From f941537517177ebd342f1375eba70fc89beabb70 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Fri, 4 Nov 2022 14:25:55 -0700 Subject: [PATCH 01/33] Replace SHA2 implementation with verified code from HACL* --- Modules/Setup.stdlib.in | 2 +- Modules/_hacl/AUTHORS.md | 5 + Modules/_hacl/Hacl_Krmllib.h | 84 + Modules/_hacl/Hacl_SHA2_Generic.h | 134 ++ Modules/_hacl/Hacl_SHA2_Types.h | 47 + Modules/_hacl/Hacl_Streaming_SHA2.c | 1651 +++++++++++++++++ Modules/_hacl/Hacl_Streaming_SHA2.h | 92 + Modules/{ => _hacl}/clinic/sha256module.c.h | 0 Modules/_hacl/include/krml/internal/builtin.h | 16 + .../_hacl/include/krml/internal/callconv.h | 46 + Modules/_hacl/include/krml/internal/target.h | 297 +++ Modules/_hacl/include/krml/internal/types.h | 85 + .../_hacl/include/krml/lowstar_endianness.h | 230 +++ Modules/_hacl/internal/Hacl_Hash_SHA2.h | 67 + Modules/_hacl/internal/Hacl_Krmllib.h | 46 + Modules/_hacl/internal/Hacl_SHA2_Types.h | 108 ++ .../krmllib/dist/minimal/FStar_UInt128.h | 79 + .../dist/minimal/FStar_UInt128_Verified.h | 347 ++++ .../dist/minimal/FStar_UInt_8_16_32_64.h | 108 ++ .../krmllib/dist/minimal/LowStar_Endianness.h | 28 + .../dist/minimal/fstar_uint128_gcc64.h | 165 ++ .../krmllib/dist/minimal/fstar_uint128_msvc.h | 510 +++++ .../minimal/fstar_uint128_struct_endianness.h | 68 + Modules/_hacl/sha256module.c | 452 +++++ Modules/sha256module.c | 756 -------- PCbuild/pythoncore.vcxproj | 2 +- PCbuild/pythoncore.vcxproj.filters | 2 +- Tools/c-analyzer/cpython/_parser.py | 2 +- 28 files changed, 4669 insertions(+), 760 deletions(-) create mode 100644 Modules/_hacl/AUTHORS.md create mode 100644 Modules/_hacl/Hacl_Krmllib.h create mode 100644 Modules/_hacl/Hacl_SHA2_Generic.h create mode 100644 Modules/_hacl/Hacl_SHA2_Types.h create mode 100644 Modules/_hacl/Hacl_Streaming_SHA2.c create mode 100644 Modules/_hacl/Hacl_Streaming_SHA2.h rename Modules/{ => _hacl}/clinic/sha256module.c.h (100%) create mode 100644 Modules/_hacl/include/krml/internal/builtin.h create mode 100644 Modules/_hacl/include/krml/internal/callconv.h create mode 100644 Modules/_hacl/include/krml/internal/target.h create mode 100644 Modules/_hacl/include/krml/internal/types.h create mode 100644 Modules/_hacl/include/krml/lowstar_endianness.h create mode 100644 Modules/_hacl/internal/Hacl_Hash_SHA2.h create mode 100644 Modules/_hacl/internal/Hacl_Krmllib.h create mode 100644 Modules/_hacl/internal/Hacl_SHA2_Types.h create mode 100644 Modules/_hacl/krmllib/dist/minimal/FStar_UInt128.h create mode 100644 Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h create mode 100644 Modules/_hacl/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h create mode 100644 Modules/_hacl/krmllib/dist/minimal/LowStar_Endianness.h create mode 100644 Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h create mode 100644 Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h create mode 100644 Modules/_hacl/krmllib/dist/minimal/fstar_uint128_struct_endianness.h create mode 100644 Modules/_hacl/sha256module.c delete mode 100644 Modules/sha256module.c diff --git a/Modules/Setup.stdlib.in b/Modules/Setup.stdlib.in index ac8959ebea5bf2..98fe8656860c68 100644 --- a/Modules/Setup.stdlib.in +++ b/Modules/Setup.stdlib.in @@ -78,7 +78,7 @@ # hashing builtins, can be disabled with --without-builtin-hashlib-hashes @MODULE__MD5_TRUE@_md5 md5module.c @MODULE__SHA1_TRUE@_sha1 sha1module.c -@MODULE__SHA256_TRUE@_sha256 sha256module.c +@MODULE__SHA256_TRUE@_sha256 _hacl/sha256module.c _hacl/Hacl_Streaming_SHA2.c -IModules/_hacl/include -IModules/_hacl/internal -IModules/_hacl/krmllib/dist/minimal @MODULE__SHA512_TRUE@_sha512 sha512module.c @MODULE__SHA3_TRUE@_sha3 _sha3/sha3module.c @MODULE__BLAKE2_TRUE@_blake2 _blake2/blake2module.c _blake2/blake2b_impl.c _blake2/blake2s_impl.c diff --git a/Modules/_hacl/AUTHORS.md b/Modules/_hacl/AUTHORS.md new file mode 100644 index 00000000000000..25636a3d643ad3 --- /dev/null +++ b/Modules/_hacl/AUTHORS.md @@ -0,0 +1,5 @@ +The SHA2 implementation was written by Karthikeyan Bhargavan. +The agile hash infrastructure, the streaming functor, its instantiation to +support incremental SHA2, extraction and packaging was performed by Jonathan +Protzenko. +Considerable proof help was provided by Marina Polubelova and Aymeric Fromherz. diff --git a/Modules/_hacl/Hacl_Krmllib.h b/Modules/_hacl/Hacl_Krmllib.h new file mode 100644 index 00000000000000..c3df0e6c50dda9 --- /dev/null +++ b/Modules/_hacl/Hacl_Krmllib.h @@ -0,0 +1,84 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Krmllib_H +#define __Hacl_Krmllib_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + +static inline uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b); + +static inline uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b); + +static inline uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b); + +static inline uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b); + +static inline uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b); + +static inline uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s); + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s); + +static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a); + +static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a); + +static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y); + +static inline void store128_le(uint8_t *x0, FStar_UInt128_uint128 x1); + +static inline void store128_be(uint8_t *x0, FStar_UInt128_uint128 x1); + +static inline FStar_UInt128_uint128 load128_be(uint8_t *x0); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Krmllib_H_DEFINED +#endif diff --git a/Modules/_hacl/Hacl_SHA2_Generic.h b/Modules/_hacl/Hacl_SHA2_Generic.h new file mode 100644 index 00000000000000..3a6a754837b768 --- /dev/null +++ b/Modules/_hacl/Hacl_SHA2_Generic.h @@ -0,0 +1,134 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_SHA2_Generic_H +#define __Hacl_SHA2_Generic_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + + + + +static const +uint32_t +Hacl_Impl_SHA2_Generic_h224[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_h256[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_h384[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_h512[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_k384_512[80U] = + { + (uint64_t)0x428a2f98d728ae22U, (uint64_t)0x7137449123ef65cdU, (uint64_t)0xb5c0fbcfec4d3b2fU, + (uint64_t)0xe9b5dba58189dbbcU, (uint64_t)0x3956c25bf348b538U, (uint64_t)0x59f111f1b605d019U, + (uint64_t)0x923f82a4af194f9bU, (uint64_t)0xab1c5ed5da6d8118U, (uint64_t)0xd807aa98a3030242U, + (uint64_t)0x12835b0145706fbeU, (uint64_t)0x243185be4ee4b28cU, (uint64_t)0x550c7dc3d5ffb4e2U, + (uint64_t)0x72be5d74f27b896fU, (uint64_t)0x80deb1fe3b1696b1U, (uint64_t)0x9bdc06a725c71235U, + (uint64_t)0xc19bf174cf692694U, (uint64_t)0xe49b69c19ef14ad2U, (uint64_t)0xefbe4786384f25e3U, + (uint64_t)0x0fc19dc68b8cd5b5U, (uint64_t)0x240ca1cc77ac9c65U, (uint64_t)0x2de92c6f592b0275U, + (uint64_t)0x4a7484aa6ea6e483U, (uint64_t)0x5cb0a9dcbd41fbd4U, (uint64_t)0x76f988da831153b5U, + (uint64_t)0x983e5152ee66dfabU, (uint64_t)0xa831c66d2db43210U, (uint64_t)0xb00327c898fb213fU, + (uint64_t)0xbf597fc7beef0ee4U, (uint64_t)0xc6e00bf33da88fc2U, (uint64_t)0xd5a79147930aa725U, + (uint64_t)0x06ca6351e003826fU, (uint64_t)0x142929670a0e6e70U, (uint64_t)0x27b70a8546d22ffcU, + (uint64_t)0x2e1b21385c26c926U, (uint64_t)0x4d2c6dfc5ac42aedU, (uint64_t)0x53380d139d95b3dfU, + (uint64_t)0x650a73548baf63deU, (uint64_t)0x766a0abb3c77b2a8U, (uint64_t)0x81c2c92e47edaee6U, + (uint64_t)0x92722c851482353bU, (uint64_t)0xa2bfe8a14cf10364U, (uint64_t)0xa81a664bbc423001U, + (uint64_t)0xc24b8b70d0f89791U, (uint64_t)0xc76c51a30654be30U, (uint64_t)0xd192e819d6ef5218U, + (uint64_t)0xd69906245565a910U, (uint64_t)0xf40e35855771202aU, (uint64_t)0x106aa07032bbd1b8U, + (uint64_t)0x19a4c116b8d2d0c8U, (uint64_t)0x1e376c085141ab53U, (uint64_t)0x2748774cdf8eeb99U, + (uint64_t)0x34b0bcb5e19b48a8U, (uint64_t)0x391c0cb3c5c95a63U, (uint64_t)0x4ed8aa4ae3418acbU, + (uint64_t)0x5b9cca4f7763e373U, (uint64_t)0x682e6ff3d6b2b8a3U, (uint64_t)0x748f82ee5defb2fcU, + (uint64_t)0x78a5636f43172f60U, (uint64_t)0x84c87814a1f0ab72U, (uint64_t)0x8cc702081a6439ecU, + (uint64_t)0x90befffa23631e28U, (uint64_t)0xa4506cebde82bde9U, (uint64_t)0xbef9a3f7b2c67915U, + (uint64_t)0xc67178f2e372532bU, (uint64_t)0xca273eceea26619cU, (uint64_t)0xd186b8c721c0c207U, + (uint64_t)0xeada7dd6cde0eb1eU, (uint64_t)0xf57d4f7fee6ed178U, (uint64_t)0x06f067aa72176fbaU, + (uint64_t)0x0a637dc5a2c898a6U, (uint64_t)0x113f9804bef90daeU, (uint64_t)0x1b710b35131c471bU, + (uint64_t)0x28db77f523047d84U, (uint64_t)0x32caab7b40c72493U, (uint64_t)0x3c9ebe0a15c9bebcU, + (uint64_t)0x431d67c49c100d4cU, (uint64_t)0x4cc5d4becb3e42b6U, (uint64_t)0x597f299cfc657e2aU, + (uint64_t)0x5fcb6fab3ad6faecU, (uint64_t)0x6c44198c4a475817U + }; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Generic_H_DEFINED +#endif diff --git a/Modules/_hacl/Hacl_SHA2_Types.h b/Modules/_hacl/Hacl_SHA2_Types.h new file mode 100644 index 00000000000000..ef78be8f07b69d --- /dev/null +++ b/Modules/_hacl/Hacl_SHA2_Types.h @@ -0,0 +1,47 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_SHA2_Types_H +#define __Hacl_SHA2_Types_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + + + + +typedef uint8_t *Hacl_Impl_SHA2_Types_uint8_1p; + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_SHA2_Types_H_DEFINED +#endif diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.c b/Modules/_hacl/Hacl_Streaming_SHA2.c new file mode 100644 index 00000000000000..1eebc43ee17fa9 --- /dev/null +++ b/Modules/_hacl/Hacl_Streaming_SHA2.c @@ -0,0 +1,1651 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Streaming_SHA2.h" + +#include "internal/Hacl_SHA2_Types.h" + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224() +{ + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_224 + *p = + (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_SHA2_state_sha2_224 + )); + p[0U] = s; + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = block_state; + uint32_t x = Hacl_Impl_SHA2_Generic_h224[i]; + os[i] = x;); + return p; +} + +void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = block_state; + uint32_t x = Hacl_Impl_SHA2_Generic_h224[i]; + os[i] = x;); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[8U] = { 0U }; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t)); + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + uint32_t blocks0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < blocks0; i0++) + { + uint8_t *b00 = buf_multi; + uint8_t *mb = b00 + i0 * (uint32_t)64U; + uint32_t hash_old[8U] = { 0U }; + uint32_t ws[16U] = { 0U }; + memcpy(hash_old, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b = mb; + uint32_t u = load32_be(b); + ws[0U] = u; + uint32_t u0 = load32_be(b + (uint32_t)4U); + ws[1U] = u0; + uint32_t u1 = load32_be(b + (uint32_t)8U); + ws[2U] = u1; + uint32_t u2 = load32_be(b + (uint32_t)12U); + ws[3U] = u2; + uint32_t u3 = load32_be(b + (uint32_t)16U); + ws[4U] = u3; + uint32_t u4 = load32_be(b + (uint32_t)20U); + ws[5U] = u4; + uint32_t u5 = load32_be(b + (uint32_t)24U); + ws[6U] = u5; + uint32_t u6 = load32_be(b + (uint32_t)28U); + ws[7U] = u6; + uint32_t u7 = load32_be(b + (uint32_t)32U); + ws[8U] = u7; + uint32_t u8 = load32_be(b + (uint32_t)36U); + ws[9U] = u8; + uint32_t u9 = load32_be(b + (uint32_t)40U); + ws[10U] = u9; + uint32_t u10 = load32_be(b + (uint32_t)44U); + ws[11U] = u10; + uint32_t u11 = load32_be(b + (uint32_t)48U); + ws[12U] = u11; + uint32_t u12 = load32_be(b + (uint32_t)52U); + ws[13U] = u12; + uint32_t u13 = load32_be(b + (uint32_t)56U); + ws[14U] = u13; + uint32_t u14 = load32_be(b + (uint32_t)60U); + ws[15U] = u14; + KRML_MAYBE_FOR4(i1, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; + uint32_t ws_t = ws[i]; + uint32_t a0 = tmp_block_state[0U]; + uint32_t b0 = tmp_block_state[1U]; + uint32_t c0 = tmp_block_state[2U]; + uint32_t d0 = tmp_block_state[3U]; + uint32_t e0 = tmp_block_state[4U]; + uint32_t f0 = tmp_block_state[5U]; + uint32_t g0 = tmp_block_state[6U]; + uint32_t h05 = tmp_block_state[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h05 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h13 = g0; + tmp_block_state[0U] = a1; + tmp_block_state[1U] = b1; + tmp_block_state[2U] = c1; + tmp_block_state[3U] = d1; + tmp_block_state[4U] = e1; + tmp_block_state[5U] = f1; + tmp_block_state[6U] = g1; + tmp_block_state[7U] = h13;); + if (i1 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws[i]; + uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s1 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws[i] = s1 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = tmp_block_state; + uint32_t x = tmp_block_state[i] + hash_old[i]; + os[i] = x;); + } + uint64_t prev_len_last = total_len - (uint64_t)r; + uint32_t blocks; + if (r + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[128U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = (prev_len_last + (uint64_t)r) << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b00 = buf_last; + memcpy(last, b00, r * sizeof (uint8_t)); + last[r] = (uint8_t)0x80U; + memcpy(last + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)64U; + Hacl_Impl_SHA2_Types_uint8_2p scrut0 = { .fst = last00, .snd = last10 }; + uint8_t *l0 = scrut0.fst; + uint8_t *l1 = scrut0.snd; + uint8_t *lb0 = l0; + uint8_t *lb1 = l1; + Hacl_Impl_SHA2_Types_uint8_2p scrut1 = { .fst = lb0, .snd = lb1 }; + uint8_t *last0 = scrut1.fst; + uint8_t *last1 = scrut1.snd; + uint32_t hash_old[8U] = { 0U }; + uint32_t ws0[16U] = { 0U }; + memcpy(hash_old, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b2 = last0; + uint32_t u0 = load32_be(b2); + ws0[0U] = u0; + uint32_t u1 = load32_be(b2 + (uint32_t)4U); + ws0[1U] = u1; + uint32_t u2 = load32_be(b2 + (uint32_t)8U); + ws0[2U] = u2; + uint32_t u3 = load32_be(b2 + (uint32_t)12U); + ws0[3U] = u3; + uint32_t u4 = load32_be(b2 + (uint32_t)16U); + ws0[4U] = u4; + uint32_t u5 = load32_be(b2 + (uint32_t)20U); + ws0[5U] = u5; + uint32_t u6 = load32_be(b2 + (uint32_t)24U); + ws0[6U] = u6; + uint32_t u7 = load32_be(b2 + (uint32_t)28U); + ws0[7U] = u7; + uint32_t u8 = load32_be(b2 + (uint32_t)32U); + ws0[8U] = u8; + uint32_t u9 = load32_be(b2 + (uint32_t)36U); + ws0[9U] = u9; + uint32_t u10 = load32_be(b2 + (uint32_t)40U); + ws0[10U] = u10; + uint32_t u11 = load32_be(b2 + (uint32_t)44U); + ws0[11U] = u11; + uint32_t u12 = load32_be(b2 + (uint32_t)48U); + ws0[12U] = u12; + uint32_t u13 = load32_be(b2 + (uint32_t)52U); + ws0[13U] = u13; + uint32_t u14 = load32_be(b2 + (uint32_t)56U); + ws0[14U] = u14; + uint32_t u15 = load32_be(b2 + (uint32_t)60U); + ws0[15U] = u15; + KRML_MAYBE_FOR4(i0, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + uint32_t ws_t = ws0[i]; + uint32_t a0 = tmp_block_state[0U]; + uint32_t b0 = tmp_block_state[1U]; + uint32_t c0 = tmp_block_state[2U]; + uint32_t d0 = tmp_block_state[3U]; + uint32_t e0 = tmp_block_state[4U]; + uint32_t f0 = tmp_block_state[5U]; + uint32_t g0 = tmp_block_state[6U]; + uint32_t h05 = tmp_block_state[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h05 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h14 = g0; + tmp_block_state[0U] = a1; + tmp_block_state[1U] = b1; + tmp_block_state[2U] = c1; + tmp_block_state[3U] = d1; + tmp_block_state[4U] = e1; + tmp_block_state[5U] = f1; + tmp_block_state[6U] = g1; + tmp_block_state[7U] = h14;); + if (i0 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws0[i]; + uint32_t t15 = ws0[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws0[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws0[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s1 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws0[i] = s1 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = tmp_block_state; + uint32_t x = tmp_block_state[i] + hash_old[i]; + os[i] = x;); + if (blocks > (uint32_t)1U) + { + uint32_t hash_old0[8U] = { 0U }; + uint32_t ws[16U] = { 0U }; + memcpy(hash_old0, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b = last1; + uint32_t u = load32_be(b); + ws[0U] = u; + uint32_t u16 = load32_be(b + (uint32_t)4U); + ws[1U] = u16; + uint32_t u17 = load32_be(b + (uint32_t)8U); + ws[2U] = u17; + uint32_t u18 = load32_be(b + (uint32_t)12U); + ws[3U] = u18; + uint32_t u19 = load32_be(b + (uint32_t)16U); + ws[4U] = u19; + uint32_t u20 = load32_be(b + (uint32_t)20U); + ws[5U] = u20; + uint32_t u21 = load32_be(b + (uint32_t)24U); + ws[6U] = u21; + uint32_t u22 = load32_be(b + (uint32_t)28U); + ws[7U] = u22; + uint32_t u23 = load32_be(b + (uint32_t)32U); + ws[8U] = u23; + uint32_t u24 = load32_be(b + (uint32_t)36U); + ws[9U] = u24; + uint32_t u25 = load32_be(b + (uint32_t)40U); + ws[10U] = u25; + uint32_t u26 = load32_be(b + (uint32_t)44U); + ws[11U] = u26; + uint32_t u27 = load32_be(b + (uint32_t)48U); + ws[12U] = u27; + uint32_t u28 = load32_be(b + (uint32_t)52U); + ws[13U] = u28; + uint32_t u29 = load32_be(b + (uint32_t)56U); + ws[14U] = u29; + uint32_t u30 = load32_be(b + (uint32_t)60U); + ws[15U] = u30; + KRML_MAYBE_FOR4(i0, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + uint32_t ws_t = ws[i]; + uint32_t a0 = tmp_block_state[0U]; + uint32_t b0 = tmp_block_state[1U]; + uint32_t c0 = tmp_block_state[2U]; + uint32_t d0 = tmp_block_state[3U]; + uint32_t e0 = tmp_block_state[4U]; + uint32_t f0 = tmp_block_state[5U]; + uint32_t g0 = tmp_block_state[6U]; + uint32_t h05 = tmp_block_state[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h05 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h14 = g0; + tmp_block_state[0U] = a1; + tmp_block_state[1U] = b1; + tmp_block_state[2U] = c1; + tmp_block_state[3U] = d1; + tmp_block_state[4U] = e1; + tmp_block_state[5U] = f1; + tmp_block_state[6U] = g1; + tmp_block_state[7U] = h14;); + if (i0 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws[i]; + uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s1 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws[i] = s1 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = tmp_block_state; + uint32_t x = tmp_block_state[i] + hash_old0[i]; + os[i] = x;); + } + uint8_t hbuf[32U] = { 0U }; + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + store32_be(hbuf + i * (uint32_t)4U, tmp_block_state[i]);); + memcpy(dst, hbuf, (uint32_t)28U * sizeof (uint8_t)); +} + +void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256() +{ + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); + Hacl_Streaming_SHA2_state_sha2_224 + *p = + (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_SHA2_state_sha2_224 + )); + p[0U] = s; + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = block_state; + uint32_t x = Hacl_Impl_SHA2_Generic_h256[i]; + os[i] = x;); + return p; +} + +void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = block_state; + uint32_t x = Hacl_Impl_SHA2_Generic_h256[i]; + os[i] = x;); + s[0U] = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state, + .buf = buf, + .total_len = (uint64_t)0U + } + ); +} + +/** +0 = success, 1 = max length exceeded +*/ +uint32_t +Hacl_Streaming_SHA2_update_256( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +) +{ + Hacl_Streaming_SHA2_state_sha2_224 s = *p; + uint64_t total_len = s.total_len; + if ((uint64_t)len > (uint64_t)2305843009213693951U - total_len) + { + return (uint32_t)1U; + } + uint32_t sz; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + sz = (uint32_t)64U; + } + else + { + sz = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + if (len <= (uint32_t)64U - sz) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf + sz1; + memcpy(buf2, data, len * sizeof (uint8_t)); + uint64_t total_len2 = total_len1 + (uint64_t)len; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len2 + } + ); + } + else if (sz == (uint32_t)0U) + { + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state1 = s1.block_state; + uint8_t *buf = s1.buf; + uint64_t total_len1 = s1.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + uint32_t blocks = (uint32_t)1U; + for (uint32_t i0 = (uint32_t)0U; i0 < blocks; i0++) + { + uint8_t *b00 = buf; + uint8_t *mb = b00 + i0 * (uint32_t)64U; + uint32_t hash_old[8U] = { 0U }; + uint32_t ws[16U] = { 0U }; + memcpy(hash_old, block_state1, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b = mb; + uint32_t u = load32_be(b); + ws[0U] = u; + uint32_t u0 = load32_be(b + (uint32_t)4U); + ws[1U] = u0; + uint32_t u1 = load32_be(b + (uint32_t)8U); + ws[2U] = u1; + uint32_t u2 = load32_be(b + (uint32_t)12U); + ws[3U] = u2; + uint32_t u3 = load32_be(b + (uint32_t)16U); + ws[4U] = u3; + uint32_t u4 = load32_be(b + (uint32_t)20U); + ws[5U] = u4; + uint32_t u5 = load32_be(b + (uint32_t)24U); + ws[6U] = u5; + uint32_t u6 = load32_be(b + (uint32_t)28U); + ws[7U] = u6; + uint32_t u7 = load32_be(b + (uint32_t)32U); + ws[8U] = u7; + uint32_t u8 = load32_be(b + (uint32_t)36U); + ws[9U] = u8; + uint32_t u9 = load32_be(b + (uint32_t)40U); + ws[10U] = u9; + uint32_t u10 = load32_be(b + (uint32_t)44U); + ws[11U] = u10; + uint32_t u11 = load32_be(b + (uint32_t)48U); + ws[12U] = u11; + uint32_t u12 = load32_be(b + (uint32_t)52U); + ws[13U] = u12; + uint32_t u13 = load32_be(b + (uint32_t)56U); + ws[14U] = u13; + uint32_t u14 = load32_be(b + (uint32_t)60U); + ws[15U] = u14; + KRML_MAYBE_FOR4(i1, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; + uint32_t ws_t = ws[i]; + uint32_t a0 = block_state1[0U]; + uint32_t b0 = block_state1[1U]; + uint32_t c0 = block_state1[2U]; + uint32_t d0 = block_state1[3U]; + uint32_t e0 = block_state1[4U]; + uint32_t f0 = block_state1[5U]; + uint32_t g0 = block_state1[6U]; + uint32_t h05 = block_state1[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h05 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h12 = g0; + block_state1[0U] = a1; + block_state1[1U] = b1; + block_state1[2U] = c1; + block_state1[3U] = d1; + block_state1[4U] = e1; + block_state1[5U] = f1; + block_state1[6U] = g1; + block_state1[7U] = h12;); + if (i1 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws[i]; + uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s11 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws[i] = s11 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = block_state1; + uint32_t x = block_state1[i] + hash_old[i]; + os[i] = x;); + } + } + uint32_t ite; + if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)len % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - data1_len; + uint8_t *data1 = data; + uint8_t *data2 = data + data1_len; + uint32_t blocks = data1_len / (uint32_t)64U; + for (uint32_t i0 = (uint32_t)0U; i0 < blocks; i0++) + { + uint8_t *b00 = data1; + uint8_t *mb = b00 + i0 * (uint32_t)64U; + uint32_t hash_old[8U] = { 0U }; + uint32_t ws[16U] = { 0U }; + memcpy(hash_old, block_state1, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b = mb; + uint32_t u = load32_be(b); + ws[0U] = u; + uint32_t u0 = load32_be(b + (uint32_t)4U); + ws[1U] = u0; + uint32_t u1 = load32_be(b + (uint32_t)8U); + ws[2U] = u1; + uint32_t u2 = load32_be(b + (uint32_t)12U); + ws[3U] = u2; + uint32_t u3 = load32_be(b + (uint32_t)16U); + ws[4U] = u3; + uint32_t u4 = load32_be(b + (uint32_t)20U); + ws[5U] = u4; + uint32_t u5 = load32_be(b + (uint32_t)24U); + ws[6U] = u5; + uint32_t u6 = load32_be(b + (uint32_t)28U); + ws[7U] = u6; + uint32_t u7 = load32_be(b + (uint32_t)32U); + ws[8U] = u7; + uint32_t u8 = load32_be(b + (uint32_t)36U); + ws[9U] = u8; + uint32_t u9 = load32_be(b + (uint32_t)40U); + ws[10U] = u9; + uint32_t u10 = load32_be(b + (uint32_t)44U); + ws[11U] = u10; + uint32_t u11 = load32_be(b + (uint32_t)48U); + ws[12U] = u11; + uint32_t u12 = load32_be(b + (uint32_t)52U); + ws[13U] = u12; + uint32_t u13 = load32_be(b + (uint32_t)56U); + ws[14U] = u13; + uint32_t u14 = load32_be(b + (uint32_t)60U); + ws[15U] = u14; + KRML_MAYBE_FOR4(i1, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; + uint32_t ws_t = ws[i]; + uint32_t a0 = block_state1[0U]; + uint32_t b0 = block_state1[1U]; + uint32_t c0 = block_state1[2U]; + uint32_t d0 = block_state1[3U]; + uint32_t e0 = block_state1[4U]; + uint32_t f0 = block_state1[5U]; + uint32_t g0 = block_state1[6U]; + uint32_t h05 = block_state1[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h05 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h13 = g0; + block_state1[0U] = a1; + block_state1[1U] = b1; + block_state1[2U] = c1; + block_state1[3U] = d1; + block_state1[4U] = e1; + block_state1[5U] = f1; + block_state1[6U] = g1; + block_state1[7U] = h13;); + if (i1 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws[i]; + uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s11 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws[i] = s11 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = block_state1; + uint32_t x = block_state1[i] + hash_old[i]; + os[i] = x;); + } + uint8_t *dst = buf; + memcpy(dst, data2, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)len + } + ); + } + else + { + uint32_t diff = (uint32_t)64U - sz; + uint8_t *data1 = data; + uint8_t *data2 = data + diff; + Hacl_Streaming_SHA2_state_sha2_224 s1 = *p; + uint32_t *block_state10 = s1.block_state; + uint8_t *buf0 = s1.buf; + uint64_t total_len10 = s1.total_len; + uint32_t sz10; + if (total_len10 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len10 > (uint64_t)0U) + { + sz10 = (uint32_t)64U; + } + else + { + sz10 = (uint32_t)(total_len10 % (uint64_t)(uint32_t)64U); + } + uint8_t *buf2 = buf0 + sz10; + memcpy(buf2, data1, diff * sizeof (uint8_t)); + uint64_t total_len2 = total_len10 + (uint64_t)diff; + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state10, + .buf = buf0, + .total_len = total_len2 + } + ); + Hacl_Streaming_SHA2_state_sha2_224 s10 = *p; + uint32_t *block_state1 = s10.block_state; + uint8_t *buf = s10.buf; + uint64_t total_len1 = s10.total_len; + uint32_t sz1; + if (total_len1 % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len1 > (uint64_t)0U) + { + sz1 = (uint32_t)64U; + } + else + { + sz1 = (uint32_t)(total_len1 % (uint64_t)(uint32_t)64U); + } + if (!(sz1 == (uint32_t)0U)) + { + uint32_t blocks = (uint32_t)1U; + for (uint32_t i0 = (uint32_t)0U; i0 < blocks; i0++) + { + uint8_t *b00 = buf; + uint8_t *mb = b00 + i0 * (uint32_t)64U; + uint32_t hash_old[8U] = { 0U }; + uint32_t ws[16U] = { 0U }; + memcpy(hash_old, block_state1, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b = mb; + uint32_t u = load32_be(b); + ws[0U] = u; + uint32_t u0 = load32_be(b + (uint32_t)4U); + ws[1U] = u0; + uint32_t u1 = load32_be(b + (uint32_t)8U); + ws[2U] = u1; + uint32_t u2 = load32_be(b + (uint32_t)12U); + ws[3U] = u2; + uint32_t u3 = load32_be(b + (uint32_t)16U); + ws[4U] = u3; + uint32_t u4 = load32_be(b + (uint32_t)20U); + ws[5U] = u4; + uint32_t u5 = load32_be(b + (uint32_t)24U); + ws[6U] = u5; + uint32_t u6 = load32_be(b + (uint32_t)28U); + ws[7U] = u6; + uint32_t u7 = load32_be(b + (uint32_t)32U); + ws[8U] = u7; + uint32_t u8 = load32_be(b + (uint32_t)36U); + ws[9U] = u8; + uint32_t u9 = load32_be(b + (uint32_t)40U); + ws[10U] = u9; + uint32_t u10 = load32_be(b + (uint32_t)44U); + ws[11U] = u10; + uint32_t u11 = load32_be(b + (uint32_t)48U); + ws[12U] = u11; + uint32_t u12 = load32_be(b + (uint32_t)52U); + ws[13U] = u12; + uint32_t u13 = load32_be(b + (uint32_t)56U); + ws[14U] = u13; + uint32_t u14 = load32_be(b + (uint32_t)60U); + ws[15U] = u14; + KRML_MAYBE_FOR4(i1, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; + uint32_t ws_t = ws[i]; + uint32_t a0 = block_state1[0U]; + uint32_t b0 = block_state1[1U]; + uint32_t c0 = block_state1[2U]; + uint32_t d0 = block_state1[3U]; + uint32_t e0 = block_state1[4U]; + uint32_t f0 = block_state1[5U]; + uint32_t g0 = block_state1[6U]; + uint32_t h06 = block_state1[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h06 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h13 = g0; + block_state1[0U] = a1; + block_state1[1U] = b1; + block_state1[2U] = c1; + block_state1[3U] = d1; + block_state1[4U] = e1; + block_state1[5U] = f1; + block_state1[6U] = g1; + block_state1[7U] = h13;); + if (i1 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws[i]; + uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s11 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws[i] = s11 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = block_state1; + uint32_t x = block_state1[i] + hash_old[i]; + os[i] = x;); + } + } + uint32_t ite; + if + ( + (uint64_t)(len - diff) + % (uint64_t)(uint32_t)64U + == (uint64_t)0U + && (uint64_t)(len - diff) > (uint64_t)0U + ) + { + ite = (uint32_t)64U; + } + else + { + ite = (uint32_t)((uint64_t)(len - diff) % (uint64_t)(uint32_t)64U); + } + uint32_t n_blocks = (len - diff - ite) / (uint32_t)64U; + uint32_t data1_len = n_blocks * (uint32_t)64U; + uint32_t data2_len = len - diff - data1_len; + uint8_t *data11 = data2; + uint8_t *data21 = data2 + data1_len; + uint32_t blocks = data1_len / (uint32_t)64U; + for (uint32_t i0 = (uint32_t)0U; i0 < blocks; i0++) + { + uint8_t *b00 = data11; + uint8_t *mb = b00 + i0 * (uint32_t)64U; + uint32_t hash_old[8U] = { 0U }; + uint32_t ws[16U] = { 0U }; + memcpy(hash_old, block_state1, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b = mb; + uint32_t u = load32_be(b); + ws[0U] = u; + uint32_t u0 = load32_be(b + (uint32_t)4U); + ws[1U] = u0; + uint32_t u1 = load32_be(b + (uint32_t)8U); + ws[2U] = u1; + uint32_t u2 = load32_be(b + (uint32_t)12U); + ws[3U] = u2; + uint32_t u3 = load32_be(b + (uint32_t)16U); + ws[4U] = u3; + uint32_t u4 = load32_be(b + (uint32_t)20U); + ws[5U] = u4; + uint32_t u5 = load32_be(b + (uint32_t)24U); + ws[6U] = u5; + uint32_t u6 = load32_be(b + (uint32_t)28U); + ws[7U] = u6; + uint32_t u7 = load32_be(b + (uint32_t)32U); + ws[8U] = u7; + uint32_t u8 = load32_be(b + (uint32_t)36U); + ws[9U] = u8; + uint32_t u9 = load32_be(b + (uint32_t)40U); + ws[10U] = u9; + uint32_t u10 = load32_be(b + (uint32_t)44U); + ws[11U] = u10; + uint32_t u11 = load32_be(b + (uint32_t)48U); + ws[12U] = u11; + uint32_t u12 = load32_be(b + (uint32_t)52U); + ws[13U] = u12; + uint32_t u13 = load32_be(b + (uint32_t)56U); + ws[14U] = u13; + uint32_t u14 = load32_be(b + (uint32_t)60U); + ws[15U] = u14; + KRML_MAYBE_FOR4(i1, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; + uint32_t ws_t = ws[i]; + uint32_t a0 = block_state1[0U]; + uint32_t b0 = block_state1[1U]; + uint32_t c0 = block_state1[2U]; + uint32_t d0 = block_state1[3U]; + uint32_t e0 = block_state1[4U]; + uint32_t f0 = block_state1[5U]; + uint32_t g0 = block_state1[6U]; + uint32_t h06 = block_state1[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h06 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h14 = g0; + block_state1[0U] = a1; + block_state1[1U] = b1; + block_state1[2U] = c1; + block_state1[3U] = d1; + block_state1[4U] = e1; + block_state1[5U] = f1; + block_state1[6U] = g1; + block_state1[7U] = h14;); + if (i1 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws[i]; + uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s11 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws[i] = s11 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = block_state1; + uint32_t x = block_state1[i] + hash_old[i]; + os[i] = x;); + } + uint8_t *dst = buf; + memcpy(dst, data21, data2_len * sizeof (uint8_t)); + *p + = + ( + (Hacl_Streaming_SHA2_state_sha2_224){ + .block_state = block_state1, + .buf = buf, + .total_len = total_len1 + (uint64_t)(len - diff) + } + ); + } + return (uint32_t)0U; +} + +void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[8U] = { 0U }; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t)); + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + uint32_t blocks0 = (uint32_t)0U; + for (uint32_t i0 = (uint32_t)0U; i0 < blocks0; i0++) + { + uint8_t *b00 = buf_multi; + uint8_t *mb = b00 + i0 * (uint32_t)64U; + uint32_t hash_old[8U] = { 0U }; + uint32_t ws[16U] = { 0U }; + memcpy(hash_old, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b = mb; + uint32_t u = load32_be(b); + ws[0U] = u; + uint32_t u0 = load32_be(b + (uint32_t)4U); + ws[1U] = u0; + uint32_t u1 = load32_be(b + (uint32_t)8U); + ws[2U] = u1; + uint32_t u2 = load32_be(b + (uint32_t)12U); + ws[3U] = u2; + uint32_t u3 = load32_be(b + (uint32_t)16U); + ws[4U] = u3; + uint32_t u4 = load32_be(b + (uint32_t)20U); + ws[5U] = u4; + uint32_t u5 = load32_be(b + (uint32_t)24U); + ws[6U] = u5; + uint32_t u6 = load32_be(b + (uint32_t)28U); + ws[7U] = u6; + uint32_t u7 = load32_be(b + (uint32_t)32U); + ws[8U] = u7; + uint32_t u8 = load32_be(b + (uint32_t)36U); + ws[9U] = u8; + uint32_t u9 = load32_be(b + (uint32_t)40U); + ws[10U] = u9; + uint32_t u10 = load32_be(b + (uint32_t)44U); + ws[11U] = u10; + uint32_t u11 = load32_be(b + (uint32_t)48U); + ws[12U] = u11; + uint32_t u12 = load32_be(b + (uint32_t)52U); + ws[13U] = u12; + uint32_t u13 = load32_be(b + (uint32_t)56U); + ws[14U] = u13; + uint32_t u14 = load32_be(b + (uint32_t)60U); + ws[15U] = u14; + KRML_MAYBE_FOR4(i1, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; + uint32_t ws_t = ws[i]; + uint32_t a0 = tmp_block_state[0U]; + uint32_t b0 = tmp_block_state[1U]; + uint32_t c0 = tmp_block_state[2U]; + uint32_t d0 = tmp_block_state[3U]; + uint32_t e0 = tmp_block_state[4U]; + uint32_t f0 = tmp_block_state[5U]; + uint32_t g0 = tmp_block_state[6U]; + uint32_t h05 = tmp_block_state[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h05 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h13 = g0; + tmp_block_state[0U] = a1; + tmp_block_state[1U] = b1; + tmp_block_state[2U] = c1; + tmp_block_state[3U] = d1; + tmp_block_state[4U] = e1; + tmp_block_state[5U] = f1; + tmp_block_state[6U] = g1; + tmp_block_state[7U] = h13;); + if (i1 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws[i]; + uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s1 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws[i] = s1 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = tmp_block_state; + uint32_t x = tmp_block_state[i] + hash_old[i]; + os[i] = x;); + } + uint64_t prev_len_last = total_len - (uint64_t)r; + uint32_t blocks; + if (r + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[128U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = (prev_len_last + (uint64_t)r) << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b00 = buf_last; + memcpy(last, b00, r * sizeof (uint8_t)); + last[r] = (uint8_t)0x80U; + memcpy(last + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)64U; + Hacl_Impl_SHA2_Types_uint8_2p scrut0 = { .fst = last00, .snd = last10 }; + uint8_t *l0 = scrut0.fst; + uint8_t *l1 = scrut0.snd; + uint8_t *lb0 = l0; + uint8_t *lb1 = l1; + Hacl_Impl_SHA2_Types_uint8_2p scrut1 = { .fst = lb0, .snd = lb1 }; + uint8_t *last0 = scrut1.fst; + uint8_t *last1 = scrut1.snd; + uint32_t hash_old[8U] = { 0U }; + uint32_t ws0[16U] = { 0U }; + memcpy(hash_old, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b2 = last0; + uint32_t u0 = load32_be(b2); + ws0[0U] = u0; + uint32_t u1 = load32_be(b2 + (uint32_t)4U); + ws0[1U] = u1; + uint32_t u2 = load32_be(b2 + (uint32_t)8U); + ws0[2U] = u2; + uint32_t u3 = load32_be(b2 + (uint32_t)12U); + ws0[3U] = u3; + uint32_t u4 = load32_be(b2 + (uint32_t)16U); + ws0[4U] = u4; + uint32_t u5 = load32_be(b2 + (uint32_t)20U); + ws0[5U] = u5; + uint32_t u6 = load32_be(b2 + (uint32_t)24U); + ws0[6U] = u6; + uint32_t u7 = load32_be(b2 + (uint32_t)28U); + ws0[7U] = u7; + uint32_t u8 = load32_be(b2 + (uint32_t)32U); + ws0[8U] = u8; + uint32_t u9 = load32_be(b2 + (uint32_t)36U); + ws0[9U] = u9; + uint32_t u10 = load32_be(b2 + (uint32_t)40U); + ws0[10U] = u10; + uint32_t u11 = load32_be(b2 + (uint32_t)44U); + ws0[11U] = u11; + uint32_t u12 = load32_be(b2 + (uint32_t)48U); + ws0[12U] = u12; + uint32_t u13 = load32_be(b2 + (uint32_t)52U); + ws0[13U] = u13; + uint32_t u14 = load32_be(b2 + (uint32_t)56U); + ws0[14U] = u14; + uint32_t u15 = load32_be(b2 + (uint32_t)60U); + ws0[15U] = u15; + KRML_MAYBE_FOR4(i0, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + uint32_t ws_t = ws0[i]; + uint32_t a0 = tmp_block_state[0U]; + uint32_t b0 = tmp_block_state[1U]; + uint32_t c0 = tmp_block_state[2U]; + uint32_t d0 = tmp_block_state[3U]; + uint32_t e0 = tmp_block_state[4U]; + uint32_t f0 = tmp_block_state[5U]; + uint32_t g0 = tmp_block_state[6U]; + uint32_t h05 = tmp_block_state[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h05 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h14 = g0; + tmp_block_state[0U] = a1; + tmp_block_state[1U] = b1; + tmp_block_state[2U] = c1; + tmp_block_state[3U] = d1; + tmp_block_state[4U] = e1; + tmp_block_state[5U] = f1; + tmp_block_state[6U] = g1; + tmp_block_state[7U] = h14;); + if (i0 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws0[i]; + uint32_t t15 = ws0[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws0[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws0[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s1 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws0[i] = s1 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = tmp_block_state; + uint32_t x = tmp_block_state[i] + hash_old[i]; + os[i] = x;); + if (blocks > (uint32_t)1U) + { + uint32_t hash_old0[8U] = { 0U }; + uint32_t ws[16U] = { 0U }; + memcpy(hash_old0, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b = last1; + uint32_t u = load32_be(b); + ws[0U] = u; + uint32_t u16 = load32_be(b + (uint32_t)4U); + ws[1U] = u16; + uint32_t u17 = load32_be(b + (uint32_t)8U); + ws[2U] = u17; + uint32_t u18 = load32_be(b + (uint32_t)12U); + ws[3U] = u18; + uint32_t u19 = load32_be(b + (uint32_t)16U); + ws[4U] = u19; + uint32_t u20 = load32_be(b + (uint32_t)20U); + ws[5U] = u20; + uint32_t u21 = load32_be(b + (uint32_t)24U); + ws[6U] = u21; + uint32_t u22 = load32_be(b + (uint32_t)28U); + ws[7U] = u22; + uint32_t u23 = load32_be(b + (uint32_t)32U); + ws[8U] = u23; + uint32_t u24 = load32_be(b + (uint32_t)36U); + ws[9U] = u24; + uint32_t u25 = load32_be(b + (uint32_t)40U); + ws[10U] = u25; + uint32_t u26 = load32_be(b + (uint32_t)44U); + ws[11U] = u26; + uint32_t u27 = load32_be(b + (uint32_t)48U); + ws[12U] = u27; + uint32_t u28 = load32_be(b + (uint32_t)52U); + ws[13U] = u28; + uint32_t u29 = load32_be(b + (uint32_t)56U); + ws[14U] = u29; + uint32_t u30 = load32_be(b + (uint32_t)60U); + ws[15U] = u30; + KRML_MAYBE_FOR4(i0, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; + uint32_t ws_t = ws[i]; + uint32_t a0 = tmp_block_state[0U]; + uint32_t b0 = tmp_block_state[1U]; + uint32_t c0 = tmp_block_state[2U]; + uint32_t d0 = tmp_block_state[3U]; + uint32_t e0 = tmp_block_state[4U]; + uint32_t f0 = tmp_block_state[5U]; + uint32_t g0 = tmp_block_state[6U]; + uint32_t h05 = tmp_block_state[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h05 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h14 = g0; + tmp_block_state[0U] = a1; + tmp_block_state[1U] = b1; + tmp_block_state[2U] = c1; + tmp_block_state[3U] = d1; + tmp_block_state[4U] = e1; + tmp_block_state[5U] = f1; + tmp_block_state[6U] = g1; + tmp_block_state[7U] = h14;); + if (i0 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws[i]; + uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s1 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws[i] = s1 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = tmp_block_state; + uint32_t x = tmp_block_state[i] + hash_old0[i]; + os[i] = x;); + } + uint8_t hbuf[32U] = { 0U }; + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + store32_be(hbuf + i * (uint32_t)4U, tmp_block_state[i]);); + memcpy(dst, hbuf, (uint32_t)32U * sizeof (uint8_t)); +} + +void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + KRML_HOST_FREE(block_state); + KRML_HOST_FREE(buf); + KRML_HOST_FREE(s); +} diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.h b/Modules/_hacl/Hacl_Streaming_SHA2.h new file mode 100644 index 00000000000000..ff9243d8b2c3ec --- /dev/null +++ b/Modules/_hacl/Hacl_Streaming_SHA2.h @@ -0,0 +1,92 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Streaming_SHA2_H +#define __Hacl_Streaming_SHA2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + + +#include "Hacl_SHA2_Generic.h" +#include "Hacl_Krmllib.h" + +typedef struct Hacl_Streaming_SHA2_state_sha2_224_s +{ + uint32_t *block_state; + uint8_t *buf; + uint64_t total_len; +} +Hacl_Streaming_SHA2_state_sha2_224; + +typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_SHA2_state_sha2_256; + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224(void); + +void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s); + +/** +0 = success, 1 = max length exceeded +*/ +uint32_t +Hacl_Streaming_SHA2_update_224( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *s); + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(void); + +void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s); + +/** +0 = success, 1 = max length exceeded +*/ +uint32_t +Hacl_Streaming_SHA2_update_256( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *data, + uint32_t len +); + +void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); + +void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Streaming_SHA2_H_DEFINED +#endif diff --git a/Modules/clinic/sha256module.c.h b/Modules/_hacl/clinic/sha256module.c.h similarity index 100% rename from Modules/clinic/sha256module.c.h rename to Modules/_hacl/clinic/sha256module.c.h diff --git a/Modules/_hacl/include/krml/internal/builtin.h b/Modules/_hacl/include/krml/internal/builtin.h new file mode 100644 index 00000000000000..53ea9040c0b0fd --- /dev/null +++ b/Modules/_hacl/include/krml/internal/builtin.h @@ -0,0 +1,16 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef __KRML_BUILTIN_H +#define __KRML_BUILTIN_H + +/* For alloca, when using KaRaMeL's -falloca */ +#if (defined(_WIN32) || defined(_WIN64)) +# include +#endif + +/* If some globals need to be initialized before the main, then karamel will + * generate and try to link last a function with this type: */ +void krmlinit_globals(void); + +#endif diff --git a/Modules/_hacl/include/krml/internal/callconv.h b/Modules/_hacl/include/krml/internal/callconv.h new file mode 100644 index 00000000000000..11ca0e9ef5f6b9 --- /dev/null +++ b/Modules/_hacl/include/krml/internal/callconv.h @@ -0,0 +1,46 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef __KRML_CALLCONV_H +#define __KRML_CALLCONV_H + +/******************************************************************************/ +/* Some macros to ease compatibility */ +/******************************************************************************/ + +/* We want to generate __cdecl safely without worrying about it being undefined. + * When using MSVC, these are always defined. When using MinGW, these are + * defined too. They have no meaning for other platforms, so we define them to + * be empty macros in other situations. */ +#ifndef _MSC_VER +#ifndef __cdecl +#define __cdecl +#endif +#ifndef __stdcall +#define __stdcall +#endif +#ifndef __fastcall +#define __fastcall +#endif +#endif + +/* Since KaRaMeL emits the inline keyword unconditionally, we follow the + * guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this + * __inline__ to ensure the code compiles with -std=c90 and earlier. */ +#ifdef __GNUC__ +# define inline __inline__ +#endif + +/* GCC-specific attribute syntax; everyone else gets the standard C inline + * attribute. */ +#ifdef __GNU_C__ +# ifndef __clang__ +# define force_inline inline __attribute__((always_inline)) +# else +# define force_inline inline +# endif +#else +# define force_inline inline +#endif + +#endif diff --git a/Modules/_hacl/include/krml/internal/target.h b/Modules/_hacl/include/krml/internal/target.h new file mode 100644 index 00000000000000..6685c989ffe3e3 --- /dev/null +++ b/Modules/_hacl/include/krml/internal/target.h @@ -0,0 +1,297 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef __KRML_TARGET_H +#define __KRML_TARGET_H + +#include +#include +#include +#include +#include + +#include "krml/internal/callconv.h" + +/******************************************************************************/ +/* Macros that KaRaMeL will generate. */ +/******************************************************************************/ + +/* For "bare" targets that do not have a C stdlib, the user might want to use + * [-add-early-include '"mydefinitions.h"'] and override these. */ +#ifndef KRML_HOST_PRINTF +# define KRML_HOST_PRINTF printf +#endif + +#if ( \ + (defined __STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) && \ + (!