/src/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_32.c

Source (jump to first uncovered line)
/* MIT License
 *
 * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
 * Copyright (c) 2022-2023 HACL* Contributors
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

#include "Hacl_Chacha20Poly1305_32.h"

#include "internal/Hacl_Krmllib.h"

static inline void
poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t *text)
{
    uint32_t n = len / (uint32_t)16U;
    uint32_t r = len % (uint32_t)16U;
    uint8_t *blocks = text;
    uint8_t *rem = text + n * (uint32_t)16U;
    uint64_t *pre0 = ctx + (uint32_t)5U;
    uint64_t *acc0 = ctx;
    uint32_t nb = n * (uint32_t)16U / (uint32_t)16U;
    uint32_t rem1 = n * (uint32_t)16U % (uint32_t)16U;
    for (uint32_t i = (uint32_t)0U; i < nb; i++) {
        uint8_t *block = blocks + i * (uint32_t)16U;
        uint64_t e[5U] = { 0U };
        uint64_t u0 = load64_le(block);
        uint64_t lo = u0;
        uint64_t u = load64_le(block + (uint32_t)8U);
        uint64_t hi = u;
        uint64_t f0 = lo;
        uint64_t f1 = hi;
        uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
        uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
        uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
        uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
        uint64_t f40 = f1 >> (uint32_t)40U;
        uint64_t f01 = f010;
        uint64_t f111 = f110;
        uint64_t f2 = f20;
        uint64_t f3 = f30;
        uint64_t f41 = f40;
        e[0U] = f01;
        e[1U] = f111;
        e[2U] = f2;
        e[3U] = f3;
        e[4U] = f41;
        uint64_t b = (uint64_t)0x1000000U;
        uint64_t mask = b;
        uint64_t f4 = e[4U];
        e[4U] = f4 | mask;
        uint64_t *r1 = pre0;
        uint64_t *r5 = pre0 + (uint32_t)5U;
        uint64_t r0 = r1[0U];
        uint64_t r11 = r1[1U];
        uint64_t r2 = r1[2U];
        uint64_t r3 = r1[3U];
        uint64_t r4 = r1[4U];
        uint64_t r51 = r5[1U];
        uint64_t r52 = r5[2U];
        uint64_t r53 = r5[3U];
        uint64_t r54 = r5[4U];
        uint64_t f10 = e[0U];
        uint64_t f11 = e[1U];
        uint64_t f12 = e[2U];
        uint64_t f13 = e[3U];
        uint64_t f14 = e[4U];
        uint64_t a0 = acc0[0U];
        uint64_t a1 = acc0[1U];
        uint64_t a2 = acc0[2U];
        uint64_t a3 = acc0[3U];
        uint64_t a4 = acc0[4U];
        uint64_t a01 = a0 + f10;
        uint64_t a11 = a1 + f11;
        uint64_t a21 = a2 + f12;
        uint64_t a31 = a3 + f13;
        uint64_t a41 = a4 + f14;
        uint64_t a02 = r0 * a01;
        uint64_t a12 = r11 * a01;
        uint64_t a22 = r2 * a01;
        uint64_t a32 = r3 * a01;
        uint64_t a42 = r4 * a01;
        uint64_t a03 = a02 + r54 * a11;
        uint64_t a13 = a12 + r0 * a11;
        uint64_t a23 = a22 + r11 * a11;
        uint64_t a33 = a32 + r2 * a11;
        uint64_t a43 = a42 + r3 * a11;
        uint64_t a04 = a03 + r53 * a21;
        uint64_t a14 = a13 + r54 * a21;
        uint64_t a24 = a23 + r0 * a21;
        uint64_t a34 = a33 + r11 * a21;
        uint64_t a44 = a43 + r2 * a21;
        uint64_t a05 = a04 + r52 * a31;
        uint64_t a15 = a14 + r53 * a31;
        uint64_t a25 = a24 + r54 * a31;
