From 625bffc69a7fdf4d2c2647bce6e9ae5ba1c3e863 Mon Sep 17 00:00:00 2001 From: Hacl Bot Date: Mon, 24 Jun 2024 10:50:51 +0000 Subject: [PATCH] [CI] update code --- include/Hacl_Gf128_NI.h | 65 ++++ include/Hacl_Hash_Blake2b.h | 41 ++- include/Hacl_Hash_Blake2b_Simd256.h | 98 ++++-- include/Hacl_Hash_Blake2s.h | 102 ++++-- include/Hacl_Hash_Blake2s_Simd128.h | 98 ++++-- include/internal/Hacl_Hash_Blake2b.h | 8 +- include/internal/Hacl_Hash_Blake2b_Simd256.h | 1 + include/internal/Hacl_Hash_Blake2s.h | 1 + include/internal/Hacl_Hash_Blake2s_Simd128.h | 1 + include/msvc/Hacl_Hash_Blake2b.h | 41 ++- include/msvc/Hacl_Hash_Blake2b_Simd256.h | 98 ++++-- include/msvc/Hacl_Hash_Blake2s.h | 102 ++++-- include/msvc/Hacl_Hash_Blake2s_Simd128.h | 98 ++++-- include/msvc/internal/Hacl_Hash_Blake2b.h | 8 +- .../msvc/internal/Hacl_Hash_Blake2b_Simd256.h | 1 + include/msvc/internal/Hacl_Hash_Blake2s.h | 1 + .../msvc/internal/Hacl_Hash_Blake2s_Simd128.h | 1 + ocaml/ctypes.depend | 6 +- ocaml/lib/Hacl_Gf128_NI_bindings.ml | 9 + .../lib/Hacl_Hash_Blake2b_Simd256_bindings.ml | 4 +- ocaml/lib/Hacl_Hash_Blake2b_bindings.ml | 19 +- .../lib/Hacl_Hash_Blake2s_Simd128_bindings.ml | 4 +- ocaml/lib/Hacl_Hash_Blake2s_bindings.ml | 22 +- ocaml/lib_gen/Hacl_Gf128_NI_gen.ml | 10 + src/EverCrypt_HMAC.c | 14 +- src/EverCrypt_Hash.c | 6 +- src/Hacl_Gf128_NI.c | 310 ++++++++++++++++++ src/Hacl_HMAC.c | 14 +- src/Hacl_HMAC_Blake2b_256.c | 3 + src/Hacl_HMAC_Blake2s_128.c | 4 +- src/Hacl_Hash_Blake2b.c | 157 ++++++--- src/Hacl_Hash_Blake2b_Simd256.c | 229 +++++++++---- src/Hacl_Hash_Blake2s.c | 240 ++++++++++---- src/Hacl_Hash_Blake2s_Simd128.c | 230 ++++++++----- src/msvc/EverCrypt_HMAC.c | 14 +- src/msvc/EverCrypt_Hash.c | 6 +- src/msvc/Hacl_HMAC.c | 14 +- src/msvc/Hacl_HMAC_Blake2b_256.c | 3 + src/msvc/Hacl_HMAC_Blake2s_128.c | 4 +- src/msvc/Hacl_Hash_Blake2b.c | 157 ++++++--- src/msvc/Hacl_Hash_Blake2b_Simd256.c | 229 +++++++++---- src/msvc/Hacl_Hash_Blake2s.c | 240 ++++++++++---- src/msvc/Hacl_Hash_Blake2s_Simd128.c | 230 ++++++++----- src/wasm/EverCrypt_Hash.wasm | Bin 58084 -> 58090 bytes src/wasm/Hacl_Bignum.wasm | Bin 74661 -> 74661 bytes src/wasm/Hacl_Bignum32.wasm | Bin 13286 -> 13286 bytes src/wasm/Hacl_Bignum_Base.wasm | Bin 24692 -> 24692 bytes src/wasm/Hacl_GenericField64.wasm | Bin 11718 -> 11718 bytes src/wasm/Hacl_HKDF_Blake2s_128.wasm | Bin 1392 -> 1392 bytes src/wasm/Hacl_HMAC.wasm | Bin 28160 -> 28174 bytes src/wasm/Hacl_Hash_Blake2b.wasm | Bin 22942 -> 23807 bytes src/wasm/Hacl_Hash_Blake2b_Simd256.wasm | Bin 11362 -> 11946 bytes src/wasm/Hacl_Hash_Blake2s.wasm | Bin 21136 -> 21925 bytes src/wasm/Hacl_Hash_Blake2s_Simd128.wasm | Bin 10194 -> 10776 bytes src/wasm/INFO.txt | 4 +- src/wasm/layouts.json | 2 +- 56 files changed, 2225 insertions(+), 724 deletions(-) create mode 100644 include/Hacl_Gf128_NI.h create mode 100644 ocaml/lib/Hacl_Gf128_NI_bindings.ml create mode 100644 ocaml/lib_gen/Hacl_Gf128_NI_gen.ml create mode 100644 src/Hacl_Gf128_NI.c diff --git a/include/Hacl_Gf128_NI.h b/include/Hacl_Gf128_NI.h new file mode 100644 index 00000000..46322a32 --- /dev/null +++ b/include/Hacl_Gf128_NI.h @@ -0,0 +1,65 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#ifndef __Hacl_Gf128_NI_H +#define __Hacl_Gf128_NI_H + +#if defined(__cplusplus) +extern "C" { +#endif + +#include +#include "krml/internal/types.h" +#include "krml/lowstar_endianness.h" +#include "krml/internal/target.h" + +#include "libintvector.h" + +void Hacl_Gf128_NI_gcm_init(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *key); + +void +Hacl_Gf128_NI_gcm_update_blocks( + Lib_IntVector_Intrinsics_vec128 *ctx, + uint32_t len, + uint8_t *text +); + +extern void +(*Hacl_Gf128_NI_gcm_update_padded)( + Lib_IntVector_Intrinsics_vec128 *x0, + uint32_t x1, + uint8_t *x2 +); + +void Hacl_Gf128_NI_gcm_emit(uint8_t *tag, Lib_IntVector_Intrinsics_vec128 *ctx); + +void Hacl_Gf128_NI_ghash(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key); + +#if defined(__cplusplus) +} +#endif + +#define __Hacl_Gf128_NI_H_DEFINED +#endif diff --git a/include/Hacl_Hash_Blake2b.h b/include/Hacl_Hash_Blake2b.h index 3403fc83..d79f13d6 100644 --- a/include/Hacl_Hash_Blake2b.h +++ b/include/Hacl_Hash_Blake2b.h @@ -53,6 +53,24 @@ typedef struct Hacl_Hash_Blake2b_blake2_params_s } Hacl_Hash_Blake2b_blake2_params; +typedef struct Hacl_Hash_Blake2b_index_s +{ + uint8_t key_length; + uint8_t digest_length; + bool last_node; +} +Hacl_Hash_Blake2b_index; + +#define HACL_HASH_BLAKE2B_BLOCK_BYTES (128U) + +#define HACL_HASH_BLAKE2B_OUT_BYTES (64U) + +#define HACL_HASH_BLAKE2B_KEY_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SALT_BYTES (16U) + +#define HACL_HASH_BLAKE2B_PERSONAL_BYTES (16U) + typedef struct K____uint64_t___uint64_t__s { uint64_t *fst; @@ -64,7 +82,8 @@ typedef struct Hacl_Hash_Blake2b_block_state_t_s { uint8_t fst; uint8_t snd; - K____uint64_t___uint64_t_ thd; + bool thd; + K____uint64_t___uint64_t_ f3; } Hacl_Hash_Blake2b_block_state_t; @@ -92,7 +111,11 @@ The caller must satisfy the following requirements. */ Hacl_Hash_Blake2b_state_t -*Hacl_Hash_Blake2b_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k); +*Hacl_Hash_Blake2b_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +); /** Specialized allocation function that picks default values for all @@ -116,7 +139,7 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void); /** General-purpose re-initialization function with parameters and -key. You cannot change digest_length or key_length, meaning those values in +key. You cannot change digest_length, key_length, or last_node, meaning those values in the parameters object must be the same as originally decided via one of the malloc functions. All other values of the parameter can be changed. The behavior is unspecified if you violate this precondition. @@ -159,10 +182,14 @@ at least `digest_length` bytes, where `digest_length` was determined by your choice of `malloc` function. Concretely, if you used `malloc` or `malloc_with_key`, then the expected length is 32 for S, or 64 for B (default digest length). If you used `malloc_with_params_and_key`, then the expected -length is whatever you chose for the `digest_length` field of your -parameters. +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_info(Hacl_Hash_Blake2b_state_t *s); /** Free state function when there is no key @@ -201,7 +228,7 @@ parameters `params` into `output`. The `key` array must be of length `params.digest_length`. */ void -Hacl_Hash_Blake2b_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/Hacl_Hash_Blake2b_Simd256.h b/include/Hacl_Hash_Blake2b_Simd256.h index af309dc8..3210987e 100644 --- a/include/Hacl_Hash_Blake2b_Simd256.h +++ b/include/Hacl_Hash_Blake2b_Simd256.h @@ -40,6 +40,16 @@ extern "C" { #include "Hacl_Hash_Blake2b.h" #include "libintvector.h" +#define HACL_HASH_BLAKE2B_SIMD256_BLOCK_BYTES (128U) + +#define HACL_HASH_BLAKE2B_SIMD256_OUT_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SIMD256_KEY_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SIMD256_SALT_BYTES (16U) + +#define HACL_HASH_BLAKE2B_SIMD256_PERSONAL_BYTES (16U) + typedef struct K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256__s { Lib_IntVector_Intrinsics_vec256 *fst; @@ -51,7 +61,8 @@ typedef struct Hacl_Hash_Blake2b_Simd256_block_state_t_s { uint8_t fst; uint8_t snd; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ thd; + bool thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ f3; } Hacl_Hash_Blake2b_Simd256_block_state_t; @@ -64,34 +75,54 @@ typedef struct Hacl_Hash_Blake2b_Simd256_state_t_s Hacl_Hash_Blake2b_Simd256_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (256 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 256 for S, 64 for B. +- The digest_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (256 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_key0(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( @@ -101,21 +132,27 @@ Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2b_Simd256_update( @@ -125,10 +162,19 @@ Hacl_Hash_Blake2b_Simd256_update( ); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 256 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_256_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_Simd256_info(Hacl_Hash_Blake2b_Simd256_state_t *s); /** Free state function when there is no key @@ -136,7 +182,7 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_copy(Hacl_Hash_Blake2b_Simd256_state_t *state); @@ -161,8 +207,14 @@ Hacl_Hash_Blake2b_Simd256_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2b digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/Hacl_Hash_Blake2s.h b/include/Hacl_Hash_Blake2s.h index ac783473..7fbf8395 100644 --- a/include/Hacl_Hash_Blake2s.h +++ b/include/Hacl_Hash_Blake2s.h @@ -38,6 +38,16 @@ extern "C" { #include "Hacl_Streaming_Types.h" #include "Hacl_Hash_Blake2b.h" +#define HACL_HASH_BLAKE2S_BLOCK_BYTES (64U) + +#define HACL_HASH_BLAKE2S_OUT_BYTES (32U) + +#define HACL_HASH_BLAKE2S_KEY_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SALT_BYTES (8U) + +#define HACL_HASH_BLAKE2S_PERSONAL_BYTES (8U) + typedef struct K____uint32_t___uint32_t__s { uint32_t *fst; @@ -49,7 +59,8 @@ typedef struct Hacl_Hash_Blake2s_block_state_t_s { uint8_t fst; uint8_t snd; - K____uint32_t___uint32_t_ thd; + bool thd; + K____uint32_t___uint32_t_ f3; } Hacl_Hash_Blake2s_block_state_t; @@ -62,30 +73,53 @@ typedef struct Hacl_Hash_Blake2s_state_t_s Hacl_Hash_Blake2s_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (32 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 32 for S, 64 for B. +- The digest_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t -*Hacl_Hash_Blake2s_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k); +*Hacl_Hash_Blake2s_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (32 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key_and_params( @@ -95,28 +129,44 @@ Hacl_Hash_Blake2s_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint32_t chunk_len); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 32 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_info(Hacl_Hash_Blake2s_state_t *s); /** Free state function when there is no key @@ -124,7 +174,7 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_state_t *state); @@ -148,8 +198,14 @@ Hacl_Hash_Blake2s_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/Hacl_Hash_Blake2s_Simd128.h b/include/Hacl_Hash_Blake2s_Simd128.h index d725ee86..d83e0f0f 100644 --- a/include/Hacl_Hash_Blake2s_Simd128.h +++ b/include/Hacl_Hash_Blake2s_Simd128.h @@ -39,6 +39,16 @@ extern "C" { #include "Hacl_Hash_Blake2b.h" #include "libintvector.h" +#define HACL_HASH_BLAKE2S_SIMD128_BLOCK_BYTES (64U) + +#define HACL_HASH_BLAKE2S_SIMD128_OUT_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SIMD128_KEY_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SIMD128_SALT_BYTES (8U) + +#define HACL_HASH_BLAKE2S_SIMD128_PERSONAL_BYTES (8U) + typedef struct K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128__s { Lib_IntVector_Intrinsics_vec128 *fst; @@ -50,7 +60,8 @@ typedef struct Hacl_Hash_Blake2s_Simd128_block_state_t_s { uint8_t fst; uint8_t snd; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ thd; + bool thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ f3; } Hacl_Hash_Blake2s_Simd128_block_state_t; @@ -63,34 +74,54 @@ typedef struct Hacl_Hash_Blake2s_Simd128_state_t_s Hacl_Hash_Blake2s_Simd128_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (128 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 128 for S, 64 for B. +- The digest_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (128 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_key0(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( @@ -100,21 +131,27 @@ Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_Simd128_update( @@ -124,10 +161,19 @@ Hacl_Hash_Blake2s_Simd128_update( ); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 128 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_128_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_Simd128_info(Hacl_Hash_Blake2s_Simd128_state_t *s); /** Free state function when there is no key @@ -135,7 +181,7 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_copy(Hacl_Hash_Blake2s_Simd128_state_t *state); @@ -160,8 +206,14 @@ Hacl_Hash_Blake2s_Simd128_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/internal/Hacl_Hash_Blake2b.h b/include/internal/Hacl_Hash_Blake2b.h index 6928d205..c29ce456 100644 --- a/include/internal/Hacl_Hash_Blake2b.h +++ b/include/internal/Hacl_Hash_Blake2b.h @@ -38,13 +38,6 @@ extern "C" { #include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2b.h" -typedef struct Hacl_Hash_Blake2b_index_s -{ - uint8_t key_length; - uint8_t digest_length; -} -Hacl_Hash_Blake2b_index; - void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); void @@ -62,6 +55,7 @@ Hacl_Hash_Blake2b_update_last( uint32_t len, uint64_t *wv, uint64_t *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d diff --git a/include/internal/Hacl_Hash_Blake2b_Simd256.h b/include/internal/Hacl_Hash_Blake2b_Simd256.h index 4dd986b2..04b091fc 100644 --- a/include/internal/Hacl_Hash_Blake2b_Simd256.h +++ b/include/internal/Hacl_Hash_Blake2b_Simd256.h @@ -58,6 +58,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d diff --git a/include/internal/Hacl_Hash_Blake2s.h b/include/internal/Hacl_Hash_Blake2s.h index eccd92de..279c472e 100644 --- a/include/internal/Hacl_Hash_Blake2s.h +++ b/include/internal/Hacl_Hash_Blake2s.h @@ -56,6 +56,7 @@ Hacl_Hash_Blake2s_update_last( uint32_t len, uint32_t *wv, uint32_t *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d diff --git a/include/internal/Hacl_Hash_Blake2s_Simd128.h b/include/internal/Hacl_Hash_Blake2s_Simd128.h index 2c422949..77505dc2 100644 --- a/include/internal/Hacl_Hash_Blake2s_Simd128.h +++ b/include/internal/Hacl_Hash_Blake2s_Simd128.h @@ -58,6 +58,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d diff --git a/include/msvc/Hacl_Hash_Blake2b.h b/include/msvc/Hacl_Hash_Blake2b.h index 3403fc83..d79f13d6 100644 --- a/include/msvc/Hacl_Hash_Blake2b.h +++ b/include/msvc/Hacl_Hash_Blake2b.h @@ -53,6 +53,24 @@ typedef struct Hacl_Hash_Blake2b_blake2_params_s } Hacl_Hash_Blake2b_blake2_params; +typedef struct Hacl_Hash_Blake2b_index_s +{ + uint8_t key_length; + uint8_t digest_length; + bool last_node; +} +Hacl_Hash_Blake2b_index; + +#define HACL_HASH_BLAKE2B_BLOCK_BYTES (128U) + +#define HACL_HASH_BLAKE2B_OUT_BYTES (64U) + +#define HACL_HASH_BLAKE2B_KEY_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SALT_BYTES (16U) + +#define HACL_HASH_BLAKE2B_PERSONAL_BYTES (16U) + typedef struct K____uint64_t___uint64_t__s { uint64_t *fst; @@ -64,7 +82,8 @@ typedef struct Hacl_Hash_Blake2b_block_state_t_s { uint8_t fst; uint8_t snd; - K____uint64_t___uint64_t_ thd; + bool thd; + K____uint64_t___uint64_t_ f3; } Hacl_Hash_Blake2b_block_state_t; @@ -92,7 +111,11 @@ The caller must satisfy the following requirements. */ Hacl_Hash_Blake2b_state_t -*Hacl_Hash_Blake2b_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k); +*Hacl_Hash_Blake2b_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +); /** Specialized allocation function that picks default values for all @@ -116,7 +139,7 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void); /** General-purpose re-initialization function with parameters and -key. You cannot change digest_length or key_length, meaning those values in +key. You cannot change digest_length, key_length, or last_node, meaning those values in the parameters object must be the same as originally decided via one of the malloc functions. All other values of the parameter can be changed. The behavior is unspecified if you violate this precondition. @@ -159,10 +182,14 @@ at least `digest_length` bytes, where `digest_length` was determined by your choice of `malloc` function. Concretely, if you used `malloc` or `malloc_with_key`, then the expected length is 32 for S, or 64 for B (default digest length). If you used `malloc_with_params_and_key`, then the expected -length is whatever you chose for the `digest_length` field of your -parameters. +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_info(Hacl_Hash_Blake2b_state_t *s); /** Free state function when there is no key @@ -201,7 +228,7 @@ parameters `params` into `output`. The `key` array must be of length `params.digest_length`. */ void -Hacl_Hash_Blake2b_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/msvc/Hacl_Hash_Blake2b_Simd256.h b/include/msvc/Hacl_Hash_Blake2b_Simd256.h index af309dc8..3210987e 100644 --- a/include/msvc/Hacl_Hash_Blake2b_Simd256.h +++ b/include/msvc/Hacl_Hash_Blake2b_Simd256.h @@ -40,6 +40,16 @@ extern "C" { #include "Hacl_Hash_Blake2b.h" #include "libintvector.h" +#define HACL_HASH_BLAKE2B_SIMD256_BLOCK_BYTES (128U) + +#define HACL_HASH_BLAKE2B_SIMD256_OUT_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SIMD256_KEY_BYTES (64U) + +#define HACL_HASH_BLAKE2B_SIMD256_SALT_BYTES (16U) + +#define HACL_HASH_BLAKE2B_SIMD256_PERSONAL_BYTES (16U) + typedef struct K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256__s { Lib_IntVector_Intrinsics_vec256 *fst; @@ -51,7 +61,8 @@ typedef struct Hacl_Hash_Blake2b_Simd256_block_state_t_s { uint8_t fst; uint8_t snd; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ thd; + bool thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ f3; } Hacl_Hash_Blake2b_Simd256_block_state_t; @@ -64,34 +75,54 @@ typedef struct Hacl_Hash_Blake2b_Simd256_state_t_s Hacl_Hash_Blake2b_Simd256_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (256 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 256 for S, 64 for B. +- The digest_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (256 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_key0(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( @@ -101,21 +132,27 @@ Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2b_Simd256_update( @@ -125,10 +162,19 @@ Hacl_Hash_Blake2b_Simd256_update( ); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 256 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_256_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_Simd256_info(Hacl_Hash_Blake2b_Simd256_state_t *s); /** Free state function when there is no key @@ -136,7 +182,7 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_copy(Hacl_Hash_Blake2b_Simd256_state_t *state); @@ -161,8 +207,14 @@ Hacl_Hash_Blake2b_Simd256_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2b digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/msvc/Hacl_Hash_Blake2s.h b/include/msvc/Hacl_Hash_Blake2s.h index ac783473..7fbf8395 100644 --- a/include/msvc/Hacl_Hash_Blake2s.h +++ b/include/msvc/Hacl_Hash_Blake2s.h @@ -38,6 +38,16 @@ extern "C" { #include "Hacl_Streaming_Types.h" #include "Hacl_Hash_Blake2b.h" +#define HACL_HASH_BLAKE2S_BLOCK_BYTES (64U) + +#define HACL_HASH_BLAKE2S_OUT_BYTES (32U) + +#define HACL_HASH_BLAKE2S_KEY_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SALT_BYTES (8U) + +#define HACL_HASH_BLAKE2S_PERSONAL_BYTES (8U) + typedef struct K____uint32_t___uint32_t__s { uint32_t *fst; @@ -49,7 +59,8 @@ typedef struct Hacl_Hash_Blake2s_block_state_t_s { uint8_t fst; uint8_t snd; - K____uint32_t___uint32_t_ thd; + bool thd; + K____uint32_t___uint32_t_ f3; } Hacl_Hash_Blake2s_block_state_t; @@ -62,30 +73,53 @@ typedef struct Hacl_Hash_Blake2s_state_t_s Hacl_Hash_Blake2s_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (32 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 32 for S, 64 for B. +- The digest_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t -*Hacl_Hash_Blake2s_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k); +*Hacl_Hash_Blake2s_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (32 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key_and_params( @@ -95,28 +129,44 @@ Hacl_Hash_Blake2s_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint32_t chunk_len); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 32 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_info(Hacl_Hash_Blake2s_state_t *s); /** Free state function when there is no key @@ -124,7 +174,7 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_state_t *state); @@ -148,8 +198,14 @@ Hacl_Hash_Blake2s_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/msvc/Hacl_Hash_Blake2s_Simd128.h b/include/msvc/Hacl_Hash_Blake2s_Simd128.h index d725ee86..d83e0f0f 100644 --- a/include/msvc/Hacl_Hash_Blake2s_Simd128.h +++ b/include/msvc/Hacl_Hash_Blake2s_Simd128.h @@ -39,6 +39,16 @@ extern "C" { #include "Hacl_Hash_Blake2b.h" #include "libintvector.h" +#define HACL_HASH_BLAKE2S_SIMD128_BLOCK_BYTES (64U) + +#define HACL_HASH_BLAKE2S_SIMD128_OUT_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SIMD128_KEY_BYTES (32U) + +#define HACL_HASH_BLAKE2S_SIMD128_SALT_BYTES (8U) + +#define HACL_HASH_BLAKE2S_SIMD128_PERSONAL_BYTES (8U) + typedef struct K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128__s { Lib_IntVector_Intrinsics_vec128 *fst; @@ -50,7 +60,8 @@ typedef struct Hacl_Hash_Blake2s_Simd128_block_state_t_s { uint8_t fst; uint8_t snd; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ thd; + bool thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ f3; } Hacl_Hash_Blake2s_Simd128_block_state_t; @@ -63,34 +74,54 @@ typedef struct Hacl_Hash_Blake2s_Simd128_state_t_s Hacl_Hash_Blake2s_Simd128_state_t; /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (128 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 128 for S, 64 for B. +- The digest_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ); /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (128 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_key0(uint8_t *k, uint8_t kk); /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void); /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( @@ -100,21 +131,27 @@ Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( ); /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *k); /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s); /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_Simd128_update( @@ -124,10 +161,19 @@ Hacl_Hash_Blake2s_Simd128_update( ); /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 128 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_128_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8_t *output); +uint8_t Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *dst); + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_Simd128_info(Hacl_Hash_Blake2s_Simd128_state_t *s); /** Free state function when there is no key @@ -135,7 +181,7 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state); /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_copy(Hacl_Hash_Blake2s_Simd128_state_t *state); @@ -160,8 +206,14 @@ Hacl_Hash_Blake2s_Simd128_hash_with_key( uint32_t key_len ); +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/include/msvc/internal/Hacl_Hash_Blake2b.h b/include/msvc/internal/Hacl_Hash_Blake2b.h index 6928d205..c29ce456 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2b.h +++ b/include/msvc/internal/Hacl_Hash_Blake2b.h @@ -38,13 +38,6 @@ extern "C" { #include "internal/Hacl_Impl_Blake2_Constants.h" #include "../Hacl_Hash_Blake2b.h" -typedef struct Hacl_Hash_Blake2b_index_s -{ - uint8_t key_length; - uint8_t digest_length; -} -Hacl_Hash_Blake2b_index; - void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn); void @@ -62,6 +55,7 @@ Hacl_Hash_Blake2b_update_last( uint32_t len, uint64_t *wv, uint64_t *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d diff --git a/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h b/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h index 4dd986b2..04b091fc 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h +++ b/include/msvc/internal/Hacl_Hash_Blake2b_Simd256.h @@ -58,6 +58,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d diff --git a/include/msvc/internal/Hacl_Hash_Blake2s.h b/include/msvc/internal/Hacl_Hash_Blake2s.h index eccd92de..279c472e 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2s.h +++ b/include/msvc/internal/Hacl_Hash_Blake2s.h @@ -56,6 +56,7 @@ Hacl_Hash_Blake2s_update_last( uint32_t len, uint32_t *wv, uint32_t *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d diff --git a/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h b/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h index 2c422949..77505dc2 100644 --- a/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h +++ b/include/msvc/internal/Hacl_Hash_Blake2s_Simd128.h @@ -58,6 +58,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d diff --git a/ocaml/ctypes.depend b/ocaml/ctypes.depend index d94fad90..4592c84e 100644 --- a/ocaml/ctypes.depend +++ b/ocaml/ctypes.depend @@ -1,4 +1,4 @@ -CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2b_stubs.cmx lib/Hacl_Hash_Blake2b_bindings.cmx lib/Hacl_Hash_Blake2s_stubs.cmx lib/Hacl_Hash_Blake2s_bindings.cmx lib/Hacl_Hash_Blake2b_Simd256_stubs.cmx lib/Hacl_Hash_Blake2b_Simd256_bindings.cmx lib/Hacl_Hash_Blake2s_Simd128_stubs.cmx lib/Hacl_Hash_Blake2s_Simd128_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/Hacl_Hash_SHA3_Simd256_stubs.cmx lib/Hacl_Hash_SHA3_Simd256_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_MAC_Poly1305_stubs.cmx lib/Hacl_MAC_Poly1305_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx lib/Hacl_MAC_Poly1305_Simd128_stubs.cmx lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx lib/Hacl_MAC_Poly1305_Simd256_stubs.cmx lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx +CTYPES_DEPS=lib/Hacl_Streaming_Types_stubs.cmx lib/Hacl_Streaming_Types_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_bindings.cmx lib/Hacl_Hash_Blake2b_stubs.cmx lib/Hacl_Hash_Blake2b_bindings.cmx lib/Hacl_Hash_Blake2s_stubs.cmx lib/Hacl_Hash_Blake2s_bindings.cmx lib/Hacl_Hash_Blake2b_Simd256_stubs.cmx lib/Hacl_Hash_Blake2b_Simd256_bindings.cmx lib/Hacl_Hash_Blake2s_Simd128_stubs.cmx lib/Hacl_Hash_Blake2s_Simd128_bindings.cmx lib/Hacl_Hash_Base_stubs.cmx lib/Hacl_Hash_Base_bindings.cmx lib/Hacl_Hash_SHA1_stubs.cmx lib/Hacl_Hash_SHA1_bindings.cmx lib/Hacl_Hash_SHA2_stubs.cmx lib/Hacl_Hash_SHA2_bindings.cmx lib/Hacl_HMAC_stubs.cmx lib/Hacl_HMAC_bindings.cmx lib/Hacl_HMAC_Blake2s_128_stubs.cmx lib/Hacl_HMAC_Blake2s_128_bindings.cmx lib/Hacl_HMAC_Blake2b_256_stubs.cmx lib/Hacl_HMAC_Blake2b_256_bindings.cmx lib/Hacl_Hash_SHA3_stubs.cmx lib/Hacl_Hash_SHA3_bindings.cmx lib/Hacl_SHA2_Types_stubs.cmx lib/Hacl_SHA2_Types_bindings.cmx lib/Hacl_Hash_SHA3_Simd256_stubs.cmx lib/Hacl_Hash_SHA3_Simd256_bindings.cmx lib/Hacl_Hash_MD5_stubs.cmx lib/Hacl_Hash_MD5_bindings.cmx lib/EverCrypt_Error_stubs.cmx lib/EverCrypt_Error_bindings.cmx lib/EverCrypt_AutoConfig2_stubs.cmx lib/EverCrypt_AutoConfig2_bindings.cmx lib/EverCrypt_Hash_stubs.cmx lib/EverCrypt_Hash_bindings.cmx lib/Hacl_Chacha20_stubs.cmx lib/Hacl_Chacha20_bindings.cmx lib/Hacl_Salsa20_stubs.cmx lib/Hacl_Salsa20_bindings.cmx lib/Hacl_Bignum_Base_stubs.cmx lib/Hacl_Bignum_Base_bindings.cmx lib/Hacl_Bignum_stubs.cmx lib/Hacl_Bignum_bindings.cmx lib/Hacl_Curve25519_64_stubs.cmx lib/Hacl_Curve25519_64_bindings.cmx lib/Hacl_Bignum25519_51_stubs.cmx lib/Hacl_Bignum25519_51_bindings.cmx lib/Hacl_Curve25519_51_stubs.cmx lib/Hacl_Curve25519_51_bindings.cmx lib/Hacl_MAC_Poly1305_stubs.cmx lib/Hacl_MAC_Poly1305_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_bindings.cmx lib/Hacl_MAC_Poly1305_Simd128_stubs.cmx lib/Hacl_MAC_Poly1305_Simd128_bindings.cmx lib/Hacl_Chacha20_Vec128_stubs.cmx lib/Hacl_Chacha20_Vec128_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.cmx lib/Hacl_MAC_Poly1305_Simd256_stubs.cmx lib/Hacl_MAC_Poly1305_Simd256_bindings.cmx lib/Hacl_Chacha20_Vec256_stubs.cmx lib/Hacl_Chacha20_Vec256_bindings.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_stubs.cmx lib/Hacl_AEAD_Chacha20Poly1305_Simd256_bindings.cmx lib/Hacl_Ed25519_stubs.cmx lib/Hacl_Ed25519_bindings.cmx lib/Hacl_NaCl_stubs.cmx lib/Hacl_NaCl_bindings.cmx lib/Hacl_P256_stubs.cmx lib/Hacl_P256_bindings.cmx lib/Hacl_Bignum_K256_stubs.cmx lib/Hacl_Bignum_K256_bindings.cmx lib/Hacl_K256_ECDSA_stubs.cmx lib/Hacl_K256_ECDSA_bindings.cmx lib/Hacl_Frodo_KEM_stubs.cmx lib/Hacl_Frodo_KEM_bindings.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_stubs.cmx lib/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.cmx lib/Hacl_IntTypes_Intrinsics_stubs.cmx lib/Hacl_IntTypes_Intrinsics_bindings.cmx lib/Hacl_IntTypes_Intrinsics_128_stubs.cmx lib/Hacl_IntTypes_Intrinsics_128_bindings.cmx lib/Hacl_RSAPSS_stubs.cmx lib/Hacl_RSAPSS_bindings.cmx lib/Hacl_FFDHE_stubs.cmx lib/Hacl_FFDHE_bindings.cmx lib/Hacl_Gf128_NI_stubs.cmx lib/Hacl_Gf128_NI_bindings.cmx lib/Hacl_Frodo640_stubs.cmx lib/Hacl_Frodo640_bindings.cmx lib/Hacl_HKDF_stubs.cmx lib/Hacl_HKDF_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA512_bindings.cmx lib/EverCrypt_Cipher_stubs.cmx lib/EverCrypt_Cipher_bindings.cmx lib/Hacl_GenericField32_stubs.cmx lib/Hacl_GenericField32_bindings.cmx lib/Hacl_SHA2_Vec256_stubs.cmx lib/Hacl_SHA2_Vec256_bindings.cmx lib/Hacl_EC_K256_stubs.cmx lib/Hacl_EC_K256_bindings.cmx lib/Hacl_Bignum4096_stubs.cmx lib/Hacl_Bignum4096_bindings.cmx lib/Hacl_Chacha20_Vec32_stubs.cmx lib/Hacl_Chacha20_Vec32_bindings.cmx lib/EverCrypt_Ed25519_stubs.cmx lib/EverCrypt_Ed25519_bindings.cmx lib/Hacl_Bignum4096_32_stubs.cmx lib/Hacl_Bignum4096_32_bindings.cmx lib/EverCrypt_HMAC_stubs.cmx lib/EverCrypt_HMAC_bindings.cmx lib/Hacl_HMAC_DRBG_stubs.cmx lib/Hacl_HMAC_DRBG_bindings.cmx lib/EverCrypt_DRBG_stubs.cmx lib/EverCrypt_DRBG_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP128_SHA256_bindings.cmx lib/EverCrypt_Curve25519_stubs.cmx lib/EverCrypt_Curve25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA512_bindings.cmx lib/Hacl_Frodo976_stubs.cmx lib/Hacl_Frodo976_bindings.cmx lib/Hacl_HKDF_Blake2s_128_stubs.cmx lib/Hacl_HKDF_Blake2s_128_bindings.cmx lib/Hacl_GenericField64_stubs.cmx lib/Hacl_GenericField64_bindings.cmx lib/Hacl_Frodo1344_stubs.cmx lib/Hacl_Frodo1344_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA512_bindings.cmx lib/Hacl_Bignum32_stubs.cmx lib/Hacl_Bignum32_bindings.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP128_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP128_SHA256_bindings.cmx lib/Hacl_Bignum256_32_stubs.cmx lib/Hacl_Bignum256_32_bindings.cmx lib/Hacl_SHA2_Vec128_stubs.cmx lib/Hacl_SHA2_Vec128_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA256_bindings.cmx lib/EverCrypt_Poly1305_stubs.cmx lib/EverCrypt_Poly1305_bindings.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve51_CP32_SHA512_bindings.cmx lib/Hacl_HPKE_P256_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP256_SHA256_bindings.cmx lib/Hacl_HPKE_P256_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_P256_CP32_SHA256_bindings.cmx lib/Hacl_Bignum64_stubs.cmx lib/Hacl_Bignum64_bindings.cmx lib/Hacl_Frodo64_stubs.cmx lib/Hacl_Frodo64_bindings.cmx lib/Hacl_HKDF_Blake2b_256_stubs.cmx lib/Hacl_HKDF_Blake2b_256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA256_bindings.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_stubs.cmx lib/Hacl_HPKE_Curve64_CP32_SHA512_bindings.cmx lib/EverCrypt_HKDF_stubs.cmx lib/EverCrypt_HKDF_bindings.cmx lib/Hacl_EC_Ed25519_stubs.cmx lib/Hacl_EC_Ed25519_bindings.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_stubs.cmx lib/Hacl_HPKE_Curve51_CP256_SHA256_bindings.cmx lib/EverCrypt_Chacha20Poly1305_stubs.cmx lib/EverCrypt_Chacha20Poly1305_bindings.cmx lib/EverCrypt_AEAD_stubs.cmx lib/EverCrypt_AEAD_bindings.cmx lib/Hacl_Bignum256_stubs.cmx lib/Hacl_Bignum256_bindings.cmx lib/Hacl_Streaming_Types_bindings.cmx: lib/Hacl_Streaming_Types_bindings.cmo: lib_gen/Hacl_Streaming_Types_gen.cmx: lib/Hacl_Streaming_Types_bindings.cmx @@ -179,6 +179,10 @@ lib/Hacl_FFDHE_bindings.cmx: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_FFDHE_bindings.cmo: lib/Hacl_Spec_bindings.cmo lib/Hacl_Spec_stubs.cmo lib_gen/Hacl_FFDHE_gen.cmx: lib/Hacl_FFDHE_bindings.cmx lib_gen/Hacl_FFDHE_gen.exe: lib/Hacl_Spec_bindings.cmx lib/Hacl_Spec_stubs.cmx lib/Hacl_Spec_c_stubs.o lib/Hacl_FFDHE_bindings.cmx lib_gen/Hacl_FFDHE_gen.cmx +lib/Hacl_Gf128_NI_bindings.cmx: +lib/Hacl_Gf128_NI_bindings.cmo: +lib_gen/Hacl_Gf128_NI_gen.cmx: lib/Hacl_Gf128_NI_bindings.cmx +lib_gen/Hacl_Gf128_NI_gen.exe: lib/Hacl_Gf128_NI_bindings.cmx lib_gen/Hacl_Gf128_NI_gen.cmx lib/Hacl_Frodo640_bindings.cmx: lib/Hacl_Frodo640_bindings.cmo: lib_gen/Hacl_Frodo640_gen.cmx: lib/Hacl_Frodo640_bindings.cmx diff --git a/ocaml/lib/Hacl_Gf128_NI_bindings.ml b/ocaml/lib/Hacl_Gf128_NI_bindings.ml new file mode 100644 index 00000000..f5cc7c47 --- /dev/null +++ b/ocaml/lib/Hacl_Gf128_NI_bindings.ml @@ -0,0 +1,9 @@ +open Ctypes +module Bindings(F:Cstubs.FOREIGN) = + struct + open F + let hacl_Gf128_NI_ghash = + foreign "Hacl_Gf128_NI_ghash" + (ocaml_bytes @-> + (uint32_t @-> (ocaml_bytes @-> (ocaml_bytes @-> (returning void))))) + end \ No newline at end of file diff --git a/ocaml/lib/Hacl_Hash_Blake2b_Simd256_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2b_Simd256_bindings.ml index 1c132a7a..8fdc5be6 100644 --- a/ocaml/lib/Hacl_Hash_Blake2b_Simd256_bindings.ml +++ b/ocaml/lib/Hacl_Hash_Blake2b_Simd256_bindings.ml @@ -15,8 +15,8 @@ module Bindings(F:Cstubs.FOREIGN) = (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))))) - let hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas = - foreign "Hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas" + let hacl_Hash_Blake2b_Simd256_hash_with_key_and_params = + foreign "Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params" (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> diff --git a/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml index 7ba4fcf6..ba084942 100644 --- a/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml +++ b/ocaml/lib/Hacl_Hash_Blake2b_bindings.ml @@ -39,6 +39,8 @@ module Bindings(F:Cstubs.FOREIGN) = field hacl_Hash_Blake2b_index "key_length" uint8_t let hacl_Hash_Blake2b_index_digest_length = field hacl_Hash_Blake2b_index "digest_length" uint8_t + let hacl_Hash_Blake2b_index_last_node = + field hacl_Hash_Blake2b_index "last_node" bool let _ = seal hacl_Hash_Blake2b_index let hacl_Hash_Blake2b_init = foreign "Hacl_Hash_Blake2b_init" @@ -65,7 +67,9 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Hash_Blake2b_block_state_t_snd = field hacl_Hash_Blake2b_block_state_t "snd" uint8_t let hacl_Hash_Blake2b_block_state_t_thd = - field hacl_Hash_Blake2b_block_state_t "thd" k____uint64_t___uint64_t_ + field hacl_Hash_Blake2b_block_state_t "thd" bool + let hacl_Hash_Blake2b_block_state_t_f3 = + field hacl_Hash_Blake2b_block_state_t "f3" k____uint64_t___uint64_t_ let _ = seal hacl_Hash_Blake2b_block_state_t type hacl_Hash_Blake2b_state_t = [ `hacl_Hash_Blake2b_state_t ] structure let (hacl_Hash_Blake2b_state_t : @@ -82,7 +86,8 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Hash_Blake2b_malloc_with_params_and_key = foreign "Hacl_Hash_Blake2b_malloc_with_params_and_key" ((ptr hacl_Hash_Blake2b_blake2_params) @-> - (ocaml_bytes @-> (returning (ptr hacl_Hash_Blake2b_state_t)))) + (bool @-> + (ocaml_bytes @-> (returning (ptr hacl_Hash_Blake2b_state_t))))) let hacl_Hash_Blake2b_malloc_with_key = foreign "Hacl_Hash_Blake2b_malloc_with_key" (ocaml_bytes @-> @@ -110,7 +115,11 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Hash_Blake2b_digest = foreign "Hacl_Hash_Blake2b_digest" ((ptr hacl_Hash_Blake2b_state_t) @-> - (ocaml_bytes @-> (returning void))) + (ocaml_bytes @-> (returning uint8_t))) + let hacl_Hash_Blake2b_info = + foreign "Hacl_Hash_Blake2b_info" + ((ptr hacl_Hash_Blake2b_state_t) @-> + (returning hacl_Hash_Blake2b_index)) let hacl_Hash_Blake2b_free = foreign "Hacl_Hash_Blake2b_free" ((ptr hacl_Hash_Blake2b_state_t) @-> (returning void)) @@ -125,8 +134,8 @@ module Bindings(F:Cstubs.FOREIGN) = (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))))) - let hacl_Hash_Blake2b_hash_with_key_and_paramas = - foreign "Hacl_Hash_Blake2b_hash_with_key_and_paramas" + let hacl_Hash_Blake2b_hash_with_key_and_params = + foreign "Hacl_Hash_Blake2b_hash_with_key_and_params" (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> diff --git a/ocaml/lib/Hacl_Hash_Blake2s_Simd128_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2s_Simd128_bindings.ml index 6533ddbc..75fbbf39 100644 --- a/ocaml/lib/Hacl_Hash_Blake2s_Simd128_bindings.ml +++ b/ocaml/lib/Hacl_Hash_Blake2s_Simd128_bindings.ml @@ -15,8 +15,8 @@ module Bindings(F:Cstubs.FOREIGN) = (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))))) - let hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas = - foreign "Hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas" + let hacl_Hash_Blake2s_Simd128_hash_with_key_and_params = + foreign "Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params" (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> diff --git a/ocaml/lib/Hacl_Hash_Blake2s_bindings.ml b/ocaml/lib/Hacl_Hash_Blake2s_bindings.ml index f6c93e89..34336a6c 100644 --- a/ocaml/lib/Hacl_Hash_Blake2s_bindings.ml +++ b/ocaml/lib/Hacl_Hash_Blake2s_bindings.ml @@ -23,8 +23,9 @@ module Bindings(F:Cstubs.FOREIGN) = (uint32_t @-> ((ptr uint32_t) @-> ((ptr uint32_t) @-> - (uint64_t @-> - (uint32_t @-> (ocaml_bytes @-> (returning void))))))) + (bool @-> + (uint64_t @-> + (uint32_t @-> (ocaml_bytes @-> (returning void)))))))) let hacl_Hash_Blake2s_finish = foreign "Hacl_Hash_Blake2s_finish" (uint32_t @-> (ocaml_bytes @-> ((ptr uint32_t) @-> (returning void)))) @@ -47,7 +48,9 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Hash_Blake2s_block_state_t_snd = field hacl_Hash_Blake2s_block_state_t "snd" uint8_t let hacl_Hash_Blake2s_block_state_t_thd = - field hacl_Hash_Blake2s_block_state_t "thd" k____uint32_t___uint32_t_ + field hacl_Hash_Blake2s_block_state_t "thd" bool + let hacl_Hash_Blake2s_block_state_t_f3 = + field hacl_Hash_Blake2s_block_state_t "f3" k____uint32_t___uint32_t_ let _ = seal hacl_Hash_Blake2s_block_state_t type hacl_Hash_Blake2s_state_t = [ `hacl_Hash_Blake2s_state_t ] structure let (hacl_Hash_Blake2s_state_t : @@ -64,7 +67,8 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Hash_Blake2s_malloc_with_params_and_key = foreign "Hacl_Hash_Blake2s_malloc_with_params_and_key" ((ptr hacl_Hash_Blake2b_blake2_params) @-> - (ocaml_bytes @-> (returning (ptr hacl_Hash_Blake2s_state_t)))) + (bool @-> + (ocaml_bytes @-> (returning (ptr hacl_Hash_Blake2s_state_t))))) let hacl_Hash_Blake2s_malloc_with_key = foreign "Hacl_Hash_Blake2s_malloc_with_key" (ocaml_bytes @-> @@ -92,7 +96,11 @@ module Bindings(F:Cstubs.FOREIGN) = let hacl_Hash_Blake2s_digest = foreign "Hacl_Hash_Blake2s_digest" ((ptr hacl_Hash_Blake2s_state_t) @-> - (ocaml_bytes @-> (returning void))) + (ocaml_bytes @-> (returning uint8_t))) + let hacl_Hash_Blake2s_info = + foreign "Hacl_Hash_Blake2s_info" + ((ptr hacl_Hash_Blake2s_state_t) @-> + (returning hacl_Hash_Blake2b_index)) let hacl_Hash_Blake2s_free = foreign "Hacl_Hash_Blake2s_free" ((ptr hacl_Hash_Blake2s_state_t) @-> (returning void)) @@ -107,8 +115,8 @@ module Bindings(F:Cstubs.FOREIGN) = (ocaml_bytes @-> (uint32_t @-> (ocaml_bytes @-> (uint32_t @-> (returning void))))))) - let hacl_Hash_Blake2s_hash_with_key_and_paramas = - foreign "Hacl_Hash_Blake2s_hash_with_key_and_paramas" + let hacl_Hash_Blake2s_hash_with_key_and_params = + foreign "Hacl_Hash_Blake2s_hash_with_key_and_params" (ocaml_bytes @-> (ocaml_bytes @-> (uint32_t @-> diff --git a/ocaml/lib_gen/Hacl_Gf128_NI_gen.ml b/ocaml/lib_gen/Hacl_Gf128_NI_gen.ml new file mode 100644 index 00000000..daa5fae1 --- /dev/null +++ b/ocaml/lib_gen/Hacl_Gf128_NI_gen.ml @@ -0,0 +1,10 @@ +let _ = + (((Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Gf128_NI_stubs.ml"); + Cstubs.write_ml Format.std_formatter ~prefix:"" + (module Hacl_Gf128_NI_bindings.Bindings)); + Format.set_formatter_out_channel + (open_out_bin "lib/Hacl_Gf128_NI_c_stubs.c")); + Format.printf "#include \"Hacl_Gf128_NI.h\"\n"); + Cstubs.write_c Format.std_formatter ~prefix:"" + (module Hacl_Gf128_NI_bindings.Bindings) \ No newline at end of file diff --git a/src/EverCrypt_HMAC.c b/src/EverCrypt_HMAC.c index 90bcaaac..844aed81 100644 --- a/src/EverCrypt_HMAC.c +++ b/src/EverCrypt_HMAC.c @@ -620,7 +620,7 @@ EverCrypt_HMAC_compute_blake2s( if (data_len == 0U) { uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_Blake2s_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); } else { @@ -655,6 +655,7 @@ EverCrypt_HMAC_compute_blake2s( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -693,6 +694,7 @@ EverCrypt_HMAC_compute_blake2s( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -757,7 +759,13 @@ EverCrypt_HMAC_compute_blake2b( if (data_len == 0U) { uint64_t wv[16U] = { 0U }; - Hacl_Hash_Blake2b_update_last(128U, wv, s0, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); + Hacl_Hash_Blake2b_update_last(128U, + wv, + s0, + false, + FStar_UInt128_uint64_to_uint128(0ULL), + 128U, + ipad); } else { @@ -792,6 +800,7 @@ EverCrypt_HMAC_compute_blake2b( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -831,6 +840,7 @@ EverCrypt_HMAC_compute_blake2b( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/EverCrypt_Hash.c b/src/EverCrypt_Hash.c index bfafa9be..153063cc 100644 --- a/src/EverCrypt_Hash.c +++ b/src/EverCrypt_Hash.c @@ -616,7 +616,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ { uint32_t *p1 = scrut.case_Blake2S_s; uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(last_len, wv, p1, prev_len, last_len, last); + Hacl_Hash_Blake2s_update_last(last_len, wv, p1, false, prev_len, last_len, last); return; } if (scrut.tag == Blake2S_128_s) @@ -624,7 +624,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; #if HACL_CAN_COMPILE_VEC128 KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; - Hacl_Hash_Blake2s_Simd128_update_last(last_len, wv, p1, prev_len, last_len, last); + Hacl_Hash_Blake2s_Simd128_update_last(last_len, wv, p1, false, prev_len, last_len, last); return; #else KRML_MAYBE_UNUSED_VAR(p1); @@ -638,6 +638,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ Hacl_Hash_Blake2b_update_last(last_len, wv, p1, + false, FStar_UInt128_uint64_to_uint128(prev_len), last_len, last); @@ -651,6 +652,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ Hacl_Hash_Blake2b_Simd256_update_last(last_len, wv, p1, + false, FStar_UInt128_uint64_to_uint128(prev_len), last_len, last); diff --git a/src/Hacl_Gf128_NI.c b/src/Hacl_Gf128_NI.c new file mode 100644 index 00000000..9f28b485 --- /dev/null +++ b/src/Hacl_Gf128_NI.c @@ -0,0 +1,310 @@ +/* MIT License + * + * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation + * Copyright (c) 2022-2023 HACL* Contributors + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + + +#include "Hacl_Gf128_NI.h" + +static inline void +fadd0(Lib_IntVector_Intrinsics_vec128 *x, Lib_IntVector_Intrinsics_vec128 *y) +{ + x[0U] = Lib_IntVector_Intrinsics_vec128_xor(x[0U], y[0U]); +} + +static inline void +fmul0(Lib_IntVector_Intrinsics_vec128 *x, Lib_IntVector_Intrinsics_vec128 *y) +{ + Lib_IntVector_Intrinsics_vec128 xe = x[0U]; + Lib_IntVector_Intrinsics_vec128 ye = y[0U]; + Lib_IntVector_Intrinsics_vec128 lo0 = Lib_IntVector_Intrinsics_ni_clmul(xe, ye, 0x00U); + Lib_IntVector_Intrinsics_vec128 m1 = Lib_IntVector_Intrinsics_ni_clmul(xe, ye, 0x10U); + Lib_IntVector_Intrinsics_vec128 m2 = Lib_IntVector_Intrinsics_ni_clmul(xe, ye, 0x01U); + Lib_IntVector_Intrinsics_vec128 hi = Lib_IntVector_Intrinsics_ni_clmul(xe, ye, 0x11U); + Lib_IntVector_Intrinsics_vec128 m11 = Lib_IntVector_Intrinsics_vec128_xor(m1, m2); + Lib_IntVector_Intrinsics_vec128 m21 = Lib_IntVector_Intrinsics_vec128_shift_left(m11, 64U); + Lib_IntVector_Intrinsics_vec128 m12 = Lib_IntVector_Intrinsics_vec128_shift_right(m11, 64U); + Lib_IntVector_Intrinsics_vec128 lo10 = Lib_IntVector_Intrinsics_vec128_xor(lo0, m21); + Lib_IntVector_Intrinsics_vec128 hi10 = Lib_IntVector_Intrinsics_vec128_xor(hi, m12); + Lib_IntVector_Intrinsics_vec128 hi0 = hi10; + Lib_IntVector_Intrinsics_vec128 lo = lo10; + Lib_IntVector_Intrinsics_vec128 lo1 = Lib_IntVector_Intrinsics_vec128_shift_right64(lo, 63U); + Lib_IntVector_Intrinsics_vec128 lo2 = Lib_IntVector_Intrinsics_vec128_shift_left(lo1, 64U); + Lib_IntVector_Intrinsics_vec128 lo3 = Lib_IntVector_Intrinsics_vec128_shift_left64(lo, 1U); + Lib_IntVector_Intrinsics_vec128 lo31 = Lib_IntVector_Intrinsics_vec128_xor(lo3, lo2); + Lib_IntVector_Intrinsics_vec128 hi1 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi0, 63U); + Lib_IntVector_Intrinsics_vec128 hi11 = Lib_IntVector_Intrinsics_vec128_shift_left(hi1, 64U); + Lib_IntVector_Intrinsics_vec128 hi2 = Lib_IntVector_Intrinsics_vec128_shift_left64(hi0, 1U); + Lib_IntVector_Intrinsics_vec128 hi21 = Lib_IntVector_Intrinsics_vec128_xor(hi2, hi11); + Lib_IntVector_Intrinsics_vec128 lo11 = Lib_IntVector_Intrinsics_vec128_shift_right64(lo, 63U); + Lib_IntVector_Intrinsics_vec128 lo12 = Lib_IntVector_Intrinsics_vec128_shift_right(lo11, 64U); + Lib_IntVector_Intrinsics_vec128 hi22 = Lib_IntVector_Intrinsics_vec128_xor(hi21, lo12); + Lib_IntVector_Intrinsics_vec128 lo4 = lo31; + Lib_IntVector_Intrinsics_vec128 hi3 = hi22; + Lib_IntVector_Intrinsics_vec128 lo13 = Lib_IntVector_Intrinsics_vec128_shift_left64(lo4, 63U); + Lib_IntVector_Intrinsics_vec128 lo21 = Lib_IntVector_Intrinsics_vec128_shift_left64(lo4, 62U); + Lib_IntVector_Intrinsics_vec128 lo32 = Lib_IntVector_Intrinsics_vec128_shift_left64(lo4, 57U); + Lib_IntVector_Intrinsics_vec128 lo14 = Lib_IntVector_Intrinsics_vec128_xor(lo13, lo21); + Lib_IntVector_Intrinsics_vec128 lo15 = Lib_IntVector_Intrinsics_vec128_xor(lo14, lo32); + Lib_IntVector_Intrinsics_vec128 lo22 = Lib_IntVector_Intrinsics_vec128_shift_right(lo15, 64U); + Lib_IntVector_Intrinsics_vec128 lo33 = Lib_IntVector_Intrinsics_vec128_shift_left(lo15, 64U); + Lib_IntVector_Intrinsics_vec128 lo5 = Lib_IntVector_Intrinsics_vec128_xor(lo4, lo33); + Lib_IntVector_Intrinsics_vec128 lo_ = lo22; + Lib_IntVector_Intrinsics_vec128 lo16 = Lib_IntVector_Intrinsics_vec128_shift_right64(lo5, 1U); + Lib_IntVector_Intrinsics_vec128 lo23 = Lib_IntVector_Intrinsics_vec128_shift_right64(lo5, 2U); + Lib_IntVector_Intrinsics_vec128 lo34 = Lib_IntVector_Intrinsics_vec128_shift_right64(lo5, 7U); + Lib_IntVector_Intrinsics_vec128 lo17 = Lib_IntVector_Intrinsics_vec128_xor(lo16, lo23); + Lib_IntVector_Intrinsics_vec128 lo18 = Lib_IntVector_Intrinsics_vec128_xor(lo17, lo34); + Lib_IntVector_Intrinsics_vec128 lo19 = Lib_IntVector_Intrinsics_vec128_xor(lo18, lo_); + Lib_IntVector_Intrinsics_vec128 lo6 = Lib_IntVector_Intrinsics_vec128_xor(lo5, lo19); + Lib_IntVector_Intrinsics_vec128 lo7 = Lib_IntVector_Intrinsics_vec128_xor(lo6, hi3); + Lib_IntVector_Intrinsics_vec128 lo110 = lo7; + x[0U] = lo110; +} + +static inline void load_precompute_r(Lib_IntVector_Intrinsics_vec128 *pre, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec128 *r4 = pre; + Lib_IntVector_Intrinsics_vec128 *r3 = pre + 1U; + Lib_IntVector_Intrinsics_vec128 *r2 = pre + 2U; + Lib_IntVector_Intrinsics_vec128 *r1 = pre + 3U; + r1[0U] = Lib_IntVector_Intrinsics_vec128_load_be(key); + r4[0U] = r1[0U]; + r3[0U] = r1[0U]; + r2[0U] = r1[0U]; + fmul0(r2, r1); + fmul0(r3, r2); + fmul0(r4, r3); +} + +static inline void +normalize4( + Lib_IntVector_Intrinsics_vec128 *acc, + Lib_IntVector_Intrinsics_vec128 *x, + Lib_IntVector_Intrinsics_vec128 *pre +) +{ + Lib_IntVector_Intrinsics_vec128 x1 = x[0U]; + Lib_IntVector_Intrinsics_vec128 x2 = x[1U]; + Lib_IntVector_Intrinsics_vec128 x3 = x[2U]; + Lib_IntVector_Intrinsics_vec128 x4 = x[3U]; + Lib_IntVector_Intrinsics_vec128 y1 = pre[0U]; + Lib_IntVector_Intrinsics_vec128 y2 = pre[1U]; + Lib_IntVector_Intrinsics_vec128 y3 = pre[2U]; + Lib_IntVector_Intrinsics_vec128 y4 = pre[3U]; + Lib_IntVector_Intrinsics_vec128 lo10 = Lib_IntVector_Intrinsics_ni_clmul(x1, y1, 0x00U); + Lib_IntVector_Intrinsics_vec128 lo2 = Lib_IntVector_Intrinsics_ni_clmul(x2, y2, 0x00U); + Lib_IntVector_Intrinsics_vec128 lo30 = Lib_IntVector_Intrinsics_ni_clmul(x3, y3, 0x00U); + Lib_IntVector_Intrinsics_vec128 lo40 = Lib_IntVector_Intrinsics_ni_clmul(x4, y4, 0x00U); + Lib_IntVector_Intrinsics_vec128 lo0 = Lib_IntVector_Intrinsics_vec128_xor(lo10, lo2); + Lib_IntVector_Intrinsics_vec128 lo5 = Lib_IntVector_Intrinsics_vec128_xor(lo0, lo30); + Lib_IntVector_Intrinsics_vec128 lo6 = Lib_IntVector_Intrinsics_vec128_xor(lo5, lo40); + Lib_IntVector_Intrinsics_vec128 m1 = Lib_IntVector_Intrinsics_ni_clmul(x1, y1, 0x10U); + Lib_IntVector_Intrinsics_vec128 m2 = Lib_IntVector_Intrinsics_ni_clmul(x2, y2, 0x10U); + Lib_IntVector_Intrinsics_vec128 m3 = Lib_IntVector_Intrinsics_ni_clmul(x3, y3, 0x10U); + Lib_IntVector_Intrinsics_vec128 m4 = Lib_IntVector_Intrinsics_ni_clmul(x4, y4, 0x10U); + Lib_IntVector_Intrinsics_vec128 m = Lib_IntVector_Intrinsics_vec128_xor(m1, m2); + Lib_IntVector_Intrinsics_vec128 m5 = Lib_IntVector_Intrinsics_vec128_xor(m, m3); + Lib_IntVector_Intrinsics_vec128 m6 = Lib_IntVector_Intrinsics_vec128_xor(m5, m4); + Lib_IntVector_Intrinsics_vec128 m11 = Lib_IntVector_Intrinsics_ni_clmul(x1, y1, 0x01U); + Lib_IntVector_Intrinsics_vec128 m21 = Lib_IntVector_Intrinsics_ni_clmul(x2, y2, 0x01U); + Lib_IntVector_Intrinsics_vec128 m31 = Lib_IntVector_Intrinsics_ni_clmul(x3, y3, 0x01U); + Lib_IntVector_Intrinsics_vec128 m41 = Lib_IntVector_Intrinsics_ni_clmul(x4, y4, 0x01U); + Lib_IntVector_Intrinsics_vec128 m7 = Lib_IntVector_Intrinsics_vec128_xor(m6, m11); + Lib_IntVector_Intrinsics_vec128 m8 = Lib_IntVector_Intrinsics_vec128_xor(m7, m21); + Lib_IntVector_Intrinsics_vec128 m9 = Lib_IntVector_Intrinsics_vec128_xor(m8, m31); + Lib_IntVector_Intrinsics_vec128 m10 = Lib_IntVector_Intrinsics_vec128_xor(m9, m41); + Lib_IntVector_Intrinsics_vec128 hi10 = Lib_IntVector_Intrinsics_ni_clmul(x1, y1, 0x11U); + Lib_IntVector_Intrinsics_vec128 hi20 = Lib_IntVector_Intrinsics_ni_clmul(x2, y2, 0x11U); + Lib_IntVector_Intrinsics_vec128 hi30 = Lib_IntVector_Intrinsics_ni_clmul(x3, y3, 0x11U); + Lib_IntVector_Intrinsics_vec128 hi4 = Lib_IntVector_Intrinsics_ni_clmul(x4, y4, 0x11U); + Lib_IntVector_Intrinsics_vec128 hi = Lib_IntVector_Intrinsics_vec128_xor(hi10, hi20); + Lib_IntVector_Intrinsics_vec128 hi5 = Lib_IntVector_Intrinsics_vec128_xor(hi, hi30); + Lib_IntVector_Intrinsics_vec128 hi6 = Lib_IntVector_Intrinsics_vec128_xor(hi5, hi4); + Lib_IntVector_Intrinsics_vec128 m12 = Lib_IntVector_Intrinsics_vec128_shift_left(m10, 64U); + Lib_IntVector_Intrinsics_vec128 m22 = Lib_IntVector_Intrinsics_vec128_shift_right(m10, 64U); + Lib_IntVector_Intrinsics_vec128 lo7 = Lib_IntVector_Intrinsics_vec128_xor(lo6, m12); + Lib_IntVector_Intrinsics_vec128 hi7 = Lib_IntVector_Intrinsics_vec128_xor(hi6, m22); + Lib_IntVector_Intrinsics_vec128 hi0 = hi7; + Lib_IntVector_Intrinsics_vec128 lo = lo7; + Lib_IntVector_Intrinsics_vec128 lo1 = Lib_IntVector_Intrinsics_vec128_shift_right64(lo, 63U); + Lib_IntVector_Intrinsics_vec128 lo20 = Lib_IntVector_Intrinsics_vec128_shift_left(lo1, 64U); + Lib_IntVector_Intrinsics_vec128 lo3 = Lib_IntVector_Intrinsics_vec128_shift_left64(lo, 1U); + Lib_IntVector_Intrinsics_vec128 lo31 = Lib_IntVector_Intrinsics_vec128_xor(lo3, lo20); + Lib_IntVector_Intrinsics_vec128 hi1 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi0, 63U); + Lib_IntVector_Intrinsics_vec128 hi11 = Lib_IntVector_Intrinsics_vec128_shift_left(hi1, 64U); + Lib_IntVector_Intrinsics_vec128 hi2 = Lib_IntVector_Intrinsics_vec128_shift_left64(hi0, 1U); + Lib_IntVector_Intrinsics_vec128 hi21 = Lib_IntVector_Intrinsics_vec128_xor(hi2, hi11); + Lib_IntVector_Intrinsics_vec128 lo11 = Lib_IntVector_Intrinsics_vec128_shift_right64(lo, 63U); + Lib_IntVector_Intrinsics_vec128 lo12 = Lib_IntVector_Intrinsics_vec128_shift_right(lo11, 64U); + Lib_IntVector_Intrinsics_vec128 hi22 = Lib_IntVector_Intrinsics_vec128_xor(hi21, lo12); + Lib_IntVector_Intrinsics_vec128 lo4 = lo31; + Lib_IntVector_Intrinsics_vec128 hi3 = hi22; + Lib_IntVector_Intrinsics_vec128 lo13 = Lib_IntVector_Intrinsics_vec128_shift_left64(lo4, 63U); + Lib_IntVector_Intrinsics_vec128 lo21 = Lib_IntVector_Intrinsics_vec128_shift_left64(lo4, 62U); + Lib_IntVector_Intrinsics_vec128 lo32 = Lib_IntVector_Intrinsics_vec128_shift_left64(lo4, 57U); + Lib_IntVector_Intrinsics_vec128 lo14 = Lib_IntVector_Intrinsics_vec128_xor(lo13, lo21); + Lib_IntVector_Intrinsics_vec128 lo15 = Lib_IntVector_Intrinsics_vec128_xor(lo14, lo32); + Lib_IntVector_Intrinsics_vec128 lo22 = Lib_IntVector_Intrinsics_vec128_shift_right(lo15, 64U); + Lib_IntVector_Intrinsics_vec128 lo33 = Lib_IntVector_Intrinsics_vec128_shift_left(lo15, 64U); + Lib_IntVector_Intrinsics_vec128 lo50 = Lib_IntVector_Intrinsics_vec128_xor(lo4, lo33); + Lib_IntVector_Intrinsics_vec128 lo_ = lo22; + Lib_IntVector_Intrinsics_vec128 lo16 = Lib_IntVector_Intrinsics_vec128_shift_right64(lo50, 1U); + Lib_IntVector_Intrinsics_vec128 lo23 = Lib_IntVector_Intrinsics_vec128_shift_right64(lo50, 2U); + Lib_IntVector_Intrinsics_vec128 lo34 = Lib_IntVector_Intrinsics_vec128_shift_right64(lo50, 7U); + Lib_IntVector_Intrinsics_vec128 lo17 = Lib_IntVector_Intrinsics_vec128_xor(lo16, lo23); + Lib_IntVector_Intrinsics_vec128 lo18 = Lib_IntVector_Intrinsics_vec128_xor(lo17, lo34); + Lib_IntVector_Intrinsics_vec128 lo19 = Lib_IntVector_Intrinsics_vec128_xor(lo18, lo_); + Lib_IntVector_Intrinsics_vec128 lo60 = Lib_IntVector_Intrinsics_vec128_xor(lo50, lo19); + Lib_IntVector_Intrinsics_vec128 lo70 = Lib_IntVector_Intrinsics_vec128_xor(lo60, hi3); + Lib_IntVector_Intrinsics_vec128 lo110 = lo70; + acc[0U] = lo110; +} + +inline void Hacl_Gf128_NI_gcm_init(Lib_IntVector_Intrinsics_vec128 *ctx, uint8_t *key) +{ + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 *pre = ctx + 1U; + acc[0U] = Lib_IntVector_Intrinsics_vec128_zero; + load_precompute_r(pre, key); +} + +inline void +Hacl_Gf128_NI_gcm_update_blocks( + Lib_IntVector_Intrinsics_vec128 *ctx, + uint32_t len, + uint8_t *text +) +{ + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 *pre = ctx + 1U; + uint32_t len0 = len / 64U * 64U; + uint8_t *t0 = text; + if (len0 > 0U) + { + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 f[4U] KRML_POST_ALIGN(16) = { 0U }; + Lib_IntVector_Intrinsics_vec128 *b4 = f; + uint32_t nb = len0 / 64U; + for (uint32_t i = 0U; i < nb; i++) + { + uint8_t *tb = t0 + i * 64U; + b4[0U] = Lib_IntVector_Intrinsics_vec128_load_be(tb); + b4[1U] = Lib_IntVector_Intrinsics_vec128_load_be(tb + 16U); + b4[2U] = Lib_IntVector_Intrinsics_vec128_load_be(tb + 32U); + b4[3U] = Lib_IntVector_Intrinsics_vec128_load_be(tb + 48U); + b4[0U] = Lib_IntVector_Intrinsics_vec128_xor(acc[0U], b4[0U]); + normalize4(acc, b4, pre); + } + } + uint32_t len1 = len - len0; + uint8_t *t1 = text + len0; + Lib_IntVector_Intrinsics_vec128 *r1 = pre + 3U; + uint32_t nb = len1 / 16U; + uint32_t rem = len1 % 16U; + for (uint32_t i = 0U; i < nb; i++) + { + uint8_t *tb = t1 + i * 16U; + Lib_IntVector_Intrinsics_vec128 elem = Lib_IntVector_Intrinsics_vec128_zero; + elem = Lib_IntVector_Intrinsics_vec128_load_be(tb); + fadd0(acc, &elem); + fmul0(acc, r1); + } + if (rem > 0U) + { + uint8_t *last = t1 + nb * 16U; + Lib_IntVector_Intrinsics_vec128 elem = Lib_IntVector_Intrinsics_vec128_zero; + uint8_t b[16U] = { 0U }; + memcpy(b, last, rem * sizeof (uint8_t)); + elem = Lib_IntVector_Intrinsics_vec128_load_be(b); + fadd0(acc, &elem); + fmul0(acc, r1); + return; + } +} + +void +(*Hacl_Gf128_NI_gcm_update_padded)( + Lib_IntVector_Intrinsics_vec128 *x0, + uint32_t x1, + uint8_t *x2 +) = Hacl_Gf128_NI_gcm_update_blocks; + +inline void Hacl_Gf128_NI_gcm_emit(uint8_t *tag, Lib_IntVector_Intrinsics_vec128 *ctx) +{ + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128_store_be(tag, acc[0U]); +} + +inline void Hacl_Gf128_NI_ghash(uint8_t *tag, uint32_t len, uint8_t *text, uint8_t *key) +{ + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 ctx[5U] KRML_POST_ALIGN(16) = { 0U }; + Lib_IntVector_Intrinsics_vec128 *acc = ctx; + Lib_IntVector_Intrinsics_vec128 *pre0 = ctx + 1U; + acc[0U] = Lib_IntVector_Intrinsics_vec128_zero; + load_precompute_r(pre0, key); + Lib_IntVector_Intrinsics_vec128 *acc0 = ctx; + Lib_IntVector_Intrinsics_vec128 *pre = ctx + 1U; + uint32_t len0 = len / 64U * 64U; + uint8_t *t0 = text; + if (len0 > 0U) + { + KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 f[4U] KRML_POST_ALIGN(16) = { 0U }; + Lib_IntVector_Intrinsics_vec128 *b4 = f; + uint32_t nb = len0 / 64U; + for (uint32_t i = 0U; i < nb; i++) + { + uint8_t *tb = t0 + i * 64U; + b4[0U] = Lib_IntVector_Intrinsics_vec128_load_be(tb); + b4[1U] = Lib_IntVector_Intrinsics_vec128_load_be(tb + 16U); + b4[2U] = Lib_IntVector_Intrinsics_vec128_load_be(tb + 32U); + b4[3U] = Lib_IntVector_Intrinsics_vec128_load_be(tb + 48U); + b4[0U] = Lib_IntVector_Intrinsics_vec128_xor(acc0[0U], b4[0U]); + normalize4(acc0, b4, pre); + } + } + uint32_t len1 = len - len0; + uint8_t *t1 = text + len0; + Lib_IntVector_Intrinsics_vec128 *r1 = pre + 3U; + uint32_t nb = len1 / 16U; + uint32_t rem = len1 % 16U; + for (uint32_t i = 0U; i < nb; i++) + { + uint8_t *tb = t1 + i * 16U; + Lib_IntVector_Intrinsics_vec128 elem = Lib_IntVector_Intrinsics_vec128_zero; + elem = Lib_IntVector_Intrinsics_vec128_load_be(tb); + fadd0(acc0, &elem); + fmul0(acc0, r1); + } + if (rem > 0U) + { + uint8_t *last = t1 + nb * 16U; + Lib_IntVector_Intrinsics_vec128 elem = Lib_IntVector_Intrinsics_vec128_zero; + uint8_t b[16U] = { 0U }; + memcpy(b, last, rem * sizeof (uint8_t)); + elem = Lib_IntVector_Intrinsics_vec128_load_be(b); + fadd0(acc0, &elem); + fmul0(acc0, r1); + } + Lib_IntVector_Intrinsics_vec128 *acc1 = ctx; + Lib_IntVector_Intrinsics_vec128_store_be(tag, acc1[0U]); +} + diff --git a/src/Hacl_HMAC.c b/src/Hacl_HMAC.c index b03bc7ac..e4f37c61 100644 --- a/src/Hacl_HMAC.c +++ b/src/Hacl_HMAC.c @@ -609,7 +609,7 @@ Hacl_HMAC_compute_blake2s_32( if (data_len == 0U) { uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_Blake2s_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); } else { @@ -644,6 +644,7 @@ Hacl_HMAC_compute_blake2s_32( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -682,6 +683,7 @@ Hacl_HMAC_compute_blake2s_32( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -752,7 +754,13 @@ Hacl_HMAC_compute_blake2b_32( if (data_len == 0U) { uint64_t wv[16U] = { 0U }; - Hacl_Hash_Blake2b_update_last(128U, wv, s0, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); + Hacl_Hash_Blake2b_update_last(128U, + wv, + s0, + false, + FStar_UInt128_uint64_to_uint128(0ULL), + 128U, + ipad); } else { @@ -787,6 +795,7 @@ Hacl_HMAC_compute_blake2b_32( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -826,6 +835,7 @@ Hacl_HMAC_compute_blake2b_32( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/Hacl_HMAC_Blake2b_256.c b/src/Hacl_HMAC_Blake2b_256.c index 6197490a..d5a00213 100644 --- a/src/Hacl_HMAC_Blake2b_256.c +++ b/src/Hacl_HMAC_Blake2b_256.c @@ -96,6 +96,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(128U, wv, s0, + false, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); @@ -138,6 +139,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -182,6 +184,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/Hacl_HMAC_Blake2s_128.c b/src/Hacl_HMAC_Blake2s_128.c index 0741bffb..489cf3b0 100644 --- a/src/Hacl_HMAC_Blake2s_128.c +++ b/src/Hacl_HMAC_Blake2s_128.c @@ -92,7 +92,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( if (data_len == 0U) { KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; - Hacl_Hash_Blake2s_Simd128_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_Blake2s_Simd128_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); } else { @@ -127,6 +127,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( Hacl_Hash_Blake2s_Simd128_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -165,6 +166,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( Hacl_Hash_Blake2s_Simd128_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); diff --git a/src/Hacl_Hash_Blake2b.c b/src/Hacl_Hash_Blake2b.c index d490a1a5..93953b28 100644 --- a/src/Hacl_Hash_Blake2b.c +++ b/src/Hacl_Hash_Blake2b.c @@ -29,7 +29,14 @@ #include "lib_memzero0.h" static void -update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totlen, uint8_t *d) +update_block( + uint64_t *wv, + uint64_t *hash, + bool flag, + bool last_node, + FStar_UInt128_uint128 totlen, + uint8_t *d +) { uint64_t m_w[16U] = { 0U }; KRML_MAYBE_FOR16(i, @@ -52,7 +59,15 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl { wv_14 = 0ULL; } - uint64_t wv_15 = 0ULL; + uint64_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFFFFFFFFFULL; + } + else + { + wv_15 = 0ULL; + } mask[0U] = FStar_UInt128_uint128_to_uint64(totlen); mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, 64U)); mask[2U] = wv_14; @@ -647,11 +662,11 @@ static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, ui memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -674,7 +689,7 @@ Hacl_Hash_Blake2b_update_multi( FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)((i + 1U) * 128U))); uint8_t *b = blocks + i * 128U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -683,6 +698,7 @@ Hacl_Hash_Blake2b_update_last( uint32_t len, uint64_t *wv, uint64_t *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -693,7 +709,7 @@ Hacl_Hash_Blake2b_update_last( memcpy(b, last, rem * sizeof (uint8_t)); FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -727,7 +743,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2b_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2b_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2b_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -771,7 +787,13 @@ static Hacl_Hash_Blake2b_state_t uint64_t *wv = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); Hacl_Hash_Blake2b_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; + block_state = + { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv, .snd = b } + }; uint8_t kk10 = kk.key_length; uint32_t ite; if (kk10 != 0U) @@ -790,7 +812,8 @@ static Hacl_Hash_Blake2b_state_t Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; uint8_t kk1 = p1->key_length; uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -800,7 +823,7 @@ static Hacl_Hash_Blake2b_state_t memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); return p; } @@ -820,11 +843,15 @@ The caller must satisfy the following requirements. */ Hacl_Hash_Blake2b_state_t -*Hacl_Hash_Blake2b_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k) +*Hacl_Hash_Blake2b_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; return malloc_raw(i1, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); @@ -844,7 +871,7 @@ The caller must satisfy the following requirements. Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc_with_key(uint8_t *k, uint8_t kk) { uint8_t nn = 64U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; uint8_t salt[16U] = { 0U }; uint8_t personal[16U] = { 0U }; Hacl_Hash_Blake2b_blake2_params @@ -855,7 +882,7 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc_with_key(uint8_t *k, uint8_t .