893811020DCAFD), -- UINT64_C(0x30D9A50CBF81E760), UINT64_C(0x7F247D06B9B87228), -- UINT64_C(0x143D4FEC5F40CFC0), UINT64_C(0x21D78D73329B2A88) } }, -- { { UINT64_C(0x06B3FF8AED3F2055), UINT64_C(0x50482C77522BE214), -- UINT64_C(0x8DF69CD8DDF54620), UINT64_C(0x6D1DB204F78A1165), -- UINT64_C(0x459AE4A29AFE6BF2), UINT64_C(0xC23A9FFD24AC871E) }, -- { UINT64_C(0xB7FD22E389E85D81), UINT64_C(0x297F1F6B122E9978), -- UINT64_C(0xAB283D66144BE1CE), UINT64_C(0xC1F90AC2C00C614E), -- UINT64_C(0x5465576E3224CD09), UINT64_C(0x8E8D910D441B6059) } }, -- { { UINT64_C(0xF73A060AAAA228BC), UINT64_C(0xCF1B078356EFF87D), -- UINT64_C(0x11EF17C0A54C9133), UINT64_C(0x9E476B1576A4DAA5), -- UINT64_C(0x5624FEAC8018FB92), UINT64_C(0x9826A0FCCFEEC1B9) }, -- { UINT64_C(0xB732F7FE2DFE2046), UINT64_C(0x9260BD9F3B40DA6A), -- UINT64_C(0xCC9F908F4F231773), UINT64_C(0x4827FEB9DAFC0D55), -- UINT64_C(0x07D32E85538ACE95), 
UINT64_C(0xAD9F897CB8EDAF37) } }, -- { { UINT64_C(0x2F75B82FE3415498), UINT64_C(0xF99CAC5FF1015F30), -- UINT64_C(0x766408247D7F25DE), UINT64_C(0x714BC9CDEE74C047), -- UINT64_C(0x70F847BF07448879), UINT64_C(0xA14481DE072165C0) }, -- { UINT64_C(0x9BFA59E3DB1140A8), UINT64_C(0x7B9C7FF0FCD13502), -- UINT64_C(0xF4D7538E68459ABF), UINT64_C(0xED93A791C8FC6AD2), -- UINT64_C(0xA8BBE2A8B51BD9B2), UINT64_C(0x084B5A279FB34008) } }, -- { { UINT64_C(0xB3BB9545EB138C84), UINT64_C(0x59C3489C3FC88BFD), -- UINT64_C(0x3A97FF6385F53EC7), UINT64_C(0x40FDF5A60AA69C3D), -- UINT64_C(0x0E8CCEC753D19668), UINT64_C(0x0AA72EF933FAA661) }, -- { UINT64_C(0xF5C5A6CF9B1E684B), UINT64_C(0x630F937131A22EA1), -- UINT64_C(0x06B2AAC2AC60F7EA), UINT64_C(0xB181CAE25BC37D80), -- UINT64_C(0x4601A929247B13EA), UINT64_C(0x8A71C3865F739797) } }, -- { { UINT64_C(0x545387B3AB134786), UINT64_C(0x3179BB061599B64A), -- UINT64_C(0xB0A6198607593574), UINT64_C(0xC7E39B2163FA7C3B), -- UINT64_C(0xA1173F8691585D13), UINT64_C(0x09D5CC8ECB9525CD) }, -- { UINT64_C(0xAAD44FFD8F3A3451), UINT64_C(0x702B04F225820CC5), -- UINT64_C(0xE90CAC491CB66C17), UINT64_C(0x40F6B547EE161DC4), -- UINT64_C(0xC08BB8B41BA4AC4E), UINT64_C(0x7DC064FBAE5A6BC1) } }, -- { { UINT64_C(0x90A5E8719D76DDC7), UINT64_C(0x39DC8FAEEDFC8E2E), -- UINT64_C(0x98467A235B079C62), UINT64_C(0xE25E378505450C98), -- UINT64_C(0x2FE23A4D96140083), UINT64_C(0x65CE3B9AE9900312) }, -- { UINT64_C(0x1D87D0886B72B5D9), UINT64_C(0x72F53220FD9AFC82), -- UINT64_C(0xC63C7C159E1F71FA), UINT64_C(0x90DF26EA8D449637), -- UINT64_C(0x97089F40C1C2B215), UINT64_C(0x83AF266442317FAA) } }, -- }, -- { -- { { UINT64_C(0xFA2DB51A8D688E31), UINT64_C(0x225B696CA09C88D4), -- UINT64_C(0x9F88AF1D6059171F), UINT64_C(0x1C5FEA5E782A0993), -- UINT64_C(0xE0FB15884EC710D3), UINT64_C(0xFAF372E5D32CE365) }, -- { UINT64_C(0xD9F896AB26506F45), UINT64_C(0x8D3503388373C724), -- UINT64_C(0x1B76992DCA6E7342), UINT64_C(0x76338FCA6FD0C08B), -- UINT64_C(0xC3EA4C65A00F5C23), UINT64_C(0xDFAB29B3B316B35B) } }, -- { 
{ UINT64_C(0x84E5541F483AEBF9), UINT64_C(0x8ADFF7DC49165772), -- UINT64_C(0xE0A43AD69BEAAD3C), UINT64_C(0x97DD1820F51C2714), -- UINT64_C(0xAC2B4CB457EA5B0C), UINT64_C(0x87DBD011D11767CA) }, -- { UINT64_C(0x18CCF36CBFC7957A), UINT64_C(0xD4A088411BC79227), -- UINT64_C(0x9811CE43D8D292A8), UINT64_C(0x72C5FC68D58C4EE7), -- UINT64_C(0x5BC0F0BED35C65A7), UINT64_C(0x0B446DBCCBBF9669) } }, -- { { UINT64_C(0x7EBA3DA69CEE9BCE), UINT64_C(0x3E2C1248D5377750), -- UINT64_C(0x8C917D982B93D8B2), UINT64_C(0xCA8FC6AC7CAD1F75), -- UINT64_C(0x5F581F19A0FF150A), UINT64_C(0x872CC14AE08327FA) }, -- { UINT64_C(0xC774F187E9333188), UINT64_C(0x528ED4AC497AF7E8), -- UINT64_C(0xCE036E9B8AD72B10), UINT64_C(0x463F9EBB917986CF), -- UINT64_C(0xBE5163281325CF9B), UINT64_C(0xD28D5C50DD7E5FEA) } }, -- { { UINT64_C(0x714C1D1BDD58BBE3), UINT64_C(0x85BA01AE039AFD0F), -- UINT64_C(0x7F23EA3A6951AC80), UINT64_C(0x5C599290AC00C837), -- UINT64_C(0xF6EFA2B3BF24CC1B), UINT64_C(0x393D8E421E84462B) }, -- { UINT64_C(0x9BDA627DF8B89453), UINT64_C(0xE66FFF2EB23E0D1B), -- UINT64_C(0xD1EE7089C3B94EC2), UINT64_C(0xF75DBA6E3031699A), -- UINT64_C(0x8FF75F79242B2453), UINT64_C(0xE721EDEB289BFED4) } }, -- { { UINT64_C(0x083215A1C1390FA8), UINT64_C(0x901D686A6DCE8CE0), -- UINT64_C(0x4AB1BA62837073FF), UINT64_C(0x10C287AA34BEABA5), -- UINT64_C(0xB4931AF446985239), UINT64_C(0x07639899B053C4DC) }, -- { UINT64_C(0x29E7F44DE721EECD), UINT64_C(0x6581718257B3FF48), -- UINT64_C(0x198542E25054E2E0), UINT64_C(0x923C9E1584616DE8), -- UINT64_C(0x2A9C15E1AD465BB9), UINT64_C(0xD8D4EFC716319245) } }, -- { { UINT64_C(0x72DC79439961A674), UINT64_C(0x839A0A52A0E13668), -- UINT64_C(0xD7A53FA9334945EA), UINT64_C(0xDB21DB77E7AA25DB), -- UINT64_C(0xB6675A7D66E96DA3), UINT64_C(0x2C31C406E66F33C0) }, -- { UINT64_C(0x45020B626EC7B9CB), UINT64_C(0xFF46E9CD0391F267), -- UINT64_C(0x7DABD7440FA2F221), UINT64_C(0x9A32364B9D4A2A3E), -- UINT64_C(0xF0F84AE852D2E47A), UINT64_C(0xD0B872BB888F488A) } }, -- { { UINT64_C(0x531E4CEFC9790EEF), 
UINT64_C(0xF7B5735E2B8D1A58), -- UINT64_C(0xB8882F1EEF568511), UINT64_C(0xAFB08D1C86A86DB3), -- UINT64_C(0x88CB9DF2F54DE8C7), UINT64_C(0xA44234F19A683282) }, -- { UINT64_C(0xBC1B3D3AA6E9AB2E), UINT64_C(0xEFA071FB87FC99EE), -- UINT64_C(0xFA3C737DA102DC0F), UINT64_C(0xDF3248A6D6A0CBD2), -- UINT64_C(0x6E62A4FF1ECC1BF4), UINT64_C(0xF718F940C8F1BC17) } }, -- { { UINT64_C(0x2C8B0AAD4F63F026), UINT64_C(0x2AFF623850B253CC), -- UINT64_C(0xCAB3E94210C4D122), UINT64_C(0x52B59F0407CD2816), -- UINT64_C(0x22322803982C41FC), UINT64_C(0x38844E668CF50B19) }, -- { UINT64_C(0x42A959F7BE3264CD), UINT64_C(0xBDDC24BD6C983524), -- UINT64_C(0xA489EB0C462B8640), UINT64_C(0xB7C0509298029BE7), -- UINT64_C(0xD5546B5FA1ADDC64), UINT64_C(0xE7CAC1FCA0C655AF) } }, -- { { UINT64_C(0x1454719847636F97), UINT64_C(0x6FA67481EBCDCCFF), -- UINT64_C(0xC164872F395D3258), UINT64_C(0xB8CECAFEEE6ACDBC), -- UINT64_C(0x3FBFE5F3A933F180), UINT64_C(0xEC20CAC2898C3B1E) }, -- { UINT64_C(0x6A031BEE87DA73F9), UINT64_C(0xD1E667D15C5AF46E), -- UINT64_C(0xCB3DC1681DC6EEF9), UINT64_C(0x2DD1BD9433D310C0), -- UINT64_C(0x0F78D4939207E438), UINT64_C(0xC233D544A99C0E75) } }, -- { { UINT64_C(0x228F19F19E2A0113), UINT64_C(0x58495BE50E1A5D37), -- UINT64_C(0x97E08F6938D7F364), UINT64_C(0x1EC3BA3E510759B0), -- UINT64_C(0x3682F19AE03CD40D), UINT64_C(0xC87745D8F9E16D68) }, -- { UINT64_C(0xFD527AB509A642EA), UINT64_C(0x6308EEBDF9C81F27), -- UINT64_C(0xFA9F666C550C5D68), UINT64_C(0xDEBA436F584AB153), -- UINT64_C(0x1D4861D35B63E939), UINT64_C(0x073BED9BC9850221) } }, -- { { UINT64_C(0x802BCCF08B171246), UINT64_C(0xFFF7D15A733B072F), -- UINT64_C(0xEA3862664CBFA4EF), UINT64_C(0x9E5B5073D635946B), -- UINT64_C(0x16E9A979FA81BE95), UINT64_C(0x41E8716EB14F701F) }, -- { UINT64_C(0x25782E0F101A6719), UINT64_C(0x442C4875C9D66959), -- UINT64_C(0x52D845D92B85D153), UINT64_C(0xFF9251382E831117), -- UINT64_C(0x01B700CC8E02434B), UINT64_C(0xD2DB7F8EEC0BAE3E) } }, -- { { UINT64_C(0x1B225300966A4872), UINT64_C(0x40C149BE566F537B), -- 
UINT64_C(0x3335F4D2CB680021), UINT64_C(0x773D0263778E5F5F), -- UINT64_C(0x1D9B7602666FA9ED), UINT64_C(0x52490A102E6200CF) }, -- { UINT64_C(0x8434C7DD961F290B), UINT64_C(0x773AC15664456446), -- UINT64_C(0x5E2BB78947B712BB), UINT64_C(0xFD3BCBFDBE0974AD), -- UINT64_C(0x71AE9351791AD5D8), UINT64_C(0x1EE738BA6F4E1400) } }, -- { { UINT64_C(0x2FA428AB0BE8E26E), UINT64_C(0xFEFF0600BB4CF9FC), -- UINT64_C(0x76F25CA9B2EA5FB0), UINT64_C(0xAB7FECF06835C5F4), -- UINT64_C(0x649D077219D5F328), UINT64_C(0xABE7B895ACBCB12E) }, -- { UINT64_C(0xF2D1031AD69B1EA8), UINT64_C(0x46065D5DC60B0BBB), -- UINT64_C(0xB0908DC185D798FF), UINT64_C(0x4E2420F0D2C9B18A), -- UINT64_C(0x6B3A9BDDD30432A2), UINT64_C(0x501C3383C9B134AD) } }, -- { { UINT64_C(0x608F096798A21284), UINT64_C(0x5361BE86059CCEDE), -- UINT64_C(0x3A40655CAFD87EF7), UINT64_C(0x03CF311759083AA2), -- UINT64_C(0x57DB5F61B6C366D9), UINT64_C(0x29DC275B6DD0D232) }, -- { UINT64_C(0xBDAB24DD8FA67501), UINT64_C(0x5928F77565D08C37), -- UINT64_C(0x9448A856645D466A), UINT64_C(0x6E6B5E2EC0E927A5), -- UINT64_C(0xE884D546E80C6871), UINT64_C(0x10C881C953A9A851) } }, -- { { UINT64_C(0x355053749B627AA5), UINT64_C(0xE7CA1B577976677B), -- UINT64_C(0x812397124976CE17), UINT64_C(0x96E9080B96DA31B9), -- UINT64_C(0x458254ABCC64AA1F), UINT64_C(0xFEFF682148E674C9) }, -- { UINT64_C(0x8772F37A021F1488), UINT64_C(0x2E274E18AB56345C), -- UINT64_C(0x7C7BE61C29823B76), UINT64_C(0x275DB7B29EEFB39E), -- UINT64_C(0x83B10ED4BF5CBCEF), UINT64_C(0x40D7F5B4518E5183) } }, -- { { UINT64_C(0x315CCC01F960B41B), UINT64_C(0x90B417C91D99E722), -- UINT64_C(0x84AFAA0D013463E0), UINT64_C(0xF133C5D813E6D9E1), -- UINT64_C(0xD95C6ADC525B7430), UINT64_C(0x082C61AD7A25106A) }, -- { UINT64_C(0xABC1966DBA1CE179), UINT64_C(0xE0578B77A5DB529A), -- UINT64_C(0x10988C05EC84107D), UINT64_C(0xFCADE5D71B207F83), -- UINT64_C(0x0BEB6FDBC5BA83DB), UINT64_C(0x1C39B86D57537E34) } }, -- }, -- { -- { { UINT64_C(0x5B0B5D692A7AECED), UINT64_C(0x4C03450C01DC545F), -- UINT64_C(0x72AD0A4A404A3458), 
UINT64_C(0x1DE8E2559F467B60), -- UINT64_C(0xA4B3570590634809), UINT64_C(0x76F30205706F0178) }, -- { UINT64_C(0x588D21AB4454F0E5), UINT64_C(0xD22DF54964134928), -- UINT64_C(0xF4E7E73D241BCD90), UINT64_C(0xB8D8A1D22FACC7CC), -- UINT64_C(0x483C35A71D25D2A0), UINT64_C(0x7F8D25451EF9F608) } }, -- { { UINT64_C(0xCB51F03954EBC926), UINT64_C(0xE235D356B8D4A7BB), -- UINT64_C(0x93C8FAFAB41FE1A6), UINT64_C(0x6297701DA719F254), -- UINT64_C(0x6E9165BC644F5CDE), UINT64_C(0x6506329D0C11C542) }, -- { UINT64_C(0xA2564809A92B4250), UINT64_C(0x0E9AC173889C2E3E), -- UINT64_C(0x286A592622B1D1BE), UINT64_C(0x86A3D7526ECDD041), -- UINT64_C(0x4B867E0A649F9524), UINT64_C(0x1FE7D95A0629CB0F) } }, -- { { UINT64_C(0xF4F66843CA5BAF54), UINT64_C(0x298DB357EFE7DB78), -- UINT64_C(0xF607E86E7365712F), UINT64_C(0xD58822988A822BC0), -- UINT64_C(0x2CFBD63AC61299B3), UINT64_C(0x6F713D9B67167B1A) }, -- { UINT64_C(0x750F673FDE0B077A), UINT64_C(0x07482708EE2178DA), -- UINT64_C(0x5E6D5BD169123C75), UINT64_C(0x6A93D1B6EAB99B37), -- UINT64_C(0x6EF4F7E68CAEC6A3), UINT64_C(0x7BE411D6CF3ED818) } }, -- { { UINT64_C(0xF92B307363A0A7D2), UINT64_C(0x32DA431C881DC8CF), -- UINT64_C(0xE51BD5EDC578E3A3), UINT64_C(0xEFDA70D29587FA22), -- UINT64_C(0xCFEC17089B2EBA85), UINT64_C(0x6AB51A4BAF7BA530) }, -- { UINT64_C(0x5AC155AE98174812), UINT64_C(0xCAF07A71CCB076E3), -- UINT64_C(0x280E86C2C38718A7), UINT64_C(0x9D12DE73D63745B7), -- UINT64_C(0x0E8EA855BF8A79AA), UINT64_C(0x5EB2BED8BD705BF7) } }, -- { { UINT64_C(0x33FE9578AE16DE53), UINT64_C(0x3AE85EB510BEC902), -- UINT64_C(0xC4F4965844AF850E), UINT64_C(0x6EA222B3087DD658), -- UINT64_C(0xB255E6FDA51F1447), UINT64_C(0xB35E4997117E3F48) }, -- { UINT64_C(0x562E813B05616CA1), UINT64_C(0xDF5925D68A61E156), -- UINT64_C(0xB2FA8125571C728B), UINT64_C(0x00864805A2F2D1CF), -- UINT64_C(0x2DC26F411BCCB6FF), UINT64_C(0xEBD5E09363AE37DD) } }, -- { { UINT64_C(0xD2D68BB30A285611), UINT64_C(0x3EAE7596DC8378F2), -- UINT64_C(0x2DC6CCC66CC688A3), UINT64_C(0xC45E5713011F5DFB), -- 
UINT64_C(0x6B9C4F6C62D34487), UINT64_C(0xFAD6F0771FC65551) }, -- { UINT64_C(0x5E3266E062B23B52), UINT64_C(0xF1DAF319E98F4715), -- UINT64_C(0x064D12EA3ED0AE83), UINT64_C(0x5CCF9326564125CB), -- UINT64_C(0x09057022C63C1E9F), UINT64_C(0x7171972CDC9B5D2E) } }, -- { { UINT64_C(0x2364FD9AEABD21B2), UINT64_C(0x3CE5F4BB9174AD6D), -- UINT64_C(0xA4D6D5D0B38688C0), UINT64_C(0x2292A2D26D87FD7D), -- UINT64_C(0x2A7D1B534CA02E54), UINT64_C(0x7BEE6E7EB4185715) }, -- { UINT64_C(0x73E546098FC63ACD), UINT64_C(0xF4D93A124064E09D), -- UINT64_C(0xD20E157A2B92DAA5), UINT64_C(0x90D125DBC4B81A00), -- UINT64_C(0xCB951C9E7682DE13), UINT64_C(0x1ABE58F427987545) } }, -- { { UINT64_C(0x6D35164030C70C8D), UINT64_C(0x8047D811CE2361B8), -- UINT64_C(0x3F8B3D4FDF8E2C81), UINT64_C(0x5D59547733FA1F6C), -- UINT64_C(0xF769FE5AE29B8A91), UINT64_C(0x26F0E606D737B2A2) }, -- { UINT64_C(0x70CBFA5DB8B31C6A), UINT64_C(0x0F883B4A863D3AEA), -- UINT64_C(0x156A4479E386AE2F), UINT64_C(0xA17A2FCDADE8A684), -- UINT64_C(0x78BDF958E2A7E335), UINT64_C(0xD1B4E6733B9E3041) } }, -- { { UINT64_C(0x1EAF48EC449A6D11), UINT64_C(0x6B94B8E46D2FA7B9), -- UINT64_C(0x1D75D269728E4C1B), UINT64_C(0x91123819DD304E2C), -- UINT64_C(0x0B34CAE388804F4B), UINT64_C(0x2BA192FBC5495E9A) }, -- { UINT64_C(0xC93FF6EFFF4D24BF), UINT64_C(0xF8C2C0B00342BA78), -- UINT64_C(0x8041F769831EB94C), UINT64_C(0x353100747782985E), -- UINT64_C(0xC755320B3AF84E83), UINT64_C(0x384B6D266F497E7F) } }, -- { { UINT64_C(0xEF92CD5917E6BD17), UINT64_C(0xA087305BA426965C), -- UINT64_C(0x13895CE7AC47F773), UINT64_C(0xB85F2A9FE0BB2867), -- UINT64_C(0x2926E6AA7CD7C58E), UINT64_C(0xE544EDA6450459C5) }, -- { UINT64_C(0x73DBC351B90A9849), UINT64_C(0x961183F6848EBE86), -- UINT64_C(0xC45BB21080534712), UINT64_C(0x379D08D7A654D9A3), -- UINT64_C(0x5B97CEF2BD3FFA9C), UINT64_C(0x0F469F34DDC2FCE5) } }, -- { { UINT64_C(0x6D1461080642F38D), UINT64_C(0x055171A0D21EB887), -- UINT64_C(0x28DFFAB4D0DCEB28), UINT64_C(0x0D0E631298DE9CCD), -- UINT64_C(0x750A9156118C3C3F), 
UINT64_C(0x8C1F1390B049D799) }, -- { UINT64_C(0xE4823858439607C5), UINT64_C(0x947E9BA05C111EAB), -- UINT64_C(0x39C95616A355DF2E), UINT64_C(0xF5F6B98E10E54BDA), -- UINT64_C(0xB0E0B33D142B876A), UINT64_C(0x71197D73EA18C90C) } }, -- { { UINT64_C(0x36A5139DF52BE819), UINT64_C(0xF60DDF3429A45D2B), -- UINT64_C(0x0727EFECE9220E34), UINT64_C(0x431D33864EF7F446), -- UINT64_C(0xC3165A64FCC4962C), UINT64_C(0xB7D926E1D64362BB) }, -- { UINT64_C(0x216BC61FD45F9350), UINT64_C(0xA974CB2FBBAED815), -- UINT64_C(0x31DF342D86FB2F76), UINT64_C(0x3AB67E0501D78314), -- UINT64_C(0x7AA951E0DEE33ED2), UINT64_C(0x318FBBBDCEC78D94) } }, -- { { UINT64_C(0xAD7EFB65B8FE0204), UINT64_C(0x0432E1C5230AB7F7), -- UINT64_C(0x7563A62D9C967400), UINT64_C(0xD88B9C743524D4FF), -- UINT64_C(0x16A1991CF1A823E3), UINT64_C(0xCF2F9BFEFA6F0FFB) }, -- { UINT64_C(0x55AAA946A50CA61F), UINT64_C(0x8CBBD3C8FED4CAB3), -- UINT64_C(0x03A0FAB87651365A), UINT64_C(0x46B5234B62DC3913), -- UINT64_C(0xFD875B28B558CBBD), UINT64_C(0xA48EC3AE11CEB361) } }, -- { { UINT64_C(0x5DD131A1B3ADBD8B), UINT64_C(0xF9FBCA3A29B45EF8), -- UINT64_C(0x022048669341EE18), UINT64_C(0x8D13B89583BF9618), -- UINT64_C(0x0E395BAEE807459C), UINT64_C(0xB9C110CCB190E7DB) }, -- { UINT64_C(0xA0DC345225D25063), UINT64_C(0x2FB78EC802371462), -- UINT64_C(0xC3A9E7BB8975C2D5), UINT64_C(0x9466687285A78264), -- UINT64_C(0x480D2CC28029AA92), UINT64_C(0x237086C75655726D) } }, -- { { UINT64_C(0x197F14BB65EB9EEE), UINT64_C(0xFC93125C9F12E5FD), -- UINT64_C(0x9C20BC538BFBAE5E), UINT64_C(0xB35E21544BC053BA), -- UINT64_C(0xE5FA9CC721C3898E), UINT64_C(0x502D72FFD42F950F) }, -- { UINT64_C(0x6812D38AD1EB8C31), UINT64_C(0x1F77F3F1080D30BB), -- UINT64_C(0x18D128335A8B1E98), UINT64_C(0x7FD39FA9299196CE), -- UINT64_C(0xFB8C9F11CF4ED6D6), UINT64_C(0x4C00F604D6363194) } }, -- { { UINT64_C(0x5C8AFCF9FA2A21C2), UINT64_C(0x71CBF2821928D133), -- UINT64_C(0x56BEF28E42B29506), UINT64_C(0xAFBA250C70323DE2), -- UINT64_C(0x3FE208D17DED2C30), UINT64_C(0xBD2CD213CE9AA598) }, -- { 
UINT64_C(0x52C5EC52CFEED070), UINT64_C(0x0A7223E7D3DA336B), -- UINT64_C(0x7156A4EDCE156B46), UINT64_C(0x9AF6C499ED7E6159), -- UINT64_C(0x9D7A679713C029AD), UINT64_C(0xE5B5C9249018DC77) } }, -- }, -- { -- { { UINT64_C(0x3F2EFF53DE1E4E55), UINT64_C(0x6B749943E4D3ECC4), -- UINT64_C(0xAF10B18A0DDE190D), UINT64_C(0xF491B98DA26B0409), -- UINT64_C(0x66080782A2B1D944), UINT64_C(0x59277DC697E8C541) }, -- { UINT64_C(0xFDBFC5F6006F18AA), UINT64_C(0x435D165BFADD8BE1), -- UINT64_C(0x8E5D263857645EF4), UINT64_C(0x31BCFDA6A0258363), -- UINT64_C(0xF5330AB8D35D2503), UINT64_C(0xB71369F0C7CAB285) } }, -- { { UINT64_C(0xE6A19DCC40ACC5A8), UINT64_C(0x1C3A1FF1DBC6DBF8), -- UINT64_C(0xB4D89B9FC6455613), UINT64_C(0x6CB0FE44A7390D0E), -- UINT64_C(0xADE197A459EA135A), UINT64_C(0xDA6AA86520680982) }, -- { UINT64_C(0x03DB9BE95A442C1B), UINT64_C(0x221A2D732BFB93F2), -- UINT64_C(0x44DEE8D4753C196C), UINT64_C(0x59ADCC700B7C6FF5), -- UINT64_C(0xC6260EC24CA1B142), UINT64_C(0x4C3CB5C646CBD4F2) } }, -- { { UINT64_C(0x8A15D6FEA417111F), UINT64_C(0xFE4A16BD71D93FCC), -- UINT64_C(0x7A7EE38C55BBE732), UINT64_C(0xEFF146A51FF94A9D), -- UINT64_C(0xE572D13EDD585AB5), UINT64_C(0xD879790E06491A5D) }, -- { UINT64_C(0x9C84E1C52A58CB2E), UINT64_C(0xD79D13746C938630), -- UINT64_C(0xDB12CD9B385F06C7), UINT64_C(0x0C93EB977A7759C3), -- UINT64_C(0xF1F5B0FE683BD706), UINT64_C(0x541E4F7285EC3D50) } }, -- { { UINT64_C(0x9A0E153581833608), UINT64_C(0x5CCE871E6E2833AC), -- UINT64_C(0xC17059EAFB29777C), UINT64_C(0x7E40E5FAE354CAFD), -- UINT64_C(0x9CF594054D07C371), UINT64_C(0x64CE36B2A71C3945) }, -- { UINT64_C(0x69309E9656CAF487), UINT64_C(0x3D719E9F1AE3454B), -- UINT64_C(0xF2164070E25823B6), UINT64_C(0xEAD851BD0BC27359), -- UINT64_C(0x3D21BFE8B0925094), UINT64_C(0xA783B1E934A97F4E) } }, -- { { UINT64_C(0x406B0C269546491A), UINT64_C(0x9E5E15E2F293C4E5), -- UINT64_C(0xC60D641315B164DB), UINT64_C(0x0DA46F530C75A78E), -- UINT64_C(0x7C599BB7EA0C656B), UINT64_C(0x0F07A5121B1A8122) }, -- { UINT64_C(0x14C7204A15172686), 
UINT64_C(0x8FAEDFF85165625D), -- UINT64_C(0x20F260CE37AEDE40), UINT64_C(0xC81F771E8F357FFE), -- UINT64_C(0x25499197B0912557), UINT64_C(0x736197DC4C739C74) } }, -- { { UINT64_C(0x6151BAB1381B3462), UINT64_C(0x27E5A07843DBD344), -- UINT64_C(0x2CB05BD6A1C3E9FB), UINT64_C(0x2A75976027CF2A11), -- UINT64_C(0x0ADCF9DBFF43E702), UINT64_C(0x4BBF03E21F484146) }, -- { UINT64_C(0x0E74997F55B6521A), UINT64_C(0x15629231ADE17086), -- UINT64_C(0x7F143E867493FC58), UINT64_C(0x60869095AF8B9670), -- UINT64_C(0x482CFCD77E524869), UINT64_C(0x9E8060C31D454756) } }, -- { { UINT64_C(0xE495747AC88B4D3B), UINT64_C(0xB7559835AE8A948F), -- UINT64_C(0x67EEF3A9DEB56853), UINT64_C(0x0E20E2699DEE5ADF), -- UINT64_C(0x9031AF6761F0A1AA), UINT64_C(0x76669D32683402BC) }, -- { UINT64_C(0x90BD231306718B16), UINT64_C(0xE1B22A21864EFDAC), -- UINT64_C(0xE4FFE9096620089F), UINT64_C(0xB84C842E3428E2D9), -- UINT64_C(0x0E28C880FE3871FC), UINT64_C(0x8932F6983F21C200) } }, -- { { UINT64_C(0x603F00CE6C90EA5D), UINT64_C(0x6473930740A2F693), -- UINT64_C(0xAF65148B2174E517), UINT64_C(0x162FC2CAF784AE74), -- UINT64_C(0x0D9A88254D5F6458), UINT64_C(0x0C2D586143AACE93) }, -- { UINT64_C(0xBF1EADDE9F73CBFC), UINT64_C(0xDE9C34C09C68BBCA), -- UINT64_C(0x6D95602D67EF8A1A), UINT64_C(0x0AF2581BA791B241), -- UINT64_C(0x14F7736112CAD604), UINT64_C(0x19F2354DE2ACD1AD) } }, -- { { UINT64_C(0x272F78F60D60F263), UINT64_C(0xE7A8F4AF208FD785), -- UINT64_C(0x10E191C636554F2C), UINT64_C(0x06D88551FD5CD0B3), -- UINT64_C(0x29BF856857069C27), UINT64_C(0x3CE7ECD828AA6FAD) }, -- { UINT64_C(0x7D8A92D0E9F1A1D8), UINT64_C(0xD40C7FF8D30B5725), -- UINT64_C(0x16BE6CB2F54CAEB8), UINT64_C(0x14CA471A14CB0A91), -- UINT64_C(0xD5FF15B802733CAE), UINT64_C(0xCAF88D87DAA76580) } }, -- { { UINT64_C(0x39430E222C046592), UINT64_C(0x6CDAE81F1AD26706), -- UINT64_C(0x8C102159A25D9106), UINT64_C(0x9A44057227CA9F30), -- UINT64_C(0x8D34C43070287FBC), UINT64_C(0x9003A45529DB8AFA) }, -- { UINT64_C(0x91364CC37FD971AD), UINT64_C(0x7B3AA0489C60EDB7), -- 
UINT64_C(0x58B0E008526F4DD8), UINT64_C(0xB7674454D86D98AE), -- UINT64_C(0xC25F4051B2B45747), UINT64_C(0x8243BF9CCC043E8F) } }, -- { { UINT64_C(0xA89641C643A0C387), UINT64_C(0x6D92205C87B9AB17), -- UINT64_C(0x37D691F4DAA0E102), UINT64_C(0xEB3E52D7CDE5312E), -- UINT64_C(0x60D3C09916F518A2), UINT64_C(0x7854C0518A378EEB) }, -- { UINT64_C(0x7359DB514BBCAAC5), UINT64_C(0xF5B1B68C1713F102), -- UINT64_C(0xDAEAE645E4398DE5), UINT64_C(0x8C8ACB6CD1ABFB82), -- UINT64_C(0x2E8B76C3136423E2), UINT64_C(0x509DCB2DA8BA015E) } }, -- { { UINT64_C(0x2FF368159AD9C59C), UINT64_C(0xB189A4E8658E65B9), -- UINT64_C(0x7D33DDBBEA786AD2), UINT64_C(0x96D0D648C0D2DC05), -- UINT64_C(0x05E49256BFA03BE9), UINT64_C(0x0EA4E7A68BAF5A1C) }, -- { UINT64_C(0x3DDCE0B09F9AD5A8), UINT64_C(0xF78091959E49C2CB), -- UINT64_C(0xBFCEF29D21782C2F), UINT64_C(0xE57AD39FC41BFD97), -- UINT64_C(0xC04B93E81355AD19), UINT64_C(0xAABC9E6E59440F9F) } }, -- { { UINT64_C(0x7AA481035B6459DA), UINT64_C(0x83EF74770166E880), -- UINT64_C(0x536182B1511CCE80), UINT64_C(0xAFDD2EEE73CA55AA), -- UINT64_C(0xAB910D0DA8716143), UINT64_C(0x8BEAA42B83707250) }, -- { UINT64_C(0x4BCCFD898DA2AB3D), UINT64_C(0x1DBF68A9EC6AA105), -- UINT64_C(0x32CE610868EB42DA), UINT64_C(0x5C2C2C858EA62E37), -- UINT64_C(0x1ED2791FCD3088A7), UINT64_C(0x496B4FEBFF05070C) } }, -- { { UINT64_C(0x9FA9121A0AA629C5), UINT64_C(0xE286CFF157558BEC), -- UINT64_C(0x4D9D657E59813A4D), UINT64_C(0xC4676A1626103519), -- UINT64_C(0x616160B32BD4DF80), UINT64_C(0x26FB78CC30FBAE87) }, -- { UINT64_C(0x096070138F0F66BD), UINT64_C(0xDD4E2D0C03D9B90D), -- UINT64_C(0x5D3A8912600D1B12), UINT64_C(0xF76DD52F4308E126), -- UINT64_C(0x97CC04099E4FCCA6), UINT64_C(0x0CFBE31104C4DF7B) } }, -- { { UINT64_C(0x6CA62C1228437A23), UINT64_C(0x0DAF335340E7A003), -- UINT64_C(0x1FD07DF0D20F8079), UINT64_C(0xEAE7969C3BBC9749), -- UINT64_C(0x55861AFA9ECAD022), UINT64_C(0xEC41DAD91FBC3D4C) }, -- { UINT64_C(0x1FE4CB40DA8B261B), UINT64_C(0xC2671AB6427C5C9D), -- UINT64_C(0xDFCDA7B8261D4939), 
UINT64_C(0x9E7B802B2072C0B9), -- UINT64_C(0x3AFEE900C7828CC2), UINT64_C(0x3488BF28F6DE987F) } }, -- { { UINT64_C(0x33B9F2DE7BE1F89E), UINT64_C(0xD4E80821299B15C9), -- UINT64_C(0x87A3067A0E13F37F), UINT64_C(0x6D4C09ED55FD239F), -- UINT64_C(0x48B1042D92EF014F), UINT64_C(0xA382B2E0B385A759) }, -- { UINT64_C(0xBF571BB07F6F84F8), UINT64_C(0x25AFFA370CE87F50), -- UINT64_C(0x826906D3FE54F1BC), UINT64_C(0x6B0421F4C53AE76A), -- UINT64_C(0x44F85A3A4855EB3C), UINT64_C(0xF49E21518D1F2B27) } }, -- }, -- { -- { { UINT64_C(0xC0426B775E3C647B), UINT64_C(0xBFCBD9398CF05348), -- UINT64_C(0x31D312E3172C0D3D), UINT64_C(0x5F49FDE6EE754737), -- UINT64_C(0x895530F06DA7EE61), UINT64_C(0xCF281B0AE8B3A5FB) }, -- { UINT64_C(0xFD14973541B8A543), UINT64_C(0x41A625A73080DD30), -- UINT64_C(0xE2BAAE07653908CF), UINT64_C(0xC3D01436BA02A278), -- UINT64_C(0xA0D0222E7B21B8F8), UINT64_C(0xFDC270E9D7EC1297) } }, -- { { UINT64_C(0x06A67BD29F101E64), UINT64_C(0xCB6E0AC7E1733A4A), -- UINT64_C(0xEE0B5D5197BC62D2), UINT64_C(0x52B1703924C51874), -- UINT64_C(0xFED1F42382A1A0D5), UINT64_C(0x55D90569DB6270AC) }, -- { UINT64_C(0x36BE4A9C5D73D533), UINT64_C(0xBE9266D6976ED4D5), -- UINT64_C(0xC17436D3B8F8074B), UINT64_C(0x3BB4D399718545C6), -- UINT64_C(0x8E1EA3555C757D21), UINT64_C(0xF7EDBC978C474366) } }, -- { { UINT64_C(0xEC72C6506EA83242), UINT64_C(0xF7DE7BE51B2D237F), -- UINT64_C(0x3C5E22001819EFB0), UINT64_C(0xDF5AB6D68CDDE870), -- UINT64_C(0x75A44E9D92A87AEE), UINT64_C(0xBDDC46F4BCF77F19) }, -- { UINT64_C(0x8191EFBD669B674D), UINT64_C(0x52884DF9ED71768F), -- UINT64_C(0xE62BE58265CF242C), UINT64_C(0xAE99A3B180B1D17B), -- UINT64_C(0x48CBB44692DE59A9), UINT64_C(0xD3C226CF2DCB3CE2) } }, -- { { UINT64_C(0x9580CDFB9FD94EC4), UINT64_C(0xED273A6C28631AD9), -- UINT64_C(0x5D3D5F77C327F3E7), UINT64_C(0x05D5339C35353C5F), -- UINT64_C(0xC56FB5FE5C258EB1), UINT64_C(0xEFF8425EEDCE1F79) }, -- { UINT64_C(0xAB7AA141CF83CF9C), UINT64_C(0xBD2A690A207D6D4F), -- UINT64_C(0xE1241491458D9E52), UINT64_C(0xDD2448CCAA7F0F31), -- 
UINT64_C(0xEC58D3C7F0FDA7AB), UINT64_C(0x7B6E122DC91BBA4D) } }, -- { { UINT64_C(0x2A2DEDAFB1B48156), UINT64_C(0xA0A2C63ABB93DB87), -- UINT64_C(0xC655907808ACD99E), UINT64_C(0x03EA42AFFE4AC331), -- UINT64_C(0x43D2C14AEB180ED6), UINT64_C(0xC2F293DDB1156A1A) }, -- { UINT64_C(0x1FAFABF5A9D81249), UINT64_C(0x39ADDEAD9A8EEE87), -- UINT64_C(0x21E206F2119E2E92), UINT64_C(0xBC5DCC2ED74DCEB6), -- UINT64_C(0x86647FA30A73A358), UINT64_C(0xEAD8BEA42F53F642) } }, -- { { UINT64_C(0x636225F591C09091), UINT64_C(0xCCF5070A71BDCFDF), -- UINT64_C(0x0EF8D625B9668EE2), UINT64_C(0x57BDF6CDB5E04E4F), -- UINT64_C(0xFC6AB0A67C75EA43), UINT64_C(0xEB6B8AFBF7FD6EF3) }, -- { UINT64_C(0x5B2AEEF02A3DF404), UINT64_C(0x31FD3B48B9823197), -- UINT64_C(0x56226DB683A7EB23), UINT64_C(0x3772C21E5BB1ED2F), -- UINT64_C(0x3E833624CD1ABA6A), UINT64_C(0xBAE58FFAAC672DAD) } }, -- { { UINT64_C(0xCE92224D31BA1705), UINT64_C(0x022C6ED2F0197F63), -- UINT64_C(0x21F18D99A4DC1113), UINT64_C(0x5CD04DE803616BF1), -- UINT64_C(0x6F9006799FF12E08), UINT64_C(0xF59A331548E61DDF) }, -- { UINT64_C(0x9474D42CB51BD024), UINT64_C(0x11A0A4139051E49D), -- UINT64_C(0x79C92705DCE70EDB), UINT64_C(0x113CE27834198426), -- UINT64_C(0x8978396FEA8616D2), UINT64_C(0x9A2A14D0EA894C36) } }, -- { { UINT64_C(0x4F1E1254604F6E4A), UINT64_C(0x4513B0880187D585), -- UINT64_C(0x9022F25719E0F482), UINT64_C(0x51FB2A80E2239DBF), -- UINT64_C(0x49940D9E998ED9D5), UINT64_C(0x0583D2416C932C5D) }, -- { UINT64_C(0x1188CEC8F25B73F7), UINT64_C(0xA28788CB3B3D06CD), -- UINT64_C(0xDEA194ECA083DB5A), UINT64_C(0xD93A4F7E22DF4272), -- UINT64_C(0x8D84E4BF6A009C49), UINT64_C(0x893D8DD93E3E4A9E) } }, -- { { UINT64_C(0x35E909EA33D31160), UINT64_C(0x5020316857172F1E), -- UINT64_C(0x2707FC4451F3D866), UINT64_C(0xEB9D2018D2442A5D), -- UINT64_C(0x904D72095DBFE378), UINT64_C(0x6DB132A35F13CF77) }, -- { UINT64_C(0x9D842BA67A3AF54B), UINT64_C(0x4E16EA195AA5B4F9), -- UINT64_C(0x2BBA457CAF24228E), UINT64_C(0xCC04B3BB16F3C5FE), -- UINT64_C(0xBAFAC51677E64944), 
UINT64_C(0x31580A34F08BCEE0) } }, -- { { UINT64_C(0xC6808DEE20C30ACA), UINT64_C(0xDADD216FA3EA2056), -- UINT64_C(0xD331394E7A4A9F9D), UINT64_C(0x9E0441AD424C4026), -- UINT64_C(0xAEED102F0AEB5350), UINT64_C(0xC6697FBBD45B09DA) }, -- { UINT64_C(0x52A2590EDEAC1496), UINT64_C(0x7142B831250B87AF), -- UINT64_C(0xBEF2E68B6D0784A8), UINT64_C(0x5F62593AA5F71CEF), -- UINT64_C(0x3B8F7616B5DA51A3), UINT64_C(0xC7A6FA0DB680F5FE) } }, -- { { UINT64_C(0x36C21DE699C8227C), UINT64_C(0xBEE3E867C26813B1), -- UINT64_C(0x9B05F2E6BDD91549), UINT64_C(0x34FF2B1FA7D1110F), -- UINT64_C(0x8E6953B937F67FD0), UINT64_C(0x56C7F18BC3183E20) }, -- { UINT64_C(0x48AF46DE9E2019ED), UINT64_C(0xDEAF972EF551BBBF), -- UINT64_C(0x88EE38F8CC5E3EEF), UINT64_C(0xFB8D7A44392D6BAF), -- UINT64_C(0x32293BFC0127187D), UINT64_C(0x7689E767E58647CC) } }, -- { { UINT64_C(0x00CE901B52168013), UINT64_C(0xC6BF8E38837AAE71), -- UINT64_C(0xD6F11EFA167677D8), UINT64_C(0xE53BB48586C8E5CF), -- UINT64_C(0x671167CEC48E74AB), UINT64_C(0x8A40218C8AD720A7) }, -- { UINT64_C(0x81E827A6E7C1191A), UINT64_C(0x54058F8DADDB153D), -- UINT64_C(0x0BAF29250D950FA2), UINT64_C(0xC244674D576DDA13), -- UINT64_C(0x8C4630AE41BCD13B), UINT64_C(0x6C2127BF5A077419) } }, -- { { UINT64_C(0xCF977FD5A83C501F), UINT64_C(0xD7C6DF36B6AB176F), -- UINT64_C(0x117F6331397BC6B5), UINT64_C(0x72A6078BF7A2D491), -- UINT64_C(0xE5A2AAED5242FE2E), UINT64_C(0x88ECFFDCFEBDC212) }, -- { UINT64_C(0xF2DBBF50CE33BA21), UINT64_C(0xE1343B76CEB19F07), -- UINT64_C(0x1F32D4C9D2C28F71), UINT64_C(0x93FC64B418587685), -- UINT64_C(0x39CEEF9BBA1F8BD1), UINT64_C(0x99C36A788D6D6BB0) } }, -- { { UINT64_C(0x0D0638173E9561CF), UINT64_C(0x1D8646AA3D33704D), -- UINT64_C(0x8C4513847A08BA33), UINT64_C(0x96446BD3E02D6624), -- UINT64_C(0x749849F02D6F4166), UINT64_C(0xE364DA0114268BF0) }, -- { UINT64_C(0x7CE4587E9AEBFCFD), UINT64_C(0xD468606456234393), -- UINT64_C(0x00231D5116DF73B2), UINT64_C(0xF6A969B77279C78C), -- UINT64_C(0x1FF1F6B66CB4117C), UINT64_C(0x30AEBC39D3EAB680) } }, -- { { 
UINT64_C(0x5CC97E6493EF00B9), UINT64_C(0xDAE13841972345AE), -- UINT64_C(0x858391844788F43C), UINT64_C(0xD0FF521EE2E6CF3E), -- UINT64_C(0xAED14A5B4B707C86), UINT64_C(0x7EAAE4A6D2523CF7) }, -- { UINT64_C(0x266472C5024C8AC6), UINT64_C(0xE47E1522C0170051), -- UINT64_C(0x7B83DA6173826BAE), UINT64_C(0xE97E19F5CF543F0D), -- UINT64_C(0x5D5248FA20BF38E2), UINT64_C(0x8A7C2F7DDF56A037) } }, -- { { UINT64_C(0xB04659DD87B0526C), UINT64_C(0x593C604A2307565E), -- UINT64_C(0x49E522257C630AB8), UINT64_C(0x24C1D0C6DCE9CD23), -- UINT64_C(0x6FDB241C85177079), UINT64_C(0x5F521D19F250C351) }, -- { UINT64_C(0xFB56134BA6FB61DF), UINT64_C(0xA4E70D69D75C07ED), -- UINT64_C(0xB7A824487D8825A8), UINT64_C(0xA3AEA7D4DD64BBCC), -- UINT64_C(0xD53E6E6C8692F539), UINT64_C(0x8DDDA83BF7AA4BC0) } }, -- }, -- { -- { { UINT64_C(0x140A0F9FDD93D50A), UINT64_C(0x4799FFDE83B7ABAC), -- UINT64_C(0x78FF7C2304A1F742), UINT64_C(0xC0568F51195BA34E), -- UINT64_C(0xE97183603B7F78B4), UINT64_C(0x9CFD1FF1F9EFAA53) }, -- { UINT64_C(0xE924D2C5BB06022E), UINT64_C(0x9987FA86FAA2AF6D), -- UINT64_C(0x4B12E73F6EE37E0F), UINT64_C(0x1836FDFA5E5A1DDE), -- UINT64_C(0x7F1B92259DCD6416), UINT64_C(0xCB2C1B4D677544D8) } }, -- { { UINT64_C(0x0254486D9C213D95), UINT64_C(0x68A9DB56CB2F6E94), -- UINT64_C(0xFB5858BA000F5491), UINT64_C(0x1315BDD934009FB6), -- UINT64_C(0xB18A8E0AC42BDE30), UINT64_C(0xFDCF93D1F1070358) }, -- { UINT64_C(0xBEB1DB753022937E), UINT64_C(0x9B9ECA7ACAC20DB4), -- UINT64_C(0x152214D4E4122B20), UINT64_C(0xD3E673F2AABCCC7B), -- UINT64_C(0x94C50F64AED07571), UINT64_C(0xD767059AE66B4F17) } }, -- { { UINT64_C(0x40336B12DCD6D14B), UINT64_C(0xF6BCFF5DE3B4919C), -- UINT64_C(0xC337048D9C841F0C), UINT64_C(0x4CE6D0251D617F50), -- UINT64_C(0x00FEF2198117D379), UINT64_C(0x18B7C4E9F95BE243) }, -- { UINT64_C(0x98DE119E38DF08FF), UINT64_C(0xDFD803BD8D772D20), -- UINT64_C(0x94125B720F9678BD), UINT64_C(0xFC5B57CD334ACE30), -- UINT64_C(0x09486527B7E86E04), UINT64_C(0xFE9F8BCC6E552039) } }, -- { { UINT64_C(0x3B75C45BD6F5A10E), 
UINT64_C(0xFD4680F4C1C35F38), -- UINT64_C(0x5450227DF8E0A113), UINT64_C(0x5E69F1AE73DDBA24), -- UINT64_C(0x2007B80E57F24645), UINT64_C(0xC63695DC3D159741) }, -- { UINT64_C(0xCBE54D294530F623), UINT64_C(0x986AD5732869586B), -- UINT64_C(0xE19F70594CC39F73), UINT64_C(0x80F00AB32B1B8DA9), -- UINT64_C(0xB765AAF973F68D26), UINT64_C(0xBC79A394E993F829) } }, -- { { UINT64_C(0x9C441043F310D2A0), UINT64_C(0x2865EE58DC5EB106), -- UINT64_C(0x71A959229CB8065C), UINT64_C(0x8EB3A733A052AF0F), -- UINT64_C(0x56009F42B09D716E), UINT64_C(0xA7F923C5ABCBE6AD) }, -- { UINT64_C(0x263B7669FA375C01), UINT64_C(0x641C47E521EF27A2), -- UINT64_C(0xA89B474EB08FFD25), UINT64_C(0x5BE8EC3FF0A239F3), -- UINT64_C(0x0E79957A242A6C5A), UINT64_C(0x1DFB26D00C6C75F5) } }, -- { { UINT64_C(0x2FD97B9B9DFBF22A), UINT64_C(0xDEC16CC85643532D), -- UINT64_C(0xDF0E6E3960FEE7C3), UINT64_C(0xD09AD7B6545860C8), -- UINT64_C(0xCC16E98473FC3B7C), UINT64_C(0x6CE734C10D4E1555) }, -- { UINT64_C(0xC6EFE68B4B5F6032), UINT64_C(0x3A64F34C14F54073), -- UINT64_C(0x25DA689CAC44DC95), UINT64_C(0x990C477E5358AD8A), -- UINT64_C(0x00E958A5F36DA7DE), UINT64_C(0x902B7360C9B6F161) } }, -- { { UINT64_C(0x454AB42C9347B90A), UINT64_C(0xCAEBE64AA698B02B), -- UINT64_C(0x119CDC69FB86FA40), UINT64_C(0x2E5CB7ADC3109281), -- UINT64_C(0x67BB1EC5CD0C3D00), UINT64_C(0x5D430BC783F25BBF) }, -- { UINT64_C(0x69FD84A85CDE0ABB), UINT64_C(0x69DA263E9816B688), -- UINT64_C(0xE52D93DF0E53CBB8), UINT64_C(0x42CF6F25ADD2D5A7), -- UINT64_C(0x227BA59DC87CA88F), UINT64_C(0x7A1CA876DA738554) } }, -- { { UINT64_C(0x3FA5C1051CAC82C4), UINT64_C(0x23C760878A78C9BE), -- UINT64_C(0xE98CDAD61C5CFA42), UINT64_C(0x09C302520A6C0421), -- UINT64_C(0x149BAC7C42FC61B9), UINT64_C(0x3A1C22AC3004A3E2) }, -- { UINT64_C(0xDE6B0D6E202C7FED), UINT64_C(0xB2457377E7E63052), -- UINT64_C(0x31725FD43706B3EF), UINT64_C(0xE16A347D2B1AFDBF), -- UINT64_C(0xBE4850C48C29CF66), UINT64_C(0x8F51CC4D2939F23C) } }, -- { { UINT64_C(0x169E025B219AE6C1), UINT64_C(0x55FF526F116E1CA1), -- 
UINT64_C(0x01B810A3B191F55D), UINT64_C(0x2D98127229588A69), -- UINT64_C(0x53C9377048B92199), UINT64_C(0x8C7DD84E8A85236F) }, -- { UINT64_C(0x293D48B6CAACF958), UINT64_C(0x1F084ACB43572B30), -- UINT64_C(0x628BFA2DFAD91F28), UINT64_C(0x8D627B11829386AF), -- UINT64_C(0x3EC1DD00D44A77BE), UINT64_C(0x8D3B0D08649AC7F0) } }, -- { { UINT64_C(0x00A93DAA177513BF), UINT64_C(0x2EF0B96F42AD79E1), -- UINT64_C(0x81F5AAF1A07129D9), UINT64_C(0xFC04B7EF923F2449), -- UINT64_C(0x855DA79560CDB1B7), UINT64_C(0xB1EB5DABAD5D61D4) }, -- { UINT64_C(0xD2CEF1AE353FD028), UINT64_C(0xC21D54399EE94847), -- UINT64_C(0x9ED552BB0380C1A8), UINT64_C(0xB156FE7A2BAC328F), -- UINT64_C(0xBB7E01967213C6A4), UINT64_C(0x36002A331701ED5B) } }, -- { { UINT64_C(0x20B1632ADDC9EF4D), UINT64_C(0x2A35FF4C272D082B), -- UINT64_C(0x30D39923F6CC9BD3), UINT64_C(0x6D879BC2E65C9D08), -- UINT64_C(0xCE8274E16FA9983C), UINT64_C(0x652371E80EB7424F) }, -- { UINT64_C(0x32B77503C5C35282), UINT64_C(0xD7306333C885A931), -- UINT64_C(0x8A16D71972955AA8), UINT64_C(0x5548F1637D51F882), -- UINT64_C(0xB311DC66BABA59EF), UINT64_C(0x773D54480DB8F627) } }, -- { { UINT64_C(0x59B1B1347A62EB3B), UINT64_C(0x0F8CE157CCEEFB34), -- UINT64_C(0x3FE842A8A798CB2B), UINT64_C(0xD01BC6260BF4161D), -- UINT64_C(0x55EF6E554D016FDB), UINT64_C(0xCB561503B242B201) }, -- { UINT64_C(0x076EBC73AF4199C1), UINT64_C(0x39DEDCBB697244F7), -- UINT64_C(0x9D184733040162BC), UINT64_C(0x902992C17F6B5FA6), -- UINT64_C(0xAD1DE754BB4952B5), UINT64_C(0x7ACF1B93A121F6C8) } }, -- { { UINT64_C(0x7A56867C325C9B9A), UINT64_C(0x1A143999F3DC3D6A), -- UINT64_C(0xCE10959003F5BCB8), UINT64_C(0x034E9035D6EEE5B7), -- UINT64_C(0x2AFA81C8495DF1BC), UINT64_C(0x5EAB52DC08924D02) }, -- { UINT64_C(0xEE6AA014AA181904), UINT64_C(0xE62DEF09310AD621), -- UINT64_C(0x6C9792FCC7538A03), UINT64_C(0xA89D3E883E41D789), -- UINT64_C(0xD60FA11C9F94AE83), UINT64_C(0x5E16A8C2E0D6234A) } }, -- { { UINT64_C(0x87EC053DA9242F3B), UINT64_C(0x99544637F0E03545), -- UINT64_C(0xEA0633FF6B7019E9), 