(defined KRML_HOST_EPRINTF))) +# define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__) +#elif !(defined KRML_HOST_EPRINTF) && defined(_MSC_VER) +# define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__) +#endif + +#ifndef KRML_HOST_EXIT +# define KRML_HOST_EXIT exit +#endif + +#ifndef KRML_HOST_MALLOC +# define KRML_HOST_MALLOC malloc +#endif + +#ifndef KRML_HOST_CALLOC +# define KRML_HOST_CALLOC calloc +#endif + +#ifndef KRML_HOST_FREE +# define KRML_HOST_FREE free +#endif + +#ifndef KRML_HOST_TIME + +# include + +/* Prims_nat not yet in scope */ +inline static int32_t krml_time() { + return (int32_t)time(NULL); +} + +# define KRML_HOST_TIME krml_time +#endif + +/* In statement position, exiting is easy. */ +#define KRML_EXIT \ + do { \ + KRML_HOST_PRINTF("Unimplemented function at %s:%d\n", __FILE__, __LINE__); \ + KRML_HOST_EXIT(254); \ + } while (0) + +/* In expression position, use the comma-operator and a malloc to return an + * expression of the right size. KaRaMeL passes t as the parameter to the macro. + */ +#define KRML_EABORT(t, msg) \ + (KRML_HOST_PRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, msg), \ + KRML_HOST_EXIT(255), *((t *)KRML_HOST_MALLOC(sizeof(t)))) + +/* In FStar.Buffer.fst, the size of arrays is uint32_t, but it's a number of + * *elements*. Do an ugly, run-time check (some of which KaRaMeL can eliminate). + */ + +#ifdef __GNUC__ +# define _KRML_CHECK_SIZE_PRAGMA \ + _Pragma("GCC diagnostic ignored \"-Wtype-limits\"") +#else +# define _KRML_CHECK_SIZE_PRAGMA +#endif + +#define KRML_CHECK_SIZE(size_elt, sz) \ + do { \ + _KRML_CHECK_SIZE_PRAGMA \ + if (((size_t)(sz)) > ((size_t)(SIZE_MAX / (size_elt)))) { \ + KRML_HOST_PRINTF( \ + "Maximum allocatable size exceeded, aborting before overflow at " \ + "%s:%d\n", \ + __FILE__, __LINE__); \ + KRML_HOST_EXIT(253); \ + } \ + } while (0) + +#if defined(_MSC_VER) && _MSC_VER < 1900 +# define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) +#else +# define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) snprintf(buf, sz, fmt, arg) +#endif + +#if defined(__GNUC__) && __GNUC__ >= 4 && __GNUC_MINOR__ > 4 +# define KRML_DEPRECATED(x) __attribute__((deprecated(x))) +#elif defined(__GNUC__) +/* deprecated attribute is not defined in GCC < 4.5. */ +# define KRML_DEPRECATED(x) +#elif defined(_MSC_VER) +# define KRML_DEPRECATED(x) __declspec(deprecated(x)) +#endif + +/* Macros for prettier unrolling of loops */ +#define KRML_LOOP1(i, n, x) { \ + x \ + i += n; \ +} + +#define KRML_LOOP2(i, n, x) \ + KRML_LOOP1(i, n, x) \ + KRML_LOOP1(i, n, x) + +#define KRML_LOOP3(i, n, x) \ + KRML_LOOP2(i, n, x) \ + KRML_LOOP1(i, n, x) + +#define KRML_LOOP4(i, n, x) \ + KRML_LOOP2(i, n, x) \ + KRML_LOOP2(i, n, x) + +#define KRML_LOOP5(i, n, x) \ + KRML_LOOP4(i, n, x) \ + KRML_LOOP1(i, n, x) + +#define KRML_LOOP6(i, n, x) \ + KRML_LOOP4(i, n, x) \ + KRML_LOOP2(i, n, x) + +#define KRML_LOOP7(i, n, x) \ + KRML_LOOP4(i, n, x) \ + KRML_LOOP3(i, n, x) + +#define KRML_LOOP8(i, n, x) \ + KRML_LOOP4(i, n, x) \ + KRML_LOOP4(i, n, x) + +#define KRML_LOOP9(i, n, x) \ + KRML_LOOP8(i, n, x) \ + KRML_LOOP1(i, n, x) + +#define KRML_LOOP10(i, n, x) \ + KRML_LOOP8(i, n, x) \ + KRML_LOOP2(i, n, x) + +#define KRML_LOOP11(i, n, x) \ + KRML_LOOP8(i, n, x) \ + KRML_LOOP3(i, n, x) + +#define KRML_LOOP12(i, n, x) \ + KRML_LOOP8(i, n, x) \ + KRML_LOOP4(i, n, x) + +#define KRML_LOOP13(i, n, x) \ + KRML_LOOP8(i, n, x) \ + KRML_LOOP5(i, n, x) + +#define KRML_LOOP14(i, n, x) \ + KRML_LOOP8(i, n, x) \ + KRML_LOOP6(i, n, x) + +#define KRML_LOOP15(i, n, x) \ + KRML_LOOP8(i, n, x) \ + KRML_LOOP7(i, n, x) + +#define KRML_LOOP16(i, n, x) \ + KRML_LOOP8(i, n, x) \ + KRML_LOOP8(i, n, x) + +#define KRML_UNROLL_FOR(i, z, n, k, x) do { \ + uint32_t i = z; \ + KRML_LOOP##n(i, k, x) \ +} while (0) + +#define KRML_ACTUAL_FOR(i, z, n, k, x) \ + do { \ + for (uint32_t i = z; i < n; i += k) { \ + x \ + } \ + } while (0) + +#ifndef KRML_UNROLL_MAX +#define KRML_UNROLL_MAX 16 +#endif + +/* 1 is the number of loop iterations, i.e. (n - z)/k as evaluated by krml */ +#if 0 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR0(i, z, n, k, x) +#else +#define KRML_MAYBE_FOR0(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 1 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR1(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 1, k, x) +#else +#define KRML_MAYBE_FOR1(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 2 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR2(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 2, k, x) +#else +#define KRML_MAYBE_FOR2(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 3 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR3(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 3, k, x) +#else +#define KRML_MAYBE_FOR3(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 4 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR4(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 4, k, x) +#else +#define KRML_MAYBE_FOR4(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 5 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR5(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 5, k, x) +#else +#define KRML_MAYBE_FOR5(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 6 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR6(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 6, k, x) +#else +#define KRML_MAYBE_FOR6(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 7 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR7(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 7, k, x) +#else +#define KRML_MAYBE_FOR7(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 8 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR8(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 8, k, x) +#else +#define KRML_MAYBE_FOR8(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 9 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR9(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 9, k, x) +#else +#define KRML_MAYBE_FOR9(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 10 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR10(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 10, k, x) +#else +#define KRML_MAYBE_FOR10(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 11 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR11(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 11, k, x) +#else +#define KRML_MAYBE_FOR11(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 12 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR12(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 12, k, x) +#else +#define KRML_MAYBE_FOR12(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 13 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR13(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 13, k, x) +#else +#define KRML_MAYBE_FOR13(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 14 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR14(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 14, k, x) +#else +#define KRML_MAYBE_FOR14(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 15 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR15(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 15, k, x) +#else +#define KRML_MAYBE_FOR15(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif + +#if 16 <= KRML_UNROLL_MAX +#define KRML_MAYBE_FOR16(i, z, n, k, x) KRML_UNROLL_FOR(i, z, 16, k, x) +#else +#define KRML_MAYBE_FOR16(i, z, n, k, x) KRML_ACTUAL_FOR(i, z, n, k, x) +#endif +#endif diff --git a/Modules/_hacl/include/krml/internal/types.h b/Modules/_hacl/include/krml/internal/types.h new file mode 100644 index 00000000000000..ac9ba7d012fe5d --- /dev/null +++ b/Modules/_hacl/include/krml/internal/types.h @@ -0,0 +1,85 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef KRML_TYPES_H +#define KRML_TYPES_H + +#include +#include +#include +#include + +/* Types which are either abstract, meaning that have to be implemented in C, or + * which are models, meaning that they are swapped out at compile-time for + * hand-written C types (in which case they're marked as noextract). */ + +typedef uint64_t FStar_UInt64_t, FStar_UInt64_t_; +typedef int64_t FStar_Int64_t, FStar_Int64_t_; +typedef uint32_t FStar_UInt32_t, FStar_UInt32_t_; +typedef int32_t FStar_Int32_t, FStar_Int32_t_; +typedef uint16_t FStar_UInt16_t, FStar_UInt16_t_; +typedef int16_t FStar_Int16_t, FStar_Int16_t_; +typedef uint8_t FStar_UInt8_t, FStar_UInt8_t_; +typedef int8_t FStar_Int8_t, FStar_Int8_t_; + +/* Only useful when building krmllib, because it's in the dependency graph of + * FStar.Int.Cast. */ +typedef uint64_t FStar_UInt63_t, FStar_UInt63_t_; +typedef int64_t FStar_Int63_t, FStar_Int63_t_; + +#if (defined(_MSC_VER) && defined(_M_X64) && !defined(__clang__)) +#define IS_MSVC64 1 +#endif + +/* This code makes a number of assumptions and should be refined. In particular, + * it assumes that: any non-MSVC amd64 compiler supports int128. Maybe it would + * be easier to just test for defined(__SIZEOF_INT128__) only? */ +#if (defined(__x86_64__) || \ + defined(__x86_64) || \ + defined(__aarch64__) || \ + (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \ + defined(__s390x__) || \ + (defined(_MSC_VER) && defined(_M_X64) && defined(__clang__)) || \ + (defined(__mips__) && defined(__LP64__)) || \ + (defined(__riscv) && __riscv_xlen == 64) || \ + defined(__SIZEOF_INT128__)) +#define HAS_INT128 1 +#endif + +/* The uint128 type is a special case since we offer several implementations of + * it, depending on the compiler and whether the user wants the verified + * implementation or not. */ +#if !defined(KRML_VERIFIED_UINT128) && defined(IS_MSVC64) +# include +typedef __m128i FStar_UInt128_uint128; +#elif !defined(KRML_VERIFIED_UINT128) && defined(HAS_INT128) +typedef unsigned __int128 FStar_UInt128_uint128; +#else +typedef struct FStar_UInt128_uint128_s { + uint64_t low; + uint64_t high; +} FStar_UInt128_uint128; +#endif + +/* The former is defined once, here (otherwise, conflicts for test-c89. The + * latter is for internal use. */ +typedef FStar_UInt128_uint128 FStar_UInt128_t, uint128_t; + +#include "krml/lowstar_endianness.h" + +#endif + +/* Avoid a circular loop: if this header is included via FStar_UInt8_16_32_64, + * then don't bring the uint128 definitions into scope. */ +#ifndef __FStar_UInt_8_16_32_64_H + +#if !defined(KRML_VERIFIED_UINT128) && defined(IS_MSVC64) +#include "fstar_uint128_msvc.h" +#elif !defined(KRML_VERIFIED_UINT128) && defined(HAS_INT128) +#include "fstar_uint128_gcc64.h" +#else +#include "FStar_UInt128_Verified.h" +#include "fstar_uint128_struct_endianness.h" +#endif + +#endif diff --git a/Modules/_hacl/include/krml/lowstar_endianness.h b/Modules/_hacl/include/krml/lowstar_endianness.h new file mode 100644 index 00000000000000..32a7391e817ebb --- /dev/null +++ b/Modules/_hacl/include/krml/lowstar_endianness.h @@ -0,0 +1,230 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef __LOWSTAR_ENDIANNESS_H +#define __LOWSTAR_ENDIANNESS_H + +#include +#include + +/******************************************************************************/ +/* Implementing C.fst (part 2: endian-ness macros) */ +/******************************************************************************/ + +/* ... for Linux */ +#if defined(__linux__) || defined(__CYGWIN__) || defined (__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__) +# include + +/* ... for OSX */ +#elif defined(__APPLE__) +# include +# define htole64(x) OSSwapHostToLittleInt64(x) +# define le64toh(x) OSSwapLittleToHostInt64(x) +# define htobe64(x) OSSwapHostToBigInt64(x) +# define be64toh(x) OSSwapBigToHostInt64(x) + +# define htole16(x) OSSwapHostToLittleInt16(x) +# define le16toh(x) OSSwapLittleToHostInt16(x) +# define htobe16(x) OSSwapHostToBigInt16(x) +# define be16toh(x) OSSwapBigToHostInt16(x) + +# define htole32(x) OSSwapHostToLittleInt32(x) +# define le32toh(x) OSSwapLittleToHostInt32(x) +# define htobe32(x) OSSwapHostToBigInt32(x) +# define be32toh(x) OSSwapBigToHostInt32(x) + +/* ... for Solaris */ +#elif defined(__sun__) +# include +# define htole64(x) LE_64(x) +# define le64toh(x) LE_64(x) +# define htobe64(x) BE_64(x) +# define be64toh(x) BE_64(x) + +# define htole16(x) LE_16(x) +# define le16toh(x) LE_16(x) +# define htobe16(x) BE_16(x) +# define be16toh(x) BE_16(x) + +# define htole32(x) LE_32(x) +# define le32toh(x) LE_32(x) +# define htobe32(x) BE_32(x) +# define be32toh(x) BE_32(x) + +/* ... for the BSDs */ +#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) +# include +#elif defined(__OpenBSD__) +# include + +/* ... for Windows (MSVC)... not targeting XBOX 360! */ +#elif defined(_MSC_VER) + +# include +# define htobe16(x) _byteswap_ushort(x) +# define htole16(x) (x) +# define be16toh(x) _byteswap_ushort(x) +# define le16toh(x) (x) + +# define htobe32(x) _byteswap_ulong(x) +# define htole32(x) (x) +# define be32toh(x) _byteswap_ulong(x) +# define le32toh(x) (x) + +# define htobe64(x) _byteswap_uint64(x) +# define htole64(x) (x) +# define be64toh(x) _byteswap_uint64(x) +# define le64toh(x) (x) + +/* ... for Windows (GCC-like, e.g. mingw or clang) */ +#elif (defined(_WIN32) || defined(_WIN64)) && \ + (defined(__GNUC__) || defined(__clang__)) + +# define htobe16(x) __builtin_bswap16(x) +# define htole16(x) (x) +# define be16toh(x) __builtin_bswap16(x) +# define le16toh(x) (x) + +# define htobe32(x) __builtin_bswap32(x) +# define htole32(x) (x) +# define be32toh(x) __builtin_bswap32(x) +# define le32toh(x) (x) + +# define htobe64(x) __builtin_bswap64(x) +# define htole64(x) (x) +# define be64toh(x) __builtin_bswap64(x) +# define le64toh(x) (x) + +/* ... generic big-endian fallback code */ +#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + +/* byte swapping code inspired by: + * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h + * */ + +# define htobe32(x) (x) +# define be32toh(x) (x) +# define htole32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +# define le32toh(x) (htole32((x))) + +# define htobe64(x) (x) +# define be64toh(x) (x) +# define htole64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +# define le64toh(x) (htole64((x))) + +/* ... generic little-endian fallback code */ +#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + +# define htole32(x) (x) +# define le32toh(x) (x) +# define htobe32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +# define be32toh(x) (htobe32((x))) + +# define htole64(x) (x) +# define le64toh(x) (x) +# define htobe64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +# define be64toh(x) (htobe64((x))) + +/* ... couldn't determine endian-ness of the target platform */ +#else +# error "Please define __BYTE_ORDER__!" + +#endif /* defined(__linux__) || ... */ + +/* Loads and stores. These avoid undefined behavior due to unaligned memory + * accesses, via memcpy. */ + +inline static uint16_t load16(uint8_t *b) { + uint16_t x; + memcpy(&x, b, 2); + return x; +} + +inline static uint32_t load32(uint8_t *b) { + uint32_t x; + memcpy(&x, b, 4); + return x; +} + +inline static uint64_t load64(uint8_t *b) { + uint64_t x; + memcpy(&x, b, 8); + return x; +} + +inline static void store16(uint8_t *b, uint16_t i) { + memcpy(b, &i, 2); +} + +inline static void store32(uint8_t *b, uint32_t i) { + memcpy(b, &i, 4); +} + +inline static void store64(uint8_t *b, uint64_t i) { + memcpy(b, &i, 8); +} + +/* Legacy accessors so that this header can serve as an implementation of + * C.Endianness */ +#define load16_le(b) (le16toh(load16(b))) +#define store16_le(b, i) (store16(b, htole16(i))) +#define load16_be(b) (be16toh(load16(b))) +#define store16_be(b, i) (store16(b, htobe16(i))) + +#define load32_le(b) (le32toh(load32(b))) +#define store32_le(b, i) (store32(b, htole32(i))) +#define load32_be(b) (be32toh(load32(b))) +#define store32_be(b, i) (store32(b, htobe32(i))) + +#define load64_le(b) (le64toh(load64(b))) +#define store64_le(b, i) (store64(b, htole64(i))) +#define load64_be(b) (be64toh(load64(b))) +#define store64_be(b, i) (store64(b, htobe64(i))) + +/* Co-existence of LowStar.Endianness and FStar.Endianness generates name + * conflicts, because of course both insist on having no prefixes. Until a + * prefix is added, or until we truly retire FStar.Endianness, solve this issue + * in an elegant way. */ +#define load16_le0 load16_le +#define store16_le0 store16_le +#define load16_be0 load16_be +#define store16_be0 store16_be + +#define load32_le0 load32_le +#define store32_le0 store32_le +#define load32_be0 load32_be +#define store32_be0 store32_be + +#define load64_le0 load64_le +#define store64_le0 store64_le +#define load64_be0 load64_be +#define store64_be0 store64_be + +#define load128_le0 load128_le +#define store128_le0 store128_le +#define load128_be0 load128_be +#define store128_be0 store128_be + +#endif diff --git a/Modules/_hacl/internal/Hacl_Hash_SHA2.h b/Modules/_hacl/internal/Hacl_Hash_SHA2.h new file mode 100644 index 00000000000000..fd4746e638694b --- /dev/null +++ b/Modules/_hacl/internal/Hacl_Hash_SHA2.h @@ -0,0 +1,67 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Hash_SHA2_H +#define __internal_Hacl_Hash_SHA2_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + + +#include "../Hacl_Hash_SHA2.h" + +void Hacl_Hash_Core_SHA2_init_224(uint32_t *s); + +void Hacl_Hash_Core_SHA2_init_256(uint32_t *s); + +void Hacl_Hash_Core_SHA2_init_384(uint64_t *s); + +void Hacl_Hash_Core_SHA2_init_512(uint64_t *s); + +void Hacl_Hash_Core_SHA2_update_384(uint64_t *hash, uint8_t *block); + +void Hacl_Hash_Core_SHA2_update_512(uint64_t *hash, uint8_t *block); + +void Hacl_Hash_Core_SHA2_pad_256(uint64_t len, uint8_t *dst); + +void Hacl_Hash_Core_SHA2_finish_224(uint32_t *s, uint8_t *dst); + +void Hacl_Hash_Core_SHA2_finish_256(uint32_t *s, uint8_t *dst); + +void Hacl_Hash_Core_SHA2_finish_384(uint64_t *s, uint8_t *dst); + +void Hacl_Hash_Core_SHA2_finish_512(uint64_t *s, uint8_t *dst); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Hash_SHA2_H_DEFINED +#endif diff --git a/Modules/_hacl/internal/Hacl_Krmllib.h b/Modules/_hacl/internal/Hacl_Krmllib.h new file mode 100644 index 00000000000000..2a40f074eaf3f5 --- /dev/null +++ b/Modules/_hacl/internal/Hacl_Krmllib.h @@ -0,0 +1,46 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_Krmllib_H +#define __internal_Hacl_Krmllib_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + + +#include "../Hacl_Krmllib.h" +uint32_t LowStar_Vector_new_capacity(uint32_t cap); + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_Krmllib_H_DEFINED +#endif diff --git a/Modules/_hacl/internal/Hacl_SHA2_Types.h b/Modules/_hacl/internal/Hacl_SHA2_Types.h new file mode 100644 index 00000000000000..3e62e3fd30d478 --- /dev/null +++ b/Modules/_hacl/internal/Hacl_SHA2_Types.h @@ -0,0 +1,108 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_SHA2_Types_H +#define __internal_Hacl_SHA2_Types_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + + +#include "../Hacl_SHA2_Types.h" + +typedef struct Hacl_Impl_SHA2_Types_uint8_2p_s +{ + uint8_t *fst; + uint8_t *snd; +} +Hacl_Impl_SHA2_Types_uint8_2p; + +typedef struct Hacl_Impl_SHA2_Types_uint8_3p_s +{ + uint8_t *fst; + Hacl_Impl_SHA2_Types_uint8_2p snd; +} +Hacl_Impl_SHA2_Types_uint8_3p; + +typedef struct Hacl_Impl_SHA2_Types_uint8_4p_s +{ + uint8_t *fst; + Hacl_Impl_SHA2_Types_uint8_3p snd; +} +Hacl_Impl_SHA2_Types_uint8_4p; + +typedef struct Hacl_Impl_SHA2_Types_uint8_5p_s +{ + uint8_t *fst; + Hacl_Impl_SHA2_Types_uint8_4p snd; +} +Hacl_Impl_SHA2_Types_uint8_5p; + +typedef struct Hacl_Impl_SHA2_Types_uint8_6p_s +{ + uint8_t *fst; + Hacl_Impl_SHA2_Types_uint8_5p snd; +} +Hacl_Impl_SHA2_Types_uint8_6p; + +typedef struct Hacl_Impl_SHA2_Types_uint8_7p_s +{ + uint8_t *fst; + Hacl_Impl_SHA2_Types_uint8_6p snd; +} +Hacl_Impl_SHA2_Types_uint8_7p; + +typedef struct Hacl_Impl_SHA2_Types_uint8_8p_s +{ + uint8_t *fst; + Hacl_Impl_SHA2_Types_uint8_7p snd; +} +Hacl_Impl_SHA2_Types_uint8_8p; + +typedef struct Hacl_Impl_SHA2_Types_uint8_2x4p_s +{ + Hacl_Impl_SHA2_Types_uint8_4p fst; + Hacl_Impl_SHA2_Types_uint8_4p snd; +} +Hacl_Impl_SHA2_Types_uint8_2x4p; + +typedef struct Hacl_Impl_SHA2_Types_uint8_2x8p_s +{ + Hacl_Impl_SHA2_Types_uint8_8p fst; + Hacl_Impl_SHA2_Types_uint8_8p snd; +} +Hacl_Impl_SHA2_Types_uint8_2x8p; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_SHA2_Types_H_DEFINED +#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128.h b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128.h new file mode 100644 index 00000000000000..40a9b5399bd614 --- /dev/null +++ b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128.h @@ -0,0 +1,79 @@ +/* + Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. +*/ + + +#ifndef __FStar_UInt128_H +#define __FStar_UInt128_H + + + + +#include +#include +#include "krml/lowstar_endianness.h" +#include "krml/internal/types.h" +#include "krml/internal/target.h" +static inline FStar_UInt128_uint128 +FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a); + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s); + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s); + +static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 +FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); + +static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a); + +static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a); + +static inline FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y); + +static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y); + + +#define __FStar_UInt128_H_DEFINED +#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h new file mode 100644 index 00000000000000..be0e6225bc725b --- /dev/null +++ b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h @@ -0,0 +1,347 @@ +/* + Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. +*/ + + +#ifndef __FStar_UInt128_Verified_H +#define __FStar_UInt128_Verified_H + + + +#include "FStar_UInt_8_16_32_64.h" +#include +#include +#include "krml/internal/types.h" +#include "krml/internal/target.h" +static inline uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b) +{ + return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U; +} + +static inline uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b) +{ + return FStar_UInt128_constant_time_carry(a, b); +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return FStar_UInt128_sub_mod_impl(a, b); +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low & b.low; + lit.high = a.high & b.high; + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low ^ b.low; + lit.high = a.high ^ b.high; + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = a.low | b.low; + lit.high = a.high | b.high; + return lit; +} + +static inline FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a) +{ + FStar_UInt128_uint128 lit; + lit.low = ~a.low; + lit.high = ~a.high; + return lit; +} + +static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U; + +static inline uint64_t FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s) +{ + return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s)); +} + +static inline uint64_t +FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s) +{ + return FStar_UInt128_add_u64_shift_left(hi, lo, s); +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s == (uint32_t)0U) + { + return a; + } + else + { + FStar_UInt128_uint128 lit; + lit.low = a.low << s; + lit.high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s); + return lit; + } +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) +{ + FStar_UInt128_uint128 lit; + lit.low = (uint64_t)0U; + lit.high = a.low << (s - FStar_UInt128_u32_64); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s < FStar_UInt128_u32_64) + { + return FStar_UInt128_shift_left_small(a, s); + } + else + { + return FStar_UInt128_shift_left_large(a, s); + } +} + +static inline uint64_t FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s) +{ + return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s)); +} + +static inline uint64_t +FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s) +{ + return FStar_UInt128_add_u64_shift_right(hi, lo, s); +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s == (uint32_t)0U) + { + return a; + } + else + { + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s); + lit.high = a.high >> s; + return lit; + } +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) +{ + FStar_UInt128_uint128 lit; + lit.low = a.high >> (s - FStar_UInt128_u32_64); + lit.high = (uint64_t)0U; + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s) +{ + if (s < FStar_UInt128_u32_64) + { + return FStar_UInt128_shift_right_small(a, s); + } + else + { + return FStar_UInt128_shift_right_large(a, s); + } +} + +static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return a.low == b.low && a.high == b.high; +} + +static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return a.high > b.high || (a.high == b.high && a.low > b.low); +} + +static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return a.high < b.high || (a.high == b.high && a.low < b.low); +} + +static inline bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return a.high > b.high || (a.high == b.high && a.low >= b.low); +} + +static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + return a.high < b.high || (a.high == b.high && a.low <= b.low); +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + lit.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + return lit; +} + +static inline FStar_UInt128_uint128 +FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +{ + FStar_UInt128_uint128 lit; + lit.low = + (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) + | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)); + lit.high = + (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) + | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)); + return lit; +} + +static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a) +{ + FStar_UInt128_uint128 lit; + lit.low = a; + lit.high = (uint64_t)0U; + return lit; +} + +static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a) +{ + return a.low; +} + +static inline uint64_t FStar_UInt128_u64_mod_32(uint64_t a) +{ + return a & (uint64_t)0xffffffffU; +} + +static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U; + +static inline uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo) +{ + return lo + (hi << FStar_UInt128_u32_32); +} + +static inline FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y) +{ + FStar_UInt128_uint128 lit; + lit.low = + FStar_UInt128_u32_combine((x >> FStar_UInt128_u32_32) + * (uint64_t)y + + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32), + FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)); + lit.high = + ((x >> FStar_UInt128_u32_32) + * (uint64_t)y + + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32)) + >> FStar_UInt128_u32_32; + return lit; +} + +static inline uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo) +{ + return lo + (hi << FStar_UInt128_u32_32); +} + +static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y) +{ + FStar_UInt128_uint128 lit; + lit.low = + FStar_UInt128_u32_combine_(FStar_UInt128_u64_mod_32(x) + * (y >> FStar_UInt128_u32_32) + + + FStar_UInt128_u64_mod_32((x >> FStar_UInt128_u32_32) + * FStar_UInt128_u64_mod_32(y) + + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)), + FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y))); + lit.high = + (x >> FStar_UInt128_u32_32) + * (y >> FStar_UInt128_u32_32) + + + (((x >> FStar_UInt128_u32_32) + * FStar_UInt128_u64_mod_32(y) + + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)) + >> FStar_UInt128_u32_32) + + + ((FStar_UInt128_u64_mod_32(x) + * (y >> FStar_UInt128_u32_32) + + + FStar_UInt128_u64_mod_32((x >> FStar_UInt128_u32_32) + * FStar_UInt128_u64_mod_32(y) + + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32))) + >> FStar_UInt128_u32_32); + return lit; +} + + +#define __FStar_UInt128_Verified_H_DEFINED +#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h new file mode 100644 index 00000000000000..a76301f1840acf --- /dev/null +++ b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h @@ -0,0 +1,108 @@ +/* + Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. +*/ + + +#ifndef __FStar_UInt_8_16_32_64_H +#define __FStar_UInt_8_16_32_64_H + + + + +#include +#include +#include "krml/lowstar_endianness.h" +#include "krml/internal/types.h" +#include "krml/internal/target.h" + +static inline uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b) +{ + uint64_t x = a ^ b; + uint64_t minus_x = ~x + (uint64_t)1U; + uint64_t x_or_minus_x = x | minus_x; + uint64_t xnx = x_or_minus_x >> (uint32_t)63U; + return xnx - (uint64_t)1U; +} + +static inline uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b) +{ + uint64_t x = a; + uint64_t y = b; + uint64_t x_xor_y = x ^ y; + uint64_t x_sub_y = x - y; + uint64_t x_sub_y_xor_y = x_sub_y ^ y; + uint64_t q = x_xor_y | x_sub_y_xor_y; + uint64_t x_xor_q = x ^ q; + uint64_t x_xor_q_ = x_xor_q >> (uint32_t)63U; + return x_xor_q_ - (uint64_t)1U; +} + +static inline uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b) +{ + uint32_t x = a ^ b; + uint32_t minus_x = ~x + (uint32_t)1U; + uint32_t x_or_minus_x = x | minus_x; + uint32_t xnx = x_or_minus_x >> (uint32_t)31U; + return xnx - (uint32_t)1U; +} + +static inline uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b) +{ + uint32_t x = a; + uint32_t y = b; + uint32_t x_xor_y = x ^ y; + uint32_t x_sub_y = x - y; + uint32_t x_sub_y_xor_y = x_sub_y ^ y; + uint32_t q = x_xor_y | x_sub_y_xor_y; + uint32_t x_xor_q = x ^ q; + uint32_t x_xor_q_ = x_xor_q >> (uint32_t)31U; + return x_xor_q_ - (uint32_t)1U; +} + +static inline uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b) +{ + uint16_t x = a ^ b; + uint16_t minus_x = ~x + (uint16_t)1U; + uint16_t x_or_minus_x = x | minus_x; + uint16_t xnx = x_or_minus_x >> (uint32_t)15U; + return xnx - (uint16_t)1U; +} + +static inline uint16_t FStar_UInt16_gte_mask(uint16_t a, uint16_t b) +{ + uint16_t x = a; + uint16_t y = b; + uint16_t x_xor_y = x ^ y; + uint16_t x_sub_y = x - y; + uint16_t x_sub_y_xor_y = x_sub_y ^ y; + uint16_t q = x_xor_y | x_sub_y_xor_y; + uint16_t x_xor_q = x ^ q; + uint16_t x_xor_q_ = x_xor_q >> (uint32_t)15U; + return x_xor_q_ - (uint16_t)1U; +} + +static inline uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b) +{ + uint8_t x = a ^ b; + uint8_t minus_x = ~x + (uint8_t)1U; + uint8_t x_or_minus_x = x | minus_x; + uint8_t xnx = x_or_minus_x >> (uint32_t)7U; + return xnx - (uint8_t)1U; +} + +static inline uint8_t FStar_UInt8_gte_mask(uint8_t a, uint8_t b) +{ + uint8_t x = a; + uint8_t y = b; + uint8_t x_xor_y = x ^ y; + uint8_t x_sub_y = x - y; + uint8_t x_sub_y_xor_y = x_sub_y ^ y; + uint8_t q = x_xor_y | x_sub_y_xor_y; + uint8_t x_xor_q = x ^ q; + uint8_t x_xor_q_ = x_xor_q >> (uint32_t)7U; + return x_xor_q_ - (uint8_t)1U; +} + +#define __FStar_UInt_8_16_32_64_H_DEFINED +#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/LowStar_Endianness.h b/Modules/_hacl/krmllib/dist/minimal/LowStar_Endianness.h new file mode 100644 index 00000000000000..cac1d21ec0c1ec --- /dev/null +++ b/Modules/_hacl/krmllib/dist/minimal/LowStar_Endianness.h @@ -0,0 +1,28 @@ +/* + Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. +*/ + + +#ifndef __LowStar_Endianness_H +#define __LowStar_Endianness_H + + + +#include "FStar_UInt128.h" +#include +#include +#include "krml/lowstar_endianness.h" +#include "krml/internal/types.h" +#include "krml/internal/target.h" +static inline void store128_le(uint8_t *x0, FStar_UInt128_uint128 x1); + +static inline FStar_UInt128_uint128 load128_le(uint8_t *x0); + +static inline void store128_be(uint8_t *x0, FStar_UInt128_uint128 x1); + +static inline FStar_UInt128_uint128 load128_be(uint8_t *x0); + + +#define __LowStar_Endianness_H_DEFINED +#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h new file mode 100644 index 00000000000000..e40304b25b40f9 --- /dev/null +++ b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h @@ -0,0 +1,165 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +/******************************************************************************/ +/* Machine integers (128-bit arithmetic) */ +/******************************************************************************/ + +/* This header contains two things. + * + * First, an implementation of 128-bit arithmetic suitable for 64-bit GCC and + * Clang, i.e. all the operations from FStar.UInt128. + * + * Second, 128-bit operations from C.Endianness (or LowStar.Endianness), + * suitable for any compiler and platform (via a series of ifdefs). This second + * part is unfortunate, and should be fixed by moving {load,store}128_{be,le} to + * FStar.UInt128 to avoid a maze of preprocessor guards and hand-written code. + * */ + +/* This file is used for both the minimal and generic krmllib distributions. As + * such, it assumes that the machine integers have been bundled the exact same + * way in both cases. */ + +#ifndef FSTAR_UINT128_GCC64 +#define FSTAR_UINT128_GCC64 + +#include "FStar_UInt128.h" +#include "FStar_UInt_8_16_32_64.h" +#include "LowStar_Endianness.h" + +/* GCC + using native unsigned __int128 support */ + +inline static uint128_t load128_le(uint8_t *b) { + uint128_t l = (uint128_t)load64_le(b); + uint128_t h = (uint128_t)load64_le(b + 8); + return (h << 64 | l); +} + +inline static void store128_le(uint8_t *b, uint128_t n) { + store64_le(b, (uint64_t)n); + store64_le(b + 8, (uint64_t)(n >> 64)); +} + +inline static uint128_t load128_be(uint8_t *b) { + uint128_t h = (uint128_t)load64_be(b); + uint128_t l = (uint128_t)load64_be(b + 8); + return (h << 64 | l); +} + +inline static void store128_be(uint8_t *b, uint128_t n) { + store64_be(b, (uint64_t)(n >> 64)); + store64_be(b + 8, (uint64_t)n); +} + +inline static uint128_t FStar_UInt128_add(uint128_t x, uint128_t y) { + return x + y; +} + +inline static uint128_t FStar_UInt128_mul(uint128_t x, uint128_t y) { + return x * y; +} + +inline static uint128_t FStar_UInt128_add_mod(uint128_t x, uint128_t y) { + return x + y; +} + +inline static uint128_t FStar_UInt128_sub(uint128_t x, uint128_t y) { + return x - y; +} + +inline static uint128_t FStar_UInt128_sub_mod(uint128_t x, uint128_t y) { + return x - y; +} + +inline static uint128_t FStar_UInt128_logand(uint128_t x, uint128_t y) { + return x & y; +} + +inline static uint128_t FStar_UInt128_logor(uint128_t x, uint128_t y) { + return x | y; +} + +inline static uint128_t FStar_UInt128_logxor(uint128_t x, uint128_t y) { + return x ^ y; +} + +inline static uint128_t FStar_UInt128_lognot(uint128_t x) { + return ~x; +} + +inline static uint128_t FStar_UInt128_shift_left(uint128_t x, uint32_t y) { + return x << y; +} + +inline static uint128_t FStar_UInt128_shift_right(uint128_t x, uint32_t y) { + return x >> y; +} + +inline static uint128_t FStar_UInt128_uint64_to_uint128(uint64_t x) { + return (uint128_t)x; +} + +inline static uint64_t FStar_UInt128_uint128_to_uint64(uint128_t x) { + return (uint64_t)x; +} + +inline static uint128_t FStar_UInt128_mul_wide(uint64_t x, uint64_t y) { + return ((uint128_t) x) * y; +} + +inline static uint128_t FStar_UInt128_eq_mask(uint128_t x, uint128_t y) { + uint64_t mask = + FStar_UInt64_eq_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)) & + FStar_UInt64_eq_mask(x, y); + return ((uint128_t)mask) << 64 | mask; +} + +inline static uint128_t FStar_UInt128_gte_mask(uint128_t x, uint128_t y) { + uint64_t mask = + (FStar_UInt64_gte_mask(x >> 64, y >> 64) & + ~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) | + (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask(x, y)); + return ((uint128_t)mask) << 64 | mask; +} + +inline static uint64_t FStar_UInt128___proj__Mkuint128__item__low(uint128_t x) { + return (uint64_t) x; +} + +inline static uint64_t FStar_UInt128___proj__Mkuint128__item__high(uint128_t x) { + return (uint64_t) (x >> 64); +} + +inline static uint128_t FStar_UInt128_add_underspec(uint128_t x, uint128_t y) { + return x + y; +} + +inline static uint128_t FStar_UInt128_sub_underspec(uint128_t x, uint128_t y) { + return x - y; +} + +inline static bool FStar_UInt128_eq(uint128_t x, uint128_t y) { + return x == y; +} + +inline static bool FStar_UInt128_gt(uint128_t x, uint128_t y) { + return x > y; +} + +inline static bool FStar_UInt128_lt(uint128_t x, uint128_t y) { + return x < y; +} + +inline static bool FStar_UInt128_gte(uint128_t x, uint128_t y) { + return x >= y; +} + +inline static bool FStar_UInt128_lte(uint128_t x, uint128_t y) { + return x <= y; +} + +inline static uint128_t FStar_UInt128_mul32(uint64_t x, uint32_t y) { + return (uint128_t) x * (uint128_t) y; +} + +#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h new file mode 100644 index 00000000000000..cd1448ddb6588b --- /dev/null +++ b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h @@ -0,0 +1,510 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +/* This file was generated by KaRaMeL + * then hand-edited to use MSVC intrinsics KaRaMeL invocation: + * C:\users\barrybo\mitls2c\karamel\_build\src\Karamel.native -minimal -fnouint128 C:/users/barrybo/mitls2c/FStar/ulib/FStar.UInt128.fst -tmpdir ../secure_api/out/runtime_switch/uint128 -skip-compilation -add-include "krmllib0.h" -drop FStar.Int.Cast.Full -bundle FStar.UInt128=FStar.