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - Hacl_Hash_Blake2b_state_t *s = Hacl_Hash_Blake2b_malloc_with_params_and_key(&p0, k); + Hacl_Hash_Blake2b_state_t *s = Hacl_Hash_Blake2b_malloc_with_params_and_key(&p0, false, k); return s; } @@ -872,9 +899,11 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2b_state_t *s) { Hacl_Hash_Blake2b_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void @@ -886,14 +915,18 @@ reset_raw( Hacl_Hash_Blake2b_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -903,7 +936,7 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -921,7 +954,7 @@ reset_raw( /** General-purpose re-initialization function with parameters and -key. You cannot change digest_length or key_length, meaning those values in +key. You cannot change digest_length, key_length, or last_node, meaning those values in the parameters object must be the same as originally decided via one of the malloc functions. All other values of the parameter can be changed. The behavior is unspecified if you violate this precondition. @@ -1040,7 +1073,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = 1U; @@ -1065,7 +1098,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1133,7 +1166,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = 1U; @@ -1159,7 +1192,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1190,16 +1223,20 @@ at least `digest_length` bytes, where `digest_length` was determined by your choice of `malloc` function. Concretely, if you used `malloc` or `malloc_with_key`, then the expected length is 32 for S, or 64 for B (default digest length). If you used `malloc_with_params_and_key`, then the expected -length is whatever you chose for the `digest_length` field of your -parameters. +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2b_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2b_state_t scrut = *state; + Hacl_Hash_Blake2b_block_state_t block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2b_state_t scrut = *s; Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; @@ -1217,9 +1254,14 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) uint64_t b[16U] = { 0U }; Hacl_Hash_Blake2b_block_state_t tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - uint64_t *src_b = block_state.thd.snd; - uint64_t *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + uint64_t *src_b = block_state.f3.snd; + uint64_t *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1233,7 +1275,7 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - K____uint64_t___uint64_t_ acc0 = tmp_block_state.thd; + K____uint64_t___uint64_t_ acc0 = tmp_block_state.f3; uint64_t *wv1 = acc0.fst; uint64_t *hash0 = acc0.snd; uint32_t nb = 0U; @@ -1244,17 +1286,35 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; - K____uint64_t___uint64_t_ acc = tmp_block_state.thd; + K____uint64_t___uint64_t_ acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; Hacl_Hash_Blake2b_update_last(r, wv, hash, + last_node1, FStar_UInt128_uint64_to_uint128(prev_len_last), r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2b_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2b_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Hash_Blake2b_block_state_t block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_info(Hacl_Hash_Blake2b_state_t *s) +{ + Hacl_Hash_Blake2b_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1265,8 +1325,8 @@ void Hacl_Hash_Blake2b_free(Hacl_Hash_Blake2b_state_t *state) Hacl_Hash_Blake2b_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; - uint64_t *b = block_state.thd.snd; - uint64_t *wv = block_state.thd.fst; + uint64_t *b = block_state.f3.snd; + uint64_t *wv = block_state.f3.fst; KRML_HOST_FREE(wv); KRML_HOST_FREE(b); KRML_HOST_FREE(buf); @@ -1282,17 +1342,24 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_copy(Hacl_Hash_Blake2b_state_t *sta Hacl_Hash_Blake2b_block_state_t block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); memcpy(buf, buf0, 128U * sizeof (uint8_t)); uint64_t *wv = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); Hacl_Hash_Blake2b_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - uint64_t *src_b = block_state0.thd.snd; - uint64_t *dst_b = block_state.thd.snd; + block_state = + { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv, .snd = b } + }; + uint64_t *src_b = block_state0.f3.snd; + uint64_t *dst_b = block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); Hacl_Hash_Blake2b_state_t s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; @@ -1338,7 +1405,7 @@ parameters `params` into `output`. The `key` array must be of length `params.digest_length`. */ void -Hacl_Hash_Blake2b_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/Hacl_Hash_Blake2b_Simd256.c b/src/Hacl_Hash_Blake2b_Simd256.c index 0afd93bc..35a8e811 100644 --- a/src/Hacl_Hash_Blake2b_Simd256.c +++ b/src/Hacl_Hash_Blake2b_Simd256.c @@ -34,6 +34,7 @@ update_block( Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, bool flag, + bool last_node, FStar_UInt128_uint128 totlen, uint8_t *d ) @@ -59,7 +60,15 @@ update_block( { wv_14 = 0ULL; } - uint64_t wv_15 = 0ULL; + uint64_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFFFFFFFFFULL; + } + else + { + wv_15 = 0ULL; + } mask = Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen), FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, 64U)), @@ -372,11 +381,11 @@ update_key( memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -399,7 +408,7 @@ Hacl_Hash_Blake2b_Simd256_update_multi( FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)((i + 1U) * 128U))); uint8_t *b = blocks + i * 128U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -408,6 +417,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -418,7 +428,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( memcpy(b, last, rem * sizeof (uint8_t)); FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -452,7 +462,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2b_Simd256_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2b_Simd256_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2b_Simd256_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -610,7 +620,13 @@ static Hacl_Hash_Blake2b_Simd256_state_t sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); Hacl_Hash_Blake2b_Simd256_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; + block_state = + { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv, .snd = b } + }; uint8_t kk10 = kk.key_length; uint32_t ite; if (kk10 != 0U) @@ -632,7 +648,8 @@ static Hacl_Hash_Blake2b_Simd256_state_t Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; uint8_t kk1 = p1->key_length; uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -642,42 +659,58 @@ static Hacl_Hash_Blake2b_Simd256_state_t memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); return p; } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (256 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 256 for S, 64 for B. +- The digest_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; return malloc_raw(i1, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (256 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_key0(uint8_t *k, uint8_t kk) { uint8_t nn = 64U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -685,21 +718,16 @@ Hacl_Hash_Blake2b_Simd256_state_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; + Hacl_Hash_Blake2b_blake2_params p0 = p; Hacl_Hash_Blake2b_Simd256_state_t - *s = Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + *s = Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) { @@ -709,9 +737,11 @@ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2b_Simd256_state_t *s) { Hacl_Hash_Blake2b_Simd256_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void @@ -723,14 +753,18 @@ reset_raw( Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -740,7 +774,7 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -757,9 +791,11 @@ reset_raw( } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( @@ -773,10 +809,11 @@ Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *k) { @@ -795,7 +832,12 @@ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s) { @@ -803,7 +845,7 @@ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2b_Simd256_update( @@ -873,8 +915,7 @@ Hacl_Hash_Blake2b_Simd256_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = 1U; @@ -899,7 +940,7 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -967,8 +1008,7 @@ Hacl_Hash_Blake2b_Simd256_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = 1U; @@ -994,7 +1034,7 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1020,16 +1060,25 @@ Hacl_Hash_Blake2b_Simd256_update( } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 256 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_256_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2b_Simd256_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; + Hacl_Hash_Blake2b_Simd256_block_state_t block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2b_Simd256_state_t scrut = *s; Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; @@ -1047,9 +1096,14 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 b[4U] KRML_POST_ALIGN(32) = { 0U }; Hacl_Hash_Blake2b_Simd256_block_state_t tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - Lib_IntVector_Intrinsics_vec256 *src_b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + Lib_IntVector_Intrinsics_vec256 *src_b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1064,7 +1118,7 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc0 = tmp_block_state.thd; + acc0 = tmp_block_state.f3; Lib_IntVector_Intrinsics_vec256 *wv1 = acc0.fst; Lib_IntVector_Intrinsics_vec256 *hash0 = acc0.snd; uint32_t nb = 0U; @@ -1076,17 +1130,35 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 nb); uint64_t prev_len_last = total_len - (uint64_t)r; K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = tmp_block_state.thd; + acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; Hacl_Hash_Blake2b_Simd256_update_last(r, wv, hash, + last_node1, FStar_UInt128_uint64_to_uint128(prev_len_last), r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2b_Simd256_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2b_Simd256_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_Simd256_info(Hacl_Hash_Blake2b_Simd256_state_t *s) +{ + Hacl_Hash_Blake2b_Simd256_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1097,8 +1169,8 @@ void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state) Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; - Lib_IntVector_Intrinsics_vec256 *b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec256 *wv = block_state.thd.fst; + Lib_IntVector_Intrinsics_vec256 *b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.f3.fst; KRML_ALIGNED_FREE(wv); KRML_ALIGNED_FREE(b); KRML_HOST_FREE(buf); @@ -1106,7 +1178,7 @@ void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_copy(Hacl_Hash_Blake2b_Simd256_state_t *state) @@ -1115,9 +1187,10 @@ Hacl_Hash_Blake2b_Simd256_state_t Hacl_Hash_Blake2b_Simd256_block_state_t block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); memcpy(buf, buf0, 128U * sizeof (uint8_t)); Lib_IntVector_Intrinsics_vec256 @@ -1131,9 +1204,15 @@ Hacl_Hash_Blake2b_Simd256_state_t sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); Hacl_Hash_Blake2b_Simd256_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - Lib_IntVector_Intrinsics_vec256 *src_b = block_state0.thd.snd; - Lib_IntVector_Intrinsics_vec256 *dst_b = block_state.thd.snd; + block_state = + { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv, .snd = b } + }; + Lib_IntVector_Intrinsics_vec256 *src_b = block_state0.f3.snd; + Lib_IntVector_Intrinsics_vec256 *dst_b = block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); Hacl_Hash_Blake2b_Simd256_state_t s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; @@ -1175,8 +1254,14 @@ Hacl_Hash_Blake2b_Simd256_hash_with_key( Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec256, void *); } +/** +Write the BLAKE2b digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/Hacl_Hash_Blake2s.c b/src/Hacl_Hash_Blake2s.c index 6e19d83d..60bdd0ac 100644 --- a/src/Hacl_Hash_Blake2s.c +++ b/src/Hacl_Hash_Blake2s.c @@ -30,7 +30,14 @@ #include "lib_memzero0.h" static inline void -update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t *d) +update_block( + uint32_t *wv, + uint32_t *hash, + bool flag, + bool last_node, + uint64_t totlen, + uint8_t *d +) { uint32_t m_w[16U] = { 0U }; KRML_MAYBE_FOR16(i, @@ -53,7 +60,15 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * { wv_14 = 0U; } - uint32_t wv_15 = 0U; + uint32_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFU; + } + else + { + wv_15 = 0U; + } mask[0U] = (uint32_t)totlen; mask[1U] = (uint32_t)(totlen >> 32U); mask[2U] = wv_14; @@ -642,11 +657,11 @@ static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, ui memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -666,7 +681,7 @@ Hacl_Hash_Blake2s_update_multi( { uint64_t totlen = prev + (uint64_t)((i + 1U) * 64U); uint8_t *b = blocks + i * 64U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -675,6 +690,7 @@ Hacl_Hash_Blake2s_update_last( uint32_t len, uint32_t *wv, uint32_t *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d @@ -684,7 +700,7 @@ Hacl_Hash_Blake2s_update_last( uint8_t *last = d + len - rem; memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -712,7 +728,7 @@ update_blocks(uint32_t len, uint32_t *wv, uint32_t *hash, uint64_t prev, uint8_t rem = rem0; } Hacl_Hash_Blake2s_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2s_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2s_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -756,7 +772,13 @@ static Hacl_Hash_Blake2s_state_t uint32_t *wv = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); Hacl_Hash_Blake2s_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; + block_state = + { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv, .snd = b } + }; uint8_t kk10 = kk.key_length; uint32_t ite; if (kk10 != 0U) @@ -775,7 +797,8 @@ static Hacl_Hash_Blake2s_state_t Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; uint8_t kk1 = p1->key_length; uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -785,38 +808,57 @@ static Hacl_Hash_Blake2s_state_t memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); return p; } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (32 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 32 for S, 64 for B. +- The digest_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t -*Hacl_Hash_Blake2s_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k) +*Hacl_Hash_Blake2s_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; return malloc_raw(i1, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (32 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t kk) { uint8_t nn = 32U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -824,20 +866,15 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; - Hacl_Hash_Blake2s_state_t *s = Hacl_Hash_Blake2s_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + Hacl_Hash_Blake2b_blake2_params p0 = p; + Hacl_Hash_Blake2s_state_t *s = Hacl_Hash_Blake2s_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void) { @@ -847,9 +884,11 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2s_state_t *s) { Hacl_Hash_Blake2s_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void @@ -861,14 +900,18 @@ reset_raw( Hacl_Hash_Blake2s_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -878,7 +921,7 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -895,9 +938,11 @@ reset_raw( } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key_and_params( @@ -911,10 +956,11 @@ Hacl_Hash_Blake2s_reset_with_key_and_params( } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k) { @@ -933,7 +979,12 @@ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k) } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s) { @@ -941,7 +992,7 @@ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint32_t chunk_len) @@ -1007,7 +1058,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = 1U; @@ -1027,7 +1078,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -1090,7 +1141,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = 1U; @@ -1111,7 +1162,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -1132,15 +1183,25 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 32 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2s_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2s_state_t scrut = *state; + Hacl_Hash_Blake2s_block_state_t block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2s_state_t scrut = *s; Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; @@ -1158,9 +1219,14 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) uint32_t b[16U] = { 0U }; Hacl_Hash_Blake2s_block_state_t tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - uint32_t *src_b = block_state.thd.snd; - uint32_t *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + uint32_t *src_b = block_state.f3.snd; + uint32_t *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1174,18 +1240,35 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - K____uint32_t___uint32_t_ acc0 = tmp_block_state.thd; + K____uint32_t___uint32_t_ acc0 = tmp_block_state.f3; uint32_t *wv1 = acc0.fst; uint32_t *hash0 = acc0.snd; uint32_t nb = 0U; Hacl_Hash_Blake2s_update_multi(0U, wv1, hash0, prev_len, buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; - K____uint32_t___uint32_t_ acc = tmp_block_state.thd; + K____uint32_t___uint32_t_ acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; - Hacl_Hash_Blake2s_update_last(r, wv, hash, prev_len_last, r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2s_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + Hacl_Hash_Blake2s_update_last(r, wv, hash, last_node1, prev_len_last, r, buf_last); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2s_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Hash_Blake2s_block_state_t block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_info(Hacl_Hash_Blake2s_state_t *s) +{ + Hacl_Hash_Blake2s_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1196,8 +1279,8 @@ void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state) Hacl_Hash_Blake2s_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; - uint32_t *b = block_state.thd.snd; - uint32_t *wv = block_state.thd.fst; + uint32_t *b = block_state.f3.snd; + uint32_t *wv = block_state.f3.fst; KRML_HOST_FREE(wv); KRML_HOST_FREE(b); KRML_HOST_FREE(buf); @@ -1205,7 +1288,7 @@ void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_state_t *state) { @@ -1213,17 +1296,24 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_state_t *sta Hacl_Hash_Blake2s_block_state_t block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); memcpy(buf, buf0, 64U * sizeof (uint8_t)); uint32_t *wv = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); Hacl_Hash_Blake2s_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - uint32_t *src_b = block_state0.thd.snd; - uint32_t *dst_b = block_state.thd.snd; + block_state = + { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv, .snd = b } + }; + uint32_t *src_b = block_state0.f3.snd; + uint32_t *dst_b = block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); Hacl_Hash_Blake2s_state_t s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; @@ -1262,8 +1352,14 @@ Hacl_Hash_Blake2s_hash_with_key( Lib_Memzero0_memzero(b, 16U, uint32_t, void *); } +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/Hacl_Hash_Blake2s_Simd128.c b/src/Hacl_Hash_Blake2s_Simd128.c index c02da8fa..628d273a 100644 --- a/src/Hacl_Hash_Blake2s_Simd128.c +++ b/src/Hacl_Hash_Blake2s_Simd128.c @@ -34,6 +34,7 @@ update_block( Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, bool flag, + bool last_node, uint64_t totlen, uint8_t *d ) @@ -59,7 +60,15 @@ update_block( { wv_14 = 0U; } - uint32_t wv_15 = 0U; + uint32_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFU; + } + else + { + wv_15 = 0U; + } mask = Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen, (uint32_t)(totlen >> 32U), @@ -366,11 +375,11 @@ update_key( memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -390,7 +399,7 @@ Hacl_Hash_Blake2s_Simd128_update_multi( { uint64_t totlen = prev + (uint64_t)((i + 1U) * 64U); uint8_t *b = blocks + i * 64U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -399,6 +408,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d @@ -408,7 +418,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint8_t *last = d + len - rem; memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -442,7 +452,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2s_Simd128_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2s_Simd128_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2s_Simd128_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -600,7 +610,13 @@ static Hacl_Hash_Blake2s_Simd128_state_t sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); Hacl_Hash_Blake2s_Simd128_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; + block_state = + { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv, .snd = b } + }; uint8_t kk10 = kk.key_length; uint32_t ite; if (kk10 != 0U) @@ -622,7 +638,8 @@ static Hacl_Hash_Blake2s_Simd128_state_t Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; uint8_t kk1 = p1->key_length; uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -632,42 +649,58 @@ static Hacl_Hash_Blake2s_Simd128_state_t memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); return p; } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (128 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 128 for S, 64 for B. +- The digest_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; return malloc_raw(i1, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (128 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_key0(uint8_t *k, uint8_t kk) { uint8_t nn = 32U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -675,21 +708,16 @@ Hacl_Hash_Blake2s_Simd128_state_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; + Hacl_Hash_Blake2b_blake2_params p0 = p; Hacl_Hash_Blake2s_Simd128_state_t - *s = Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + *s = Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) { @@ -699,9 +727,11 @@ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2s_Simd128_state_t *s) { Hacl_Hash_Blake2s_Simd128_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void @@ -713,14 +743,18 @@ reset_raw( Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -730,7 +764,7 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -747,9 +781,11 @@ reset_raw( } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( @@ -763,10 +799,11 @@ Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *k) { @@ -785,7 +822,12 @@ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s) { @@ -793,7 +835,7 @@ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_Simd128_update( @@ -863,8 +905,7 @@ Hacl_Hash_Blake2s_Simd128_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = 1U; @@ -884,7 +925,7 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -947,8 +988,7 @@ Hacl_Hash_Blake2s_Simd128_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = 1U; @@ -969,7 +1009,7 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -990,16 +1030,25 @@ Hacl_Hash_Blake2s_Simd128_update( } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 128 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_128_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2s_Simd128_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; + Hacl_Hash_Blake2s_Simd128_block_state_t block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2s_Simd128_state_t scrut = *s; Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; @@ -1017,9 +1066,14 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 b[4U] KRML_POST_ALIGN(16) = { 0U }; Hacl_Hash_Blake2s_Simd128_block_state_t tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - Lib_IntVector_Intrinsics_vec128 *src_b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + Lib_IntVector_Intrinsics_vec128 *src_b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1034,19 +1088,36 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc0 = tmp_block_state.thd; + acc0 = tmp_block_state.f3; Lib_IntVector_Intrinsics_vec128 *wv1 = acc0.fst; Lib_IntVector_Intrinsics_vec128 *hash0 = acc0.snd; uint32_t nb = 0U; Hacl_Hash_Blake2s_Simd128_update_multi(0U, wv1, hash0, prev_len, buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = tmp_block_state.thd; + acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; - Hacl_Hash_Blake2s_Simd128_update_last(r, wv, hash, prev_len_last, r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2s_Simd128_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + Hacl_Hash_Blake2s_Simd128_update_last(r, wv, hash, last_node1, prev_len_last, r, buf_last); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2s_Simd128_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_Simd128_info(Hacl_Hash_Blake2s_Simd128_state_t *s) +{ + Hacl_Hash_Blake2s_Simd128_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1057,8 +1128,8 @@ void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state) Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; - Lib_IntVector_Intrinsics_vec128 *b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec128 *wv = block_state.thd.fst; + Lib_IntVector_Intrinsics_vec128 *b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.f3.fst; KRML_ALIGNED_FREE(wv); KRML_ALIGNED_FREE(b); KRML_HOST_FREE(buf); @@ -1066,7 +1137,7 @@ void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_copy(Hacl_Hash_Blake2s_Simd128_state_t *state) @@ -1075,9 +1146,10 @@ Hacl_Hash_Blake2s_Simd128_state_t Hacl_Hash_Blake2s_Simd128_block_state_t block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); memcpy(buf, buf0, 64U * sizeof (uint8_t)); Lib_IntVector_Intrinsics_vec128 @@ -1091,9 +1163,15 @@ Hacl_Hash_Blake2s_Simd128_state_t sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); Hacl_Hash_Blake2s_Simd128_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - Lib_IntVector_Intrinsics_vec128 *src_b = block_state0.thd.snd; - Lib_IntVector_Intrinsics_vec128 *dst_b = block_state.thd.snd; + block_state = + { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv, .snd = b } + }; + Lib_IntVector_Intrinsics_vec128 *src_b = block_state0.f3.snd; + Lib_IntVector_Intrinsics_vec128 *dst_b = block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); Hacl_Hash_Blake2s_Simd128_state_t s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; @@ -1135,8 +1213,14 @@ Hacl_Hash_Blake2s_Simd128_hash_with_key( Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec128, void *); } +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/msvc/EverCrypt_HMAC.c b/src/msvc/EverCrypt_HMAC.c index 386cb17f..649f1e15 100644 --- a/src/msvc/EverCrypt_HMAC.c +++ b/src/msvc/EverCrypt_HMAC.c @@ -620,7 +620,7 @@ EverCrypt_HMAC_compute_blake2s( if (data_len == 0U) { uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_Blake2s_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); } else { @@ -655,6 +655,7 @@ EverCrypt_HMAC_compute_blake2s( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -693,6 +694,7 @@ EverCrypt_HMAC_compute_blake2s( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -757,7 +759,13 @@ EverCrypt_HMAC_compute_blake2b( if (data_len == 0U) { uint64_t wv[16U] = { 0U }; - Hacl_Hash_Blake2b_update_last(128U, wv, s0, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); + Hacl_Hash_Blake2b_update_last(128U, + wv, + s0, + false, + FStar_UInt128_uint64_to_uint128(0ULL), + 128U, + ipad); } else { @@ -792,6 +800,7 @@ EverCrypt_HMAC_compute_blake2b( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -831,6 +840,7 @@ EverCrypt_HMAC_compute_blake2b( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/msvc/EverCrypt_Hash.c b/src/msvc/EverCrypt_Hash.c index bfafa9be..153063cc 100644 --- a/src/msvc/EverCrypt_Hash.c +++ b/src/msvc/EverCrypt_Hash.c @@ -616,7 +616,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ { uint32_t *p1 = scrut.case_Blake2S_s; uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(last_len, wv, p1, prev_len, last_len, last); + Hacl_Hash_Blake2s_update_last(last_len, wv, p1, false, prev_len, last_len, last); return; } if (scrut.tag == Blake2S_128_s) @@ -624,7 +624,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ Lib_IntVector_Intrinsics_vec128 *p1 = scrut.case_Blake2S_128_s; #if HACL_CAN_COMPILE_VEC128 KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; - Hacl_Hash_Blake2s_Simd128_update_last(last_len, wv, p1, prev_len, last_len, last); + Hacl_Hash_Blake2s_Simd128_update_last(last_len, wv, p1, false, prev_len, last_len, last); return; #else KRML_MAYBE_UNUSED_VAR(p1); @@ -638,6 +638,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ Hacl_Hash_Blake2b_update_last(last_len, wv, p1, + false, FStar_UInt128_uint64_to_uint128(prev_len), last_len, last); @@ -651,6 +652,7 @@ update_last(EverCrypt_Hash_state_s *s, uint64_t prev_len, uint8_t *last, uint32_ Hacl_Hash_Blake2b_Simd256_update_last(last_len, wv, p1, + false, FStar_UInt128_uint64_to_uint128(prev_len), last_len, last); diff --git a/src/msvc/Hacl_HMAC.c b/src/msvc/Hacl_HMAC.c index 63ab2032..32dab3a5 100644 --- a/src/msvc/Hacl_HMAC.c +++ b/src/msvc/Hacl_HMAC.c @@ -609,7 +609,7 @@ Hacl_HMAC_compute_blake2s_32( if (data_len == 0U) { uint32_t wv[16U] = { 0U }; - Hacl_Hash_Blake2s_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_Blake2s_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); } else { @@ -644,6 +644,7 @@ Hacl_HMAC_compute_blake2s_32( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -682,6 +683,7 @@ Hacl_HMAC_compute_blake2s_32( Hacl_Hash_Blake2s_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -752,7 +754,13 @@ Hacl_HMAC_compute_blake2b_32( if (data_len == 0U) { uint64_t wv[16U] = { 0U }; - Hacl_Hash_Blake2b_update_last(128U, wv, s0, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); + Hacl_Hash_Blake2b_update_last(128U, + wv, + s0, + false, + FStar_UInt128_uint64_to_uint128(0ULL), + 128U, + ipad); } else { @@ -787,6 +795,7 @@ Hacl_HMAC_compute_blake2b_32( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -826,6 +835,7 @@ Hacl_HMAC_compute_blake2b_32( Hacl_Hash_Blake2b_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/msvc/Hacl_HMAC_Blake2b_256.c b/src/msvc/Hacl_HMAC_Blake2b_256.c index cd16e65e..5e7605bf 100644 --- a/src/msvc/Hacl_HMAC_Blake2b_256.c +++ b/src/msvc/Hacl_HMAC_Blake2b_256.c @@ -96,6 +96,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(128U, wv, s0, + false, FStar_UInt128_uint64_to_uint128(0ULL), 128U, ipad); @@ -138,6 +139,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, @@ -182,6 +184,7 @@ Hacl_HMAC_Blake2b_256_compute_blake2b_256( Hacl_Hash_Blake2b_Simd256_update_last(rem_len, wv1, s0, + false, FStar_UInt128_add(FStar_UInt128_uint64_to_uint128((uint64_t)128U), FStar_UInt128_uint64_to_uint128((uint64_t)full_blocks_len)), rem_len, diff --git a/src/msvc/Hacl_HMAC_Blake2s_128.c b/src/msvc/Hacl_HMAC_Blake2s_128.c index bf2033a8..f9fa97e6 100644 --- a/src/msvc/Hacl_HMAC_Blake2s_128.c +++ b/src/msvc/Hacl_HMAC_Blake2s_128.c @@ -92,7 +92,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( if (data_len == 0U) { KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 wv[4U] KRML_POST_ALIGN(16) = { 0U }; - Hacl_Hash_Blake2s_Simd128_update_last(64U, wv, s0, 0ULL, 64U, ipad); + Hacl_Hash_Blake2s_Simd128_update_last(64U, wv, s0, false, 0ULL, 64U, ipad); } else { @@ -127,6 +127,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( Hacl_Hash_Blake2s_Simd128_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); @@ -165,6 +166,7 @@ Hacl_HMAC_Blake2s_128_compute_blake2s_128( Hacl_Hash_Blake2s_Simd128_update_last(rem_len, wv1, s0, + false, (uint64_t)64U + (uint64_t)full_blocks_len, rem_len, rem); diff --git a/src/msvc/Hacl_Hash_Blake2b.c b/src/msvc/Hacl_Hash_Blake2b.c index d490a1a5..93953b28 100644 --- a/src/msvc/Hacl_Hash_Blake2b.c +++ b/src/msvc/Hacl_Hash_Blake2b.c @@ -29,7 +29,14 @@ #include "lib_memzero0.h" static void -update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totlen, uint8_t *d) +update_block( + uint64_t *wv, + uint64_t *hash, + bool flag, + bool last_node, + FStar_UInt128_uint128 totlen, + uint8_t *d +) { uint64_t m_w[16U] = { 0U }; KRML_MAYBE_FOR16(i, @@ -52,7 +59,15 @@ update_block(uint64_t *wv, uint64_t *hash, bool flag, FStar_UInt128_uint128 totl { wv_14 = 0ULL; } - uint64_t wv_15 = 0ULL; + uint64_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFFFFFFFFFULL; + } + else + { + wv_15 = 0ULL; + } mask[0U] = FStar_UInt128_uint128_to_uint64(totlen); mask[1U] = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, 64U)); mask[2U] = wv_14; @@ -647,11 +662,11 @@ static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_t *k, ui memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -674,7 +689,7 @@ Hacl_Hash_Blake2b_update_multi( FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)((i + 1U) * 128U))); uint8_t *b = blocks + i * 128U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -683,6 +698,7 @@ Hacl_Hash_Blake2b_update_last( uint32_t len, uint64_t *wv, uint64_t *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -693,7 +709,7 @@ Hacl_Hash_Blake2b_update_last( memcpy(b, last, rem * sizeof (uint8_t)); FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -727,7 +743,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2b_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2b_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2b_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -771,7 +787,13 @@ static Hacl_Hash_Blake2b_state_t uint64_t *wv = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); Hacl_Hash_Blake2b_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; + block_state = + { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv, .snd = b } + }; uint8_t kk10 = kk.key_length; uint32_t ite; if (kk10 != 0U) @@ -790,7 +812,8 @@ static Hacl_Hash_Blake2b_state_t Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; uint8_t kk1 = p1->key_length; uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -800,7 +823,7 @@ static Hacl_Hash_Blake2b_state_t memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); return p; } @@ -820,11 +843,15 @@ The caller must satisfy the following requirements. */ Hacl_Hash_Blake2b_state_t -*Hacl_Hash_Blake2b_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k) +*Hacl_Hash_Blake2b_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; return malloc_raw(i1, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); @@ -844,7 +871,7 @@ The caller must satisfy the following requirements. Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc_with_key(uint8_t *k, uint8_t kk) { uint8_t nn = 64U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; uint8_t salt[16U] = { 0U }; uint8_t personal[16U] = { 0U }; Hacl_Hash_Blake2b_blake2_params @@ -855,7 +882,7 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc_with_key(uint8_t *k, uint8_t .personal = personal }; Hacl_Hash_Blake2b_blake2_params p0 = p; - Hacl_Hash_Blake2b_state_t *s = Hacl_Hash_Blake2b_malloc_with_params_and_key(&p0, k); + Hacl_Hash_Blake2b_state_t *s = Hacl_Hash_Blake2b_malloc_with_params_and_key(&p0, false, k); return s; } @@ -872,9 +899,11 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2b_state_t *s) { Hacl_Hash_Blake2b_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void @@ -886,14 +915,18 @@ reset_raw( Hacl_Hash_Blake2b_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -903,7 +936,7 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -921,7 +954,7 @@ reset_raw( /** General-purpose re-initialization function with parameters and -key. You cannot change digest_length or key_length, meaning those values in +key. You cannot change digest_length, key_length, or last_node, meaning those values in the parameters object must be the same as originally decided via one of the malloc functions. All other values of the parameter can be changed. The behavior is unspecified if you violate this precondition. @@ -1040,7 +1073,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = 1U; @@ -1065,7 +1098,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1133,7 +1166,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = 1U; @@ -1159,7 +1192,7 @@ Hacl_Hash_Blake2b_update(Hacl_Hash_Blake2b_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____uint64_t___uint64_t_ acc = block_state1.thd; + K____uint64_t___uint64_t_ acc = block_state1.f3; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1190,16 +1223,20 @@ at least `digest_length` bytes, where `digest_length` was determined by your choice of `malloc` function. Concretely, if you used `malloc` or `malloc_with_key`, then the expected length is 32 for S, or 64 for B (default digest length). If you used `malloc_with_params_and_key`, then the expected -length is whatever you chose for the `digest_length` field of your -parameters. +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2b_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2b_state_t scrut = *state; + Hacl_Hash_Blake2b_block_state_t block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2b_state_t scrut = *s; Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; @@ -1217,9 +1254,14 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) uint64_t b[16U] = { 0U }; Hacl_Hash_Blake2b_block_state_t tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - uint64_t *src_b = block_state.thd.snd; - uint64_t *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + uint64_t *src_b = block_state.f3.snd; + uint64_t *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1233,7 +1275,7 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - K____uint64_t___uint64_t_ acc0 = tmp_block_state.thd; + K____uint64_t___uint64_t_ acc0 = tmp_block_state.f3; uint64_t *wv1 = acc0.fst; uint64_t *hash0 = acc0.snd; uint32_t nb = 0U; @@ -1244,17 +1286,35 @@ void Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *state, uint8_t *output) buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; - K____uint64_t___uint64_t_ acc = tmp_block_state.thd; + K____uint64_t___uint64_t_ acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; uint64_t *wv = acc.fst; uint64_t *hash = acc.snd; Hacl_Hash_Blake2b_update_last(r, wv, hash, + last_node1, FStar_UInt128_uint64_to_uint128(prev_len_last), r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2b_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2b_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Hash_Blake2b_block_state_t block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_info(Hacl_Hash_Blake2b_state_t *s) +{ + Hacl_Hash_Blake2b_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1265,8 +1325,8 @@ void Hacl_Hash_Blake2b_free(Hacl_Hash_Blake2b_state_t *state) Hacl_Hash_Blake2b_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2b_block_state_t block_state = scrut.block_state; - uint64_t *b = block_state.thd.snd; - uint64_t *wv = block_state.thd.fst; + uint64_t *b = block_state.f3.snd; + uint64_t *wv = block_state.f3.fst; KRML_HOST_FREE(wv); KRML_HOST_FREE(b); KRML_HOST_FREE(buf); @@ -1282,17 +1342,24 @@ Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_copy(Hacl_Hash_Blake2b_state_t *sta Hacl_Hash_Blake2b_block_state_t block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); memcpy(buf, buf0, 128U * sizeof (uint8_t)); uint64_t *wv = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); uint64_t *b = (uint64_t *)KRML_HOST_CALLOC(16U, sizeof (uint64_t)); Hacl_Hash_Blake2b_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - uint64_t *src_b = block_state0.thd.snd; - uint64_t *dst_b = block_state.thd.snd; + block_state = + { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv, .snd = b } + }; + uint64_t *src_b = block_state0.f3.snd; + uint64_t *dst_b = block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint64_t)); Hacl_Hash_Blake2b_state_t s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; @@ -1338,7 +1405,7 @@ parameters `params` into `output`. The `key` array must be of length `params.digest_length`. */ void -Hacl_Hash_Blake2b_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/msvc/Hacl_Hash_Blake2b_Simd256.c b/src/msvc/Hacl_Hash_Blake2b_Simd256.c index 0afd93bc..35a8e811 100644 --- a/src/msvc/Hacl_Hash_Blake2b_Simd256.c +++ b/src/msvc/Hacl_Hash_Blake2b_Simd256.c @@ -34,6 +34,7 @@ update_block( Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, bool flag, + bool last_node, FStar_UInt128_uint128 totlen, uint8_t *d ) @@ -59,7 +60,15 @@ update_block( { wv_14 = 0ULL; } - uint64_t wv_15 = 0ULL; + uint64_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFFFFFFFFFULL; + } + else + { + wv_15 = 0ULL; + } mask = Lib_IntVector_Intrinsics_vec256_load64s(FStar_UInt128_uint128_to_uint64(totlen), FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(totlen, 64U)), @@ -372,11 +381,11 @@ update_key( memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -399,7 +408,7 @@ Hacl_Hash_Blake2b_Simd256_update_multi( FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)((i + 1U) * 128U))); uint8_t *b = blocks + i * 128U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -408,6 +417,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec256 *wv, Lib_IntVector_Intrinsics_vec256 *hash, + bool last_node, FStar_UInt128_uint128 prev, uint32_t rem, uint8_t *d @@ -418,7 +428,7 @@ Hacl_Hash_Blake2b_Simd256_update_last( memcpy(b, last, rem * sizeof (uint8_t)); FStar_UInt128_uint128 totlen = FStar_UInt128_add_mod(prev, FStar_UInt128_uint64_to_uint128((uint64_t)len)); - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 128U, uint8_t, void *); } @@ -452,7 +462,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2b_Simd256_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2b_Simd256_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2b_Simd256_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -610,7 +620,13 @@ static Hacl_Hash_Blake2b_Simd256_state_t sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); Hacl_Hash_Blake2b_Simd256_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; + block_state = + { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv, .snd = b } + }; uint8_t kk10 = kk.key_length; uint32_t ite; if (kk10 != 0U) @@ -632,7 +648,8 @@ static Hacl_Hash_Blake2b_Simd256_state_t Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; uint8_t kk1 = p1->key_length; uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -642,42 +659,58 @@ static Hacl_Hash_Blake2b_Simd256_state_t memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); return p; } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (256 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 256 for S, 64 for B. +- The digest_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; return malloc_raw(i1, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (256 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 256 for S, 64 for B. + */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc_with_key0(uint8_t *k, uint8_t kk) { uint8_t nn = 64U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(16U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[16U] = { 0U }; + uint8_t personal[16U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -685,21 +718,16 @@ Hacl_Hash_Blake2b_Simd256_state_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; + Hacl_Hash_Blake2b_blake2_params p0 = p; Hacl_Hash_Blake2b_Simd256_state_t - *s = Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + *s = Hacl_Hash_Blake2b_Simd256_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) { @@ -709,9 +737,11 @@ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2b_Simd256_state_t *s) { Hacl_Hash_Blake2b_Simd256_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void @@ -723,14 +753,18 @@ reset_raw( Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -740,7 +774,7 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -757,9 +791,11 @@ reset_raw( } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( @@ -773,10 +809,11 @@ Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params( } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *k) { @@ -795,7 +832,12 @@ void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_state_t } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s) { @@ -803,7 +845,7 @@ void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2b_Simd256_update( @@ -873,8 +915,7 @@ Hacl_Hash_Blake2b_Simd256_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = 1U; @@ -899,7 +940,7 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -967,8 +1008,7 @@ Hacl_Hash_Blake2b_Simd256_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = 1U; @@ -994,7 +1034,7 @@ Hacl_Hash_Blake2b_Simd256_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; uint32_t nb = data1_len / 128U; @@ -1020,16 +1060,25 @@ Hacl_Hash_Blake2b_Simd256_update( } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 256 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2B_256_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2b_Simd256_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; + Hacl_Hash_Blake2b_Simd256_block_state_t block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2b_Simd256_state_t scrut = *s; Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; @@ -1047,9 +1096,14 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 KRML_PRE_ALIGN(32) Lib_IntVector_Intrinsics_vec256 b[4U] KRML_POST_ALIGN(32) = { 0U }; Hacl_Hash_Blake2b_Simd256_block_state_t tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - Lib_IntVector_Intrinsics_vec256 *src_b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + Lib_IntVector_Intrinsics_vec256 *src_b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec256 *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1064,7 +1118,7 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc0 = tmp_block_state.thd; + acc0 = tmp_block_state.f3; Lib_IntVector_Intrinsics_vec256 *wv1 = acc0.fst; Lib_IntVector_Intrinsics_vec256 *hash0 = acc0.snd; uint32_t nb = 0U; @@ -1076,17 +1130,35 @@ Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state_t *state, uint8 nb); uint64_t prev_len_last = total_len - (uint64_t)r; K____Lib_IntVector_Intrinsics_vec256___Lib_IntVector_Intrinsics_vec256_ - acc = tmp_block_state.thd; + acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; Lib_IntVector_Intrinsics_vec256 *wv = acc.fst; Lib_IntVector_Intrinsics_vec256 *hash = acc.snd; Hacl_Hash_Blake2b_Simd256_update_last(r, wv, hash, + last_node1, FStar_UInt128_uint64_to_uint128(prev_len_last), r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2b_Simd256_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2b_Simd256_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Hash_Blake2b_Simd256_block_state_t