        uint64_t a35 = a34 + r0 * a31;
        uint64_t a45 = a44 + r11 * a31;
        uint64_t a06 = a05 + r51 * a41;
        uint64_t a16 = a15 + r52 * a41;
        uint64_t a26 = a25 + r53 * a41;
        uint64_t a36 = a35 + r54 * a41;
        uint64_t a46 = a45 + r0 * a41;
        uint64_t t0 = a06;
        uint64_t t1 = a16;
        uint64_t t2 = a26;
        uint64_t t3 = a36;
        uint64_t t4 = a46;
        uint64_t mask26 = (uint64_t)0x3ffffffU;
        uint64_t z0 = t0 >> (uint32_t)26U;
        uint64_t z1 = t3 >> (uint32_t)26U;
        uint64_t x0 = t0 & mask26;
        uint64_t x3 = t3 & mask26;
        uint64_t x1 = t1 + z0;
        uint64_t x4 = t4 + z1;
        uint64_t z01 = x1 >> (uint32_t)26U;
        uint64_t z11 = x4 >> (uint32_t)26U;
        uint64_t t = z11 << (uint32_t)2U;
        uint64_t z12 = z11 + t;
        uint64_t x11 = x1 & mask26;
        uint64_t x41 = x4 & mask26;
        uint64_t x2 = t2 + z01;
        uint64_t x01 = x0 + z12;
        uint64_t z02 = x2 >> (uint32_t)26U;
        uint64_t z13 = x01 >> (uint32_t)26U;
        uint64_t x21 = x2 & mask26;
        uint64_t x02 = x01 & mask26;
        uint64_t x31 = x3 + z02;
        uint64_t x12 = x11 + z13;
        uint64_t z03 = x31 >> (uint32_t)26U;
        uint64_t x32 = x31 & mask26;
        uint64_t x42 = x41 + z03;
        uint64_t o0 = x02;
        uint64_t o1 = x12;
        uint64_t o2 = x21;
        uint64_t o3 = x32;
        uint64_t o4 = x42;
        acc0[0U] = o0;
        acc0[1U] = o1;
        acc0[2U] = o2;
        acc0[3U] = o3;
        acc0[4U] = o4;
    }
    if (rem1 > (uint32_t)0U) {
        uint8_t *last = blocks + nb * (uint32_t)16U;
        uint64_t e[5U] = { 0U };
        uint8_t tmp[16U] = { 0U };
        memcpy(tmp, last, rem1 * sizeof(uint8_t));
        uint64_t u0 = load64_le(tmp);
        uint64_t lo = u0;
        uint64_t u = load64_le(tmp + (uint32_t)8U);
        uint64_t hi = u;
        uint64_t f0 = lo;
        uint64_t f1 = hi;
        uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
        uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
        uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
        uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
        uint64_t f40 = f1 >> (uint32_t)40U;
        uint64_t f01 = f010;
        uint64_t f111 = f110;
        uint64_t f2 = f20;
        uint64_t f3 = f30;
        uint64_t f4 = f40;
        e[0U] = f01;
        e[1U] = f111;
        e[2U] = f2;
        e[3U] = f3;
        e[4U] = f4;
        uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U;
        uint64_t mask = b;
        uint64_t fi = e[rem1 * (uint32_t)8U / (uint32_t)26U];
        e[rem1 * (uint32_t)8U / (uint32_t)26U] = fi | mask;
        uint64_t *r1 = pre0;
        uint64_t *r5 = pre0 + (uint32_t)5U;
        uint64_t r0 = r1[0U];
        uint64_t r11 = r1[1U];
        uint64_t r2 = r1[2U];
        uint64_t r3 = r1[3U];
        uint64_t r4 = r1[4U];
        uint64_t r51 = r5[1U];
        uint64_t r52 = r5[2U];
        uint64_t r53 = r5[3U];
        uint64_t r54 = r5[4U];
        uint64_t f10 = e[0U];
        uint64_t f11 = e[1U];
        uint64_t f12 = e[2U];
        uint64_t f13 = e[3U];
        uint64_t f14 = e[4U];
        uint64_t a0 = acc0[0U];
        uint64_t a1 = acc0[1U];