*,Prims + * F* version: 15104ff8 + * KaRaMeL version: 318b7fa8 + */ + +#ifndef FSTAR_UINT128_MSVC +#define FSTAR_UINT128_MSVC + +#include "krml/internal/types.h" +#include "FStar_UInt128.h" +#include "FStar_UInt_8_16_32_64.h" + +#ifndef _MSC_VER +# error This file only works with the MSVC compiler +#endif + +/* JP: need to rip out HAS_OPTIMIZED since the header guards in types.h are now + * done properly and only include this file when we know for sure we are on + * 64-bit MSVC. */ + +#if defined(_M_X64) && !defined(KRML_VERIFIED_UINT128) +#define HAS_OPTIMIZED 1 +#else +#define HAS_OPTIMIZED 0 +#endif + +// Define .low and .high in terms of the __m128i fields, to reduce +// the amount of churn in this file. +#if HAS_OPTIMIZED +#include +#include +#define low m128i_u64[0] +#define high m128i_u64[1] +#endif + +inline static FStar_UInt128_uint128 load128_le(uint8_t *b) { +#if HAS_OPTIMIZED + return _mm_loadu_si128((__m128i *)b); +#else + FStar_UInt128_uint128 lit; + lit.low = load64_le(b); + lit.high = load64_le(b + 8); + return lit; +#endif +} + +inline static void store128_le(uint8_t *b, FStar_UInt128_uint128 n) { + store64_le(b, n.low); + store64_le(b + 8, n.high); +} + +inline static FStar_UInt128_uint128 load128_be(uint8_t *b) { + uint64_t l = load64_be(b + 8); + uint64_t h = load64_be(b); +#if HAS_OPTIMIZED + return _mm_set_epi64x(h, l); +#else + FStar_UInt128_uint128 lit; + lit.low = l; + lit.high = h; + return lit; +#endif +} + +inline static void store128_be(uint8_t *b, uint128_t n) { + store64_be(b, n.high); + store64_be(b + 8, n.low); +} + +inline static uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b) { + return (a ^ (a ^ b | a - b ^ b)) >> (uint32_t)63U; +} + +inline static uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b) { + return FStar_UInt128_constant_time_carry(a, b); +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + uint64_t l, h; + + unsigned char carry = + _addcarry_u64(0, a.low, b.low, &l); // low/CF = a.low+b.low+0 + _addcarry_u64(carry, a.high, b.high, &h); // high = a.high+b.high+CF + return _mm_set_epi64x(h, l); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return FStar_UInt128_add(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low; + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return FStar_UInt128_add(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low + b.low; + lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + uint64_t l, h; + + unsigned char borrow = _subborrow_u64(0, a.low, b.low, &l); + _subborrow_u64(borrow, a.high, b.high, &h); + return _mm_set_epi64x(h, l); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return FStar_UInt128_sub(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + FStar_UInt128_uint128 lit; + lit.low = a.low - b.low; + lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); + return lit; +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return FStar_UInt128_sub(a, b); +#else + return FStar_UInt128_sub_mod_impl(a, b); +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return _mm_and_si128(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low & b.low; + lit.high = a.high & b.high; + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return _mm_xor_si128(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low ^ b.low; + lit.high = a.high ^ b.high; + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + return _mm_or_si128(a, b); +#else + FStar_UInt128_uint128 lit; + lit.low = a.low | b.low; + lit.high = a.high | b.high; + return lit; +#endif +} + +inline static FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a) { +#if HAS_OPTIMIZED + return _mm_andnot_si128(a, a); +#else + FStar_UInt128_uint128 lit; + lit.low = ~a.low; + lit.high = ~a.high; + return lit; +#endif +} + +static const uint32_t FStar_UInt128_u32_64 = (uint32_t)64U; + +inline static uint64_t +FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s) { + return (hi << s) + (lo >> FStar_UInt128_u32_64 - s); +} + +inline static uint64_t +FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s) { + return FStar_UInt128_add_u64_shift_left(hi, lo, s); +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s) { + if (s == (uint32_t)0U) + return a; + else { + FStar_UInt128_uint128 lit; + lit.low = a.low << s; + lit.high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s); + return lit; + } +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) { + FStar_UInt128_uint128 lit; + lit.low = (uint64_t)0U; + lit.high = a.low << s - FStar_UInt128_u32_64; + return lit; +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s) { +#if HAS_OPTIMIZED + if (s == 0) { + return a; + } else if (s < FStar_UInt128_u32_64) { + uint64_t l = a.low << s; + uint64_t h = __shiftleft128(a.low, a.high, (unsigned char)s); + return _mm_set_epi64x(h, l); + } else { + return _mm_set_epi64x(a.low << (s - FStar_UInt128_u32_64), 0); + } +#else + if (s < FStar_UInt128_u32_64) + return FStar_UInt128_shift_left_small(a, s); + else + return FStar_UInt128_shift_left_large(a, s); +#endif +} + +inline static uint64_t +FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s) { + return (lo >> s) + (hi << FStar_UInt128_u32_64 - s); +} + +inline static uint64_t +FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s) { + return FStar_UInt128_add_u64_shift_right(hi, lo, s); +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) { + if (s == (uint32_t)0U) + return a; + else { + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s); + lit.high = a.high >> s; + return lit; + } +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) { + FStar_UInt128_uint128 lit; + lit.low = a.high >> s - FStar_UInt128_u32_64; + lit.high = (uint64_t)0U; + return lit; +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s) { +#if HAS_OPTIMIZED + if (s == 0) { + return a; + } else if (s < FStar_UInt128_u32_64) { + uint64_t l = __shiftright128(a.low, a.high, (unsigned char)s); + uint64_t h = a.high >> s; + return _mm_set_epi64x(h, l); + } else { + return _mm_set_epi64x(0, a.high >> (s - FStar_UInt128_u32_64)); + } +#else + if (s < FStar_UInt128_u32_64) + return FStar_UInt128_shift_right_small(a, s); + else + return FStar_UInt128_shift_right_large(a, s); +#endif +} + +inline static bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + return a.low == b.low && a.high == b.high; +} + +inline static bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + return a.high > b.high || a.high == b.high && a.low > b.low; +} + +inline static bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + return a.high < b.high || a.high == b.high && a.low < b.low; +} + +inline static bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + return a.high > b.high || a.high == b.high && a.low >= b.low; +} + +inline static bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { + return a.high < b.high || a.high == b.high && a.low <= b.low; +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED + // PCMPW to produce 4 32-bit values, all either 0x0 or 0xffffffff + __m128i r32 = _mm_cmpeq_epi32(a, b); + // Shuffle 3,2,1,0 into 2,3,0,1 (swapping dwords inside each half) + __m128i s32 = _mm_shuffle_epi32(r32, _MM_SHUFFLE(2, 3, 0, 1)); + // Bitwise and to compute (3&2),(2&3),(1&0),(0&1) + __m128i ret64 = _mm_and_si128(r32, s32); + // Swap the two 64-bit values to form s64 + __m128i s64 = + _mm_shuffle_epi32(ret64, _MM_SHUFFLE(1, 0, 3, 2)); // 3,2,1,0 -> 1,0,3,2 + // And them together + return _mm_and_si128(ret64, s64); +#else + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + lit.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { +#if HAS_OPTIMIZED && 0 + // ge - compare 3,2,1,0 for >= and generating 0 or 0xffffffff for each + // eq - compare 3,2,1,0 for == and generating 0 or 0xffffffff for each + // slot 0 = ge0 | (eq0 & ge1) | (eq0 & eq1 & ge2) | (eq0 & eq1 & eq2 & ge3) + // then splat slot 0 to 3,2,1,0 + __m128i gt = _mm_cmpgt_epi32(a, b); + __m128i eq = _mm_cmpeq_epi32(a, b); + __m128i ge = _mm_or_si128(gt, eq); + __m128i ge0 = ge; + __m128i eq0 = eq; + __m128i ge1 = _mm_srli_si128(ge, 4); // shift ge from 3,2,1,0 to 0x0,3,2,1 + __m128i t1 = _mm_and_si128(eq0, ge1); + __m128i ret = _mm_or_si128(ge, t1); // ge0 | (eq0 & ge1) is now in 0 + __m128i eq1 = _mm_srli_si128(eq, 4); // shift eq from 3,2,1,0 to 0x0,3,2,1 + __m128i ge2 = + _mm_srli_si128(ge1, 4); // shift original ge from 3,2,1,0 to 0x0,0x0,3,2 + __m128i t2 = + _mm_and_si128(eq0, _mm_and_si128(eq1, ge2)); // t2 = (eq0 & eq1 & ge2) + ret = _mm_or_si128(ret, t2); + __m128i eq2 = _mm_srli_si128(eq1, 4); // shift eq from 3,2,1,0 to 0x0,00,00,3 + __m128i ge3 = + _mm_srli_si128(ge2, 4); // shift original ge from 3,2,1,0 to 0x0,0x0,0x0,3 + __m128i t3 = _mm_and_si128( + eq0, _mm_and_si128( + eq1, _mm_and_si128(eq2, ge3))); // t3 = (eq0 & eq1 & eq2 & ge3) + ret = _mm_or_si128(ret, t3); + return _mm_shuffle_epi32( + ret, + _MM_SHUFFLE(0, 0, 0, 0)); // the result is in 0. Shuffle into all dwords. +#else + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt64_gte_mask(a.high, b.high) & + ~FStar_UInt64_eq_mask(a.high, b.high) | + FStar_UInt64_eq_mask(a.high, b.high) & + FStar_UInt64_gte_mask(a.low, b.low); + lit.high = FStar_UInt64_gte_mask(a.high, b.high) & + ~FStar_UInt64_eq_mask(a.high, b.high) | + FStar_UInt64_eq_mask(a.high, b.high) & + FStar_UInt64_gte_mask(a.low, b.low); + return lit; +#endif +} + +inline static FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a) { +#if HAS_OPTIMIZED + return _mm_set_epi64x(0, a); +#else + FStar_UInt128_uint128 lit; + lit.low = a; + lit.high = (uint64_t)0U; + return lit; +#endif +} + +inline static uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a) { + return a.low; +} + +inline static uint64_t FStar_UInt128_u64_mod_32(uint64_t a) { + return a & (uint64_t)0xffffffffU; +} + +static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U; + +inline static uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo) { + return lo + (hi << FStar_UInt128_u32_32); +} + +inline static FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y) { +#if HAS_OPTIMIZED + uint64_t l, h; + l = _umul128(x, (uint64_t)y, &h); + return _mm_set_epi64x(h, l); +#else + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt128_u32_combine( + (x >> FStar_UInt128_u32_32) * (uint64_t)y + + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> + FStar_UInt128_u32_32), + FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)); + lit.high = (x >> FStar_UInt128_u32_32) * (uint64_t)y + + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> + FStar_UInt128_u32_32) >> + FStar_UInt128_u32_32; + return lit; +#endif +} + +/* Note: static headers bring scope collision issues when they define types! + * Because now client (karamel-generated) code will include this header and + * there might be type collisions if the client code uses quadruples of uint64s. + * So, we cannot use the karamel-generated name. */ +typedef struct K_quad_s { + uint64_t fst; + uint64_t snd; + uint64_t thd; + uint64_t f3; +} K_quad; + +inline static K_quad +FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y) { + K_quad tmp; + tmp.fst = FStar_UInt128_u64_mod_32(x); + tmp.snd = FStar_UInt128_u64_mod_32( + FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)); + tmp.thd = x >> FStar_UInt128_u32_32; + tmp.f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> + FStar_UInt128_u32_32); + return tmp; +} + +static uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo) { + return lo + (hi << FStar_UInt128_u32_32); +} + +inline static FStar_UInt128_uint128 +FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y) { + K_quad scrut = + FStar_UInt128_mul_wide_impl_t_(x, y); + uint64_t u1 = scrut.fst; + uint64_t w3 = scrut.snd; + uint64_t x_ = scrut.thd; + uint64_t t_ = scrut.f3; + FStar_UInt128_uint128 lit; + lit.low = FStar_UInt128_u32_combine_( + u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_), w3); + lit.high = + x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) + + (u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_) >> + FStar_UInt128_u32_32); + return lit; +} + +inline static +FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y) { +#if HAS_OPTIMIZED + uint64_t l, h; + l = _umul128(x, y, &h); + return _mm_set_epi64x(h, l); +#else + return FStar_UInt128_mul_wide_impl(x, y); +#endif +} + +#undef low +#undef high + +#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_struct_endianness.h b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_struct_endianness.h new file mode 100644 index 00000000000000..e2b6d62859a5f1 --- /dev/null +++ b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_struct_endianness.h @@ -0,0 +1,68 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + +#ifndef FSTAR_UINT128_STRUCT_ENDIANNESS_H +#define FSTAR_UINT128_STRUCT_ENDIANNESS_H + +/* Hand-written implementation of endianness-related uint128 functions + * for the extracted uint128 implementation */ + +/* Access 64-bit fields within the int128. */ +#define HIGH64_OF(x) ((x)->high) +#define LOW64_OF(x) ((x)->low) + +/* A series of definitions written using pointers. */ + +inline static void load128_le_(uint8_t *b, uint128_t *r) { + LOW64_OF(r) = load64_le(b); + HIGH64_OF(r) = load64_le(b + 8); +} + +inline static void store128_le_(uint8_t *b, uint128_t *n) { + store64_le(b, LOW64_OF(n)); + store64_le(b + 8, HIGH64_OF(n)); +} + +inline static void load128_be_(uint8_t *b, uint128_t *r) { + HIGH64_OF(r) = load64_be(b); + LOW64_OF(r) = load64_be(b + 8); +} + +inline static void store128_be_(uint8_t *b, uint128_t *n) { + store64_be(b, HIGH64_OF(n)); + store64_be(b + 8, LOW64_OF(n)); +} + +#ifndef KRML_NOSTRUCT_PASSING + +inline static uint128_t load128_le(uint8_t *b) { + uint128_t r; + load128_le_(b, &r); + return r; +} + +inline static void store128_le(uint8_t *b, uint128_t n) { + store128_le_(b, &n); +} + +inline static uint128_t load128_be(uint8_t *b) { + uint128_t r; + load128_be_(b, &r); + return r; +} + +inline static void store128_be(uint8_t *b, uint128_t n) { + store128_be_(b, &n); +} + +#else /* !defined(KRML_STRUCT_PASSING) */ + +# define print128 print128_ +# define load128_le load128_le_ +# define store128_le store128_le_ +# define load128_be load128_be_ +# define store128_be store128_be_ + +#endif /* KRML_STRUCT_PASSING */ + +#endif diff --git a/Modules/_hacl/sha256module.c b/Modules/_hacl/sha256module.c new file mode 100644 index 00000000000000..fe8bbaa8f627bc --- /dev/null +++ b/Modules/_hacl/sha256module.c @@ -0,0 +1,452 @@ +/* SHA256 module */ + +/* This module provides an interface to NIST's SHA-256 and SHA-224 Algorithms */ + +/* See below for information about the original code this module was + based upon. Additional work performed by: + + Andrew Kuchling (amk@amk.ca) + Greg Stein (gstein@lyra.org) + Trevor Perrin (trevp@trevp.net) + + Copyright (C) 2005-2007 Gregory P. Smith (greg@krypto.org) + Licensed to PSF under a Contributor Agreement. + +*/ + +/* SHA objects */ +#ifndef Py_BUILD_CORE_BUILTIN +# define Py_BUILD_CORE_MODULE 1 +#endif + +#include "Python.h" +#include "pycore_bitutils.h" // _Py_bswap32() +#include "pycore_strhex.h" // _Py_strhex() +#include "structmember.h" // PyMemberDef +#include "../hashlib.h" + +/*[clinic input] +module _sha256 +class SHA256Type "SHAobject *" "&PyType_Type" +[clinic start generated code]*/ +/*[clinic end generated code: output=da39a3ee5e6b4b0d input=71a39174d4f0a744]*/ + + +/* The SHA block size and maximum message digest sizes, in bytes */ + +#define SHA_BLOCKSIZE 64 +#define SHA_DIGESTSIZE 32 + +/* The SHA2-224 and SHA2-256 implementations defer to the HACL* verified + * library. */ + +#include "Hacl_Streaming_SHA2.h" + +typedef struct { + PyObject_HEAD + // Even though one could conceivably perform run-type checks to tell apart a + // sha224_type from a sha256_type (and thus deduce the digest size), we must + // keep this field because it's exposed as a member field on the underlying + // python object. + // TODO: could we transform this into a getter and get rid of the redundant + // field? + int digestsize; + Hacl_Streaming_SHA2_state_sha2_256 *state; +} SHAobject; + +#include "clinic/sha256module.c.h" + +/* We shall use run-time type information in the remainder of this module to + * tell apart SHA2-224 and SHA2-256 */ +typedef struct { + PyTypeObject* sha224_type; + PyTypeObject* sha256_type; +} _sha256_state; + +static inline _sha256_state* +_sha256_get_state(PyObject *module) +{ + void *state = PyModule_GetState(module); + assert(state != NULL); + return (_sha256_state *)state; +} + +static void SHAcopy(SHAobject *src, SHAobject *dest) +{ + dest->digestsize = src->digestsize; + // TODO: implement this in HACL + dest->state->total_len = src->state->total_len; + memcpy(dest->state->block_state, src->state->block_state, SHA_DIGESTSIZE); + memcpy(dest->state->buf, src->state->buf, SHA_BLOCKSIZE); +} + +static SHAobject * +newSHA224object(_sha256_state *state) +{ + SHAobject *sha = (SHAobject *)PyObject_GC_New(SHAobject, + state->sha224_type); + PyObject_GC_Track(sha); + return sha; +} + +static SHAobject * +newSHA256object(_sha256_state *state) +{ + SHAobject *sha = (SHAobject *)PyObject_GC_New(SHAobject, + state->sha256_type); + PyObject_GC_Track(sha); + return sha; +} + +/* Internal methods for a hash object */ +static int +SHA_traverse(PyObject *ptr, visitproc visit, void *arg) +{ + Py_VISIT(Py_TYPE(ptr)); + return 0; +} + +static void +SHA_dealloc(PyObject *ptr) +{ + // TODO: change function signature + Hacl_Streaming_SHA2_free_256(((SHAobject *)ptr)->state); + PyTypeObject *tp = Py_TYPE(ptr); + PyObject_GC_UnTrack(ptr); + PyObject_GC_Del(ptr); + Py_DECREF(tp); +} + + +/* External methods for a hash object */ + +/*[clinic input] +SHA256Type.copy + + cls:defining_class + +Return a copy of the hash object. +[clinic start generated code]*/ + +static PyObject * +SHA256Type_copy_impl(SHAobject *self, PyTypeObject *cls) +/*[clinic end generated code: output=9273f92c382be12f input=3137146fcb88e212]*/ +{ + SHAobject *newobj; + _sha256_state *state = PyType_GetModuleState(cls); + if (Py_IS_TYPE(self, state->sha256_type)) { + if ( (newobj = newSHA256object(state)) == NULL) { + return NULL; + } + } else { + if ( (newobj = newSHA224object(state))==NULL) { + return NULL; + } + } + + SHAcopy(self, newobj); + return (PyObject *)newobj; +} + +/*[clinic input] +SHA256Type.digest + +Return the digest value as a bytes object. +[clinic start generated code]*/ + +static PyObject * +SHA256Type_digest_impl(SHAobject *self) +/*[clinic end generated code: output=46616a5e909fbc3d input=f1f4cfea5cbde35c]*/ +{ + uint8_t digest[SHA_DIGESTSIZE]; + // HACL performs copies under the hood so that self->state remains valid + // after this call. + Hacl_Streaming_SHA2_finish_256(self->state, digest); + return PyBytes_FromStringAndSize((const char *)digest, self->digestsize); +} + +/*[clinic input] +SHA256Type.hexdigest + +Return the digest value as a string of hexadecimal digits. +[clinic start generated code]*/ + +static PyObject * +SHA256Type_hexdigest_impl(SHAobject *self) +/*[clinic end generated code: output=725f8a7041ae97f3 input=0cc4c714693010d1]*/ +{ + uint8_t digest[SHA_DIGESTSIZE]; + Hacl_Streaming_SHA2_finish_256(self->state, digest); + return _Py_strhex((const char *)digest, self->digestsize); +} + +/*[clinic input] +SHA256Type.update + + obj: object + / + +Update this hash object's state with the provided string. +[clinic start generated code]*/ + +static PyObject * +SHA256Type_update(SHAobject *self, PyObject *obj) +/*[clinic end generated code: output=0967fb2860c66af7 input=b2d449d5b30f0f5a]*/ +{ + Py_buffer buf; + + GET_BUFFER_VIEW_OR_ERROUT(obj, &buf); + + Hacl_Streaming_SHA2_update_256(self->state, buf.buf, buf.len); + + PyBuffer_Release(&buf); + Py_RETURN_NONE; +} + +static PyMethodDef SHA_methods[] = { + SHA256TYPE_COPY_METHODDEF + SHA256TYPE_DIGEST_METHODDEF + SHA256TYPE_HEXDIGEST_METHODDEF + SHA256TYPE_UPDATE_METHODDEF + {NULL, NULL} /* sentinel */ +}; + +static PyObject * +SHA256_get_block_size(PyObject *self, void *closure) +{ + return PyLong_FromLong(SHA_BLOCKSIZE); +} + +static PyObject * +SHA256_get_name(PyObject *self, void *closure) +{ + if (((SHAobject *)self)->digestsize == 28) + return PyUnicode_FromStringAndSize("sha224", 6); + else + return PyUnicode_FromStringAndSize("sha256", 6); +} + +static PyGetSetDef SHA_getseters[] = { + {"block_size", + (getter)SHA256_get_block_size, NULL, + NULL, + NULL}, + {"name", + (getter)SHA256_get_name, NULL, + NULL, + NULL}, + {NULL} /* Sentinel */ +}; + +static PyMemberDef SHA_members[] = { + {"digest_size", T_INT, offsetof(SHAobject, digestsize), READONLY, NULL}, + {NULL} /* Sentinel */ +}; + +static PyType_Slot sha256_types_slots[] = { + {Py_tp_dealloc, SHA_dealloc}, + {Py_tp_methods, SHA_methods}, + {Py_tp_members, SHA_members}, + {Py_tp_getset, SHA_getseters}, + {Py_tp_traverse, SHA_traverse}, + {0,0} +}; + +static PyType_Spec sha224_type_spec = { + .name = "_sha256.sha224", + .basicsize = sizeof(SHAobject), + .flags = (Py_TPFLAGS_DEFAULT | Py_TPFLAGS_DISALLOW_INSTANTIATION | + Py_TPFLAGS_IMMUTABLETYPE | Py_TPFLAGS_HAVE_GC), + .slots = sha256_types_slots +}; + +static PyType_Spec sha256_type_spec = { + .name = "_sha256.sha256", + .basicsize = sizeof(SHAobject), + .flags = (Py_TPFLAGS_DEFAULT | Py_TPFLAGS_DISALLOW_INSTANTIATION | + Py_TPFLAGS_IMMUTABLETYPE | Py_TPFLAGS_HAVE_GC), + .slots = sha256_types_slots +}; + +/* The single module-level function: new() */ + +/*[clinic input] +_sha256.sha256 + + string: object(c_default="NULL") = b'' + * + usedforsecurity: bool = True + +Return a new SHA-256 hash object; optionally initialized with a string. +[clinic start generated code]*/ + +static PyObject * +_sha256_sha256_impl(PyObject *module, PyObject *string, int usedforsecurity) +/*[clinic end generated code: output=a1de327e8e1185cf input=9be86301aeb14ea5]*/ +{ + Py_buffer buf; + + if (string) { + GET_BUFFER_VIEW_OR_ERROUT(string, &buf); + } + + _sha256_state *state = PyModule_GetState(module); + + SHAobject *new; + if ((new = newSHA256object(state)) == NULL) { + if (string) { + PyBuffer_Release(&buf); + } + return NULL; + } + + new->state = Hacl_Streaming_SHA2_create_in_256(); + new->digestsize = 32; + + if (PyErr_Occurred()) { + Py_DECREF(new); + if (string) { + PyBuffer_Release(&buf); + } + return NULL; + } + if (string) { + Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len); + PyBuffer_Release(&buf); + } + + return (PyObject *)new; +} + +/*[clinic input] +_sha256.sha224 + + string: object(c_default="NULL") = b'' + * + usedforsecurity: bool = True + +Return a new SHA-224 hash object; optionally initialized with a string. +[clinic start generated code]*/ + +static PyObject * +_sha256_sha224_impl(PyObject *module, PyObject *string, int usedforsecurity) +/*[clinic end generated code: output=08be6b36569bc69c input=9fcfb46e460860ac]*/ +{ + Py_buffer buf; + if (string) { + GET_BUFFER_VIEW_OR_ERROUT(string, &buf); + } + + _sha256_state *state = PyModule_GetState(module); + SHAobject *new; + if ((new = newSHA224object(state)) == NULL) { + if (string) { + PyBuffer_Release(&buf); + } + return NULL; + } + + new->state = Hacl_Streaming_SHA2_create_in_224(); + new->digestsize = 28; + + if (PyErr_Occurred()) { + Py_DECREF(new); + if (string) { + PyBuffer_Release(&buf); + } + return NULL; + } + if (string) { + Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len); + PyBuffer_Release(&buf); + } + + return (PyObject *)new; +} + + +/* List of functions exported by this module */ + +static struct PyMethodDef SHA_functions[] = { + _SHA256_SHA256_METHODDEF + _SHA256_SHA224_METHODDEF + {NULL, NULL} /* Sentinel */ +}; + +static int +_sha256_traverse(PyObject *module, visitproc visit, void *arg) +{ + _sha256_state *state = _sha256_get_state(module); + Py_VISIT(state->sha224_type); + Py_VISIT(state->sha256_type); + return 0; +} + +static int +_sha256_clear(PyObject *module) +{ + _sha256_state *state = _sha256_get_state(module); + Py_CLEAR(state->sha224_type); + Py_CLEAR(state->sha256_type); + return 0; +} + +static void +_sha256_free(void *module) +{ + _sha256_clear((PyObject *)module); +} + +static int sha256_exec(PyObject *module) +{ + _sha256_state *state = _sha256_get_state(module); + + state->sha224_type = (PyTypeObject *)PyType_FromModuleAndSpec( + module, &sha224_type_spec, NULL); + + if (state->sha224_type == NULL) { + return -1; + } + + state->sha256_type = (PyTypeObject *)PyType_FromModuleAndSpec( + module, &sha256_type_spec, NULL); + + if (state->sha256_type == NULL) { + return -1; + } + + Py_INCREF((PyObject *)state->sha224_type); + if (PyModule_AddObject(module, "SHA224Type", (PyObject *)state->sha224_type) < 0) { + Py_DECREF((PyObject *)state->sha224_type); + return -1; + } + Py_INCREF((PyObject *)state->sha256_type); + if (PyModule_AddObject(module, "SHA256Type", (PyObject *)state->sha256_type) < 0) { + Py_DECREF((PyObject *)state->sha256_type); + return -1; + } + return 0; +} + +static PyModuleDef_Slot _sha256_slots[] = { + {Py_mod_exec, sha256_exec}, + {0, NULL} +}; + +static struct PyModuleDef _sha256module = { + PyModuleDef_HEAD_INIT, + .m_name = "_sha256", + .m_size = sizeof(_sha256_state), + .m_methods = SHA_functions, + .m_slots = _sha256_slots, + .m_traverse = _sha256_traverse, + .m_clear = _sha256_clear, + .m_free = _sha256_free +}; + +/* Initialize this module. */ +PyMODINIT_FUNC +PyInit__sha256(void) +{ + return PyModuleDef_Init(&_sha256module); +} diff --git a/Modules/sha256module.c b/Modules/sha256module.c deleted file mode 100644 index 17ee86683b7a89..00000000000000 --- a/Modules/sha256module.c +++ /dev/null @@ -1,756 +0,0 @@ -/* SHA256 module */ - -/* This module provides an interface to NIST's SHA-256 and SHA-224 Algorithms */ - -/* See below for information about the original code this module was - based upon. Additional work performed by: - - Andrew Kuchling (amk@amk.ca) - Greg Stein (gstein@lyra.org) - Trevor Perrin (trevp@trevp.net) - - Copyright (C) 2005-2007 Gregory P. Smith (greg@krypto.org) - Licensed to PSF under a Contributor Agreement. - -*/ - -/* SHA objects */ -#ifndef Py_BUILD_CORE_BUILTIN -# define Py_BUILD_CORE_MODULE 1 -#endif - -#include "Python.h" -#include "pycore_bitutils.h" // _Py_bswap32() -#include "pycore_strhex.h" // _Py_strhex() -#include "structmember.h" // PyMemberDef -#include "hashlib.h" - -/*[clinic input] -module _sha256 -class SHA256Type "SHAobject *" "&PyType_Type" -[clinic start generated code]*/ -/*[clinic end generated code: output=da39a3ee5e6b4b0d input=71a39174d4f0a744]*/ - -/* Some useful types */ - -typedef unsigned char SHA_BYTE; -typedef uint32_t SHA_INT32; /* 32-bit integer */ - -/* The SHA block size and message digest sizes, in bytes */ - -#define SHA_BLOCKSIZE 64 -#define SHA_DIGESTSIZE 32 - -/* The structure for storing SHA info */ - -typedef struct { - PyObject_HEAD - SHA_INT32 digest[8]; /* Message digest */ - SHA_INT32 count_lo, count_hi; /* 64-bit bit count */ - SHA_BYTE data[SHA_BLOCKSIZE]; /* SHA data buffer */ - int local; /* unprocessed amount in data */ - int digestsize; -} SHAobject; - -#include "clinic/sha256module.c.h" - -typedef struct { - PyTypeObject* sha224_type; - PyTypeObject* sha256_type; -} _sha256_state; - -static inline _sha256_state* -_sha256_get_state(PyObject *module) -{ - void *state = PyModule_GetState(module); - assert(state != NULL); - return (_sha256_state *)state; -} - -/* When run on a little-endian CPU we need to perform byte reversal on an - array of longwords. */ - -#if PY_LITTLE_ENDIAN -static void longReverse(SHA_INT32 *buffer, int byteCount) -{ - byteCount /= sizeof(*buffer); - for (; byteCount--; buffer++) { - *buffer = _Py_bswap32(*buffer); - } -} -#endif - -static void SHAcopy(SHAobject *src, SHAobject *dest) -{ - dest->local = src->local; - dest->digestsize = src->digestsize; - dest->count_lo = src->count_lo; - dest->count_hi = src->count_hi; - memcpy(dest->digest, src->digest, sizeof(src->digest)); - memcpy(dest->data, src->data, sizeof(src->data)); -} - - -/* ------------------------------------------------------------------------ - * - * This code for the SHA-256 algorithm was noted as public domain. The - * original headers are pasted below. - * - * Several changes have been made to make it more compatible with the - * Python environment and desired interface. - * - */ - -/* LibTomCrypt, modular cryptographic library -- Tom St Denis - * - * LibTomCrypt is a library that provides various cryptographic - * algorithms in a highly modular and flexible manner. - * - * The library is free for all purposes without any express - * guarantee it works. - * - * Tom St Denis, tomstdenis@iahu.ca, https://www.libtom.net - */ - - -/* SHA256 by Tom St Denis */ - -/* Various logical functions */ -#define ROR(x, y)\ -( ((((unsigned long)(x)&0xFFFFFFFFUL)>>(unsigned long)((y)&31)) | \ -((unsigned long)(x)<<(unsigned long)(32-((y)&31)))) & 0xFFFFFFFFUL) -#define Ch(x,y,z) (z ^ (x & (y ^ z))) -#define Maj(x,y,z) (((x | y) & z) | (x & y)) -#define S(x, n) ROR((x),(n)) -#define R(x, n) (((x)&0xFFFFFFFFUL)>>(n)) -#define Sigma0(x) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) -#define Sigma1(x) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) -#define Gamma0(x) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) -#define Gamma1(x) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) - - -static void -sha_transform(SHAobject *sha_info) -{ - int i; - SHA_INT32 S[8], W[64], t0, t1; - - memcpy(W, sha_info->data, sizeof(sha_info->data)); -#if PY_LITTLE_ENDIAN - longReverse(W, (int)sizeof(sha_info->data)); -#endif - - for (i = 16; i < 64; ++i) { - W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16]; - } - for (i = 0; i < 8; ++i) { - S[i] = sha_info->digest[i]; - } - - /* Compress */ -#define RND(a,b,c,d,e,f,g,h,i,ki) \ - t0 = h + Sigma1(e) + Ch(e, f, g) + ki + W[i]; \ - t1 = Sigma0(a) + Maj(a, b, c); \ - d += t0; \ - h = t0 + t1; - - RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],0,0x428a2f98); - RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],1,0x71374491); - RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],2,0xb5c0fbcf); - RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],3,0xe9b5dba5); - RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],4,0x3956c25b); - RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],5,0x59f111f1); - RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],6,0x923f82a4); - RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],7,0xab1c5ed5); - RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],8,0xd807aa98); - RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],9,0x12835b01); - RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],10,0x243185be); - RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],11,0x550c7dc3); - RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],12,0x72be5d74); - RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],13,0x80deb1fe); - RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],14,0x9bdc06a7); - RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],15,0xc19bf174); - RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],16,0xe49b69c1); - RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],17,0xefbe4786); - RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],18,0x0fc19dc6); - RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],19,0x240ca1cc); - RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],20,0x2de92c6f); - RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],21,0x4a7484aa); - RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],22,0x5cb0a9dc); - RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],23,0x76f988da); - RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],24,0x983e5152); - RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],25,0xa831c66d); - RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],26,0xb00327c8); - RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],27,0xbf597fc7); - RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],28,0xc6e00bf3); - RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],29,0xd5a79147); - RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],30,0x06ca6351); - RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],31,0x14292967); - RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],32,0x27b70a85); - RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],33,0x2e1b2138); - RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],34,0x4d2c6dfc); - RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],35,0x53380d13); - RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],36,0x650a7354); - RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],37,0x766a0abb); - RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],38,0x81c2c92e); - RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],39,0x92722c85); - RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],40,0xa2bfe8a1); - RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],41,0xa81a664b); - RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],42,0xc24b8b70); - RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],43,0xc76c51a3); - RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],44,0xd192e819); - RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],45,0xd6990624); - RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],46,0xf40e3585); - RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],47,0x106aa070); - RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],48,0x19a4c116); - RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],49,0x1e376c08); - RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],50,0x2748774c); - RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],51,0x34b0bcb5); - RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],52,0x391c0cb3); - RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],53,0x4ed8aa4a); - RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],54,0x5b9cca4f); - RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],55,0x682e6ff3); - RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],56,0x748f82ee); - RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],57,0x78a5636f); - RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],58,0x84c87814); - RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],59,0x8cc70208); - RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],60,0x90befffa); - RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],61,0xa4506ceb); - RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],62,0xbef9a3f7); - RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],63,0xc67178f2); - -#undef RND - - /* feedback */ - for (i = 0; i < 8; i++) { - sha_info->digest[i] = sha_info->digest[i] + S[i]; - } - -} - - - -/* initialize the SHA digest */ - -static void -sha_init(SHAobject *sha_info) -{ - sha_info->digest[0] = 0x6A09E667L; - sha_info->digest[1] = 0xBB67AE85L; - sha_info->digest[2] = 0x3C6EF372L; - sha_info->digest[3] = 0xA54FF53AL; - sha_info->digest[4] = 0x510E527FL; - sha_info->digest[5] = 0x9B05688CL; - sha_info->digest[6] = 0x1F83D9ABL; - sha_info->digest[7] = 0x5BE0CD19L; - sha_info->count_lo = 0L; - sha_info->count_hi = 0L; - sha_info->local = 0; - sha_info->digestsize = 32; -} - -static void -sha224_init(SHAobject *sha_info) -{ - sha_info->digest[0] = 0xc1059ed8L; - sha_info->digest[1] = 0x367cd507L; - sha_info->digest[2] = 0x3070dd17L; - sha_info->digest[3] = 0xf70e5939L; - sha_info->digest[4] = 0xffc00b31L; - sha_info->digest[5] = 0x68581511L; - sha_info->digest[6] = 0x64f98fa7L; - sha_info->digest[7] = 0xbefa4fa4L; - sha_info->count_lo = 0L; - sha_info->count_hi = 0L; - sha_info->local = 0; - sha_info->digestsize = 28; -} - - -/* update the SHA digest */ - -static void -sha_update(SHAobject *sha_info, SHA_BYTE *buffer, Py_ssize_t count) -{ - Py_ssize_t i; - SHA_INT32 clo; - - clo = sha_info->count_lo + ((SHA_INT32) count << 3); - if (clo < sha_info->count_lo) { - ++sha_info->count_hi; - } - sha_info->count_lo = clo; - sha_info->count_hi += (SHA_INT32) count >> 29; - if (sha_info->local) { - i = SHA_BLOCKSIZE - sha_info->local; - if (i > count) { - i = count; - } - memcpy(((SHA_BYTE *) sha_info->data) + sha_info->local, buffer, i); - count -= i; - buffer += i; - sha_info->local += (int)i; - if (sha_info->local == SHA_BLOCKSIZE) { - sha_transform(sha_info); - } - else { - return; - } - } - while (count >= SHA_BLOCKSIZE) { - memcpy(sha_info->data, buffer, SHA_BLOCKSIZE); - buffer += SHA_BLOCKSIZE; - count -= SHA_BLOCKSIZE; - sha_transform(sha_info); - } - memcpy(sha_info->data, buffer, count); - sha_info->local = (int)count; -} - -/* finish computing the SHA digest */ - -static void -sha_final(unsigned char digest[SHA_DIGESTSIZE], SHAobject *sha_info) -{ - int count; - SHA_INT32 lo_bit_count, hi_bit_count; - - lo_bit_count = sha_info->count_lo; - hi_bit_count = sha_info->count_hi; - count = (int) ((lo_bit_count >> 3) & 0x3f); - ((SHA_BYTE *) sha_info->data)[count++] = 0x80; - if (count > SHA_BLOCKSIZE - 8) { - memset(((SHA_BYTE *) sha_info->data) + count, 0, - SHA_BLOCKSIZE - count); - sha_transform(sha_info); - memset((SHA_BYTE *) sha_info->data, 0, SHA_BLOCKSIZE - 8); - } - else { - memset(((SHA_BYTE *) sha_info->data) + count, 0, - SHA_BLOCKSIZE - 8 - count); - } - - /* GJS: note that we add the hi/lo in big-endian. sha_transform will - swap these values into host-order. */ - sha_info->data[56] = (hi_bit_count >> 24) & 0xff; - sha_info->data[57] = (hi_bit_count >> 16) & 0xff; - sha_info->data[58] = (hi_bit_count >> 8) & 0xff; - sha_info->data[59] = (hi_bit_count >> 0) & 0xff; - sha_info->data[60] = (lo_bit_count >> 24) & 0xff; - sha_info->data[61] = (lo_bit_count >> 16) & 0xff; - sha_info->data[62] = (lo_bit_count >> 8) & 0xff; - sha_info->data[63] = (lo_bit_count >> 0) & 0xff; - sha_transform(sha_info); - digest[ 0] = (unsigned char) ((sha_info->digest[0] >> 24) & 0xff); - digest[ 1] = (unsigned char) ((sha_info->digest[0] >> 16) & 0xff); - digest[ 2] = (unsigned char) ((sha_info->digest[0] >> 8) & 0xff); - digest[ 3] = (unsigned char) ((sha_info->digest[0] ) & 0xff); - digest[ 4] = (unsigned char) ((sha_info->digest[1] >> 24) & 0xff); - digest[ 5] = (unsigned char) ((sha_info->digest[1] >> 16) & 0xff); - digest[ 6] = (unsigned char) ((sha_info->digest[1] >> 8) & 0xff); - digest[ 7] = (unsigned char) ((sha_info->digest[1] ) & 0xff); - digest[ 8] = (unsigned char) ((sha_info->digest[2] >> 24) & 0xff); - digest[ 9] = (unsigned char) ((sha_info->digest[2] >> 16) & 0xff); - digest[10] = (unsigned char) ((sha_info->digest[2] >> 8) & 0xff); - digest[11] = (unsigned char) ((sha_info->digest[2] ) & 0xff); - digest[12] = (unsigned char) ((sha_info->digest[3] >> 24) & 0xff); - digest[13] = (unsigned