UINT64_C(0x8CB8AE0768DDDB5B), -- UINT64_C(0x892E7C841A811AC7), UINT64_C(0xC7EF19EB73664249) }, -- { UINT64_C(0xD1B5819ACD1489E3), UINT64_C(0xF9C80FB0DE45D24A), -- UINT64_C(0x045C21A683BB7491), UINT64_C(0xA65325BE73F7A47D), -- UINT64_C(0x08D09F0E9C394F0C), UINT64_C(0xE7FB21C6268D4F08) } }, -- { { UINT64_C(0xC4CCAB956CA95C18), UINT64_C(0x563FFD56BC42E040), -- UINT64_C(0xFA3C64D8E701C604), UINT64_C(0xC88D4426B0ABAFEE), -- UINT64_C(0x1A353E5E8542E4C3), UINT64_C(0x9A2D8B7CED726186) }, -- { UINT64_C(0xD61CE19042D097FA), UINT64_C(0x6A63E280799A748B), -- UINT64_C(0x0F48D0633225486B), UINT64_C(0x848F8FE142A3C443), -- UINT64_C(0x2CCDE2508493CEF4), UINT64_C(0x5450A50845E77E7C) } }, -- { { UINT64_C(0xD0F4E24803112816), UINT64_C(0xFCAD9DDBCCBE9E16), -- UINT64_C(0x177999BF5AE01EA0), UINT64_C(0xD20C78B9CE832DCE), -- UINT64_C(0x3CC694FB50C8C646), UINT64_C(0x24D75968C93D4887) }, -- { UINT64_C(0x9F06366A87BC08AF), UINT64_C(0x59FAB50E7FD0DF2A), -- UINT64_C(0x5FFCC7F76C4CC234), UINT64_C(0x87198DD765F52D86), -- UINT64_C(0x5B9C94B0A855DF04), UINT64_C(0xD8BA6C738A067AD7) } }, -- }, -- { -- { { UINT64_C(0x9E9AF3151C4C9D90), UINT64_C(0x8665C5A9D12E0A89), -- UINT64_C(0x204ABD9258286493), UINT64_C(0x79959889B2E09205), -- UINT64_C(0x0C727A3DFE56B101), UINT64_C(0xF366244C8B657F26) }, -- { UINT64_C(0xDE35D954CCA65BE2), UINT64_C(0x52EE1230B0FD41CE), -- UINT64_C(0xFA03261F36019FEE), UINT64_C(0xAFDA42D966511D8F), -- UINT64_C(0xF63211DD821148B9), UINT64_C(0x7B56AF7E6F13A3E1) } }, -- { { UINT64_C(0x47FE47995913E184), UINT64_C(0x5BBE584C82145900), -- UINT64_C(0xB76CFA8B9A867173), UINT64_C(0x9BC87BF0514BF471), -- UINT64_C(0x37392DCE71DCF1FC), UINT64_C(0xEC3EFAE03AD1EFA8) }, -- { UINT64_C(0xBBEA5A3414876451), UINT64_C(0x96E5F5436217090F), -- UINT64_C(0x5B3D4ECD9B1665A9), UINT64_C(0xE7B0DF26E329DF22), -- UINT64_C(0x18FB438E0BAA808D), UINT64_C(0x90757EBFDD516FAF) } }, -- { { UINT64_C(0x1E6F9A95D5A98D68), UINT64_C(0x759EA7DF849DA828), -- UINT64_C(0x365D56256E8B4198), UINT64_C(0xE1B9C53B7A4A53F9), -- 
UINT64_C(0x55DC1D50E32B9B16), UINT64_C(0xA4657EBBBB6D5701) }, -- { UINT64_C(0x4C270249EACC76E2), UINT64_C(0xBE49EC75162B1CC7), -- UINT64_C(0x19A95B610689902B), UINT64_C(0xDD5706BFA4CFC5A8), -- UINT64_C(0xD33BDB7314E5B424), UINT64_C(0x21311BD1E69EBA87) } }, -- { { UINT64_C(0x75BA2F9B72A21ACC), UINT64_C(0x356688D4A28EDB4C), -- UINT64_C(0x3C339E0B610D080F), UINT64_C(0x614AC29333A99C2F), -- UINT64_C(0xA5E23AF2AA580AFF), UINT64_C(0xA6BCB860E1FDBA3A) }, -- { UINT64_C(0xAA603365B43F9425), UINT64_C(0xAE8D7126F7EE4635), -- UINT64_C(0xA2B2524456330A32), UINT64_C(0xC396B5BB9E025AA3), -- UINT64_C(0xABBF77FAF8A0D5CF), UINT64_C(0xB322EE30EA31C83B) } }, -- { { UINT64_C(0x048813847890E234), UINT64_C(0x387F1159672E70C6), -- UINT64_C(0x1468A6147B307F75), UINT64_C(0x56335B52ED85EC96), -- UINT64_C(0xDA1BB60FD45BCAE9), UINT64_C(0x4D94F3F0F9FAEADD) }, -- { UINT64_C(0x6C6A7183FC78D86B), UINT64_C(0xA425B5C73018DEC6), -- UINT64_C(0xB1549C332D877399), UINT64_C(0x6C41C50C92B2BC37), -- UINT64_C(0x3A9F380C83EE0DDB), UINT64_C(0xDED5FEB6C4599E73) } }, -- { { UINT64_C(0x14D34C210B7F8354), UINT64_C(0x1475A1CD9177CE45), -- UINT64_C(0x9F5F764A9B926E4B), UINT64_C(0x77260D1E05DD21FE), -- UINT64_C(0x3C882480C4B937F7), UINT64_C(0xC92DCD39722372F2) }, -- { UINT64_C(0xF636A1BEEC6F657E), UINT64_C(0xB0E6C3121D30DD35), -- UINT64_C(0xFE4B0528E4654EFE), UINT64_C(0x1C4A682021D230D2), -- UINT64_C(0x615D2E4898FA45AB), UINT64_C(0x1F35D6D801FDBABF) } }, -- { { UINT64_C(0xA636EEB83A7B10D1), UINT64_C(0x4E1AE352F4A29E73), -- UINT64_C(0x01704F5FE6BB1EC7), UINT64_C(0x75C04F720EF020AE), -- UINT64_C(0x448D8CEE5A31E6A6), UINT64_C(0xE40A9C29208F994B) }, -- { UINT64_C(0x69E09A30FD8F9D5D), UINT64_C(0xE6A5F7EB449BAB7E), -- UINT64_C(0xF25BC18A2AA1768B), UINT64_C(0x9449E4043C841234), -- UINT64_C(0x7A3BF43E016A7BEF), UINT64_C(0xF25803E82A150B60) } }, -- { { UINT64_C(0xE44A2A57B215F9E0), UINT64_C(0x38B34DCE19066F0A), -- UINT64_C(0x8BB91DAD40BB1BFB), UINT64_C(0x64C9F775E67735FC), -- UINT64_C(0xDE14241788D613CD), 
UINT64_C(0xC5014FF51901D88D) }, -- { UINT64_C(0xA250341DF38116B0), UINT64_C(0xF96B9DD49D6CBCB2), -- UINT64_C(0x15EC6C7276B3FAC2), UINT64_C(0x88F1952F8124C1E9), -- UINT64_C(0x6B72F8EA975BE4F5), UINT64_C(0x23D288FF061F7530) } }, -- { { UINT64_C(0xEBFE3E5FAFB96CE3), UINT64_C(0x2275EDFBB1979537), -- UINT64_C(0xC37AB9E8C97BA741), UINT64_C(0x446E4B1063D7C626), -- UINT64_C(0xB73E2DCED025EB02), UINT64_C(0x1F952B517669EEA7) }, -- { UINT64_C(0xABDD00F66069A424), UINT64_C(0x1C0F9D9BDC298BFB), -- UINT64_C(0x831B1FD3EB757B33), UINT64_C(0xD7DBE18359D60B32), -- UINT64_C(0x663D1F369EF094B3), UINT64_C(0x1BD5732E67F7F11A) } }, -- { { UINT64_C(0x3C7FB3F5C75D8892), UINT64_C(0x2CFF9A0CBA68DA69), -- UINT64_C(0x76455E8B60EC740B), UINT64_C(0x4B8D67FF167B88F0), -- UINT64_C(0xEDEC0C025A4186B1), UINT64_C(0x127C462DBEBF35AB) }, -- { UINT64_C(0x9159C67E049430FC), UINT64_C(0x86B21DD2E7747320), -- UINT64_C(0x0E0E01520CF27B89), UINT64_C(0x705F28F5CD1316B6), -- UINT64_C(0x76751691BEAEA8A8), UINT64_C(0x4C73E282360C5B69) } }, -- { { UINT64_C(0x46BCC0D5FD7B3D74), UINT64_C(0x6F13C20E0DC4F410), -- UINT64_C(0x98A1AF7D72F11CDF), UINT64_C(0x6099FD837928881C), -- UINT64_C(0x66976356371BB94B), UINT64_C(0x673FBA7219B945AB) }, -- { UINT64_C(0xE4D8FA6EAED00700), UINT64_C(0xEA2313EC5C71A9F7), -- UINT64_C(0xF9ED8268F99D4AEA), UINT64_C(0xADD8916442AB59C7), -- UINT64_C(0xB37EB26F3F3A2D45), UINT64_C(0x0B39BD7AA924841E) } }, -- { { UINT64_C(0xD811EB32E03CDBBB), UINT64_C(0x12055F1D7CC3610E), -- UINT64_C(0x6B23A1A0A9046E3F), UINT64_C(0x4D7121229DD4A749), -- UINT64_C(0xB0C2ACA1B1BF0AC3), UINT64_C(0x71EFF575C1B0432F) }, -- { UINT64_C(0x6CD814922B44E285), UINT64_C(0x3088BD9CD87E8D20), -- UINT64_C(0xACE218E5F567E8FA), UINT64_C(0xB3FA0424CF90CBBB), -- UINT64_C(0xADBDA751770734D3), UINT64_C(0xBCD78BAD5AD6569A) } }, -- { { UINT64_C(0xCADB31FA7F39641F), UINT64_C(0x3EF3E295825E5562), -- UINT64_C(0x4893C633F4094C64), UINT64_C(0x52F685F18ADDF432), -- UINT64_C(0x9FD887AB7FDC9373), UINT64_C(0x47A9ADA0E8680E8B) }, -- { 
UINT64_C(0x579313B7F0CD44F6), UINT64_C(0xAC4B8668E188AE2E), -- UINT64_C(0x648F43698FB145BD), UINT64_C(0xE0460AB374629E31), -- UINT64_C(0xC25F28758FF2B05F), UINT64_C(0x4720C2B62D31EAEA) } }, -- { { UINT64_C(0x4603CDF413D48F80), UINT64_C(0x9ADB50E2A49725DA), -- UINT64_C(0x8CD3305065DF63F0), UINT64_C(0x58D8B3BBCD643003), -- UINT64_C(0x170A4F4AB739826B), UINT64_C(0x857772B51EAD0E17) }, -- { UINT64_C(0x01B78152E65320F1), UINT64_C(0xA6B4D845B7503FC0), -- UINT64_C(0x0F5089B93DD50798), UINT64_C(0x488F200F5690B6BE), -- UINT64_C(0x220B4ADF9E096F36), UINT64_C(0x474D7C9F8CE5BC7C) } }, -- { { UINT64_C(0xFED8C058C745F8C9), UINT64_C(0xB683179E291262D1), -- UINT64_C(0x26ABD367D15EE88C), UINT64_C(0x29E8EED3F60A6249), -- UINT64_C(0xED6008BB1E02D6E1), UINT64_C(0xD82ECF4CA6B12B8D) }, -- { UINT64_C(0x9929D021AAE4FA22), UINT64_C(0xBE4DEF14336A1AB3), -- UINT64_C(0x529B7E098C80A312), UINT64_C(0xB059188DEE0EB0CE), -- UINT64_C(0x1E42979A16DEAB7F), UINT64_C(0x2411034984EE9477) } }, -- { { UINT64_C(0xD65246852BE579CC), UINT64_C(0x849316F1C456FDED), -- UINT64_C(0xC51B7DA42D1B67DA), UINT64_C(0xC25B539E41BC6D6A), -- UINT64_C(0xE3B7CCA3A9BF8BED), UINT64_C(0x813EF18C045C15E4) }, -- { UINT64_C(0x5F3789A1697982C4), UINT64_C(0x4C1253698C435566), -- UINT64_C(0x00A7AE6EDC0A92C6), UINT64_C(0x1ABC929B2F64A053), -- UINT64_C(0xF4925C4C38666B44), UINT64_C(0xA81044B00F3DE7F6) } }, -- }, -- { -- { { UINT64_C(0xBCC88422C2EC3731), UINT64_C(0x78A3E4D410DC4EC2), -- UINT64_C(0x745DA1EF2571D6B1), UINT64_C(0xF01C2921739A956E), -- UINT64_C(0xEFFD8065E4BFFC16), UINT64_C(0x6EFE62A1F36FE72C) }, -- { UINT64_C(0xF49E90D20F4629A4), UINT64_C(0xADD1DCC78CE646F4), -- UINT64_C(0xCB78B583B7240D91), UINT64_C(0x2E1A7C3C03F8387F), -- UINT64_C(0x16566C223200F2D9), UINT64_C(0x2361B14BAAF80A84) } }, -- { { UINT64_C(0xDB1CFFD2B5733309), UINT64_C(0x24BC250B0F9DD939), -- UINT64_C(0xA4181E5AA3C1DB85), UINT64_C(0xE5183E51AC55D391), -- UINT64_C(0x2793D5EFEFD270D0), UINT64_C(0x7D56F63DC0631546) }, -- { UINT64_C(0xECB40A590C1EE59D), 
UINT64_C(0xE613A9E4BB5BFA2C), -- UINT64_C(0xA89B14AB6C5830F9), UINT64_C(0x4DC477DCA03F201E), -- UINT64_C(0x5604F5DAC88C54F6), UINT64_C(0xD49264DC2ACFC66E) } }, -- { { UINT64_C(0x283DD7F01C4DFA95), UINT64_C(0xB898CC2C62C0B160), -- UINT64_C(0xBA08C095870282AA), UINT64_C(0xB02B00D8F4E36324), -- UINT64_C(0x53AADDC0604CECF2), UINT64_C(0xF1F927D384DDD24E) }, -- { UINT64_C(0x34BC00A0E2ABC9E1), UINT64_C(0x2DA1227D60289F88), -- UINT64_C(0x5228EAAACEF68F74), UINT64_C(0x40A790D23C029351), -- UINT64_C(0xE0E9AF5C8442E3B7), UINT64_C(0xA3214142A9F141E0) } }, -- { { UINT64_C(0x72F4949EF9A58E3D), UINT64_C(0x738C700BA48660A6), -- UINT64_C(0x71B04726092A5805), UINT64_C(0xAD5C3C110F5CDB72), -- UINT64_C(0xD4951F9E554BFC49), UINT64_C(0xEE594EE56131EBE7) }, -- { UINT64_C(0x37DA59F33C1AF0A9), UINT64_C(0xD7AFC73BCB040A63), -- UINT64_C(0xD020962A4D89FA65), UINT64_C(0x2610C61E71D824F5), -- UINT64_C(0x9C917DA73C050E31), UINT64_C(0x3840F92FE6E7EBFB) } }, -- { { UINT64_C(0x50FBD7FE8D8B8CED), UINT64_C(0xC7282F7547D240AE), -- UINT64_C(0x79646A471930FF73), UINT64_C(0x2E0BAC4E2F7F5A77), -- UINT64_C(0x0EE44FA526127E0B), UINT64_C(0x678881B782BC2AA7) }, -- { UINT64_C(0xB9E5D38467F5F497), UINT64_C(0x8F94A7D4A9B7106B), -- UINT64_C(0xBF7E0B079D329F68), UINT64_C(0x169B93EA45D192FB), -- UINT64_C(0xCCAA946720DBE8C0), UINT64_C(0xD4513A50938F9574) } }, -- { { UINT64_C(0x841C96B4054CB874), UINT64_C(0xD75B1AF1A3C26834), -- UINT64_C(0x7237169DEE6575F0), UINT64_C(0xD71FC7E50322AADC), -- UINT64_C(0xD7A23F1E949E3A8E), UINT64_C(0x77E2D102DD31D8C7) }, -- { UINT64_C(0x5AD69D09D10F5A1F), UINT64_C(0x526C9CB4B99D9A0B), -- UINT64_C(0x521BB10B972B237D), UINT64_C(0x1E4CD42FA326F342), -- UINT64_C(0x5BB6DB27F0F126CA), UINT64_C(0x587AF22CA4A515AD) } }, -- { { UINT64_C(0x1123A531B12E542F), UINT64_C(0x1D01A64DB9EB2811), -- UINT64_C(0xA4A3515BF2D70F87), UINT64_C(0xFA205234B4BD0270), -- UINT64_C(0x74B818305EDA26B9), UINT64_C(0x9305D6E656578E75) }, -- { UINT64_C(0xF38E69DE9F11BE19), UINT64_C(0x1E2A5C2344DBE89F), -- 
UINT64_C(0x1077E7BCFD286654), UINT64_C(0xD36698940FCA4741), -- UINT64_C(0x893BF904278F8497), UINT64_C(0xD6AC5F83EB3E14F4) } }, -- { { UINT64_C(0x327B9DAB488F5F74), UINT64_C(0x2B44F4B8CAB7364F), -- UINT64_C(0xB4A6D22D19B6C6BD), UINT64_C(0xA087E613FC77CD3E), -- UINT64_C(0x4558E327B0B49BC7), UINT64_C(0x188805BECD835D35) }, -- { UINT64_C(0x592F293CC1DC1007), UINT64_C(0xFAEE660F6AF02B44), -- UINT64_C(0x5BFBB3BF904035F2), UINT64_C(0xD7C9AE6079C07E70), -- UINT64_C(0xC5287DD4234896C2), UINT64_C(0xC4CE4523CB0E4121) } }, -- { { UINT64_C(0x3626B40658344831), UINT64_C(0xABCCE3568E55C984), -- UINT64_C(0x495CC81C77241602), UINT64_C(0x4FB796766D70DF8F), -- UINT64_C(0x6354B37C5B071DCA), UINT64_C(0x2CAD80A48C0FC0AD) }, -- { UINT64_C(0x18AADD51F68739B4), UINT64_C(0x1BFBB17747F09C6C), -- UINT64_C(0x9355EA19A8FD51C4), UINT64_C(0x3D512A84EE58DB7B), -- UINT64_C(0x70842AFDE9237640), UINT64_C(0x36F515CAACAF858D) } }, -- { { UINT64_C(0x3DDEC7C47E768B23), UINT64_C(0x97E13C53036D43ED), -- UINT64_C(0x871E59253A39AB5F), UINT64_C(0x9AF292DE07E68E2B), -- UINT64_C(0x411583494A40112E), UINT64_C(0xCDBB46AF3D4D97E6) }, -- { UINT64_C(0x2F8912933C0EBE40), UINT64_C(0x696C7EEE3EBAD1E5), -- UINT64_C(0x8A5F3B6933B50D99), UINT64_C(0xB7BC48407ED47DDE), -- UINT64_C(0x3A6F8E6C1E6706D8), UINT64_C(0x6A1479433D84BB8F) } }, -- { { UINT64_C(0xEC3A9C78603AE8D1), UINT64_C(0xBFE07E37228C29E5), -- UINT64_C(0xB0385C5B396DBC2B), UINT64_C(0x7C14FE83DF85F41F), -- UINT64_C(0xE2E64676ADFD463E), UINT64_C(0x5BEF10AA8BF9F23D) }, -- { UINT64_C(0xFA83EA0DF6BAB6DA), UINT64_C(0xCD0C8BA5966BF7E3), -- UINT64_C(0xD62216B498501C2E), UINT64_C(0xB7F298A4C3E69F2D), -- UINT64_C(0x42CEF13B9C8740F4), UINT64_C(0xBB317E520DD64307) } }, -- { { UINT64_C(0x22B6245C3FFEE775), UINT64_C(0x5C3F60BEB37CE7AA), -- UINT64_C(0xDE195D40E1FEC0DF), UINT64_C(0x3BFAFBC5A0A82074), -- UINT64_C(0xC36EC86AC72CA86A), UINT64_C(0x5606285113FD43EA) }, -- { UINT64_C(0x8686BE808E0B03A4), UINT64_C(0xC3BD1F93D540D440), -- UINT64_C(0x13E4EBC0BF96CEC5), 
UINT64_C(0xE8E239849190C844), -- UINT64_C(0x183593A600844802), UINT64_C(0x467168794D206878) } }, -- { { UINT64_C(0x358F394DB6F63D19), UINT64_C(0xA75D48496B052194), -- UINT64_C(0x584035905C8D7975), UINT64_C(0x86DC9B6B6CBFBD77), -- UINT64_C(0x2DB04D77647A51E5), UINT64_C(0x5E9A5B02F8950D88) }, -- { UINT64_C(0xCE69A7E5017168B0), UINT64_C(0x94630FACC4843AD3), -- UINT64_C(0xB3B9D7361EFC44FF), UINT64_C(0xE729E9B6B14D7F93), -- UINT64_C(0xA071FC60E0ED0ABC), UINT64_C(0xFC1A99718C8D9B83) } }, -- { { UINT64_C(0x49686031D138E975), UINT64_C(0x648640385A8EF0D1), -- UINT64_C(0x32679713E7F7DE49), UINT64_C(0x5913234929D1CD1D), -- UINT64_C(0x849AA23A20BE9ED2), UINT64_C(0x15D303E1284B3F33) }, -- { UINT64_C(0x37309475B63F9FE9), UINT64_C(0x327BAC8B45B7256A), -- UINT64_C(0x291CD227D17FC5D3), UINT64_C(0x8291D8CDA973EDF1), -- UINT64_C(0xF3843562437ABA09), UINT64_C(0x33FFB704271D0785) } }, -- { { UINT64_C(0x5248D6E447E11E5E), UINT64_C(0x0F66FC3C269C7ED3), -- UINT64_C(0x18C0D2B9903E346E), UINT64_C(0xD81D9D974BEAE1B8), -- UINT64_C(0x610326B0FC30FDF3), UINT64_C(0x2B13687019A7DFCD) }, -- { UINT64_C(0xEC75F70AB9527676), UINT64_C(0x90829F5129A3D897), -- UINT64_C(0x92FE180997980302), UINT64_C(0xA3F2498E68474991), -- UINT64_C(0x6A66307B0F22BBAD), UINT64_C(0x32014B9120378557) } }, -- { { UINT64_C(0x72CD7D553CD98610), UINT64_C(0xC3D560B074504ADF), -- UINT64_C(0x23F0A982CEBB5D5D), UINT64_C(0x1431C15BB839DDB8), -- UINT64_C(0x7E207CD8CEB72207), UINT64_C(0x28E0A848E7EFB28D) }, -- { UINT64_C(0xD22561FE1BD96F6E), UINT64_C(0x04812C1862A8236B), -- UINT64_C(0xA0BF2334975491FA), UINT64_C(0x294F42A6435DF87F), -- UINT64_C(0x2772B783A5D6F4F6), UINT64_C(0x348F92ED2724F853) } }, -- }, -- { -- { { UINT64_C(0xC20FB9111A42E5E7), UINT64_C(0x075A678B81D12863), -- UINT64_C(0x12BCBC6A5CC0AA89), UINT64_C(0x5279C6AB4FB9F01E), -- UINT64_C(0xBC8E178911AE1B89), UINT64_C(0xAE74A706C290003C) }, -- { UINT64_C(0x9949D6EC79DF3F45), UINT64_C(0xBA18E26296C8D37F), -- UINT64_C(0x68DE6EE2DD2275BF), UINT64_C(0xA9E4FFF8C419F1D5), -- 
UINT64_C(0xBC759CA4A52B5A40), UINT64_C(0xFF18CBD863B0996D) } }, -- { { UINT64_C(0x73C57FDED7DD47E5), UINT64_C(0xB0FE5479D49A7F5D), -- UINT64_C(0xD25C71F1CFB9821E), UINT64_C(0x9427E209CF6A1D68), -- UINT64_C(0xBF3C3916ACD24E64), UINT64_C(0x7E9F5583BDA7B8B5) }, -- { UINT64_C(0xE7C5F7C8CF971E11), UINT64_C(0xEC16D5D73C7F035E), -- UINT64_C(0x818DC472E66B277C), UINT64_C(0x4413FD47B2816F1E), -- UINT64_C(0x40F262AF48383C6D), UINT64_C(0xFB0575844F190537) } }, -- { { UINT64_C(0x487EDC0708962F6B), UINT64_C(0x6002F1E7190A7E55), -- UINT64_C(0x7FC62BEA10FDBA0C), UINT64_C(0xC836BBC52C3DBF33), -- UINT64_C(0x4FDFB5C34F7D2A46), UINT64_C(0x824654DEDCA0DF71) }, -- { UINT64_C(0x30A076760C23902B), UINT64_C(0x7F1EBB9377FBBF37), -- UINT64_C(0xD307D49DFACC13DB), UINT64_C(0x148D673AAE1A261A), -- UINT64_C(0xE008F95B52D98650), UINT64_C(0xC76144409F558FDE) } }, -- { { UINT64_C(0x17CD6AF69CB16650), UINT64_C(0x86CC27C169F4EEBE), -- UINT64_C(0x7E495B1D78822432), UINT64_C(0xFED338E31B974525), -- UINT64_C(0x527743D386F3CE21), UINT64_C(0x87948AD3B515C896) }, -- { UINT64_C(0x9FDE7039B17F2FB8), UINT64_C(0xA2FA9A5FD9B89D96), -- UINT64_C(0x5D46600B36FF74DC), UINT64_C(0x8EA74B048302C3C9), -- UINT64_C(0xD560F570F744B5EB), UINT64_C(0xC921023BFE762402) } }, -- { { UINT64_C(0xA35AB657FFF4C8ED), UINT64_C(0x017C61248A5FABD7), -- UINT64_C(0x5646302509ACDA28), UINT64_C(0x6038D36114CF238A), -- UINT64_C(0x1428B1B6AF1B9F07), UINT64_C(0x5827FF447482E95C) }, -- { UINT64_C(0xCB997E18780FF362), UINT64_C(0x2B89D702E0BCAC1E), -- UINT64_C(0xC632A0B5A837DDC8), UINT64_C(0xF3EFCF1F59762647), -- UINT64_C(0xE9BA309A38B0D60A), UINT64_C(0x05DEABDD20B5FB37) } }, -- { { UINT64_C(0xD44E5DBACB8AF047), UINT64_C(0x15400CB4943CFE82), -- UINT64_C(0xDBD695759DF88B67), UINT64_C(0x8299DB2BB2405A7D), -- UINT64_C(0x46E3BF770B1D80CD), UINT64_C(0xC50CF66CE82BA3D9) }, -- { UINT64_C(0xB2910A07F2F747A9), UINT64_C(0xF6B669DB5ADC89C1), -- UINT64_C(0x3B5EF1A09052B081), UINT64_C(0x0F5D5ED3B594ACE2), -- UINT64_C(0xDA30B8D5D5F01320), 
UINT64_C(0x0D688C5EAAFCD58F) } }, -- { { UINT64_C(0x5EEE3A312A161074), UINT64_C(0x6BAAAE56EFE2BE37), -- UINT64_C(0xF9787F61E3D78698), UINT64_C(0xC6836B2650630A30), -- UINT64_C(0x7445B85D1445DEF1), UINT64_C(0xD72016A2D568A6A5) }, -- { UINT64_C(0x9DD6F533E355614F), UINT64_C(0x637E7E5F91E04588), -- UINT64_C(0x42E142F3B9FB1391), UINT64_C(0x0D07C05C41AFE5DA), -- UINT64_C(0xD7CD25C81394EDF1), UINT64_C(0xEBE6A0FCB99288EE) } }, -- { { UINT64_C(0xB8E63B7BBABBAD86), UINT64_C(0x63226A9F90D66766), -- UINT64_C(0x263818365CF26666), UINT64_C(0xCCBD142D4CADD0BF), -- UINT64_C(0xA070965E9AC29470), UINT64_C(0x6BDCA26025FF23ED) }, -- { UINT64_C(0xD4E00FD487DCA7B3), UINT64_C(0xA50978339E0E8734), -- UINT64_C(0xF73F162E048173A4), UINT64_C(0xD23F91969C3C2FA2), -- UINT64_C(0x9AB98B45E4AC397A), UINT64_C(0x2BAA0300543F2D4B) } }, -- { { UINT64_C(0xBBBE15E7C658C445), UINT64_C(0xB8CBCB20C28941D1), -- UINT64_C(0x65549BE2027D6540), UINT64_C(0xEBBCA8021E8EF4F4), -- UINT64_C(0x18214B4BD2ACA397), UINT64_C(0xCBEC7DE2E31784A3) }, -- { UINT64_C(0x96F0533F0116FDF3), UINT64_C(0x68911C905C8F5EE1), -- UINT64_C(0x7DE9A3AED568603A), UINT64_C(0x3F56C52C6A3AD7B7), -- UINT64_C(0x5BE9AFCA670B4D0E), UINT64_C(0x628BFEEE375DFE2F) } }, -- { { UINT64_C(0x97DAE81BDD4ADDB3), UINT64_C(0x12D2CF4E8704761B), -- UINT64_C(0x5E820B403247788D), UINT64_C(0x82234B620051CA80), -- UINT64_C(0x0C62704D6CB5EA74), UINT64_C(0xDE56042023941593) }, -- { UINT64_C(0xB3912A3CF1B04145), UINT64_C(0xE3967CD7AF93688D), -- UINT64_C(0x2E2DCD2F58DABB4B), UINT64_C(0x6564836F0E303911), -- UINT64_C(0x1F10F19BECE07C5C), UINT64_C(0xB47F07EED8919126) } }, -- { { UINT64_C(0xE3545085E9A2EEC9), UINT64_C(0x81866A972C8E51FE), -- UINT64_C(0xD2BA7DB550027243), UINT64_C(0x29DAEAB54AE87DE4), -- UINT64_C(0x5EF3D4B8684F9497), UINT64_C(0xE2DACE3B9D5D6873) }, -- { UINT64_C(0xF012C951FFD29C9C), UINT64_C(0x48289445ADBADA14), -- UINT64_C(0x8751F50D89558C49), UINT64_C(0x75511A4F99E35BEE), -- UINT64_C(0xEF802D6E7D59AA5F), UINT64_C(0x14FCAD65A2A795E2) } }, -- { { 
UINT64_C(0xC8EB00E808CB8F2C), UINT64_C(0x686075322B45BD86), -- UINT64_C(0x7A29B45959969713), UINT64_C(0x5FA15B9BD684201B), -- UINT64_C(0x1A853190B9E538EE), UINT64_C(0x4150605CD573D043) }, -- { UINT64_C(0xEF011D3BEB9FBB68), UINT64_C(0x6727998266AE32B6), -- UINT64_C(0x861B86EA445DE5EC), UINT64_C(0x62837D18A34A50E1), -- UINT64_C(0x228C006ABF5F0663), UINT64_C(0xE007FDE7396DB36A) } }, -- { { UINT64_C(0xDEE4F8815A916A55), UINT64_C(0x20DC0370F39C82CB), -- UINT64_C(0xD9A7161540F09821), UINT64_C(0xD50AD8BFF7273492), -- UINT64_C(0xA06F7D1232E7C4BF), UINT64_C(0xFA0F61544C5CEA36) }, -- { UINT64_C(0xF4FD9BED5FC49CFE), UINT64_C(0xD8CB45D1C9291678), -- UINT64_C(0x94DB86CC7B92C9F2), UINT64_C(0x09CA5F3873C81169), -- UINT64_C(0x109F40B0AEED06F0), UINT64_C(0x9F0360B214DCAA0A) } }, -- { { UINT64_C(0x4189B70DE12AD3E7), UINT64_C(0x5208ADB210B06607), -- UINT64_C(0xEBD8E2A2EE8497FA), UINT64_C(0x61B1BD67E04F2ECB), -- UINT64_C(0x0E2DDA724F3F5F99), UINT64_C(0xD5D96740F747B16D) }, -- { UINT64_C(0x308A48F6A6BF397F), UINT64_C(0x7021C3E523A93595), -- UINT64_C(0xF10B022936470AA0), UINT64_C(0x7761E8EC4E03295B), -- UINT64_C(0x16EFEF5807339770), UINT64_C(0x0D55D2DD5DA5DAA2) } }, -- { { UINT64_C(0x915EA6A38A22F87A), UINT64_C(0x191151C12E5A088E), -- UINT64_C(0x190252F17F1D5CBE), UINT64_C(0xE43F59C33B0EC99B), -- UINT64_C(0xBE8588D4FF2A6135), UINT64_C(0x103877CC2ECB4B9F) }, -- { UINT64_C(0x8F4147E5023CF92B), UINT64_C(0xC24384CC0CC2085B), -- UINT64_C(0x6A2DB4A2D082D311), UINT64_C(0x06283811ED7BA9AE), -- UINT64_C(0xE9A3F5322A8E1592), UINT64_C(0xAC20F0F45A59E894) } }, -- { { UINT64_C(0x788CAA5274AAB4B1), UINT64_C(0xEB84ABA12FEAFC7E), -- UINT64_C(0x31DA71DAAC04FF77), UINT64_C(0x39D12EB924E4D0BF), -- UINT64_C(0x4F2F292F87A34EF8), UINT64_C(0x9B324372A237A8ED) }, -- { UINT64_C(0xBB2D04B12EE3A82D), UINT64_C(0xED4FF367D18D36B2), -- UINT64_C(0x99D231EEA6EA0138), UINT64_C(0x7C2D4F064F92E04A), -- UINT64_C(0x78A82AB2CA272FD0), UINT64_C(0x7EC41340AB8CDC32) } }, -- }, -- { -- { { UINT64_C(0xD23658C8D2E15A8C), 
UINT64_C(0x23F93DF716BA28CA), -- UINT64_C(0x6DAB10EC082210F1), UINT64_C(0xFB1ADD91BFC36490), -- UINT64_C(0xEDA8B02F9A4F2D14), UINT64_C(0x9060318C56560443) }, -- { UINT64_C(0x6C01479E64711AB2), UINT64_C(0x41446FC7E337EB85), -- UINT64_C(0x4DCF3C1D71888397), UINT64_C(0x87A9C04E13C34FD2), -- UINT64_C(0xFE0E08EC510C15AC), UINT64_C(0xFC0D0413C0F495D2) } }, -- { { UINT64_C(0xEB05C516156636C2), UINT64_C(0x2F613ABA090E93FC), -- UINT64_C(0xCFD573CD489576F5), UINT64_C(0xE6535380535A8D57), -- UINT64_C(0x13947314671436C4), UINT64_C(0x1172FB0C5F0A122D) }, -- { UINT64_C(0xAECC7EC1C12F58F6), UINT64_C(0xFE42F9578E41AFD2), -- UINT64_C(0xDF96F6523D4221AA), UINT64_C(0xFEF5649F2851996B), -- UINT64_C(0x46FB9F26D5CFB67E), UINT64_C(0xB047BFC7EF5C4052) } }, -- { { UINT64_C(0x5CBDC442F4484374), UINT64_C(0x6B156957F92452EF), -- UINT64_C(0x58A26886C118D02A), UINT64_C(0x87FF74E675AAF276), -- UINT64_C(0xB133BE95F65F6EC1), UINT64_C(0xA89B62844B1B8D32) }, -- { UINT64_C(0xDD8A8EF309C81004), UINT64_C(0x7F8225DB0CF21991), -- UINT64_C(0xD525A6DB26623FAF), UINT64_C(0xF2368D40BAE15453), -- UINT64_C(0x55D6A84D84F89FC9), UINT64_C(0xAF38358A86021A3E) } }, -- { { UINT64_C(0xBD048BDCFF52E280), UINT64_C(0x8A51D0B2526A1795), -- UINT64_C(0x40AAA758A985AC0F), UINT64_C(0x6039BCDCF2C7ACE9), -- UINT64_C(0x712092CC6AEC347D), UINT64_C(0x7976D0906B5ACAB7) }, -- { UINT64_C(0x1EBCF80D6EED9617), UINT64_C(0xB3A63149B0F404A4), -- UINT64_C(0x3FDD3D1AD0B610EF), UINT64_C(0xDD3F6F9498C28AC7), -- UINT64_C(0x650B77943A59750F), UINT64_C(0xEC59BAB12D3991AC) } }, -- { { UINT64_C(0x01F40E882E552766), UINT64_C(0x1FE3D50966F5354F), -- UINT64_C(0x0E46D006B3A8EA7F), UINT64_C(0xF75AB629F831CD6A), -- UINT64_C(0xDAD808D791465119), UINT64_C(0x442405AF17EF9B10) }, -- { UINT64_C(0xD5FE0A96672BDFCB), UINT64_C(0xA9DFA422355DBDEC), -- UINT64_C(0xFDB79AA179B25636), UINT64_C(0xE7F26FFDEECE8AEC), -- UINT64_C(0xB59255507EDD5AA2), UINT64_C(0x2C8F6FF08EB3A6C2) } }, -- { { UINT64_C(0x88887756757D6136), UINT64_C(0xAD9AC18388B92E72), -- 
UINT64_C(0x92CB2FC48785D3EB), UINT64_C(0xD1A542FE9319764B), -- UINT64_C(0xAF4CC78F626A62F8), UINT64_C(0x7F3F5FC926BFFAAE) }, -- { UINT64_C(0x0A203D4340AE2231), UINT64_C(0xA8BFD9E0387898E8), -- UINT64_C(0x1A0C379C474B7DDD), UINT64_C(0x03855E0A34FD49EA), -- UINT64_C(0x02B26223B3EF4AE1), UINT64_C(0x804BD8CFE399E0A3) } }, -- { { UINT64_C(0x11A9F3D0DE865713), UINT64_C(0x81E36B6BBDE98821), -- UINT64_C(0x324996C86AA891D0), UINT64_C(0x7B95BDC1395682B5), -- UINT64_C(0x47BF2219C1600563), UINT64_C(0x7A473F50643E38B4) }, -- { UINT64_C(0x0911F50AF5738288), UINT64_C(0xDF947A706F9C415B), -- UINT64_C(0xBDB994F267A067F6), UINT64_C(0x3F4BEC1B88BE96CD), -- UINT64_C(0x9820E931E56DD6D9), UINT64_C(0xB138F14F0A80F419) } }, -- { { UINT64_C(0xA11A1A8F0429077A), UINT64_C(0x2BB1E33D10351C68), -- UINT64_C(0x3C25ABFE89459A27), UINT64_C(0x2D0091B86B8AC774), -- UINT64_C(0xDAFC78533B2415D9), UINT64_C(0xDE713CF19201680D) }, -- { UINT64_C(0x8E5F445D68889D57), UINT64_C(0x608B209C60EABF5B), -- UINT64_C(0x10EC0ACCF9CFA408), UINT64_C(0xD5256B9D4D1EE754), -- UINT64_C(0xFF866BAB0AA6C18D), UINT64_C(0x9D196DB8ACB90A45) } }, -- { { UINT64_C(0xA46D76A9B9B081B2), UINT64_C(0xFC743A1062163C25), -- UINT64_C(0xCD2A5C8D7761C392), UINT64_C(0x39BDDE0BBE808583), -- UINT64_C(0x7C416021B98E4DFE), UINT64_C(0xF930E56365913A44) }, -- { UINT64_C(0xC3555F7E7585CF3C), UINT64_C(0xC737E3833D6333D5), -- UINT64_C(0x5B60DBA4B430B03D), UINT64_C(0x42B715EBE7555404), -- UINT64_C(0x571BDF5B7C7796E3), UINT64_C(0x33DC62C66DB6331F) } }, -- { { UINT64_C(0x3FB9CCB0E61DEE59), UINT64_C(0xC5185F2318B14DB9), -- UINT64_C(0x1B2ADC4F845EF36C), UINT64_C(0x195D5B505C1A33AB), -- UINT64_C(0x8CEA528E421F59D2), UINT64_C(0x7DFCCECFD2931CEA) }, -- { UINT64_C(0x51FFA1D58CF7E3F7), UINT64_C(0xF01B7886BDC9FB43), -- UINT64_C(0xD65AB610261A0D35), UINT64_C(0x84BCBAFD7574A554), -- UINT64_C(0x4B119956FAD70208), UINT64_C(0xDDC329C24FAB5243) } }, -- { { UINT64_C(0x1A08AA579CE92177), UINT64_C(0x3395E557DC2B5C36), -- UINT64_C(0xFDFE7041394ED04E), 
UINT64_C(0xB797EB24C6DFCDDE), -- UINT64_C(0x284A6B2ACB9DE5D6), UINT64_C(0xE0BD95C807222765) }, -- { UINT64_C(0x114A951B9FE678A7), UINT64_C(0xE7ECD0BD9E4954EC), -- UINT64_C(0x7D4096FE79F0B8A9), UINT64_C(0xBDB26E9A09724FE2), -- UINT64_C(0x08741AD8F787AF95), UINT64_C(0x2BF9727224045AD8) } }, -- { { UINT64_C(0xAB1FEDD9A9451D57), UINT64_C(0xDF4D91DF483E38C9), -- UINT64_C(0x2D54D31124E9CF8E), UINT64_C(0x9C2A5AF87A22EEB6), -- UINT64_C(0xBD9861EF0A43F123), UINT64_C(0x581EA6A238A18B7B) }, -- { UINT64_C(0xAF339C85296470A3), UINT64_C(0xF9603FCDAFD8203E), -- UINT64_C(0x95D0535096763C28), UINT64_C(0x15445C16860EC831), -- UINT64_C(0x2AFB87286867A323), UINT64_C(0x4B152D6D0C4838BF) } }, -- { { UINT64_C(0x45BA0E4F837CACBA), UINT64_C(0x7ADB38AEC0725275), -- UINT64_C(0x19C82831942D3C28), UINT64_C(0x94F4731D6D0FE7DD), -- UINT64_C(0xC3C07E134898F1E6), UINT64_C(0x76350EACED410B51) }, -- { UINT64_C(0x0FA8BECAF99AACFC), UINT64_C(0x2834D86F65FAF9CF), -- UINT64_C(0x8E62846A6F3866AF), UINT64_C(0xDAA9BD4F3DFD6A2B), -- UINT64_C(0xC27115BBA6132655), UINT64_C(0x83972DF7BD5A32C2) } }, -- { { UINT64_C(0xA330CB5BD513B825), UINT64_C(0xAE18B2D3EE37BEC3), -- UINT64_C(0xFC3AB80AF780A902), UINT64_C(0xD7835BE2D607DDF1), -- UINT64_C(0x8120F7675B6E4C2B), UINT64_C(0xAA8C385967E78CCB) }, -- { UINT64_C(0xA8DA8CE2AA0ED321), UINT64_C(0xCB8846FDD766341A), -- UINT64_C(0xF2A342EE33DC9D9A), UINT64_C(0xA519E0BED0A18A80), -- UINT64_C(0x9CDAA39CAF48DF4C), UINT64_C(0xA4B500CA7E0C19EE) } }, -- { { UINT64_C(0x83A7FD2F8217001B), UINT64_C(0x4F6FCF064296A8BA), -- UINT64_C(0x7D74864391619927), UINT64_C(0x174C1075941E4D41), -- UINT64_C(0x037EDEBDA64F5A6C), UINT64_C(0xCF64DB3A6E29DC56) }, -- { UINT64_C(0x150B3ACE37C0B9F4), UINT64_C(0x1323234A7168178B), -- UINT64_C(0x1CE47014EF4D1879), UINT64_C(0xA22E374217FB4D5C), -- UINT64_C(0x69B81822D985F794), UINT64_C(0x199C21C4081D7214) } }, -- { { UINT64_C(0x160BC7A18F04B4D2), UINT64_C(0x79CA81DDB10DE174), -- UINT64_C(0xE2A280B02DA1E9C7), UINT64_C(0xB4F6BD991D6A0A29), -- 
UINT64_C(0x57CF3EDD1C5B8F27), UINT64_C(0x7E34FC57158C2FD4) }, -- { UINT64_C(0x828CFD89CAC93459), UINT64_C(0x9E631B6FB7AF499F), -- UINT64_C(0xF4DC8BC0DA26C135), UINT64_C(0x6128ED3937186735), -- UINT64_C(0xBB45538B67BF0BA5), UINT64_C(0x1ADDD4C10064A3AB) } }, -- }, -- { -- { { UINT64_C(0xC32730E8DD14D47E), UINT64_C(0xCDC1FD42C0F01E0F), -- UINT64_C(0x2BACFDBF3F5CD846), UINT64_C(0x45F364167272D4DD), -- UINT64_C(0xDD813A795EB75776), UINT64_C(0xB57885E450997BE2) }, -- { UINT64_C(0xDA054E2BDB8C9829), UINT64_C(0x4161D820AAB5A594), -- UINT64_C(0x4C428F31026116A3), UINT64_C(0x372AF9A0DCD85E91), -- UINT64_C(0xFDA6E903673ADC2D), UINT64_C(0x4526B8ACA8DB59E6) } }, -- { { UINT64_C(0x68FE359DE23A8472), UINT64_C(0x43EB12BD4CE3C101), -- UINT64_C(0x0EC652C3FC704935), UINT64_C(0x1EEFF1F952E4E22D), -- UINT64_C(0xBA6777CB083E3ADA), UINT64_C(0xAB52D7DC8BEFC871) }, -- { UINT64_C(0x4EDE689F497CBD59), UINT64_C(0xC8AE42B927577DD9), -- UINT64_C(0xE0F080517AB83C27), UINT64_C(0x1F3D5F252C8C1F48), -- UINT64_C(0x57991607AF241AAC), UINT64_C(0xC4458B0AB8A337E0) } }, -- { { UINT64_C(0x3DBB3FA651DD1BA9), UINT64_C(0xE53C1C4D545E960B), -- UINT64_C(0x35AC6574793CE803), UINT64_C(0xB2697DC783DBCE4F), -- UINT64_C(0xE35C5BF2E13CF6B0), UINT64_C(0x35034280B0C4A164) }, -- { UINT64_C(0xAA490908D9C0D3C1), UINT64_C(0x2CCE614DCB4D2E90), -- UINT64_C(0xF646E96C54D504E4), UINT64_C(0xD74E7541B73310A3), -- UINT64_C(0xEAD7159618BDE5DA), UINT64_C(0x96E7F4A8AA09AEF7) } }, -- { { UINT64_C(0xA8393A245D6E5F48), UINT64_C(0x2C8D7EA2F9175CE8), -- UINT64_C(0xD8824E0255A20268), UINT64_C(0x9DD9A272A446BCC6), -- UINT64_C(0xC929CDED5351499B), UINT64_C(0xEA5AD9ECCFE76535) }, -- { UINT64_C(0x26F3D7D9DC32D001), UINT64_C(0x51C3BE8343EB9689), -- UINT64_C(0x91FDCC06759E6DDB), UINT64_C(0xAC2E1904E302B891), -- UINT64_C(0xAD25C645C207E1F7), UINT64_C(0x28A70F0DAB3DEB4A) } }, -- { { UINT64_C(0x922D7F9703BEA8F1), UINT64_C(0x3AD820D4584570BE), -- UINT64_C(0x0CE0A8503CD46B43), UINT64_C(0x4C07911FAE66743D), -- UINT64_C(0x66519EB9FDA60023), 
UINT64_C(0x7F83004BEC2ACD9C) }, -- { UINT64_C(0x001E0B80C3117EAD), UINT64_C(0xBB72D5410722BA25), -- UINT64_C(0x3AF7DB966E9A5078), UINT64_C(0x86C5774E701B6B4C), -- UINT64_C(0xBD2C0E8E37824DB5), UINT64_C(0x3AE3028CBFAC286D) } }, -- { { UINT64_C(0x83D4D4A8A33E071B), UINT64_C(0x881C0A9261444BB5), -- UINT64_C(0xEEA1E292520E3BC3), UINT64_C(0x5A5F4C3C2AAAB729), -- UINT64_C(0x0B766C5EE63C7C94), UINT64_C(0x62BB8A9FBB2CC79C) }, -- { UINT64_C(0x97ADC7D2AA5DC49D), UINT64_C(0x30CC26B331718681), -- UINT64_C(0xAC86E6FF56E86EDE), UINT64_C(0x37BCA7A2CD52F7F2), -- UINT64_C(0x734D2C949CE6D87F), UINT64_C(0x06A71D71C2F7E0CA) } }, -- { { UINT64_C(0x559DCF75C6357D33), UINT64_C(0x4616D940652517DE), -- UINT64_C(0x3D576B981CCF207B), UINT64_C(0x51E2D1EF1979F631), -- UINT64_C(0x57517DDD06AE8296), UINT64_C(0x309A3D7FD6E7151F) }, -- { UINT64_C(0xBA2A23E60E3A6FE5), UINT64_C(0x76CF674AD28B22C3), -- UINT64_C(0xD235AD07F8B808C3), UINT64_C(0x7BBF4C586B71213A), -- UINT64_C(0x0676792E93271EBB), UINT64_C(0x2CFD2C7605B1FC31) } }, -- { { UINT64_C(0x4258E5C037A450F5), UINT64_C(0xC3245F1B52D2B118), -- UINT64_C(0x6DF7B48482BC5963), UINT64_C(0xE520DA4D9C273D1E), -- UINT64_C(0xED78E0122C3010E5), UINT64_C(0x112229483C1D4C05) }, -- { UINT64_C(0xE3DAE5AFC692B490), UINT64_C(0x3272BD10C197F793), -- UINT64_C(0xF7EAE411E709ACAA), UINT64_C(0x00B0C95F778270A6), -- UINT64_C(0x4DA76EE1220D4350), UINT64_C(0x521E1461AB71E308) } }, -- { { UINT64_C(0x7B654323343196A3), UINT64_C(0x35D442ADB0C95250), -- UINT64_C(0x38AF50E6E264FF17), UINT64_C(0x28397A412030D2EA), -- UINT64_C(0x8F1D84E9F74EEDA1), UINT64_C(0xD521F92DE6FB3C52) }, -- { UINT64_C(0xAF358D7795733811), UINT64_C(0xEBFDDD0193ABFE94), -- UINT64_C(0x05D8A028D18D99DE), UINT64_C(0x5A664019B5D5BDD9), -- UINT64_C(0x3DF172822AA12FE8), UINT64_C(0xB42E006FB889A28E) } }, -- { { UINT64_C(0xCF10E97DBC35CB1A), UINT64_C(0xC70A7BBD994DEDC5), -- UINT64_C(0x76A5327C37D04FB9), UINT64_C(0x87539F76A76E0CDA), -- UINT64_C(0xE9FE493FCD60A6B1), UINT64_C(0xA4574796132F01C0) }, -- { 
UINT64_C(0xC43B85EBDB70B167), UINT64_C(0x81D5039A98551DFA), -- UINT64_C(0x6B56FBE91D979FA4), UINT64_C(0x49714FD78615098F), -- UINT64_C(0xB10E1CEA94DECAB5), UINT64_C(0x8342EBA3480EF6E3) } }, -- { { UINT64_C(0xE1E030B0B3677288), UINT64_C(0x2978174C8D5CE3AF), -- UINT64_C(0xAFC0271CF7B2DE98), UINT64_C(0x745BC6F3B99C20B5), -- UINT64_C(0x9F6EDCED1E3BB4E5), UINT64_C(0x58D3EE4E73C8C1FC) }, -- { UINT64_C(0x1F3535F47FD30124), UINT64_C(0xF366AC705FA62502), -- UINT64_C(0x4C4C1FDD965363FE), UINT64_C(0x8B2C77771DE2CA2B), -- UINT64_C(0x0CB54743882F1173), UINT64_C(0x94B6B8C071343331) } }, -- { { UINT64_C(0x75AF014165B8B35B), UINT64_C(0x6D7B84854670A1F5), -- UINT64_C(0x6EAA3A47A3B6D376), UINT64_C(0xD7E673D2CB3E5B66), -- UINT64_C(0xC0338E6C9589AB38), UINT64_C(0x4BE26CB309440FAA) }, -- { UINT64_C(0x82CB05E7394F9AA3), UINT64_C(0xC45C8A8A7F7792EA), -- UINT64_C(0x37E5E33BB687DC70), UINT64_C(0x63853219DFE48E49), -- UINT64_C(0x087951C16D0E5C8C), UINT64_C(0x7696A8C72BC27310) } }, -- { { UINT64_C(0xA05736D5B67E834A), UINT64_C(0xDD2AA0F29098D42A), -- UINT64_C(0x09F0C1D849C69DDC), UINT64_C(0x81F8BC1C8FF0F0F3), -- UINT64_C(0x36FD3A4F03037775), UINT64_C(0x8286717D4B06DF5C) }, -- { UINT64_C(0xB878F496A9079EA2), UINT64_C(0xA5642426D7DC796D), -- UINT64_C(0x29B9351A67FDAC2B), UINT64_C(0x93774C0E1D543CDE), -- UINT64_C(0x4F8793BA1A8E31C4), UINT64_C(0x7C9F3F3A6C94798A) } }, -- { { UINT64_C(0x23C5AD11CB8ECDB8), UINT64_C(0x1E88D25E485A6A02), -- UINT64_C(0xB27CBE84F1E268AE), UINT64_C(0xDDA80238F4CD0475), -- UINT64_C(0x4F88857B49F8EB1B), UINT64_C(0x91B1221F52FB07F9) }, -- { UINT64_C(0x7CE974608637FA67), UINT64_C(0x528B3CF4632198D8), -- UINT64_C(0x33365AB3F6623769), UINT64_C(0x6FEBCFFF3A83A30F), -- UINT64_C(0x398F4C999BD341EB), UINT64_C(0x180712BBB33A333C) } }, -- { { UINT64_C(0x2B8655A2D93429E7), UINT64_C(0x99D600BB75C8B9EE), -- UINT64_C(0x9FC1AF8B88FCA6CD), UINT64_C(0x2FB533867C311F80), -- UINT64_C(0x20743ECBE8A71EEE), UINT64_C(0xEC3713C4E848B49E) }, -- { UINT64_C(0x5B2037B5BB886817), 