block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_Simd256_info(Hacl_Hash_Blake2b_Simd256_state_t *s) +{ + Hacl_Hash_Blake2b_Simd256_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1097,8 +1169,8 @@ void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state) Hacl_Hash_Blake2b_Simd256_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2b_Simd256_block_state_t block_state = scrut.block_state; - Lib_IntVector_Intrinsics_vec256 *b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec256 *wv = block_state.thd.fst; + Lib_IntVector_Intrinsics_vec256 *b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec256 *wv = block_state.f3.fst; KRML_ALIGNED_FREE(wv); KRML_ALIGNED_FREE(b); KRML_HOST_FREE(buf); @@ -1106,7 +1178,7 @@ void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_copy(Hacl_Hash_Blake2b_Simd256_state_t *state) @@ -1115,9 +1187,10 @@ Hacl_Hash_Blake2b_Simd256_state_t Hacl_Hash_Blake2b_Simd256_block_state_t block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(128U, sizeof (uint8_t)); memcpy(buf, buf0, 128U * sizeof (uint8_t)); Lib_IntVector_Intrinsics_vec256 @@ -1131,9 +1204,15 @@ Hacl_Hash_Blake2b_Simd256_state_t sizeof (Lib_IntVector_Intrinsics_vec256) * 4U); memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); Hacl_Hash_Blake2b_Simd256_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - Lib_IntVector_Intrinsics_vec256 *src_b = block_state0.thd.snd; - Lib_IntVector_Intrinsics_vec256 *dst_b = block_state.thd.snd; + block_state = + { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv, .snd = b } + }; + Lib_IntVector_Intrinsics_vec256 *src_b = block_state0.f3.snd; + Lib_IntVector_Intrinsics_vec256 *dst_b = block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec256)); Hacl_Hash_Blake2b_Simd256_state_t s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; @@ -1175,8 +1254,14 @@ Hacl_Hash_Blake2b_Simd256_hash_with_key( Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec256, void *); } +/** +Write the BLAKE2b digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2b_Simd256_hash_with_key_and_paramas( +Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/msvc/Hacl_Hash_Blake2s.c b/src/msvc/Hacl_Hash_Blake2s.c index 6e19d83d..60bdd0ac 100644 --- a/src/msvc/Hacl_Hash_Blake2s.c +++ b/src/msvc/Hacl_Hash_Blake2s.c @@ -30,7 +30,14 @@ #include "lib_memzero0.h" static inline void -update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t *d) +update_block( + uint32_t *wv, + uint32_t *hash, + bool flag, + bool last_node, + uint64_t totlen, + uint8_t *d +) { uint32_t m_w[16U] = { 0U }; KRML_MAYBE_FOR16(i, @@ -53,7 +60,15 @@ update_block(uint32_t *wv, uint32_t *hash, bool flag, uint64_t totlen, uint8_t * { wv_14 = 0U; } - uint32_t wv_15 = 0U; + uint32_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFU; + } + else + { + wv_15 = 0U; + } mask[0U] = (uint32_t)totlen; mask[1U] = (uint32_t)(totlen >> 32U); mask[2U] = wv_14; @@ -642,11 +657,11 @@ static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_t *k, ui memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -666,7 +681,7 @@ Hacl_Hash_Blake2s_update_multi( { uint64_t totlen = prev + (uint64_t)((i + 1U) * 64U); uint8_t *b = blocks + i * 64U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -675,6 +690,7 @@ Hacl_Hash_Blake2s_update_last( uint32_t len, uint32_t *wv, uint32_t *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d @@ -684,7 +700,7 @@ Hacl_Hash_Blake2s_update_last( uint8_t *last = d + len - rem; memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -712,7 +728,7 @@ update_blocks(uint32_t len, uint32_t *wv, uint32_t *hash, uint64_t prev, uint8_t rem = rem0; } Hacl_Hash_Blake2s_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2s_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2s_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -756,7 +772,13 @@ static Hacl_Hash_Blake2s_state_t uint32_t *wv = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); Hacl_Hash_Blake2s_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; + block_state = + { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv, .snd = b } + }; uint8_t kk10 = kk.key_length; uint32_t ite; if (kk10 != 0U) @@ -775,7 +797,8 @@ static Hacl_Hash_Blake2s_state_t Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; uint8_t kk1 = p1->key_length; uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -785,38 +808,57 @@ static Hacl_Hash_Blake2s_state_t memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); return p; } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (32 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 32 for S, 64 for B. +- The digest_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t -*Hacl_Hash_Blake2s_malloc_with_params_and_key(Hacl_Hash_Blake2b_blake2_params *p, uint8_t *k) +*Hacl_Hash_Blake2s_malloc_with_params_and_key( + Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, + uint8_t *k +) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; return malloc_raw(i1, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (32 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 32 for S, 64 for B. + */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t kk) { uint8_t nn = 32U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -824,20 +866,15 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k, uint8_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; - Hacl_Hash_Blake2s_state_t *s = Hacl_Hash_Blake2s_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + Hacl_Hash_Blake2b_blake2_params p0 = p; + Hacl_Hash_Blake2s_state_t *s = Hacl_Hash_Blake2s_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void) { @@ -847,9 +884,11 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2s_state_t *s) { Hacl_Hash_Blake2s_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void @@ -861,14 +900,18 @@ reset_raw( Hacl_Hash_Blake2s_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -878,7 +921,7 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -895,9 +938,11 @@ reset_raw( } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key_and_params( @@ -911,10 +956,11 @@ Hacl_Hash_Blake2s_reset_with_key_and_params( } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k) { @@ -933,7 +979,12 @@ void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint8_t *k) } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s) { @@ -941,7 +992,7 @@ void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint32_t chunk_len) @@ -1007,7 +1058,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = 1U; @@ -1027,7 +1078,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -1090,7 +1141,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = 1U; @@ -1111,7 +1162,7 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____uint32_t___uint32_t_ acc = block_state1.thd; + K____uint32_t___uint32_t_ acc = block_state1.f3; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -1132,15 +1183,25 @@ Hacl_Hash_Blake2s_update(Hacl_Hash_Blake2s_state_t *state, uint8_t *chunk, uint3 } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 32 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_32_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2s_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2s_state_t scrut = *state; + Hacl_Hash_Blake2s_block_state_t block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2s_state_t scrut = *s; Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; @@ -1158,9 +1219,14 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) uint32_t b[16U] = { 0U }; Hacl_Hash_Blake2s_block_state_t tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - uint32_t *src_b = block_state.thd.snd; - uint32_t *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + uint32_t *src_b = block_state.f3.snd; + uint32_t *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1174,18 +1240,35 @@ void Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *state, uint8_t *output) } uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; - K____uint32_t___uint32_t_ acc0 = tmp_block_state.thd; + K____uint32_t___uint32_t_ acc0 = tmp_block_state.f3; uint32_t *wv1 = acc0.fst; uint32_t *hash0 = acc0.snd; uint32_t nb = 0U; Hacl_Hash_Blake2s_update_multi(0U, wv1, hash0, prev_len, buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; - K____uint32_t___uint32_t_ acc = tmp_block_state.thd; + K____uint32_t___uint32_t_ acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; uint32_t *wv = acc.fst; uint32_t *hash = acc.snd; - Hacl_Hash_Blake2s_update_last(r, wv, hash, prev_len_last, r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2s_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + Hacl_Hash_Blake2s_update_last(r, wv, hash, last_node1, prev_len_last, r, buf_last); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2s_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Hash_Blake2s_block_state_t block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_info(Hacl_Hash_Blake2s_state_t *s) +{ + Hacl_Hash_Blake2s_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1196,8 +1279,8 @@ void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state) Hacl_Hash_Blake2s_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2s_block_state_t block_state = scrut.block_state; - uint32_t *b = block_state.thd.snd; - uint32_t *wv = block_state.thd.fst; + uint32_t *b = block_state.f3.snd; + uint32_t *wv = block_state.f3.fst; KRML_HOST_FREE(wv); KRML_HOST_FREE(b); KRML_HOST_FREE(buf); @@ -1205,7 +1288,7 @@ void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_state_t *state) { @@ -1213,17 +1296,24 @@ Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_state_t *sta Hacl_Hash_Blake2s_block_state_t block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); memcpy(buf, buf0, 64U * sizeof (uint8_t)); uint32_t *wv = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); uint32_t *b = (uint32_t *)KRML_HOST_CALLOC(16U, sizeof (uint32_t)); Hacl_Hash_Blake2s_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - uint32_t *src_b = block_state0.thd.snd; - uint32_t *dst_b = block_state.thd.snd; + block_state = + { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv, .snd = b } + }; + uint32_t *src_b = block_state0.f3.snd; + uint32_t *dst_b = block_state.f3.snd; memcpy(dst_b, src_b, 16U * sizeof (uint32_t)); Hacl_Hash_Blake2s_state_t s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; @@ -1262,8 +1352,14 @@ Hacl_Hash_Blake2s_hash_with_key( Lib_Memzero0_memzero(b, 16U, uint32_t, void *); } +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/msvc/Hacl_Hash_Blake2s_Simd128.c b/src/msvc/Hacl_Hash_Blake2s_Simd128.c index c02da8fa..628d273a 100644 --- a/src/msvc/Hacl_Hash_Blake2s_Simd128.c +++ b/src/msvc/Hacl_Hash_Blake2s_Simd128.c @@ -34,6 +34,7 @@ update_block( Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, bool flag, + bool last_node, uint64_t totlen, uint8_t *d ) @@ -59,7 +60,15 @@ update_block( { wv_14 = 0U; } - uint32_t wv_15 = 0U; + uint32_t wv_15; + if (last_node) + { + wv_15 = 0xFFFFFFFFU; + } + else + { + wv_15 = 0U; + } mask = Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)totlen, (uint32_t)(totlen >> 32U), @@ -366,11 +375,11 @@ update_key( memcpy(b, k, kk * sizeof (uint8_t)); if (ll == 0U) { - update_block(wv, hash, true, lb, b); + update_block(wv, hash, true, false, lb, b); } else { - update_block(wv, hash, false, lb, b); + update_block(wv, hash, false, false, lb, b); } Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -390,7 +399,7 @@ Hacl_Hash_Blake2s_Simd128_update_multi( { uint64_t totlen = prev + (uint64_t)((i + 1U) * 64U); uint8_t *b = blocks + i * 64U; - update_block(wv, hash, false, totlen, b); + update_block(wv, hash, false, false, totlen, b); } } @@ -399,6 +408,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint32_t len, Lib_IntVector_Intrinsics_vec128 *wv, Lib_IntVector_Intrinsics_vec128 *hash, + bool last_node, uint64_t prev, uint32_t rem, uint8_t *d @@ -408,7 +418,7 @@ Hacl_Hash_Blake2s_Simd128_update_last( uint8_t *last = d + len - rem; memcpy(b, last, rem * sizeof (uint8_t)); uint64_t totlen = prev + (uint64_t)len; - update_block(wv, hash, true, totlen, b); + update_block(wv, hash, true, last_node, totlen, b); Lib_Memzero0_memzero(b, 64U, uint8_t, void *); } @@ -442,7 +452,7 @@ update_blocks( rem = rem0; } Hacl_Hash_Blake2s_Simd128_update_multi(len, wv, hash, prev, blocks, nb); - Hacl_Hash_Blake2s_Simd128_update_last(len, wv, hash, prev, rem, blocks); + Hacl_Hash_Blake2s_Simd128_update_last(len, wv, hash, false, prev, rem, blocks); } static inline void @@ -600,7 +610,13 @@ static Hacl_Hash_Blake2s_Simd128_state_t sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); Hacl_Hash_Blake2s_Simd128_block_state_t - block_state = { .fst = kk.key_length, .snd = kk.digest_length, .thd = { .fst = wv, .snd = b } }; + block_state = + { + .fst = kk.key_length, + .snd = kk.digest_length, + .thd = kk.last_node, + .f3 = { .fst = wv, .snd = b } + }; uint8_t kk10 = kk.key_length; uint32_t ite; if (kk10 != 0U) @@ -622,7 +638,8 @@ static Hacl_Hash_Blake2s_Simd128_state_t Hacl_Hash_Blake2b_blake2_params *p1 = key.fst; uint8_t kk1 = p1->key_length; uint8_t nn = p1->digest_length; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -632,42 +649,58 @@ static Hacl_Hash_Blake2s_Simd128_state_t memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p1[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); return p; } /** - State allocation function when there are parameters and a key. The -length of the key k MUST match the value of the field key_length in the -parameters. Furthermore, there is a static (not dynamically checked) requirement -that key_length does not exceed max_key (128 for S, 64 for B).) + General-purpose allocation function that gives control over all +Blake2 parameters, including the key. Further resettings of the state SHALL be +done with `reset_with_params_and_key`, and SHALL feature the exact same values +for the `key_length` and `digest_length` fields as passed here. In other words, +once you commit to a digest and key length, the only way to change these +parameters is to allocate a new object. + +The caller must satisfy the following requirements. +- The length of the key k MUST match the value of the field key_length in the + parameters. +- The key_length must not exceed 128 for S, 64 for B. +- The digest_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key( Hacl_Hash_Blake2b_blake2_params *p, + bool last_node, uint8_t *k ) { Hacl_Hash_Blake2b_blake2_params pv = p[0U]; Hacl_Hash_Blake2b_index - i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length }; + i1 = { .key_length = pv.key_length, .digest_length = pv.digest_length, .last_node = last_node }; return malloc_raw(i1, ((K____Hacl_Impl_Blake2_Core_blake2_params___uint8_t_){ .fst = p, .snd = k })); } /** - State allocation function when there is just a custom key. All -other parameters are set to their respective default values, meaning the output -length is the maximum allowed output (128 for S, 64 for B). + Specialized allocation function that picks default values for all +parameters, except for the key_length. Further resettings of the state SHALL be +done with `reset_with_key`, and SHALL feature the exact same key length `kk` as +passed here. In other words, once you commit to a key length, the only way to +change this parameter is to allocate a new object. + +The caller must satisfy the following requirements. +- The key_length must not exceed 128 for S, 64 for B. + */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc_with_key0(uint8_t *k, uint8_t kk) { uint8_t nn = 32U; - Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn }; - uint8_t *salt = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); - uint8_t *personal = (uint8_t *)KRML_HOST_CALLOC(8U, sizeof (uint8_t)); + Hacl_Hash_Blake2b_index i = { .key_length = kk, .digest_length = nn, .last_node = false }; + uint8_t salt[8U] = { 0U }; + uint8_t personal[8U] = { 0U }; Hacl_Hash_Blake2b_blake2_params p = { @@ -675,21 +708,16 @@ Hacl_Hash_Blake2s_Simd128_state_t .leaf_length = 0U, .node_offset = 0ULL, .node_depth = 0U, .inner_length = 0U, .salt = salt, .personal = personal }; - Hacl_Hash_Blake2b_blake2_params - *p0 = - (Hacl_Hash_Blake2b_blake2_params *)KRML_HOST_MALLOC(sizeof (Hacl_Hash_Blake2b_blake2_params)); - p0[0U] = p; + Hacl_Hash_Blake2b_blake2_params p0 = p; Hacl_Hash_Blake2s_Simd128_state_t - *s = Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key(p0, k); - Hacl_Hash_Blake2b_blake2_params p1 = p0[0U]; - KRML_HOST_FREE(p1.salt); - KRML_HOST_FREE(p1.personal); - KRML_HOST_FREE(p0); + *s = Hacl_Hash_Blake2s_Simd128_malloc_with_params_and_key(&p0, false, k); return s; } /** - State allocation function when there is no key + Specialized allocation function that picks default values for all +parameters, and has no key. Effectively, this is what you want if you intend to +use Blake2 as a hash function. Further resettings of the state SHALL be done with `reset`. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) { @@ -699,9 +727,11 @@ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void) static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2s_Simd128_state_t *s) { Hacl_Hash_Blake2s_Simd128_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; uint8_t nn = block_state.snd; uint8_t kk1 = block_state.fst; - return ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn }); + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk1, .digest_length = nn, .last_node = last_node }); } static void @@ -713,14 +743,18 @@ reset_raw( Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; + bool last_node0 = block_state.thd; uint8_t nn0 = block_state.snd; uint8_t kk10 = block_state.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk10, .digest_length = nn0 }; + Hacl_Hash_Blake2b_index + i = { .key_length = kk10, .digest_length = nn0, .last_node = last_node0 }; KRML_MAYBE_UNUSED_VAR(i); Hacl_Hash_Blake2b_blake2_params *p = key.fst; uint8_t kk1 = p->key_length; uint8_t nn = p->digest_length; - Hacl_Hash_Blake2b_index i1 = { .key_length = kk1, .digest_length = nn }; + bool last_node = block_state.thd; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint32_t kk2 = (uint32_t)i1.key_length; uint8_t *k_1 = key.snd; if (!(kk2 == 0U)) @@ -730,7 +764,7 @@ reset_raw( memcpy(buf, k_1, kk2 * sizeof (uint8_t)); } Hacl_Hash_Blake2b_blake2_params pv = p[0U]; - init_with_params(block_state.thd.snd, pv); + init_with_params(block_state.f3.snd, pv); uint8_t kk11 = i.key_length; uint32_t ite; if (kk11 != 0U) @@ -747,9 +781,11 @@ reset_raw( } /** - Re-initialization function. The reinitialization API is tricky -- -you MUST reuse the same original parameters for digest (output) length and key -length. + General-purpose re-initialization function with parameters and +key. You cannot change digest_length, key_length, or last_node, meaning those values in +the parameters object must be the same as originally decided via one of the +malloc functions. All other values of the parameter can be changed. The behavior +is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( @@ -763,10 +799,11 @@ Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params( } /** - Re-initialization function when there is a key. Note that the key -size is not allowed to change, which is why this function does not take a key -length -- the key has to be same key size that was originally passed to -`malloc_with_key` + Specialized-purpose re-initialization function with no parameters, +and a key. The key length must be the same as originally decided via your choice +of malloc function. All other parameters are reset to their default values. The +original call to malloc MUST have set digest_length to the default value. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *k) { @@ -785,7 +822,12 @@ void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_state_t } /** - Re-initialization function when there is no key + Specialized-purpose re-initialization function with no parameters +and no key. This is what you want if you intend to use Blake2 as a hash +function. The key length and digest length must have been set to their +respective default values via your choice of malloc function (always true if you +used `malloc`). All other parameters are reset to their default values. The +behavior is unspecified if you violate this precondition. */ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s) { @@ -793,7 +835,7 @@ void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s) } /** - Update function when there is no key; 0 = success, 1 = max length exceeded + Update function; 0 = success, 1 = max length exceeded */ Hacl_Streaming_Types_error_code Hacl_Hash_Blake2s_Simd128_update( @@ -863,8 +905,7 @@ Hacl_Hash_Blake2s_Simd128_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = 1U; @@ -884,7 +925,7 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t data2_len = chunk_len - data1_len; uint8_t *data1 = chunk; uint8_t *data2 = chunk + data1_len; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -947,8 +988,7 @@ Hacl_Hash_Blake2s_Simd128_update( if (!