char) ((sha_info->digest[3] >> 16) & 0xff); - digest[14] = (unsigned char) ((sha_info->digest[3] >> 8) & 0xff); - digest[15] = (unsigned char) ((sha_info->digest[3] ) & 0xff); - digest[16] = (unsigned char) ((sha_info->digest[4] >> 24) & 0xff); - digest[17] = (unsigned char) ((sha_info->digest[4] >> 16) & 0xff); - digest[18] = (unsigned char) ((sha_info->digest[4] >> 8) & 0xff); - digest[19] = (unsigned char) ((sha_info->digest[4] ) & 0xff); - digest[20] = (unsigned char) ((sha_info->digest[5] >> 24) & 0xff); - digest[21] = (unsigned char) ((sha_info->digest[5] >> 16) & 0xff); - digest[22] = (unsigned char) ((sha_info->digest[5] >> 8) & 0xff); - digest[23] = (unsigned char) ((sha_info->digest[5] ) & 0xff); - digest[24] = (unsigned char) ((sha_info->digest[6] >> 24) & 0xff); - digest[25] = (unsigned char) ((sha_info->digest[6] >> 16) & 0xff); - digest[26] = (unsigned char) ((sha_info->digest[6] >> 8) & 0xff); - digest[27] = (unsigned char) ((sha_info->digest[6] ) & 0xff); - digest[28] = (unsigned char) ((sha_info->digest[7] >> 24) & 0xff); - digest[29] = (unsigned char) ((sha_info->digest[7] >> 16) & 0xff); - digest[30] = (unsigned char) ((sha_info->digest[7] >> 8) & 0xff); - digest[31] = (unsigned char) ((sha_info->digest[7] ) & 0xff); -} - -/* - * End of copied SHA code. - * - * ------------------------------------------------------------------------ - */ - - -static SHAobject * -newSHA224object(_sha256_state *state) -{ - SHAobject *sha = (SHAobject *)PyObject_GC_New(SHAobject, - state->sha224_type); - PyObject_GC_Track(sha); - return sha; -} - -static SHAobject * -newSHA256object(_sha256_state *state) -{ - SHAobject *sha = (SHAobject *)PyObject_GC_New(SHAobject, - state->sha256_type); - PyObject_GC_Track(sha); - return sha; -} - -/* Internal methods for a hash object */ -static int -SHA_traverse(PyObject *ptr, visitproc visit, void *arg) -{ - Py_VISIT(Py_TYPE(ptr)); - return 0; -} - -static void -SHA_dealloc(PyObject *ptr) -{ - PyTypeObject *tp = Py_TYPE(ptr); - PyObject_GC_UnTrack(ptr); - PyObject_GC_Del(ptr); - Py_DECREF(tp); -} - - -/* External methods for a hash object */ - -/*[clinic input] -SHA256Type.copy - - cls:defining_class - -Return a copy of the hash object. -[clinic start generated code]*/ - -static PyObject * -SHA256Type_copy_impl(SHAobject *self, PyTypeObject *cls) -/*[clinic end generated code: output=9273f92c382be12f input=3137146fcb88e212]*/ -{ - SHAobject *newobj; - _sha256_state *state = PyType_GetModuleState(cls); - if (Py_IS_TYPE(self, state->sha256_type)) { - if ( (newobj = newSHA256object(state)) == NULL) { - return NULL; - } - } else { - if ( (newobj = newSHA224object(state))==NULL) { - return NULL; - } - } - - SHAcopy(self, newobj); - return (PyObject *)newobj; -} - -/*[clinic input] -SHA256Type.digest - -Return the digest value as a bytes object. -[clinic start generated code]*/ - -static PyObject * -SHA256Type_digest_impl(SHAobject *self) -/*[clinic end generated code: output=46616a5e909fbc3d input=f1f4cfea5cbde35c]*/ -{ - unsigned char digest[SHA_DIGESTSIZE]; - SHAobject temp; - - SHAcopy(self, &temp); - sha_final(digest, &temp); - return PyBytes_FromStringAndSize((const char *)digest, self->digestsize); -} - -/*[clinic input] -SHA256Type.hexdigest - -Return the digest value as a string of hexadecimal digits. -[clinic start generated code]*/ - -static PyObject * -SHA256Type_hexdigest_impl(SHAobject *self) -/*[clinic end generated code: output=725f8a7041ae97f3 input=0cc4c714693010d1]*/ -{ - unsigned char digest[SHA_DIGESTSIZE]; - SHAobject temp; - - /* Get the raw (binary) digest value */ - SHAcopy(self, &temp); - sha_final(digest, &temp); - - return _Py_strhex((const char *)digest, self->digestsize); -} - -/*[clinic input] -SHA256Type.update - - obj: object - / - -Update this hash object's state with the provided string. -[clinic start generated code]*/ - -static PyObject * -SHA256Type_update(SHAobject *self, PyObject *obj) -/*[clinic end generated code: output=0967fb2860c66af7 input=b2d449d5b30f0f5a]*/ -{ - Py_buffer buf; - - GET_BUFFER_VIEW_OR_ERROUT(obj, &buf); - - sha_update(self, buf.buf, buf.len); - - PyBuffer_Release(&buf); - Py_RETURN_NONE; -} - -static PyMethodDef SHA_methods[] = { - SHA256TYPE_COPY_METHODDEF - SHA256TYPE_DIGEST_METHODDEF - SHA256TYPE_HEXDIGEST_METHODDEF - SHA256TYPE_UPDATE_METHODDEF - {NULL, NULL} /* sentinel */ -}; - -static PyObject * -SHA256_get_block_size(PyObject *self, void *closure) -{ - return PyLong_FromLong(SHA_BLOCKSIZE); -} - -static PyObject * -SHA256_get_name(PyObject *self, void *closure) -{ - if (((SHAobject *)self)->digestsize == 32) - return PyUnicode_FromStringAndSize("sha256", 6); - else - return PyUnicode_FromStringAndSize("sha224", 6); -} - -static PyGetSetDef SHA_getseters[] = { - {"block_size", - (getter)SHA256_get_block_size, NULL, - NULL, - NULL}, - {"name", - (getter)SHA256_get_name, NULL, - NULL, - NULL}, - {NULL} /* Sentinel */ -}; - -static PyMemberDef SHA_members[] = { - {"digest_size", T_INT, offsetof(SHAobject, digestsize), READONLY, NULL}, - {NULL} /* Sentinel */ -}; - -static PyType_Slot sha256_types_slots[] = { - {Py_tp_dealloc, SHA_dealloc}, - {Py_tp_methods, SHA_methods}, - {Py_tp_members, SHA_members}, - {Py_tp_getset, SHA_getseters}, - {Py_tp_traverse, SHA_traverse}, - {0,0} -}; - -static PyType_Spec sha224_type_spec = { - .name = "_sha256.sha224", - .basicsize = sizeof(SHAobject), - .flags = (Py_TPFLAGS_DEFAULT | Py_TPFLAGS_DISALLOW_INSTANTIATION | - Py_TPFLAGS_IMMUTABLETYPE | Py_TPFLAGS_HAVE_GC), - .slots = sha256_types_slots -}; - -static PyType_Spec sha256_type_spec = { - .name = "_sha256.sha256", - .basicsize = sizeof(SHAobject), - .flags = (Py_TPFLAGS_DEFAULT | Py_TPFLAGS_DISALLOW_INSTANTIATION | - Py_TPFLAGS_IMMUTABLETYPE | Py_TPFLAGS_HAVE_GC), - .slots = sha256_types_slots -}; - -/* The single module-level function: new() */ - -/*[clinic input] -_sha256.sha256 - - string: object(c_default="NULL") = b'' - * - usedforsecurity: bool = True - -Return a new SHA-256 hash object; optionally initialized with a string. -[clinic start generated code]*/ - -static PyObject * -_sha256_sha256_impl(PyObject *module, PyObject *string, int usedforsecurity) -/*[clinic end generated code: output=a1de327e8e1185cf input=9be86301aeb14ea5]*/ -{ - Py_buffer buf; - - if (string) { - GET_BUFFER_VIEW_OR_ERROUT(string, &buf); - } - - _sha256_state *state = PyModule_GetState(module); - - SHAobject *new; - if ((new = newSHA256object(state)) == NULL) { - if (string) { - PyBuffer_Release(&buf); - } - return NULL; - } - - sha_init(new); - - if (PyErr_Occurred()) { - Py_DECREF(new); - if (string) { - PyBuffer_Release(&buf); - } - return NULL; - } - if (string) { - sha_update(new, buf.buf, buf.len); - PyBuffer_Release(&buf); - } - - return (PyObject *)new; -} - -/*[clinic input] -_sha256.sha224 - - string: object(c_default="NULL") = b'' - * - usedforsecurity: bool = True - -Return a new SHA-224 hash object; optionally initialized with a string. -[clinic start generated code]*/ - -static PyObject * -_sha256_sha224_impl(PyObject *module, PyObject *string, int usedforsecurity) -/*[clinic end generated code: output=08be6b36569bc69c input=9fcfb46e460860ac]*/ -{ - Py_buffer buf; - if (string) { - GET_BUFFER_VIEW_OR_ERROUT(string, &buf); - } - - _sha256_state *state = PyModule_GetState(module); - SHAobject *new; - if ((new = newSHA224object(state)) == NULL) { - if (string) { - PyBuffer_Release(&buf); - } - return NULL; - } - - sha224_init(new); - - if (PyErr_Occurred()) { - Py_DECREF(new); - if (string) { - PyBuffer_Release(&buf); - } - return NULL; - } - if (string) { - sha_update(new, buf.buf, buf.len); - PyBuffer_Release(&buf); - } - - return (PyObject *)new; -} - - -/* List of functions exported by this module */ - -static struct PyMethodDef SHA_functions[] = { - _SHA256_SHA256_METHODDEF - _SHA256_SHA224_METHODDEF - {NULL, NULL} /* Sentinel */ -}; - -static int -_sha256_traverse(PyObject *module, visitproc visit, void *arg) -{ - _sha256_state *state = _sha256_get_state(module); - Py_VISIT(state->sha224_type); - Py_VISIT(state->sha256_type); - return 0; -} - -static int -_sha256_clear(PyObject *module) -{ - _sha256_state *state = _sha256_get_state(module); - Py_CLEAR(state->sha224_type); - Py_CLEAR(state->sha256_type); - return 0; -} - -static void -_sha256_free(void *module) -{ - _sha256_clear((PyObject *)module); -} - -static int sha256_exec(PyObject *module) -{ - _sha256_state *state = _sha256_get_state(module); - - state->sha224_type = (PyTypeObject *)PyType_FromModuleAndSpec( - module, &sha224_type_spec, NULL); - - if (state->sha224_type == NULL) { - return -1; - } - - state->sha256_type = (PyTypeObject *)PyType_FromModuleAndSpec( - module, &sha256_type_spec, NULL); - - if (state->sha256_type == NULL) { - return -1; - } - - Py_INCREF((PyObject *)state->sha224_type); - if (PyModule_AddObject(module, "SHA224Type", (PyObject *)state->sha224_type) < 0) { - Py_DECREF((PyObject *)state->sha224_type); - return -1; - } - Py_INCREF((PyObject *)state->sha256_type); - if (PyModule_AddObject(module, "SHA256Type", (PyObject *)state->sha256_type) < 0) { - Py_DECREF((PyObject *)state->sha256_type); - return -1; - } - return 0; -} - -static PyModuleDef_Slot _sha256_slots[] = { - {Py_mod_exec, sha256_exec}, - {0, NULL} -}; - -static struct PyModuleDef _sha256module = { - PyModuleDef_HEAD_INIT, - .m_name = "_sha256", - .m_size = sizeof(_sha256_state), - .m_methods = SHA_functions, - .m_slots = _sha256_slots, - .m_traverse = _sha256_traverse, - .m_clear = _sha256_clear, - .m_free = _sha256_free -}; - -/* Initialize this module. */ -PyMODINIT_FUNC -PyInit__sha256(void) -{ - return PyModuleDef_Init(&_sha256module); -} diff --git a/PCbuild/pythoncore.vcxproj b/PCbuild/pythoncore.vcxproj index ff17304032cded..a8f87d66aac0e6 100644 --- a/PCbuild/pythoncore.vcxproj +++ b/PCbuild/pythoncore.vcxproj @@ -392,7 +392,7 @@ - + diff --git a/PCbuild/pythoncore.vcxproj.filters b/PCbuild/pythoncore.vcxproj.filters index 7d7fe7267c8ff0..1749495ef21f39 100644 --- a/PCbuild/pythoncore.vcxproj.filters +++ b/PCbuild/pythoncore.vcxproj.filters @@ -821,7 +821,7 @@ Modules - + Modules diff --git a/Tools/c-analyzer/cpython/_parser.py b/Tools/c-analyzer/cpython/_parser.py index 78241f0ea08ac8..3a8e5d863a89e9 100644 --- a/Tools/c-analyzer/cpython/_parser.py +++ b/Tools/c-analyzer/cpython/_parser.py @@ -189,7 +189,7 @@ def clean_lines(text): Modules/main.c Py_BUILD_CORE 1 Modules/mathmodule.c Py_BUILD_CORE 1 Modules/posixmodule.c Py_BUILD_CORE 1 -Modules/sha256module.c Py_BUILD_CORE 1 +Modules/_hacl/sha256module.c Py_BUILD_CORE 1 Modules/sha512module.c Py_BUILD_CORE 1 Modules/signalmodule.c Py_BUILD_CORE 1 Modules/symtablemodule.c Py_BUILD_CORE 1 From 89712f60e70bc28056f94cba62548b3013f591a8 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Fri, 4 Nov 2022 14:27:47 -0700 Subject: [PATCH 02/33] Fixup some casts --- Modules/_hacl/sha256module.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/Modules/_hacl/sha256module.c b/Modules/_hacl/sha256module.c index fe8bbaa8f627bc..2fe5dfdb7e27ab 100644 --- a/Modules/_hacl/sha256module.c +++ b/Modules/_hacl/sha256module.c @@ -107,10 +107,9 @@ SHA_traverse(PyObject *ptr, visitproc visit, void *arg) } static void -SHA_dealloc(PyObject *ptr) +SHA_dealloc(SHAobject *ptr) { - // TODO: change function signature - Hacl_Streaming_SHA2_free_256(((SHAobject *)ptr)->state); + Hacl_Streaming_SHA2_free_256(ptr->state); PyTypeObject *tp = Py_TYPE(ptr); PyObject_GC_UnTrack(ptr); PyObject_GC_Del(ptr); @@ -218,9 +217,9 @@ SHA256_get_block_size(PyObject *self, void *closure) } static PyObject * -SHA256_get_name(PyObject *self, void *closure) +SHA256_get_name(SHAobject *self, void *closure) { - if (((SHAobject *)self)->digestsize == 28) + if (self->digestsize == 28) return PyUnicode_FromStringAndSize("sha224", 6); else return PyUnicode_FromStringAndSize("sha256", 6); From 21fddf15a5e78a7a3f98cfe4f35ae37874702e63 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Fri, 4 Nov 2022 14:33:04 -0700 Subject: [PATCH 03/33] And proper error handling for maximum hashing lengths exceeded --- Modules/_hacl/sha256module.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/Modules/_hacl/sha256module.c b/Modules/_hacl/sha256module.c index 2fe5dfdb7e27ab..365e474db6af75 100644 --- a/Modules/_hacl/sha256module.c +++ b/Modules/_hacl/sha256module.c @@ -196,7 +196,8 @@ SHA256Type_update(SHAobject *self, PyObject *obj) GET_BUFFER_VIEW_OR_ERROUT(obj, &buf); - Hacl_Streaming_SHA2_update_256(self->state, buf.buf, buf.len); + if (!Hacl_Streaming_SHA2_update_256(self->state, buf.buf, buf.len)) + PyErr_SetString(PyExc_RuntimeError, "maximum hashing length exceeded"); PyBuffer_Release(&buf); Py_RETURN_NONE; @@ -310,7 +311,8 @@ _sha256_sha256_impl(PyObject *module, PyObject *string, int usedforsecurity) return NULL; } if (string) { - Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len); + if (!Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len)) + PyErr_SetString(PyExc_RuntimeError, "maximum hashing length exceeded"); PyBuffer_Release(&buf); } @@ -356,7 +358,8 @@ _sha256_sha224_impl(PyObject *module, PyObject *string, int usedforsecurity) return NULL; } if (string) { - Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len); + if (!Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len)) + PyErr_SetString(PyExc_RuntimeError, "maximum hashing length exceeded"); PyBuffer_Release(&buf); } From 6c5498eb892623df036b17fbaa77a352ba78dee4 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Fri, 4 Nov 2022 14:46:23 -0700 Subject: [PATCH 04/33] Remove extra file --- Modules/_hacl/AUTHORS.md | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 Modules/_hacl/AUTHORS.md diff --git a/Modules/_hacl/AUTHORS.md b/Modules/_hacl/AUTHORS.md deleted file mode 100644 index 25636a3d643ad3..00000000000000 --- a/Modules/_hacl/AUTHORS.md +++ /dev/null @@ -1,5 +0,0 @@ -The SHA2 implementation was written by Karthikeyan Bhargavan. -The agile hash infrastructure, the streaming functor, its instantiation to -support incremental SHA2, extraction and packaging was performed by Jonathan -Protzenko. -Considerable proof help was provided by Marina Polubelova and Aymeric Fromherz. From 77c682c633d6652683feee4fb3b3451184e3b58b Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Fri, 4 Nov 2022 15:21:51 -0700 Subject: [PATCH 05/33] See if using srcdir helps --- Modules/Setup.stdlib.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Setup.stdlib.in b/Modules/Setup.stdlib.in index 98fe8656860c68..cc11a07b097427 100644 --- a/Modules/Setup.stdlib.in +++ b/Modules/Setup.stdlib.in @@ -78,7 +78,7 @@ # hashing builtins, can be disabled with --without-builtin-hashlib-hashes @MODULE__MD5_TRUE@_md5 md5module.c @MODULE__SHA1_TRUE@_sha1 sha1module.c -@MODULE__SHA256_TRUE@_sha256 _hacl/sha256module.c _hacl/Hacl_Streaming_SHA2.c -IModules/_hacl/include -IModules/_hacl/internal -IModules/_hacl/krmllib/dist/minimal +@MODULE__SHA256_TRUE@_sha256 _hacl/sha256module.c _hacl/Hacl_Streaming_SHA2.c -I$(srcdir)/Modules/_hacl/include -I$(srcdir)/Modules/_hacl/internal -I$(srcdir)/Modules/_hacl/krmllib/dist/minimal @MODULE__SHA512_TRUE@_sha512 sha512module.c @MODULE__SHA3_TRUE@_sha3 _sha3/sha3module.c @MODULE__BLAKE2_TRUE@_blake2 _blake2/blake2module.c _blake2/blake2b_impl.c _blake2/blake2s_impl.c From 158618826c66d2c39f2ff08dabf9b4b8558a2504 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Mon, 7 Nov 2022 09:04:10 -0800 Subject: [PATCH 06/33] Delete 11 un-needed files --- Modules/_hacl/Hacl_Krmllib.h | 84 ----------- Modules/_hacl/Hacl_SHA2_Generic.h | 134 ------------------ Modules/_hacl/Hacl_SHA2_Types.h | 47 ------ Modules/_hacl/Hacl_Streaming_SHA2.c | 60 ++++++-- Modules/_hacl/Hacl_Streaming_SHA2.h | 3 - Modules/_hacl/include/krml/internal/builtin.h | 16 --- .../_hacl/include/krml/internal/callconv.h | 46 ------ Modules/_hacl/include/krml/internal/target.h | 88 +----------- Modules/_hacl/include/krml/internal/types.h | 19 --- Modules/_hacl/internal/Hacl_Hash_SHA2.h | 67 --------- Modules/_hacl/internal/Hacl_Krmllib.h | 46 ------ Modules/_hacl/internal/Hacl_SHA2_Types.h | 108 -------------- .../krmllib/dist/minimal/FStar_UInt128.h | 79 ----------- .../dist/minimal/FStar_UInt128_Verified.h | 64 ++++++++- .../dist/minimal/FStar_UInt_8_16_32_64.h | 3 - .../krmllib/dist/minimal/LowStar_Endianness.h | 28 ---- .../dist/minimal/fstar_uint128_gcc64.h | 2 - .../krmllib/dist/minimal/fstar_uint128_msvc.h | 1 - .../minimal/fstar_uint128_struct_endianness.h | 68 --------- 19 files changed, 113 insertions(+), 850 deletions(-) delete mode 100644 Modules/_hacl/Hacl_Krmllib.h delete mode 100644 Modules/_hacl/Hacl_SHA2_Generic.h delete mode 100644 Modules/_hacl/Hacl_SHA2_Types.h delete mode 100644 Modules/_hacl/include/krml/internal/builtin.h delete mode 100644 Modules/_hacl/include/krml/internal/callconv.h delete mode 100644 Modules/_hacl/internal/Hacl_Hash_SHA2.h delete mode 100644 Modules/_hacl/internal/Hacl_Krmllib.h delete mode 100644 Modules/_hacl/internal/Hacl_SHA2_Types.h delete mode 100644 Modules/_hacl/krmllib/dist/minimal/FStar_UInt128.h delete mode 100644 Modules/_hacl/krmllib/dist/minimal/LowStar_Endianness.h delete mode 100644 Modules/_hacl/krmllib/dist/minimal/fstar_uint128_struct_endianness.h diff --git a/Modules/_hacl/Hacl_Krmllib.h b/Modules/_hacl/Hacl_Krmllib.h deleted file mode 100644 index c3df0e6c50dda9..00000000000000 --- a/Modules/_hacl/Hacl_Krmllib.h +++ /dev/null @@ -1,84 +0,0 @@ -/* MIT License - * - * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - - -#ifndef __Hacl_Krmllib_H -#define __Hacl_Krmllib_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - -static inline uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b); - -static inline uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b); - -static inline uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b); - -static inline uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b); - -static inline uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b); - -static inline uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s); - -static inline FStar_UInt128_uint128 -FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s); - -static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a); - -static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a); - -static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y); - -static inline void store128_le(uint8_t *x0, FStar_UInt128_uint128 x1); - -static inline void store128_be(uint8_t *x0, FStar_UInt128_uint128 x1); - -static inline FStar_UInt128_uint128 load128_be(uint8_t *x0); - -#if defined(__cplusplus) -} -#endif - -#define __Hacl_Krmllib_H_DEFINED -#endif diff --git a/Modules/_hacl/Hacl_SHA2_Generic.h b/Modules/_hacl/Hacl_SHA2_Generic.h deleted file mode 100644 index 3a6a754837b768..00000000000000 --- a/Modules/_hacl/Hacl_SHA2_Generic.h +++ /dev/null @@ -1,134 +0,0 @@ -/* MIT License - * - * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - - -#ifndef __Hacl_SHA2_Generic_H -#define __Hacl_SHA2_Generic_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - - - - -static const -uint32_t -Hacl_Impl_SHA2_Generic_h224[8U] = - { - (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, - (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U - }; - -static const -uint32_t -Hacl_Impl_SHA2_Generic_h256[8U] = - { - (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, - (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U - }; - -static const -uint64_t -Hacl_Impl_SHA2_Generic_h384[8U] = - { - (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, - (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, - (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U - }; - -static const -uint64_t -Hacl_Impl_SHA2_Generic_h512[8U] = - { - (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, - (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, - (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U - }; - -static const -uint32_t -Hacl_Impl_SHA2_Generic_k224_256[64U] = - { - (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, - (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, - (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, - (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, - (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, - (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, - (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, - (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, - (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, - (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, - (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, - (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, - (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, - (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, - (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, - (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U - }; - -static const -uint64_t -Hacl_Impl_SHA2_Generic_k384_512[80U] = - { - (uint64_t)0x428a2f98d728ae22U, (uint64_t)0x7137449123ef65cdU, (uint64_t)0xb5c0fbcfec4d3b2fU, - (uint64_t)0xe9b5dba58189dbbcU, (uint64_t)0x3956c25bf348b538U, (uint64_t)0x59f111f1b605d019U, - (uint64_t)0x923f82a4af194f9bU, (uint64_t)0xab1c5ed5da6d8118U, (uint64_t)0xd807aa98a3030242U, - (uint64_t)0x12835b0145706fbeU, (uint64_t)0x243185be4ee4b28cU, (uint64_t)0x550c7dc3d5ffb4e2U, - (uint64_t)0x72be5d74f27b896fU, (uint64_t)0x80deb1fe3b1696b1U, (uint64_t)0x9bdc06a725c71235U, - (uint64_t)0xc19bf174cf692694U, (uint64_t)0xe49b69c19ef14ad2U, (uint64_t)0xefbe4786384f25e3U, - (uint64_t)0x0fc19dc68b8cd5b5U, (uint64_t)0x240ca1cc77ac9c65U, (uint64_t)0x2de92c6f592b0275U, - (uint64_t)0x4a7484aa6ea6e483U, (uint64_t)0x5cb0a9dcbd41fbd4U, (uint64_t)0x76f988da831153b5U, - (uint64_t)0x983e5152ee66dfabU, (uint64_t)0xa831c66d2db43210U, (uint64_t)0xb00327c898fb213fU, - (uint64_t)0xbf597fc7beef0ee4U, (uint64_t)0xc6e00bf33da88fc2U, (uint64_t)0xd5a79147930aa725U, - (uint64_t)0x06ca6351e003826fU, (uint64_t)0x142929670a0e6e70U, (uint64_t)0x27b70a8546d22ffcU, - (uint64_t)0x2e1b21385c26c926U, (uint64_t)0x4d2c6dfc5ac42aedU, (uint64_t)0x53380d139d95b3dfU, - (uint64_t)0x650a73548baf63deU, (uint64_t)0x766a0abb3c77b2a8U, (uint64_t)0x81c2c92e47edaee6U, - (uint64_t)0x92722c851482353bU, (uint64_t)0xa2bfe8a14cf10364U, (uint64_t)0xa81a664bbc423001U, - (uint64_t)0xc24b8b70d0f89791U, (uint64_t)0xc76c51a30654be30U, (uint64_t)0xd192e819d6ef5218U, - (uint64_t)0xd69906245565a910U, (uint64_t)0xf40e35855771202aU, (uint64_t)0x106aa07032bbd1b8U, - (uint64_t)0x19a4c116b8d2d0c8U, (uint64_t)0x1e376c085141ab53U, (uint64_t)0x2748774cdf8eeb99U, - (uint64_t)0x34b0bcb5e19b48a8U, (uint64_t)0x391c0cb3c5c95a63U, (uint64_t)0x4ed8aa4ae3418acbU, - (uint64_t)0x5b9cca4f7763e373U, (uint64_t)0x682e6ff3d6b2b8a3U, (uint64_t)0x748f82ee5defb2fcU, - (uint64_t)0x78a5636f43172f60U, (uint64_t)0x84c87814a1f0ab72U, (uint64_t)0x8cc702081a6439ecU, - (uint64_t)0x90befffa23631e28U, (uint64_t)0xa4506cebde82bde9U, (uint64_t)0xbef9a3f7b2c67915U, - (uint64_t)0xc67178f2e372532bU, (uint64_t)0xca273eceea26619cU, (uint64_t)0xd186b8c721c0c207U, - (uint64_t)0xeada7dd6cde0eb1eU, (uint64_t)0xf57d4f7fee6ed178U, (uint64_t)0x06f067aa72176fbaU, - (uint64_t)0x0a637dc5a2c898a6U, (uint64_t)0x113f9804bef90daeU, (uint64_t)0x1b710b35131c471bU, - (uint64_t)0x28db77f523047d84U, (uint64_t)0x32caab7b40c72493U, (uint64_t)0x3c9ebe0a15c9bebcU, - (uint64_t)0x431d67c49c100d4cU, (uint64_t)0x4cc5d4becb3e42b6U, (uint64_t)0x597f299cfc657e2aU, - (uint64_t)0x5fcb6fab3ad6faecU, (uint64_t)0x6c44198c4a475817U - }; - -#if defined(__cplusplus) -} -#endif - -#define __Hacl_SHA2_Generic_H_DEFINED -#endif diff --git a/Modules/_hacl/Hacl_SHA2_Types.h b/Modules/_hacl/Hacl_SHA2_Types.h deleted file mode 100644 index ef78be8f07b69d..00000000000000 --- a/Modules/_hacl/Hacl_SHA2_Types.h +++ /dev/null @@ -1,47 +0,0 @@ -/* MIT License - * - * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - - -#ifndef __Hacl_SHA2_Types_H -#define __Hacl_SHA2_Types_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - - - - -typedef uint8_t *Hacl_Impl_SHA2_Types_uint8_1p; - -#if defined(__cplusplus) -} -#endif - -#define __Hacl_SHA2_Types_H_DEFINED -#endif diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.c b/Modules/_hacl/Hacl_Streaming_SHA2.c index 1eebc43ee17fa9..002c0c3caab1b7 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.c +++ b/Modules/_hacl/Hacl_Streaming_SHA2.c @@ -24,7 +24,43 @@ #include "Hacl_Streaming_SHA2.h" -#include "internal/Hacl_SHA2_Types.h" +static const +uint32_t +Hacl_Impl_SHA2_Generic_h224[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_h256[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224() { @@ -32,7 +68,6 @@ Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224() uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); Hacl_Streaming_SHA2_state_sha2_224 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); Hacl_Streaming_SHA2_state_sha2_224 *p = (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( @@ -243,14 +278,12 @@ void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8 memcpy(last + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); uint8_t *last00 = last; uint8_t *last10 = last + (uint32_t)64U; - Hacl_Impl_SHA2_Types_uint8_2p scrut0 = { .fst = last00, .snd = last10 }; - uint8_t *l0 = scrut0.fst; - uint8_t *l1 = scrut0.snd; + uint8_t *l0 = last00; + uint8_t *l1 = last10; uint8_t *lb0 = l0; uint8_t *lb1 = l1; - Hacl_Impl_SHA2_Types_uint8_2p scrut1 = { .fst = lb0, .snd = lb1 }; - uint8_t *last0 = scrut1.fst; - uint8_t *last1 = scrut1.snd; + uint8_t *last0 = lb0; + uint8_t *last1 = lb1; uint32_t hash_old[8U] = { 0U }; uint32_t ws0[16U] = { 0U }; memcpy(hash_old, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); @@ -511,7 +544,6 @@ Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256() uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); Hacl_Streaming_SHA2_state_sha2_224 s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - KRML_CHECK_SIZE(sizeof (Hacl_Streaming_SHA2_state_sha2_224), (uint32_t)1U); Hacl_Streaming_SHA2_state_sha2_224 *p = (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( @@ -1388,14 +1420,12 @@ void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8 memcpy(last + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); uint8_t *last00 = last; uint8_t *last10 = last + (uint32_t)64U; - Hacl_Impl_SHA2_Types_uint8_2p scrut0 = { .fst = last00, .snd = last10 }; - uint8_t *l0 = scrut0.fst; - uint8_t *l1 = scrut0.snd; + uint8_t *l0 = last00; + uint8_t *l1 = last10; uint8_t *lb0 = l0; uint8_t *lb1 = l1; - Hacl_Impl_SHA2_Types_uint8_2p scrut1 = { .fst = lb0, .snd = lb1 }; - uint8_t *last0 = scrut1.fst; - uint8_t *last1 = scrut1.snd; + uint8_t *last0 = lb0; + uint8_t *last1 = lb1; uint32_t hash_old[8U] = { 0U }; uint32_t ws0[16U] = { 0U }; memcpy(hash_old, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.h b/Modules/_hacl/Hacl_Streaming_SHA2.h index ff9243d8b2c3ec..2b182afe7a523c 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.h +++ b/Modules/_hacl/Hacl_Streaming_SHA2.h @@ -35,9 +35,6 @@ extern "C" { #include "krml/internal/target.h" -#include "Hacl_SHA2_Generic.h" -#include "Hacl_Krmllib.h" - typedef struct Hacl_Streaming_SHA2_state_sha2_224_s { uint32_t *block_state; diff --git a/Modules/_hacl/include/krml/internal/builtin.h b/Modules/_hacl/include/krml/internal/builtin.h deleted file mode 100644 index 53ea9040c0b0fd..00000000000000 --- a/Modules/_hacl/include/krml/internal/builtin.h +++ /dev/null @@ -1,16 +0,0 @@ -/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ - -#ifndef __KRML_BUILTIN_H -#define __KRML_BUILTIN_H - -/* For alloca, when using KaRaMeL's -falloca */ -#if (defined(_WIN32) || defined(_WIN64)) -# include -#endif - -/* If some globals need to be initialized before the main, then karamel will - * generate and try to link last a function with this type: */ -void krmlinit_globals(void); - -#endif diff --git a/Modules/_hacl/include/krml/internal/callconv.h b/Modules/_hacl/include/krml/internal/callconv.h deleted file mode 100644 index 11ca0e9ef5f6b9..00000000000000 --- a/Modules/_hacl/include/krml/internal/callconv.h +++ /dev/null @@ -1,46 +0,0 @@ -/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ - -#ifndef __KRML_CALLCONV_H -#define __KRML_CALLCONV_H - -/******************************************************************************/ -/* Some macros to ease compatibility */ -/******************************************************************************/ - -/* We want to generate __cdecl safely without worrying about it being undefined. - * When using MSVC, these are always defined. When using MinGW, these are - * defined too. They have no meaning for other platforms, so we define them to - * be empty macros in other situations. */ -#ifndef _MSC_VER -#ifndef __cdecl -#define __cdecl -#endif -#ifndef __stdcall -#define __stdcall -#endif -#ifndef __fastcall -#define __fastcall -#endif -#endif - -/* Since KaRaMeL emits the inline keyword unconditionally, we follow the - * guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this - * __inline__ to ensure the code compiles with -std=c90 and earlier. */ -#ifdef __GNUC__ -# define inline __inline__ -#endif - -/* GCC-specific attribute syntax; everyone else gets the standard C inline - * attribute. */ -#ifdef __GNU_C__ -# ifndef __clang__ -# define force_inline inline __attribute__((always_inline)) -# else -# define force_inline inline -# endif -#else -# define force_inline inline -#endif - -#endif diff --git a/Modules/_hacl/include/krml/internal/target.h b/Modules/_hacl/include/krml/internal/target.h index 6685c989ffe3e3..7fad802e6cb0f0 100644 --- a/Modules/_hacl/include/krml/internal/target.h +++ b/Modules/_hacl/include/krml/internal/target.h @@ -10,29 +10,17 @@ #include #include -#include "krml/internal/callconv.h" +/* Since KaRaMeL emits the inline keyword unconditionally, we follow the + * guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this + * __inline__ to ensure the code compiles with -std=c90 and earlier. */ +#ifdef __GNUC__ +# define inline __inline__ +#endif /******************************************************************************/ /* Macros that KaRaMeL will generate. */ /******************************************************************************/ -/* For "bare" targets that do not have a C stdlib, the user might want to use - * [-add-early-include '"mydefinitions.h"'] and override these. */ -#ifndef KRML_HOST_PRINTF -# define KRML_HOST_PRINTF printf -#endif - -#if ( \ - (defined __STDC_VERSION__) && (__STDC_VERSION__ >= 199901L) && \ - (!(defined KRML_HOST_EPRINTF))) -# define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__) -#elif !(defined KRML_HOST_EPRINTF) && defined(_MSC_VER) -# define KRML_HOST_EPRINTF(...) fprintf(stderr, __VA_ARGS__) -#endif - -#ifndef KRML_HOST_EXIT -# define KRML_HOST_EXIT exit -#endif #ifndef KRML_HOST_MALLOC # define KRML_HOST_MALLOC malloc @@ -46,70 +34,6 @@ # define KRML_HOST_FREE free #endif -#ifndef KRML_HOST_TIME - -# include - -/* Prims_nat not yet in scope */ -inline static int32_t krml_time() { - return (int32_t)time(NULL); -} - -# define KRML_HOST_TIME krml_time -#endif - -/* In statement position, exiting is easy. */ -#define KRML_EXIT \ - do { \ - KRML_HOST_PRINTF("Unimplemented function at %s:%d\n", __FILE__, __LINE__); \ - KRML_HOST_EXIT(254); \ - } while (0) - -/* In expression position, use the comma-operator and a malloc to return an - * expression of the right size. KaRaMeL passes t as the parameter to the macro. - */ -#define KRML_EABORT(t, msg) \ - (KRML_HOST_PRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, msg), \ - KRML_HOST_EXIT(255), *((t *)KRML_HOST_MALLOC(sizeof(t)))) - -/* In FStar.Buffer.fst, the size of arrays is uint32_t, but it's a number of - * *elements*. Do an ugly, run-time check (some of which KaRaMeL can eliminate). - */ - -#ifdef __GNUC__ -# define _KRML_CHECK_SIZE_PRAGMA \ - _Pragma("GCC diagnostic ignored \"-Wtype-limits\"") -#else -# define _KRML_CHECK_SIZE_PRAGMA -#endif - -#define KRML_CHECK_SIZE(size_elt, sz) \ - do { \ - _KRML_CHECK_SIZE_PRAGMA \ - if (((size_t)(sz)) > ((size_t)(SIZE_MAX / (size_elt)))) { \ - KRML_HOST_PRINTF( \ - "Maximum allocatable size exceeded, aborting before overflow at " \ - "%s:%d\n", \ - __FILE__, __LINE__); \ - KRML_HOST_EXIT(253); \ - } \ - } while (0) - -#if defined(_MSC_VER) && _MSC_VER < 1900 -# define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) -#else -# define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) snprintf(buf, sz, fmt, arg) -#endif - -#if defined(__GNUC__) && __GNUC__ >= 4 && __GNUC_MINOR__ > 4 -# define KRML_DEPRECATED(x) __attribute__((deprecated(x))) -#elif defined(__GNUC__) -/* deprecated attribute is not defined in GCC < 4.5. */ -# define KRML_DEPRECATED(x) -#elif defined(_MSC_VER) -# define KRML_DEPRECATED(x) __declspec(deprecated(x)) -#endif - /* Macros for prettier unrolling of loops */ #define KRML_LOOP1(i, n, x) { \ x \ diff --git a/Modules/_hacl/include/krml/internal/types.h b/Modules/_hacl/include/krml/internal/types.h index ac9ba7d012fe5d..2fbea6ca175893 100644 --- a/Modules/_hacl/include/krml/internal/types.h +++ b/Modules/_hacl/include/krml/internal/types.h @@ -9,24 +9,6 @@ #include #include -/* Types which are either abstract, meaning that have to be implemented in C, or - * which are models, meaning that they are swapped out at compile-time for - * hand-written C types (in which case they're marked as noextract). */ - -typedef uint64_t FStar_UInt64_t, FStar_UInt64_t_; -typedef int64_t FStar_Int64_t, FStar_Int64_t_; -typedef uint32_t FStar_UInt32_t, FStar_UInt32_t_; -typedef int32_t FStar_Int32_t, FStar_Int32_t_; -typedef uint16_t FStar_UInt16_t, FStar_UInt16_t_; -typedef int16_t FStar_Int16_t, FStar_Int16_t_; -typedef uint8_t FStar_UInt8_t, FStar_UInt8_t_; -typedef int8_t FStar_Int8_t, FStar_Int8_t_; - -/* Only useful when building krmllib, because it's in the dependency graph of - * FStar.Int.Cast. */ -typedef uint64_t FStar_UInt63_t, FStar_UInt63_t_; -typedef int64_t FStar_Int63_t, FStar_Int63_t_; - #if (defined(_MSC_VER) && defined(_M_X64) && !defined(__clang__)) #define IS_MSVC64 1 #endif @@ -79,7 +61,6 @@ typedef FStar_UInt128_uint128 FStar_UInt128_t, uint128_t; #include "fstar_uint128_gcc64.h" #else #include "FStar_UInt128_Verified.h" -#include "fstar_uint128_struct_endianness.h" #endif #endif diff --git a/Modules/_hacl/internal/Hacl_Hash_SHA2.h b/Modules/_hacl/internal/Hacl_Hash_SHA2.h deleted file mode 100644 index fd4746e638694b..00000000000000 --- a/Modules/_hacl/internal/Hacl_Hash_SHA2.h +++ /dev/null @@ -1,67 +0,0 @@ -/* MIT License - * - * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - - -#ifndef __internal_Hacl_Hash_SHA2_H -#define __internal_Hacl_Hash_SHA2_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - - -#include "../Hacl_Hash_SHA2.h" - -void Hacl_Hash_Core_SHA2_init_224(uint32_t *s); - -void Hacl_Hash_Core_SHA2_init_256(uint32_t *s); - -void Hacl_Hash_Core_SHA2_init_384(uint64_t *s); - -void Hacl_Hash_Core_SHA2_init_512(uint64_t *s); - -void Hacl_Hash_Core_SHA2_update_384(uint64_t *hash, uint8_t *block); - -void Hacl_Hash_Core_SHA2_update_512(uint64_t *hash, uint8_t *block); - -void Hacl_Hash_Core_SHA2_pad_256(uint64_t len, uint8_t *dst); - -void Hacl_Hash_Core_SHA2_finish_224(uint32_t *s, uint8_t *dst); - -void Hacl_Hash_Core_SHA2_finish_256(uint32_t *s, uint8_t *dst); - -void Hacl_Hash_Core_SHA2_finish_384(uint64_t *s, uint8_t *dst); - -void Hacl_Hash_Core_SHA2_finish_512(uint64_t *s, uint8_t *dst); - -#if defined(__cplusplus) -} -#endif - -#define __internal_Hacl_Hash_SHA2_H_DEFINED -#endif diff --git a/Modules/_hacl/internal/Hacl_Krmllib.h b/Modules/_hacl/internal/Hacl_Krmllib.h deleted file mode 100644 index 2a40f074eaf3f5..00000000000000 --- a/Modules/_hacl/internal/Hacl_Krmllib.h +++ /dev/null @@ -1,46 +0,0 @@ -/* MIT License - * - * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - - -#ifndef __internal_Hacl_Krmllib_H -#define __internal_Hacl_Krmllib_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - - -#include "../Hacl_Krmllib.h" -uint32_t LowStar_Vector_new_capacity(uint32_t cap); - -#if defined(__cplusplus) -} -#endif - -#define __internal_Hacl_Krmllib_H_DEFINED -#endif diff --git a/Modules/_hacl/internal/Hacl_SHA2_Types.h b/Modules/_hacl/internal/Hacl_SHA2_Types.h deleted file mode 100644 index 3e62e3fd30d478..00000000000000 --- a/Modules/_hacl/internal/Hacl_SHA2_Types.h +++ /dev/null @@ -1,108 +0,0 @@ -/* MIT License - * - * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - - -#ifndef __internal_Hacl_SHA2_Types_H -#define __internal_Hacl_SHA2_Types_H - -#if defined(__cplusplus) -extern "C" { -#endif - -#include -#include "krml/internal/types.h" -#include "krml/lowstar_endianness.h" -#include "krml/internal/target.h" - - -#include "../Hacl_SHA2_Types.h" - -typedef struct Hacl_Impl_SHA2_Types_uint8_2p_s -{ - uint8_t *fst; - uint8_t *snd; -} -Hacl_Impl_SHA2_Types_uint8_2p; - -typedef struct Hacl_Impl_SHA2_Types_uint8_3p_s -{ - uint8_t *fst; - Hacl_Impl_SHA2_Types_uint8_2p snd; -} -Hacl_Impl_SHA2_Types_uint8_3p; - -typedef struct Hacl_Impl_SHA2_Types_uint8_4p_s -{ - uint8_t *fst; - Hacl_Impl_SHA2_Types_uint8_3p snd; -} -Hacl_Impl_SHA2_Types_uint8_4p; - -typedef struct Hacl_Impl_SHA2_Types_uint8_5p_s -{ - uint8_t *fst; - Hacl_Impl_SHA2_Types_uint8_4p snd; -} -Hacl_Impl_SHA2_Types_uint8_5p; - -typedef struct Hacl_Impl_SHA2_Types_uint8_6p_s -{ - uint8_t *fst; - Hacl_Impl_SHA2_Types_uint8_5p snd; -} -Hacl_Impl_SHA2_Types_uint8_6p; - -typedef struct Hacl_Impl_SHA2_Types_uint8_7p_s -{ - uint8_t *fst; - Hacl_Impl_SHA2_Types_uint8_6p snd; -} -Hacl_Impl_SHA2_Types_uint8_7p; - -typedef struct Hacl_Impl_SHA2_Types_uint8_8p_s -{ - uint8_t *fst; - Hacl_Impl_SHA2_Types_uint8_7p snd; -} -Hacl_Impl_SHA2_Types_uint8_8p; - -typedef struct Hacl_Impl_SHA2_Types_uint8_2x4p_s -{ - Hacl_Impl_SHA2_Types_uint8_4p fst; - Hacl_Impl_SHA2_Types_uint8_4p snd; -} -Hacl_Impl_SHA2_Types_uint8_2x4p; - -typedef struct Hacl_Impl_SHA2_Types_uint8_2x8p_s -{ - Hacl_Impl_SHA2_Types_uint8_8p fst; - Hacl_Impl_SHA2_Types_uint8_8p snd; -} -Hacl_Impl_SHA2_Types_uint8_2x8p; - -#if defined(__cplusplus) -} -#endif - -#define __internal_Hacl_SHA2_Types_H_DEFINED -#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128.h b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128.h deleted file mode 100644 index 40a9b5399bd614..00000000000000 --- a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128.h +++ /dev/null @@ -1,79 +0,0 @@ -/* - Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. -*/ - - -#ifndef __FStar_UInt128_H -#define __FStar_UInt128_H - - - - -#include -#include -#include "krml/lowstar_endianness.h" -#include "krml/internal/types.h" -#include "krml/internal/target.h" -static inline FStar_UInt128_uint128 -FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a); - -static inline FStar_UInt128_uint128 -FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s); - -static inline FStar_UInt128_uint128 -FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s); - -static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 -FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); - -static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a); - -static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a); - -static inline FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y); - -static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y); - - -#define __FStar_UInt128_H_DEFINED -#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h index be0e6225bc725b..567aebecb5c634 100644 --- a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h +++ b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h @@ -7,13 +7,12 @@ #ifndef __FStar_UInt128_Verified_H #define __FStar_UInt128_Verified_H - - #include "FStar_UInt_8_16_32_64.h" #include #include #include "krml/internal/types.h" #include "krml/internal/target.h" + static inline uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b) { return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U; @@ -343,5 +342,66 @@ static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t } +/* Hand-written implementation of endianness-related uint128 functions + * for the extracted uint128 implementation */ + +/* Access 64-bit fields within the int128. */ +#define HIGH64_OF(x) ((x)->high) +#define LOW64_OF(x) ((x)->low) + +/* A series of definitions written using pointers. */ + +inline static void load128_le_(uint8_t *b, uint128_t *r) { + LOW64_OF(r) = load64_le(b); + HIGH64_OF(r) = load64_le(b + 8); +} + +inline static void store128_le_(uint8_t *b, uint128_t *n) { + store64_le(b, LOW64_OF(n)); + store64_le(b + 8, HIGH64_OF(n)); +} + +inline static void load128_be_(uint8_t *b, uint128_t *r) { + HIGH64_OF(r) = load64_be(b); + LOW64_OF(r) = load64_be(b + 8); +} + +inline static void store128_be_(uint8_t *b, uint128_t *n) { + store64_be(b, HIGH64_OF(n)); + store64_be(b + 8, LOW64_OF(n)); +} + +#ifndef KRML_NOSTRUCT_PASSING + +inline static uint128_t load128_le(uint8_t *b) { + uint128_t r; + load128_le_(b, &r); + return r; +} + +inline static void store128_le(uint8_t *b, uint128_t n) { + store128_le_(b, &n); +} + +inline static uint128_t load128_be(uint8_t *b) { + uint128_t r; + load128_be_(b, &r); + return r; +} + +inline static void store128_be(uint8_t *b, uint128_t n) { + store128_be_(b, &n); +} + +#else /* !defined(KRML_STRUCT_PASSING) */ + +# define print128 print128_ +# define load128_le load128_le_ +# define store128_le store128_le_ +# define load128_be load128_be_ +# define store128_be store128_be_ + +#endif /* KRML_STRUCT_PASSING */ + #define __FStar_UInt128_Verified_H_DEFINED #endif diff --git a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h index a76301f1840acf..c58da1b37c204e 100644 --- a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h +++ b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h @@ -7,9 +7,6 @@ #ifndef __FStar_UInt_8_16_32_64_H #define __FStar_UInt_8_16_32_64_H - - - #include #include #include "krml/lowstar_endianness.h" diff --git a/Modules/_hacl/krmllib/dist/minimal/LowStar_Endianness.h b/Modules/_hacl/krmllib/dist/minimal/LowStar_Endianness.h deleted file mode 100644 index cac1d21ec0c1ec..00000000000000 --- a/Modules/_hacl/krmllib/dist/minimal/LowStar_Endianness.h +++ /dev/null @@ -1,28 +0,0 @@ -/* - Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. -*/ - - -#ifndef __LowStar_Endianness_H -#define __LowStar_Endianness_H - - - -#include "FStar_UInt128.h" -#include -#include -#include "krml/lowstar_endianness.h" -#include "krml/internal/types.h" -#include "krml/internal/target.h" -static inline void store128_le(uint8_t *x0, FStar_UInt128_uint128 x1); - -static inline FStar_UInt128_uint128 load128_le(uint8_t *x0); - -static inline void store128_be(uint8_t *x0, FStar_UInt128_uint128 x1); - -static inline FStar_UInt128_uint128 load128_be(uint8_t *x0); - - -#define __LowStar_Endianness_H_DEFINED -#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h index e40304b25b40f9..d86aae2706c8a5 100644 --- a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h +++ b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h @@ -23,9 +23,7 @@ #ifndef FSTAR_UINT128_GCC64 #define FSTAR_UINT128_GCC64 -#include "FStar_UInt128.h" #include "FStar_UInt_8_16_32_64.h" -#include "LowStar_Endianness.h" /* GCC + using native unsigned __int128 support */ diff --git a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h index cd1448ddb6588b..10eb74dcc7f487 100644 --- a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h +++ b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h @@ -12,7 +12,6 @@ #define FSTAR_UINT128_MSVC #include "krml/internal/types.h" -#include "FStar_UInt128.h" #include "FStar_UInt_8_16_32_64.h" #ifndef _MSC_VER diff --git a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_struct_endianness.h b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_struct_endianness.h deleted file mode 100644 index e2b6d62859a5f1..00000000000000 --- a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_struct_endianness.h +++ /dev/null @@ -1,68 +0,0 @@ -/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ - -#ifndef FSTAR_UINT128_STRUCT_ENDIANNESS_H -#define FSTAR_UINT128_STRUCT_ENDIANNESS_H - -/* Hand-written implementation of endianness-related uint128 functions - * for the extracted uint128 implementation */ - -/* Access 64-bit fields within the int128. */ -#define HIGH64_OF(x) ((x)->high) -#define LOW64_OF(x) ((x)->low) - -/* A series of definitions written using pointers. */ - -inline static void load128_le_(uint8_t *b, uint128_t *r) { - LOW64_OF(r) = load64_le(b); - HIGH64_OF(r) = load64_le(b + 8); -} - -inline static void store128_le_(uint8_t *b, uint128_t *n) { - store64_le(b, LOW64_OF(n)); - store64_le(b + 8, HIGH64_OF(n)); -} - -inline static void load128_be_(uint8_t *b, uint128_t *r) { - HIGH64_OF(r) = load64_be(b); - LOW64_OF(r) = load64_be(b + 8); -} - -inline static void store128_be_(uint8_t *b, uint128_t *n) { - store64_be(b, HIGH64_OF(n)); - store64_be(b + 8, LOW64_OF(n)); -} - -#ifndef KRML_NOSTRUCT_PASSING - -inline static uint128_t load128_le(uint8_t *b) { - uint128_t r; - load128_le_(b, &r); - return r; -} - -inline static void store128_le(uint8_t *b, uint128_t n) { - store128_le_(b, &n); -} - -inline static uint128_t load128_be(uint8_t *b) { - uint128_t r; - load128_be_(b, &r); - return r; -} - -inline static void store128_be(uint8_t *b, uint128_t n) { - store128_be_(b, &n); -} - -#else /* !defined(KRML_STRUCT_PASSING) */ - -# define print128 print128_ -# define load128_le load128_le_ -# define store128_le store128_le_ -# define load128_be load128_be_ -# define store128_be store128_be_ - -#endif /* KRML_STRUCT_PASSING */ - -#endif From 621ef0dd112e61cbdc5c73a00c31f4b4128d51a6 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Mon, 7 Nov 2022 09:31:34 -0800 Subject: [PATCH 07/33] Wrong direction for error checking --- Modules/_hacl/sha256module.