UINT64_C(0x40EF5AC2307DBAF4), -- UINT64_C(0xC2888AF21B3F643D), UINT64_C(0x0D8252E19D5A4190), -- UINT64_C(0x06CC0BEC2DB52A8A), UINT64_C(0xB84B98EAAB94E969) } }, -- { { UINT64_C(0x2E7AC078A0321E0E), UINT64_C(0x5C5A1168EF3DAAB6), -- UINT64_C(0xD2D573CBADDD454A), UINT64_C(0x27E149E236259CC7), -- UINT64_C(0x1EDFD469A63F47F1), UINT64_C(0x039AD674F1BD2CFD) }, -- { UINT64_C(0xBFA633FC3077D3CC), UINT64_C(0x14A7C82F2FD64E9F), -- UINT64_C(0xAAA650149D824999), UINT64_C(0x41AB113B21760F2E), -- UINT64_C(0x23E646C51CAE260A), UINT64_C(0x08062C8F68DC5159) } }, -- }, -- { -- { { UINT64_C(0x2E7D0A16204BE028), UINT64_C(0x4F1D082ED0E41851), -- UINT64_C(0x15F1DDC63EB317F9), UINT64_C(0xF02750715ADF71D7), -- UINT64_C(0x2CE33C2EEE858BC3), UINT64_C(0xA24C76D1DA73B71A) }, -- { UINT64_C(0x9EF6A70A6C70C483), UINT64_C(0xEFCF170505CF9612), -- UINT64_C(0x9F5BF5A67502DE64), UINT64_C(0xD11122A1A4701973), -- UINT64_C(0x82CFAAC2A2EA7B24), UINT64_C(0x6CAD67CC0A4582E1) } }, -- { { UINT64_C(0x597A26FFB4DC8600), UINT64_C(0x264A09F3F9288555), -- UINT64_C(0x0B06AFF65C27F5F6), UINT64_C(0xCE5AB665D8D544E6), -- UINT64_C(0x92F031BE99275C32), UINT64_C(0xAF51C5BBF42E0E7C) }, -- { UINT64_C(0x5BB28B061E37B36D), UINT64_C(0x583FBA6A8473543A), -- UINT64_C(0xE73FD299F93FB7DC), UINT64_C(0xFCD999A86E2CCAD9), -- UINT64_C(0xB8C8A6DF334D4F57), UINT64_C(0x5ADB28DD9A2ACC9B) } }, -- { { UINT64_C(0x5ADF3D9A111792B9), UINT64_C(0x1C77A3054F1E0D09), -- UINT64_C(0xF9FBCE33A82D3736), UINT64_C(0xF307823E718C8AA3), -- UINT64_C(0x860578CF416CCF69), UINT64_C(0xB942ADD81EF8465B) }, -- { UINT64_C(0x9EE0CF97CD9472E1), UINT64_C(0xE6792EEFB01528A8), -- UINT64_C(0xF99B9A8DC09DA90B), UINT64_C(0x1F521C2DCBF3CCB8), -- UINT64_C(0x6BF6694891A62632), UINT64_C(0xCC7A9CEB854FE9DA) } }, -- { { UINT64_C(0x46303171491CCB92), UINT64_C(0xA80A8C0D2771235B), -- UINT64_C(0xD8E497FFF172C7CF), UINT64_C(0x7F7009D735B193CF), -- UINT64_C(0x6B9FD3F7F19DF4BC), UINT64_C(0xADA548C3B46F1E37) }, -- { UINT64_C(0x87C6EAA9C7A20270), UINT64_C(0xEF2245D6AE78EF99), -- 
UINT64_C(0x2A121042539EAB95), UINT64_C(0x29A6D5D779B8F5CC), -- UINT64_C(0x33803A10B77840DC), UINT64_C(0xFEDD3A7011A6A30F) } }, -- { { UINT64_C(0xFA070E22142403D1), UINT64_C(0x68FF316015C6F7F5), -- UINT64_C(0xE09F04E6223A0CE8), UINT64_C(0x22BBD01853E14183), -- UINT64_C(0x35D9FAFCCF45B75B), UINT64_C(0x3A34819D7ECEEC88) }, -- { UINT64_C(0xD9CF7568D33262D2), UINT64_C(0x431036D5841D1505), -- UINT64_C(0x0C8005659EB2A79A), UINT64_C(0x8E77D9F05F7EDC6A), -- UINT64_C(0x19E12D0565E800AA), UINT64_C(0x335C8D36B7784E7C) } }, -- { { UINT64_C(0x8B2FC4E96484FD40), UINT64_C(0xEE702764A35D24EA), -- UINT64_C(0x15B28AC7B871C3F3), UINT64_C(0x805B4048E097047F), -- UINT64_C(0xD6F1B8DF647CAD2F), UINT64_C(0xF1D5B458DC7DD67F) }, -- { UINT64_C(0x324C529C25148803), UINT64_C(0xF6185EBE21274FAF), -- UINT64_C(0xAF14751E95148B55), UINT64_C(0x283ED89D28F284F4), -- UINT64_C(0x93AD20E74CBEBF1A), UINT64_C(0x5F6EC65D882935E1) } }, -- { { UINT64_C(0xE222EBA4A4DCEFE9), UINT64_C(0x63AD235FEC1CEB74), -- UINT64_C(0x2E0BF749E05B18E7), UINT64_C(0x547BD050B48BDD87), -- UINT64_C(0x0490C970F5AA2FC4), UINT64_C(0xCED5E4CF2B431390) }, -- { UINT64_C(0x07D8270451D2898E), UINT64_C(0x44B72442083B57D4), -- UINT64_C(0xA4ADA2305037FCE8), UINT64_C(0x55F7905E50510DA6), -- UINT64_C(0xD8EE724F8D890A98), UINT64_C(0x925A8E7C11B85640) } }, -- { { UINT64_C(0x5BFA10CD1CA459ED), UINT64_C(0x593F085A6DCF56BF), -- UINT64_C(0xE6F0AD9BC0579C3E), UINT64_C(0xC11C95A22527C1AD), -- UINT64_C(0x7CFA71E1CF1CB8B3), UINT64_C(0xEDCFF8331D6DC79D) }, -- { UINT64_C(0x581C4BBE432521C9), UINT64_C(0xBF620096144E11A0), -- UINT64_C(0x54C38B71BE3A107B), UINT64_C(0xED555E37E2606EC0), -- UINT64_C(0x3FB148B8D721D034), UINT64_C(0x79D53DAD0091BC90) } }, -- { { UINT64_C(0xE32068C5B7082C80), UINT64_C(0x4140FFD27A144E22), -- UINT64_C(0x5811D2F09EDD9E86), UINT64_C(0xCDD79B5FC572C465), -- UINT64_C(0x3563FED1C97BF450), UINT64_C(0x985C1444F2CE5C9C) }, -- { UINT64_C(0x260AE79799950F1C), UINT64_C(0x659F4F40765E9DED), -- UINT64_C(0x2A412D662E3BC286), 
UINT64_C(0xE865E62CF87E0C82), -- UINT64_C(0xD63D3A9A6C05E7D7), UINT64_C(0x96725D678686F89A) } }, -- { { UINT64_C(0xC99A5E4CAB7EA0F5), UINT64_C(0xC9860A1AC5393FA9), -- UINT64_C(0x9ED83CEE8FDEEFC0), UINT64_C(0xE3EA8B4C5ED6869A), -- UINT64_C(0x89A85463D2EED3A9), UINT64_C(0x2CD91B6DE421A622) }, -- { UINT64_C(0x6FEC1EF32C91C41D), UINT64_C(0xB1540D1F8171037D), -- UINT64_C(0x4FE4991A1C010E5B), UINT64_C(0x28A3469FFC1C7368), -- UINT64_C(0xE1EEECD1AF118781), UINT64_C(0x1BCCB97799EF3531) } }, -- { { UINT64_C(0x63D3B638C4DAB7B8), UINT64_C(0xD92133B63F7F5BAB), -- UINT64_C(0x2573EE2009FB6069), UINT64_C(0x771FABDF890A1686), -- UINT64_C(0x1D0BA21FA77AFFF5), UINT64_C(0x83145FCCBA3DD2C0) }, -- { UINT64_C(0xFA073A812D115C20), UINT64_C(0x6AB7A9D319176F27), -- UINT64_C(0xAF62CF939AC639EE), UINT64_C(0xF73848B92CCD1319), -- UINT64_C(0x3B6132343C71659D), UINT64_C(0xF8E0011C10AB3826) } }, -- { { UINT64_C(0x0501F0360282FFA5), UINT64_C(0xC39A5CF4D9E0F15A), -- UINT64_C(0x48D8C7299A3D1F3C), UINT64_C(0xB5FC136B64E18EDA), -- UINT64_C(0xE81B53D97E58FEF0), UINT64_C(0x0D534055F7B0F28D) }, -- { UINT64_C(0x47B8DE127A80619B), UINT64_C(0x60E2A2B381F9E55D), -- UINT64_C(0x6E9624D7CF564CC5), UINT64_C(0xFDF18A216BDEDFFF), -- UINT64_C(0x3787DE38C0D5FC82), UINT64_C(0xCBCAA347497A6B11) } }, -- { { UINT64_C(0x6E7EF35EB226465A), UINT64_C(0x4B4699195F8A2BAF), -- UINT64_C(0x44B3A3CF1120D93F), UINT64_C(0xB052C8B668F34AD1), -- UINT64_C(0x27EC574BEF7632DD), UINT64_C(0xAEBEA108685DE26F) }, -- { UINT64_C(0xDA33236BE39424B6), UINT64_C(0xB1BD94A9EBCC22AD), -- UINT64_C(0x6DDEE6CC2CDFB5D5), UINT64_C(0xBDAED9276F14069A), -- UINT64_C(0x2ADE427C2A247CB7), UINT64_C(0xCE96B436ED156A40) } }, -- { { UINT64_C(0xDDDCA36081F3F819), UINT64_C(0x4AF4A49FD419B96A), -- UINT64_C(0x746C65257CB966B9), UINT64_C(0x01E390886F610023), -- UINT64_C(0x05ECB38D98DD33FC), UINT64_C(0x962B971B8F84EDF4) }, -- { UINT64_C(0xEB32C0A56A6F2602), UINT64_C(0xF026AF71562D60F2), -- UINT64_C(0xA9E246BF84615FAB), UINT64_C(0xAD96709275DBAE01), -- 
UINT64_C(0xBF97C79B3ECE5D07), UINT64_C(0xE06266C774EAA3D3) } }, -- { { UINT64_C(0x161A01572E6DBB6E), UINT64_C(0xB8AF490460FA8F47), -- UINT64_C(0xE4336C4400197F22), UINT64_C(0xF811AFFA9CEDCE0E), -- UINT64_C(0xB1DD7685F94C2EF1), UINT64_C(0xEEDC0F4BCA957BB0) }, -- { UINT64_C(0xD319FD574AA76BB1), UINT64_C(0xB3525D7C16CD7CCB), -- UINT64_C(0x7B22DA9CA97DD072), UINT64_C(0x99DB84BD38A83E71), -- UINT64_C(0x4939BC8DC0EDD8BE), UINT64_C(0x06D524EA903A932C) } }, -- { { UINT64_C(0x4BC950EC0E31F639), UINT64_C(0xB7ABD3DC6016BE30), -- UINT64_C(0x3B0F44736703DAD0), UINT64_C(0xCC405F8B0AC1C4EA), -- UINT64_C(0x9BED5E57176C3FEE), UINT64_C(0xF452481036AE36C2) }, -- { UINT64_C(0xC1EDBB8315D7B503), UINT64_C(0x943B1156E30F3657), -- UINT64_C(0x984E9EEF98377805), UINT64_C(0x291AE7AC36CF1DEB), -- UINT64_C(0xFED8748CA9F66DF3), UINT64_C(0xECA758BBFEA8FA5D) } }, -- }, -- { -- { { UINT64_C(0xACC787EF2DD1B249), UINT64_C(0x736E1030D82976F1), -- UINT64_C(0x0A6940FAA01B3649), UINT64_C(0xE00B926BC42341E7), -- UINT64_C(0x911508D0DE8FFD6C), UINT64_C(0x4DCF8D465276B0CB) }, -- { UINT64_C(0x23AD0A90CC3CAD8D), UINT64_C(0x2A92E54CADED962A), -- UINT64_C(0x93FBEC4DF231BFAF), UINT64_C(0x9544BC774798987A), -- UINT64_C(0x48084E2508E29F60), UINT64_C(0x0C0D2F4332DE5869) } }, -- { { UINT64_C(0x6778F9703A9ABC13), UINT64_C(0xFD014FAC3D2B166B), -- UINT64_C(0x1FE4FC783C6FED60), UINT64_C(0x04295FA8AA7C69C5), -- UINT64_C(0xA01DE56D7C123175), UINT64_C(0x0FA0D3A83D9A713A) }, -- { UINT64_C(0xA7A6E5E3E3E08ADD), UINT64_C(0xBD77E94B1AC58F85), -- UINT64_C(0x078F6FD2B7321A9C), UINT64_C(0x9564601E911EF6D9), -- UINT64_C(0x31C5C1B2415C6BEF), UINT64_C(0xE6C0C91ED3212C62) } }, -- { { UINT64_C(0xBA7BD23C0D16022F), UINT64_C(0xE9CF4750198BE288), -- UINT64_C(0x304E316947DEEC65), UINT64_C(0xCF65B41F96EEB288), -- UINT64_C(0x17E99C17927E9E3B), UINT64_C(0x82225546F6630A80) }, -- { UINT64_C(0x15122B8ACA067BD9), UINT64_C(0xE2673205B77B4E98), -- UINT64_C(0x130375659407CA63), UINT64_C(0x53624F548B621602), -- UINT64_C(0x96AF2CB1EAE4BD06), 
UINT64_C(0x576ECD1C8FA20829) } }, -- { { UINT64_C(0xA551CE107E02D2D0), UINT64_C(0x1584ED249D13DBC7), -- UINT64_C(0x082017AD4DA7B6D8), UINT64_C(0x81918A8FE054BC48), -- UINT64_C(0x677DB48E572DC384), UINT64_C(0x2EF822966155484C) }, -- { UINT64_C(0xC3DB14C641B9C231), UINT64_C(0x910A87D14A766192), -- UINT64_C(0x93D5CC8610AB8E0F), UINT64_C(0x4194D548AE57CA1B), -- UINT64_C(0xFAF3A1D6267FC37A), UINT64_C(0x70EC236413B87C97) } }, -- { { UINT64_C(0x064B565B5E12756A), UINT64_C(0x953B7BD1AE49C98E), -- UINT64_C(0xE0CE8284F7001D91), UINT64_C(0x1546060BF31108D0), -- UINT64_C(0xDBC2C3F46779B6E2), UINT64_C(0x157AA47DE0DD07CF) }, -- { UINT64_C(0xBF4A1C6FF23B261E), UINT64_C(0x5B8EED30654F4BE5), -- UINT64_C(0xDF5896D36B20CCD8), UINT64_C(0x56920E2C559ED23D), -- UINT64_C(0x901F342EFA6E3E27), UINT64_C(0x745C747C896CA082) } }, -- { { UINT64_C(0xDBCCD5752944EC84), UINT64_C(0x54A2A935A5FF65FE), -- UINT64_C(0x88C92A5E1A1319B6), UINT64_C(0x9537C28F82DA96C1), -- UINT64_C(0xB683647435F93C46), UINT64_C(0xEC526A1D65B0846C) }, -- { UINT64_C(0x6F12AFBDF382C412), UINT64_C(0x5EBC81D89E99FA06), -- UINT64_C(0x97B5D672869B93BD), UINT64_C(0x2983C310377E12AA), -- UINT64_C(0x4875968124D681EA), UINT64_C(0x1E0BD106287FD767) } }, -- { { UINT64_C(0x0AC75A3E7231247F), UINT64_C(0x65C20DE6EF27AD3A), -- UINT64_C(0x87EB6CF1BD02EEE5), UINT64_C(0x264ACA7A00147E03), -- UINT64_C(0xEBC78581AE2A9437), UINT64_C(0x9929964E6316BFA5) }, -- { UINT64_C(0xDC09E0409AF207EF), UINT64_C(0x3ECFFE2D0C9D8658), -- UINT64_C(0x547EA735DFB43D38), UINT64_C(0x5485247BD04B1B20), -- UINT64_C(0xB18D3F02BFD8B609), UINT64_C(0xEEB3E805CCE73705) } }, -- { { UINT64_C(0xDAB1A525DB93850F), UINT64_C(0x18ADAA238365B7D5), -- UINT64_C(0x58485C90113FC8C7), UINT64_C(0x80C3DBB9348AD323), -- UINT64_C(0xAF892FB5E16ADCA1), UINT64_C(0x2183C879979F005A) }, -- { UINT64_C(0x20FA1A940643A99E), UINT64_C(0x2741221C1A1609CB), -- UINT64_C(0x1C1687E53C2FBDDC), UINT64_C(0xDCCF329ED420D6CF), -- UINT64_C(0x75D5577D2B7197D1), UINT64_C(0x4C3C3875C8729D9C) } }, -- { { 
UINT64_C(0x5E79F995E5CBDCB9), UINT64_C(0x03139824A742FCC7), -- UINT64_C(0x6D0C214A239EF4A1), UINT64_C(0x53A27952401A2944), -- UINT64_C(0xF42A1B34C10BCDF0), UINT64_C(0x426BAA437CF38061) }, -- { UINT64_C(0x16A53139A96AD0C8), UINT64_C(0x627F1D316BAD5301), -- UINT64_C(0x5AF748774ACCD627), UINT64_C(0x3C58A1C5B55B0FB8), -- UINT64_C(0xFAA57B91F4399A6A), UINT64_C(0xBAD283FBC28094B8) } }, -- { { UINT64_C(0xBA32AC6183E10A93), UINT64_C(0x1C91F6B4EC06BDB0), -- UINT64_C(0x42E6CFBC65F60C93), UINT64_C(0xEFE33BC82C0CDCBE), -- UINT64_C(0xE0FE1D094D6414F2), UINT64_C(0x4C11231676FA5C5B) }, -- { UINT64_C(0x812C1DC62E26200A), UINT64_C(0xD6C413C5EE879D25), -- UINT64_C(0xBEADE255BCA8BAFE), UINT64_C(0x0EAF4AE2CE2BA0E7), -- UINT64_C(0x66E9FFB0C4F4408A), UINT64_C(0xB36A86D79782C7AD) } }, -- { { UINT64_C(0x10FCD1F4BAD8D1C7), UINT64_C(0xC903816A4502F645), -- UINT64_C(0x7FAC1CC1A503B895), UINT64_C(0x8BCD60410778900C), -- UINT64_C(0x5A5F22025BCF2784), UINT64_C(0x9B157E8710EDB896) }, -- { UINT64_C(0x4C58DA69F602A8B1), UINT64_C(0xD55132F859EC9D7E), -- UINT64_C(0x155B719AA26D4870), UINT64_C(0x25AAFCA336441746), -- UINT64_C(0x01F83338DD3B6B30), UINT64_C(0xD52BB5C1551917CC) } }, -- { { UINT64_C(0xA0B6207B6135066A), UINT64_C(0xB3409F842AEC8CBD), -- UINT64_C(0x5EBFD43619D87DF0), UINT64_C(0xCB4C209BE8526DE2), -- UINT64_C(0xD764085B21E1A230), UINT64_C(0x96F915540899964A) }, -- { UINT64_C(0xB0BEC8EFA57D122A), UINT64_C(0xC572EC565D9D0B33), -- UINT64_C(0xEBE2A780CFA7C72C), UINT64_C(0x52D40CDB9EF3295C), -- UINT64_C(0x640045840DE74DFE), UINT64_C(0xA6846432C0809716) } }, -- { { UINT64_C(0x0D09E8CD02C979BC), UINT64_C(0xEC4B21F6409F4F2A), -- UINT64_C(0x68125C7013FB07CA), UINT64_C(0x1C4CFC176FDFA72A), -- UINT64_C(0xC9E71B9E04539FCD), UINT64_C(0x94B7103D8BA70797) }, -- { UINT64_C(0x6B81E82FB33FDE83), UINT64_C(0x7CA9A8CAEABAFD4B), -- UINT64_C(0xADD85A67EAB819CE), UINT64_C(0xAEC2548398E99FFC), -- UINT64_C(0x938D6440274A07B6), UINT64_C(0x0A5C7097564A6AA0) } }, -- { { UINT64_C(0x7284FF502F4FCEB6), 
UINT64_C(0x0A28715A78D0D5CB), -- UINT64_C(0xE70B7014BFCE187C), UINT64_C(0xA6B538F57A17148D), -- UINT64_C(0x1DAB07C9DD427166), UINT64_C(0x5C5578B0149D23CA) }, -- { UINT64_C(0x875E2056875B5EDE), UINT64_C(0xCBF44B6D02C893B9), -- UINT64_C(0x5715A77E5C2993FB), UINT64_C(0xAF3281463410597E), -- UINT64_C(0x65DF418F42DC49DF), UINT64_C(0x7AC9C720A9EE52F6) } }, -- { { UINT64_C(0xB1C9AA0762955486), UINT64_C(0xCBF35BE3245061D7), -- UINT64_C(0x811E1BD38CF4DDC0), UINT64_C(0xD9D4589C948F7C84), -- UINT64_C(0x30D09A0FCB0F996D), UINT64_C(0x1A1B3B7A590E7704) }, -- { UINT64_C(0xA848E3492082768D), UINT64_C(0x9FEBD4929A249DF4), -- UINT64_C(0x503420AF5F20439A), UINT64_C(0x0CBE52B68E2BFCD4), -- UINT64_C(0xB1D5E261118C91B2), UINT64_C(0x93CFF6DA71D8F2BC) } }, -- { { UINT64_C(0x5F5BC06B8AB58944), UINT64_C(0xE4BED5384979882D), -- UINT64_C(0x57C30362D79B0EB1), UINT64_C(0x391AE2C1EF7C56D8), -- UINT64_C(0x28BC2E97ADD98625), UINT64_C(0xFA8E86B81B257107) }, -- { UINT64_C(0x5E4859F86118C715), UINT64_C(0x91C83324524C71DD), -- UINT64_C(0xFB2092436D2F5E6D), UINT64_C(0x6B4FE21F2A900A43), -- UINT64_C(0x241F75D632A73C1F), UINT64_C(0xF5BC46295AE89613) } }, -+ SECStatus res = SECSuccess; -+ if (!pt || !pt->data) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; - } --}; - --/*- -- * Finite field inversion. -- * Computed with Bernstein-Yang algorithm. -- * https://tches.iacr.org/index.php/TCHES/article/view/8298 -- * Based on https://github.com/mit-plv/fiat-crypto/tree/master/inversion/c -- * NB: this is not a real fiat-crypto function, just named that way for consistency. 
-- */ --static void --fiat_secp384r1_inv(fe_t output, const fe_t t1) --{ -- int i; -- fe_t v1, r1, v2; -- limb_t *r2 = output; -- limb_t f1[LIMB_CNT + 1], g1[LIMB_CNT + 1], f2[LIMB_CNT + 1], -- g2[LIMB_CNT + 1]; -- limb_t d2, d1 = 1; -- -- fe_copy(g1, t1); -- g1[LIMB_CNT] = 0; -- fe_copy(f1, const_psat); -- f1[LIMB_CNT] = 0; -- fe_copy(r1, const_one); -- fe_set_zero(v1); -- -- /* 1110 divstep iterations */ -- for (i = 0; i < 555; i++) { -- fiat_secp384r1_divstep(&d2, f2, g2, v2, r2, d1, f1, g1, v1, r1); -- fiat_secp384r1_divstep(&d1, f1, g1, v1, r1, d2, f2, g2, v2, r2); -+ if (pt->len != 97) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; - } - -- fiat_secp384r1_opp(output, v1); -- fiat_secp384r1_selectznz(output, f1[LIMB_CNT] >> (LIMB_BITS - 1), v1, -- output); -- fiat_secp384r1_mul(output, output, const_divstep); --} -- --/*- -- * Q := 2P, both projective, Q and P same pointers OK -- * Autogenerated: op3/dbl_proj.op3 -- * https://eprint.iacr.org/2015/1060 Alg 6 -- * ASSERT: a = -3 -- */ --static void --point_double(pt_prj_t *Q, const pt_prj_t *P) --{ -- /* temporary variables */ -- fe_t t0, t1, t2, t3, t4; -- /* constants */ -- const limb_t *b = const_b; -- /* set pointers for legacy curve arith */ -- const limb_t *X = P->X; -- const limb_t *Y = P->Y; -- const limb_t *Z = P->Z; -- limb_t *X3 = Q->X; -- limb_t *Y3 = Q->Y; -- limb_t *Z3 = Q->Z; -- -- /* the curve arith formula */ -- fiat_secp384r1_square(t0, X); -- fiat_secp384r1_square(t1, Y); -- fiat_secp384r1_square(t2, Z); -- fiat_secp384r1_mul(t3, X, Y); -- fiat_secp384r1_add(t3, t3, t3); -- fiat_secp384r1_mul(t4, Y, Z); -- fiat_secp384r1_mul(Z3, X, Z); -- fiat_secp384r1_add(Z3, Z3, Z3); -- fiat_secp384r1_mul(Y3, b, t2); -- fiat_secp384r1_sub(Y3, Y3, Z3); -- fiat_secp384r1_add(X3, Y3, Y3); -- fiat_secp384r1_add(Y3, X3, Y3); -- fiat_secp384r1_sub(X3, t1, Y3); -- fiat_secp384r1_add(Y3, t1, Y3); -- fiat_secp384r1_mul(Y3, X3, Y3); -- fiat_secp384r1_mul(X3, X3, t3); -- 
fiat_secp384r1_add(t3, t2, t2); -- fiat_secp384r1_add(t2, t2, t3); -- fiat_secp384r1_mul(Z3, b, Z3); -- fiat_secp384r1_sub(Z3, Z3, t2); -- fiat_secp384r1_sub(Z3, Z3, t0); -- fiat_secp384r1_add(t3, Z3, Z3); -- fiat_secp384r1_add(Z3, Z3, t3); -- fiat_secp384r1_add(t3, t0, t0); -- fiat_secp384r1_add(t0, t3, t0); -- fiat_secp384r1_sub(t0, t0, t2); -- fiat_secp384r1_mul(t0, t0, Z3); -- fiat_secp384r1_add(Y3, Y3, t0); -- fiat_secp384r1_add(t0, t4, t4); -- fiat_secp384r1_mul(Z3, t0, Z3); -- fiat_secp384r1_sub(X3, X3, Z3); -- fiat_secp384r1_mul(Z3, t0, t1); -- fiat_secp384r1_add(Z3, Z3, Z3); -- fiat_secp384r1_add(Z3, Z3, Z3); --} -- --/*- -- * R := Q + P where R and Q are projective, P affine. -- * R and Q same pointers OK -- * R and P same pointers not OK -- * Autogenerated: op3/add_mixed.op3 -- * https://eprint.iacr.org/2015/1060 Alg 5 -- * ASSERT: a = -3 -- */ --static void --point_add_mixed(pt_prj_t *R, const pt_prj_t *Q, const pt_aff_t *P) --{ -- /* temporary variables */ -- fe_t t0, t1, t2, t3, t4; -- /* constants */ -- const limb_t *b = const_b; -- /* set pointers for legacy curve arith */ -- const limb_t *X1 = Q->X; -- const limb_t *Y1 = Q->Y; -- const limb_t *Z1 = Q->Z; -- const limb_t *X2 = P->X; -- const limb_t *Y2 = P->Y; -- fe_t X3; -- fe_t Y3; -- fe_t Z3; -- limb_t nz; -- -- /* check P for affine inf */ -- fiat_secp384r1_nonzero(&nz, P->Y); -- -- /* the curve arith formula */ -- fiat_secp384r1_mul(t0, X1, X2); -- fiat_secp384r1_mul(t1, Y1, Y2); -- fiat_secp384r1_add(t3, X2, Y2); -- fiat_secp384r1_add(t4, X1, Y1); -- fiat_secp384r1_mul(t3, t3, t4); -- fiat_secp384r1_add(t4, t0, t1); -- fiat_secp384r1_sub(t3, t3, t4); -- fiat_secp384r1_mul(t4, Y2, Z1); -- fiat_secp384r1_add(t4, t4, Y1); -- fiat_secp384r1_mul(Y3, X2, Z1); -- fiat_secp384r1_add(Y3, Y3, X1); -- fiat_secp384r1_mul(Z3, b, Z1); -- fiat_secp384r1_sub(X3, Y3, Z3); -- fiat_secp384r1_add(Z3, X3, X3); -- fiat_secp384r1_add(X3, X3, Z3); -- fiat_secp384r1_sub(Z3, t1, X3); -- fiat_secp384r1_add(X3, t1, X3); 
-- fiat_secp384r1_mul(Y3, b, Y3); -- fiat_secp384r1_add(t1, Z1, Z1); -- fiat_secp384r1_add(t2, t1, Z1); -- fiat_secp384r1_sub(Y3, Y3, t2); -- fiat_secp384r1_sub(Y3, Y3, t0); -- fiat_secp384r1_add(t1, Y3, Y3); -- fiat_secp384r1_add(Y3, t1, Y3); -- fiat_secp384r1_add(t1, t0, t0); -- fiat_secp384r1_add(t0, t1, t0); -- fiat_secp384r1_sub(t0, t0, t2); -- fiat_secp384r1_mul(t1, t4, Y3); -- fiat_secp384r1_mul(t2, t0, Y3); -- fiat_secp384r1_mul(Y3, X3, Z3); -- fiat_secp384r1_add(Y3, Y3, t2); -- fiat_secp384r1_mul(X3, t3, X3); -- fiat_secp384r1_sub(X3, X3, t1); -- fiat_secp384r1_mul(Z3, t4, Z3); -- fiat_secp384r1_mul(t1, t3, t0); -- fiat_secp384r1_add(Z3, Z3, t1); -- -- /* if P is inf, throw all that away and take Q */ -- fiat_secp384r1_selectznz(R->X, nz, Q->X, X3); -- fiat_secp384r1_selectznz(R->Y, nz, Q->Y, Y3); -- fiat_secp384r1_selectznz(R->Z, nz, Q->Z, Z3); --} -- --/*- -- * R := Q + P all projective. -- * R and Q same pointers OK -- * R and P same pointers not OK -- * Autogenerated: op3/add_proj.op3 -- * https://eprint.iacr.org/2015/1060 Alg 4 -- * ASSERT: a = -3 -- */ --static void --point_add_proj(pt_prj_t *R, const pt_prj_t *Q, const pt_prj_t *P) --{ -- /* temporary variables */ -- fe_t t0, t1, t2, t3, t4, t5; -- /* constants */ -- const limb_t *b = const_b; -- /* set pointers for legacy curve arith */ -- const limb_t *X1 = Q->X; -- const limb_t *Y1 = Q->Y; -- const limb_t *Z1 = Q->Z; -- const limb_t *X2 = P->X; -- const limb_t *Y2 = P->Y; -- const limb_t *Z2 = P->Z; -- limb_t *X3 = R->X; -- limb_t *Y3 = R->Y; -- limb_t *Z3 = R->Z; -- -- /* the curve arith formula */ -- fiat_secp384r1_mul(t0, X1, X2); -- fiat_secp384r1_mul(t1, Y1, Y2); -- fiat_secp384r1_mul(t2, Z1, Z2); -- fiat_secp384r1_add(t3, X1, Y1); -- fiat_secp384r1_add(t4, X2, Y2); -- fiat_secp384r1_mul(t3, t3, t4); -- fiat_secp384r1_add(t4, t0, t1); -- fiat_secp384r1_sub(t3, t3, t4); -- fiat_secp384r1_add(t4, Y1, Z1); -- fiat_secp384r1_add(t5, Y2, Z2); -- fiat_secp384r1_mul(t4, t4, t5); -- 
fiat_secp384r1_add(t5, t1, t2); -- fiat_secp384r1_sub(t4, t4, t5); -- fiat_secp384r1_add(X3, X1, Z1); -- fiat_secp384r1_add(Y3, X2, Z2); -- fiat_secp384r1_mul(X3, X3, Y3); -- fiat_secp384r1_add(Y3, t0, t2); -- fiat_secp384r1_sub(Y3, X3, Y3); -- fiat_secp384r1_mul(Z3, b, t2); -- fiat_secp384r1_sub(X3, Y3, Z3); -- fiat_secp384r1_add(Z3, X3, X3); -- fiat_secp384r1_add(X3, X3, Z3); -- fiat_secp384r1_sub(Z3, t1, X3); -- fiat_secp384r1_add(X3, t1, X3); -- fiat_secp384r1_mul(Y3, b, Y3); -- fiat_secp384r1_add(t1, t2, t2); -- fiat_secp384r1_add(t2, t1, t2); -- fiat_secp384r1_sub(Y3, Y3, t2); -- fiat_secp384r1_sub(Y3, Y3, t0); -- fiat_secp384r1_add(t1, Y3, Y3); -- fiat_secp384r1_add(Y3, t1, Y3); -- fiat_secp384r1_add(t1, t0, t0); -- fiat_secp384r1_add(t0, t1, t0); -- fiat_secp384r1_sub(t0, t0, t2); -- fiat_secp384r1_mul(t1, t4, Y3); -- fiat_secp384r1_mul(t2, t0, Y3); -- fiat_secp384r1_mul(Y3, X3, Z3); -- fiat_secp384r1_add(Y3, Y3, t2); -- fiat_secp384r1_mul(X3, t3, X3); -- fiat_secp384r1_sub(X3, X3, t1); -- fiat_secp384r1_mul(Z3, t4, Z3); -- fiat_secp384r1_mul(t1, t3, t0); -- fiat_secp384r1_add(Z3, Z3, t1); --} -- --/* constants */ --#define RADIX 5 --#define DRADIX (1 << RADIX) --#define DRADIX_WNAF ((DRADIX) << 1) -- --/*- -- * precomp for wnaf scalar multiplication: -- * precomp[0] = 1P -- * precomp[1] = 3P -- * precomp[2] = 5P -- * precomp[3] = 7P -- * precomp[4] = 9P -- * ... 
-- */ --static void --precomp_wnaf(pt_prj_t precomp[DRADIX / 2], const pt_aff_t *P) --{ -- int i; -- -- fe_copy(precomp[0].X, P->X); -- fe_copy(precomp[0].Y, P->Y); -- fe_copy(precomp[0].Z, const_one); -- point_double(&precomp[DRADIX / 2 - 1], &precomp[0]); -- -- for (i = 1; i < DRADIX / 2; i++) -- point_add_proj(&precomp[i], &precomp[DRADIX / 2 - 1], &precomp[i - 1]); --} -- --/* fetch a scalar bit */ --static int --scalar_get_bit(const unsigned char in[48], int idx) --{ -- int widx, rshift; -- -- widx = idx >> 3; -- rshift = idx & 0x7; -- -- if (idx < 0 || widx >= 48) -- return 0; -- -- return (in[widx] >> rshift) & 0x1; --} -- --/*- -- * Compute "regular" wnaf representation of a scalar. -- * See "Exponent Recoding and Regular Exponentiation Algorithms", -- * Tunstall et al., AfricaCrypt 2009, Alg 6. -- * It forces an odd scalar and outputs digits in -- * {\pm 1, \pm 3, \pm 5, \pm 7, \pm 9, ...} -- * i.e. signed odd digits with _no zeroes_ -- that makes it "regular". -- */ --static void --scalar_rwnaf(int8_t out[77], const unsigned char in[48]) --{ -- int i; -- int8_t window, d; -- -- window = (in[0] & (DRADIX_WNAF - 1)) | 1; -- for (i = 0; i < 76; i++) { -- d = (window & (DRADIX_WNAF - 1)) - DRADIX; -- out[i] = d; -- window = (window - d) >> RADIX; -- window += scalar_get_bit(in, (i + 1) * RADIX + 1) << 1; -- window += scalar_get_bit(in, (i + 1) * RADIX + 2) << 2; -- window += scalar_get_bit(in, (i + 1) * RADIX + 3) << 3; -- window += scalar_get_bit(in, (i + 1) * RADIX + 4) << 4; -- window += scalar_get_bit(in, (i + 1) * RADIX + 5) << 5; -+ if (pt->data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); -+ res = SECFailure; -+ return res; - } -- out[i] = window; --} - --/*- -- * Compute "textbook" wnaf representation of a scalar. 
-- * NB: not constant time -- */ --static void --scalar_wnaf(int8_t out[385], const unsigned char in[48]) --{ -- int i; -- int8_t window, d; -+ bool b = Hacl_P384_validate_public_key(pt->data + 1); - -- window = in[0] & (DRADIX_WNAF - 1); -- for (i = 0; i < 385; i++) { -- d = 0; -- if ((window & 1) && ((d = window & (DRADIX_WNAF - 1)) & DRADIX)) -- d -= DRADIX_WNAF; -- out[i] = d; -- window = (window - d) >> 1; -- window += scalar_get_bit(in, i + 1 + RADIX) << RADIX; -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; - } -+ return res; - } - --/*- -- * Simultaneous scalar multiplication: interleaved "textbook" wnaf. -- * NB: not constant time -+/* -+ * Scalar multiplication for P-384. -+ * If P == NULL, the base point is used. -+ * Returns X = k*P - */ --static void --var_smul_wnaf_two(pt_aff_t *out, const unsigned char a[48], -- const unsigned char b[48], const pt_aff_t *P) --{ -- int i, d, is_neg, is_inf = 1, flipped = 0; -- int8_t anaf[385] = { 0 }; -- int8_t bnaf[385] = { 0 }; -- pt_prj_t Q = { { 0 }, { 0 }, { 0 } }; -- pt_prj_t precomp[DRADIX / 2]; -- -- precomp_wnaf(precomp, P); -- scalar_wnaf(anaf, a); -- scalar_wnaf(bnaf, b); -- -- for (i = 384; i >= 0; i--) { -- if (!is_inf) -- point_double(&Q, &Q); -- if ((d = bnaf[i])) { -- if ((is_neg = d < 0) != flipped) { -- fiat_secp384r1_opp(Q.Y, Q.Y); -- flipped ^= 1; -- } -- d = (is_neg) ? (-d - 1) >> 1 : (d - 1) >> 1; -- if (is_inf) { -- /* initialize accumulator */ -- fe_copy(Q.X, &precomp[d].X); -- fe_copy(Q.Y, &precomp[d].Y); -- fe_copy(Q.Z, &precomp[d].Z); -- is_inf = 0; -- } else -- point_add_proj(&Q, &Q, &precomp[d]); -- } -- if ((d = anaf[i])) { -- if ((is_neg = d < 0) != flipped) { -- fiat_secp384r1_opp(Q.Y, Q.Y); -- flipped ^= 1; -- } -- d = (is_neg) ? 
(-d - 1) >> 1 : (d - 1) >> 1; -- if (is_inf) { -- /* initialize accumulator */ -- fe_copy(Q.X, &lut_cmb[0][d].X); -- fe_copy(Q.Y, &lut_cmb[0][d].Y); -- fe_copy(Q.Z, const_one); -- is_inf = 0; -- } else -- point_add_mixed(&Q, &Q, &lut_cmb[0][d]); -- } -- } -- -- if (is_inf) { -- /* initialize accumulator to inf: all-zero scalars */ -- fe_set_zero(Q.X); -- fe_copy(Q.Y, const_one); -- fe_set_zero(Q.Z); -- } -- -- if (flipped) { -- /* correct sign */ -- fiat_secp384r1_opp(Q.Y, Q.Y); -- } -- -- /* convert to affine -- NB depends on coordinate system */ -- fiat_secp384r1_inv(Q.Z, Q.Z); -- fiat_secp384r1_mul(out->X, Q.X, Q.Z); -- fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); --} - --/*- -- * Variable point scalar multiplication with "regular" wnaf. -- * Here "regular" means _no zeroes_, so the sequence of -- * EC arithmetic ops is fixed. -- */ --static void --var_smul_rwnaf(pt_aff_t *out, const unsigned char scalar[48], -- const pt_aff_t *P) -+SECStatus -+ec_secp384r1_pt_mul(SECItem *X, SECItem *k, SECItem *P) - { -- int i, j, d, diff, is_neg; -- int8_t rnaf[77] = { 0 }; -- pt_prj_t Q = { { 0 }, { 0 }, { 0 } }, lut = { { 0 }, { 0 }, { 0 } }; -- pt_prj_t precomp[DRADIX / 2]; -- -- precomp_wnaf(precomp, P); -- scalar_rwnaf(rnaf, scalar); -- --#if defined(_MSC_VER) -- /* result still unsigned: yes we know */ --#pragma warning(push) --#pragma warning(disable : 4146) --#endif -+ SECStatus res = SECSuccess; -+ if (!P) { -+ uint8_t derived[96] = { 0 }; - -- /* initialize accumulator to high digit */ -- d = (rnaf[76] - 1) >> 1; -- for (j = 0; j < DRADIX / 2; j++) { -- diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; -- fiat_secp384r1_selectznz(Q.X, diff, Q.X, precomp[j].X); -- fiat_secp384r1_selectznz(Q.Y, diff, Q.Y, precomp[j].Y); -- fiat_secp384r1_selectznz(Q.Z, diff, Q.Z, precomp[j].Z); -- } -- -- for (i = 75; i >= 0; i--) { -- for (j = 0; j < RADIX; j++) -- point_double(&Q, &Q); -- d = rnaf[i]; -- /* is_neg = (d < 0) ? 
1 : 0 */ -- is_neg = (d >> (8 * sizeof(int) - 1)) & 1; -- /* d = abs(d) */ -- d = (d ^ -is_neg) + is_neg; -- d = (d - 1) >> 1; -- for (j = 0; j < DRADIX / 2; j++) { -- diff = (1 - (-(d ^ j) >> (8 * sizeof(int) - 1))) & 1; -- fiat_secp384r1_selectznz(lut.X, diff, lut.X, precomp[j].X); -- fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, precomp[j].Y); -- fiat_secp384r1_selectznz(lut.Z, diff, lut.Z, precomp[j].Z); -+ if (!X || !k || !X->data || !k->data || -+ X->len < 97 || k->len != 48) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; - } -- /* negate lut point if digit is negative */ -- fiat_secp384r1_opp(out->Y, lut.Y); -- fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); -- point_add_proj(&Q, &Q, &lut); -- } - --#if defined(_MSC_VER) --#pragma warning(pop) --#endif -- -- /* conditionally subtract P if the scalar was even */ -- fe_copy(lut.X, precomp[0].X); -- fiat_secp384r1_opp(lut.Y, precomp[0].Y); -- fe_copy(lut.Z, precomp[0].Z); -- point_add_proj(&lut, &lut, &Q); -- fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, lut.X, Q.X); -- fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, lut.Y, Q.Y); -- fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, lut.Z, Q.Z); -- -- /* convert to affine -- NB depends on coordinate system */ -- fiat_secp384r1_inv(Q.Z, Q.Z); -- fiat_secp384r1_mul(out->X, Q.X, Q.Z); -- fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); --} -- --/*- -- * Fixed scalar multiplication: comb with interleaving. 
-- */ --static void --fixed_smul_cmb(pt_aff_t *out, const unsigned char scalar[48]) --{ -- int i, j, k, d, diff, is_neg = 0; -- int8_t rnaf[77] = { 0 }; -- pt_prj_t Q = { { 0 }, { 0 }, { 0 } }, R = { { 0 }, { 0 }, { 0 } }; -- pt_aff_t lut = { { 0 }, { 0 } }; -+ bool b = Hacl_P384_dh_initiator(derived, k->data); - -- scalar_rwnaf(rnaf, scalar); -- -- /* initalize accumulator to inf */ -- fe_set_zero(Q.X); -- fe_copy(Q.Y, const_one); -- fe_set_zero(Q.Z); -- --#if defined(_MSC_VER) -- /* result still unsigned: yes we know */ --#pragma warning(push) --#pragma warning(disable : 4146) --#endif -- -- for (i = 3; i >= 0; i--) { -- for (j = 0; i != 3 && j < RADIX; j++) -- point_double(&Q, &Q); -- for (j = 0; j < 21; j++) { -- if (j * 4 + i > 76) -- continue; -- d = rnaf[j * 4 + i]; -- /* is_neg = (d < 0) ? 1 : 0 */ -- is_neg = (d >> (8 * sizeof(int) - 1)) & 1; -- /* d = abs(d) */ -- d = (d ^ -is_neg) + is_neg; -- d = (d - 1) >> 1; -- for (k = 0; k < DRADIX / 2; k++) { -- diff = (1 - (-(d ^ k) >> (8 * sizeof(int) - 1))) & 1; -- fiat_secp384r1_selectznz(lut.X, diff, lut.X, lut_cmb[j][k].X); -- fiat_secp384r1_selectznz(lut.Y, diff, lut.Y, lut_cmb[j][k].Y); -- } -- /* negate lut point if digit is negative */ -- fiat_secp384r1_opp(out->Y, lut.Y); -- fiat_secp384r1_selectznz(lut.Y, is_neg, lut.Y, out->Y); -- point_add_mixed(&Q, &Q, &lut); -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; - } -- } -- --#if defined(_MSC_VER) --#pragma warning(pop) --#endif -- -- /* conditionally subtract P if the scalar was even */ -- fe_copy(lut.X, lut_cmb[0][0].X); -- fiat_secp384r1_opp(lut.Y, lut_cmb[0][0].Y); -- point_add_mixed(&R, &Q, &lut); -- fiat_secp384r1_selectznz(Q.X, scalar[0] & 1, R.X, Q.X); -- fiat_secp384r1_selectznz(Q.Y, scalar[0] & 1, R.Y, Q.Y); -- fiat_secp384r1_selectznz(Q.Z, scalar[0] & 1, R.Z, Q.Z); -- -- /* convert to affine -- NB depends on coordinate system */ -- fiat_secp384r1_inv(Q.Z, Q.Z); -- fiat_secp384r1_mul(out->X, Q.X, Q.Z); -- 
fiat_secp384r1_mul(out->Y, Q.Y, Q.Z); --} -- --/*- -- * Wrapper: simultaneous scalar mutiplication. -- * outx, outy := a * G + b * P -- * where P = (inx, iny). -- * Everything is LE byte ordering. -- */ --static void --point_mul_two_secp384r1(unsigned char outx[48], unsigned char outy[48], -- const unsigned char a[48], -- const unsigned char b[48], -- const unsigned char inx[48], -- const unsigned char iny[48]) --{ -- pt_aff_t P; -- -- fiat_secp384r1_from_bytes(P.X, inx); -- fiat_secp384r1_from_bytes(P.Y, iny); -- fiat_secp384r1_to_montgomery(P.X, P.X); -- fiat_secp384r1_to_montgomery(P.Y, P.Y); -- /* simultaneous scalar multiplication */ -- var_smul_wnaf_two(&P, a, b, &P); - -- fiat_secp384r1_from_montgomery(P.X, P.X); -- fiat_secp384r1_from_montgomery(P.Y, P.Y); -- fiat_secp384r1_to_bytes(outx, P.X); -- fiat_secp384r1_to_bytes(outy, P.Y); --} -- --/*- -- * Wrapper: fixed scalar mutiplication. -- * outx, outy := scalar * G -- * Everything is LE byte ordering. -- */ --static void --point_mul_g_secp384r1(unsigned char outx[48], unsigned char outy[48], -- const unsigned char scalar[48]) --{ -- pt_aff_t P; -- -- /* fixed scmul function */ -- fixed_smul_cmb(&P, scalar); -- fiat_secp384r1_from_montgomery(P.X, P.X); -- fiat_secp384r1_from_montgomery(P.Y, P.Y); -- fiat_secp384r1_to_bytes(outx, P.X); -- fiat_secp384r1_to_bytes(outy, P.Y); --} -- --/*- -- * Wrapper: variable point scalar mutiplication. -- * outx, outy := scalar * P -- * where P = (inx, iny). -- * Everything is LE byte ordering. 