(sz1 == 0U)) { uint64_t prevlen = total_len1 - (uint64_t)sz1; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = 1U; @@ -969,7 +1009,7 @@ Hacl_Hash_Blake2s_Simd128_update( uint32_t data2_len = chunk_len - diff - data1_len; uint8_t *data1 = chunk2; uint8_t *data2 = chunk2 + data1_len; - K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.thd; + K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ acc = block_state1.f3; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; uint32_t nb = data1_len / 64U; @@ -990,16 +1030,25 @@ Hacl_Hash_Blake2s_Simd128_update( } /** - Finish function when there is no key + Digest function. This function expects the `output` array to hold +at least `digest_length` bytes, where `digest_length` was determined by your +choice of `malloc` function. Concretely, if you used `malloc` or +`malloc_with_key`, then the expected length is 128 for S, or 64 for B (default +digest length). If you used `malloc_with_params_and_key`, then the expected +length is whatever you chose for the `digest_length` field of your parameters. +For convenience, this function returns `digest_length`. When in doubt, callers +can pass an array of size HACL_BLAKE2S_128_OUT_BYTES, then use the return value +to see how many bytes were actually written. */ -void -Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8_t *output) +uint8_t Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *s, uint8_t *dst) { - Hacl_Hash_Blake2s_Simd128_block_state_t block_state0 = (*state).block_state; - uint8_t nn = block_state0.snd; - uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; - Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; + Hacl_Hash_Blake2s_Simd128_block_state_t block_state0 = (*s).block_state; + bool last_node0 = block_state0.thd; + uint8_t nn0 = block_state0.snd; + uint8_t kk0 = block_state0.fst; + Hacl_Hash_Blake2b_index + i1 = { .key_length = kk0, .digest_length = nn0, .last_node = last_node0 }; + Hacl_Hash_Blake2s_Simd128_state_t scrut = *s; Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; uint8_t *buf_ = scrut.buf; uint64_t total_len = scrut.total_len; @@ -1017,9 +1066,14 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 KRML_PRE_ALIGN(16) Lib_IntVector_Intrinsics_vec128 b[4U] KRML_POST_ALIGN(16) = { 0U }; Hacl_Hash_Blake2s_Simd128_block_state_t tmp_block_state = - { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv0, .snd = b } }; - Lib_IntVector_Intrinsics_vec128 *src_b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.thd.snd; + { + .fst = i1.key_length, + .snd = i1.digest_length, + .thd = i1.last_node, + .f3 = { .fst = wv0, .snd = b } + }; + Lib_IntVector_Intrinsics_vec128 *src_b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec128 *dst_b = tmp_block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); uint64_t prev_len = total_len - (uint64_t)r; uint32_t ite; @@ -1034,19 +1088,36 @@ Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state_t *state, uint8 uint8_t *buf_last = buf_1 + r - ite; uint8_t *buf_multi = buf_1; K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc0 = tmp_block_state.thd; + acc0 = tmp_block_state.f3; Lib_IntVector_Intrinsics_vec128 *wv1 = acc0.fst; Lib_IntVector_Intrinsics_vec128 *hash0 = acc0.snd; uint32_t nb = 0U; Hacl_Hash_Blake2s_Simd128_update_multi(0U, wv1, hash0, prev_len, buf_multi, nb); uint64_t prev_len_last = total_len - (uint64_t)r; K____Lib_IntVector_Intrinsics_vec128___Lib_IntVector_Intrinsics_vec128_ - acc = tmp_block_state.thd; + acc = tmp_block_state.f3; + bool last_node1 = tmp_block_state.thd; Lib_IntVector_Intrinsics_vec128 *wv = acc.fst; Lib_IntVector_Intrinsics_vec128 *hash = acc.snd; - Hacl_Hash_Blake2s_Simd128_update_last(r, wv, hash, prev_len_last, r, buf_last); - uint8_t nn0 = tmp_block_state.snd; - Hacl_Hash_Blake2s_Simd128_finish((uint32_t)nn0, output, tmp_block_state.thd.snd); + Hacl_Hash_Blake2s_Simd128_update_last(r, wv, hash, last_node1, prev_len_last, r, buf_last); + uint8_t nn1 = tmp_block_state.snd; + Hacl_Hash_Blake2s_Simd128_finish((uint32_t)nn1, dst, tmp_block_state.f3.snd); + Hacl_Hash_Blake2s_Simd128_block_state_t block_state1 = (*s).block_state; + bool last_node = block_state1.thd; + uint8_t nn = block_state1.snd; + uint8_t kk = block_state1.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }).digest_length; +} + +Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_Simd128_info(Hacl_Hash_Blake2s_Simd128_state_t *s) +{ + Hacl_Hash_Blake2s_Simd128_block_state_t block_state = (*s).block_state; + bool last_node = block_state.thd; + uint8_t nn = block_state.snd; + uint8_t kk = block_state.fst; + return + ((Hacl_Hash_Blake2b_index){ .key_length = kk, .digest_length = nn, .last_node = last_node }); } /** @@ -1057,8 +1128,8 @@ void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state) Hacl_Hash_Blake2s_Simd128_state_t scrut = *state; uint8_t *buf = scrut.buf; Hacl_Hash_Blake2s_Simd128_block_state_t block_state = scrut.block_state; - Lib_IntVector_Intrinsics_vec128 *b = block_state.thd.snd; - Lib_IntVector_Intrinsics_vec128 *wv = block_state.thd.fst; + Lib_IntVector_Intrinsics_vec128 *b = block_state.f3.snd; + Lib_IntVector_Intrinsics_vec128 *wv = block_state.f3.fst; KRML_ALIGNED_FREE(wv); KRML_ALIGNED_FREE(b); KRML_HOST_FREE(buf); @@ -1066,7 +1137,7 @@ void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *state) } /** - Copying. The key length (or absence thereof) must match between source and destination. + Copying. This preserves all parameters. */ Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_copy(Hacl_Hash_Blake2s_Simd128_state_t *state) @@ -1075,9 +1146,10 @@ Hacl_Hash_Blake2s_Simd128_state_t Hacl_Hash_Blake2s_Simd128_block_state_t block_state0 = scrut.block_state; uint8_t *buf0 = scrut.buf; uint64_t total_len0 = scrut.total_len; + bool last_node = block_state0.thd; uint8_t nn = block_state0.snd; uint8_t kk1 = block_state0.fst; - Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn }; + Hacl_Hash_Blake2b_index i = { .key_length = kk1, .digest_length = nn, .last_node = last_node }; uint8_t *buf = (uint8_t *)KRML_HOST_CALLOC(64U, sizeof (uint8_t)); memcpy(buf, buf0, 64U * sizeof (uint8_t)); Lib_IntVector_Intrinsics_vec128 @@ -1091,9 +1163,15 @@ Hacl_Hash_Blake2s_Simd128_state_t sizeof (Lib_IntVector_Intrinsics_vec128) * 4U); memset(b, 0U, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); Hacl_Hash_Blake2s_Simd128_block_state_t - block_state = { .fst = i.key_length, .snd = i.digest_length, .thd = { .fst = wv, .snd = b } }; - Lib_IntVector_Intrinsics_vec128 *src_b = block_state0.thd.snd; - Lib_IntVector_Intrinsics_vec128 *dst_b = block_state.thd.snd; + block_state = + { + .fst = i.key_length, + .snd = i.digest_length, + .thd = i.last_node, + .f3 = { .fst = wv, .snd = b } + }; + Lib_IntVector_Intrinsics_vec128 *src_b = block_state0.f3.snd; + Lib_IntVector_Intrinsics_vec128 *dst_b = block_state.f3.snd; memcpy(dst_b, src_b, 4U * sizeof (Lib_IntVector_Intrinsics_vec128)); Hacl_Hash_Blake2s_Simd128_state_t s = { .block_state = block_state, .buf = buf, .total_len = total_len0 }; @@ -1135,8 +1213,14 @@ Hacl_Hash_Blake2s_Simd128_hash_with_key( Lib_Memzero0_memzero(b, 4U, Lib_IntVector_Intrinsics_vec128, void *); } +/** +Write the BLAKE2s digest of message `input` using key `key` and +parameters `params` into `output`. The `key` array must be of length +`params.key_length`. The `output` array must be of length +`params.digest_length`. +*/ void -Hacl_Hash_Blake2s_Simd128_hash_with_key_and_paramas( +Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params( uint8_t *output, uint8_t *input, uint32_t input_len, diff --git a/src/wasm/EverCrypt_Hash.wasm b/src/wasm/EverCrypt_Hash.wasm index 1447feb38afaaca8ed624e0dc44b1238d670b653..70c58ff8fbe9165f06e52dc9e9869015bdcc23ce 100644 GIT binary patch delta 84 zcmaEIl=;%=&j&HjvC ie2o7#-{LRjW4y9CK+c4N$&q1mi<&kgh+eO5x*GuJb{vWT delta 59 zcmV-B0L1_5#RKHU0}23Pb8P_t0005AkqYvWuoRI+8Iv#p1+y>#s}2GBv)m7L4gt`! RQXVu2vxp`u0kgFyHM??26z%{3 diff --git a/src/wasm/Hacl_Bignum.wasm b/src/wasm/Hacl_Bignum.wasm index 6e090b50b5acc4b01d3eaa14e9a14507c7cc0467..9858cc28d9d2b50006974993d3546bb2ac6e8ea0 100644 GIT binary patch delta 2595 zcmeHI`%~0a6yNjRFR%jyh_DEX0?~{FDn7#3P`e{G)=ZQ$xxn|kU{n49{_?r!p8GlH zeD3|8d%s6o#3L=Dd5&7WYnMekyHeK)Y!F<<#fwzHVud;4!Wfmn9txqL#%ZAYhO~E5 zGm>MLs6;kP2mu$CB1C{I%NJ&Y8*39HL9<_smR?qyH6Tje9#sMk7Oy=t_)i<4LGZgt z!)>j*h{K;j_xLPWRO9S!$RQdE!gFZwp6l<1!!rx)E;#fo;aN5=O{X=-3KPY>66;B` z^*R#`U8|aiS@_aDN^OZx6+pxKNBlu#-fPp*wPWpz$YV9t;Vf_SYH8jZKdC`u)dc`i zyb_3FN~m(hi6wrkRG8v9HNm`1OUDyPd7IlsB{+Q>1$S@j9}5m=ebwG<=-p@0IrBZ- z+k_5-M7)cVL15F34BdU-&%ko^#!YDN+d+1gDUlu89w)Cw+Y{Jp+4=H(GPgwbN86Pg z<#q%6CfiSn+?frSvZgu-s|Ni5G?{grA%1)Ob;O~Zrx7D+o@>Xs9PMI7t6$Gz?%dal*Ik7bhUBdAQ?Nh%ZEK*3456r7VwVQmeBx46Bm zk?f2{Dl;vgnAuIlEN&uyeLkT_Goha22hCJQx0lMa{m9Go7f_k}Qxx2LDjad}(-nv> zoF?4Pv1A|FL#LY&OU;RhBW7YQYbF0%7QzZ{U+3t({|0b8jN^Eu%&pTgxoFEZdWLS?tY<1@c;E zSpxgJ!d=c2dh{G-v&8@Jr4ZB@^KTa-i(R!*{;@TuMwiO%UUY6x8XOPdNrOMy;BT`v zJ(Y52PVQQIIwv}NYR4K_On(%vkNrL93GVFA#LKek(sG!g360XL=BiX75qe0|i)nna z)kkCpE+0is-0$=5nAJvvNxjQ6r+x+4Hp>DX&##*?McE00t0ki`5W| zLakXMXhF2*if|0QD_tNGcVSC)g;!~H?7wbpcf%NYrkf6Q`uw}w92z+3#QfUbnK|DB zOfs{{13Zb@;R*OOTJdAxCdVt-HarFXxXp=afe&bLqmNf#0BfBe_@V4`esIM}j6>@z zW?g`jn1O&vVtfOg#pDITc_%T(U}$g>;}ZsE)L$9~c<@$77*ttXLSd1j_7TD_{{Xpm BQD*=E delta 2622 zcmeHI`%~0a6yNjRg=K&Mk%wRu5Y0%S;v;-TvLiOuOq4U_3?Ft%vJtr{figS0>bal6IXU(1l=Q^Ntp`joohX(fr-fA44UTk&1p?5jYvSmdYt=U!^ zDDLGbSDI~(Hqg+$u9=vHFOE@aQ*4TWq6Wsj0hs&7G<5CW_yY1+ZA}Qv+qPa@`1%h@ zP@AKDfhcZqL@~rwJL1F?yF)BYa-E%E;no#X3B>QX34q^Q@?rh|p zXV5wSUEJHW4y{PMOQKd_b9D^e{ol^Rat*qzXdl>3cBUbo9oZEltwmVl*sJ<{X+D!% zBKae%a*hhCmVKr762r3efGKNh60oZOcW489`~*Y%`owF9BRNkYhSoldn8L z8|o}**VGZy?IbY+_R;G0lY~Va>$%6d{t|kw*T08l5*tFPOx`If6VOP(3Aq%UlS^S| z8wqc7du0>Z=}lB-PCha9&BQEjCVxXdp-T&)hU5D!R3>^ql{x!8FEda;W%5r`aNp?= z#Nm%uBd$F|xQk=S0kTKVv>=um;}OS=#9Y}%{x?m8mE69;(f!~Z^!T>#!7_*2*VAr# z&lMwPb>KO&UppumY-+s(GEhimN((7?qL6}DbrUt|Q^G24-{u(l3zg|FBIfhO#Qfj_af*uxN4On+k?idk zsZ2r-mFevn0=a3=eWpX-hR?elv5A)SQ}d-&P!n}lkZtUXXP)KMh?8p>dcv4OHb!?XV30fEsGoo$Mwm-2R*@E0~vT()?Ho&^VC7%8pQ&IA}~|~ zsTx%(pX~4ecIe7662vnrbD&2Q0X*!3vY0!;s64x&3hp#=13?Gur?p~I;`+t{}c;1th zd~xr;m9*cNmBjqfDJu#8>l^uhdVl;QY}vgNix7`b^iIoVc7F2~fD!q%$|&D#ZV~|B zNy{=NMA18zsRGn(&Q-y2^saG$Fx-VD#Svbi)ye<5xm}Gh(kyx|(CPE+RT diff --git a/src/wasm/Hacl_Bignum32.wasm b/src/wasm/Hacl_Bignum32.wasm index c2102b8189b2a5ab8d663a53be33e8f1e9a552e4..cfbbf5e97f243a758c4f16e6e02022a1f45f1ed6 100644 GIT binary patch delta 681 zcmaEs{w#fhloE4&eLZ7+0wb8HW2%QS5rPvBicQvMWJpd{VB(Zx=MGOS&J8XtD9A4=5kO+cmlP!yY~IK8 zo0XA$^Dd6%OpNT4cX4EGKEvI?B*iM_$e_W%;K-uDkmJahO5VM-Mk6d1D5OtKaD1Xr5J7d`obL>|y70zwLmK)r^-%i)smg}Z?w z)gpR8=~W`mAZY{f^^@m{O#%uSh}$v3RU#Y1!^ok)ps1msApmnvrBp6Z>vO41Ky9<6 z)j;MPltEZiFM9|m;Uve&%)=_BzyNWr0Q2N<#b9A%0Yz>FZbt^Q$%6ValW!_c1)7qt zbQ(xnD+3)kIZJsfkW^5y0LDzD%4|lC&0kd(F^WS&RDlyM5Z0;P16tav{+vmSRT1c5 zN5*VNmOMvBXkY=YKd;j(!Kx?okU)vK9&*inf!!Nfsu7GE0ZQ8+vJ5za*XVg z^_jFc?`QhO%E+>L7sqlYMwZFDII=dM;qG9P;*fG=&|qM2WKm$qab(PKWXS>ZvjkWs z=kZO(CoRq2$H+0+Ku{ED+yVY%m{J7>1%@m%lWYY(!IkFmMNfVpkq2~&fRF+sP_Loz za=7Gs;clQvwTK>2dXd%?PI23^nc4W+UWXW@6ga#JS`tv%y5*&)6;0RC<25AQ(Q0xF>W3#??7b7_uC+lnH sZ+@)H3<^3&17Kur{;LNJSSV-mU%i^imkrhcg&PblfZ?=xr;#or0J_YeQ~&?~ diff --git a/src/wasm/Hacl_Bignum_Base.wasm b/src/wasm/Hacl_Bignum_Base.wasm index e407cd7801c73d69dfcdfc15c6db86c600fcf01f..9e75139e78655daed16185b0b7c989c0559e0df4 100644 GIT binary patch delta 1271 zcmZXSTS(J!6vy{-n=Z_pbDKJK?xuOS2rqb_mr|!wx7pNOVrJl)X6;S z5wBY7Egtm#JiwSx%M2_)m|=P*_Rbm%l3-_BUzdHLr>DEOU-3`f+STUqbhnG7LLf_G zfx;1{WkEtOOYtqT3C1Kot2kTAB!X4k>H8{sCgB}l2;&cgM~4K?%1{UAOsJ7_B{Y+B zpO`L3eU^AjzQAi+7?O9xklYBvQ>Fm3iCx4yiXGk=4Zp-S`{7B@7*x%hsny31UXsV~RB88*yvMjKt6Lq^gV z^LV{YRGU!Sh!ds_UN^@h`6M36op?NrN&p*(UgBngpLbRcLsOdA4UI1e8hbK^A0%V= zZ8F9bDWH`&PFziaW;zwgy;LMsX~@(QuM^ja(sXEkq(d{Dag%F&%A>sj{A=u(J3u4T zm_>;qk&b`dX67+VJoMWw=WEOQ%v1YWJ!1aVnM>DmJ`eBvcOI7I$j7n<^RcXX;s>Ip z0G+x5tW{Qsq^l6g(L(eWh+l}tB6OOHb~v+(vDW!wTI)MAG@cR+FPC8WV+o?srC>dA zjQF$^nt?JTUzH)bTZW9O9Bd{|5m(EhnL7?m^a;|GS3t8>f#LK@yhVE@u3>_>PLx!k zQ&jbWQ)eBT#vOLv?1xXAvtM7e}fogM_o!BvHN-5?||mJgRZCJBs5YdhTEMOzUsulb8xy5 zWj=AR5tgzhmt0~N>81KWom3Z?B@*fPgo_pxfAq2mVR189L>wkAG(&pt6qgEVEvx?> ZkL>U9_(EJ(Ty)E6tVh|3i5so&{{Y>NQ7-@h delta 1294 zcmZXSSxA&&6o%)U#WBnr_uOY3HFuG4A(wGnN*&jkF_$#6GH}u~mr#r*Z!)CR@h^x1 zy-4ULq?pQX!lg1zyy&7xLApu0DU+B$f~fPJ3khQ2`Okm8_x)eyJI6IIT=QZ)B23tY z{gk*Ow-dSCgTiiiWM7uFVxJIFywD1{V=7W8B$J5KDm`jjdO9q9U0t2sy_$dO=HBj> zE}6sm7nsw`4W=dtG220iX$|I>u@J=QLu-fw zp;5%i&?Cfkre7H9O6Ew|GS!ywM&hGzDBp+UR1*Q3nAeyK5kIK&M0=HD(sV`mH-nK= z#1MTGaX`;8`Yft9m;q6!&CJoLRjM1Jp?n?<ont{aNNWrrv-~yk%zI)0>tzcLix53%I!jEqKd!<<~Vby2r<(~5fgHZV~UCqvtA5yatUtH zQi5$5Wv(!lrRW$+UlUa(Y|m*El*1WeJpx{loWG)eLZ7+0wb8HW2%QS>lrtih%!#jVH9O#n!J=zfsuLgF-A>BmdX4~ z+KjA|Z5fpq*?^?v#?Fv@MVV(McSXO(hf&|qLtU~pv2apcGWbFu{3C*Nm1 z$;iHWC7U}V533YRR)Bf(ANF8WfoP5$K=VX6uK>xHoO(b~f(s;ak;?+;1}^T|j2xSn zaho$UvQCmwWMrSje;nu>0eK0a=@0q!7=e_4pac_K%t=^<5ymjRKLp#04WeJpx{6fa{vV|@a1eLaX`oG2@~(Seh3vKpf>i=i0<(_~vlMMmbyKN*!6StiFb zDloE6ZeY}8WScC*B*(};c@?AfW-F#XW^oQFM+OZB1_cI3#vDhE955$KfMxQ1){~4Z zn^&^AGxBgq!DIzkC;wp&Miq$W*a5Ubg!2lJe95T?Bqg{&A{V(VfOc|m&t_!byo}qN znUQ0Xj3Oh;B>v-!9Fqm)C4iaQUZb!OmHzLVHHLo$4>#MU~+><0+9VsL=>p% zy9g%>oFgvz0;mOxfl`cP1BS|GA&&JVcIlr7S^iO;y%E&ZXo>763d9nkeCL_z_PDX7; y)`^AkEQV$bY!eG5xe{|S)AQoZOc>ZFXEDlc-onVk$jCbRAd@sB`{uh$lbHbhnH&rN delta 86 zcmeys^?_@G6fa{vV|@a1eLaX`oG2?f(V=-_tuTwB83WVA?TU=d6AL9L_b_rYvP`_G pz{ooBmnI|I$D7_~QVVdPe( BBc%WU diff --git a/src/wasm/Hacl_Hash_Blake2b.wasm b/src/wasm/Hacl_Hash_Blake2b.wasm index 29138d3dc1dc597d2e8982aa1a7293c07bf36257..57b34c6b6b7777a4b39813bdb1186cb1dd52831c 100644 GIT binary patch literal 23807 zcmdUX2Y6h^b?%+Tf>>Zt7QGSVIRHrj6iKjxB&fm#i%5|YEmNdT+Y$tlAcaLC1%k2) zNI+#JS(fA$+j8V4r#OiXCr)wV#7UHw^5VpCsuSlWah}uT6en?cQC=M9KQnXZ&hB1- zjKB9i$M`X12*IkDMNxy)Zd8xIGB`E}d~*MlOz?nHW18D8FX`veC)$ z^V1_hmhihY_{gS4CnqnQ3CjEq1vm^t+qMQtze~o)F*`GQF(~(&V=!zP3|9DEx_k_0 z?i)KZF>?CyxpQMPBbUY>9t$e`zKwogOyI*~GZ%tX$Dz?PlOu4aNPmWHEZ5`Qn zVfxbS==AKRZryZf^wNE{>Ga6R$oa8Z;66V!de`Xb$+4hvndf<_=f@w=504B7RpE+O zogJMW9Rb~$*|Pbd{NQnvn)G$##Np}LEn9buT;8@7tAN(B7ZxB4t?BBT+PX}ALt|5O zOKV$uN9W3}RjY|te2=uQm=CfGDvj&QL3GVXQD4wj@v%HQwzQOTIX*o;8&t0tggU7nmB59+#>>@YccX*S4o9m?)II&vs`{Lsko(d>}}TZeH!w(rQu@Tt2F94||B zmbM=|ahGi^i)lS_;FN7mt}K1_c=l-ca5iBv7wZEBgP|d9G|@p zY5`5VG%`AUc4T7gp`a;dG5zk+r@3t@ltIf4rA;$qmmo`;7@pRY4AG#CuGKqeZ(X8G z&=JFhS+}4wrs?eX`7tck%2+WtcOmGCX*f4CHWsXkX*hG?;zPme)upW6CrT6!HK6s^ z=;2QWR~prTK9^NgedVK%LiGRUZ{ebC-9%dztqd! zFE8DeysGBSf9n4s4xuOi*`O~7xGJ0BG^H~Y9U9JNvT8D$n$$oplgI{~;z~+Up+lxYQB)M1jrfNW`$sASp2VSQF4ArV!rPEZ+HK?w|^R?N`;qdty zuA_3)fI4_klR3^%2DrGM>bZd$xRL5~bB-E?iQ25nacvC#Y?7O($qgyF+>n~7*$k;k zhSUU>n!F)31Ck*%+aZ}wF(j#(TPTsdIy_%K9HhCG%3QgPS}2)?iPK{;h+qJF)Zyej z?%CjAa-NdqX8Kh&vGnw}Q+pvMJihpJK~<_pp>ksJ$vK&!!tN>EeP@sY{~grMoz$7W z9Wwl>{m<5f<~j zj@BB8*2!qrh)Au8A%Uu1VC~ITJFLCgs*6}u?!z$pso#m)vKq9W)*Er_m%;P{WxqH2 z^?*d&*4q)APBHAzdcJ{f;0<&`)=GDdHv&k7)36DEo0Ea;m%s6euU*Mh@@Cphec2$F zO-|-S`?t83t+W*_%C&5BE!$~3S`w~hhie(6L9~>)mYuF;7wtkz(zWb%EkiVfmU7p! z$FQYq`m_+)Ov4rNXt`;#&67UbLiKOV+gv(=b{pUCTb#vY+;&rOLG&a4iSv zAX?I{+TsP3GpnSO9Day5hUM(=mz zQ|Nyr1YQT=SO~nH1_18!a1GEY!8Jgy6I=uIdck!Azrh#%yM58W#~1w(D9^oF#iQ8- zpU#%?84BoLNPnm&X916T@EH1^gI1pN%*ROK?tdeewyuOqWa> zT^8gsf_x?pc|fPVAw5tu#5dxR2SNBjkMINh5IukzJES+d;v7Fr4;hFa7OD>l)d%CL z`a8gQfUZ`FXs#oHuKEewM^^YpxepGqL z7Zg9HXhBJ>ozKS=J+88Cm{HvNWJ;eL=eybw%My+Myc@N0*+Z3UL zX{EPmE&zZFTw}NZzPC%mJA~3Zd`fRu{9TIPuB6sb;&&=~r^;rqxVUYW#eJ6|bTU2Y zU78vIP{TEbTA{qYTgL29!VB`ydxVqs_?*03@pmgiZ`9f`zu*CL{GuXsFs<~W<^lk? zz%`bOQBQZ@D_r<$^gem${ldljeJo){P!yQUX{HCGmo2+ng2dT=wy1(_i1VXKn>RzYC#l$ zeLn`AbrINy1#%(S4=DP6#XqR%2UUNN;vX`F41dHF+W4cU5b&ZD=!Z066h4ANN@_le zLPiRUD74Xs6@N_8$AB%vKWqwZ{3E6i@W)Ld#Xl+q`eBU?g&)z_Q24mUhQg0(Y(Jp* z#}xe-u(k1zn?k@pVG1e!geheBC#66?uCbx;6B-)|pU~J)_({QrY5FP57=IEkGyKyE zUiW826i^rW-A_pkIz%-;E7SXPvSvT$ui2**|GXk}N3E5PpY?z_epwMZm{xjOvjza` zg=^`0q3Rce#xE4n_#c`EYAua>q=zZb@h>VuyQ!dG)Fc3a1g@ndFtDHT2lh)Pga2iD z>{o=1U-8-aCB^?!5xS$+vhm9vkmp}jgbt>aepT}U0DRyY!w2wvS{i;$DE*pG>C=jT zUD2nN)EY|s8AYE_+GFb*6yY}%p_A!BzoDrC05x1=s0D+uD7>`#T4KlOR}6UF~q5xS$+ zj`|B8Fvnk1gbt>azNq;C06uUn0_o4@Z+YC;wMZY!+9ytV~L#sqV@zmjzUTbPoR*ILLP-S`ljM16Z9mo zW%wymXyd0%A>cQeLW-Y}0zIX%q42cEhQgaPHWZ%G*cKA}<^;VN*i!tgDP;ILQ)uJo zO##8N6zExv4Ta}4HWZ%M*id+j#?~v-)f+ck2&EH*B?(`$-nOFC_>aOa;B9X#fBXT;pg^RY7(7 zBhM@>1kH)7jYuRQN4(^JxlV>O+GIlown|f!D%>i?UcY1_OtPVzS0D$lVlW7hb*Rh+ zLqR|glL<~?h}dR!$p+*kAYM7D+!%PBz+{BMZVp$*=Qx%kiyVg`yJU_-$W~jjrc)eQ zo#Vi`vQUJgE&Yf^u0p*_0$q+~ivAil1DhRLnj!cB>~igUQW!lUol6l0x6i~qAszit6aruTHPNIldE9j z{-6&T0<+s)#XZ#1A8f{ceps=V*7gUxu<73{d58eF4zatyYs6-Iliu4GlPH-j?B2@+ zY@iLikv8%s3b+0@32p5A=NO5B5@ANw0M=?C>l0idNU>bJxqx6Bx<#q9Ewn`lVw<10 z(Kgl0jn+3>sM_IGK*f1jX}L8i$^omAkx}K4Kjuua!c``+%mjVZf(3vZp6Fg*2hC~ z+su39wu^71HrkQro2Y{Z^L#VXSv&K53$3DEdEQGzyYrl-ZW_w-Fs-3IdEQ6s=*B$n zr$)L-7;mJTh1o{BMR;kXy~0ZqWu>i&hNZ2E_DNe4?MGWSpo)UYOn>1iV=vRo*h;aZ zh4yj>ms66;#a_a&8kMdPm9Bu8fCpzUQ-EZ-Qf-U!|*km9BBR1xqH2Q|Bsl@;1fwt^z4sS+GV|fh4UgU9+obp%z)hR#(wRZL*y0 zuA+lFWMMm91(K7p#9hcf*U7l5sa}?&T2jOr+?r*nY9#v@;MOi}HPk6>HPj_-i1)0H zZVVJMm_8gZ5}8bxO7b+WGE#B&x{HdFr*YlXEfWGG#A|2`Qjn~hbF@}?A<;OBnSWHR z1Hp9#1f7ca77%Phw@AhNs80wY7s*I7!o>9I<{aH11lI|{buk2~l2$L$Dx>25=&g$T zRaV8Ls$vzd^!T$X?pJ9QkDe}2@k*oOl`@76gjNn+&06Y z;kJvn;b_2yJa4CZ+L(uhXrxVfScqmC$iqUk(&jwxLOOg)9u}gLw&r0Wx@cP-7NW{n zz$)4yvQb5YA{$k-Q)DAeyJYIpv|HNJG$d_l+GA9FMZsjIKl2z=JdwDXp4Tpy5xp4q zpD1$w6;Ra*N{P-^A+B0bi$bJIh7SffjT%N2;UdF5UR*r*Hc3VQ!Ud3 z0Sh>q472>`QWW8T@JY;mGNF$zRoj`r9??X&4U2-%G~jPhG$Rb2Xs&?Rl#2k03_?un zAf~k#aXB|Y6dF8H#ZW_0MciPER#XLKbmn3jORaCz4?!-%T&=2&Mrs;y$_Nr3$%z~t zil8|-wk4#-!`gBkeGn~M%B_ZSDqn6`BhT(SeSUckDYd?m_+dkH59_vIDe(lE) zpWDZ}%wt`M)vx^+qImn*YV+7?CPdqX^NP`W^D2r|*ds+4nCk&W!l^C-)2=GWqXO(i z6;}w(Hv;pXBDFBwI`l?S8GJTOmS>_wccRrxzaqz4Ve>0On~&INK~3xEX+d3-lXWnG zqFP7phas$j_?1&t8s^=v$0OyGPD5W{DJcQ6Ntpk-4g*3p%V4jPnM|>P{B=2K?okJs zYnndc$aS_;wj9Ce+L#}ZCDSHkBzGCHYTZvOw&kk3a16`3o9YZX12Q`T5@)hIwg)O7uk(9A)3JZM>lpr0$z)`=> z`{UN$rL29ZpnzctjLj>aT5ppLJBea4q6L%j7FOxKH@vCHl*7JX2U3^`!seVrwF%jy z6Ej)`v)x$y>i^j%j8$uJR_$ek%1cp*W=rgxFoX?Ist}355QII1Zjss2gV(kTOkuHbO-jvn!p+K^=~( z8_Q-41|U1?Mlm@snI$Sh4RU}z8&HsGVu@vn6yZZQ>tasgQTqLFo!93c{*>y2>=>iy^1cdWatbd*$ z>(?z2!5T`7AlFcptb)9C71~vV^^Q3qhS~RE`4GToCLxi0yz+a*C2Y?K@kXi_;*HcG z#3gu_aNRjZ%(Kr-l3U=R!Uza^#Gzen6}#Fz!EFS;fcfsgg2Qb%o7fJ>+QbeaD^R>& zY2i*N^GbX=&;=au5e~;nKo&=*D_WtE7I7#gLX!<5yIKc#5=~WPS67K$l{d_2*xJ1m zxp6oYGq1}CJA;L8@ZIgXan$9g8%Y^ZFd_rU^4%@M-W|g?Vr=Y%WN;(x#+iH2YYkAZ z@mx0qJV$GCgtpLiuL)7F5!B-2qGb=v85CD1k^zsMU8v=+OWPs)dL zQ1+Hc*$YNy6h9nE!YY0UD~wbOK?q}OYN?S$lPsaK3`u+-hNN&y$;iHqt|B85uiH6W z)-fUlW;_&n#izi;L)BaHHJxH)jF18gr)n8>5i zxZz+t6e@>;dfU1Z zv=B^R)A(Zlo?1nEvCl38X+tQD&ypa$*YaqhmznlrkM{LpQdSOwg?Hk|hJ!l^yU-`?3yrP)a2if9Ay&U? z;&ypSHgENw(a>-6)+&ilg`2}lN7N)13i0FR&*3+lh#awrC_2iv(d1QI?1zGC!dugnxqxS)7yQj5qGlGv3Qn^m$(R@+4Ah%tXw~ zQ-mXYd6M*W1{+u{dea>1-zvLM+zBb{EVl2RIqyY^IzuV!6e;YCAC*lIV^_uORmg{E z@Q&W<;6=)M+5t9W>~Pc<~B%>%F9e&bs33BfMjYTQWWs zbIbB>6~Refn^n9noOb<~21<@R^de=0taCuUIwZx2`>2=uMfTRFMTExd<@kh~q> zn;E2S{S>gDDqgQsIYL{w zUZ+Crrv&?{80@He9oFOZ^!kGJc!P$c^|;%EWj*epd)#{5X-IzW0fYQoyGR;3S`ckvbbr^fE?jjK=6*QQ@&rh0oC#p9gz%n$F;ZxVz~r zbojndD)r%;G>^mD9Gvj%ltA7{qE?J1r#n;57_14B`y@}A+Q|u?qC-55Z!%q`>q60B zFVe+=!QNj0CwT^siY>f!9RtRvY;=zdcs3mHWt!y&@Esk#ccTYrnl53yZ=}2VLArpC z(H_KiXH)zLq~#G$4;}_&_23~_bb2tSs~8W&>A{td%Vlg9j@a=$XwG}`kGdSq=k(lI z`JWFZbY3JBAyNrFe7$zJ$p2Nk$1IsOTUg(#{HVeck15c3OckrbV=70|9x4N1Yah`U z#BeR8hN{PvO)8}EO`Gf@=k?cMcpdS0OMmfMgnlWLkE}zeCt+U)_!obRBKe%q^u-vl*mxB7C3L?b;1NkFLO3t!+sOU;vmlTkwt3Kkj0zAgnhM${4}CIO;!&3 z32&xT9NA?unh}c#9@`6EqVOIhKXOp?UZskvbT*@%nkAco-5JSdAQP&$L5xzk{Sj=) zM2WK@<(a&N7Zuz(Nz=K#?Vc-IiBT z$q)i8H?8?o7rcV9e^tM&TA5qQz05txjlP4oqyK$(7_Yf_F#>3nQ|Q3!63?_oWxh(CZv~bA1UPAkBs>G`;$-w~obqb_oEgo10D(k$s9(6fdhs29B41g>Z zcc3`p)XMW(92V#;R{T#D!2h9 zOQ{PrrXV}Y-cqKYdk&tfC2_SLp6hx(d8@JBE%vkq1}|@}CNhoAVoPelNZgXAHN=LN z96pOMSczLA1-BGgXoMlV44{j4g!+6 z_n`GcrW0f&!eG_*Ao3Kq@*%o4@}e+Dg3bA==kL2nX#&a=HAzR*RlP_hG-l= gL_Ib&Ha$yIqtlm1Cka1PePQMyfkw~k27KxEpL9v1hX4Qo literal 22942 zcmdU1cYNH%mH*9ZWv#R;Y1P-VWxbJ`gqz%CVN<-uxL}(Su!#d$$o67uRcy;L1S3nv zcuh|rfj}S-Qb|*Ka=BD4X6BWdH}jL%dvs8Eo+rL>>&cUzyk3lnG5kcv$FCRTVv3)V@$vlnQXmw{)PMxu zx7Zn~no&V1q*A}-{wgsvB9F4d7h@E(A`>gxfNYSnojJfuSA{i?~f{U1Ed1 z0|STlc_nUxJQ`Y{l`Fic+a&4I7#Z$8?3KFJArzK(c{AK5EiQ$92Q&Nnd-fi?;fBm` z&(Xf)8L!N3Tj#dL03Oc_AM#?&TYC2m^lTkGJkYaYptnD>qUWMRLq|t?henRJsj4l# zM-Q5+y*)iW2Qnj|ePFQns@}Z=8Lxbb_vK{o_uZ&o?%Ci~_%m9uzjvg!2YiP|O2)m? zO;@5+uYP-WZXFs~zM{M5*vb`{1=N;2bP~$Y7*AAIRVQm|>*^aCn^H5IXU%Sz(@HaL z=Snf|rB8}@*|WC+NH!J=(l^vM;w9!3R~$PGNiscy#|B3Fyy})o8w~Uw9r2Qji|e&6 z^xV`pauB)&bv@eCJG8&2KXbEJA2K3tb8gd+nvA5^xTv^lICB&eqL|@r#Yr>uQgpV~ z-pr;+nt072Qs|NKW`$Jk?>mseaLf)F=o^MJ8LuUzV&9>|H+yqhizPV73g`F8YYpji zUW=g5y+=JN*LnoyFNswA;>lZ~C*OVtbYN#>tbDv=tYkbgRyi)lI>r-Y2|OeC7sWru z^V2O)UKbq`otB3ag~;B+!A2GX$s1!R+vv?t4CjLIn1 zg~oA;Z}8T59#y18zpN-(kAk-?x?Z)WIH1@-mf{_r(osxO*A`YCU& z*cu(jGwp4Pj#Ejg9(IwAOg`)>O660+>l1h6p<;6dko^;9MtNlNo5xi1HC_yI&!m)W zrsnu`*v_I^`8+^puIQh*gIUbtQDcg;X_joEmbjdQ{?5toZw#o$HC_^rrZw;sLbj48 z2`VQs(9#)b0wns?Shw1u8Fa3ZXzXaB(IYRN&~uxWZK$6MqI1(xt59un9<>3383ZW^ z;TLmqKF!k*&F9|CWmTG+E@lDL0#IF$PFSi7(iMj>sd6E@(N67F&8D=R4(iZq*3O-2 z2g!D)_Z@&(%{okvb)yh*s6(DZ=g38LPTFX7RxSn*^M_#x06Qj2)4%-7dw+i-SuU5+ zGFq7SvgznRmaV?i)-0#xs1deig{@ghD^U}%HLGmRYFdq&5?j+{Yu3;j)I@Dfx2-vs z&P7eBtyybp*3mlD%&;}**_!j|eAJZLnhR{rg>)fmVzy?ztw~cFHRZNugRQxUE<#O( zt=VX6E~bl76Sp;+Y|UocjGBb4*jPH;xWEUl zqQwALIJ6ei^O)9Rx{_%vrmHlqjs6=u(SC~$>;kae2d<_i0M|RTme5Y7wS;ytttE7| zrnSj`;Luu1&u3aoX*bhaN-tnq=g4bZ)xXwN{p(!S-vi_6 zNeg*>IwE`1C2}u$)C2AJ?PMR|>m7JM+Gk*u8OMF>lQ+;lV2u0NZ;PYy0NtP=I>7Uh zVfT>^9ZeI06aSt$ zEk|fr*U<+Nx|zA& z#9VI*=jtlKad35|xCO6_g6pWm^|(Ai$AK|iZ?VOk9HSE&qA}(=%3MdoxE`0|K%W#K zeNs5I$K|bp#u;Y@^OT@dBAvo;;?d6Id7B`#(JkmU!F&LK5q^uK7y9EW#%TeB+u>HL#|iIR_Y(cL+iQT}yW;DF8qU{1!_A)Sb-Z&H^5HDIUNY9@laU zT^^Np3qrj{(A|m!0ILcGWo;vOMiEC{WEHA39$06BS| zAT-dmbf1y}0HnZgh!miAKUchjIlaW?bia@<6?DH~tmY&i5cGgZCo#Erbn@grCbs zKnnbZO5tkMqbxwq`+^8 z6rlG6SG^!b@W{Vb5E|(g^jgIY0Jz~dgqs(v zzFvn82g|S5Gi29aPYQaSkZ%z52GQZgCeME@{0P}_4 z;`svVDdzE10gr!DJb*PkuHzQEJSsmb2=y94A5|;>fCYYwS)gO@cRTj6qRxMuU;6}$ z@d;Oqj|utDg3ugTBgV%aASXX52n}>CeNxE*0CM0rL=MnKV?oo zbvgY+$o~@b6Tw)`N&ZaG&vb;xLq+(X3qm8^f_|>J0RT7rhHxuT;$LvD^UUj){MxTr zmS4HD{6ffI3qo^XO|O6H0Hg9Zg3v(M(r=U;03Zi`L*;lM$lJ}+Z&{8!^ZFgX_IsA& z_pThj74i>)&>UDJ$L|~QE~u)9QX~91N5Hdia#=^Kf0Wr74p9YJu4V% zM*mNO{-mQk9xBTJSr8iO7W8Mu4FI^|H-wuL<^O^n2T}fi7_w3RuY&#}w+im z(1n=1lM8f4QA6Q&MGb{J6g3p?RMh?|9ucC&+ixjm5JX{OHMhi>n2w_V69rk?@r26j1Pk?#}LpD|QQikj(J`e%X2P2r* z2P4jw=*1EFvIv1PuttMG(*im9P=wGxBj_O|J^%=b-{Lt1>S5;bZ~>2(D;~fa9+1rf zIr&J0&_E;T5yb-lc;Gjb$D_>SQJ2Sk5&4P;VN8HEJTMv-$jQedga#Txk0~AizyrUb zJRWBrj~DQGrQ!js;qgF(n`j^>pNJ3|Xaqf>cmMzo{D$$M@;r3>&3BzV=`}>g>Tr61 z1Jp_Xm8uhvI&;EMhCFGEV)=PeB>4IGL7y;`${AEjGrBw+M=;N|o<~rVei=g-kz=+e z4CRbQp0s?4=QM(l0R@v8E|(Qxi<5@wu}u&TB$#cS*~Y;(?yyZT8f+7Wt!@;?Ho@l+ z=vP{~%e-ThKtvpKRHdI%?5dcn04Uaa5&bB^!|U>*RHZWP46TKCP>&iMfK+sO^?VM} z1y4~WtJ5()9Us9Mi6M zExW-r>_(IRtiXXt6G+RHMa-m`?3J1=0w)ga^k!QG4i?y_&asGAYVGhyl0`_89bP-q z|2oxOA?MQE4zE+rvxxaLzr*X63y}X$vFB}|X7;-cG@HFH&MesHHWG1NBeii|BhBNw zMq0piBK=o!L@uO=dLnNxJ1}$|>4-fNs11DFIaG}^5aL*gOnW_=1;<&7Xb}&uam^W`e)RMlBp z#SE7*!