author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-05-11 23:05:36 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-05-11 23:05:36 +0000 |
commit | 306dcf52e8808de3e3c604a7df2e3384885aa8b2 (patch) | |
tree | 6277566361af6eb7fe6ee64cf862329996d3bff2 | |
parent | 3d20bdc0fee053343fc76e7c4fc0ad1f59e3db20 (diff) | |
parent | 1997a4293128d24fb5bbedb83a1dae1f503aedc1 (diff) | |
Snap for 10117275 from 1997a4293128d24fb5bbedb83a1dae1f503aedc1 to udc-d1-release
android-14.0.0_r9 android-14.0.0_r8 android-14.0.0_r7 android-14.0.0_r6 android-14.0.0_r5 android-14.0.0_r4 android-14.0.0_r3 android-14.0.0_r12 android-14.0.0_r11 android-14.0.0_r10 android14-d1-s7-release android14-d1-s6-release android14-d1-s5-release android14-d1-s4-release android14-d1-s3-release android14-d1-s2-release android14-d1-s1-release android14-d1-release
Change-Id: I137e0ff53430dd75d7b72354a08465ab9655fcff
88 files changed, 6366 insertions, 2166 deletions
diff --git a/BUILD.generated.bzl b/BUILD.generated.bzl index cd036188..738e1055 100644 --- a/BUILD.generated.bzl +++ b/BUILD.generated.bzl @@ -267,8 +267,10 @@ crypto_internal_headers = [ "src/crypto/x509v3/internal.h", "src/third_party/fiat/curve25519_32.h", "src/third_party/fiat/curve25519_64.h", + "src/third_party/fiat/curve25519_64_msvc.h", "src/third_party/fiat/p256_32.h", "src/third_party/fiat/p256_64.h", + "src/third_party/fiat/p256_64_msvc.h", ] crypto_sources = [ diff --git a/BUILD.generated_tests.bzl b/BUILD.generated_tests.bzl index c9961d06..92dec1e0 100644 --- a/BUILD.generated_tests.bzl +++ b/BUILD.generated_tests.bzl @@ -72,8 +72,10 @@ test_support_sources = [ "src/ssl/test/test_state.h", "src/third_party/fiat/curve25519_32.h", "src/third_party/fiat/curve25519_64.h", + "src/third_party/fiat/curve25519_64_msvc.h", "src/third_party/fiat/p256_32.h", "src/third_party/fiat/p256_64.h", + "src/third_party/fiat/p256_64_msvc.h", ] crypto_test_sources = [ diff --git a/src/BUILDING.md b/src/BUILDING.md index bedba3c3..4dcd0f48 100644 --- a/src/BUILDING.md +++ b/src/BUILDING.md @@ -48,17 +48,13 @@ most recent stable version of each tool. Using Ninja (note the 'N' is capitalized in the cmake invocation): - mkdir build - cd build - cmake -GNinja .. - ninja + cmake -GNinja -B build + ninja -C build Using Make (does not work on Windows): - mkdir build - cd build - cmake .. - make + cmake -B build + make -C build You usually don't need to run `cmake` again after changing `CMakeLists.txt` files because the build scripts will detect changes to them and rebuild 
@@ -69,10 +65,9 @@ debugging—optimisation isn't enabled. Pass `-DCMAKE_BUILD_TYPE=Release` to `cmake` to configure a release build. If you want to cross-compile then there is an example toolchain file for 32-bit -Intel in `util/`. Wipe out the build directory, recreate it and run `cmake` like -this: +Intel in `util/`. Wipe out the build directory, run `cmake` like this: - cmake -DCMAKE_TOOLCHAIN_FILE=../util/32-bit-toolchain.cmake -GNinja .. + cmake -B build -DCMAKE_TOOLCHAIN_FILE=../util/32-bit-toolchain.cmake -GNinja If you want to build as a shared library, pass `-DBUILD_SHARED_LIBS=1`. On Windows, where functions need to be tagged with `dllimport` when coming from a @@ -93,12 +88,12 @@ versions of the NDK include a CMake toolchain file which works with CMake 3.6.0 or later. This has been tested with version r16b of the NDK. Unpack the Android NDK somewhere and export `ANDROID_NDK` to point to the -directory. Then make a build directory as above and run CMake like this: +directory. Then run CMake like this: cmake -DANDROID_ABI=armeabi-v7a \ -DANDROID_PLATFORM=android-19 \ -DCMAKE_TOOLCHAIN_FILE=${ANDROID_NDK}/build/cmake/android.toolchain.cmake \ - -GNinja .. + -GNinja -B build Once you've run that, Ninja should produce Android-compatible binaries. You can replace `armeabi-v7a` in the above with `arm64-v8a` and use API level 21 or @@ -140,7 +135,7 @@ In order to build with prefixed symbols, the `BORINGSSL_PREFIX` CMake variable should specify the prefix to add to all symbols, and the `BORINGSSL_PREFIX_SYMBOLS` CMake variable should specify the path to a file which contains a list of symbols which should be prefixed (one per line; -comments are supported with `#`). In other words, `cmake .. +comments are supported with `#`). In other words, `cmake -B build -DBORINGSSL_PREFIX=MY_CUSTOM_PREFIX -DBORINGSSL_PREFIX_SYMBOLS=/path/to/symbols.txt` will configure the build to add the prefix `MY_CUSTOM_PREFIX` to all of the symbols listed in 
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index a1fb1539..aac5f0d1 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -17,6 +17,7 @@ endif() include(sources.cmake) include(cmake/go.cmake) +include(cmake/paths.cmake) include(cmake/perlasm.cmake) enable_language(C) diff --git a/src/FUZZING.md b/src/FUZZING.md index 5653acc1..89cf5e93 100644 --- a/src/FUZZING.md +++ b/src/FUZZING.md @@ -7,10 +7,8 @@ We use Clang's [libFuzzer](http://llvm.org/docs/LibFuzzer.html) for fuzz testing In order to build the fuzz tests you will need at least Clang 6.0. Pass `-DFUZZ=1` on the CMake command line to enable building BoringSSL with coverage and AddressSanitizer, and to build the fuzz test binaries. You'll probably need to set the `CC` and `CXX` environment variables too, like this: ``` -mkdir build -cd build -CC=clang CXX=clang++ cmake -GNinja -DFUZZ=1 .. -ninja +CC=clang CXX=clang++ cmake -GNinja -DFUZZ=1 -B build +ninja -C build ``` diff --git a/src/cmake/go.cmake b/src/cmake/go.cmake index 61a01f51..966ad32d 100644 --- a/src/cmake/go.cmake +++ b/src/cmake/go.cmake @@ -34,10 +34,7 @@ function(go_executable dest package) else() # Ninja expects the target in the depfile to match the output. This is a # relative path from the build directory. - string(LENGTH "${CMAKE_BINARY_DIR}" root_dir_length) - math(EXPR root_dir_length "${root_dir_length} + 1") - string(SUBSTRING "${CMAKE_CURRENT_BINARY_DIR}" ${root_dir_length} -1 target) - set(target "${target}/${dest}") + binary_dir_relative_path(${dest} target) set(depfile "${CMAKE_CURRENT_BINARY_DIR}/${dest}.d") add_custom_command(OUTPUT ${dest} diff --git a/src/cmake/paths.cmake b/src/cmake/paths.cmake new file mode 100644 index 00000000..43ebc406 --- /dev/null +++ b/src/cmake/paths.cmake 
@@ -0,0 +1,11 @@
+# binary_dir_relative_path sets outvar to
+# ${CMAKE_CURRENT_BINARY_DIR}/${cur_bin_dir_relative}, but expressed relative to
+# ${CMAKE_BINARY_DIR}.
+#
+# TODO(davidben): When we require CMake 3.20 or later, this can be replaced with
+# the built-in cmake_path(RELATIVE_PATH) function.
+function(binary_dir_relative_path cur_bin_dir_relative outvar)
+ string(LENGTH "${CMAKE_BINARY_DIR}/" root_dir_length)
+ string(SUBSTRING "${CMAKE_CURRENT_BINARY_DIR}/${cur_bin_dir_relative}" ${root_dir_length} -1 result)
+ set(${outvar} ${result} PARENT_SCOPE)
+endfunction()
diff --git a/src/crypto/cipher_extra/e_tls.c b/src/crypto/cipher_extra/e_tls.c
index cfaf95dc..00b48243 100644
--- a/src/crypto/cipher_extra/e_tls.c
+++ b/src/crypto/cipher_extra/e_tls.c
@@ -442,13 +442,6 @@ static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
 return 1;
 }

-static int aead_null_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
- size_t key_len, size_t tag_len,
- enum evp_aead_direction_t dir) {
- return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_enc_null(),
- EVP_sha1(), 1 /* implicit iv */);
-}
-
 static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
 SHA_DIGEST_LENGTH + 16, // key len (SHA1 + AES128)
 16, // nonce len (IV)
@@ -551,23 +544,6 @@ static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
 aead_tls_tag_len,
 };

-static const EVP_AEAD aead_null_sha1_tls = {
- SHA_DIGEST_LENGTH, // key len
- 0, // nonce len
- SHA_DIGEST_LENGTH, // overhead (SHA1)
- SHA_DIGEST_LENGTH, // max tag length
- 0, // seal_scatter_supports_extra_in
-
- NULL, // init
- aead_null_sha1_tls_init,
- aead_tls_cleanup,
- aead_tls_open,
- aead_tls_seal_scatter,
- NULL, // open_gather
- NULL, // get_iv
- aead_tls_tag_len,
-};
-
 const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {
 return &aead_aes_128_cbc_sha1_tls;
 }
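Review bot: `binary_dir_relative_path` in the new src/cmake/paths.cmake strips the prefix by length alone, so it silently assumes `${CMAKE_CURRENT_BINARY_DIR}` lies under `${CMAKE_BINARY_DIR}`. If that ever does not hold (presumably possible when a parent project places this tree's binary directory elsewhere), `string(SUBSTRING ...)` yields an unrelated tail or fails, and the depfile target that go.cmake hands to Ninja would be wrong. The header comment should state the precondition, e.g. `# Requires CMAKE_CURRENT_BINARY_DIR to be inside CMAKE_BINARY_DIR.`, or the function could verify the prefix and stop with `message(FATAL_ERROR ...)`. The result is also passed unquoted, so an empty result unsets the caller's variable instead of setting it to an empty string; `set(${outvar} "${result}" PARENT_SCOPE)` avoids that.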
@@ -591,5 +567,3 @@ const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) { const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) { return &aead_des_ede3_cbc_sha1_tls_implicit_iv; } - -const EVP_AEAD *EVP_aead_null_sha1_tls(void) { return &aead_null_sha1_tls; } diff --git a/src/crypto/crypto_test.cc b/src/crypto/crypto_test.cc index caccba53..4543d5c1 100644 --- a/src/crypto/crypto_test.cc +++ b/src/crypto/crypto_test.cc @@ -158,3 +158,12 @@ TEST(Crypto, OnDemandIntegrityTest) { BORINGSSL_integrity_test(); } #endif + +OPENSSL_DEPRECATED static void DeprecatedFunction() {} + +OPENSSL_BEGIN_ALLOW_DEPRECATED +TEST(CryptoTest, DeprecatedFunction) { + // This is deprecated, but should not trigger any warnings. + DeprecatedFunction(); +} +OPENSSL_END_ALLOW_DEPRECATED diff --git a/src/crypto/curve25519/curve25519.c b/src/crypto/curve25519/curve25519.c index 6a0af2d9..c0289ffe 100644 --- a/src/crypto/curve25519/curve25519.c +++ b/src/crypto/curve25519/curve25519.c @@ -35,11 +35,13 @@ // Various pre-computed constants. #include "./curve25519_tables.h" -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(BORINGSSL_HAS_UINT128) #include "../../third_party/fiat/curve25519_64.h" +#elif defined(OPENSSL_64_BIT) +#include "../../third_party/fiat/curve25519_64_msvc.h" #else #include "../../third_party/fiat/curve25519_32.h" -#endif // BORINGSSL_CURVE25519_64BIT +#endif // Low-level intrinsic operations @@ -64,7 +66,7 @@ static uint64_t load_4(const uint8_t *in) { // Field operations. -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) typedef uint64_t fe_limb_t; #define FE_NUM_LIMBS 5 @@ -144,7 +146,7 @@ typedef uint32_t fe_limb_t; } \ } while (0) -#endif // BORINGSSL_CURVE25519_64BIT +#endif // OPENSSL_64_BIT static_assert(sizeof(fe) == sizeof(fe_limb_t) * FE_NUM_LIMBS, "fe_limb_t[FE_NUM_LIMBS] is inconsistent with fe"); diff --git a/src/crypto/curve25519/curve25519_tables.h b/src/crypto/curve25519/curve25519_tables.h index 310581cf..ad1f036a 100644 
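Review bot: In src/crypto/curve25519/curve25519.c the fiat header is now selected by `BORINGSSL_HAS_UINT128` first, while `fe_limb_t`/`FE_NUM_LIMBS` in the second hunk and the constant tables are selected by `OPENSSL_64_BIT`, so the two choices agree only if `BORINGSSL_HAS_UINT128` is never defined without `OPENSSL_64_BIT`. That macro's definition is outside this diff, so the invariant should be explicit, either as `#if defined(OPENSSL_64_BIT) && defined(BORINGSSL_HAS_UINT128)` on the first branch or as a comment such as `// BORINGSSL_HAS_UINT128 implies OPENSSL_64_BIT; the limb type below keys on the latter.` The `#elif defined(OPENSSL_64_BIT)` branch also sends every 64-bit target without a 128-bit integer type to `curve25519_64_msvc.h`, not only MSVC; the header is not shown here, so it is worth confirming that it builds and stays constant-time on those targets. The new bare `#endif` lost its trailing comment, and a short one naming the three-way selection would keep the block readable.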
--- a/src/crypto/curve25519/curve25519_tables.h +++ b/src/crypto/curve25519/curve25519_tables.h @@ -17,7 +17,7 @@ static const fe d = {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 929955233495203, 466365720129213, 1662059464998953, 2033849074728123, 1442794654840575 #else @@ -27,7 +27,7 @@ static const fe d = {{ }}; static const fe sqrtm1 = {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1718705420411056, 234908883556509, 2233514472574048, 2117202627021982, 765476049583133 #else @@ -37,7 +37,7 @@ static const fe sqrtm1 = {{ }}; static const fe d2 = {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1859910466990425, 932731440258426, 1072319116312658, 1815898335770999, 633789495995903 #else @@ -146,7 +146,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1288382639258501, 245678601348599, 269427782077623, 1462984067271730, 137412439391563 #else @@ -155,7 +155,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 62697248952638, 204681361388450, 631292143396476, 338455783676468, 1213667448819585 #else @@ -164,7 +164,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 301289933810280, 1259582250014073, 1422107436869536, 796239922652654, 1953934009299142 #else @@ -175,7 +175,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1380971894829527, 790832306631236, 2067202295274102, 1995808275510000, 1566530869037010 #else @@ -184,7 +184,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 463307831301544, 432984605774163, 1610641361907204, 750899048855000, 1894842303421586 #else 
@@ -193,7 +193,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 748439484463711, 1033211726465151, 1396005112841647, 1611506220286469, 1972177495910992 #else @@ -204,7 +204,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1601611775252272, 1720807796594148, 1132070835939856, 1260455018889551, 2147779492816911 #else @@ -213,7 +213,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 316559037616741, 2177824224946892, 1459442586438991, 1461528397712656, 751590696113597 #else @@ -222,7 +222,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1850748884277385, 1200145853858453, 1068094770532492, 672251375690438, 1586055907191707 #else @@ -233,7 +233,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 934282339813791, 1846903124198670, 1172395437954843, 1007037127761661, 1830588347719256 #else @@ -242,7 +242,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1694390458783935, 1735906047636159, 705069562067493, 648033061693059, 696214010414170 #else @@ -251,7 +251,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1121406372216585, 192876649532226, 190294192191717, 1994165897297032, 2245000007398739 #else @@ -262,7 +262,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 769950342298419, 132954430919746, 844085933195555, 974092374476333, 726076285546016 #else 
@@ -271,7 +271,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 425251763115706, 608463272472562, 442562545713235, 837766094556764, 374555092627893 #else @@ -280,7 +280,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1086255230780037, 274979815921559, 1960002765731872, 929474102396301, 1190409889297339 #else @@ -291,7 +291,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1388594989461809, 316767091099457, 394298842192982, 1230079486801005, 1440737038838979 #else @@ -300,7 +300,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 7380825640100, 146210432690483, 304903576448906, 1198869323871120, 997689833219095 #else @@ -309,7 +309,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1181317918772081, 114573476638901, 262805072233344, 265712217171332, 294181933805782 #else @@ -320,7 +320,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 665000864555967, 2065379846933859, 370231110385876, 350988370788628, 1233371373142985 #else @@ -329,7 +329,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2019367628972465, 676711900706637, 110710997811333, 1108646842542025, 517791959672113 #else @@ -338,7 +338,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 965130719900578, 247011430587952, 526356006571389, 91986625355052, 2157223321444601 #else 
@@ -349,7 +349,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2068619540119183, 1966274918058806, 957728544705549, 729906502578991, 159834893065166 #else @@ -358,7 +358,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2073601412052185, 31021124762708, 264500969797082, 248034690651703, 1030252227928288 #else @@ -367,7 +367,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 551790716293402, 1989538725166328, 801169423371717, 2052451893578887, 678432056995012 #else @@ -380,7 +380,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1368953770187805, 790347636712921, 437508475667162, 2142576377050580, 1932081720066286 #else @@ -389,7 +389,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 953638594433374, 1092333936795051, 1419774766716690, 805677984380077, 859228993502513 #else @@ -398,7 +398,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1200766035879111, 20142053207432, 1465634435977050, 1645256912097844, 295121984874596 #else @@ -409,7 +409,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1735718747031557, 1248237894295956, 1204753118328107, 976066523550493, 65943769534592 #else @@ -418,7 +418,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1060098822528990, 1586825862073490, 212301317240126, 1975302711403555, 666724059764335 #else 
@@ -427,7 +427,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1091990273418756, 1572899409348578, 80968014455247, 306009358661350, 1520450739132526 #else @@ -438,7 +438,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1480517209436112, 1511153322193952, 1244343858991172, 304788150493241, 369136856496443 #else @@ -447,7 +447,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2151330273626164, 762045184746182, 1688074332551515, 823046109005759, 907602769079491 #else @@ -456,7 +456,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2047386910586836, 168470092900250, 1552838872594810, 340951180073789, 360819374702533 #else @@ -467,7 +467,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1982622644432056, 2014393600336956, 128909208804214, 1617792623929191, 105294281913815 #else @@ -476,7 +476,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 980234343912898, 1712256739246056, 588935272190264, 204298813091998, 841798321043288 #else @@ -485,7 +485,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 197561292938973, 454817274782871, 1963754960082318, 2113372252160468, 971377527342673 #else @@ -496,7 +496,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 164699448829328, 3127451757672, 1199504971548753, 1766155447043652, 1899238924683527 #else 
@@ -505,7 +505,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 732262946680281, 1674412764227063, 2182456405662809, 1350894754474250, 558458873295247 #else @@ -514,7 +514,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2103305098582922, 1960809151316468, 715134605001343, 1454892949167181, 40827143824949 #else @@ -525,7 +525,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1239289043050212, 1744654158124578, 758702410031698, 1796762995074688, 1603056663766 #else @@ -534,7 +534,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2232056027107988, 987343914584615, 2115594492994461, 1819598072792159, 1119305654014850 #else @@ -543,7 +543,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 320153677847348, 939613871605645, 641883205761567, 1930009789398224, 329165806634126 #else @@ -554,7 +554,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 980930490474130, 1242488692177893, 1251446316964684, 1086618677993530, 1961430968465772 #else @@ -563,7 +563,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 276821765317453, 1536835591188030, 1305212741412361, 61473904210175, 2051377036983058 #else @@ -572,7 +572,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 833449923882501, 1750270368490475, 1123347002068295, 185477424765687, 278090826653186 #else 
@@ -583,7 +583,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 794524995833413, 1849907304548286, 53348672473145, 1272368559505217, 1147304168324779 #else @@ -592,7 +592,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1504846112759364, 1203096289004681, 562139421471418, 274333017451844, 1284344053775441 #else @@ -601,7 +601,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 483048732424432, 2116063063343382, 30120189902313, 292451576741007, 1156379271702225 #else @@ -614,7 +614,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 928372153029038, 2147692869914564, 1455665844462196, 1986737809425946, 185207050258089 #else @@ -623,7 +623,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 137732961814206, 706670923917341, 1387038086865771, 1965643813686352, 1384777115696347 #else @@ -632,7 +632,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 481144981981577, 2053319313589856, 2065402289827512, 617954271490316, 1106602634668125 #else @@ -643,7 +643,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 696298019648792, 893299659040895, 1148636718636009, 26734077349617, 2203955659340681 #else @@ -652,7 +652,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 657390353372855, 998499966885562, 991893336905797, 810470207106761, 343139804608786 #else 
@@ -661,7 +661,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 791736669492960, 934767652997115, 824656780392914, 1759463253018643, 361530362383518 #else @@ -672,7 +672,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2022541353055597, 2094700262587466, 1551008075025686, 242785517418164, 695985404963562 #else @@ -681,7 +681,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1287487199965223, 2215311941380308, 1552928390931986, 1664859529680196, 1125004975265243 #else @@ -690,7 +690,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 677434665154918, 989582503122485, 1817429540898386, 1052904935475344, 1143826298169798 #else @@ -701,7 +701,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 367266328308408, 318431188922404, 695629353755355, 634085657580832, 24581612564426 #else @@ -710,7 +710,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 773360688841258, 1815381330538070, 363773437667376, 539629987070205, 783280434248437 #else @@ -719,7 +719,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 180820816194166, 168937968377394, 748416242794470, 1227281252254508, 1567587861004268 #else @@ -730,7 +730,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 478775558583645, 2062896624554807, 699391259285399, 358099408427873, 1277310261461761 #else 
@@ -739,7 +739,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1984740906540026, 1079164179400229, 1056021349262661, 1659958556483663, 1088529069025527 #else @@ -748,7 +748,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 580736401511151, 1842931091388998, 1177201471228238, 2075460256527244, 1301133425678027 #else @@ -759,7 +759,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1515728832059182, 1575261009617579, 1510246567196186, 191078022609704, 116661716289141 #else @@ -768,7 +768,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1295295738269652, 1714742313707026, 545583042462581, 2034411676262552, 1513248090013606 #else @@ -777,7 +777,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 230710545179830, 30821514358353, 760704303452229, 390668103790604, 573437871383156 #else @@ -788,7 +788,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1169380107545646, 263167233745614, 2022901299054448, 819900753251120, 2023898464874585 #else @@ -797,7 +797,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2102254323485823, 1570832666216754, 34696906544624, 1993213739807337, 70638552271463 #else @@ -806,7 +806,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 894132856735058, 548675863558441, 845349339503395, 1942269668326667, 1615682209874691 #else 
@@ -817,7 +817,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1287670217537834, 1222355136884920, 1846481788678694, 1150426571265110, 1613523400722047 #else @@ -826,7 +826,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 793388516527298, 1315457083650035, 1972286999342417, 1901825953052455, 338269477222410 #else @@ -835,7 +835,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 550201530671806, 778605267108140, 2063911101902983, 115500557286349, 2041641272971022 #else @@ -848,7 +848,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 717255318455100, 519313764361315, 2080406977303708, 541981206705521, 774328150311600 #else @@ -857,7 +857,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 261715221532238, 1795354330069993, 1496878026850283, 499739720521052, 389031152673770 #else @@ -866,7 +866,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1997217696294013, 1717306351628065, 1684313917746180, 1644426076011410, 1857378133465451 #else @@ -877,7 +877,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1475434724792648, 76931896285979, 1116729029771667, 2002544139318042, 725547833803938 #else @@ -886,7 +886,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2022306639183567, 726296063571875, 315345054448644, 1058733329149221, 1448201136060677 #else 
@@ -895,7 +895,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1710065158525665, 1895094923036397, 123988286168546, 1145519900776355, 1607510767693874 #else @@ -906,7 +906,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 561605375422540, 1071733543815037, 131496498800990, 1946868434569999, 828138133964203 #else @@ -915,7 +915,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1548495173745801, 442310529226540, 998072547000384, 553054358385281, 644824326376171 #else @@ -924,7 +924,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1445526537029440, 2225519789662536, 914628859347385, 1064754194555068, 1660295614401091 #else @@ -935,7 +935,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1199690223111956, 24028135822341, 66638289244341, 57626156285975, 565093967979607 #else @@ -944,7 +944,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 876926774220824, 554618976488214, 1012056309841565, 839961821554611, 1414499340307677 #else @@ -953,7 +953,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 703047626104145, 1266841406201770, 165556500219173, 486991595001879, 1011325891650656 #else @@ -964,7 +964,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1622861044480487, 1156394801573634, 1869132565415504, 327103985777730, 2095342781472284 #else 
@@ -973,7 +973,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 334886927423922, 489511099221528, 129160865966726, 1720809113143481, 619700195649254 #else @@ -982,7 +982,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1646545795166119, 1758370782583567, 714746174550637, 1472693650165135, 898994790308209 #else @@ -993,7 +993,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 333403773039279, 295772542452938, 1693106465353610, 912330357530760, 471235657950362 #else @@ -1002,7 +1002,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1811196219982022, 1068969825533602, 289602974833439, 1988956043611592, 863562343398367 #else @@ -1011,7 +1011,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 906282429780072, 2108672665779781, 432396390473936, 150625823801893, 1708930497638539 #else @@ -1022,7 +1022,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 925664675702328, 21416848568684, 1831436641861340, 601157008940113, 371818055044496 #else @@ -1031,7 +1031,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1479786007267725, 1738881859066675, 68646196476567, 2146507056100328, 1247662817535471 #else @@ -1040,7 +1040,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 52035296774456, 939969390708103, 312023458773250, 59873523517659, 1231345905848899 #else 
@@ -1051,7 +1051,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 643355106415761, 290186807495774, 2013561737429023, 319648069511546, 393736678496162 #else @@ -1060,7 +1060,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 129358342392716, 1932811617704777, 1176749390799681, 398040349861790, 1170779668090425 #else @@ -1069,7 +1069,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2051980782668029, 121859921510665, 2048329875753063, 1235229850149665, 519062146124755 #else @@ -1082,7 +1082,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1608170971973096, 415809060360428, 1350468408164766, 2038620059057678, 1026904485989112 #else @@ -1091,7 +1091,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1837656083115103, 1510134048812070, 906263674192061, 1821064197805734, 565375124676301 #else @@ -1100,7 +1100,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 578027192365650, 2034800251375322, 2128954087207123, 478816193810521, 2196171989962750 #else @@ -1111,7 +1111,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1633188840273139, 852787172373708, 1548762607215796, 1266275218902681, 1107218203325133 #else @@ -1120,7 +1120,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 462189358480054, 1784816734159228, 1611334301651368, 1303938263943540, 707589560319424 #else 
@@ -1129,7 +1129,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1038829280972848, 38176604650029, 753193246598573, 1136076426528122, 595709990562434 #else @@ -1140,7 +1140,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1408451820859834, 2194984964010833, 2198361797561729, 1061962440055713, 1645147963442934 #else @@ -1149,7 +1149,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 4701053362120, 1647641066302348, 1047553002242085, 1923635013395977, 206970314902065 #else @@ -1158,7 +1158,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1750479161778571, 1362553355169293, 1891721260220598, 966109370862782, 1024913988299801 #else @@ -1169,7 +1169,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 212699049131723, 1117950018299775, 1873945661751056, 1403802921984058, 130896082652698 #else @@ -1178,7 +1178,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 636808533673210, 1262201711667560, 390951380330599, 1663420692697294, 561951321757406 #else @@ -1187,7 +1187,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 520731594438141, 1446301499955692, 273753264629267, 1565101517999256, 1019411827004672 #else @@ -1198,7 +1198,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 926527492029409, 1191853477411379, 734233225181171, 184038887541270, 1790426146325343 #else 
@@ -1207,7 +1207,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1464651961852572, 1483737295721717, 1519450561335517, 1161429831763785, 405914998179977 #else @@ -1216,7 +1216,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 996126634382301, 796204125879525, 127517800546509, 344155944689303, 615279846169038 #else @@ -1227,7 +1227,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 738724080975276, 2188666632415296, 1961313708559162, 1506545807547587, 1151301638969740 #else @@ -1236,7 +1236,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 622917337413835, 1218989177089035, 1284857712846592, 970502061709359, 351025208117090 #else @@ -1245,7 +1245,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2067814584765580, 1677855129927492, 2086109782475197, 235286517313238, 1416314046739645 #else @@ -1256,7 +1256,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 586844262630358, 307444381952195, 458399356043426, 602068024507062, 1028548203415243 #else @@ -1265,7 +1265,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 678489922928203, 2016657584724032, 90977383049628, 1026831907234582, 615271492942522 #else @@ -1274,7 +1274,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 301225714012278, 1094837270268560, 1202288391010439, 644352775178361, 1647055902137983 #else 
@@ -1285,7 +1285,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1210746697896478, 1416608304244708, 686487477217856, 1245131191434135, 1051238336855737 #else @@ -1294,7 +1294,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1135604073198207, 1683322080485474, 769147804376683, 2086688130589414, 900445683120379 #else @@ -1303,7 +1303,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1971518477615628, 401909519527336, 448627091057375, 1409486868273821, 1214789035034363 #else @@ -1316,7 +1316,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1364039144731711, 1897497433586190, 2203097701135459, 145461396811251, 1349844460790699 #else @@ -1325,7 +1325,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1045230323257973, 818206601145807, 630513189076103, 1672046528998132, 807204017562437 #else @@ -1334,7 +1334,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 439961968385997, 386362664488986, 1382706320807688, 309894000125359, 2207801346498567 #else @@ -1345,7 +1345,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1229004686397588, 920643968530863, 123975893911178, 681423993215777, 1400559197080973 #else @@ -1354,7 +1354,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2003766096898049, 170074059235165, 1141124258967971, 1485419893480973, 1573762821028725 #else 
@@ -1363,7 +1363,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 729905708611432, 1270323270673202, 123353058984288, 426460209632942, 2195574535456672 #else @@ -1374,7 +1374,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1271140255321235, 2044363183174497, 52125387634689, 1445120246694705, 942541986339084 #else @@ -1383,7 +1383,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1761608437466135, 583360847526804, 1586706389685493, 2157056599579261, 1170692369685772 #else @@ -1392,7 +1392,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 871476219910823, 1878769545097794, 2241832391238412, 548957640601001, 690047440233174 #else @@ -1403,7 +1403,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 297194732135507, 1366347803776820, 1301185512245601, 561849853336294, 1533554921345731 #else @@ -1412,7 +1412,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 999628998628371, 1132836708493400, 2084741674517453, 469343353015612, 678782988708035 #else @@ -1421,7 +1421,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2189427607417022, 699801937082607, 412764402319267, 1478091893643349, 2244675696854460 #else @@ -1432,7 +1432,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1712292055966563, 204413590624874, 1405738637332841, 408981300829763, 861082219276721 #else 
@@ -1441,7 +1441,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 508561155940631, 966928475686665, 2236717801150132, 424543858577297, 2089272956986143 #else @@ -1450,7 +1450,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 221245220129925, 1156020201681217, 491145634799213, 542422431960839, 828100817819207 #else @@ -1461,7 +1461,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 153756971240384, 1299874139923977, 393099165260502, 1058234455773022, 996989038681183 #else @@ -1470,7 +1470,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 559086812798481, 573177704212711, 1629737083816402, 1399819713462595, 1646954378266038 #else @@ -1479,7 +1479,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1887963056288059, 228507035730124, 1468368348640282, 930557653420194, 613513962454686 #else @@ -1490,7 +1490,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1224529808187553, 1577022856702685, 2206946542980843, 625883007765001, 279930793512158 #else @@ -1499,7 +1499,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1076287717051609, 1114455570543035, 187297059715481, 250446884292121, 1885187512550540 #else @@ -1508,7 +1508,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 902497362940219, 76749815795675, 1657927525633846, 1420238379745202, 1340321636548352 #else 
@@ -1519,7 +1519,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1129576631190784, 1281994010027327, 996844254743018, 257876363489249, 1150850742055018 #else @@ -1528,7 +1528,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 628740660038789, 1943038498527841, 467786347793886, 1093341428303375, 235413859513003 #else @@ -1537,7 +1537,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 237425418909360, 469614029179605, 1512389769174935, 1241726368345357, 441602891065214 #else @@ -1550,7 +1550,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1736417953058555, 726531315520508, 1833335034432527, 1629442561574747, 624418919286085 #else @@ -1559,7 +1559,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1960754663920689, 497040957888962, 1909832851283095, 1271432136996826, 2219780368020940 #else @@ -1568,7 +1568,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1537037379417136, 1358865369268262, 2130838645654099, 828733687040705, 1999987652890901 #else @@ -1579,7 +1579,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 629042105241814, 1098854999137608, 887281544569320, 1423102019874777, 7911258951561 #else @@ -1588,7 +1588,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1811562332665373, 1501882019007673, 2213763501088999, 359573079719636, 36370565049116 #else 
@@ -1597,7 +1597,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 218907117361280, 1209298913016966, 1944312619096112, 1130690631451061, 1342327389191701 #else @@ -1608,7 +1608,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1369976867854704, 1396479602419169, 1765656654398856, 2203659200586299, 998327836117241 #else @@ -1617,7 +1617,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2230701885562825, 1348173180338974, 2172856128624598, 1426538746123771, 444193481326151 #else @@ -1626,7 +1626,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 784210426627951, 918204562375674, 1284546780452985, 1324534636134684, 1872449409642708 #else @@ -1637,7 +1637,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 319638829540294, 596282656808406, 2037902696412608, 1557219121643918, 341938082688094 #else @@ -1646,7 +1646,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1901860206695915, 2004489122065736, 1625847061568236, 973529743399879, 2075287685312905 #else @@ -1655,7 +1655,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1371853944110545, 1042332820512553, 1949855697918254, 1791195775521505, 37487364849293 #else @@ -1666,7 +1666,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 687200189577855, 1082536651125675, 644224940871546, 340923196057951, 343581346747396 #else 
@@ -1675,7 +1675,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2082717129583892, 27829425539422, 145655066671970, 1690527209845512, 1865260509673478 #else @@ -1684,7 +1684,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1059729620568824, 2163709103470266, 1440302280256872, 1769143160546397, 869830310425069 #else @@ -1695,7 +1695,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1609516219779025, 777277757338817, 2101121130363987, 550762194946473, 1905542338659364 #else @@ -1704,7 +1704,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2024821921041576, 426948675450149, 595133284085473, 471860860885970, 600321679413000 #else @@ -1713,7 +1713,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 598474602406721, 1468128276358244, 1191923149557635, 1501376424093216, 1281662691293476 #else @@ -1724,7 +1724,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1721138489890707, 1264336102277790, 433064545421287, 1359988423149466, 1561871293409447 #else @@ -1733,7 +1733,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 719520245587143, 393380711632345, 132350400863381, 1543271270810729, 1819543295798660 #else @@ -1742,7 +1742,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 396397949784152, 1811354474471839, 1362679985304303, 2117033964846756, 498041172552279 #else 
@@ -1753,7 +1753,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1812471844975748, 1856491995543149, 126579494584102, 1036244859282620, 1975108050082550 #else @@ -1762,7 +1762,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 650623932407995, 1137551288410575, 2125223403615539, 1725658013221271, 2134892965117796 #else @@ -1771,7 +1771,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 522584000310195, 1241762481390450, 1743702789495384, 2227404127826575, 1686746002148897 #else @@ -1784,7 +1784,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 427904865186312, 1703211129693455, 1585368107547509, 1436984488744336, 761188534613978 #else @@ -1793,7 +1793,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 318101947455002, 248138407995851, 1481904195303927, 309278454311197, 1258516760217879 #else @@ -1802,7 +1802,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1275068538599310, 513726919533379, 349926553492294, 688428871968420, 1702400196000666 #else @@ -1813,7 +1813,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1061864036265233, 961611260325381, 321859632700838, 1045600629959517, 1985130202504038 #else @@ -1822,7 +1822,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1558816436882417, 1962896332636523, 1337709822062152, 1501413830776938, 294436165831932 #else 
@@ -1831,7 +1831,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 818359826554971, 1862173000996177, 626821592884859, 573655738872376, 1749691246745455 #else @@ -1842,7 +1842,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1988022651432119, 1082111498586040, 1834020786104821, 1454826876423687, 692929915223122 #else @@ -1851,7 +1851,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2146513703733331, 584788900394667, 464965657279958, 2183973639356127, 238371159456790 #else @@ -1860,7 +1860,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1129007025494441, 2197883144413266, 265142755578169, 971864464758890, 1983715884903702 #else @@ -1871,7 +1871,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1291366624493075, 381456718189114, 1711482489312444, 1815233647702022, 892279782992467 #else @@ -1880,7 +1880,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 444548969917454, 1452286453853356, 2113731441506810, 645188273895859, 810317625309512 #else @@ -1889,7 +1889,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2242724082797924, 1373354730327868, 1006520110883049, 2147330369940688, 1151816104883620 #else @@ -1900,7 +1900,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1745720200383796, 1911723143175317, 2056329390702074, 355227174309849, 879232794371100 #else 
@@ -1909,7 +1909,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 163723479936298, 115424889803150, 1156016391581227, 1894942220753364, 1970549419986329 #else @@ -1918,7 +1918,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 681981452362484, 267208874112496, 1374683991933094, 638600984916117, 646178654558546 #else @@ -1929,7 +1929,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 13378654854251, 106237307029567, 1944412051589651, 1841976767925457, 230702819835573 #else @@ -1938,7 +1938,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 260683893467075, 854060306077237, 913639551980112, 4704576840123, 280254810808712 #else @@ -1947,7 +1947,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 715374893080287, 1173334812210491, 1806524662079626, 1894596008000979, 398905715033393 #else @@ -1958,7 +1958,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 500026409727661, 1596431288195371, 1420380351989370, 985211561521489, 392444930785633 #else @@ -1967,7 +1967,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2096421546958141, 1922523000950363, 789831022876840, 427295144688779, 320923973161730 #else @@ -1976,7 +1976,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1927770723575450, 1485792977512719, 1850996108474547, 551696031508956, 2126047405475647 #else 
@@ -1987,7 +1987,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2112099158080148, 742570803909715, 6484558077432, 1951119898618916, 93090382703416 #else @@ -1996,7 +1996,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 383905201636970, 859946997631870, 855623867637644, 1017125780577795, 794250831877809 #else @@ -2005,7 +2005,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 77571826285752, 999304298101753, 487841111777762, 1038031143212339, 339066367948762 #else @@ -2018,7 +2018,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 674994775520533, 266035846330789, 826951213393478, 1405007746162285, 1781791018620876 #else @@ -2027,7 +2027,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1001412661522686, 348196197067298, 1666614366723946, 888424995032760, 580747687801357 #else @@ -2036,7 +2036,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1939560076207777, 1409892634407635, 552574736069277, 383854338280405, 190706709864139 #else @@ -2047,7 +2047,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2177087163428741, 1439255351721944, 1208070840382793, 2230616362004769, 1396886392021913 #else @@ -2056,7 +2056,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 676962063230039, 1880275537148808, 2046721011602706, 888463247083003, 1318301552024067 #else 
@@ -2065,7 +2065,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1466980508178206, 617045217998949, 652303580573628, 757303753529064, 207583137376902 #else @@ -2076,7 +2076,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1511056752906902, 105403126891277, 493434892772846, 1091943425335976, 1802717338077427 #else @@ -2085,7 +2085,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1853982405405128, 1878664056251147, 1528011020803992, 1019626468153565, 1128438412189035 #else @@ -2094,7 +2094,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1963939888391106, 293456433791664, 697897559513649, 985882796904380, 796244541237972 #else @@ -2105,7 +2105,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 416770998629779, 389655552427054, 1314476859406756, 1749382513022778, 1161905598739491 #else @@ -2114,7 +2114,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1428358296490651, 1027115282420478, 304840698058337, 441410174026628, 1819358356278573 #else @@ -2123,7 +2123,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 204943430200135, 1554861433819175, 216426658514651, 264149070665950, 2047097371738319 #else @@ -2134,7 +2134,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1934415182909034, 1393285083565062, 516409331772960, 1157690734993892, 121039666594268 #else 
@@ -2143,7 +2143,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 662035583584445, 286736105093098, 1131773000510616, 818494214211439, 472943792054479 #else @@ -2152,7 +2152,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 665784778135882, 1893179629898606, 808313193813106, 276797254706413, 1563426179676396 #else @@ -2163,7 +2163,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 945205108984232, 526277562959295, 1324180513733566, 1666970227868664, 153547609289173 #else @@ -2172,7 +2172,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2031433403516252, 203996615228162, 170487168837083, 981513604791390, 843573964916831 #else @@ -2181,7 +2181,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1476570093962618, 838514669399805, 1857930577281364, 2017007352225784, 317085545220047 #else @@ -2192,7 +2192,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1461557121912842, 1600674043318359, 2157134900399597, 1670641601940616, 127765583803283 #else @@ -2201,7 +2201,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1293543509393474, 2143624609202546, 1058361566797508, 214097127393994, 946888515472729 #else @@ -2210,7 +2210,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 357067959932916, 1290876214345711, 521245575443703, 1494975468601005, 800942377643885 #else 
@@ -2221,7 +2221,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 566116659100033, 820247422481740, 994464017954148, 327157611686365, 92591318111744 #else @@ -2230,7 +2230,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 617256647603209, 1652107761099439, 1857213046645471, 1085597175214970, 817432759830522 #else @@ -2239,7 +2239,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 771808161440705, 1323510426395069, 680497615846440, 851580615547985, 1320806384849017 #else @@ -2252,7 +2252,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1219260086131915, 647169006596815, 79601124759706, 2161724213426748, 404861897060198 #else @@ -2261,7 +2261,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1327968293887866, 1335500852943256, 1401587164534264, 558137311952440, 1551360549268902 #else @@ -2270,7 +2270,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 417621685193956, 1429953819744454, 396157358457099, 1940470778873255, 214000046234152 #else @@ -2281,7 +2281,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1268047918491973, 2172375426948536, 1533916099229249, 1761293575457130, 1590622667026765 #else @@ -2290,7 +2290,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1627072914981959, 2211603081280073, 1912369601616504, 1191770436221309, 2187309757525860 #else 
@@ -2299,7 +2299,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1149147819689533, 378692712667677, 828475842424202, 2218619146419342, 70688125792186 #else @@ -2310,7 +2310,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1299739417079761, 1438616663452759, 1536729078504412, 2053896748919838, 1008421032591246 #else @@ -2319,7 +2319,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2040723824657366, 399555637875075, 632543375452995, 872649937008051, 1235394727030233 #else @@ -2328,7 +2328,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2211311599327900, 2139787259888175, 938706616835350, 12609661139114, 2081897930719789 #else @@ -2339,7 +2339,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1324994503390450, 336982330582631, 1183998925654177, 1091654665913274, 48727673971319 #else @@ -2348,7 +2348,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1845522914617879, 1222198248335542, 150841072760134, 1927029069940982, 1189913404498011 #else @@ -2357,7 +2357,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1079559557592645, 2215338383666441, 1903569501302605, 49033973033940, 305703433934152 #else @@ -2368,7 +2368,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 94653405416909, 1386121349852999, 1062130477891762, 36553947479274, 833669648948846 #else 
@@ -2377,7 +2377,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1432015813136298, 440364795295369, 1395647062821501, 1976874522764578, 934452372723352 #else @@ -2386,7 +2386,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1296625309219774, 2068273464883862, 1858621048097805, 1492281814208508, 2235868981918946 #else @@ -2397,7 +2397,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1490330266465570, 1858795661361448, 1436241134969763, 294573218899647, 1208140011028933 #else @@ -2406,7 +2406,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1282462923712748, 741885683986255, 2027754642827561, 518989529541027, 1826610009555945 #else @@ -2415,7 +2415,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1525827120027511, 723686461809551, 1597702369236987, 244802101764964, 1502833890372311 #else @@ -2426,7 +2426,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 113622036244513, 1233740067745854, 674109952278496, 2114345180342965, 166764512856263 #else @@ -2435,7 +2435,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2041668749310338, 2184405322203901, 1633400637611036, 2110682505536899, 2048144390084644 #else @@ -2444,7 +2444,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 503058759232932, 760293024620937, 2027152777219493, 666858468148475, 1539184379870952 #else 
@@ -2455,7 +2455,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1916168475367211, 915626432541343, 883217071712575, 363427871374304, 1976029821251593 #else @@ -2464,7 +2464,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 678039535434506, 570587290189340, 1605302676614120, 2147762562875701, 1706063797091704 #else @@ -2473,7 +2473,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1439489648586438, 2194580753290951, 832380563557396, 561521973970522, 584497280718389 #else @@ -2486,7 +2486,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 187989455492609, 681223515948275, 1933493571072456, 1872921007304880, 488162364135671 #else @@ -2495,7 +2495,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1413466089534451, 410844090765630, 1397263346404072, 408227143123410, 1594561803147811 #else @@ -2504,7 +2504,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2102170800973153, 719462588665004, 1479649438510153, 1097529543970028, 1302363283777685 #else @@ -2515,7 +2515,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 942065717847195, 1069313679352961, 2007341951411051, 70973416446291, 1419433790163706 #else @@ -2524,7 +2524,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1146565545556377, 1661971299445212, 406681704748893, 564452436406089, 1109109865829139 #else 
@@ -2533,7 +2533,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2214421081775077, 1165671861210569, 1890453018796184, 3556249878661, 442116172656317 #else @@ -2544,7 +2544,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 753830546620811, 1666955059895019, 1530775289309243, 1119987029104146, 2164156153857580 #else @@ -2553,7 +2553,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 615171919212796, 1523849404854568, 854560460547503, 2067097370290715, 1765325848586042 #else @@ -2562,7 +2562,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1094538949313667, 1796592198908825, 870221004284388, 2025558921863561, 1699010892802384 #else @@ -2573,7 +2573,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1951351290725195, 1916457206844795, 198025184438026, 1909076887557595, 1938542290318919 #else @@ -2582,7 +2582,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1014323197538413, 869150639940606, 1756009942696599, 1334952557375672, 1544945379082874 #else @@ -2591,7 +2591,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 764055910920305, 1603590757375439, 146805246592357, 1843313433854297, 954279890114939 #else @@ -2602,7 +2602,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 80113526615750, 764536758732259, 1055139345100233, 469252651759390, 617897512431515 #else 
@@ -2611,7 +2611,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 74497112547268, 740094153192149, 1745254631717581, 727713886503130, 1283034364416928 #else @@ -2620,7 +2620,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 525892105991110, 1723776830270342, 1476444848991936, 573789489857760, 133864092632978 #else @@ -2631,7 +2631,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 542611720192581, 1986812262899321, 1162535242465837, 481498966143464, 544600533583622 #else @@ -2640,7 +2640,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 64123227344372, 1239927720647794, 1360722983445904, 222610813654661, 62429487187991 #else @@ -2649,7 +2649,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1793193323953132, 91096687857833, 70945970938921, 2158587638946380, 1537042406482111 #else @@ -2660,7 +2660,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1895854577604609, 1394895708949416, 1728548428495944, 1140864900240149, 563645333603061 #else @@ -2669,7 +2669,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 141358280486863, 91435889572504, 1087208572552643, 1829599652522921, 1193307020643647 #else @@ -2678,7 +2678,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1611230858525381, 950720175540785, 499589887488610, 2001656988495019, 88977313255908 #else 
@@ -2689,7 +2689,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1189080501479658, 2184348804772597, 1040818725742319, 2018318290311834, 1712060030915354 #else @@ -2698,7 +2698,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 873966876953756, 1090638350350440, 1708559325189137, 672344594801910, 1320437969700239 #else @@ -2707,7 +2707,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1508590048271766, 1131769479776094, 101550868699323, 428297785557897, 561791648661744 #else @@ -2720,7 +2720,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 756417570499462, 237882279232602, 2136263418594016, 1701968045454886, 703713185137472 #else @@ -2729,7 +2729,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1781187809325462, 1697624151492346, 1381393690939988, 175194132284669, 1483054666415238 #else @@ -2738,7 +2738,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2175517777364616, 708781536456029, 955668231122942, 1967557500069555, 2021208005604118 #else @@ -2749,7 +2749,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1115135966606887, 224217372950782, 915967306279222, 593866251291540, 561747094208006 #else @@ -2758,7 +2758,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1443163092879439, 391875531646162, 2180847134654632, 464538543018753, 1594098196837178 #else 
@@ -2767,7 +2767,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 850858855888869, 319436476624586, 327807784938441, 740785849558761, 17128415486016 #else @@ -2778,7 +2778,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2132756334090067, 536247820155645, 48907151276867, 608473197600695, 1261689545022784 #else @@ -2787,7 +2787,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1525176236978354, 974205476721062, 293436255662638, 148269621098039, 137961998433963 #else @@ -2796,7 +2796,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1121075518299410, 2071745529082111, 1265567917414828, 1648196578317805, 496232102750820 #else @@ -2807,7 +2807,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 122321229299801, 1022922077493685, 2001275453369484, 2017441881607947, 993205880778002 #else @@ -2816,7 +2816,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 654925550560074, 1168810995576858, 575655959430926, 905758704861388, 496774564663534 #else @@ -2825,7 +2825,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1954109525779738, 2117022646152485, 338102630417180, 1194140505732026, 107881734943492 #else @@ -2836,7 +2836,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1714785840001267, 2036500018681589, 1876380234251966, 2056717182974196, 1645855254384642 #else 
@@ -2845,7 +2845,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 106431476499341, 62482972120563, 1513446655109411, 807258751769522, 538491469114 #else @@ -2854,7 +2854,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2002850762893643, 1243624520538135, 1486040410574605, 2184752338181213, 378495998083531 #else @@ -2865,7 +2865,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 922510868424903, 1089502620807680, 402544072617374, 1131446598479839, 1290278588136533 #else @@ -2874,7 +2874,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1867998812076769, 715425053580701, 39968586461416, 2173068014586163, 653822651801304 #else @@ -2883,7 +2883,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 162892278589453, 182585796682149, 75093073137630, 497037941226502, 133871727117371 #else @@ -2894,7 +2894,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1914596576579670, 1608999621851578, 1987629837704609, 1519655314857977, 1819193753409464 #else @@ -2903,7 +2903,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1949315551096831, 1069003344994464, 1939165033499916, 1548227205730856, 1933767655861407 #else @@ -2912,7 +2912,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1730519386931635, 1393284965610134, 1597143735726030, 416032382447158, 1429665248828629 #else 
@@ -2923,7 +2923,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 360275475604565, 547835731063078, 215360904187529, 596646739879007, 332709650425085 #else @@ -2932,7 +2932,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 47602113726801, 1522314509708010, 437706261372925, 814035330438027, 335930650933545 #else @@ -2941,7 +2941,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1291597595523886, 1058020588994081, 402837842324045, 1363323695882781, 2105763393033193 #else @@ -2954,7 +2954,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 109521982566564, 1715257748585139, 1112231216891516, 2046641005101484, 134249157157013 #else @@ -2963,7 +2963,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2156991030936798, 2227544497153325, 1869050094431622, 754875860479115, 1754242344267058 #else @@ -2972,7 +2972,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1846089562873800, 98894784984326, 1412430299204844, 171351226625762, 1100604760929008 #else @@ -2983,7 +2983,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 84172382130492, 499710970700046, 425749630620778, 1762872794206857, 612842602127960 #else @@ -2992,7 +2992,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 868309334532756, 1703010512741873, 1952690008738057, 4325269926064, 2071083554962116 #else 
@@ -3001,7 +3001,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 523094549451158, 401938899487815, 1407690589076010, 2022387426254453, 158660516411257 #else @@ -3012,7 +3012,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 612867287630009, 448212612103814, 571629077419196, 1466796750919376, 1728478129663858 #else @@ -3021,7 +3021,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1723848973783452, 2208822520534681, 1718748322776940, 1974268454121942, 1194212502258141 #else @@ -3030,7 +3030,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1254114807944608, 977770684047110, 2010756238954993, 1783628927194099, 1525962994408256 #else @@ -3041,7 +3041,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 232464058235826, 1948628555342434, 1835348780427694, 1031609499437291, 64472106918373 #else @@ -3050,7 +3050,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 767338676040683, 754089548318405, 1523192045639075, 435746025122062, 512692508440385 #else @@ -3059,7 +3059,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1255955808701983, 1700487367990941, 1166401238800299, 1175121994891534, 1190934801395380 #else @@ -3070,7 +3070,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 349144008168292, 1337012557669162, 1475912332999108, 1321618454900458, 47611291904320 #else 
@@ -3079,7 +3079,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 877519947135419, 2172838026132651, 272304391224129, 1655143327559984, 886229406429814 #else @@ -3088,7 +3088,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 375806028254706, 214463229793940, 572906353144089, 572168269875638, 697556386112979 #else @@ -3099,7 +3099,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1168827102357844, 823864273033637, 2071538752104697, 788062026895924, 599578340743362 #else @@ -3108,7 +3108,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1948116082078088, 2054898304487796, 2204939184983900, 210526805152138, 786593586607626 #else @@ -3117,7 +3117,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1915320147894736, 156481169009469, 655050471180417, 592917090415421, 2165897438660879 #else @@ -3128,7 +3128,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1726336468579724, 1119932070398949, 1929199510967666, 33918788322959, 1836837863503150 #else @@ -3137,7 +3137,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 829996854845988, 217061778005138, 1686565909803640, 1346948817219846, 1723823550730181 #else @@ -3146,7 +3146,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 384301494966394, 687038900403062, 2211195391021739, 254684538421383, 1245698430589680 #else 
@@ -3157,7 +3157,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1247567493562688, 1978182094455847, 183871474792955, 806570235643435, 288461518067916 #else @@ -3166,7 +3166,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1449077384734201, 38285445457996, 2136537659177832, 2146493000841573, 725161151123125 #else @@ -3175,7 +3175,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1201928866368855, 800415690605445, 1703146756828343, 997278587541744, 1858284414104014 #else @@ -3188,7 +3188,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 356468809648877, 782373916933152, 1718002439402870, 1392222252219254, 663171266061951 #else @@ -3197,7 +3197,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 759628738230460, 1012693474275852, 353780233086498, 246080061387552, 2030378857679162 #else @@ -3206,7 +3206,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2040672435071076, 888593182036908, 1298443657189359, 1804780278521327, 354070726137060 #else @@ -3217,7 +3217,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1894938527423184, 1463213041477277, 474410505497651, 247294963033299, 877975941029128 #else @@ -3226,7 +3226,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 207937160991127, 12966911039119, 820997788283092, 1010440472205286, 1701372890140810 #else 
@@ -3235,7 +3235,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 218882774543183, 533427444716285, 1233243976733245, 435054256891319, 1509568989549904 #else @@ -3246,7 +3246,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1888838535711826, 1052177758340622, 1213553803324135, 169182009127332, 463374268115872 #else @@ -3255,7 +3255,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 299137589460312, 1594371588983567, 868058494039073, 257771590636681, 1805012993142921 #else @@ -3264,7 +3264,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1806842755664364, 2098896946025095, 1356630998422878, 1458279806348064, 347755825962072 #else @@ -3275,7 +3275,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1402334161391744, 1560083671046299, 1008585416617747, 1147797150908892, 1420416683642459 #else @@ -3284,7 +3284,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 665506704253369, 273770475169863, 799236974202630, 848328990077558, 1811448782807931 #else @@ -3293,7 +3293,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1468412523962641, 771866649897997, 1931766110147832, 799561180078482, 524837559150077 #else @@ -3304,7 +3304,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2223212657821850, 630416247363666, 2144451165500328, 816911130947791, 1024351058410032 #else 
@@ -3313,7 +3313,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1266603897524861, 156378408858100, 1275649024228779, 447738405888420, 253186462063095 #else @@ -3322,7 +3322,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2022215964509735, 136144366993649, 1800716593296582, 1193970603800203, 871675847064218 #else @@ -3333,7 +3333,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1862751661970328, 851596246739884, 1519315554814041, 1542798466547449, 1417975335901520 #else @@ -3342,7 +3342,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1228168094547481, 334133883362894, 587567568420081, 433612590281181, 603390400373205 #else @@ -3351,7 +3351,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 121893973206505, 1843345804916664, 1703118377384911, 497810164760654, 101150811654673 #else @@ -3362,7 +3362,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 458346255946468, 290909935619344, 1452768413850679, 550922875254215, 1537286854336538 #else @@ -3371,7 +3371,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 584322311184395, 380661238802118, 114839394528060, 655082270500073, 2111856026034852 #else @@ -3380,7 +3380,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 996965581008991, 2148998626477022, 1012273164934654, 1073876063914522, 1688031788934939 #else 
@@ -3391,7 +3391,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 923487018849600, 2085106799623355, 528082801620136, 1606206360876188, 735907091712524 #else @@ -3400,7 +3400,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1697697887804317, 1335343703828273, 831288615207040, 949416685250051, 288760277392022 #else @@ -3409,7 +3409,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1419122478109648, 1325574567803701, 602393874111094, 2107893372601700, 1314159682671307 #else @@ -3422,7 +3422,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2201150872731804, 2180241023425241, 97663456423163, 1633405770247824, 848945042443986 #else @@ -3431,7 +3431,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1173339555550611, 818605084277583, 47521504364289, 924108720564965, 735423405754506 #else @@ -3440,7 +3440,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 830104860549448, 1886653193241086, 1600929509383773, 1475051275443631, 286679780900937 #else @@ -3451,7 +3451,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1577111294832995, 1030899169768747, 144900916293530, 1964672592979567, 568390100955250 #else @@ -3460,7 +3460,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 278388655910247, 487143369099838, 927762205508727, 181017540174210, 1616886700741287 #else 
@@ -3469,7 +3469,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1191033906638969, 940823957346562, 1606870843663445, 861684761499847, 658674867251089 #else @@ -3480,7 +3480,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1875032594195546, 1427106132796197, 724736390962158, 901860512044740, 635268497268760 #else @@ -3489,7 +3489,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 622869792298357, 1903919278950367, 1922588621661629, 1520574711600434, 1087100760174640 #else @@ -3498,7 +3498,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 25465949416618, 1693639527318811, 1526153382657203, 125943137857169, 145276964043999 #else @@ -3509,7 +3509,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 214739857969358, 920212862967915, 1939901550972269, 1211862791775221, 85097515720120 #else @@ -3518,7 +3518,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2006245852772938, 734762734836159, 254642929763427, 1406213292755966, 239303749517686 #else @@ -3527,7 +3527,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1619678837192149, 1919424032779215, 1357391272956794, 1525634040073113, 1310226789796241 #else @@ -3538,7 +3538,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1040763709762123, 1704449869235352, 605263070456329, 1998838089036355, 1312142911487502 #else 
@@ -3547,7 +3547,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1996723311435669, 1844342766567060, 985455700466044, 1165924681400960, 311508689870129 #else @@ -3556,7 +3556,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 43173156290518, 2202883069785309, 1137787467085917, 1733636061944606, 1394992037553852 #else @@ -3567,7 +3567,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 670078326344559, 555655025059356, 471959386282438, 2141455487356409, 849015953823125 #else @@ -3576,7 +3576,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2197214573372804, 794254097241315, 1030190060513737, 267632515541902, 2040478049202624 #else @@ -3585,7 +3585,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1812516004670529, 1609256702920783, 1706897079364493, 258549904773295, 996051247540686 #else @@ -3596,7 +3596,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1540374301420584, 1764656898914615, 1810104162020396, 923808779163088, 664390074196579 #else @@ -3605,7 +3605,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1323460699404750, 1262690757880991, 871777133477900, 1060078894988977, 1712236889662886 #else @@ -3614,7 +3614,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1696163952057966, 1391710137550823, 608793846867416, 1034391509472039, 1780770894075012 #else 
@@ -3625,7 +3625,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1367603834210841, 2131988646583224, 890353773628144, 1908908219165595, 270836895252891 #else @@ -3634,7 +3634,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 597536315471731, 40375058742586, 1942256403956049, 1185484645495932, 312666282024145 #else @@ -3643,7 +3643,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1919411405316294, 1234508526402192, 1066863051997083, 1008444703737597, 1348810787701552 #else @@ -3656,7 +3656,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2102881477513865, 1570274565945361, 1573617900503708, 18662635732583, 2232324307922098 #else @@ -3665,7 +3665,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1853931367696942, 8107973870707, 350214504129299, 775206934582587, 1752317649166792 #else @@ -3674,7 +3674,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1417148368003523, 721357181628282, 505725498207811, 373232277872983, 261634707184480 #else @@ -3685,7 +3685,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2186733281493267, 2250694917008620, 1014829812957440, 479998161452389, 83566193876474 #else @@ -3694,7 +3694,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1268116367301224, 560157088142809, 802626839600444, 2210189936605713, 1129993785579988 #else 
@@ -3703,7 +3703,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 615183387352312, 917611676109240, 878893615973325, 978940963313282, 938686890583575 #else @@ -3714,7 +3714,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 522024729211672, 1045059315315808, 1892245413707790, 1907891107684253, 2059998109500714 #else @@ -3723,7 +3723,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1799679152208884, 912132775900387, 25967768040979, 432130448590461, 274568990261996 #else @@ -3732,7 +3732,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 98698809797682, 2144627600856209, 1907959298569602, 811491302610148, 1262481774981493 #else @@ -3743,7 +3743,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1791451399743152, 1713538728337276, 118349997257490, 1882306388849954, 158235232210248 #else @@ -3752,7 +3752,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1217809823321928, 2173947284933160, 1986927836272325, 1388114931125539, 12686131160169 #else @@ -3761,7 +3761,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1650875518872272, 1136263858253897, 1732115601395988, 734312880662190, 1252904681142109 #else @@ -3772,7 +3772,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 372986456113865, 525430915458171, 2116279931702135, 501422713587815, 1907002872974925 #else 
@@ -3781,7 +3781,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 803147181835288, 868941437997146, 316299302989663, 943495589630550, 571224287904572 #else @@ -3790,7 +3790,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 227742695588364, 1776969298667369, 628602552821802, 457210915378118, 2041906378111140 #else @@ -3801,7 +3801,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 815000523470260, 913085688728307, 1052060118271173, 1345536665214223, 541623413135555 #else @@ -3810,7 +3810,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1580216071604333, 1877997504342444, 857147161260913, 703522726778478, 2182763974211603 #else @@ -3819,7 +3819,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1870080310923419, 71988220958492, 1783225432016732, 615915287105016, 1035570475990230 #else @@ -3830,7 +3830,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 730987750830150, 857613889540280, 1083813157271766, 1002817255970169, 1719228484436074 #else @@ -3839,7 +3839,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 377616581647602, 1581980403078513, 804044118130621, 2034382823044191, 643844048472185 #else @@ -3848,7 +3848,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 176957326463017, 1573744060478586, 528642225008045, 1816109618372371, 1515140189765006 #else 
@@ -3859,7 +3859,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1888911448245718, 1387110895611080, 1924503794066429, 1731539523700949, 2230378382645454 #else @@ -3868,7 +3868,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 443392177002051, 233793396845137, 2199506622312416, 1011858706515937, 974676837063129 #else @@ -3877,7 +3877,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1846351103143623, 1949984838808427, 671247021915253, 1946756846184401, 1929296930380217 #else @@ -3890,7 +3890,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 849646212452002, 1410198775302919, 73767886183695, 1641663456615812, 762256272452411 #else @@ -3899,7 +3899,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 692017667358279, 723305578826727, 1638042139863265, 748219305990306, 334589200523901 #else @@ -3908,7 +3908,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 22893968530686, 2235758574399251, 1661465835630252, 925707319443452, 1203475116966621 #else @@ -3919,7 +3919,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 801299035785166, 1733292596726131, 1664508947088596, 467749120991922, 1647498584535623 #else @@ -3928,7 +3928,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 903105258014366, 427141894933047, 561187017169777, 1884330244401954, 1914145708422219 #else 
@@ -3937,7 +3937,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1344191060517578, 1960935031767890, 1518838929955259, 1781502350597190, 1564784025565682 #else @@ -3948,7 +3948,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 673723351748086, 1979969272514923, 1175287312495508, 1187589090978666, 1881897672213940 #else @@ -3957,7 +3957,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1917185587363432, 1098342571752737, 5935801044414, 2000527662351839, 1538640296181569 #else @@ -3966,7 +3966,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2495540013192, 678856913479236, 224998292422872, 219635787698590, 1972465269000940 #else @@ -3977,7 +3977,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 271413961212179, 1353052061471651, 344711291283483, 2014925838520662, 2006221033113941 #else @@ -3986,7 +3986,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 194583029968109, 514316781467765, 829677956235672, 1676415686873082, 810104584395840 #else @@ -3995,7 +3995,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1980510813313589, 1948645276483975, 152063780665900, 129968026417582, 256984195613935 #else @@ -4006,7 +4006,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1860190562533102, 1936576191345085, 461100292705964, 1811043097042830, 957486749306835 #else 
@@ -4015,7 +4015,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 796664815624365, 1543160838872951, 1500897791837765, 1667315977988401, 599303877030711 #else @@ -4024,7 +4024,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1151480509533204, 2136010406720455, 738796060240027, 319298003765044, 1150614464349587 #else @@ -4035,7 +4035,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1731069268103150, 735642447616087, 1364750481334268, 417232839982871, 927108269127661 #else @@ -4044,7 +4044,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1017222050227968, 1987716148359, 2234319589635701, 621282683093392, 2132553131763026 #else @@ -4053,7 +4053,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1567828528453324, 1017807205202360, 565295260895298, 829541698429100, 307243822276582 #else @@ -4064,7 +4064,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 249079270936248, 1501514259790706, 947909724204848, 944551802437487, 552658763982480 #else @@ -4073,7 +4073,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2089966982947227, 1854140343916181, 2151980759220007, 2139781292261749, 158070445864917 #else @@ -4082,7 +4082,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1338766321464554, 1906702607371284, 1519569445519894, 115384726262267, 1393058953390992 #else 
@@ -4093,7 +4093,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1364621558265400, 1512388234908357, 1926731583198686, 2041482526432505, 920401122333774 #else @@ -4102,7 +4102,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1884844597333588, 601480070269079, 620203503079537, 1079527400117915, 1202076693132015 #else @@ -4111,7 +4111,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 840922919763324, 727955812569642, 1303406629750194, 522898432152867, 294161410441865 #else @@ -4124,7 +4124,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 353760790835310, 1598361541848743, 1122905698202299, 1922533590158905, 419107700666580 #else @@ -4133,7 +4133,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 359856369838236, 180914355488683, 861726472646627, 218807937262986, 575626773232501 #else @@ -4142,7 +4142,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 755467689082474, 909202735047934, 730078068932500, 936309075711518, 2007798262842972 #else @@ -4153,7 +4153,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1609384177904073, 362745185608627, 1335318541768201, 800965770436248, 547877979267412 #else @@ -4162,7 +4162,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 984339177776787, 815727786505884, 1645154585713747, 1659074964378553, 1686601651984156 #else 
@@ -4171,7 +4171,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1697863093781930, 599794399429786, 1104556219769607, 830560774794755, 12812858601017 #else @@ -4182,7 +4182,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1168737550514982, 897832437380552, 463140296333799, 302564600022547, 2008360505135501 #else @@ -4191,7 +4191,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1856930662813910, 678090852002597, 1920179140755167, 1259527833759868, 55540971895511 #else @@ -4200,7 +4200,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1158643631044921, 476554103621892, 178447851439725, 1305025542653569, 103433927680625 #else @@ -4211,7 +4211,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2176793111709008, 1576725716350391, 2009350167273523, 2012390194631546, 2125297410909580 #else @@ -4220,7 +4220,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 825403285195098, 2144208587560784, 1925552004644643, 1915177840006985, 1015952128947864 #else @@ -4229,7 +4229,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1807108316634472, 1534392066433717, 347342975407218, 1153820745616376, 7375003497471 #else @@ -4240,7 +4240,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 983061001799725, 431211889901241, 2201903782961093, 817393911064341, 2214616493042167 #else 
@@ -4249,7 +4249,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 228567918409756, 865093958780220, 358083886450556, 159617889659320, 1360637926292598 #else @@ -4258,7 +4258,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 234147501399755, 2229469128637390, 2175289352258889, 1397401514549353, 1885288963089922 #else @@ -4269,7 +4269,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1111762412951562, 252849572507389, 1048714233823341, 146111095601446, 1237505378776770 #else @@ -4278,7 +4278,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1113790697840279, 1051167139966244, 1045930658550944, 2011366241542643, 1686166824620755 #else @@ -4287,7 +4287,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1054097349305049, 1872495070333352, 182121071220717, 1064378906787311, 100273572924182 #else @@ -4298,7 +4298,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1306410853171605, 1627717417672447, 50983221088417, 1109249951172250, 870201789081392 #else @@ -4307,7 +4307,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 104233794644221, 1548919791188248, 2224541913267306, 2054909377116478, 1043803389015153 #else @@ -4316,7 +4316,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 216762189468802, 707284285441622, 190678557969733, 973969342604308, 1403009538434867 #else 
@@ -4327,7 +4327,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1279024291038477, 344776835218310, 273722096017199, 1834200436811442, 634517197663804 #else @@ -4336,7 +4336,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 343805853118335, 1302216857414201, 566872543223541, 2051138939539004, 321428858384280 #else @@ -4345,7 +4345,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 470067171324852, 1618629234173951, 2000092177515639, 7307679772789, 1117521120249968 #else @@ -4358,7 +4358,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 278151578291475, 1810282338562947, 1771599529530998, 1383659409671631, 685373414471841 #else @@ -4367,7 +4367,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 577009397403102, 1791440261786291, 2177643735971638, 174546149911960, 1412505077782326 #else @@ -4376,7 +4376,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 893719721537457, 1201282458018197, 1522349501711173, 58011597740583, 1130406465887139 #else @@ -4387,7 +4387,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 412607348255453, 1280455764199780, 2233277987330768, 14180080401665, 331584698417165 #else @@ -4396,7 +4396,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 262483770854550, 990511055108216, 526885552771698, 571664396646158, 354086190278723 #else 
@@ -4405,7 +4405,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1820352417585487, 24495617171480, 1547899057533253, 10041836186225, 480457105094042 #else @@ -4416,7 +4416,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2023310314989233, 637905337525881, 2106474638900687, 557820711084072, 1687858215057826 #else @@ -4425,7 +4425,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1144168702609745, 604444390410187, 1544541121756138, 1925315550126027, 626401428894002 #else @@ -4434,7 +4434,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1922168257351784, 2018674099908659, 1776454117494445, 956539191509034, 36031129147635 #else @@ -4445,7 +4445,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 544644538748041, 1039872944430374, 876750409130610, 710657711326551, 1216952687484972 #else @@ -4454,7 +4454,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 58242421545916, 2035812695641843, 2118491866122923, 1191684463816273, 46921517454099 #else @@ -4463,7 +4463,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 272268252444639, 1374166457774292, 2230115177009552, 1053149803909880, 1354288411641016 #else @@ -4474,7 +4474,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1857910905368338, 1754729879288912, 885945464109877, 1516096106802166, 1602902393369811 #else 
@@ -4483,7 +4483,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1193437069800958, 901107149704790, 999672920611411, 477584824802207, 364239578697845 #else @@ -4492,7 +4492,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 886299989548838, 1538292895758047, 1590564179491896, 1944527126709657, 837344427345298 #else @@ -4503,7 +4503,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 754558365378305, 1712186480903618, 1703656826337531, 750310918489786, 518996040250900 #else @@ -4512,7 +4512,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1309847803895382, 1462151862813074, 211370866671570, 1544595152703681, 1027691798954090 #else @@ -4521,7 +4521,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 803217563745370, 1884799722343599, 1357706345069218, 2244955901722095, 730869460037413 #else @@ -4532,7 +4532,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 689299471295966, 1831210565161071, 1375187341585438, 1106284977546171, 1893781834054269 #else @@ -4541,7 +4541,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 696351368613042, 1494385251239250, 738037133616932, 636385507851544, 927483222611406 #else @@ -4550,7 +4550,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1949114198209333, 1104419699537997, 783495707664463, 1747473107602770, 2002634765788641 #else 
@@ -4561,7 +4561,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1607325776830197, 530883941415333, 1451089452727895, 1581691157083423, 496100432831154 #else @@ -4570,7 +4570,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1068900648804224, 2006891997072550, 1134049269345549, 1638760646180091, 2055396084625778 #else @@ -4579,7 +4579,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2222475519314561, 1870703901472013, 1884051508440561, 1344072275216753, 1318025677799069 #else @@ -4592,7 +4592,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 155711679280656, 681100400509288, 389811735211209, 2135723811340709, 408733211204125 #else @@ -4601,7 +4601,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 7813206966729, 194444201427550, 2071405409526507, 1065605076176312, 1645486789731291 #else @@ -4610,7 +4610,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 16625790644959, 1647648827778410, 1579910185572704, 436452271048548, 121070048451050 #else @@ -4621,7 +4621,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1037263028552531, 568385780377829, 297953104144430, 1558584511931211, 2238221839292471 #else @@ -4630,7 +4630,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 190565267697443, 672855706028058, 338796554369226, 337687268493904, 853246848691734 #else 
@@ -4639,7 +4639,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1763863028400139, 766498079432444, 1321118624818005, 69494294452268, 858786744165651 #else @@ -4650,7 +4650,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1292056768563024, 1456632109855638, 1100631247050184, 1386133165675321, 1232898350193752 #else @@ -4659,7 +4659,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 366253102478259, 525676242508811, 1449610995265438, 1183300845322183, 185960306491545 #else @@ -4668,7 +4668,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 28315355815982, 460422265558930, 1799675876678724, 1969256312504498, 1051823843138725 #else @@ -4679,7 +4679,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 156914999361983, 1606148405719949, 1665208410108430, 317643278692271, 1383783705665320 #else @@ -4688,7 +4688,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 54684536365732, 2210010038536222, 1194984798155308, 535239027773705, 1516355079301361 #else @@ -4697,7 +4697,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1484387703771650, 198537510937949, 2186282186359116, 617687444857508, 647477376402122 #else @@ -4708,7 +4708,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2147715541830533, 500032538445817, 646380016884826, 352227855331122, 1488268620408052 #else 
@@ -4717,7 +4717,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 159386186465542, 1877626593362941, 618737197060512, 1026674284330807, 1158121760792685 #else @@ -4726,7 +4726,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1744544377739822, 1964054180355661, 1685781755873170, 2169740670377448, 1286112621104591 #else @@ -4737,7 +4737,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 81977249784993, 1667943117713086, 1668983819634866, 1605016835177615, 1353960708075544 #else @@ -4746,7 +4746,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1602253788689063, 439542044889886, 2220348297664483, 657877410752869, 157451572512238 #else @@ -4755,7 +4755,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1029287186166717, 65860128430192, 525298368814832, 1491902500801986, 1461064796385400 #else @@ -4766,7 +4766,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 408216988729246, 2121095722306989, 913562102267595, 1879708920318308, 241061448436731 #else @@ -4775,7 +4775,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1185483484383269, 1356339572588553, 584932367316448, 102132779946470, 1792922621116791 #else @@ -4784,7 +4784,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1966196870701923, 2230044620318636, 1425982460745905, 261167817826569, 46517743394330 #else 
@@ -4795,7 +4795,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 107077591595359, 884959942172345, 27306869797400, 2224911448949390, 964352058245223 #else @@ -4804,7 +4804,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1730194207717538, 431790042319772, 1831515233279467, 1372080552768581, 1074513929381760 #else @@ -4813,7 +4813,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1450880638731607, 1019861580989005, 1229729455116861, 1174945729836143, 826083146840706 #else @@ -4826,7 +4826,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1899935429242705, 1602068751520477, 940583196550370, 82431069053859, 1540863155745696 #else @@ -4835,7 +4835,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2136688454840028, 2099509000964294, 1690800495246475, 1217643678575476, 828720645084218 #else @@ -4844,7 +4844,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 765548025667841, 462473984016099, 998061409979798, 546353034089527, 2212508972466858 #else @@ -4855,7 +4855,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 46575283771160, 892570971573071, 1281983193144090, 1491520128287375, 75847005908304 #else @@ -4864,7 +4864,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1801436127943107, 1734436817907890, 1268728090345068, 167003097070711, 2233597765834956 #else 
@@ -4873,7 +4873,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1997562060465113, 1048700225534011, 7615603985628, 1855310849546841, 2242557647635213 #else @@ -4884,7 +4884,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1161017320376250, 492624580169043, 2169815802355237, 976496781732542, 1770879511019629 #else @@ -4893,7 +4893,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1357044908364776, 729130645262438, 1762469072918979, 1365633616878458, 181282906404941 #else @@ -4902,7 +4902,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1080413443139865, 1155205815510486, 1848782073549786, 622566975152580, 124965574467971 #else @@ -4913,7 +4913,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1184526762066993, 247622751762817, 692129017206356, 820018689412496, 2188697339828085 #else @@ -4922,7 +4922,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2020536369003019, 202261491735136, 1053169669150884, 2056531979272544, 778165514694311 #else @@ -4931,7 +4931,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 237404399610207, 1308324858405118, 1229680749538400, 720131409105291, 1958958863624906 #else @@ -4942,7 +4942,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 515583508038846, 17656978857189, 1717918437373989, 1568052070792483, 46975803123923 #else 
@@ -4951,7 +4951,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 281527309158085, 36970532401524, 866906920877543, 2222282602952734, 1289598729589882 #else @@ -4960,7 +4960,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1278207464902042, 494742455008756, 1262082121427081, 1577236621659884, 1888786707293291 #else @@ -4971,7 +4971,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 353042527954210, 1830056151907359, 1111731275799225, 174960955838824, 404312815582675 #else @@ -4980,7 +4980,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2064251142068628, 1666421603389706, 1419271365315441, 468767774902855, 191535130366583 #else @@ -4989,7 +4989,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1716987058588002, 1859366439773457, 1767194234188234, 64476199777924, 1117233614485261 #else @@ -5000,7 +5000,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 984292135520292, 135138246951259, 2220652137473167, 1722843421165029, 190482558012909 #else @@ -5009,7 +5009,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 298845952651262, 1166086588952562, 1179896526238434, 1347812759398693, 1412945390096208 #else @@ -5018,7 +5018,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1143239552672925, 906436640714209, 2177000572812152, 2075299936108548, 325186347798433 #else 
@@ -5029,7 +5029,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 721024854374772, 684487861263316, 1373438744094159, 2193186935276995, 1387043709851261 #else @@ -5038,7 +5038,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 418098668140962, 715065997721283, 1471916138376055, 2168570337288357, 937812682637044 #else @@ -5047,7 +5047,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1043584187226485, 2143395746619356, 2209558562919611, 482427979307092, 847556718384018 #else @@ -5060,7 +5060,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1248731221520759, 1465200936117687, 540803492710140, 52978634680892, 261434490176109 #else @@ -5069,7 +5069,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1057329623869501, 620334067429122, 461700859268034, 2012481616501857, 297268569108938 #else @@ -5078,7 +5078,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1055352180870759, 1553151421852298, 1510903185371259, 1470458349428097, 1226259419062731 #else @@ -5089,7 +5089,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1492988790301668, 790326625573331, 1190107028409745, 1389394752159193, 1620408196604194 #else @@ -5098,7 +5098,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 47000654413729, 1004754424173864, 1868044813557703, 173236934059409, 588771199737015 #else 
@@ -5107,7 +5107,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 30498470091663, 1082245510489825, 576771653181956, 806509986132686, 1317634017056939 #else @@ -5118,7 +5118,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 420308055751555, 1493354863316002, 165206721528088, 1884845694919786, 2065456951573059 #else @@ -5127,7 +5127,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1115636332012334, 1854340990964155, 83792697369514, 1972177451994021, 457455116057587 #else @@ -5136,7 +5136,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1698968457310898, 1435137169051090, 1083661677032510, 938363267483709, 340103887207182 #else @@ -5147,7 +5147,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1995325341336574, 911500251774648, 164010755403692, 855378419194762, 1573601397528842 #else @@ -5156,7 +5156,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 241719380661528, 310028521317150, 1215881323380194, 1408214976493624, 2141142156467363 #else @@ -5165,7 +5165,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1315157046163473, 727368447885818, 1363466668108618, 1668921439990361, 1398483384337907 #else @@ -5176,7 +5176,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 75029678299646, 1015388206460473, 1849729037055212, 1939814616452984, 444404230394954 #else 
@@ -5185,7 +5185,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2053597130993710, 2024431685856332, 2233550957004860, 2012407275509545, 872546993104440 #else @@ -5194,7 +5194,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1217269667678610, 599909351968693, 1390077048548598, 1471879360694802, 739586172317596 #else @@ -5205,7 +5205,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1718318639380794, 1560510726633958, 904462881159922, 1418028351780052, 94404349451937 #else @@ -5214,7 +5214,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2132502667405250, 214379346175414, 1502748313768060, 1960071701057800, 1353971822643138 #else @@ -5223,7 +5223,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 319394212043702, 2127459436033571, 717646691535162, 663366796076914, 318459064945314 #else @@ -5234,7 +5234,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 405989424923593, 1960452633787083, 667349034401665, 1492674260767112, 1451061489880787 #else @@ -5243,7 +5243,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 947085906234007, 323284730494107, 1485778563977200, 728576821512394, 901584347702286 #else @@ -5252,7 +5252,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1575783124125742, 2126210792434375, 1569430791264065, 1402582372904727, 1891780248341114 #else 
@@ -5263,7 +5263,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 838432205560695, 1997703511451664, 1018791879907867, 1662001808174331, 78328132957753 #else @@ -5272,7 +5272,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 739152638255629, 2074935399403557, 505483666745895, 1611883356514088, 628654635394878 #else @@ -5281,7 +5281,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1822054032121349, 643057948186973, 7306757352712, 577249257962099, 284735863382083 #else @@ -5294,7 +5294,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1366558556363930, 1448606567552086, 1478881020944768, 165803179355898, 1115718458123498 #else @@ -5303,7 +5303,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 204146226972102, 1630511199034723, 2215235214174763, 174665910283542, 956127674017216 #else @@ -5312,7 +5312,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1562934578796716, 1070893489712745, 11324610642270, 958989751581897, 2172552325473805 #else @@ -5323,7 +5323,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1770564423056027, 735523631664565, 1326060113795289, 1509650369341127, 65892421582684 #else @@ -5332,7 +5332,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 623682558650637, 1337866509471512, 990313350206649, 1314236615762469, 1164772974270275 #else 
@@ -5341,7 +5341,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 223256821462517, 723690150104139, 1000261663630601, 933280913953265, 254872671543046 #else @@ -5352,7 +5352,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1969087237026041, 624795725447124, 1335555107635969, 2069986355593023, 1712100149341902 #else @@ -5361,7 +5361,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1236103475266979, 1837885883267218, 1026072585230455, 1025865513954973, 1801964901432134 #else @@ -5370,7 +5370,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1115241013365517, 1712251818829143, 2148864332502771, 2096001471438138, 2235017246626125 #else @@ -5381,7 +5381,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1299268198601632, 2047148477845621, 2165648650132450, 1612539282026145, 514197911628890 #else @@ -5390,7 +5390,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 118352772338543, 1067608711804704, 1434796676193498, 1683240170548391, 230866769907437 #else @@ -5399,7 +5399,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1850689576796636, 1601590730430274, 1139674615958142, 1954384401440257, 76039205311 #else @@ -5410,7 +5410,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1723387471374172, 997301467038410, 533927635123657, 20928644693965, 1756575222802513 #else 
@@ -5419,7 +5419,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2146711623855116, 503278928021499, 625853062251406, 1109121378393107, 1033853809911861 #else @@ -5428,7 +5428,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 571005965509422, 2005213373292546, 1016697270349626, 56607856974274, 914438579435146 #else @@ -5439,7 +5439,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1346698876211176, 2076651707527589, 1084761571110205, 265334478828406, 1068954492309671 #else @@ -5448,7 +5448,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1769967932677654, 1695893319756416, 1151863389675920, 1781042784397689, 400287774418285 #else @@ -5457,7 +5457,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1851867764003121, 403841933237558, 820549523771987, 761292590207581, 1743735048551143 #else @@ -5468,7 +5468,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 410915148140008, 2107072311871739, 1004367461876503, 99684895396761, 1180818713503224 #else @@ -5477,7 +5477,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 285945406881439, 648174397347453, 1098403762631981, 1366547441102991, 1505876883139217 #else @@ -5486,7 +5486,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 672095903120153, 1675918957959872, 636236529315028, 1569297300327696, 2164144194785875 #else 
@@ -5497,7 +5497,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1902708175321798, 1035343530915438, 1178560808893263, 301095684058146, 1280977479761118 #else @@ -5506,7 +5506,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1615357281742403, 404257611616381, 2160201349780978, 1160947379188955, 1578038619549541 #else @@ -5515,7 +5515,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2013087639791217, 822734930507457, 1785668418619014, 1668650702946164, 389450875221715 #else @@ -5528,7 +5528,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 453918449698368, 106406819929001, 2072540975937135, 308588860670238, 1304394580755385 #else @@ -5537,7 +5537,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1295082798350326, 2091844511495996, 1851348972587817, 3375039684596, 789440738712837 #else @@ -5546,7 +5546,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2083069137186154, 848523102004566, 993982213589257, 1405313299916317, 1532824818698468 #else @@ -5557,7 +5557,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1495961298852430, 1397203457344779, 1774950217066942, 139302743555696, 66603584342787 #else @@ -5566,7 +5566,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1782411379088302, 1096724939964781, 27593390721418, 542241850291353, 1540337798439873 #else 
@@ -5575,7 +5575,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 693543956581437, 171507720360750, 1557908942697227, 1074697073443438, 1104093109037196 #else @@ -5586,7 +5586,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 345288228393419, 1099643569747172, 134881908403743, 1740551994106740, 248212179299770 #else @@ -5595,7 +5595,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 231429562203065, 1526290236421172, 2021375064026423, 1520954495658041, 806337791525116 #else @@ -5604,7 +5604,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1079623667189886, 872403650198613, 766894200588288, 2163700860774109, 2023464507911816 #else @@ -5615,7 +5615,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 854645372543796, 1936406001954827, 151460662541253, 825325739271555, 1554306377287556 #else @@ -5624,7 +5624,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1497138821904622, 1044820250515590, 1742593886423484, 1237204112746837, 849047450816987 #else @@ -5633,7 +5633,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 667962773375330, 1897271816877105, 1399712621683474, 1143302161683099, 2081798441209593 #else @@ -5644,7 +5644,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 127147851567005, 1936114012888110, 1704424366552046, 856674880716312, 716603621335359 #else 
@@ -5653,7 +5653,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1072409664800960, 2146937497077528, 1508780108920651, 935767602384853, 1112800433544068 #else @@ -5662,7 +5662,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 333549023751292, 280219272863308, 2104176666454852, 1036466864875785, 536135186520207 #else @@ -5673,7 +5673,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 373666279883137, 146457241530109, 304116267127857, 416088749147715, 1258577131183391 #else @@ -5682,7 +5682,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1186115062588401, 2251609796968486, 1098944457878953, 1153112761201374, 1791625503417267 #else @@ -5691,7 +5691,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1870078460219737, 2129630962183380, 852283639691142, 292865602592851, 401904317342226 #else @@ -5702,7 +5702,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1361070124828035, 815664541425524, 1026798897364671, 1951790935390647, 555874891834790 #else @@ -5711,7 +5711,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1546301003424277, 459094500062839, 1097668518375311, 1780297770129643, 720763293687608 #else @@ -5720,7 +5720,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1212405311403990, 1536693382542438, 61028431067459, 1863929423417129, 1223219538638038 #else 
@@ -5731,7 +5731,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1294303766540260, 1183557465955093, 882271357233093, 63854569425375, 2213283684565087 #else @@ -5740,7 +5740,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 339050984211414, 601386726509773, 413735232134068, 966191255137228, 1839475899458159 #else @@ -5749,7 +5749,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 235605972169408, 2174055643032978, 1538335001838863, 1281866796917192, 1815940222628465 #else @@ -5762,7 +5762,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1632352921721536, 1833328609514701, 2092779091951987, 1923956201873226, 2210068022482919 #else @@ -5771,7 +5771,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 35271216625062, 1712350667021807, 983664255668860, 98571260373038, 1232645608559836 #else @@ -5780,7 +5780,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1998172393429622, 1798947921427073, 784387737563581, 1589352214827263, 1589861734168180 #else @@ -5791,7 +5791,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1733739258725305, 31715717059538, 201969945218860, 992093044556990, 1194308773174556 #else @@ -5800,7 +5800,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 846415389605137, 746163495539180, 829658752826080, 592067705956946, 957242537821393 #else 
@@ -5809,7 +5809,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1758148849754419, 619249044817679, 168089007997045, 1371497636330523, 1867101418880350 #else @@ -5820,7 +5820,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 326633984209635, 261759506071016, 1700682323676193, 1577907266349064, 1217647663383016 #else @@ -5829,7 +5829,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1714182387328607, 1477856482074168, 574895689942184, 2159118410227270, 1555532449716575 #else @@ -5838,7 +5838,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 853828206885131, 998498946036955, 1835887550391235, 207627336608048, 258363815956050 #else @@ -5849,7 +5849,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 141141474651677, 1236728744905256, 643101419899887, 1646615130509173, 1208239602291765 #else @@ -5858,7 +5858,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1501663228068911, 1354879465566912, 1444432675498247, 897812463852601, 855062598754348 #else @@ -5867,7 +5867,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 714380763546606, 1032824444965790, 1774073483745338, 1063840874947367, 1738680636537158 #else @@ -5878,7 +5878,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1640635546696252, 633168953192112, 2212651044092396, 30590958583852, 368515260889378 #else 
@@ -5887,7 +5887,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1171650314802029, 1567085444565577, 1453660792008405, 757914533009261, 1619511342778196 #else @@ -5896,7 +5896,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 420958967093237, 971103481109486, 2169549185607107, 1301191633558497, 1661514101014240 #else @@ -5907,7 +5907,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 907123651818302, 1332556122804146, 1824055253424487, 1367614217442959, 1982558335973172 #else @@ -5916,7 +5916,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1121533090144639, 1021251337022187, 110469995947421, 1511059774758394, 2110035908131662 #else @@ -5925,7 +5925,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 303213233384524, 2061932261128138, 352862124777736, 40828818670255, 249879468482660 #else @@ -5936,7 +5936,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 856559257852200, 508517664949010, 1378193767894916, 1723459126947129, 1962275756614521 #else @@ -5945,7 +5945,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1445691340537320, 40614383122127, 402104303144865, 485134269878232, 1659439323587426 #else @@ -5954,7 +5954,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 20057458979482, 1183363722525800, 2140003847237215, 2053873950687614, 2112017736174909 #else 
@@ -5965,7 +5965,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2228654250927986, 1483591363415267, 1368661293910956, 1076511285177291, 526650682059608 #else @@ -5974,7 +5974,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 709481497028540, 531682216165724, 316963769431931, 1814315888453765, 258560242424104 #else @@ -5983,7 +5983,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1053447823660455, 1955135194248683, 1010900954918985, 1182614026976701, 1240051576966610 #else @@ -5996,7 +5996,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1957943897155497, 1788667368028035, 137692910029106, 1039519607062, 826404763313028 #else @@ -6005,7 +6005,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1848942433095597, 1582009882530495, 1849292741020143, 1068498323302788, 2001402229799484 #else @@ -6014,7 +6014,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1528282417624269, 2142492439828191, 2179662545816034, 362568973150328, 1591374675250271 #else @@ -6025,7 +6025,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 160026679434388, 232341189218716, 2149181472355545, 598041771119831, 183859001910173 #else @@ -6034,7 +6034,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2013278155187349, 662660471354454, 793981225706267, 411706605985744, 804490933124791 #else 
@@ -6043,7 +6043,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2051892037280204, 488391251096321, 2230187337030708, 930221970662692, 679002758255210 #else @@ -6054,7 +6054,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1530723630438670, 875873929577927, 341560134269988, 449903119530753, 1055551308214179 #else @@ -6063,7 +6063,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1461835919309432, 1955256480136428, 180866187813063, 1551979252664528, 557743861963950 #else @@ -6072,7 +6072,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 359179641731115, 1324915145732949, 902828372691474, 294254275669987, 1887036027752957 #else @@ -6083,7 +6083,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2043271609454323, 2038225437857464, 1317528426475850, 1398989128982787, 2027639881006861 #else @@ -6092,7 +6092,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2072902725256516, 312132452743412, 309930885642209, 996244312618453, 1590501300352303 #else @@ -6101,7 +6101,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1397254305160710, 695734355138021, 2233992044438756, 1776180593969996, 1085588199351115 #else @@ -6112,7 +6112,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 440567051331029, 254894786356681, 493869224930222, 1556322069683366, 1567456540319218 #else 
@@ -6121,7 +6121,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1950722461391320, 1907845598854797, 1822757481635527, 2121567704750244, 73811931471221 #else @@ -6130,7 +6130,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 387139307395758, 2058036430315676, 1220915649965325, 1794832055328951, 1230009312169328 #else @@ -6141,7 +6141,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1765973779329517, 659344059446977, 19821901606666, 1301928341311214, 1116266004075885 #else @@ -6150,7 +6150,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1127572801181483, 1224743760571696, 1276219889847274, 1529738721702581, 1589819666871853 #else @@ -6159,7 +6159,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2181229378964934, 2190885205260020, 1511536077659137, 1246504208580490, 668883326494241 #else @@ -6170,7 +6170,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 437866655573314, 669026411194768, 81896997980338, 523874406393178, 245052060935236 #else @@ -6179,7 +6179,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1975438052228868, 1071801519999806, 594652299224319, 1877697652668809, 1489635366987285 #else @@ -6188,7 +6188,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 958592545673770, 233048016518599, 851568750216589, 567703851596087, 1740300006094761 #else 
@@ -6199,7 +6199,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2014540178270324, 192672779514432, 213877182641530, 2194819933853411, 1716422829364835 #else @@ -6208,7 +6208,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1540769606609725, 2148289943846077, 1597804156127445, 1230603716683868, 815423458809453 #else @@ -6217,7 +6217,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1738560251245018, 1779576754536888, 1783765347671392, 1880170990446751, 1088225159617541 #else @@ -6230,7 +6230,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 659303913929492, 1956447718227573, 1830568515922666, 841069049744408, 1669607124206368 #else @@ -6239,7 +6239,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1143465490433355, 1532194726196059, 1093276745494697, 481041706116088, 2121405433561163 #else @@ -6248,7 +6248,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1686424298744462, 1451806974487153, 266296068846582, 1834686947542675, 1720762336132256 #else @@ -6259,7 +6259,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 889217026388959, 1043290623284660, 856125087551909, 1669272323124636, 1603340330827879 #else @@ -6268,7 +6268,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1206396181488998, 333158148435054, 1402633492821422, 1120091191722026, 1945474114550509 #else 
@@ -6277,7 +6277,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 766720088232571, 1512222781191002, 1189719893490790, 2091302129467914, 2141418006894941 #else @@ -6288,7 +6288,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 419663647306612, 1998875112167987, 1426599870253707, 1154928355379510, 486538532138187 #else @@ -6297,7 +6297,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 938160078005954, 1421776319053174, 1941643234741774, 180002183320818, 1414380336750546 #else @@ -6306,7 +6306,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 398001940109652, 1577721237663248, 1012748649830402, 1540516006905144, 1011684812884559 #else @@ -6317,7 +6317,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1653276489969630, 6081825167624, 1921777941170836, 1604139841794531, 861211053640641 #else @@ -6326,7 +6326,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 996661541407379, 1455877387952927, 744312806857277, 139213896196746, 1000282908547789 #else @@ -6335,7 +6335,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1450817495603008, 1476865707053229, 1030490562252053, 620966950353376, 1744760161539058 #else @@ -6346,7 +6346,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 559728410002599, 37056661641185, 2038622963352006, 1637244893271723, 1026565352238948 #else 
@@ -6355,7 +6355,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 962165956135846, 1116599660248791, 182090178006815, 1455605467021751, 196053588803284 #else @@ -6364,7 +6364,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 796863823080135, 1897365583584155, 420466939481601, 2165972651724672, 932177357788289 #else @@ -6375,7 +6375,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 877047233620632, 1375632631944375, 643773611882121, 660022738847877, 19353932331831 #else @@ -6384,7 +6384,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2216943882299338, 394841323190322, 2222656898319671, 558186553950529, 1077236877025190 #else @@ -6393,7 +6393,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 801118384953213, 1914330175515892, 574541023311511, 1471123787903705, 1526158900256288 #else @@ -6404,7 +6404,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 949617889087234, 2207116611267331, 912920039141287, 501158539198789, 62362560771472 #else @@ -6413,7 +6413,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1474518386765335, 1760793622169197, 1157399790472736, 1622864308058898, 165428294422792 #else @@ -6422,7 +6422,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1961673048027128, 102619413083113, 1051982726768458, 1603657989805485, 1941613251499678 #else 
@@ -6433,7 +6433,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1401939116319266, 335306339903072, 72046196085786, 862423201496006, 850518754531384 #else @@ -6442,7 +6442,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1234706593321979, 1083343891215917, 898273974314935, 1640859118399498, 157578398571149 #else @@ -6451,7 +6451,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1143483057726416, 1992614991758919, 674268662140796, 1773370048077526, 674318359920189 #else @@ -6464,7 +6464,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1835401379538542, 173900035308392, 818247630716732, 1762100412152786, 1021506399448291 #else @@ -6473,7 +6473,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1506632088156630, 2127481795522179, 513812919490255, 140643715928370, 442476620300318 #else @@ -6482,7 +6482,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2056683376856736, 219094741662735, 2193541883188309, 1841182310235800, 556477468664293 #else @@ -6493,7 +6493,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1315019427910827, 1049075855992603, 2066573052986543, 266904467185534, 2040482348591520 #else @@ -6502,7 +6502,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 94096246544434, 922482381166992, 24517828745563, 2139430508542503, 2097139044231004 #else 
@@ -6511,7 +6511,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 537697207950515, 1399352016347350, 1563663552106345, 2148749520888918, 549922092988516 #else @@ -6522,7 +6522,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1747985413252434, 680511052635695, 1809559829982725, 594274250930054, 201673170745982 #else @@ -6531,7 +6531,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 323583936109569, 1973572998577657, 1192219029966558, 79354804385273, 1374043025560347 #else @@ -6540,7 +6540,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 213277331329947, 416202017849623, 1950535221091783, 1313441578103244, 2171386783823658 #else @@ -6551,7 +6551,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 189088804229831, 993969372859110, 895870121536987, 1547301535298256, 1477373024911350 #else @@ -6560,7 +6560,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1620578418245010, 541035331188469, 2235785724453865, 2154865809088198, 1974627268751826 #else @@ -6569,7 +6569,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1346805451740245, 1350981335690626, 942744349501813, 2155094562545502, 1012483751693409 #else @@ -6580,7 +6580,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2107080134091762, 1132567062788208, 1824935377687210, 769194804343737, 1857941799971888 #else 
@@ -6589,7 +6589,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1074666112436467, 249279386739593, 1174337926625354, 1559013532006480, 1472287775519121 #else @@ -6598,7 +6598,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1872620123779532, 1892932666768992, 1921559078394978, 1270573311796160, 1438913646755037 #else @@ -6609,7 +6609,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 837390187648199, 1012253300223599, 989780015893987, 1351393287739814, 328627746545550 #else @@ -6618,7 +6618,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1028328827183114, 1711043289969857, 1350832470374933, 1923164689604327, 1495656368846911 #else @@ -6627,7 +6627,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1900828492104143, 430212361082163, 687437570852799, 832514536673512, 1685641495940794 #else @@ -6638,7 +6638,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 842632847936398, 605670026766216, 290836444839585, 163210774892356, 2213815011799645 #else @@ -6647,7 +6647,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1176336383453996, 1725477294339771, 12700622672454, 678015708818208, 162724078519879 #else @@ -6656,7 +6656,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1448049969043497, 1789411762943521, 385587766217753, 90201620913498, 832999441066823 #else 
@@ -6667,7 +6667,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 516086333293313, 2240508292484616, 1351669528166508, 1223255565316488, 750235824427138 #else @@ -6676,7 +6676,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1263624896582495, 1102602401673328, 526302183714372, 2152015839128799, 1483839308490010 #else @@ -6685,7 +6685,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 442991718646863, 1599275157036458, 1925389027579192, 899514691371390, 350263251085160 #else @@ -6698,7 +6698,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1689713572022143, 593854559254373, 978095044791970, 1985127338729499, 1676069120347625 #else @@ -6707,7 +6707,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1557207018622683, 340631692799603, 1477725909476187, 614735951619419, 2033237123746766 #else @@ -6716,7 +6716,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 968764929340557, 1225534776710944, 662967304013036, 1155521416178595, 791142883466590 #else @@ -6727,7 +6727,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1487081286167458, 993039441814934, 1792378982844640, 698652444999874, 2153908693179754 #else @@ -6736,7 +6736,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1123181311102823, 685575944875442, 507605465509927, 1412590462117473, 568017325228626 #else 
@@ -6745,7 +6745,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 560258797465417, 2193971151466401, 1824086900849026, 579056363542056, 1690063960036441 #else @@ -6756,7 +6756,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1918407319222416, 353767553059963, 1930426334528099, 1564816146005724, 1861342381708096 #else @@ -6765,7 +6765,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2131325168777276, 1176636658428908, 1756922641512981, 1390243617176012, 1966325177038383 #else @@ -6774,7 +6774,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2063958120364491, 2140267332393533, 699896251574968, 273268351312140, 375580724713232 #else @@ -6785,7 +6785,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2024297515263178, 416959329722687, 1079014235017302, 171612225573183, 1031677520051053 #else @@ -6794,7 +6794,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2033900009388450, 1744902869870788, 2190580087917640, 1949474984254121, 231049754293748 #else @@ -6803,7 +6803,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 343868674606581, 550155864008088, 1450580864229630, 481603765195050, 896972360018042 #else @@ -6814,7 +6814,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2151139328380127, 314745882084928, 59756825775204, 1676664391494651, 2048348075599360 #else 
@@ -6823,7 +6823,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1528930066340597, 1605003907059576, 1055061081337675, 1458319101947665, 1234195845213142 #else @@ -6832,7 +6832,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 830430507734812, 1780282976102377, 1425386760709037, 362399353095425, 2168861579799910 #else @@ -6843,7 +6843,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1155762232730333, 980662895504006, 2053766700883521, 490966214077606, 510405877041357 #else @@ -6852,7 +6852,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1683750316716132, 652278688286128, 1221798761193539, 1897360681476669, 319658166027343 #else @@ -6861,7 +6861,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 618808732869972, 72755186759744, 2060379135624181, 1730731526741822, 48862757828238 #else @@ -6872,7 +6872,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1463171970593505, 1143040711767452, 614590986558883, 1409210575145591, 1882816996436803 #else @@ -6881,7 +6881,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2230133264691131, 563950955091024, 2042915975426398, 827314356293472, 672028980152815 #else @@ -6890,7 +6890,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 264204366029760, 1654686424479449, 2185050199932931, 2207056159091748, 506015669043634 #else 
@@ -6901,7 +6901,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1784446333136569, 1973746527984364, 334856327359575, 1156769775884610, 1023950124675478 #else @@ -6910,7 +6910,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2065270940578383, 31477096270353, 306421879113491, 181958643936686, 1907105536686083 #else @@ -6919,7 +6919,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1496516440779464, 1748485652986458, 872778352227340, 818358834654919, 97932669284220 #else @@ -6932,7 +6932,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 471636015770351, 672455402793577, 1804995246884103, 1842309243470804, 1501862504981682 #else @@ -6941,7 +6941,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1013216974933691, 538921919682598, 1915776722521558, 1742822441583877, 1886550687916656 #else @@ -6950,7 +6950,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2094270000643336, 303971879192276, 40801275554748, 649448917027930, 1818544418535447 #else @@ -6961,7 +6961,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2241737709499165, 549397817447461, 838180519319392, 1725686958520781, 1705639080897747 #else @@ -6970,7 +6970,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1216074541925116, 50120933933509, 1565829004133810, 721728156134580, 349206064666188 #else 
@@ -6979,7 +6979,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 948617110470858, 346222547451945, 1126511960599975, 1759386906004538, 493053284802266 #else @@ -6990,7 +6990,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1454933046815146, 874696014266362, 1467170975468588, 1432316382418897, 2111710746366763 #else @@ -6999,7 +6999,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2105387117364450, 1996463405126433, 1303008614294500, 851908115948209, 1353742049788635 #else @@ -7008,7 +7008,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 750300956351719, 1487736556065813, 15158817002104, 1511998221598392, 971739901354129 #else @@ -7019,7 +7019,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1874648163531693, 2124487685930551, 1810030029384882, 918400043048335, 586348627300650 #else @@ -7028,7 +7028,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1235084464747900, 1166111146432082, 1745394857881591, 1405516473883040, 4463504151617 #else @@ -7037,7 +7037,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1663810156463827, 327797390285791, 1341846161759410, 1964121122800605, 1747470312055380 #else @@ -7048,7 +7048,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 660005247548233, 2071860029952887, 1358748199950107, 911703252219107, 1014379923023831 #else 
@@ -7057,7 +7057,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2206641276178231, 1690587809721504, 1600173622825126, 2156096097634421, 1106822408548216 #else @@ -7066,7 +7066,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1344788193552206, 1949552134239140, 1735915881729557, 675891104100469, 1834220014427292 #else @@ -7077,7 +7077,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1920949492387964, 158885288387530, 70308263664033, 626038464897817, 1468081726101009 #else @@ -7086,7 +7086,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 622221042073383, 1210146474039168, 1742246422343683, 1403839361379025, 417189490895736 #else @@ -7095,7 +7095,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 22727256592983, 168471543384997, 1324340989803650, 1839310709638189, 504999476432775 #else @@ -7106,7 +7106,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1313240518756327, 1721896294296942, 52263574587266, 2065069734239232, 804910473424630 #else @@ -7115,7 +7115,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1337466662091884, 1287645354669772, 2018019646776184, 652181229374245, 898011753211715 #else @@ -7124,7 +7124,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1969792547910734, 779969968247557, 2011350094423418, 1823964252907487, 1058949448296945 #else 
@@ -7135,7 +7135,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 207343737062002, 1118176942430253, 758894594548164, 806764629546266, 1157700123092949 #else @@ -7144,7 +7144,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1273565321399022, 1638509681964574, 759235866488935, 666015124346707, 897983460943405 #else @@ -7153,7 +7153,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1717263794012298, 1059601762860786, 1837819172257618, 1054130665797229, 680893204263559 #else @@ -7166,7 +7166,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2237039662793603, 2249022333361206, 2058613546633703, 149454094845279, 2215176649164582 #else @@ -7175,7 +7175,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 79472182719605, 1851130257050174, 1825744808933107, 821667333481068, 781795293511946 #else @@ -7184,7 +7184,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 755822026485370, 152464789723500, 1178207602290608, 410307889503239, 156581253571278 #else @@ -7195,7 +7195,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1418185496130297, 484520167728613, 1646737281442950, 1401487684670265, 1349185550126961 #else @@ -7204,7 +7204,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1495380034400429, 325049476417173, 46346894893933, 1553408840354856, 828980101835683 #else 
@@ -7213,7 +7213,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1280337889310282, 2070832742866672, 1640940617225222, 2098284908289951, 450929509534434 #else @@ -7224,7 +7224,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 407703353998781, 126572141483652, 286039827513621, 1999255076709338, 2030511179441770 #else @@ -7233,7 +7233,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1254958221100483, 1153235960999843, 942907704968834, 637105404087392, 1149293270147267 #else @@ -7242,7 +7242,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 894249020470196, 400291701616810, 406878712230981, 1599128793487393, 1145868722604026 #else @@ -7253,7 +7253,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1497955250203334, 110116344653260, 1128535642171976, 1900106496009660, 129792717460909 #else @@ -7262,7 +7262,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 452487513298665, 1352120549024569, 1173495883910956, 1999111705922009, 367328130454226 #else @@ -7271,7 +7271,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1717539401269642, 1475188995688487, 891921989653942, 836824441505699, 1885988485608364 #else @@ -7282,7 +7282,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1241784121422547, 187337051947583, 1118481812236193, 428747751936362, 30358898927325 #else 
@@ -7291,7 +7291,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2022432361201842, 1088816090685051, 1977843398539868, 1854834215890724, 564238862029357 #else @@ -7300,7 +7300,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 938868489100585, 1100285072929025, 1017806255688848, 1957262154788833, 152787950560442 #else @@ -7311,7 +7311,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 867319417678923, 620471962942542, 226032203305716, 342001443957629, 1761675818237336 #else @@ -7320,7 +7320,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1295072362439987, 931227904689414, 1355731432641687, 922235735834035, 892227229410209 #else @@ -7329,7 +7329,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1680989767906154, 535362787031440, 2136691276706570, 1942228485381244, 1267350086882274 #else @@ -7340,7 +7340,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 366018233770527, 432660629755596, 126409707644535, 1973842949591662, 645627343442376 #else @@ -7349,7 +7349,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 535509430575217, 546885533737322, 1524675609547799, 2138095752851703, 1260738089896827 #else @@ -7358,7 +7358,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1159906385590467, 2198530004321610, 714559485023225, 81880727882151, 1484020820037082 #else 
@@ -7369,7 +7369,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1377485731340769, 2046328105512000, 1802058637158797, 62146136768173, 1356993908853901 #else @@ -7378,7 +7378,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2013612215646735, 1830770575920375, 536135310219832, 609272325580394, 270684344495013 #else @@ -7387,7 +7387,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1237542585982777, 2228682050256790, 1385281931622824, 593183794882890, 493654978552689 #else @@ -7400,7 +7400,7 @@ static const ge_precomp k25519Precomp[32][8] = { { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 47341488007760, 1891414891220257, 983894663308928, 176161768286818, 1126261115179708 #else @@ -7409,7 +7409,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1694030170963455, 502038567066200, 1691160065225467, 949628319562187, 275110186693066 #else @@ -7418,7 +7418,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1124515748676336, 1661673816593408, 1499640319059718, 1584929449166988, 558148594103306 #else @@ -7429,7 +7429,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1784525599998356, 1619698033617383, 2097300287550715, 258265458103756, 1905684794832758 #else @@ -7438,7 +7438,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1288941072872766, 931787902039402, 190731008859042, 2006859954667190, 1005931482221702 #else 
@@ -7447,7 +7447,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1465551264822703, 152905080555927, 680334307368453, 173227184634745, 666407097159852 #else @@ -7458,7 +7458,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2111017076203943, 1378760485794347, 1248583954016456, 1352289194864422, 1895180776543896 #else @@ -7467,7 +7467,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 171348223915638, 662766099800389, 462338943760497, 466917763340314, 656911292869115 #else @@ -7476,7 +7476,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 488623681976577, 866497561541722, 1708105560937768, 1673781214218839, 1506146329818807 #else @@ -7487,7 +7487,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 160425464456957, 950394373239689, 430497123340934, 711676555398832, 320964687779005 #else @@ -7496,7 +7496,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 988979367990485, 1359729327576302, 1301834257246029, 294141160829308, 29348272277475 #else @@ -7505,7 +7505,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1434382743317910, 100082049942065, 221102347892623, 186982837860588, 1305765053501834 #else @@ -7516,7 +7516,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2205916462268190, 499863829790820, 961960554686616, 158062762756985, 1841471168298305 #else 
@@ -7525,7 +7525,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1191737341426592, 1847042034978363, 1382213545049056, 1039952395710448, 788812858896859 #else @@ -7534,7 +7534,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1346965964571152, 1291881610839830, 2142916164336056, 786821641205979, 1571709146321039 #else @@ -7545,7 +7545,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 787164375951248, 202869205373189, 1356590421032140, 1431233331032510, 786341368775957 #else @@ -7554,7 +7554,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 492448143532951, 304105152670757, 1761767168301056, 233782684697790, 1981295323106089 #else @@ -7563,7 +7563,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 665807507761866, 1343384868355425, 895831046139653, 439338948736892, 1986828765695105 #else @@ -7574,7 +7574,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 756096210874553, 1721699973539149, 258765301727885, 1390588532210645, 1212530909934781 #else @@ -7583,7 +7583,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 852891097972275, 1816988871354562, 1543772755726524, 1174710635522444, 202129090724628 #else @@ -7592,7 +7592,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1205281565824323, 22430498399418, 992947814485516, 1392458699738672, 688441466734558 #else 
@@ -7603,7 +7603,7 @@ static const ge_precomp k25519Precomp[32][8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1050627428414972, 1955849529137135, 2171162376368357, 91745868298214, 447733118757826 #else @@ -7612,7 +7612,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1287181461435438, 622722465530711, 880952150571872, 741035693459198, 311565274989772 #else @@ -7621,7 +7621,7 @@ static const ge_precomp k25519Precomp[32][8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1003649078149734, 545233927396469, 1849786171789880, 1318943684880434, 280345687170552 #else @@ -7639,7 +7639,7 @@ static const ge_precomp k25519Precomp[32][8] = { static const ge_precomp Bi[8] = { { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1288382639258501, 245678601348599, 269427782077623, 1462984067271730, 137412439391563 #else @@ -7648,7 +7648,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 62697248952638, 204681361388450, 631292143396476, 338455783676468, 1213667448819585 #else @@ -7657,7 +7657,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 301289933810280, 1259582250014073, 1422107436869536, 796239922652654, 1953934009299142 #else @@ -7668,7 +7668,7 @@ static const ge_precomp Bi[8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1601611775252272, 1720807796594148, 1132070835939856, 1260455018889551, 2147779492816911 #else @@ -7677,7 +7677,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 316559037616741, 2177824224946892, 1459442586438991, 1461528397712656, 751590696113597 #else 
@@ -7686,7 +7686,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1850748884277385, 1200145853858453, 1068094770532492, 672251375690438, 1586055907191707 #else @@ -7697,7 +7697,7 @@ static const ge_precomp Bi[8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 769950342298419, 132954430919746, 844085933195555, 974092374476333, 726076285546016 #else @@ -7706,7 +7706,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 425251763115706, 608463272472562, 442562545713235, 837766094556764, 374555092627893 #else @@ -7715,7 +7715,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1086255230780037, 274979815921559, 1960002765731872, 929474102396301, 1190409889297339 #else @@ -7726,7 +7726,7 @@ static const ge_precomp Bi[8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 665000864555967, 2065379846933859, 370231110385876, 350988370788628, 1233371373142985 #else @@ -7735,7 +7735,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2019367628972465, 676711900706637, 110710997811333, 1108646842542025, 517791959672113 #else @@ -7744,7 +7744,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 965130719900578, 247011430587952, 526356006571389, 91986625355052, 2157223321444601 #else @@ -7755,7 +7755,7 @@ static const ge_precomp Bi[8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1802695059465007, 1664899123557221, 593559490740857, 2160434469266659, 927570450755031 #else 
@@ -7764,7 +7764,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1725674970513508, 1933645953859181, 1542344539275782, 1767788773573747, 1297447965928905 #else @@ -7773,7 +7773,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1381809363726107, 1430341051343062, 2061843536018959, 1551778050872521, 2036394857967624 #else @@ -7784,7 +7784,7 @@ static const ge_precomp Bi[8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1970894096313054, 528066325833207, 1619374932191227, 2207306624415883, 1169170329061080 #else @@ -7793,7 +7793,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 2070390218572616, 1458919061857835, 624171843017421, 1055332792707765, 433987520732508 #else @@ -7802,7 +7802,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 893653801273833, 1168026499324677, 1242553501121234, 1306366254304474, 1086752658510815 #else @@ -7813,7 +7813,7 @@ static const ge_precomp Bi[8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 213454002618221, 939771523987438, 1159882208056014, 317388369627517, 621213314200687 #else @@ -7822,7 +7822,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1971678598905747, 338026507889165, 762398079972271, 655096486107477, 42299032696322 #else @@ -7831,7 +7831,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 177130678690680, 1754759263300204, 1864311296286618, 1180675631479880, 1292726903152791 #else 
@@ -7842,7 +7842,7 @@ static const ge_precomp Bi[8] = { }, { {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1913163449625248, 460779200291993, 2193883288642314, 1008900146920800, 1721983679009502 #else @@ -7851,7 +7851,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 1070401523076875, 1272492007800961, 1910153608563310, 2075579521696771, 1191169788841221 #else @@ -7860,7 +7860,7 @@ static const ge_precomp Bi[8] = { #endif }}, {{ -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) 692896803108118, 500174642072499, 2068223309439677, 1162190621851337, 1426986007309901 #else diff --git a/src/crypto/curve25519/internal.h b/src/crypto/curve25519/internal.h index 76ff78fa..1420601b 100644 --- a/src/crypto/curve25519/internal.h +++ b/src/crypto/curve25519/internal.h @@ -32,11 +32,7 @@ void x25519_NEON(uint8_t out[32], const uint8_t scalar[32], const uint8_t point[32]); #endif -#if defined(BORINGSSL_HAS_UINT128) -#define BORINGSSL_CURVE25519_64BIT -#endif - -#if defined(BORINGSSL_CURVE25519_64BIT) +#if defined(OPENSSL_64_BIT) // fe means field element. Here the field is \Z/(2^255-19). An element t, // entries t[0]...t[4], represents the integer t[0]+2^51 t[1]+2^102 t[2]+2^153 // t[3]+2^204 t[4]. diff --git a/src/crypto/curve25519/make_curve25519_tables.py b/src/crypto/curve25519/make_curve25519_tables.py index 50dee2a9..c3cf12ab 100755 --- a/src/crypto/curve25519/make_curve25519_tables.py +++ b/src/crypto/curve25519/make_curve25519_tables.py @@ -110,7 +110,7 @@ def to_base_51(x): return ret def to_literal(x): - ret = "{{\n#if defined(BORINGSSL_CURVE25519_64BIT)\n" + ret = "{{\n#if defined(OPENSSL_64_BIT)\n" ret += ", ".join(map(str, to_base_51(x))) ret += "\n#else\n" ret += ", ".join(map(str, to_base_25_5(x))) diff --git a/src/crypto/err/err_data_generate.go b/src/crypto/err/err_data_generate.go index 332b4e15..d4a7c28a 100644 
--- a/src/crypto/err/err_data_generate.go +++ b/src/crypto/err/err_data_generate.go @@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + package main import ( @@ -115,23 +117,8 @@ func (st *stringList) Add(key uint32, value string) error { return nil } -// keySlice is a type that implements sorting of entries values. -type keySlice []uint32 - -func (ks keySlice) Len() int { - return len(ks) -} - -func (ks keySlice) Less(i, j int) bool { - return (ks[i] >> 15) < (ks[j] >> 15) -} - -func (ks keySlice) Swap(i, j int) { - ks[i], ks[j] = ks[j], ks[i] -} - func (st *stringList) buildList() []uint32 { - sort.Sort(keySlice(st.entries)) + sort.Slice(st.entries, func(i, j int) bool { return (st.entries[i] >> 15) < (st.entries[j] >> 15) }) return st.entries } diff --git a/src/crypto/fipsmodule/bn/bn_test_to_fuzzer.go b/src/crypto/fipsmodule/bn/bn_test_to_fuzzer.go index 1e48df35..2915db5f 100644 --- a/src/crypto/fipsmodule/bn/bn_test_to_fuzzer.go +++ b/src/crypto/fipsmodule/bn/bn_test_to_fuzzer.go @@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + package main import ( diff --git a/src/crypto/fipsmodule/bn/check_bn_tests.go b/src/crypto/fipsmodule/bn/check_bn_tests.go index dd1def80..032b9e32 100644 --- a/src/crypto/fipsmodule/bn/check_bn_tests.go +++ b/src/crypto/fipsmodule/bn/check_bn_tests.go @@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + package main import ( diff --git a/src/crypto/fipsmodule/ec/internal.h b/src/crypto/fipsmodule/ec/internal.h index 846431fd..3b6fa4a4 100644 --- a/src/crypto/fipsmodule/ec/internal.h +++ b/src/crypto/fipsmodule/ec/internal.h 
@@ -91,6 +91,8 @@ extern "C" { // be the largest fields anyone plausibly uses. #define EC_MAX_BYTES 66 #define EC_MAX_WORDS ((EC_MAX_BYTES + BN_BYTES - 1) / BN_BYTES) +#define EC_MAX_COMPRESSED (EC_MAX_BYTES + 1) +#define EC_MAX_UNCOMPRESSED (2 * EC_MAX_BYTES + 1) static_assert(EC_MAX_WORDS <= BN_SMALL_MAX_WORDS, "bn_*_small functions not usable"); @@ -119,8 +121,8 @@ OPENSSL_EXPORT void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, // ec_scalar_from_bytes deserializes |in| and stores the resulting scalar over // group |group| to |out|. It returns one on success and zero if |in| is // invalid. -int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, - const uint8_t *in, size_t len); +OPENSSL_EXPORT int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, + const uint8_t *in, size_t len); // ec_scalar_reduce sets |out| to |words|, reduced modulo the group order. // |words| must be less than order^2. |num| must be at most twice the width of @@ -279,8 +281,8 @@ void ec_affine_to_jacobian(const EC_GROUP *group, EC_RAW_POINT *out, // // If only extracting the x-coordinate, use |ec_get_x_coordinate_*| which is // slightly faster. -int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, - const EC_RAW_POINT *p); +OPENSSL_EXPORT int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, + const EC_RAW_POINT *p); // ec_jacobian_to_affine_batch converts |num| points in |in| from Jacobian // coordinates to affine coordinates and writes the results to |out|. It returns diff --git a/src/crypto/fipsmodule/ec/make_ec_scalar_base_mult_tests.go b/src/crypto/fipsmodule/ec/make_ec_scalar_base_mult_tests.go index 169d226a..1d3896aa 100644 --- a/src/crypto/fipsmodule/ec/make_ec_scalar_base_mult_tests.go +++ b/src/crypto/fipsmodule/ec/make_ec_scalar_base_mult_tests.go 
@@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + package main import ( diff --git a/src/crypto/fipsmodule/ec/make_p256-nistz-tests.go b/src/crypto/fipsmodule/ec/make_p256-nistz-tests.go index 04a1a1c8..e10990b3 100644 --- a/src/crypto/fipsmodule/ec/make_p256-nistz-tests.go +++ b/src/crypto/fipsmodule/ec/make_p256-nistz-tests.go @@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + package main import ( diff --git a/src/crypto/fipsmodule/ec/make_tables.go b/src/crypto/fipsmodule/ec/make_tables.go index 7fb9041c..120c40bd 100644 --- a/src/crypto/fipsmodule/ec/make_tables.go +++ b/src/crypto/fipsmodule/ec/make_tables.go @@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + package main import ( @@ -151,7 +153,7 @@ func writeP256Table(path string) error { // Tables for other points have table[i] = iG for i in 0 .. 16. // fiat_p256_g_pre_comp is the table of precomputed base points -#if defined(BORINGSSL_NISTP256_64BIT) +#if defined(OPENSSL_64_BIT) static const fiat_p256_felem fiat_p256_g_pre_comp[2][15][2] = ` if _, err := f.WriteString(fileHeader); err != nil { return err diff --git a/src/crypto/fipsmodule/ec/p256.c b/src/crypto/fipsmodule/ec/p256.c index d67f6c08..cd2b6fc0 100644 --- a/src/crypto/fipsmodule/ec/p256.c +++ b/src/crypto/fipsmodule/ec/p256.c @@ -31,8 +31,9 @@ #include "./internal.h" #if defined(BORINGSSL_HAS_UINT128) -#define BORINGSSL_NISTP256_64BIT 1 #include "../../../third_party/fiat/p256_64.h" +#elif defined(OPENSSL_64_BIT) +#include "../../../third_party/fiat/p256_64_msvc.h" #else #include "../../../third_party/fiat/p256_32.h" #endif 
@@ -40,7 +41,7 @@ // utility functions, handwritten -#if defined(BORINGSSL_NISTP256_64BIT) +#if defined(OPENSSL_64_BIT) #define FIAT_P256_NLIMBS 4 typedef uint64_t fiat_p256_limb_t; typedef uint64_t fiat_p256_felem[FIAT_P256_NLIMBS]; @@ -748,5 +749,3 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) { ec_simple_scalar_to_montgomery_inv_vartime; out->cmp_x_coordinate = ec_GFp_nistp256_cmp_x_coordinate; } - -#undef BORINGSSL_NISTP256_64BIT diff --git a/src/crypto/fipsmodule/ec/p256_table.h b/src/crypto/fipsmodule/ec/p256_table.h index 14129a36..d823d37f 100644 --- a/src/crypto/fipsmodule/ec/p256_table.h +++ b/src/crypto/fipsmodule/ec/p256_table.h @@ -50,7 +50,7 @@ // Tables for other points have table[i] = iG for i in 0 .. 16. // fiat_p256_g_pre_comp is the table of precomputed base points -#if defined(BORINGSSL_NISTP256_64BIT) +#if defined(OPENSSL_64_BIT) static const fiat_p256_felem fiat_p256_g_pre_comp[2][15][2] = { {{{0x79e730d418a9143c, 0x75ba95fc5fedb601, 0x79fb732b77622510, 0x18905f76a53755c6}, diff --git a/src/crypto/fipsmodule/self_check/fips.c b/src/crypto/fipsmodule/self_check/fips.c index ce039576..31e11efd 100644 --- a/src/crypto/fipsmodule/self_check/fips.c +++ b/src/crypto/fipsmodule/self_check/fips.c @@ -31,7 +31,7 @@ int FIPS_mode_set(int on) { return on == FIPS_mode(); } const char *FIPS_module_name(void) { return "BoringCrypto"; } uint32_t FIPS_version(void) { - return 0; + return 2023042800; } int FIPS_query_algorithm_status(const char *algorithm) { diff --git a/src/crypto/fipsmodule/self_check/self_check.c b/src/crypto/fipsmodule/self_check/self_check.c index 3b51e2fe..525cd169 100644 --- a/src/crypto/fipsmodule/self_check/self_check.c +++ b/src/crypto/fipsmodule/self_check/self_check.c @@ -26,6 +26,7 @@ #include <openssl/ec.h> #include <openssl/ecdsa.h> #include <openssl/ec_key.h> +#include <openssl/hkdf.h> #include <openssl/hmac.h> #include <openssl/nid.h> #include <openssl/rsa.h> 
diff --git a/src/crypto/fipsmodule/tls/kdf.c b/src/crypto/fipsmodule/tls/kdf.c index 9c6cfaf0..c4f4976c 100644 --- a/src/crypto/fipsmodule/tls/kdf.c +++ b/src/crypto/fipsmodule/tls/kdf.c @@ -54,6 +54,7 @@ #include <openssl/bytestring.h> #include <openssl/digest.h> +#include <openssl/hkdf.h> #include <openssl/hmac.h> #include <openssl/mem.h> diff --git a/src/crypto/kyber/kyber.c b/src/crypto/kyber/kyber.c index f2ac30bd..010d9d4c 100644 --- a/src/crypto/kyber/kyber.c +++ b/src/crypto/kyber/kyber.c @@ -283,16 +283,23 @@ static void scalar_inner_product(scalar *out, const vector *lhs, // operates on public inputs. static void scalar_from_keccak_vartime(scalar *out, struct BORINGSSL_keccak_st *keccak_ctx) { - uint8_t bytes[3]; - for (int i = 0; i < DEGREE;) { - BORINGSSL_keccak_squeeze(keccak_ctx, bytes, sizeof(bytes)); - uint16_t d1 = bytes[0] + 256 * (bytes[1] % 16); - uint16_t d2 = bytes[1] / 16 + 16 * bytes[2]; - if (d1 < kPrime) { - out->c[i++] = d1; - } - if (d2 < kPrime && i < DEGREE) { - out->c[i++] = d2; + assert(keccak_ctx->offset == 0); + assert(keccak_ctx->rate_bytes == 168); + static_assert(168 % 3 == 0, "block and coefficient boundaries do not align"); + + int done = 0; + while (done < DEGREE) { + uint8_t block[168]; + BORINGSSL_keccak_squeeze(keccak_ctx, block, sizeof(block)); + for (size_t i = 0; i < sizeof(block) && done < DEGREE; i += 3) { + uint16_t d1 = block[i] + 256 * (block[i + 1] % 16); + uint16_t d2 = block[i + 1] / 16 + 16 * block[i + 2]; + if (d1 < kPrime) { + out->c[done++] = d1; + } + if (d2 < kPrime && done < DEGREE) { + out->c[done++] = d2; + } } } } diff --git a/src/crypto/obj/objects.go b/src/crypto/obj/objects.go index 1b9ded34..077a6e12 100644 --- a/src/crypto/obj/objects.go +++ b/src/crypto/obj/objects.go @@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + package main import ( 
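Review bot: The two preconditions added at the top of scalar_from_keccak_vartime in kyber.c, `keccak_ctx->offset == 0` and `keccak_ctx->rate_bytes == 168`, are enforced only by `assert`, so a build that compiles assertions out would not check them. The function comment does not mention them either. The loop now squeezes whole 168-byte blocks and drops the rest of the last block once DEGREE coefficients are accepted, so a caller that squeezes from the same context before or after this call would see a different stream than with the old 3-byte reads. I would record that in the comment above the function, e.g. `// |keccak_ctx| must not have been squeezed from yet and must use a 168-byte rate; it is consumed in whole blocks.` The function's leading comment starts outside the hunk.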
@@ -520,21 +522,8 @@ extern "C" { return os.WriteFile(path, []byte(formatted), 0666) } -// TODO(davidben): Replace this with sort.Slice once Go 1.8 is sufficiently -// common. -type nidSorter struct { - nids []int - objs *objects - cmp func(a, b object) bool -} - -func (a nidSorter) obj(i int) object { return a.objs.byNID[a.nids[i]] } -func (a nidSorter) Len() int { return len(a.nids) } -func (a nidSorter) Swap(i, j int) { a.nids[i], a.nids[j] = a.nids[j], a.nids[i] } -func (a nidSorter) Less(i, j int) bool { return a.cmp(a.obj(i), a.obj(j)) } - func sortNIDs(nids []int, objs *objects, cmp func(a, b object) bool) { - sort.Sort(&nidSorter{nids, objs, cmp}) + sort.Slice(nids, func(i, j int) bool { return cmp(objs.byNID[nids[i]], objs.byNID[nids[j]]) }) } func writeData(path string, objs *objects) error { diff --git a/src/crypto/trust_token/internal.h b/src/crypto/trust_token/internal.h index e940565f..8fc5d6ea 100644 --- a/src/crypto/trust_token/internal.h +++ b/src/crypto/trust_token/internal.h @@ -239,6 +239,10 @@ STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_pst1_blind(CBB *cbb, size_t count, int voprf_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, size_t num_to_issue, uint8_t private_metadata); +OPENSSL_EXPORT int voprf_pst1_sign_with_proof_scalar_for_testing( + const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, + size_t num_to_issue, uint8_t private_metadata, + const uint8_t *proof_scalar_buf, size_t proof_scalar_len); STACK_OF(TRUST_TOKEN) *voprf_pst1_unblind( const TRUST_TOKEN_CLIENT_KEY *key, const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, diff --git a/src/crypto/trust_token/trust_token_test.cc b/src/crypto/trust_token/trust_token_test.cc index 376eacfe..df679b61 100644 --- a/src/crypto/trust_token/trust_token_test.cc +++ b/src/crypto/trust_token/trust_token_test.cc 
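Review bot: The new exported declaration `voprf_pst1_sign_with_proof_scalar_for_testing` in trust_token/internal.h has no comment, although it lets the caller choose the DLEQ proof scalar. Going by the `s = r - c*xs` relation in voprf.c, a proof made with a known or reused scalar would presumably expose the issuer key, so the header should say that this entry point exists for known-answer tests only. I would add above it `// voprf_pst1_sign_with_proof_scalar_for_testing acts like |voprf_pst1_sign| but takes the proof scalar from |proof_scalar_buf|. It must only be used with test keys.`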
@@ -314,6 +314,295 @@ TEST(TrustTokenTest, HPST1) { EXPECT_EQ(Bytes(h), Bytes(expected_bytes, expected_len)); } +static int ec_point_uncompressed_from_compressed( + const EC_GROUP *group, uint8_t out[EC_MAX_UNCOMPRESSED], size_t *out_len, + const uint8_t *in, size_t len) { + bssl::UniquePtr<EC_POINT> point(EC_POINT_new(group)); + if (!point || + !EC_POINT_oct2point(group, point.get(), in, len, nullptr)) { + return 0; + } + + *out_len = + EC_POINT_point2oct(group, point.get(), POINT_CONVERSION_UNCOMPRESSED, out, + EC_MAX_UNCOMPRESSED, nullptr); + return 1; +} + +static bool setup_voprf_test_key(const EC_GROUP *group, + TRUST_TOKEN_ISSUER_KEY *out) { + static const uint8_t kPrivateKey[] = { + 0x05, 0x16, 0x46, 0xb9, 0xe6, 0xe7, 0xa7, 0x1a, 0xe2, 0x7c, 0x1e, 0x1d, + 0x0b, 0x87, 0xb4, 0x38, 0x1d, 0xb6, 0xd3, 0x59, 0x5e, 0xee, 0xb1, 0xad, + 0xb4, 0x15, 0x79, 0xad, 0xbf, 0x99, 0x2f, 0x42, 0x78, 0xf9, 0x01, 0x6e, + 0xaf, 0xc9, 0x44, 0xed, 0xaa, 0x2b, 0x43, 0x18, 0x35, 0x81, 0x77, 0x9d + }; + + static const uint8_t kPublicKey[] = { + 0x03, 0x1d, 0x68, 0x96, 0x86, 0xc6, 0x11, 0x99, 0x1b, 0x55, + 0xf1, 0xa1, 0xd8, 0xf4, 0x30, 0x5c, 0xcd, 0x6c, 0xb7, 0x19, + 0x44, 0x6f, 0x66, 0x0a, 0x30, 0xdb, 0x61, 0xb7, 0xaa, 0x87, + 0xb4, 0x6a, 0xcf, 0x59, 0xb7, 0xc0, 0xd4, 0xa9, 0x07, 0x7b, + 0x3d, 0xa2, 0x1c, 0x25, 0xdd, 0x48, 0x22, 0x29, 0xa0 + }; + + if (!ec_scalar_from_bytes(group, &out->xs, kPrivateKey, + sizeof(kPrivateKey))) { + return false; + } + + bssl::UniquePtr<EC_POINT> pub(EC_POINT_new(group)); + return pub && + EC_POINT_oct2point(group, pub.get(), kPublicKey, sizeof(kPublicKey), + nullptr) && + ec_jacobian_to_affine(group, &out->pubs, &pub->raw); +} + +TEST(TrustTokenTest, PSTV1VOPRFTestVector1) { + const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1); + TRUST_TOKEN_ISSUER_KEY key; + ASSERT_TRUE(setup_voprf_test_key(group, &key)); + + static const uint8_t kBlindedElement[] = { + 0x02, 0xd3, 0x38, 0xc0, 0x5c, 0xbe, 0xcb, 0x82, 0xde, 0x13, + 0xd6, 0x70, 0x0f, 
0x09, 0xcb, 0x61, 0x19, 0x05, 0x43, 0xa7, + 0xb7, 0xe2, 0xc6, 0xcd, 0x4f, 0xca, 0x56, 0x88, 0x7e, 0x56, + 0x4e, 0xa8, 0x26, 0x53, 0xb2, 0x7f, 0xda, 0xd3, 0x83, 0x99, + 0x5e, 0xa6, 0xd0, 0x2c, 0xf2, 0x6d, 0x0e, 0x24, 0xd9 + }; + + static const uint8_t kEvaluatedElement[] = { + 0x02, 0xa7, 0xbb, 0xa5, 0x89, 0xb3, 0xe8, 0x67, 0x2a, 0xa1, + 0x9e, 0x8f, 0xd2, 0x58, 0xde, 0x2e, 0x6a, 0xae, 0x20, 0x10, + 0x1c, 0x8d, 0x76, 0x12, 0x46, 0xde, 0x97, 0xa6, 0xb5, 0xee, + 0x9c, 0xf1, 0x05, 0xfe, 0xbc, 0xe4, 0x32, 0x7a, 0x32, 0x62, + 0x55, 0xa3, 0xc6, 0x04, 0xf6, 0x3f, 0x60, 0x0e, 0xf6 + }; + + static const uint8_t kProof[] = { + 0xbf, 0xc6, 0xcf, 0x38, 0x59, 0x12, 0x7f, 0x5f, 0xe2, 0x55, 0x48, 0x85, + 0x98, 0x56, 0xd6, 0xb7, 0xfa, 0x1c, 0x74, 0x59, 0xf0, 0xba, 0x57, 0x12, + 0xa8, 0x06, 0xfc, 0x09, 0x1a, 0x30, 0x00, 0xc4, 0x2d, 0x8b, 0xa3, 0x4f, + 0xf4, 0x5f, 0x32, 0xa5, 0x2e, 0x40, 0x53, 0x3e, 0xfd, 0x2a, 0x03, 0xbc, + 0x87, 0xf3, 0xbf, 0x4f, 0x9f, 0x58, 0x02, 0x82, 0x97, 0xcc, 0xb9, 0xcc, + 0xb1, 0x8a, 0xe7, 0x18, 0x2b, 0xcd, 0x1e, 0xf2, 0x39, 0xdf, 0x77, 0xe3, + 0xbe, 0x65, 0xef, 0x14, 0x7f, 0x3a, 0xcf, 0x8b, 0xc9, 0xcb, 0xfc, 0x55, + 0x24, 0xb7, 0x02, 0x26, 0x34, 0x14, 0xf0, 0x43, 0xe3, 0xb7, 0xca, 0x2e + }; + + static const uint8_t kProofScalar[] = { + 0x80, 0x3d, 0x95, 0x5f, 0x0e, 0x07, 0x3a, 0x04, 0xaa, 0x5d, 0x92, 0xb3, + 0xfb, 0x73, 0x9f, 0x56, 0xf9, 0xdb, 0x00, 0x12, 0x66, 0x67, 0x7f, 0x62, + 0xc0, 0x95, 0x02, 0x1d, 0xb0, 0x18, 0xcd, 0x8c, 0xbb, 0x55, 0x94, 0x1d, + 0x40, 0x73, 0x69, 0x8c, 0xe4, 0x5c, 0x40, 0x5d, 0x13, 0x48, 0xb7, 0xb1 + }; + + uint8_t blinded_buf[EC_MAX_UNCOMPRESSED]; + size_t blinded_len; + ASSERT_TRUE(ec_point_uncompressed_from_compressed( + group, blinded_buf, &blinded_len, kBlindedElement, + sizeof(kBlindedElement))); + + CBS sign_input; + CBS_init(&sign_input, blinded_buf, blinded_len); + bssl::ScopedCBB response; + ASSERT_TRUE(CBB_init(response.get(), 0)); + ASSERT_TRUE(voprf_pst1_sign_with_proof_scalar_for_testing( + &key, response.get(), 
&sign_input, /*num_requested=*/1, + /*num_to_issue=*/1, + /*private_metadata=*/0, kProofScalar, sizeof(kProofScalar))); + + uint8_t evaluated_buf[EC_MAX_UNCOMPRESSED]; + size_t evaluated_len; + ASSERT_TRUE(ec_point_uncompressed_from_compressed( + group, evaluated_buf, &evaluated_len, kEvaluatedElement, + sizeof(kEvaluatedElement))); + + bssl::ScopedCBB expected_response; + ASSERT_TRUE(CBB_init(expected_response.get(), 0)); + ASSERT_TRUE( + CBB_add_bytes(expected_response.get(), evaluated_buf, evaluated_len)); + ASSERT_TRUE(CBB_add_u16(expected_response.get(), sizeof(kProof))); + ASSERT_TRUE(CBB_add_bytes(expected_response.get(), kProof, sizeof(kProof))); + ASSERT_TRUE(CBB_flush(expected_response.get())); + + ASSERT_EQ(Bytes(CBB_data(expected_response.get()), + CBB_len(expected_response.get())), + Bytes(CBB_data(response.get()), CBB_len(response.get()))); +} + +TEST(TrustTokenTest, PSTV1VOPRFTestVector2) { + const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1); + TRUST_TOKEN_ISSUER_KEY key; + ASSERT_TRUE(setup_voprf_test_key(group, &key)); + + static const uint8_t kBlindedElement[] = { + 0x02, 0xf2, 0x74, 0x69, 0xe0, 0x59, 0x88, 0x6f, 0x22, 0x1b, + 0xe5, 0xf2, 0xcc, 0xa0, 0x3d, 0x2b, 0xdc, 0x61, 0xe5, 0x52, + 0x21, 0x72, 0x1c, 0x3b, 0x3e, 0x56, 0xfc, 0x01, 0x2e, 0x36, + 0xd3, 0x1a, 0xe5, 0xf8, 0xdc, 0x05, 0x81, 0x09, 0x59, 0x15, + 0x56, 0xa6, 0xdb, 0xd3, 0xa8, 0xc6, 0x9c, 0x43, 0x3b + }; + + static const uint8_t kEvaluatedElement[] = { + 0x03, 0xf1, 0x6f, 0x90, 0x39, 0x47, 0x03, 0x54, 0x00, 0xe9, + 0x6b, 0x7f, 0x53, 0x1a, 0x38, 0xd4, 0xa0, 0x7a, 0xc8, 0x9a, + 0x80, 0xf8, 0x9d, 0x86, 0xa1, 0xbf, 0x08, 0x9c, 0x52, 0x5a, + 0x92, 0xc7, 0xf4, 0x73, 0x37, 0x29, 0xca, 0x30, 0xc5, 0x6c, + 0xe7, 0x8b, 0x1a, 0xb4, 0xf7, 0xd9, 0x2d, 0xb8, 0xb4 + }; + + static const uint8_t kProof[] = { + 0xd0, 0x05, 0xd6, 0xda, 0xaa, 0xd7, 0x57, 0x14, 0x14, 0xc1, 0xe0, + 0xc7, 0x5f, 0x7e, 0x57, 0xf2, 0x11, 0x3c, 0xa9, 0xf4, 0x60, 0x4e, + 0x84, 0xbc, 0x90, 0xf9, 0xbe, 0x52, 0xda, 
0x89, 0x6f, 0xff, 0x3b, + 0xee, 0x49, 0x6d, 0xcd, 0xe2, 0xa5, 0x78, 0xae, 0x9d, 0xf3, 0x15, + 0x03, 0x25, 0x85, 0xf8, 0x01, 0xfb, 0x21, 0xc6, 0x08, 0x0a, 0xc0, + 0x56, 0x72, 0xb2, 0x91, 0xe5, 0x75, 0xa4, 0x02, 0x95, 0xb3, 0x06, + 0xd9, 0x67, 0x71, 0x7b, 0x28, 0xe0, 0x8f, 0xcc, 0x8a, 0xd1, 0xca, + 0xb4, 0x78, 0x45, 0xd1, 0x6a, 0xf7, 0x3b, 0x3e, 0x64, 0x3d, 0xdc, + 0xc1, 0x91, 0x20, 0x8e, 0x71, 0xc6, 0x46, 0x30 + }; + + static const uint8_t kProofScalar[] = { + 0x80, 0x3d, 0x95, 0x5f, 0x0e, 0x07, 0x3a, 0x04, 0xaa, 0x5d, 0x92, 0xb3, + 0xfb, 0x73, 0x9f, 0x56, 0xf9, 0xdb, 0x00, 0x12, 0x66, 0x67, 0x7f, 0x62, + 0xc0, 0x95, 0x02, 0x1d, 0xb0, 0x18, 0xcd, 0x8c, 0xbb, 0x55, 0x94, 0x1d, + 0x40, 0x73, 0x69, 0x8c, 0xe4, 0x5c, 0x40, 0x5d, 0x13, 0x48, 0xb7, 0xb1 + }; + + uint8_t blinded_buf[EC_MAX_UNCOMPRESSED]; + size_t blinded_len; + ASSERT_TRUE(ec_point_uncompressed_from_compressed( + group, blinded_buf, &blinded_len, kBlindedElement, + sizeof(kBlindedElement))); + + CBS sign_input; + CBS_init(&sign_input, blinded_buf, blinded_len); + bssl::ScopedCBB response; + ASSERT_TRUE(CBB_init(response.get(), 0)); + ASSERT_TRUE(voprf_pst1_sign_with_proof_scalar_for_testing( + &key, response.get(), &sign_input, /*num_requested=*/1, + /*num_to_issue=*/1, + /*private_metadata=*/0, kProofScalar, sizeof(kProofScalar))); + + uint8_t evaluated_buf[EC_MAX_UNCOMPRESSED]; + size_t evaluated_len; + ASSERT_TRUE(ec_point_uncompressed_from_compressed( + group, evaluated_buf, &evaluated_len, kEvaluatedElement, + sizeof(kEvaluatedElement))); + + bssl::ScopedCBB expected_response; + ASSERT_TRUE(CBB_init(expected_response.get(), 0)); + ASSERT_TRUE( + CBB_add_bytes(expected_response.get(), evaluated_buf, evaluated_len)); + ASSERT_TRUE(CBB_add_u16(expected_response.get(), sizeof(kProof))); + ASSERT_TRUE(CBB_add_bytes(expected_response.get(), kProof, sizeof(kProof))); + ASSERT_TRUE(CBB_flush(expected_response.get())); + + ASSERT_EQ(Bytes(CBB_data(expected_response.get()), + CBB_len(expected_response.get())), 
+ Bytes(CBB_data(response.get()), CBB_len(response.get()))); +} + +TEST(TrustTokenTest, PSTV1VOPRFTestVector3) { + const EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp384r1); + TRUST_TOKEN_ISSUER_KEY key; + ASSERT_TRUE(setup_voprf_test_key(group, &key)); + + static const uint8_t kBlindedElement1[] = { + 0x02, 0xd3, 0x38, 0xc0, 0x5c, 0xbe, 0xcb, 0x82, 0xde, 0x13, + 0xd6, 0x70, 0x0f, 0x09, 0xcb, 0x61, 0x19, 0x05, 0x43, 0xa7, + 0xb7, 0xe2, 0xc6, 0xcd, 0x4f, 0xca, 0x56, 0x88, 0x7e, 0x56, + 0x4e, 0xa8, 0x26, 0x53, 0xb2, 0x7f, 0xda, 0xd3, 0x83, 0x99, + 0x5e, 0xa6, 0xd0, 0x2c, 0xf2, 0x6d, 0x0e, 0x24, 0xd9 + }; + static const uint8_t kBlindedElement2[] = { + 0x02, 0xfa, 0x02, 0x47, 0x0d, 0x7f, 0x15, 0x10, 0x18, 0xb4, + 0x1e, 0x82, 0x22, 0x3c, 0x32, 0xfa, 0xd8, 0x24, 0xde, 0x6a, + 0xd4, 0xb5, 0xce, 0x9f, 0x8e, 0x9f, 0x98, 0x08, 0x3c, 0x9a, + 0x72, 0x6d, 0xe9, 0xa1, 0xfc, 0x39, 0xd7, 0xa0, 0xcb, 0x6f, + 0x4f, 0x18, 0x8d, 0xd9, 0xce, 0xa0, 0x14, 0x74, 0xcd + }; + + static const uint8_t kEvaluatedElement1[] = { + 0x02, 0xa7, 0xbb, 0xa5, 0x89, 0xb3, 0xe8, 0x67, 0x2a, 0xa1, + 0x9e, 0x8f, 0xd2, 0x58, 0xde, 0x2e, 0x6a, 0xae, 0x20, 0x10, + 0x1c, 0x8d, 0x76, 0x12, 0x46, 0xde, 0x97, 0xa6, 0xb5, 0xee, + 0x9c, 0xf1, 0x05, 0xfe, 0xbc, 0xe4, 0x32, 0x7a, 0x32, 0x62, + 0x55, 0xa3, 0xc6, 0x04, 0xf6, 0x3f, 0x60, 0x0e, 0xf6 + }; + + static const uint8_t kEvaluatedElement2[] = { + 0x02, 0x8e, 0x9e, 0x11, 0x56, 0x25, 0xff, 0x4c, 0x2f, 0x07, + 0xbf, 0x87, 0xce, 0x3f, 0xd7, 0x3f, 0xc7, 0x79, 0x94, 0xa7, + 0xa0, 0xc1, 0xdf, 0x03, 0xd2, 0xa6, 0x30, 0xa3, 0xd8, 0x45, + 0x93, 0x0e, 0x2e, 0x63, 0xa1, 0x65, 0xb1, 0x14, 0xd9, 0x8f, + 0xe3, 0x4e, 0x61, 0xb6, 0x8d, 0x23, 0xc0, 0xb5, 0x0a + }; + + static const uint8_t kProof[] = { + 0x6d, 0x8d, 0xcb, 0xd2, 0xfc, 0x95, 0x55, 0x0a, 0x02, 0x21, 0x1f, + 0xb7, 0x8a, 0xfd, 0x01, 0x39, 0x33, 0xf3, 0x07, 0xd2, 0x1e, 0x7d, + 0x85, 0x5b, 0x0b, 0x1e, 0xd0, 0xaf, 0x78, 0x07, 0x6d, 0x81, 0x37, + 0xad, 0x8b, 0x0a, 0x1b, 0xfa, 0x05, 0x67, 0x6d, 0x32, 0x52, 0x49, + 
0xc1, 0xdb, 0xb9, 0xa5, 0x2b, 0xd8, 0x1b, 0x1c, 0x2b, 0x7b, 0x0e, + 0xfc, 0x77, 0xcf, 0x7b, 0x27, 0x8e, 0x1c, 0x94, 0x7f, 0x62, 0x83, + 0xf1, 0xd4, 0xc5, 0x13, 0x05, 0x3f, 0xc0, 0xad, 0x19, 0xe0, 0x26, + 0xfb, 0x0c, 0x30, 0x65, 0x4b, 0x53, 0xd9, 0xce, 0xa4, 0xb8, 0x7b, + 0x03, 0x72, 0x71, 0xb5, 0xd2, 0xe2, 0xd0, 0xea + }; + + static const uint8_t kProofScalar[] = { + 0xa0, 0x97, 0xe7, 0x22, 0xed, 0x24, 0x27, 0xde, 0x86, 0x96, + 0x69, 0x10, 0xac, 0xba, 0x9f, 0x5c, 0x35, 0x0e, 0x80, 0x40, + 0xf8, 0x28, 0xbf, 0x6c, 0xec, 0xa2, 0x74, 0x05, 0x42, 0x0c, + 0xdf, 0x3d, 0x63, 0xcb, 0x3a, 0xef, 0x00, 0x5f, 0x40, 0xba, + 0x51, 0x94, 0x3c, 0x80, 0x26, 0x87, 0x79, 0x63 + }; + + uint8_t blinded_buf[2*EC_MAX_UNCOMPRESSED]; + size_t blinded_len; + ASSERT_TRUE(ec_point_uncompressed_from_compressed( + group, blinded_buf, &blinded_len, kBlindedElement1, + sizeof(kBlindedElement1))); + size_t offset = blinded_len; + ASSERT_TRUE(ec_point_uncompressed_from_compressed( + group, blinded_buf + offset, &blinded_len, kBlindedElement2, + sizeof(kBlindedElement2))); + + CBS sign_input; + CBS_init(&sign_input, blinded_buf, offset + blinded_len); + bssl::ScopedCBB response; + ASSERT_TRUE(CBB_init(response.get(), 0)); + ASSERT_TRUE(voprf_pst1_sign_with_proof_scalar_for_testing( + &key, response.get(), &sign_input, /*num_requested=*/2, + /*num_to_issue=*/2, + /*private_metadata=*/0, kProofScalar, sizeof(kProofScalar))); + + uint8_t evaluated_buf[2 * EC_MAX_UNCOMPRESSED]; + size_t evaluated_len; + ASSERT_TRUE(ec_point_uncompressed_from_compressed( + group, evaluated_buf, &evaluated_len, kEvaluatedElement1, + sizeof(kEvaluatedElement1))); + offset = evaluated_len; + ASSERT_TRUE(ec_point_uncompressed_from_compressed( + group, evaluated_buf + offset, &evaluated_len, kEvaluatedElement2, + sizeof(kEvaluatedElement2))); + + bssl::ScopedCBB expected_response; + ASSERT_TRUE(CBB_init(expected_response.get(), 0)); + ASSERT_TRUE(CBB_add_bytes(expected_response.get(), evaluated_buf, + offset + evaluated_len)); 
+ ASSERT_TRUE(CBB_add_u16(expected_response.get(), sizeof(kProof))); + ASSERT_TRUE(CBB_add_bytes(expected_response.get(), kProof, sizeof(kProof))); + ASSERT_TRUE(CBB_flush(expected_response.get())); + + ASSERT_EQ(Bytes(CBB_data(expected_response.get()), + CBB_len(expected_response.get())), + Bytes(CBB_data(response.get()), CBB_len(response.get()))); +} + static std::vector<const TRUST_TOKEN_METHOD *> AllMethods() { return { TRUST_TOKEN_experiment_v1(), diff --git a/src/crypto/trust_token/voprf.c b/src/crypto/trust_token/voprf.c index d414bfd5..aa7df8ef 100644 --- a/src/crypto/trust_token/voprf.c +++ b/src/crypto/trust_token/voprf.c @@ -63,18 +63,24 @@ static int voprf_init_method(VOPRF_METHOD *method, int curve_nid, static int cbb_add_point(CBB *out, const EC_GROUP *group, const EC_AFFINE *point) { - size_t len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED); - if (len == 0) { - return 0; - } - uint8_t *p; + size_t len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED); return CBB_add_space(out, &p, len) && ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, p, len) == len && CBB_flush(out); } +static int cbb_serialize_point(CBB *out, const EC_GROUP *group, + const EC_AFFINE *point) { + uint8_t *p; + size_t len = ec_point_byte_len(group, POINT_CONVERSION_COMPRESSED); + return CBB_add_u16(out, len) && CBB_add_space(out, &p, len) && + ec_point_to_bytes(group, point, POINT_CONVERSION_COMPRESSED, p, len) == + len && + CBB_flush(out); +} + static int cbs_get_point(CBS *cbs, const EC_GROUP *group, EC_AFFINE *out) { CBS child; size_t plen = 1 + 2 * BN_num_bytes(&group->field); 
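Review bot: `ec_point_uncompressed_from_compressed` in trust_token_test.cc returns 1 without checking the result of `EC_POINT_point2oct`, which is 0 on failure. A failed encoding would hand the tests `*out_len == 0` and an unwritten buffer, and PSTV1VOPRFTestVector3 also uses that length as the offset for the second point. Replacing `return 1;` with `return *out_len != 0;` keeps the failure at the helper. The three tests also use the result of `EC_GROUP_new_by_curve_name` without a null check; an `ASSERT_TRUE(group);` after each call would cover that.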
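Review bot: With the `len == 0` guard removed from `cbb_add_point` in voprf.c, and none in the new `cbb_serialize_point`, the `ec_point_to_bytes(...) == len` comparison is the only failure check left. It would pass if both sides were 0. That cannot happen with the two constant point formats used here, as far as the hunk shows, but nothing states the assumption. An `assert(len > 0);` after each `ec_point_byte_len` call would record it, as `sha384_update_point_with_length` already does. In `cbb_serialize_point` the `size_t` length is narrowed silently in `CBB_add_u16(out, len)`; writing `CBB_add_u16(out, (uint16_t)len)` would make the narrowing explicit.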
@@ -299,6 +305,30 @@ err: return ok; } +static int hash_to_scalar_challenge(const VOPRF_METHOD *method, EC_SCALAR *out, + const EC_AFFINE *Bm, const EC_AFFINE *a0, + const EC_AFFINE *a1, const EC_AFFINE *a2, + const EC_AFFINE *a3) { + static const uint8_t kChallengeLabel[] = "Challenge"; + + CBB cbb; + uint8_t transcript[5 * EC_MAX_COMPRESSED + 2 + sizeof(kChallengeLabel) - 1]; + size_t len; + if (!CBB_init_fixed(&cbb, transcript, sizeof(transcript)) || + !cbb_serialize_point(&cbb, method->group, Bm) || + !cbb_serialize_point(&cbb, method->group, a0) || + !cbb_serialize_point(&cbb, method->group, a1) || + !cbb_serialize_point(&cbb, method->group, a2) || + !cbb_serialize_point(&cbb, method->group, a3) || + !CBB_add_bytes(&cbb, kChallengeLabel, sizeof(kChallengeLabel) - 1) || + !CBB_finish(&cbb, NULL, &len) || + !method->hash_to_scalar(method->group, out, transcript, len)) { + return 0; + } + + return 1; +} + static int hash_to_scalar_batch(const VOPRF_METHOD *method, EC_SCALAR *out, const CBB *points, size_t index) { static const uint8_t kDLEQBatchLabel[] = "DLEQ BATCH"; @@ -455,9 +485,9 @@ static int dleq_verify(const VOPRF_METHOD *method, CBS *cbs, return 1; } -static int voprf_sign(const VOPRF_METHOD *method, - const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, - size_t num_requested, size_t num_to_issue) { +static int voprf_sign_tt(const VOPRF_METHOD *method, + const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, + size_t num_requested, size_t num_to_issue) { const EC_GROUP *group = method->group; if (num_requested < num_to_issue) { OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR); @@ -553,7 +583,7 @@ err: return ret; } -static STACK_OF(TRUST_TOKEN) *voprf_unblind( +static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt( const VOPRF_METHOD *method, const TRUST_TOKEN_CLIENT_KEY *key, const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, uint32_t key_id) { 
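Review bot: The `transcript` buffer in hash_to_scalar_challenge is sized `5 * EC_MAX_COMPRESSED + 2 + sizeof(kChallengeLabel) - 1`, which allows for one two-byte length prefix. Each of the five `cbb_serialize_point` calls writes its own prefix before the point, so the worst case is `5 * (2 + EC_MAX_COMPRESSED)` plus the label. Because the CBB is fixed-size, an overrun makes the function return 0 rather than write out of bounds, and the P-384 points used by the tests are well under the maximum, so this only matters for a group at EC_MAX_BYTES. I would declare it as `uint8_t transcript[5 * (2 + EC_MAX_COMPRESSED) + sizeof(kChallengeLabel) - 1];`.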
@@ -673,6 +703,397 @@ err: return ret; } +static void sha384_update_u16(SHA512_CTX *ctx, uint16_t v) { + uint8_t buf[2] = {v >> 8, v & 0xff}; + SHA384_Update(ctx, buf, 2); +} + +static void sha384_update_point_with_length( + SHA512_CTX *ctx, const EC_GROUP *group, const EC_AFFINE *point) { + uint8_t buf[EC_MAX_COMPRESSED]; + size_t len = ec_point_to_bytes(group, point, POINT_CONVERSION_COMPRESSED, + buf, sizeof(buf)); + assert(len > 0); + sha384_update_u16(ctx, (uint16_t)len); + SHA384_Update(ctx, buf, len); +} + +static int compute_composite_seed(const VOPRF_METHOD *method, + uint8_t out[SHA384_DIGEST_LENGTH], + const EC_AFFINE *pub) { + const EC_GROUP *group = method->group; + static const uint8_t kSeedDST[] = "Seed-OPRFV1-\x01-P384-SHA384"; + + SHA512_CTX hash_ctx; + SHA384_Init(&hash_ctx); + sha384_update_point_with_length(&hash_ctx, group, pub); + sha384_update_u16(&hash_ctx, sizeof(kSeedDST) - 1); + SHA384_Update(&hash_ctx, kSeedDST, sizeof(kSeedDST) - 1); + SHA384_Final(out, &hash_ctx); + + return 1; +} + +static int compute_composite_element(const VOPRF_METHOD *method, + uint8_t seed[SHA384_DIGEST_LENGTH], + EC_SCALAR *di, size_t index, + const EC_AFFINE *C, const EC_AFFINE *D) { + static const uint8_t kCompositeLabel[] = "Composite"; + const EC_GROUP *group = method->group; + + if (index > UINT16_MAX) { + return 0; + } + + CBB cbb; + uint8_t transcript[2 + SHA384_DIGEST_LENGTH + 2 + 2 * EC_MAX_COMPRESSED + + sizeof(kCompositeLabel) - 1]; + size_t len; + if (!CBB_init_fixed(&cbb, transcript, sizeof(transcript)) || + !CBB_add_u16(&cbb, SHA384_DIGEST_LENGTH) || + !CBB_add_bytes(&cbb, seed, SHA384_DIGEST_LENGTH) || + !CBB_add_u16(&cbb, index) || + !cbb_serialize_point(&cbb, group, C) || + !cbb_serialize_point(&cbb, group, D) || + !CBB_add_bytes(&cbb, kCompositeLabel, + sizeof(kCompositeLabel) - 1) || + !CBB_finish(&cbb, NULL, &len) || + !method->hash_to_scalar(method->group, di, transcript, len)) { + return 0; + } + + return 1; +} + +static int 
generate_proof(const VOPRF_METHOD *method, CBB *cbb, + const TRUST_TOKEN_ISSUER_KEY *priv, + const EC_SCALAR *r, const EC_RAW_POINT *M, + const EC_RAW_POINT *Z) { + const EC_GROUP *group = method->group; + + enum { + idx_M, + idx_Z, + idx_t2, + idx_t3, + num_idx, + }; + EC_RAW_POINT jacobians[num_idx]; + + if (!ec_point_mul_scalar_base(group, &jacobians[idx_t2], r) || + !ec_point_mul_scalar(group, &jacobians[idx_t3], M, r)) { + return 0; + } + + + EC_AFFINE affines[num_idx]; + jacobians[idx_M] = *M; + jacobians[idx_Z] = *Z; + if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) { + return 0; + } + + EC_SCALAR c; + if (!hash_to_scalar_challenge(method, &c, &priv->pubs, &affines[idx_M], + &affines[idx_Z], &affines[idx_t2], + &affines[idx_t3])) { + return 0; + } + + EC_SCALAR c_mont; + ec_scalar_to_montgomery(group, &c_mont, &c); + + // s = r - c*xs + EC_SCALAR s; + ec_scalar_mul_montgomery(group, &s, &priv->xs, &c_mont); + ec_scalar_sub(group, &s, r, &s); + + // Store DLEQ proof in transcript. 
+ if (!scalar_to_cbb(cbb, group, &c) || + !scalar_to_cbb(cbb, group, &s)) { + return 0; + } + + return 1; +} + +static int verify_proof(const VOPRF_METHOD *method, CBS *cbs, + const TRUST_TOKEN_CLIENT_KEY *pub, + const EC_RAW_POINT *M, const EC_RAW_POINT *Z) { + const EC_GROUP *group = method->group; + + enum { + idx_M, + idx_Z, + idx_t2, + idx_t3, + num_idx, + }; + EC_RAW_POINT jacobians[num_idx]; + + EC_SCALAR c, s; + if (!scalar_from_cbs(cbs, group, &c) || + !scalar_from_cbs(cbs, group, &s)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + return 0; + } + + EC_RAW_POINT pubs; + ec_affine_to_jacobian(group, &pubs, &pub->pubs); + if (!ec_point_mul_scalar_public(group, &jacobians[idx_t2], &s, &pubs, + &c) || + !mul_public_2(group, &jacobians[idx_t3], M, &s, Z, &c)) { + return 0; + } + + EC_AFFINE affines[num_idx]; + jacobians[idx_M] = *M; + jacobians[idx_Z] = *Z; + if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) { + return 0; + } + + EC_SCALAR expected_c; + if (!hash_to_scalar_challenge(method, &expected_c, &pub->pubs, + &affines[idx_M], &affines[idx_Z], + &affines[idx_t2], &affines[idx_t3])) { + return 0; + } + + // c == expected_c + if (!ec_scalar_equal_vartime(group, &c, &expected_c)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_PROOF); + return 0; + } + + return 1; +} + +static int voprf_sign_impl(const VOPRF_METHOD *method, + const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, + CBS *cbs, size_t num_requested, size_t num_to_issue, + const EC_SCALAR *proof_scalar) { + const EC_GROUP *group = method->group; + if (num_requested < num_to_issue) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR); + return 0; + } + + if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) || + num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); + return 0; + } + + int ret = 0; + EC_RAW_POINT *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT)); + EC_RAW_POINT *Zs = 
OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT)); + EC_SCALAR *dis = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR)); + if (!BTs || !Zs || !dis) { + goto err; + } + + uint8_t seed[SHA384_DIGEST_LENGTH]; + if (!compute_composite_seed(method, seed, &key->pubs)) { + goto err; + } + + // This implements the BlindEvaluateBatch as defined in section 4 of + // draft-robert-privacypass-batched-tokens-01, based on the constructions + // in draft-irtf-cfrg-voprf-21. To optimize the computation of the proof, + // the computation of di is done during the token signing and passed into + // the proof generation. + for (size_t i = 0; i < num_to_issue; i++) { + EC_AFFINE BT_affine, Z_affine; + EC_RAW_POINT BT, Z; + if (!cbs_get_point(cbs, group, &BT_affine)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + goto err; + } + ec_affine_to_jacobian(group, &BT, &BT_affine); + if (!ec_point_mul_scalar(group, &Z, &BT, &key->xs) || + !ec_jacobian_to_affine(group, &Z_affine, &Z) || + !cbb_add_point(cbb, group, &Z_affine)) { + goto err; + } + BTs[i] = BT; + Zs[i] = Z; + if (!compute_composite_element(method, seed, &dis[i], i, &BT_affine, + &Z_affine)) { + goto err; + } + + if (!CBB_flush(cbb)) { + goto err; + } + } + + EC_RAW_POINT M, Z; + if (!ec_point_mul_scalar_public_batch(group, &M, + /*g_scalar=*/NULL, BTs, dis, + num_to_issue) || + !ec_point_mul_scalar(group, &Z, &M, &key->xs)) { + goto err; + } + + CBB proof; + if (!CBB_add_u16_length_prefixed(cbb, &proof) || + !generate_proof(method, &proof, key, proof_scalar, &M, &Z) || + !CBB_flush(cbb)) { + goto err; + } + + // Skip over any unused requests. 
+ size_t point_len = 1 + 2 * BN_num_bytes(&group->field); + if (!CBS_skip(cbs, point_len * (num_requested - num_to_issue))) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + goto err; + } + + ret = 1; + +err: + OPENSSL_free(BTs); + OPENSSL_free(Zs); + OPENSSL_free(dis); + return ret; +} + +static int voprf_sign(const VOPRF_METHOD *method, + const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, + size_t num_requested, size_t num_to_issue) { + EC_SCALAR proof_scalar; + if (!ec_random_nonzero_scalar(method->group, &proof_scalar, + kDefaultAdditionalData)) { + return 0; + } + + return voprf_sign_impl(method, key, cbb, cbs, num_requested, num_to_issue, + &proof_scalar); +} + +static int voprf_sign_with_proof_scalar_for_testing( + const VOPRF_METHOD *method, const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, + CBS *cbs, size_t num_requested, size_t num_to_issue, + const uint8_t *proof_scalar_buf, size_t proof_scalar_len) { + EC_SCALAR proof_scalar; + if (!ec_scalar_from_bytes(method->group, &proof_scalar, proof_scalar_buf, + proof_scalar_len)) { + return 0; + } + return voprf_sign_impl(method, key, cbb, cbs, num_requested, num_to_issue, + &proof_scalar); +} + +static STACK_OF(TRUST_TOKEN) *voprf_unblind( + const VOPRF_METHOD *method, const TRUST_TOKEN_CLIENT_KEY *key, + const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, + uint32_t key_id) { + const EC_GROUP *group = method->group; + if (count > sk_TRUST_TOKEN_PRETOKEN_num(pretokens)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + return NULL; + } + + if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) || + count > ((size_t)-1) / sizeof(EC_SCALAR)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); + return NULL; + } + + int ok = 0; + STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null(); + EC_RAW_POINT *BTs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT)); + EC_RAW_POINT *Zs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT)); + EC_SCALAR *dis = OPENSSL_malloc(count * 
sizeof(EC_SCALAR)); + if (ret == NULL || !BTs || !Zs || !dis) { + goto err; + } + + uint8_t seed[SHA384_DIGEST_LENGTH]; + if (!compute_composite_seed(method, seed, &key->pubs)) { + goto err; + } + + for (size_t i = 0; i < count; i++) { + const TRUST_TOKEN_PRETOKEN *pretoken = + sk_TRUST_TOKEN_PRETOKEN_value(pretokens, i); + + EC_AFFINE Z_affine; + if (!cbs_get_point(cbs, group, &Z_affine)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + goto err; + } + + ec_affine_to_jacobian(group, &BTs[i], &pretoken->Tp); + ec_affine_to_jacobian(group, &Zs[i], &Z_affine); + if (!compute_composite_element(method, seed, &dis[i], i, &pretoken->Tp, + &Z_affine)) { + goto err; + } + + // Unblind the token. + // pretoken->r is rinv. + EC_RAW_POINT N; + EC_AFFINE N_affine; + if (!ec_point_mul_scalar(group, &N, &Zs[i], &pretoken->r) || + !ec_jacobian_to_affine(group, &N_affine, &N)) { + goto err; + } + + // Serialize the token. Include |key_id| to avoid an extra copy in the layer + // above. 
+ CBB token_cbb; + size_t point_len = 1 + 2 * BN_num_bytes(&group->field); + if (!CBB_init(&token_cbb, 4 + TRUST_TOKEN_NONCE_SIZE + (2 + point_len)) || + !CBB_add_u32(&token_cbb, key_id) || + !CBB_add_bytes(&token_cbb, pretoken->salt, TRUST_TOKEN_NONCE_SIZE) || + !cbb_add_point(&token_cbb, group, &N_affine) || + !CBB_flush(&token_cbb)) { + CBB_cleanup(&token_cbb); + goto err; + } + + TRUST_TOKEN *token = + TRUST_TOKEN_new(CBB_data(&token_cbb), CBB_len(&token_cbb)); + CBB_cleanup(&token_cbb); + if (token == NULL || + !sk_TRUST_TOKEN_push(ret, token)) { + TRUST_TOKEN_free(token); + goto err; + } + } + + EC_RAW_POINT M, Z; + if (!ec_point_mul_scalar_public_batch(group, &M, + /*g_scalar=*/NULL, BTs, dis, + count) || + !ec_point_mul_scalar_public_batch(group, &Z, + /*g_scalar=*/NULL, Zs, dis, + count)) { + goto err; + } + + CBS proof; + if (!CBS_get_u16_length_prefixed(cbs, &proof) || + !verify_proof(method, &proof, key, &M, &Z) || + CBS_len(&proof) != 0) { + goto err; + } + + ok = 1; + +err: + OPENSSL_free(BTs); + OPENSSL_free(Zs); + OPENSSL_free(dis); + if (!ok) { + sk_TRUST_TOKEN_pop_free(ret, TRUST_TOKEN_free); + ret = NULL; + } + return ret; +} + static int voprf_read(const VOPRF_METHOD *method, const TRUST_TOKEN_ISSUER_KEY *key, uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], @@ -804,8 +1225,8 @@ int voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, if (!voprf_exp2_init_method() || private_metadata != 0) { return 0; } - return voprf_sign(&voprf_exp2_method, key, cbb, cbs, num_requested, - num_to_issue); + return voprf_sign_tt(&voprf_exp2_method, key, cbb, cbs, num_requested, + num_to_issue); } STACK_OF(TRUST_TOKEN) *voprf_exp2_unblind( 
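Review bot: `sha384_update_point_with_length` checks the result of `ec_point_to_bytes` only with `assert(len > 0)`, which is compiled out under NDEBUG, so a failed serialization would hash a zero length and no point bytes into the composite seed without reporting any error. `compute_composite_seed` returns `int` and both callers in this hunk (`voprf_sign_impl` and `voprf_unblind`) test that result, yet as written it can only ever return 1. I would have the helper return 0 when the encoded length is zero and propagate that through `compute_composite_seed`, so the issuer and the client both fail closed instead of deriving batch coefficients from a malformed seed.

```c
static int sha384_update_point_with_length(
    SHA512_CTX *ctx, const EC_GROUP *group, const EC_AFFINE *point) {
  uint8_t buf[EC_MAX_COMPRESSED];
  size_t len = ec_point_to_bytes(group, point, POINT_CONVERSION_COMPRESSED,
                                 buf, sizeof(buf));
  if (len == 0) {
    // Serialization failed; do not hash an empty element into the seed.
    return 0;
  }
  sha384_update_u16(ctx, (uint16_t)len);
  SHA384_Update(ctx, buf, len);
  return 1;
}

// In compute_composite_seed:
  SHA384_Init(&hash_ctx);
  if (!sha384_update_point_with_length(&hash_ctx, group, pub)) {
    return 0;
  }
  // … unchanged: DST length, DST bytes, SHA384_Final, return 1 …
```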
@@ -815,7 +1236,8 @@ STACK_OF(TRUST_TOKEN) *voprf_exp2_unblind( if (!voprf_exp2_init_method()) { return NULL; } - return voprf_unblind(&voprf_exp2_method, key, pretokens, cbs, count, key_id); + return voprf_unblind_tt(&voprf_exp2_method, key, pretokens, cbs, count, + key_id); } int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key, @@ -834,16 +1256,17 @@ int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key, static int voprf_pst1_hash_to_group(const EC_GROUP *group, EC_RAW_POINT *out, const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) { - const uint8_t kHashTLabel[] = "TrustToken VOPRF PST V1 HashToGroup"; - return ec_hash_to_curve_p384_xmd_sha384_sswu( - group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE); + const uint8_t kHashTLabel[] = "HashToGroup-OPRFV1-\x01-P384-SHA384"; + return ec_hash_to_curve_p384_xmd_sha384_sswu(group, out, kHashTLabel, + sizeof(kHashTLabel) - 1, t, + TRUST_TOKEN_NONCE_SIZE); } static int voprf_pst1_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out, uint8_t *buf, size_t len) { - const uint8_t kHashCLabel[] = "TrustToken VOPRF PST V1 HashToScalar"; - return ec_hash_to_scalar_p384_xmd_sha384( - group, out, kHashCLabel, sizeof(kHashCLabel), buf, len); + const uint8_t kHashCLabel[] = "HashToScalar-OPRFV1-\x01-P384-SHA384"; + return ec_hash_to_scalar_p384_xmd_sha384(group, out, kHashCLabel, + sizeof(kHashCLabel) - 1, buf, len); } static int voprf_pst1_ok = 0; 
@@ -921,6 +1344,19 @@ int voprf_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, num_to_issue); } + +int voprf_pst1_sign_with_proof_scalar_for_testing( + const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, + size_t num_to_issue, uint8_t private_metadata, + const uint8_t *proof_scalar_buf, size_t proof_scalar_len) { + if (!voprf_pst1_init_method() || private_metadata != 0) { + return 0; + } + return voprf_sign_with_proof_scalar_for_testing( + &voprf_pst1_method, key, cbb, cbs, num_requested, num_to_issue, + proof_scalar_buf, proof_scalar_len); +} + STACK_OF(TRUST_TOKEN) *voprf_pst1_unblind( const TRUST_TOKEN_CLIENT_KEY *key, const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, diff --git a/src/crypto/x509/a_sign.c b/src/crypto/x509/a_sign.c index 8ee47798..7f80e5b0 100644 --- a/src/crypto/x509/a_sign.c +++ b/src/crypto/x509/a_sign.c @@ -126,7 +126,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, out = NULL; signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); signature->flags |= ASN1_STRING_FLAG_BITS_LEFT; - ret = 1; + ret = (int)out_len; err: EVP_MD_CTX_cleanup(ctx); diff --git a/src/crypto/x509/name_print.c b/src/crypto/x509/name_print.c index 29207ccb..5dc34dae 100644 --- a/src/crypto/x509/name_print.c +++ b/src/crypto/x509/name_print.c @@ -56,6 +56,7 @@ #include <openssl/x509.h> +#include <assert.h> #include <inttypes.h> #include <string.h> @@ -84,8 +85,7 @@ static int do_indent(BIO *out, int indent) { static int do_name_ex(BIO *out, const X509_NAME *n, int indent, unsigned long flags) { - int i, prev = -1, orflags, cnt; - int fn_opt, fn_nid; + int prev = -1, orflags; char objtmp[80]; const char *objbuf; int outlen, len; 
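Review bot: `voprf_pst1_sign_with_proof_scalar_for_testing` is a non-static entry point that lets the caller choose the DLEQ proof scalar, and it carries no comment saying that this is unsafe outside known-answer tests. The proof is `s = r - c*xs`, so a scalar that is known, predictable or reused exposes the issuer key `xs`; `voprf_sign` draws it with `ec_random_nonzero_scalar`, while the testing path takes whatever `ec_scalar_from_bytes` accepts (possibly including zero). I would add above the definition: `// voprf_pst1_sign_with_proof_scalar_for_testing is for known-answer tests only. The proof scalar must be secret and fresh per call, so production code must use |voprf_pst1_sign|.` The declaration, which is outside this hunk, should carry the same warning.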
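Review bot: `ret = (int)out_len;` changes the success value of `ASN1_item_sign_ctx` from 1 to the signature length, so any caller that still compares the result with `== 1` would now treat a successful signature as a failure; callers should test `> 0`, as the updated `SignCertificate` test does with `ASSERT_GT(ret, 0)`. The cast from what is presumably a `size_t` is unchecked. Signature lengths are small in practice, but a guard such as `if (out_len > INT_MAX) { goto err; }` before the assignment would keep a wrapped value from reading as an error or a bogus length. The function's doc comment should state the new return contract; the function body begins and ends outside this hunk.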
@@ -142,10 +142,8 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent, sep_eq_len = 1; } - fn_opt = flags & XN_FLAG_FN_MASK; - - cnt = X509_NAME_entry_count(n); - for (i = 0; i < cnt; i++) { + int cnt = X509_NAME_entry_count(n); + for (int i = 0; i < cnt; i++) { const X509_NAME_ENTRY *ent; if (flags & XN_FLAG_DN_REV) { ent = X509_NAME_get_entry(n, cnt - i - 1); 
@@ -172,40 +170,20 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent, prev = X509_NAME_ENTRY_set(ent); const ASN1_OBJECT *fn = X509_NAME_ENTRY_get_object(ent); const ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent); - fn_nid = OBJ_obj2nid(fn); - if (fn_opt != XN_FLAG_FN_NONE) { - int objlen, fld_len; - if ((fn_opt == XN_FLAG_FN_OID) || (fn_nid == NID_undef)) { - OBJ_obj2txt(objtmp, sizeof objtmp, fn, 1); - fld_len = 0; // XXX: what should this be? - objbuf = objtmp; - } else { - if (fn_opt == XN_FLAG_FN_SN) { - fld_len = FN_WIDTH_SN; - objbuf = OBJ_nid2sn(fn_nid); - } else if (fn_opt == XN_FLAG_FN_LN) { - fld_len = FN_WIDTH_LN; - objbuf = OBJ_nid2ln(fn_nid); - } else { - fld_len = 0; // XXX: what should this be? - objbuf = ""; - } - } - objlen = strlen(objbuf); - if (!maybe_write(out, objbuf, objlen)) { - return -1; - } - if ((objlen < fld_len) && (flags & XN_FLAG_FN_ALIGN)) { - if (!do_indent(out, fld_len - objlen)) { - return -1; - } - outlen += fld_len - objlen; - } - if (!maybe_write(out, sep_eq, sep_eq_len)) { - return -1; - } - outlen += objlen + sep_eq_len; + assert((flags & XN_FLAG_FN_MASK) == XN_FLAG_FN_SN); + int fn_nid = OBJ_obj2nid(fn); + if (fn_nid == NID_undef) { + OBJ_obj2txt(objtmp, sizeof(objtmp), fn, 1); + objbuf = objtmp; + } else { + objbuf = OBJ_nid2sn(fn_nid); + } + int objlen = strlen(objbuf); + if (!maybe_write(out, objbuf, objlen) || + !maybe_write(out, sep_eq, sep_eq_len)) { + return -1; } + outlen += objlen + sep_eq_len; // If the field name is unknown then fix up the DER dump flag. We // might want to limit this further so it will DER dump on anything // other than a few 'standard' fields. diff --git a/src/crypto/x509/t_x509.c b/src/crypto/x509/t_x509.c index 6694e3d1..1d71576c 100644 --- a/src/crypto/x509/t_x509.c +++ b/src/crypto/x509/t_x509.c 
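Review bot: The field-name mode is now enforced only by `assert((flags & XN_FLAG_FN_MASK) == XN_FLAG_FN_SN);`, which disappears in NDEBUG builds, so a caller that still passes another mode (for example `XN_FLAG_FN_NONE` or `XN_FLAG_FN_OID`, both handled by the removed code) silently gets short names instead of an error. Unless the flags are rejected earlier in `do_name_ex`, which starts outside this hunk, an explicit check would be safer: `if ((flags & XN_FLAG_FN_MASK) != XN_FLAG_FN_SN) { return -1; }`. It can sit before the entry loop so it runs once rather than per entry.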
@@ -91,14 +91,8 @@ int X509_print(BIO *bp, X509 *x) { int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) { - long l; - int ret = 0, i; - char *m = NULL, mlch = ' '; + char mlch = ' '; int nmindent = 0; - X509_CINF *ci; - EVP_PKEY *pkey = NULL; - const char *neg; - if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mlch = '\n'; nmindent = 12; @@ -108,26 +102,26 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, nmindent = 16; } - ci = x->cert_info; + const X509_CINF *ci = x->cert_info; if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp, "Certificate:\n", 13) <= 0) { - goto err; + return 0; } if (BIO_write(bp, " Data:\n", 10) <= 0) { - goto err; + return 0; } } if (!(cflag & X509_FLAG_NO_VERSION)) { - l = X509_get_version(x); + long l = X509_get_version(x); assert(X509_VERSION_1 <= l && l <= X509_VERSION_3); if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, (unsigned long)l) <= 0) { - goto err; + return 0; } } if (!(cflag & X509_FLAG_NO_SERIAL)) { if (BIO_write(bp, " Serial Number:", 22) <= 0) { - goto err; + return 0; } const ASN1_INTEGER *serial = X509_get0_serialNumber(x); @@ -136,19 +130,20 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, assert(serial->type != V_ASN1_NEG_INTEGER); if (BIO_printf(bp, " %" PRIu64 " (0x%" PRIx64 ")\n", serial_u64, serial_u64) <= 0) { - goto err; + return 0; } } else { ERR_clear_error(); // Clear |ASN1_INTEGER_get_uint64|'s error. - neg = (serial->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : ""; + const char *neg = + (serial->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : ""; if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) { - goto err; + return 0; } - for (i = 0; i < serial->length; i++) { + for (int i = 0; i < serial->length; i++) { if (BIO_printf(bp, "%02x%c", serial->data[i], ((i + 1 == serial->length) ? '\n' : ':')) <= 0) { - goto err; + return 0; } } } 
@@ -156,69 +151,69 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, if (!(cflag & X509_FLAG_NO_SIGNAME)) { if (X509_signature_print(bp, ci->signature, NULL) <= 0) { - goto err; + return 0; } } if (!(cflag & X509_FLAG_NO_ISSUER)) { if (BIO_printf(bp, " Issuer:%c", mlch) <= 0) { - goto err; + return 0; } if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags) < 0) { - goto err; + return 0; } if (BIO_write(bp, "\n", 1) <= 0) { - goto err; + return 0; } } if (!(cflag & X509_FLAG_NO_VALIDITY)) { if (BIO_write(bp, " Validity\n", 17) <= 0) { - goto err; + return 0; } if (BIO_write(bp, " Not Before: ", 24) <= 0) { - goto err; + return 0; } if (!ASN1_TIME_print(bp, X509_get_notBefore(x))) { - goto err; + return 0; } if (BIO_write(bp, "\n Not After : ", 25) <= 0) { - goto err; + return 0; } if (!ASN1_TIME_print(bp, X509_get_notAfter(x))) { - goto err; + return 0; } if (BIO_write(bp, "\n", 1) <= 0) { - goto err; + return 0; } } if (!(cflag & X509_FLAG_NO_SUBJECT)) { if (BIO_printf(bp, " Subject:%c", mlch) <= 0) { - goto err; + return 0; } if (X509_NAME_print_ex(bp, X509_get_subject_name(x), nmindent, nmflags) < 0) { - goto err; + return 0; } if (BIO_write(bp, "\n", 1) <= 0) { - goto err; + return 0; } } if (!(cflag & X509_FLAG_NO_PUBKEY)) { if (BIO_write(bp, " Subject Public Key Info:\n", 33) <= 0) { - goto err; + return 0; } if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0) { - goto err; + return 0; } if (i2a_ASN1_OBJECT(bp, ci->key->algor->algorithm) <= 0) { - goto err; + return 0; } if (BIO_puts(bp, "\n") <= 0) { - goto err; + return 0; } - pkey = X509_get_pubkey(x); + EVP_PKEY *pkey = X509_get_pubkey(x); if (pkey == NULL) { BIO_printf(bp, "%12sUnable to load Public Key\n", ""); ERR_print_errors(bp); 
@@ -231,18 +226,18 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, if (!(cflag & X509_FLAG_NO_IDS)) { if (ci->issuerUID) { if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0) { - goto err; + return 0; } if (!X509_signature_dump(bp, ci->issuerUID, 12)) { - goto err; + return 0; } } if (ci->subjectUID) { if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0) { - goto err; + return 0; } if (!X509_signature_dump(bp, ci->subjectUID, 12)) { - goto err; + return 0; } } } @@ -253,20 +248,16 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, if (!(cflag & X509_FLAG_NO_SIGDUMP)) { if (X509_signature_print(bp, x->sig_alg, x->signature) <= 0) { - goto err; + return 0; } } if (!(cflag & X509_FLAG_NO_AUX)) { if (!X509_CERT_AUX_print(bp, x->aux, 0)) { - goto err; + return 0; } } - ret = 1; -err: - if (m != NULL) { - OPENSSL_free(m); - } - return ret; + + return 1; } int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg, diff --git a/src/crypto/x509/test/make_basic_constraints.go b/src/crypto/x509/test/make_basic_constraints.go index 67f4b913..ea502b4c 100644 --- a/src/crypto/x509/test/make_basic_constraints.go +++ b/src/crypto/x509/test/make_basic_constraints.go @@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + // make_basic_constraints.go generates self-signed certificates with the basic // constraints extension. package main diff --git a/src/crypto/x509/test/make_invalid_extensions.go b/src/crypto/x509/test/make_invalid_extensions.go index 884d9335..8287bf8d 100644 --- a/src/crypto/x509/test/make_invalid_extensions.go +++ b/src/crypto/x509/test/make_invalid_extensions.go 
@@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + // make_invalid_extensions.go generates a number of certificate chains with // invalid extension encodings. package main diff --git a/src/crypto/x509/test/make_many_constraints.go b/src/crypto/x509/test/make_many_constraints.go index 07f2edc7..24a5c407 100644 --- a/src/crypto/x509/test/make_many_constraints.go +++ b/src/crypto/x509/test/make_many_constraints.go @@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + // make_many_constraints.go generates test certificates many_constraints.pem, // many_names*.pem, and some_names*.pem for x509_test.cc package main diff --git a/src/crypto/x509/test/make_policy_certs.go b/src/crypto/x509/test/make_policy_certs.go index b1c5a60e..739d8ced 100644 --- a/src/crypto/x509/test/make_policy_certs.go +++ b/src/crypto/x509/test/make_policy_certs.go @@ -12,6 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +//go:build ignore + // make_policy_certs.go generates certificates for testing policy handling. package main diff --git a/src/crypto/x509/x509_att.c b/src/crypto/x509/x509_att.c index 0dda757f..23e92f29 100644 --- a/src/crypto/x509/x509_att.c +++ b/src/crypto/x509/x509_att.c 
@@ -56,153 +56,13 @@ #include <openssl/asn1.h> #include <openssl/err.h> -#include <openssl/evp.h> #include <openssl/obj.h> -#include <openssl/stack.h> #include <openssl/x509.h> #include "../asn1/internal.h" #include "internal.h" -int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x) { - return sk_X509_ATTRIBUTE_num(x); -} - -int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid, - int lastpos) { - const ASN1_OBJECT *obj = OBJ_nid2obj(nid); - if (obj == NULL) { - return -1; - } - return X509at_get_attr_by_OBJ(x, obj, lastpos); -} - -int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, - const ASN1_OBJECT *obj, int lastpos) { - int n; - X509_ATTRIBUTE *ex; - - if (sk == NULL) { - return -1; - } - lastpos++; - if (lastpos < 0) { - lastpos = 0; - } - n = sk_X509_ATTRIBUTE_num(sk); - for (; lastpos < n; lastpos++) { - ex = sk_X509_ATTRIBUTE_value(sk, lastpos); - if (OBJ_cmp(ex->object, obj) == 0) { - return lastpos; - } - } - return -1; -} - -X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc) { - if (x == NULL || loc < 0 || sk_X509_ATTRIBUTE_num(x) <= (size_t)loc) { - return NULL; - } else { - return sk_X509_ATTRIBUTE_value(x, loc); - } -} - -X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc) { - X509_ATTRIBUTE *ret; - - if (x == NULL || loc < 0 || sk_X509_ATTRIBUTE_num(x) <= (size_t)loc) { - return NULL; - } - ret = sk_X509_ATTRIBUTE_delete(x, loc); - return ret; -} - -STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x, - X509_ATTRIBUTE *attr) { - X509_ATTRIBUTE *new_attr = NULL; - STACK_OF(X509_ATTRIBUTE) *sk = NULL; - - if (x == NULL) { - OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER); - goto err; - } - - if (*x == NULL) { - if ((sk = sk_X509_ATTRIBUTE_new_null()) == NULL) { - goto err; - } - } else { - sk = *x; - } - - if ((new_attr = X509_ATTRIBUTE_dup(attr)) == NULL) { - goto err; - } - if (!sk_X509_ATTRIBUTE_push(sk, new_attr)) { - goto err; - } - if (*x == 
NULL) { - *x = sk; - } - return sk; -err: - if (new_attr != NULL) { - X509_ATTRIBUTE_free(new_attr); - } - if (sk != NULL) { - sk_X509_ATTRIBUTE_free(sk); - } - return NULL; -} - -STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x, - const ASN1_OBJECT *obj, - int type, - const unsigned char *bytes, - int len) { - X509_ATTRIBUTE *attr; - STACK_OF(X509_ATTRIBUTE) *ret; - attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, type, bytes, len); - if (!attr) { - return 0; - } - ret = X509at_add1_attr(x, attr); - X509_ATTRIBUTE_free(attr); - return ret; -} - -STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x, - int nid, int type, - const unsigned char *bytes, - int len) { - X509_ATTRIBUTE *attr; - STACK_OF(X509_ATTRIBUTE) *ret; - attr = X509_ATTRIBUTE_create_by_NID(NULL, nid, type, bytes, len); - if (!attr) { - return 0; - } - ret = X509at_add1_attr(x, attr); - X509_ATTRIBUTE_free(attr); - return ret; -} - -STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x, - const char *attrname, - int type, - const unsigned char *bytes, - int len) { - X509_ATTRIBUTE *attr; - STACK_OF(X509_ATTRIBUTE) *ret; - attr = X509_ATTRIBUTE_create_by_txt(NULL, attrname, type, bytes, len); - if (!attr) { - return 0; - } - ret = X509at_add1_attr(x, attr); - X509_ATTRIBUTE_free(attr); - return ret; -} - X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, int attrtype, const void *data, int len) { diff --git a/src/crypto/x509/x509_req.c b/src/crypto/x509/x509_req.c index 8734897f..69eb63c2 100644 --- a/src/crypto/x509/x509_req.c +++ b/src/crypto/x509/x509_req.c 
@@ -160,62 +160,111 @@ int X509_REQ_add_extensions(X509_REQ *req, return X509_REQ_add_extensions_nid(req, exts, NID_ext_req); } -// Request attribute functions - int X509_REQ_get_attr_count(const X509_REQ *req) { - return X509at_get_attr_count(req->req_info->attributes); + return sk_X509_ATTRIBUTE_num(req->req_info->attributes); } int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos) { - return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos); + const ASN1_OBJECT *obj = OBJ_nid2obj(nid); + if (obj == NULL) { + return -1; + } + return X509_REQ_get_attr_by_OBJ(req, obj, lastpos); } int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj, int lastpos) { - return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos); + if (req->req_info->attributes == NULL) { + return -1; + } + lastpos++; + if (lastpos < 0) { + lastpos = 0; + } + int n = sk_X509_ATTRIBUTE_num(req->req_info->attributes); + for (; lastpos < n; lastpos++) { + const X509_ATTRIBUTE *attr = + sk_X509_ATTRIBUTE_value(req->req_info->attributes, lastpos); + if (OBJ_cmp(attr->object, obj) == 0) { + return lastpos; + } + } + return -1; } X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc) { - return X509at_get_attr(req->req_info->attributes, loc); + if (req->req_info->attributes == NULL || loc < 0 || + sk_X509_ATTRIBUTE_num(req->req_info->attributes) <= (size_t)loc) { + return NULL; + } + return sk_X509_ATTRIBUTE_value(req->req_info->attributes, loc); } X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc) { - return X509at_delete_attr(req->req_info->attributes, loc); + if (req->req_info->attributes == NULL || loc < 0 || + sk_X509_ATTRIBUTE_num(req->req_info->attributes) <= (size_t)loc) { + return NULL; + } + return sk_X509_ATTRIBUTE_delete(req->req_info->attributes, loc); } -int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr) { - if (X509at_add1_attr(&req->req_info->attributes, attr)) { - return 1; +static int 
X509_REQ_add0_attr(X509_REQ *req, X509_ATTRIBUTE *attr) { + if (req->req_info->attributes == NULL) { + req->req_info->attributes = sk_X509_ATTRIBUTE_new_null(); } - return 0; + if (req->req_info->attributes == NULL || + !sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) { + return 0; + } + + return 1; +} + +int X509_REQ_add1_attr(X509_REQ *req, const X509_ATTRIBUTE *attr) { + X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_dup(attr); + if (new_attr == NULL || !X509_REQ_add0_attr(req, new_attr)) { + X509_ATTRIBUTE_free(new_attr); + return 0; + } + + return 1; } int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, const ASN1_OBJECT *obj, int attrtype, const unsigned char *data, int len) { - if (X509at_add1_attr_by_OBJ(&req->req_info->attributes, obj, attrtype, data, - len)) { - return 1; + X509_ATTRIBUTE *attr = + X509_ATTRIBUTE_create_by_OBJ(NULL, obj, attrtype, data, len); + if (attr == NULL || !X509_REQ_add0_attr(req, attr)) { + X509_ATTRIBUTE_free(attr); + return 0; } - return 0; + + return 1; } int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, int attrtype, const unsigned char *data, int len) { - if (X509at_add1_attr_by_NID(&req->req_info->attributes, nid, attrtype, data, - len)) { - return 1; + X509_ATTRIBUTE *attr = + X509_ATTRIBUTE_create_by_NID(NULL, nid, attrtype, data, len); + if (attr == NULL || !X509_REQ_add0_attr(req, attr)) { + X509_ATTRIBUTE_free(attr); + return 0; } - return 0; + + return 1; } int X509_REQ_add1_attr_by_txt(X509_REQ *req, const char *attrname, int attrtype, const unsigned char *data, int len) { - if (X509at_add1_attr_by_txt(&req->req_info->attributes, attrname, attrtype, - data, len)) { - return 1; + X509_ATTRIBUTE *attr = + X509_ATTRIBUTE_create_by_txt(NULL, attrname, attrtype, data, len); + if (attr == NULL || !X509_REQ_add0_attr(req, attr)) { + X509_ATTRIBUTE_free(attr); + return 0; } - return 0; + + return 1; } void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig, 
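Review bot: `X509_REQ_add0_attr` has no comment on ownership, yet all four `add1` callers depend on it: the helper keeps `attr` only when it returns 1, and on 0 the caller must free it, which each caller does with `X509_ATTRIBUTE_free(attr)`. I would add `// X509_REQ_add0_attr appends |attr| to |req|, taking ownership on success. On failure it returns zero and the caller retains ownership.` above the helper. Separately, `X509_REQ_get_attr` and `X509_REQ_delete_attr` repeat the same three-part bounds test on `loc`; a small static helper would keep the two from drifting apart. `X509_REQ_delete_attr` hands the removed attribute back to the caller, so its declaration (outside this file section) should say the caller must free it.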
diff --git a/src/crypto/x509/x509_test.cc b/src/crypto/x509/x509_test.cc index 530c24d5..404ce5ba 100644 --- a/src/crypto/x509/x509_test.cc +++ b/src/crypto/x509/x509_test.cc @@ -2048,7 +2048,12 @@ TEST(X509Test, SignCertificate) { ASSERT_TRUE( X509_set1_signature_value(cert.get(), sig.data(), sig.size())); } else { - ASSERT_TRUE(X509_sign(cert.get(), pkey.get(), EVP_sha384())); + int ret = X509_sign(cert.get(), pkey.get(), EVP_sha384()); + ASSERT_GT(ret, 0); + // |X509_sign| returns the length of the signature on success. + const ASN1_BIT_STRING *sig; + X509_get0_signature(&sig, /*out_alg=*/nullptr, cert.get()); + EXPECT_EQ(ret, ASN1_STRING_length(sig)); } // Check the signature. 
@@ -4702,50 +4707,35 @@ TEST(X509Test, NamePrint) { "CN = \"Common " "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\", " "CN = \" spaces \""}, - // |XN_FLAG_MULTILINE| is an OpenSSL-specific multi-line format that tries - // to vertically align the equal sizes. The vertical alignment doesn't - // quite handle multi-valued RDNs right and uses a non-RFC-2253 escaping. + // Callers can also customize the output, with both |XN_FLAG_*| and + // |ASN1_STRFLGS_*|. |XN_FLAG_SEP_SPLUS_SPC| uses semicolon separators. {/*indent=*/0, - /*flags=*/XN_FLAG_MULTILINE, - "countryName = US\n" - "stateOrProvinceName = Some State + " - "stateOrProvinceName = Some Other State \\U2603 + " - "stateOrProvinceName = Another State \\U2603 + " - "1.2.840.113554.4.1.72585.2 = \\U2603\n" - "1.2.840.113554.4.1.72585.3 = 0\\06\\02\\01\\01\\02\\01\\02\n" - "organizationName = Org Name\n" - "commonName = Common " - "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\n" - "commonName = spaces "}, - // The multiline format indents every line. - {/*indent=*/2, - /*flags=*/XN_FLAG_MULTILINE, - " countryName = US\n" - " stateOrProvinceName = Some State + " - "stateOrProvinceName = Some Other State \\U2603 + " - "stateOrProvinceName = Another State \\U2603 + " - "1.2.840.113554.4.1.72585.2 = \\U2603\n" - " 1.2.840.113554.4.1.72585.3 = 0\\06\\02\\01\\01\\02\\01\\02\n" - " organizationName = Org Name\n" - " commonName = Common " - "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\n" - " commonName = spaces "}, - // Callers can also customize the output, wuith both |XN_FLAG_*| and - // |ASN1_STRFLGS_*|. |XN_FLAG_SEP_SPLUS_SPC| uses semicolon separators and - // |XN_FLAG_FN_OID| forces OIDs. 
- {/*indent=*/0, - /*flags=*/XN_FLAG_SEP_SPLUS_SPC | XN_FLAG_FN_OID | ASN1_STRFLGS_RFC2253 | + /*flags=*/XN_FLAG_SEP_SPLUS_SPC | ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE, - "2.5.4.6=US; " - "2.5.4.8=Some State + " - "2.5.4.8=Some Other State \\E2\\98\\83 + " - "2.5.4.8=Another State \\E2\\98\\83 + " + "C=US; " + "ST=Some State + " + "ST=Some Other State \\E2\\98\\83 + " + "ST=Another State \\E2\\98\\83 + " "1.2.840.113554.4.1.72585.2=\\E2\\98\\83; " "1.2.840.113554.4.1.72585.3=#3006020101020102; " - "2.5.4.10=Org Name; " - "2.5.4.3=\"Common " + "O=Org Name; " + "CN=\"Common " "Name/CN=A/CN=B,CN=A,CN=B+CN=A+CN=B;CN=A;CN=B\\0ACN=A\\0A\"; " - "2.5.4.3=\" spaces \""}, + "CN=\" spaces \""}, + // Node uses these parameters. + {/*indent=*/0, + /*flags=*/ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | + ASN1_STRFLGS_UTF8_CONVERT | XN_FLAG_SEP_MULTILINE | XN_FLAG_FN_SN, + "C=US\n" + "ST=Some State + " + "ST=Some Other State \xE2\x98\x83 + " + "ST=Another State \xE2\x98\x83 + " + "1.2.840.113554.4.1.72585.2=\xE2\x98\x83\n" + "1.2.840.113554.4.1.72585.3=0\\06\\02\\01\\01\\02\\01\\02\n" + "O=Org Name\n" + "CN=Common " + "Name/CN=A/CN=B\\,CN=A\\,CN=B\\+CN=A\\+CN=B\\;CN=A\\;CN=B\\0ACN=A\\0A\n" + "CN=\\ spaces\\ "}, // |XN_FLAG_COMPAT| matches |X509_NAME_print|, rather than // |X509_NAME_print_ex|. // diff --git a/src/crypto/x509v3/v3_lib.c b/src/crypto/x509v3/v3_lib.c index 52528eac..61cbeea2 100644 --- a/src/crypto/x509v3/v3_lib.c +++ b/src/crypto/x509v3/v3_lib.c @@ -141,6 +141,7 @@ int X509V3_EXT_free(int nid, void *ext_data) { } int X509V3_EXT_add_alias(int nid_to, int nid_from) { +OPENSSL_BEGIN_ALLOW_DEPRECATED const X509V3_EXT_METHOD *ext; X509V3_EXT_METHOD *tmpext; @@ -159,6 +160,7 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from) { return 0; } return 1; +OPENSSL_END_ALLOW_DEPRECATED } // Legacy function: we don't need to add standard extensions any more because diff --git a/src/include/openssl/aead.h b/src/include/openssl/aead.h index 131cfecd..26338800 100644 
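Review bot: The `OPENSSL_BEGIN_ALLOW_DEPRECATED` / `OPENSSL_END_ALLOW_DEPRECATED` pair in `X509V3_EXT_add_alias` wraps the whole function body, and neither hunk says which call the suppression is for. Any deprecated call added to this function later would be silenced as well. A short comment after the opening macro would record the reason, for example `// Suppresses the deprecation warning for <deprecated call>; keep this region as small as possible.` with the placeholder replaced by the actual function. The middle of the body lies between the two hunks and is not visible here, so the call cannot be named from this diff alone. The closing macro in the second hunk (`@@ -159,6 +160,7 @@`) sits after `return 1;`, which is harmless for a pragma but worth a glance when narrowing the region.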
--- a/src/include/openssl/aead.h +++ b/src/include/openssl/aead.h @@ -408,8 +408,6 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void); OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void); OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void); -OPENSSL_EXPORT const EVP_AEAD *EVP_aead_null_sha1_tls(void); - // EVP_aead_aes_128_gcm_tls12 is AES-128 in Galois Counter Mode using the TLS // 1.2 nonce construction. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void); diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h index fb1815f8..80d18a78 100644 --- a/src/include/openssl/base.h +++ b/src/include/openssl/base.h @@ -221,6 +221,33 @@ extern "C" { #endif // defined(BORINGSSL_SHARED_LIBRARY) +#if defined(_MSC_VER) + +// OPENSSL_DEPRECATED is used to mark a function as deprecated. Use +// of any functions so marked in caller code will produce a warning. +// OPENSSL_BEGIN_ALLOW_DEPRECATED and OPENSSL_END_ALLOW_DEPRECATED +// can be used to suppress the warning in regions of caller code. +#define OPENSSL_DEPRECATED __declspec(deprecated) +#define OPENSSL_BEGIN_ALLOW_DEPRECATED \ + __pragma(warning(push)) __pragma(warning(disable : 4996)) +#define OPENSSL_END_ALLOW_DEPRECATED __pragma(warning(pop)) + +#elif defined(__GNUC__) || defined(__clang__) + +#define OPENSSL_DEPRECATED __attribute__((__deprecated__)) +#define OPENSSL_BEGIN_ALLOW_DEPRECATED \ + _Pragma("GCC diagnostic push") \ + _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"") +#define OPENSSL_END_ALLOW_DEPRECATED _Pragma("GCC diagnostic pop") + +#else + +#define OPENSSL_DEPRECATED +#define OPENSSL_BEGIN_ALLOW_DEPRECATED +#define OPENSSL_END_ALLOW_DEPRECATED + +#endif + #if defined(__GNUC__) || defined(__clang__) // MinGW has two different printf implementations. Ensure the format macro diff --git a/src/include/openssl/bio.h b/src/include/openssl/bio.h index abe7aec9..707a4b15 100644 
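Review bot: The comment describing `OPENSSL_DEPRECATED`, `OPENSSL_BEGIN_ALLOW_DEPRECATED` and `OPENSSL_END_ALLOW_DEPRECATED` sits inside the `#if defined(_MSC_VER)` branch in `base.h`, so it reads as MSVC-only documentation. The GCC/Clang and fallback branches define the same three macros. Moving the comment above the `#if` would fix that, and it is worth adding one sentence such as `// On other compilers these macros expand to nothing, so no warning is produced.` Without it, a project built with such a compiler may assume it is being warned about deprecated calls when it is not.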
--- a/src/include/openssl/bio.h +++ b/src/include/openssl/bio.h @@ -873,7 +873,6 @@ struct bio_st { #define BIO_C_GET_FILE_PTR 107 #define BIO_C_SET_FILENAME 108 #define BIO_C_SET_SSL 109 -#define BIO_C_GET_SSL 110 #define BIO_C_SET_MD 111 #define BIO_C_GET_MD 112 #define BIO_C_GET_CIPHER_STATUS 113 @@ -887,9 +886,6 @@ struct bio_st { #define BIO_C_GET_PROXY_PARAM 121 #define BIO_C_SET_BUFF_READ_DATA 122 // data to read first #define BIO_C_GET_ACCEPT 124 -#define BIO_C_SET_SSL_RENEGOTIATE_BYTES 125 -#define BIO_C_GET_SSL_NUM_RENEGOTIATES 126 -#define BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT 127 #define BIO_C_FILE_SEEK 128 #define BIO_C_GET_CIPHER_CTX 129 #define BIO_C_SET_BUF_MEM_EOF_RETURN 130 // return end of input value diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h index da78d1a5..5b5e3feb 100644 --- a/src/include/openssl/ssl.h +++ b/src/include/openssl/ssl.h @@ -1449,9 +1449,6 @@ OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, // // |SHA1|, and its alias |SHA|, match legacy cipher suites using HMAC-SHA1. // -// Although implemented, authentication-only ciphers match no rules and must be -// explicitly selected by name. -// // Deprecated cipher rules: // // |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|, 
@@ -2410,21 +2407,51 @@ OPENSSL_EXPORT int SSL_set1_groups_list(SSL *ssl, const char *groups); // SSL_CTX_set_verify configures certificate verification behavior. |mode| is // one of the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is -// used to customize certificate verification. See the behavior of -// |X509_STORE_CTX_set_verify_cb|. +// used to customize certificate verification, but is deprecated. See +// |X509_STORE_CTX_set_verify_cb| for details. // // The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with // |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. +// +// WARNING: |callback| should be NULL. This callback does not replace the +// default certificate verification process and is, instead, called multiple +// times in the course of that process. It is very difficult to implement this +// callback safely, without inadvertently relying on implementation details or +// making incorrect assumptions about when the callback is called. +// +// Instead, use |SSL_CTX_set_custom_verify| or +// |SSL_CTX_set_cert_verify_callback| to customize certificate verification. +// Those callbacks can inspect the peer-sent chain, call |X509_verify_cert| and +// inspect the result, or perform other operations more straightforwardly. +// +// TODO(crbug.com/boringssl/426): We cite |X509_STORE_CTX_set_verify_cb| but +// haven't documented it yet. Later that will have a more detailed warning about +// why one should not use this callback. OPENSSL_EXPORT void SSL_CTX_set_verify( SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx)); // SSL_set_verify configures certificate verification behavior. |mode| is one of // the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is used to -// customize certificate verification. See the behavior of +// customize certificate verification, but is deprecated. See the behavior of // |X509_STORE_CTX_set_verify_cb|. 
// // The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with // |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. +// +// WARNING: |callback| should be NULL. This callback does not replace the +// default certificate verification process and is, instead, called multiple +// times in the course of that process. It is very difficult to implement this +// callback safely, without inadvertently relying on implementation details or +// making incorrect assumptions about when the callback is called. +// +// Instead, use |SSL_set_custom_verify| or |SSL_CTX_set_cert_verify_callback| to +// customize certificate verification. Those callbacks can inspect the peer-sent +// chain, call |X509_verify_cert| and inspect the result, or perform other +// operations more straightforwardly. +// +// TODO(crbug.com/boringssl/426): We cite |X509_STORE_CTX_set_verify_cb| but +// haven't documented it yet. Later that will have a more detailed warning about +// why one should not use this callback. OPENSSL_EXPORT void SSL_set_verify(SSL *ssl, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx)); @@ -5160,6 +5187,10 @@ OPENSSL_EXPORT uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher); // parameters of a TLS connection. enum ssl_compliance_policy_t BORINGSSL_ENUM_INT { + // ssl_compliance_policy_none does nothing. However, since setting this + // doesn't undo other policies it's an error to try and set it. + ssl_compliance_policy_none, + // ssl_policy_fips_202205 configures a TLS connection to use: // * TLS 1.2 or 1.3 // * For TLS 1.2, only ECDHE_[RSA|ECDSA]_WITH_AES_*_GCM_SHA*. 
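Review bot: The new WARNING on `SSL_CTX_set_verify` and `SSL_set_verify` says the callback is hard to implement safely but does not name the most consequential mistake. As far as I understand the `X509_STORE_CTX_set_verify_cb` contract, a callback that returns one when |ok| is zero causes that verification error to be ignored. A sentence like `// In particular, returning one when |ok| is zero discards the error and may accept an invalid chain.` would make the risk concrete; this should be confirmed against the implementation before it goes in. Separately, the two comments now differ in wording (`See |X509_STORE_CTX_set_verify_cb| for details.` versus `See the behavior of |X509_STORE_CTX_set_verify_cb|.`) and could use the same sentence.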
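Review bot: Adding `ssl_compliance_policy_none` as the first enumerator of `ssl_compliance_policy_t` appears to shift the implicit value of `ssl_compliance_policy_fips_202205` from 0 to 1, since no enumerator visible in this hunk has an explicit value. Code built against the older header, or code that stores the policy as an integer in configuration, would then pass 0 and reach the new "none" case. Writing the values out, e.g. `ssl_compliance_policy_none = 0,` and `ssl_compliance_policy_fips_202205 = 1,`, documents the change and keeps later insertions from renumbering again. The enum body continues past this hunk.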
@@ -5174,12 +5205,32 @@ enum ssl_compliance_policy_t BORINGSSL_ENUM_INT { // Note: this setting aids with compliance with NIST requirements but does not // guarantee it. Careful reading of SP 800-52r2 is recommended. ssl_compliance_policy_fips_202205, + + // ssl_compliance_policy_wpa3_192_202304 configures a TLS connection to use: + // * TLS 1.2 or 1.3. + // * For TLS 1.2, only TLS_ECDHE_[ECDSA|RSA]_WITH_AES_256_GCM_SHA384. + // * For TLS 1.3, only AES-256-GCM. + // * P-384 for key agreement. + // * For handshake signatures, only ECDSA with P-384 and SHA-384, or RSA + // with SHA-384 or SHA-512. + // + // No limitations on the certificate chain nor leaf public key are imposed, + // other than by the supported signature algorithms. But WPA3's "192-bit" + // mode requires at least P-384 or 3072-bit along the chain. The caller must + // enforce this themselves on the verified chain using functions such as + // `X509_STORE_CTX_get0_chain`. + // + // Note that this setting is less secure than the default. The + // implementation risks of using a more obscure primitive like P-384 + // dominate other considerations. + ssl_compliance_policy_wpa3_192_202304, }; // SSL_CTX_set_compliance_policy configures various aspects of |ctx| based on // the given policy requirements. Subsequently calling other functions that // configure |ctx| may override |policy|, or may not. This should be the final -// configuration function called in order to have defined behaviour. +// configuration function called in order to have defined behaviour. It's a +// fatal error if |policy| is |ssl_compliance_policy_none|. OPENSSL_EXPORT int SSL_CTX_set_compliance_policy( SSL_CTX *ctx, enum ssl_compliance_policy_t policy); diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h index 2ab7564b..8deb767e 100644 --- a/src/include/openssl/x509.h +++ b/src/include/openssl/x509.h 
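Review bot: "It's a fatal error if |policy| is |ssl_compliance_policy_none|" in the `SSL_CTX_set_compliance_policy` comment does not say whether the function returns zero or aborts the process, and the function returns `int`. If it returns zero, say so: `// It returns one on success and zero on error, including when |policy| is |ssl_compliance_policy_none|.` The return value is otherwise undocumented in the visible comment. In the `ssl_compliance_policy_wpa3_192_202304` text, "at least P-384 or 3072-bit along the chain" leaves out the key type for the 3072-bit case (presumably RSA). That precision matters because the chain check is left to the caller.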
@@ -277,6 +277,12 @@ OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509); // |i2d_re_X509_tbs| instead. OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp); +// X509_verify checks that |x509| has a valid signature by |pkey|. It returns +// one if the signature is valid and zero otherwise. Note this function only +// checks the signature itself and does not perform a full certificate +// validation. +OPENSSL_EXPORT int X509_verify(X509 *x509, EVP_PKEY *pkey); + // Issuing certificates. // 
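Review bot: The `X509_verify` comment warns that the function is not a full certificate validation but does not say what to call instead. Adding `// Use |X509_verify_cert| to validate a certificate chain.` after the last sentence would steer callers away from treating a return of one as "this certificate is trusted". The `X509_CRL_verify` and `X509_REQ_verify` comments added in later hunks only state the return values and could likewise say that only the signature is checked.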
@@ -342,16 +348,17 @@ OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc); OPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc); // X509_sign signs |x509| with |pkey| and replaces the signature algorithm and -// signature fields. It returns one on success and zero on error. This function -// uses digest algorithm |md|, or |pkey|'s default if NULL. Other signing -// parameters use |pkey|'s defaults. To customize them, use |X509_sign_ctx|. +// signature fields. It returns the length of the signature on success and zero +// on error. This function uses digest algorithm |md|, or |pkey|'s default if +// NULL. Other signing parameters use |pkey|'s defaults. To customize them, use +// |X509_sign_ctx|. OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md); // X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm -// and signature fields. It returns one on success and zero on error. The -// signature algorithm and parameters come from |ctx|, which must have been -// initialized with |EVP_DigestSignInit|. The caller should configure the -// corresponding |EVP_PKEY_CTX| before calling this function. +// and signature fields. It returns the length of the signature on success and +// zero on error. The signature algorithm and parameters come from |ctx|, which +// must have been initialized with |EVP_DigestSignInit|. The caller should +// configure the corresponding |EVP_PKEY_CTX| before calling this function. OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx); // i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described 
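Review bot: The comments for `X509_sign` and `X509_sign_ctx` now document the return value as the signature length, where the removed text said "one on success". Existing callers that test `== 1` would therefore treat a successful signing as a failure. A sentence in the comment, e.g. `// Callers should check for a non-zero return rather than comparing against one.`, would flag this; the `ASSERT_GT(ret, 0)` change to `x509_test.cc` in this commit shows the intended pattern. The same note applies to the `X509_CRL_sign`, `X509_CRL_sign_ctx`, `X509_REQ_sign`, `X509_REQ_sign_ctx` and `NETSCAPE_SPKI_sign` comments changed in later hunks.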
@@ -576,6 +583,10 @@ OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl); // instead. OPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp); +// X509_CRL_verify checks that |crl| has a valid signature by |pkey|. It returns +// one if the signature is valid and zero otherwise. +OPENSSL_EXPORT int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey); + // Issuing certificate revocation lists. // 
@@ -624,18 +635,18 @@ OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex, int loc); // X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm -// and signature fields. It returns one on success and zero on error. This -// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other -// signing parameters use |pkey|'s defaults. To customize them, use -// |X509_CRL_sign_ctx|. +// and signature fields. It returns the length of the signature on success and +// zero on error. This function uses digest algorithm |md|, or |pkey|'s default +// if NULL. Other signing parameters use |pkey|'s defaults. To customize them, +// use |X509_CRL_sign_ctx|. OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey, const EVP_MD *md); // X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm -// and signature fields. It returns one on success and zero on error. The -// signature algorithm and parameters come from |ctx|, which must have been -// initialized with |EVP_DigestSignInit|. The caller should configure the -// corresponding |EVP_PKEY_CTX| before calling this function. +// and signature fields. It returns the length of the signature on success and +// zero on error. The signature algorithm and parameters come from |ctx|, which +// must have been initialized with |EVP_DigestSignInit|. The caller should +// configure the corresponding |EVP_PKEY_CTX| before calling this function. OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx); // i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described @@ -710,7 +721,6 @@ OPENSSL_EXPORT X509_REQ *d2i_X509_REQ(X509_REQ **out, const uint8_t **inp, // mutated. OPENSSL_EXPORT int i2d_X509_REQ(X509_REQ *req, uint8_t **outp); - // X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. No other // versions are defined. #define X509_REQ_VERSION_1 0 
@@ -731,6 +741,46 @@ OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); // |EVP_PKEY_free| when done. OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); +// X509_REQ_get_attr_count returns the number of attributes in |req|. +OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req); + +// X509_REQ_get_attr returns the attribute at index |loc| in |req|, or NULL if +// out of bounds. +OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc); + +// X509_REQ_get_attr_by_NID returns the index of the attribute in |req| of type +// |nid|, or a negative number if not found. If found, callers can use +// |X509_REQ_get_attr| to look up the attribute by index. +// +// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers +// can thus loop over all matching attributes by first passing -1 and then +// passing the previously-returned value until no match is returned. +OPENSSL_EXPORT int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, + int lastpos); + +// X509_REQ_get_attr_by_OBJ behaves like |X509_REQ_get_attr_by_NID| but looks +// for attributes of type |obj|. +OPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, + const ASN1_OBJECT *obj, + int lastpos); + +// X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type +// for carrying extensions and zero otherwise. The supported types are +// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req| +// (a Microsoft szOID_CERT_EXTENSIONS variant). +OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); + +// X509_REQ_get_extensions decodes the list of requested extensions in |req| and +// returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result. +// It returns NULL on error, or if |req| did not request extensions. +// +// CSRs do not store extensions directly. Instead there are attribute types +// which are defined to hold extensions. See |X509_REQ_extension_nid|. 
This +// function supports both pkcs-9-at-extensionRequest from RFC 2985 and the +// Microsoft szOID_CERT_EXTENSIONS variant. If both are present, +// pkcs-9-at-extensionRequest is preferred. +OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req); + // X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and // signature algorithm of |req|, respectively. Either output pointer may be NULL // to ignore the value. @@ -743,6 +793,10 @@ OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req, // a known NID. OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req); +// X509_REQ_verify checks that |req| has a valid signature by |pkey|. It returns +// one if the signature is valid and zero otherwise. +OPENSSL_EXPORT int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey); + // Issuing certificate requests. // 
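Review bot: `X509_REQ_get_extensions` is documented as returning NULL both on error and when |req| requested no extensions. A caller therefore cannot tell a malformed extension request from an absent one by the return value alone. The comment should say how to distinguish the two, or tell callers that require extensions to treat NULL as a failure. One possible wording is `// Callers that must reject malformed requests should first check for the attribute with |X509_REQ_get_attr_by_NID|.` Whether that is the intended way to tell the cases apart is an assumption to confirm against the implementation.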
@@ -770,19 +824,68 @@ OPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name); // and internally copies and updates reference counts as needed. OPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey); +// X509_REQ_delete_attr removes the attribute at index |loc| in |req|. It +// returns the removed attribute to the caller, or NULL if |loc| was out of +// bounds. If non-NULL, the caller must release the result with +// |X509_ATTRIBUTE_free| when done. It is also safe, but not necessary, to call +// |X509_ATTRIBUTE_free| if the result is NULL. +OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc); + +// X509_REQ_add1_attr appends a copy of |attr| to |req|'s list of attributes. It +// returns one on success and zero on error. +OPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req, + const X509_ATTRIBUTE *attr); + +// X509_REQ_add1_attr_by_OBJ appends a new attribute to |req| with type |obj|. +// It returns one on success and zero on error. The value is determined by +// |X509_ATTRIBUTE_set1_data|. +// +// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and +// error-prone. See |X509_ATTRIBUTE_set1_data| for details. +OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, + const ASN1_OBJECT *obj, + int attrtype, + const unsigned char *data, + int len); + +// X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the +// attribute type is determined by |nid|. +OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, + int attrtype, + const unsigned char *data, + int len); + +// X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the +// attribute type is determined by calling |OBJ_txt2obj| with |attrname|. 
+OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req, + const char *attrname, int attrtype, + const unsigned char *data, + int len); + +// X509_REQ_add_extensions_nid adds an attribute to |req| of type |nid|, to +// request the certificate extensions in |exts|. It returns one on success and +// zero on error. |nid| should be |NID_ext_req| or |NID_ms_ext_req|. +OPENSSL_EXPORT int X509_REQ_add_extensions_nid( + X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts, int nid); + +// X509_REQ_add_extensions behaves like |X509_REQ_add_extensions_nid|, using the +// standard |NID_ext_req| for the attribute type. +OPENSSL_EXPORT int X509_REQ_add_extensions( + X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts); + // X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm -// and signature fields. It returns one on success and zero on error. This -// function uses digest algorithm |md|, or |pkey|'s default if NULL. Other -// signing parameters use |pkey|'s defaults. To customize them, use -// |X509_REQ_sign_ctx|. +// and signature fields. It returns the length of the signature on success and +// zero on error. This function uses digest algorithm |md|, or |pkey|'s default +// if NULL. Other signing parameters use |pkey|'s defaults. To customize them, +// use |X509_REQ_sign_ctx|. OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey, const EVP_MD *md); // X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm -// and signature fields. It returns one on success and zero on error. The -// signature algorithm and parameters come from |ctx|, which must have been -// initialized with |EVP_DigestSignInit|. The caller should configure the -// corresponding |EVP_PKEY_CTX| before calling this function. +// and signature fields. It returns the length of the signature on success and +// zero on error. The signature algorithm and parameters come from |ctx|, which +// must have been initialized with |EVP_DigestSignInit|. 
The caller should +// configure the corresponding |EVP_PKEY_CTX| before calling this function. OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx); // i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986) 
@@ -1296,11 +1399,442 @@ OPENSSL_EXPORT void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); +// Attributes. +// +// Unlike certificates and CRLs, CSRs use a separate Attribute structure (RFC +// 2985, RFC 2986) for extensibility. This is represented by the library as +// |X509_ATTRIBUTE|. + +DEFINE_STACK_OF(X509_ATTRIBUTE) + +// X509_ATTRIBUTE is an |ASN1_ITEM| whose ASN.1 type is Attribute (RFC 2986) and +// C type is |X509_ATTRIBUTE*|. +DECLARE_ASN1_ITEM(X509_ATTRIBUTE) + +// X509_ATTRIBUTE_new returns a newly-allocated, empty |X509_ATTRIBUTE| object, +// or NULL on error. |X509_ATTRIBUTE_set1_*| may be used to finish initializing +// it. +OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_new(void); + +// X509_ATTRIBUTE_dup returns a newly-allocated copy of |attr|, or NULL on +// error. This function works by serializing the structure, so if |attr| is +// incomplete, it may fail. +OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(const X509_ATTRIBUTE *attr); + +// X509_ATTRIBUTE_free releases memory associated with |attr|. +OPENSSL_EXPORT void X509_ATTRIBUTE_free(X509_ATTRIBUTE *attr); + +// d2i_X509_ATTRIBUTE parses up to |len| bytes from |*inp| as a DER-encoded +// Attribute (RFC 2986), as described in |d2i_SAMPLE|. +OPENSSL_EXPORT X509_ATTRIBUTE *d2i_X509_ATTRIBUTE(X509_ATTRIBUTE **out, + const uint8_t **inp, + long len); + +// i2d_X509_ATTRIBUTE marshals |alg| as a DER-encoded Attribute (RFC 2986), as +// described in |i2d_SAMPLE|. +OPENSSL_EXPORT int i2d_X509_ATTRIBUTE(const X509_ATTRIBUTE *alg, + uint8_t **outp); + +// X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on +// error. The attribute has type |nid| and contains a single value determined by +// |attrtype| and |value|, which are interpreted as in |ASN1_TYPE_set|. Note +// this function takes ownership of |value|. 
+OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype, + void *value); + +// X509_ATTRIBUTE_create_by_NID returns a newly-allocated |X509_ATTRIBUTE| of +// type |nid|, or NULL on error. The value is determined as in +// |X509_ATTRIBUTE_set1_data|. +// +// If |attr| is non-NULL, the resulting |X509_ATTRIBUTE| is also written to +// |*attr|. If |*attr| was non-NULL when the function was called, |*attr| is +// reused instead of creating a new object. +// +// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and +// error-prone. See |X509_ATTRIBUTE_set1_data| for details. +// +// WARNING: The object reuse form is deprecated and may be removed in the +// future. It also currently incorrectly appends to the reused object's value +// set rather than overwriting it. +OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID( + X509_ATTRIBUTE **attr, int nid, int attrtype, const void *data, int len); + +// X509_ATTRIBUTE_create_by_OBJ behaves like |X509_ATTRIBUTE_create_by_NID| +// except the attribute's type is determined by |obj|. +OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ( + X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, int attrtype, + const void *data, int len); + +// X509_ATTRIBUTE_create_by_txt behaves like |X509_ATTRIBUTE_create_by_NID| +// except the attribute's type is determined by calling |OBJ_txt2obj| with +// |attrname|. +OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt( + X509_ATTRIBUTE **attr, const char *attrname, int type, + const unsigned char *bytes, int len); + +// X509_ATTRIBUTE_set1_object sets |attr|'s type to |obj|. It returns one on +// success and zero on error. +OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, + const ASN1_OBJECT *obj); + +// X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns +// one on success or zero on error. 
The value is determined as follows: +// +// If |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1 string. The +// string is determined by decoding |len| bytes from |data| in the encoding +// specified by |attrtype|, and then re-encoding it in a form appropriate for +// |attr|'s type. If |len| is -1, |strlen(data)| is used instead. See +// |ASN1_STRING_set_by_NID| for details. +// +// Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an +// |ASN1_STRING| type value and the |len| bytes from |data| are copied as the +// type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details. +// +// WARNING: If this form is used to construct a negative INTEGER or ENUMERATED, +// |attrtype| includes the |V_ASN1_NEG| flag for |ASN1_STRING|, but the function +// forgets to clear the flag for |ASN1_TYPE|. This matches OpenSSL but is +// probably a bug. For now, do not use this form with negative values. +// +// Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and +// |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value, +// and |data| is cast to the corresponding pointer type. +// +// WARNING: Despite the name, this function appends to |attr|'s value set, +// rather than overwriting it. To overwrite the value set, create a new +// |X509_ATTRIBUTE| with |X509_ATTRIBUTE_new|. +// +// WARNING: If using the |MBSTRING_*| form, pass a length rather than relying on +// |strlen|. In particular, |strlen| will not behave correctly if the input is +// |MBSTRING_BMP| or |MBSTRING_UNIV|. +// +// WARNING: This function currently misinterprets |V_ASN1_OTHER| as an +// |MBSTRING_*| constant. This matches OpenSSL but means it is impossible to +// construct a value with a non-universal tag. 
+OPENSSL_EXPORT int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, + const void *data, int len); + +// X509_ATTRIBUTE_get0_data returns the |idx|th value of |attr| in a +// type-specific representation to |attrtype|, or NULL if out of bounds or the +// type does not match. |attrtype| is one of the type values in |ASN1_TYPE|. On +// match, the return value uses the same representation as |ASN1_TYPE_set0|. See +// |ASN1_TYPE| for details. +OPENSSL_EXPORT void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, + int attrtype, void *unused); + +// X509_ATTRIBUTE_count returns the number of values in |attr|. +OPENSSL_EXPORT int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr); + +// X509_ATTRIBUTE_get0_object returns the type of |attr|. +OPENSSL_EXPORT ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr); + +// X509_ATTRIBUTE_get0_type returns the |idx|th value in |attr|, or NULL if out +// of bounds. Note this function returns one of |attr|'s values, not the type. +OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, + int idx); + + +// SignedPublicKeyAndChallenge structures. +// +// The SignedPublicKeyAndChallenge (SPKAC) is a legacy structure to request +// certificates, primarily in the legacy <keygen> HTML tag. An SPKAC structure +// is represented by a |NETSCAPE_SPKI| structure. +// +// The structure is described in +// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen + +// A Netscape_spki_st, or |NETSCAPE_SPKI|, represents a +// SignedPublicKeyAndChallenge structure. Although this structure contains a +// |spkac| field of type |NETSCAPE_SPKAC|, these are misnamed. The SPKAC is the +// entire structure, not the signed portion. +struct Netscape_spki_st { + NETSCAPE_SPKAC *spkac; + X509_ALGOR *sig_algor; + ASN1_BIT_STRING *signature; +} /* NETSCAPE_SPKI */; + +// NETSCAPE_SPKI is an |ASN1_ITEM| whose ASN.1 type is +// SignedPublicKeyAndChallenge and C type is |NETSCAPE_SPKI*|. 
+DECLARE_ASN1_ITEM(NETSCAPE_SPKI) + +// NETSCAPE_SPKI_new returns a newly-allocated, empty |NETSCAPE_SPKI| object, or +// NULL on error. +OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_new(void); + +// NETSCAPE_SPKI_free releases memory associated with |spki|. +OPENSSL_EXPORT void NETSCAPE_SPKI_free(NETSCAPE_SPKI *spki); + +// d2i_NETSCAPE_SPKI parses up to |len| bytes from |*inp| as a DER-encoded +// SignedPublicKeyAndChallenge structure, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **out, + const uint8_t **inp, long len); + +// i2d_NETSCAPE_SPKI marshals |spki| as a DER-encoded +// SignedPublicKeyAndChallenge structure, as described in |i2d_SAMPLE|. +OPENSSL_EXPORT int i2d_NETSCAPE_SPKI(const NETSCAPE_SPKI *spki, uint8_t **outp); + +// NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It +// returns one if the signature is valid and zero otherwise. +OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey); + +// NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded +// SignedPublicKeyAndChallenge structure. It returns a newly-allocated +// |NETSCAPE_SPKI| structure with the result, or NULL on error. If |len| is 0 or +// negative, the length is calculated with |strlen| and |str| must be a +// NUL-terminated C string. +OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, + ossl_ssize_t len); + +// NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded +// SignedPublicKeyAndChallenge structure. It returns a newly-allocated +// NUL-terminated C string with the result, or NULL on error. The caller must +// release the memory with |OPENSSL_free| when done. +OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki); + +// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an +// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting +// pointer and must call |EVP_PKEY_free| when done. 
+OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki); + +// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one +// on success or zero on error. This function does not take ownership of |pkey|, +// so the caller may continue to manage its lifetime independently of |spki|. +OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki, + EVP_PKEY *pkey); + +// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature +// algorithm and signature fields. It returns the length of the signature on +// success and zero on error. This function uses digest algorithm |md|, or +// |pkey|'s default if NULL. Other signing parameters use |pkey|'s defaults. +OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey, + const EVP_MD *md); + +// A Netscape_spkac_st, or |NETSCAPE_SPKAC|, represents a PublicKeyAndChallenge +// structure. This type is misnamed. The full SPKAC includes the signature, +// which is represented with the |NETSCAPE_SPKI| type. +struct Netscape_spkac_st { + X509_PUBKEY *pubkey; + ASN1_IA5STRING *challenge; +} /* NETSCAPE_SPKAC */; + +// NETSCAPE_SPKAC is an |ASN1_ITEM| whose ASN.1 type is PublicKeyAndChallenge +// and C type is |NETSCAPE_SPKAC*|. +DECLARE_ASN1_ITEM(NETSCAPE_SPKAC) + +// NETSCAPE_SPKAC_new returns a newly-allocated, empty |NETSCAPE_SPKAC| object, +// or NULL on error. +OPENSSL_EXPORT NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void); + +// NETSCAPE_SPKAC_free releases memory associated with |spkac|. +OPENSSL_EXPORT void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *spkac); + +// d2i_NETSCAPE_SPKAC parses up to |len| bytes from |*inp| as a DER-encoded +// PublicKeyAndChallenge structure, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **out, + const uint8_t **inp, + long len); + +// i2d_NETSCAPE_SPKAC marshals |spkac| as a DER-encoded PublicKeyAndChallenge +// structure, as described in |i2d_SAMPLE|. 
+OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac, + uint8_t **outp); + + // Printing functions. // // The following functions output human-readable representations of // X.509-related structures. They should only be used for debugging or logging -// and not parsed programmatically. +// and not parsed programmatically. In many cases, the outputs are ambiguous, so +// attempting to parse them can lead to string injection vulnerabilities. + +// The following flags control |X509_print_ex| and |X509_REQ_print_ex|. + +// X509_FLAG_COMPAT disables all flags. It additionally causes names to be +// printed with a 16-byte indent. +#define X509_FLAG_COMPAT 0 + +// X509_FLAG_NO_HEADER skips a header identifying the type of object printed. +#define X509_FLAG_NO_HEADER 1L + +// X509_FLAG_NO_VERSION skips printing the X.509 version number. +#define X509_FLAG_NO_VERSION (1L << 1) + +// X509_FLAG_NO_SERIAL skips printing the serial number. It is ignored in +// |X509_REQ_print_fp|. +#define X509_FLAG_NO_SERIAL (1L << 2) + +// X509_FLAG_NO_SIGNAME skips printing the signature algorithm in the +// TBSCertificate. It is ignored in |X509_REQ_print_fp|. +#define X509_FLAG_NO_SIGNAME (1L << 3) + +// X509_FLAG_NO_ISSUER skips printing the issuer. +#define X509_FLAG_NO_ISSUER (1L << 4) + +// X509_FLAG_NO_VALIDITY skips printing the notBefore and notAfter times. It is +// ignored in |X509_REQ_print_fp|. +#define X509_FLAG_NO_VALIDITY (1L << 5) + +// X509_FLAG_NO_SUBJECT skips printing the subject. +#define X509_FLAG_NO_SUBJECT (1L << 6) + +// X509_FLAG_NO_PUBKEY skips printing the public key. +#define X509_FLAG_NO_PUBKEY (1L << 7) + +// X509_FLAG_NO_EXTENSIONS skips printing the extension list. It is ignored in +// |X509_REQ_print_fp|. CSRs instead have attributes, which is controlled by +// |X509_FLAG_NO_ATTRIBUTES|. +#define X509_FLAG_NO_EXTENSIONS (1L << 8) + +// X509_FLAG_NO_SIGDUMP skips printing the signature and outer signature +// algorithm. 
+#define X509_FLAG_NO_SIGDUMP (1L << 9) + +// X509_FLAG_NO_AUX skips printing auxiliary properties. (See |d2i_X509_AUX| and +// related functions.) +#define X509_FLAG_NO_AUX (1L << 10) + +// X509_FLAG_NO_ATTRIBUTES skips printing CSR attributes. It does nothing for +// certificates and CRLs. +#define X509_FLAG_NO_ATTRIBUTES (1L << 11) + +// X509_FLAG_NO_IDS skips printing the issuerUniqueID and subjectUniqueID in a +// certificate. It is ignored in |X509_REQ_print_fp|. +#define X509_FLAG_NO_IDS (1L << 12) + +// X509_print_ex writes a human-readable representation of |x| to |bp|. It +// returns one on success and zero on error. |nmflags| is the flags parameter +// for |X509_NAME_print_ex| when printing the subject and issuer. |cflag| should +// be some combination of the |X509_FLAG_*| constants. +OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag, + unsigned long cflag); + +// X509_print_ex_fp behaves like |X509_print_ex| but writes to |fp|. +OPENSSL_EXPORT int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag, + unsigned long cflag); + +// X509_print calls |X509_print_ex| with |XN_FLAG_COMPAT| and |X509_FLAG_COMPAT| +// flags. +OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x); + +// X509_print_fp behaves like |X509_print| but writes to |fp|. +OPENSSL_EXPORT int X509_print_fp(FILE *fp, X509 *x); + +// X509_CRL_print writes a human-readable representation of |x| to |bp|. It +// returns one on success and zero on error. +OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x); + +// X509_CRL_print_fp behaves like |X509_CRL_print| but writes to |fp|. +OPENSSL_EXPORT int X509_CRL_print_fp(FILE *fp, X509_CRL *x); + +// X509_REQ_print_ex writes a human-readable representation of |x| to |bp|. It +// returns one on success and zero on error. |nmflags| is the flags parameter +// for |X509_NAME_print_ex|, when printing the subject. |cflag| should be some +// combination of the |X509_FLAG_*| constants. 
+OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, + unsigned long cflag); + +// X509_REQ_print calls |X509_REQ_print_ex| with |XN_FLAG_COMPAT| and +// |X509_FLAG_COMPAT| flags. +OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req); + +// X509_REQ_print_fp behaves like |X509_REQ_print| but writes to |fp|. +OPENSSL_EXPORT int X509_REQ_print_fp(FILE *fp, X509_REQ *req); + +// The following flags are control |X509_NAME_print_ex|. They must not collide +// with |ASN1_STRFLGS_*|. +// +// TODO(davidben): This is far, far too many options and most of them are +// useless. Trim this down. + +// XN_FLAG_COMPAT prints with |X509_NAME_print|'s format and return value +// convention. +#define XN_FLAG_COMPAT 0 + +// XN_FLAG_SEP_MASK determines the separators to use between attributes. +#define XN_FLAG_SEP_MASK (0xf << 16) + +// XN_FLAG_SEP_COMMA_PLUS separates RDNs with "," and attributes within an RDN +// with "+", as in RFC 2253. +#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) + +// XN_FLAG_SEP_CPLUS_SPC behaves like |XN_FLAG_SEP_COMMA_PLUS| but adds spaces +// between the separators. +#define XN_FLAG_SEP_CPLUS_SPC (2 << 16) + +// XN_FLAG_SEP_SPLUS_SPC separates RDNs with "; " and attributes within an RDN +// with " + ". +#define XN_FLAG_SEP_SPLUS_SPC (3 << 16) + +// XN_FLAG_SEP_MULTILINE prints each attribute on one line. +#define XN_FLAG_SEP_MULTILINE (4 << 16) + +// XN_FLAG_DN_REV prints RDNs in reverse, from least significant to most +// significant, as RFC 2253. +#define XN_FLAG_DN_REV (1 << 20) + +// XN_FLAG_FN_MASK determines how attribute types are displayed. +#define XN_FLAG_FN_MASK (0x3 << 21) + +// XN_FLAG_FN_SN uses the attribute type's short name, when available. +#define XN_FLAG_FN_SN 0 + +// XN_FLAG_SPC_EQ wraps the "=" operator with spaces when printing attributes. +#define XN_FLAG_SPC_EQ (1 << 23) + +// XN_FLAG_DUMP_UNKNOWN_FIELDS causes unknown attribute types to be printed in +// hex, as in RFC 2253. 
+#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) + +// XN_FLAG_RFC2253 prints like RFC 2253. +#define XN_FLAG_RFC2253 \ + (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \ + XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS) + +// XN_FLAG_ONELINE prints a one-line representation of the name. +#define XN_FLAG_ONELINE \ + (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \ + XN_FLAG_SPC_EQ | XN_FLAG_FN_SN) + +// X509_NAME_print_ex writes a human-readable representation of |nm| to |out|. +// Each line of output is indented by |indent| spaces. It returns the number of +// bytes written on success, and -1 on error. If |out| is NULL, it returns the +// number of bytes it would have written but does not write anything. |flags| +// should be some combination of |XN_FLAG_*| and |ASN1_STRFLGS_*| values and +// determines the output. If unsure, use |XN_FLAG_RFC2253|. +// +// If |flags| is |XN_FLAG_COMPAT|, or zero, this function calls +// |X509_NAME_print| instead. In that case, it returns one on success, rather +// than the output length. +OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, + unsigned long flags); + +// X509_NAME_print prints a human-readable representation of |name| to |bp|. It +// returns one on success and zero on error. |obase| is ignored. +// +// This function outputs a legacy format that does not correctly handle string +// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for +// debugging purposes. +OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); + +// X509_NAME_oneline writes a human-readable representation to |name| to a +// buffer as a NUL-terminated C string. +// +// If |buf| is NULL, returns a newly-allocated buffer containing the result on +// success, or NULL on error. The buffer must be released with |OPENSSL_free| +// when done. +// +// If |buf| is non-NULL, at most |size| bytes of output are written to |buf| +// instead. 
|size| includes the trailing NUL. The function then returns |buf| on +// success or NULL on error. If the output does not fit in |size| bytes, the +// output is silently truncated at an attribute boundary. +// +// This function outputs a legacy format that does not correctly handle string +// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for +// debugging purposes. +OPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *name, char *buf, int size); + +// X509_NAME_print_ex_fp behaves like |X509_NAME_print_ex| but writes to |fp|. +OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, + int indent, unsigned long flags); // X509_signature_dump writes a human-readable representation of |sig| to |bio|, // indented with |indent| spaces. It returns one on success and zero on error. 
@@ -1459,6 +1993,39 @@ OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk, X509_NAME *name); +// X509_cmp_time compares |s| against |*t|. On success, it returns a negative +// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it +// returns zero. If |t| is NULL, it uses the current time instead of |*t|. +// +// WARNING: Unlike most comparison functions, this function returns zero on +// error, not equality. +OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t); + +// X509_cmp_time_posix compares |s| against |t|. On success, it returns a +// negative number if |s| <= |t| and a positive number if |s| > |t|. On error, +// it returns zero. +// +// WARNING: Unlike most comparison functions, this function returns zero on +// error, not equality. +OPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t); + +// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against +// the current time. +OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); + +// X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero. +OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, + time_t *t); + +// X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If +// |t| is NULL, it uses the current time instead of |*t|. +OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, + long offset_sec, time_t *t); + +// X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the +// current time. +OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec); + // ex_data functions. // 
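Review bot: The WARNING paragraphs on `X509_cmp_time` and `X509_cmp_time_posix` say that zero means error, but they do not say how a caller should test the result. A sign-only expiry check such as `X509_cmp_time(not_after, NULL) < 0` (a constructed example) would read a failed comparison as "not expired", so the check fails open. I would extend both warnings with `// Callers must test for zero first and treat it as a failure before interpreting the sign.` `X509_cmp_current_time` inherits the same convention through "behaves like |X509_cmp_time|" but carries no warning of its own; a line such as `// As with |X509_cmp_time|, zero means error, not equality.` would help there. These declarations appear to be moved unchanged from later in the header, so this is a documentation request only.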
@@ -1580,8 +2147,6 @@ struct X509_algor_st { #define X509v3_KU_DECIPHER_ONLY 0x8000 #define X509v3_KU_UNDEF 0xffff -DEFINE_STACK_OF(X509_ATTRIBUTE) - // This stuff is certificate "auxiliary info" // it contains details which are useful in certificate // stores and databases. When used this is tagged onto 
@@ -1631,74 +2196,6 @@ DEFINE_STACK_OF(X509_TRUST) #define X509_TRUST_REJECTED 2 #define X509_TRUST_UNTRUSTED 3 -// Flags for X509_print_ex() - -#define X509_FLAG_COMPAT 0 -#define X509_FLAG_NO_HEADER 1L -#define X509_FLAG_NO_VERSION (1L << 1) -#define X509_FLAG_NO_SERIAL (1L << 2) -#define X509_FLAG_NO_SIGNAME (1L << 3) -#define X509_FLAG_NO_ISSUER (1L << 4) -#define X509_FLAG_NO_VALIDITY (1L << 5) -#define X509_FLAG_NO_SUBJECT (1L << 6) -#define X509_FLAG_NO_PUBKEY (1L << 7) -#define X509_FLAG_NO_EXTENSIONS (1L << 8) -#define X509_FLAG_NO_SIGDUMP (1L << 9) -#define X509_FLAG_NO_AUX (1L << 10) -#define X509_FLAG_NO_ATTRIBUTES (1L << 11) -#define X509_FLAG_NO_IDS (1L << 12) - -// Flags specific to X509_NAME_print_ex(). These flags must not collide with -// |ASN1_STRFLGS_*|. - -// The field separator information - -#define XN_FLAG_SEP_MASK (0xf << 16) - -#define XN_FLAG_COMPAT 0 // Traditional SSLeay: use old X509_NAME_print -#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) // RFC 2253 ,+ -#define XN_FLAG_SEP_CPLUS_SPC (2 << 16) // ,+ spaced: more readable -#define XN_FLAG_SEP_SPLUS_SPC (3 << 16) // ;+ spaced -#define XN_FLAG_SEP_MULTILINE (4 << 16) // One line per field - -#define XN_FLAG_DN_REV (1 << 20) // Reverse DN order - -// How the field name is shown - -#define XN_FLAG_FN_MASK (0x3 << 21) - -#define XN_FLAG_FN_SN 0 // Object short name -#define XN_FLAG_FN_LN (1 << 21) // Object long name -#define XN_FLAG_FN_OID (2 << 21) // Always use OIDs -#define XN_FLAG_FN_NONE (3 << 21) // No field names - -#define XN_FLAG_SPC_EQ (1 << 23) // Put spaces round '=' - -// This determines if we dump fields we don't recognise: -// RFC 2253 requires this. 
- -#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) - -#define XN_FLAG_FN_ALIGN (1 << 25) // Align field names to 20 characters - -// Complete set of RFC 2253 flags - -#define XN_FLAG_RFC2253 \ - (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \ - XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS) - -// readable oneline form - -#define XN_FLAG_ONELINE \ - (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \ - XN_FLAG_SPC_EQ | XN_FLAG_FN_SN) - -// readable multiline form - -#define XN_FLAG_MULTILINE \ - (ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | \ - XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN) - DEFINE_STACK_OF(X509_REVOKED) DECLARE_STACK_OF(GENERAL_NAMES) @@ -1734,20 +2231,6 @@ struct X509_info_st { DEFINE_STACK_OF(X509_INFO) -// The next 2 structures and their 8 routines were sent to me by -// Pat Richard <patr@x509.com> and are used to manipulate -// Netscapes spki structures - useful if you are writing a CA web page -struct Netscape_spkac_st { - X509_PUBKEY *pubkey; - ASN1_IA5STRING *challenge; // challenge sent in atlas >= PR2 -} /* NETSCAPE_SPKAC */; - -struct Netscape_spki_st { - NETSCAPE_SPKAC *spkac; // signed public key and challenge - X509_ALGOR *sig_algor; - ASN1_BIT_STRING *signature; -} /* NETSCAPE_SPKI */; - // X509_get_pathlen returns path length constraint from the basic constraints // extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the // constraint is not present, or if some extension in |x509| was invalid. 
@@ -1773,99 +2256,11 @@ OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, // a default description. OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err); -// X509_verify checks that |x509| has a valid signature by |pkey|. It returns -// one if the signature is valid and zero otherwise. Note this function only -// checks the signature itself and does not perform a full certificate -// validation. -OPENSSL_EXPORT int X509_verify(X509 *x509, EVP_PKEY *pkey); - -// X509_REQ_verify checks that |req| has a valid signature by |pkey|. It returns -// one if the signature is valid and zero otherwise. -OPENSSL_EXPORT int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey); - -// X509_CRL_verify checks that |crl| has a valid signature by |pkey|. It returns -// one if the signature is valid and zero otherwise. -OPENSSL_EXPORT int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey); - -// NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It -// returns one if the signature is valid and zero otherwise. -OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey); - -// NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded -// Netscape signed public key and challenge (SPKAC) structure. It returns a -// newly-allocated |NETSCAPE_SPKI| structure with the result, or NULL on error. -// If |len| is 0 or negative, the length is calculated with |strlen| and |str| -// must be a NUL-terminated C string. -OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, - ossl_ssize_t len); - -// NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded Netscape signed -// public key and challenge (SPKAC) structure. It returns a newly-allocated -// NUL-terminated C string with the result, or NULL on error. The caller must -// release the memory with |OPENSSL_free| when done. 
-OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki); - -// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an -// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting -// pointer and must call |EVP_PKEY_free| when done. -OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki); - -// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one -// on success or zero on error. This function does not take ownership of |pkey|, -// so the caller may continue to manage its lifetime independently of |spki|. -OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki, - EVP_PKEY *pkey); - -// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature -// algorithm and signature fields. It returns one on success and zero on error. -// This function uses digest algorithm |md|, or |pkey|'s default if NULL. Other -// signing parameters use |pkey|'s defaults. -OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey, - const EVP_MD *md); - -// X509_ATTRIBUTE_dup returns a newly-allocated copy of |xa|, or NULL on error. -// This function works by serializing the structure, so if |xa| is incomplete, -// it may fail. -OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(const X509_ATTRIBUTE *xa); - // X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error. // This function works by serializing the structure, so if |rev| is incomplete, // it may fail. OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev); -// X509_cmp_time compares |s| against |*t|. On success, it returns a negative -// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it -// returns zero. If |t| is NULL, it uses the current time instead of |*t|. -// -// WARNING: Unlike most comparison functions, this function returns zero on -// error, not equality. 
-OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t); - -// X509_cmp_time_posix compares |s| against |t|. On success, it returns a -// negative number if |s| <= |t| and a positive number if |s| > |t|. On error, -// it returns zero. -// -// WARNING: Unlike most comparison functions, this function returns zero on -// error, not equality. -OPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t); - -// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against -// the current time. -OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); - -// X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero. -OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, - time_t *t); - -// X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If -// |t| is NULL, it uses the current time instead of |*t|. -OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, - long offset_sec, time_t *t); - -// X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the -// current time. -OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec); - OPENSSL_EXPORT const char *X509_get_default_cert_area(void); OPENSSL_EXPORT const char *X509_get_default_cert_dir(void); OPENSSL_EXPORT const char *X509_get_default_cert_file(void); 
@@ -1888,15 +2283,6 @@ OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key); DECLARE_ASN1_FUNCTIONS_const(X509_SIG) -DECLARE_ASN1_FUNCTIONS_const(X509_ATTRIBUTE) - -// X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on -// error. The attribute has type |nid| and contains a single value determined by -// |attrtype| and |value|, which are interpreted as in |ASN1_TYPE_set|. Note -// this function takes ownership of |value|. -OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype, - void *value); - OPENSSL_EXPORT int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); OPENSSL_EXPORT int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); OPENSSL_EXPORT void X509_trust_clear(X509 *x); @@ -1916,12 +2302,8 @@ OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, OPENSSL_EXPORT X509_PKEY *X509_PKEY_new(void); OPENSSL_EXPORT void X509_PKEY_free(X509_PKEY *a); -DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_SPKI) -DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_SPKAC) - OPENSSL_EXPORT X509_INFO *X509_INFO_new(void); OPENSSL_EXPORT void X509_INFO_free(X509_INFO *a); -OPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *a, char *buf, int size); OPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data, unsigned char *md, unsigned int *len); 
@@ -1944,93 +2326,6 @@ OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx); -// X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type -// for carrying extensions and zero otherwise. The supported types are -// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req| -// (a Microsoft szOID_CERT_EXTENSIONS variant). -OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); - -// X509_REQ_get_extensions decodes the list of requested extensions in |req| and -// returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result. -// It returns NULL on error, or if |req| did not request extensions. -// -// This function supports both pkcs-9-at-extensionRequest from RFC 2985 and the -// Microsoft szOID_CERT_EXTENSIONS variant. -OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req); - -// X509_REQ_add_extensions_nid adds an attribute to |req| of type |nid|, to -// request the certificate extensions in |exts|. It returns one on success and -// zero on error. |nid| should be |NID_ext_req| or |NID_ms_ext_req|. -OPENSSL_EXPORT int X509_REQ_add_extensions_nid( - X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts, int nid); - -// X509_REQ_add_extensions behaves like |X509_REQ_add_extensions_nid|, using the -// standard |NID_ext_req| for the attribute type. -OPENSSL_EXPORT int X509_REQ_add_extensions( - X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts); - -// X509_REQ_get_attr_count returns the number of attributes in |req|. -OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req); - -// X509_REQ_get_attr_by_NID returns the index of the attribute in |req| of type -// |nid|, or a negative number if not found. If found, callers can use -// |X509_REQ_get_attr| to look up the attribute by index. -// -// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. 
Callers -// can thus loop over all matching attributes by first passing -1 and then -// passing the previously-returned value until no match is returned. -OPENSSL_EXPORT int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, - int lastpos); - -// X509_REQ_get_attr_by_OBJ behaves like |X509_REQ_get_attr_by_NID| but looks -// for attributes of type |obj|. -OPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, - const ASN1_OBJECT *obj, - int lastpos); - -// X509_REQ_get_attr returns the attribute at index |loc| in |req|, or NULL if -// out of bounds. -OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc); - -// X509_REQ_delete_attr removes the attribute at index |loc| in |req|. It -// returns the removed attribute to the caller, or NULL if |loc| was out of -// bounds. If non-NULL, the caller must release the result with -// |X509_ATTRIBUTE_free| when done. It is also safe, but not necessary, to call -// |X509_ATTRIBUTE_free| if the result is NULL. -OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc); - -// X509_REQ_add1_attr appends a copy of |attr| to |req|'s list of attributes. It -// returns one on success and zero on error. -// -// TODO(https://crbug.com/boringssl/407): |attr| should be const. -OPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr); - -// X509_REQ_add1_attr_by_OBJ appends a new attribute to |req| with type |obj|. -// It returns one on success and zero on error. The value is determined by -// |X509_ATTRIBUTE_set1_data|. -// -// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and -// error-prone. See |X509_ATTRIBUTE_set1_data| for details. -OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, - const ASN1_OBJECT *obj, - int attrtype, - const unsigned char *data, - int len); - -// X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the -// attribute type is determined by |nid|. 
-OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, - int attrtype, - const unsigned char *data, - int len); - -// X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the -// attribute type is determined by calling |OBJ_txt2obj| with |attrname|. -OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req, - const char *attrname, int attrtype, - const unsigned char *data, - int len); - OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl); // X509_REVOKED_get0_serialNumber returns the serial number of the certificate @@ -2082,24 +2377,6 @@ OPENSSL_EXPORT unsigned long X509_NAME_hash_old(X509_NAME *x); OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); -OPENSSL_EXPORT int X509_print_ex_fp(FILE *bp, X509 *x, unsigned long nmflag, - unsigned long cflag); -OPENSSL_EXPORT int X509_print_fp(FILE *bp, X509 *x); -OPENSSL_EXPORT int X509_CRL_print_fp(FILE *bp, X509_CRL *x); -OPENSSL_EXPORT int X509_REQ_print_fp(FILE *bp, X509_REQ *req); -OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, - int indent, unsigned long flags); - -OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); -OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, - unsigned long flags); -OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag, - unsigned long cflag); -OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x); -OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x); -OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, - unsigned long cflag); -OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req); // X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in // |x509|'s extension list. 
@@ -2195,153 +2472,6 @@ OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit, unsigned long flags); -// X509at_get_attr_count returns the number of attributes in |x|. -OPENSSL_EXPORT int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x); - -// X509at_get_attr_by_NID returns the index of the attribute in |x| of type -// |nid|, or a negative number if not found. If found, callers can use -// |X509at_get_attr| to look up the attribute by index. -// -// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers -// can thus loop over all matching attributes by first passing -1 and then -// passing the previously-returned value until no match is returned. -OPENSSL_EXPORT int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, - int nid, int lastpos); - -// X509at_get_attr_by_OBJ behaves like |X509at_get_attr_by_NID| but looks for -// attributes of type |obj|. -OPENSSL_EXPORT int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, - const ASN1_OBJECT *obj, int lastpos); - -// X509at_get_attr returns the attribute at index |loc| in |x|, or NULL if -// out of bounds. -OPENSSL_EXPORT X509_ATTRIBUTE *X509at_get_attr( - const STACK_OF(X509_ATTRIBUTE) *x, int loc); - -// X509at_delete_attr removes the attribute at index |loc| in |x|. It returns -// the removed attribute to the caller, or NULL if |loc| was out of bounds. If -// non-NULL, the caller must release the result with |X509_ATTRIBUTE_free| when -// done. It is also safe, but not necessary, to call |X509_ATTRIBUTE_free| if -// the result is NULL. -OPENSSL_EXPORT X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, - int loc); - -// X509at_add1_attr appends a copy of |attr| to the attribute list in |*x|. If -// |*x| is NULL, it allocates a new |STACK_OF(X509_ATTRIBUTE)| to hold the copy -// and sets |*x| to the new list. It returns |*x| on success and NULL on error. 
-// The caller retains ownership of |attr| and can release it independently of -// |*x|. -OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr( - STACK_OF(X509_ATTRIBUTE) **x, X509_ATTRIBUTE *attr); - -// X509at_add1_attr_by_OBJ behaves like |X509at_add1_attr|, but adds an -// attribute created by |X509_ATTRIBUTE_create_by_OBJ|. -OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ( - STACK_OF(X509_ATTRIBUTE) **x, const ASN1_OBJECT *obj, int type, - const unsigned char *bytes, int len); - -// X509at_add1_attr_by_NID behaves like |X509at_add1_attr|, but adds an -// attribute created by |X509_ATTRIBUTE_create_by_NID|. -OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID( - STACK_OF(X509_ATTRIBUTE) **x, int nid, int type, const unsigned char *bytes, - int len); - -// X509at_add1_attr_by_txt behaves like |X509at_add1_attr|, but adds an -// attribute created by |X509_ATTRIBUTE_create_by_txt|. -OPENSSL_EXPORT STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt( - STACK_OF(X509_ATTRIBUTE) **x, const char *attrname, int type, - const unsigned char *bytes, int len); - -// X509_ATTRIBUTE_create_by_NID returns a newly-allocated |X509_ATTRIBUTE| of -// type |nid|, or NULL on error. The value is determined as in -// |X509_ATTRIBUTE_set1_data|. -// -// If |attr| is non-NULL, the resulting |X509_ATTRIBUTE| is also written to -// |*attr|. If |*attr| was non-NULL when the function was called, |*attr| is -// reused instead of creating a new object. -// -// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and -// error-prone. See |X509_ATTRIBUTE_set1_data| for details. -// -// WARNING: The object reuse form is deprecated and may be removed in the -// future. It also currently incorrectly appends to the reused object's value -// set rather than overwriting it. 
-OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID( - X509_ATTRIBUTE **attr, int nid, int attrtype, const void *data, int len); - -// X509_ATTRIBUTE_create_by_OBJ behaves like |X509_ATTRIBUTE_create_by_NID| -// except the attribute's type is determined by |obj|. -OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ( - X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, int attrtype, - const void *data, int len); - -// X509_ATTRIBUTE_create_by_txt behaves like |X509_ATTRIBUTE_create_by_NID| -// except the attribute's type is determined by calling |OBJ_txt2obj| with -// |attrname|. -OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt( - X509_ATTRIBUTE **attr, const char *attrname, int type, - const unsigned char *bytes, int len); - -// X509_ATTRIBUTE_set1_object sets |attr|'s type to |obj|. It returns one on -// success and zero on error. -OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, - const ASN1_OBJECT *obj); - -// X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns -// one on success or zero on error. The value is determined as follows: -// -// If |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1 string. The -// string is determined by decoding |len| bytes from |data| in the encoding -// specified by |attrtype|, and then re-encoding it in a form appropriate for -// |attr|'s type. If |len| is -1, |strlen(data)| is used instead. See -// |ASN1_STRING_set_by_NID| for details. -// -// Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an -// |ASN1_STRING| type value and the |len| bytes from |data| are copied as the -// type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details. -// -// WARNING: If this form is used to construct a negative INTEGER or ENUMERATED, -// |attrtype| includes the |V_ASN1_NEG| flag for |ASN1_STRING|, but the function -// forgets to clear the flag for |ASN1_TYPE|. This matches OpenSSL but is -// probably a bug. 
For now, do not use this form with negative values. -// -// Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and -// |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value, -// and |data| is cast to the corresponding pointer type. -// -// WARNING: Despite the name, this function appends to |attr|'s value set, -// rather than overwriting it. To overwrite the value set, create a new -// |X509_ATTRIBUTE| with |X509_ATTRIBUTE_new|. -// -// WARNING: If using the |MBSTRING_*| form, pass a length rather than relying on -// |strlen|. In particular, |strlen| will not behave correctly if the input is -// |MBSTRING_BMP| or |MBSTRING_UNIV|. -// -// WARNING: This function currently misinterprets |V_ASN1_OTHER| as an -// |MBSTRING_*| constant. This matches OpenSSL but means it is impossible to -// construct a value with a non-universal tag. -OPENSSL_EXPORT int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, - const void *data, int len); - -// X509_ATTRIBUTE_get0_data returns the |idx|th value of |attr| in a -// type-specific representation to |attrtype|, or NULL if out of bounds or the -// type does not match. |attrtype| is one of the type values in |ASN1_TYPE|. On -// match, the return value uses the same representation as |ASN1_TYPE_set0|. See -// |ASN1_TYPE| for details. -OPENSSL_EXPORT void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, - int attrtype, void *unused); - -// X509_ATTRIBUTE_count returns the number of values in |attr|. -OPENSSL_EXPORT int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr); - -// X509_ATTRIBUTE_get0_object returns the type of |attr|. -OPENSSL_EXPORT ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr); - -// X509_ATTRIBUTE_get0_type returns the |idx|th value in |attr|, or NULL if out -// of bounds. Note this function returns one of |attr|'s values, not the type. 
-OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, - int idx); - OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx); // PKCS#8 utilities diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h index ee90f584..d9c862da 100644 --- a/src/include/openssl/x509v3.h +++ b/src/include/openssl/x509v3.h @@ -688,14 +688,15 @@ OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *meth, // callers should simply handle the custom extension with the byte-based // |X509_EXTENSION| APIs directly. Registering |ext| with the library has little // practical value. -OPENSSL_EXPORT int X509V3_EXT_add(X509V3_EXT_METHOD *ext); +OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext); // X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The // corresponding ASN.1 type is copied from |nid_from|. It returns one on success // and zero on error. // // WARNING: Do not use this function. See |X509V3_EXT_add|. -OPENSSL_EXPORT int X509V3_EXT_add_alias(int nid_to, int nid_from); +OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to, + int nid_from); OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get( const X509_EXTENSION *ext); diff --git a/src/rust/bssl-crypto/Cargo.toml b/src/rust/bssl-crypto/Cargo.toml index 57a64401..c60e9ca2 100644 --- a/src/rust/bssl-crypto/Cargo.toml +++ b/src/rust/bssl-crypto/Cargo.toml @@ -6,6 +6,4 @@ publish = false license = "MIT" [dependencies] -# the crate will need to be generated at this path by running this command at root -# `mkdir build && cd build && cmake -G Ninja .. -DRUST_BINDINGS="$(gcc -dumpmachine)" && ninja` -bssl-sys = {path = "../../build/rust/bssl-sys"}
\ No newline at end of file +bssl-sys = {path = "../bssl-sys"} diff --git a/src/rust/bssl-crypto/README.md b/src/rust/bssl-crypto/README.md index 9e10fad8..dff669bc 100644 --- a/src/rust/bssl-crypto/README.md +++ b/src/rust/bssl-crypto/README.md @@ -1,14 +1,9 @@ bssl-crypto ============ -rust bindings to boringssl which wrap bssl-sys, a low level autogenerated binding - -Before using this crate, first generate the bssl-sys bindings by running this command from the root of the repo: -``` -mkdir build && cd build && cmake -G Ninja .. -DRUST_BINDINGS="$(gcc -dumpmachine)" && ninja -``` +Rust bindings to BoringSSL which wrap bssl-sys. Before using this crate, first [set up `bssl-sys`](../bssl-sys/README.md). Then to run all tests: ``` cd rust/bssl-crypto && cargo clippy && cargo deny check && cargo test -```
\ No newline at end of file +``` diff --git a/src/rust/bssl-sys/CMakeLists.txt b/src/rust/bssl-sys/CMakeLists.txt index 05f03f45..d17a8f10 100644 --- a/src/rust/bssl-sys/CMakeLists.txt +++ b/src/rust/bssl-sys/CMakeLists.txt 
@@ -2,37 +2,48 @@ add_library(rust_wrapper STATIC rust_wrapper.c) target_link_libraries(rust_wrapper crypto) +# Generate architecture-specific wrappers. bindgen must be called from +# ${CMAKE_BINARY_DIR}, with the output path as a relative path. bindgen writes +# the depfile using the same syntax as the command-line argument, and ninja +# requires a path relative to the top-level build directory. +set(wrapper wrapper_${RUST_BINDINGS}.rs) +binary_dir_relative_path(${wrapper} wrapper_relative) +binary_dir_relative_path(${wrapper}.d depfile_relative) -# Generate architecture-specific wrappers. -set(WRAPPER_TARGET ${CMAKE_BINARY_DIR}/rust/bssl-sys/src/wrapper_${RUST_BINDINGS}.rs) -set(COMMAND ${BINDGEN_EXECUTABLE} "wrapper.h" - -o ${WRAPPER_TARGET} - --no-derive-default - --enable-function-attribute-detection - --use-core - --size_t-is-usize - --default-macro-constant-type="signed" - --rustified-enum="point_conversion_form_t" - --allowlist-file=".*/include/openssl/.*\\.h" - --allowlist-file=".*/rust_wrapper\\.h" - -- # these are LLVM arg passthroughs - -I../../include - # https://doc.rust-lang.org/nightly/rustc/platform-support.html - --target=${RUST_BINDINGS}) - -add_custom_target( - bindgen_rust_${RUST_BINDINGS} - ALL - ${COMMAND} - BYPRODUCTS ${WRAPPER_TARGET} - WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR} +add_custom_command( + OUTPUT ${wrapper} + COMMAND ${BINDGEN_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/wrapper.h + -o ${wrapper_relative} + --depfile=${depfile_relative} + --no-derive-default + --enable-function-attribute-detection + --use-core + --default-macro-constant-type=signed + --rustified-enum=point_conversion_form_t + # These regexes need to accept both / and \ to handle Windows file + # path differences, due a bindgen issue. See + # https://crbug.com/boringssl/595. Ideally, we would write [/\\], but + # there are many layers of escaping here. First, CMake interprets + # backslashes. Then CMake generates a Ninja or Make file. 
That, in + # turn, uses the shell on POSIX, and does something else on Windows. + # + # It is unlikely that every layer here has sufficiently well-defined + # escaping and correctly handled the next layer's escaping. On top of + # that, we'd likely need to detect Windows vs POSIX hosts and change + # the input. Instead, just use [[:punct:]] which is more permissive + # than necessary, but we only need to exclude unwanted libc headers. + # + # If bindgen ever supports some file-based config (see + # https://github.com/rust-lang/rust-bindgen/issues/2508), we can + # switch to that. + --allowlist-file=".*[[:punct:]]include[[:punct:]]openssl[[:punct:]].*\\.h" + --allowlist-file=".*[[:punct:]]rust_wrapper\\.h" + -- # these are LLVM arg passthroughs + -I${PROJECT_SOURCE_DIR}/include + # https://doc.rust-lang.org/nightly/rustc/platform-support.html + --target=${RUST_BINDINGS} + DEPENDS wrapper.h + DEPFILE ${CMAKE_CURRENT_BINARY_DIR}/${wrapper}.d + WORKING_DIRECTORY ${CMAKE_BINARY_DIR} ) - -# move files into build directory -configure_file("src/lib.rs" "src/lib.rs") - -if(NOT BUILD_SHARED_LIBS) - configure_file("build.rs" "build.rs" COPYONLY) -endif() - -configure_file("Cargo.toml" "Cargo.toml" COPYONLY)
\ No newline at end of file +add_custom_target(bssl_sys ALL DEPENDS ${wrapper}) diff --git a/src/rust/bssl-sys/README.md b/src/rust/bssl-sys/README.md index fb5230a8..e2efd6c4 100644 --- a/src/rust/bssl-sys/README.md +++ b/src/rust/bssl-sys/README.md @@ -4,10 +4,9 @@ bssl-sys A low-level binding crate for Rust that moves in lockstop with BoringSSL. BoringSSL explicitly does not have a stable ABI, `bssl-sys` is the solution for preventing subtle-memory corruption bugs due to version skew. ### How it works -`bssl-sys` uses `bindgen` as part of the cmake build process to generate Rust compatibility shims for the targeted platform. It is important to generate it for the correct platform because `bindgen` uses LLVM information for alignment which varies depending on architecture. These files are then packaged into a Rust crate. +`bssl-sys` uses `bindgen` as part of the cmake build process to generate Rust compatibility shims for the targeted platform. It is important to generate it for the correct platform because `bindgen` uses LLVM information for alignment which varies depending on architecture. ### To Use -Build `boringssl` with `-DRUST_BINDINGS=<rust-triple>` and ensure that you have `bindgen` installed. - -The `rust-triple` option should be one of the supported targets at https://doc.rust-lang.org/nightly/rustc/platform-support.html. +Build `boringssl` with `-DRUST_BINDINGS=<rust-triple>` and ensure that you have `bindgen` installed. The `rust-triple` option should match the [Rust target triple](https://doc.rust-lang.org/nightly/rustc/platform-support.html) when building `bssl-sys`. +From there, the `bssl-sys` crate can be built. By default, it looks for `bindgen` output and BoringSSL static libraries in the `build` directory. This can be reconfigured with `BORINGSSL_BUILD_DIR` environment variable. Note the environment variable is evaluated relative to `rust/bssl-sys/src`, so using an absolute path may be more convenient. 
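Review bot: The rewritten bindgen command drops `--size_t-is-usize` and the new comment block does not say why, so the Rust type generated for `size_t` now depends on the default of whichever bindgen is installed. If older bindgen releases are still expected to work, keep `--size_t-is-usize` in the `add_custom_command` argument list. Otherwise record the requirement above the command, for example `# Requires a bindgen release where size_t maps to usize by default.` A silent difference here would change the signatures of every length-taking function in the generated wrapper.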
diff --git a/src/rust/bssl-sys/build.rs b/src/rust/bssl-sys/build.rs index c2b7358a..2d7461ab 100644 --- a/src/rust/bssl-sys/build.rs +++ b/src/rust/bssl-sys/build.rs 
@@ -15,38 +15,43 @@ use std::env; use std::path::Path; +use std::path::PathBuf; + +fn get_bssl_build_dir() -> PathBuf { + println!("cargo:rerun-if-env-changed=BORINGSSL_BUILD_DIR"); + if let Some(build_dir) = env::var_os("BORINGSSL_BUILD_DIR") { + return PathBuf::from(build_dir); + } + + let crate_dir = env::var_os("CARGO_MANIFEST_DIR").unwrap(); + return Path::new(&crate_dir).join("../../build"); +} fn main() { - let dir = env::var("CARGO_MANIFEST_DIR").unwrap(); - let crate_path = Path::new(&dir); + let bssl_build_dir = get_bssl_build_dir(); + let bssl_sys_build_dir = bssl_build_dir.join("rust/bssl-sys"); + let target = env::var("TARGET").unwrap(); // Find the bindgen generated target platform bindings file and set BINDGEN_RS_FILE - let bindgen_file = crate_path - .join("src") - .read_dir() - .unwrap() - .map(|file| file.unwrap().file_name().into_string().unwrap()) - .find(|file| file.starts_with("wrapper_")) - .unwrap(); - println!("cargo:rustc-env=BINDGEN_RS_FILE={}", bindgen_file); - - // building bssl-sys with: `mkdir build && cd build && cmake -G Ninja .. -DRUST_BINDINGS="$(gcc -dumpmachine)" && ninja` - // outputs this crate to /build/rust/bssl-sys/ so need to go up 3 levels to the root of the repo - let repo_root = crate_path.parent().unwrap().parent().unwrap(); + let bindgen_file = bssl_sys_build_dir.join(format!("wrapper_{}.rs", target)); + println!("cargo:rustc-env=BINDGEN_RS_FILE={}", bindgen_file.display()); // Statically link libraries. 
println!( "cargo:rustc-link-search=native={}", - repo_root.join("crypto").display() + bssl_build_dir.join("crypto").display() ); println!("cargo:rustc-link-lib=static=crypto"); println!( "cargo:rustc-link-search=native={}", - repo_root.join("ssl").display() + bssl_build_dir.join("ssl").display() ); println!("cargo:rustc-link-lib=static=ssl"); - println!("cargo:rustc-link-search=native={}", crate_path.display()); + println!( + "cargo:rustc-link-search=native={}", + bssl_sys_build_dir.display() + ); println!("cargo:rustc-link-lib=static=rust_wrapper"); } diff --git a/src/rust/bssl-sys/wrapper.h b/src/rust/bssl-sys/wrapper.h index 101b455d..bd740495 100644 --- a/src/rust/bssl-sys/wrapper.h +++ b/src/rust/bssl-sys/wrapper.h 
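Review bot: A wrong or stale build directory is not detected in `main()`: `BINDGEN_RS_FILE` is emitted without checking that `wrapper_{target}.rs` exists under `bssl_sys_build_dir`. A mismatch between `TARGET` and the triple given to `-DRUST_BINDINGS`, or a mistyped `BORINGSSL_BUILD_DIR`, presumably only surfaces later, where the crate includes that file. I would add `assert!(bindgen_file.exists(), "bindgen output not found at {}", bindgen_file.display());` and `println!("cargo:rerun-if-changed={}", bindgen_file.display());` just before the `cargo:rustc-env` line. The second line makes cargo rebuild when the bindings are regenerated, so the crate is not compiled against bindings older than the static libraries it links.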
@@ -1,79 +1,79 @@ -#include "../../include/openssl/aes.h" -#include "../../include/openssl/asn1.h" -#include "../../include/openssl/asn1_mac.h" -#include "../../include/openssl/asn1t.h" -#include "../../include/openssl/base.h" -#include "../../include/openssl/base64.h" -#include "../../include/openssl/bio.h" -#include "../../include/openssl/blake2.h" -#include "../../include/openssl/blowfish.h" -#include "../../include/openssl/bn.h" -#include "../../include/openssl/buf.h" -#include "../../include/openssl/buffer.h" -#include "../../include/openssl/bytestring.h" -#include "../../include/openssl/cast.h" -#include "../../include/openssl/chacha.h" -#include "../../include/openssl/cipher.h" -#include "../../include/openssl/cmac.h" -#include "../../include/openssl/conf.h" -#include "../../include/openssl/cpu.h" -#include "../../include/openssl/crypto.h" -#include "../../include/openssl/ctrdrbg.h" -#include "../../include/openssl/curve25519.h" -#include "../../include/openssl/des.h" -#include "../../include/openssl/dh.h" -#include "../../include/openssl/digest.h" -#include "../../include/openssl/dsa.h" -#include "../../include/openssl/dtls1.h" -#include "../../include/openssl/e_os2.h" -#include "../../include/openssl/ec.h" -#include "../../include/openssl/ec_key.h" -#include "../../include/openssl/ecdh.h" -#include "../../include/openssl/ecdsa.h" -#include "../../include/openssl/engine.h" -#include "../../include/openssl/err.h" -#include "../../include/openssl/evp.h" -#include "../../include/openssl/evp_errors.h" -#include "../../include/openssl/ex_data.h" -#include "../../include/openssl/hkdf.h" -#include "../../include/openssl/hmac.h" -#include "../../include/openssl/hpke.h" -#include "../../include/openssl/hrss.h" -#include "../../include/openssl/is_boringssl.h" -#include "../../include/openssl/kdf.h" -#include "../../include/openssl/lhash.h" -#include "../../include/openssl/md4.h" -#include "../../include/openssl/md5.h" -#include "../../include/openssl/mem.h" -#include 
"../../include/openssl/obj.h" -#include "../../include/openssl/obj_mac.h" -#include "../../include/openssl/objects.h" -#include "../../include/openssl/opensslconf.h" -#include "../../include/openssl/opensslv.h" -#include "../../include/openssl/ossl_typ.h" -#include "../../include/openssl/pem.h" -#include "../../include/openssl/pkcs12.h" -#include "../../include/openssl/pkcs7.h" -#include "../../include/openssl/pkcs8.h" -#include "../../include/openssl/poly1305.h" -#include "../../include/openssl/pool.h" -#include "../../include/openssl/rand.h" -#include "../../include/openssl/rc4.h" -#include "../../include/openssl/ripemd.h" -#include "../../include/openssl/rsa.h" -#include "../../include/openssl/safestack.h" -#include "../../include/openssl/sha.h" -#include "../../include/openssl/siphash.h" -#include "../../include/openssl/span.h" -#include "../../include/openssl/srtp.h" -#include "../../include/openssl/ssl.h" -#include "../../include/openssl/ssl3.h" -#include "../../include/openssl/stack.h" -#include "../../include/openssl/thread.h" -#include "../../include/openssl/tls1.h" -#include "../../include/openssl/trust_token.h" -#include "../../include/openssl/x509.h" -#include "../../include/openssl/x509_vfy.h" -#include "../../include/openssl/x509v3.h" +#include <openssl/aes.h> +#include <openssl/asn1.h> +#include <openssl/asn1_mac.h> +#include <openssl/asn1t.h> +#include <openssl/base.h> +#include <openssl/base64.h> +#include <openssl/bio.h> +#include <openssl/blake2.h> +#include <openssl/blowfish.h> +#include <openssl/bn.h> +#include <openssl/buf.h> +#include <openssl/buffer.h> +#include <openssl/bytestring.h> +#include <openssl/cast.h> +#include <openssl/chacha.h> +#include <openssl/cipher.h> +#include <openssl/cmac.h> +#include <openssl/conf.h> +#include <openssl/cpu.h> +#include <openssl/crypto.h> +#include <openssl/ctrdrbg.h> +#include <openssl/curve25519.h> +#include <openssl/des.h> +#include <openssl/dh.h> +#include <openssl/digest.h> +#include <openssl/dsa.h> 
+#include <openssl/dtls1.h> +#include <openssl/e_os2.h> +#include <openssl/ec.h> +#include <openssl/ec_key.h> +#include <openssl/ecdh.h> +#include <openssl/ecdsa.h> +#include <openssl/engine.h> +#include <openssl/err.h> +#include <openssl/evp.h> +#include <openssl/evp_errors.h> +#include <openssl/ex_data.h> +#include <openssl/hkdf.h> +#include <openssl/hmac.h> +#include <openssl/hpke.h> +#include <openssl/hrss.h> +#include <openssl/is_boringssl.h> +#include <openssl/kdf.h> +#include <openssl/lhash.h> +#include <openssl/md4.h> +#include <openssl/md5.h> +#include <openssl/mem.h> +#include <openssl/obj.h> +#include <openssl/obj_mac.h> +#include <openssl/objects.h> +#include <openssl/opensslconf.h> +#include <openssl/opensslv.h> +#include <openssl/ossl_typ.h> +#include <openssl/pem.h> +#include <openssl/pkcs12.h> +#include <openssl/pkcs7.h> +#include <openssl/pkcs8.h> +#include <openssl/poly1305.h> +#include <openssl/pool.h> +#include <openssl/rand.h> +#include <openssl/rc4.h> +#include <openssl/ripemd.h> +#include <openssl/rsa.h> +#include <openssl/safestack.h> +#include <openssl/sha.h> +#include <openssl/siphash.h> +#include <openssl/span.h> +#include <openssl/srtp.h> +#include <openssl/ssl.h> +#include <openssl/ssl3.h> +#include <openssl/stack.h> +#include <openssl/thread.h> +#include <openssl/tls1.h> +#include <openssl/trust_token.h> +#include <openssl/x509.h> +#include <openssl/x509_vfy.h> +#include <openssl/x509v3.h> #include "rust_wrapper.h" diff --git a/src/ssl/handshake_client.cc b/src/ssl/handshake_client.cc index 7fe2a2b5..971ebd0b 100644 --- a/src/ssl/handshake_client.cc +++ b/src/ssl/handshake_client.cc 
@@ -215,6 +215,14 @@ static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs, } } +static bool ssl_add_tls13_cipher(CBB *cbb, uint16_t cipher_id, + ssl_compliance_policy_t policy) { + if (ssl_tls13_cipher_meets_policy(cipher_id, policy)) { + return CBB_add_u16(cbb, cipher_id); + } + return true; +} + static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out, ssl_client_hello_type_t type) { const SSL *const ssl = hs->ssl; @@ -235,26 +243,22 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out, // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on // hardware support. if (hs->max_version >= TLS1_3_VERSION) { - const bool include_chacha20 = ssl_tls13_cipher_meets_policy( - TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff, - ssl->config->only_fips_cipher_suites_in_tls13); - const bool has_aes_hw = ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value : EVP_has_aes_hardware(); - if (!has_aes_hw && // - include_chacha20 && // - !CBB_add_u16(&child, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) { - return false; - } - if (!CBB_add_u16(&child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff) || - !CBB_add_u16(&child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff)) { - return false; - } - if (has_aes_hw && // - include_chacha20 && // - !CBB_add_u16(&child, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) { + if ((!has_aes_hw && // + !ssl_add_tls13_cipher(&child, + TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff, + ssl->config->tls13_cipher_policy)) || + !ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff, + ssl->config->tls13_cipher_policy) || + !ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff, + ssl->config->tls13_cipher_policy) || + (has_aes_hw && // + !ssl_add_tls13_cipher(&child, + TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff, + ssl->config->tls13_cipher_policy))) { return false; } } diff --git a/src/ssl/internal.h b/src/ssl/internal.h index 15ad6c21..01decb03 100644 
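Review bot: The new helper `ssl_add_tls13_cipher` has no comment, and its return value is easy to misread: it returns true both when the cipher was appended and when the policy filtered it out, and false only when `CBB_add_u16` fails. I would document that above the definition: `// ssl_add_tls13_cipher appends |cipher_id| to |cbb| if it is permitted by |policy|. It returns true if the cipher was added or skipped and false if writing to |cbb| failed.`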
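Review bot: The four-way `||` condition in `ssl_write_client_cipher_list` repeats `ssl->config->tls13_cipher_policy` in every call, which buries the ChaCha20-before-or-after-AES ordering that the preceding comment describes. Binding the policy once before the condition, `const auto policy = ssl->config->tls13_cipher_policy;`, and passing `policy` to each `ssl_add_tls13_cipher` call would shorten each operand to a single line. The function body starts and ends outside this hunk.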
--- a/src/ssl/internal.h +++ b/src/ssl/internal.h @@ -547,8 +547,7 @@ BSSL_NAMESPACE_BEGIN #define SSL_AES256 0x00000004u #define SSL_AES128GCM 0x00000008u #define SSL_AES256GCM 0x00000010u -#define SSL_eNULL 0x00000020u -#define SSL_CHACHA20POLY1305 0x00000040u +#define SSL_CHACHA20POLY1305 0x00000020u #define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM) @@ -661,17 +660,17 @@ size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher); // ssl_choose_tls13_cipher returns an |SSL_CIPHER| corresponding with the best // available from |cipher_suites| compatible with |version|, |group_id|, and -// |only_fips|. It returns NULL if there isn't a compatible cipher. |has_aes_hw| +// |policy|. It returns NULL if there isn't a compatible cipher. |has_aes_hw| // indicates if the choice should be made as if support for AES in hardware // is available. const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw, uint16_t version, uint16_t group_id, - bool only_fips); + enum ssl_compliance_policy_t policy); // ssl_tls13_cipher_meets_policy returns true if |cipher_id| is acceptable given -// |only_fips|. (For now there's only a single policy and so the policy argument -// is just a bool.) -bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id, bool only_fips); +// |policy|. +bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id, + enum ssl_compliance_policy_t policy); // Transcript layer. @@ -3064,6 +3063,10 @@ struct SSL_CONFIG { // structure for the client to use when negotiating ECH. Array<uint8_t> client_ech_config_list; + // tls13_cipher_policy limits the set of ciphers that can be selected when + // negotiating a TLS 1.3 connection. + enum ssl_compliance_policy_t tls13_cipher_policy = ssl_compliance_policy_none; + // verify_mode is a bitmask of |SSL_VERIFY_*| values. uint8_t verify_mode = SSL_VERIFY_NONE; 
@@ -3113,10 +3116,6 @@ struct SSL_CONFIG { // permute_extensions is whether to permute extensions when sending messages. bool permute_extensions : 1; - // only_fips_cipher_suites_in_tls13 constrains the selection of cipher suites - // in TLS 1.3 such that only FIPS approved ones will be selected. - bool only_fips_cipher_suites_in_tls13 : 1; - // aes_hw_override if set indicates we should override checking for aes // hardware support, and use the value in aes_hw_override_value instead. bool aes_hw_override : 1; @@ -3685,6 +3684,10 @@ struct ssl_ctx_st { int (*legacy_ocsp_callback)(SSL *ssl, void *arg) = nullptr; void *legacy_ocsp_callback_arg = nullptr; + // tls13_cipher_policy limits the set of ciphers that can be selected when + // negotiating a TLS 1.3 connection. + enum ssl_compliance_policy_t tls13_cipher_policy = ssl_compliance_policy_none; + // verify_sigalgs, if not empty, is the set of signature algorithms // accepted from the peer in decreasing order of preference. bssl::Array<uint16_t> verify_sigalgs; @@ -3732,10 +3735,6 @@ struct ssl_ctx_st { // If enable_early_data is true, early data can be sent and accepted. bool enable_early_data : 1; - // only_fips_cipher_suites_in_tls13 constrains the selection of cipher suites - // in TLS 1.3 such that only FIPS approved ones will be selected. - bool only_fips_cipher_suites_in_tls13 : 1; - // aes_hw_override if set indicates we should override checking for AES // hardware support, and use the value in aes_hw_override_value instead. bool aes_hw_override : 1; diff --git a/src/ssl/s3_both.cc b/src/ssl/s3_both.cc index f8352f3d..6d33c6d7 100644 --- a/src/ssl/s3_both.cc +++ b/src/ssl/s3_both.cc 
@@ -685,26 +685,44 @@ class CipherScorer { const bool aes_is_fine_; }; -bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id, bool only_fips) { - if (!only_fips) { - return true; - } - - switch (cipher_id) { - case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff: - case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff: +bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id, + enum ssl_compliance_policy_t policy) { + switch (policy) { + case ssl_compliance_policy_none: return true; - case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff: - return false; - default: - assert(false); - return false; + + case ssl_compliance_policy_fips_202205: + switch (cipher_id) { + case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff: + case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff: + return true; + case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff: + return false; + default: + assert(false); + return false; + } + + case ssl_compliance_policy_wpa3_192_202304: + switch (cipher_id) { + case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff: + return true; + case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff: + case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff: + return false; + default: + assert(false); + return false; + } } + + assert(false); + return false; } const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw, uint16_t version, uint16_t group_id, - bool only_fips) { + enum ssl_compliance_policy_t policy) { if (CBS_len(&cipher_suites) % 2 != 0) { return nullptr; } @@ -728,7 +746,7 @@ const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw, } if (!ssl_tls13_cipher_meets_policy(SSL_CIPHER_get_protocol_id(candidate), - only_fips)) { + policy)) { continue; } diff --git a/src/ssl/ssl_cipher.cc b/src/ssl/ssl_cipher.cc index 73564b39..f6259b24 100644 --- a/src/ssl/ssl_cipher.cc +++ b/src/ssl/ssl_cipher.cc 
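Review bot: Each policy's inner switch in `ssl_tls13_cipher_meets_policy` must enumerate every TLS 1.3 suite, but nothing in the function says so. An ID that is not listed reaches `assert(false)` in debug builds and is rejected in release builds, so adding a suite later without updating every policy would silently stop it being offered or selected under that policy. Rejecting unknown IDs is the right direction to fail, and it deserves a comment at the top of the outer switch: `// Every TLS 1.3 cipher must be listed under each policy below; unlisted IDs are rejected.` The later hunk in this file, at `ssl_choose_tls13_cipher`, only threads the new parameter through.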
@@ -157,17 +157,6 @@ BSSL_NAMESPACE_BEGIN static constexpr SSL_CIPHER kCiphers[] = { // The RSA ciphers - // Cipher 02 - { - SSL3_TXT_RSA_NULL_SHA, - "TLS_RSA_WITH_NULL_SHA", - SSL3_CK_RSA_NULL_SHA, - SSL_kRSA, - SSL_aRSA, - SSL_eNULL, - SSL_SHA1, - SSL_HANDSHAKE_MAC_DEFAULT, - }, // Cipher 0A { @@ -466,6 +455,16 @@ Span<const SSL_CIPHER> AllCiphers() { return MakeConstSpan(kCiphers, OPENSSL_ARRAY_SIZE(kCiphers)); } +static constexpr size_t NumTLS13Ciphers() { + size_t num = 0; + for (const auto &cipher : kCiphers) { + if (cipher.algorithm_mkey == SSL_kGENERIC) { + num++; + } + } + return num; +} + #define CIPHER_ADD 1 #define CIPHER_KILL 2 #define CIPHER_DEL 3 @@ -498,7 +497,6 @@ typedef struct cipher_alias_st { } CIPHER_ALIAS; static const CIPHER_ALIAS kCipherAliases[] = { - // "ALL" doesn't include eNULL. It must be explicitly enabled. {"ALL", ~0u, ~0u, ~0u, ~0u, 0}, // The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. @@ -599,9 +597,7 @@ bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead); } } else if (cipher->algorithm_mac == SSL_SHA1) { - if (cipher->algorithm_enc == SSL_eNULL) { - *out_aead = EVP_aead_null_sha1_tls(); - } else if (cipher->algorithm_enc == SSL_3DES) { + if (cipher->algorithm_enc == SSL_3DES) { if (version == TLS1_VERSION) { *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(); *out_fixed_iv_len = 8; 
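Review bot: `NumTLS13Ciphers`, added after `AllCiphers()`, has no comment, and the fact that `SSL_kGENERIC` is what marks a TLS 1.3 entry in `kCiphers` is only implied by the loop. A one-line comment would cover it: `// NumTLS13Ciphers returns the number of entries in |kCiphers| whose key exchange is |SSL_kGENERIC|, i.e. the TLS 1.3 ciphers.` This matters because the function that previously stated that rule, `ssl_cipher_collect_ciphers`, is deleted further down in the same file.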
@@ -703,54 +699,6 @@ static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, *head = curr; } -static bool ssl_cipher_collect_ciphers(Array<CIPHER_ORDER> *out_co_list, - CIPHER_ORDER **out_head, - CIPHER_ORDER **out_tail) { - Array<CIPHER_ORDER> co_list; - if (!co_list.Init(OPENSSL_ARRAY_SIZE(kCiphers))) { - return false; - } - - size_t co_list_num = 0; - for (const SSL_CIPHER &cipher : kCiphers) { - // TLS 1.3 ciphers do not participate in this mechanism. - if (cipher.algorithm_mkey != SSL_kGENERIC) { - co_list[co_list_num].cipher = &cipher; - co_list[co_list_num].next = NULL; - co_list[co_list_num].prev = NULL; - co_list[co_list_num].active = false; - co_list[co_list_num].in_group = false; - co_list_num++; - } - } - - // Prepare linked list from list entries. - if (co_list_num > 0) { - co_list[0].prev = NULL; - - if (co_list_num > 1) { - co_list[0].next = &co_list[1]; - - for (size_t i = 1; i < co_list_num - 1; i++) { - co_list[i].prev = &co_list[i - 1]; - co_list[i].next = &co_list[i + 1]; - } - - co_list[co_list_num - 1].prev = &co_list[co_list_num - 2]; - } - - co_list[co_list_num - 1].next = NULL; - - *out_head = &co_list[0]; - *out_tail = &co_list[co_list_num - 1]; - } else { - *out_head = nullptr; - *out_tail = nullptr; - } - *out_co_list = std::move(co_list); - return true; -} - SSLCipherPreferenceList::~SSLCipherPreferenceList() { OPENSSL_free(in_group_flags); } @@ -866,9 +814,7 @@ static void ssl_cipher_apply_rule( !(alg_auth & cp->algorithm_auth) || !(alg_enc & cp->algorithm_enc) || !(alg_mac & cp->algorithm_mac) || - (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version) || - // The NULL cipher must be selected explicitly. - cp->algorithm_enc == SSL_eNULL) { + (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) { continue; } } 
@@ -1155,67 +1101,79 @@ bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list, return false; } - // Now we have to collect the available ciphers from the compiled in ciphers. - // We cannot get more than the number compiled in, so it is used for - // allocation. - Array<CIPHER_ORDER> co_list; - CIPHER_ORDER *head = nullptr, *tail = nullptr; - if (!ssl_cipher_collect_ciphers(&co_list, &head, &tail)) { - return false; + // We prefer ECDHE ciphers over non-PFS ciphers. Then we prefer AEAD over + // non-AEAD. The constants are masked by 0xffff to remove the vestigial 0x03 + // byte from SSL 2.0. + static const uint16_t kAESCiphers[] = { + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 & 0xffff, + TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256 & 0xffff, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 & 0xffff, + TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384 & 0xffff, + }; + static const uint16_t kChaChaCiphers[] = { + TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 & 0xffff, + TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 & 0xffff, + TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 & 0xffff, + }; + static const uint16_t kLegacyCiphers[] = { + TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA & 0xffff, + TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA & 0xffff, + TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA & 0xffff, + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA & 0xffff, + TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA & 0xffff, + TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA & 0xffff, + TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 & 0xffff, + TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 & 0xffff, + TLS1_CK_RSA_WITH_AES_128_SHA & 0xffff, + TLS1_CK_PSK_WITH_AES_128_CBC_SHA & 0xffff, + TLS1_CK_RSA_WITH_AES_256_SHA & 0xffff, + TLS1_CK_PSK_WITH_AES_256_CBC_SHA & 0xffff, + SSL3_CK_RSA_DES_192_CBC3_SHA & 0xffff, + }; + + // Set up a linked list of ciphers. 
+ CIPHER_ORDER co_list[OPENSSL_ARRAY_SIZE(kAESCiphers) + + OPENSSL_ARRAY_SIZE(kChaChaCiphers) + + OPENSSL_ARRAY_SIZE(kLegacyCiphers)]; + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(co_list); i++) { + co_list[i].next = + i + 1 < OPENSSL_ARRAY_SIZE(co_list) ? &co_list[i + 1] : nullptr; + co_list[i].prev = i == 0 ? nullptr : &co_list[i - 1]; + co_list[i].active = false; + co_list[i].in_group = false; } - - // Now arrange all ciphers by preference: - // TODO(davidben): Compute this order once and copy it. - - // Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other - // key exchange mechanisms - ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1, - false, &head, &tail); - ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false, - &head, &tail); - ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head, - &tail); - - // Order the bulk ciphers. First the preferred AEAD ciphers. We prefer - // CHACHA20 unless there is hardware support for fast and constant-time - // AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the - // old one. + CIPHER_ORDER *head = &co_list[0]; + CIPHER_ORDER *tail = &co_list[OPENSSL_ARRAY_SIZE(co_list) - 1]; + + // Order AES ciphers vs ChaCha ciphers based on whether we have AES hardware. + // + // TODO(crbug.com/boringssl/29): We should also set up equipreference groups + // as a server. 
+ size_t num = 0; if (has_aes_hw) { - ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, - false, &head, &tail); - ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, - false, &head, &tail); - ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD, - -1, false, &head, &tail); - } else { - ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD, - -1, false, &head, &tail); - ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, - false, &head, &tail); - ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, - false, &head, &tail); - } - - // Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC, - // 3DES_EDE_CBC_SHA. - ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, false, - &head, &tail); - ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, false, - &head, &tail); - ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, false, - &head, &tail); - - // Temporarily enable everything else for sorting - ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false, &head, - &tail); - - // Move ciphers without forward secrecy to the end. - ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0, CIPHER_ORD, - -1, false, &head, &tail); - - // Now disable everything (maintaining the ordering!) 
- ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head, - &tail); + for (uint16_t id : kAESCiphers) { + co_list[num++].cipher = SSL_get_cipher_by_value(id); + assert(co_list[num - 1].cipher != nullptr); + } + } + for (uint16_t id : kChaChaCiphers) { + co_list[num++].cipher = SSL_get_cipher_by_value(id); + assert(co_list[num - 1].cipher != nullptr); + } + if (!has_aes_hw) { + for (uint16_t id : kAESCiphers) { + co_list[num++].cipher = SSL_get_cipher_by_value(id); + assert(co_list[num - 1].cipher != nullptr); + } + } + for (uint16_t id : kLegacyCiphers) { + co_list[num++].cipher = SSL_get_cipher_by_value(id); + assert(co_list[num - 1].cipher != nullptr); + } + assert(num == OPENSSL_ARRAY_SIZE(co_list)); + static_assert(OPENSSL_ARRAY_SIZE(co_list) + NumTLS13Ciphers() == + OPENSSL_ARRAY_SIZE(kCiphers), + "Not all ciphers are included in the cipher order"); // If the rule_string begins with DEFAULT, apply the default rule before // using the (possibly available) additional rules. @@ -1383,8 +1341,6 @@ int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) { int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) { switch (cipher->algorithm_enc) { - case SSL_eNULL: - return NID_undef; case SSL_3DES: return NID_des_ede3_cbc; case SSL_AES128: @@ -1457,8 +1413,7 @@ int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) { } int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) { - return (cipher->algorithm_enc & SSL_eNULL) == 0 && - cipher->algorithm_mac != SSL_AEAD; + return cipher->algorithm_mac != SSL_AEAD; } uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) { @@ -1557,11 +1512,6 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) { strength_bits = 112; break; - case SSL_eNULL: - alg_bits = 0; - strength_bits = 0; - break; - default: assert(0); alg_bits = 0; 
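Review bot: The `static_assert` that closes the new ordering code in `ssl_create_cipher_list` compares counts only (`OPENSSL_ARRAY_SIZE(co_list) + NumTLS13Ciphers()` against `OPENSSL_ARRAY_SIZE(kCiphers)`), so a suite ID listed twice across `kAESCiphers`, `kChaChaCiphers` and `kLegacyCiphers` while another suite is left out still compiles. The per-entry `assert(co_list[num - 1].cipher != nullptr)` catches an ID missing from `kCiphers` only when assertions are enabled; with them compiled out, a null `cipher` pointer would remain in the list that the later rule processing presumably dereferences. Consider making a failed lookup a hard error, e.g. `if (co_list[num - 1].cipher == nullptr) { return false; }`, and adding a comment that the three arrays must stay duplicate-free. The function starts before this hunk and continues after it.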
@@ -1652,10 +1602,6 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, enc = "ChaCha20-Poly1305"; break; - case SSL_eNULL: - enc="None"; - break; - default: enc = "unknown"; break; diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc index 6b454963..838761af 100644 --- a/src/ssl/ssl_lib.cc +++ b/src/ssl/ssl_lib.cc @@ -536,7 +536,6 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method) false_start_allowed_without_alpn(false), handoff(false), enable_early_data(false), - only_fips_cipher_suites_in_tls13(false), aes_hw_override(false), aes_hw_override_value(false) { CRYPTO_MUTEX_init(&lock); @@ -658,10 +657,9 @@ SSL *SSL_new(SSL_CTX *ctx) { ssl->config->retain_only_sha256_of_client_certs = ctx->retain_only_sha256_of_client_certs; ssl->config->permute_extensions = ctx->permute_extensions; - ssl->config->only_fips_cipher_suites_in_tls13 = - ctx->only_fips_cipher_suites_in_tls13; ssl->config->aes_hw_override = ctx->aes_hw_override; ssl->config->aes_hw_override_value = ctx->aes_hw_override_value; + ssl->config->tls13_cipher_policy = ctx->tls13_cipher_policy; if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) || !ssl->config->alpn_client_proto_list.CopyFrom( @@ -3175,7 +3173,7 @@ static const char kTLS12Ciphers[] = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; static int Configure(SSL_CTX *ctx) { - ctx->only_fips_cipher_suites_in_tls13 = true; + ctx->tls13_cipher_policy = ssl_compliance_policy_fips_202205; return // Section 3.1: @@ -3198,7 +3196,7 @@ static int Configure(SSL_CTX *ctx) { } static int Configure(SSL *ssl) { - ssl->config->only_fips_cipher_suites_in_tls13 = true; + ssl->config->tls13_cipher_policy = ssl_compliance_policy_fips_202205; // See |Configure(SSL_CTX)|, above, for reasoning. return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) && 
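Review bot: The `ssl_ctx_st` constructor hunk removes `only_fips_cipher_suites_in_tls13(false)` from the initializer list without adding an entry for `tls13_cipher_policy`, which `SSL_new` now copies into `ssl->config` and the TLS 1.3 code hands to `ssl_tls13_cipher_meets_policy`. Unless the member declaration (not visible in this view) carries a default initializer of `ssl_compliance_policy_none`, the value would be indeterminate for contexts that never call `SSL_CTX_set_compliance_policy`. If it is not initialised at the declaration, add `tls13_cipher_policy(ssl_compliance_policy_none)` to this list. The constructor continues outside the hunk.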
@@ -3213,11 +3211,59 @@ static int Configure(SSL *ssl) { } // namespace fips202205 +namespace wpa202304 { + +// See WPA version 3.1, section 3.5. + +static const int kCurves[] = {NID_secp384r1}; + +static const uint16_t kSigAlgs[] = { + SSL_SIGN_RSA_PKCS1_SHA384, // + SSL_SIGN_RSA_PKCS1_SHA512, // + SSL_SIGN_ECDSA_SECP384R1_SHA384, // + SSL_SIGN_RSA_PSS_RSAE_SHA384, // + SSL_SIGN_RSA_PSS_RSAE_SHA512, // +}; + +static const char kTLS12Ciphers[] = + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:" + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; + +static int Configure(SSL_CTX *ctx) { + ctx->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304; + + return SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) && + SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) && + SSL_CTX_set_strict_cipher_list(ctx, kTLS12Ciphers) && + SSL_CTX_set1_curves(ctx, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) && + SSL_CTX_set_signing_algorithm_prefs(ctx, kSigAlgs, + OPENSSL_ARRAY_SIZE(kSigAlgs)) && + SSL_CTX_set_verify_algorithm_prefs(ctx, kSigAlgs, + OPENSSL_ARRAY_SIZE(kSigAlgs)); +} + +static int Configure(SSL *ssl) { + ssl->config->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304; + + return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) && + SSL_set_max_proto_version(ssl, TLS1_3_VERSION) && + SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) && + SSL_set1_curves(ssl, kCurves, OPENSSL_ARRAY_SIZE(kCurves)) && + SSL_set_signing_algorithm_prefs(ssl, kSigAlgs, + OPENSSL_ARRAY_SIZE(kSigAlgs)) && + SSL_set_verify_algorithm_prefs(ssl, kSigAlgs, + OPENSSL_ARRAY_SIZE(kSigAlgs)); +} + +} // namespace wpa202304 + int SSL_CTX_set_compliance_policy(SSL_CTX *ctx, enum ssl_compliance_policy_t policy) { switch (policy) { case ssl_compliance_policy_fips_202205: return fips202205::Configure(ctx); + case ssl_compliance_policy_wpa3_192_202304: + return wpa202304::Configure(ctx); default: return 0; } 
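Review bot: Both `wpa202304::Configure` overloads assign `tls13_cipher_policy` before the `&&` chain, so when a later setter fails the function returns 0 with the object partly reconfigured: the TLS 1.3 policy is already switched and the setters that ran before the failure have taken effect. The stricter TLS 1.3 filter stays in place, but the TLS 1.2 cipher list, curves or signature preferences may still be the previous ones. A comment on the namespace such as `// On failure the SSL_CTX/SSL is left partially configured and must not be used.` would make the contract explicit for callers of `SSL_CTX_set_compliance_policy` and `SSL_set_compliance_policy`; the `fips202205` overloads touched earlier in this file follow the same pattern.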
@@ -3227,6 +3273,8 @@ int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) { switch (policy) { case ssl_compliance_policy_fips_202205: return fips202205::Configure(ssl); + case ssl_compliance_policy_wpa3_192_202304: + return wpa202304::Configure(ssl); default: return 0; } diff --git a/src/ssl/test/fuzzer.h b/src/ssl/test/fuzzer.h index 8f73fc01..e18a8205 100644 --- a/src/ssl/test/fuzzer.h +++ b/src/ssl/test/fuzzer.h @@ -414,7 +414,7 @@ class TLSFuzzer { SSL_CTX_enable_ocsp_stapling(ctx_.get()); // Enable versions and ciphers that are off by default. - if (!SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL:NULL-SHA")) { + if (!SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL")) { return false; } diff --git a/src/ssl/test/runner/cipher_suites.go b/src/ssl/test/runner/cipher_suites.go index 5db57498..b86f515f 100644 --- a/src/ssl/test/runner/cipher_suites.go +++ b/src/ssl/test/runner/cipher_suites.go @@ -127,11 +127,6 @@ var cipherSuites = []*cipherSuite{ {TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil}, {TLS_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil}, {TLS_PSK_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, pskKA, suitePSK, cipherAES, macSHA1, nil}, - {TLS_RSA_WITH_NULL_SHA, 0, 20, noIV, rsaKA, 0, cipherNull, macSHA1, nil}, -} - -func noIV(vers uint16) int { - return 0 } func ivLenChaCha20Poly1305(vers uint16) int { @@ -364,7 +359,6 @@ func cipherSuiteFromID(id uint16) *cipherSuite { // A list of the possible cipher suite ids. Taken from // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml const ( - TLS_RSA_WITH_NULL_SHA uint16 = 0x0002 TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go index ce06779b..cb974989 100644 --- a/src/ssl/test/runner/common.go 
+++ b/src/ssl/test/runner/common.go @@ -222,9 +222,13 @@ const ( // algorithms. var supportedSignatureAlgorithms = []signatureAlgorithm{ signatureRSAPSSWithSHA256, + signatureRSAPSSWithSHA384, signatureRSAPKCS1WithSHA256, signatureECDSAWithP256AndSHA256, + signatureECDSAWithP384AndSHA384, signatureRSAPKCS1WithSHA1, + signatureRSAPKCS1WithSHA256, + signatureRSAPKCS1WithSHA384, signatureECDSAWithSHA1, signatureEd25519, } diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go index dde60dfd..b361e195 100644 --- a/src/ssl/test/runner/runner.go +++ b/src/ssl/test/runner/runner.go @@ -65,6 +65,7 @@ var ( allowHintMismatch = flag.String("allow-hint-mismatch", "", "Semicolon-separated patterns of tests where hints may mismatch") numWorkersFlag = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.") shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.") + shimExtraFlags = flag.String("shim-extra-flags", "", "Semicolon-separated extra flags to pass to the shim binary on each invocation.") handshakerPath = flag.String("handshaker-path", "../../../build/ssl/test/handshaker", "The location of the handshaker binary.") resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.") fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.") @@ -1433,6 +1434,9 @@ func runTest(statusChan chan statusMsg, test *testCase, shimPath string, mallocN }() var flags []string + if len(*shimExtraFlags) > 0 { + flags = strings.Split(*shimExtraFlags, ";") + } if test.testType == serverTest { flags = append(flags, "-server") 
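Review bot: `signatureRSAPKCS1WithSHA256` now appears twice in `supportedSignatureAlgorithms`: once as an existing context entry and again in the added lines after `signatureRSAPKCS1WithSHA1`. The second entry looks unintended and should be dropped, leaving only the new `signatureRSAPKCS1WithSHA384` at that position. The added PKCS#1 SHA-384 entry also lands after the SHA-1 entry; if the slice order is used as a preference order (not visible in this hunk), it may be meant to sit next to the SHA-256 entry higher up.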
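Review bot: In `runTest`, `strings.Split(*shimExtraFlags, ";")` turns a trailing or doubled `;` into an empty-string argument that is passed to the shim, and the same three lines are repeated in the `convertToSplitHandshakeTests` hunk. Splitting with `strings.FieldsFunc(*shimExtraFlags, func(r rune) bool { return r == ';' })` drops empty segments, and placing it in one small helper keeps the two call sites in agreement. The help text of `-shim-extra-flags` could also say that a flag value containing `;` cannot be expressed. `runTest` begins and ends outside this hunk.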
@@ -1850,7 +1854,6 @@ var testCipherSuites = []testCipherSuite{ {"CHACHA20_POLY1305_SHA256", TLS_CHACHA20_POLY1305_SHA256}, {"AES_128_GCM_SHA256", TLS_AES_128_GCM_SHA256}, {"AES_256_GCM_SHA384", TLS_AES_256_GCM_SHA384}, - {"RSA_WITH_NULL_SHA", TLS_RSA_WITH_NULL_SHA}, } func hasComponent(suiteName, component string) bool { @@ -1878,7 +1881,12 @@ func bigFromHex(hex string) *big.Int { func convertToSplitHandshakeTests(tests []testCase) (splitHandshakeTests []testCase, err error) { var stdout bytes.Buffer - shim := exec.Command(*shimPath, "-is-handshaker-supported") + var flags []string + if len(*shimExtraFlags) > 0 { + flags = strings.Split(*shimExtraFlags, ";") + } + flags = append(flags, "-is-handshaker-supported") + shim := exec.Command(*shimPath, flags...) shim.Stdout = &stdout if err := shim.Run(); err != nil { return nil, err @@ -3673,10 +3681,6 @@ func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol proto "-psk", psk, "-psk-identity", pskIdentity) } - if hasComponent(suite.name, "NULL") { - // NULL ciphers must be explicitly enabled. - flags = append(flags, "-cipher", "DEFAULT:NULL-SHA") - } var shouldFail bool if isTLS12Only(suite.name) && ver.version < VersionTLS12 { 
@@ -9720,26 +9724,29 @@ var testSignatureAlgorithms = []struct { name string id signatureAlgorithm cert testCert + // If non-zero, the curve that must be supported in TLS 1.2 for cert to be + // accepted. + curve CurveID }{ - {"RSA_PKCS1_SHA1", signatureRSAPKCS1WithSHA1, testCertRSA}, - {"RSA_PKCS1_SHA256", signatureRSAPKCS1WithSHA256, testCertRSA}, - {"RSA_PKCS1_SHA384", signatureRSAPKCS1WithSHA384, testCertRSA}, - {"RSA_PKCS1_SHA512", signatureRSAPKCS1WithSHA512, testCertRSA}, - {"ECDSA_SHA1", signatureECDSAWithSHA1, testCertECDSAP256}, + {"RSA_PKCS1_SHA1", signatureRSAPKCS1WithSHA1, testCertRSA, 0}, + {"RSA_PKCS1_SHA256", signatureRSAPKCS1WithSHA256, testCertRSA, 0}, + {"RSA_PKCS1_SHA384", signatureRSAPKCS1WithSHA384, testCertRSA, 0}, + {"RSA_PKCS1_SHA512", signatureRSAPKCS1WithSHA512, testCertRSA, 0}, + {"ECDSA_SHA1", signatureECDSAWithSHA1, testCertECDSAP256, CurveP256}, // The “P256” in the following line is not a mistake. In TLS 1.2 the // hash function doesn't have to match the curve and so the same // signature algorithm works with P-224. 
- {"ECDSA_P224_SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224}, - {"ECDSA_P256_SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256}, - {"ECDSA_P384_SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384}, - {"ECDSA_P521_SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521}, - {"RSA_PSS_SHA256", signatureRSAPSSWithSHA256, testCertRSA}, - {"RSA_PSS_SHA384", signatureRSAPSSWithSHA384, testCertRSA}, - {"RSA_PSS_SHA512", signatureRSAPSSWithSHA512, testCertRSA}, - {"Ed25519", signatureEd25519, testCertEd25519}, + {"ECDSA_P224_SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224, CurveP224}, + {"ECDSA_P256_SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256, CurveP256}, + {"ECDSA_P384_SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384, CurveP384}, + {"ECDSA_P521_SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521, CurveP521}, + {"RSA_PSS_SHA256", signatureRSAPSSWithSHA256, testCertRSA, 0}, + {"RSA_PSS_SHA384", signatureRSAPSSWithSHA384, testCertRSA, 0}, + {"RSA_PSS_SHA512", signatureRSAPSSWithSHA512, testCertRSA, 0}, + {"Ed25519", signatureEd25519, testCertEd25519, 0}, // Tests for key types prior to TLS 1.2. - {"RSA", 0, testCertRSA}, - {"ECDSA", 0, testCertECDSAP256}, + {"RSA", 0, testCertRSA, 0}, + {"ECDSA", 0, testCertECDSAP256, CurveP256}, } const fakeSigAlg1 signatureAlgorithm = 0x2a01 @@ -9791,6 +9798,14 @@ func addSignatureAlgorithmTests() { rejectByDefault = true } + var curveFlags []string + if alg.curve != 0 && ver.version <= VersionTLS12 { + // In TLS 1.2, the ECDH curve list also constrains ECDSA keys. Ensure the + // corresponding curve is enabled on the shim. Also include X25519 to + // ensure the shim and runner have something in common for ECDH. + curveFlags = flagInts("-curves", []int{int(CurveX25519), int(alg.curve)}) + } + var signError, signLocalError, verifyError, verifyLocalError, defaultError, defaultLocalError string if shouldFail { signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:" 
@@ -9829,7 +9844,7 @@ func addSignatureAlgorithmTests() { "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)), "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)), }, - flagInts("-curves", shimConfig.AllCurves)..., + curveFlags..., ), shouldFail: shouldFail, expectedError: signError, @@ -9853,7 +9868,7 @@ func addSignatureAlgorithmTests() { "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)), "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)), }, - flagInts("-curves", shimConfig.AllCurves)..., + curveFlags..., ), expectations: connectionExpectations{ peerSignatureAlgorithm: alg.id, @@ -9894,7 +9909,7 @@ func addSignatureAlgorithmTests() { IgnorePeerSignatureAlgorithmPreferences: shouldFail, }, }, - flags: flagInts("-curves", shimConfig.AllCurves), + flags: curveFlags, // Resume the session to assert the peer signature // algorithm is reported on both handshakes. resumeSession: !shouldFail, @@ -9927,7 +9942,7 @@ func addSignatureAlgorithmTests() { }, flags: append( []string{"-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id))}, - flagInts("-curves", shimConfig.AllCurves)..., + curveFlags..., ), // Resume the session to assert the peer signature // algorithm is reported on both handshakes. @@ -9951,7 +9966,7 @@ func addSignatureAlgorithmTests() { InvalidSignature: true, }, }, - flags: flagInts("-curves", shimConfig.AllCurves), + flags: curveFlags, shouldFail: true, expectedError: ":BAD_SIGNATURE:", } 
@@ -19179,13 +19194,21 @@ func addCompliancePolicyTests() { isFIPSCipherSuite = true } + var isWPACipherSuite bool + switch suite.id { + case TLS_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: + isWPACipherSuite = true + } + var certFile string var keyFile string var certs []Certificate if hasComponent(suite.name, "ECDSA") { - certFile = ecdsaP256CertificateFile - keyFile = ecdsaP256KeyFile - certs = []Certificate{ecdsaP256Certificate} + certFile = ecdsaP384CertificateFile + keyFile = ecdsaP384KeyFile + certs = []Certificate{ecdsaP384Certificate} } else { certFile = rsaCertificateFile keyFile = rsaKeyFile 
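Review bot: The ECDSA branch now always uses `ecdsaP384CertificateFile`, `ecdsaP384KeyFile` and `ecdsaP384Certificate`, so the `-fips-202205` cases generated from this loop no longer exercise a P-256 ECDSA certificate. If P-256 coverage under the FIPS policy matters, select the certificate per policy, or add a comment such as `// P-384 is used because it is accepted by every policy under test.` (presumably the reason for the swap). `addCompliancePolicyTests` starts before this hunk and continues after it.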
@@ -19200,38 +19223,48 @@ func addCompliancePolicyTests() { maxVersion = VersionTLS12 } - testCases = append(testCases, testCase{ - testType: serverTest, - protocol: protocol, - name: "Compliance-fips202205-" + protocol.String() + "-Server-" + suite.name, - config: Config{ - MinVersion: VersionTLS12, - MaxVersion: maxVersion, - CipherSuites: []uint16{suite.id}, - }, - certFile: certFile, - keyFile: keyFile, - flags: []string{ - "-fips-202205", - }, - shouldFail: !isFIPSCipherSuite, - }) + policies := []struct { + flag string + cipherSuiteOk bool + }{ + {"-fips-202205", isFIPSCipherSuite}, + {"-wpa-202304", isWPACipherSuite}, + } - testCases = append(testCases, testCase{ - testType: clientTest, - protocol: protocol, - name: "Compliance-fips202205-" + protocol.String() + "-Client-" + suite.name, - config: Config{ - MinVersion: VersionTLS12, - MaxVersion: maxVersion, - CipherSuites: []uint16{suite.id}, - Certificates: certs, - }, - flags: []string{ - "-fips-202205", - }, - shouldFail: !isFIPSCipherSuite, - }) + for _, policy := range policies { + testCases = append(testCases, testCase{ + testType: serverTest, + protocol: protocol, + name: "Compliance" + policy.flag + "-" + protocol.String() + "-Server-" + suite.name, + config: Config{ + MinVersion: VersionTLS12, + MaxVersion: maxVersion, + CipherSuites: []uint16{suite.id}, + }, + certFile: certFile, + keyFile: keyFile, + flags: []string{ + policy.flag, + }, + shouldFail: !policy.cipherSuiteOk, + }) + + testCases = append(testCases, testCase{ + testType: clientTest, + protocol: protocol, + name: "Compliance" + policy.flag + "-" + protocol.String() + "-Client-" + suite.name, + config: Config{ + MinVersion: VersionTLS12, + MaxVersion: maxVersion, + CipherSuites: []uint16{suite.id}, + Certificates: certs, + }, + flags: []string{ + policy.flag, + }, + shouldFail: !policy.cipherSuiteOk, + }) + } } // Check that a TLS 1.3 client won't accept ChaCha20 even if the server 
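Review bot: The test name is now built as `"Compliance" + policy.flag + "-" + ...`, so the existing FIPS cases are renamed from `Compliance-fips202205-...` to `Compliance-fips-202205-...`; any name-based filter or exclusion list keyed on the old prefix would silently stop matching. Giving the `policies` struct an explicit name field, e.g. `{"fips202205", "-fips-202205", isFIPSCipherSuite}`, keeps the old names stable and decouples them from the command-line spelling. The same construction is used in the curve and signature-algorithm loops in the `@@ -19261` and `@@ -19320` hunks.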
@@ -19261,35 +19294,51 @@ func addCompliancePolicyTests() { isFIPSCurve = true } - testCases = append(testCases, testCase{ - testType: serverTest, - protocol: protocol, - name: "Compliance-fips202205-" + protocol.String() + "-Server-" + curve.name, - config: Config{ - MinVersion: VersionTLS12, - MaxVersion: VersionTLS13, - CurvePreferences: []CurveID{curve.id}, - }, - flags: []string{ - "-fips-202205", - }, - shouldFail: !isFIPSCurve, - }) + var isWPACurve bool + switch curve.id { + case CurveP384: + isWPACurve = true + } - testCases = append(testCases, testCase{ - testType: clientTest, - protocol: protocol, - name: "Compliance-fips202205-" + protocol.String() + "-Client-" + curve.name, - config: Config{ - MinVersion: VersionTLS12, - MaxVersion: VersionTLS13, - CurvePreferences: []CurveID{curve.id}, - }, - flags: []string{ - "-fips-202205", - }, - shouldFail: !isFIPSCurve, - }) + policies := []struct { + flag string + curveOk bool + }{ + {"-fips-202205", isFIPSCurve}, + {"-wpa-202304", isWPACurve}, + } + + for _, policy := range policies { + testCases = append(testCases, testCase{ + testType: serverTest, + protocol: protocol, + name: "Compliance" + policy.flag + "-" + protocol.String() + "-Server-" + curve.name, + config: Config{ + MinVersion: VersionTLS12, + MaxVersion: VersionTLS13, + CurvePreferences: []CurveID{curve.id}, + }, + flags: []string{ + policy.flag, + }, + shouldFail: !policy.curveOk, + }) + + testCases = append(testCases, testCase{ + testType: clientTest, + protocol: protocol, + name: "Compliance" + policy.flag + "-" + protocol.String() + "-Client-" + curve.name, + config: Config{ + MinVersion: VersionTLS12, + MaxVersion: VersionTLS13, + CurvePreferences: []CurveID{curve.id}, + }, + flags: []string{ + policy.flag, + }, + shouldFail: !policy.curveOk, + }) + } } for _, sigalg := range testSignatureAlgorithms { 
@@ -19306,6 +19355,16 @@ func addCompliancePolicyTests() { isFIPSSigAlg = true } + var isWPASigAlg bool + switch sigalg.id { + case signatureRSAPKCS1WithSHA384, + signatureRSAPKCS1WithSHA512, + signatureECDSAWithP384AndSHA384, + signatureRSAPSSWithSHA384, + signatureRSAPSSWithSHA512: + isWPASigAlg = true + } + if sigalg.cert == testCertECDSAP224 { // This can work in TLS 1.2, but not with TLS 1.3. // For consistency it's not permitted in FIPS mode. 
@@ -19320,38 +19379,48 @@ func addCompliancePolicyTests() { maxVersion = VersionTLS12 } - testCases = append(testCases, testCase{ - testType: serverTest, - protocol: protocol, - name: "Compliance-fips202205-" + protocol.String() + "-Server-" + sigalg.name, - config: Config{ - MinVersion: VersionTLS12, - MaxVersion: maxVersion, - VerifySignatureAlgorithms: []signatureAlgorithm{sigalg.id}, - }, - flags: []string{ - "-fips-202205", - "-cert-file", path.Join(*resourceDir, getShimCertificate(sigalg.cert)), - "-key-file", path.Join(*resourceDir, getShimKey(sigalg.cert)), - }, - shouldFail: !isFIPSSigAlg, - }) + policies := []struct { + flag string + sigAlgOk bool + }{ + {"-fips-202205", isFIPSSigAlg}, + {"-wpa-202304", isWPASigAlg}, + } - testCases = append(testCases, testCase{ - testType: clientTest, - protocol: protocol, - name: "Compliance-fips202205-" + protocol.String() + "-Client-" + sigalg.name, - config: Config{ - MinVersion: VersionTLS12, - MaxVersion: maxVersion, - SignSignatureAlgorithms: []signatureAlgorithm{sigalg.id}, - Certificates: []Certificate{getRunnerCertificate(sigalg.cert)}, - }, - flags: []string{ - "-fips-202205", - }, - shouldFail: !isFIPSSigAlg, - }) + for _, policy := range policies { + testCases = append(testCases, testCase{ + testType: serverTest, + protocol: protocol, + name: "Compliance" + policy.flag + "-" + protocol.String() + "-Server-" + sigalg.name, + config: Config{ + MinVersion: VersionTLS12, + MaxVersion: maxVersion, + VerifySignatureAlgorithms: []signatureAlgorithm{sigalg.id}, + }, + flags: []string{ + policy.flag, + "-cert-file", path.Join(*resourceDir, getShimCertificate(sigalg.cert)), + "-key-file", path.Join(*resourceDir, getShimKey(sigalg.cert)), + }, + shouldFail: !policy.sigAlgOk, + }) + + testCases = append(testCases, testCase{ + testType: clientTest, + protocol: protocol, + name: "Compliance" + policy.flag + "-" + protocol.String() + "-Client-" + sigalg.name, + config: Config{ + MinVersion: VersionTLS12, + MaxVersion: 
maxVersion, + SignSignatureAlgorithms: []signatureAlgorithm{sigalg.id}, + Certificates: []Certificate{getRunnerCertificate(sigalg.cert)}, + }, + flags: []string{ + policy.flag, + }, + shouldFail: !policy.sigAlgOk, + }) + } } } } diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc index ba10a331..0ee5580e 100644 --- a/src/ssl/test/test_config.cc +++ b/src/ssl/test/test_config.cc @@ -390,6 +390,7 @@ std::vector<Flag> SortedFlags() { IntFlag("-early-write-after-message", &TestConfig::early_write_after_message), BoolFlag("-fips-202205", &TestConfig::fips_202205), + BoolFlag("-wpa-202304", &TestConfig::wpa_202304), }; std::sort(flags.begin(), flags.end(), [](const Flag &a, const Flag &b) { return strcmp(a.name, b.name) < 0; @@ -1765,11 +1766,20 @@ bssl::UniquePtr<SSL> TestConfig::NewSSL( if (enable_ech_grease) { SSL_set_enable_ech_grease(ssl.get(), 1); } + if (static_cast<int>(fips_202205) + static_cast<int>(wpa_202304) > 1) { + fprintf(stderr, "Multiple policy options given\n"); + return nullptr; + } if (fips_202205 && !SSL_set_compliance_policy( ssl.get(), ssl_compliance_policy_fips_202205)) { fprintf(stderr, "SSL_set_compliance_policy failed\n"); return nullptr; } + if (wpa_202304 && !SSL_set_compliance_policy( + ssl.get(), ssl_compliance_policy_wpa3_192_202304)) { + fprintf(stderr, "SSL_set_compliance_policy failed\n"); + return nullptr; + } if (!ech_config_list.empty() && !SSL_set1_ech_config_list( ssl.get(), reinterpret_cast<const uint8_t *>(ech_config_list.data()), diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h index 5cc59264..e8c473a1 100644 --- a/src/ssl/test/test_config.h +++ b/src/ssl/test/test_config.h @@ -195,6 +195,7 @@ struct TestConfig { std::string quic_early_data_context; int early_write_after_message = 0; bool fips_202205 = false; + bool wpa_202304 = false; int argc; char **argv; diff --git a/src/ssl/tls13_client.cc b/src/ssl/tls13_client.cc index 92e26f22..1971596c 100644 --- a/src/ssl/tls13_client.cc 
+++ b/src/ssl/tls13_client.cc @@ -200,7 +200,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) || !ssl_tls13_cipher_meets_policy( SSL_CIPHER_get_value(cipher), - ssl->config->only_fips_cipher_suites_in_tls13)) { + ssl->config->tls13_cipher_policy)) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; diff --git a/src/ssl/tls13_server.cc b/src/ssl/tls13_server.cc index c97e3f55..9d26f4e0 100644 --- a/src/ssl/tls13_server.cc +++ b/src/ssl/tls13_server.cc @@ -120,7 +120,7 @@ static const SSL_CIPHER *choose_tls13_cipher( cipher_suites, ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value : EVP_has_aes_hardware(), - version, group_id, ssl->config->only_fips_cipher_suites_in_tls13); + version, group_id, ssl->config->tls13_cipher_policy); } static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) { diff --git a/src/third_party/fiat/curve25519_64_msvc.h b/src/third_party/fiat/curve25519_64_msvc.h new file mode 100644 index 00000000..d20ec853 --- /dev/null +++ b/src/third_party/fiat/curve25519_64_msvc.h 
@@ -0,0 +1,1281 @@ +/* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier --no-wide-int 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */ +/* curve description: 25519 */ +/* machine_wordsize = 64 (from "64") */ +/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */ +/* n = 5 (from "(auto)") */ +/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ +/* tight_bounds_multiplier = 1 (from "") */ +/* */ +/* Computed values: */ +/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ +/* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ + +#include <stdint.h> +#include <intrin.h> +#if defined(_M_X64) +#include <immintrin.h> +#endif + +typedef unsigned char fiat_25519_uint1; +typedef signed char fiat_25519_int1; + +#define FIAT_25519_FIAT_INLINE inline + +/* The type fiat_25519_loose_field_element is a field element with loose bounds. */ +/* Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ +typedef uint64_t fiat_25519_loose_field_element[5]; + +/* The type fiat_25519_tight_field_element is a field element with tight bounds. 
*/ +/* Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ +typedef uint64_t fiat_25519_tight_field_element[5]; + +#if (-1 & 3) != 3 +#error "This code only works on a two's complement system" +#endif + +#define fiat_25519_value_barrier_u64(x) (x) + +/* + * The function fiat_25519_addcarryx_u64 is an addition with carry. + * + * Postconditions: + * out1 = (arg1 + arg2 + arg3) mod 2^64 + * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0x1] + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u64(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { +// NOTE: edited after generation +#if defined(_M_X64) + *out2 = _addcarry_u64(arg1, arg2, arg3, out1); +#else + arg2 += arg1; + arg1 = arg2 < arg1; + arg3 += arg2; + arg1 += arg3 < arg2; + *out1 = arg3; + *out2 = arg1; +#endif +} + +/* + * The function fiat_25519_subborrowx_u64 is a subtraction with borrow. + * + * Postconditions: + * out1 = (-arg1 + arg2 + -arg3) mod 2^64 + * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0x1] + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u64(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { +#if defined(_M_X64) + *out2 = _subborrow_u64(arg1, arg2, arg3, out1); // NOTE: edited after generation +#else + *out1 = arg2 - arg3 - arg1; + *out2 = (arg2 < arg3) | ((arg2 == arg3) & arg1); +#endif +} + +/* + * The function fiat_25519_addcarryx_u51 is an addition with carry. 
+ * + * Postconditions: + * out1 = (arg1 + arg2 + arg3) mod 2^51 + * out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0x7ffffffffffff] + * arg3: [0x0 ~> 0x7ffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0x7ffffffffffff] + * out2: [0x0 ~> 0x1] + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { + uint64_t x1; + uint64_t x2; + fiat_25519_uint1 x3; + x1 = ((arg1 + arg2) + arg3); + x2 = (x1 & UINT64_C(0x7ffffffffffff)); + x3 = (fiat_25519_uint1)(x1 >> 51); + *out1 = x2; + *out2 = x3; +} + +/* + * The function fiat_25519_subborrowx_u51 is a subtraction with borrow. + * + * Postconditions: + * out1 = (-arg1 + arg2 + -arg3) mod 2^51 + * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0x7ffffffffffff] + * arg3: [0x0 ~> 0x7ffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0x7ffffffffffff] + * out2: [0x0 ~> 0x1] + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { + int64_t x1; + fiat_25519_int1 x2; + uint64_t x3; + x1 = ((int64_t)(arg2 - (int64_t)arg1) - (int64_t)arg3); + x2 = (fiat_25519_int1)(x1 >> 51); + x3 = (x1 & UINT64_C(0x7ffffffffffff)); + *out1 = x3; + *out2 = (fiat_25519_uint1)(0x0 - x2); +} + +/* + * The function fiat_25519_mulx_u64 is a multiplication, returning the full double-width result. 
+ * + * Postconditions: + * out1 = (arg1 * arg2) mod 2^64 + * out2 = ⌊arg1 * arg2 / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0xffffffffffffffff] + * arg2: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0xffffffffffffffff] + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { +// NOTE: edited after generation +#if defined(_M_X64) + *out1 = _umul128(arg1, arg2, out2); +#elif defined(_M_ARM64) + *out1 = arg1 * arg2; + *out2 = __umulh(arg1, arg2); +#else +#error "This file is intended for MSVC on X64 or ARM64" +#endif +} + +/* + * The function fiat_25519_cmovznz_u64 is a single-word conditional move. + * + * Postconditions: + * out1 = (if arg1 = 0 then arg2 else arg3) + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_25519_uint1 x1; + uint64_t x2; + uint64_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); + x3 = ((fiat_25519_value_barrier_u64(x2) & arg3) | (fiat_25519_value_barrier_u64((~x2)) & arg2)); + *out1 = x3; +} + +/* + * The function fiat_25519_carry_mul multiplies two field elements and reduces the result. 
+ * + * Postconditions: + * eval out1 mod m = (eval arg1 * eval arg2) mod m + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + fiat_25519_uint1 x52; + uint64_t x53; + fiat_25519_uint1 x54; + uint64_t x55; + fiat_25519_uint1 x56; + uint64_t x57; + fiat_25519_uint1 x58; + uint64_t x59; + fiat_25519_uint1 x60; + uint64_t x61; + fiat_25519_uint1 x62; + uint64_t x63; + fiat_25519_uint1 x64; + uint64_t x65; + fiat_25519_uint1 x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + fiat_25519_uint1 x70; + uint64_t x71; + fiat_25519_uint1 x72; + uint64_t x73; + fiat_25519_uint1 x74; + uint64_t x75; + fiat_25519_uint1 x76; + uint64_t x77; + fiat_25519_uint1 x78; + uint64_t x79; + fiat_25519_uint1 x80; + uint64_t x81; + fiat_25519_uint1 x82; + uint64_t x83; + fiat_25519_uint1 x84; + uint64_t x85; + fiat_25519_uint1 x86; + uint64_t x87; + fiat_25519_uint1 x88; + uint64_t x89; + fiat_25519_uint1 x90; + uint64_t x91; + fiat_25519_uint1 x92; + uint64_t x93; + fiat_25519_uint1 x94; + uint64_t x95; + fiat_25519_uint1 x96; + uint64_t x97; + 
fiat_25519_uint1 x98; + uint64_t x99; + fiat_25519_uint1 x100; + uint64_t x101; + fiat_25519_uint1 x102; + uint64_t x103; + fiat_25519_uint1 x104; + uint64_t x105; + fiat_25519_uint1 x106; + uint64_t x107; + fiat_25519_uint1 x108; + uint64_t x109; + fiat_25519_uint1 x110; + uint64_t x111; + fiat_25519_uint1 x112; + uint64_t x113; + fiat_25519_uint1 x114; + uint64_t x115; + fiat_25519_uint1 x116; + uint64_t x117; + fiat_25519_uint1 x118; + uint64_t x119; + fiat_25519_uint1 x120; + uint64_t x121; + fiat_25519_uint1 x122; + uint64_t x123; + fiat_25519_uint1 x124; + uint64_t x125; + fiat_25519_uint1 x126; + uint64_t x127; + fiat_25519_uint1 x128; + uint64_t x129; + fiat_25519_uint1 x130; + uint64_t x131; + fiat_25519_uint1 x132; + uint64_t x133; + fiat_25519_uint1 x134; + uint64_t x135; + uint64_t x136; + uint64_t x137; + uint64_t x138; + fiat_25519_uint1 x139; + uint64_t x140; + uint64_t x141; + uint64_t x142; + uint64_t x143; + fiat_25519_uint1 x144; + uint64_t x145; + uint64_t x146; + uint64_t x147; + uint64_t x148; + fiat_25519_uint1 x149; + uint64_t x150; + uint64_t x151; + uint64_t x152; + uint64_t x153; + uint64_t x154; + uint64_t x155; + uint64_t x156; + uint64_t x157; + fiat_25519_uint1 x158; + uint64_t x159; + uint64_t x160; + fiat_25519_mulx_u64(&x1, &x2, (arg1[4]), ((arg2[4]) * UINT8_C(0x13))); + fiat_25519_mulx_u64(&x3, &x4, (arg1[4]), ((arg2[3]) * UINT8_C(0x13))); + fiat_25519_mulx_u64(&x5, &x6, (arg1[4]), ((arg2[2]) * UINT8_C(0x13))); + fiat_25519_mulx_u64(&x7, &x8, (arg1[4]), ((arg2[1]) * UINT8_C(0x13))); + fiat_25519_mulx_u64(&x9, &x10, (arg1[3]), ((arg2[4]) * UINT8_C(0x13))); + fiat_25519_mulx_u64(&x11, &x12, (arg1[3]), ((arg2[3]) * UINT8_C(0x13))); + fiat_25519_mulx_u64(&x13, &x14, (arg1[3]), ((arg2[2]) * UINT8_C(0x13))); + fiat_25519_mulx_u64(&x15, &x16, (arg1[2]), ((arg2[4]) * UINT8_C(0x13))); + fiat_25519_mulx_u64(&x17, &x18, (arg1[2]), ((arg2[3]) * UINT8_C(0x13))); + fiat_25519_mulx_u64(&x19, &x20, (arg1[1]), ((arg2[4]) * UINT8_C(0x13))); + 
fiat_25519_mulx_u64(&x21, &x22, (arg1[4]), (arg2[0])); + fiat_25519_mulx_u64(&x23, &x24, (arg1[3]), (arg2[1])); + fiat_25519_mulx_u64(&x25, &x26, (arg1[3]), (arg2[0])); + fiat_25519_mulx_u64(&x27, &x28, (arg1[2]), (arg2[2])); + fiat_25519_mulx_u64(&x29, &x30, (arg1[2]), (arg2[1])); + fiat_25519_mulx_u64(&x31, &x32, (arg1[2]), (arg2[0])); + fiat_25519_mulx_u64(&x33, &x34, (arg1[1]), (arg2[3])); + fiat_25519_mulx_u64(&x35, &x36, (arg1[1]), (arg2[2])); + fiat_25519_mulx_u64(&x37, &x38, (arg1[1]), (arg2[1])); + fiat_25519_mulx_u64(&x39, &x40, (arg1[1]), (arg2[0])); + fiat_25519_mulx_u64(&x41, &x42, (arg1[0]), (arg2[4])); + fiat_25519_mulx_u64(&x43, &x44, (arg1[0]), (arg2[3])); + fiat_25519_mulx_u64(&x45, &x46, (arg1[0]), (arg2[2])); + fiat_25519_mulx_u64(&x47, &x48, (arg1[0]), (arg2[1])); + fiat_25519_mulx_u64(&x49, &x50, (arg1[0]), (arg2[0])); + fiat_25519_addcarryx_u64(&x51, &x52, 0x0, x13, x7); + fiat_25519_addcarryx_u64(&x53, &x54, x52, x14, x8); + fiat_25519_addcarryx_u64(&x55, &x56, 0x0, x17, x51); + fiat_25519_addcarryx_u64(&x57, &x58, x56, x18, x53); + fiat_25519_addcarryx_u64(&x59, &x60, 0x0, x19, x55); + fiat_25519_addcarryx_u64(&x61, &x62, x60, x20, x57); + fiat_25519_addcarryx_u64(&x63, &x64, 0x0, x49, x59); + fiat_25519_addcarryx_u64(&x65, &x66, x64, x50, x61); + x67 = ((x63 >> 51) | ((x65 << 13) & UINT64_C(0xffffffffffffffff))); + x68 = (x63 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x69, &x70, 0x0, x23, x21); + fiat_25519_addcarryx_u64(&x71, &x72, x70, x24, x22); + fiat_25519_addcarryx_u64(&x73, &x74, 0x0, x27, x69); + fiat_25519_addcarryx_u64(&x75, &x76, x74, x28, x71); + fiat_25519_addcarryx_u64(&x77, &x78, 0x0, x33, x73); + fiat_25519_addcarryx_u64(&x79, &x80, x78, x34, x75); + fiat_25519_addcarryx_u64(&x81, &x82, 0x0, x41, x77); + fiat_25519_addcarryx_u64(&x83, &x84, x82, x42, x79); + fiat_25519_addcarryx_u64(&x85, &x86, 0x0, x25, x1); + fiat_25519_addcarryx_u64(&x87, &x88, x86, x26, x2); + fiat_25519_addcarryx_u64(&x89, &x90, 0x0, 
x29, x85); + fiat_25519_addcarryx_u64(&x91, &x92, x90, x30, x87); + fiat_25519_addcarryx_u64(&x93, &x94, 0x0, x35, x89); + fiat_25519_addcarryx_u64(&x95, &x96, x94, x36, x91); + fiat_25519_addcarryx_u64(&x97, &x98, 0x0, x43, x93); + fiat_25519_addcarryx_u64(&x99, &x100, x98, x44, x95); + fiat_25519_addcarryx_u64(&x101, &x102, 0x0, x9, x3); + fiat_25519_addcarryx_u64(&x103, &x104, x102, x10, x4); + fiat_25519_addcarryx_u64(&x105, &x106, 0x0, x31, x101); + fiat_25519_addcarryx_u64(&x107, &x108, x106, x32, x103); + fiat_25519_addcarryx_u64(&x109, &x110, 0x0, x37, x105); + fiat_25519_addcarryx_u64(&x111, &x112, x110, x38, x107); + fiat_25519_addcarryx_u64(&x113, &x114, 0x0, x45, x109); + fiat_25519_addcarryx_u64(&x115, &x116, x114, x46, x111); + fiat_25519_addcarryx_u64(&x117, &x118, 0x0, x11, x5); + fiat_25519_addcarryx_u64(&x119, &x120, x118, x12, x6); + fiat_25519_addcarryx_u64(&x121, &x122, 0x0, x15, x117); + fiat_25519_addcarryx_u64(&x123, &x124, x122, x16, x119); + fiat_25519_addcarryx_u64(&x125, &x126, 0x0, x39, x121); + fiat_25519_addcarryx_u64(&x127, &x128, x126, x40, x123); + fiat_25519_addcarryx_u64(&x129, &x130, 0x0, x47, x125); + fiat_25519_addcarryx_u64(&x131, &x132, x130, x48, x127); + fiat_25519_addcarryx_u64(&x133, &x134, 0x0, x67, x129); + x135 = (x134 + x131); + x136 = ((x133 >> 51) | ((x135 << 13) & UINT64_C(0xffffffffffffffff))); + x137 = (x133 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x138, &x139, 0x0, x136, x113); + x140 = (x139 + x115); + x141 = ((x138 >> 51) | ((x140 << 13) & UINT64_C(0xffffffffffffffff))); + x142 = (x138 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x143, &x144, 0x0, x141, x97); + x145 = (x144 + x99); + x146 = ((x143 >> 51) | ((x145 << 13) & UINT64_C(0xffffffffffffffff))); + x147 = (x143 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x148, &x149, 0x0, x146, x81); + x150 = (x149 + x83); + x151 = ((x148 >> 51) | ((x150 << 13) & UINT64_C(0xffffffffffffffff))); + x152 = (x148 & 
UINT64_C(0x7ffffffffffff)); + x153 = (x151 * UINT8_C(0x13)); + x154 = (x68 + x153); + x155 = (x154 >> 51); + x156 = (x154 & UINT64_C(0x7ffffffffffff)); + x157 = (x155 + x137); + x158 = (fiat_25519_uint1)(x157 >> 51); + x159 = (x157 & UINT64_C(0x7ffffffffffff)); + x160 = (x158 + x142); + out1[0] = x156; + out1[1] = x159; + out1[2] = x160; + out1[3] = x147; + out1[4] = x152; +} + +/* + * The function fiat_25519_carry_square squares a field element and reduces the result. + * + * Postconditions: + * eval out1 mod m = (eval arg1 * eval arg1) mod m + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + fiat_25519_uint1 x40; + uint64_t x41; + fiat_25519_uint1 x42; + uint64_t x43; + fiat_25519_uint1 x44; + uint64_t x45; + fiat_25519_uint1 x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + fiat_25519_uint1 x50; + uint64_t x51; + fiat_25519_uint1 x52; + uint64_t x53; + fiat_25519_uint1 x54; + uint64_t x55; + fiat_25519_uint1 x56; + uint64_t x57; + fiat_25519_uint1 x58; + uint64_t x59; + fiat_25519_uint1 x60; + uint64_t x61; + fiat_25519_uint1 x62; + uint64_t x63; + fiat_25519_uint1 x64; + uint64_t x65; + fiat_25519_uint1 x66; + uint64_t x67; + fiat_25519_uint1 x68; + uint64_t x69; + fiat_25519_uint1 x70; + uint64_t x71; + fiat_25519_uint1 x72; + uint64_t x73; + 
fiat_25519_uint1 x74; + uint64_t x75; + fiat_25519_uint1 x76; + uint64_t x77; + fiat_25519_uint1 x78; + uint64_t x79; + fiat_25519_uint1 x80; + uint64_t x81; + fiat_25519_uint1 x82; + uint64_t x83; + uint64_t x84; + uint64_t x85; + uint64_t x86; + fiat_25519_uint1 x87; + uint64_t x88; + uint64_t x89; + uint64_t x90; + uint64_t x91; + fiat_25519_uint1 x92; + uint64_t x93; + uint64_t x94; + uint64_t x95; + uint64_t x96; + fiat_25519_uint1 x97; + uint64_t x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint64_t x103; + uint64_t x104; + uint64_t x105; + fiat_25519_uint1 x106; + uint64_t x107; + uint64_t x108; + x1 = ((arg1[4]) * UINT8_C(0x13)); + x2 = (x1 * 0x2); + x3 = ((arg1[4]) * 0x2); + x4 = ((arg1[3]) * UINT8_C(0x13)); + x5 = (x4 * 0x2); + x6 = ((arg1[3]) * 0x2); + x7 = ((arg1[2]) * 0x2); + x8 = ((arg1[1]) * 0x2); + fiat_25519_mulx_u64(&x9, &x10, (arg1[4]), x1); + fiat_25519_mulx_u64(&x11, &x12, (arg1[3]), x2); + fiat_25519_mulx_u64(&x13, &x14, (arg1[3]), x4); + fiat_25519_mulx_u64(&x15, &x16, (arg1[2]), x2); + fiat_25519_mulx_u64(&x17, &x18, (arg1[2]), x5); + fiat_25519_mulx_u64(&x19, &x20, (arg1[2]), (arg1[2])); + fiat_25519_mulx_u64(&x21, &x22, (arg1[1]), x2); + fiat_25519_mulx_u64(&x23, &x24, (arg1[1]), x6); + fiat_25519_mulx_u64(&x25, &x26, (arg1[1]), x7); + fiat_25519_mulx_u64(&x27, &x28, (arg1[1]), (arg1[1])); + fiat_25519_mulx_u64(&x29, &x30, (arg1[0]), x3); + fiat_25519_mulx_u64(&x31, &x32, (arg1[0]), x6); + fiat_25519_mulx_u64(&x33, &x34, (arg1[0]), x7); + fiat_25519_mulx_u64(&x35, &x36, (arg1[0]), x8); + fiat_25519_mulx_u64(&x37, &x38, (arg1[0]), (arg1[0])); + fiat_25519_addcarryx_u64(&x39, &x40, 0x0, x21, x17); + fiat_25519_addcarryx_u64(&x41, &x42, x40, x22, x18); + fiat_25519_addcarryx_u64(&x43, &x44, 0x0, x37, x39); + fiat_25519_addcarryx_u64(&x45, &x46, x44, x38, x41); + x47 = ((x43 >> 51) | ((x45 << 13) & UINT64_C(0xffffffffffffffff))); + x48 = (x43 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x49, &x50, 0x0, 
x23, x19); + fiat_25519_addcarryx_u64(&x51, &x52, x50, x24, x20); + fiat_25519_addcarryx_u64(&x53, &x54, 0x0, x29, x49); + fiat_25519_addcarryx_u64(&x55, &x56, x54, x30, x51); + fiat_25519_addcarryx_u64(&x57, &x58, 0x0, x25, x9); + fiat_25519_addcarryx_u64(&x59, &x60, x58, x26, x10); + fiat_25519_addcarryx_u64(&x61, &x62, 0x0, x31, x57); + fiat_25519_addcarryx_u64(&x63, &x64, x62, x32, x59); + fiat_25519_addcarryx_u64(&x65, &x66, 0x0, x27, x11); + fiat_25519_addcarryx_u64(&x67, &x68, x66, x28, x12); + fiat_25519_addcarryx_u64(&x69, &x70, 0x0, x33, x65); + fiat_25519_addcarryx_u64(&x71, &x72, x70, x34, x67); + fiat_25519_addcarryx_u64(&x73, &x74, 0x0, x15, x13); + fiat_25519_addcarryx_u64(&x75, &x76, x74, x16, x14); + fiat_25519_addcarryx_u64(&x77, &x78, 0x0, x35, x73); + fiat_25519_addcarryx_u64(&x79, &x80, x78, x36, x75); + fiat_25519_addcarryx_u64(&x81, &x82, 0x0, x47, x77); + x83 = (x82 + x79); + x84 = ((x81 >> 51) | ((x83 << 13) & UINT64_C(0xffffffffffffffff))); + x85 = (x81 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x86, &x87, 0x0, x84, x69); + x88 = (x87 + x71); + x89 = ((x86 >> 51) | ((x88 << 13) & UINT64_C(0xffffffffffffffff))); + x90 = (x86 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x91, &x92, 0x0, x89, x61); + x93 = (x92 + x63); + x94 = ((x91 >> 51) | ((x93 << 13) & UINT64_C(0xffffffffffffffff))); + x95 = (x91 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x96, &x97, 0x0, x94, x53); + x98 = (x97 + x55); + x99 = ((x96 >> 51) | ((x98 << 13) & UINT64_C(0xffffffffffffffff))); + x100 = (x96 & UINT64_C(0x7ffffffffffff)); + x101 = (x99 * UINT8_C(0x13)); + x102 = (x48 + x101); + x103 = (x102 >> 51); + x104 = (x102 & UINT64_C(0x7ffffffffffff)); + x105 = (x103 + x85); + x106 = (fiat_25519_uint1)(x105 >> 51); + x107 = (x105 & UINT64_C(0x7ffffffffffff)); + x108 = (x106 + x90); + out1[0] = x104; + out1[1] = x107; + out1[2] = x108; + out1[3] = x95; + out1[4] = x100; +} + +/* + * The function fiat_25519_carry reduces a field 
element. + * + * Postconditions: + * eval out1 mod m = eval arg1 mod m + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + x1 = (arg1[0]); + x2 = ((x1 >> 51) + (arg1[1])); + x3 = ((x2 >> 51) + (arg1[2])); + x4 = ((x3 >> 51) + (arg1[3])); + x5 = ((x4 >> 51) + (arg1[4])); + x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13))); + x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff))); + x8 = (x6 & UINT64_C(0x7ffffffffffff)); + x9 = (x7 & UINT64_C(0x7ffffffffffff)); + x10 = ((fiat_25519_uint1)(x7 >> 51) + (x3 & UINT64_C(0x7ffffffffffff))); + x11 = (x4 & UINT64_C(0x7ffffffffffff)); + x12 = (x5 & UINT64_C(0x7ffffffffffff)); + out1[0] = x8; + out1[1] = x9; + out1[2] = x10; + out1[3] = x11; + out1[4] = x12; +} + +/* + * The function fiat_25519_add adds two field elements. + * + * Postconditions: + * eval out1 mod m = (eval arg1 + eval arg2) mod m + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = ((arg1[0]) + (arg2[0])); + x2 = ((arg1[1]) + (arg2[1])); + x3 = ((arg1[2]) + (arg2[2])); + x4 = ((arg1[3]) + (arg2[3])); + x5 = ((arg1[4]) + (arg2[4])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; +} + +/* + * The function fiat_25519_sub subtracts two field elements. 
+ * + * Postconditions: + * eval out1 mod m = (eval arg1 - eval arg2) mod m + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0])); + x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1])); + x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2])); + x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3])); + x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; +} + +/* + * The function fiat_25519_opp negates a field element. + * + * Postconditions: + * eval out1 mod m = -eval arg1 mod m + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = (UINT64_C(0xfffffffffffda) - (arg1[0])); + x2 = (UINT64_C(0xffffffffffffe) - (arg1[1])); + x3 = (UINT64_C(0xffffffffffffe) - (arg1[2])); + x4 = (UINT64_C(0xffffffffffffe) - (arg1[3])); + x5 = (UINT64_C(0xffffffffffffe) - (arg1[4])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; +} + +/* + * The function fiat_25519_selectznz is a multi-limb conditional select. 
+ * + * Postconditions: + * out1 = (if arg1 = 0 then arg2 else arg3) + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); + fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); + fiat_25519_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; +} + +/* + * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. 
+ * + * Postconditions: + * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] + * + * Output Bounds: + * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) { + uint64_t x1; + fiat_25519_uint1 x2; + uint64_t x3; + fiat_25519_uint1 x4; + uint64_t x5; + fiat_25519_uint1 x6; + uint64_t x7; + fiat_25519_uint1 x8; + uint64_t x9; + fiat_25519_uint1 x10; + uint64_t x11; + uint64_t x12; + fiat_25519_uint1 x13; + uint64_t x14; + fiat_25519_uint1 x15; + uint64_t x16; + fiat_25519_uint1 x17; + uint64_t x18; + fiat_25519_uint1 x19; + uint64_t x20; + fiat_25519_uint1 x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint8_t x26; + uint64_t x27; + uint8_t x28; + uint64_t x29; + uint8_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint8_t x34; + uint64_t x35; + uint8_t x36; + uint8_t x37; + uint64_t x38; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; + uint64_t x46; + uint8_t x47; + uint64_t x48; + uint8_t x49; + uint8_t x50; + uint64_t x51; + uint8_t x52; + uint64_t x53; + uint8_t x54; + uint64_t x55; + uint8_t x56; + uint64_t x57; + uint8_t x58; + uint64_t x59; + uint8_t x60; + uint64_t x61; + uint8_t x62; + uint64_t x63; + uint8_t x64; + fiat_25519_uint1 x65; + uint64_t x66; + uint8_t x67; + uint64_t x68; + uint8_t x69; + uint64_t x70; + uint8_t x71; + uint64_t x72; + uint8_t x73; + uint64_t x74; + uint8_t x75; 
+ uint64_t x76; + uint8_t x77; + uint8_t x78; + uint64_t x79; + uint8_t x80; + uint64_t x81; + uint8_t x82; + uint64_t x83; + uint8_t x84; + uint64_t x85; + uint8_t x86; + uint64_t x87; + uint8_t x88; + uint64_t x89; + uint8_t x90; + uint8_t x91; + fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed)); + fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff)); + fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff)); + fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff)); + fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff)); + fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & UINT64_C(0x7ffffffffffed))); + fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff))); + fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff))); + fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff))); + fiat_25519_addcarryx_u51(&x20, &x21, x19, x9, (x11 & UINT64_C(0x7ffffffffffff))); + x22 = (x20 << 4); + x23 = (x18 * (uint64_t)0x2); + x24 = (x16 << 6); + x25 = (x14 << 3); + x26 = (uint8_t)(x12 & UINT8_C(0xff)); + x27 = (x12 >> 8); + x28 = (uint8_t)(x27 & UINT8_C(0xff)); + x29 = (x27 >> 8); + x30 = (uint8_t)(x29 & UINT8_C(0xff)); + x31 = (x29 >> 8); + x32 = (uint8_t)(x31 & UINT8_C(0xff)); + x33 = (x31 >> 8); + x34 = (uint8_t)(x33 & UINT8_C(0xff)); + x35 = (x33 >> 8); + x36 = (uint8_t)(x35 & UINT8_C(0xff)); + x37 = (uint8_t)(x35 >> 8); + x38 = (x25 + (uint64_t)x37); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (x44 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 
>> 8); + x51 = (x24 + (uint64_t)x50); + x52 = (uint8_t)(x51 & UINT8_C(0xff)); + x53 = (x51 >> 8); + x54 = (uint8_t)(x53 & UINT8_C(0xff)); + x55 = (x53 >> 8); + x56 = (uint8_t)(x55 & UINT8_C(0xff)); + x57 = (x55 >> 8); + x58 = (uint8_t)(x57 & UINT8_C(0xff)); + x59 = (x57 >> 8); + x60 = (uint8_t)(x59 & UINT8_C(0xff)); + x61 = (x59 >> 8); + x62 = (uint8_t)(x61 & UINT8_C(0xff)); + x63 = (x61 >> 8); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (fiat_25519_uint1)(x63 >> 8); + x66 = (x23 + (uint64_t)x65); + x67 = (uint8_t)(x66 & UINT8_C(0xff)); + x68 = (x66 >> 8); + x69 = (uint8_t)(x68 & UINT8_C(0xff)); + x70 = (x68 >> 8); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (x72 >> 8); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); + x76 = (x74 >> 8); + x77 = (uint8_t)(x76 & UINT8_C(0xff)); + x78 = (uint8_t)(x76 >> 8); + x79 = (x22 + (uint64_t)x78); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); + x81 = (x79 >> 8); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); + x83 = (x81 >> 8); + x84 = (uint8_t)(x83 & UINT8_C(0xff)); + x85 = (x83 >> 8); + x86 = (uint8_t)(x85 & UINT8_C(0xff)); + x87 = (x85 >> 8); + x88 = (uint8_t)(x87 & UINT8_C(0xff)); + x89 = (x87 >> 8); + x90 = (uint8_t)(x89 & UINT8_C(0xff)); + x91 = (uint8_t)(x89 >> 8); + out1[0] = x26; + out1[1] = x28; + out1[2] = x30; + out1[3] = x32; + out1[4] = x34; + out1[5] = x36; + out1[6] = x39; + out1[7] = x41; + out1[8] = x43; + out1[9] = x45; + out1[10] = x47; + out1[11] = x49; + out1[12] = x52; + out1[13] = x54; + out1[14] = x56; + out1[15] = x58; + out1[16] = x60; + out1[17] = x62; + out1[18] = x64; + out1[19] = x67; + out1[20] = x69; + out1[21] = x71; + out1[22] = x73; + out1[23] = x75; + out1[24] = x77; + out1[25] = x80; + out1[26] = x82; + out1[27] = x84; + out1[28] = x86; + out1[29] = x88; + out1[30] = x90; + out1[31] = x91; +} + +/* + * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. 
+ * + * Postconditions: + * eval out1 mod m = bytes_eval arg1 mod m + * + * Input Bounds: + * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint8_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint8_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint8_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint8_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; + x1 = ((uint64_t)(arg1[31]) << 44); + x2 = ((uint64_t)(arg1[30]) << 36); + x3 = ((uint64_t)(arg1[29]) << 28); + x4 = ((uint64_t)(arg1[28]) << 20); + x5 = 
((uint64_t)(arg1[27]) << 12); + x6 = ((uint64_t)(arg1[26]) << 4); + x7 = ((uint64_t)(arg1[25]) << 47); + x8 = ((uint64_t)(arg1[24]) << 39); + x9 = ((uint64_t)(arg1[23]) << 31); + x10 = ((uint64_t)(arg1[22]) << 23); + x11 = ((uint64_t)(arg1[21]) << 15); + x12 = ((uint64_t)(arg1[20]) << 7); + x13 = ((uint64_t)(arg1[19]) << 50); + x14 = ((uint64_t)(arg1[18]) << 42); + x15 = ((uint64_t)(arg1[17]) << 34); + x16 = ((uint64_t)(arg1[16]) << 26); + x17 = ((uint64_t)(arg1[15]) << 18); + x18 = ((uint64_t)(arg1[14]) << 10); + x19 = ((uint64_t)(arg1[13]) << 2); + x20 = ((uint64_t)(arg1[12]) << 45); + x21 = ((uint64_t)(arg1[11]) << 37); + x22 = ((uint64_t)(arg1[10]) << 29); + x23 = ((uint64_t)(arg1[9]) << 21); + x24 = ((uint64_t)(arg1[8]) << 13); + x25 = ((uint64_t)(arg1[7]) << 5); + x26 = ((uint64_t)(arg1[6]) << 48); + x27 = ((uint64_t)(arg1[5]) << 40); + x28 = ((uint64_t)(arg1[4]) << 32); + x29 = ((uint64_t)(arg1[3]) << 24); + x30 = ((uint64_t)(arg1[2]) << 16); + x31 = ((uint64_t)(arg1[1]) << 8); + x32 = (arg1[0]); + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x38 & UINT64_C(0x7ffffffffffff)); + x40 = (uint8_t)(x38 >> 51); + x41 = (x25 + (uint64_t)x40); + x42 = (x24 + x41); + x43 = (x23 + x42); + x44 = (x22 + x43); + x45 = (x21 + x44); + x46 = (x20 + x45); + x47 = (x46 & UINT64_C(0x7ffffffffffff)); + x48 = (uint8_t)(x46 >> 51); + x49 = (x19 + (uint64_t)x48); + x50 = (x18 + x49); + x51 = (x17 + x50); + x52 = (x16 + x51); + x53 = (x15 + x52); + x54 = (x14 + x53); + x55 = (x13 + x54); + x56 = (x55 & UINT64_C(0x7ffffffffffff)); + x57 = (uint8_t)(x55 >> 51); + x58 = (x12 + (uint64_t)x57); + x59 = (x11 + x58); + x60 = (x10 + x59); + x61 = (x9 + x60); + x62 = (x8 + x61); + x63 = (x7 + x62); + x64 = (x63 & UINT64_C(0x7ffffffffffff)); + x65 = (uint8_t)(x63 >> 51); + x66 = (x6 + (uint64_t)x65); + x67 = (x5 + x66); + x68 = (x4 + x67); + x69 = (x3 + x68); + x70 = (x2 + x69); + x71 = (x1 + 
x70); + out1[0] = x39; + out1[1] = x47; + out1[2] = x56; + out1[3] = x64; + out1[4] = x71; +} + +/* + * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements. + * + * Postconditions: + * out1 = arg1 + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = (arg1[0]); + x2 = (arg1[1]); + x3 = (arg1[2]); + x4 = (arg1[3]); + x5 = (arg1[4]); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; +} + +/* + * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. + * + * Postconditions: + * eval out1 mod m = (121666 * eval arg1) mod m + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + fiat_25519_uint1 x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + fiat_25519_uint1 x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + fiat_25519_uint1 x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + fiat_25519_uint1 x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + uint64_t x34; + fiat_25519_uint1 x35; + uint64_t x36; + uint64_t x37; + fiat_25519_uint1 x38; + uint64_t x39; + uint64_t x40; + fiat_25519_mulx_u64(&x1, &x2, UINT32_C(0x1db42), (arg1[4])); + fiat_25519_mulx_u64(&x3, &x4, UINT32_C(0x1db42), (arg1[3])); + fiat_25519_mulx_u64(&x5, &x6, UINT32_C(0x1db42), (arg1[2])); + fiat_25519_mulx_u64(&x7, &x8, UINT32_C(0x1db42), (arg1[1])); + fiat_25519_mulx_u64(&x9, &x10, UINT32_C(0x1db42), (arg1[0])); + x11 = 
((x9 >> 51) | ((x10 << 13) & UINT64_C(0xffffffffffffffff))); + x12 = (x9 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x13, &x14, 0x0, x11, x7); + x15 = (x14 + x8); + x16 = ((x13 >> 51) | ((x15 << 13) & UINT64_C(0xffffffffffffffff))); + x17 = (x13 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x18, &x19, 0x0, x16, x5); + x20 = (x19 + x6); + x21 = ((x18 >> 51) | ((x20 << 13) & UINT64_C(0xffffffffffffffff))); + x22 = (x18 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x23, &x24, 0x0, x21, x3); + x25 = (x24 + x4); + x26 = ((x23 >> 51) | ((x25 << 13) & UINT64_C(0xffffffffffffffff))); + x27 = (x23 & UINT64_C(0x7ffffffffffff)); + fiat_25519_addcarryx_u64(&x28, &x29, 0x0, x26, x1); + x30 = (x29 + x2); + x31 = ((x28 >> 51) | ((x30 << 13) & UINT64_C(0xffffffffffffffff))); + x32 = (x28 & UINT64_C(0x7ffffffffffff)); + x33 = (x31 * UINT8_C(0x13)); + x34 = (x12 + x33); + x35 = (fiat_25519_uint1)(x34 >> 51); + x36 = (x34 & UINT64_C(0x7ffffffffffff)); + x37 = (x35 + x17); + x38 = (fiat_25519_uint1)(x37 >> 51); + x39 = (x37 & UINT64_C(0x7ffffffffffff)); + x40 = (x38 + x22); + out1[0] = x36; + out1[1] = x39; + out1[2] = x40; + out1[3] = x27; + out1[4] = x32; +} diff --git a/src/third_party/fiat/p256_64_msvc.h b/src/third_party/fiat/p256_64_msvc.h new file mode 100644 index 00000000..8b65a373 --- /dev/null +++ b/src/third_party/fiat/p256_64_msvc.h 
@@ -0,0 +1,2002 @@ +/* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier --no-wide-int p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */ +/* curve description: p256 */ +/* machine_wordsize = 64 (from "64") */ +/* requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp */ +/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") */ +/* */ +/* NOTE: In addition to the bounds specified above each function, all */ +/* functions synthesized for this Montgomery arithmetic require the */ +/* input to be strictly less than the prime modulus (m), and also */ +/* require the input to be in the unique saturated representation. */ +/* All functions also ensure that these two properties are true of */ +/* return values. 
*/ +/* */ +/* Computed values: */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ + +#include <stdint.h> +#include <intrin.h> +#if defined(_M_X64) +#include <immintrin.h> +#endif + +typedef unsigned char fiat_p256_uint1; +typedef signed char fiat_p256_int1; + +#define FIAT_P256_FIAT_INLINE inline + +/* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */ +/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ +typedef uint64_t fiat_p256_montgomery_domain_field_element[4]; + +/* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */ +/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ +typedef uint64_t fiat_p256_non_montgomery_domain_field_element[4]; + +#if (-1 & 3) != 3 +#error "This code only works on a two's complement system" +#endif + +#define fiat_p256_value_barrier_u64(x) (x) + + +/* + * The function fiat_p256_addcarryx_u64 is an addition with carry. 
+ * + * Postconditions: + * out1 = (arg1 + arg2 + arg3) mod 2^64 + * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0x1] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { +#if defined(_M_X64) + *out2 = _addcarry_u64(arg1, arg2, arg3, out1); +#else + arg2 += arg1; + arg1 = arg2 < arg1; + arg3 += arg2; + arg1 += arg3 < arg2; + *out1 = arg3; + *out2 = arg1; +#endif +} + +/* + * The function fiat_p256_subborrowx_u64 is a subtraction with borrow. + * + * Postconditions: + * out1 = (-arg1 + arg2 + -arg3) mod 2^64 + * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0x1] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { +#if defined(_M_X64) + *out2 = _subborrow_u64(arg1, arg2, arg3, out1); // NOTE: edited after generation +#else + *out1 = arg2 - arg3 - arg1; + *out2 = (arg2 < arg3) | ((arg2 == arg3) & arg1); +#endif +} + +/* + * The function fiat_p256_mulx_u64 is a multiplication, returning the full double-width result. 
+ * + * Postconditions: + * out1 = (arg1 * arg2) mod 2^64 + * out2 = ⌊arg1 * arg2 / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0xffffffffffffffff] + * arg2: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0xffffffffffffffff] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { +// NOTE: edited after generation +#if defined(_M_X64) + *out1 = _umul128(arg1, arg2, out2); +#elif defined(_M_ARM64) + *out1 = arg1 * arg2; + *out2 = __umulh(arg1, arg2); +#else +#error "This file is intended for MSVC on X64 or ARM64" +#endif +} + +/* + * The function fiat_p256_cmovznz_u64 is a single-word conditional move. + * + * Postconditions: + * out1 = (if arg1 = 0 then arg2 else arg3) + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_p256_uint1 x1; + uint64_t x2; + uint64_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_p256_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); + x3 = ((fiat_p256_value_barrier_u64(x2) & arg3) | (fiat_p256_value_barrier_u64((~x2)) & arg2)); + *out1 = x3; +} + +/* + * The function fiat_p256_mul multiplies two field elements in the Montgomery domain. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * 0 ≤ eval arg2 < m + * Postconditions: + * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + fiat_p256_uint1 x14; + uint64_t x15; + fiat_p256_uint1 x16; + uint64_t x17; + fiat_p256_uint1 x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + fiat_p256_uint1 x27; + uint64_t x28; + uint64_t x29; + fiat_p256_uint1 x30; + uint64_t x31; + fiat_p256_uint1 x32; + uint64_t x33; + fiat_p256_uint1 x34; + uint64_t x35; + fiat_p256_uint1 x36; + uint64_t x37; + fiat_p256_uint1 x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + fiat_p256_uint1 x48; + uint64_t x49; + fiat_p256_uint1 x50; + uint64_t x51; + fiat_p256_uint1 x52; + uint64_t x53; + uint64_t x54; + fiat_p256_uint1 x55; + uint64_t x56; + fiat_p256_uint1 x57; + uint64_t x58; + fiat_p256_uint1 x59; + uint64_t x60; + fiat_p256_uint1 x61; + uint64_t x62; + fiat_p256_uint1 x63; + uint64_t x64; + uint64_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + fiat_p256_uint1 x71; + uint64_t x72; + uint64_t x73; + fiat_p256_uint1 x74; + uint64_t x75; + fiat_p256_uint1 x76; + uint64_t x77; + fiat_p256_uint1 x78; + uint64_t x79; + fiat_p256_uint1 x80; + uint64_t x81; + fiat_p256_uint1 x82; + uint64_t x83; + uint64_t x84; + uint64_t x85; + uint64_t x86; + uint64_t x87; + uint64_t x88; + 
uint64_t x89; + uint64_t x90; + uint64_t x91; + uint64_t x92; + fiat_p256_uint1 x93; + uint64_t x94; + fiat_p256_uint1 x95; + uint64_t x96; + fiat_p256_uint1 x97; + uint64_t x98; + uint64_t x99; + fiat_p256_uint1 x100; + uint64_t x101; + fiat_p256_uint1 x102; + uint64_t x103; + fiat_p256_uint1 x104; + uint64_t x105; + fiat_p256_uint1 x106; + uint64_t x107; + fiat_p256_uint1 x108; + uint64_t x109; + uint64_t x110; + uint64_t x111; + uint64_t x112; + uint64_t x113; + uint64_t x114; + uint64_t x115; + fiat_p256_uint1 x116; + uint64_t x117; + uint64_t x118; + fiat_p256_uint1 x119; + uint64_t x120; + fiat_p256_uint1 x121; + uint64_t x122; + fiat_p256_uint1 x123; + uint64_t x124; + fiat_p256_uint1 x125; + uint64_t x126; + fiat_p256_uint1 x127; + uint64_t x128; + uint64_t x129; + uint64_t x130; + uint64_t x131; + uint64_t x132; + uint64_t x133; + uint64_t x134; + uint64_t x135; + uint64_t x136; + uint64_t x137; + fiat_p256_uint1 x138; + uint64_t x139; + fiat_p256_uint1 x140; + uint64_t x141; + fiat_p256_uint1 x142; + uint64_t x143; + uint64_t x144; + fiat_p256_uint1 x145; + uint64_t x146; + fiat_p256_uint1 x147; + uint64_t x148; + fiat_p256_uint1 x149; + uint64_t x150; + fiat_p256_uint1 x151; + uint64_t x152; + fiat_p256_uint1 x153; + uint64_t x154; + uint64_t x155; + uint64_t x156; + uint64_t x157; + uint64_t x158; + uint64_t x159; + uint64_t x160; + fiat_p256_uint1 x161; + uint64_t x162; + uint64_t x163; + fiat_p256_uint1 x164; + uint64_t x165; + fiat_p256_uint1 x166; + uint64_t x167; + fiat_p256_uint1 x168; + uint64_t x169; + fiat_p256_uint1 x170; + uint64_t x171; + fiat_p256_uint1 x172; + uint64_t x173; + uint64_t x174; + fiat_p256_uint1 x175; + uint64_t x176; + fiat_p256_uint1 x177; + uint64_t x178; + fiat_p256_uint1 x179; + uint64_t x180; + fiat_p256_uint1 x181; + uint64_t x182; + fiat_p256_uint1 x183; + uint64_t x184; + uint64_t x185; + uint64_t x186; + uint64_t x187; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[0]); + fiat_p256_mulx_u64(&x5, 
&x6, x4, (arg2[3])); + fiat_p256_mulx_u64(&x7, &x8, x4, (arg2[2])); + fiat_p256_mulx_u64(&x9, &x10, x4, (arg2[1])); + fiat_p256_mulx_u64(&x11, &x12, x4, (arg2[0])); + fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); + fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); + fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); + x19 = (x18 + x6); + fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22); + x28 = (x27 + x23); + fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24); + fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28); + fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20); + fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21); + fiat_p256_mulx_u64(&x39, &x40, x1, (arg2[3])); + fiat_p256_mulx_u64(&x41, &x42, x1, (arg2[2])); + fiat_p256_mulx_u64(&x43, &x44, x1, (arg2[1])); + fiat_p256_mulx_u64(&x45, &x46, x1, (arg2[0])); + fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43); + fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41); + fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39); + x53 = (x52 + x40); + fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45); + fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47); + fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49); + fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51); + fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53); + fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66); + x72 = (x71 + x67); + fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68); + fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70); + fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72); + 
fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64); + fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65); + x83 = ((uint64_t)x82 + x63); + fiat_p256_mulx_u64(&x84, &x85, x2, (arg2[3])); + fiat_p256_mulx_u64(&x86, &x87, x2, (arg2[2])); + fiat_p256_mulx_u64(&x88, &x89, x2, (arg2[1])); + fiat_p256_mulx_u64(&x90, &x91, x2, (arg2[0])); + fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88); + fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86); + fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84); + x98 = (x97 + x85); + fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90); + fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92); + fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94); + fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96); + fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98); + fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111); + x117 = (x116 + x112); + fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113); + fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115); + fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117); + fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109); + fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110); + x128 = ((uint64_t)x127 + x108); + fiat_p256_mulx_u64(&x129, &x130, x3, (arg2[3])); + fiat_p256_mulx_u64(&x131, &x132, x3, (arg2[2])); + fiat_p256_mulx_u64(&x133, &x134, x3, (arg2[1])); + fiat_p256_mulx_u64(&x135, &x136, x3, (arg2[0])); + fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133); + fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131); + fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129); + x143 = (x142 + x130); + fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135); + fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137); + fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139); + 
fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141); + fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143); + fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156); + x162 = (x161 + x157); + fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158); + fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160); + fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162); + fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154); + fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155); + x173 = ((uint64_t)x172 + x153); + fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0); + fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0); + fiat_p256_cmovznz_u64(&x184, x183, x174, x165); + fiat_p256_cmovznz_u64(&x185, x183, x176, x167); + fiat_p256_cmovznz_u64(&x186, x183, x178, x169); + fiat_p256_cmovznz_u64(&x187, x183, x180, x171); + out1[0] = x184; + out1[1] = x185; + out1[2] = x186; + out1[3] = x187; +} + +/* + * The function fiat_p256_square squares a field element in the Montgomery domain. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + fiat_p256_uint1 x14; + uint64_t x15; + fiat_p256_uint1 x16; + uint64_t x17; + fiat_p256_uint1 x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + fiat_p256_uint1 x27; + uint64_t x28; + uint64_t x29; + fiat_p256_uint1 x30; + uint64_t x31; + fiat_p256_uint1 x32; + uint64_t x33; + fiat_p256_uint1 x34; + uint64_t x35; + fiat_p256_uint1 x36; + uint64_t x37; + fiat_p256_uint1 x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + fiat_p256_uint1 x48; + uint64_t x49; + fiat_p256_uint1 x50; + uint64_t x51; + fiat_p256_uint1 x52; + uint64_t x53; + uint64_t x54; + fiat_p256_uint1 x55; + uint64_t x56; + fiat_p256_uint1 x57; + uint64_t x58; + fiat_p256_uint1 x59; + uint64_t x60; + fiat_p256_uint1 x61; + uint64_t x62; + fiat_p256_uint1 x63; + uint64_t x64; + uint64_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + fiat_p256_uint1 x71; + uint64_t x72; + uint64_t x73; + fiat_p256_uint1 x74; + uint64_t x75; + fiat_p256_uint1 x76; + uint64_t x77; + fiat_p256_uint1 x78; + uint64_t x79; + fiat_p256_uint1 x80; + uint64_t x81; + fiat_p256_uint1 x82; + uint64_t x83; + uint64_t x84; + uint64_t x85; + uint64_t x86; + uint64_t x87; + uint64_t x88; + uint64_t x89; + uint64_t x90; + uint64_t x91; + uint64_t x92; + fiat_p256_uint1 
x93; + uint64_t x94; + fiat_p256_uint1 x95; + uint64_t x96; + fiat_p256_uint1 x97; + uint64_t x98; + uint64_t x99; + fiat_p256_uint1 x100; + uint64_t x101; + fiat_p256_uint1 x102; + uint64_t x103; + fiat_p256_uint1 x104; + uint64_t x105; + fiat_p256_uint1 x106; + uint64_t x107; + fiat_p256_uint1 x108; + uint64_t x109; + uint64_t x110; + uint64_t x111; + uint64_t x112; + uint64_t x113; + uint64_t x114; + uint64_t x115; + fiat_p256_uint1 x116; + uint64_t x117; + uint64_t x118; + fiat_p256_uint1 x119; + uint64_t x120; + fiat_p256_uint1 x121; + uint64_t x122; + fiat_p256_uint1 x123; + uint64_t x124; + fiat_p256_uint1 x125; + uint64_t x126; + fiat_p256_uint1 x127; + uint64_t x128; + uint64_t x129; + uint64_t x130; + uint64_t x131; + uint64_t x132; + uint64_t x133; + uint64_t x134; + uint64_t x135; + uint64_t x136; + uint64_t x137; + fiat_p256_uint1 x138; + uint64_t x139; + fiat_p256_uint1 x140; + uint64_t x141; + fiat_p256_uint1 x142; + uint64_t x143; + uint64_t x144; + fiat_p256_uint1 x145; + uint64_t x146; + fiat_p256_uint1 x147; + uint64_t x148; + fiat_p256_uint1 x149; + uint64_t x150; + fiat_p256_uint1 x151; + uint64_t x152; + fiat_p256_uint1 x153; + uint64_t x154; + uint64_t x155; + uint64_t x156; + uint64_t x157; + uint64_t x158; + uint64_t x159; + uint64_t x160; + fiat_p256_uint1 x161; + uint64_t x162; + uint64_t x163; + fiat_p256_uint1 x164; + uint64_t x165; + fiat_p256_uint1 x166; + uint64_t x167; + fiat_p256_uint1 x168; + uint64_t x169; + fiat_p256_uint1 x170; + uint64_t x171; + fiat_p256_uint1 x172; + uint64_t x173; + uint64_t x174; + fiat_p256_uint1 x175; + uint64_t x176; + fiat_p256_uint1 x177; + uint64_t x178; + fiat_p256_uint1 x179; + uint64_t x180; + fiat_p256_uint1 x181; + uint64_t x182; + fiat_p256_uint1 x183; + uint64_t x184; + uint64_t x185; + uint64_t x186; + uint64_t x187; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[0]); + fiat_p256_mulx_u64(&x5, &x6, x4, (arg1[3])); + fiat_p256_mulx_u64(&x7, &x8, x4, (arg1[2])); + 
fiat_p256_mulx_u64(&x9, &x10, x4, (arg1[1])); + fiat_p256_mulx_u64(&x11, &x12, x4, (arg1[0])); + fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); + fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); + fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); + x19 = (x18 + x6); + fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22); + x28 = (x27 + x23); + fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24); + fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28); + fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20); + fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21); + fiat_p256_mulx_u64(&x39, &x40, x1, (arg1[3])); + fiat_p256_mulx_u64(&x41, &x42, x1, (arg1[2])); + fiat_p256_mulx_u64(&x43, &x44, x1, (arg1[1])); + fiat_p256_mulx_u64(&x45, &x46, x1, (arg1[0])); + fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43); + fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41); + fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39); + x53 = (x52 + x40); + fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45); + fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47); + fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49); + fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51); + fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53); + fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66); + x72 = (x71 + x67); + fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68); + fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70); + fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72); + fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64); + fiat_p256_addcarryx_u64(&x81, &x82, x80, 
x62, x65); + x83 = ((uint64_t)x82 + x63); + fiat_p256_mulx_u64(&x84, &x85, x2, (arg1[3])); + fiat_p256_mulx_u64(&x86, &x87, x2, (arg1[2])); + fiat_p256_mulx_u64(&x88, &x89, x2, (arg1[1])); + fiat_p256_mulx_u64(&x90, &x91, x2, (arg1[0])); + fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88); + fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86); + fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84); + x98 = (x97 + x85); + fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90); + fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92); + fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94); + fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96); + fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98); + fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111); + x117 = (x116 + x112); + fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113); + fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115); + fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117); + fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109); + fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110); + x128 = ((uint64_t)x127 + x108); + fiat_p256_mulx_u64(&x129, &x130, x3, (arg1[3])); + fiat_p256_mulx_u64(&x131, &x132, x3, (arg1[2])); + fiat_p256_mulx_u64(&x133, &x134, x3, (arg1[1])); + fiat_p256_mulx_u64(&x135, &x136, x3, (arg1[0])); + fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133); + fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131); + fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129); + x143 = (x142 + x130); + fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135); + fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137); + fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139); + fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141); + fiat_p256_addcarryx_u64(&x152, &x153, 
x151, x128, x143); + fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156); + x162 = (x161 + x157); + fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158); + fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160); + fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162); + fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154); + fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155); + x173 = ((uint64_t)x172 + x153); + fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0); + fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0); + fiat_p256_cmovznz_u64(&x184, x183, x174, x165); + fiat_p256_cmovznz_u64(&x185, x183, x176, x167); + fiat_p256_cmovznz_u64(&x186, x183, x178, x169); + fiat_p256_cmovznz_u64(&x187, x183, x180, x171); + out1[0] = x184; + out1[1] = x185; + out1[2] = x186; + out1[3] = x187; +} + +/* + * The function fiat_p256_add adds two field elements in the Montgomery domain. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * 0 ≤ eval arg2 < m + * Postconditions: + * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { + uint64_t x1; + fiat_p256_uint1 x2; + uint64_t x3; + fiat_p256_uint1 x4; + uint64_t x5; + fiat_p256_uint1 x6; + uint64_t x7; + fiat_p256_uint1 x8; + uint64_t x9; + fiat_p256_uint1 x10; + uint64_t x11; + fiat_p256_uint1 x12; + uint64_t x13; + fiat_p256_uint1 x14; + uint64_t x15; + fiat_p256_uint1 x16; + uint64_t x17; + fiat_p256_uint1 x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_p256_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_p256_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); + fiat_p256_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_p256_subborrowx_u64(&x9, &x10, 0x0, x1, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x11, &x12, x10, x3, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x13, &x14, x12, x5, 0x0); + fiat_p256_subborrowx_u64(&x15, &x16, x14, x7, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x17, &x18, x16, x8, 0x0); + fiat_p256_cmovznz_u64(&x19, x18, x9, x1); + fiat_p256_cmovznz_u64(&x20, x18, x11, x3); + fiat_p256_cmovznz_u64(&x21, x18, x13, x5); + fiat_p256_cmovznz_u64(&x22, x18, x15, x7); + out1[0] = x19; + out1[1] = x20; + out1[2] = x21; + out1[3] = x22; +} + +/* + * The function fiat_p256_sub subtracts two field elements in the Montgomery domain. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * 0 ≤ eval arg2 < m + * Postconditions: + * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { + uint64_t x1; + fiat_p256_uint1 x2; + uint64_t x3; + fiat_p256_uint1 x4; + uint64_t x5; + fiat_p256_uint1 x6; + uint64_t x7; + fiat_p256_uint1 x8; + uint64_t x9; + uint64_t x10; + fiat_p256_uint1 x11; + uint64_t x12; + fiat_p256_uint1 x13; + uint64_t x14; + fiat_p256_uint1 x15; + uint64_t x16; + fiat_p256_uint1 x17; + fiat_p256_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_p256_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_p256_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); + fiat_p256_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9); + fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff))); + fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0); + fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001))); + out1[0] = x10; + out1[1] = x12; + out1[2] = x14; + out1[3] = x16; +} + +/* + * The function fiat_p256_opp negates a field element in the Montgomery domain. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint64_t x1; + fiat_p256_uint1 x2; + uint64_t x3; + fiat_p256_uint1 x4; + uint64_t x5; + fiat_p256_uint1 x6; + uint64_t x7; + fiat_p256_uint1 x8; + uint64_t x9; + uint64_t x10; + fiat_p256_uint1 x11; + uint64_t x12; + fiat_p256_uint1 x13; + uint64_t x14; + fiat_p256_uint1 x15; + uint64_t x16; + fiat_p256_uint1 x17; + fiat_p256_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0])); + fiat_p256_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1])); + fiat_p256_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2])); + fiat_p256_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3])); + fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9); + fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff))); + fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0); + fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001))); + out1[0] = x10; + out1[1] = x12; + out1[2] = x14; + out1[3] = x16; +} + +/* + * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + fiat_p256_uint1 x9; + uint64_t x10; + fiat_p256_uint1 x11; + uint64_t x12; + fiat_p256_uint1 x13; + uint64_t x14; + fiat_p256_uint1 x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + fiat_p256_uint1 x23; + uint64_t x24; + fiat_p256_uint1 x25; + uint64_t x26; + fiat_p256_uint1 x27; + uint64_t x28; + fiat_p256_uint1 x29; + uint64_t x30; + fiat_p256_uint1 x31; + uint64_t x32; + fiat_p256_uint1 x33; + uint64_t x34; + fiat_p256_uint1 x35; + uint64_t x36; + fiat_p256_uint1 x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + fiat_p256_uint1 x45; + uint64_t x46; + fiat_p256_uint1 x47; + uint64_t x48; + fiat_p256_uint1 x49; + uint64_t x50; + fiat_p256_uint1 x51; + uint64_t x52; + fiat_p256_uint1 x53; + uint64_t x54; + fiat_p256_uint1 x55; + uint64_t x56; + fiat_p256_uint1 x57; + uint64_t x58; + fiat_p256_uint1 x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint64_t x65; + uint64_t x66; + fiat_p256_uint1 x67; + uint64_t x68; + fiat_p256_uint1 x69; + uint64_t x70; + fiat_p256_uint1 x71; + uint64_t x72; + fiat_p256_uint1 x73; + uint64_t x74; + fiat_p256_uint1 x75; + uint64_t x76; + uint64_t x77; + fiat_p256_uint1 x78; + uint64_t x79; + fiat_p256_uint1 x80; + uint64_t x81; + fiat_p256_uint1 x82; + uint64_t x83; + fiat_p256_uint1 x84; + uint64_t x85; + fiat_p256_uint1 x86; + uint64_t x87; + uint64_t x88; + uint64_t x89; + uint64_t x90; + x1 = (arg1[0]); + 
fiat_p256_mulx_u64(&x2, &x3, x1, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x4, &x5, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x6, &x7, x1, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x8, &x9, 0x0, x7, x4); + fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x6); + fiat_p256_addcarryx_u64(&x12, &x13, x11, 0x0, x8); + fiat_p256_addcarryx_u64(&x14, &x15, 0x0, x12, (arg1[1])); + fiat_p256_mulx_u64(&x16, &x17, x14, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x18, &x19, x14, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x20, &x21, x14, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x22, &x23, 0x0, x21, x18); + fiat_p256_addcarryx_u64(&x24, &x25, 0x0, x14, x20); + fiat_p256_addcarryx_u64(&x26, &x27, x25, (x15 + (x13 + (x9 + x5))), x22); + fiat_p256_addcarryx_u64(&x28, &x29, x27, x2, (x23 + x19)); + fiat_p256_addcarryx_u64(&x30, &x31, x29, x3, x16); + fiat_p256_addcarryx_u64(&x32, &x33, 0x0, x26, (arg1[2])); + fiat_p256_addcarryx_u64(&x34, &x35, x33, x28, 0x0); + fiat_p256_addcarryx_u64(&x36, &x37, x35, x30, 0x0); + fiat_p256_mulx_u64(&x38, &x39, x32, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x40, &x41, x32, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x42, &x43, x32, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x44, &x45, 0x0, x43, x40); + fiat_p256_addcarryx_u64(&x46, &x47, 0x0, x32, x42); + fiat_p256_addcarryx_u64(&x48, &x49, x47, x34, x44); + fiat_p256_addcarryx_u64(&x50, &x51, x49, x36, (x45 + x41)); + fiat_p256_addcarryx_u64(&x52, &x53, x51, (x37 + (x31 + x17)), x38); + fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x48, (arg1[3])); + fiat_p256_addcarryx_u64(&x56, &x57, x55, x50, 0x0); + fiat_p256_addcarryx_u64(&x58, &x59, x57, x52, 0x0); + fiat_p256_mulx_u64(&x60, &x61, x54, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x62, &x63, x54, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x66, &x67, 0x0, x65, x62); + 
fiat_p256_addcarryx_u64(&x68, &x69, 0x0, x54, x64); + fiat_p256_addcarryx_u64(&x70, &x71, x69, x56, x66); + fiat_p256_addcarryx_u64(&x72, &x73, x71, x58, (x67 + x63)); + fiat_p256_addcarryx_u64(&x74, &x75, x73, (x59 + (x53 + x39)), x60); + x76 = (x75 + x61); + fiat_p256_subborrowx_u64(&x77, &x78, 0x0, x70, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x79, &x80, x78, x72, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x81, &x82, x80, x74, 0x0); + fiat_p256_subborrowx_u64(&x83, &x84, x82, x76, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x85, &x86, x84, 0x0, 0x0); + fiat_p256_cmovznz_u64(&x87, x86, x77, x70); + fiat_p256_cmovznz_u64(&x88, x86, x79, x72); + fiat_p256_cmovznz_u64(&x89, x86, x81, x74); + fiat_p256_cmovznz_u64(&x90, x86, x83, x76); + out1[0] = x87; + out1[1] = x88; + out1[2] = x89; + out1[3] = x90; +} + +/* + * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. + * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * eval (from_montgomery out1) mod m = eval arg1 mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + fiat_p256_uint1 x14; + uint64_t x15; + fiat_p256_uint1 x16; + uint64_t x17; + fiat_p256_uint1 x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + fiat_p256_uint1 x26; + uint64_t x27; + fiat_p256_uint1 x28; + uint64_t x29; + fiat_p256_uint1 x30; + uint64_t x31; + fiat_p256_uint1 x32; + uint64_t x33; + fiat_p256_uint1 x34; + uint64_t x35; + fiat_p256_uint1 x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t 
x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + fiat_p256_uint1 x46; + uint64_t x47; + fiat_p256_uint1 x48; + uint64_t x49; + fiat_p256_uint1 x50; + uint64_t x51; + fiat_p256_uint1 x52; + uint64_t x53; + fiat_p256_uint1 x54; + uint64_t x55; + fiat_p256_uint1 x56; + uint64_t x57; + fiat_p256_uint1 x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint64_t x65; + fiat_p256_uint1 x66; + uint64_t x67; + fiat_p256_uint1 x68; + uint64_t x69; + fiat_p256_uint1 x70; + uint64_t x71; + fiat_p256_uint1 x72; + uint64_t x73; + fiat_p256_uint1 x74; + uint64_t x75; + fiat_p256_uint1 x76; + uint64_t x77; + uint64_t x78; + uint64_t x79; + uint64_t x80; + uint64_t x81; + uint64_t x82; + uint64_t x83; + uint64_t x84; + uint64_t x85; + fiat_p256_uint1 x86; + uint64_t x87; + fiat_p256_uint1 x88; + uint64_t x89; + fiat_p256_uint1 x90; + uint64_t x91; + fiat_p256_uint1 x92; + uint64_t x93; + fiat_p256_uint1 x94; + uint64_t x95; + fiat_p256_uint1 x96; + uint64_t x97; + fiat_p256_uint1 x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint64_t x103; + uint64_t x104; + uint64_t x105; + fiat_p256_uint1 x106; + uint64_t x107; + fiat_p256_uint1 x108; + uint64_t x109; + fiat_p256_uint1 x110; + uint64_t x111; + fiat_p256_uint1 x112; + uint64_t x113; + fiat_p256_uint1 x114; + uint64_t x115; + fiat_p256_uint1 x116; + uint64_t x117; + uint64_t x118; + uint64_t x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + uint64_t x125; + fiat_p256_uint1 x126; + uint64_t x127; + fiat_p256_uint1 x128; + uint64_t x129; + fiat_p256_uint1 x130; + uint64_t x131; + fiat_p256_uint1 x132; + uint64_t x133; + fiat_p256_uint1 x134; + uint64_t x135; + fiat_p256_uint1 x136; + uint64_t x137; + fiat_p256_uint1 x138; + uint64_t x139; + uint64_t x140; + uint64_t x141; + uint64_t x142; + uint64_t x143; + uint64_t x144; + uint64_t x145; + fiat_p256_uint1 x146; + uint64_t x147; + fiat_p256_uint1 x148; + 
uint64_t x149; + fiat_p256_uint1 x150; + uint64_t x151; + fiat_p256_uint1 x152; + uint64_t x153; + fiat_p256_uint1 x154; + uint64_t x155; + fiat_p256_uint1 x156; + uint64_t x157; + fiat_p256_uint1 x158; + uint64_t x159; + fiat_p256_uint1 x160; + uint64_t x161; + fiat_p256_uint1 x162; + uint64_t x163; + fiat_p256_uint1 x164; + uint64_t x165; + fiat_p256_uint1 x166; + uint64_t x167; + uint64_t x168; + uint64_t x169; + uint64_t x170; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[0]); + fiat_p256_mulx_u64(&x5, &x6, x4, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x7, &x8, x4, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x9, &x10, x4, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x11, &x12, x4, 0x3); + fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); + fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); + fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); + fiat_p256_mulx_u64(&x19, &x20, x11, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x21, &x22, x11, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x23, &x24, x11, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x25, &x26, 0x0, x24, x21); + fiat_p256_addcarryx_u64(&x27, &x28, 0x0, x11, x23); + fiat_p256_addcarryx_u64(&x29, &x30, x28, x13, x25); + fiat_p256_addcarryx_u64(&x31, &x32, x30, x15, (x26 + x22)); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x17, x19); + fiat_p256_addcarryx_u64(&x35, &x36, x34, (x18 + x6), x20); + fiat_p256_mulx_u64(&x37, &x38, x1, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x39, &x40, x1, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x41, &x42, x1, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x43, &x44, x1, 0x3); + fiat_p256_addcarryx_u64(&x45, &x46, 0x0, x44, x41); + fiat_p256_addcarryx_u64(&x47, &x48, x46, x42, x39); + fiat_p256_addcarryx_u64(&x49, &x50, x48, x40, x37); + fiat_p256_addcarryx_u64(&x51, &x52, 0x0, x29, x43); + fiat_p256_addcarryx_u64(&x53, &x54, x52, x31, x45); + fiat_p256_addcarryx_u64(&x55, &x56, x54, x33, 
x47); + fiat_p256_addcarryx_u64(&x57, &x58, x56, x35, x49); + fiat_p256_mulx_u64(&x59, &x60, x51, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x61, &x62, x51, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x63, &x64, x51, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x65, &x66, 0x0, x64, x61); + fiat_p256_addcarryx_u64(&x67, &x68, 0x0, x51, x63); + fiat_p256_addcarryx_u64(&x69, &x70, x68, x53, x65); + fiat_p256_addcarryx_u64(&x71, &x72, x70, x55, (x66 + x62)); + fiat_p256_addcarryx_u64(&x73, &x74, x72, x57, x59); + fiat_p256_addcarryx_u64(&x75, &x76, x74, (((uint64_t)x58 + x36) + (x50 + x38)), x60); + fiat_p256_mulx_u64(&x77, &x78, x2, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x79, &x80, x2, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x81, &x82, x2, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x83, &x84, x2, 0x3); + fiat_p256_addcarryx_u64(&x85, &x86, 0x0, x84, x81); + fiat_p256_addcarryx_u64(&x87, &x88, x86, x82, x79); + fiat_p256_addcarryx_u64(&x89, &x90, x88, x80, x77); + fiat_p256_addcarryx_u64(&x91, &x92, 0x0, x69, x83); + fiat_p256_addcarryx_u64(&x93, &x94, x92, x71, x85); + fiat_p256_addcarryx_u64(&x95, &x96, x94, x73, x87); + fiat_p256_addcarryx_u64(&x97, &x98, x96, x75, x89); + fiat_p256_mulx_u64(&x99, &x100, x91, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x101, &x102, x91, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x103, &x104, x91, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x105, &x106, 0x0, x104, x101); + fiat_p256_addcarryx_u64(&x107, &x108, 0x0, x91, x103); + fiat_p256_addcarryx_u64(&x109, &x110, x108, x93, x105); + fiat_p256_addcarryx_u64(&x111, &x112, x110, x95, (x106 + x102)); + fiat_p256_addcarryx_u64(&x113, &x114, x112, x97, x99); + fiat_p256_addcarryx_u64(&x115, &x116, x114, (((uint64_t)x98 + x76) + (x90 + x78)), x100); + fiat_p256_mulx_u64(&x117, &x118, x3, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x119, &x120, x3, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x121, 
&x122, x3, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x123, &x124, x3, 0x3); + fiat_p256_addcarryx_u64(&x125, &x126, 0x0, x124, x121); + fiat_p256_addcarryx_u64(&x127, &x128, x126, x122, x119); + fiat_p256_addcarryx_u64(&x129, &x130, x128, x120, x117); + fiat_p256_addcarryx_u64(&x131, &x132, 0x0, x109, x123); + fiat_p256_addcarryx_u64(&x133, &x134, x132, x111, x125); + fiat_p256_addcarryx_u64(&x135, &x136, x134, x113, x127); + fiat_p256_addcarryx_u64(&x137, &x138, x136, x115, x129); + fiat_p256_mulx_u64(&x139, &x140, x131, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x141, &x142, x131, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x143, &x144, x131, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x145, &x146, 0x0, x144, x141); + fiat_p256_addcarryx_u64(&x147, &x148, 0x0, x131, x143); + fiat_p256_addcarryx_u64(&x149, &x150, x148, x133, x145); + fiat_p256_addcarryx_u64(&x151, &x152, x150, x135, (x146 + x142)); + fiat_p256_addcarryx_u64(&x153, &x154, x152, x137, x139); + fiat_p256_addcarryx_u64(&x155, &x156, x154, (((uint64_t)x138 + x116) + (x130 + x118)), x140); + fiat_p256_subborrowx_u64(&x157, &x158, 0x0, x149, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x159, &x160, x158, x151, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x161, &x162, x160, x153, 0x0); + fiat_p256_subborrowx_u64(&x163, &x164, x162, x155, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x165, &x166, x164, x156, 0x0); + fiat_p256_cmovznz_u64(&x167, x166, x157, x149); + fiat_p256_cmovznz_u64(&x168, x166, x159, x151); + fiat_p256_cmovznz_u64(&x169, x166, x161, x153); + fiat_p256_cmovznz_u64(&x170, x166, x163, x155); + out1[0] = x167; + out1[1] = x168; + out1[2] = x169; + out1[3] = x170; +} + +/* + * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 + * + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) { + uint64_t x1; + x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))); + *out1 = x1; +} + +/* + * The function fiat_p256_selectznz is a multi-limb conditional select. + * + * Postconditions: + * out1 = (if arg1 = 0 then arg2 else arg3) + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const uint64_t arg2[4], const uint64_t arg3[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + fiat_p256_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_p256_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_p256_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); + fiat_p256_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; +} + +/* + * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] + * + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint8_t x5; + uint64_t x6; + uint8_t x7; + uint64_t x8; + uint8_t x9; + uint64_t x10; + uint8_t x11; + uint64_t x12; + uint8_t x13; + uint64_t x14; + uint8_t x15; + uint64_t x16; + uint8_t x17; + uint8_t x18; + uint8_t x19; + uint64_t x20; + uint8_t x21; + uint64_t x22; + uint8_t x23; + uint64_t x24; + uint8_t x25; + uint64_t x26; + uint8_t x27; + uint64_t x28; + uint8_t x29; + uint64_t x30; + uint8_t x31; + uint8_t x32; + uint8_t x33; + uint64_t x34; + uint8_t x35; + uint64_t x36; + uint8_t x37; + uint64_t x38; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; + uint8_t x46; + uint8_t x47; + uint64_t x48; + uint8_t x49; + uint64_t x50; + uint8_t x51; + uint64_t x52; + uint8_t x53; + uint64_t x54; + uint8_t x55; + uint64_t x56; + uint8_t x57; + uint64_t x58; + uint8_t x59; + uint8_t x60; + x1 = (arg1[3]); + x2 = (arg1[2]); + x3 = (arg1[1]); + x4 = (arg1[0]); + x5 = (uint8_t)(x4 & UINT8_C(0xff)); + x6 = (x4 >> 8); + x7 = (uint8_t)(x6 & UINT8_C(0xff)); + 
x8 = (x6 >> 8); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (x12 >> 8); + x15 = (uint8_t)(x14 & UINT8_C(0xff)); + x16 = (x14 >> 8); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); + x18 = (uint8_t)(x16 >> 8); + x19 = (uint8_t)(x3 & UINT8_C(0xff)); + x20 = (x3 >> 8); + x21 = (uint8_t)(x20 & UINT8_C(0xff)); + x22 = (x20 >> 8); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); + x24 = (x22 >> 8); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); + x26 = (x24 >> 8); + x27 = (uint8_t)(x26 & UINT8_C(0xff)); + x28 = (x26 >> 8); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); + x30 = (x28 >> 8); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); + x32 = (uint8_t)(x30 >> 8); + x33 = (uint8_t)(x2 & UINT8_C(0xff)); + x34 = (x2 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (x36 >> 8); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (uint8_t)(x44 >> 8); + x47 = (uint8_t)(x1 & UINT8_C(0xff)); + x48 = (x1 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (x48 >> 8); + x51 = (uint8_t)(x50 & UINT8_C(0xff)); + x52 = (x50 >> 8); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); + x54 = (x52 >> 8); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); + x56 = (x54 >> 8); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); + x58 = (x56 >> 8); + x59 = (uint8_t)(x58 & UINT8_C(0xff)); + x60 = (uint8_t)(x58 >> 8); + out1[0] = x5; + out1[1] = x7; + out1[2] = x9; + out1[3] = x11; + out1[4] = x13; + out1[5] = x15; + out1[6] = x17; + out1[7] = x18; + out1[8] = x19; + out1[9] = x21; + out1[10] = x23; + out1[11] = x25; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x39; + out1[20] = x41; + out1[21] = x43; + out1[22] = 
x45; + out1[23] = x46; + out1[24] = x47; + out1[25] = x49; + out1[26] = x51; + out1[27] = x53; + out1[28] = x55; + out1[29] = x57; + out1[30] = x59; + out1[31] = x60; +} + +/* + * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * + * Preconditions: + * 0 ≤ bytes_eval arg1 < m + * Postconditions: + * eval out1 mod m = bytes_eval arg1 mod m + * 0 ≤ eval out1 < m + * + * Input Bounds: + * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_from_bytes(uint64_t out1[4], const uint8_t arg1[32]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint8_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint8_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint8_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + 
uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + x1 = ((uint64_t)(arg1[31]) << 56); + x2 = ((uint64_t)(arg1[30]) << 48); + x3 = ((uint64_t)(arg1[29]) << 40); + x4 = ((uint64_t)(arg1[28]) << 32); + x5 = ((uint64_t)(arg1[27]) << 24); + x6 = ((uint64_t)(arg1[26]) << 16); + x7 = ((uint64_t)(arg1[25]) << 8); + x8 = (arg1[24]); + x9 = ((uint64_t)(arg1[23]) << 56); + x10 = ((uint64_t)(arg1[22]) << 48); + x11 = ((uint64_t)(arg1[21]) << 40); + x12 = ((uint64_t)(arg1[20]) << 32); + x13 = ((uint64_t)(arg1[19]) << 24); + x14 = ((uint64_t)(arg1[18]) << 16); + x15 = ((uint64_t)(arg1[17]) << 8); + x16 = (arg1[16]); + x17 = ((uint64_t)(arg1[15]) << 56); + x18 = ((uint64_t)(arg1[14]) << 48); + x19 = ((uint64_t)(arg1[13]) << 40); + x20 = ((uint64_t)(arg1[12]) << 32); + x21 = ((uint64_t)(arg1[11]) << 24); + x22 = ((uint64_t)(arg1[10]) << 16); + x23 = ((uint64_t)(arg1[9]) << 8); + x24 = (arg1[8]); + x25 = ((uint64_t)(arg1[7]) << 56); + x26 = ((uint64_t)(arg1[6]) << 48); + x27 = ((uint64_t)(arg1[5]) << 40); + x28 = ((uint64_t)(arg1[4]) << 32); + x29 = ((uint64_t)(arg1[3]) << 24); + x30 = ((uint64_t)(arg1[2]) << 16); + x31 = ((uint64_t)(arg1[1]) << 8); + x32 = (arg1[0]); + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x25 + x38); + x40 = (x23 + (uint64_t)x24); + x41 = (x22 + x40); + x42 = (x21 + x41); + x43 = (x20 + x42); + x44 = (x19 + x43); + x45 = (x18 + x44); + x46 = (x17 + x45); + x47 = (x15 + (uint64_t)x16); + x48 = (x14 + x47); + x49 = (x13 + x48); + x50 = (x12 + x49); + x51 = (x11 + x50); + x52 = (x10 + x51); + x53 = (x9 + x52); + x54 = (x7 + (uint64_t)x8); + x55 = (x6 + x54); + x56 = (x5 + x55); + x57 = (x4 + x56); + x58 = (x3 + x57); + x59 = (x2 + x58); + x60 = (x1 + x59); + out1[0] = x39; + out1[1] = x46; + out1[2] = x53; + out1[3] = x60; +} + +/* + * The function 
fiat_p256_set_one returns the field element one in the Montgomery domain. + * + * Postconditions: + * eval (from_montgomery out1) mod m = 1 mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) { + out1[0] = 0x1; + out1[1] = UINT64_C(0xffffffff00000000); + out1[2] = UINT64_C(0xffffffffffffffff); + out1[3] = UINT32_C(0xfffffffe); +} + +/* + * The function fiat_p256_msat returns the saturated representation of the prime modulus. + * + * Postconditions: + * twos_complement_eval out1 = m + * 0 ≤ eval out1 < m + * + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_msat(uint64_t out1[5]) { + out1[0] = UINT64_C(0xffffffffffffffff); + out1[1] = UINT32_C(0xffffffff); + out1[2] = 0x0; + out1[3] = UINT64_C(0xffffffff00000001); + out1[4] = 0x0; +} + +/* + * The function fiat_p256_divstep computes a divstep. 
+ * + * Preconditions: + * 0 ≤ eval arg4 < m + * 0 ≤ eval arg5 < m + * Postconditions: + * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) + * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) + * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) + * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) + * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) + * 0 ≤ eval out5 < m + * 0 ≤ eval out5 < m + * 0 ≤ eval out2 < m + * 0 ≤ eval out3 < m + * + * Input Bounds: + * arg1: [0x0 ~> 0xffffffffffffffff] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_divstep(uint64_t* out1, uint64_t out2[5], uint64_t out3[5], uint64_t out4[4], uint64_t out5[4], uint64_t arg1, const uint64_t arg2[5], const uint64_t arg3[5], const uint64_t arg4[4], const uint64_t arg5[4]) { + uint64_t x1; + fiat_p256_uint1 x2; + fiat_p256_uint1 x3; + uint64_t x4; + fiat_p256_uint1 x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + fiat_p256_uint1 x13; + uint64_t x14; + fiat_p256_uint1 x15; + uint64_t x16; + fiat_p256_uint1 x17; + uint64_t x18; + fiat_p256_uint1 x19; + uint64_t x20; + fiat_p256_uint1 x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + fiat_p256_uint1 x32; + uint64_t x33; + fiat_p256_uint1 x34; + uint64_t x35; + fiat_p256_uint1 x36; + uint64_t x37; + fiat_p256_uint1 x38; + uint64_t x39; + fiat_p256_uint1 x40; + uint64_t x41; + fiat_p256_uint1 x42; + uint64_t x43; + fiat_p256_uint1 x44; + uint64_t x45; + fiat_p256_uint1 x46; + uint64_t x47; + fiat_p256_uint1 x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + fiat_p256_uint1 x54; + uint64_t x55; + fiat_p256_uint1 x56; + uint64_t x57; + fiat_p256_uint1 x58; + uint64_t x59; + fiat_p256_uint1 x60; + uint64_t x61; + uint64_t x62; + fiat_p256_uint1 x63; + uint64_t x64; + fiat_p256_uint1 x65; + uint64_t x66; + fiat_p256_uint1 x67; + uint64_t x68; + fiat_p256_uint1 x69; + uint64_t x70; + uint64_t x71; + uint64_t x72; + uint64_t x73; + fiat_p256_uint1 x74; + uint64_t x75; + 
uint64_t x76; + uint64_t x77; + uint64_t x78; + uint64_t x79; + uint64_t x80; + fiat_p256_uint1 x81; + uint64_t x82; + fiat_p256_uint1 x83; + uint64_t x84; + fiat_p256_uint1 x85; + uint64_t x86; + fiat_p256_uint1 x87; + uint64_t x88; + fiat_p256_uint1 x89; + uint64_t x90; + uint64_t x91; + uint64_t x92; + uint64_t x93; + uint64_t x94; + fiat_p256_uint1 x95; + uint64_t x96; + fiat_p256_uint1 x97; + uint64_t x98; + fiat_p256_uint1 x99; + uint64_t x100; + fiat_p256_uint1 x101; + uint64_t x102; + fiat_p256_uint1 x103; + uint64_t x104; + fiat_p256_uint1 x105; + uint64_t x106; + fiat_p256_uint1 x107; + uint64_t x108; + fiat_p256_uint1 x109; + uint64_t x110; + fiat_p256_uint1 x111; + uint64_t x112; + fiat_p256_uint1 x113; + uint64_t x114; + uint64_t x115; + uint64_t x116; + uint64_t x117; + uint64_t x118; + uint64_t x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + uint64_t x125; + uint64_t x126; + fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (~arg1), 0x1); + x3 = (fiat_p256_uint1)((fiat_p256_uint1)(x1 >> 63) & (fiat_p256_uint1)((arg3[0]) & 0x1)); + fiat_p256_addcarryx_u64(&x4, &x5, 0x0, (~arg1), 0x1); + fiat_p256_cmovznz_u64(&x6, x3, arg1, x4); + fiat_p256_cmovznz_u64(&x7, x3, (arg2[0]), (arg3[0])); + fiat_p256_cmovznz_u64(&x8, x3, (arg2[1]), (arg3[1])); + fiat_p256_cmovznz_u64(&x9, x3, (arg2[2]), (arg3[2])); + fiat_p256_cmovznz_u64(&x10, x3, (arg2[3]), (arg3[3])); + fiat_p256_cmovznz_u64(&x11, x3, (arg2[4]), (arg3[4])); + fiat_p256_addcarryx_u64(&x12, &x13, 0x0, 0x1, (~(arg2[0]))); + fiat_p256_addcarryx_u64(&x14, &x15, x13, 0x0, (~(arg2[1]))); + fiat_p256_addcarryx_u64(&x16, &x17, x15, 0x0, (~(arg2[2]))); + fiat_p256_addcarryx_u64(&x18, &x19, x17, 0x0, (~(arg2[3]))); + fiat_p256_addcarryx_u64(&x20, &x21, x19, 0x0, (~(arg2[4]))); + fiat_p256_cmovznz_u64(&x22, x3, (arg3[0]), x12); + fiat_p256_cmovznz_u64(&x23, x3, (arg3[1]), x14); + fiat_p256_cmovznz_u64(&x24, x3, (arg3[2]), x16); + fiat_p256_cmovznz_u64(&x25, x3, (arg3[3]), x18); + 
fiat_p256_cmovznz_u64(&x26, x3, (arg3[4]), x20); + fiat_p256_cmovznz_u64(&x27, x3, (arg4[0]), (arg5[0])); + fiat_p256_cmovznz_u64(&x28, x3, (arg4[1]), (arg5[1])); + fiat_p256_cmovznz_u64(&x29, x3, (arg4[2]), (arg5[2])); + fiat_p256_cmovznz_u64(&x30, x3, (arg4[3]), (arg5[3])); + fiat_p256_addcarryx_u64(&x31, &x32, 0x0, x27, x27); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x28, x28); + fiat_p256_addcarryx_u64(&x35, &x36, x34, x29, x29); + fiat_p256_addcarryx_u64(&x37, &x38, x36, x30, x30); + fiat_p256_subborrowx_u64(&x39, &x40, 0x0, x31, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x41, &x42, x40, x33, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x43, &x44, x42, x35, 0x0); + fiat_p256_subborrowx_u64(&x45, &x46, x44, x37, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x47, &x48, x46, x38, 0x0); + x49 = (arg4[3]); + x50 = (arg4[2]); + x51 = (arg4[1]); + x52 = (arg4[0]); + fiat_p256_subborrowx_u64(&x53, &x54, 0x0, 0x0, x52); + fiat_p256_subborrowx_u64(&x55, &x56, x54, 0x0, x51); + fiat_p256_subborrowx_u64(&x57, &x58, x56, 0x0, x50); + fiat_p256_subborrowx_u64(&x59, &x60, x58, 0x0, x49); + fiat_p256_cmovznz_u64(&x61, x60, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x62, &x63, 0x0, x53, x61); + fiat_p256_addcarryx_u64(&x64, &x65, x63, x55, (x61 & UINT32_C(0xffffffff))); + fiat_p256_addcarryx_u64(&x66, &x67, x65, x57, 0x0); + fiat_p256_addcarryx_u64(&x68, &x69, x67, x59, (x61 & UINT64_C(0xffffffff00000001))); + fiat_p256_cmovznz_u64(&x70, x3, (arg5[0]), x62); + fiat_p256_cmovznz_u64(&x71, x3, (arg5[1]), x64); + fiat_p256_cmovznz_u64(&x72, x3, (arg5[2]), x66); + fiat_p256_cmovznz_u64(&x73, x3, (arg5[3]), x68); + x74 = (fiat_p256_uint1)(x22 & 0x1); + fiat_p256_cmovznz_u64(&x75, x74, 0x0, x7); + fiat_p256_cmovznz_u64(&x76, x74, 0x0, x8); + fiat_p256_cmovznz_u64(&x77, x74, 0x0, x9); + fiat_p256_cmovznz_u64(&x78, x74, 0x0, x10); + fiat_p256_cmovznz_u64(&x79, x74, 0x0, x11); + fiat_p256_addcarryx_u64(&x80, &x81, 0x0, x22, x75); 
+ fiat_p256_addcarryx_u64(&x82, &x83, x81, x23, x76); + fiat_p256_addcarryx_u64(&x84, &x85, x83, x24, x77); + fiat_p256_addcarryx_u64(&x86, &x87, x85, x25, x78); + fiat_p256_addcarryx_u64(&x88, &x89, x87, x26, x79); + fiat_p256_cmovznz_u64(&x90, x74, 0x0, x27); + fiat_p256_cmovznz_u64(&x91, x74, 0x0, x28); + fiat_p256_cmovznz_u64(&x92, x74, 0x0, x29); + fiat_p256_cmovznz_u64(&x93, x74, 0x0, x30); + fiat_p256_addcarryx_u64(&x94, &x95, 0x0, x70, x90); + fiat_p256_addcarryx_u64(&x96, &x97, x95, x71, x91); + fiat_p256_addcarryx_u64(&x98, &x99, x97, x72, x92); + fiat_p256_addcarryx_u64(&x100, &x101, x99, x73, x93); + fiat_p256_subborrowx_u64(&x102, &x103, 0x0, x94, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x104, &x105, x103, x96, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x106, &x107, x105, x98, 0x0); + fiat_p256_subborrowx_u64(&x108, &x109, x107, x100, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x110, &x111, x109, x101, 0x0); + fiat_p256_addcarryx_u64(&x112, &x113, 0x0, x6, 0x1); + x114 = ((x80 >> 1) | ((x82 << 63) & UINT64_C(0xffffffffffffffff))); + x115 = ((x82 >> 1) | ((x84 << 63) & UINT64_C(0xffffffffffffffff))); + x116 = ((x84 >> 1) | ((x86 << 63) & UINT64_C(0xffffffffffffffff))); + x117 = ((x86 >> 1) | ((x88 << 63) & UINT64_C(0xffffffffffffffff))); + x118 = ((x88 & UINT64_C(0x8000000000000000)) | (x88 >> 1)); + fiat_p256_cmovznz_u64(&x119, x48, x39, x31); + fiat_p256_cmovznz_u64(&x120, x48, x41, x33); + fiat_p256_cmovznz_u64(&x121, x48, x43, x35); + fiat_p256_cmovznz_u64(&x122, x48, x45, x37); + fiat_p256_cmovznz_u64(&x123, x111, x102, x94); + fiat_p256_cmovznz_u64(&x124, x111, x104, x96); + fiat_p256_cmovznz_u64(&x125, x111, x106, x98); + fiat_p256_cmovznz_u64(&x126, x111, x108, x100); + *out1 = x112; + out2[0] = x7; + out2[1] = x8; + out2[2] = x9; + out2[3] = x10; + out2[4] = x11; + out3[0] = x114; + out3[1] = x115; + out3[2] = x116; + out3[3] = x117; + out3[4] = x118; + out4[0] = x119; + out4[1] = x120; + out4[2] = x121; 
+ out4[3] = x122; + out5[0] = x123; + out5[1] = x124; + out5[2] = x125; + out5[3] = x126; +} + +/* + * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * + * Postconditions: + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) + * 0 ≤ eval out1 < m + * + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_divstep_precomp(uint64_t out1[4]) { + out1[0] = UINT64_C(0x67ffffffb8000000); + out1[1] = UINT64_C(0xc000000038000000); + out1[2] = UINT64_C(0xd80000007fffffff); + out1[3] = UINT64_C(0x2fffffffffffffff); +}
diff --git a/src/util/all_tests.go b/src/util/all_tests.go
index 8d81463e..c0dceba5 100644
--- a/src/util/all_tests.go
+++ b/src/util/all_tests.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/util/check_filenames.go b/src/util/check_filenames.go
index 886c3f60..384c19f5 100644
--- a/src/util/check_filenames.go
+++ b/src/util/check_filenames.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // check_filenames.go checks that filenames are unique. Some of our consumers do
 // not support multiple files with the same name in the same build target, even
 // if they are in different directories.
diff --git a/src/util/check_imported_libraries.go b/src/util/check_imported_libraries.go
index 187e5144..f3803f1c 100644
--- a/src/util/check_imported_libraries.go
+++ b/src/util/check_imported_libraries.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // check_imported_libraries.go checks that each of its arguments only imports
 // allowed libraries. This is used to avoid accidental dependencies on
 // libstdc++.so.
diff --git a/src/util/check_stack.go b/src/util/check_stack.go
index b718ea4a..ad763e65 100644
--- a/src/util/check_stack.go
+++ b/src/util/check_stack.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // check_stack.go checks that each of its arguments has a non-executable stack.
 // See https://www.airs.com/blog/archives/518 for details.
 package main
diff --git a/src/util/compare_benchmarks.go b/src/util/compare_benchmarks.go
index d631f832..05e1b5db 100644
--- a/src/util/compare_benchmarks.go
+++ b/src/util/compare_benchmarks.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // compare_benchmarks takes the JSON-formatted output of bssl speed and
 // compares it against a baseline output.
 package main
diff --git a/src/util/convert_comments.go b/src/util/convert_comments.go
index 917f29c8..df9e3d3a 100644
--- a/src/util/convert_comments.go
+++ b/src/util/convert_comments.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/util/convert_wycheproof.go b/src/util/convert_wycheproof/convert_wycheproof.go
index a7dfc818..076f8e48 100644
--- a/src/util/convert_wycheproof.go
+++ b/src/util/convert_wycheproof/convert_wycheproof.go
@@ -12,8 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-// convert_wycheproof.go converts Wycheproof test vectors into a format more
-// easily consumed by BoringSSL.
+// convert_wycheproof converts Wycheproof test vectors into a format more easily
+// consumed by BoringSSL.
 package main
 
 import (
diff --git a/src/util/diff_asm.go b/src/util/diff_asm.go
index 27c0aa20..5ac1c04b 100644
--- a/src/util/diff_asm.go
+++ b/src/util/diff_asm.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/util/doc.go b/src/util/doc.go
index e7f1b591..4fb73ca0 100644
--- a/src/util/doc.go
+++ b/src/util/doc.go
@@ -1,3 +1,5 @@
+//go:build ignore
+
 // doc generates HTML files from the comments in header files.
 //
 // doc expects to be given the path to a JSON file via the --config option.
diff --git a/src/util/embed_test_data.go b/src/util/embed_test_data.go
index 0a0d1e3f..ae7135fa 100644
--- a/src/util/embed_test_data.go
+++ b/src/util/embed_test_data.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // embed_test_data generates a C++ source file which exports a function,
 // GetTestData, which looks up the specified data files.
 package main
diff --git a/src/util/fetch_ech_config_list.go b/src/util/fetch_ech_config_list.go
index 8f09e66b..732d0d3b 100644
--- a/src/util/fetch_ech_config_list.go
+++ b/src/util/fetch_ech_config_list.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/util/fipstools/acvp/acvptool/test/check_expected.go b/src/util/fipstools/acvp/acvptool/test/check_expected.go
index c5dc0f67..d02f2729 100644
--- a/src/util/fipstools/acvp/acvptool/test/check_expected.go
+++ b/src/util/fipstools/acvp/acvptool/test/check_expected.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
diff --git a/src/util/fipstools/acvp/acvptool/test/trim_vectors.go b/src/util/fipstools/acvp/acvptool/test/trim_vectors.go
index 53e970e0..703f75fd 100644
--- a/src/util/fipstools/acvp/acvptool/test/trim_vectors.go
+++ b/src/util/fipstools/acvp/acvptool/test/trim_vectors.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // trimvectors takes an ACVP vector set file and discards all but a single test
 // from each test group. This hope is that this achieves good coverage without
 // having to check in megabytes worth of JSON files.
diff --git a/src/util/fipstools/break-hash.go b/src/util/fipstools/break-hash.go
index e37da752..a4ab8083 100644
--- a/src/util/fipstools/break-hash.go
+++ b/src/util/fipstools/break-hash.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // break-hash parses an ELF binary containing the FIPS module and corrupts the
 // first byte of the module. This should cause the integrity check to fail.
 package main
diff --git a/src/util/fipstools/break-kat.go b/src/util/fipstools/break-kat.go
index c412d0e2..e4d323ab 100644
--- a/src/util/fipstools/break-kat.go
+++ b/src/util/fipstools/break-kat.go
@@ -1,3 +1,5 @@
+//go:build
+
 // break-kat corrupts a known-answer-test input in a binary and writes the
 // corrupted binary to stdout. This is used to demonstrate that the KATs in the
 // binary notice the error.
diff --git a/src/util/godeps.go b/src/util/godeps.go
index 960faa46..56be5594 100644
--- a/src/util/godeps.go
+++ b/src/util/godeps.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // godeps prints out dependencies of a package in either CMake or Make depfile
 // format, for incremental rebuilds.
 //
diff --git a/src/util/make_errors.go b/src/util/make_errors.go
index 4e2718b8..874a001b 100644
--- a/src/util/make_errors.go
+++ b/src/util/make_errors.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import (
@@ -188,28 +190,13 @@ type assignment struct {
 value int
 }
 
-type assignmentsSlice []assignment
-
-func (a assignmentsSlice) Len() int {
- return len(a)
-}
-
-func (a assignmentsSlice) Less(i, j int) bool {
- return a[i].value < a[j].value
-}
-
-func (a assignmentsSlice) Swap(i, j int) {
- a[i], a[j] = a[j], a[i]
-}
-
 func outputAssignments(w io.Writer, assignments map[string]int) {
- var sorted assignmentsSlice
-
+ sorted := make([]assignment, 0, len(assignments))
 for key, value := range assignments {
 sorted = append(sorted, assignment{key, value})
 }
 
- sort.Sort(sorted)
+ sort.Slice(sorted, func(i, j int) bool { return sorted[i].value < sorted[j].value })
 
 for _, assignment := range sorted {
 fmt.Fprintf(w, "#define %s %d\n", assignment.key, assignment.value)
diff --git a/src/util/make_prefix_headers.go b/src/util/make_prefix_headers.go
index b39e4ec7..8787654b 100644
--- a/src/util/make_prefix_headers.go
+++ b/src/util/make_prefix_headers.go
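Review bot: The constraint added at the top of break-kat.go is a bare `//go:build` with no expression, whereas every other standalone script touched by this commit gets `//go:build ignore`. An empty constraint is not a valid build expression, so Go tooling is likely to report the line as malformed instead of excluding the file from package builds the way its siblings now are. The line should read `//go:build ignore`. It is not possible to tell from this page whether the word was dropped by the commit or by the rendering, so check the file itself before changing it.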
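Review bot: The comparator passed to `sort.Slice` in outputAssignments orders by `value` alone, and `sorted` is filled from a map range, so if two keys ever share a value their `#define` lines would come out in map-iteration order and could differ between runs of the generator. The removed `sort.Sort` behaved the same way, so this is not a regression, and the values may be unique by construction (not visible in this hunk). If the generated header is meant to be reproducible, add a key tie-break: `if sorted[i].value != sorted[j].value { return sorted[i].value < sorted[j].value }` followed by `return sorted[i].key < sorted[j].key`. outputAssignments continues past the end of the hunk.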
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // This program takes a file containing newline-separated symbols, and generates
 // boringssl_prefix_symbols.h, boringssl_prefix_symbols_asm.h, and
 // boringssl_prefix_symbols_nasm.inc. These header files can be used to build
diff --git a/src/util/read_symbols.go b/src/util/read_symbols.go
index b407ecb1..ab2184c0 100644
--- a/src/util/read_symbols.go
+++ b/src/util/read_symbols.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 // read_symbols scans one or more .a files and, for each object contained in
 // the .a files, reads the list of symbols in that object file.
 package main
diff --git a/src/util/run_android_tests.go b/src/util/run_android_tests.go
index 67a13e7e..ce878195 100644
--- a/src/util/run_android_tests.go
+++ b/src/util/run_android_tests.go
@@ -12,6 +12,8 @@
 // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
+//go:build ignore
+
 package main
 
 import ( |