-- */ --static void --point_mul_secp384r1(unsigned char outx[48], unsigned char outy[48], -- const unsigned char scalar[48], -- const unsigned char inx[48], -- const unsigned char iny[48]) --{ -- pt_aff_t P; -- -- fiat_secp384r1_from_bytes(P.X, inx); -- fiat_secp384r1_from_bytes(P.Y, iny); -- fiat_secp384r1_to_montgomery(P.X, P.X); -- fiat_secp384r1_to_montgomery(P.Y, P.Y); -- /* var scmul function */ -- var_smul_rwnaf(&P, scalar, &P); -- fiat_secp384r1_from_montgomery(P.X, P.X); -- fiat_secp384r1_from_montgomery(P.Y, P.Y); -- fiat_secp384r1_to_bytes(outx, P.X); -- fiat_secp384r1_to_bytes(outy, P.Y); --} -+ X->len = 97; -+ X->data[0] = EC_POINT_FORM_UNCOMPRESSED; -+ memcpy(X->data + 1, derived, 96); - --#undef RADIX --#include "ecp.h" --#include "mpi-priv.h" --#include "mplogic.h" -+ } else { -+ uint8_t full_key[48] = { 0 }; -+ uint8_t *key; -+ uint8_t derived[96] = { 0 }; - --/*- -- * reverse bytes -- total hack -- */ --#define MP_BE2LE(a) \ -- do { \ -- unsigned char z_bswap; \ -- z_bswap = a[0]; \ -- a[0] = a[47]; \ -- a[47] = z_bswap; \ -- z_bswap = a[1]; \ -- a[1] = a[46]; \ -- a[46] = z_bswap; \ -- z_bswap = a[2]; \ -- a[2] = a[45]; \ -- a[45] = z_bswap; \ -- z_bswap = a[3]; \ -- a[3] = a[44]; \ -- a[44] = z_bswap; \ -- z_bswap = a[4]; \ -- a[4] = a[43]; \ -- a[43] = z_bswap; \ -- z_bswap = a[5]; \ -- a[5] = a[42]; \ -- a[42] = z_bswap; \ -- z_bswap = a[6]; \ -- a[6] = a[41]; \ -- a[41] = z_bswap; \ -- z_bswap = a[7]; \ -- a[7] = a[40]; \ -- a[40] = z_bswap; \ -- z_bswap = a[8]; \ -- a[8] = a[39]; \ -- a[39] = z_bswap; \ -- z_bswap = a[9]; \ -- a[9] = a[38]; \ -- a[38] = z_bswap; \ -- z_bswap = a[10]; \ -- a[10] = a[37]; \ -- a[37] = z_bswap; \ -- z_bswap = a[11]; \ -- a[11] = a[36]; \ -- a[36] = z_bswap; \ -- z_bswap = a[12]; \ -- a[12] = a[35]; \ -- a[35] = z_bswap; \ -- z_bswap = a[13]; \ -- a[13] = a[34]; \ -- a[34] = z_bswap; \ -- z_bswap = a[14]; \ -- a[14] = a[33]; \ -- a[33] = z_bswap; \ -- z_bswap = a[15]; \ -- a[15] = a[32]; \ -- a[32] = z_bswap; \ 
-- z_bswap = a[16]; \ -- a[16] = a[31]; \ -- a[31] = z_bswap; \ -- z_bswap = a[17]; \ -- a[17] = a[30]; \ -- a[30] = z_bswap; \ -- z_bswap = a[18]; \ -- a[18] = a[29]; \ -- a[29] = z_bswap; \ -- z_bswap = a[19]; \ -- a[19] = a[28]; \ -- a[28] = z_bswap; \ -- z_bswap = a[20]; \ -- a[20] = a[27]; \ -- a[27] = z_bswap; \ -- z_bswap = a[21]; \ -- a[21] = a[26]; \ -- a[26] = z_bswap; \ -- z_bswap = a[22]; \ -- a[22] = a[25]; \ -- a[25] = z_bswap; \ -- z_bswap = a[23]; \ -- a[23] = a[24]; \ -- a[24] = z_bswap; \ -- } while (0) -- --static mp_err --point_mul_g_secp384r1_wrap(const mp_int *n, mp_int *out_x, -- mp_int *out_y, const ECGroup *group) --{ -- unsigned char b_x[48]; -- unsigned char b_y[48]; -- unsigned char b_n[48]; -- mp_err res; -- -- ARGCHK(n != NULL && out_x != NULL && out_y != NULL, MP_BADARG); -- -- /* fail on out of range scalars */ -- if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != MP_GT) -- return MP_RANGE; -- -- MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); -- MP_BE2LE(b_n); -- point_mul_g_secp384r1(b_x, b_y, b_n); -- MP_BE2LE(b_x); -- MP_BE2LE(b_y); -- MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); -- MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); -- --CLEANUP: -- return res; --} -- --static mp_err --point_mul_secp384r1_wrap(const mp_int *n, const mp_int *in_x, -- const mp_int *in_y, mp_int *out_x, -- mp_int *out_y, const ECGroup *group) --{ -- unsigned char b_x[48]; -- unsigned char b_y[48]; -- unsigned char b_n[48]; -- mp_err res; -- -- ARGCHK(n != NULL && in_x != NULL && in_y != NULL && out_x != NULL && -- out_y != NULL, -- MP_BADARG); -- -- /* fail on out of range scalars */ -- if (mpl_significant_bits(n) > 384 || mp_cmp_z(n) != MP_GT) -- return MP_RANGE; -- -- MP_CHECKOK(mp_to_fixlen_octets(n, b_n, 48)); -- MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); -- MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); -- MP_BE2LE(b_x); -- MP_BE2LE(b_y); -- MP_BE2LE(b_n); -- point_mul_secp384r1(b_x, b_y, b_n, b_x, b_y); -- MP_BE2LE(b_x); -- 
MP_BE2LE(b_y); -- MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); -- MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); -- --CLEANUP: -- return res; --} -- --static mp_err --point_mul_two_secp384r1_wrap(const mp_int *n1, const mp_int *n2, -- const mp_int *in_x, -- const mp_int *in_y, mp_int *out_x, -- mp_int *out_y, -- const ECGroup *group) --{ -- unsigned char b_x[48]; -- unsigned char b_y[48]; -- unsigned char b_n1[48]; -- unsigned char b_n2[48]; -- mp_err res; -- -- /* If n2 == NULL or 0, this is just a base-point multiplication. */ -- if (n2 == NULL || mp_cmp_z(n2) == MP_EQ) -- return point_mul_g_secp384r1_wrap(n1, out_x, out_y, group); -- -- /* If n1 == NULL or 0, this is just an arbitary-point multiplication. */ -- if (n1 == NULL || mp_cmp_z(n1) == MP_EQ) -- return point_mul_secp384r1_wrap(n2, in_x, in_y, out_x, out_y, group); -- -- ARGCHK(in_x != NULL && in_y != NULL && out_x != NULL && out_y != NULL, -- MP_BADARG); -+ if (!X || !k || !P || !X->data || !k->data || !P->data || -+ X->len < 48 || P->len != 97 || -+ P->data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } - -- /* fail on out of range scalars */ -- if (mpl_significant_bits(n1) > 384 || mp_cmp_z(n1) != MP_GT || -- mpl_significant_bits(n2) > 384 || mp_cmp_z(n2) != MP_GT) -- return MP_RANGE; -+ /* We consider keys of up to size 48, or of size 49 with a single leading 0 */ -+ if (k->len < 48) { -+ memcpy(full_key + 48 - k->len, k->data, k->len); -+ key = full_key; -+ } else if (k->len == 48) { -+ key = k->data; -+ } else if (k->len == 49 && k->data[0] == 0) { -+ key = k->data + 1; -+ } else { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } - -- MP_CHECKOK(mp_to_fixlen_octets(n1, b_n1, 48)); -- MP_CHECKOK(mp_to_fixlen_octets(n2, b_n2, 48)); -- MP_CHECKOK(mp_to_fixlen_octets(in_x, b_x, 48)); -- MP_CHECKOK(mp_to_fixlen_octets(in_y, b_y, 48)); -- MP_BE2LE(b_x); -- MP_BE2LE(b_y); -- 
MP_BE2LE(b_n1); -- MP_BE2LE(b_n2); -- point_mul_two_secp384r1(b_x, b_y, b_n1, b_n2, b_x, b_y); -- MP_BE2LE(b_x); -- MP_BE2LE(b_y); -- MP_CHECKOK(mp_read_unsigned_octets(out_x, b_x, 48)); -- MP_CHECKOK(mp_read_unsigned_octets(out_y, b_y, 48)); -+ bool b = Hacl_P384_dh_responder(derived, P->data + 1, key); - --CLEANUP: -- return res; --} -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } - --mp_err --ec_group_set_secp384r1(ECGroup *group, ECCurveName name) --{ -- if (name == ECCurve_NIST_P384) { -- group->base_point_mul = &point_mul_g_secp384r1_wrap; -- group->point_mul = &point_mul_secp384r1_wrap; -- group->points_mul = &point_mul_two_secp384r1_wrap; -+ X->len = 48; -+ memcpy(X->data, derived, 48); - } -- return MP_OKAY; --} -- --#else /* __SIZEOF_INT128__ */ - --#include --#include --#define LIMB_BITS 32 --#define LIMB_CNT 12 --/* Field elements */ --typedef uint32_t fe_t[LIMB_CNT]; --typedef uint32_t limb_t; -- --#define fe_copy(d, s) memcpy(d, s, sizeof(fe_t)) --#define fe_set_zero(d) memset(d, 0, sizeof(fe_t)) -- --/* Projective points */ --typedef struct { -- fe_t X; -- fe_t Y; -- fe_t Z; --} pt_prj_t; -- --/* Affine points */ --typedef struct { -- fe_t X; -- fe_t Y; --} pt_aff_t; -- --/* BEGIN verbatim fiat code https://github.com/mit-plv/fiat-crypto */ --/*- -- * MIT License -- * -- * Copyright (c) 2015-2021 the fiat-crypto authors (see the AUTHORS file). 
-- * https://github.com/mit-plv/fiat-crypto/blob/master/AUTHORS -- * -- * Permission is hereby granted, free of charge, to any person obtaining a copy -- * of this software and associated documentation files (the "Software"), to deal -- * in the Software without restriction, including without limitation the rights -- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -- * copies of the Software, and to permit persons to whom the Software is -- * furnished to do so, subject to the following conditions: -- * -- * The above copyright notice and this permission notice shall be included in -- * all copies or substantial portions of the Software. -- * -- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -- * SOFTWARE. -- */ -- --/* Autogenerated: word_by_word_montgomery --static --use-value-barrier secp384r1 32 '2^384 - 2^128 - 2^96 + 2^32 - 1' */ --/* curve description: secp384r1 */ --/* machine_wordsize = 32 (from "32") */ --/* requested operations: (all) */ --/* m = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff (from "2^384 - 2^128 - 2^96 + 2^32 - 1") */ --/* */ --/* NOTE: In addition to the bounds specified above each function, all */ --/* functions synthesized for this Montgomery arithmetic require the */ --/* input to be strictly less than the prime modulus (m), and also */ --/* require the input to be in the unique saturated representation. */ --/* All functions also ensure that these two properties are true of */ --/* return values. 
*/ --/* */ --/* Computed values: */ --/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) */ --/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) + (z[32] << 256) + (z[33] << 0x108) + (z[34] << 0x110) + (z[35] << 0x118) + (z[36] << 0x120) + (z[37] << 0x128) + (z[38] << 0x130) + (z[39] << 0x138) + (z[40] << 0x140) + (z[41] << 0x148) + (z[42] << 0x150) + (z[43] << 0x158) + (z[44] << 0x160) + (z[45] << 0x168) + (z[46] << 0x170) + (z[47] << 0x178) */ --/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) + (z[8] << 256) + (z[9] << 0x120) + (z[10] << 0x140) + (z[11] << 0x160) in */ --/* if x1 & (2^384-1) < 2^383 then x1 & (2^384-1) else (x1 & (2^384-1)) - 2^384 */ -- --#include --typedef unsigned char fiat_secp384r1_uint1; --typedef signed char fiat_secp384r1_int1; --#ifdef __GNUC__ --#define FIAT_SECP384R1_FIAT_INLINE __inline__ --#else --#define FIAT_SECP384R1_FIAT_INLINE --#endif -- --/* The type fiat_secp384r1_montgomery_domain_field_element is a field element in the Montgomery domain. 
*/ --/* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ --typedef uint32_t fiat_secp384r1_montgomery_domain_field_element[12]; -- --/* The type fiat_secp384r1_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ --/* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ --typedef uint32_t fiat_secp384r1_non_montgomery_domain_field_element[12]; -- --#if (-1 & 3) != 3 --#error "This code only works on a two's complement system" --#endif -- --#if !defined(FIAT_SECP384R1_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) --static __inline__ uint32_t --fiat_secp384r1_value_barrier_u32(uint32_t a) --{ -- __asm__("" -- : "+r"(a) -- : /* no inputs */); -- return a; --} --#else --#define fiat_secp384r1_value_barrier_u32(x) (x) --#endif -- --/* -- * The function fiat_secp384r1_addcarryx_u32 is an addition with carry. 
-- * -- * Postconditions: -- * out1 = (arg1 + arg2 + arg3) mod 2^32 -- * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ -- * -- * Input Bounds: -- * arg1: [0x0 ~> 0x1] -- * arg2: [0x0 ~> 0xffffffff] -- * arg3: [0x0 ~> 0xffffffff] -- * Output Bounds: -- * out1: [0x0 ~> 0xffffffff] -- * out2: [0x0 ~> 0x1] -- */ --static void --fiat_secp384r1_addcarryx_u32(uint32_t *out1, -- fiat_secp384r1_uint1 *out2, -- fiat_secp384r1_uint1 arg1, -- uint32_t arg2, uint32_t arg3) --{ -- uint64_t x1; -- uint32_t x2; -- fiat_secp384r1_uint1 x3; -- x1 = ((arg1 + (uint64_t)arg2) + arg3); -- x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); -- x3 = (fiat_secp384r1_uint1)(x1 >> 32); -- *out1 = x2; -- *out2 = x3; --} -- --/* -- * The function fiat_secp384r1_subborrowx_u32 is a subtraction with borrow. -- * -- * Postconditions: -- * out1 = (-arg1 + arg2 + -arg3) mod 2^32 -- * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ -- * -- * Input Bounds: -- * arg1: [0x0 ~> 0x1] -- * arg2: [0x0 ~> 0xffffffff] -- * arg3: [0x0 ~> 0xffffffff] -- * Output Bounds: -- * out1: [0x0 ~> 0xffffffff] -- * out2: [0x0 ~> 0x1] -- */ --static void --fiat_secp384r1_subborrowx_u32(uint32_t *out1, -- fiat_secp384r1_uint1 *out2, -- fiat_secp384r1_uint1 arg1, -- uint32_t arg2, uint32_t arg3) --{ -- int64_t x1; -- fiat_secp384r1_int1 x2; -- uint32_t x3; -- x1 = ((arg2 - (int64_t)arg1) - arg3); -- x2 = (fiat_secp384r1_int1)(x1 >> 32); -- x3 = (uint32_t)(x1 & UINT32_C(0xffffffff)); -- *out1 = x3; -- *out2 = (fiat_secp384r1_uint1)(0x0 - x2); --} -- --/* -- * The function fiat_secp384r1_mulx_u32 is a multiplication, returning the full double-width result. 
-- * -- * Postconditions: -- * out1 = (arg1 * arg2) mod 2^32 -- * out2 = ⌊arg1 * arg2 / 2^32⌋ -- * -- * Input Bounds: -- * arg1: [0x0 ~> 0xffffffff] -- * arg2: [0x0 ~> 0xffffffff] -- * Output Bounds: -- * out1: [0x0 ~> 0xffffffff] -- * out2: [0x0 ~> 0xffffffff] -- */ --static void --fiat_secp384r1_mulx_u32(uint32_t *out1, uint32_t *out2, -- uint32_t arg1, uint32_t arg2) --{ -- uint64_t x1; -- uint32_t x2; -- uint32_t x3; -- x1 = ((uint64_t)arg1 * arg2); -- x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); -- x3 = (uint32_t)(x1 >> 32); -- *out1 = x2; -- *out2 = x3; --} -- --/* -- * The function fiat_secp384r1_cmovznz_u32 is a single-word conditional move. -- * -- * Postconditions: -- * out1 = (if arg1 = 0 then arg2 else arg3) -- * -- * Input Bounds: -- * arg1: [0x0 ~> 0x1] -- * arg2: [0x0 ~> 0xffffffff] -- * arg3: [0x0 ~> 0xffffffff] -- * Output Bounds: -- * out1: [0x0 ~> 0xffffffff] -- */ --static void --fiat_secp384r1_cmovznz_u32(uint32_t *out1, -- fiat_secp384r1_uint1 arg1, uint32_t arg2, -- uint32_t arg3) --{ -- fiat_secp384r1_uint1 x1; -- uint32_t x2; -- uint32_t x3; -- x1 = (!(!arg1)); -- x2 = ((fiat_secp384r1_int1)(0x0 - x1) & UINT32_C(0xffffffff)); -- x3 = ((fiat_secp384r1_value_barrier_u32(x2) & arg3) | -- (fiat_secp384r1_value_barrier_u32((~x2)) & arg2)); -- *out1 = x3; --} -- --/* -- * The function fiat_secp384r1_mul multiplies two field elements in the Montgomery domain. 
-- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * 0 ≤ eval arg2 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_mul( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1, -- const fiat_secp384r1_montgomery_domain_field_element arg2) --{ -- uint32_t x1; -- uint32_t x2; -- uint32_t x3; -- uint32_t x4; -- uint32_t x5; -- uint32_t x6; -- uint32_t x7; -- uint32_t x8; -- uint32_t x9; -- uint32_t x10; -- uint32_t x11; -- uint32_t x12; -- uint32_t x13; -- uint32_t x14; -- uint32_t x15; -- uint32_t x16; -- uint32_t x17; -- uint32_t x18; -- uint32_t x19; -- uint32_t x20; -- uint32_t x21; -- uint32_t x22; -- uint32_t x23; -- uint32_t x24; -- uint32_t x25; -- uint32_t x26; -- uint32_t x27; -- uint32_t x28; -- uint32_t x29; -- uint32_t x30; -- uint32_t x31; -- uint32_t x32; -- uint32_t x33; -- uint32_t x34; -- uint32_t x35; -- uint32_t x36; -- uint32_t x37; -- fiat_secp384r1_uint1 x38; -- uint32_t x39; -- fiat_secp384r1_uint1 x40; -- uint32_t x41; -- fiat_secp384r1_uint1 x42; -- uint32_t x43; -- fiat_secp384r1_uint1 x44; -- uint32_t x45; -- fiat_secp384r1_uint1 x46; -- uint32_t x47; -- fiat_secp384r1_uint1 x48; -- uint32_t x49; -- fiat_secp384r1_uint1 x50; -- uint32_t x51; -- fiat_secp384r1_uint1 x52; -- uint32_t x53; -- fiat_secp384r1_uint1 x54; -- uint32_t x55; -- fiat_secp384r1_uint1 x56; -- uint32_t x57; -- fiat_secp384r1_uint1 x58; -- uint32_t x59; -- uint32_t x60; -- uint32_t x61; -- uint32_t x62; -- uint32_t x63; -- uint32_t x64; -- uint32_t x65; -- uint32_t x66; -- uint32_t x67; -- uint32_t x68; -- uint32_t x69; -- uint32_t x70; -- uint32_t x71; -- uint32_t x72; -- uint32_t x73; -- uint32_t x74; -- uint32_t x75; -- uint32_t x76; -- uint32_t x77; -- uint32_t x78; -- uint32_t x79; -- uint32_t x80; -- fiat_secp384r1_uint1 x81; -- uint32_t x82; -- 
fiat_secp384r1_uint1 x83; -- uint32_t x84; -- fiat_secp384r1_uint1 x85; -- uint32_t x86; -- fiat_secp384r1_uint1 x87; -- uint32_t x88; -- fiat_secp384r1_uint1 x89; -- uint32_t x90; -- fiat_secp384r1_uint1 x91; -- uint32_t x92; -- fiat_secp384r1_uint1 x93; -- uint32_t x94; -- fiat_secp384r1_uint1 x95; -- uint32_t x96; -- uint32_t x97; -- fiat_secp384r1_uint1 x98; -- uint32_t x99; -- fiat_secp384r1_uint1 x100; -- uint32_t x101; -- fiat_secp384r1_uint1 x102; -- uint32_t x103; -- fiat_secp384r1_uint1 x104; -- uint32_t x105; -- fiat_secp384r1_uint1 x106; -- uint32_t x107; -- fiat_secp384r1_uint1 x108; -- uint32_t x109; -- fiat_secp384r1_uint1 x110; -- uint32_t x111; -- fiat_secp384r1_uint1 x112; -- uint32_t x113; -- fiat_secp384r1_uint1 x114; -- uint32_t x115; -- fiat_secp384r1_uint1 x116; -- uint32_t x117; -- fiat_secp384r1_uint1 x118; -- uint32_t x119; -- fiat_secp384r1_uint1 x120; -- uint32_t x121; -- fiat_secp384r1_uint1 x122; -- uint32_t x123; -- uint32_t x124; -- uint32_t x125; -- uint32_t x126; -- uint32_t x127; -- uint32_t x128; -- uint32_t x129; -- uint32_t x130; -- uint32_t x131; -- uint32_t x132; -- uint32_t x133; -- uint32_t x134; -- uint32_t x135; -- uint32_t x136; -- uint32_t x137; -- uint32_t x138; -- uint32_t x139; -- uint32_t x140; -- uint32_t x141; -- uint32_t x142; -- uint32_t x143; -- uint32_t x144; -- uint32_t x145; -- uint32_t x146; -- uint32_t x147; -- fiat_secp384r1_uint1 x148; -- uint32_t x149; -- fiat_secp384r1_uint1 x150; -- uint32_t x151; -- fiat_secp384r1_uint1 x152; -- uint32_t x153; -- fiat_secp384r1_uint1 x154; -- uint32_t x155; -- fiat_secp384r1_uint1 x156; -- uint32_t x157; -- fiat_secp384r1_uint1 x158; -- uint32_t x159; -- fiat_secp384r1_uint1 x160; -- uint32_t x161; -- fiat_secp384r1_uint1 x162; -- uint32_t x163; -- fiat_secp384r1_uint1 x164; -- uint32_t x165; -- fiat_secp384r1_uint1 x166; -- uint32_t x167; -- fiat_secp384r1_uint1 x168; -- uint32_t x169; -- uint32_t x170; -- fiat_secp384r1_uint1 x171; -- uint32_t x172; -- 
fiat_secp384r1_uint1 x173; -- uint32_t x174; -- fiat_secp384r1_uint1 x175; -- uint32_t x176; -- fiat_secp384r1_uint1 x177; -- uint32_t x178; -- fiat_secp384r1_uint1 x179; -- uint32_t x180; -- fiat_secp384r1_uint1 x181; -- uint32_t x182; -- fiat_secp384r1_uint1 x183; -- uint32_t x184; -- fiat_secp384r1_uint1 x185; -- uint32_t x186; -- fiat_secp384r1_uint1 x187; -- uint32_t x188; -- fiat_secp384r1_uint1 x189; -- uint32_t x190; -- fiat_secp384r1_uint1 x191; -- uint32_t x192; -- fiat_secp384r1_uint1 x193; -- uint32_t x194; -- fiat_secp384r1_uint1 x195; -- uint32_t x196; -- uint32_t x197; -- uint32_t x198; -- uint32_t x199; -- uint32_t x200; -- uint32_t x201; -- uint32_t x202; -- uint32_t x203; -- uint32_t x204; -- uint32_t x205; -- uint32_t x206; -- uint32_t x207; -- uint32_t x208; -- uint32_t x209; -- uint32_t x210; -- uint32_t x211; -- uint32_t x212; -- uint32_t x213; -- uint32_t x214; -- uint32_t x215; -- uint32_t x216; -- fiat_secp384r1_uint1 x217; -- uint32_t x218; -- fiat_secp384r1_uint1 x219; -- uint32_t x220; -- fiat_secp384r1_uint1 x221; -- uint32_t x222; -- fiat_secp384r1_uint1 x223; -- uint32_t x224; -- fiat_secp384r1_uint1 x225; -- uint32_t x226; -- fiat_secp384r1_uint1 x227; -- uint32_t x228; -- fiat_secp384r1_uint1 x229; -- uint32_t x230; -- fiat_secp384r1_uint1 x231; -- uint32_t x232; -- uint32_t x233; -- fiat_secp384r1_uint1 x234; -- uint32_t x235; -- fiat_secp384r1_uint1 x236; -- uint32_t x237; -- fiat_secp384r1_uint1 x238; -- uint32_t x239; -- fiat_secp384r1_uint1 x240; -- uint32_t x241; -- fiat_secp384r1_uint1 x242; -- uint32_t x243; -- fiat_secp384r1_uint1 x244; -- uint32_t x245; -- fiat_secp384r1_uint1 x246; -- uint32_t x247; -- fiat_secp384r1_uint1 x248; -- uint32_t x249; -- fiat_secp384r1_uint1 x250; -- uint32_t x251; -- fiat_secp384r1_uint1 x252; -- uint32_t x253; -- fiat_secp384r1_uint1 x254; -- uint32_t x255; -- fiat_secp384r1_uint1 x256; -- uint32_t x257; -- fiat_secp384r1_uint1 x258; -- uint32_t x259; -- uint32_t x260; -- uint32_t x261; -- 
uint32_t x262; -- uint32_t x263; -- uint32_t x264; -- uint32_t x265; -- uint32_t x266; -- uint32_t x267; -- uint32_t x268; -- uint32_t x269; -- uint32_t x270; -- uint32_t x271; -- uint32_t x272; -- uint32_t x273; -- uint32_t x274; -- uint32_t x275; -- uint32_t x276; -- uint32_t x277; -- uint32_t x278; -- uint32_t x279; -- uint32_t x280; -- uint32_t x281; -- uint32_t x282; -- uint32_t x283; -- uint32_t x284; -- fiat_secp384r1_uint1 x285; -- uint32_t x286; -- fiat_secp384r1_uint1 x287; -- uint32_t x288; -- fiat_secp384r1_uint1 x289; -- uint32_t x290; -- fiat_secp384r1_uint1 x291; -- uint32_t x292; -- fiat_secp384r1_uint1 x293; -- uint32_t x294; -- fiat_secp384r1_uint1 x295; -- uint32_t x296; -- fiat_secp384r1_uint1 x297; -- uint32_t x298; -- fiat_secp384r1_uint1 x299; -- uint32_t x300; -- fiat_secp384r1_uint1 x301; -- uint32_t x302; -- fiat_secp384r1_uint1 x303; -- uint32_t x304; -- fiat_secp384r1_uint1 x305; -- uint32_t x306; -- uint32_t x307; -- fiat_secp384r1_uint1 x308; -- uint32_t x309; -- fiat_secp384r1_uint1 x310; -- uint32_t x311; -- fiat_secp384r1_uint1 x312; -- uint32_t x313; -- fiat_secp384r1_uint1 x314; -- uint32_t x315; -- fiat_secp384r1_uint1 x316; -- uint32_t x317; -- fiat_secp384r1_uint1 x318; -- uint32_t x319; -- fiat_secp384r1_uint1 x320; -- uint32_t x321; -- fiat_secp384r1_uint1 x322; -- uint32_t x323; -- fiat_secp384r1_uint1 x324; -- uint32_t x325; -- fiat_secp384r1_uint1 x326; -- uint32_t x327; -- fiat_secp384r1_uint1 x328; -- uint32_t x329; -- fiat_secp384r1_uint1 x330; -- uint32_t x331; -- fiat_secp384r1_uint1 x332; -- uint32_t x333; -- uint32_t x334; -- uint32_t x335; -- uint32_t x336; -- uint32_t x337; -- uint32_t x338; -- uint32_t x339; -- uint32_t x340; -- uint32_t x341; -- uint32_t x342; -- uint32_t x343; -- uint32_t x344; -- uint32_t x345; -- uint32_t x346; -- uint32_t x347; -- uint32_t x348; -- uint32_t x349; -- uint32_t x350; -- uint32_t x351; -- uint32_t x352; -- uint32_t x353; -- fiat_secp384r1_uint1 x354; -- uint32_t x355; -- 
fiat_secp384r1_uint1 x356; -- uint32_t x357; -- fiat_secp384r1_uint1 x358; -- uint32_t x359; -- fiat_secp384r1_uint1 x360; -- uint32_t x361; -- fiat_secp384r1_uint1 x362; -- uint32_t x363; -- fiat_secp384r1_uint1 x364; -- uint32_t x365; -- fiat_secp384r1_uint1 x366; -- uint32_t x367; -- fiat_secp384r1_uint1 x368; -- uint32_t x369; -- uint32_t x370; -- fiat_secp384r1_uint1 x371; -- uint32_t x372; -- fiat_secp384r1_uint1 x373; -- uint32_t x374; -- fiat_secp384r1_uint1 x375; -- uint32_t x376; -- fiat_secp384r1_uint1 x377; -- uint32_t x378; -- fiat_secp384r1_uint1 x379; -- uint32_t x380; -- fiat_secp384r1_uint1 x381; -- uint32_t x382; -- fiat_secp384r1_uint1 x383; -- uint32_t x384; -- fiat_secp384r1_uint1 x385; -- uint32_t x386; -- fiat_secp384r1_uint1 x387; -- uint32_t x388; -- fiat_secp384r1_uint1 x389; -- uint32_t x390; -- fiat_secp384r1_uint1 x391; -- uint32_t x392; -- fiat_secp384r1_uint1 x393; -- uint32_t x394; -- fiat_secp384r1_uint1 x395; -- uint32_t x396; -- uint32_t x397; -- uint32_t x398; -- uint32_t x399; -- uint32_t x400; -- uint32_t x401; -- uint32_t x402; -- uint32_t x403; -- uint32_t x404; -- uint32_t x405; -- uint32_t x406; -- uint32_t x407; -- uint32_t x408; -- uint32_t x409; -- uint32_t x410; -- uint32_t x411; -- uint32_t x412; -- uint32_t x413; -- uint32_t x414; -- uint32_t x415; -- uint32_t x416; -- uint32_t x417; -- uint32_t x418; -- uint32_t x419; -- uint32_t x420; -- uint32_t x421; -- fiat_secp384r1_uint1 x422; -- uint32_t x423; -- fiat_secp384r1_uint1 x424; -- uint32_t x425; -- fiat_secp384r1_uint1 x426; -- uint32_t x427; -- fiat_secp384r1_uint1 x428; -- uint32_t x429; -- fiat_secp384r1_uint1 x430; -- uint32_t x431; -- fiat_secp384r1_uint1 x432; -- uint32_t x433; -- fiat_secp384r1_uint1 x434; -- uint32_t x435; -- fiat_secp384r1_uint1 x436; -- uint32_t x437; -- fiat_secp384r1_uint1 x438; -- uint32_t x439; -- fiat_secp384r1_uint1 x440; -- uint32_t x441; -- fiat_secp384r1_uint1 x442; -- uint32_t x443; -- uint32_t x444; -- fiat_secp384r1_uint1 
x445; -- uint32_t x446; -- fiat_secp384r1_uint1 x447; -- uint32_t x448; -- fiat_secp384r1_uint1 x449; -- uint32_t x450; -- fiat_secp384r1_uint1 x451; -- uint32_t x452; -- fiat_secp384r1_uint1 x453; -- uint32_t x454; -- fiat_secp384r1_uint1 x455; -- uint32_t x456; -- fiat_secp384r1_uint1 x457; -- uint32_t x458; -- fiat_secp384r1_uint1 x459; -- uint32_t x460; -- fiat_secp384r1_uint1 x461; -- uint32_t x462; -- fiat_secp384r1_uint1 x463; -- uint32_t x464; -- fiat_secp384r1_uint1 x465; -- uint32_t x466; -- fiat_secp384r1_uint1 x467; -- uint32_t x468; -- fiat_secp384r1_uint1 x469; -- uint32_t x470; -- uint32_t x471; -- uint32_t x472; -- uint32_t x473; -- uint32_t x474; -- uint32_t x475; -- uint32_t x476; -- uint32_t x477; -- uint32_t x478; -- uint32_t x479; -- uint32_t x480; -- uint32_t x481; -- uint32_t x482; -- uint32_t x483; -- uint32_t x484; -- uint32_t x485; -- uint32_t x486; -- uint32_t x487; -- uint32_t x488; -- uint32_t x489; -- uint32_t x490; -- fiat_secp384r1_uint1 x491; -- uint32_t x492; -- fiat_secp384r1_uint1 x493; -- uint32_t x494; -- fiat_secp384r1_uint1 x495; -- uint32_t x496; -- fiat_secp384r1_uint1 x497; -- uint32_t x498; -- fiat_secp384r1_uint1 x499; -- uint32_t x500; -- fiat_secp384r1_uint1 x501; -- uint32_t x502; -- fiat_secp384r1_uint1 x503; -- uint32_t x504; -- fiat_secp384r1_uint1 x505; -- uint32_t x506; -- uint32_t x507; -- fiat_secp384r1_uint1 x508; -- uint32_t x509; -- fiat_secp384r1_uint1 x510; -- uint32_t x511; -- fiat_secp384r1_uint1 x512; -- uint32_t x513; -- fiat_secp384r1_uint1 x514; -- uint32_t x515; -- fiat_secp384r1_uint1 x516; -- uint32_t x517; -- fiat_secp384r1_uint1 x518; -- uint32_t x519; -- fiat_secp384r1_uint1 x520; -- uint32_t x521; -- fiat_secp384r1_uint1 x522; -- uint32_t x523; -- fiat_secp384r1_uint1 x524; -- uint32_t x525; -- fiat_secp384r1_uint1 x526; -- uint32_t x527; -- fiat_secp384r1_uint1 x528; -- uint32_t x529; -- fiat_secp384r1_uint1 x530; -- uint32_t x531; -- fiat_secp384r1_uint1 x532; -- uint32_t x533; -- uint32_t 
x534; -- uint32_t x535; -- uint32_t x536; -- uint32_t x537; -- uint32_t x538; -- uint32_t x539; -- uint32_t x540; -- uint32_t x541; -- uint32_t x542; -- uint32_t x543; -- uint32_t x544; -- uint32_t x545; -- uint32_t x546; -- uint32_t x547; -- uint32_t x548; -- uint32_t x549; -- uint32_t x550; -- uint32_t x551; -- uint32_t x552; -- uint32_t x553; -- uint32_t x554; -- uint32_t x555; -- uint32_t x556; -- uint32_t x557; -- uint32_t x558; -- fiat_secp384r1_uint1 x559; -- uint32_t x560; -- fiat_secp384r1_uint1 x561; -- uint32_t x562; -- fiat_secp384r1_uint1 x563; -- uint32_t x564; -- fiat_secp384r1_uint1 x565; -- uint32_t x566; -- fiat_secp384r1_uint1 x567; -- uint32_t x568; -- fiat_secp384r1_uint1 x569; -- uint32_t x570; -- fiat_secp384r1_uint1 x571; -- uint32_t x572; -- fiat_secp384r1_uint1 x573; -- uint32_t x574; -- fiat_secp384r1_uint1 x575; -- uint32_t x576; -- fiat_secp384r1_uint1 x577; -- uint32_t x578; -- fiat_secp384r1_uint1 x579; -- uint32_t x580; -- uint32_t x581; -- fiat_secp384r1_uint1 x582; -- uint32_t x583; -- fiat_secp384r1_uint1 x584; -- uint32_t x585; -- fiat_secp384r1_uint1 x586; -- uint32_t x587; -- fiat_secp384r1_uint1 x588; -- uint32_t x589; -- fiat_secp384r1_uint1 x590; -- uint32_t x591; -- fiat_secp384r1_uint1 x592; -- uint32_t x593; -- fiat_secp384r1_uint1 x594; -- uint32_t x595; -- fiat_secp384r1_uint1 x596; -- uint32_t x597; -- fiat_secp384r1_uint1 x598; -- uint32_t x599; -- fiat_secp384r1_uint1 x600; -- uint32_t x601; -- fiat_secp384r1_uint1 x602; -- uint32_t x603; -- fiat_secp384r1_uint1 x604; -- uint32_t x605; -- fiat_secp384r1_uint1 x606; -- uint32_t x607; -- uint32_t x608; -- uint32_t x609; -- uint32_t x610; -- uint32_t x611; -- uint32_t x612; -- uint32_t x613; -- uint32_t x614; -- uint32_t x615; -- uint32_t x616; -- uint32_t x617; -- uint32_t x618; -- uint32_t x619; -- uint32_t x620; -- uint32_t x621; -- uint32_t x622; -- uint32_t x623; -- uint32_t x624; -- uint32_t x625; -- uint32_t x626; -- uint32_t x627; -- fiat_secp384r1_uint1 x628; 
-- uint32_t x629; -- fiat_secp384r1_uint1 x630; -- uint32_t x631; -- fiat_secp384r1_uint1 x632; -- uint32_t x633; -- fiat_secp384r1_uint1 x634; -- uint32_t x635; -- fiat_secp384r1_uint1 x636; -- uint32_t x637; -- fiat_secp384r1_uint1 x638; -- uint32_t x639; -- fiat_secp384r1_uint1 x640; -- uint32_t x641; -- fiat_secp384r1_uint1 x642; -- uint32_t x643; -- uint32_t x644; -- fiat_secp384r1_uint1 x645; -- uint32_t x646; -- fiat_secp384r1_uint1 x647; -- uint32_t x648; -- fiat_secp384r1_uint1 x649; -- uint32_t x650; -- fiat_secp384r1_uint1 x651; -- uint32_t x652; -- fiat_secp384r1_uint1 x653; -- uint32_t x654; -- fiat_secp384r1_uint1 x655; -- uint32_t x656; -- fiat_secp384r1_uint1 x657; -- uint32_t x658; -- fiat_secp384r1_uint1 x659; -- uint32_t x660; -- fiat_secp384r1_uint1 x661; -- uint32_t x662; -- fiat_secp384r1_uint1 x663; -- uint32_t x664; -- fiat_secp384r1_uint1 x665; -- uint32_t x666; -- fiat_secp384r1_uint1 x667; -- uint32_t x668; -- fiat_secp384r1_uint1 x669; -- uint32_t x670; -- uint32_t x671; -- uint32_t x672; -- uint32_t x673; -- uint32_t x674; -- uint32_t x675; -- uint32_t x676; -- uint32_t x677; -- uint32_t x678; -- uint32_t x679; -- uint32_t x680; -- uint32_t x681; -- uint32_t x682; -- uint32_t x683; -- uint32_t x684; -- uint32_t x685; -- uint32_t x686; -- uint32_t x687; -- uint32_t x688; -- uint32_t x689; -- uint32_t x690; -- uint32_t x691; -- uint32_t x692; -- uint32_t x693; -- uint32_t x694; -- uint32_t x695; -- fiat_secp384r1_uint1 x696; -- uint32_t x697; -- fiat_secp384r1_uint1 x698; -- uint32_t x699; -- fiat_secp384r1_uint1 x700; -- uint32_t x701; -- fiat_secp384r1_uint1 x702; -- uint32_t x703; -- fiat_secp384r1_uint1 x704; -- uint32_t x705; -- fiat_secp384r1_uint1 x706; -- uint32_t x707; -- fiat_secp384r1_uint1 x708; -- uint32_t x709; -- fiat_secp384r1_uint1 x710; -- uint32_t x711; -- fiat_secp384r1_uint1 x712; -- uint32_t x713; -- fiat_secp384r1_uint1 x714; -- uint32_t x715; -- fiat_secp384r1_uint1 x716; -- uint32_t x717; -- uint32_t x718; -- 
fiat_secp384r1_uint1 x719; -- uint32_t x720; -- fiat_secp384r1_uint1 x721; -- uint32_t x722; -- fiat_secp384r1_uint1 x723; -- uint32_t x724; -- fiat_secp384r1_uint1 x725; -- uint32_t x726; -- fiat_secp384r1_uint1 x727; -- uint32_t x728; -- fiat_secp384r1_uint1 x729; -- uint32_t x730; -- fiat_secp384r1_uint1 x731; -- uint32_t x732; -- fiat_secp384r1_uint1 x733; -- uint32_t x734; -- fiat_secp384r1_uint1 x735; -- uint32_t x736; -- fiat_secp384r1_uint1 x737; -- uint32_t x738; -- fiat_secp384r1_uint1 x739; -- uint32_t x740; -- fiat_secp384r1_uint1 x741; -- uint32_t x742; -- fiat_secp384r1_uint1 x743; -- uint32_t x744; -- uint32_t x745; -- uint32_t x746; -- uint32_t x747; -- uint32_t x748; -- uint32_t x749; -- uint32_t x750; -- uint32_t x751; -- uint32_t x752; -- uint32_t x753; -- uint32_t x754; -- uint32_t x755; -- uint32_t x756; -- uint32_t x757; -- uint32_t x758; -- uint32_t x759; -- uint32_t x760; -- uint32_t x761; -- uint32_t x762; -- uint32_t x763; -- uint32_t x764; -- fiat_secp384r1_uint1 x765; -- uint32_t x766; -- fiat_secp384r1_uint1 x767; -- uint32_t x768; -- fiat_secp384r1_uint1 x769; -- uint32_t x770; -- fiat_secp384r1_uint1 x771; -- uint32_t x772; -- fiat_secp384r1_uint1 x773; -- uint32_t x774; -- fiat_secp384r1_uint1 x775; -- uint32_t x776; -- fiat_secp384r1_uint1 x777; -- uint32_t x778; -- fiat_secp384r1_uint1 x779; -- uint32_t x780; -- uint32_t x781; -- fiat_secp384r1_uint1 x782; -- uint32_t x783; -- fiat_secp384r1_uint1 x784; -- uint32_t x785; -- fiat_secp384r1_uint1 x786; -- uint32_t x787; -- fiat_secp384r1_uint1 x788; -- uint32_t x789; -- fiat_secp384r1_uint1 x790; -- uint32_t x791; -- fiat_secp384r1_uint1 x792; -- uint32_t x793; -- fiat_secp384r1_uint1 x794; -- uint32_t x795; -- fiat_secp384r1_uint1 x796; -- uint32_t x797; -- fiat_secp384r1_uint1 x798; -- uint32_t x799; -- fiat_secp384r1_uint1 x800; -- uint32_t x801; -- fiat_secp384r1_uint1 x802; -- uint32_t x803; -- fiat_secp384r1_uint1 x804; -- uint32_t x805; -- fiat_secp384r1_uint1 x806; -- 
uint32_t x807; -- uint32_t x808; -- uint32_t x809; -- uint32_t x810; -- uint32_t x811; -- uint32_t x812; -- uint32_t x813; -- uint32_t x814; -- uint32_t x815; -- uint32_t x816; -- uint32_t x817; -- uint32_t x818; -- uint32_t x819; -- uint32_t x820; -- uint32_t x821; -- uint32_t x822; -- uint32_t x823; -- uint32_t x824; -- uint32_t x825; -- uint32_t x826; -- uint32_t x827; -- uint32_t x828; -- uint32_t x829; -- uint32_t x830; -- uint32_t x831; -- uint32_t x832; -- fiat_secp384r1_uint1 x833; -- uint32_t x834; -- fiat_secp384r1_uint1 x835; -- uint32_t x836; -- fiat_secp384r1_uint1 x837; -- uint32_t x838; -- fiat_secp384r1_uint1 x839; -- uint32_t x840; -- fiat_secp384r1_uint1 x841; -- uint32_t x842; -- fiat_secp384r1_uint1 x843; -- uint32_t x844; -- fiat_secp384r1_uint1 x845; -- uint32_t x846; -- fiat_secp384r1_uint1 x847; -- uint32_t x848; -- fiat_secp384r1_uint1 x849; -- uint32_t x850; -- fiat_secp384r1_uint1 x851; -- uint32_t x852; -- fiat_secp384r1_uint1 x853; -- uint32_t x854; -- uint32_t x855; -- fiat_secp384r1_uint1 x856; -- uint32_t x857; -- fiat_secp384r1_uint1 x858; -- uint32_t x859; -- fiat_secp384r1_uint1 x860; -- uint32_t x861; -- fiat_secp384r1_uint1 x862; -- uint32_t x863; -- fiat_secp384r1_uint1 x864; -- uint32_t x865; -- fiat_secp384r1_uint1 x866; -- uint32_t x867; -- fiat_secp384r1_uint1 x868; -- uint32_t x869; -- fiat_secp384r1_uint1 x870; -- uint32_t x871; -- fiat_secp384r1_uint1 x872; -- uint32_t x873; -- fiat_secp384r1_uint1 x874; -- uint32_t x875; -- fiat_secp384r1_uint1 x876; -- uint32_t x877; -- fiat_secp384r1_uint1 x878; -- uint32_t x879; -- fiat_secp384r1_uint1 x880; -- uint32_t x881; -- uint32_t x882; -- uint32_t x883; -- uint32_t x884; -- uint32_t x885; -- uint32_t x886; -- uint32_t x887; -- uint32_t x888; -- uint32_t x889; -- uint32_t x890; -- uint32_t x891; -- uint32_t x892; -- uint32_t x893; -- uint32_t x894; -- uint32_t x895; -- uint32_t x896; -- uint32_t x897; -- uint32_t x898; -- uint32_t x899; -- uint32_t x900; -- uint32_t x901; -- 
fiat_secp384r1_uint1 x902; -- uint32_t x903; -- fiat_secp384r1_uint1 x904; -- uint32_t x905; -- fiat_secp384r1_uint1 x906; -- uint32_t x907; -- fiat_secp384r1_uint1 x908; -- uint32_t x909; -- fiat_secp384r1_uint1 x910; -- uint32_t x911; -- fiat_secp384r1_uint1 x912; -- uint32_t x913; -- fiat_secp384r1_uint1 x914; -- uint32_t x915; -- fiat_secp384r1_uint1 x916; -- uint32_t x917; -- uint32_t x918; -- fiat_secp384r1_uint1 x919; -- uint32_t x920; -- fiat_secp384r1_uint1 x921; -- uint32_t x922; -- fiat_secp384r1_uint1 x923; -- uint32_t x924; -- fiat_secp384r1_uint1 x925; -- uint32_t x926; -- fiat_secp384r1_uint1 x927; -- uint32_t x928; -- fiat_secp384r1_uint1 x929; -- uint32_t x930; -- fiat_secp384r1_uint1 x931; -- uint32_t x932; -- fiat_secp384r1_uint1 x933; -- uint32_t x934; -- fiat_secp384r1_uint1 x935; -- uint32_t x936; -- fiat_secp384r1_uint1 x937; -- uint32_t x938; -- fiat_secp384r1_uint1 x939; -- uint32_t x940; -- fiat_secp384r1_uint1 x941; -- uint32_t x942; -- fiat_secp384r1_uint1 x943; -- uint32_t x944; -- uint32_t x945; -- uint32_t x946; -- uint32_t x947; -- uint32_t x948; -- uint32_t x949; -- uint32_t x950; -- uint32_t x951; -- uint32_t x952; -- uint32_t x953; -- uint32_t x954; -- uint32_t x955; -- uint32_t x956; -- uint32_t x957; -- uint32_t x958; -- uint32_t x959; -- uint32_t x960; -- uint32_t x961; -- uint32_t x962; -- uint32_t x963; -- uint32_t x964; -- uint32_t x965; -- uint32_t x966; -- uint32_t x967; -- uint32_t x968; -- uint32_t x969; -- fiat_secp384r1_uint1 x970; -- uint32_t x971; -- fiat_secp384r1_uint1 x972; -- uint32_t x973; -- fiat_secp384r1_uint1 x974; -- uint32_t x975; -- fiat_secp384r1_uint1 x976; -- uint32_t x977; -- fiat_secp384r1_uint1 x978; -- uint32_t x979; -- fiat_secp384r1_uint1 x980; -- uint32_t x981; -- fiat_secp384r1_uint1 x982; -- uint32_t x983; -- fiat_secp384r1_uint1 x984; -- uint32_t x985; -- fiat_secp384r1_uint1 x986; -- uint32_t x987; -- fiat_secp384r1_uint1 x988; -- uint32_t x989; -- fiat_secp384r1_uint1 x990; -- uint32_t 
x991; -- uint32_t x992; -- fiat_secp384r1_uint1 x993; -- uint32_t x994; -- fiat_secp384r1_uint1 x995; -- uint32_t x996; -- fiat_secp384r1_uint1 x997; -- uint32_t x998; -- fiat_secp384r1_uint1 x999; -- uint32_t x1000; -- fiat_secp384r1_uint1 x1001; -- uint32_t x1002; -- fiat_secp384r1_uint1 x1003; -- uint32_t x1004; -- fiat_secp384r1_uint1 x1005; -- uint32_t x1006; -- fiat_secp384r1_uint1 x1007; -- uint32_t x1008; -- fiat_secp384r1_uint1 x1009; -- uint32_t x1010; -- fiat_secp384r1_uint1 x1011; -- uint32_t x1012; -- fiat_secp384r1_uint1 x1013; -- uint32_t x1014; -- fiat_secp384r1_uint1 x1015; -- uint32_t x1016; -- fiat_secp384r1_uint1 x1017; -- uint32_t x1018; -- uint32_t x1019; -- uint32_t x1020; -- uint32_t x1021; -- uint32_t x1022; -- uint32_t x1023; -- uint32_t x1024; -- uint32_t x1025; -- uint32_t x1026; -- uint32_t x1027; -- uint32_t x1028; -- uint32_t x1029; -- uint32_t x1030; -- uint32_t x1031; -- uint32_t x1032; -- uint32_t x1033; -- uint32_t x1034; -- uint32_t x1035; -- uint32_t x1036; -- uint32_t x1037; -- uint32_t x1038; -- fiat_secp384r1_uint1 x1039; -- uint32_t x1040; -- fiat_secp384r1_uint1 x1041; -- uint32_t x1042; -- fiat_secp384r1_uint1 x1043; -- uint32_t x1044; -- fiat_secp384r1_uint1 x1045; -- uint32_t x1046; -- fiat_secp384r1_uint1 x1047; -- uint32_t x1048; -- fiat_secp384r1_uint1 x1049; -- uint32_t x1050; -- fiat_secp384r1_uint1 x1051; -- uint32_t x1052; -- fiat_secp384r1_uint1 x1053; -- uint32_t x1054; -- uint32_t x1055; -- fiat_secp384r1_uint1 x1056; -- uint32_t x1057; -- fiat_secp384r1_uint1 x1058; -- uint32_t x1059; -- fiat_secp384r1_uint1 x1060; -- uint32_t x1061; -- fiat_secp384r1_uint1 x1062; -- uint32_t x1063; -- fiat_secp384r1_uint1 x1064; -- uint32_t x1065; -- fiat_secp384r1_uint1 x1066; -- uint32_t x1067; -- fiat_secp384r1_uint1 x1068; -- uint32_t x1069; -- fiat_secp384r1_uint1 x1070; -- uint32_t x1071; -- fiat_secp384r1_uint1 x1072; -- uint32_t x1073; -- fiat_secp384r1_uint1 x1074; -- uint32_t x1075; -- fiat_secp384r1_uint1 x1076; -- 
uint32_t x1077; -- fiat_secp384r1_uint1 x1078; -- uint32_t x1079; -- fiat_secp384r1_uint1 x1080; -- uint32_t x1081; -- uint32_t x1082; -- uint32_t x1083; -- uint32_t x1084; -- uint32_t x1085; -- uint32_t x1086; -- uint32_t x1087; -- uint32_t x1088; -- uint32_t x1089; -- uint32_t x1090; -- uint32_t x1091; -- uint32_t x1092; -- uint32_t x1093; -- uint32_t x1094; -- uint32_t x1095; -- uint32_t x1096; -- uint32_t x1097; -- uint32_t x1098; -- uint32_t x1099; -- uint32_t x1100; -- uint32_t x1101; -- uint32_t x1102; -- uint32_t x1103; -- uint32_t x1104; -- uint32_t x1105; -- uint32_t x1106; -- fiat_secp384r1_uint1 x1107; -- uint32_t x1108; -- fiat_secp384r1_uint1 x1109; -- uint32_t x1110; -- fiat_secp384r1_uint1 x1111; -- uint32_t x1112; -- fiat_secp384r1_uint1 x1113; -- uint32_t x1114; -- fiat_secp384r1_uint1 x1115; -- uint32_t x1116; -- fiat_secp384r1_uint1 x1117; -- uint32_t x1118; -- fiat_secp384r1_uint1 x1119; -- uint32_t x1120; -- fiat_secp384r1_uint1 x1121; -- uint32_t x1122; -- fiat_secp384r1_uint1 x1123; -- uint32_t x1124; -- fiat_secp384r1_uint1 x1125; -- uint32_t x1126; -- fiat_secp384r1_uint1 x1127; -- uint32_t x1128; -- uint32_t x1129; -- fiat_secp384r1_uint1 x1130; -- uint32_t x1131; -- fiat_secp384r1_uint1 x1132; -- uint32_t x1133; -- fiat_secp384r1_uint1 x1134; -- uint32_t x1135; -- fiat_secp384r1_uint1 x1136; -- uint32_t x1137; -- fiat_secp384r1_uint1 x1138; -- uint32_t x1139; -- fiat_secp384r1_uint1 x1140; -- uint32_t x1141; -- fiat_secp384r1_uint1 x1142; -- uint32_t x1143; -- fiat_secp384r1_uint1 x1144; -- uint32_t x1145; -- fiat_secp384r1_uint1 x1146; -- uint32_t x1147; -- fiat_secp384r1_uint1 x1148; -- uint32_t x1149; -- fiat_secp384r1_uint1 x1150; -- uint32_t x1151; -- fiat_secp384r1_uint1 x1152; -- uint32_t x1153; -- fiat_secp384r1_uint1 x1154; -- uint32_t x1155; -- uint32_t x1156; -- uint32_t x1157; -- uint32_t x1158; -- uint32_t x1159; -- uint32_t x1160; -- uint32_t x1161; -- uint32_t x1162; -- uint32_t x1163; -- uint32_t x1164; -- uint32_t x1165; 
-- uint32_t x1166; -- uint32_t x1167; -- uint32_t x1168; -- uint32_t x1169; -- uint32_t x1170; -- uint32_t x1171; -- uint32_t x1172; -- uint32_t x1173; -- uint32_t x1174; -- uint32_t x1175; -- fiat_secp384r1_uint1 x1176; -- uint32_t x1177; -- fiat_secp384r1_uint1 x1178; -- uint32_t x1179; -- fiat_secp384r1_uint1 x1180; -- uint32_t x1181; -- fiat_secp384r1_uint1 x1182; -- uint32_t x1183; -- fiat_secp384r1_uint1 x1184; -- uint32_t x1185; -- fiat_secp384r1_uint1 x1186; -- uint32_t x1187; -- fiat_secp384r1_uint1 x1188; -- uint32_t x1189; -- fiat_secp384r1_uint1 x1190; -- uint32_t x1191; -- uint32_t x1192; -- fiat_secp384r1_uint1 x1193; -- uint32_t x1194; -- fiat_secp384r1_uint1 x1195; -- uint32_t x1196; -- fiat_secp384r1_uint1 x1197; -- uint32_t x1198; -- fiat_secp384r1_uint1 x1199; -- uint32_t x1200; -- fiat_secp384r1_uint1 x1201; -- uint32_t x1202; -- fiat_secp384r1_uint1 x1203; -- uint32_t x1204; -- fiat_secp384r1_uint1 x1205; -- uint32_t x1206; -- fiat_secp384r1_uint1 x1207; -- uint32_t x1208; -- fiat_secp384r1_uint1 x1209; -- uint32_t x1210; -- fiat_secp384r1_uint1 x1211; -- uint32_t x1212; -- fiat_secp384r1_uint1 x1213; -- uint32_t x1214; -- fiat_secp384r1_uint1 x1215; -- uint32_t x1216; -- fiat_secp384r1_uint1 x1217; -- uint32_t x1218; -- uint32_t x1219; -- uint32_t x1220; -- uint32_t x1221; -- uint32_t x1222; -- uint32_t x1223; -- uint32_t x1224; -- uint32_t x1225; -- uint32_t x1226; -- uint32_t x1227; -- uint32_t x1228; -- uint32_t x1229; -- uint32_t x1230; -- uint32_t x1231; -- uint32_t x1232; -- uint32_t x1233; -- uint32_t x1234; -- uint32_t x1235; -- uint32_t x1236; -- uint32_t x1237; -- uint32_t x1238; -- uint32_t x1239; -- uint32_t x1240; -- uint32_t x1241; -- uint32_t x1242; -- uint32_t x1243; -- fiat_secp384r1_uint1 x1244; -- uint32_t x1245; -- fiat_secp384r1_uint1 x1246; -- uint32_t x1247; -- fiat_secp384r1_uint1 x1248; -- uint32_t x1249; -- fiat_secp384r1_uint1 x1250; -- uint32_t x1251; -- fiat_secp384r1_uint1 x1252; -- uint32_t x1253; -- 
fiat_secp384r1_uint1 x1254; -- uint32_t x1255; -- fiat_secp384r1_uint1 x1256; -- uint32_t x1257; -- fiat_secp384r1_uint1 x1258; -- uint32_t x1259; -- fiat_secp384r1_uint1 x1260; -- uint32_t x1261; -- fiat_secp384r1_uint1 x1262; -- uint32_t x1263; -- fiat_secp384r1_uint1 x1264; -- uint32_t x1265; -- uint32_t x1266; -- fiat_secp384r1_uint1 x1267; -- uint32_t x1268; -- fiat_secp384r1_uint1 x1269; -- uint32_t x1270; -- fiat_secp384r1_uint1 x1271; -- uint32_t x1272; -- fiat_secp384r1_uint1 x1273; -- uint32_t x1274; -- fiat_secp384r1_uint1 x1275; -- uint32_t x1276; -- fiat_secp384r1_uint1 x1277; -- uint32_t x1278; -- fiat_secp384r1_uint1 x1279; -- uint32_t x1280; -- fiat_secp384r1_uint1 x1281; -- uint32_t x1282; -- fiat_secp384r1_uint1 x1283; -- uint32_t x1284; -- fiat_secp384r1_uint1 x1285; -- uint32_t x1286; -- fiat_secp384r1_uint1 x1287; -- uint32_t x1288; -- fiat_secp384r1_uint1 x1289; -- uint32_t x1290; -- fiat_secp384r1_uint1 x1291; -- uint32_t x1292; -- uint32_t x1293; -- uint32_t x1294; -- uint32_t x1295; -- uint32_t x1296; -- uint32_t x1297; -- uint32_t x1298; -- uint32_t x1299; -- uint32_t x1300; -- uint32_t x1301; -- uint32_t x1302; -- uint32_t x1303; -- uint32_t x1304; -- uint32_t x1305; -- uint32_t x1306; -- uint32_t x1307; -- uint32_t x1308; -- uint32_t x1309; -- uint32_t x1310; -- uint32_t x1311; -- uint32_t x1312; -- fiat_secp384r1_uint1 x1313; -- uint32_t x1314; -- fiat_secp384r1_uint1 x1315; -- uint32_t x1316; -- fiat_secp384r1_uint1 x1317; -- uint32_t x1318; -- fiat_secp384r1_uint1 x1319; -- uint32_t x1320; -- fiat_secp384r1_uint1 x1321; -- uint32_t x1322; -- fiat_secp384r1_uint1 x1323; -- uint32_t x1324; -- fiat_secp384r1_uint1 x1325; -- uint32_t x1326; -- fiat_secp384r1_uint1 x1327; -- uint32_t x1328; -- uint32_t x1329; -- fiat_secp384r1_uint1 x1330; -- uint32_t x1331; -- fiat_secp384r1_uint1 x1332; -- uint32_t x1333; -- fiat_secp384r1_uint1 x1334; -- uint32_t x1335; -- fiat_secp384r1_uint1 x1336; -- uint32_t x1337; -- fiat_secp384r1_uint1 x1338; -- 
uint32_t x1339; -- fiat_secp384r1_uint1 x1340; -- uint32_t x1341; -- fiat_secp384r1_uint1 x1342; -- uint32_t x1343; -- fiat_secp384r1_uint1 x1344; -- uint32_t x1345; -- fiat_secp384r1_uint1 x1346; -- uint32_t x1347; -- fiat_secp384r1_uint1 x1348; -- uint32_t x1349; -- fiat_secp384r1_uint1 x1350; -- uint32_t x1351; -- fiat_secp384r1_uint1 x1352; -- uint32_t x1353; -- fiat_secp384r1_uint1 x1354; -- uint32_t x1355; -- uint32_t x1356; -- uint32_t x1357; -- uint32_t x1358; -- uint32_t x1359; -- uint32_t x1360; -- uint32_t x1361; -- uint32_t x1362; -- uint32_t x1363; -- uint32_t x1364; -- uint32_t x1365; -- uint32_t x1366; -- uint32_t x1367; -- uint32_t x1368; -- uint32_t x1369; -- uint32_t x1370; -- uint32_t x1371; -- uint32_t x1372; -- uint32_t x1373; -- uint32_t x1374; -- uint32_t x1375; -- uint32_t x1376; -- uint32_t x1377; -- uint32_t x1378; -- uint32_t x1379; -- uint32_t x1380; -- fiat_secp384r1_uint1 x1381; -- uint32_t x1382; -- fiat_secp384r1_uint1 x1383; -- uint32_t x1384; -- fiat_secp384r1_uint1 x1385; -- uint32_t x1386; -- fiat_secp384r1_uint1 x1387; -- uint32_t x1388; -- fiat_secp384r1_uint1 x1389; -- uint32_t x1390; -- fiat_secp384r1_uint1 x1391; -- uint32_t x1392; -- fiat_secp384r1_uint1 x1393; -- uint32_t x1394; -- fiat_secp384r1_uint1 x1395; -- uint32_t x1396; -- fiat_secp384r1_uint1 x1397; -- uint32_t x1398; -- fiat_secp384r1_uint1 x1399; -- uint32_t x1400; -- fiat_secp384r1_uint1 x1401; -- uint32_t x1402; -- uint32_t x1403; -- fiat_secp384r1_uint1 x1404; -- uint32_t x1405; -- fiat_secp384r1_uint1 x1406; -- uint32_t x1407; -- fiat_secp384r1_uint1 x1408; -- uint32_t x1409; -- fiat_secp384r1_uint1 x1410; -- uint32_t x1411; -- fiat_secp384r1_uint1 x1412; -- uint32_t x1413; -- fiat_secp384r1_uint1 x1414; -- uint32_t x1415; -- fiat_secp384r1_uint1 x1416; -- uint32_t x1417; -- fiat_secp384r1_uint1 x1418; -- uint32_t x1419; -- fiat_secp384r1_uint1 x1420; -- uint32_t x1421; -- fiat_secp384r1_uint1 x1422; -- uint32_t x1423; -- fiat_secp384r1_uint1 x1424; -- 
uint32_t x1425; -- fiat_secp384r1_uint1 x1426; -- uint32_t x1427; -- fiat_secp384r1_uint1 x1428; -- uint32_t x1429; -- uint32_t x1430; -- uint32_t x1431; -- uint32_t x1432; -- uint32_t x1433; -- uint32_t x1434; -- uint32_t x1435; -- uint32_t x1436; -- uint32_t x1437; -- uint32_t x1438; -- uint32_t x1439; -- uint32_t x1440; -- uint32_t x1441; -- uint32_t x1442; -- uint32_t x1443; -- uint32_t x1444; -- uint32_t x1445; -- uint32_t x1446; -- uint32_t x1447; -- uint32_t x1448; -- uint32_t x1449; -- fiat_secp384r1_uint1 x1450; -- uint32_t x1451; -- fiat_secp384r1_uint1 x1452; -- uint32_t x1453; -- fiat_secp384r1_uint1 x1454; -- uint32_t x1455; -- fiat_secp384r1_uint1 x1456; -- uint32_t x1457; -- fiat_secp384r1_uint1 x1458; -- uint32_t x1459; -- fiat_secp384r1_uint1 x1460; -- uint32_t x1461; -- fiat_secp384r1_uint1 x1462; -- uint32_t x1463; -- fiat_secp384r1_uint1 x1464; -- uint32_t x1465; -- uint32_t x1466; -- fiat_secp384r1_uint1 x1467; -- uint32_t x1468; -- fiat_secp384r1_uint1 x1469; -- uint32_t x1470; -- fiat_secp384r1_uint1 x1471; -- uint32_t x1472; -- fiat_secp384r1_uint1 x1473; -- uint32_t x1474; -- fiat_secp384r1_uint1 x1475; -- uint32_t x1476; -- fiat_secp384r1_uint1 x1477; -- uint32_t x1478; -- fiat_secp384r1_uint1 x1479; -- uint32_t x1480; -- fiat_secp384r1_uint1 x1481; -- uint32_t x1482; -- fiat_secp384r1_uint1 x1483; -- uint32_t x1484; -- fiat_secp384r1_uint1 x1485; -- uint32_t x1486; -- fiat_secp384r1_uint1 x1487; -- uint32_t x1488; -- fiat_secp384r1_uint1 x1489; -- uint32_t x1490; -- fiat_secp384r1_uint1 x1491; -- uint32_t x1492; -- uint32_t x1493; -- uint32_t x1494; -- uint32_t x1495; -- uint32_t x1496; -- uint32_t x1497; -- uint32_t x1498; -- uint32_t x1499; -- uint32_t x1500; -- uint32_t x1501; -- uint32_t x1502; -- uint32_t x1503; -- uint32_t x1504; -- uint32_t x1505; -- uint32_t x1506; -- uint32_t x1507; -- uint32_t x1508; -- uint32_t x1509; -- uint32_t x1510; -- uint32_t x1511; -- uint32_t x1512; -- uint32_t x1513; -- uint32_t x1514; -- uint32_t 
x1515; -- uint32_t x1516; -- uint32_t x1517; -- fiat_secp384r1_uint1 x1518; -- uint32_t x1519; -- fiat_secp384r1_uint1 x1520; -- uint32_t x1521; -- fiat_secp384r1_uint1 x1522; -- uint32_t x1523; -- fiat_secp384r1_uint1 x1524; -- uint32_t x1525; -- fiat_secp384r1_uint1 x1526; -- uint32_t x1527; -- fiat_secp384r1_uint1 x1528; -- uint32_t x1529; -- fiat_secp384r1_uint1 x1530; -- uint32_t x1531; -- fiat_secp384r1_uint1 x1532; -- uint32_t x1533; -- fiat_secp384r1_uint1 x1534; -- uint32_t x1535; -- fiat_secp384r1_uint1 x1536; -- uint32_t x1537; -- fiat_secp384r1_uint1 x1538; -- uint32_t x1539; -- uint32_t x1540; -- fiat_secp384r1_uint1 x1541; -- uint32_t x1542; -- fiat_secp384r1_uint1 x1543; -- uint32_t x1544; -- fiat_secp384r1_uint1 x1545; -- uint32_t x1546; -- fiat_secp384r1_uint1 x1547; -- uint32_t x1548; -- fiat_secp384r1_uint1 x1549; -- uint32_t x1550; -- fiat_secp384r1_uint1 x1551; -- uint32_t x1552; -- fiat_secp384r1_uint1 x1553; -- uint32_t x1554; -- fiat_secp384r1_uint1 x1555; -- uint32_t x1556; -- fiat_secp384r1_uint1 x1557; -- uint32_t x1558; -- fiat_secp384r1_uint1 x1559; -- uint32_t x1560; -- fiat_secp384r1_uint1 x1561; -- uint32_t x1562; -- fiat_secp384r1_uint1 x1563; -- uint32_t x1564; -- fiat_secp384r1_uint1 x1565; -- uint32_t x1566; -- uint32_t x1567; -- uint32_t x1568; -- uint32_t x1569; -- uint32_t x1570; -- uint32_t x1571; -- uint32_t x1572; -- uint32_t x1573; -- uint32_t x1574; -- uint32_t x1575; -- uint32_t x1576; -- uint32_t x1577; -- uint32_t x1578; -- uint32_t x1579; -- uint32_t x1580; -- uint32_t x1581; -- uint32_t x1582; -- uint32_t x1583; -- uint32_t x1584; -- uint32_t x1585; -- uint32_t x1586; -- fiat_secp384r1_uint1 x1587; -- uint32_t x1588; -- fiat_secp384r1_uint1 x1589; -- uint32_t x1590; -- fiat_secp384r1_uint1 x1591; -- uint32_t x1592; -- fiat_secp384r1_uint1 x1593; -- uint32_t x1594; -- fiat_secp384r1_uint1 x1595; -- uint32_t x1596; -- fiat_secp384r1_uint1 x1597; -- uint32_t x1598; -- fiat_secp384r1_uint1 x1599; -- uint32_t x1600; -- 
fiat_secp384r1_uint1 x1601; -- uint32_t x1602; -- uint32_t x1603; -- fiat_secp384r1_uint1 x1604; -- uint32_t x1605; -- fiat_secp384r1_uint1 x1606; -- uint32_t x1607; -- fiat_secp384r1_uint1 x1608; -- uint32_t x1609; -- fiat_secp384r1_uint1 x1610; -- uint32_t x1611; -- fiat_secp384r1_uint1 x1612; -- uint32_t x1613; -- fiat_secp384r1_uint1 x1614; -- uint32_t x1615; -- fiat_secp384r1_uint1 x1616; -- uint32_t x1617; -- fiat_secp384r1_uint1 x1618; -- uint32_t x1619; -- fiat_secp384r1_uint1 x1620; -- uint32_t x1621; -- fiat_secp384r1_uint1 x1622; -- uint32_t x1623; -- fiat_secp384r1_uint1 x1624; -- uint32_t x1625; -- fiat_secp384r1_uint1 x1626; -- uint32_t x1627; -- fiat_secp384r1_uint1 x1628; -- uint32_t x1629; -- uint32_t x1630; -- fiat_secp384r1_uint1 x1631; -- uint32_t x1632; -- fiat_secp384r1_uint1 x1633; -- uint32_t x1634; -- fiat_secp384r1_uint1 x1635; -- uint32_t x1636; -- fiat_secp384r1_uint1 x1637; -- uint32_t x1638; -- fiat_secp384r1_uint1 x1639; -- uint32_t x1640; -- fiat_secp384r1_uint1 x1641; -- uint32_t x1642; -- fiat_secp384r1_uint1 x1643; -- uint32_t x1644; -- fiat_secp384r1_uint1 x1645; -- uint32_t x1646; -- fiat_secp384r1_uint1 x1647; -- uint32_t x1648; -- fiat_secp384r1_uint1 x1649; -- uint32_t x1650; -- fiat_secp384r1_uint1 x1651; -- uint32_t x1652; -- fiat_secp384r1_uint1 x1653; -- uint32_t x1654; -- fiat_secp384r1_uint1 x1655; -- uint32_t x1656; -- uint32_t x1657; -- uint32_t x1658; -- uint32_t x1659; -- uint32_t x1660; -- uint32_t x1661; -- uint32_t x1662; -- uint32_t x1663; -- uint32_t x1664; -- uint32_t x1665; -- uint32_t x1666; -- uint32_t x1667; -- x1 = (arg1[1]); -- x2 = (arg1[2]); -- x3 = (arg1[3]); -- x4 = (arg1[4]); -- x5 = (arg1[5]); -- x6 = (arg1[6]); -- x7 = (arg1[7]); -- x8 = (arg1[8]); -- x9 = (arg1[9]); -- x10 = (arg1[10]); -- x11 = (arg1[11]); -- x12 = (arg1[0]); -- fiat_secp384r1_mulx_u32(&x13, &x14, x12, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x15, &x16, x12, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x17, &x18, x12, (arg2[9])); -- 
fiat_secp384r1_mulx_u32(&x19, &x20, x12, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x21, &x22, x12, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x23, &x24, x12, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x25, &x26, x12, (arg2[5])); -- fiat_secp384r1_mulx_u32(&x27, &x28, x12, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x29, &x30, x12, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x31, &x32, x12, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x33, &x34, x12, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x35, &x36, x12, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x37, &x38, 0x0, x36, x33); -- fiat_secp384r1_addcarryx_u32(&x39, &x40, x38, x34, x31); -- fiat_secp384r1_addcarryx_u32(&x41, &x42, x40, x32, x29); -- fiat_secp384r1_addcarryx_u32(&x43, &x44, x42, x30, x27); -- fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x28, x25); -- fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x26, x23); -- fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x24, x21); -- fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x22, x19); -- fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x20, x17); -- fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x18, x15); -- fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x16, x13); -- x59 = (x58 + x14); -- fiat_secp384r1_mulx_u32(&x60, &x61, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x62, &x63, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x64, &x65, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x66, &x67, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x68, &x69, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x70, &x71, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x72, &x73, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x74, &x75, x35, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x76, &x77, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x78, &x79, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x80, &x81, 0x0, x77, x74); -- fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x75, x72); -- 
fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x73, x70); -- fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x71, x68); -- fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x69, x66); -- fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x67, x64); -- fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x65, x62); -- fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x63, x60); -- x96 = (x95 + x61); -- fiat_secp384r1_addcarryx_u32(&x97, &x98, 0x0, x35, x78); -- fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x37, x79); -- fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x39, 0x0); -- fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x41, x76); -- fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x43, x80); -- fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x45, x82); -- fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x47, x84); -- fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x49, x86); -- fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x51, x88); -- fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x53, x90); -- fiat_secp384r1_addcarryx_u32(&x117, &x118, x116, x55, x92); -- fiat_secp384r1_addcarryx_u32(&x119, &x120, x118, x57, x94); -- fiat_secp384r1_addcarryx_u32(&x121, &x122, x120, x59, x96); -- fiat_secp384r1_mulx_u32(&x123, &x124, x1, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x125, &x126, x1, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x127, &x128, x1, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x129, &x130, x1, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x131, &x132, x1, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x133, &x134, x1, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x135, &x136, x1, (arg2[5])); -- fiat_secp384r1_mulx_u32(&x137, &x138, x1, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x139, &x140, x1, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x141, &x142, x1, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x143, &x144, x1, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x145, &x146, x1, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x147, &x148, 0x0, x146, x143); -- fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, 
x144, x141); -- fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x142, x139); -- fiat_secp384r1_addcarryx_u32(&x153, &x154, x152, x140, x137); -- fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x138, x135); -- fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x136, x133); -- fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x134, x131); -- fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x132, x129); -- fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x130, x127); -- fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x128, x125); -- fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x126, x123); -- x169 = (x168 + x124); -- fiat_secp384r1_addcarryx_u32(&x170, &x171, 0x0, x99, x145); -- fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x101, x147); -- fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x103, x149); -- fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x105, x151); -- fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x107, x153); -- fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x109, x155); -- fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x111, x157); -- fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x113, x159); -- fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x115, x161); -- fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, x117, x163); -- fiat_secp384r1_addcarryx_u32(&x190, &x191, x189, x119, x165); -- fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x121, x167); -- fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x122, x169); -- fiat_secp384r1_mulx_u32(&x196, &x197, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x198, &x199, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x200, &x201, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x202, &x203, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x204, &x205, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x206, &x207, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x208, &x209, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x210, &x211, 
x170, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x212, &x213, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x214, &x215, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x216, &x217, 0x0, x213, x210); -- fiat_secp384r1_addcarryx_u32(&x218, &x219, x217, x211, x208); -- fiat_secp384r1_addcarryx_u32(&x220, &x221, x219, x209, x206); -- fiat_secp384r1_addcarryx_u32(&x222, &x223, x221, x207, x204); -- fiat_secp384r1_addcarryx_u32(&x224, &x225, x223, x205, x202); -- fiat_secp384r1_addcarryx_u32(&x226, &x227, x225, x203, x200); -- fiat_secp384r1_addcarryx_u32(&x228, &x229, x227, x201, x198); -- fiat_secp384r1_addcarryx_u32(&x230, &x231, x229, x199, x196); -- x232 = (x231 + x197); -- fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x170, x214); -- fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x172, x215); -- fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x174, 0x0); -- fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x176, x212); -- fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x178, x216); -- fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x180, x218); -- fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x182, x220); -- fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x184, x222); -- fiat_secp384r1_addcarryx_u32(&x249, &x250, x248, x186, x224); -- fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x188, x226); -- fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x190, x228); -- fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x192, x230); -- fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x194, x232); -- x259 = ((uint32_t)x258 + x195); -- fiat_secp384r1_mulx_u32(&x260, &x261, x2, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x262, &x263, x2, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x264, &x265, x2, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x266, &x267, x2, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x268, &x269, x2, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x270, &x271, x2, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x272, &x273, x2, (arg2[5])); -- 
fiat_secp384r1_mulx_u32(&x274, &x275, x2, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x276, &x277, x2, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x278, &x279, x2, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x280, &x281, x2, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x282, &x283, x2, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x284, &x285, 0x0, x283, x280); -- fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x281, x278); -- fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x279, x276); -- fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x277, x274); -- fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x275, x272); -- fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x273, x270); -- fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x271, x268); -- fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x269, x266); -- fiat_secp384r1_addcarryx_u32(&x300, &x301, x299, x267, x264); -- fiat_secp384r1_addcarryx_u32(&x302, &x303, x301, x265, x262); -- fiat_secp384r1_addcarryx_u32(&x304, &x305, x303, x263, x260); -- x306 = (x305 + x261); -- fiat_secp384r1_addcarryx_u32(&x307, &x308, 0x0, x235, x282); -- fiat_secp384r1_addcarryx_u32(&x309, &x310, x308, x237, x284); -- fiat_secp384r1_addcarryx_u32(&x311, &x312, x310, x239, x286); -- fiat_secp384r1_addcarryx_u32(&x313, &x314, x312, x241, x288); -- fiat_secp384r1_addcarryx_u32(&x315, &x316, x314, x243, x290); -- fiat_secp384r1_addcarryx_u32(&x317, &x318, x316, x245, x292); -- fiat_secp384r1_addcarryx_u32(&x319, &x320, x318, x247, x294); -- fiat_secp384r1_addcarryx_u32(&x321, &x322, x320, x249, x296); -- fiat_secp384r1_addcarryx_u32(&x323, &x324, x322, x251, x298); -- fiat_secp384r1_addcarryx_u32(&x325, &x326, x324, x253, x300); -- fiat_secp384r1_addcarryx_u32(&x327, &x328, x326, x255, x302); -- fiat_secp384r1_addcarryx_u32(&x329, &x330, x328, x257, x304); -- fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x259, x306); -- fiat_secp384r1_mulx_u32(&x333, &x334, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x335, &x336, x307, 
UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x337, &x338, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x339, &x340, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x341, &x342, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x343, &x344, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x345, &x346, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x347, &x348, x307, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x349, &x350, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x351, &x352, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x353, &x354, 0x0, x350, x347); -- fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x348, x345); -- fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x346, x343); -- fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x344, x341); -- fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x342, x339); -- fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x340, x337); -- fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x338, x335); -- fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x336, x333); -- x369 = (x368 + x334); -- fiat_secp384r1_addcarryx_u32(&x370, &x371, 0x0, x307, x351); -- fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x309, x352); -- fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x311, 0x0); -- fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x313, x349); -- fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x315, x353); -- fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x317, x355); -- fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x319, x357); -- fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x321, x359); -- fiat_secp384r1_addcarryx_u32(&x386, &x387, x385, x323, x361); -- fiat_secp384r1_addcarryx_u32(&x388, &x389, x387, x325, x363); -- fiat_secp384r1_addcarryx_u32(&x390, &x391, x389, x327, x365); -- fiat_secp384r1_addcarryx_u32(&x392, &x393, x391, x329, x367); -- fiat_secp384r1_addcarryx_u32(&x394, &x395, x393, x331, x369); -- x396 = ((uint32_t)x395 + 
x332); -- fiat_secp384r1_mulx_u32(&x397, &x398, x3, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x399, &x400, x3, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x401, &x402, x3, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x403, &x404, x3, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x405, &x406, x3, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x407, &x408, x3, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x409, &x410, x3, (arg2[5])); -- fiat_secp384r1_mulx_u32(&x411, &x412, x3, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x413, &x414, x3, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x415, &x416, x3, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x417, &x418, x3, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x419, &x420, x3, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x421, &x422, 0x0, x420, x417); -- fiat_secp384r1_addcarryx_u32(&x423, &x424, x422, x418, x415); -- fiat_secp384r1_addcarryx_u32(&x425, &x426, x424, x416, x413); -- fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x414, x411); -- fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x412, x409); -- fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x410, x407); -- fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x408, x405); -- fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x406, x403); -- fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x404, x401); -- fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x402, x399); -- fiat_secp384r1_addcarryx_u32(&x441, &x442, x440, x400, x397); -- x443 = (x442 + x398); -- fiat_secp384r1_addcarryx_u32(&x444, &x445, 0x0, x372, x419); -- fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, x374, x421); -- fiat_secp384r1_addcarryx_u32(&x448, &x449, x447, x376, x423); -- fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x378, x425); -- fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x380, x427); -- fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x382, x429); -- fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x384, x431); -- fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x386, x433); -- fiat_secp384r1_addcarryx_u32(&x460, &x461, 
x459, x388, x435); -- fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, x390, x437); -- fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x392, x439); -- fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x394, x441); -- fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x396, x443); -- fiat_secp384r1_mulx_u32(&x470, &x471, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x472, &x473, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x474, &x475, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x476, &x477, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x478, &x479, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x480, &x481, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x482, &x483, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x484, &x485, x444, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x486, &x487, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x488, &x489, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x490, &x491, 0x0, x487, x484); -- fiat_secp384r1_addcarryx_u32(&x492, &x493, x491, x485, x482); -- fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x483, x480); -- fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x481, x478); -- fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x479, x476); -- fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x477, x474); -- fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x475, x472); -- fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x473, x470); -- x506 = (x505 + x471); -- fiat_secp384r1_addcarryx_u32(&x507, &x508, 0x0, x444, x488); -- fiat_secp384r1_addcarryx_u32(&x509, &x510, x508, x446, x489); -- fiat_secp384r1_addcarryx_u32(&x511, &x512, x510, x448, 0x0); -- fiat_secp384r1_addcarryx_u32(&x513, &x514, x512, x450, x486); -- fiat_secp384r1_addcarryx_u32(&x515, &x516, x514, x452, x490); -- fiat_secp384r1_addcarryx_u32(&x517, &x518, x516, x454, x492); -- fiat_secp384r1_addcarryx_u32(&x519, &x520, x518, x456, x494); -- 
fiat_secp384r1_addcarryx_u32(&x521, &x522, x520, x458, x496); -- fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x460, x498); -- fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x462, x500); -- fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x464, x502); -- fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x466, x504); -- fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x468, x506); -- x533 = ((uint32_t)x532 + x469); -- fiat_secp384r1_mulx_u32(&x534, &x535, x4, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x536, &x537, x4, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x538, &x539, x4, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x540, &x541, x4, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x542, &x543, x4, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x544, &x545, x4, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x546, &x547, x4, (arg2[5])); -- fiat_secp384r1_mulx_u32(&x548, &x549, x4, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x550, &x551, x4, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x552, &x553, x4, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x554, &x555, x4, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x556, &x557, x4, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x558, &x559, 0x0, x557, x554); -- fiat_secp384r1_addcarryx_u32(&x560, &x561, x559, x555, x552); -- fiat_secp384r1_addcarryx_u32(&x562, &x563, x561, x553, x550); -- fiat_secp384r1_addcarryx_u32(&x564, &x565, x563, x551, x548); -- fiat_secp384r1_addcarryx_u32(&x566, &x567, x565, x549, x546); -- fiat_secp384r1_addcarryx_u32(&x568, &x569, x567, x547, x544); -- fiat_secp384r1_addcarryx_u32(&x570, &x571, x569, x545, x542); -- fiat_secp384r1_addcarryx_u32(&x572, &x573, x571, x543, x540); -- fiat_secp384r1_addcarryx_u32(&x574, &x575, x573, x541, x538); -- fiat_secp384r1_addcarryx_u32(&x576, &x577, x575, x539, x536); -- fiat_secp384r1_addcarryx_u32(&x578, &x579, x577, x537, x534); -- x580 = (x579 + x535); -- fiat_secp384r1_addcarryx_u32(&x581, &x582, 0x0, x509, x556); -- fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x511, x558); -- 
fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x513, x560); -- fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x515, x562); -- fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x517, x564); -- fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x519, x566); -- fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x521, x568); -- fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x523, x570); -- fiat_secp384r1_addcarryx_u32(&x597, &x598, x596, x525, x572); -- fiat_secp384r1_addcarryx_u32(&x599, &x600, x598, x527, x574); -- fiat_secp384r1_addcarryx_u32(&x601, &x602, x600, x529, x576); -- fiat_secp384r1_addcarryx_u32(&x603, &x604, x602, x531, x578); -- fiat_secp384r1_addcarryx_u32(&x605, &x606, x604, x533, x580); -- fiat_secp384r1_mulx_u32(&x607, &x608, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x609, &x610, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x611, &x612, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x613, &x614, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x615, &x616, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x617, &x618, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x619, &x620, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x621, &x622, x581, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x623, &x624, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x625, &x626, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x627, &x628, 0x0, x624, x621); -- fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x622, x619); -- fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x620, x617); -- fiat_secp384r1_addcarryx_u32(&x633, &x634, x632, x618, x615); -- fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x616, x613); -- fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x614, x611); -- fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x612, x609); -- fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x610, x607); -- x643 = (x642 + x608); -- fiat_secp384r1_addcarryx_u32(&x644, 
&x645, 0x0, x581, x625); -- fiat_secp384r1_addcarryx_u32(&x646, &x647, x645, x583, x626); -- fiat_secp384r1_addcarryx_u32(&x648, &x649, x647, x585, 0x0); -- fiat_secp384r1_addcarryx_u32(&x650, &x651, x649, x587, x623); -- fiat_secp384r1_addcarryx_u32(&x652, &x653, x651, x589, x627); -- fiat_secp384r1_addcarryx_u32(&x654, &x655, x653, x591, x629); -- fiat_secp384r1_addcarryx_u32(&x656, &x657, x655, x593, x631); -- fiat_secp384r1_addcarryx_u32(&x658, &x659, x657, x595, x633); -- fiat_secp384r1_addcarryx_u32(&x660, &x661, x659, x597, x635); -- fiat_secp384r1_addcarryx_u32(&x662, &x663, x661, x599, x637); -- fiat_secp384r1_addcarryx_u32(&x664, &x665, x663, x601, x639); -- fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x603, x641); -- fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x605, x643); -- x670 = ((uint32_t)x669 + x606); -- fiat_secp384r1_mulx_u32(&x671, &x672, x5, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x673, &x674, x5, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x675, &x676, x5, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x677, &x678, x5, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x679, &x680, x5, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x681, &x682, x5, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x683, &x684, x5, (arg2[5])); -- fiat_secp384r1_mulx_u32(&x685, &x686, x5, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x687, &x688, x5, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x689, &x690, x5, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x691, &x692, x5, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x693, &x694, x5, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x695, &x696, 0x0, x694, x691); -- fiat_secp384r1_addcarryx_u32(&x697, &x698, x696, x692, x689); -- fiat_secp384r1_addcarryx_u32(&x699, &x700, x698, x690, x687); -- fiat_secp384r1_addcarryx_u32(&x701, &x702, x700, x688, x685); -- fiat_secp384r1_addcarryx_u32(&x703, &x704, x702, x686, x683); -- fiat_secp384r1_addcarryx_u32(&x705, &x706, x704, x684, x681); -- fiat_secp384r1_addcarryx_u32(&x707, &x708, x706, x682, x679); -- 
fiat_secp384r1_addcarryx_u32(&x709, &x710, x708, x680, x677); -- fiat_secp384r1_addcarryx_u32(&x711, &x712, x710, x678, x675); -- fiat_secp384r1_addcarryx_u32(&x713, &x714, x712, x676, x673); -- fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x674, x671); -- x717 = (x716 + x672); -- fiat_secp384r1_addcarryx_u32(&x718, &x719, 0x0, x646, x693); -- fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x648, x695); -- fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x650, x697); -- fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x652, x699); -- fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x654, x701); -- fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x656, x703); -- fiat_secp384r1_addcarryx_u32(&x730, &x731, x729, x658, x705); -- fiat_secp384r1_addcarryx_u32(&x732, &x733, x731, x660, x707); -- fiat_secp384r1_addcarryx_u32(&x734, &x735, x733, x662, x709); -- fiat_secp384r1_addcarryx_u32(&x736, &x737, x735, x664, x711); -- fiat_secp384r1_addcarryx_u32(&x738, &x739, x737, x666, x713); -- fiat_secp384r1_addcarryx_u32(&x740, &x741, x739, x668, x715); -- fiat_secp384r1_addcarryx_u32(&x742, &x743, x741, x670, x717); -- fiat_secp384r1_mulx_u32(&x744, &x745, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x746, &x747, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x748, &x749, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x750, &x751, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x752, &x753, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x754, &x755, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x756, &x757, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x758, &x759, x718, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x760, &x761, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x762, &x763, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x764, &x765, 0x0, x761, x758); -- fiat_secp384r1_addcarryx_u32(&x766, &x767, x765, x759, x756); -- fiat_secp384r1_addcarryx_u32(&x768, 
&x769, x767, x757, x754); -- fiat_secp384r1_addcarryx_u32(&x770, &x771, x769, x755, x752); -- fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x753, x750); -- fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x751, x748); -- fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x749, x746); -- fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x747, x744); -- x780 = (x779 + x745); -- fiat_secp384r1_addcarryx_u32(&x781, &x782, 0x0, x718, x762); -- fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x720, x763); -- fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x722, 0x0); -- fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x724, x760); -- fiat_secp384r1_addcarryx_u32(&x789, &x790, x788, x726, x764); -- fiat_secp384r1_addcarryx_u32(&x791, &x792, x790, x728, x766); -- fiat_secp384r1_addcarryx_u32(&x793, &x794, x792, x730, x768); -- fiat_secp384r1_addcarryx_u32(&x795, &x796, x794, x732, x770); -- fiat_secp384r1_addcarryx_u32(&x797, &x798, x796, x734, x772); -- fiat_secp384r1_addcarryx_u32(&x799, &x800, x798, x736, x774); -- fiat_secp384r1_addcarryx_u32(&x801, &x802, x800, x738, x776); -- fiat_secp384r1_addcarryx_u32(&x803, &x804, x802, x740, x778); -- fiat_secp384r1_addcarryx_u32(&x805, &x806, x804, x742, x780); -- x807 = ((uint32_t)x806 + x743); -- fiat_secp384r1_mulx_u32(&x808, &x809, x6, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x810, &x811, x6, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x812, &x813, x6, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x814, &x815, x6, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x816, &x817, x6, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x818, &x819, x6, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x820, &x821, x6, (arg2[5])); -- fiat_secp384r1_mulx_u32(&x822, &x823, x6, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x824, &x825, x6, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x826, &x827, x6, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x828, &x829, x6, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x830, &x831, x6, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x832, &x833, 0x0, x831, 
x828); -- fiat_secp384r1_addcarryx_u32(&x834, &x835, x833, x829, x826); -- fiat_secp384r1_addcarryx_u32(&x836, &x837, x835, x827, x824); -- fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x825, x822); -- fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x823, x820); -- fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x821, x818); -- fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x819, x816); -- fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x817, x814); -- fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x815, x812); -- fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x813, x810); -- fiat_secp384r1_addcarryx_u32(&x852, &x853, x851, x811, x808); -- x854 = (x853 + x809); -- fiat_secp384r1_addcarryx_u32(&x855, &x856, 0x0, x783, x830); -- fiat_secp384r1_addcarryx_u32(&x857, &x858, x856, x785, x832); -- fiat_secp384r1_addcarryx_u32(&x859, &x860, x858, x787, x834); -- fiat_secp384r1_addcarryx_u32(&x861, &x862, x860, x789, x836); -- fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x791, x838); -- fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x793, x840); -- fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x795, x842); -- fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x797, x844); -- fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x799, x846); -- fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x801, x848); -- fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x803, x850); -- fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x805, x852); -- fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x807, x854); -- fiat_secp384r1_mulx_u32(&x881, &x882, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x883, &x884, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x885, &x886, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x887, &x888, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x889, &x890, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x891, &x892, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x893, &x894, x855, 
UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x895, &x896, x855, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x897, &x898, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x899, &x900, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x901, &x902, 0x0, x898, x895); -- fiat_secp384r1_addcarryx_u32(&x903, &x904, x902, x896, x893); -- fiat_secp384r1_addcarryx_u32(&x905, &x906, x904, x894, x891); -- fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x892, x889); -- fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x890, x887); -- fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x888, x885); -- fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x886, x883); -- fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x884, x881); -- x917 = (x916 + x882); -- fiat_secp384r1_addcarryx_u32(&x918, &x919, 0x0, x855, x899); -- fiat_secp384r1_addcarryx_u32(&x920, &x921, x919, x857, x900); -- fiat_secp384r1_addcarryx_u32(&x922, &x923, x921, x859, 0x0); -- fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x861, x897); -- fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x863, x901); -- fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x865, x903); -- fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x867, x905); -- fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x869, x907); -- fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x871, x909); -- fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x873, x911); -- fiat_secp384r1_addcarryx_u32(&x938, &x939, x937, x875, x913); -- fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x877, x915); -- fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x879, x917); -- x944 = ((uint32_t)x943 + x880); -- fiat_secp384r1_mulx_u32(&x945, &x946, x7, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x947, &x948, x7, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x949, &x950, x7, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x951, &x952, x7, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x953, &x954, x7, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x955, &x956, x7, (arg2[6])); 
-- fiat_secp384r1_mulx_u32(&x957, &x958, x7, (arg2[5])); -- fiat_secp384r1_mulx_u32(&x959, &x960, x7, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x961, &x962, x7, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x963, &x964, x7, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x965, &x966, x7, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x967, &x968, x7, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x969, &x970, 0x0, x968, x965); -- fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x966, x963); -- fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x964, x961); -- fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x962, x959); -- fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x960, x957); -- fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x958, x955); -- fiat_secp384r1_addcarryx_u32(&x981, &x982, x980, x956, x953); -- fiat_secp384r1_addcarryx_u32(&x983, &x984, x982, x954, x951); -- fiat_secp384r1_addcarryx_u32(&x985, &x986, x984, x952, x949); -- fiat_secp384r1_addcarryx_u32(&x987, &x988, x986, x950, x947); -- fiat_secp384r1_addcarryx_u32(&x989, &x990, x988, x948, x945); -- x991 = (x990 + x946); -- fiat_secp384r1_addcarryx_u32(&x992, &x993, 0x0, x920, x967); -- fiat_secp384r1_addcarryx_u32(&x994, &x995, x993, x922, x969); -- fiat_secp384r1_addcarryx_u32(&x996, &x997, x995, x924, x971); -- fiat_secp384r1_addcarryx_u32(&x998, &x999, x997, x926, x973); -- fiat_secp384r1_addcarryx_u32(&x1000, &x1001, x999, x928, x975); -- fiat_secp384r1_addcarryx_u32(&x1002, &x1003, x1001, x930, x977); -- fiat_secp384r1_addcarryx_u32(&x1004, &x1005, x1003, x932, x979); -- fiat_secp384r1_addcarryx_u32(&x1006, &x1007, x1005, x934, x981); -- fiat_secp384r1_addcarryx_u32(&x1008, &x1009, x1007, x936, x983); -- fiat_secp384r1_addcarryx_u32(&x1010, &x1011, x1009, x938, x985); -- fiat_secp384r1_addcarryx_u32(&x1012, &x1013, x1011, x940, x987); -- fiat_secp384r1_addcarryx_u32(&x1014, &x1015, x1013, x942, x989); -- fiat_secp384r1_addcarryx_u32(&x1016, &x1017, x1015, x944, x991); -- fiat_secp384r1_mulx_u32(&x1018, &x1019, x992, 
UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1020, &x1021, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1022, &x1023, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1024, &x1025, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1026, &x1027, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1028, &x1029, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1030, &x1031, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1032, &x1033, x992, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x1034, &x1035, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1036, &x1037, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x1038, &x1039, 0x0, x1035, x1032); -- fiat_secp384r1_addcarryx_u32(&x1040, &x1041, x1039, x1033, x1030); -- fiat_secp384r1_addcarryx_u32(&x1042, &x1043, x1041, x1031, x1028); -- fiat_secp384r1_addcarryx_u32(&x1044, &x1045, x1043, x1029, x1026); -- fiat_secp384r1_addcarryx_u32(&x1046, &x1047, x1045, x1027, x1024); -- fiat_secp384r1_addcarryx_u32(&x1048, &x1049, x1047, x1025, x1022); -- fiat_secp384r1_addcarryx_u32(&x1050, &x1051, x1049, x1023, x1020); -- fiat_secp384r1_addcarryx_u32(&x1052, &x1053, x1051, x1021, x1018); -- x1054 = (x1053 + x1019); -- fiat_secp384r1_addcarryx_u32(&x1055, &x1056, 0x0, x992, x1036); -- fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x994, x1037); -- fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x996, 0x0); -- fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x998, x1034); -- fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1000, x1038); -- fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1002, x1040); -- fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1004, x1042); -- fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1006, x1044); -- fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1008, x1046); -- fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1010, x1048); -- fiat_secp384r1_addcarryx_u32(&x1075, &x1076, 
x1074, x1012, x1050); -- fiat_secp384r1_addcarryx_u32(&x1077, &x1078, x1076, x1014, x1052); -- fiat_secp384r1_addcarryx_u32(&x1079, &x1080, x1078, x1016, x1054); -- x1081 = ((uint32_t)x1080 + x1017); -- fiat_secp384r1_mulx_u32(&x1082, &x1083, x8, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x1084, &x1085, x8, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x1086, &x1087, x8, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x1088, &x1089, x8, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x1090, &x1091, x8, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x1092, &x1093, x8, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x1094, &x1095, x8, (arg2[5])); -- fiat_secp384r1_mulx_u32(&x1096, &x1097, x8, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x1098, &x1099, x8, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x1100, &x1101, x8, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x1102, &x1103, x8, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x1104, &x1105, x8, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x1106, &x1107, 0x0, x1105, x1102); -- fiat_secp384r1_addcarryx_u32(&x1108, &x1109, x1107, x1103, x1100); -- fiat_secp384r1_addcarryx_u32(&x1110, &x1111, x1109, x1101, x1098); -- fiat_secp384r1_addcarryx_u32(&x1112, &x1113, x1111, x1099, x1096); -- fiat_secp384r1_addcarryx_u32(&x1114, &x1115, x1113, x1097, x1094); -- fiat_secp384r1_addcarryx_u32(&x1116, &x1117, x1115, x1095, x1092); -- fiat_secp384r1_addcarryx_u32(&x1118, &x1119, x1117, x1093, x1090); -- fiat_secp384r1_addcarryx_u32(&x1120, &x1121, x1119, x1091, x1088); -- fiat_secp384r1_addcarryx_u32(&x1122, &x1123, x1121, x1089, x1086); -- fiat_secp384r1_addcarryx_u32(&x1124, &x1125, x1123, x1087, x1084); -- fiat_secp384r1_addcarryx_u32(&x1126, &x1127, x1125, x1085, x1082); -- x1128 = (x1127 + x1083); -- fiat_secp384r1_addcarryx_u32(&x1129, &x1130, 0x0, x1057, x1104); -- fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1059, x1106); -- fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1061, x1108); -- fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1063, x1110); -- 
fiat_secp384r1_addcarryx_u32(&x1137, &x1138, x1136, x1065, x1112); -- fiat_secp384r1_addcarryx_u32(&x1139, &x1140, x1138, x1067, x1114); -- fiat_secp384r1_addcarryx_u32(&x1141, &x1142, x1140, x1069, x1116); -- fiat_secp384r1_addcarryx_u32(&x1143, &x1144, x1142, x1071, x1118); -- fiat_secp384r1_addcarryx_u32(&x1145, &x1146, x1144, x1073, x1120); -- fiat_secp384r1_addcarryx_u32(&x1147, &x1148, x1146, x1075, x1122); -- fiat_secp384r1_addcarryx_u32(&x1149, &x1150, x1148, x1077, x1124); -- fiat_secp384r1_addcarryx_u32(&x1151, &x1152, x1150, x1079, x1126); -- fiat_secp384r1_addcarryx_u32(&x1153, &x1154, x1152, x1081, x1128); -- fiat_secp384r1_mulx_u32(&x1155, &x1156, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1157, &x1158, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1159, &x1160, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1161, &x1162, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1163, &x1164, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1165, &x1166, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1167, &x1168, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1169, &x1170, x1129, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x1171, &x1172, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1173, &x1174, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x1175, &x1176, 0x0, x1172, x1169); -- fiat_secp384r1_addcarryx_u32(&x1177, &x1178, x1176, x1170, x1167); -- fiat_secp384r1_addcarryx_u32(&x1179, &x1180, x1178, x1168, x1165); -- fiat_secp384r1_addcarryx_u32(&x1181, &x1182, x1180, x1166, x1163); -- fiat_secp384r1_addcarryx_u32(&x1183, &x1184, x1182, x1164, x1161); -- fiat_secp384r1_addcarryx_u32(&x1185, &x1186, x1184, x1162, x1159); -- fiat_secp384r1_addcarryx_u32(&x1187, &x1188, x1186, x1160, x1157); -- fiat_secp384r1_addcarryx_u32(&x1189, &x1190, x1188, x1158, x1155); -- x1191 = (x1190 + x1156); -- fiat_secp384r1_addcarryx_u32(&x1192, &x1193, 0x0, 
x1129, x1173); -- fiat_secp384r1_addcarryx_u32(&x1194, &x1195, x1193, x1131, x1174); -- fiat_secp384r1_addcarryx_u32(&x1196, &x1197, x1195, x1133, 0x0); -- fiat_secp384r1_addcarryx_u32(&x1198, &x1199, x1197, x1135, x1171); -- fiat_secp384r1_addcarryx_u32(&x1200, &x1201, x1199, x1137, x1175); -- fiat_secp384r1_addcarryx_u32(&x1202, &x1203, x1201, x1139, x1177); -- fiat_secp384r1_addcarryx_u32(&x1204, &x1205, x1203, x1141, x1179); -- fiat_secp384r1_addcarryx_u32(&x1206, &x1207, x1205, x1143, x1181); -- fiat_secp384r1_addcarryx_u32(&x1208, &x1209, x1207, x1145, x1183); -- fiat_secp384r1_addcarryx_u32(&x1210, &x1211, x1209, x1147, x1185); -- fiat_secp384r1_addcarryx_u32(&x1212, &x1213, x1211, x1149, x1187); -- fiat_secp384r1_addcarryx_u32(&x1214, &x1215, x1213, x1151, x1189); -- fiat_secp384r1_addcarryx_u32(&x1216, &x1217, x1215, x1153, x1191); -- x1218 = ((uint32_t)x1217 + x1154); -- fiat_secp384r1_mulx_u32(&x1219, &x1220, x9, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x1221, &x1222, x9, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x1223, &x1224, x9, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x1225, &x1226, x9, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x1227, &x1228, x9, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x1229, &x1230, x9, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x1231, &x1232, x9, (arg2[5])); -- fiat_secp384r1_mulx_u32(&x1233, &x1234, x9, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x1235, &x1236, x9, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x1237, &x1238, x9, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x1239, &x1240, x9, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x1241, &x1242, x9, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x1243, &x1244, 0x0, x1242, x1239); -- fiat_secp384r1_addcarryx_u32(&x1245, &x1246, x1244, x1240, x1237); -- fiat_secp384r1_addcarryx_u32(&x1247, &x1248, x1246, x1238, x1235); -- fiat_secp384r1_addcarryx_u32(&x1249, &x1250, x1248, x1236, x1233); -- fiat_secp384r1_addcarryx_u32(&x1251, &x1252, x1250, x1234, x1231); -- fiat_secp384r1_addcarryx_u32(&x1253, &x1254, 
x1252, x1232, x1229); -- fiat_secp384r1_addcarryx_u32(&x1255, &x1256, x1254, x1230, x1227); -- fiat_secp384r1_addcarryx_u32(&x1257, &x1258, x1256, x1228, x1225); -- fiat_secp384r1_addcarryx_u32(&x1259, &x1260, x1258, x1226, x1223); -- fiat_secp384r1_addcarryx_u32(&x1261, &x1262, x1260, x1224, x1221); -- fiat_secp384r1_addcarryx_u32(&x1263, &x1264, x1262, x1222, x1219); -- x1265 = (x1264 + x1220); -- fiat_secp384r1_addcarryx_u32(&x1266, &x1267, 0x0, x1194, x1241); -- fiat_secp384r1_addcarryx_u32(&x1268, &x1269, x1267, x1196, x1243); -- fiat_secp384r1_addcarryx_u32(&x1270, &x1271, x1269, x1198, x1245); -- fiat_secp384r1_addcarryx_u32(&x1272, &x1273, x1271, x1200, x1247); -- fiat_secp384r1_addcarryx_u32(&x1274, &x1275, x1273, x1202, x1249); -- fiat_secp384r1_addcarryx_u32(&x1276, &x1277, x1275, x1204, x1251); -- fiat_secp384r1_addcarryx_u32(&x1278, &x1279, x1277, x1206, x1253); -- fiat_secp384r1_addcarryx_u32(&x1280, &x1281, x1279, x1208, x1255); -- fiat_secp384r1_addcarryx_u32(&x1282, &x1283, x1281, x1210, x1257); -- fiat_secp384r1_addcarryx_u32(&x1284, &x1285, x1283, x1212, x1259); -- fiat_secp384r1_addcarryx_u32(&x1286, &x1287, x1285, x1214, x1261); -- fiat_secp384r1_addcarryx_u32(&x1288, &x1289, x1287, x1216, x1263); -- fiat_secp384r1_addcarryx_u32(&x1290, &x1291, x1289, x1218, x1265); -- fiat_secp384r1_mulx_u32(&x1292, &x1293, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1294, &x1295, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1296, &x1297, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1298, &x1299, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1300, &x1301, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1302, &x1303, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1304, &x1305, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1306, &x1307, x1266, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x1308, &x1309, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1310, 
&x1311, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x1312, &x1313, 0x0, x1309, x1306); -- fiat_secp384r1_addcarryx_u32(&x1314, &x1315, x1313, x1307, x1304); -- fiat_secp384r1_addcarryx_u32(&x1316, &x1317, x1315, x1305, x1302); -- fiat_secp384r1_addcarryx_u32(&x1318, &x1319, x1317, x1303, x1300); -- fiat_secp384r1_addcarryx_u32(&x1320, &x1321, x1319, x1301, x1298); -- fiat_secp384r1_addcarryx_u32(&x1322, &x1323, x1321, x1299, x1296); -- fiat_secp384r1_addcarryx_u32(&x1324, &x1325, x1323, x1297, x1294); -- fiat_secp384r1_addcarryx_u32(&x1326, &x1327, x1325, x1295, x1292); -- x1328 = (x1327 + x1293); -- fiat_secp384r1_addcarryx_u32(&x1329, &x1330, 0x0, x1266, x1310); -- fiat_secp384r1_addcarryx_u32(&x1331, &x1332, x1330, x1268, x1311); -- fiat_secp384r1_addcarryx_u32(&x1333, &x1334, x1332, x1270, 0x0); -- fiat_secp384r1_addcarryx_u32(&x1335, &x1336, x1334, x1272, x1308); -- fiat_secp384r1_addcarryx_u32(&x1337, &x1338, x1336, x1274, x1312); -- fiat_secp384r1_addcarryx_u32(&x1339, &x1340, x1338, x1276, x1314); -- fiat_secp384r1_addcarryx_u32(&x1341, &x1342, x1340, x1278, x1316); -- fiat_secp384r1_addcarryx_u32(&x1343, &x1344, x1342, x1280, x1318); -- fiat_secp384r1_addcarryx_u32(&x1345, &x1346, x1344, x1282, x1320); -- fiat_secp384r1_addcarryx_u32(&x1347, &x1348, x1346, x1284, x1322); -- fiat_secp384r1_addcarryx_u32(&x1349, &x1350, x1348, x1286, x1324); -- fiat_secp384r1_addcarryx_u32(&x1351, &x1352, x1350, x1288, x1326); -- fiat_secp384r1_addcarryx_u32(&x1353, &x1354, x1352, x1290, x1328); -- x1355 = ((uint32_t)x1354 + x1291); -- fiat_secp384r1_mulx_u32(&x1356, &x1357, x10, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x1358, &x1359, x10, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x1360, &x1361, x10, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x1362, &x1363, x10, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x1364, &x1365, x10, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x1366, &x1367, x10, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x1368, &x1369, x10, (arg2[5])); -- 
fiat_secp384r1_mulx_u32(&x1370, &x1371, x10, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x1372, &x1373, x10, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x1374, &x1375, x10, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x1376, &x1377, x10, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x1378, &x1379, x10, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x1380, &x1381, 0x0, x1379, x1376); -- fiat_secp384r1_addcarryx_u32(&x1382, &x1383, x1381, x1377, x1374); -- fiat_secp384r1_addcarryx_u32(&x1384, &x1385, x1383, x1375, x1372); -- fiat_secp384r1_addcarryx_u32(&x1386, &x1387, x1385, x1373, x1370); -- fiat_secp384r1_addcarryx_u32(&x1388, &x1389, x1387, x1371, x1368); -- fiat_secp384r1_addcarryx_u32(&x1390, &x1391, x1389, x1369, x1366); -- fiat_secp384r1_addcarryx_u32(&x1392, &x1393, x1391, x1367, x1364); -- fiat_secp384r1_addcarryx_u32(&x1394, &x1395, x1393, x1365, x1362); -- fiat_secp384r1_addcarryx_u32(&x1396, &x1397, x1395, x1363, x1360); -- fiat_secp384r1_addcarryx_u32(&x1398, &x1399, x1397, x1361, x1358); -- fiat_secp384r1_addcarryx_u32(&x1400, &x1401, x1399, x1359, x1356); -- x1402 = (x1401 + x1357); -- fiat_secp384r1_addcarryx_u32(&x1403, &x1404, 0x0, x1331, x1378); -- fiat_secp384r1_addcarryx_u32(&x1405, &x1406, x1404, x1333, x1380); -- fiat_secp384r1_addcarryx_u32(&x1407, &x1408, x1406, x1335, x1382); -- fiat_secp384r1_addcarryx_u32(&x1409, &x1410, x1408, x1337, x1384); -- fiat_secp384r1_addcarryx_u32(&x1411, &x1412, x1410, x1339, x1386); -- fiat_secp384r1_addcarryx_u32(&x1413, &x1414, x1412, x1341, x1388); -- fiat_secp384r1_addcarryx_u32(&x1415, &x1416, x1414, x1343, x1390); -- fiat_secp384r1_addcarryx_u32(&x1417, &x1418, x1416, x1345, x1392); -- fiat_secp384r1_addcarryx_u32(&x1419, &x1420, x1418, x1347, x1394); -- fiat_secp384r1_addcarryx_u32(&x1421, &x1422, x1420, x1349, x1396); -- fiat_secp384r1_addcarryx_u32(&x1423, &x1424, x1422, x1351, x1398); -- fiat_secp384r1_addcarryx_u32(&x1425, &x1426, x1424, x1353, x1400); -- fiat_secp384r1_addcarryx_u32(&x1427, &x1428, x1426, x1355, 
x1402); -- fiat_secp384r1_mulx_u32(&x1429, &x1430, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1431, &x1432, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1433, &x1434, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1435, &x1436, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1437, &x1438, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1439, &x1440, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1441, &x1442, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1443, &x1444, x1403, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x1445, &x1446, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1447, &x1448, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x1449, &x1450, 0x0, x1446, x1443); -- fiat_secp384r1_addcarryx_u32(&x1451, &x1452, x1450, x1444, x1441); -- fiat_secp384r1_addcarryx_u32(&x1453, &x1454, x1452, x1442, x1439); -- fiat_secp384r1_addcarryx_u32(&x1455, &x1456, x1454, x1440, x1437); -- fiat_secp384r1_addcarryx_u32(&x1457, &x1458, x1456, x1438, x1435); -- fiat_secp384r1_addcarryx_u32(&x1459, &x1460, x1458, x1436, x1433); -- fiat_secp384r1_addcarryx_u32(&x1461, &x1462, x1460, x1434, x1431); -- fiat_secp384r1_addcarryx_u32(&x1463, &x1464, x1462, x1432, x1429); -- x1465 = (x1464 + x1430); -- fiat_secp384r1_addcarryx_u32(&x1466, &x1467, 0x0, x1403, x1447); -- fiat_secp384r1_addcarryx_u32(&x1468, &x1469, x1467, x1405, x1448); -- fiat_secp384r1_addcarryx_u32(&x1470, &x1471, x1469, x1407, 0x0); -- fiat_secp384r1_addcarryx_u32(&x1472, &x1473, x1471, x1409, x1445); -- fiat_secp384r1_addcarryx_u32(&x1474, &x1475, x1473, x1411, x1449); -- fiat_secp384r1_addcarryx_u32(&x1476, &x1477, x1475, x1413, x1451); -- fiat_secp384r1_addcarryx_u32(&x1478, &x1479, x1477, x1415, x1453); -- fiat_secp384r1_addcarryx_u32(&x1480, &x1481, x1479, x1417, x1455); -- fiat_secp384r1_addcarryx_u32(&x1482, &x1483, x1481, x1419, x1457); -- fiat_secp384r1_addcarryx_u32(&x1484, &x1485, 
x1483, x1421, x1459); -- fiat_secp384r1_addcarryx_u32(&x1486, &x1487, x1485, x1423, x1461); -- fiat_secp384r1_addcarryx_u32(&x1488, &x1489, x1487, x1425, x1463); -- fiat_secp384r1_addcarryx_u32(&x1490, &x1491, x1489, x1427, x1465); -- x1492 = ((uint32_t)x1491 + x1428); -- fiat_secp384r1_mulx_u32(&x1493, &x1494, x11, (arg2[11])); -- fiat_secp384r1_mulx_u32(&x1495, &x1496, x11, (arg2[10])); -- fiat_secp384r1_mulx_u32(&x1497, &x1498, x11, (arg2[9])); -- fiat_secp384r1_mulx_u32(&x1499, &x1500, x11, (arg2[8])); -- fiat_secp384r1_mulx_u32(&x1501, &x1502, x11, (arg2[7])); -- fiat_secp384r1_mulx_u32(&x1503, &x1504, x11, (arg2[6])); -- fiat_secp384r1_mulx_u32(&x1505, &x1506, x11, (arg2[5])); -- fiat_secp384r1_mulx_u32(&x1507, &x1508, x11, (arg2[4])); -- fiat_secp384r1_mulx_u32(&x1509, &x1510, x11, (arg2[3])); -- fiat_secp384r1_mulx_u32(&x1511, &x1512, x11, (arg2[2])); -- fiat_secp384r1_mulx_u32(&x1513, &x1514, x11, (arg2[1])); -- fiat_secp384r1_mulx_u32(&x1515, &x1516, x11, (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x1517, &x1518, 0x0, x1516, x1513); -- fiat_secp384r1_addcarryx_u32(&x1519, &x1520, x1518, x1514, x1511); -- fiat_secp384r1_addcarryx_u32(&x1521, &x1522, x1520, x1512, x1509); -- fiat_secp384r1_addcarryx_u32(&x1523, &x1524, x1522, x1510, x1507); -- fiat_secp384r1_addcarryx_u32(&x1525, &x1526, x1524, x1508, x1505); -- fiat_secp384r1_addcarryx_u32(&x1527, &x1528, x1526, x1506, x1503); -- fiat_secp384r1_addcarryx_u32(&x1529, &x1530, x1528, x1504, x1501); -- fiat_secp384r1_addcarryx_u32(&x1531, &x1532, x1530, x1502, x1499); -- fiat_secp384r1_addcarryx_u32(&x1533, &x1534, x1532, x1500, x1497); -- fiat_secp384r1_addcarryx_u32(&x1535, &x1536, x1534, x1498, x1495); -- fiat_secp384r1_addcarryx_u32(&x1537, &x1538, x1536, x1496, x1493); -- x1539 = (x1538 + x1494); -- fiat_secp384r1_addcarryx_u32(&x1540, &x1541, 0x0, x1468, x1515); -- fiat_secp384r1_addcarryx_u32(&x1542, &x1543, x1541, x1470, x1517); -- fiat_secp384r1_addcarryx_u32(&x1544, &x1545, x1543, x1472, x1519); -- 
fiat_secp384r1_addcarryx_u32(&x1546, &x1547, x1545, x1474, x1521); -- fiat_secp384r1_addcarryx_u32(&x1548, &x1549, x1547, x1476, x1523); -- fiat_secp384r1_addcarryx_u32(&x1550, &x1551, x1549, x1478, x1525); -- fiat_secp384r1_addcarryx_u32(&x1552, &x1553, x1551, x1480, x1527); -- fiat_secp384r1_addcarryx_u32(&x1554, &x1555, x1553, x1482, x1529); -- fiat_secp384r1_addcarryx_u32(&x1556, &x1557, x1555, x1484, x1531); -- fiat_secp384r1_addcarryx_u32(&x1558, &x1559, x1557, x1486, x1533); -- fiat_secp384r1_addcarryx_u32(&x1560, &x1561, x1559, x1488, x1535); -- fiat_secp384r1_addcarryx_u32(&x1562, &x1563, x1561, x1490, x1537); -- fiat_secp384r1_addcarryx_u32(&x1564, &x1565, x1563, x1492, x1539); -- fiat_secp384r1_mulx_u32(&x1566, &x1567, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1568, &x1569, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1570, &x1571, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1572, &x1573, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1574, &x1575, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1576, &x1577, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1578, &x1579, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1580, &x1581, x1540, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x1582, &x1583, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1584, &x1585, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x1586, &x1587, 0x0, x1583, x1580); -- fiat_secp384r1_addcarryx_u32(&x1588, &x1589, x1587, x1581, x1578); -- fiat_secp384r1_addcarryx_u32(&x1590, &x1591, x1589, x1579, x1576); -- fiat_secp384r1_addcarryx_u32(&x1592, &x1593, x1591, x1577, x1574); -- fiat_secp384r1_addcarryx_u32(&x1594, &x1595, x1593, x1575, x1572); -- fiat_secp384r1_addcarryx_u32(&x1596, &x1597, x1595, x1573, x1570); -- fiat_secp384r1_addcarryx_u32(&x1598, &x1599, x1597, x1571, x1568); -- fiat_secp384r1_addcarryx_u32(&x1600, &x1601, x1599, x1569, x1566); -- x1602 = 
(x1601 + x1567); -- fiat_secp384r1_addcarryx_u32(&x1603, &x1604, 0x0, x1540, x1584); -- fiat_secp384r1_addcarryx_u32(&x1605, &x1606, x1604, x1542, x1585); -- fiat_secp384r1_addcarryx_u32(&x1607, &x1608, x1606, x1544, 0x0); -- fiat_secp384r1_addcarryx_u32(&x1609, &x1610, x1608, x1546, x1582); -- fiat_secp384r1_addcarryx_u32(&x1611, &x1612, x1610, x1548, x1586); -- fiat_secp384r1_addcarryx_u32(&x1613, &x1614, x1612, x1550, x1588); -- fiat_secp384r1_addcarryx_u32(&x1615, &x1616, x1614, x1552, x1590); -- fiat_secp384r1_addcarryx_u32(&x1617, &x1618, x1616, x1554, x1592); -- fiat_secp384r1_addcarryx_u32(&x1619, &x1620, x1618, x1556, x1594); -- fiat_secp384r1_addcarryx_u32(&x1621, &x1622, x1620, x1558, x1596); -- fiat_secp384r1_addcarryx_u32(&x1623, &x1624, x1622, x1560, x1598); -- fiat_secp384r1_addcarryx_u32(&x1625, &x1626, x1624, x1562, x1600); -- fiat_secp384r1_addcarryx_u32(&x1627, &x1628, x1626, x1564, x1602); -- x1629 = ((uint32_t)x1628 + x1565); -- fiat_secp384r1_subborrowx_u32(&x1630, &x1631, 0x0, x1605, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1632, &x1633, x1631, x1607, 0x0); -- fiat_secp384r1_subborrowx_u32(&x1634, &x1635, x1633, x1609, 0x0); -- fiat_secp384r1_subborrowx_u32(&x1636, &x1637, x1635, x1611, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1638, &x1639, x1637, x1613, -- UINT32_C(0xfffffffe)); -- fiat_secp384r1_subborrowx_u32(&x1640, &x1641, x1639, x1615, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1642, &x1643, x1641, x1617, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1644, &x1645, x1643, x1619, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1646, &x1647, x1645, x1621, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1648, &x1649, x1647, x1623, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1650, &x1651, x1649, x1625, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1652, &x1653, x1651, x1627, -- UINT32_C(0xffffffff)); -- 
fiat_secp384r1_subborrowx_u32(&x1654, &x1655, x1653, x1629, 0x0); -- fiat_secp384r1_cmovznz_u32(&x1656, x1655, x1630, x1605); -- fiat_secp384r1_cmovznz_u32(&x1657, x1655, x1632, x1607); -- fiat_secp384r1_cmovznz_u32(&x1658, x1655, x1634, x1609); -- fiat_secp384r1_cmovznz_u32(&x1659, x1655, x1636, x1611); -- fiat_secp384r1_cmovznz_u32(&x1660, x1655, x1638, x1613); -- fiat_secp384r1_cmovznz_u32(&x1661, x1655, x1640, x1615); -- fiat_secp384r1_cmovznz_u32(&x1662, x1655, x1642, x1617); -- fiat_secp384r1_cmovznz_u32(&x1663, x1655, x1644, x1619); -- fiat_secp384r1_cmovznz_u32(&x1664, x1655, x1646, x1621); -- fiat_secp384r1_cmovznz_u32(&x1665, x1655, x1648, x1623); -- fiat_secp384r1_cmovznz_u32(&x1666, x1655, x1650, x1625); -- fiat_secp384r1_cmovznz_u32(&x1667, x1655, x1652, x1627); -- out1[0] = x1656; -- out1[1] = x1657; -- out1[2] = x1658; -- out1[3] = x1659; -- out1[4] = x1660; -- out1[5] = x1661; -- out1[6] = x1662; -- out1[7] = x1663; -- out1[8] = x1664; -- out1[9] = x1665; -- out1[10] = x1666; -- out1[11] = x1667; --} -- --/* -- * The function fiat_secp384r1_square squares a field element in the Montgomery domain. 
-- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_square( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1) --{ -- uint32_t x1; -- uint32_t x2; -- uint32_t x3; -- uint32_t x4; -- uint32_t x5; -- uint32_t x6; -- uint32_t x7; -- uint32_t x8; -- uint32_t x9; -- uint32_t x10; -- uint32_t x11; -- uint32_t x12; -- uint32_t x13; -- uint32_t x14; -- uint32_t x15; -- uint32_t x16; -- uint32_t x17; -- uint32_t x18; -- uint32_t x19; -- uint32_t x20; -- uint32_t x21; -- uint32_t x22; -- uint32_t x23; -- uint32_t x24; -- uint32_t x25; -- uint32_t x26; -- uint32_t x27; -- uint32_t x28; -- uint32_t x29; -- uint32_t x30; -- uint32_t x31; -- uint32_t x32; -- uint32_t x33; -- uint32_t x34; -- uint32_t x35; -- uint32_t x36; -- uint32_t x37; -- fiat_secp384r1_uint1 x38; -- uint32_t x39; -- fiat_secp384r1_uint1 x40; -- uint32_t x41; -- fiat_secp384r1_uint1 x42; -- uint32_t x43; -- fiat_secp384r1_uint1 x44; -- uint32_t x45; -- fiat_secp384r1_uint1 x46; -- uint32_t x47; -- fiat_secp384r1_uint1 x48; -- uint32_t x49; -- fiat_secp384r1_uint1 x50; -- uint32_t x51; -- fiat_secp384r1_uint1 x52; -- uint32_t x53; -- fiat_secp384r1_uint1 x54; -- uint32_t x55; -- fiat_secp384r1_uint1 x56; -- uint32_t x57; -- fiat_secp384r1_uint1 x58; -- uint32_t x59; -- uint32_t x60; -- uint32_t x61; -- uint32_t x62; -- uint32_t x63; -- uint32_t x64; -- uint32_t x65; -- uint32_t x66; -- uint32_t x67; -- uint32_t x68; -- uint32_t x69; -- uint32_t x70; -- uint32_t x71; -- uint32_t x72; -- uint32_t x73; -- uint32_t x74; -- uint32_t x75; -- uint32_t x76; -- uint32_t x77; -- uint32_t x78; -- uint32_t x79; -- uint32_t x80; -- fiat_secp384r1_uint1 x81; -- uint32_t x82; -- fiat_secp384r1_uint1 x83; -- uint32_t x84; -- fiat_secp384r1_uint1 x85; -- uint32_t x86; -- 
fiat_secp384r1_uint1 x87; -- uint32_t x88; -- fiat_secp384r1_uint1 x89; -- uint32_t x90; -- fiat_secp384r1_uint1 x91; -- uint32_t x92; -- fiat_secp384r1_uint1 x93; -- uint32_t x94; -- fiat_secp384r1_uint1 x95; -- uint32_t x96; -- uint32_t x97; -- fiat_secp384r1_uint1 x98; -- uint32_t x99; -- fiat_secp384r1_uint1 x100; -- uint32_t x101; -- fiat_secp384r1_uint1 x102; -- uint32_t x103; -- fiat_secp384r1_uint1 x104; -- uint32_t x105; -- fiat_secp384r1_uint1 x106; -- uint32_t x107; -- fiat_secp384r1_uint1 x108; -- uint32_t x109; -- fiat_secp384r1_uint1 x110; -- uint32_t x111; -- fiat_secp384r1_uint1 x112; -- uint32_t x113; -- fiat_secp384r1_uint1 x114; -- uint32_t x115; -- fiat_secp384r1_uint1 x116; -- uint32_t x117; -- fiat_secp384r1_uint1 x118; -- uint32_t x119; -- fiat_secp384r1_uint1 x120; -- uint32_t x121; -- fiat_secp384r1_uint1 x122; -- uint32_t x123; -- uint32_t x124; -- uint32_t x125; -- uint32_t x126; -- uint32_t x127; -- uint32_t x128; -- uint32_t x129; -- uint32_t x130; -- uint32_t x131; -- uint32_t x132; -- uint32_t x133; -- uint32_t x134; -- uint32_t x135; -- uint32_t x136; -- uint32_t x137; -- uint32_t x138; -- uint32_t x139; -- uint32_t x140; -- uint32_t x141; -- uint32_t x142; -- uint32_t x143; -- uint32_t x144; -- uint32_t x145; -- uint32_t x146; -- uint32_t x147; -- fiat_secp384r1_uint1 x148; -- uint32_t x149; -- fiat_secp384r1_uint1 x150; -- uint32_t x151; -- fiat_secp384r1_uint1 x152; -- uint32_t x153; -- fiat_secp384r1_uint1 x154; -- uint32_t x155; -- fiat_secp384r1_uint1 x156; -- uint32_t x157; -- fiat_secp384r1_uint1 x158; -- uint32_t x159; -- fiat_secp384r1_uint1 x160; -- uint32_t x161; -- fiat_secp384r1_uint1 x162; -- uint32_t x163; -- fiat_secp384r1_uint1 x164; -- uint32_t x165; -- fiat_secp384r1_uint1 x166; -- uint32_t x167; -- fiat_secp384r1_uint1 x168; -- uint32_t x169; -- uint32_t x170; -- fiat_secp384r1_uint1 x171; -- uint32_t x172; -- fiat_secp384r1_uint1 x173; -- uint32_t x174; -- fiat_secp384r1_uint1 x175; -- uint32_t x176; -- 
fiat_secp384r1_uint1 x177; -- uint32_t x178; -- fiat_secp384r1_uint1 x179; -- uint32_t x180; -- fiat_secp384r1_uint1 x181; -- uint32_t x182; -- fiat_secp384r1_uint1 x183; -- uint32_t x184; -- fiat_secp384r1_uint1 x185; -- uint32_t x186; -- fiat_secp384r1_uint1 x187; -- uint32_t x188; -- fiat_secp384r1_uint1 x189; -- uint32_t x190; -- fiat_secp384r1_uint1 x191; -- uint32_t x192; -- fiat_secp384r1_uint1 x193; -- uint32_t x194; -- fiat_secp384r1_uint1 x195; -- uint32_t x196; -- uint32_t x197; -- uint32_t x198; -- uint32_t x199; -- uint32_t x200; -- uint32_t x201; -- uint32_t x202; -- uint32_t x203; -- uint32_t x204; -- uint32_t x205; -- uint32_t x206; -- uint32_t x207; -- uint32_t x208; -- uint32_t x209; -- uint32_t x210; -- uint32_t x211; -- uint32_t x212; -- uint32_t x213; -- uint32_t x214; -- uint32_t x215; -- uint32_t x216; -- fiat_secp384r1_uint1 x217; -- uint32_t x218; -- fiat_secp384r1_uint1 x219; -- uint32_t x220; -- fiat_secp384r1_uint1 x221; -- uint32_t x222; -- fiat_secp384r1_uint1 x223; -- uint32_t x224; -- fiat_secp384r1_uint1 x225; -- uint32_t x226; -- fiat_secp384r1_uint1 x227; -- uint32_t x228; -- fiat_secp384r1_uint1 x229; -- uint32_t x230; -- fiat_secp384r1_uint1 x231; -- uint32_t x232; -- uint32_t x233; -- fiat_secp384r1_uint1 x234; -- uint32_t x235; -- fiat_secp384r1_uint1 x236; -- uint32_t x237; -- fiat_secp384r1_uint1 x238; -- uint32_t x239; -- fiat_secp384r1_uint1 x240; -- uint32_t x241; -- fiat_secp384r1_uint1 x242; -- uint32_t x243; -- fiat_secp384r1_uint1 x244; -- uint32_t x245; -- fiat_secp384r1_uint1 x246; -- uint32_t x247; -- fiat_secp384r1_uint1 x248; -- uint32_t x249; -- fiat_secp384r1_uint1 x250; -- uint32_t x251; -- fiat_secp384r1_uint1 x252; -- uint32_t x253; -- fiat_secp384r1_uint1 x254; -- uint32_t x255; -- fiat_secp384r1_uint1 x256; -- uint32_t x257; -- fiat_secp384r1_uint1 x258; -- uint32_t x259; -- uint32_t x260; -- uint32_t x261; -- uint32_t x262; -- uint32_t x263; -- uint32_t x264; -- uint32_t x265; -- uint32_t x266; -- 
uint32_t x267; -- uint32_t x268; -- uint32_t x269; -- uint32_t x270; -- uint32_t x271; -- uint32_t x272; -- uint32_t x273; -- uint32_t x274; -- uint32_t x275; -- uint32_t x276; -- uint32_t x277; -- uint32_t x278; -- uint32_t x279; -- uint32_t x280; -- uint32_t x281; -- uint32_t x282; -- uint32_t x283; -- uint32_t x284; -- fiat_secp384r1_uint1 x285; -- uint32_t x286; -- fiat_secp384r1_uint1 x287; -- uint32_t x288; -- fiat_secp384r1_uint1 x289; -- uint32_t x290; -- fiat_secp384r1_uint1 x291; -- uint32_t x292; -- fiat_secp384r1_uint1 x293; -- uint32_t x294; -- fiat_secp384r1_uint1 x295; -- uint32_t x296; -- fiat_secp384r1_uint1 x297; -- uint32_t x298; -- fiat_secp384r1_uint1 x299; -- uint32_t x300; -- fiat_secp384r1_uint1 x301; -- uint32_t x302; -- fiat_secp384r1_uint1 x303; -- uint32_t x304; -- fiat_secp384r1_uint1 x305; -- uint32_t x306; -- uint32_t x307; -- fiat_secp384r1_uint1 x308; -- uint32_t x309; -- fiat_secp384r1_uint1 x310; -- uint32_t x311; -- fiat_secp384r1_uint1 x312; -- uint32_t x313; -- fiat_secp384r1_uint1 x314; -- uint32_t x315; -- fiat_secp384r1_uint1 x316; -- uint32_t x317; -- fiat_secp384r1_uint1 x318; -- uint32_t x319; -- fiat_secp384r1_uint1 x320; -- uint32_t x321; -- fiat_secp384r1_uint1 x322; -- uint32_t x323; -- fiat_secp384r1_uint1 x324; -- uint32_t x325; -- fiat_secp384r1_uint1 x326; -- uint32_t x327; -- fiat_secp384r1_uint1 x328; -- uint32_t x329; -- fiat_secp384r1_uint1 x330; -- uint32_t x331; -- fiat_secp384r1_uint1 x332; -- uint32_t x333; -- uint32_t x334; -- uint32_t x335; -- uint32_t x336; -- uint32_t x337; -- uint32_t x338; -- uint32_t x339; -- uint32_t x340; -- uint32_t x341; -- uint32_t x342; -- uint32_t x343; -- uint32_t x344; -- uint32_t x345; -- uint32_t x346; -- uint32_t x347; -- uint32_t x348; -- uint32_t x349; -- uint32_t x350; -- uint32_t x351; -- uint32_t x352; -- uint32_t x353; -- fiat_secp384r1_uint1 x354; -- uint32_t x355; -- fiat_secp384r1_uint1 x356; -- uint32_t x357; -- fiat_secp384r1_uint1 x358; -- uint32_t x359; -- 
fiat_secp384r1_uint1 x360; -- uint32_t x361; -- fiat_secp384r1_uint1 x362; -- uint32_t x363; -- fiat_secp384r1_uint1 x364; -- uint32_t x365; -- fiat_secp384r1_uint1 x366; -- uint32_t x367; -- fiat_secp384r1_uint1 x368; -- uint32_t x369; -- uint32_t x370; -- fiat_secp384r1_uint1 x371; -- uint32_t x372; -- fiat_secp384r1_uint1 x373; -- uint32_t x374; -- fiat_secp384r1_uint1 x375; -- uint32_t x376; -- fiat_secp384r1_uint1 x377; -- uint32_t x378; -- fiat_secp384r1_uint1 x379; -- uint32_t x380; -- fiat_secp384r1_uint1 x381; -- uint32_t x382; -- fiat_secp384r1_uint1 x383; -- uint32_t x384; -- fiat_secp384r1_uint1 x385; -- uint32_t x386; -- fiat_secp384r1_uint1 x387; -- uint32_t x388; -- fiat_secp384r1_uint1 x389; -- uint32_t x390; -- fiat_secp384r1_uint1 x391; -- uint32_t x392; -- fiat_secp384r1_uint1 x393; -- uint32_t x394; -- fiat_secp384r1_uint1 x395; -- uint32_t x396; -- uint32_t x397; -- uint32_t x398; -- uint32_t x399; -- uint32_t x400; -- uint32_t x401; -- uint32_t x402; -- uint32_t x403; -- uint32_t x404; -- uint32_t x405; -- uint32_t x406; -- uint32_t x407; -- uint32_t x408; -- uint32_t x409; -- uint32_t x410; -- uint32_t x411; -- uint32_t x412; -- uint32_t x413; -- uint32_t x414; -- uint32_t x415; -- uint32_t x416; -- uint32_t x417; -- uint32_t x418; -- uint32_t x419; -- uint32_t x420; -- uint32_t x421; -- fiat_secp384r1_uint1 x422; -- uint32_t x423; -- fiat_secp384r1_uint1 x424; -- uint32_t x425; -- fiat_secp384r1_uint1 x426; -- uint32_t x427; -- fiat_secp384r1_uint1 x428; -- uint32_t x429; -- fiat_secp384r1_uint1 x430; -- uint32_t x431; -- fiat_secp384r1_uint1 x432; -- uint32_t x433; -- fiat_secp384r1_uint1 x434; -- uint32_t x435; -- fiat_secp384r1_uint1 x436; -- uint32_t x437; -- fiat_secp384r1_uint1 x438; -- uint32_t x439; -- fiat_secp384r1_uint1 x440; -- uint32_t x441; -- fiat_secp384r1_uint1 x442; -- uint32_t x443; -- uint32_t x444; -- fiat_secp384r1_uint1 x445; -- uint32_t x446; -- fiat_secp384r1_uint1 x447; -- uint32_t x448; -- fiat_secp384r1_uint1 
x449; -- uint32_t x450; -- fiat_secp384r1_uint1 x451; -- uint32_t x452; -- fiat_secp384r1_uint1 x453; -- uint32_t x454; -- fiat_secp384r1_uint1 x455; -- uint32_t x456; -- fiat_secp384r1_uint1 x457; -- uint32_t x458; -- fiat_secp384r1_uint1 x459; -- uint32_t x460; -- fiat_secp384r1_uint1 x461; -- uint32_t x462; -- fiat_secp384r1_uint1 x463; -- uint32_t x464; -- fiat_secp384r1_uint1 x465; -- uint32_t x466; -- fiat_secp384r1_uint1 x467; -- uint32_t x468; -- fiat_secp384r1_uint1 x469; -- uint32_t x470; -- uint32_t x471; -- uint32_t x472; -- uint32_t x473; -- uint32_t x474; -- uint32_t x475; -- uint32_t x476; -- uint32_t x477; -- uint32_t x478; -- uint32_t x479; -- uint32_t x480; -- uint32_t x481; -- uint32_t x482; -- uint32_t x483; -- uint32_t x484; -- uint32_t x485; -- uint32_t x486; -- uint32_t x487; -- uint32_t x488; -- uint32_t x489; -- uint32_t x490; -- fiat_secp384r1_uint1 x491; -- uint32_t x492; -- fiat_secp384r1_uint1 x493; -- uint32_t x494; -- fiat_secp384r1_uint1 x495; -- uint32_t x496; -- fiat_secp384r1_uint1 x497; -- uint32_t x498; -- fiat_secp384r1_uint1 x499; -- uint32_t x500; -- fiat_secp384r1_uint1 x501; -- uint32_t x502; -- fiat_secp384r1_uint1 x503; -- uint32_t x504; -- fiat_secp384r1_uint1 x505; -- uint32_t x506; -- uint32_t x507; -- fiat_secp384r1_uint1 x508; -- uint32_t x509; -- fiat_secp384r1_uint1 x510; -- uint32_t x511; -- fiat_secp384r1_uint1 x512; -- uint32_t x513; -- fiat_secp384r1_uint1 x514; -- uint32_t x515; -- fiat_secp384r1_uint1 x516; -- uint32_t x517; -- fiat_secp384r1_uint1 x518; -- uint32_t x519; -- fiat_secp384r1_uint1 x520; -- uint32_t x521; -- fiat_secp384r1_uint1 x522; -- uint32_t x523; -- fiat_secp384r1_uint1 x524; -- uint32_t x525; -- fiat_secp384r1_uint1 x526; -- uint32_t x527; -- fiat_secp384r1_uint1 x528; -- uint32_t x529; -- fiat_secp384r1_uint1 x530; -- uint32_t x531; -- fiat_secp384r1_uint1 x532; -- uint32_t x533; -- uint32_t x534; -- uint32_t x535; -- uint32_t x536; -- uint32_t x537; -- uint32_t x538; -- uint32_t x539; 
-- uint32_t x540; -- uint32_t x541; -- uint32_t x542; -- uint32_t x543; -- uint32_t x544; -- uint32_t x545; -- uint32_t x546; -- uint32_t x547; -- uint32_t x548; -- uint32_t x549; -- uint32_t x550; -- uint32_t x551; -- uint32_t x552; -- uint32_t x553; -- uint32_t x554; -- uint32_t x555; -- uint32_t x556; -- uint32_t x557; -- uint32_t x558; -- fiat_secp384r1_uint1 x559; -- uint32_t x560; -- fiat_secp384r1_uint1 x561; -- uint32_t x562; -- fiat_secp384r1_uint1 x563; -- uint32_t x564; -- fiat_secp384r1_uint1 x565; -- uint32_t x566; -- fiat_secp384r1_uint1 x567; -- uint32_t x568; -- fiat_secp384r1_uint1 x569; -- uint32_t x570; -- fiat_secp384r1_uint1 x571; -- uint32_t x572; -- fiat_secp384r1_uint1 x573; -- uint32_t x574; -- fiat_secp384r1_uint1 x575; -- uint32_t x576; -- fiat_secp384r1_uint1 x577; -- uint32_t x578; -- fiat_secp384r1_uint1 x579; -- uint32_t x580; -- uint32_t x581; -- fiat_secp384r1_uint1 x582; -- uint32_t x583; -- fiat_secp384r1_uint1 x584; -- uint32_t x585; -- fiat_secp384r1_uint1 x586; -- uint32_t x587; -- fiat_secp384r1_uint1 x588; -- uint32_t x589; -- fiat_secp384r1_uint1 x590; -- uint32_t x591; -- fiat_secp384r1_uint1 x592; -- uint32_t x593; -- fiat_secp384r1_uint1 x594; -- uint32_t x595; -- fiat_secp384r1_uint1 x596; -- uint32_t x597; -- fiat_secp384r1_uint1 x598; -- uint32_t x599; -- fiat_secp384r1_uint1 x600; -- uint32_t x601; -- fiat_secp384r1_uint1 x602; -- uint32_t x603; -- fiat_secp384r1_uint1 x604; -- uint32_t x605; -- fiat_secp384r1_uint1 x606; -- uint32_t x607; -- uint32_t x608; -- uint32_t x609; -- uint32_t x610; -- uint32_t x611; -- uint32_t x612; -- uint32_t x613; -- uint32_t x614; -- uint32_t x615; -- uint32_t x616; -- uint32_t x617; -- uint32_t x618; -- uint32_t x619; -- uint32_t x620; -- uint32_t x621; -- uint32_t x622; -- uint32_t x623; -- uint32_t x624; -- uint32_t x625; -- uint32_t x626; -- uint32_t x627; -- fiat_secp384r1_uint1 x628; -- uint32_t x629; -- fiat_secp384r1_uint1 x630; -- uint32_t x631; -- fiat_secp384r1_uint1 x632; 
-- uint32_t x633; -- fiat_secp384r1_uint1 x634; -- uint32_t x635; -- fiat_secp384r1_uint1 x636; -- uint32_t x637; -- fiat_secp384r1_uint1 x638; -- uint32_t x639; -- fiat_secp384r1_uint1 x640; -- uint32_t x641; -- fiat_secp384r1_uint1 x642; -- uint32_t x643; -- uint32_t x644; -- fiat_secp384r1_uint1 x645; -- uint32_t x646; -- fiat_secp384r1_uint1 x647; -- uint32_t x648; -- fiat_secp384r1_uint1 x649; -- uint32_t x650; -- fiat_secp384r1_uint1 x651; -- uint32_t x652; -- fiat_secp384r1_uint1 x653; -- uint32_t x654; -- fiat_secp384r1_uint1 x655; -- uint32_t x656; -- fiat_secp384r1_uint1 x657; -- uint32_t x658; -- fiat_secp384r1_uint1 x659; -- uint32_t x660; -- fiat_secp384r1_uint1 x661; -- uint32_t x662; -- fiat_secp384r1_uint1 x663; -- uint32_t x664; -- fiat_secp384r1_uint1 x665; -- uint32_t x666; -- fiat_secp384r1_uint1 x667; -- uint32_t x668; -- fiat_secp384r1_uint1 x669; -- uint32_t x670; -- uint32_t x671; -- uint32_t x672; -- uint32_t x673; -- uint32_t x674; -- uint32_t x675; -- uint32_t x676; -- uint32_t x677; -- uint32_t x678; -- uint32_t x679; -- uint32_t x680; -- uint32_t x681; -- uint32_t x682; -- uint32_t x683; -- uint32_t x684; -- uint32_t x685; -- uint32_t x686; -- uint32_t x687; -- uint32_t x688; -- uint32_t x689; -- uint32_t x690; -- uint32_t x691; -- uint32_t x692; -- uint32_t x693; -- uint32_t x694; -- uint32_t x695; -- fiat_secp384r1_uint1 x696; -- uint32_t x697; -- fiat_secp384r1_uint1 x698; -- uint32_t x699; -- fiat_secp384r1_uint1 x700; -- uint32_t x701; -- fiat_secp384r1_uint1 x702; -- uint32_t x703; -- fiat_secp384r1_uint1 x704; -- uint32_t x705; -- fiat_secp384r1_uint1 x706; -- uint32_t x707; -- fiat_secp384r1_uint1 x708; -- uint32_t x709; -- fiat_secp384r1_uint1 x710; -- uint32_t x711; -- fiat_secp384r1_uint1 x712; -- uint32_t x713; -- fiat_secp384r1_uint1 x714; -- uint32_t x715; -- fiat_secp384r1_uint1 x716; -- uint32_t x717; -- uint32_t x718; -- fiat_secp384r1_uint1 x719; -- uint32_t x720; -- fiat_secp384r1_uint1 x721; -- uint32_t x722; -- 
fiat_secp384r1_uint1 x723; -- uint32_t x724; -- fiat_secp384r1_uint1 x725; -- uint32_t x726; -- fiat_secp384r1_uint1 x727; -- uint32_t x728; -- fiat_secp384r1_uint1 x729; -- uint32_t x730; -- fiat_secp384r1_uint1 x731; -- uint32_t x732; -- fiat_secp384r1_uint1 x733; -- uint32_t x734; -- fiat_secp384r1_uint1 x735; -- uint32_t x736; -- fiat_secp384r1_uint1 x737; -- uint32_t x738; -- fiat_secp384r1_uint1 x739; -- uint32_t x740; -- fiat_secp384r1_uint1 x741; -- uint32_t x742; -- fiat_secp384r1_uint1 x743; -- uint32_t x744; -- uint32_t x745; -- uint32_t x746; -- uint32_t x747; -- uint32_t x748; -- uint32_t x749; -- uint32_t x750; -- uint32_t x751; -- uint32_t x752; -- uint32_t x753; -- uint32_t x754; -- uint32_t x755; -- uint32_t x756; -- uint32_t x757; -- uint32_t x758; -- uint32_t x759; -- uint32_t x760; -- uint32_t x761; -- uint32_t x762; -- uint32_t x763; -- uint32_t x764; -- fiat_secp384r1_uint1 x765; -- uint32_t x766; -- fiat_secp384r1_uint1 x767; -- uint32_t x768; -- fiat_secp384r1_uint1 x769; -- uint32_t x770; -- fiat_secp384r1_uint1 x771; -- uint32_t x772; -- fiat_secp384r1_uint1 x773; -- uint32_t x774; -- fiat_secp384r1_uint1 x775; -- uint32_t x776; -- fiat_secp384r1_uint1 x777; -- uint32_t x778; -- fiat_secp384r1_uint1 x779; -- uint32_t x780; -- uint32_t x781; -- fiat_secp384r1_uint1 x782; -- uint32_t x783; -- fiat_secp384r1_uint1 x784; -- uint32_t x785; -- fiat_secp384r1_uint1 x786; -- uint32_t x787; -- fiat_secp384r1_uint1 x788; -- uint32_t x789; -- fiat_secp384r1_uint1 x790; -- uint32_t x791; -- fiat_secp384r1_uint1 x792; -- uint32_t x793; -- fiat_secp384r1_uint1 x794; -- uint32_t x795; -- fiat_secp384r1_uint1 x796; -- uint32_t x797; -- fiat_secp384r1_uint1 x798; -- uint32_t x799; -- fiat_secp384r1_uint1 x800; -- uint32_t x801; -- fiat_secp384r1_uint1 x802; -- uint32_t x803; -- fiat_secp384r1_uint1 x804; -- uint32_t x805; -- fiat_secp384r1_uint1 x806; -- uint32_t x807; -- uint32_t x808; -- uint32_t x809; -- uint32_t x810; -- uint32_t x811; -- uint32_t 
x812; -- uint32_t x813; -- uint32_t x814; -- uint32_t x815; -- uint32_t x816; -- uint32_t x817; -- uint32_t x818; -- uint32_t x819; -- uint32_t x820; -- uint32_t x821; -- uint32_t x822; -- uint32_t x823; -- uint32_t x824; -- uint32_t x825; -- uint32_t x826; -- uint32_t x827; -- uint32_t x828; -- uint32_t x829; -- uint32_t x830; -- uint32_t x831; -- uint32_t x832; -- fiat_secp384r1_uint1 x833; -- uint32_t x834; -- fiat_secp384r1_uint1 x835; -- uint32_t x836; -- fiat_secp384r1_uint1 x837; -- uint32_t x838; -- fiat_secp384r1_uint1 x839; -- uint32_t x840; -- fiat_secp384r1_uint1 x841; -- uint32_t x842; -- fiat_secp384r1_uint1 x843; -- uint32_t x844; -- fiat_secp384r1_uint1 x845; -- uint32_t x846; -- fiat_secp384r1_uint1 x847; -- uint32_t x848; -- fiat_secp384r1_uint1 x849; -- uint32_t x850; -- fiat_secp384r1_uint1 x851; -- uint32_t x852; -- fiat_secp384r1_uint1 x853; -- uint32_t x854; -- uint32_t x855; -- fiat_secp384r1_uint1 x856; -- uint32_t x857; -- fiat_secp384r1_uint1 x858; -- uint32_t x859; -- fiat_secp384r1_uint1 x860; -- uint32_t x861; -- fiat_secp384r1_uint1 x862; -- uint32_t x863; -- fiat_secp384r1_uint1 x864; -- uint32_t x865; -- fiat_secp384r1_uint1 x866; -- uint32_t x867; -- fiat_secp384r1_uint1 x868; -- uint32_t x869; -- fiat_secp384r1_uint1 x870; -- uint32_t x871; -- fiat_secp384r1_uint1 x872; -- uint32_t x873; -- fiat_secp384r1_uint1 x874; -- uint32_t x875; -- fiat_secp384r1_uint1 x876; -- uint32_t x877; -- fiat_secp384r1_uint1 x878; -- uint32_t x879; -- fiat_secp384r1_uint1 x880; -- uint32_t x881; -- uint32_t x882; -- uint32_t x883; -- uint32_t x884; -- uint32_t x885; -- uint32_t x886; -- uint32_t x887; -- uint32_t x888; -- uint32_t x889; -- uint32_t x890; -- uint32_t x891; -- uint32_t x892; -- uint32_t x893; -- uint32_t x894; -- uint32_t x895; -- uint32_t x896; -- uint32_t x897; -- uint32_t x898; -- uint32_t x899; -- uint32_t x900; -- uint32_t x901; -- fiat_secp384r1_uint1 x902; -- uint32_t x903; -- fiat_secp384r1_uint1 x904; -- uint32_t x905; -- 
fiat_secp384r1_uint1 x906; -- uint32_t x907; -- fiat_secp384r1_uint1 x908; -- uint32_t x909; -- fiat_secp384r1_uint1 x910; -- uint32_t x911; -- fiat_secp384r1_uint1 x912; -- uint32_t x913; -- fiat_secp384r1_uint1 x914; -- uint32_t x915; -- fiat_secp384r1_uint1 x916; -- uint32_t x917; -- uint32_t x918; -- fiat_secp384r1_uint1 x919; -- uint32_t x920; -- fiat_secp384r1_uint1 x921; -- uint32_t x922; -- fiat_secp384r1_uint1 x923; -- uint32_t x924; -- fiat_secp384r1_uint1 x925; -- uint32_t x926; -- fiat_secp384r1_uint1 x927; -- uint32_t x928; -- fiat_secp384r1_uint1 x929; -- uint32_t x930; -- fiat_secp384r1_uint1 x931; -- uint32_t x932; -- fiat_secp384r1_uint1 x933; -- uint32_t x934; -- fiat_secp384r1_uint1 x935; -- uint32_t x936; -- fiat_secp384r1_uint1 x937; -- uint32_t x938; -- fiat_secp384r1_uint1 x939; -- uint32_t x940; -- fiat_secp384r1_uint1 x941; -- uint32_t x942; -- fiat_secp384r1_uint1 x943; -- uint32_t x944; -- uint32_t x945; -- uint32_t x946; -- uint32_t x947; -- uint32_t x948; -- uint32_t x949; -- uint32_t x950; -- uint32_t x951; -- uint32_t x952; -- uint32_t x953; -- uint32_t x954; -- uint32_t x955; -- uint32_t x956; -- uint32_t x957; -- uint32_t x958; -- uint32_t x959; -- uint32_t x960; -- uint32_t x961; -- uint32_t x962; -- uint32_t x963; -- uint32_t x964; -- uint32_t x965; -- uint32_t x966; -- uint32_t x967; -- uint32_t x968; -- uint32_t x969; -- fiat_secp384r1_uint1 x970; -- uint32_t x971; -- fiat_secp384r1_uint1 x972; -- uint32_t x973; -- fiat_secp384r1_uint1 x974; -- uint32_t x975; -- fiat_secp384r1_uint1 x976; -- uint32_t x977; -- fiat_secp384r1_uint1 x978; -- uint32_t x979; -- fiat_secp384r1_uint1 x980; -- uint32_t x981; -- fiat_secp384r1_uint1 x982; -- uint32_t x983; -- fiat_secp384r1_uint1 x984; -- uint32_t x985; -- fiat_secp384r1_uint1 x986; -- uint32_t x987; -- fiat_secp384r1_uint1 x988; -- uint32_t x989; -- fiat_secp384r1_uint1 x990; -- uint32_t x991; -- uint32_t x992; -- fiat_secp384r1_uint1 x993; -- uint32_t x994; -- fiat_secp384r1_uint1 
x995; -- uint32_t x996; -- fiat_secp384r1_uint1 x997; -- uint32_t x998; -- fiat_secp384r1_uint1 x999; -- uint32_t x1000; -- fiat_secp384r1_uint1 x1001; -- uint32_t x1002; -- fiat_secp384r1_uint1 x1003; -- uint32_t x1004; -- fiat_secp384r1_uint1 x1005; -- uint32_t x1006; -- fiat_secp384r1_uint1 x1007; -- uint32_t x1008; -- fiat_secp384r1_uint1 x1009; -- uint32_t x1010; -- fiat_secp384r1_uint1 x1011; -- uint32_t x1012; -- fiat_secp384r1_uint1 x1013; -- uint32_t x1014; -- fiat_secp384r1_uint1 x1015; -- uint32_t x1016; -- fiat_secp384r1_uint1 x1017; -- uint32_t x1018; -- uint32_t x1019; -- uint32_t x1020; -- uint32_t x1021; -- uint32_t x1022; -- uint32_t x1023; -- uint32_t x1024; -- uint32_t x1025; -- uint32_t x1026; -- uint32_t x1027; -- uint32_t x1028; -- uint32_t x1029; -- uint32_t x1030; -- uint32_t x1031; -- uint32_t x1032; -- uint32_t x1033; -- uint32_t x1034; -- uint32_t x1035; -- uint32_t x1036; -- uint32_t x1037; -- uint32_t x1038; -- fiat_secp384r1_uint1 x1039; -- uint32_t x1040; -- fiat_secp384r1_uint1 x1041; -- uint32_t x1042; -- fiat_secp384r1_uint1 x1043; -- uint32_t x1044; -- fiat_secp384r1_uint1 x1045; -- uint32_t x1046; -- fiat_secp384r1_uint1 x1047; -- uint32_t x1048; -- fiat_secp384r1_uint1 x1049; -- uint32_t x1050; -- fiat_secp384r1_uint1 x1051; -- uint32_t x1052; -- fiat_secp384r1_uint1 x1053; -- uint32_t x1054; -- uint32_t x1055; -- fiat_secp384r1_uint1 x1056; -- uint32_t x1057; -- fiat_secp384r1_uint1 x1058; -- uint32_t x1059; -- fiat_secp384r1_uint1 x1060; -- uint32_t x1061; -- fiat_secp384r1_uint1 x1062; -- uint32_t x1063; -- fiat_secp384r1_uint1 x1064; -- uint32_t x1065; -- fiat_secp384r1_uint1 x1066; -- uint32_t x1067; -- fiat_secp384r1_uint1 x1068; -- uint32_t x1069; -- fiat_secp384r1_uint1 x1070; -- uint32_t x1071; -- fiat_secp384r1_uint1 x1072; -- uint32_t x1073; -- fiat_secp384r1_uint1 x1074; -- uint32_t x1075; -- fiat_secp384r1_uint1 x1076; -- uint32_t x1077; -- fiat_secp384r1_uint1 x1078; -- uint32_t x1079; -- fiat_secp384r1_uint1 
x1080; -- uint32_t x1081; -- uint32_t x1082; -- uint32_t x1083; -- uint32_t x1084; -- uint32_t x1085; -- uint32_t x1086; -- uint32_t x1087; -- uint32_t x1088; -- uint32_t x1089; -- uint32_t x1090; -- uint32_t x1091; -- uint32_t x1092; -- uint32_t x1093; -- uint32_t x1094; -- uint32_t x1095; -- uint32_t x1096; -- uint32_t x1097; -- uint32_t x1098; -- uint32_t x1099; -- uint32_t x1100; -- uint32_t x1101; -- uint32_t x1102; -- uint32_t x1103; -- uint32_t x1104; -- uint32_t x1105; -- uint32_t x1106; -- fiat_secp384r1_uint1 x1107; -- uint32_t x1108; -- fiat_secp384r1_uint1 x1109; -- uint32_t x1110; -- fiat_secp384r1_uint1 x1111; -- uint32_t x1112; -- fiat_secp384r1_uint1 x1113; -- uint32_t x1114; -- fiat_secp384r1_uint1 x1115; -- uint32_t x1116; -- fiat_secp384r1_uint1 x1117; -- uint32_t x1118; -- fiat_secp384r1_uint1 x1119; -- uint32_t x1120; -- fiat_secp384r1_uint1 x1121; -- uint32_t x1122; -- fiat_secp384r1_uint1 x1123; -- uint32_t x1124; -- fiat_secp384r1_uint1 x1125; -- uint32_t x1126; -- fiat_secp384r1_uint1 x1127; -- uint32_t x1128; -- uint32_t x1129; -- fiat_secp384r1_uint1 x1130; -- uint32_t x1131; -- fiat_secp384r1_uint1 x1132; -- uint32_t x1133; -- fiat_secp384r1_uint1 x1134; -- uint32_t x1135; -- fiat_secp384r1_uint1 x1136; -- uint32_t x1137; -- fiat_secp384r1_uint1 x1138; -- uint32_t x1139; -- fiat_secp384r1_uint1 x1140; -- uint32_t x1141; -- fiat_secp384r1_uint1 x1142; -- uint32_t x1143; -- fiat_secp384r1_uint1 x1144; -- uint32_t x1145; -- fiat_secp384r1_uint1 x1146; -- uint32_t x1147; -- fiat_secp384r1_uint1 x1148; -- uint32_t x1149; -- fiat_secp384r1_uint1 x1150; -- uint32_t x1151; -- fiat_secp384r1_uint1 x1152; -- uint32_t x1153; -- fiat_secp384r1_uint1 x1154; -- uint32_t x1155; -- uint32_t x1156; -- uint32_t x1157; -- uint32_t x1158; -- uint32_t x1159; -- uint32_t x1160; -- uint32_t x1161; -- uint32_t x1162; -- uint32_t x1163; -- uint32_t x1164; -- uint32_t x1165; -- uint32_t x1166; -- uint32_t x1167; -- uint32_t x1168; -- uint32_t x1169; -- uint32_t 
x1170; -- uint32_t x1171; -- uint32_t x1172; -- uint32_t x1173; -- uint32_t x1174; -- uint32_t x1175; -- fiat_secp384r1_uint1 x1176; -- uint32_t x1177; -- fiat_secp384r1_uint1 x1178; -- uint32_t x1179; -- fiat_secp384r1_uint1 x1180; -- uint32_t x1181; -- fiat_secp384r1_uint1 x1182; -- uint32_t x1183; -- fiat_secp384r1_uint1 x1184; -- uint32_t x1185; -- fiat_secp384r1_uint1 x1186; -- uint32_t x1187; -- fiat_secp384r1_uint1 x1188; -- uint32_t x1189; -- fiat_secp384r1_uint1 x1190; -- uint32_t x1191; -- uint32_t x1192; -- fiat_secp384r1_uint1 x1193; -- uint32_t x1194; -- fiat_secp384r1_uint1 x1195; -- uint32_t x1196; -- fiat_secp384r1_uint1 x1197; -- uint32_t x1198; -- fiat_secp384r1_uint1 x1199; -- uint32_t x1200; -- fiat_secp384r1_uint1 x1201; -- uint32_t x1202; -- fiat_secp384r1_uint1 x1203; -- uint32_t x1204; -- fiat_secp384r1_uint1 x1205; -- uint32_t x1206; -- fiat_secp384r1_uint1 x1207; -- uint32_t x1208; -- fiat_secp384r1_uint1 x1209; -- uint32_t x1210; -- fiat_secp384r1_uint1 x1211; -- uint32_t x1212; -- fiat_secp384r1_uint1 x1213; -- uint32_t x1214; -- fiat_secp384r1_uint1 x1215; -- uint32_t x1216; -- fiat_secp384r1_uint1 x1217; -- uint32_t x1218; -- uint32_t x1219; -- uint32_t x1220; -- uint32_t x1221; -- uint32_t x1222; -- uint32_t x1223; -- uint32_t x1224; -- uint32_t x1225; -- uint32_t x1226; -- uint32_t x1227; -- uint32_t x1228; -- uint32_t x1229; -- uint32_t x1230; -- uint32_t x1231; -- uint32_t x1232; -- uint32_t x1233; -- uint32_t x1234; -- uint32_t x1235; -- uint32_t x1236; -- uint32_t x1237; -- uint32_t x1238; -- uint32_t x1239; -- uint32_t x1240; -- uint32_t x1241; -- uint32_t x1242; -- uint32_t x1243; -- fiat_secp384r1_uint1 x1244; -- uint32_t x1245; -- fiat_secp384r1_uint1 x1246; -- uint32_t x1247; -- fiat_secp384r1_uint1 x1248; -- uint32_t x1249; -- fiat_secp384r1_uint1 x1250; -- uint32_t x1251; -- fiat_secp384r1_uint1 x1252; -- uint32_t x1253; -- fiat_secp384r1_uint1 x1254; -- uint32_t x1255; -- fiat_secp384r1_uint1 x1256; -- uint32_t x1257; -- 
fiat_secp384r1_uint1 x1258; -- uint32_t x1259; -- fiat_secp384r1_uint1 x1260; -- uint32_t x1261; -- fiat_secp384r1_uint1 x1262; -- uint32_t x1263; -- fiat_secp384r1_uint1 x1264; -- uint32_t x1265; -- uint32_t x1266; -- fiat_secp384r1_uint1 x1267; -- uint32_t x1268; -- fiat_secp384r1_uint1 x1269; -- uint32_t x1270; -- fiat_secp384r1_uint1 x1271; -- uint32_t x1272; -- fiat_secp384r1_uint1 x1273; -- uint32_t x1274; -- fiat_secp384r1_uint1 x1275; -- uint32_t x1276; -- fiat_secp384r1_uint1 x1277; -- uint32_t x1278; -- fiat_secp384r1_uint1 x1279; -- uint32_t x1280; -- fiat_secp384r1_uint1 x1281; -- uint32_t x1282; -- fiat_secp384r1_uint1 x1283; -- uint32_t x1284; -- fiat_secp384r1_uint1 x1285; -- uint32_t x1286; -- fiat_secp384r1_uint1 x1287; -- uint32_t x1288; -- fiat_secp384r1_uint1 x1289; -- uint32_t x1290; -- fiat_secp384r1_uint1 x1291; -- uint32_t x1292; -- uint32_t x1293; -- uint32_t x1294; -- uint32_t x1295; -- uint32_t x1296; -- uint32_t x1297; -- uint32_t x1298; -- uint32_t x1299; -- uint32_t x1300; -- uint32_t x1301; -- uint32_t x1302; -- uint32_t x1303; -- uint32_t x1304; -- uint32_t x1305; -- uint32_t x1306; -- uint32_t x1307; -- uint32_t x1308; -- uint32_t x1309; -- uint32_t x1310; -- uint32_t x1311; -- uint32_t x1312; -- fiat_secp384r1_uint1 x1313; -- uint32_t x1314; -- fiat_secp384r1_uint1 x1315; -- uint32_t x1316; -- fiat_secp384r1_uint1 x1317; -- uint32_t x1318; -- fiat_secp384r1_uint1 x1319; -- uint32_t x1320; -- fiat_secp384r1_uint1 x1321; -- uint32_t x1322; -- fiat_secp384r1_uint1 x1323; -- uint32_t x1324; -- fiat_secp384r1_uint1 x1325; -- uint32_t x1326; -- fiat_secp384r1_uint1 x1327; -- uint32_t x1328; -- uint32_t x1329; -- fiat_secp384r1_uint1 x1330; -- uint32_t x1331; -- fiat_secp384r1_uint1 x1332; -- uint32_t x1333; -- fiat_secp384r1_uint1 x1334; -- uint32_t x1335; -- fiat_secp384r1_uint1 x1336; -- uint32_t x1337; -- fiat_secp384r1_uint1 x1338; -- uint32_t x1339; -- fiat_secp384r1_uint1 x1340; -- uint32_t x1341; -- fiat_secp384r1_uint1 x1342; -- 
uint32_t x1343; -- fiat_secp384r1_uint1 x1344; -- uint32_t x1345; -- fiat_secp384r1_uint1 x1346; -- uint32_t x1347; -- fiat_secp384r1_uint1 x1348; -- uint32_t x1349; -- fiat_secp384r1_uint1 x1350; -- uint32_t x1351; -- fiat_secp384r1_uint1 x1352; -- uint32_t x1353; -- fiat_secp384r1_uint1 x1354; -- uint32_t x1355; -- uint32_t x1356; -- uint32_t x1357; -- uint32_t x1358; -- uint32_t x1359; -- uint32_t x1360; -- uint32_t x1361; -- uint32_t x1362; -- uint32_t x1363; -- uint32_t x1364; -- uint32_t x1365; -- uint32_t x1366; -- uint32_t x1367; -- uint32_t x1368; -- uint32_t x1369; -- uint32_t x1370; -- uint32_t x1371; -- uint32_t x1372; -- uint32_t x1373; -- uint32_t x1374; -- uint32_t x1375; -- uint32_t x1376; -- uint32_t x1377; -- uint32_t x1378; -- uint32_t x1379; -- uint32_t x1380; -- fiat_secp384r1_uint1 x1381; -- uint32_t x1382; -- fiat_secp384r1_uint1 x1383; -- uint32_t x1384; -- fiat_secp384r1_uint1 x1385; -- uint32_t x1386; -- fiat_secp384r1_uint1 x1387; -- uint32_t x1388; -- fiat_secp384r1_uint1 x1389; -- uint32_t x1390; -- fiat_secp384r1_uint1 x1391; -- uint32_t x1392; -- fiat_secp384r1_uint1 x1393; -- uint32_t x1394; -- fiat_secp384r1_uint1 x1395; -- uint32_t x1396; -- fiat_secp384r1_uint1 x1397; -- uint32_t x1398; -- fiat_secp384r1_uint1 x1399; -- uint32_t x1400; -- fiat_secp384r1_uint1 x1401; -- uint32_t x1402; -- uint32_t x1403; -- fiat_secp384r1_uint1 x1404; -- uint32_t x1405; -- fiat_secp384r1_uint1 x1406; -- uint32_t x1407; -- fiat_secp384r1_uint1 x1408; -- uint32_t x1409; -- fiat_secp384r1_uint1 x1410; -- uint32_t x1411; -- fiat_secp384r1_uint1 x1412; -- uint32_t x1413; -- fiat_secp384r1_uint1 x1414; -- uint32_t x1415; -- fiat_secp384r1_uint1 x1416; -- uint32_t x1417; -- fiat_secp384r1_uint1 x1418; -- uint32_t x1419; -- fiat_secp384r1_uint1 x1420; -- uint32_t x1421; -- fiat_secp384r1_uint1 x1422; -- uint32_t x1423; -- fiat_secp384r1_uint1 x1424; -- uint32_t x1425; -- fiat_secp384r1_uint1 x1426; -- uint32_t x1427; -- fiat_secp384r1_uint1 x1428; -- 
uint32_t x1429; -- uint32_t x1430; -- uint32_t x1431; -- uint32_t x1432; -- uint32_t x1433; -- uint32_t x1434; -- uint32_t x1435; -- uint32_t x1436; -- uint32_t x1437; -- uint32_t x1438; -- uint32_t x1439; -- uint32_t x1440; -- uint32_t x1441; -- uint32_t x1442; -- uint32_t x1443; -- uint32_t x1444; -- uint32_t x1445; -- uint32_t x1446; -- uint32_t x1447; -- uint32_t x1448; -- uint32_t x1449; -- fiat_secp384r1_uint1 x1450; -- uint32_t x1451; -- fiat_secp384r1_uint1 x1452; -- uint32_t x1453; -- fiat_secp384r1_uint1 x1454; -- uint32_t x1455; -- fiat_secp384r1_uint1 x1456; -- uint32_t x1457; -- fiat_secp384r1_uint1 x1458; -- uint32_t x1459; -- fiat_secp384r1_uint1 x1460; -- uint32_t x1461; -- fiat_secp384r1_uint1 x1462; -- uint32_t x1463; -- fiat_secp384r1_uint1 x1464; -- uint32_t x1465; -- uint32_t x1466; -- fiat_secp384r1_uint1 x1467; -- uint32_t x1468; -- fiat_secp384r1_uint1 x1469; -- uint32_t x1470; -- fiat_secp384r1_uint1 x1471; -- uint32_t x1472; -- fiat_secp384r1_uint1 x1473; -- uint32_t x1474; -- fiat_secp384r1_uint1 x1475; -- uint32_t x1476; -- fiat_secp384r1_uint1 x1477; -- uint32_t x1478; -- fiat_secp384r1_uint1 x1479; -- uint32_t x1480; -- fiat_secp384r1_uint1 x1481; -- uint32_t x1482; -- fiat_secp384r1_uint1 x1483; -- uint32_t x1484; -- fiat_secp384r1_uint1 x1485; -- uint32_t x1486; -- fiat_secp384r1_uint1 x1487; -- uint32_t x1488; -- fiat_secp384r1_uint1 x1489; -- uint32_t x1490; -- fiat_secp384r1_uint1 x1491; -- uint32_t x1492; -- uint32_t x1493; -- uint32_t x1494; -- uint32_t x1495; -- uint32_t x1496; -- uint32_t x1497; -- uint32_t x1498; -- uint32_t x1499; -- uint32_t x1500; -- uint32_t x1501; -- uint32_t x1502; -- uint32_t x1503; -- uint32_t x1504; -- uint32_t x1505; -- uint32_t x1506; -- uint32_t x1507; -- uint32_t x1508; -- uint32_t x1509; -- uint32_t x1510; -- uint32_t x1511; -- uint32_t x1512; -- uint32_t x1513; -- uint32_t x1514; -- uint32_t x1515; -- uint32_t x1516; -- uint32_t x1517; -- fiat_secp384r1_uint1 x1518; -- uint32_t x1519; -- 
fiat_secp384r1_uint1 x1520; -- uint32_t x1521; -- fiat_secp384r1_uint1 x1522; -- uint32_t x1523; -- fiat_secp384r1_uint1 x1524; -- uint32_t x1525; -- fiat_secp384r1_uint1 x1526; -- uint32_t x1527; -- fiat_secp384r1_uint1 x1528; -- uint32_t x1529; -- fiat_secp384r1_uint1 x1530; -- uint32_t x1531; -- fiat_secp384r1_uint1 x1532; -- uint32_t x1533; -- fiat_secp384r1_uint1 x1534; -- uint32_t x1535; -- fiat_secp384r1_uint1 x1536; -- uint32_t x1537; -- fiat_secp384r1_uint1 x1538; -- uint32_t x1539; -- uint32_t x1540; -- fiat_secp384r1_uint1 x1541; -- uint32_t x1542; -- fiat_secp384r1_uint1 x1543; -- uint32_t x1544; -- fiat_secp384r1_uint1 x1545; -- uint32_t x1546; -- fiat_secp384r1_uint1 x1547; -- uint32_t x1548; -- fiat_secp384r1_uint1 x1549; -- uint32_t x1550; -- fiat_secp384r1_uint1 x1551; -- uint32_t x1552; -- fiat_secp384r1_uint1 x1553; -- uint32_t x1554; -- fiat_secp384r1_uint1 x1555; -- uint32_t x1556; -- fiat_secp384r1_uint1 x1557; -- uint32_t x1558; -- fiat_secp384r1_uint1 x1559; -- uint32_t x1560; -- fiat_secp384r1_uint1 x1561; -- uint32_t x1562; -- fiat_secp384r1_uint1 x1563; -- uint32_t x1564; -- fiat_secp384r1_uint1 x1565; -- uint32_t x1566; -- uint32_t x1567; -- uint32_t x1568; -- uint32_t x1569; -- uint32_t x1570; -- uint32_t x1571; -- uint32_t x1572; -- uint32_t x1573; -- uint32_t x1574; -- uint32_t x1575; -- uint32_t x1576; -- uint32_t x1577; -- uint32_t x1578; -- uint32_t x1579; -- uint32_t x1580; -- uint32_t x1581; -- uint32_t x1582; -- uint32_t x1583; -- uint32_t x1584; -- uint32_t x1585; -- uint32_t x1586; -- fiat_secp384r1_uint1 x1587; -- uint32_t x1588; -- fiat_secp384r1_uint1 x1589; -- uint32_t x1590; -- fiat_secp384r1_uint1 x1591; -- uint32_t x1592; -- fiat_secp384r1_uint1 x1593; -- uint32_t x1594; -- fiat_secp384r1_uint1 x1595; -- uint32_t x1596; -- fiat_secp384r1_uint1 x1597; -- uint32_t x1598; -- fiat_secp384r1_uint1 x1599; -- uint32_t x1600; -- fiat_secp384r1_uint1 x1601; -- uint32_t x1602; -- uint32_t x1603; -- fiat_secp384r1_uint1 x1604; -- 
uint32_t x1605; -- fiat_secp384r1_uint1 x1606; -- uint32_t x1607; -- fiat_secp384r1_uint1 x1608; -- uint32_t x1609; -- fiat_secp384r1_uint1 x1610; -- uint32_t x1611; -- fiat_secp384r1_uint1 x1612; -- uint32_t x1613; -- fiat_secp384r1_uint1 x1614; -- uint32_t x1615; -- fiat_secp384r1_uint1 x1616; -- uint32_t x1617; -- fiat_secp384r1_uint1 x1618; -- uint32_t x1619; -- fiat_secp384r1_uint1 x1620; -- uint32_t x1621; -- fiat_secp384r1_uint1 x1622; -- uint32_t x1623; -- fiat_secp384r1_uint1 x1624; -- uint32_t x1625; -- fiat_secp384r1_uint1 x1626; -- uint32_t x1627; -- fiat_secp384r1_uint1 x1628; -- uint32_t x1629; -- uint32_t x1630; -- fiat_secp384r1_uint1 x1631; -- uint32_t x1632; -- fiat_secp384r1_uint1 x1633; -- uint32_t x1634; -- fiat_secp384r1_uint1 x1635; -- uint32_t x1636; -- fiat_secp384r1_uint1 x1637; -- uint32_t x1638; -- fiat_secp384r1_uint1 x1639; -- uint32_t x1640; -- fiat_secp384r1_uint1 x1641; -- uint32_t x1642; -- fiat_secp384r1_uint1 x1643; -- uint32_t x1644; -- fiat_secp384r1_uint1 x1645; -- uint32_t x1646; -- fiat_secp384r1_uint1 x1647; -- uint32_t x1648; -- fiat_secp384r1_uint1 x1649; -- uint32_t x1650; -- fiat_secp384r1_uint1 x1651; -- uint32_t x1652; -- fiat_secp384r1_uint1 x1653; -- uint32_t x1654; -- fiat_secp384r1_uint1 x1655; -- uint32_t x1656; -- uint32_t x1657; -- uint32_t x1658; -- uint32_t x1659; -- uint32_t x1660; -- uint32_t x1661; -- uint32_t x1662; -- uint32_t x1663; -- uint32_t x1664; -- uint32_t x1665; -- uint32_t x1666; -- uint32_t x1667; -- x1 = (arg1[1]); -- x2 = (arg1[2]); -- x3 = (arg1[3]); -- x4 = (arg1[4]); -- x5 = (arg1[5]); -- x6 = (arg1[6]); -- x7 = (arg1[7]); -- x8 = (arg1[8]); -- x9 = (arg1[9]); -- x10 = (arg1[10]); -- x11 = (arg1[11]); -- x12 = (arg1[0]); -- fiat_secp384r1_mulx_u32(&x13, &x14, x12, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x15, &x16, x12, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x17, &x18, x12, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x19, &x20, x12, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x21, &x22, x12, 