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/_hacl/sha256module.c b/Modules/_hacl/sha256module.c index 365e474db6af75..b7e262348bc50f 100644 --- a/Modules/_hacl/sha256module.c +++ b/Modules/_hacl/sha256module.c @@ -196,7 +196,7 @@ SHA256Type_update(SHAobject *self, PyObject *obj) GET_BUFFER_VIEW_OR_ERROUT(obj, &buf); - if (!Hacl_Streaming_SHA2_update_256(self->state, buf.buf, buf.len)) + if (Hacl_Streaming_SHA2_update_256(self->state, buf.buf, buf.len) != 0) PyErr_SetString(PyExc_RuntimeError, "maximum hashing length exceeded"); PyBuffer_Release(&buf); @@ -311,7 +311,7 @@ _sha256_sha256_impl(PyObject *module, PyObject *string, int usedforsecurity) return NULL; } if (string) { - if (!Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len)) + if (Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len) != 0) PyErr_SetString(PyExc_RuntimeError, "maximum hashing length exceeded"); PyBuffer_Release(&buf); } @@ -358,7 +358,7 @@ _sha256_sha224_impl(PyObject *module, PyObject *string, int usedforsecurity) return NULL; } if (string) { - if (!Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len)) + if (Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len) != 0) PyErr_SetString(PyExc_RuntimeError, "maximum hashing length exceeded"); PyBuffer_Release(&buf); } From 81cac0f7f0cd178449f8fd065abfc97625e99d3b Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Mon, 7 Nov 2022 09:42:34 -0800 Subject: [PATCH 08/33] Remove another four files --- Modules/Setup.stdlib.in | 2 +- Modules/_hacl/Hacl_Streaming_SHA2.h | 1 - .../krml}/FStar_UInt_8_16_32_64.h | 0 Modules/_hacl/include/krml/internal/types.h | 66 --- .../dist/minimal/FStar_UInt128_Verified.h | 407 -------------- .../dist/minimal/fstar_uint128_gcc64.h | 163 ------ .../krmllib/dist/minimal/fstar_uint128_msvc.h | 509 ------------------ 7 files changed, 1 insertion(+), 1147 deletions(-) rename Modules/_hacl/{krmllib/dist/minimal => include/krml}/FStar_UInt_8_16_32_64.h (100%) delete mode 100644 Modules/_hacl/include/krml/internal/types.h delete mode 100644 Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h delete mode 100644 Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h delete mode 100644 Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h diff --git a/Modules/Setup.stdlib.in b/Modules/Setup.stdlib.in index cc11a07b097427..b8139751e5c2dc 100644 --- a/Modules/Setup.stdlib.in +++ b/Modules/Setup.stdlib.in @@ -78,7 +78,7 @@ # hashing builtins, can be disabled with --without-builtin-hashlib-hashes @MODULE__MD5_TRUE@_md5 md5module.c @MODULE__SHA1_TRUE@_sha1 sha1module.c -@MODULE__SHA256_TRUE@_sha256 _hacl/sha256module.c _hacl/Hacl_Streaming_SHA2.c -I$(srcdir)/Modules/_hacl/include -I$(srcdir)/Modules/_hacl/internal -I$(srcdir)/Modules/_hacl/krmllib/dist/minimal +@MODULE__SHA256_TRUE@_sha256 _hacl/sha256module.c _hacl/Hacl_Streaming_SHA2.c -I$(srcdir)/Modules/_hacl/include -I$(srcdir)/Modules/_hacl/internal -I$(srcdir)/Modules/_hacl/krmllib/dist/minimal -DKRML_VERIFIED_UINT128 @MODULE__SHA512_TRUE@_sha512 sha512module.c @MODULE__SHA3_TRUE@_sha3 _sha3/sha3module.c @MODULE__BLAKE2_TRUE@_blake2 _blake2/blake2module.c _blake2/blake2b_impl.c _blake2/blake2s_impl.c diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.h b/Modules/_hacl/Hacl_Streaming_SHA2.h index 2b182afe7a523c..189bb10d034d28 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.h +++ b/Modules/_hacl/Hacl_Streaming_SHA2.h @@ -30,7 +30,6 @@ extern "C" { #endif #include -#include "krml/internal/types.h" #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" diff --git a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h b/Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h similarity index 100% rename from Modules/_hacl/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h rename to Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h diff --git a/Modules/_hacl/include/krml/internal/types.h b/Modules/_hacl/include/krml/internal/types.h deleted file mode 100644 index 2fbea6ca175893..00000000000000 --- a/Modules/_hacl/include/krml/internal/types.h +++ /dev/null @@ -1,66 +0,0 @@ -/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ - -#ifndef KRML_TYPES_H -#define KRML_TYPES_H - -#include -#include -#include -#include - -#if (defined(_MSC_VER) && defined(_M_X64) && !defined(__clang__)) -#define IS_MSVC64 1 -#endif - -/* This code makes a number of assumptions and should be refined. In particular, - * it assumes that: any non-MSVC amd64 compiler supports int128. Maybe it would - * be easier to just test for defined(__SIZEOF_INT128__) only? */ -#if (defined(__x86_64__) || \ - defined(__x86_64) || \ - defined(__aarch64__) || \ - (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \ - defined(__s390x__) || \ - (defined(_MSC_VER) && defined(_M_X64) && defined(__clang__)) || \ - (defined(__mips__) && defined(__LP64__)) || \ - (defined(__riscv) && __riscv_xlen == 64) || \ - defined(__SIZEOF_INT128__)) -#define HAS_INT128 1 -#endif - -/* The uint128 type is a special case since we offer several implementations of - * it, depending on the compiler and whether the user wants the verified - * implementation or not. */ -#if !defined(KRML_VERIFIED_UINT128) && defined(IS_MSVC64) -# include -typedef __m128i FStar_UInt128_uint128; -#elif !defined(KRML_VERIFIED_UINT128) && defined(HAS_INT128) -typedef unsigned __int128 FStar_UInt128_uint128; -#else -typedef struct FStar_UInt128_uint128_s { - uint64_t low; - uint64_t high; -} FStar_UInt128_uint128; -#endif - -/* The former is defined once, here (otherwise, conflicts for test-c89. The - * latter is for internal use. */ -typedef FStar_UInt128_uint128 FStar_UInt128_t, uint128_t; - -#include "krml/lowstar_endianness.h" - -#endif - -/* Avoid a circular loop: if this header is included via FStar_UInt8_16_32_64, - * then don't bring the uint128 definitions into scope. */ -#ifndef __FStar_UInt_8_16_32_64_H - -#if !defined(KRML_VERIFIED_UINT128) && defined(IS_MSVC64) -#include "fstar_uint128_msvc.h" -#elif !defined(KRML_VERIFIED_UINT128) && defined(HAS_INT128) -#include "fstar_uint128_gcc64.h" -#else -#include "FStar_UInt128_Verified.h" -#endif - -#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h b/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h deleted file mode 100644 index 567aebecb5c634..00000000000000 --- a/Modules/_hacl/krmllib/dist/minimal/FStar_UInt128_Verified.h +++ /dev/null @@ -1,407 +0,0 @@ -/* - Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. -*/ - - -#ifndef __FStar_UInt128_Verified_H -#define __FStar_UInt128_Verified_H - -#include "FStar_UInt_8_16_32_64.h" -#include -#include -#include "krml/internal/types.h" -#include "krml/internal/target.h" - -static inline uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b) -{ - return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U; -} - -static inline uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b) -{ - return FStar_UInt128_constant_time_carry(a, b); -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = a.low + b.low; - lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = a.low + b.low; - lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = a.low + b.low; - lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = a.low - b.low; - lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = a.low - b.low; - lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = a.low - b.low; - lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - return FStar_UInt128_sub_mod_impl(a, b); -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = a.low & b.low; - lit.high = a.high & b.high; - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = a.low ^ b.low; - lit.high = a.high ^ b.high; - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = a.low | b.low; - lit.high = a.high | b.high; - return lit; -} - -static inline FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a) -{ - FStar_UInt128_uint128 lit; - lit.low = ~a.low; - lit.high = ~a.high; - return lit; -} - -static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U; - -static inline uint64_t FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s) -{ - return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s)); -} - -static inline uint64_t -FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s) -{ - return FStar_UInt128_add_u64_shift_left(hi, lo, s); -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s) -{ - if (s == (uint32_t)0U) - { - return a; - } - else - { - FStar_UInt128_uint128 lit; - lit.low = a.low << s; - lit.high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s); - return lit; - } -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) -{ - FStar_UInt128_uint128 lit; - lit.low = (uint64_t)0U; - lit.high = a.low << (s - FStar_UInt128_u32_64); - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s) -{ - if (s < FStar_UInt128_u32_64) - { - return FStar_UInt128_shift_left_small(a, s); - } - else - { - return FStar_UInt128_shift_left_large(a, s); - } -} - -static inline uint64_t FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s) -{ - return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s)); -} - -static inline uint64_t -FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s) -{ - return FStar_UInt128_add_u64_shift_right(hi, lo, s); -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) -{ - if (s == (uint32_t)0U) - { - return a; - } - else - { - FStar_UInt128_uint128 lit; - lit.low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s); - lit.high = a.high >> s; - return lit; - } -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) -{ - FStar_UInt128_uint128 lit; - lit.low = a.high >> (s - FStar_UInt128_u32_64); - lit.high = (uint64_t)0U; - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s) -{ - if (s < FStar_UInt128_u32_64) - { - return FStar_UInt128_shift_right_small(a, s); - } - else - { - return FStar_UInt128_shift_right_large(a, s); - } -} - -static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - return a.low == b.low && a.high == b.high; -} - -static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - return a.high > b.high || (a.high == b.high && a.low > b.low); -} - -static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - return a.high < b.high || (a.high == b.high && a.low < b.low); -} - -static inline bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - return a.high > b.high || (a.high == b.high && a.low >= b.low); -} - -static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - return a.high < b.high || (a.high == b.high && a.low <= b.low); -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); - lit.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); - return lit; -} - -static inline FStar_UInt128_uint128 -FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) -{ - FStar_UInt128_uint128 lit; - lit.low = - (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) - | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)); - lit.high = - (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) - | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)); - return lit; -} - -static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a) -{ - FStar_UInt128_uint128 lit; - lit.low = a; - lit.high = (uint64_t)0U; - return lit; -} - -static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a) -{ - return a.low; -} - -static inline uint64_t FStar_UInt128_u64_mod_32(uint64_t a) -{ - return a & (uint64_t)0xffffffffU; -} - -static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U; - -static inline uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo) -{ - return lo + (hi << FStar_UInt128_u32_32); -} - -static inline FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y) -{ - FStar_UInt128_uint128 lit; - lit.low = - FStar_UInt128_u32_combine((x >> FStar_UInt128_u32_32) - * (uint64_t)y - + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32), - FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)); - lit.high = - ((x >> FStar_UInt128_u32_32) - * (uint64_t)y - + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32)) - >> FStar_UInt128_u32_32; - return lit; -} - -static inline uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo) -{ - return lo + (hi << FStar_UInt128_u32_32); -} - -static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y) -{ - FStar_UInt128_uint128 lit; - lit.low = - FStar_UInt128_u32_combine_(FStar_UInt128_u64_mod_32(x) - * (y >> FStar_UInt128_u32_32) - + - FStar_UInt128_u64_mod_32((x >> FStar_UInt128_u32_32) - * FStar_UInt128_u64_mod_32(y) - + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)), - FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y))); - lit.high = - (x >> FStar_UInt128_u32_32) - * (y >> FStar_UInt128_u32_32) - + - (((x >> FStar_UInt128_u32_32) - * FStar_UInt128_u64_mod_32(y) - + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)) - >> FStar_UInt128_u32_32) - + - ((FStar_UInt128_u64_mod_32(x) - * (y >> FStar_UInt128_u32_32) - + - FStar_UInt128_u64_mod_32((x >> FStar_UInt128_u32_32) - * FStar_UInt128_u64_mod_32(y) - + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32))) - >> FStar_UInt128_u32_32); - return lit; -} - - -/* Hand-written implementation of endianness-related uint128 functions - * for the extracted uint128 implementation */ - -/* Access 64-bit fields within the int128. */ -#define HIGH64_OF(x) ((x)->high) -#define LOW64_OF(x) ((x)->low) - -/* A series of definitions written using pointers. */ - -inline static void load128_le_(uint8_t *b, uint128_t *r) { - LOW64_OF(r) = load64_le(b); - HIGH64_OF(r) = load64_le(b + 8); -} - -inline static void store128_le_(uint8_t *b, uint128_t *n) { - store64_le(b, LOW64_OF(n)); - store64_le(b + 8, HIGH64_OF(n)); -} - -inline static void load128_be_(uint8_t *b, uint128_t *r) { - HIGH64_OF(r) = load64_be(b); - LOW64_OF(r) = load64_be(b + 8); -} - -inline static void store128_be_(uint8_t *b, uint128_t *n) { - store64_be(b, HIGH64_OF(n)); - store64_be(b + 8, LOW64_OF(n)); -} - -#ifndef KRML_NOSTRUCT_PASSING - -inline static uint128_t load128_le(uint8_t *b) { - uint128_t r; - load128_le_(b, &r); - return r; -} - -inline static void store128_le(uint8_t *b, uint128_t n) { - store128_le_(b, &n); -} - -inline static uint128_t load128_be(uint8_t *b) { - uint128_t r; - load128_be_(b, &r); - return r; -} - -inline static void store128_be(uint8_t *b, uint128_t n) { - store128_be_(b, &n); -} - -#else /* !defined(KRML_STRUCT_PASSING) */ - -# define print128 print128_ -# define load128_le load128_le_ -# define store128_le store128_le_ -# define load128_be load128_be_ -# define store128_be store128_be_ - -#endif /* KRML_STRUCT_PASSING */ - -#define __FStar_UInt128_Verified_H_DEFINED -#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h deleted file mode 100644 index d86aae2706c8a5..00000000000000 --- a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_gcc64.h +++ /dev/null @@ -1,163 +0,0 @@ -/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ - -/******************************************************************************/ -/* Machine integers (128-bit arithmetic) */ -/******************************************************************************/ - -/* This header contains two things. - * - * First, an implementation of 128-bit arithmetic suitable for 64-bit GCC and - * Clang, i.e. all the operations from FStar.UInt128. - * - * Second, 128-bit operations from C.Endianness (or LowStar.Endianness), - * suitable for any compiler and platform (via a series of ifdefs). This second - * part is unfortunate, and should be fixed by moving {load,store}128_{be,le} to - * FStar.UInt128 to avoid a maze of preprocessor guards and hand-written code. - * */ - -/* This file is used for both the minimal and generic krmllib distributions. As - * such, it assumes that the machine integers have been bundled the exact same - * way in both cases. */ - -#ifndef FSTAR_UINT128_GCC64 -#define FSTAR_UINT128_GCC64 - -#include "FStar_UInt_8_16_32_64.h" - -/* GCC + using native unsigned __int128 support */ - -inline static uint128_t load128_le(uint8_t *b) { - uint128_t l = (uint128_t)load64_le(b); - uint128_t h = (uint128_t)load64_le(b + 8); - return (h << 64 | l); -} - -inline static void store128_le(uint8_t *b, uint128_t n) { - store64_le(b, (uint64_t)n); - store64_le(b + 8, (uint64_t)(n >> 64)); -} - -inline static uint128_t load128_be(uint8_t *b) { - uint128_t h = (uint128_t)load64_be(b); - uint128_t l = (uint128_t)load64_be(b + 8); - return (h << 64 | l); -} - -inline static void store128_be(uint8_t *b, uint128_t n) { - store64_be(b, (uint64_t)(n >> 64)); - store64_be(b + 8, (uint64_t)n); -} - -inline static uint128_t FStar_UInt128_add(uint128_t x, uint128_t y) { - return x + y; -} - -inline static uint128_t FStar_UInt128_mul(uint128_t x, uint128_t y) { - return x * y; -} - -inline static uint128_t FStar_UInt128_add_mod(uint128_t x, uint128_t y) { - return x + y; -} - -inline static uint128_t FStar_UInt128_sub(uint128_t x, uint128_t y) { - return x - y; -} - -inline static uint128_t FStar_UInt128_sub_mod(uint128_t x, uint128_t y) { - return x - y; -} - -inline static uint128_t FStar_UInt128_logand(uint128_t x, uint128_t y) { - return x & y; -} - -inline static uint128_t FStar_UInt128_logor(uint128_t x, uint128_t y) { - return x | y; -} - -inline static uint128_t FStar_UInt128_logxor(uint128_t x, uint128_t y) { - return x ^ y; -} - -inline static uint128_t FStar_UInt128_lognot(uint128_t x) { - return ~x; -} - -inline static uint128_t FStar_UInt128_shift_left(uint128_t x, uint32_t y) { - return x << y; -} - -inline static uint128_t FStar_UInt128_shift_right(uint128_t x, uint32_t y) { - return x >> y; -} - -inline static uint128_t FStar_UInt128_uint64_to_uint128(uint64_t x) { - return (uint128_t)x; -} - -inline static uint64_t FStar_UInt128_uint128_to_uint64(uint128_t x) { - return (uint64_t)x; -} - -inline static uint128_t FStar_UInt128_mul_wide(uint64_t x, uint64_t y) { - return ((uint128_t) x) * y; -} - -inline static uint128_t FStar_UInt128_eq_mask(uint128_t x, uint128_t y) { - uint64_t mask = - FStar_UInt64_eq_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)) & - FStar_UInt64_eq_mask(x, y); - return ((uint128_t)mask) << 64 | mask; -} - -inline static uint128_t FStar_UInt128_gte_mask(uint128_t x, uint128_t y) { - uint64_t mask = - (FStar_UInt64_gte_mask(x >> 64, y >> 64) & - ~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) | - (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask(x, y)); - return ((uint128_t)mask) << 64 | mask; -} - -inline static uint64_t FStar_UInt128___proj__Mkuint128__item__low(uint128_t x) { - return (uint64_t) x; -} - -inline static uint64_t FStar_UInt128___proj__Mkuint128__item__high(uint128_t x) { - return (uint64_t) (x >> 64); -} - -inline static uint128_t FStar_UInt128_add_underspec(uint128_t x, uint128_t y) { - return x + y; -} - -inline static uint128_t FStar_UInt128_sub_underspec(uint128_t x, uint128_t y) { - return x - y; -} - -inline static bool FStar_UInt128_eq(uint128_t x, uint128_t y) { - return x == y; -} - -inline static bool FStar_UInt128_gt(uint128_t x, uint128_t y) { - return x > y; -} - -inline static bool FStar_UInt128_lt(uint128_t x, uint128_t y) { - return x < y; -} - -inline static bool FStar_UInt128_gte(uint128_t x, uint128_t y) { - return x >= y; -} - -inline static bool FStar_UInt128_lte(uint128_t x, uint128_t y) { - return x <= y; -} - -inline static uint128_t FStar_UInt128_mul32(uint64_t x, uint32_t y) { - return (uint128_t) x * (uint128_t) y; -} - -#endif diff --git a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h b/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h deleted file mode 100644 index 10eb74dcc7f487..00000000000000 --- a/Modules/_hacl/krmllib/dist/minimal/fstar_uint128_msvc.h +++ /dev/null @@ -1,509 +0,0 @@ -/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ - -/* This file was generated by KaRaMeL - * then hand-edited to use MSVC intrinsics KaRaMeL invocation: - * C:\users\barrybo\mitls2c\karamel\_build\src\Karamel.native -minimal -fnouint128 C:/users/barrybo/mitls2c/FStar/ulib/FStar.UInt128.fst -tmpdir ../secure_api/out/runtime_switch/uint128 -skip-compilation -add-include "krmllib0.h" -drop FStar.Int.Cast.Full -bundle FStar.UInt128=FStar.*,Prims - * F* version: 15104ff8 - * KaRaMeL version: 318b7fa8 - */ - -#ifndef FSTAR_UINT128_MSVC -#define FSTAR_UINT128_MSVC - -#include "krml/internal/types.h" -#include "FStar_UInt_8_16_32_64.h" - -#ifndef _MSC_VER -# error This file only works with the MSVC compiler -#endif - -/* JP: need to rip out HAS_OPTIMIZED since the header guards in types.h are now - * done properly and only include this file when we know for sure we are on - * 64-bit MSVC. */ - -#if defined(_M_X64) && !defined(KRML_VERIFIED_UINT128) -#define HAS_OPTIMIZED 1 -#else -#define HAS_OPTIMIZED 0 -#endif - -// Define .low and .high in terms of the __m128i fields, to reduce -// the amount of churn in this file. -#if HAS_OPTIMIZED -#include -#include -#define low m128i_u64[0] -#define high m128i_u64[1] -#endif - -inline static FStar_UInt128_uint128 load128_le(uint8_t *b) { -#if HAS_OPTIMIZED - return _mm_loadu_si128((__m128i *)b); -#else - FStar_UInt128_uint128 lit; - lit.low = load64_le(b); - lit.high = load64_le(b + 8); - return lit; -#endif -} - -inline static void store128_le(uint8_t *b, FStar_UInt128_uint128 n) { - store64_le(b, n.low); - store64_le(b + 8, n.high); -} - -inline static FStar_UInt128_uint128 load128_be(uint8_t *b) { - uint64_t l = load64_be(b + 8); - uint64_t h = load64_be(b); -#if HAS_OPTIMIZED - return _mm_set_epi64x(h, l); -#else - FStar_UInt128_uint128 lit; - lit.low = l; - lit.high = h; - return lit; -#endif -} - -inline static void store128_be(uint8_t *b, uint128_t n) { - store64_be(b, n.high); - store64_be(b + 8, n.low); -} - -inline static uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b) { - return (a ^ (a ^ b | a - b ^ b)) >> (uint32_t)63U; -} - -inline static uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b) { - return FStar_UInt128_constant_time_carry(a, b); -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED - uint64_t l, h; - - unsigned char carry = - _addcarry_u64(0, a.low, b.low, &l); // low/CF = a.low+b.low+0 - _addcarry_u64(carry, a.high, b.high, &h); // high = a.high+b.high+CF - return _mm_set_epi64x(h, l); -#else - FStar_UInt128_uint128 lit; - lit.low = a.low + b.low; - lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); - return lit; -#endif -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED - return FStar_UInt128_add(a, b); -#else - FStar_UInt128_uint128 lit; - lit.low = a.low + b.low; - lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low; - return lit; -#endif -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED - return FStar_UInt128_add(a, b); -#else - FStar_UInt128_uint128 lit; - lit.low = a.low + b.low; - lit.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low); - return lit; -#endif -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED - uint64_t l, h; - - unsigned char borrow = _subborrow_u64(0, a.low, b.low, &l); - _subborrow_u64(borrow, a.high, b.high, &h); - return _mm_set_epi64x(h, l); -#else - FStar_UInt128_uint128 lit; - lit.low = a.low - b.low; - lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); - return lit; -#endif -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED - return FStar_UInt128_sub(a, b); -#else - FStar_UInt128_uint128 lit; - lit.low = a.low - b.low; - lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); - return lit; -#endif -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { - FStar_UInt128_uint128 lit; - lit.low = a.low - b.low; - lit.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low); - return lit; -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED - return FStar_UInt128_sub(a, b); -#else - return FStar_UInt128_sub_mod_impl(a, b); -#endif -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED - return _mm_and_si128(a, b); -#else - FStar_UInt128_uint128 lit; - lit.low = a.low & b.low; - lit.high = a.high & b.high; - return lit; -#endif -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED - return _mm_xor_si128(a, b); -#else - FStar_UInt128_uint128 lit; - lit.low = a.low ^ b.low; - lit.high = a.high ^ b.high; - return lit; -#endif -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED - return _mm_or_si128(a, b); -#else - FStar_UInt128_uint128 lit; - lit.low = a.low | b.low; - lit.high = a.high | b.high; - return lit; -#endif -} - -inline static FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a) { -#if HAS_OPTIMIZED - return _mm_andnot_si128(a, a); -#else - FStar_UInt128_uint128 lit; - lit.low = ~a.low; - lit.high = ~a.high; - return lit; -#endif -} - -static const uint32_t FStar_UInt128_u32_64 = (uint32_t)64U; - -inline static uint64_t -FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s) { - return (hi << s) + (lo >> FStar_UInt128_u32_64 - s); -} - -inline static uint64_t -FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s) { - return FStar_UInt128_add_u64_shift_left(hi, lo, s); -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s) { - if (s == (uint32_t)0U) - return a; - else { - FStar_UInt128_uint128 lit; - lit.low = a.low << s; - lit.high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s); - return lit; - } -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) { - FStar_UInt128_uint128 lit; - lit.low = (uint64_t)0U; - lit.high = a.low << s - FStar_UInt128_u32_64; - return lit; -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s) { -#if HAS_OPTIMIZED - if (s == 0) { - return a; - } else if (s < FStar_UInt128_u32_64) { - uint64_t l = a.low << s; - uint64_t h = __shiftleft128(a.low, a.high, (unsigned char)s); - return _mm_set_epi64x(h, l); - } else { - return _mm_set_epi64x(a.low << (s - FStar_UInt128_u32_64), 0); - } -#else - if (s < FStar_UInt128_u32_64) - return FStar_UInt128_shift_left_small(a, s); - else - return FStar_UInt128_shift_left_large(a, s); -#endif -} - -inline static uint64_t -FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s) { - return (lo >> s) + (hi << FStar_UInt128_u32_64 - s); -} - -inline static uint64_t -FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s) { - return FStar_UInt128_add_u64_shift_right(hi, lo, s); -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) { - if (s == (uint32_t)0U) - return a; - else { - FStar_UInt128_uint128 lit; - lit.low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s); - lit.high = a.high >> s; - return lit; - } -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) { - FStar_UInt128_uint128 lit; - lit.low = a.high >> s - FStar_UInt128_u32_64; - lit.high = (uint64_t)0U; - return lit; -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s) { -#if HAS_OPTIMIZED - if (s == 0) { - return a; - } else if (s < FStar_UInt128_u32_64) { - uint64_t l = __shiftright128(a.low, a.high, (unsigned char)s); - uint64_t h = a.high >> s; - return _mm_set_epi64x(h, l); - } else { - return _mm_set_epi64x(0, a.high >> (s - FStar_UInt128_u32_64)); - } -#else - if (s < FStar_UInt128_u32_64) - return FStar_UInt128_shift_right_small(a, s); - else - return FStar_UInt128_shift_right_large(a, s); -#endif -} - -inline static bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { - return a.low == b.low && a.high == b.high; -} - -inline static bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { - return a.high > b.high || a.high == b.high && a.low > b.low; -} - -inline static bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { - return a.high < b.high || a.high == b.high && a.low < b.low; -} - -inline static bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { - return a.high > b.high || a.high == b.high && a.low >= b.low; -} - -inline static bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { - return a.high < b.high || a.high == b.high && a.low <= b.low; -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED - // PCMPW to produce 4 32-bit values, all either 0x0 or 0xffffffff - __m128i r32 = _mm_cmpeq_epi32(a, b); - // Shuffle 3,2,1,0 into 2,3,0,1 (swapping dwords inside each half) - __m128i s32 = _mm_shuffle_epi32(r32, _MM_SHUFFLE(2, 3, 0, 1)); - // Bitwise and to compute (3&2),(2&3),(1&0),(0&1) - __m128i ret64 = _mm_and_si128(r32, s32); - // Swap the two 64-bit values to form s64 - __m128i s64 = - _mm_shuffle_epi32(ret64, _MM_SHUFFLE(1, 0, 3, 2)); // 3,2,1,0 -> 1,0,3,2 - // And them together - return _mm_and_si128(ret64, s64); -#else - FStar_UInt128_uint128 lit; - lit.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); - lit.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); - return lit; -#endif -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { -#if HAS_OPTIMIZED && 0 - // ge - compare 3,2,1,0 for >= and generating 0 or 0xffffffff for each - // eq - compare 3,2,1,0 for == and generating 0 or 0xffffffff for each - // slot 0 = ge0 | (eq0 & ge1) | (eq0 & eq1 & ge2) | (eq0 & eq1 & eq2 & ge3) - // then splat slot 0 to 3,2,1,0 - __m128i gt = _mm_cmpgt_epi32(a, b); - __m128i eq = _mm_cmpeq_epi32(a, b); - __m128i ge = _mm_or_si128(gt, eq); - __m128i ge0 = ge; - __m128i eq0 = eq; - __m128i ge1 = _mm_srli_si128(ge, 4); // shift ge from 3,2,1,0 to 0x0,3,2,1 - __m128i t1 = _mm_and_si128(eq0, ge1); - __m128i ret = _mm_or_si128(ge, t1); // ge0 | (eq0 & ge1) is now in 0 - __m128i eq1 = _mm_srli_si128(eq, 4); // shift eq from 3,2,1,0 to 0x0,3,2,1 - __m128i ge2 = - _mm_srli_si128(ge1, 4); // shift original ge from 3,2,1,0 to 0x0,0x0,3,2 - __m128i t2 = - _mm_and_si128(eq0, _mm_and_si128(eq1, ge2)); // t2 = (eq0 & eq1 & ge2) - ret = _mm_or_si128(ret, t2); - __m128i eq2 = _mm_srli_si128(eq1, 4); // shift eq from 3,2,1,0 to 0x0,00,00,3 - __m128i ge3 = - _mm_srli_si128(ge2, 4); // shift original ge from 3,2,1,0 to 0x0,0x0,0x0,3 - __m128i t3 = _mm_and_si128( - eq0, _mm_and_si128( - eq1, _mm_and_si128(eq2, ge3))); // t3 = (eq0 & eq1 & eq2 & ge3) - ret = _mm_or_si128(ret, t3); - return _mm_shuffle_epi32( - ret, - _MM_SHUFFLE(0, 0, 0, 0)); // the result is in 0. Shuffle into all dwords. -#else - FStar_UInt128_uint128 lit; - lit.low = FStar_UInt64_gte_mask(a.high, b.high) & - ~FStar_UInt64_eq_mask(a.high, b.high) | - FStar_UInt64_eq_mask(a.high, b.high) & - FStar_UInt64_gte_mask(a.low, b.low); - lit.high = FStar_UInt64_gte_mask(a.high, b.high) & - ~FStar_UInt64_eq_mask(a.high, b.high) | - FStar_UInt64_eq_mask(a.high, b.high) & - FStar_UInt64_gte_mask(a.low, b.low); - return lit; -#endif -} - -inline static FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a) { -#if HAS_OPTIMIZED - return _mm_set_epi64x(0, a); -#else - FStar_UInt128_uint128 lit; - lit.low = a; - lit.high = (uint64_t)0U; - return lit; -#endif -} - -inline static uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a) { - return a.low; -} - -inline static uint64_t FStar_UInt128_u64_mod_32(uint64_t a) { - return a & (uint64_t)0xffffffffU; -} - -static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U; - -inline static uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo) { - return lo + (hi << FStar_UInt128_u32_32); -} - -inline static FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y) { -#if HAS_OPTIMIZED - uint64_t l, h; - l = _umul128(x, (uint64_t)y, &h); - return _mm_set_epi64x(h, l); -#else - FStar_UInt128_uint128 lit; - lit.low = FStar_UInt128_u32_combine( - (x >> FStar_UInt128_u32_32) * (uint64_t)y + - (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> - FStar_UInt128_u32_32), - FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)); - lit.high = (x >> FStar_UInt128_u32_32) * (uint64_t)y + - (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> - FStar_UInt128_u32_32) >> - FStar_UInt128_u32_32; - return lit; -#endif -} - -/* Note: static headers bring scope collision issues when they define types! - * Because now client (karamel-generated) code will include this header and - * there might be type collisions if the client code uses quadruples of uint64s. - * So, we cannot use the karamel-generated name. */ -typedef struct K_quad_s { - uint64_t fst; - uint64_t snd; - uint64_t thd; - uint64_t f3; -} K_quad; - -inline static K_quad -FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y) { - K_quad tmp; - tmp.fst = FStar_UInt128_u64_mod_32(x); - tmp.snd = FStar_UInt128_u64_mod_32( - FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)); - tmp.thd = x >> FStar_UInt128_u32_32; - tmp.f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + - (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> - FStar_UInt128_u32_32); - return tmp; -} - -static uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo) { - return lo + (hi << FStar_UInt128_u32_32); -} - -inline static FStar_UInt128_uint128 -FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y) { - K_quad scrut = - FStar_UInt128_mul_wide_impl_t_(x, y); - uint64_t u1 = scrut.fst; - uint64_t w3 = scrut.snd; - uint64_t x_ = scrut.thd; - uint64_t t_ = scrut.f3; - FStar_UInt128_uint128 lit; - lit.low = FStar_UInt128_u32_combine_( - u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_), w3); - lit.high = - x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) + - (u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_) >> - FStar_UInt128_u32_32); - return lit; -} - -inline static -FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y) { -#if HAS_OPTIMIZED - uint64_t l, h; - l = _umul128(x, y, &h); - return _mm_set_epi64x(h, l); -#else - return FStar_UInt128_mul_wide_impl(x, y); -#endif -} - -#undef low -#undef high - -#endif From 5134c6ab723071a7b1fe28b07a0479856f2a000e Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Mon, 7 Nov 2022 10:59:37 -0800 Subject: [PATCH 09/33] better code quality --- Modules/_hacl/Hacl_Streaming_SHA2.c | 618 ++++++---------------------- 1 file changed, 130 insertions(+), 488 deletions(-) diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.c b/Modules/_hacl/Hacl_Streaming_SHA2.c index 002c0c3caab1b7..6fa9fe5ead8c8c 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.c +++ b/Modules/_hacl/Hacl_Streaming_SHA2.c @@ -62,6 +62,132 @@ Hacl_Impl_SHA2_Generic_k224_256[64U] = (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U }; +static void update_nblocks_256(uint32_t len, uint8_t *b, uint32_t *st) +{ + uint32_t blocks = len / (uint32_t)64U; + for (uint32_t i0 = (uint32_t)0U; i0 < blocks; i0++) + { + uint8_t *b00 = b; + uint8_t *mb = b00 + i0 * (uint32_t)64U; + uint32_t hash_old[8U] = { 0U }; + uint32_t ws[16U] = { 0U }; + memcpy(hash_old, st, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b10 = mb; + uint32_t u = load32_be(b10); + ws[0U] = u; + uint32_t u0 = load32_be(b10 + (uint32_t)4U); + ws[1U] = u0; + uint32_t u1 = load32_be(b10 + (uint32_t)8U); + ws[2U] = u1; + uint32_t u2 = load32_be(b10 + (uint32_t)12U); + ws[3U] = u2; + uint32_t u3 = load32_be(b10 + (uint32_t)16U); + ws[4U] = u3; + uint32_t u4 = load32_be(b10 + (uint32_t)20U); + ws[5U] = u4; + uint32_t u5 = load32_be(b10 + (uint32_t)24U); + ws[6U] = u5; + uint32_t u6 = load32_be(b10 + (uint32_t)28U); + ws[7U] = u6; + uint32_t u7 = load32_be(b10 + (uint32_t)32U); + ws[8U] = u7; + uint32_t u8 = load32_be(b10 + (uint32_t)36U); + ws[9U] = u8; + uint32_t u9 = load32_be(b10 + (uint32_t)40U); + ws[10U] = u9; + uint32_t u10 = load32_be(b10 + (uint32_t)44U); + ws[11U] = u10; + uint32_t u11 = load32_be(b10 + (uint32_t)48U); + ws[12U] = u11; + uint32_t u12 = load32_be(b10 + (uint32_t)52U); + ws[13U] = u12; + uint32_t u13 = load32_be(b10 + (uint32_t)56U); + ws[14U] = u13; + uint32_t u14 = load32_be(b10 + (uint32_t)60U); + ws[15U] = u14; + KRML_MAYBE_FOR4(i1, + (uint32_t)0U, + (uint32_t)4U, + (uint32_t)1U, + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; + uint32_t ws_t = ws[i]; + uint32_t a0 = st[0U]; + uint32_t b0 = st[1U]; + uint32_t c0 = st[2U]; + uint32_t d0 = st[3U]; + uint32_t e0 = st[4U]; + uint32_t f0 = st[5U]; + uint32_t g0 = st[6U]; + uint32_t h03 = st[7U]; + uint32_t k_e_t = k_t; + uint32_t + t1 = + h03 + + + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) + ^ + ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) + ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) + + ((e0 & f0) ^ (~e0 & g0)) + + k_e_t + + ws_t; + uint32_t + t2 = + ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) + ^ + ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) + ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) + + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); + uint32_t a1 = t1 + t2; + uint32_t b1 = a0; + uint32_t c1 = b0; + uint32_t d1 = c0; + uint32_t e1 = d0 + t1; + uint32_t f1 = e0; + uint32_t g1 = f0; + uint32_t h12 = g0; + st[0U] = a1; + st[1U] = b1; + st[2U] = c1; + st[3U] = d1; + st[4U] = e1; + st[5U] = f1; + st[6U] = g1; + st[7U] = h12;); + if (i1 < (uint32_t)3U) + { + KRML_MAYBE_FOR16(i, + (uint32_t)0U, + (uint32_t)16U, + (uint32_t)1U, + uint32_t t16 = ws[i]; + uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t + s1 = + (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) + ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); + uint32_t + s0 = + (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) + ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); + ws[i] = s1 + t7 + s0 + t16;); + }); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = st; + uint32_t x = st[i] + hash_old[i]; + os[i] = x;); + } +} + Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224() { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); @@ -652,128 +778,7 @@ Hacl_Streaming_SHA2_update_256( } if (!