(|~1sg~L&XyHUUHgU$GzQl`6AYYM>Dw#lj%0;z%(FtrR&gAePbE$PGV77U9 zUDOgUIpMTe;?*d&cr{72tgR`kp=#=aD(JjxT z6s^w5^QoD-a`FP2O>1)ULYhO}Ik}#Q&dtd*PKVa!S#U7Qcr2FtEUZIS5FslT|I3?UD~6vyuplr=XUKc<5T!b_M`d!at2Jg zjLN1k>8LEFD3!9mgk#kvUB)I|1~q{U)?eb_R+)4RBgkUwMi4TfVEknap4Y=cuw&A3 z*Q67!Nmp9if+yq2skR9CBA%uii>T$NkPEUr8-ap^Q?6DP;w+Ng~O1WriKqj@-Hl&U(bj~R(AjzY#CD1FQr z_>}UrHSvXc3{yCb3``s+kjxP0i{@l-p{mZ(BJR9ht`$vqIkisE9Btxm?~RGOC}ZLQ zs?fyC9r=ujyC`Mi!P|KzUan2Nocpkt@QBGJ{7Aw(;*rA1B_1R@`Oz+y^P>|E4UcZQ zlB#KOPOhRFT9Si@sH3Ghc!&mCmV<|AqRyP`rkS)n2M;leR^;FzT4-es9-=~fzzSN; zx=}%0tQ!@yhIJ!O-8^)0I+yF>w3h4Qv`(A&jJ(;4KYa=&9*K;_kc=c zG4?KrTp{8_LH+3*C$4eJBSw5FCQ7V1N>MOPSeFSbQ#=?%Z4v{`g9O#`WH1zZ;?aZ$ zH9*H7KZCK4M$~PkgdKM%rMrg4v=u64K!Vlxxh$ds3Pvfhh{krnqbRE$YacI|p`?{i z(&%$j(n227m|X-e@|2OPWe8R+Sn=jhH*N~KI#WLlstwa(`nQXwUu{La=#lwtj84Y?;PubFcu@Le9~z&B2wRf_qYg z-a6yTW|ZF|M(CJr0W-pyf*`a-c{v~;PJlQ;2M3rncmA-o_Fp+2Y z#wUDzneXedCORpG)T-&EILwv;*T;sn?Fg=R@g2ERs=!^hJUm`0rFa}V4yQ;FDuE3r zlGT_516EQrnJjdTpW%Dg4sS3ytJ7n7Oq@~I_7Kb(RHIRldVt6tyBBujXC zt6j>Z%UcdkF%y%fT;8VbJx6m<3*<3EEG|1kM6-&L^=k6``-qd?XDnJw@qNZ54+4kp zfIQrmCXbtn{pPx35T*UQjJ$$o8FV8IQxSRI=1(%+L0e7(Kp~M}Q$EuSNj?f$27y+I zE{+~l-Q^`z5XpNBF{C!_ZRWi$?kPf9(_UP{(`j`>5*YLu&}$NhKir>ezz{Y#S2}^q zQUh`d*7yJ!(Hb~7!5#Fyf3fG1jeb4_a|Y)iQ(%)ylU)n|m!(ve8o@?y zy#X0EDQ3gRlYyuv&NSgRBri+#fT2r#GtyGvjlrxu7`suXY-gJ zLlO;&J4)Dxlp_JsDi?wV?g3gF3ji4!^KH=#9M?!RE~1zAeAj^SlI_mqs^l)x9#LG2 ztZc^8yI{5aCga6ozSR@fkJA`axB={4{kg@=aDVerDvt(_G!1H4e-konuzC`lXv6B8 z%8@CoD-`z=r?r!+^~FWjZrbwtGO`Y^T-N<4OHxh(S`=zYDv)p&Cv{8g_2Oopbfb`Y zVs{_7rL(i;w4~ZpOzN(fZIxj=Eq67AyI^;P*|K(_#w#DC<`g5vxl#2f;e;hmSyD$C zK%5&@52P>IvDM=N$ChHp=Ig=~Qoz-jOW(7tHvuk7b=qkeZ&K%b6I=k#vNtR;3M>zK z72+lNB6vfgCcWA$9sC^)oNC%jHV~e&L`HcL0ELWyH>VY@)mJ#S4@dLcu`kwYuey|l zpi*Vb&B}&-R)rc>ed!!i#mj%~x~K42Sh-W26)r&)tgpNRcYTznQr3?B@s`oCM_kdL z1{b8CshYW9s+bF>kula*130DZa*bj{G1SI0A`|C(#s>C`b^WrD8f-X#>$hI534y?P zwG{JX2r(pN(&`ZckbtH-ISZZCZ zg$nJQu)u?|CUeT6oK=lI;Us3@yv11pL1x@+HS>O+l13qQqY$l`uJ^_s9sbRll8Pbu zC>29$bqrCD681SfyZ*Lb#}FXbdPtj46~~ZTs^J)dEx)feQ^b&9;Tyydf8mSweOsB% z!k4|&S-myR(WsHtv`MdDnj|*Vpr{%8+_1H%As7 zc)GB^UxU%=&6(*Pr)tY7GO=Nt%1`XV#-XGXE(p8NQyaW12wC1;W;bE5PsX9(5%%L1 z{X2L&s&~(h4XItTq0VuyQq8oE$IOjaD?WW}vn+j$1$`upl)9-5Qj!F+Wl2PwNYO`L zwH#S=nzP0hwT419IR-(MIpzl*z|W!~)>om|qrtot>Phg94OJ;;gXHgAV4TL~h3s4c z8vf3OkAIV_1}Z6yAl8IaRL=yl0*^f_>+E7^mhZ6<#Ih=g6;cNsa{!C%h0Y3i{DoJZ zhnu5d|Clq0Jq_0fvqMC7cF36>jm7Lp4kISC6Um7a*yr#zDZ)FeEI#ewGZetV=8Qks z3gD=mpB8d~Z!YRJ1r%K=SV#-`RM(@0YSD=9wbMe`!MZn(=2Hiv-hyPcJV&QH{H={# zgn6}HfMN$4X7K35V&rcY_oLO2#DOlJ130#b(9(Xn4Eokdf|mMgmgNP#!$ZU2J39mn!yDMCGkR-8C>W~IfeSK$E#`ZOgriiT$a*VH8wgt0y4oN%?g?h z;YaJKmDPVe5!;?Nfeo}?UWCRQ!C|A58t|CI#w?-Ecf=cg4jY-n#t;rbUF@raa#3;< z=5sUVbCW-xTi~+r4H&2fVgC{Z2S%~Yf!Sqkr|njwwmS-?vCyX-_;hTC&*4(qjE}-D zm6y{dc?EiPg)>)|12S`UnJwD6dY(c_ybv~5SJHOc1ebNyH0Eq4NbCadUCx{Vm!(}< ze8^>8)-HcUckzhs3gJsTX&cYkPW62m8eB~~<@52}4eGlK=WBPCQ0LFrZlC&YroKCb zI#4gbd|X4<>&-Qv3aZp2A6GC_~q?lgjuej1SD@0fUa;L;4`m+=zU6LiR*o10Brmt+JYH=i@5=H zn=tA7xIB#}ahVf@{|h!UFTWd0zZf51i?M3_<7HnR8!9Y4yu z6Tic}^s91Uwp;8*tld^S+ODzCbX=E1_J>z{wfWnY$&$ACa{;V|xUB?rlC_u#><8?& zr4A6^jH@%5dffMHd>UA!Ujs9RXraNq^OAx2ylw1(iK|OZ5{(jli(08z#?O={~`c}VGf27 zOFBD@Er4LGJd(3*(e#aLaLq4dNUJFczuSr=AI{j|jXB%L=W75&_oo(G!eIU}?VkcmfYZPAPt*GM!j_8KcNN$Nh#jJ(?T?@ZR%KQ1YS zubjb~d=m`VH z^I(A$bA)3@U9NK1e%_07(|n5K!&Bs@gPb@Ahr--6OrN*^tkWkE1li_sFvw8>IUFSH zc%Z8=Ge}We-Q|Qe>u$A~4c!Ri9k4Q+>uQ7#++ZYx4`x&cLfHIULQ`Z5&<>o@xQHmc zAx;NaV3j?KvAl>9+WFV>TlHXrq>*LQ0Ej(hgVAi=D1AR*35JeOPVzU^YFraaGCF{{(!@+(JalyNN5WK zWVj&pkwyNaSkGu4j(Hapn)3%uy1LPra_FZKc}pYbY6t93>k%%Kg?}2sYML-(ts6nI zfPyhA{xpJ@a>{IZf$5uq6N!SC*qSxlNv)aL@}Gxdzi+KMpx{_DUndjEL^DDp7x}m? zlB{j!(1)1)Au&P>)TEbEGA zuZ}Go*2;hHNyrw^Y;k%&8;}Wmvux3f1lLG34xwqn9_9tQfcv2AFI0i^j!ygdz4sy> zHAcp25Razw;Zdbg^w3lHJVg&~#6H){Kmi3a!IPZ2PsSD&p%s17Q+HPMqDw+WY^U=r zQ1B8fzGjPn^f!D96i_g|D!<}hBz7vz6}bf+i!zhl=*NV zKox#CQ0t6ehyQI*&|G~u;DUd*-v(hzm~i?E-9Z$>=dvaW;SZ2a6@`L1KpuLNUgTcP zW_xkTdb&6rtb#TH;zjNz<9l@@=tw}pnC&KHvp35vv^j`ETVcnSxOTh^FK!2i?N0RA z0w{eEaksSx|a4G8a&)L&^yw1Xoxby!-s}x>`HAO2u&W-v1}LW8|S$9nO1yE21^hHqx5_kgOv_eTE_&dZ&dojdQl&vC|e7hEvO-7*Z%mb$j9o32&{F)hA?<6CMJ zggUEcA4G!f1ic|BK|&=a3qj-uA?TA-1O|Of{{RV!@I%(`+JdHMniT`#NK5_AZY$_|YxcT3dvW>o8&ccy z!3@mu(U=`iBvVd0lkLg5`9iT&u2g&b!k?(saEpl<&BpId*7 z8)f;C{(Nisn0RWUF(#(Q8lw|pe8cL|#?J2p&(wA#{klRI|= zR{BG%#y9K=tU~pUuT6^&oe~rC-i(2c-D0z6H*BAp+$tslm*(7WdQ&s@AKrIFHjHX` z-?6=WSp`9oUR@zC>m_;7Nb0?-gKlD^F@1PX+EUuZFZBv{lYD}=EV={_$4CZFd&votA+&ZgQO9?ojq!TrXktUej7p-ac=gvpR zH2Gs}P34j*o1veIw={hHOW7zkk5gQ7yAp}=7)2>2uUSvDf_~=$37(`d9GeG(b`YN? zPf?0Hl;mkLc_y@;GJ=g8>pj1e#z<3^O>)}ZA;#7sNVURY%om^GZ55i(4+{CfPCVIJ z=UK`UyQ)%@Mc$Z2S>8j204Tk?Abr%+Jvza2@@BLU?{eX)iN3ChJmmwQdEaNA7Z%$T zsTkN4eVZaLEw(9BIj|}FHf3H}Y*VFbU{m#Ns=Qa(bmf`%QD0!w=iBsgB6m@gg#}Tn zgeRz=tp#3&`xQ zmwjIjCU@(C&0R>oq2;azP`3h9MF0#p_bB(GFMOj96OI0am2n8J!q zs8D+=_(BXAM57NggKS_mMsX)i5!}b*VKOOScgio#yw^XP{z?9xugR^Mt>66%ONn`4h|( z_x}3okCS!@8q@1%W5i3Ju#~6_01LeiR+9??2ZIFLB>vWp8Z8883TAVXmrKB*V{?v^ zmf?EKgtK{Gr!d!~WljGCIhz|81M;n5=Aa?yO@TPCVP75l>Vn$)loV6FNmvVTjZqL* zU1&{Sm!IaAXKx3@usg(%N9x7=5Yv^wW3#Vc3RN+(QKke%RuE!n03i)cRFxVJ zfi^Xg1XL+%BzO%Ao7qC`IIh9L{wV+iZ29;u{Xs z&{*nR&<;!jyxUAVnw~Hn;MSR+8BbGM(T1tLWJ5`hFCQz zftR3mr7;S!oKRd!C@#sd`kvYy(|Z8|v3ZCacuW~e{AbSkX$`9v8~Hj|3H#gg2vcJgZbRw9VwBZIiA3(2po?PAMD#^B&AJNR1=IzJ z251FA6GP(Wnn*NJgHaO_9!!n#NlkoEq7S@~@Ti6t6XW88;RV!lrbB57W`AbRJ$KGM zKi~J=v(NnYbe1)j_j1MTLUyLfzMrm=D{w{pbg+R8ikeDTvMo_Mc=-hz5o zEBJ{w>7BQkJa5~{D{r9TRFu>M^_}(76`%i3^C!c?LVS$Z?uH^jw7hh%Nwc)n2 z@r*V$6}_g_x;w0TbD34l=b8tabIW^PTZnP%^!Ie$2b7bh9Zj?)YcQrDS7;kc;d{%` zBoj$tKoX2;#)J*_4BNyQSduRaE4CG1*dzMZa5va!8A~m&C)mKIp$I7+=Qc(WsTz~4 z<-{47LmTYt$2*{68OMwR1Fl}NYW!;Ved}SaF56S(4^Lw1x^^_x z=J*#TAuQS9l&3mvmem&9R!=53se=hG01BZmO1^}@Es=qY$U<5;pexUsP8z}l159-- zCDdb%J(YtTuya&vj!HHlC-M-JOgiEBSR&*Ht;51o7cf1a{(A)|L|+$rUl&9%bd;bJ zIZ8c8NsNS!0D{O7^c;a04IO1DM~-sOQ5Iw5Xjh;TIVwFzMO4ARCCB1Wj#SR@4g*F8 zb{L1j!=KTCC3XTA#s(LTK$T4OrR}Zr1po(4asWs>W&mkyztkOrfFYuuB694jYD;#$ zdnS8``)4D-8PUWNfEZKz>$UX;P9TY~A#Cvm#y4ZW!%J*4F@Ae46QC z;owcM9TyUKx-R0NL!3^3iwJ}m&#OzW^o1!Mf!{jGKsr4IyuGY`zk2_HOBK=}Tw6Mog@K&UCNVE%HVcScn`;oTSKcz~%sD%RD`zGMB8EBa`p|B6Xb0P-N9f35r5<8t--SAQR|17u*C=pRu^8og%dPdfrg8EN1VeXlJSPqAcZvob zGGK%lfM*Z`3_1!KfY?U3DLGPC-N zycDu7C()xJ-tZA4*irsB#8KiFhZZ+87vp87nTHQ|8rzD(84k+B0)1?*FU$Sr;#v#* zRw$)C)}s{-%BMm3G^iL7j__Y90s@n|SL_kKC{RtI(mAs%s|x zuWjwyv<*cF+lFlj`QF03kfUVx(rPdVCw0@FU?plOLh;HzH2n1M$9nlD@CvilskO6+B@2?I9J^yehZyKsFQs;? zfZ)-j8YE&Ux#6wm#KN3H!exkX8EiM|NS~pkD#Yn*)Z*SI)oFN{EM{v6)D@A#c*-hI z)<`ZE1?q>mnMv;g$C^B>X*H?-YD{X!O;w$ktbJ_V?mo9Kyp0udR%7;gySs1V1ue6; lxwN!@e(uno1H0!I7u4$Hz3Q{cZQYCO=QORktgcKR{0}T_uOI*b diff --git a/src/wasm/Hacl_Hash_Blake2s.wasm b/src/wasm/Hacl_Hash_Blake2s.wasm index 8e69e8f79009ec683e00f949be0a3edf8511e7bd..814d98984084ca3d4daa6115489ed1c01751760e 100644 GIT binary patch literal 21925 zcmds9cYIvOaejL^5C_}=I8>q$oCQD-ETAYBP$DIYj}j?Lq(s_Ob%Q_(q;LQM3J21b zVv&?&l}L_k%SE=FII-iFLbupXl&UzrIEj-uy*P22)0{YV632F&@7sNE-`?E=rTCxt zmp|}sXLjGr?Ck8!?(9AUQ{_`C2mdv39tX~1d z`E$fYRiFW&o@f?Wf6kN|h_OZ1ns?0Grq;ezLBmM09KNEZZIno!kd5WYeBohqw7KEn z)Z)~s>AAX7)2A{)F@HPsaP-XS(+i7BonCqJ*!0rE-1Nk@An=>?r!|>8J#~C``tCsa zEh~sk&CQ&gp9Hat-=y6qc4}&FZsB-P=QpUJVFlW{CCK_siaw2{#i`Rly&ZgTJ3 z)a>+@$!izp%S%)9OXVR`bzrJ|PgHema&q$I^b%;FJT-O8)Umngpz#v#>*d~`Icr{? zJQ_5`BieNL)Y8->_%1Hhoe%2XegVV1GGAzJX)U(3cXW1juk7jV>mOJ(xLWjzce8fI z`5=5g$m1#Qkz>g`E~tFNhaN$*?(S+S%9AtmGfP2Xu(smNX^1gBdFssE(oE30YS{*J zQ{|w+$!DH0Y5RY8~{hT&79Tmm-B7x1c|z>h777 z(-^FQR5LiS5Ufh6II%cA9So*a9A7wnU$A<0t!VdflEhsNWc>@Y@Rgw(t?6UF)~#rI z?p+VU@GpJ{mYd0(dvoS|7>oshZVHP!FZp6apMk?-sOG}#oB>M3Oc>~#Zj_ufPM~o? z3SoeP4o zV89(RsJW6ZN|7?QNt9SqwWS2T2 zQm5CYE2Aqn&xhyh!yvC$N}VhBNVjA^K!Nca%EiY~&Z4|>BFN#V zXCf$w(!CPsK8!^_BK;tS_Um7t10p->UdQO3!ns4C2Vq3Q9d0O=d?yQhGfX;|B@y(EW=j+ zL+s2DNDg_u9|lDI4@W(=jZ(ysVLc)vdX0>P(QudaD1cn7hP42kPR7D7e&ds0d7#*+ z*U383VNi-xq1U^b4YC0>%GGRiHRCdlnvAR2lYOXZaW(s0&Gm9UYFb^*0cn;^ z@sQjAU`q_#2w)-x4$2yU>m!inx<+o`tz(%K!raTx9Q#=sE(`(xlGvKHV@kJef_Oj>K@2x+aAmsnbR z;x}H3_SeP0Q2+;G;1(GJc$G(MOkPS_V{(+V#^e^#8qv4+$MfWsfM4dpuR{At%*sj6eY{fNC9fpLx{p`6Vo6WQT^5olj>jb3 z$7ITU1?m{69;={w98`g^RBv^~lD=DxTS)FE)nlZ3EQKm$e}yOeG+@7PC-BNia6Rd9 zo!0lrG%=Rz30ExZ8M((oGDEH>$@OF!*J)h>dKQ%7sGU13={YG8V<_uWaw;sI(D|~2T$Xbd%^ZzkL`k9lm%jJhfcdsfL=o5poX-v{*lpnSha z`9A#}avw2Pjjxs0hJ~|ubV7{}$amNpd4QzvC+YjsNLSjyIdsVHAeKV`ggGEfhb!NZjdUPlJRSq8Ty<&u6x394Pi z+#2iMO1@X=_b7Rf8Vj=e`)who-)jp6{XSa=^!r(m?>CH5crOZBV%~>Bj)nK5P>}Ca z`U6Tn0BSk?L0c&3AFzc$|DY{o^$)QiA2ifZ_yI!=g&#E3Q1~H3?cGZMu#z7JwSvBA z3xWQSEoAkFZ6T*W!h&2h)KK`4p@zbT4K)-#LTXUcN1-wOF@>o5BMM>l<1_@|lEC^2 zV$dMLe3I(@QI6P;`XlxUrGHEbniFenyzs0YFQ9&$Jbt{2 z$4?j@#9AJ=n-->A(m$yL^|n%e(y#yk7I@aOK*v5#I`JCfr)oO?(|qk`D8|qDV*HfS z&nrQ5VyzfI?Ez)|vr5pw*2>QsIRHQoJX7QVy-%^?=g8^jd`_QI`sbB=N*S!-q<=xl zFDQm&J~0h`Q3;yxElh)7G`s+S7oI7+0>MBhef}l(xk3xS%-4Q}lKhG<$uBAWt4h$E zSlj1c_JET9H6>_ZYvtFB8~`8(o~d$F7}c*+jta>>&DVZ|a{Pub$FD2>n@Z4}SS!b; zJ)o?AO9>j-TKO#_2LQ-{XNnx4_Ze3FHaY#a&*?Kt|BjN+D1)`S|6L`&s~E@eWFY^n z5;Wmk(EVo(F96_$X9};Xsr7s8^T+sdY=OVe*ZzQ#{DCjY?OU$K>(HRXqO0@F3RmxWlwC<&yqWC8)QR@~4Ic0IGMkewUW;(gEgG=-zfPT6WQ@(WdBf`3oLU(*LLg4Q#Faqmcsu;Yx{uS(Fs*2=#cIRHQoJX7QVy)Uui-^l6Td`@3d`pZhbqzu;T z{wqqpVxl{qjPC!g1WouBbpP*$7Xa|WGliEI-TwpqO``jM5^~Y~t4jVu>HkvlUnYWn z%@zXvbz8{lZ`eXk|2GTrHNzN%ucMG9<{K#FSom)g3i6*ye^bdfO?1DIF@=JD&=vyy zkS%2O!z{>!%tR2d@E{6V79K(&$HK!X6y&Q)zb+%M%W&oKh%Mywqqb1ckJ$ni#4N}o zh8hZw8fqv!W~ia?xS=Lgm!xS6%jb+hwXxrMA|ru*5|0G+dO|J@^<9LV7N5$1=o>N^ z)i-3koyT`(^cyn*%EVgx0Zj*#^_wz+1{NW2GU5Y(ka*UPDNs+7$J13j-fVafYk5F6 z2bA?&GJ*ycA#X7}0DuRcsXX3F9&hz|Jdx3F%LsHrtmOf1IH0Vb$p{))ggj$-000j> zQ+d3dJlB)B4JU!VKBDS_s8e5a6N54XPk1)4PCtHw-7ji=`erKSV zm){v=>`xt$oTDv!gB_Tmrb*HMv`LFJO$43zX`aB*O^a?tCz127)Gaut>K3O0Hgk;p z@~kdGw?$94ZGd18(gyMAENr8+PV#Iaz}bQ~XFL5V+vU&L?kH#3gcScukk&m8(JQ@l zH+>G#Fa6xB3^>FpS;g(fphK*d)nh?Xi$iG9V>mGzatNfy$ATU`;t*?O%~&v?N2QA= z2LXQisNOCapablZLAt+g5!Q9f5bL^Sgmv9AYPTwDp{liE#wDuS6K6Fhtzi%f*HJhb z=tMKSrs81?QswOMdRecL8`m3=dSrD;Hj>v`PN}si`UPqn496=Nu81AxrV55VXqGTU zHk}MN%Vv%Ax!xk1Om#`Nkl{EPj;An`cFBa_RQJL!;~D0bJQm|Y25bEaL>*Qr<+4eL zwR;s9O6tx>tqXEEy2(}J%#n`w=6F!7=Fw(&aAexqqpkeO>TUeV>FxX}=n4K5^$z}Y z>MQuuqp#%8fZi!RvbC&tNuO*h>#J~fv%RdZ#!1aYS??B+9c6uu49OK`y+=mm%CZiT zuijbKd!<8mQCS^w6?@YmSF-~hvYWDW$~CO(ls&BLl#q3uve#ING*qZI|H;R!8=Q#T z;0jFD25Gp&RL$yo$x1y~&|liA+Q6yW0CNC!cW#&iL_5ksHx$S=0{etQZi6cvY zs^Yz7sU=r-G7R`e=JuEoYGb$b?uR+e7!4&-hH3Ehs6%5@}T~ooZ2hEbH zIx3@NxK`HcF&TraFb8oM({*GxLWUzL45iVdiD*;-VFR&LfiP1y>GXKuOUbkX3o`}SLaql)3-5vKDdZQ#q&YM zs^WQsdb5d6B5ng_Z-eB(&L02&@0S$`h2;2O>NKK04*WAUk-OEzYO^qEam8q<;-YvB z&1@L#&z={W5QYzWYA)vM4H(2=zE7Ib;V@gobq1&?p^^Uv@BKhUS*S=wD&jiOTyc6h|!ihV!w_L}NZSM~bwKAVNYR z8k}Yf%nB&3em3q_tF&TO)`Dvo^|~E&+daB%fN(v5q>HW?@nDTc<60hB3823Yqb?3t~j-;CHjdVzq7jHMwJCIDPEMaN1l1*9;h1o3rGKEq%D* z5$w07h)#k}Uh0c&^)@EJAPq7ME)tuswt;s(Zu>dvVk|5m3bOIw7wc>^tABNt$S3m|48{1M)_j^e)t+Zo+_5vGFAx3e8}hhc`?bVZ3UBHS`biFw08v z+%1?ln@PSI1* zRkg}+|5B6!y=sxcyC6lFe+41lND71NxyHm*AJ`V}{dB}4Av9KOmpqYhzesnX+g;w( zC*W|&2)h-CS~Q{pilptL6Tu~=S`BydR#p*9wvLNCuz%{*-SI{Z!?+S}^nguID9(KW zSCXERbi0)UpomQm+4Q8bS&7R@42f2UjDlF|I11x|()|^1pa;B;V9Cu3M0TWLW6P;! z5X;$qS~adFaYS$piK8%x8%e7jbI7WtLYS-u!p*rxluZCD=^>1X$Sf8=LuT!<2D%vb zENui(XVvkbjhSvf&4Fk$-5AKx1K@uG%Drppk{(0zBH+VZhkmN|f2S zV|7H8GuiOMMBygHOi}njvj~B^ZGuDXfLro282L}X&Pv_xyqah zfd+vdP&$OtFc*6*L!~wq;!!c)j8vBOW^|VMXwYn(oh==?hI1LxO6 z=NAvyC8S`e@4yV{2nU?U0S>n{tz)xk1wc`+JLqxXF>7XswDbOE7)Vg;)VQEoJrCX! ztq1BNi-PM7gJPH9SJ&w*BRgV8{;5Z;;py1$FkKK$-9+G;oqJELIp~&35LKImUF3r4 zxv;!Ky>-d-bomMx>$6xdm+))|fl@HGAbA>cvovuOxX`L}t5|3`;m8cy_h8EL4$`e+`QdfjM3<^4j(B4AdI@9K==%`l9`d3%a3vWkd8`3Nau3nihtiB) zb8}S`En=d$HbH0vq({8S4FfO92rj}pg8&qfUUqvO2Guj?vrz=eM^ge31OyZFH;Ec& z?iox6#*M`Mn<`-Jk77+#o4*%*u!W)Bb5jJnSNLh91$w#VOS}v}DvAri78_-->XSfP ziz}<6%yW;}$=;nz_KKd_i68eQ6HWXWR_G}mK@20wv|P^;yW>ikUE)3*UE*3l$DaKk zhKiK*Ih0Flwnr15@Fsmu;q9Ip_6FDQrXbVjj8JWnjoC(N=8N=stg1^)7rG(%N;mOL zgsMcD2!)tn+>?z^2o8);9X3J%VuUh3ZJ>wHgr%>vGeW_iy$C6|ita{FyS)en92UeS z#+zt?1Ssk?*3%^{s#79V7uVM>=zNhQwCTMb8gW*7c+FpWVZBu=yPAl`d0FhOj%W`) z4I}TgX$qz)8t~VMKYZYJZnz3wolJ4NV~l#Y4!NmD$z0rfUK$^`4O^GGdN?d>Xdl`e zyhIxJ2De4~nF#xVJc3|`UcYJfChm6a2GMgGW}6*RXH0G8w%g;zwNOkS$3Tw0#e#k- zLSkziV2Yv;=!)20WunzYVwLR}{3tNM0HUHDD-05hfx&?*ip2fI!2$6NE(BQz3}?D? zPu}tNPRZ9P@!pA6Y~4i4-YKCGWm8u2Xsd`kUpIDW5Udwr6MLuVGmm6vX8e19$=gRs ze{6;L%%fyJ^Qfi{I?>@0(j7MGfNwn*O1;tH=N$29aCBCCFl|9Z+~|lmIu?u3(So=Z zEd)gL#Rv2dQpkbbb(iq10k&AffRpVZw^j+9)oVhfM`=ML$O{i489iET)obl0C=S|s z45Q-&fq5o&65%1rI?2eoS+tthIEKRSoZbM`hFQH4Rx>V2HpFJMsY*s1CV4UidUFMw zMV@wpp}R#k$Y!}5S{auu5Ob@nM!I$ra<$u#sNJY{)a{WSo}-)q6q)39S9B(Mg+Xb& zkYro%(7t z-VF}BtCt(QOM<#+BFpZW!)|ieox%aAYvMsQ?n3XusDv1mJ@KgQh5NtPA4(Sl!@? zZmbR&l*S8bV|A14mpyPFH@}E6I}8#>!25_dX26x?NC{tgIQMZR*60yx^hgR{IV}4) zW{2fwJ6TPw!nHUlT)ak~d| zJnoP?+<4sKjfcfzJnqEJ^VnhBA$P)Iyi9Hb3zMcZ4&&vxBb_*i03V_Fa8|z(4&zl| zBCo&~Aup5L``z>23eTJ`jNTP*uAo6Iqc=iQjljupW0i?xn}Ih&Yq ziM<;#F>Y~Wv9R1WoW8Upk&YF#I|<_2oIFw&_9k`0Et6dhVOX#tatnJdl9<28@wUm{ zxg}GwHHeljNWFk9&b?n8Til1Sd3`LJXQNei!WIi4! zAD3+^_7m6{U}0T>!bU<>p-f)Cmj~}T)R-@Cdy&j$M!?PkmnuMRf+_B5?11!RfrZa! zp_$dt>}pT5gMcuTsoYhr7l7*+Fl&mY>&3^5)R?h#&l~MHgs1yw}JR}NU`0!pm{kV9@7|E zwi<|EQq!`x(}8YJkqD>>(3$Y)Y$4?6Y%@?yXM%JlQs~HLTou@%ufW>sN*UKXK@$r? zr=cqWMFHgsSB$j98jZ%aX1F;Np1k5P6hob?&G6AM;CLi6xO(Kn3U`ov80*M*>OwWk z9rW;{;@uqJYvgK9(QD)?ZuzglYH^RVGnh^F9@+dy8k~MKeOtJCD6tuuZw~8Ru3Isz zHsfBU>jj`l^T_byen5)m!3 ztzm99i}g6-hdgyjzWmF);)P2PD-cr$BPA!y6K0lqvOvsv!ZD;(rqY;0M*w$5#2mU0 zUm}N|$i}d`Ob#865<#_<&gJ>QPDz}8Mh6*471HEeF;cDG9ARReUZfa}j%`$-jVK86 z*f)nyTo5he z8D1TnleUPR{gqjE&h|=_3C@)$6P)|)zr{fG<)M2&jt3H3iA^}m5bP`}!6MUv?8cxL zXh5TjNL#or3ZN)BaDMVE6FGh1)z!OWNkF&GDO~a`To19x1H??Ry)P6@{x&C0?W!dqW-o)#%-bkV8^((3xOmk9|6%-1 zdt?Q+QJOgXCpSEs>qu5DUD6EqfNL>yZkVQ+;qlFmWWs0oEqyXk%@F&`geH7c1!V4F`_<+iwvX`c zVf%!ld)PiIzK30f3;AEMDwvvk*glWs9yV_32T04~=iB-d3f%iHRCGxpu;61s8(5G8 zzeHe3#z$Yrj4=btwVblo*6l$d2`tQ=b0K?O6j*E{*iS+snzGj+uf7kt^nFQSxgK-) zfIo+Cz>7D6!;M}**iXm>gaZbO1Hz3A2sfs11Ip&!lK^$S9Q5cg{SHSF1t?_YOD6AL zBlSLgNDk?nB+xfk=rYiUA?IOF6E_2jR^m6gVx$$;Xf&?X%Dyi?VcPaen%4Sz3_AGxJL`r>5n^)XdzO#p$N~_IGUPmc!Q_-YGNqcbU_trstRB Z)YSZ$sX4*F(_C1*kI>XfQ!%tI_#c8&M}`0Z literal 21136 zcmds92bf$(k$ycptDW7M-JQ)@TeZrTR%Fe( zepS`o6}qc?*2@(}mFIctD>oiF;_+4LusV!KVruFtHKmU8sF<26uCD~*u%Ln(kN_Z9 zU6`S(1r?R-CxXI%s5D=>Pc4Q)6j9dra*Ret^g{lLAKr}q)mClGP2@%gM=C}KM-yH) zeKESf^T7D{{)x$Er#!H0aB~01;K~)A=QinzYcepN+dVwE$5U?0B4W9bp?zZmAeL~O zG`hq_b0Z`BcY76XgCZJ6pykWFq}wFx(wLmcjeC`Dbqs~2E4>+RlOC7C?yCoP4-f1* zuy^m^#6V%_xCqXIFR6%wC#tyHu(v&%Y~?uKKMgMz*z-RbgOg zY-rNU%q*`sFb-aW1EU8MkvyeAH)>QwA)_i)8dNv~bS=KG^|M>T?=xISNnpSo zGN_R}*HgX7n58T?Py;toovzMPqtLJQRi0~O==(`-q9)s=19Z9 zJ9*rJIp_puOo1KD4nS&HGjF%WKnkg0GR8z zPVf5w$+-6gJvNPE#GyW(MYDJ|&GLh3&hs1qsc;zP0_P}Frcoh`;So3@B?&8DqlTp3ytez6U}@(?%&z^V{9m*xOm=+K%& z+l1B}I!9>Dp>qwb)59;$Lwi32wgcD{0y}6fz*8MsbLl*xHJ7#vt+}+r&^jah;(WB< z7y{1&a8?NHqI<)4|`9fPA&(0sRLhu_E*9xuXNnUvaFjpMq9hk(w5GBnt_!yz7~A;DG zO%06->AaB6$C38vGN(ghB^}(4PsYJ^++jP$*U*??Oo#T{VxA}H8UxXUa2*$}xJ|oA$=&0bg>@XfDXAGJd97Kz;?=EdjlU)bc3Kw zj}F^no^MoyN?k=aD&agOoUxLM)AO4YNZ+K2Xx}Wf1!ss~7?tyUiy~B;O1edp2LSqb zmNP(CT$R670paTWZSv9WBEs#i2)8PJks`DftP$ci2Pp6ziqOE+(j8g~0FVOD7%4#S zPN}#{INjxPx>NCs72T;c*39AEitbi^>YzN^F^%^qLKFE4q5dAt3jlcG8N;hs8($(l zc8B0z`RG28<33l8mngnp5n2n@^!Q!}$nyh=(7@Ev16m3IkOI$GDO?qLP^55;ucs3J5lwe+Z#0sy4IGe!!~drT@`Dx6;Ga(Ybh-za)a zX{;IdmnnLg@~aNYvjgM)az$t&Ut!!|u6Y3fFFa#-dC}7973glXwtA&Nc5(G8MXyl& zYDKSB^SvZLZVD-WjVWaKwWi?l>!d)BYsM(N28E*UL$6f)dPT1XwG=;L z3K@QbDR}%wQ%LfYQlKX^H5A^UsiE*jO$~)7HMLhMev_g%fm(*&YziJ9HH9R<#S~Kf zRw>Y%H8m8DYHBFFMN>oJtwIgM^tTu>ew#u#{X2zt`gTzS;G&574#A*7gn6e7?^7~k zPq{Pp4#j`32+aj+bmN^4kmq+PLIYDv@6w_Hz6{zpY&e_(O_5q$C#06K3#XMQ9>l z!3;jEc>w?~JY#rygo%#&{1NGM(I|XWKKqzR@-bJEk0}0UMQAQq)8~&mK%PIY2n|dv zeO$`{0CM0ND@T!1eM00YlI)Z6*{4K~Pq}h@Lh-*SLUX|yIX>wC1^%=mG%&UFX)Ol; z$bn~!9H93ZsramL`mD?8Gm8IJ(Pxy#nz8?!qR%M_;CM;||GXkJk*_fJpVzzqfES)I zyh=>#3)1Je$;Y7veo;RAl1TC;SCTI%{x?NvE?Cp&FFHV;zpMxiOf7v`%K-p#;8`vQ zP+t)qUn$}7@0y2T4Uda;3ti6hR~4b&RMJ;93jkn&XE}>frTUt5waBl0T|WDUi17_q zjISyFrXn;KtP$hu4p884DMABNOW)FR0Dv5L#>fGB-dcUW60RS&NV|bM)@b{(9MW*!w`Rs=x$q!vgzOVQ{6`{Fc zO`m_@0D1nAA~Z0y^dl_?0LX!7tQ=rQ#RD=@%}irxpKF(bGy}&Dj4+(XVuL$5W#FGm6ke zzQWi)qj>=UFFa#-Inn*s=x-F=eqX zzt@aW_yY<_!Tb@0lobAiLWX{$_|J;|tfTv1Od-QZ5*p+2ji!*~o1{R0(bP~lk`QVr z+=xO-3OAvUq2DULIYBokWaV*-DWv#TQ^@dbrho;p6zCRw;z{9FO$~+HG&K}%*VKAt zxO(G83(MyOVQ53Yb4LRCyF2lSPn2$ThD z^anI8P~dwLga!sd_iFJ0KuA2x=M<>>gvWg)Jnq*#1Z#LeHVYK^fdrv}LC^!52LSNE zGnU7L!s9`g#~lfNC_xw#!5SVI4GR?b;RK<9LD0jR2LSNEGnU6A!sC$=9*=4sf;Bwu zPUt2YDDYzmLIYDvk7*tNzyr@X9#ma~PTzFr5uGAm7i7q*{1h_aDVx^RQ;P((q|Z%; zypm^7CCz|RakWre<9UQu!<>TfDJQL2EofL}b-(8{0{e(UkjSm(8n8vC{KVKI*=5+K zg>4#ak*K%1li-u9I?*;NgV8vDs$VWLsQ|Z4Hu@HOS|;fi$;UL*akW?Doq_0IRQOcue!^Klf`XA!e#)_kv>XIsP^nls<)=DEn$w@bfTs8fa)xqESd zEt0O!P%DwtwNjtdwbE>vV6(a0x9DhRB)o zQd-K(kX6^&U|J>&`-NeD3`1(9g#QQ-P_J zv2#%iycEuCQl&V3mg9Wc?`2DQG-w_&GmX-t4M3VEgY6nSNMrM$AdN?y&pT3+pZ zs=T^+4Ykwq0hfj3YS zt(BfN(P`3~COTa@&_wG*mS#Fb>Y8c2)HRbYb_ zQPpuwHOZBfq)M<5e`!p$N=&s1>HzB2AK^Sv>ro10BLbO5U>{Kk++Ye0)x-IuW2$M_ zR5Pxr)>@l^gOXvdw+Q$cnSch1Xq0hIag#;h98e~u#Ufg%Ri>xSBHF24CaS|CI;m5p ztji+0saqzmhcZ+z{mM{-40MK?WS}$DB9l-nCx1A+qz#|7bW9a0AsuF7#=#nn#CkzROm&v2lcT7c!(7(Z7-%SAJ4XoYA- z4V@xdlctq2uxVN)b!l2Hb!j@)nC^_Cp-#W_CYWwAakyei9i9=GZ?%8SJBmfcF@1_} zt@s#1y>|Ff#Ep(@_&F{sA_{>SV_88JINh(siGHFia@Xrv4LR~y7)aQbVz5-PQM`<1 z()Tter$|&tVU%jK=}HZF21s|}egJxx%%(~gcz=*fF&LgChDQa%gL@2S*+i8#OjZyU zN_h|&IeI;Y0>dulFj&=+Lf8=_2kTDVl(FbyaamxA*$Pj*JSK{+Tv6_~nAw!YJXwUo?eOSR&=!W*+9Mib4-QSihpZ!?-^h-K?K zNwm)>U{aG!Q)RZH(nJC%qDK1OQNhZ!7SoPP@tlXp)(BF?@*VhEbbD?aQEO^5!M~iw6Iykgj|zM z)N3uN8s)$bF$SM{hq0Jpo(1`3mC`3>xL!*^vj7FYXtwYZh|!>2e~9N$HFi(EY<58r zjk&Ug(Xj@Lm#`QNoPaEwo2YZ4HxG>*?02wxJEpOkCI@NKEk z>Ip`F0%MA$G(12!x0o5}Z!t=5!r|RdfEwHYX^X2NrB@m71J%efG?j{b+bu@irchj; zPFUPfL{R||D;0X5AaxRYAL+@oHwneLrGx1(jbf&Q#QUT|?-P;N-bct!>wScLT|oYX zyw7p0U%U?n->SLpe=$l=5xk@1N%X4%FHA&|vL;UgXbtRMzmUohKh=yE{8YR6DaQ%G zLk0H~yR8!dE>BIy*O<*bprCiSvzQkrR;J6;$k_FemzBGVa5S^v3-j4ZuT&Kt52A8K zpbGGczL#wwyt#st5?|rN)8D++XiRUYF{0p(>dK1Q=&c^gJeXmrB;#hhqd1+KA{a}u z6HsZn=#`ea&QOhLoGdnFK_5C9PgXU6&A14c`XU(jOHY6cl224GTrfGpMUqGubvx&h zP;$8@F}4`=V3B|=c<9<%#I-dIb1Su2e-7VmU0WMGdEl1Xg`YtBK53~d!jyHuygI3g zyWk#i-_z3Q1QgKdu*E=>2xx<;M6lU5FG){JqF7d$E*sp$3+ml6{Nacm}>&(=u6f=X3PMq_Z=ktQkxt(%V+M zYXOP-t_?KWG>X#4cxCs^}@CuY_ayVY~hSG+ibwrG>T&@{`%Ps0RBU^ zE!LED)F?*jsL^PmhJICu&ym?}G*JVPL=F9F0KGbi8jX^6YKM3K>sGE&GznL(_&&6i z6Ir>6mx@hP=*IE+j%TC=+fdba@Cn`%lN-7rPfH(Z33e?=u+5b`BAZSc;g>J8pS!FC|P zK9PokC&Z7}44*4IL$jH3Y)EfN1L_j@YV}N;2qfGjB8BvEP-5vDEa+nsuGLL64!awL zok|uFCsFnbg+_@iW)<6Di$+7Cni7Mc$`bt}2NSMj5%ufP>+7R=D_!G6-`G&q?zro4 z>jC2o-F5laBcc&x1lr{ACo5`z4GskBpf>$u1{1_eJa$*!*@jS8=&=#R%r6{Dse@i{ z{DQ=Q*`Rw!$Rb2JvxDC{Sk0E%>2+Y49U`)`L(c3NEM|u#j0B;bh>zZYjf(7Z^bR$T zYxu~(&H@}QLF5Mt5uD^XzT&x}L9?;>=tJz9o2|!&L&x7R3}btdIBErfdPaH@;33Ka zaZDE-suzCUc>tyNnjn$+Q%s z(of4E=5lPNR?uQ(Ggly$xrkR)tfy6uqg)9nP{~tl(W>NXjbeNdr;?|JF620>xCWoD z1<$pPDgu|MwRzpcVCAqjRF<`(ENf%<;g=D;qKa$KHQ0es$J1yHpN_`sz+s)U&(;fw zb$LQv=oHt59M%bkbuk=(3Vu6LiJ^qM;PsdlAG5MPoRtl59~)^Ss74|9Obr`%Aqu+5 zfki>_y9tmp?rF2576uEgIEyynrv$-f`fT!f3!TkdX+3X4ueLdJwG~h>S6gh+&eb^@ z#rPm@uFj>+v>xu`yc3wS?I5uOymvTr23($YB6GUB6DmpJobu$Yfaaqm2I7?;qca2S`-MPLy*jOXJnbL1dAzPt!d@)d9xSBef@PFK)n zbTM5COB^V17+1ma*AF{BLm)?i@@cnkk>s7bg>X>OF^`y5W|lq=wi{u z33N>lZQw#CX+r6-pY zxwDc=98P1!Qy;8)8vbY3_b?lMT;#YhS*V9S6*pGrz+yI7m|L@{chuBip`y4qf~B-9 zd>ZWvK1ea^c`n;H;AfvE>x|X%FgIfS8y&@J0wiaYO<1MM64W%p07vW7V2#qm&0yO? zEhoknXT^ps^18!8A~@POV5hIy;yhWiHI3rfwlbDfW(j?qWH%0?i#86}0$>GQgu-4z z0o5$Y?soH2({?PhWantMTQF}IdF!O>e?2rt2HvsB-s@rS9ObjGtURo&%)+V{ zODim_Is@kON=V`48eNYTX$y+rBob#hj&|-7eBBOM2>4;F8U2~ z9cBjkRI9s^O%>g(4`#zO!fZsW0iRh+k35~XkA@EZxg_H%-o6;6y?v+o!vb(pa z;&+)jCNV z$%vF~pjLh2IQn9E5mQ!HVNBI>Vk!rQ(TVA7d@u(+n&T|PfXmYy+>P=>dj}M7!M+@S zKp>9GY#buaEzLf?JIJNB2Butt0dz0zmM>PKOBiOkB)&B*!EGUs} z?DPp%-f*1281=y%qliwMJ0uu|24@tI%hb-LF_@p}FPb3TiIWgXcM77b6(q zNP0`4z5i=}3&!3bnMQk~%U?QksugqElU>o?vU?>Fg}`V|fE(id9YYJH*AMK~8)T|&WyRu>gsXf46{@^^)bnCc6yE|2I!E3Q0a(Jwcj z|4-jV$8IfC)Fp+$f?r*kz=B-qaRN&;Ka4*+V^*yj#bh^Dtf!5Bv-<6O*aJG2oMhJhxZ~w$0fpYtFMc)E%dQs%BwEg$<|1aiq B*0KNq diff --git a/src/wasm/Hacl_Hash_Blake2s_Simd128.wasm b/src/wasm/Hacl_Hash_Blake2s_Simd128.wasm index b1a26f75e6b90a9bd26ab9ade9ca6c22708f4a85..64e5c9a79e954f01a2c4d73f2a32b9440113175c 100644 GIT binary patch delta 2511 zcma)7TZ>y&6yE3LBsrIy(qdEiqcoZPZhZWig_s8_V_b@@K*FrFB=YNp0%l64tvc+sU}u zoaYB&zEJEcb@%l4^$!fDF00j4gNbjLgMVuOnQ9dMU9+9^&DXH4DCdn{`M&;CW8I{9 zc)B(zW+!Xo(_(63bhb9T`_V@>j&6oM^YBz{eBa!}Y(lHtec#O9xpjI8dvbKBz+duC@I6VvgP$(3L9x@H_ce&~d(8U3k4rw$%ueMpk@ z{(IzQy+>X$viiViJaoru^T!X=7UoaQA3MzktpoFC=4+=9zjQE>vcLaIf&77@Lf02l z4Z%hjvI5<+Ikb{K(qW^WHglPw0zwLtAY6cfhLhCZ99= z(iXSLB3r&2KG=xI2qvQ?HOC>BXDNkSlShPh6u&ypQI30*`6*0XvjiztQRndGcF<@_OkwfF0S ztvv1cTH$Jptr=sRCO{-l29^6Qq-6?dHwt_M(^MF1rx2NjDXi#Z$rHi)`xtU3hx95l z$N@$+WjvqKh#<*Rl%y2aoo`=h@)=0(?g0AgIA{?jptR*eI4oau_sTP2S>AMS$a1zU zKh4fqV2ODFFOYnrP?no=Me7|^JHsKEPis=wn@AFTLPZ+jR^POb2MTo6jf&+N$YfsSN_sdPF5ng={biLHg2N@UV8GONtPhpvpV5^-L^ zxgnez64XAYs+xxCgtb_tu;SQu*?bp>7Z3>;cjicO|`n}+4r zfg`Wyd`Mq$mEo?cgwZTP7E0LJrm(Y+1*4o-xKr3)yxJ6GQQnT+m}*0Z8;jC%e=w{h zC@%zlj!fkSbpq)_l9BXpy3;a|4&`E4dcY@NRR<$aQQ;wfuY)^ZO`})%an8+6itvOF zAp-9GN`z>Nv7qA`UON@la44c0jy`B0XrmxD9A{(9RMu8-5q*5zm#eb8Qgao=K+Vce z6^i9WgjW=OZF(?Qr(!))d$WhYibE|bdWun~1>V)FnXVE+-3sWE!rPz{?*`D_E3X%} zTh@8ihYfu(BflG14-WqW+(T_}i79Y_f^if;)DafST-nX2MwkaaSMBwzgfjP_+bieB z*%RcAvnOL6$Fm4rVUmM zo2y`RTdJ0y4<4xel#E_Blo(HN1Kr*^&6 zw7WD(V52&tm+rx+*`U0H%;Y!kSv?-VfF7VSc|bl7)u}wPMf+<%c_FO0{{-z}oUK}c zz7}{fRlpN|D<$9J_v*i=<(K$eu;kff-gU0OiA*(CVa_#s#VS9quiPH0>2jj-!r$DW B*Af5# delta 2136 zcmZ`)U5Fc16ux&dnaod;xs#bm(#>}F+)cMlZ7XzJQ*8^~yV6Qgse-gmb`9HAJDbw# zRz#6atx5$cxLo|91(Cj33Jc02LLZ8c76psG_#o)3Alf${D%5i(v)QaD1ai;)IX~a` zoiiUl^TRQpbr#QX#u&fz=7kGveA(a4^UE_WZY_5wxUu~HLtlJ*nOh%Sz{9FOX;fqD z60LcUsoS1cxcfF5VoV=0NAxY@1mBA*Sp7S9loy_Vd48TX(xbxM*>kV4(QWCq>-jR@ ztUG2yU(c8HFL}4uS!83*sm}S%?BeOy=X2bB_a=qAN*Ni(lGRhJ#h7%IkS@5QFp}Cz zDBe|OH#HJrC?*Tih631ayzGIe7%sq7d_lUoXK#SAO1pL8r z7i0Ue20D>}K4(P_=76odAuGVaP#h|h-UyV`*G!qhCM0B*10v-8r3=Nm)owB1@r?{} zJA>Q;1XTw?bBB!?7Zg*F=D3S-inwtLli+}U>HZWF1%3R1x0wkpGU9+I0*vZ|dmNJo%mb7-y4G>HmjEO~ z0np0w0L2ptRLImgb+3SN7+cxL>M$-P`kFvr6AA{ts2yP<0X$Qn9|&7|C9F8NGVQwh zn{YDEsmJv9a;v^y@=Gq^g#sjgJnaV~xa&=o02!wlQ38WBT0+JdltoNRmw9PnV_Kxq zYng^(y$qA6p}y|dHIzzz6Gg6@^V`pw{p&N0Or&Dl=>!v&q_zIHrFA`YX3tgnvOB zL9NJeEmk|iLSuwCR-*%WaW8>5A(3Y7j#frhOjN~0RSvt2^k1t13X@Q*^*g;L>xg1~ z^>FQw5YJ@&l5}u+mr160BSLTWUbrVS)DLNEv{Ug zVNZiU!;WX#%yvKXaG;iDpiEi8De+T2o#^Q>(gz$@pPx9@{KHB&QO+_aO~`>s?EgkX z9BZ&}h0r;W?qAxFOZH9ju@qYdAY_FCh3E*$8aUER^+pqSFa~Z9mC}EX2tfpKU#? Tqt=ntN4L!yMrTo