(arg1[7])); -- fiat_secp384r1_mulx_u32(&x23, &x24, x12, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x25, &x26, x12, (arg1[5])); -- fiat_secp384r1_mulx_u32(&x27, &x28, x12, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x29, &x30, x12, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x31, &x32, x12, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x33, &x34, x12, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x35, &x36, x12, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x37, &x38, 0x0, x36, x33); -- fiat_secp384r1_addcarryx_u32(&x39, &x40, x38, x34, x31); -- fiat_secp384r1_addcarryx_u32(&x41, &x42, x40, x32, x29); -- fiat_secp384r1_addcarryx_u32(&x43, &x44, x42, x30, x27); -- fiat_secp384r1_addcarryx_u32(&x45, &x46, x44, x28, x25); -- fiat_secp384r1_addcarryx_u32(&x47, &x48, x46, x26, x23); -- fiat_secp384r1_addcarryx_u32(&x49, &x50, x48, x24, x21); -- fiat_secp384r1_addcarryx_u32(&x51, &x52, x50, x22, x19); -- fiat_secp384r1_addcarryx_u32(&x53, &x54, x52, x20, x17); -- fiat_secp384r1_addcarryx_u32(&x55, &x56, x54, x18, x15); -- fiat_secp384r1_addcarryx_u32(&x57, &x58, x56, x16, x13); -- x59 = (x58 + x14); -- fiat_secp384r1_mulx_u32(&x60, &x61, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x62, &x63, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x64, &x65, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x66, &x67, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x68, &x69, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x70, &x71, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x72, &x73, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x74, &x75, x35, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x76, &x77, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x78, &x79, x35, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x80, &x81, 0x0, x77, x74); -- fiat_secp384r1_addcarryx_u32(&x82, &x83, x81, x75, x72); -- fiat_secp384r1_addcarryx_u32(&x84, &x85, x83, x73, x70); -- fiat_secp384r1_addcarryx_u32(&x86, &x87, x85, x71, x68); -- 
fiat_secp384r1_addcarryx_u32(&x88, &x89, x87, x69, x66); -- fiat_secp384r1_addcarryx_u32(&x90, &x91, x89, x67, x64); -- fiat_secp384r1_addcarryx_u32(&x92, &x93, x91, x65, x62); -- fiat_secp384r1_addcarryx_u32(&x94, &x95, x93, x63, x60); -- x96 = (x95 + x61); -- fiat_secp384r1_addcarryx_u32(&x97, &x98, 0x0, x35, x78); -- fiat_secp384r1_addcarryx_u32(&x99, &x100, x98, x37, x79); -- fiat_secp384r1_addcarryx_u32(&x101, &x102, x100, x39, 0x0); -- fiat_secp384r1_addcarryx_u32(&x103, &x104, x102, x41, x76); -- fiat_secp384r1_addcarryx_u32(&x105, &x106, x104, x43, x80); -- fiat_secp384r1_addcarryx_u32(&x107, &x108, x106, x45, x82); -- fiat_secp384r1_addcarryx_u32(&x109, &x110, x108, x47, x84); -- fiat_secp384r1_addcarryx_u32(&x111, &x112, x110, x49, x86); -- fiat_secp384r1_addcarryx_u32(&x113, &x114, x112, x51, x88); -- fiat_secp384r1_addcarryx_u32(&x115, &x116, x114, x53, x90); -- fiat_secp384r1_addcarryx_u32(&x117, &x118, x116, x55, x92); -- fiat_secp384r1_addcarryx_u32(&x119, &x120, x118, x57, x94); -- fiat_secp384r1_addcarryx_u32(&x121, &x122, x120, x59, x96); -- fiat_secp384r1_mulx_u32(&x123, &x124, x1, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x125, &x126, x1, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x127, &x128, x1, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x129, &x130, x1, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x131, &x132, x1, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x133, &x134, x1, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x135, &x136, x1, (arg1[5])); -- fiat_secp384r1_mulx_u32(&x137, &x138, x1, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x139, &x140, x1, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x141, &x142, x1, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x143, &x144, x1, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x145, &x146, x1, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x147, &x148, 0x0, x146, x143); -- fiat_secp384r1_addcarryx_u32(&x149, &x150, x148, x144, x141); -- fiat_secp384r1_addcarryx_u32(&x151, &x152, x150, x142, x139); -- fiat_secp384r1_addcarryx_u32(&x153, &x154, 
x152, x140, x137); -- fiat_secp384r1_addcarryx_u32(&x155, &x156, x154, x138, x135); -- fiat_secp384r1_addcarryx_u32(&x157, &x158, x156, x136, x133); -- fiat_secp384r1_addcarryx_u32(&x159, &x160, x158, x134, x131); -- fiat_secp384r1_addcarryx_u32(&x161, &x162, x160, x132, x129); -- fiat_secp384r1_addcarryx_u32(&x163, &x164, x162, x130, x127); -- fiat_secp384r1_addcarryx_u32(&x165, &x166, x164, x128, x125); -- fiat_secp384r1_addcarryx_u32(&x167, &x168, x166, x126, x123); -- x169 = (x168 + x124); -- fiat_secp384r1_addcarryx_u32(&x170, &x171, 0x0, x99, x145); -- fiat_secp384r1_addcarryx_u32(&x172, &x173, x171, x101, x147); -- fiat_secp384r1_addcarryx_u32(&x174, &x175, x173, x103, x149); -- fiat_secp384r1_addcarryx_u32(&x176, &x177, x175, x105, x151); -- fiat_secp384r1_addcarryx_u32(&x178, &x179, x177, x107, x153); -- fiat_secp384r1_addcarryx_u32(&x180, &x181, x179, x109, x155); -- fiat_secp384r1_addcarryx_u32(&x182, &x183, x181, x111, x157); -- fiat_secp384r1_addcarryx_u32(&x184, &x185, x183, x113, x159); -- fiat_secp384r1_addcarryx_u32(&x186, &x187, x185, x115, x161); -- fiat_secp384r1_addcarryx_u32(&x188, &x189, x187, x117, x163); -- fiat_secp384r1_addcarryx_u32(&x190, &x191, x189, x119, x165); -- fiat_secp384r1_addcarryx_u32(&x192, &x193, x191, x121, x167); -- fiat_secp384r1_addcarryx_u32(&x194, &x195, x193, x122, x169); -- fiat_secp384r1_mulx_u32(&x196, &x197, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x198, &x199, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x200, &x201, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x202, &x203, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x204, &x205, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x206, &x207, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x208, &x209, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x210, &x211, x170, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x212, &x213, x170, UINT32_C(0xffffffff)); -- 
fiat_secp384r1_mulx_u32(&x214, &x215, x170, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x216, &x217, 0x0, x213, x210); -- fiat_secp384r1_addcarryx_u32(&x218, &x219, x217, x211, x208); -- fiat_secp384r1_addcarryx_u32(&x220, &x221, x219, x209, x206); -- fiat_secp384r1_addcarryx_u32(&x222, &x223, x221, x207, x204); -- fiat_secp384r1_addcarryx_u32(&x224, &x225, x223, x205, x202); -- fiat_secp384r1_addcarryx_u32(&x226, &x227, x225, x203, x200); -- fiat_secp384r1_addcarryx_u32(&x228, &x229, x227, x201, x198); -- fiat_secp384r1_addcarryx_u32(&x230, &x231, x229, x199, x196); -- x232 = (x231 + x197); -- fiat_secp384r1_addcarryx_u32(&x233, &x234, 0x0, x170, x214); -- fiat_secp384r1_addcarryx_u32(&x235, &x236, x234, x172, x215); -- fiat_secp384r1_addcarryx_u32(&x237, &x238, x236, x174, 0x0); -- fiat_secp384r1_addcarryx_u32(&x239, &x240, x238, x176, x212); -- fiat_secp384r1_addcarryx_u32(&x241, &x242, x240, x178, x216); -- fiat_secp384r1_addcarryx_u32(&x243, &x244, x242, x180, x218); -- fiat_secp384r1_addcarryx_u32(&x245, &x246, x244, x182, x220); -- fiat_secp384r1_addcarryx_u32(&x247, &x248, x246, x184, x222); -- fiat_secp384r1_addcarryx_u32(&x249, &x250, x248, x186, x224); -- fiat_secp384r1_addcarryx_u32(&x251, &x252, x250, x188, x226); -- fiat_secp384r1_addcarryx_u32(&x253, &x254, x252, x190, x228); -- fiat_secp384r1_addcarryx_u32(&x255, &x256, x254, x192, x230); -- fiat_secp384r1_addcarryx_u32(&x257, &x258, x256, x194, x232); -- x259 = ((uint32_t)x258 + x195); -- fiat_secp384r1_mulx_u32(&x260, &x261, x2, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x262, &x263, x2, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x264, &x265, x2, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x266, &x267, x2, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x268, &x269, x2, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x270, &x271, x2, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x272, &x273, x2, (arg1[5])); -- fiat_secp384r1_mulx_u32(&x274, &x275, x2, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x276, &x277, x2, 
(arg1[3])); -- fiat_secp384r1_mulx_u32(&x278, &x279, x2, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x280, &x281, x2, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x282, &x283, x2, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x284, &x285, 0x0, x283, x280); -- fiat_secp384r1_addcarryx_u32(&x286, &x287, x285, x281, x278); -- fiat_secp384r1_addcarryx_u32(&x288, &x289, x287, x279, x276); -- fiat_secp384r1_addcarryx_u32(&x290, &x291, x289, x277, x274); -- fiat_secp384r1_addcarryx_u32(&x292, &x293, x291, x275, x272); -- fiat_secp384r1_addcarryx_u32(&x294, &x295, x293, x273, x270); -- fiat_secp384r1_addcarryx_u32(&x296, &x297, x295, x271, x268); -- fiat_secp384r1_addcarryx_u32(&x298, &x299, x297, x269, x266); -- fiat_secp384r1_addcarryx_u32(&x300, &x301, x299, x267, x264); -- fiat_secp384r1_addcarryx_u32(&x302, &x303, x301, x265, x262); -- fiat_secp384r1_addcarryx_u32(&x304, &x305, x303, x263, x260); -- x306 = (x305 + x261); -- fiat_secp384r1_addcarryx_u32(&x307, &x308, 0x0, x235, x282); -- fiat_secp384r1_addcarryx_u32(&x309, &x310, x308, x237, x284); -- fiat_secp384r1_addcarryx_u32(&x311, &x312, x310, x239, x286); -- fiat_secp384r1_addcarryx_u32(&x313, &x314, x312, x241, x288); -- fiat_secp384r1_addcarryx_u32(&x315, &x316, x314, x243, x290); -- fiat_secp384r1_addcarryx_u32(&x317, &x318, x316, x245, x292); -- fiat_secp384r1_addcarryx_u32(&x319, &x320, x318, x247, x294); -- fiat_secp384r1_addcarryx_u32(&x321, &x322, x320, x249, x296); -- fiat_secp384r1_addcarryx_u32(&x323, &x324, x322, x251, x298); -- fiat_secp384r1_addcarryx_u32(&x325, &x326, x324, x253, x300); -- fiat_secp384r1_addcarryx_u32(&x327, &x328, x326, x255, x302); -- fiat_secp384r1_addcarryx_u32(&x329, &x330, x328, x257, x304); -- fiat_secp384r1_addcarryx_u32(&x331, &x332, x330, x259, x306); -- fiat_secp384r1_mulx_u32(&x333, &x334, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x335, &x336, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x337, &x338, x307, UINT32_C(0xffffffff)); -- 
fiat_secp384r1_mulx_u32(&x339, &x340, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x341, &x342, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x343, &x344, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x345, &x346, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x347, &x348, x307, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x349, &x350, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x351, &x352, x307, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x353, &x354, 0x0, x350, x347); -- fiat_secp384r1_addcarryx_u32(&x355, &x356, x354, x348, x345); -- fiat_secp384r1_addcarryx_u32(&x357, &x358, x356, x346, x343); -- fiat_secp384r1_addcarryx_u32(&x359, &x360, x358, x344, x341); -- fiat_secp384r1_addcarryx_u32(&x361, &x362, x360, x342, x339); -- fiat_secp384r1_addcarryx_u32(&x363, &x364, x362, x340, x337); -- fiat_secp384r1_addcarryx_u32(&x365, &x366, x364, x338, x335); -- fiat_secp384r1_addcarryx_u32(&x367, &x368, x366, x336, x333); -- x369 = (x368 + x334); -- fiat_secp384r1_addcarryx_u32(&x370, &x371, 0x0, x307, x351); -- fiat_secp384r1_addcarryx_u32(&x372, &x373, x371, x309, x352); -- fiat_secp384r1_addcarryx_u32(&x374, &x375, x373, x311, 0x0); -- fiat_secp384r1_addcarryx_u32(&x376, &x377, x375, x313, x349); -- fiat_secp384r1_addcarryx_u32(&x378, &x379, x377, x315, x353); -- fiat_secp384r1_addcarryx_u32(&x380, &x381, x379, x317, x355); -- fiat_secp384r1_addcarryx_u32(&x382, &x383, x381, x319, x357); -- fiat_secp384r1_addcarryx_u32(&x384, &x385, x383, x321, x359); -- fiat_secp384r1_addcarryx_u32(&x386, &x387, x385, x323, x361); -- fiat_secp384r1_addcarryx_u32(&x388, &x389, x387, x325, x363); -- fiat_secp384r1_addcarryx_u32(&x390, &x391, x389, x327, x365); -- fiat_secp384r1_addcarryx_u32(&x392, &x393, x391, x329, x367); -- fiat_secp384r1_addcarryx_u32(&x394, &x395, x393, x331, x369); -- x396 = ((uint32_t)x395 + x332); -- fiat_secp384r1_mulx_u32(&x397, &x398, x3, (arg1[11])); -- 
fiat_secp384r1_mulx_u32(&x399, &x400, x3, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x401, &x402, x3, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x403, &x404, x3, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x405, &x406, x3, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x407, &x408, x3, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x409, &x410, x3, (arg1[5])); -- fiat_secp384r1_mulx_u32(&x411, &x412, x3, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x413, &x414, x3, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x415, &x416, x3, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x417, &x418, x3, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x419, &x420, x3, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x421, &x422, 0x0, x420, x417); -- fiat_secp384r1_addcarryx_u32(&x423, &x424, x422, x418, x415); -- fiat_secp384r1_addcarryx_u32(&x425, &x426, x424, x416, x413); -- fiat_secp384r1_addcarryx_u32(&x427, &x428, x426, x414, x411); -- fiat_secp384r1_addcarryx_u32(&x429, &x430, x428, x412, x409); -- fiat_secp384r1_addcarryx_u32(&x431, &x432, x430, x410, x407); -- fiat_secp384r1_addcarryx_u32(&x433, &x434, x432, x408, x405); -- fiat_secp384r1_addcarryx_u32(&x435, &x436, x434, x406, x403); -- fiat_secp384r1_addcarryx_u32(&x437, &x438, x436, x404, x401); -- fiat_secp384r1_addcarryx_u32(&x439, &x440, x438, x402, x399); -- fiat_secp384r1_addcarryx_u32(&x441, &x442, x440, x400, x397); -- x443 = (x442 + x398); -- fiat_secp384r1_addcarryx_u32(&x444, &x445, 0x0, x372, x419); -- fiat_secp384r1_addcarryx_u32(&x446, &x447, x445, x374, x421); -- fiat_secp384r1_addcarryx_u32(&x448, &x449, x447, x376, x423); -- fiat_secp384r1_addcarryx_u32(&x450, &x451, x449, x378, x425); -- fiat_secp384r1_addcarryx_u32(&x452, &x453, x451, x380, x427); -- fiat_secp384r1_addcarryx_u32(&x454, &x455, x453, x382, x429); -- fiat_secp384r1_addcarryx_u32(&x456, &x457, x455, x384, x431); -- fiat_secp384r1_addcarryx_u32(&x458, &x459, x457, x386, x433); -- fiat_secp384r1_addcarryx_u32(&x460, &x461, x459, x388, x435); -- fiat_secp384r1_addcarryx_u32(&x462, &x463, x461, 
x390, x437); -- fiat_secp384r1_addcarryx_u32(&x464, &x465, x463, x392, x439); -- fiat_secp384r1_addcarryx_u32(&x466, &x467, x465, x394, x441); -- fiat_secp384r1_addcarryx_u32(&x468, &x469, x467, x396, x443); -- fiat_secp384r1_mulx_u32(&x470, &x471, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x472, &x473, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x474, &x475, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x476, &x477, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x478, &x479, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x480, &x481, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x482, &x483, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x484, &x485, x444, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x486, &x487, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x488, &x489, x444, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x490, &x491, 0x0, x487, x484); -- fiat_secp384r1_addcarryx_u32(&x492, &x493, x491, x485, x482); -- fiat_secp384r1_addcarryx_u32(&x494, &x495, x493, x483, x480); -- fiat_secp384r1_addcarryx_u32(&x496, &x497, x495, x481, x478); -- fiat_secp384r1_addcarryx_u32(&x498, &x499, x497, x479, x476); -- fiat_secp384r1_addcarryx_u32(&x500, &x501, x499, x477, x474); -- fiat_secp384r1_addcarryx_u32(&x502, &x503, x501, x475, x472); -- fiat_secp384r1_addcarryx_u32(&x504, &x505, x503, x473, x470); -- x506 = (x505 + x471); -- fiat_secp384r1_addcarryx_u32(&x507, &x508, 0x0, x444, x488); -- fiat_secp384r1_addcarryx_u32(&x509, &x510, x508, x446, x489); -- fiat_secp384r1_addcarryx_u32(&x511, &x512, x510, x448, 0x0); -- fiat_secp384r1_addcarryx_u32(&x513, &x514, x512, x450, x486); -- fiat_secp384r1_addcarryx_u32(&x515, &x516, x514, x452, x490); -- fiat_secp384r1_addcarryx_u32(&x517, &x518, x516, x454, x492); -- fiat_secp384r1_addcarryx_u32(&x519, &x520, x518, x456, x494); -- fiat_secp384r1_addcarryx_u32(&x521, &x522, x520, x458, x496); -- 
fiat_secp384r1_addcarryx_u32(&x523, &x524, x522, x460, x498); -- fiat_secp384r1_addcarryx_u32(&x525, &x526, x524, x462, x500); -- fiat_secp384r1_addcarryx_u32(&x527, &x528, x526, x464, x502); -- fiat_secp384r1_addcarryx_u32(&x529, &x530, x528, x466, x504); -- fiat_secp384r1_addcarryx_u32(&x531, &x532, x530, x468, x506); -- x533 = ((uint32_t)x532 + x469); -- fiat_secp384r1_mulx_u32(&x534, &x535, x4, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x536, &x537, x4, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x538, &x539, x4, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x540, &x541, x4, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x542, &x543, x4, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x544, &x545, x4, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x546, &x547, x4, (arg1[5])); -- fiat_secp384r1_mulx_u32(&x548, &x549, x4, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x550, &x551, x4, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x552, &x553, x4, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x554, &x555, x4, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x556, &x557, x4, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x558, &x559, 0x0, x557, x554); -- fiat_secp384r1_addcarryx_u32(&x560, &x561, x559, x555, x552); -- fiat_secp384r1_addcarryx_u32(&x562, &x563, x561, x553, x550); -- fiat_secp384r1_addcarryx_u32(&x564, &x565, x563, x551, x548); -- fiat_secp384r1_addcarryx_u32(&x566, &x567, x565, x549, x546); -- fiat_secp384r1_addcarryx_u32(&x568, &x569, x567, x547, x544); -- fiat_secp384r1_addcarryx_u32(&x570, &x571, x569, x545, x542); -- fiat_secp384r1_addcarryx_u32(&x572, &x573, x571, x543, x540); -- fiat_secp384r1_addcarryx_u32(&x574, &x575, x573, x541, x538); -- fiat_secp384r1_addcarryx_u32(&x576, &x577, x575, x539, x536); -- fiat_secp384r1_addcarryx_u32(&x578, &x579, x577, x537, x534); -- x580 = (x579 + x535); -- fiat_secp384r1_addcarryx_u32(&x581, &x582, 0x0, x509, x556); -- fiat_secp384r1_addcarryx_u32(&x583, &x584, x582, x511, x558); -- fiat_secp384r1_addcarryx_u32(&x585, &x586, x584, x513, x560); -- 
fiat_secp384r1_addcarryx_u32(&x587, &x588, x586, x515, x562); -- fiat_secp384r1_addcarryx_u32(&x589, &x590, x588, x517, x564); -- fiat_secp384r1_addcarryx_u32(&x591, &x592, x590, x519, x566); -- fiat_secp384r1_addcarryx_u32(&x593, &x594, x592, x521, x568); -- fiat_secp384r1_addcarryx_u32(&x595, &x596, x594, x523, x570); -- fiat_secp384r1_addcarryx_u32(&x597, &x598, x596, x525, x572); -- fiat_secp384r1_addcarryx_u32(&x599, &x600, x598, x527, x574); -- fiat_secp384r1_addcarryx_u32(&x601, &x602, x600, x529, x576); -- fiat_secp384r1_addcarryx_u32(&x603, &x604, x602, x531, x578); -- fiat_secp384r1_addcarryx_u32(&x605, &x606, x604, x533, x580); -- fiat_secp384r1_mulx_u32(&x607, &x608, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x609, &x610, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x611, &x612, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x613, &x614, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x615, &x616, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x617, &x618, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x619, &x620, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x621, &x622, x581, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x623, &x624, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x625, &x626, x581, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x627, &x628, 0x0, x624, x621); -- fiat_secp384r1_addcarryx_u32(&x629, &x630, x628, x622, x619); -- fiat_secp384r1_addcarryx_u32(&x631, &x632, x630, x620, x617); -- fiat_secp384r1_addcarryx_u32(&x633, &x634, x632, x618, x615); -- fiat_secp384r1_addcarryx_u32(&x635, &x636, x634, x616, x613); -- fiat_secp384r1_addcarryx_u32(&x637, &x638, x636, x614, x611); -- fiat_secp384r1_addcarryx_u32(&x639, &x640, x638, x612, x609); -- fiat_secp384r1_addcarryx_u32(&x641, &x642, x640, x610, x607); -- x643 = (x642 + x608); -- fiat_secp384r1_addcarryx_u32(&x644, &x645, 0x0, x581, x625); -- fiat_secp384r1_addcarryx_u32(&x646, 
&x647, x645, x583, x626); -- fiat_secp384r1_addcarryx_u32(&x648, &x649, x647, x585, 0x0); -- fiat_secp384r1_addcarryx_u32(&x650, &x651, x649, x587, x623); -- fiat_secp384r1_addcarryx_u32(&x652, &x653, x651, x589, x627); -- fiat_secp384r1_addcarryx_u32(&x654, &x655, x653, x591, x629); -- fiat_secp384r1_addcarryx_u32(&x656, &x657, x655, x593, x631); -- fiat_secp384r1_addcarryx_u32(&x658, &x659, x657, x595, x633); -- fiat_secp384r1_addcarryx_u32(&x660, &x661, x659, x597, x635); -- fiat_secp384r1_addcarryx_u32(&x662, &x663, x661, x599, x637); -- fiat_secp384r1_addcarryx_u32(&x664, &x665, x663, x601, x639); -- fiat_secp384r1_addcarryx_u32(&x666, &x667, x665, x603, x641); -- fiat_secp384r1_addcarryx_u32(&x668, &x669, x667, x605, x643); -- x670 = ((uint32_t)x669 + x606); -- fiat_secp384r1_mulx_u32(&x671, &x672, x5, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x673, &x674, x5, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x675, &x676, x5, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x677, &x678, x5, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x679, &x680, x5, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x681, &x682, x5, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x683, &x684, x5, (arg1[5])); -- fiat_secp384r1_mulx_u32(&x685, &x686, x5, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x687, &x688, x5, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x689, &x690, x5, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x691, &x692, x5, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x693, &x694, x5, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x695, &x696, 0x0, x694, x691); -- fiat_secp384r1_addcarryx_u32(&x697, &x698, x696, x692, x689); -- fiat_secp384r1_addcarryx_u32(&x699, &x700, x698, x690, x687); -- fiat_secp384r1_addcarryx_u32(&x701, &x702, x700, x688, x685); -- fiat_secp384r1_addcarryx_u32(&x703, &x704, x702, x686, x683); -- fiat_secp384r1_addcarryx_u32(&x705, &x706, x704, x684, x681); -- fiat_secp384r1_addcarryx_u32(&x707, &x708, x706, x682, x679); -- fiat_secp384r1_addcarryx_u32(&x709, &x710, x708, x680, x677); -- 
fiat_secp384r1_addcarryx_u32(&x711, &x712, x710, x678, x675); -- fiat_secp384r1_addcarryx_u32(&x713, &x714, x712, x676, x673); -- fiat_secp384r1_addcarryx_u32(&x715, &x716, x714, x674, x671); -- x717 = (x716 + x672); -- fiat_secp384r1_addcarryx_u32(&x718, &x719, 0x0, x646, x693); -- fiat_secp384r1_addcarryx_u32(&x720, &x721, x719, x648, x695); -- fiat_secp384r1_addcarryx_u32(&x722, &x723, x721, x650, x697); -- fiat_secp384r1_addcarryx_u32(&x724, &x725, x723, x652, x699); -- fiat_secp384r1_addcarryx_u32(&x726, &x727, x725, x654, x701); -- fiat_secp384r1_addcarryx_u32(&x728, &x729, x727, x656, x703); -- fiat_secp384r1_addcarryx_u32(&x730, &x731, x729, x658, x705); -- fiat_secp384r1_addcarryx_u32(&x732, &x733, x731, x660, x707); -- fiat_secp384r1_addcarryx_u32(&x734, &x735, x733, x662, x709); -- fiat_secp384r1_addcarryx_u32(&x736, &x737, x735, x664, x711); -- fiat_secp384r1_addcarryx_u32(&x738, &x739, x737, x666, x713); -- fiat_secp384r1_addcarryx_u32(&x740, &x741, x739, x668, x715); -- fiat_secp384r1_addcarryx_u32(&x742, &x743, x741, x670, x717); -- fiat_secp384r1_mulx_u32(&x744, &x745, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x746, &x747, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x748, &x749, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x750, &x751, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x752, &x753, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x754, &x755, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x756, &x757, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x758, &x759, x718, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x760, &x761, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x762, &x763, x718, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x764, &x765, 0x0, x761, x758); -- fiat_secp384r1_addcarryx_u32(&x766, &x767, x765, x759, x756); -- fiat_secp384r1_addcarryx_u32(&x768, &x769, x767, x757, x754); -- fiat_secp384r1_addcarryx_u32(&x770, 
&x771, x769, x755, x752); -- fiat_secp384r1_addcarryx_u32(&x772, &x773, x771, x753, x750); -- fiat_secp384r1_addcarryx_u32(&x774, &x775, x773, x751, x748); -- fiat_secp384r1_addcarryx_u32(&x776, &x777, x775, x749, x746); -- fiat_secp384r1_addcarryx_u32(&x778, &x779, x777, x747, x744); -- x780 = (x779 + x745); -- fiat_secp384r1_addcarryx_u32(&x781, &x782, 0x0, x718, x762); -- fiat_secp384r1_addcarryx_u32(&x783, &x784, x782, x720, x763); -- fiat_secp384r1_addcarryx_u32(&x785, &x786, x784, x722, 0x0); -- fiat_secp384r1_addcarryx_u32(&x787, &x788, x786, x724, x760); -- fiat_secp384r1_addcarryx_u32(&x789, &x790, x788, x726, x764); -- fiat_secp384r1_addcarryx_u32(&x791, &x792, x790, x728, x766); -- fiat_secp384r1_addcarryx_u32(&x793, &x794, x792, x730, x768); -- fiat_secp384r1_addcarryx_u32(&x795, &x796, x794, x732, x770); -- fiat_secp384r1_addcarryx_u32(&x797, &x798, x796, x734, x772); -- fiat_secp384r1_addcarryx_u32(&x799, &x800, x798, x736, x774); -- fiat_secp384r1_addcarryx_u32(&x801, &x802, x800, x738, x776); -- fiat_secp384r1_addcarryx_u32(&x803, &x804, x802, x740, x778); -- fiat_secp384r1_addcarryx_u32(&x805, &x806, x804, x742, x780); -- x807 = ((uint32_t)x806 + x743); -- fiat_secp384r1_mulx_u32(&x808, &x809, x6, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x810, &x811, x6, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x812, &x813, x6, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x814, &x815, x6, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x816, &x817, x6, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x818, &x819, x6, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x820, &x821, x6, (arg1[5])); -- fiat_secp384r1_mulx_u32(&x822, &x823, x6, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x824, &x825, x6, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x826, &x827, x6, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x828, &x829, x6, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x830, &x831, x6, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x832, &x833, 0x0, x831, x828); -- fiat_secp384r1_addcarryx_u32(&x834, &x835, x833, x829, 
x826); -- fiat_secp384r1_addcarryx_u32(&x836, &x837, x835, x827, x824); -- fiat_secp384r1_addcarryx_u32(&x838, &x839, x837, x825, x822); -- fiat_secp384r1_addcarryx_u32(&x840, &x841, x839, x823, x820); -- fiat_secp384r1_addcarryx_u32(&x842, &x843, x841, x821, x818); -- fiat_secp384r1_addcarryx_u32(&x844, &x845, x843, x819, x816); -- fiat_secp384r1_addcarryx_u32(&x846, &x847, x845, x817, x814); -- fiat_secp384r1_addcarryx_u32(&x848, &x849, x847, x815, x812); -- fiat_secp384r1_addcarryx_u32(&x850, &x851, x849, x813, x810); -- fiat_secp384r1_addcarryx_u32(&x852, &x853, x851, x811, x808); -- x854 = (x853 + x809); -- fiat_secp384r1_addcarryx_u32(&x855, &x856, 0x0, x783, x830); -- fiat_secp384r1_addcarryx_u32(&x857, &x858, x856, x785, x832); -- fiat_secp384r1_addcarryx_u32(&x859, &x860, x858, x787, x834); -- fiat_secp384r1_addcarryx_u32(&x861, &x862, x860, x789, x836); -- fiat_secp384r1_addcarryx_u32(&x863, &x864, x862, x791, x838); -- fiat_secp384r1_addcarryx_u32(&x865, &x866, x864, x793, x840); -- fiat_secp384r1_addcarryx_u32(&x867, &x868, x866, x795, x842); -- fiat_secp384r1_addcarryx_u32(&x869, &x870, x868, x797, x844); -- fiat_secp384r1_addcarryx_u32(&x871, &x872, x870, x799, x846); -- fiat_secp384r1_addcarryx_u32(&x873, &x874, x872, x801, x848); -- fiat_secp384r1_addcarryx_u32(&x875, &x876, x874, x803, x850); -- fiat_secp384r1_addcarryx_u32(&x877, &x878, x876, x805, x852); -- fiat_secp384r1_addcarryx_u32(&x879, &x880, x878, x807, x854); -- fiat_secp384r1_mulx_u32(&x881, &x882, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x883, &x884, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x885, &x886, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x887, &x888, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x889, &x890, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x891, &x892, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x893, &x894, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x895, &x896, x855, 
UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x897, &x898, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x899, &x900, x855, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x901, &x902, 0x0, x898, x895); -- fiat_secp384r1_addcarryx_u32(&x903, &x904, x902, x896, x893); -- fiat_secp384r1_addcarryx_u32(&x905, &x906, x904, x894, x891); -- fiat_secp384r1_addcarryx_u32(&x907, &x908, x906, x892, x889); -- fiat_secp384r1_addcarryx_u32(&x909, &x910, x908, x890, x887); -- fiat_secp384r1_addcarryx_u32(&x911, &x912, x910, x888, x885); -- fiat_secp384r1_addcarryx_u32(&x913, &x914, x912, x886, x883); -- fiat_secp384r1_addcarryx_u32(&x915, &x916, x914, x884, x881); -- x917 = (x916 + x882); -- fiat_secp384r1_addcarryx_u32(&x918, &x919, 0x0, x855, x899); -- fiat_secp384r1_addcarryx_u32(&x920, &x921, x919, x857, x900); -- fiat_secp384r1_addcarryx_u32(&x922, &x923, x921, x859, 0x0); -- fiat_secp384r1_addcarryx_u32(&x924, &x925, x923, x861, x897); -- fiat_secp384r1_addcarryx_u32(&x926, &x927, x925, x863, x901); -- fiat_secp384r1_addcarryx_u32(&x928, &x929, x927, x865, x903); -- fiat_secp384r1_addcarryx_u32(&x930, &x931, x929, x867, x905); -- fiat_secp384r1_addcarryx_u32(&x932, &x933, x931, x869, x907); -- fiat_secp384r1_addcarryx_u32(&x934, &x935, x933, x871, x909); -- fiat_secp384r1_addcarryx_u32(&x936, &x937, x935, x873, x911); -- fiat_secp384r1_addcarryx_u32(&x938, &x939, x937, x875, x913); -- fiat_secp384r1_addcarryx_u32(&x940, &x941, x939, x877, x915); -- fiat_secp384r1_addcarryx_u32(&x942, &x943, x941, x879, x917); -- x944 = ((uint32_t)x943 + x880); -- fiat_secp384r1_mulx_u32(&x945, &x946, x7, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x947, &x948, x7, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x949, &x950, x7, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x951, &x952, x7, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x953, &x954, x7, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x955, &x956, x7, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x957, &x958, x7, (arg1[5])); -- 
fiat_secp384r1_mulx_u32(&x959, &x960, x7, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x961, &x962, x7, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x963, &x964, x7, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x965, &x966, x7, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x967, &x968, x7, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x969, &x970, 0x0, x968, x965); -- fiat_secp384r1_addcarryx_u32(&x971, &x972, x970, x966, x963); -- fiat_secp384r1_addcarryx_u32(&x973, &x974, x972, x964, x961); -- fiat_secp384r1_addcarryx_u32(&x975, &x976, x974, x962, x959); -- fiat_secp384r1_addcarryx_u32(&x977, &x978, x976, x960, x957); -- fiat_secp384r1_addcarryx_u32(&x979, &x980, x978, x958, x955); -- fiat_secp384r1_addcarryx_u32(&x981, &x982, x980, x956, x953); -- fiat_secp384r1_addcarryx_u32(&x983, &x984, x982, x954, x951); -- fiat_secp384r1_addcarryx_u32(&x985, &x986, x984, x952, x949); -- fiat_secp384r1_addcarryx_u32(&x987, &x988, x986, x950, x947); -- fiat_secp384r1_addcarryx_u32(&x989, &x990, x988, x948, x945); -- x991 = (x990 + x946); -- fiat_secp384r1_addcarryx_u32(&x992, &x993, 0x0, x920, x967); -- fiat_secp384r1_addcarryx_u32(&x994, &x995, x993, x922, x969); -- fiat_secp384r1_addcarryx_u32(&x996, &x997, x995, x924, x971); -- fiat_secp384r1_addcarryx_u32(&x998, &x999, x997, x926, x973); -- fiat_secp384r1_addcarryx_u32(&x1000, &x1001, x999, x928, x975); -- fiat_secp384r1_addcarryx_u32(&x1002, &x1003, x1001, x930, x977); -- fiat_secp384r1_addcarryx_u32(&x1004, &x1005, x1003, x932, x979); -- fiat_secp384r1_addcarryx_u32(&x1006, &x1007, x1005, x934, x981); -- fiat_secp384r1_addcarryx_u32(&x1008, &x1009, x1007, x936, x983); -- fiat_secp384r1_addcarryx_u32(&x1010, &x1011, x1009, x938, x985); -- fiat_secp384r1_addcarryx_u32(&x1012, &x1013, x1011, x940, x987); -- fiat_secp384r1_addcarryx_u32(&x1014, &x1015, x1013, x942, x989); -- fiat_secp384r1_addcarryx_u32(&x1016, &x1017, x1015, x944, x991); -- fiat_secp384r1_mulx_u32(&x1018, &x1019, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1020, 
&x1021, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1022, &x1023, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1024, &x1025, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1026, &x1027, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1028, &x1029, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1030, &x1031, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1032, &x1033, x992, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x1034, &x1035, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1036, &x1037, x992, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x1038, &x1039, 0x0, x1035, x1032); -- fiat_secp384r1_addcarryx_u32(&x1040, &x1041, x1039, x1033, x1030); -- fiat_secp384r1_addcarryx_u32(&x1042, &x1043, x1041, x1031, x1028); -- fiat_secp384r1_addcarryx_u32(&x1044, &x1045, x1043, x1029, x1026); -- fiat_secp384r1_addcarryx_u32(&x1046, &x1047, x1045, x1027, x1024); -- fiat_secp384r1_addcarryx_u32(&x1048, &x1049, x1047, x1025, x1022); -- fiat_secp384r1_addcarryx_u32(&x1050, &x1051, x1049, x1023, x1020); -- fiat_secp384r1_addcarryx_u32(&x1052, &x1053, x1051, x1021, x1018); -- x1054 = (x1053 + x1019); -- fiat_secp384r1_addcarryx_u32(&x1055, &x1056, 0x0, x992, x1036); -- fiat_secp384r1_addcarryx_u32(&x1057, &x1058, x1056, x994, x1037); -- fiat_secp384r1_addcarryx_u32(&x1059, &x1060, x1058, x996, 0x0); -- fiat_secp384r1_addcarryx_u32(&x1061, &x1062, x1060, x998, x1034); -- fiat_secp384r1_addcarryx_u32(&x1063, &x1064, x1062, x1000, x1038); -- fiat_secp384r1_addcarryx_u32(&x1065, &x1066, x1064, x1002, x1040); -- fiat_secp384r1_addcarryx_u32(&x1067, &x1068, x1066, x1004, x1042); -- fiat_secp384r1_addcarryx_u32(&x1069, &x1070, x1068, x1006, x1044); -- fiat_secp384r1_addcarryx_u32(&x1071, &x1072, x1070, x1008, x1046); -- fiat_secp384r1_addcarryx_u32(&x1073, &x1074, x1072, x1010, x1048); -- fiat_secp384r1_addcarryx_u32(&x1075, &x1076, x1074, x1012, x1050); -- 
fiat_secp384r1_addcarryx_u32(&x1077, &x1078, x1076, x1014, x1052); -- fiat_secp384r1_addcarryx_u32(&x1079, &x1080, x1078, x1016, x1054); -- x1081 = ((uint32_t)x1080 + x1017); -- fiat_secp384r1_mulx_u32(&x1082, &x1083, x8, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x1084, &x1085, x8, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x1086, &x1087, x8, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x1088, &x1089, x8, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x1090, &x1091, x8, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x1092, &x1093, x8, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x1094, &x1095, x8, (arg1[5])); -- fiat_secp384r1_mulx_u32(&x1096, &x1097, x8, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x1098, &x1099, x8, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x1100, &x1101, x8, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x1102, &x1103, x8, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x1104, &x1105, x8, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x1106, &x1107, 0x0, x1105, x1102); -- fiat_secp384r1_addcarryx_u32(&x1108, &x1109, x1107, x1103, x1100); -- fiat_secp384r1_addcarryx_u32(&x1110, &x1111, x1109, x1101, x1098); -- fiat_secp384r1_addcarryx_u32(&x1112, &x1113, x1111, x1099, x1096); -- fiat_secp384r1_addcarryx_u32(&x1114, &x1115, x1113, x1097, x1094); -- fiat_secp384r1_addcarryx_u32(&x1116, &x1117, x1115, x1095, x1092); -- fiat_secp384r1_addcarryx_u32(&x1118, &x1119, x1117, x1093, x1090); -- fiat_secp384r1_addcarryx_u32(&x1120, &x1121, x1119, x1091, x1088); -- fiat_secp384r1_addcarryx_u32(&x1122, &x1123, x1121, x1089, x1086); -- fiat_secp384r1_addcarryx_u32(&x1124, &x1125, x1123, x1087, x1084); -- fiat_secp384r1_addcarryx_u32(&x1126, &x1127, x1125, x1085, x1082); -- x1128 = (x1127 + x1083); -- fiat_secp384r1_addcarryx_u32(&x1129, &x1130, 0x0, x1057, x1104); -- fiat_secp384r1_addcarryx_u32(&x1131, &x1132, x1130, x1059, x1106); -- fiat_secp384r1_addcarryx_u32(&x1133, &x1134, x1132, x1061, x1108); -- fiat_secp384r1_addcarryx_u32(&x1135, &x1136, x1134, x1063, x1110); -- fiat_secp384r1_addcarryx_u32(&x1137, 
&x1138, x1136, x1065, x1112); -- fiat_secp384r1_addcarryx_u32(&x1139, &x1140, x1138, x1067, x1114); -- fiat_secp384r1_addcarryx_u32(&x1141, &x1142, x1140, x1069, x1116); -- fiat_secp384r1_addcarryx_u32(&x1143, &x1144, x1142, x1071, x1118); -- fiat_secp384r1_addcarryx_u32(&x1145, &x1146, x1144, x1073, x1120); -- fiat_secp384r1_addcarryx_u32(&x1147, &x1148, x1146, x1075, x1122); -- fiat_secp384r1_addcarryx_u32(&x1149, &x1150, x1148, x1077, x1124); -- fiat_secp384r1_addcarryx_u32(&x1151, &x1152, x1150, x1079, x1126); -- fiat_secp384r1_addcarryx_u32(&x1153, &x1154, x1152, x1081, x1128); -- fiat_secp384r1_mulx_u32(&x1155, &x1156, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1157, &x1158, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1159, &x1160, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1161, &x1162, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1163, &x1164, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1165, &x1166, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1167, &x1168, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1169, &x1170, x1129, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x1171, &x1172, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1173, &x1174, x1129, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x1175, &x1176, 0x0, x1172, x1169); -- fiat_secp384r1_addcarryx_u32(&x1177, &x1178, x1176, x1170, x1167); -- fiat_secp384r1_addcarryx_u32(&x1179, &x1180, x1178, x1168, x1165); -- fiat_secp384r1_addcarryx_u32(&x1181, &x1182, x1180, x1166, x1163); -- fiat_secp384r1_addcarryx_u32(&x1183, &x1184, x1182, x1164, x1161); -- fiat_secp384r1_addcarryx_u32(&x1185, &x1186, x1184, x1162, x1159); -- fiat_secp384r1_addcarryx_u32(&x1187, &x1188, x1186, x1160, x1157); -- fiat_secp384r1_addcarryx_u32(&x1189, &x1190, x1188, x1158, x1155); -- x1191 = (x1190 + x1156); -- fiat_secp384r1_addcarryx_u32(&x1192, &x1193, 0x0, x1129, x1173); -- 