(sz1 == (uint32_t)0U)) { - uint32_t blocks = (uint32_t)1U; - for (uint32_t i0 = (uint32_t)0U; i0 < blocks; i0++) - { - uint8_t *b00 = buf; - uint8_t *mb = b00 + i0 * (uint32_t)64U; - uint32_t hash_old[8U] = { 0U }; - uint32_t ws[16U] = { 0U }; - memcpy(hash_old, block_state1, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b = mb; - uint32_t u = load32_be(b); - ws[0U] = u; - uint32_t u0 = load32_be(b + (uint32_t)4U); - ws[1U] = u0; - uint32_t u1 = load32_be(b + (uint32_t)8U); - ws[2U] = u1; - uint32_t u2 = load32_be(b + (uint32_t)12U); - ws[3U] = u2; - uint32_t u3 = load32_be(b + (uint32_t)16U); - ws[4U] = u3; - uint32_t u4 = load32_be(b + (uint32_t)20U); - ws[5U] = u4; - uint32_t u5 = load32_be(b + (uint32_t)24U); - ws[6U] = u5; - uint32_t u6 = load32_be(b + (uint32_t)28U); - ws[7U] = u6; - uint32_t u7 = load32_be(b + (uint32_t)32U); - ws[8U] = u7; - uint32_t u8 = load32_be(b + (uint32_t)36U); - ws[9U] = u8; - uint32_t u9 = load32_be(b + (uint32_t)40U); - ws[10U] = u9; - uint32_t u10 = load32_be(b + (uint32_t)44U); - ws[11U] = u10; - uint32_t u11 = load32_be(b + (uint32_t)48U); - ws[12U] = u11; - uint32_t u12 = load32_be(b + (uint32_t)52U); - ws[13U] = u12; - uint32_t u13 = load32_be(b + (uint32_t)56U); - ws[14U] = u13; - uint32_t u14 = load32_be(b + (uint32_t)60U); - ws[15U] = u14; - KRML_MAYBE_FOR4(i1, - (uint32_t)0U, - (uint32_t)4U, - (uint32_t)1U, - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; - uint32_t ws_t = ws[i]; - uint32_t a0 = block_state1[0U]; - uint32_t b0 = block_state1[1U]; - uint32_t c0 = block_state1[2U]; - uint32_t d0 = block_state1[3U]; - uint32_t e0 = block_state1[4U]; - uint32_t f0 = block_state1[5U]; - uint32_t g0 = block_state1[6U]; - uint32_t h05 = block_state1[7U]; - uint32_t k_e_t = k_t; - uint32_t - t1 = - h05 - + - ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) - ^ - ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) - ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) - + ((e0 & f0) ^ (~e0 & g0)) - + k_e_t - + ws_t; - uint32_t - t2 = - ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) - ^ - ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) - ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) - + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); - uint32_t a1 = t1 + t2; - uint32_t b1 = a0; - uint32_t c1 = b0; - uint32_t d1 = c0; - uint32_t e1 = d0 + t1; - uint32_t f1 = e0; - uint32_t g1 = f0; - uint32_t h12 = g0; - block_state1[0U] = a1; - block_state1[1U] = b1; - block_state1[2U] = c1; - block_state1[3U] = d1; - block_state1[4U] = e1; - block_state1[5U] = f1; - block_state1[6U] = g1; - block_state1[7U] = h12;); - if (i1 < (uint32_t)3U) - { - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t t16 = ws[i]; - uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; - uint32_t - s11 = - (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) - ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); - uint32_t - s0 = - (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) - ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws[i] = s11 + t7 + s0 + t16;); - }); - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = block_state1; - uint32_t x = block_state1[i] + hash_old[i]; - os[i] = x;); - } + update_nblocks_256((uint32_t)64U, buf, block_state1); } uint32_t ite; if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) @@ -789,128 +794,7 @@ Hacl_Streaming_SHA2_update_256( uint32_t data2_len = len - data1_len; uint8_t *data1 = data; uint8_t *data2 = data + data1_len; - uint32_t blocks = data1_len / (uint32_t)64U; - for (uint32_t i0 = (uint32_t)0U; i0 < blocks; i0++) - { - uint8_t *b00 = data1; - uint8_t *mb = b00 + i0 * (uint32_t)64U; - uint32_t hash_old[8U] = { 0U }; - uint32_t ws[16U] = { 0U }; - memcpy(hash_old, block_state1, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b = mb; - uint32_t u = load32_be(b); - ws[0U] = u; - uint32_t u0 = load32_be(b + (uint32_t)4U); - ws[1U] = u0; - uint32_t u1 = load32_be(b + (uint32_t)8U); - ws[2U] = u1; - uint32_t u2 = load32_be(b + (uint32_t)12U); - ws[3U] = u2; - uint32_t u3 = load32_be(b + (uint32_t)16U); - ws[4U] = u3; - uint32_t u4 = load32_be(b + (uint32_t)20U); - ws[5U] = u4; - uint32_t u5 = load32_be(b + (uint32_t)24U); - ws[6U] = u5; - uint32_t u6 = load32_be(b + (uint32_t)28U); - ws[7U] = u6; - uint32_t u7 = load32_be(b + (uint32_t)32U); - ws[8U] = u7; - uint32_t u8 = load32_be(b + (uint32_t)36U); - ws[9U] = u8; - uint32_t u9 = load32_be(b + (uint32_t)40U); - ws[10U] = u9; - uint32_t u10 = load32_be(b + (uint32_t)44U); - ws[11U] = u10; - uint32_t u11 = load32_be(b + (uint32_t)48U); - ws[12U] = u11; - uint32_t u12 = load32_be(b + (uint32_t)52U); - ws[13U] = u12; - uint32_t u13 = load32_be(b + (uint32_t)56U); - ws[14U] = u13; - uint32_t u14 = load32_be(b + (uint32_t)60U); - ws[15U] = u14; - KRML_MAYBE_FOR4(i1, - (uint32_t)0U, - (uint32_t)4U, - (uint32_t)1U, - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; - uint32_t ws_t = ws[i]; - uint32_t a0 = block_state1[0U]; - uint32_t b0 = block_state1[1U]; - uint32_t c0 = block_state1[2U]; - uint32_t d0 = block_state1[3U]; - uint32_t e0 = block_state1[4U]; - uint32_t f0 = block_state1[5U]; - uint32_t g0 = block_state1[6U]; - uint32_t h05 = block_state1[7U]; - uint32_t k_e_t = k_t; - uint32_t - t1 = - h05 - + - ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) - ^ - ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) - ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) - + ((e0 & f0) ^ (~e0 & g0)) - + k_e_t - + ws_t; - uint32_t - t2 = - ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) - ^ - ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) - ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) - + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); - uint32_t a1 = t1 + t2; - uint32_t b1 = a0; - uint32_t c1 = b0; - uint32_t d1 = c0; - uint32_t e1 = d0 + t1; - uint32_t f1 = e0; - uint32_t g1 = f0; - uint32_t h13 = g0; - block_state1[0U] = a1; - block_state1[1U] = b1; - block_state1[2U] = c1; - block_state1[3U] = d1; - block_state1[4U] = e1; - block_state1[5U] = f1; - block_state1[6U] = g1; - block_state1[7U] = h13;); - if (i1 < (uint32_t)3U) - { - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t t16 = ws[i]; - uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; - uint32_t - s11 = - (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) - ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); - uint32_t - s0 = - (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) - ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws[i] = s11 + t7 + s0 + t16;); - }); - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = block_state1; - uint32_t x = block_state1[i] + hash_old[i]; - os[i] = x;); - } + update_nblocks_256(data1_len, data1, block_state1); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); *p @@ -968,128 +852,7 @@ Hacl_Streaming_SHA2_update_256( } if (!(sz1 == (uint32_t)0U)) { - uint32_t blocks = (uint32_t)1U; - for (uint32_t i0 = (uint32_t)0U; i0 < blocks; i0++) - { - uint8_t *b00 = buf; - uint8_t *mb = b00 + i0 * (uint32_t)64U; - uint32_t hash_old[8U] = { 0U }; - uint32_t ws[16U] = { 0U }; - memcpy(hash_old, block_state1, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b = mb; - uint32_t u = load32_be(b); - ws[0U] = u; - uint32_t u0 = load32_be(b + (uint32_t)4U); - ws[1U] = u0; - uint32_t u1 = load32_be(b + (uint32_t)8U); - ws[2U] = u1; - uint32_t u2 = load32_be(b + (uint32_t)12U); - ws[3U] = u2; - uint32_t u3 = load32_be(b + (uint32_t)16U); - ws[4U] = u3; - uint32_t u4 = load32_be(b + (uint32_t)20U); - ws[5U] = u4; - uint32_t u5 = load32_be(b + (uint32_t)24U); - ws[6U] = u5; - uint32_t u6 = load32_be(b + (uint32_t)28U); - ws[7U] = u6; - uint32_t u7 = load32_be(b + (uint32_t)32U); - ws[8U] = u7; - uint32_t u8 = load32_be(b + (uint32_t)36U); - ws[9U] = u8; - uint32_t u9 = load32_be(b + (uint32_t)40U); - ws[10U] = u9; - uint32_t u10 = load32_be(b + (uint32_t)44U); - ws[11U] = u10; - uint32_t u11 = load32_be(b + (uint32_t)48U); - ws[12U] = u11; - uint32_t u12 = load32_be(b + (uint32_t)52U); - ws[13U] = u12; - uint32_t u13 = load32_be(b + (uint32_t)56U); - ws[14U] = u13; - uint32_t u14 = load32_be(b + (uint32_t)60U); - ws[15U] = u14; - KRML_MAYBE_FOR4(i1, - (uint32_t)0U, - (uint32_t)4U, - (uint32_t)1U, - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; - uint32_t ws_t = ws[i]; - uint32_t a0 = block_state1[0U]; - uint32_t b0 = block_state1[1U]; - uint32_t c0 = block_state1[2U]; - uint32_t d0 = block_state1[3U]; - uint32_t e0 = block_state1[4U]; - uint32_t f0 = block_state1[5U]; - uint32_t g0 = block_state1[6U]; - uint32_t h06 = block_state1[7U]; - uint32_t k_e_t = k_t; - uint32_t - t1 = - h06 - + - ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) - ^ - ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) - ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) - + ((e0 & f0) ^ (~e0 & g0)) - + k_e_t - + ws_t; - uint32_t - t2 = - ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) - ^ - ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) - ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) - + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); - uint32_t a1 = t1 + t2; - uint32_t b1 = a0; - uint32_t c1 = b0; - uint32_t d1 = c0; - uint32_t e1 = d0 + t1; - uint32_t f1 = e0; - uint32_t g1 = f0; - uint32_t h13 = g0; - block_state1[0U] = a1; - block_state1[1U] = b1; - block_state1[2U] = c1; - block_state1[3U] = d1; - block_state1[4U] = e1; - block_state1[5U] = f1; - block_state1[6U] = g1; - block_state1[7U] = h13;); - if (i1 < (uint32_t)3U) - { - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t t16 = ws[i]; - uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; - uint32_t - s11 = - (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) - ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); - uint32_t - s0 = - (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) - ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws[i] = s11 + t7 + s0 + t16;); - }); - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = block_state1; - uint32_t x = block_state1[i] + hash_old[i]; - os[i] = x;); - } + update_nblocks_256((uint32_t)64U, buf, block_state1); } uint32_t ite; if @@ -1111,128 +874,7 @@ Hacl_Streaming_SHA2_update_256( uint32_t data2_len = len - diff - data1_len; uint8_t *data11 = data2; uint8_t *data21 = data2 + data1_len; - uint32_t blocks = data1_len / (uint32_t)64U; - for (uint32_t i0 = (uint32_t)0U; i0 < blocks; i0++) - { - uint8_t *b00 = data11; - uint8_t *mb = b00 + i0 * (uint32_t)64U; - uint32_t hash_old[8U] = { 0U }; - uint32_t ws[16U] = { 0U }; - memcpy(hash_old, block_state1, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b = mb; - uint32_t u = load32_be(b); - ws[0U] = u; - uint32_t u0 = load32_be(b + (uint32_t)4U); - ws[1U] = u0; - uint32_t u1 = load32_be(b + (uint32_t)8U); - ws[2U] = u1; - uint32_t u2 = load32_be(b + (uint32_t)12U); - ws[3U] = u2; - uint32_t u3 = load32_be(b + (uint32_t)16U); - ws[4U] = u3; - uint32_t u4 = load32_be(b + (uint32_t)20U); - ws[5U] = u4; - uint32_t u5 = load32_be(b + (uint32_t)24U); - ws[6U] = u5; - uint32_t u6 = load32_be(b + (uint32_t)28U); - ws[7U] = u6; - uint32_t u7 = load32_be(b + (uint32_t)32U); - ws[8U] = u7; - uint32_t u8 = load32_be(b + (uint32_t)36U); - ws[9U] = u8; - uint32_t u9 = load32_be(b + (uint32_t)40U); - ws[10U] = u9; - uint32_t u10 = load32_be(b + (uint32_t)44U); - ws[11U] = u10; - uint32_t u11 = load32_be(b + (uint32_t)48U); - ws[12U] = u11; - uint32_t u12 = load32_be(b + (uint32_t)52U); - ws[13U] = u12; - uint32_t u13 = load32_be(b + (uint32_t)56U); - ws[14U] = u13; - uint32_t u14 = load32_be(b + (uint32_t)60U); - ws[15U] = u14; - KRML_MAYBE_FOR4(i1, - (uint32_t)0U, - (uint32_t)4U, - (uint32_t)1U, - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; - uint32_t ws_t = ws[i]; - uint32_t a0 = block_state1[0U]; - uint32_t b0 = block_state1[1U]; - uint32_t c0 = block_state1[2U]; - uint32_t d0 = block_state1[3U]; - uint32_t e0 = block_state1[4U]; - uint32_t f0 = block_state1[5U]; - uint32_t g0 = block_state1[6U]; - uint32_t h06 = block_state1[7U]; - uint32_t k_e_t = k_t; - uint32_t - t1 = - h06 - + - ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) - ^ - ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) - ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) - + ((e0 & f0) ^ (~e0 & g0)) - + k_e_t - + ws_t; - uint32_t - t2 = - ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) - ^ - ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) - ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) - + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); - uint32_t a1 = t1 + t2; - uint32_t b1 = a0; - uint32_t c1 = b0; - uint32_t d1 = c0; - uint32_t e1 = d0 + t1; - uint32_t f1 = e0; - uint32_t g1 = f0; - uint32_t h14 = g0; - block_state1[0U] = a1; - block_state1[1U] = b1; - block_state1[2U] = c1; - block_state1[3U] = d1; - block_state1[4U] = e1; - block_state1[5U] = f1; - block_state1[6U] = g1; - block_state1[7U] = h14;); - if (i1 < (uint32_t)3U) - { - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t t16 = ws[i]; - uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; - uint32_t - s11 = - (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) - ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); - uint32_t - s0 = - (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) - ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws[i] = s11 + t7 + s0 + t16;); - }); - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = block_state1; - uint32_t x = block_state1[i] + hash_old[i]; - os[i] = x;); - } + update_nblocks_256(data1_len, data11, block_state1); uint8_t *dst = buf; memcpy(dst, data21, data2_len * sizeof (uint8_t)); *p From f21244796b3f3d13078d2d1ca34ba346a7bf622a Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Mon, 7 Nov 2022 12:51:25 -0800 Subject: [PATCH 10/33] Fixup memory management mistake --- Modules/_hacl/sha256module.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Modules/_hacl/sha256module.c b/Modules/_hacl/sha256module.c index b7e262348bc50f..dc2fc90d1057b1 100644 --- a/Modules/_hacl/sha256module.c +++ b/Modules/_hacl/sha256module.c @@ -75,6 +75,10 @@ static void SHAcopy(SHAobject *src, SHAobject *dest) { dest->digestsize = src->digestsize; // TODO: implement this in HACL + if (dest->digestsize == 28) + dest->state = Hacl_Streaming_SHA2_create_in_224(); + else + dest->state = Hacl_Streaming_SHA2_create_in_256(); dest->state->total_len = src->state->total_len; memcpy(dest->state->block_state, src->state->block_state, SHA_DIGESTSIZE); memcpy(dest->state->buf, src->state->buf, SHA_BLOCKSIZE); From 6543fdd1f153175a267e36168a3b686dd3b094e4 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Mon, 7 Nov 2022 14:24:00 -0800 Subject: [PATCH 11/33] Fix Linux build --- Modules/Setup.stdlib.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/Setup.stdlib.in b/Modules/Setup.stdlib.in index b8139751e5c2dc..d550e4032ebdfa 100644 --- a/Modules/Setup.stdlib.in +++ b/Modules/Setup.stdlib.in @@ -78,7 +78,7 @@ # hashing builtins, can be disabled with --without-builtin-hashlib-hashes @MODULE__MD5_TRUE@_md5 md5module.c @MODULE__SHA1_TRUE@_sha1 sha1module.c -@MODULE__SHA256_TRUE@_sha256 _hacl/sha256module.c _hacl/Hacl_Streaming_SHA2.c -I$(srcdir)/Modules/_hacl/include -I$(srcdir)/Modules/_hacl/internal -I$(srcdir)/Modules/_hacl/krmllib/dist/minimal -DKRML_VERIFIED_UINT128 +@MODULE__SHA256_TRUE@_sha256 _hacl/sha256module.c _hacl/Hacl_Streaming_SHA2.c -I$(srcdir)/Modules/_hacl/include -I$(srcdir)/Modules/_hacl/internal -I$(srcdir)/Modules/_hacl/krmllib/dist/minimal -DKRML_VERIFIED_UINT128 -D_BSD_SOURCE -D_DEFAULT_SOURCE @MODULE__SHA512_TRUE@_sha512 sha512module.c @MODULE__SHA3_TRUE@_sha3 _sha3/sha3module.c @MODULE__BLAKE2_TRUE@_blake2 _blake2/blake2module.c _blake2/blake2b_impl.c _blake2/blake2s_impl.c From a52e9ce7c69660ed2aee47d9f7676f86b7a96792 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 8 Nov 2022 11:32:07 -0800 Subject: [PATCH 12/33] Address review comments from @tiran; regenerate configure --- Makefile.pre.in | 2 +- Modules/Setup.stdlib.in | 2 +- Modules/{_hacl => }/clinic/sha256module.c.h | 0 Modules/{_hacl => }/sha256module.c | 4 ++-- configure | 16 ++-------------- configure.ac | 4 +++- 6 files changed, 9 insertions(+), 19 deletions(-) rename Modules/{_hacl => }/clinic/sha256module.c.h (100%) rename Modules/{_hacl => }/sha256module.c (99%) diff --git a/Makefile.pre.in b/Makefile.pre.in index 5b4bf15eb8aa58..09f831c1fe901f 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in @@ -2592,7 +2592,7 @@ MODULE__HASHLIB_DEPS=$(srcdir)/Modules/hashlib.h MODULE__IO_DEPS=$(srcdir)/Modules/_io/_iomodule.h MODULE__MD5_DEPS=$(srcdir)/Modules/hashlib.h MODULE__SHA1_DEPS=$(srcdir)/Modules/hashlib.h -MODULE__SHA256_DEPS=$(srcdir)/Modules/hashlib.h +MODULE__SHA256_DEPS=$(srcdir)/Modules/hashlib.h $(srcdir)/Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h $(srcdir)/Modules/_hacl/include/krml/lowstar_endianness.h $(srcdir)/Modules/_hacl/include/krml/internal/target.h $(srcdir)/Modules/_hacl/Hacl_Streaming_SHA2.h MODULE__SHA3_DEPS=$(srcdir)/Modules/_sha3/sha3.c $(srcdir)/Modules/_sha3/sha3.h $(srcdir)/Modules/hashlib.h MODULE__SHA512_DEPS=$(srcdir)/Modules/hashlib.h MODULE__SOCKET_DEPS=$(srcdir)/Modules/socketmodule.h $(srcdir)/Modules/addrinfo.h $(srcdir)/Modules/getaddrinfo.c $(srcdir)/Modules/getnameinfo.c diff --git a/Modules/Setup.stdlib.in b/Modules/Setup.stdlib.in index b8139751e5c2dc..f234880e90cf25 100644 --- a/Modules/Setup.stdlib.in +++ b/Modules/Setup.stdlib.in @@ -78,7 +78,7 @@ # hashing builtins, can be disabled with --without-builtin-hashlib-hashes @MODULE__MD5_TRUE@_md5 md5module.c @MODULE__SHA1_TRUE@_sha1 sha1module.c -@MODULE__SHA256_TRUE@_sha256 _hacl/sha256module.c _hacl/Hacl_Streaming_SHA2.c -I$(srcdir)/Modules/_hacl/include -I$(srcdir)/Modules/_hacl/internal -I$(srcdir)/Modules/_hacl/krmllib/dist/minimal -DKRML_VERIFIED_UINT128 +@MODULE__SHA256_TRUE@_sha256 sha256module.c _hacl/Hacl_Streaming_SHA2.c @MODULE__SHA512_TRUE@_sha512 sha512module.c @MODULE__SHA3_TRUE@_sha3 _sha3/sha3module.c @MODULE__BLAKE2_TRUE@_blake2 _blake2/blake2module.c _blake2/blake2b_impl.c _blake2/blake2s_impl.c diff --git a/Modules/_hacl/clinic/sha256module.c.h b/Modules/clinic/sha256module.c.h similarity index 100% rename from Modules/_hacl/clinic/sha256module.c.h rename to Modules/clinic/sha256module.c.h diff --git a/Modules/_hacl/sha256module.c b/Modules/sha256module.c similarity index 99% rename from Modules/_hacl/sha256module.c rename to Modules/sha256module.c index dc2fc90d1057b1..d3f964b4b753f3 100644 --- a/Modules/_hacl/sha256module.c +++ b/Modules/sha256module.c @@ -23,7 +23,7 @@ #include "pycore_bitutils.h" // _Py_bswap32() #include "pycore_strhex.h" // _Py_strhex() #include "structmember.h" // PyMemberDef -#include "../hashlib.h" +#include "hashlib.h" /*[clinic input] module _sha256 @@ -40,7 +40,7 @@ class SHA256Type "SHAobject *" "&PyType_Type" /* The SHA2-224 and SHA2-256 implementations defer to the HACL* verified * library. */ -#include "Hacl_Streaming_SHA2.h" +#include "_hacl/Hacl_Streaming_SHA2.h" typedef struct { PyObject_HEAD diff --git a/configure b/configure index 15d97963742f79..acd10c1e29ef5e 100755 --- a/configure +++ b/configure @@ -1013,7 +1013,6 @@ infodir docdir oldincludedir includedir -runstatedir localstatedir sharedstatedir sysconfdir @@ -1175,7 +1174,6 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' -runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1428,15 +1426,6 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; - -runstatedir | --runstatedir | --runstatedi | --runstated \ - | --runstate | --runstat | --runsta | --runst | --runs \ - | --run | --ru | --r) - ac_prev=runstatedir ;; - -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ - | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ - | --run=* | --ru=* | --r=*) - runstatedir=$ac_optarg ;; - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1574,7 +1563,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir runstatedir + libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1727,7 +1716,6 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] @@ -27103,7 +27091,7 @@ fi as_fn_append MODULE_BLOCK "MODULE__SHA256_STATE=$py_cv_module__sha256$as_nl" if test "x$py_cv_module__sha256" = xyes; then : - + as_fn_append MODULE_BLOCK "MODULE__SHA256_CFLAGS=-I\$(srcdir)/Modules/_hacl/include -I\$(srcdir)/Modules/_hacl/internal$as_nl" fi diff --git a/configure.ac b/configure.ac index c7945aaf8505e6..8d1146bb0de9db 100644 --- a/configure.ac +++ b/configure.ac @@ -7298,7 +7298,9 @@ dnl By default we always compile these even when OpenSSL is available dnl (issue #14693). The modules are small. PY_STDLIB_MOD([_md5], [test "$with_builtin_md5" = yes]) PY_STDLIB_MOD([_sha1], [test "$with_builtin_sha1" = yes]) -PY_STDLIB_MOD([_sha256], [test "$with_builtin_sha256" = yes]) +PY_STDLIB_MOD([_sha256], + [test "$with_builtin_sha256" = yes], [], + [-I\$(srcdir)/Modules/_hacl/include -I\$(srcdir)/Modules/_hacl/internal]) PY_STDLIB_MOD([_sha512], [test "$with_builtin_sha512" = yes]) PY_STDLIB_MOD([_sha3], [test "$with_builtin_sha3" = yes]) PY_STDLIB_MOD([_blake2], From 7f997a9aed641494db1789092bdf839d566c6118 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 8 Nov 2022 11:35:28 -0800 Subject: [PATCH 13/33] Move Linux & BSD CFLAGS into configure --- configure | 2 +- configure.ac | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configure b/configure index acd10c1e29ef5e..8d64d8b86dfa59 100755 --- a/configure +++ b/configure @@ -27091,7 +27091,7 @@ fi as_fn_append MODULE_BLOCK "MODULE__SHA256_STATE=$py_cv_module__sha256$as_nl" if test "x$py_cv_module__sha256" = xyes; then : - as_fn_append MODULE_BLOCK "MODULE__SHA256_CFLAGS=-I\$(srcdir)/Modules/_hacl/include -I\$(srcdir)/Modules/_hacl/internal$as_nl" + as_fn_append MODULE_BLOCK "MODULE__SHA256_CFLAGS=-I\$(srcdir)/Modules/_hacl/include -I\$(srcdir)/Modules/_hacl/internal -D_BSD_SOURCE -D_DEFAULT_SOURCE$as_nl" fi diff --git a/configure.ac b/configure.ac index 8d1146bb0de9db..46abfa58761b53 100644 --- a/configure.ac +++ b/configure.ac @@ -7300,7 +7300,7 @@ PY_STDLIB_MOD([_md5], [test "$with_builtin_md5" = yes]) PY_STDLIB_MOD([_sha1], [test "$with_builtin_sha1" = yes]) PY_STDLIB_MOD([_sha256], [test "$with_builtin_sha256" = yes], [], - [-I\$(srcdir)/Modules/_hacl/include -I\$(srcdir)/Modules/_hacl/internal]) + [-I\$(srcdir)/Modules/_hacl/include -I\$(srcdir)/Modules/_hacl/internal -D_BSD_SOURCE -D_DEFAULT_SOURCE]) PY_STDLIB_MOD([_sha512], [test "$with_builtin_sha512" = yes]) PY_STDLIB_MOD([_sha3], [test "$with_builtin_sha3" = yes]) PY_STDLIB_MOD([_blake2], From ec36acb46039e19de21db30ed2048a802b40f194 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 8 Nov 2022 12:06:58 -0800 Subject: [PATCH 14/33] Add NEWS entry. --- .../next/Security/2022-11-08-12-06-52.gh-issue-99108.4Wrsuh.rst | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 Misc/NEWS.d/next/Security/2022-11-08-12-06-52.gh-issue-99108.4Wrsuh.rst diff --git a/Misc/NEWS.d/next/Security/2022-11-08-12-06-52.gh-issue-99108.4Wrsuh.rst b/Misc/NEWS.d/next/Security/2022-11-08-12-06-52.gh-issue-99108.4Wrsuh.rst new file mode 100644 index 00000000000000..492c6ab9ef8f34 --- /dev/null +++ b/Misc/NEWS.d/next/Security/2022-11-08-12-06-52.gh-issue-99108.4Wrsuh.rst @@ -0,0 +1,2 @@ +Replace builtin hashlib implementation of SHA2-224 and SHA2-256 with +formally verified, side-channel resistant code from the HACL* project. From c5d5e67b08d824ad54055359bef012862e244869 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 8 Nov 2022 12:37:15 -0800 Subject: [PATCH 15/33] SRCDIRS --- configure | 1 + configure.ac | 1 + 2 files changed, 2 insertions(+) diff --git a/configure b/configure index 8d64d8b86dfa59..11d69ae0cc59b9 100755 --- a/configure +++ b/configure @@ -24574,6 +24574,7 @@ SRCDIRS="\ Modules/_ctypes \ Modules/_decimal \ Modules/_decimal/libmpdec \ + Modules/_hacl \ Modules/_io \ Modules/_multiprocessing \ Modules/_sha3 \ diff --git a/configure.ac b/configure.ac index 46abfa58761b53..d69f00907cb4e2 100644 --- a/configure.ac +++ b/configure.ac @@ -6613,6 +6613,7 @@ SRCDIRS="\ Modules/_ctypes \ Modules/_decimal \ Modules/_decimal/libmpdec \ + Modules/_hacl \ Modules/_io \ Modules/_multiprocessing \ Modules/_sha3 \ From adc0b8b1fe50e9d1ad3064caba34b043949d8158 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 8 Nov 2022 13:32:15 -0800 Subject: [PATCH 16/33] Properly regenerate configure --- configure | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 11d69ae0cc59b9..5faf06f092fc81 100755 --- a/configure +++ b/configure @@ -1013,6 +1013,7 @@ infodir docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -1174,6 +1175,7 @@ datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1426,6 +1428,15 @@ do | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ @@ -1563,7 +1574,7 @@ fi for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1716,6 +1727,7 @@ Fine tuning of the installation directories: --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] From ca1e02e16af8f1620c7d81e339a923c35780f014 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 8 Nov 2022 13:42:32 -0800 Subject: [PATCH 17/33] Fix paths in Windows build --- PCbuild/pythoncore.vcxproj | 3 ++- PCbuild/pythoncore.vcxproj.filters | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/PCbuild/pythoncore.vcxproj b/PCbuild/pythoncore.vcxproj index a8f87d66aac0e6..570c235e26bfb0 100644 --- a/PCbuild/pythoncore.vcxproj +++ b/PCbuild/pythoncore.vcxproj @@ -392,7 +392,8 @@ - + + diff --git a/PCbuild/pythoncore.vcxproj.filters b/PCbuild/pythoncore.vcxproj.filters index 1749495ef21f39..f96f3aa122b88d 100644 --- a/PCbuild/pythoncore.vcxproj.filters +++ b/PCbuild/pythoncore.vcxproj.filters @@ -821,7 +821,10 @@ Modules - + + Modules + + Modules From 47be718fe68c528b1b41c90a33a79b13492a0944 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 8 Nov 2022 13:56:08 -0800 Subject: [PATCH 18/33] Add include directory --- PCbuild/pythoncore.vcxproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/PCbuild/pythoncore.vcxproj b/PCbuild/pythoncore.vcxproj index 570c235e26bfb0..6eb6f7519967c6 100644 --- a/PCbuild/pythoncore.vcxproj +++ b/PCbuild/pythoncore.vcxproj @@ -100,7 +100,7 @@ /Zm200 %(AdditionalOptions) - $(PySourcePath)Python;%(AdditionalIncludeDirectories) + $(PySourcePath)Modules\_hacl;$(PySourcePath)Python;%(AdditionalIncludeDirectories) $(zlibDir);%(AdditionalIncludeDirectories) _USRDLL;Py_BUILD_CORE;Py_BUILD_CORE_BUILTIN;Py_ENABLE_SHARED;MS_DLL_ID="$(SysWinVer)";%(PreprocessorDefinitions) _Py_HAVE_ZLIB;%(PreprocessorDefinitions) From b5081778e8349b0f55831b65fc449fa2cb6ba1eb Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 8 Nov 2022 15:32:46 -0800 Subject: [PATCH 19/33] Fixup include paths --- PCbuild/pythoncore.vcxproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/PCbuild/pythoncore.vcxproj b/PCbuild/pythoncore.vcxproj index 6eb6f7519967c6..372a3a8c8d5022 100644 --- a/PCbuild/pythoncore.vcxproj +++ b/PCbuild/pythoncore.vcxproj @@ -100,7 +100,7 @@ /Zm200 %(AdditionalOptions) - $(PySourcePath)Modules\_hacl;$(PySourcePath)Python;%(AdditionalIncludeDirectories) + $(PySourcePath)Modules\_hacl\include;$(PySourcePath)Modules\_hacl\internal;$(PySourcePath)Python;%(AdditionalIncludeDirectories) $(zlibDir);%(AdditionalIncludeDirectories) _USRDLL;Py_BUILD_CORE;Py_BUILD_CORE_BUILTIN;Py_ENABLE_SHARED;MS_DLL_ID="$(SysWinVer)";%(PreprocessorDefinitions) _Py_HAVE_ZLIB;%(PreprocessorDefinitions) From e893889a4cdd56f96b1e3eace555c7b1b57e0381 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Wed, 9 Nov 2022 10:15:24 -0800 Subject: [PATCH 20/33] Fix patchcheck --- Tools/c-analyzer/cpython/_parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tools/c-analyzer/cpython/_parser.py b/Tools/c-analyzer/cpython/_parser.py index 3a8e5d863a89e9..78241f0ea08ac8 100644 --- a/Tools/c-analyzer/cpython/_parser.py +++ b/Tools/c-analyzer/cpython/_parser.py @@ -189,7 +189,7 @@ def clean_lines(text): Modules/main.c Py_BUILD_CORE 1 Modules/mathmodule.c Py_BUILD_CORE 1 Modules/posixmodule.c Py_BUILD_CORE 1 -Modules/_hacl/sha256module.c Py_BUILD_CORE 1 +Modules/sha256module.c Py_BUILD_CORE 1 Modules/sha512module.c Py_BUILD_CORE 1 Modules/signalmodule.c Py_BUILD_CORE 1 Modules/symtablemodule.c Py_BUILD_CORE 1 From 1c82dc2c19e8ed5284e9c194e71f60a50bee6c75 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 20 Dec 2022 11:10:38 -0800 Subject: [PATCH 21/33] Automate import of HACL* into the tree with a script --- Modules/_hacl/Hacl_Streaming_SHA2.c | 1304 ++++------------- Modules/_hacl/Hacl_Streaming_SHA2.h | 71 +- .../include/krml/FStar_UInt_8_16_32_64.h | 8 +- Modules/_hacl/include/krml/internal/target.h | 7 +- Modules/_hacl/internal/Hacl_SHA2_Generic.h | 134 ++ Modules/_hacl/refresh.sh | 99 ++ 6 files changed, 612 insertions(+), 1011 deletions(-) create mode 100644 Modules/_hacl/internal/Hacl_SHA2_Generic.h create mode 100755 Modules/_hacl/refresh.sh diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.c b/Modules/_hacl/Hacl_Streaming_SHA2.c index 6fa9fe5ead8c8c..ab9350a5f2fecf 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.c +++ b/Modules/_hacl/Hacl_Streaming_SHA2.c @@ -24,428 +24,58 @@ #include "Hacl_Streaming_SHA2.h" -static const -uint32_t -Hacl_Impl_SHA2_Generic_h224[8U] = - { - (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, - (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U - }; +#include "internal/Hacl_SHA2_Generic.h" -static const -uint32_t -Hacl_Impl_SHA2_Generic_h256[8U] = - { - (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, - (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U - }; - -static const -uint32_t -Hacl_Impl_SHA2_Generic_k224_256[64U] = - { - (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, - (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, - (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, - (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, - (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, - (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, - (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, - (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, - (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, - (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, - (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, - (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, - (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, - (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, - (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, - (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U - }; - -static void update_nblocks_256(uint32_t len, uint8_t *b, uint32_t *st) -{ - uint32_t blocks = len / (uint32_t)64U; - for (uint32_t i0 = (uint32_t)0U; i0 < blocks; i0++) - { - uint8_t *b00 = b; - uint8_t *mb = b00 + i0 * (uint32_t)64U; - uint32_t hash_old[8U] = { 0U }; - uint32_t ws[16U] = { 0U }; - memcpy(hash_old, st, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b10 = mb; - uint32_t u = load32_be(b10); - ws[0U] = u; - uint32_t u0 = load32_be(b10 + (uint32_t)4U); - ws[1U] = u0; - uint32_t u1 = load32_be(b10 + (uint32_t)8U); - ws[2U] = u1; - uint32_t u2 = load32_be(b10 + (uint32_t)12U); - ws[3U] = u2; - uint32_t u3 = load32_be(b10 + (uint32_t)16U); - ws[4U] = u3; - uint32_t u4 = load32_be(b10 + (uint32_t)20U); - ws[5U] = u4; - uint32_t u5 = load32_be(b10 + (uint32_t)24U); - ws[6U] = u5; - uint32_t u6 = load32_be(b10 + (uint32_t)28U); - ws[7U] = u6; - uint32_t u7 = load32_be(b10 + (uint32_t)32U); - ws[8U] = u7; - uint32_t u8 = load32_be(b10 + (uint32_t)36U); - ws[9U] = u8; - uint32_t u9 = load32_be(b10 + (uint32_t)40U); - ws[10U] = u9; - uint32_t u10 = load32_be(b10 + (uint32_t)44U); - ws[11U] = u10; - uint32_t u11 = load32_be(b10 + (uint32_t)48U); - ws[12U] = u11; - uint32_t u12 = load32_be(b10 + (uint32_t)52U); - ws[13U] = u12; - uint32_t u13 = load32_be(b10 + (uint32_t)56U); - ws[14U] = u13; - uint32_t u14 = load32_be(b10 + (uint32_t)60U); - ws[15U] = u14; - KRML_MAYBE_FOR4(i1, - (uint32_t)0U, - (uint32_t)4U, - (uint32_t)1U, - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; - uint32_t ws_t = ws[i]; - uint32_t a0 = st[0U]; - uint32_t b0 = st[1U]; - uint32_t c0 = st[2U]; - uint32_t d0 = st[3U]; - uint32_t e0 = st[4U]; - uint32_t f0 = st[5U]; - uint32_t g0 = st[6U]; - uint32_t h03 = st[7U]; - uint32_t k_e_t = k_t; - uint32_t - t1 = - h03 - + - ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) - ^ - ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) - ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) - + ((e0 & f0) ^ (~e0 & g0)) - + k_e_t - + ws_t; - uint32_t - t2 = - ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) - ^ - ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) - ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) - + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); - uint32_t a1 = t1 + t2; - uint32_t b1 = a0; - uint32_t c1 = b0; - uint32_t d1 = c0; - uint32_t e1 = d0 + t1; - uint32_t f1 = e0; - uint32_t g1 = f0; - uint32_t h12 = g0; - st[0U] = a1; - st[1U] = b1; - st[2U] = c1; - st[3U] = d1; - st[4U] = e1; - st[5U] = f1; - st[6U] = g1; - st[7U] = h12;); - if (i1 < (uint32_t)3U) - { - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t t16 = ws[i]; - uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; - uint32_t - s1 = - (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) - ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); - uint32_t - s0 = - (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) - ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws[i] = s1 + t7 + s0 + t16;); - }); - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = st; - uint32_t x = st[i] + hash_old[i]; - os[i] = x;); - } -} -Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224() +static inline void sha256_init(uint32_t *hash) { - uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); - uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); - Hacl_Streaming_SHA2_state_sha2_224 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; - Hacl_Streaming_SHA2_state_sha2_224 - *p = - (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( - Hacl_Streaming_SHA2_state_sha2_224 - )); - p[0U] = s; KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, - uint32_t *os = block_state; - uint32_t x = Hacl_Impl_SHA2_Generic_h224[i]; - os[i] = x;); - return p; -} - -void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s) -{ - Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; - uint8_t *buf = scrut.buf; - uint32_t *block_state = scrut.block_state; - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = block_state; - uint32_t x = Hacl_Impl_SHA2_Generic_h224[i]; + uint32_t *os = hash; + uint32_t x = Hacl_Impl_SHA2_Generic_h256[i]; os[i] = x;); - s[0U] = - ( - (Hacl_Streaming_SHA2_state_sha2_224){ - .block_state = block_state, - .buf = buf, - .total_len = (uint64_t)0U - } - ); } -void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +static inline void sha256_update0(uint8_t *b, uint32_t *hash) { - Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; - uint32_t *block_state = scrut.block_state; - uint8_t *buf_ = scrut.buf; - uint64_t total_len = scrut.total_len; - uint32_t r; - if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) - { - r = (uint32_t)64U; - } - else - { - r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); - } - uint8_t *buf_1 = buf_; - uint32_t tmp_block_state[8U] = { 0U }; - memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t)); - uint32_t ite; - if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) - { - ite = (uint32_t)64U; - } - else - { - ite = r % (uint32_t)64U; - } - uint8_t *buf_last = buf_1 + r - ite; - uint8_t *buf_multi = buf_1; - uint32_t blocks0 = (uint32_t)0U; - for (uint32_t i0 = (uint32_t)0U; i0 < blocks0; i0++) - { - uint8_t *b00 = buf_multi; - uint8_t *mb = b00 + i0 * (uint32_t)64U; - uint32_t hash_old[8U] = { 0U }; - uint32_t ws[16U] = { 0U }; - memcpy(hash_old, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b = mb; - uint32_t u = load32_be(b); - ws[0U] = u; - uint32_t u0 = load32_be(b + (uint32_t)4U); - ws[1U] = u0; - uint32_t u1 = load32_be(b + (uint32_t)8U); - ws[2U] = u1; - uint32_t u2 = load32_be(b + (uint32_t)12U); - ws[3U] = u2; - uint32_t u3 = load32_be(b + (uint32_t)16U); - ws[4U] = u3; - uint32_t u4 = load32_be(b + (uint32_t)20U); - ws[5U] = u4; - uint32_t u5 = load32_be(b + (uint32_t)24U); - ws[6U] = u5; - uint32_t u6 = load32_be(b + (uint32_t)28U); - ws[7U] = u6; - uint32_t u7 = load32_be(b + (uint32_t)32U); - ws[8U] = u7; - uint32_t u8 = load32_be(b + (uint32_t)36U); - ws[9U] = u8; - uint32_t u9 = load32_be(b + (uint32_t)40U); - ws[10U] = u9; - uint32_t u10 = load32_be(b + (uint32_t)44U); - ws[11U] = u10; - uint32_t u11 = load32_be(b + (uint32_t)48U); - ws[12U] = u11; - uint32_t u12 = load32_be(b + (uint32_t)52U); - ws[13U] = u12; - uint32_t u13 = load32_be(b + (uint32_t)56U); - ws[14U] = u13; - uint32_t u14 = load32_be(b + (uint32_t)60U); - ws[15U] = u14; - KRML_MAYBE_FOR4(i1, - (uint32_t)0U, - (uint32_t)4U, - (uint32_t)1U, - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; - uint32_t ws_t = ws[i]; - uint32_t a0 = tmp_block_state[0U]; - uint32_t b0 = tmp_block_state[1U]; - uint32_t c0 = tmp_block_state[2U]; - uint32_t d0 = tmp_block_state[3U]; - uint32_t e0 = tmp_block_state[4U]; - uint32_t f0 = tmp_block_state[5U]; - uint32_t g0 = tmp_block_state[6U]; - uint32_t h05 = tmp_block_state[7U]; - uint32_t k_e_t = k_t; - uint32_t - t1 = - h05 - + - ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) - ^ - ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) - ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) - + ((e0 & f0) ^ (~e0 & g0)) - + k_e_t - + ws_t; - uint32_t - t2 = - ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) - ^ - ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) - ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) - + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); - uint32_t a1 = t1 + t2; - uint32_t b1 = a0; - uint32_t c1 = b0; - uint32_t d1 = c0; - uint32_t e1 = d0 + t1; - uint32_t f1 = e0; - uint32_t g1 = f0; - uint32_t h13 = g0; - tmp_block_state[0U] = a1; - tmp_block_state[1U] = b1; - tmp_block_state[2U] = c1; - tmp_block_state[3U] = d1; - tmp_block_state[4U] = e1; - tmp_block_state[5U] = f1; - tmp_block_state[6U] = g1; - tmp_block_state[7U] = h13;); - if (i1 < (uint32_t)3U) - { - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t t16 = ws[i]; - uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; - uint32_t - s1 = - (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) - ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); - uint32_t - s0 = - (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) - ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws[i] = s1 + t7 + s0 + t16;); - }); - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = tmp_block_state; - uint32_t x = tmp_block_state[i] + hash_old[i]; - os[i] = x;); - } - uint64_t prev_len_last = total_len - (uint64_t)r; - uint32_t blocks; - if (r + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) - { - blocks = (uint32_t)1U; - } - else - { - blocks = (uint32_t)2U; - } - uint32_t fin = blocks * (uint32_t)64U; - uint8_t last[128U] = { 0U }; - uint8_t totlen_buf[8U] = { 0U }; - uint64_t total_len_bits = (prev_len_last + (uint64_t)r) << (uint32_t)3U; - store64_be(totlen_buf, total_len_bits); - uint8_t *b00 = buf_last; - memcpy(last, b00, r * sizeof (uint8_t)); - last[r] = (uint8_t)0x80U; - memcpy(last + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); - uint8_t *last00 = last; - uint8_t *last10 = last + (uint32_t)64U; - uint8_t *l0 = last00; - uint8_t *l1 = last10; - uint8_t *lb0 = l0; - uint8_t *lb1 = l1; - uint8_t *last0 = lb0; - uint8_t *last1 = lb1; uint32_t hash_old[8U] = { 0U }; - uint32_t ws0[16U] = { 0U }; - memcpy(hash_old, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b2 = last0; - uint32_t u0 = load32_be(b2); - ws0[0U] = u0; - uint32_t u1 = load32_be(b2 + (uint32_t)4U); - ws0[1U] = u1; - uint32_t u2 = load32_be(b2 + (uint32_t)8U); - ws0[2U] = u2; - uint32_t u3 = load32_be(b2 + (uint32_t)12U); - ws0[3U] = u3; - uint32_t u4 = load32_be(b2 + (uint32_t)16U); - ws0[4U] = u4; - uint32_t u5 = load32_be(b2 + (uint32_t)20U); - ws0[5U] = u5; - uint32_t u6 = load32_be(b2 + (uint32_t)24U); - ws0[6U] = u6; - uint32_t u7 = load32_be(b2 + (uint32_t)28U); - ws0[7U] = u7; - uint32_t u8 = load32_be(b2 + (uint32_t)32U); - ws0[8U] = u8; - uint32_t u9 = load32_be(b2 + (uint32_t)36U); - ws0[9U] = u9; - uint32_t u10 = load32_be(b2 + (uint32_t)40U); - ws0[10U] = u10; - uint32_t u11 = load32_be(b2 + (uint32_t)44U); - ws0[11U] = u11; - uint32_t u12 = load32_be(b2 + (uint32_t)48U); - ws0[12U] = u12; - uint32_t u13 = load32_be(b2 + (uint32_t)52U); - ws0[13U] = u13; - uint32_t u14 = load32_be(b2 + (uint32_t)56U); - ws0[14U] = u14; - uint32_t u15 = load32_be(b2 + (uint32_t)60U); - ws0[15U] = u15; + uint32_t ws[16U] = { 0U }; + memcpy(hash_old, hash, (uint32_t)8U * sizeof (uint32_t)); + uint8_t *b10 = b; + uint32_t u = load32_be(b10); + ws[0U] = u; + uint32_t u0 = load32_be(b10 + (uint32_t)4U); + ws[1U] = u0; + uint32_t u1 = load32_be(b10 + (uint32_t)8U); + ws[2U] = u1; + uint32_t u2 = load32_be(b10 + (uint32_t)12U); + ws[3U] = u2; + uint32_t u3 = load32_be(b10 + (uint32_t)16U); + ws[4U] = u3; + uint32_t u4 = load32_be(b10 + (uint32_t)20U); + ws[5U] = u4; + uint32_t u5 = load32_be(b10 + (uint32_t)24U); + ws[6U] = u5; + uint32_t u6 = load32_be(b10 + (uint32_t)28U); + ws[7U] = u6; + uint32_t u7 = load32_be(b10 + (uint32_t)32U); + ws[8U] = u7; + uint32_t u8 = load32_be(b10 + (uint32_t)36U); + ws[9U] = u8; + uint32_t u9 = load32_be(b10 + (uint32_t)40U); + ws[10U] = u9; + uint32_t u10 = load32_be(b10 + (uint32_t)44U); + ws[11U] = u10; + uint32_t u11 = load32_be(b10 + (uint32_t)48U); + ws[12U] = u11; + uint32_t u12 = load32_be(b10 + (uint32_t)52U); + ws[13U] = u12; + uint32_t u13 = load32_be(b10 + (uint32_t)56U); + ws[14U] = u13; + uint32_t u14 = load32_be(b10 + (uint32_t)60U); + ws[15U] = u14; KRML_MAYBE_FOR4(i0, (uint32_t)0U, (uint32_t)4U, @@ -455,19 +85,19 @@ void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8 (uint32_t)16U, (uint32_t)1U, uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; - uint32_t ws_t = ws0[i]; - uint32_t a0 = tmp_block_state[0U]; - uint32_t b0 = tmp_block_state[1U]; - uint32_t c0 = tmp_block_state[2U]; - uint32_t d0 = tmp_block_state[3U]; - uint32_t e0 = tmp_block_state[4U]; - uint32_t f0 = tmp_block_state[5U]; - uint32_t g0 = tmp_block_state[6U]; - uint32_t h05 = tmp_block_state[7U]; + uint32_t ws_t = ws[i]; + uint32_t a0 = hash[0U]; + uint32_t b0 = hash[1U]; + uint32_t c0 = hash[2U]; + uint32_t d0 = hash[3U]; + uint32_t e0 = hash[4U]; + uint32_t f0 = hash[5U]; + uint32_t g0 = hash[6U]; + uint32_t h02 = hash[7U]; uint32_t k_e_t = k_t; uint32_t t1 = - h05 + h02 + ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) ^ @@ -490,25 +120,25 @@ void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8 uint32_t e1 = d0 + t1; uint32_t f1 = e0; uint32_t g1 = f0; - uint32_t h14 = g0; - tmp_block_state[0U] = a1; - tmp_block_state[1U] = b1; - tmp_block_state[2U] = c1; - tmp_block_state[3U] = d1; - tmp_block_state[4U] = e1; - tmp_block_state[5U] = f1; - tmp_block_state[6U] = g1; - tmp_block_state[7U] = h14;); + uint32_t h12 = g0; + hash[0U] = a1; + hash[1U] = b1; + hash[2U] = c1; + hash[3U] = d1; + hash[4U] = e1; + hash[5U] = f1; + hash[6U] = g1; + hash[7U] = h12;); if (i0 < (uint32_t)3U) { KRML_MAYBE_FOR16(i, (uint32_t)0U, (uint32_t)16U, (uint32_t)1U, - uint32_t t16 = ws0[i]; - uint32_t t15 = ws0[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws0[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws0[(i + (uint32_t)14U) % (uint32_t)16U]; + uint32_t t16 = ws[i]; + uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; + uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; + uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; uint32_t s1 = (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) @@ -517,206 +147,144 @@ void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8 s0 = (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws0[i] = s1 + t7 + s0 + t16;); + ws[i] = s1 + t7 + s0 + t16;); }); KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, - uint32_t *os = tmp_block_state; - uint32_t x = tmp_block_state[i] + hash_old[i]; + uint32_t *os = hash; + uint32_t x = hash[i] + hash_old[i]; os[i] = x;); +} + +static inline void sha256_update_nblocks(uint32_t len, uint8_t *b, uint32_t *st) +{ + uint32_t blocks = len / (uint32_t)64U; + for (uint32_t i = (uint32_t)0U; i < blocks; i++) + { + uint8_t *b0 = b; + uint8_t *mb = b0 + i * (uint32_t)64U; + sha256_update0(mb, st); + } +} + +static inline void +sha256_update_last(uint64_t totlen, uint32_t len, uint8_t *b, uint32_t *hash) +{ + uint32_t blocks; + if (len + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) + { + blocks = (uint32_t)1U; + } + else + { + blocks = (uint32_t)2U; + } + uint32_t fin = blocks * (uint32_t)64U; + uint8_t last[128U] = { 0U }; + uint8_t totlen_buf[8U] = { 0U }; + uint64_t total_len_bits = totlen << (uint32_t)3U; + store64_be(totlen_buf, total_len_bits); + uint8_t *b0 = b; + memcpy(last, b0, len * sizeof (uint8_t)); + last[len] = (uint8_t)0x80U; + memcpy(last + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); + uint8_t *last00 = last; + uint8_t *last10 = last + (uint32_t)64U; + uint8_t *l0 = last00; + uint8_t *l1 = last10; + uint8_t *lb0 = l0; + uint8_t *lb1 = l1; + uint8_t *last0 = lb0; + uint8_t *last1 = lb1; + sha256_update0(last0, hash); if (blocks > (uint32_t)1U) { - uint32_t hash_old0[8U] = { 0U }; - uint32_t ws[16U] = { 0U }; - memcpy(hash_old0, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b = last1; - uint32_t u = load32_be(b); - ws[0U] = u; - uint32_t u16 = load32_be(b + (uint32_t)4U); - ws[1U] = u16; - uint32_t u17 = load32_be(b + (uint32_t)8U); - ws[2U] = u17; - uint32_t u18 = load32_be(b + (uint32_t)12U); - ws[3U] = u18; - uint32_t u19 = load32_be(b + (uint32_t)16U); - ws[4U] = u19; - uint32_t u20 = load32_be(b + (uint32_t)20U); - ws[5U] = u20; - uint32_t u21 = load32_be(b + (uint32_t)24U); - ws[6U] = u21; - uint32_t u22 = load32_be(b + (uint32_t)28U); - ws[7U] = u22; - uint32_t u23 = load32_be(b + (uint32_t)32U); - ws[8U] = u23; - uint32_t u24 = load32_be(b + (uint32_t)36U); - ws[9U] = u24; - uint32_t u25 = load32_be(b + (uint32_t)40U); - ws[10U] = u25; - uint32_t u26 = load32_be(b + (uint32_t)44U); - ws[11U] = u26; - uint32_t u27 = load32_be(b + (uint32_t)48U); - ws[12U] = u27; - uint32_t u28 = load32_be(b + (uint32_t)52U); - ws[13U] = u28; - uint32_t u29 = load32_be(b + (uint32_t)56U); - ws[14U] = u29; - uint32_t u30 = load32_be(b + (uint32_t)60U); - ws[15U] = u30; - KRML_MAYBE_FOR4(i0, - (uint32_t)0U, - (uint32_t)4U, - (uint32_t)1U, - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; - uint32_t ws_t = ws[i]; - uint32_t a0 = tmp_block_state[0U]; - uint32_t b0 = tmp_block_state[1U]; - uint32_t c0 = tmp_block_state[2U]; - uint32_t d0 = tmp_block_state[3U]; - uint32_t e0 = tmp_block_state[4U]; - uint32_t f0 = tmp_block_state[5U]; - uint32_t g0 = tmp_block_state[6U]; - uint32_t h05 = tmp_block_state[7U]; - uint32_t k_e_t = k_t; - uint32_t - t1 = - h05 - + - ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) - ^ - ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) - ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) - + ((e0 & f0) ^ (~e0 & g0)) - + k_e_t - + ws_t; - uint32_t - t2 = - ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) - ^ - ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) - ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) - + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); - uint32_t a1 = t1 + t2; - uint32_t b1 = a0; - uint32_t c1 = b0; - uint32_t d1 = c0; - uint32_t e1 = d0 + t1; - uint32_t f1 = e0; - uint32_t g1 = f0; - uint32_t h14 = g0; - tmp_block_state[0U] = a1; - tmp_block_state[1U] = b1; - tmp_block_state[2U] = c1; - tmp_block_state[3U] = d1; - tmp_block_state[4U] = e1; - tmp_block_state[5U] = f1; - tmp_block_state[6U] = g1; - tmp_block_state[7U] = h14;); - if (i0 < (uint32_t)3U) - { - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t t16 = ws[i]; - uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; - uint32_t - s1 = - (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) - ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); - uint32_t - s0 = - (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) - ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws[i] = s1 + t7 + s0 + t16;); - }); - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = tmp_block_state; - uint32_t x = tmp_block_state[i] + hash_old0[i]; - os[i] = x;); + sha256_update0(last1, hash); + return; } +} + +static inline void sha256_finish(uint32_t *st, uint8_t *h) +{ uint8_t hbuf[32U] = { 0U }; KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, - store32_be(hbuf + i * (uint32_t)4U, tmp_block_state[i]);); - memcpy(dst, hbuf, (uint32_t)28U * sizeof (uint8_t)); + store32_be(hbuf + i * (uint32_t)4U, st[i]);); + memcpy(h, hbuf, (uint32_t)32U * sizeof (uint8_t)); } -void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *s) +static inline void sha224_init(uint32_t *hash) { - Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; - uint8_t *buf = scrut.buf; - uint32_t *block_state = scrut.block_state; - KRML_HOST_FREE(block_state); - KRML_HOST_FREE(buf); - KRML_HOST_FREE(s); + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + uint32_t *os = hash; + uint32_t x = Hacl_Impl_SHA2_Generic_h224[i]; + os[i] = x;); +} + +static inline void sha224_update_nblocks(uint32_t len, uint8_t *b, uint32_t *st) +{ + sha256_update_nblocks(len, b, st); } +static void sha224_update_last(uint64_t totlen, uint32_t len, uint8_t *b, uint32_t *st) +{ + sha256_update_last(totlen, len, b, st); +} + +static inline void sha224_finish(uint32_t *st, uint8_t *h) +{ + uint8_t hbuf[32U] = { 0U }; + KRML_MAYBE_FOR8(i, + (uint32_t)0U, + (uint32_t)8U, + (uint32_t)1U, + store32_be(hbuf + i * (uint32_t)4U, st[i]);); + memcpy(h, hbuf, (uint32_t)28U * sizeof (uint8_t)); +} + +/** +Allocate initial state for the SHA2_256 hash. The state is to be freed by +calling `free_256`. +*/ Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256() { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); Hacl_Streaming_SHA2_state_sha2_224 - s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)0U }; + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; Hacl_Streaming_SHA2_state_sha2_224 *p = (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( Hacl_Streaming_SHA2_state_sha2_224 )); p[0U] = s; - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = block_state; - uint32_t x = Hacl_Impl_SHA2_Generic_h256[i]; - os[i] = x;); + sha256_init(block_state); return p; } +/** +Reset an existing state to the initial hash state with empty data. +*/ void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s) { Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; uint8_t *buf = scrut.buf; uint32_t *block_state = scrut.block_state; - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = block_state; - uint32_t x = Hacl_Impl_SHA2_Generic_h256[i]; - os[i] = x;); - s[0U] = - ( - (Hacl_Streaming_SHA2_state_sha2_224){ - .block_state = block_state, - .buf = buf, - .total_len = (uint64_t)0U - } - ); + sha256_init(block_state); + Hacl_Streaming_SHA2_state_sha2_224 + tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; + s[0U] = tmp; } -/** -0 = success, 1 = max length exceeded -*/ -uint32_t -Hacl_Streaming_SHA2_update_256( - Hacl_Streaming_SHA2_state_sha2_224 *p, - uint8_t *data, - uint32_t len -) +static inline uint32_t +update_224_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *data, uint32_t len) { Hacl_Streaming_SHA2_state_sha2_224 s = *p; uint64_t total_len = s.total_len; @@ -778,7 +346,7 @@ Hacl_Streaming_SHA2_update_256( } if (!(sz1 == (uint32_t)0U)) { - update_nblocks_256((uint32_t)64U, buf, block_state1); + sha256_update_nblocks((uint32_t)64U, buf, block_state1); } uint32_t ite; if ((uint64_t)len % (uint64_t)(uint32_t)64U == (uint64_t)0U && (uint64_t)len > (uint64_t)0U) @@ -794,7 +362,7 @@ Hacl_Streaming_SHA2_update_256( uint32_t data2_len = len - data1_len; uint8_t *data1 = data; uint8_t *data2 = data + data1_len; - update_nblocks_256(data1_len, data1, block_state1); + sha256_update_nblocks(data1_len, data1, block_state1); uint8_t *dst = buf; memcpy(dst, data2, data2_len * sizeof (uint8_t)); *p @@ -852,7 +420,7 @@ Hacl_Streaming_SHA2_update_256( } if (!(sz1 == (uint32_t)0U)) { - update_nblocks_256((uint32_t)64U, buf, block_state1); + sha256_update_nblocks((uint32_t)64U, buf, block_state1); } uint32_t ite; if @@ -874,7 +442,7 @@ Hacl_Streaming_SHA2_update_256( uint32_t data2_len = len - diff - data1_len; uint8_t *data11 = data2; uint8_t *data21 = data2 + data1_len; - update_nblocks_256(data1_len, data11, block_state1); + sha256_update_nblocks(data1_len, data11, block_state1); uint8_t *dst = buf; memcpy(dst, data21, data2_len * sizeof (uint8_t)); *p @@ -890,6 +458,29 @@ Hacl_Streaming_SHA2_update_256( return (uint32_t)0U; } +/** +Feed an arbitrary amount of data into the hash. This function returns 0 for +success, or 1 if the combined length of all of the data passed to `update_256` +(since the last call to `init_256`) exceeds 2^61-1 bytes. + +This function is identical to the update function for SHA2_224. +*/ +uint32_t +Hacl_Streaming_SHA2_update_256( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *input, + uint32_t input_len +) +{ + return update_224_256(p, input, input_len); +} + +/** +Write the resulting hash into `dst`, an array of 32 bytes. The state remains +valid after a call to `finish_256`, meaning the user may feed more data into +the hash via `update_256`. (The finish_256 function operates on an internal copy of +the state and therefore does not invalidate the client-held state `p`.) +*/ void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) { Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; @@ -919,399 +510,17 @@ void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8 } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - uint32_t blocks0 = (uint32_t)0U; - for (uint32_t i0 = (uint32_t)0U; i0 < blocks0; i0++) - { - uint8_t *b00 = buf_multi; - uint8_t *mb = b00 + i0 * (uint32_t)64U; - uint32_t hash_old[8U] = { 0U }; - uint32_t ws[16U] = { 0U }; - memcpy(hash_old, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b = mb; - uint32_t u = load32_be(b); - ws[0U] = u; - uint32_t u0 = load32_be(b + (uint32_t)4U); - ws[1U] = u0; - uint32_t u1 = load32_be(b + (uint32_t)8U); - ws[2U] = u1; - uint32_t u2 = load32_be(b + (uint32_t)12U); - ws[3U] = u2; - uint32_t u3 = load32_be(b + (uint32_t)16U); - ws[4U] = u3; - uint32_t u4 = load32_be(b + (uint32_t)20U); - ws[5U] = u4; - uint32_t u5 = load32_be(b + (uint32_t)24U); - ws[6U] = u5; - uint32_t u6 = load32_be(b + (uint32_t)28U); - ws[7U] = u6; - uint32_t u7 = load32_be(b + (uint32_t)32U); - ws[8U] = u7; - uint32_t u8 = load32_be(b + (uint32_t)36U); - ws[9U] = u8; - uint32_t u9 = load32_be(b + (uint32_t)40U); - ws[10U] = u9; - uint32_t u10 = load32_be(b + (uint32_t)44U); - ws[11U] = u10; - uint32_t u11 = load32_be(b + (uint32_t)48U); - ws[12U] = u11; - uint32_t u12 = load32_be(b + (uint32_t)52U); - ws[13U] = u12; - uint32_t u13 = load32_be(b + (uint32_t)56U); - ws[14U] = u13; - uint32_t u14 = load32_be(b + (uint32_t)60U); - ws[15U] = u14; - KRML_MAYBE_FOR4(i1, - (uint32_t)0U, - (uint32_t)4U, - (uint32_t)1U, - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i1 + i]; - uint32_t ws_t = ws[i]; - uint32_t a0 = tmp_block_state[0U]; - uint32_t b0 = tmp_block_state[1U]; - uint32_t c0 = tmp_block_state[2U]; - uint32_t d0 = tmp_block_state[3U]; - uint32_t e0 = tmp_block_state[4U]; - uint32_t f0 = tmp_block_state[5U]; - uint32_t g0 = tmp_block_state[6U]; - uint32_t h05 = tmp_block_state[7U]; - uint32_t k_e_t = k_t; - uint32_t - t1 = - h05 - + - ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) - ^ - ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) - ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) - + ((e0 & f0) ^ (~e0 & g0)) - + k_e_t - + ws_t; - uint32_t - t2 = - ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) - ^ - ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) - ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) - + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); - uint32_t a1 = t1 + t2; - uint32_t b1 = a0; - uint32_t c1 = b0; - uint32_t d1 = c0; - uint32_t e1 = d0 + t1; - uint32_t f1 = e0; - uint32_t g1 = f0; - uint32_t h13 = g0; - tmp_block_state[0U] = a1; - tmp_block_state[1U] = b1; - tmp_block_state[2U] = c1; - tmp_block_state[3U] = d1; - tmp_block_state[4U] = e1; - tmp_block_state[5U] = f1; - tmp_block_state[6U] = g1; - tmp_block_state[7U] = h13;); - if (i1 < (uint32_t)3U) - { - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t t16 = ws[i]; - uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; - uint32_t - s1 = - (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) - ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); - uint32_t - s0 = - (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) - ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws[i] = s1 + t7 + s0 + t16;); - }); - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = tmp_block_state; - uint32_t x = tmp_block_state[i] + hash_old[i]; - os[i] = x;); - } + sha256_update_nblocks((uint32_t)0U, buf_multi, tmp_block_state); uint64_t prev_len_last = total_len - (uint64_t)r; - uint32_t blocks; - if (r + (uint32_t)8U + (uint32_t)1U <= (uint32_t)64U) - { - blocks = (uint32_t)1U; - } - else - { - blocks = (uint32_t)2U; - } - uint32_t fin = blocks * (uint32_t)64U; - uint8_t last[128U] = { 0U }; - uint8_t totlen_buf[8U] = { 0U }; - uint64_t total_len_bits = (prev_len_last + (uint64_t)r) << (uint32_t)3U; - store64_be(totlen_buf, total_len_bits); - uint8_t *b00 = buf_last; - memcpy(last, b00, r * sizeof (uint8_t)); - last[r] = (uint8_t)0x80U; - memcpy(last + fin - (uint32_t)8U, totlen_buf, (uint32_t)8U * sizeof (uint8_t)); - uint8_t *last00 = last; - uint8_t *last10 = last + (uint32_t)64U; - uint8_t *l0 = last00; - uint8_t *l1 = last10; - uint8_t *lb0 = l0; - uint8_t *lb1 = l1; - uint8_t *last0 = lb0; - uint8_t *last1 = lb1; - uint32_t hash_old[8U] = { 0U }; - uint32_t ws0[16U] = { 0U }; - memcpy(hash_old, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b2 = last0; - uint32_t u0 = load32_be(b2); - ws0[0U] = u0; - uint32_t u1 = load32_be(b2 + (uint32_t)4U); - ws0[1U] = u1; - uint32_t u2 = load32_be(b2 + (uint32_t)8U); - ws0[2U] = u2; - uint32_t u3 = load32_be(b2 + (uint32_t)12U); - ws0[3U] = u3; - uint32_t u4 = load32_be(b2 + (uint32_t)16U); - ws0[4U] = u4; - uint32_t u5 = load32_be(b2 + (uint32_t)20U); - ws0[5U] = u5; - uint32_t u6 = load32_be(b2 + (uint32_t)24U); - ws0[6U] = u6; - uint32_t u7 = load32_be(b2 + (uint32_t)28U); - ws0[7U] = u7; - uint32_t u8 = load32_be(b2 + (uint32_t)32U); - ws0[8U] = u8; - uint32_t u9 = load32_be(b2 + (uint32_t)36U); - ws0[9U] = u9; - uint32_t u10 = load32_be(b2 + (uint32_t)40U); - ws0[10U] = u10; - uint32_t u11 = load32_be(b2 + (uint32_t)44U); - ws0[11U] = u11; - uint32_t u12 = load32_be(b2 + (uint32_t)48U); - ws0[12U] = u12; - uint32_t u13 = load32_be(b2 + (uint32_t)52U); - ws0[13U] = u13; - uint32_t u14 = load32_be(b2 + (uint32_t)56U); - ws0[14U] = u14; - uint32_t u15 = load32_be(b2 + (uint32_t)60U); - ws0[15U] = u15; - KRML_MAYBE_FOR4(i0, - (uint32_t)0U, - (uint32_t)4U, - (uint32_t)1U, - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; - uint32_t ws_t = ws0[i]; - uint32_t a0 = tmp_block_state[0U]; - uint32_t b0 = tmp_block_state[1U]; - uint32_t c0 = tmp_block_state[2U]; - uint32_t d0 = tmp_block_state[3U]; - uint32_t e0 = tmp_block_state[4U]; - uint32_t f0 = tmp_block_state[5U]; - uint32_t g0 = tmp_block_state[6U]; - uint32_t h05 = tmp_block_state[7U]; - uint32_t k_e_t = k_t; - uint32_t - t1 = - h05 - + - ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) - ^ - ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) - ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) - + ((e0 & f0) ^ (~e0 & g0)) - + k_e_t - + ws_t; - uint32_t - t2 = - ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) - ^ - ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) - ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) - + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); - uint32_t a1 = t1 + t2; - uint32_t b1 = a0; - uint32_t c1 = b0; - uint32_t d1 = c0; - uint32_t e1 = d0 + t1; - uint32_t f1 = e0; - uint32_t g1 = f0; - uint32_t h14 = g0; - tmp_block_state[0U] = a1; - tmp_block_state[1U] = b1; - tmp_block_state[2U] = c1; - tmp_block_state[3U] = d1; - tmp_block_state[4U] = e1; - tmp_block_state[5U] = f1; - tmp_block_state[6U] = g1; - tmp_block_state[7U] = h14;); - if (i0 < (uint32_t)3U) - { - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t t16 = ws0[i]; - uint32_t t15 = ws0[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws0[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws0[(i + (uint32_t)14U) % (uint32_t)16U]; - uint32_t - s1 = - (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) - ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); - uint32_t - s0 = - (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) - ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws0[i] = s1 + t7 + s0 + t16;); - }); - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = tmp_block_state; - uint32_t x = tmp_block_state[i] + hash_old[i]; - os[i] = x;); - if (blocks > (uint32_t)1U) - { - uint32_t hash_old0[8U] = { 0U }; - uint32_t ws[16U] = { 0U }; - memcpy(hash_old0, tmp_block_state, (uint32_t)8U * sizeof (uint32_t)); - uint8_t *b = last1; - uint32_t u = load32_be(b); - ws[0U] = u; - uint32_t u16 = load32_be(b + (uint32_t)4U); - ws[1U] = u16; - uint32_t u17 = load32_be(b + (uint32_t)8U); - ws[2U] = u17; - uint32_t u18 = load32_be(b + (uint32_t)12U); - ws[3U] = u18; - uint32_t u19 = load32_be(b + (uint32_t)16U); - ws[4U] = u19; - uint32_t u20 = load32_be(b + (uint32_t)20U); - ws[5U] = u20; - uint32_t u21 = load32_be(b + (uint32_t)24U); - ws[6U] = u21; - uint32_t u22 = load32_be(b + (uint32_t)28U); - ws[7U] = u22; - uint32_t u23 = load32_be(b + (uint32_t)32U); - ws[8U] = u23; - uint32_t u24 = load32_be(b + (uint32_t)36U); - ws[9U] = u24; - uint32_t u25 = load32_be(b + (uint32_t)40U); - ws[10U] = u25; - uint32_t u26 = load32_be(b + (uint32_t)44U); - ws[11U] = u26; - uint32_t u27 = load32_be(b + (uint32_t)48U); - ws[12U] = u27; - uint32_t u28 = load32_be(b + (uint32_t)52U); - ws[13U] = u28; - uint32_t u29 = load32_be(b + (uint32_t)56U); - ws[14U] = u29; - uint32_t u30 = load32_be(b + (uint32_t)60U); - ws[15U] = u30; - KRML_MAYBE_FOR4(i0, - (uint32_t)0U, - (uint32_t)4U, - (uint32_t)1U, - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t k_t = Hacl_Impl_SHA2_Generic_k224_256[(uint32_t)16U * i0 + i]; - uint32_t ws_t = ws[i]; - uint32_t a0 = tmp_block_state[0U]; - uint32_t b0 = tmp_block_state[1U]; - uint32_t c0 = tmp_block_state[2U]; - uint32_t d0 = tmp_block_state[3U]; - uint32_t e0 = tmp_block_state[4U]; - uint32_t f0 = tmp_block_state[5U]; - uint32_t g0 = tmp_block_state[6U]; - uint32_t h05 = tmp_block_state[7U]; - uint32_t k_e_t = k_t; - uint32_t - t1 = - h05 - + - ((e0 << (uint32_t)26U | e0 >> (uint32_t)6U) - ^ - ((e0 << (uint32_t)21U | e0 >> (uint32_t)11U) - ^ (e0 << (uint32_t)7U | e0 >> (uint32_t)25U))) - + ((e0 & f0) ^ (~e0 & g0)) - + k_e_t - + ws_t; - uint32_t - t2 = - ((a0 << (uint32_t)30U | a0 >> (uint32_t)2U) - ^ - ((a0 << (uint32_t)19U | a0 >> (uint32_t)13U) - ^ (a0 << (uint32_t)10U | a0 >> (uint32_t)22U))) - + ((a0 & b0) ^ ((a0 & c0) ^ (b0 & c0))); - uint32_t a1 = t1 + t2; - uint32_t b1 = a0; - uint32_t c1 = b0; - uint32_t d1 = c0; - uint32_t e1 = d0 + t1; - uint32_t f1 = e0; - uint32_t g1 = f0; - uint32_t h14 = g0; - tmp_block_state[0U] = a1; - tmp_block_state[1U] = b1; - tmp_block_state[2U] = c1; - tmp_block_state[3U] = d1; - tmp_block_state[4U] = e1; - tmp_block_state[5U] = f1; - tmp_block_state[6U] = g1; - tmp_block_state[7U] = h14;); - if (i0 < (uint32_t)3U) - { - KRML_MAYBE_FOR16(i, - (uint32_t)0U, - (uint32_t)16U, - (uint32_t)1U, - uint32_t t16 = ws[i]; - uint32_t t15 = ws[(i + (uint32_t)1U) % (uint32_t)16U]; - uint32_t t7 = ws[(i + (uint32_t)9U) % (uint32_t)16U]; - uint32_t t2 = ws[(i + (uint32_t)14U) % (uint32_t)16U]; - uint32_t - s1 = - (t2 << (uint32_t)15U | t2 >> (uint32_t)17U) - ^ ((t2 << (uint32_t)13U | t2 >> (uint32_t)19U) ^ t2 >> (uint32_t)10U); - uint32_t - s0 = - (t15 << (uint32_t)25U | t15 >> (uint32_t)7U) - ^ ((t15 << (uint32_t)14U | t15 >> (uint32_t)18U) ^ t15 >> (uint32_t)3U); - ws[i] = s1 + t7 + s0 + t16;); - }); - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - uint32_t *os = tmp_block_state; - uint32_t x = tmp_block_state[i] + hash_old0[i]; - os[i] = x;); - } - uint8_t hbuf[32U] = { 0U }; - KRML_MAYBE_FOR8(i, - (uint32_t)0U, - (uint32_t)8U, - (uint32_t)1U, - store32_be(hbuf + i * (uint32_t)4U, tmp_block_state[i]);); - memcpy(dst, hbuf, (uint32_t)32U * sizeof (uint8_t)); + sha256_update_last(prev_len_last + (uint64_t)r, r, buf_last, tmp_block_state); + sha256_finish(tmp_block_state, dst); } +/** +Free a state allocated with `create_in_256`. + +This function is identical to the free function for SHA2_224. +*/ void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s) { Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; @@ -1321,3 +530,124 @@ void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s) KRML_HOST_FREE(buf); KRML_HOST_FREE(s); } + +/** +Hash `input`, of len `input_len`, into `dst`, an array of 32 bytes. +*/ +void Hacl_Streaming_SHA2_sha256(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint8_t *ib = input; + uint8_t *rb = dst; + uint32_t st[8U] = { 0U }; + sha256_init(st); + uint32_t rem = input_len % (uint32_t)64U; + uint64_t len_ = (uint64_t)input_len; + sha256_update_nblocks(input_len, ib, st); + uint32_t rem1 = input_len % (uint32_t)64U; + uint8_t *b0 = ib; + uint8_t *lb = b0 + input_len - rem1; + sha256_update_last(len_, rem, lb, st); + sha256_finish(st, rb); +} + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224() +{ + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 + s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; + Hacl_Streaming_SHA2_state_sha2_224 + *p = + (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_SHA2_state_sha2_224 + )); + p[0U] = s; + sha224_init(block_state); + return p; +} + +void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s; + uint8_t *buf = scrut.buf; + uint32_t *block_state = scrut.block_state; + sha224_init(block_state); + Hacl_Streaming_SHA2_state_sha2_224 + tmp = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; + s[0U] = tmp; +} + +uint32_t +Hacl_Streaming_SHA2_update_224( + Hacl_Streaming_SHA2_state_sha2_224 *p, + uint8_t *input, + uint32_t input_len +) +{ + return update_224_256(p, input, input_len); +} + +/** +Write the resulting hash into `dst`, an array of 28 bytes. The state remains +valid after a call to `finish_224`, meaning the user may feed more data into +the hash via `update_224`. +*/ +void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *p; + uint32_t *block_state = scrut.block_state; + uint8_t *buf_ = scrut.buf; + uint64_t total_len = scrut.total_len; + uint32_t r; + if (total_len % (uint64_t)(uint32_t)64U == (uint64_t)0U && total_len > (uint64_t)0U) + { + r = (uint32_t)64U; + } + else + { + r = (uint32_t)(total_len % (uint64_t)(uint32_t)64U); + } + uint8_t *buf_1 = buf_; + uint32_t tmp_block_state[8U] = { 0U }; + memcpy(tmp_block_state, block_state, (uint32_t)8U * sizeof (uint32_t)); + uint32_t ite; + if (r % (uint32_t)64U == (uint32_t)0U && r > (uint32_t)0U) + { + ite = (uint32_t)64U; + } + else + { + ite = r % (uint32_t)64U; + } + uint8_t *buf_last = buf_1 + r - ite; + uint8_t *buf_multi = buf_1; + sha224_update_nblocks((uint32_t)0U, buf_multi, tmp_block_state); + uint64_t prev_len_last = total_len - (uint64_t)r; + sha224_update_last(prev_len_last + (uint64_t)r, r, buf_last, tmp_block_state); + sha224_finish(tmp_block_state, dst); +} + +void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *p) +{ + Hacl_Streaming_SHA2_free_256(p); +} + +/** +Hash `input`, of len `input_len`, into `dst`, an array of 28 bytes. +*/ +void Hacl_Streaming_SHA2_sha224(uint8_t *input, uint32_t input_len, uint8_t *dst) +{ + uint8_t *ib = input; + uint8_t *rb = dst; + uint32_t st[8U] = { 0U }; + sha224_init(st); + uint32_t rem = input_len % (uint32_t)64U; + uint64_t len_ = (uint64_t)input_len; + sha224_update_nblocks(input_len, ib, st); + uint32_t rem1 = input_len % (uint32_t)64U; + uint8_t *b0 = ib; + uint8_t *lb = b0 + input_len - rem1; + sha224_update_last(len_, rem, lb, st); + sha224_finish(st, rb); +} + diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.h b/Modules/_hacl/Hacl_Streaming_SHA2.h index 189bb10d034d28..2aab2c69a7679c 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.h +++ b/Modules/_hacl/Hacl_Streaming_SHA2.h @@ -30,10 +30,13 @@ extern "C" { #endif #include +#include "krml/FStar_UInt_8_16_32_64.h" #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" + + typedef struct Hacl_Streaming_SHA2_state_sha2_224_s { uint32_t *block_state; @@ -44,41 +47,75 @@ Hacl_Streaming_SHA2_state_sha2_224; typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_SHA2_state_sha2_256; -Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224(void); +/** +Allocate initial state for the SHA2_256 hash. The state is to be freed by +calling `free_256`. +*/ +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(); -void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s); +/** +Reset an existing state to the initial hash state with empty data. +*/ +void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s); /** -0 = success, 1 = max length exceeded +Feed an arbitrary amount of data into the hash. This function returns 0 for +success, or 1 if the combined length of all of the data passed to `update_256` +(since the last call to `init_256`) exceeds 2^61-1 bytes. + +This function is identical to the update function for SHA2_224. */ uint32_t -Hacl_Streaming_SHA2_update_224( +Hacl_Streaming_SHA2_update_256( Hacl_Streaming_SHA2_state_sha2_224 *p, - uint8_t *data, - uint32_t len + uint8_t *input, + uint32_t input_len ); -void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); - -void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *s); +/** +Write the resulting hash into `dst`, an array of 32 bytes. The state remains +valid after a call to `finish_256`, meaning the user may feed more data into +the hash via `update_256`. (The finish_256 function operates on an internal copy of +the state and therefore does not invalidate the client-held state `p`.) +*/ +void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); -Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(void); +/** +Free a state allocated with `create_in_256`. -void Hacl_Streaming_SHA2_init_256(Hacl_Streaming_SHA2_state_sha2_224 *s); +This function is identical to the free function for SHA2_224. +*/ +void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s); /** -0 = success, 1 = max length exceeded +Hash `input`, of len `input_len`, into `dst`, an array of 32 bytes. */ +void Hacl_Streaming_SHA2_sha256(uint8_t *input, uint32_t input_len, uint8_t *dst); + +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224(); + +void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s); + uint32_t -Hacl_Streaming_SHA2_update_256( +Hacl_Streaming_SHA2_update_224( Hacl_Streaming_SHA2_state_sha2_224 *p, - uint8_t *data, - uint32_t len + uint8_t *input, + uint32_t input_len ); -void Hacl_Streaming_SHA2_finish_256(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); +/** +Write the resulting hash into `dst`, an array of 28 bytes. The state remains +valid after a call to `finish_224`, meaning the user may feed more data into +the hash via `update_224`. +*/ +void Hacl_Streaming_SHA2_finish_224(Hacl_Streaming_SHA2_state_sha2_224 *p, uint8_t *dst); -void Hacl_Streaming_SHA2_free_256(Hacl_Streaming_SHA2_state_sha2_224 *s); +void Hacl_Streaming_SHA2_free_224(Hacl_Streaming_SHA2_state_sha2_224 *p); + +/** +Hash `input`, of len `input_len`, into `dst`, an array of 28 bytes. +*/ +void Hacl_Streaming_SHA2_sha224(uint8_t *input, uint32_t input_len, uint8_t *dst); #if defined(__cplusplus) } diff --git a/Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h b/Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h index c58da1b37c204e..3e2e4b32b22f96 100644 --- a/Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h +++ b/Modules/_hacl/include/krml/FStar_UInt_8_16_32_64.h @@ -7,12 +7,15 @@ #ifndef __FStar_UInt_8_16_32_64_H #define __FStar_UInt_8_16_32_64_H + + + #include #include + #include "krml/lowstar_endianness.h" -#include "krml/internal/types.h" +#include "krml/FStar_UInt_8_16_32_64.h" #include "krml/internal/target.h" - static inline uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b) { uint64_t x = a ^ b; @@ -101,5 +104,6 @@ static inline uint8_t FStar_UInt8_gte_mask(uint8_t a, uint8_t b) return x_xor_q_ - (uint8_t)1U; } + #define __FStar_UInt_8_16_32_64_H_DEFINED #endif diff --git a/Modules/_hacl/include/krml/internal/target.h b/Modules/_hacl/include/krml/internal/target.h index 7fad802e6cb0f0..9ef59859a554b5 100644 --- a/Modules/_hacl/include/krml/internal/target.h +++ b/Modules/_hacl/include/krml/internal/target.h @@ -5,10 +5,12 @@ #define __KRML_TARGET_H #include +#include #include #include #include #include +#include /* Since KaRaMeL emits the inline keyword unconditionally, we follow the * guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this @@ -17,11 +19,6 @@ # define inline __inline__ #endif -/******************************************************************************/ -/* Macros that KaRaMeL will generate. */ -/******************************************************************************/ - - #ifndef KRML_HOST_MALLOC # define KRML_HOST_MALLOC malloc #endif diff --git a/Modules/_hacl/internal/Hacl_SHA2_Generic.h b/Modules/_hacl/internal/Hacl_SHA2_Generic.h new file mode 100644 index 00000000000000..5086b805b70b89 --- /dev/null +++ b/Modules/_hacl/internal/Hacl_SHA2_Generic.h @@ -0,0 +1,134 @@ +/* MIT License + * + * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __internal_Hacl_SHA2_Generic_H +#define __internal_Hacl_SHA2_Generic_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/FStar_UInt_8_16_32_64.