fiat_secp384r1_addcarryx_u32(&x1194, &x1195, x1193, x1131, x1174); -- fiat_secp384r1_addcarryx_u32(&x1196, &x1197, x1195, x1133, 0x0); -- fiat_secp384r1_addcarryx_u32(&x1198, &x1199, x1197, x1135, x1171); -- fiat_secp384r1_addcarryx_u32(&x1200, &x1201, x1199, x1137, x1175); -- fiat_secp384r1_addcarryx_u32(&x1202, &x1203, x1201, x1139, x1177); -- fiat_secp384r1_addcarryx_u32(&x1204, &x1205, x1203, x1141, x1179); -- fiat_secp384r1_addcarryx_u32(&x1206, &x1207, x1205, x1143, x1181); -- fiat_secp384r1_addcarryx_u32(&x1208, &x1209, x1207, x1145, x1183); -- fiat_secp384r1_addcarryx_u32(&x1210, &x1211, x1209, x1147, x1185); -- fiat_secp384r1_addcarryx_u32(&x1212, &x1213, x1211, x1149, x1187); -- fiat_secp384r1_addcarryx_u32(&x1214, &x1215, x1213, x1151, x1189); -- fiat_secp384r1_addcarryx_u32(&x1216, &x1217, x1215, x1153, x1191); -- x1218 = ((uint32_t)x1217 + x1154); -- fiat_secp384r1_mulx_u32(&x1219, &x1220, x9, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x1221, &x1222, x9, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x1223, &x1224, x9, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x1225, &x1226, x9, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x1227, &x1228, x9, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x1229, &x1230, x9, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x1231, &x1232, x9, (arg1[5])); -- fiat_secp384r1_mulx_u32(&x1233, &x1234, x9, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x1235, &x1236, x9, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x1237, &x1238, x9, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x1239, &x1240, x9, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x1241, &x1242, x9, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x1243, &x1244, 0x0, x1242, x1239); -- fiat_secp384r1_addcarryx_u32(&x1245, &x1246, x1244, x1240, x1237); -- fiat_secp384r1_addcarryx_u32(&x1247, &x1248, x1246, x1238, x1235); -- fiat_secp384r1_addcarryx_u32(&x1249, &x1250, x1248, x1236, x1233); -- fiat_secp384r1_addcarryx_u32(&x1251, &x1252, x1250, x1234, x1231); -- fiat_secp384r1_addcarryx_u32(&x1253, &x1254, x1252, x1232, 
x1229); -- fiat_secp384r1_addcarryx_u32(&x1255, &x1256, x1254, x1230, x1227); -- fiat_secp384r1_addcarryx_u32(&x1257, &x1258, x1256, x1228, x1225); -- fiat_secp384r1_addcarryx_u32(&x1259, &x1260, x1258, x1226, x1223); -- fiat_secp384r1_addcarryx_u32(&x1261, &x1262, x1260, x1224, x1221); -- fiat_secp384r1_addcarryx_u32(&x1263, &x1264, x1262, x1222, x1219); -- x1265 = (x1264 + x1220); -- fiat_secp384r1_addcarryx_u32(&x1266, &x1267, 0x0, x1194, x1241); -- fiat_secp384r1_addcarryx_u32(&x1268, &x1269, x1267, x1196, x1243); -- fiat_secp384r1_addcarryx_u32(&x1270, &x1271, x1269, x1198, x1245); -- fiat_secp384r1_addcarryx_u32(&x1272, &x1273, x1271, x1200, x1247); -- fiat_secp384r1_addcarryx_u32(&x1274, &x1275, x1273, x1202, x1249); -- fiat_secp384r1_addcarryx_u32(&x1276, &x1277, x1275, x1204, x1251); -- fiat_secp384r1_addcarryx_u32(&x1278, &x1279, x1277, x1206, x1253); -- fiat_secp384r1_addcarryx_u32(&x1280, &x1281, x1279, x1208, x1255); -- fiat_secp384r1_addcarryx_u32(&x1282, &x1283, x1281, x1210, x1257); -- fiat_secp384r1_addcarryx_u32(&x1284, &x1285, x1283, x1212, x1259); -- fiat_secp384r1_addcarryx_u32(&x1286, &x1287, x1285, x1214, x1261); -- fiat_secp384r1_addcarryx_u32(&x1288, &x1289, x1287, x1216, x1263); -- fiat_secp384r1_addcarryx_u32(&x1290, &x1291, x1289, x1218, x1265); -- fiat_secp384r1_mulx_u32(&x1292, &x1293, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1294, &x1295, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1296, &x1297, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1298, &x1299, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1300, &x1301, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1302, &x1303, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1304, &x1305, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1306, &x1307, x1266, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x1308, &x1309, x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1310, &x1311, 
x1266, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x1312, &x1313, 0x0, x1309, x1306); -- fiat_secp384r1_addcarryx_u32(&x1314, &x1315, x1313, x1307, x1304); -- fiat_secp384r1_addcarryx_u32(&x1316, &x1317, x1315, x1305, x1302); -- fiat_secp384r1_addcarryx_u32(&x1318, &x1319, x1317, x1303, x1300); -- fiat_secp384r1_addcarryx_u32(&x1320, &x1321, x1319, x1301, x1298); -- fiat_secp384r1_addcarryx_u32(&x1322, &x1323, x1321, x1299, x1296); -- fiat_secp384r1_addcarryx_u32(&x1324, &x1325, x1323, x1297, x1294); -- fiat_secp384r1_addcarryx_u32(&x1326, &x1327, x1325, x1295, x1292); -- x1328 = (x1327 + x1293); -- fiat_secp384r1_addcarryx_u32(&x1329, &x1330, 0x0, x1266, x1310); -- fiat_secp384r1_addcarryx_u32(&x1331, &x1332, x1330, x1268, x1311); -- fiat_secp384r1_addcarryx_u32(&x1333, &x1334, x1332, x1270, 0x0); -- fiat_secp384r1_addcarryx_u32(&x1335, &x1336, x1334, x1272, x1308); -- fiat_secp384r1_addcarryx_u32(&x1337, &x1338, x1336, x1274, x1312); -- fiat_secp384r1_addcarryx_u32(&x1339, &x1340, x1338, x1276, x1314); -- fiat_secp384r1_addcarryx_u32(&x1341, &x1342, x1340, x1278, x1316); -- fiat_secp384r1_addcarryx_u32(&x1343, &x1344, x1342, x1280, x1318); -- fiat_secp384r1_addcarryx_u32(&x1345, &x1346, x1344, x1282, x1320); -- fiat_secp384r1_addcarryx_u32(&x1347, &x1348, x1346, x1284, x1322); -- fiat_secp384r1_addcarryx_u32(&x1349, &x1350, x1348, x1286, x1324); -- fiat_secp384r1_addcarryx_u32(&x1351, &x1352, x1350, x1288, x1326); -- fiat_secp384r1_addcarryx_u32(&x1353, &x1354, x1352, x1290, x1328); -- x1355 = ((uint32_t)x1354 + x1291); -- fiat_secp384r1_mulx_u32(&x1356, &x1357, x10, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x1358, &x1359, x10, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x1360, &x1361, x10, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x1362, &x1363, x10, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x1364, &x1365, x10, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x1366, &x1367, x10, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x1368, &x1369, x10, (arg1[5])); -- 
fiat_secp384r1_mulx_u32(&x1370, &x1371, x10, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x1372, &x1373, x10, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x1374, &x1375, x10, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x1376, &x1377, x10, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x1378, &x1379, x10, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x1380, &x1381, 0x0, x1379, x1376); -- fiat_secp384r1_addcarryx_u32(&x1382, &x1383, x1381, x1377, x1374); -- fiat_secp384r1_addcarryx_u32(&x1384, &x1385, x1383, x1375, x1372); -- fiat_secp384r1_addcarryx_u32(&x1386, &x1387, x1385, x1373, x1370); -- fiat_secp384r1_addcarryx_u32(&x1388, &x1389, x1387, x1371, x1368); -- fiat_secp384r1_addcarryx_u32(&x1390, &x1391, x1389, x1369, x1366); -- fiat_secp384r1_addcarryx_u32(&x1392, &x1393, x1391, x1367, x1364); -- fiat_secp384r1_addcarryx_u32(&x1394, &x1395, x1393, x1365, x1362); -- fiat_secp384r1_addcarryx_u32(&x1396, &x1397, x1395, x1363, x1360); -- fiat_secp384r1_addcarryx_u32(&x1398, &x1399, x1397, x1361, x1358); -- fiat_secp384r1_addcarryx_u32(&x1400, &x1401, x1399, x1359, x1356); -- x1402 = (x1401 + x1357); -- fiat_secp384r1_addcarryx_u32(&x1403, &x1404, 0x0, x1331, x1378); -- fiat_secp384r1_addcarryx_u32(&x1405, &x1406, x1404, x1333, x1380); -- fiat_secp384r1_addcarryx_u32(&x1407, &x1408, x1406, x1335, x1382); -- fiat_secp384r1_addcarryx_u32(&x1409, &x1410, x1408, x1337, x1384); -- fiat_secp384r1_addcarryx_u32(&x1411, &x1412, x1410, x1339, x1386); -- fiat_secp384r1_addcarryx_u32(&x1413, &x1414, x1412, x1341, x1388); -- fiat_secp384r1_addcarryx_u32(&x1415, &x1416, x1414, x1343, x1390); -- fiat_secp384r1_addcarryx_u32(&x1417, &x1418, x1416, x1345, x1392); -- fiat_secp384r1_addcarryx_u32(&x1419, &x1420, x1418, x1347, x1394); -- fiat_secp384r1_addcarryx_u32(&x1421, &x1422, x1420, x1349, x1396); -- fiat_secp384r1_addcarryx_u32(&x1423, &x1424, x1422, x1351, x1398); -- fiat_secp384r1_addcarryx_u32(&x1425, &x1426, x1424, x1353, x1400); -- fiat_secp384r1_addcarryx_u32(&x1427, &x1428, x1426, x1355, 
x1402); -- fiat_secp384r1_mulx_u32(&x1429, &x1430, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1431, &x1432, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1433, &x1434, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1435, &x1436, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1437, &x1438, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1439, &x1440, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1441, &x1442, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1443, &x1444, x1403, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x1445, &x1446, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1447, &x1448, x1403, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x1449, &x1450, 0x0, x1446, x1443); -- fiat_secp384r1_addcarryx_u32(&x1451, &x1452, x1450, x1444, x1441); -- fiat_secp384r1_addcarryx_u32(&x1453, &x1454, x1452, x1442, x1439); -- fiat_secp384r1_addcarryx_u32(&x1455, &x1456, x1454, x1440, x1437); -- fiat_secp384r1_addcarryx_u32(&x1457, &x1458, x1456, x1438, x1435); -- fiat_secp384r1_addcarryx_u32(&x1459, &x1460, x1458, x1436, x1433); -- fiat_secp384r1_addcarryx_u32(&x1461, &x1462, x1460, x1434, x1431); -- fiat_secp384r1_addcarryx_u32(&x1463, &x1464, x1462, x1432, x1429); -- x1465 = (x1464 + x1430); -- fiat_secp384r1_addcarryx_u32(&x1466, &x1467, 0x0, x1403, x1447); -- fiat_secp384r1_addcarryx_u32(&x1468, &x1469, x1467, x1405, x1448); -- fiat_secp384r1_addcarryx_u32(&x1470, &x1471, x1469, x1407, 0x0); -- fiat_secp384r1_addcarryx_u32(&x1472, &x1473, x1471, x1409, x1445); -- fiat_secp384r1_addcarryx_u32(&x1474, &x1475, x1473, x1411, x1449); -- fiat_secp384r1_addcarryx_u32(&x1476, &x1477, x1475, x1413, x1451); -- fiat_secp384r1_addcarryx_u32(&x1478, &x1479, x1477, x1415, x1453); -- fiat_secp384r1_addcarryx_u32(&x1480, &x1481, x1479, x1417, x1455); -- fiat_secp384r1_addcarryx_u32(&x1482, &x1483, x1481, x1419, x1457); -- fiat_secp384r1_addcarryx_u32(&x1484, &x1485, 
x1483, x1421, x1459); -- fiat_secp384r1_addcarryx_u32(&x1486, &x1487, x1485, x1423, x1461); -- fiat_secp384r1_addcarryx_u32(&x1488, &x1489, x1487, x1425, x1463); -- fiat_secp384r1_addcarryx_u32(&x1490, &x1491, x1489, x1427, x1465); -- x1492 = ((uint32_t)x1491 + x1428); -- fiat_secp384r1_mulx_u32(&x1493, &x1494, x11, (arg1[11])); -- fiat_secp384r1_mulx_u32(&x1495, &x1496, x11, (arg1[10])); -- fiat_secp384r1_mulx_u32(&x1497, &x1498, x11, (arg1[9])); -- fiat_secp384r1_mulx_u32(&x1499, &x1500, x11, (arg1[8])); -- fiat_secp384r1_mulx_u32(&x1501, &x1502, x11, (arg1[7])); -- fiat_secp384r1_mulx_u32(&x1503, &x1504, x11, (arg1[6])); -- fiat_secp384r1_mulx_u32(&x1505, &x1506, x11, (arg1[5])); -- fiat_secp384r1_mulx_u32(&x1507, &x1508, x11, (arg1[4])); -- fiat_secp384r1_mulx_u32(&x1509, &x1510, x11, (arg1[3])); -- fiat_secp384r1_mulx_u32(&x1511, &x1512, x11, (arg1[2])); -- fiat_secp384r1_mulx_u32(&x1513, &x1514, x11, (arg1[1])); -- fiat_secp384r1_mulx_u32(&x1515, &x1516, x11, (arg1[0])); -- fiat_secp384r1_addcarryx_u32(&x1517, &x1518, 0x0, x1516, x1513); -- fiat_secp384r1_addcarryx_u32(&x1519, &x1520, x1518, x1514, x1511); -- fiat_secp384r1_addcarryx_u32(&x1521, &x1522, x1520, x1512, x1509); -- fiat_secp384r1_addcarryx_u32(&x1523, &x1524, x1522, x1510, x1507); -- fiat_secp384r1_addcarryx_u32(&x1525, &x1526, x1524, x1508, x1505); -- fiat_secp384r1_addcarryx_u32(&x1527, &x1528, x1526, x1506, x1503); -- fiat_secp384r1_addcarryx_u32(&x1529, &x1530, x1528, x1504, x1501); -- fiat_secp384r1_addcarryx_u32(&x1531, &x1532, x1530, x1502, x1499); -- fiat_secp384r1_addcarryx_u32(&x1533, &x1534, x1532, x1500, x1497); -- fiat_secp384r1_addcarryx_u32(&x1535, &x1536, x1534, x1498, x1495); -- fiat_secp384r1_addcarryx_u32(&x1537, &x1538, x1536, x1496, x1493); -- x1539 = (x1538 + x1494); -- fiat_secp384r1_addcarryx_u32(&x1540, &x1541, 0x0, x1468, x1515); -- fiat_secp384r1_addcarryx_u32(&x1542, &x1543, x1541, x1470, x1517); -- fiat_secp384r1_addcarryx_u32(&x1544, &x1545, x1543, x1472, x1519); -- 
fiat_secp384r1_addcarryx_u32(&x1546, &x1547, x1545, x1474, x1521); -- fiat_secp384r1_addcarryx_u32(&x1548, &x1549, x1547, x1476, x1523); -- fiat_secp384r1_addcarryx_u32(&x1550, &x1551, x1549, x1478, x1525); -- fiat_secp384r1_addcarryx_u32(&x1552, &x1553, x1551, x1480, x1527); -- fiat_secp384r1_addcarryx_u32(&x1554, &x1555, x1553, x1482, x1529); -- fiat_secp384r1_addcarryx_u32(&x1556, &x1557, x1555, x1484, x1531); -- fiat_secp384r1_addcarryx_u32(&x1558, &x1559, x1557, x1486, x1533); -- fiat_secp384r1_addcarryx_u32(&x1560, &x1561, x1559, x1488, x1535); -- fiat_secp384r1_addcarryx_u32(&x1562, &x1563, x1561, x1490, x1537); -- fiat_secp384r1_addcarryx_u32(&x1564, &x1565, x1563, x1492, x1539); -- fiat_secp384r1_mulx_u32(&x1566, &x1567, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1568, &x1569, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1570, &x1571, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1572, &x1573, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1574, &x1575, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1576, &x1577, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1578, &x1579, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1580, &x1581, x1540, UINT32_C(0xfffffffe)); -- fiat_secp384r1_mulx_u32(&x1582, &x1583, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_mulx_u32(&x1584, &x1585, x1540, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x1586, &x1587, 0x0, x1583, x1580); -- fiat_secp384r1_addcarryx_u32(&x1588, &x1589, x1587, x1581, x1578); -- fiat_secp384r1_addcarryx_u32(&x1590, &x1591, x1589, x1579, x1576); -- fiat_secp384r1_addcarryx_u32(&x1592, &x1593, x1591, x1577, x1574); -- fiat_secp384r1_addcarryx_u32(&x1594, &x1595, x1593, x1575, x1572); -- fiat_secp384r1_addcarryx_u32(&x1596, &x1597, x1595, x1573, x1570); -- fiat_secp384r1_addcarryx_u32(&x1598, &x1599, x1597, x1571, x1568); -- fiat_secp384r1_addcarryx_u32(&x1600, &x1601, x1599, x1569, x1566); -- x1602 = 
(x1601 + x1567); -- fiat_secp384r1_addcarryx_u32(&x1603, &x1604, 0x0, x1540, x1584); -- fiat_secp384r1_addcarryx_u32(&x1605, &x1606, x1604, x1542, x1585); -- fiat_secp384r1_addcarryx_u32(&x1607, &x1608, x1606, x1544, 0x0); -- fiat_secp384r1_addcarryx_u32(&x1609, &x1610, x1608, x1546, x1582); -- fiat_secp384r1_addcarryx_u32(&x1611, &x1612, x1610, x1548, x1586); -- fiat_secp384r1_addcarryx_u32(&x1613, &x1614, x1612, x1550, x1588); -- fiat_secp384r1_addcarryx_u32(&x1615, &x1616, x1614, x1552, x1590); -- fiat_secp384r1_addcarryx_u32(&x1617, &x1618, x1616, x1554, x1592); -- fiat_secp384r1_addcarryx_u32(&x1619, &x1620, x1618, x1556, x1594); -- fiat_secp384r1_addcarryx_u32(&x1621, &x1622, x1620, x1558, x1596); -- fiat_secp384r1_addcarryx_u32(&x1623, &x1624, x1622, x1560, x1598); -- fiat_secp384r1_addcarryx_u32(&x1625, &x1626, x1624, x1562, x1600); -- fiat_secp384r1_addcarryx_u32(&x1627, &x1628, x1626, x1564, x1602); -- x1629 = ((uint32_t)x1628 + x1565); -- fiat_secp384r1_subborrowx_u32(&x1630, &x1631, 0x0, x1605, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1632, &x1633, x1631, x1607, 0x0); -- fiat_secp384r1_subborrowx_u32(&x1634, &x1635, x1633, x1609, 0x0); -- fiat_secp384r1_subborrowx_u32(&x1636, &x1637, x1635, x1611, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1638, &x1639, x1637, x1613, -- UINT32_C(0xfffffffe)); -- fiat_secp384r1_subborrowx_u32(&x1640, &x1641, x1639, x1615, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1642, &x1643, x1641, x1617, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1644, &x1645, x1643, x1619, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1646, &x1647, x1645, x1621, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1648, &x1649, x1647, x1623, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1650, &x1651, x1649, x1625, -- UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x1652, &x1653, x1651, x1627, -- UINT32_C(0xffffffff)); -- 
fiat_secp384r1_subborrowx_u32(&x1654, &x1655, x1653, x1629, 0x0); -- fiat_secp384r1_cmovznz_u32(&x1656, x1655, x1630, x1605); -- fiat_secp384r1_cmovznz_u32(&x1657, x1655, x1632, x1607); -- fiat_secp384r1_cmovznz_u32(&x1658, x1655, x1634, x1609); -- fiat_secp384r1_cmovznz_u32(&x1659, x1655, x1636, x1611); -- fiat_secp384r1_cmovznz_u32(&x1660, x1655, x1638, x1613); -- fiat_secp384r1_cmovznz_u32(&x1661, x1655, x1640, x1615); -- fiat_secp384r1_cmovznz_u32(&x1662, x1655, x1642, x1617); -- fiat_secp384r1_cmovznz_u32(&x1663, x1655, x1644, x1619); -- fiat_secp384r1_cmovznz_u32(&x1664, x1655, x1646, x1621); -- fiat_secp384r1_cmovznz_u32(&x1665, x1655, x1648, x1623); -- fiat_secp384r1_cmovznz_u32(&x1666, x1655, x1650, x1625); -- fiat_secp384r1_cmovznz_u32(&x1667, x1655, x1652, x1627); -- out1[0] = x1656; -- out1[1] = x1657; -- out1[2] = x1658; -- out1[3] = x1659; -- out1[4] = x1660; -- out1[5] = x1661; -- out1[6] = x1662; -- out1[7] = x1663; -- out1[8] = x1664; -- out1[9] = x1665; -- out1[10] = x1666; -- out1[11] = x1667; --} -- --/* -- * The function fiat_secp384r1_add adds two field elements in the Montgomery domain. 
-- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * 0 ≤ eval arg2 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_add( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1, -- const fiat_secp384r1_montgomery_domain_field_element arg2) --{ -- uint32_t x1; -- fiat_secp384r1_uint1 x2; -- uint32_t x3; -- fiat_secp384r1_uint1 x4; -- uint32_t x5; -- fiat_secp384r1_uint1 x6; -- uint32_t x7; -- fiat_secp384r1_uint1 x8; -- uint32_t x9; -- fiat_secp384r1_uint1 x10; -- uint32_t x11; -- fiat_secp384r1_uint1 x12; -- uint32_t x13; -- fiat_secp384r1_uint1 x14; -- uint32_t x15; -- fiat_secp384r1_uint1 x16; -- uint32_t x17; -- fiat_secp384r1_uint1 x18; -- uint32_t x19; -- fiat_secp384r1_uint1 x20; -- uint32_t x21; -- fiat_secp384r1_uint1 x22; -- uint32_t x23; -- fiat_secp384r1_uint1 x24; -- uint32_t x25; -- fiat_secp384r1_uint1 x26; -- uint32_t x27; -- fiat_secp384r1_uint1 x28; -- uint32_t x29; -- fiat_secp384r1_uint1 x30; -- uint32_t x31; -- fiat_secp384r1_uint1 x32; -- uint32_t x33; -- fiat_secp384r1_uint1 x34; -- uint32_t x35; -- fiat_secp384r1_uint1 x36; -- uint32_t x37; -- fiat_secp384r1_uint1 x38; -- uint32_t x39; -- fiat_secp384r1_uint1 x40; -- uint32_t x41; -- fiat_secp384r1_uint1 x42; -- uint32_t x43; -- fiat_secp384r1_uint1 x44; -- uint32_t x45; -- fiat_secp384r1_uint1 x46; -- uint32_t x47; -- fiat_secp384r1_uint1 x48; -- uint32_t x49; -- fiat_secp384r1_uint1 x50; -- uint32_t x51; -- uint32_t x52; -- uint32_t x53; -- uint32_t x54; -- uint32_t x55; -- uint32_t x56; -- uint32_t x57; -- uint32_t x58; -- uint32_t x59; -- uint32_t x60; -- uint32_t x61; -- uint32_t x62; -- fiat_secp384r1_addcarryx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); -- fiat_secp384r1_addcarryx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); -- fiat_secp384r1_addcarryx_u32(&x5, &x6, x4, (arg1[2]), 
(arg2[2])); -- fiat_secp384r1_addcarryx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); -- fiat_secp384r1_addcarryx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); -- fiat_secp384r1_addcarryx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); -- fiat_secp384r1_addcarryx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); -- fiat_secp384r1_addcarryx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); -- fiat_secp384r1_addcarryx_u32(&x17, &x18, x16, (arg1[8]), (arg2[8])); -- fiat_secp384r1_addcarryx_u32(&x19, &x20, x18, (arg1[9]), (arg2[9])); -- fiat_secp384r1_addcarryx_u32(&x21, &x22, x20, (arg1[10]), (arg2[10])); -- fiat_secp384r1_addcarryx_u32(&x23, &x24, x22, (arg1[11]), (arg2[11])); -- fiat_secp384r1_subborrowx_u32(&x25, &x26, 0x0, x1, UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x27, &x28, x26, x3, 0x0); -- fiat_secp384r1_subborrowx_u32(&x29, &x30, x28, x5, 0x0); -- fiat_secp384r1_subborrowx_u32(&x31, &x32, x30, x7, UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x33, &x34, x32, x9, UINT32_C(0xfffffffe)); -- fiat_secp384r1_subborrowx_u32(&x35, &x36, x34, x11, UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x37, &x38, x36, x13, UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x39, &x40, x38, x15, UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x41, &x42, x40, x17, UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x43, &x44, x42, x19, UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x45, &x46, x44, x21, UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x47, &x48, x46, x23, UINT32_C(0xffffffff)); -- fiat_secp384r1_subborrowx_u32(&x49, &x50, x48, x24, 0x0); -- fiat_secp384r1_cmovznz_u32(&x51, x50, x25, x1); -- fiat_secp384r1_cmovznz_u32(&x52, x50, x27, x3); -- fiat_secp384r1_cmovznz_u32(&x53, x50, x29, x5); -- fiat_secp384r1_cmovznz_u32(&x54, x50, x31, x7); -- fiat_secp384r1_cmovznz_u32(&x55, x50, x33, x9); -- fiat_secp384r1_cmovznz_u32(&x56, x50, x35, x11); -- fiat_secp384r1_cmovznz_u32(&x57, x50, x37, x13); -- 
fiat_secp384r1_cmovznz_u32(&x58, x50, x39, x15); -- fiat_secp384r1_cmovznz_u32(&x59, x50, x41, x17); -- fiat_secp384r1_cmovznz_u32(&x60, x50, x43, x19); -- fiat_secp384r1_cmovznz_u32(&x61, x50, x45, x21); -- fiat_secp384r1_cmovznz_u32(&x62, x50, x47, x23); -- out1[0] = x51; -- out1[1] = x52; -- out1[2] = x53; -- out1[3] = x54; -- out1[4] = x55; -- out1[5] = x56; -- out1[6] = x57; -- out1[7] = x58; -- out1[8] = x59; -- out1[9] = x60; -- out1[10] = x61; -- out1[11] = x62; --} -- --/* -- * The function fiat_secp384r1_sub subtracts two field elements in the Montgomery domain. -- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * 0 ≤ eval arg2 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_sub( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1, -- const fiat_secp384r1_montgomery_domain_field_element arg2) --{ -- uint32_t x1; -- fiat_secp384r1_uint1 x2; -- uint32_t x3; -- fiat_secp384r1_uint1 x4; -- uint32_t x5; -- fiat_secp384r1_uint1 x6; -- uint32_t x7; -- fiat_secp384r1_uint1 x8; -- uint32_t x9; -- fiat_secp384r1_uint1 x10; -- uint32_t x11; -- fiat_secp384r1_uint1 x12; -- uint32_t x13; -- fiat_secp384r1_uint1 x14; -- uint32_t x15; -- fiat_secp384r1_uint1 x16; -- uint32_t x17; -- fiat_secp384r1_uint1 x18; -- uint32_t x19; -- fiat_secp384r1_uint1 x20; -- uint32_t x21; -- fiat_secp384r1_uint1 x22; -- uint32_t x23; -- fiat_secp384r1_uint1 x24; -- uint32_t x25; -- uint32_t x26; -- fiat_secp384r1_uint1 x27; -- uint32_t x28; -- fiat_secp384r1_uint1 x29; -- uint32_t x30; -- fiat_secp384r1_uint1 x31; -- uint32_t x32; -- fiat_secp384r1_uint1 x33; -- uint32_t x34; -- fiat_secp384r1_uint1 x35; -- uint32_t x36; -- fiat_secp384r1_uint1 x37; -- uint32_t x38; -- fiat_secp384r1_uint1 x39; -- uint32_t x40; -- fiat_secp384r1_uint1 x41; -- uint32_t x42; -- 
fiat_secp384r1_uint1 x43; -- uint32_t x44; -- fiat_secp384r1_uint1 x45; -- uint32_t x46; -- fiat_secp384r1_uint1 x47; -- uint32_t x48; -- fiat_secp384r1_uint1 x49; -- fiat_secp384r1_subborrowx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); -- fiat_secp384r1_subborrowx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); -- fiat_secp384r1_subborrowx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); -- fiat_secp384r1_subborrowx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); -- fiat_secp384r1_subborrowx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); -- fiat_secp384r1_subborrowx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); -- fiat_secp384r1_subborrowx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); -- fiat_secp384r1_subborrowx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); -- fiat_secp384r1_subborrowx_u32(&x17, &x18, x16, (arg1[8]), (arg2[8])); -- fiat_secp384r1_subborrowx_u32(&x19, &x20, x18, (arg1[9]), (arg2[9])); -- fiat_secp384r1_subborrowx_u32(&x21, &x22, x20, (arg1[10]), (arg2[10])); -- fiat_secp384r1_subborrowx_u32(&x23, &x24, x22, (arg1[11]), (arg2[11])); -- fiat_secp384r1_cmovznz_u32(&x25, x24, 0x0, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x26, &x27, 0x0, x1, x25); -- fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x3, 0x0); -- fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x5, 0x0); -- fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x7, x25); -- fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x9, -- (x25 & UINT32_C(0xfffffffe))); -- fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x11, x25); -- fiat_secp384r1_addcarryx_u32(&x38, &x39, x37, x13, x25); -- fiat_secp384r1_addcarryx_u32(&x40, &x41, x39, x15, x25); -- fiat_secp384r1_addcarryx_u32(&x42, &x43, x41, x17, x25); -- fiat_secp384r1_addcarryx_u32(&x44, &x45, x43, x19, x25); -- fiat_secp384r1_addcarryx_u32(&x46, &x47, x45, x21, x25); -- fiat_secp384r1_addcarryx_u32(&x48, &x49, x47, x23, x25); -- out1[0] = x26; -- out1[1] = x28; -- out1[2] = x30; -- out1[3] = x32; -- out1[4] = x34; -- out1[5] = x36; -- out1[6] = x38; -- out1[7] = x40; -- out1[8] = 
x42; -- out1[9] = x44; -- out1[10] = x46; -- out1[11] = x48; --} -- --/* -- * The function fiat_secp384r1_opp negates a field element in the Montgomery domain. -- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * Postconditions: -- * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_opp( -- fiat_secp384r1_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1) --{ -- uint32_t x1; -- fiat_secp384r1_uint1 x2; -- uint32_t x3; -- fiat_secp384r1_uint1 x4; -- uint32_t x5; -- fiat_secp384r1_uint1 x6; -- uint32_t x7; -- fiat_secp384r1_uint1 x8; -- uint32_t x9; -- fiat_secp384r1_uint1 x10; -- uint32_t x11; -- fiat_secp384r1_uint1 x12; -- uint32_t x13; -- fiat_secp384r1_uint1 x14; -- uint32_t x15; -- fiat_secp384r1_uint1 x16; -- uint32_t x17; -- fiat_secp384r1_uint1 x18; -- uint32_t x19; -- fiat_secp384r1_uint1 x20; -- uint32_t x21; -- fiat_secp384r1_uint1 x22; -- uint32_t x23; -- fiat_secp384r1_uint1 x24; -- uint32_t x25; -- uint32_t x26; -- fiat_secp384r1_uint1 x27; -- uint32_t x28; -- fiat_secp384r1_uint1 x29; -- uint32_t x30; -- fiat_secp384r1_uint1 x31; -- uint32_t x32; -- fiat_secp384r1_uint1 x33; -- uint32_t x34; -- fiat_secp384r1_uint1 x35; -- uint32_t x36; -- fiat_secp384r1_uint1 x37; -- uint32_t x38; -- fiat_secp384r1_uint1 x39; -- uint32_t x40; -- fiat_secp384r1_uint1 x41; -- uint32_t x42; -- fiat_secp384r1_uint1 x43; -- uint32_t x44; -- fiat_secp384r1_uint1 x45; -- uint32_t x46; -- fiat_secp384r1_uint1 x47; -- uint32_t x48; -- fiat_secp384r1_uint1 x49; -- fiat_secp384r1_subborrowx_u32(&x1, &x2, 0x0, 0x0, (arg1[0])); -- fiat_secp384r1_subborrowx_u32(&x3, &x4, x2, 0x0, (arg1[1])); -- fiat_secp384r1_subborrowx_u32(&x5, &x6, x4, 0x0, (arg1[2])); -- fiat_secp384r1_subborrowx_u32(&x7, &x8, x6, 0x0, (arg1[3])); -- fiat_secp384r1_subborrowx_u32(&x9, &x10, x8, 0x0, (arg1[4])); -- fiat_secp384r1_subborrowx_u32(&x11, &x12, x10, 0x0, (arg1[5])); 
-- fiat_secp384r1_subborrowx_u32(&x13, &x14, x12, 0x0, (arg1[6])); -- fiat_secp384r1_subborrowx_u32(&x15, &x16, x14, 0x0, (arg1[7])); -- fiat_secp384r1_subborrowx_u32(&x17, &x18, x16, 0x0, (arg1[8])); -- fiat_secp384r1_subborrowx_u32(&x19, &x20, x18, 0x0, (arg1[9])); -- fiat_secp384r1_subborrowx_u32(&x21, &x22, x20, 0x0, (arg1[10])); -- fiat_secp384r1_subborrowx_u32(&x23, &x24, x22, 0x0, (arg1[11])); -- fiat_secp384r1_cmovznz_u32(&x25, x24, 0x0, UINT32_C(0xffffffff)); -- fiat_secp384r1_addcarryx_u32(&x26, &x27, 0x0, x1, x25); -- fiat_secp384r1_addcarryx_u32(&x28, &x29, x27, x3, 0x0); -- fiat_secp384r1_addcarryx_u32(&x30, &x31, x29, x5, 0x0); -- fiat_secp384r1_addcarryx_u32(&x32, &x33, x31, x7, x25); -- fiat_secp384r1_addcarryx_u32(&x34, &x35, x33, x9, -- (x25 & UINT32_C(0xfffffffe))); -- fiat_secp384r1_addcarryx_u32(&x36, &x37, x35, x11, x25); -- fiat_secp384r1_addcarryx_u32(&x38, &x39, x37, x13, x25); -- fiat_secp384r1_addcarryx_u32(&x40, &x41, x39, x15, x25); -- fiat_secp384r1_addcarryx_u32(&x42, &x43, x41, x17, x25); -- fiat_secp384r1_addcarryx_u32(&x44, &x45, x43, x19, x25); -- fiat_secp384r1_addcarryx_u32(&x46, &x47, x45, x21, x25); -- fiat_secp384r1_addcarryx_u32(&x48, &x49, x47, x23, x25); -- out1[0] = x26; -- out1[1] = x28; -- out1[2] = x30; -- out1[3] = x32; -- out1[4] = x34; -- out1[5] = x36; -- out1[6] = x38; -- out1[7] = x40; -- out1[8] = x42; -- out1[9] = x44; -- out1[10] = x46; -- out1[11] = x48; --} -- --/* -- * The function fiat_secp384r1_from_montgomery translates a field element out of the Montgomery domain. 
-- * -- * Preconditions: -- * 0 ≤ eval arg1 < m -- * Postconditions: -- * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^12) mod m -- * 0 ≤ eval out1 < m -- * -- */ --static void --fiat_secp384r1_from_montgomery( -- fiat_secp384r1_non_montgomery_domain_field_element out1, -- const fiat_secp384r1_montgomery_domain_field_element arg1) --{ -- uint32_t x1; -- uint32_t x2; -- uint32_t x3; -- uint32_t x4; -- uint32_t x5; -- uint32_t x6; -- uint32_t x7; -- uint32_t x8; -- uint32_t x9; -- uint32_t x10; -- uint32_t x11; -- uint32_t x12; -- uint32_t x13; -- uint32_t x14; -- uint32_t x15; -- uint32_t x16; -- uint32_t x17; -- uint32_t x18; -- uint32_t x19; -- uint32_t x20; -- uint32_t x21; -- uint32_t x22; -- fiat_secp384r1_uint1 x23; -- uint32_t x24; -- fiat_secp384r1_uint1 x25; -- uint32_t x26; -- fiat_secp384r1_uint1 x27; -- uint32_t x28; -- fiat_secp384r1_uint1 x29; -- uint32_t x30; -- fiat_secp384r1_uint1 x31; -- uint32_t x32; -- fiat_secp384r1_uint1 x33; -- uint32_t x34; -- fiat_secp384r1_uint1 x35; -- uint32_t x36; -- fiat_secp384r1_uint1 x37; -- uint32_t x38; -- fiat_secp384r1_uint1 x39; -- uint32_t x40; -- fiat_secp384r1_uint1 x41; -- uint32_t x42; -- uint32_t x43; -- uint32_t x44; -- uint32_t x45; -- uint32_t x46; -- uint32_t x47; -- uint32_t x48; -- uint32_t x49; -- uint32_t x50; -- uint32_t x51; -- uint32_t x52; -- uint32_t x53; -- uint32_t x54; -- uint32_t x55; -- uint32_t x56; -- uint32_t x57; -- uint32_t x58; -- uint32_t x59; -- uint32_t x60; -- uint32_t x61; -- uint32_t x62; -- fiat_secp384r1_uint1 x63; -- uint32_t x64; -- fiat_secp384r1_uint1 x65; -- uint32_t x66; -- fiat_secp384r1_uint1 x67; -- uint32_t x68; -- fiat_secp384r1_uint1 x69; -- uint32_t x70; -- fiat_secp384r1_uint1 x71; -- uint32_t x72; -- fiat_secp384r1_uint1 x73; -- uint32_t x74; -- fiat_secp384r1_uint1 x75; -- uint32_t x76; -- fiat_secp384r1_uint1 x77; -- uint32_t x78; -- fiat_secp384r1_uint1 x79; -- uint32_t x80; -- fiat_secp384r1_uint1 x81; -- uint32_t x82; -- fiat_secp384r1_uint1 x83; -- 
uint32_t x84; -- fiat_secp384r1_uint1 x85; -- uint32_t x86; -- fiat_secp384r1_uint1 x87; -- uint32_t x88; -- fiat_secp384r1_uint1 x89; -- uint32_t x90; -- fiat_secp384r1_uint1 x91; -- uint32_t x92; -- fiat_secp384r1_uint1 x93; -- uint32_t x94; -- fiat_secp384r1_uint1 x95; -- uint32_t x96; -- fiat_secp384r1_uint1 x97; -- uint32_t x98; -- fiat_secp384r1_uint1 x99; -- uint32_t x100; -- fiat_secp384r1_uint1 x101; -- uint32_t x102; -- fiat_secp384r1_uint1 x103; -- uint32_t x104; -- fiat_secp384r1_uint1 x105; -- uint32_t x106; -- fiat_secp384r1_uint1 x107; -- uint32_t x108; -- fiat_secp384r1_uint1 x109; -- uint32_t x110; -- fiat_secp384r1_uint1 x111; -- uint32_t x112; -- fiat_secp384r1_uint1 x113; -- uint32_t x114; -- fiat_secp384r1_uint1 x115; -- uint32_t x116; -- fiat_secp384r1_uint1 x117; -- uint32_t x118; -- fiat_secp384r1_uint1 x119; -- uint32_t x120; -- fiat_secp384r1_uint1 x121; -- uint32_t x122; -- fiat_secp384r1_uint1 x123; -- uint32_t x124; -- fiat_secp384r1_uint1 x125; -- uint32_t x126; -- fiat_secp384r1_uint1 x127; -- uint32_t x128; -- uint32_t x129; -- uint32_t x130; -- uint32_t x131; -- uint32_t x132; -- uint32_t x133; -- uint32_t x134; -- uint32_t x135; -- uint32_t x136; -- uint32_t x137; -- uint32_t x138; -- uint32_t x139; -- uint32_t x140; -- uint32_t x141; -- uint32_t x142; -- uint32_t x143; -- uint32_t x144; -- uint32_t x145; -- uint32_t x146; -- uint32_t x147; -- uint32_t x148; -- fiat_secp384r1_uint1 x149; -- uint32_t x150; -- fiat_secp384r1_uint1 x151; -- uint32_t x152; -- fiat_secp384r1_uint1 x153; -- uint32_t x154; -- fiat_secp384r1_uint1 x155; -- uint32_t x156; -- fiat_secp384r1_uint1 x157; -- uint32_t x158; -- fiat_secp384r1_uint1 x159; -- uint32_t x160; -- fiat_secp384r1_uint1 x161; -- uint32_t x162; -- fiat_secp384r1_uint1 x163; -- uint32_t x164; -- fiat_secp384r1_uint1 x165; -- uint32_t x166; -- fiat_secp384r1_uint1 x167; -- uint32_t x168; -- fiat_secp384r1_uint1 x169; -- uint32_t x170; -- fiat_secp384r1_uint1 x171; -- uint32_t x172; -- 
fiat_secp384r1_uint1 x173; -- uint32_t x174; -- fiat_secp384r1_uint1 x175; -- uint32_t x176; -- fiat_secp384r1_uint1 x177; -- uint32_t x178; -- fiat_secp384r1_uint1 x179; -- uint32_t x180; -- fiat_secp384r1_uint1 x181; -- uint32_t x182; -- fiat_secp384r1_uint1 x183; -- uint32_t x184; -- fiat_secp384r1_uint1 x185; -- uint32_t x186; -- fiat_secp384r1_uint1 x187; -- uint32_t x188; -- fiat_secp384r1_uint1 x189; -- uint32_t x190; -- fiat_secp384r1_uint1 x191; -- uint32_t x192; -- fiat_secp384r1_uint1 x193; -- uint32_t x194; -- fiat_secp384r1_uint1 x195; -- uint32_t x196; -- fiat_secp384r1_uint1 x197; -- uint32_t x198; -- fiat_secp384r1_uint1 x199; -- uint32_t x200; -- fiat_secp384r1_uint1 x201; -- uint32_t x202; -- fiat_secp384r1_uint1 x203; -- uint32_t x204; -- fiat_secp384r1_uint1 x205; -- uint32_t x206; -- fiat_secp384r1_uint1 x207; -- uint32_t x208; -- fiat_secp384r1_uint1 x209; -- uint32_t x210; -- fiat_secp384r1_uint1 x211; -- uint32_t x212; -- fiat_secp384r1_uint1 x213; -- uint32_t x214; -- uint32_t x215; -- uint32_t x216; -- uint32_t x217; -- uint32_t x218; -- uint32_t x219; -- uint32_t x220; -- uint32_t x221; -- uint32_t x222; -- uint32_t x223; -- uint32_t x224; -- uint32_t x225; -- uint32_t x226; -- uint32_t x227; -- uint32_t x228; -- uint32_t x229; -- uint32_t x230; -- uint32_t x231; -- uint32_t x232; -- uint32_t x233; -- uint32_t x234; -- fiat_secp384r1_uint1 x235; -- uint32_t x236; -- fiat_secp384r1_uint1 x237; -- uint32_t x238; -- fiat_secp384r1_uint1 x239; -- uint32_t x240; -- fiat_secp384r1_uint1 x241; -- uint32_t x242; -- fiat_secp384r1_uint1 x243; -- uint32_t x244; -- fiat_secp384r1_uint1 x245; -- uint32_t x246; -- fiat_secp384r1_uint1 x247; -- uint32_t x248; -- fiat_secp384r1_uint1 x249; -- uint32_t x250; -- fiat_secp384r1_uint1 x251; -- uint32_t x252; -- fiat_secp384r1_uint1 x253; -- uint32_t x254; -- fiat_secp384r1_uint1 x255; -- uint32_t x256; -- fiat_secp384r1_uint1 x257; -- uint32_t x258; -- fiat_secp384r1_uint1 x259; -- uint32_t x260; -- 
fiat_secp384r1_uint1 x261; -- uint32_t x262; -- fiat_secp384r1_uint1 x263; -- uint32_t x264; -- fiat_secp384r1_uint1 x265; -- uint32_t x266; -- fiat_secp384r1_uint1 x267; -- uint32_t x268; -- fiat_secp384r1_uint1 x269; -- uint32_t x270; -- fiat_secp384r1_uint1 x271; -- uint32_t x272; -- fiat_secp384r1_uint1 x273; -- uint32_t x274; -- fiat_secp384r1_uint1 x275; -- uint32_t x276; -- fiat_secp384r1_uint1 x277; -- uint32_t x278; -- fiat_secp384r1_uint1 x279; -- uint32_t x280; -- fiat_secp384r1_uint1 x281; -- uint32_t x282; -- fiat_secp384r1_uint1 x283; -- uint32_t x284; -- fiat_secp384r1_uint1 x285; -- uint32_t x286; -- fiat_secp384r1_uint1 x287; -- uint32_t x288; -- fiat_secp384r1_uint1 x289; -- uint32_t x290; -- fiat_secp384r1_uint1 x291; -- uint32_t x292; -- fiat_secp384r1_uint1 x293; -- uint32_t x294; -- fiat_secp384r1_uint1 x295; -- uint32_t x296; -- fiat_secp384r1_uint1 x297; -- uint32_t x298; -- fiat_secp384r1_uint1 x299; -- uint32_t x300; -- uint32_t x301; -- uint32_t x302; -- uint32_t x303; -- uint32_t x304; -- uint32_t x305; -- uint32_t x306; -- uint32_t x307; -- uint32_t x308; -- uint32_t x309; -- uint32_t x310; -- uint32_t x311; -- uint32_t x312; -- uint32_t x313; -- uint32_t x314; -- uint32_t x315; -- uint32_t x316; -- uint32_t x317; -- uint32_t x318; -- uint32_t x319; -- uint32_t x320; -- fiat_secp384r1_uint1 x321; -- uint32_t x322; -- fiat_secp384r1_uint1 x323; -- uint32_t x324; -- fiat_secp384r1_uint1 x325; -- uint32_t x326; -- fiat_secp384r1_uint1 x327; -- uint32_t x328; -- fiat_secp384r1_uint1 x329; -- uint32_t x330; -- fiat_secp384r1_uint1 x331; -- uint32_t x332; -- fiat_secp384r1_uint1 x333; -- uint32_t x334; -- fiat_secp384r1_uint1 x335; -- uint32_t x336; -- fiat_secp384r1_uint1 x337; -- uint32_t x338; -- fiat_secp384r1_uint1 x339; -- uint32_t x340; -- fiat_secp384r1_uint1 x341; -- uint32_t x342; -- fiat_secp384r1_uint1 x343; -- uint32_t x344; -- fiat_secp384r1_uint1 x345; -- uint32_t x346; -- fiat_secp384r1_uint1 x347; -- uint32_t x348; -- 
fiat_secp384r1_uint1 x349; -- uint32_t x350; -- fiat_secp384r1_uint1 x351; -- uint32_t x352; -- fiat_secp384r1_uint1 x353; -- uint32_t x354; -- fiat_secp384r1_uint1 x355; -- uint32_t x356; -- fiat_secp384r1_uint1 x357; -- uint32_t x358; -- fiat_secp384r1_uint1 x359; -- uint32_t x360; -- fiat_secp384r1_uint1 x361; -- uint32_t x362; -- fiat_secp384r1_uint1 x363; -- uint32_t x364; -- fiat_secp384r1_uint1 x365; -- uint32_t x366; -- fiat_secp384r1_uint1 x367; -- uint32_t x368; -- fiat_secp384r1_uint1 x369; -- uint32_t x370; -- fiat_secp384r1_uint1 x371; -- uint32_t x372; -- fiat_secp384r1_uint1 x373; -- uint32_t x374; -- fiat_secp384r1_uint1 x375; -- uint32_t x376; -- fiat_secp384r1_uint1 x377; -- uint32_t x378; -- fiat_secp384r1_uint1 x379; -- uint32_t x380; -- fiat_secp384r1_uint1 x381; -- uint32_t x382; -- fiat_secp384r1_uint1 x383; -- uint32_t x384; -- fiat_secp384r1_uint1 x385; -- uint32_t x386; -- uint32_t x387; -- uint32_t x388; -- uint32_t x389; -- uint32_t x390; -- uint32_t x391; -- uint32_t x392; -- uint32_t x393; -- uint32_t x394; -- uint32_t x395; -- uint32_t x396; -- uint32_t x397; -- uint32_t x398; -- uint32_t x399; -- uint32_t x400; -- uint32_t x401; -- uint32_t x402; -- uint32_t x403; -- uint32_t x404; -- uint32_t x405; -- uint32_t x406; -- fiat_secp384r1_uint1 x407; -- uint32_t x408; -- fiat_secp384r1_uint1 x409; -- uint32_t x410; -- fiat_secp384r1_uint1 x411; -- uint32_t x412; -- fiat_secp384r1_uint1 x413; -- uint32_t x4