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + + + + +static const +uint32_t +Hacl_Impl_SHA2_Generic_h224[8U] = + { + (uint32_t)0xc1059ed8U, (uint32_t)0x367cd507U, (uint32_t)0x3070dd17U, (uint32_t)0xf70e5939U, + (uint32_t)0xffc00b31U, (uint32_t)0x68581511U, (uint32_t)0x64f98fa7U, (uint32_t)0xbefa4fa4U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_h256[8U] = + { + (uint32_t)0x6a09e667U, (uint32_t)0xbb67ae85U, (uint32_t)0x3c6ef372U, (uint32_t)0xa54ff53aU, + (uint32_t)0x510e527fU, (uint32_t)0x9b05688cU, (uint32_t)0x1f83d9abU, (uint32_t)0x5be0cd19U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_h384[8U] = + { + (uint64_t)0xcbbb9d5dc1059ed8U, (uint64_t)0x629a292a367cd507U, (uint64_t)0x9159015a3070dd17U, + (uint64_t)0x152fecd8f70e5939U, (uint64_t)0x67332667ffc00b31U, (uint64_t)0x8eb44a8768581511U, + (uint64_t)0xdb0c2e0d64f98fa7U, (uint64_t)0x47b5481dbefa4fa4U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_h512[8U] = + { + (uint64_t)0x6a09e667f3bcc908U, (uint64_t)0xbb67ae8584caa73bU, (uint64_t)0x3c6ef372fe94f82bU, + (uint64_t)0xa54ff53a5f1d36f1U, (uint64_t)0x510e527fade682d1U, (uint64_t)0x9b05688c2b3e6c1fU, + (uint64_t)0x1f83d9abfb41bd6bU, (uint64_t)0x5be0cd19137e2179U + }; + +static const +uint32_t +Hacl_Impl_SHA2_Generic_k224_256[64U] = + { + (uint32_t)0x428a2f98U, (uint32_t)0x71374491U, (uint32_t)0xb5c0fbcfU, (uint32_t)0xe9b5dba5U, + (uint32_t)0x3956c25bU, (uint32_t)0x59f111f1U, (uint32_t)0x923f82a4U, (uint32_t)0xab1c5ed5U, + (uint32_t)0xd807aa98U, (uint32_t)0x12835b01U, (uint32_t)0x243185beU, (uint32_t)0x550c7dc3U, + (uint32_t)0x72be5d74U, (uint32_t)0x80deb1feU, (uint32_t)0x9bdc06a7U, (uint32_t)0xc19bf174U, + (uint32_t)0xe49b69c1U, (uint32_t)0xefbe4786U, (uint32_t)0x0fc19dc6U, (uint32_t)0x240ca1ccU, + (uint32_t)0x2de92c6fU, (uint32_t)0x4a7484aaU, (uint32_t)0x5cb0a9dcU, (uint32_t)0x76f988daU, + (uint32_t)0x983e5152U, (uint32_t)0xa831c66dU, (uint32_t)0xb00327c8U, (uint32_t)0xbf597fc7U, + (uint32_t)0xc6e00bf3U, (uint32_t)0xd5a79147U, (uint32_t)0x06ca6351U, (uint32_t)0x14292967U, + (uint32_t)0x27b70a85U, (uint32_t)0x2e1b2138U, (uint32_t)0x4d2c6dfcU, (uint32_t)0x53380d13U, + (uint32_t)0x650a7354U, (uint32_t)0x766a0abbU, (uint32_t)0x81c2c92eU, (uint32_t)0x92722c85U, + (uint32_t)0xa2bfe8a1U, (uint32_t)0xa81a664bU, (uint32_t)0xc24b8b70U, (uint32_t)0xc76c51a3U, + (uint32_t)0xd192e819U, (uint32_t)0xd6990624U, (uint32_t)0xf40e3585U, (uint32_t)0x106aa070U, + (uint32_t)0x19a4c116U, (uint32_t)0x1e376c08U, (uint32_t)0x2748774cU, (uint32_t)0x34b0bcb5U, + (uint32_t)0x391c0cb3U, (uint32_t)0x4ed8aa4aU, (uint32_t)0x5b9cca4fU, (uint32_t)0x682e6ff3U, + (uint32_t)0x748f82eeU, (uint32_t)0x78a5636fU, (uint32_t)0x84c87814U, (uint32_t)0x8cc70208U, + (uint32_t)0x90befffaU, (uint32_t)0xa4506cebU, (uint32_t)0xbef9a3f7U, (uint32_t)0xc67178f2U + }; + +static const +uint64_t +Hacl_Impl_SHA2_Generic_k384_512[80U] = + { + (uint64_t)0x428a2f98d728ae22U, (uint64_t)0x7137449123ef65cdU, (uint64_t)0xb5c0fbcfec4d3b2fU, + (uint64_t)0xe9b5dba58189dbbcU, (uint64_t)0x3956c25bf348b538U, (uint64_t)0x59f111f1b605d019U, + (uint64_t)0x923f82a4af194f9bU, (uint64_t)0xab1c5ed5da6d8118U, (uint64_t)0xd807aa98a3030242U, + (uint64_t)0x12835b0145706fbeU, (uint64_t)0x243185be4ee4b28cU, (uint64_t)0x550c7dc3d5ffb4e2U, + (uint64_t)0x72be5d74f27b896fU, (uint64_t)0x80deb1fe3b1696b1U, (uint64_t)0x9bdc06a725c71235U, + (uint64_t)0xc19bf174cf692694U, (uint64_t)0xe49b69c19ef14ad2U, (uint64_t)0xefbe4786384f25e3U, + (uint64_t)0x0fc19dc68b8cd5b5U, (uint64_t)0x240ca1cc77ac9c65U, (uint64_t)0x2de92c6f592b0275U, + (uint64_t)0x4a7484aa6ea6e483U, (uint64_t)0x5cb0a9dcbd41fbd4U, (uint64_t)0x76f988da831153b5U, + (uint64_t)0x983e5152ee66dfabU, (uint64_t)0xa831c66d2db43210U, (uint64_t)0xb00327c898fb213fU, + (uint64_t)0xbf597fc7beef0ee4U, (uint64_t)0xc6e00bf33da88fc2U, (uint64_t)0xd5a79147930aa725U, + (uint64_t)0x06ca6351e003826fU, (uint64_t)0x142929670a0e6e70U, (uint64_t)0x27b70a8546d22ffcU, + (uint64_t)0x2e1b21385c26c926U, (uint64_t)0x4d2c6dfc5ac42aedU, (uint64_t)0x53380d139d95b3dfU, + (uint64_t)0x650a73548baf63deU, (uint64_t)0x766a0abb3c77b2a8U, (uint64_t)0x81c2c92e47edaee6U, + (uint64_t)0x92722c851482353bU, (uint64_t)0xa2bfe8a14cf10364U, (uint64_t)0xa81a664bbc423001U, + (uint64_t)0xc24b8b70d0f89791U, (uint64_t)0xc76c51a30654be30U, (uint64_t)0xd192e819d6ef5218U, + (uint64_t)0xd69906245565a910U, (uint64_t)0xf40e35855771202aU, (uint64_t)0x106aa07032bbd1b8U, + (uint64_t)0x19a4c116b8d2d0c8U, (uint64_t)0x1e376c085141ab53U, (uint64_t)0x2748774cdf8eeb99U, + (uint64_t)0x34b0bcb5e19b48a8U, (uint64_t)0x391c0cb3c5c95a63U, (uint64_t)0x4ed8aa4ae3418acbU, + (uint64_t)0x5b9cca4f7763e373U, (uint64_t)0x682e6ff3d6b2b8a3U, (uint64_t)0x748f82ee5defb2fcU, + (uint64_t)0x78a5636f43172f60U, (uint64_t)0x84c87814a1f0ab72U, (uint64_t)0x8cc702081a6439ecU, + (uint64_t)0x90befffa23631e28U, (uint64_t)0xa4506cebde82bde9U, (uint64_t)0xbef9a3f7b2c67915U, + (uint64_t)0xc67178f2e372532bU, (uint64_t)0xca273eceea26619cU, (uint64_t)0xd186b8c721c0c207U, + (uint64_t)0xeada7dd6cde0eb1eU, (uint64_t)0xf57d4f7fee6ed178U, (uint64_t)0x06f067aa72176fbaU, + (uint64_t)0x0a637dc5a2c898a6U, (uint64_t)0x113f9804bef90daeU, (uint64_t)0x1b710b35131c471bU, + (uint64_t)0x28db77f523047d84U, (uint64_t)0x32caab7b40c72493U, (uint64_t)0x3c9ebe0a15c9bebcU, + (uint64_t)0x431d67c49c100d4cU, (uint64_t)0x4cc5d4becb3e42b6U, (uint64_t)0x597f299cfc657e2aU, + (uint64_t)0x5fcb6fab3ad6faecU, (uint64_t)0x6c44198c4a475817U + }; + +#if defined(__cplusplus) +} +#endif + +#define __internal_Hacl_SHA2_Generic_H_DEFINED +#endif diff --git a/Modules/_hacl/refresh.sh b/Modules/_hacl/refresh.sh new file mode 100755 index 00000000000000..0f3cabe9d2c503 --- /dev/null +++ b/Modules/_hacl/refresh.sh @@ -0,0 +1,99 @@ +#!/usr/bin/env bash + +set -e +set -o pipefail + +if [[ $1 == "" ]]; then + echo "USAGE: $0 path-to-hacl-directory" + exit 1 +fi + +hacl_dir=$1 +expected_rev=b0f29a4bd3a9408a9453b97de9cefffb11d89391 +actual_rev=$(cd "$hacl_dir" && git rev-parse HEAD) + +if [[ $actual_rev != $expected_rev ]]; then + echo "WARNING: HACL* is at revision $actual_rev, but expected revision $expected_rev" +fi + +# Step 1: copy files + +dist_files="\ + Hacl_Streaming_SHA2.h \ + internal/Hacl_SHA2_Generic.h \ + Hacl_Streaming_SHA2.c" + +include_files="\ + include/krml/lowstar_endianness.h \ + include/krml/internal/target.h" + +lib_files="\ + krmllib/dist/minimal/FStar_UInt_8_16_32_64.h" + +# C files for the algorithms themselves: current directory +(cd $hacl_dir/dist/gcc-compatible && tar cf - $dist_files) | tar xf - + +# Support header files (e.g. endianness macros): stays in include/ +(cd $hacl_dir/dist/karamel && tar cf - $include_files) | tar xf - + +# Special treatment: we don't bother with an extra directory and move krmllib +# files to the same include directory +for f in $lib_files; do + cp $hacl_dir/dist/karamel/$f include/krml/ +done + +# Step 2: some in-place modifications to keep things simple and minimal + +# This is basic, but refreshes of the vendored HACL code are infrequent, so +# let's not over-engineer this. +if [[ $(uname) == "Darwin" ]]; then + sed=gsed +else + sed=sed +fi + +all_files=$(find . -name '*.h' -or -name '*.c') + +# types.h is a simple wrapper that defines the uint128 then proceeds to include +# FStar_UInt_8_16_32_64.h; we jump the types.h step since our current selection +# of algorithms does not necessitate the use of uint128 +$sed -i 's!#include.*types.h"!#include "krml/FStar_UInt_8_16_32_64.h"!g' $all_files +$sed -i 's!#include.*compat.h"!!g' $all_files + +# FStar_UInt_8_16_32_64 contains definitions useful in the general case, but not +# for us; trim! +$sed -i -z 's!\(extern\|typedef\)[^;]*;\n\n!!g' include/krml/FStar_UInt_8_16_32_64.h + +# This contains static inline prototypes that are defined in +# FStar_UInt_8_16_32_64; they are by default repeated for safety of separate +# compilation, but this is not necessary. +$sed -i 's!#include.*Hacl_Krmllib.h"!!g' $all_files + +# This header is useful for *other* algorithms that refer to SHA2, e.g. Ed25519 +# which needs to compute a digest of a message before signing it. Here, since no +# other algorithm builds upon SHA2, this internal header is useless (and is not +# included in $dist_files). +$sed -i 's!#include.*internal/Hacl_Streaming_SHA2.h"!#include "Hacl_Streaming_SHA2.h"!g' $all_files + +# The SHA2 file contains all variants of SHA2. We strip 384 and 512 for the time +# being, to be included later. +# This regexp matches a separator (two new lines), followed by: +# +# * +# ... 384 or 512 ... { +# * +# } +# +# The first non-empty lines are the comment block. The second ... may spill over +# the next following lines if the arguments are printed in one-per-line mode. +$sed -i -z 's/\n\n\([^\n]\+\n\)*[^\n]*\(384\|512\)[^{]*{\n\?\( [^\n]*\n\)*}//g' Hacl_Streaming_SHA2.c + +# Same thing with function prototypes +$sed -i -z 's/\n\n\([^\n]\+\n\)*[^\n]*\(384\|512\)[^;]*;//g' Hacl_Streaming_SHA2.h + +# Finally, we remove a bunch of ifdefs from target.h that are, again, useful in +# the general case, but not exercised by the subset of HACL* that we vendor. +$sed -z -i 's!#ifndef KRML_\(HOST_PRINTF\|HOST_EXIT\|PRE_ALIGN\|POST_ALIGN\|ALIGNED_MALLOC\|ALIGNED_FREE\|HOST_TIME\)\n\(\n\|# [^\n]*\n\|[^#][^\n]*\n\)*#endif\n\n!!g' include/krml/internal/target.h +$sed -z -i 's!\n\n\([^#][^\n]*\n\)*#define KRML_\(EABORT\|EXIT\|CHECK_SIZE\)[^\n]*\(\n [^\n]*\)*!!g' include/krml/internal/target.h +$sed -z -i 's!\n\n\([^#][^\n]*\n\)*#if [^\n]*\n\( [^\n]*\n\)*#define KRML_\(EABORT\|EXIT\|CHECK_SIZE\)[^\n]*\(\n [^\n]*\)*!!g' include/krml/internal/target.h +$sed -z -i 's!\n\n\([^#][^\n]*\n\)*#if [^\n]*\n\( [^\n]*\n\)*# define _\?KRML_\(DEPRECATED\|CHECK_SIZE_PRAGMA\|HOST_EPRINTF\|HOST_SNPRINTF\)[^\n]*\n\([^#][^\n]*\n\|#el[^\n]*\n\|# [^\n]*\n\)*#endif!!g' include/krml/internal/target.h From a632c84b6c09e87b51378821f171f1ddce8df6aa Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 20 Dec 2022 12:32:22 -0800 Subject: [PATCH 22/33] Use newly-implemented copy operation --- Modules/_hacl/Hacl_Streaming_SHA2.c | 30 +++++++++++++++++++++++++++-- Modules/_hacl/Hacl_Streaming_SHA2.h | 11 +++++++++-- Modules/_hacl/refresh.sh | 8 ++++---- Modules/sha256module.c | 9 +-------- 4 files changed, 42 insertions(+), 16 deletions(-) diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.c b/Modules/_hacl/Hacl_Streaming_SHA2.c index ab9350a5f2fecf..fb7e1641850694 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.c +++ b/Modules/_hacl/Hacl_Streaming_SHA2.c @@ -253,7 +253,7 @@ static inline void sha224_finish(uint32_t *st, uint8_t *h) Allocate initial state for the SHA2_256 hash. The state is to be freed by calling `free_256`. */ -Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256() +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); @@ -269,6 +269,32 @@ Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256() return p; } +/** +Copies the state passed as argument into a newly allocated state. The state +is to be freed by calling `free_256` +*/ +Hacl_Streaming_SHA2_state_sha2_224 +*Hacl_Streaming_SHA2_copy_256(Hacl_Streaming_SHA2_state_sha2_224 *s0) +{ + Hacl_Streaming_SHA2_state_sha2_224 scrut = *s0; + uint32_t *block_state0 = scrut.block_state; + uint8_t *buf0 = scrut.buf; + uint64_t total_len0 = scrut.total_len; + uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); + memcpy(buf, buf0, (uint32_t)64U * sizeof (uint8_t)); + uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); + memcpy(block_state, block_state0, (uint32_t)8U * sizeof (uint32_t)); + Hacl_Streaming_SHA2_state_sha2_224 + s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; + Hacl_Streaming_SHA2_state_sha2_224 + *p = + (Hacl_Streaming_SHA2_state_sha2_224 *)KRML_HOST_MALLOC(sizeof ( + Hacl_Streaming_SHA2_state_sha2_224 + )); + p[0U] = s; + return p; +} + /** Reset an existing state to the initial hash state with empty data. */ @@ -550,7 +576,7 @@ void Hacl_Streaming_SHA2_sha256(uint8_t *input, uint32_t input_len, uint8_t *dst sha256_finish(st, rb); } -Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224() +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224(void) { uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC((uint32_t)64U, sizeof (uint8_t)); uint32_t *block_state = (uint32_t *)KRML_HOST_CALLOC((uint32_t)8U, sizeof (uint32_t)); diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.h b/Modules/_hacl/Hacl_Streaming_SHA2.h index 2aab2c69a7679c..20b79ac5509ea9 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.h +++ b/Modules/_hacl/Hacl_Streaming_SHA2.h @@ -51,7 +51,14 @@ typedef Hacl_Streaming_SHA2_state_sha2_224 Hacl_Streaming_SHA2_state_sha2_256; Allocate initial state for the SHA2_256 hash. The state is to be freed by calling `free_256`. */ -Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(); +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(void); + +/** +Copies the state passed as argument into a newly allocated state. The state +is to be freed by calling `free_256` +*/ +Hacl_Streaming_SHA2_state_sha2_224 +*Hacl_Streaming_SHA2_copy_256(Hacl_Streaming_SHA2_state_sha2_224 *s0); /** Reset an existing state to the initial hash state with empty data. @@ -92,7 +99,7 @@ Hash `input`, of len `input_len`, into `dst`, an array of 32 bytes. */ void Hacl_Streaming_SHA2_sha256(uint8_t *input, uint32_t input_len, uint8_t *dst); -Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224(); +Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_224(void); void Hacl_Streaming_SHA2_init_224(Hacl_Streaming_SHA2_state_sha2_224 *s); diff --git a/Modules/_hacl/refresh.sh b/Modules/_hacl/refresh.sh index 0f3cabe9d2c503..4e0ed165516183 100755 --- a/Modules/_hacl/refresh.sh +++ b/Modules/_hacl/refresh.sh @@ -9,7 +9,7 @@ if [[ $1 == "" ]]; then fi hacl_dir=$1 -expected_rev=b0f29a4bd3a9408a9453b97de9cefffb11d89391 +expected_rev=34b8a9fcd91859460b021dabc54deb961e02a675 actual_rev=$(cd "$hacl_dir" && git rev-parse HEAD) if [[ $actual_rev != $expected_rev ]]; then @@ -54,9 +54,9 @@ fi all_files=$(find . -name '*.h' -or -name '*.c') -# types.h is a simple wrapper that defines the uint128 then proceeds to include -# FStar_UInt_8_16_32_64.h; we jump the types.h step since our current selection -# of algorithms does not necessitate the use of uint128 +# types.h is a simple wrapper that defines the uint128 type then proceeds to +# include FStar_UInt_8_16_32_64.h; we jump the types.h step since our current +# selection of algorithms does not necessitate the use of uint128 $sed -i 's!#include.*types.h"!#include "krml/FStar_UInt_8_16_32_64.h"!g' $all_files $sed -i 's!#include.*compat.h"!!g' $all_files diff --git a/Modules/sha256module.c b/Modules/sha256module.c index d3f964b4b753f3..f89628a748e58a 100644 --- a/Modules/sha256module.c +++ b/Modules/sha256module.c @@ -74,14 +74,7 @@ _sha256_get_state(PyObject *module) static void SHAcopy(SHAobject *src, SHAobject *dest) { dest->digestsize = src->digestsize; - // TODO: implement this in HACL - if (dest->digestsize == 28) - dest->state = Hacl_Streaming_SHA2_create_in_224(); - else - dest->state = Hacl_Streaming_SHA2_create_in_256(); - dest->state->total_len = src->state->total_len; - memcpy(dest->state->block_state, src->state->block_state, SHA_DIGESTSIZE); - memcpy(dest->state->buf, src->state->buf, SHA_BLOCKSIZE); + dest->state = Hacl_Streaming_SHA2_copy_256(src->state); } static SHAobject * From f4b267ebe24d5b8c33001b11eaab68a8f10e575c Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 20 Dec 2022 12:52:06 -0800 Subject: [PATCH 23/33] Add a suitable test for data > 4GB --- Lib/test/test_hashlib.py | 8 ++++++++ Modules/sha256module.c | 23 +++++++++++++++++------ 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py index 450dc4933f47f7..edb399df88e7af 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -354,6 +354,14 @@ def test_large_update(self): self.assertEqual(m1.digest(*args), m4_copy.digest(*args)) self.assertEqual(m4.digest(*args), m4_digest) + def test_sha256_over_4gb(self): + zero_1mb = b"\0" * 1024 * 1024 + h = hashlib.sha256() + for i in range(0, 4096): + h.update(zero_1mb) + h.update(b"hello world") + self.assertEqual(h.hexdigest(), "a5364f7a52ebe2e25f1838a4ca715a893b6fd7a23f2a0d9e9762120da8b1bf53") + def check(self, name, data, hexdigest, shake=False, **kwargs): length = len(hexdigest)//2 hexdigest = hexdigest.lower() diff --git a/Modules/sha256module.c b/Modules/sha256module.c index f89628a748e58a..4ad72121aa2b84 100644 --- a/Modules/sha256module.c +++ b/Modules/sha256module.c @@ -113,6 +113,20 @@ SHA_dealloc(SHAobject *ptr) Py_DECREF(tp); } +/* HACL* takes a uint32_t for the length of its parameter, but Py_ssize_t can be + * 64 bits. */ +static void update_256(Hacl_Streaming_SHA2_state_sha2_256 *state, uint8_t *buf, Py_ssize_t len) { + /* Note: we explicitly ignore the error code on the basis that it would take > + * 1 billion years to overflow the maximum admissible length for SHA2-256 + * (namely, 2^61-1 bytes). */ + while (len > UINT32_MAX) { + Hacl_Streaming_SHA2_update_256(state, buf, UINT32_MAX); + len -= UINT32_MAX; + buf += UINT32_MAX; + } + Hacl_Streaming_SHA2_update_256(state, buf, len); +} + /* External methods for a hash object */ @@ -193,8 +207,7 @@ SHA256Type_update(SHAobject *self, PyObject *obj) GET_BUFFER_VIEW_OR_ERROUT(obj, &buf); - if (Hacl_Streaming_SHA2_update_256(self->state, buf.buf, buf.len) != 0) - PyErr_SetString(PyExc_RuntimeError, "maximum hashing length exceeded"); + update_256(self->state, buf.buf, buf.len); PyBuffer_Release(&buf); Py_RETURN_NONE; @@ -308,8 +321,7 @@ _sha256_sha256_impl(PyObject *module, PyObject *string, int usedforsecurity) return NULL; } if (string) { - if (Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len) != 0) - PyErr_SetString(PyExc_RuntimeError, "maximum hashing length exceeded"); + update_256(new->state, buf.buf, buf.len); PyBuffer_Release(&buf); } @@ -355,8 +367,7 @@ _sha256_sha224_impl(PyObject *module, PyObject *string, int usedforsecurity) return NULL; } if (string) { - if (Hacl_Streaming_SHA2_update_256(new->state, buf.buf, buf.len) != 0) - PyErr_SetString(PyExc_RuntimeError, "maximum hashing length exceeded"); + update_256(new->state, buf.buf, buf.len); PyBuffer_Release(&buf); } From 537831e052b16849946d92376ee6f1344806df21 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Mon, 30 Jan 2023 20:59:45 -0800 Subject: [PATCH 24/33] Make more robust & follow shellcheck. * Require bash >= 4. * Use arrays and proper quoting to avoid shell injection. * Add more helpful help text and error messages. * Update to the latest HACL* revision. --- Modules/_hacl/refresh.sh | 76 ++++++++++++++++++++++++++++------------ 1 file changed, 53 insertions(+), 23 deletions(-) diff --git a/Modules/_hacl/refresh.sh b/Modules/_hacl/refresh.sh index 4e0ed165516183..846a2eb9a7805b 100755 --- a/Modules/_hacl/refresh.sh +++ b/Modules/_hacl/refresh.sh @@ -1,45 +1,71 @@ #!/usr/bin/env bash +# +# Use this script to update the HACL generated hash algorithm implementation +# code from a local checkout of the upstream hacl-star repository. +# set -e set -o pipefail +if [[ "${BASH_VERSINFO[0]}" -lt 4 ]]; then + echo "A bash version >= 4 required. Got: $BASH_VERSION" >&2 + exit 1 +fi + if [[ $1 == "" ]]; then - echo "USAGE: $0 path-to-hacl-directory" + echo "Usage: $0 path-to-hacl-directory" + echo "" + echo " path-to-hacl-directory should be a local git checkout of a" + echo " https://github.com/hacl-star/hacl-star/ repo." exit 1 fi -hacl_dir=$1 -expected_rev=34b8a9fcd91859460b021dabc54deb961e02a675 +# Update this when updating to a new version after verifying that the changes +# the update brings in are good. +expected_hacl_star_rev=94aabbb4cf71347d3779a8db486c761403c6d036 + +hacl_dir="$(realpath "$1")" +cd "$(dirname "$0")" actual_rev=$(cd "$hacl_dir" && git rev-parse HEAD) -if [[ $actual_rev != $expected_rev ]]; then - echo "WARNING: HACL* is at revision $actual_rev, but expected revision $expected_rev" +if [[ "$actual_rev" != "$expected_hacl_star_rev" ]]; then + echo "WARNING: HACL* in '$hacl_dir' is at revision:" >&2 + echo " $actual_rev" >&2 + echo "but expected revision:" >&2 + echo " $expected_hacl_star_rev" >&2 + echo "Edit the expected rev if the changes pulled in are what you want." fi # Step 1: copy files -dist_files="\ - Hacl_Streaming_SHA2.h \ - internal/Hacl_SHA2_Generic.h \ - Hacl_Streaming_SHA2.c" +declare -a dist_files +dist_files=( + Hacl_Streaming_SHA2.h + internal/Hacl_SHA2_Generic.h + Hacl_Streaming_SHA2.c +) -include_files="\ - include/krml/lowstar_endianness.h \ - include/krml/internal/target.h" +declare -a include_files +include_files=( + include/krml/lowstar_endianness.h + include/krml/internal/target.h +) -lib_files="\ - krmllib/dist/minimal/FStar_UInt_8_16_32_64.h" +declare -a lib_files +lib_files=( + krmllib/dist/minimal/FStar_UInt_8_16_32_64.h +) # C files for the algorithms themselves: current directory -(cd $hacl_dir/dist/gcc-compatible && tar cf - $dist_files) | tar xf - +(cd "$hacl_dir/dist/gcc-compatible" && tar cf - "${dist_files[@]}") | tar xf - # Support header files (e.g. endianness macros): stays in include/ -(cd $hacl_dir/dist/karamel && tar cf - $include_files) | tar xf - +(cd "$hacl_dir/dist/karamel" && tar cf - "${include_files[@]}") | tar xf - # Special treatment: we don't bother with an extra directory and move krmllib # files to the same include directory -for f in $lib_files; do - cp $hacl_dir/dist/karamel/$f include/krml/ +for f in "${lib_files[@]}"; do + cp "$hacl_dir/dist/karamel/$f" include/krml/ done # Step 2: some in-place modifications to keep things simple and minimal @@ -47,18 +73,20 @@ done # This is basic, but refreshes of the vendored HACL code are infrequent, so # let's not over-engineer this. if [[ $(uname) == "Darwin" ]]; then + # You're already running with homebrew or macports to satisfy the + # bash>=4 requirement, so requiring GNU sed is entirely reasonable. sed=gsed else sed=sed fi -all_files=$(find . -name '*.h' -or -name '*.c') +readarray -t all_files < <(find . -name '*.h' -or -name '*.c') # types.h is a simple wrapper that defines the uint128 type then proceeds to # include FStar_UInt_8_16_32_64.h; we jump the types.h step since our current # selection of algorithms does not necessitate the use of uint128 -$sed -i 's!#include.*types.h"!#include "krml/FStar_UInt_8_16_32_64.h"!g' $all_files -$sed -i 's!#include.*compat.h"!!g' $all_files +$sed -i 's!#include.*types.h"!#include "krml/FStar_UInt_8_16_32_64.h"!g' "${all_files[@]}" +$sed -i 's!#include.*compat.h"!!g' "${all_files[@]}" # FStar_UInt_8_16_32_64 contains definitions useful in the general case, but not # for us; trim! @@ -67,13 +95,13 @@ $sed -i -z 's!\(extern\|typedef\)[^;]*;\n\n!!g' include/krml/FStar_UInt_8_16_32_ # This contains static inline prototypes that are defined in # FStar_UInt_8_16_32_64; they are by default repeated for safety of separate # compilation, but this is not necessary. -$sed -i 's!#include.*Hacl_Krmllib.h"!!g' $all_files +$sed -i 's!#include.*Hacl_Krmllib.h"!!g' "${all_files[@]}" # This header is useful for *other* algorithms that refer to SHA2, e.g. Ed25519 # which needs to compute a digest of a message before signing it. Here, since no # other algorithm builds upon SHA2, this internal header is useless (and is not # included in $dist_files). -$sed -i 's!#include.*internal/Hacl_Streaming_SHA2.h"!#include "Hacl_Streaming_SHA2.h"!g' $all_files +$sed -i 's!#include.*internal/Hacl_Streaming_SHA2.h"!#include "Hacl_Streaming_SHA2.h"!g' "${all_files[@]}" # The SHA2 file contains all variants of SHA2. We strip 384 and 512 for the time # being, to be included later. @@ -97,3 +125,5 @@ $sed -z -i 's!#ifndef KRML_\(HOST_PRINTF\|HOST_EXIT\|PRE_ALIGN\|POST_ALIGN\|ALIG $sed -z -i 's!\n\n\([^#][^\n]*\n\)*#define KRML_\(EABORT\|EXIT\|CHECK_SIZE\)[^\n]*\(\n [^\n]*\)*!!g' include/krml/internal/target.h $sed -z -i 's!\n\n\([^#][^\n]*\n\)*#if [^\n]*\n\( [^\n]*\n\)*#define KRML_\(EABORT\|EXIT\|CHECK_SIZE\)[^\n]*\(\n [^\n]*\)*!!g' include/krml/internal/target.h $sed -z -i 's!\n\n\([^#][^\n]*\n\)*#if [^\n]*\n\( [^\n]*\n\)*# define _\?KRML_\(DEPRECATED\|CHECK_SIZE_PRAGMA\|HOST_EPRINTF\|HOST_SNPRINTF\)[^\n]*\n\([^#][^\n]*\n\|#el[^\n]*\n\|# [^\n]*\n\)*#endif!!g' include/krml/internal/target.h + +echo "Updated; verify all is okay using git diff and git status." From f33e2efe612e6c575d8d93ac5d9346c8e2396237 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Mon, 30 Jan 2023 21:01:05 -0800 Subject: [PATCH 25/33] Update to the latest HACL* revision. Which seems to just be a copyright message update. --- Modules/_hacl/Hacl_Streaming_SHA2.c | 9 ++++++--- Modules/_hacl/Hacl_Streaming_SHA2.h | 9 ++++++--- Modules/_hacl/internal/Hacl_SHA2_Generic.h | 3 ++- 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.c b/Modules/_hacl/Hacl_Streaming_SHA2.c index fb7e1641850694..84566571792a3c 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.c +++ b/Modules/_hacl/Hacl_Streaming_SHA2.c @@ -1,6 +1,7 @@ /* MIT License * - * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -270,8 +271,10 @@ Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(void) } /** -Copies the state passed as argument into a newly allocated state. The state -is to be freed by calling `free_256` +Copies the state passed as argument into a newly allocated state (deep copy). +The state is to be freed by calling `free_256`. Cloning the state this way is +useful, for instance, if your control-flow diverges and you need to feed +more (different) data into the hash in each branch. */ Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_copy_256(Hacl_Streaming_SHA2_state_sha2_224 *s0) diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.h b/Modules/_hacl/Hacl_Streaming_SHA2.h index 20b79ac5509ea9..152a842d805aab 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.h +++ b/Modules/_hacl/Hacl_Streaming_SHA2.h @@ -1,6 +1,7 @@ /* MIT License * - * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -54,8 +55,10 @@ calling `free_256`. Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_create_in_256(void); /** -Copies the state passed as argument into a newly allocated state. The state -is to be freed by calling `free_256` +Copies the state passed as argument into a newly allocated state (deep copy). +The state is to be freed by calling `free_256`. Cloning the state this way is +useful, for instance, if your control-flow diverges and you need to feed +more (different) data into the hash in each branch. */ Hacl_Streaming_SHA2_state_sha2_224 *Hacl_Streaming_SHA2_copy_256(Hacl_Streaming_SHA2_state_sha2_224 *s0); diff --git a/Modules/_hacl/internal/Hacl_SHA2_Generic.h b/Modules/_hacl/internal/Hacl_SHA2_Generic.h index 5086b805b70b89..23f7cea1eb3884 100644 --- a/Modules/_hacl/internal/Hacl_SHA2_Generic.h +++ b/Modules/_hacl/internal/Hacl_SHA2_Generic.h @@ -1,6 +1,7 @@ /* MIT License * - * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal From ce292e751b0b8df0de35437e7d4613b2d308d70f Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Mon, 30 Jan 2023 21:09:38 -0800 Subject: [PATCH 26/33] Add a README to the _hacl directory. --- Modules/_hacl/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 Modules/_hacl/README.md diff --git a/Modules/_hacl/README.md b/Modules/_hacl/README.md new file mode 100644 index 00000000000000..8eebe710dff7c3 --- /dev/null +++ b/Modules/_hacl/README.md @@ -0,0 +1,9 @@ +# Algorithm implementations used by the `hashlib` module. + +HACL\* is a cryptographic library that has been formally verified for memory +safety, functional correctness, and secret independence. + +Use the `refresh.sh` script in this directory to pull in a new upstream code +version. The upstream git hash used for the most recent code pull is recorded +in the script. Modify the script as needed to bring in more if changes are +needed based on upstream code refactoring. From aa24fd4332608f7c5f83e2c7bc8dd673e003ce1d Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Mon, 30 Jan 2023 21:19:04 -0800 Subject: [PATCH 27/33] reword and ReSTify the news entry. --- .../Security/2022-11-08-12-06-52.gh-issue-99108.4Wrsuh.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Misc/NEWS.d/next/Security/2022-11-08-12-06-52.gh-issue-99108.4Wrsuh.rst b/Misc/NEWS.d/next/Security/2022-11-08-12-06-52.gh-issue-99108.4Wrsuh.rst index 492c6ab9ef8f34..64acc09c482ecb 100644 --- a/Misc/NEWS.d/next/Security/2022-11-08-12-06-52.gh-issue-99108.4Wrsuh.rst +++ b/Misc/NEWS.d/next/Security/2022-11-08-12-06-52.gh-issue-99108.4Wrsuh.rst @@ -1,2 +1,4 @@ -Replace builtin hashlib implementation of SHA2-224 and SHA2-256 with -formally verified, side-channel resistant code from the HACL* project. +Replace the builtin :mod:`hashlib` implementations of SHA2-224 and SHA2-256 +originally from LibTomCrypt with formally verified, side-channel resistant +code from the `HACL* `_ project. The +builtins remain a fallback only used when OpenSSL does not provide them. From 29fd3c94f4de81800314f3704def039e76bfe06f Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Mon, 30 Jan 2023 22:13:33 -0800 Subject: [PATCH 28/33] Dynamically rename the Hacl_ C symbols. We do this with other third party code as well, it avoids linking and dynamic linking ODR violations when extension module or embedding applications also use their own version of the library code in question. + Minor annotation on the test, use `python -m test -u cpu` + Add a link to the readme. --- Lib/test/test_hashlib.py | 4 +++- Modules/_hacl/Hacl_Streaming_SHA2.h | 1 + Modules/_hacl/README.md | 3 +++ Modules/_hacl/refresh.sh | 3 +++ Modules/sha256module.c | 25 +++++++++++++++++++++++-- 5 files changed, 33 insertions(+), 3 deletions(-) diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py index edb399df88e7af..9c92b4e9c280dc 100644 --- a/Lib/test/test_hashlib.py +++ b/Lib/test/test_hashlib.py @@ -22,6 +22,7 @@ from test.support import _4G, bigmemtest from test.support.import_helper import import_fresh_module from test.support import os_helper +from test.support import requires_resource from test.support import threading_helper from test.support import warnings_helper from http.client import HTTPException @@ -354,7 +355,8 @@ def test_large_update(self): self.assertEqual(m1.digest(*args), m4_copy.digest(*args)) self.assertEqual(m4.digest(*args), m4_digest) - def test_sha256_over_4gb(self): + @requires_resource('cpu') + def test_sha256_update_over_4gb(self): zero_1mb = b"\0" * 1024 * 1024 h = hashlib.sha256() for i in range(0, 4096): diff --git a/Modules/_hacl/Hacl_Streaming_SHA2.h b/Modules/_hacl/Hacl_Streaming_SHA2.h index 152a842d805aab..c83a835afe70fd 100644 --- a/Modules/_hacl/Hacl_Streaming_SHA2.h +++ b/Modules/_hacl/Hacl_Streaming_SHA2.h @@ -31,6 +31,7 @@ extern "C" { #endif #include +#include "python_hacl_namespaces.h" #include "krml/FStar_UInt_8_16_32_64.h" #include "krml/lowstar_endianness.h" #include "krml/internal/target.h" diff --git a/Modules/_hacl/README.md b/Modules/_hacl/README.md index 8eebe710dff7c3..fc50f1a4dba296 100644 --- a/Modules/_hacl/README.md +++ b/Modules/_hacl/README.md @@ -1,5 +1,8 @@ # Algorithm implementations used by the `hashlib` module. +This code comes from the +[HACL\*](https://github.com/hacl-star/hacl-star/) project. + HACL\* is a cryptographic library that has been formally verified for memory safety, functional correctness, and secret independence. diff --git a/Modules/_hacl/refresh.sh b/Modules/_hacl/refresh.sh index 846a2eb9a7805b..594873862a2db0 100755 --- a/Modules/_hacl/refresh.sh +++ b/Modules/_hacl/refresh.sh @@ -119,6 +119,9 @@ $sed -i -z 's/\n\n\([^\n]\+\n\)*[^\n]*\(384\|512\)[^{]*{\n\?\( [^\n]*\n\)*}//g' # Same thing with function prototypes $sed -i -z 's/\n\n\([^\n]\+\n\)*[^\n]*\(384\|512\)[^;]*;//g' Hacl_Streaming_SHA2.h +# Use globally unique names for the Hacl_ C APIs to avoid linkage conflicts. +$sed -i -z 's!#include \n!#include \n#include "python_hacl_namespaces.h"\n!' Hacl_Streaming_SHA2.h + # Finally, we remove a bunch of ifdefs from target.h that are, again, useful in # the general case, but not exercised by the subset of HACL* that we vendor. $sed -z -i 's!#ifndef KRML_\(HOST_PRINTF\|HOST_EXIT\|PRE_ALIGN\|POST_ALIGN\|ALIGNED_MALLOC\|ALIGNED_FREE\|HOST_TIME\)\n\(\n\|# [^\n]*\n\|[^#][^\n]*\n\)*#endif\n\n!!g' include/krml/internal/target.h diff --git a/Modules/sha256module.c b/Modules/sha256module.c index 4ad72121aa2b84..a8504e3101a2d9 100644 --- a/Modules/sha256module.c +++ b/Modules/sha256module.c @@ -40,6 +40,26 @@ class SHA256Type "SHAobject *" "&PyType_Type" /* The SHA2-224 and SHA2-256 implementations defer to the HACL* verified * library. */ +/* C's excuse for namespaces: Use unique names to avoid linkage conflicts + * with builds linking or dynamically loading other code potentially using + * HACL* libraries. */ +#define Hacl_Streaming_SHA2_state_sha2_224_s python_hashlib_Hacl_Streaming_SHA2_state_sha2_224_s +#define Hacl_Streaming_SHA2_state_sha2_224 python_hashlib_Hacl_Streaming_SHA2_state_sha2_224 +#define Hacl_Streaming_SHA2_state_sha2_256 python_hashlib_Hacl_Streaming_SHA2_state_sha2_256 +#define Hacl_Streaming_SHA2_create_in_256 python_hashlib_Hacl_Streaming_SHA2_create_in_256 +#define Hacl_Streaming_SHA2_create_in_224 python_hashlib_Hacl_Streaming_SHA2_create_in_224 +#define Hacl_Streaming_SHA2_copy_256 python_hashlib_Hacl_Streaming_SHA2_copy_256 +#define Hacl_Streaming_SHA2_copy_224 python_hashlib_Hacl_Streaming_SHA2_copy_224 +#define Hacl_Streaming_SHA2_init_256 python_hashlib_Hacl_Streaming_SHA2_init_256 +#define Hacl_Streaming_SHA2_init_224 python_hashlib_Hacl_Streaming_SHA2_init_224 +#define Hacl_Streaming_SHA2_update_256 python_hashlib_Hacl_Streaming_SHA2_update_256 +#define Hacl_Streaming_SHA2_update_224 python_hashlib_Hacl_Streaming_SHA2_update_224 +#define Hacl_Streaming_SHA2_finish_256 python_hashlib_Hacl_Streaming_SHA2_finish_256 +#define Hacl_Streaming_SHA2_finish_224 python_hashlib_Hacl_Streaming_SHA2_finish_224 +#define Hacl_Streaming_SHA2_free_256 python_hashlib_Hacl_Streaming_SHA2_free_256 +#define Hacl_Streaming_SHA2_free_224 python_hashlib_Hacl_Streaming_SHA2_free_224 +#define Hacl_Streaming_SHA2_sha256 python_hashlib_Hacl_Streaming_SHA2_sha256 +#define Hacl_Streaming_SHA2_sha224 python_hashlib_Hacl_Streaming_SHA2_sha224 #include "_hacl/Hacl_Streaming_SHA2.h" typedef struct { @@ -230,10 +250,11 @@ SHA256_get_block_size(PyObject *self, void *closure) static PyObject * SHA256_get_name(SHAobject *self, void *closure) { - if (self->digestsize == 28) + if (self->digestsize == 28) { return PyUnicode_FromStringAndSize("sha224", 6); - else + } else { return PyUnicode_FromStringAndSize("sha256", 6); + } } static PyGetSetDef SHA_getseters[] = { From 0362c1a850cc3118e5bde394ad49f5d8238cbb90 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Mon, 30 Jan 2023 22:34:26 -0800 Subject: [PATCH 29/33] missing file add & readme update. --- Modules/_hacl/README.md | 17 +++++++++++ .../_hacl/include/python_hacl_namespaces.h | 28 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 Modules/_hacl/include/python_hacl_namespaces.h diff --git a/Modules/_hacl/README.md b/Modules/_hacl/README.md index fc50f1a4dba296..e6a156a54b3cee 100644 --- a/Modules/_hacl/README.md +++ b/Modules/_hacl/README.md @@ -6,7 +6,24 @@ This code comes from the HACL\* is a cryptographic library that has been formally verified for memory safety, functional correctness, and secret independence. +## Updating HACL* + Use the `refresh.sh` script in this directory to pull in a new upstream code version. The upstream git hash used for the most recent code pull is recorded in the script. Modify the script as needed to bring in more if changes are needed based on upstream code refactoring. + +Never manually edit HACL\* files. Always add transformation shell code to the +`refresh.sh` script to perform any necessary edits. If there are serious code +changes needed, work with the upstream repository. + +## Local files + +1. `./include/python_hacl_namespaces.h` +1. `./README.md` +1. `./refresh.sh` + +## ACKS + +* Jonathan Protzenko aka [@msprotz on Github](https://github.com/msprotz) +contributed our HACL\* based builtin code. diff --git a/Modules/_hacl/include/python_hacl_namespaces.h b/Modules/_hacl/include/python_hacl_namespaces.h new file mode 100644 index 00000000000000..66038d364f2a62 --- /dev/null +++ b/Modules/_hacl/include/python_hacl_namespaces.h @@ -0,0 +1,28 @@ +#ifndef PYTHON_HACL_NAMESPACES_H +#define PYTHON_HACL_NAMESPACES_H + +/* + * C's excuse for namespaces: Use globally unique names to avoid linkage + * conflicts with builds linking or dynamically loading other code potentially + * using HACL* libraries. + */ + +#define Hacl_Streaming_SHA2_state_sha2_224_s python_hashlib_Hacl_Streaming_SHA2_state_sha2_224_s +#define Hacl_Streaming_SHA2_state_sha2_224 python_hashlib_Hacl_Streaming_SHA2_state_sha2_224 +#define Hacl_Streaming_SHA2_state_sha2_256 python_hashlib_Hacl_Streaming_SHA2_state_sha2_256 +#define Hacl_Streaming_SHA2_create_in_256 python_hashlib_Hacl_Streaming_SHA2_create_in_256 +#define Hacl_Streaming_SHA2_create_in_224 python_hashlib_Hacl_Streaming_SHA2_create_in_224 +#define Hacl_Streaming_SHA2_copy_256 python_hashlib_Hacl_Streaming_SHA2_copy_256 +#define Hacl_Streaming_SHA2_copy_224 python_hashlib_Hacl_Streaming_SHA2_copy_224 +#define Hacl_Streaming_SHA2_init_256 python_hashlib_Hacl_Streaming_SHA2_init_256 +#define Hacl_Streaming_SHA2_init_224 python_hashlib_Hacl_Streaming_SHA2_init_224 +#define Hacl_Streaming_SHA2_update_256 python_hashlib_Hacl_Streaming_SHA2_update_256 +#define Hacl_Streaming_SHA2_update_224 python_hashlib_Hacl_Streaming_SHA2_update_224 +#define Hacl_Streaming_SHA2_finish_256 python_hashlib_Hacl_Streaming_SHA2_finish_256 +#define Hacl_Streaming_SHA2_finish_224 python_hashlib_Hacl_Streaming_SHA2_finish_224 +#define Hacl_Streaming_SHA2_free_256 python_hashlib_Hacl_Streaming_SHA2_free_256 +#define Hacl_Streaming_SHA2_free_224 python_hashlib_Hacl_Streaming_SHA2_free_224 +#define Hacl_Streaming_SHA2_sha256 python_hashlib_Hacl_Streaming_SHA2_sha256 +#define Hacl_Streaming_SHA2_sha224 python_hashlib_Hacl_Streaming_SHA2_sha224 + +#endif // PYTHON_HACL_NAMESPACES_H From 0f33a6aed87dc84731bcb86b9ec471e0531729f3 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Mon, 30 Jan 2023 22:35:56 -0800 Subject: [PATCH 30/33] _ --- Modules/_hacl/include/python_hacl_namespaces.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Modules/_hacl/include/python_hacl_namespaces.h b/Modules/_hacl/include/python_hacl_namespaces.h index 66038d364f2a62..af390459311fe8 100644 --- a/Modules/_hacl/include/python_hacl_namespaces.h +++ b/Modules/_hacl/include/python_hacl_namespaces.h @@ -1,5 +1,5 @@ -#ifndef PYTHON_HACL_NAMESPACES_H -#define PYTHON_HACL_NAMESPACES_H +#ifndef _PYTHON_HACL_NAMESPACES_H +#define _PYTHON_HACL_NAMESPACES_H /* * C's excuse for namespaces: Use globally unique names to avoid linkage @@ -25,4 +25,4 @@ #define Hacl_Streaming_SHA2_sha256 python_hashlib_Hacl_Streaming_SHA2_sha256 #define Hacl_Streaming_SHA2_sha224 python_hashlib_Hacl_Streaming_SHA2_sha224 -#endif // PYTHON_HACL_NAMESPACES_H +#endif // _PYTHON_HACL_NAMESPACES_H From d7c12407dfc18796bb9632ab5c7175d9456c3ebb Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith [Google LLC]" Date: Mon, 30 Jan 2023 22:36:27 -0800 Subject: [PATCH 31/33] remove wrongly placed defines. --- Modules/sha256module.c | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/Modules/sha256module.c b/Modules/sha256module.c index a8504e3101a2d9..08335dcc1ab649 100644 --- a/Modules/sha256module.c +++ b/Modules/sha256module.c @@ -40,26 +40,6 @@ class SHA256Type "SHAobject *" "&PyType_Type" /* The SHA2-224 and SHA2-256 implementations defer to the HACL* verified * library. */ -/* C's excuse for namespaces: Use unique names to avoid linkage conflicts - * with builds linking or dynamically loading other code potentially using - * HACL* libraries. */ -#define Hacl_Streaming_SHA2_state_sha2_224_s python_hashlib_Hacl_Streaming_SHA2_state_sha2_224_s -#define Hacl_Streaming_SHA2_state_sha2_224 python_hashlib_Hacl_Streaming_SHA2_state_sha2_224 -#define Hacl_Streaming_SHA2_state_sha2_256 python_hashlib_Hacl_Streaming_SHA2_state_sha2_256 -#define Hacl_Streaming_SHA2_create_in_256 python_hashlib_Hacl_Streaming_SHA2_create_in_256 -#define Hacl_Streaming_SHA2_create_in_224 python_hashlib_Hacl_Streaming_SHA2_create_in_224 -#define Hacl_Streaming_SHA2_copy_256 python_hashlib_Hacl_Streaming_SHA2_copy_256 -#define Hacl_Streaming_SHA2_copy_224 python_hashlib_Hacl_Streaming_SHA2_copy_224 -#define Hacl_Streaming_SHA2_init_256 python_hashlib_Hacl_Streaming_SHA2_init_256 -#define Hacl_Streaming_SHA2_init_224 python_hashlib_Hacl_Streaming_SHA2_init_224 -#define Hacl_Streaming_SHA2_update_256 python_hashlib_Hacl_Streaming_SHA2_update_256 -#define Hacl_Streaming_SHA2_update_224 python_hashlib_Hacl_Streaming_SHA2_update_224 -#define Hacl_Streaming_SHA2_finish_256 python_hashlib_Hacl_Streaming_SHA2_finish_256 -#define Hacl_Streaming_SHA2_finish_224 python_hashlib_Hacl_Streaming_SHA2_finish_224 -#define Hacl_Streaming_SHA2_free_256 python_hashlib_Hacl_Streaming_SHA2_free_256 -#define Hacl_Streaming_SHA2_free_224 python_hashlib_Hacl_Streaming_SHA2_free_224 -#define Hacl_Streaming_SHA2_sha256 python_hashlib_Hacl_Streaming_SHA2_sha256 -#define Hacl_Streaming_SHA2_sha224 python_hashlib_Hacl_Streaming_SHA2_sha224 #include "_hacl/Hacl_Streaming_SHA2.h" typedef struct { From 92033ad520892d39664e92e9c7e2d43fa99658d4 Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 31 Jan 2023 08:39:42 -0800 Subject: [PATCH 32/33] Stylistic fix in Modules/sha256module.c Co-authored-by: Erlend E. Aasland --- Modules/sha256module.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Modules/sha256module.c b/Modules/sha256module.c index 08335dcc1ab649..1daa7fabbd19f4 100644 --- a/Modules/sha256module.c +++ b/Modules/sha256module.c @@ -232,9 +232,8 @@ SHA256_get_name(SHAobject *self, void *closure) { if (self->digestsize == 28) { return PyUnicode_FromStringAndSize("sha224", 6); - } else { - return PyUnicode_FromStringAndSize("sha256", 6); } + return PyUnicode_FromStringAndSize("sha256", 6); } static PyGetSetDef SHA_getseters[] = { From c6705301aa34287457dd4d1c4b7fc147c3d9912e Mon Sep 17 00:00:00 2001 From: Jonathan Protzenko Date: Tue, 31 Jan 2023 09:06:25 -0800 Subject: [PATCH 33/33] Fix a warning on Windows builders --- Modules/sha256module.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Modules/sha256module.c b/Modules/sha256module.c index 1daa7fabbd19f4..630e4bf03bbe96 100644 --- a/Modules/sha256module.c +++ b/Modules/sha256module.c @@ -124,7 +124,9 @@ static void update_256(Hacl_Streaming_SHA2_state_sha2_256 *state, uint8_t *buf, len -= UINT32_MAX; buf += UINT32_MAX; } - Hacl_Streaming_SHA2_update_256(state, buf, len); + /* Cast to uint32_t is safe: upon exiting the loop, len <= UINT32_MAX, and + * therefore fits in a uint32_t */ + Hacl_Streaming_SHA2_update_256(state, buf, (uint32_t) len); }