        uint64_t a2 = acc0[2U];
        uint64_t a3 = acc0[3U];
        uint64_t a4 = acc0[4U];
        uint64_t a01 = a0 + f10;
        uint64_t a11 = a1 + f11;
        uint64_t a21 = a2 + f12;
        uint64_t a31 = a3 + f13;
        uint64_t a41 = a4 + f14;
        uint64_t a02 = r0 * a01;
        uint64_t a12 = r11 * a01;
        uint64_t a22 = r2 * a01;
        uint64_t a32 = r3 * a01;
        uint64_t a42 = r4 * a01;
        uint64_t a03 = a02 + r54 * a11;
        uint64_t a13 = a12 + r0 * a11;
        uint64_t a23 = a22 + r11 * a11;
        uint64_t a33 = a32 + r2 * a11;
        uint64_t a43 = a42 + r3 * a11;
        uint64_t a04 = a03 + r53 * a21;
        uint64_t a14 = a13 + r54 * a21;
        uint64_t a24 = a23 + r0 * a21;
        uint64_t a34 = a33 + r11 * a21;
        uint64_t a44 = a43 + r2 * a21;
        uint64_t a05 = a04 + r52 * a31;
        uint64_t a15 = a14 + r53 * a31;
        uint64_t a25 = a24 + r54 * a31;
        uint64_t a35 = a34 + r0 * a31;
        uint64_t a45 = a44 + r11 * a31;
        uint64_t a06 = a05 + r51 * a41;
        uint64_t a16 = a15 + r52 * a41;
        uint64_t a26 = a25 + r53 * a41;
        uint64_t a36 = a35 + r54 * a41;
        uint64_t a46 = a45 + r0 * a41;
        uint64_t t0 = a06;
        uint64_t t1 = a16;
        uint64_t t2 = a26;
        uint64_t t3 = a36;
        uint64_t t4 = a46;
        uint64_t mask26 = (uint64_t)0x3ffffffU;
        uint64_t z0 = t0 >> (uint32_t)26U;
        uint64_t z1 = t3 >> (uint32_t)26U;
        uint64_t x0 = t0 & mask26;
        uint64_t x3 = t3 & mask26;
        uint64_t x1 = t1 + z0;
        uint64_t x4 = t4 + z1;
        uint64_t z01 = x1 >> (uint32_t)26U;
        uint64_t z11 = x4 >> (uint32_t)26U;
        uint64_t t = z11 << (uint32_t)2U;
        uint64_t z12 = z11 + t;
        uint64_t x11 = x1 & mask26;
        uint64_t x41 = x4 & mask26;
        uint64_t x2 = t2 + z01;
        uint64_t x01 = x0 + z12;
        uint64_t z02 = x2 >> (uint32_t)26U;
        uint64_t z13 = x01 >> (uint32_t)26U;
        uint64_t x21 = x2 & mask26;
        uint64_t x02 = x01 & mask26;
        uint64_t x31 = x3 + z02;
        uint64_t x12 = x11 + z13;
        uint64_t z03 = x31 >> (uint32_t)26U;
        uint64_t x32 = x31 & mask26;
        uint64_t x42 = x41 + z03;
        uint64_t o0 = x02;
        uint64_t o1 = x12;
        uint64_t o2 = x21;
        uint64_t o3 = x32;
        uint64_t o4 = x42;
        acc0[0U] = o0;
        acc0[1U] = o1;
        acc0[2U] = o2;
        acc0[3U] = o3;
        acc0[4U] = o4;
    }
    uint8_t tmp[16U] = { 0U };
    memcpy(tmp, rem, r * sizeof(uint8_t));
    if (r > (uint32_t)0U) {
        uint64_t *pre = ctx + (uint32_t)5U;
        uint64_t *acc = ctx;
        uint64_t e[5U] = { 0U };
        uint64_t u0 = load64_le(tmp);
        uint64_t lo = u0;
        uint64_t u = load64_le(tmp + (uint32_t)8U);
        uint64_t hi = u;
        uint64_t f0 = lo;
        uint64_t f1 = hi;
        uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
        uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
        uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
        uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
        uint64_t f40 = f1 >> (uint32_t)40U;
        uint64_t f01 = f010;
        uint64_t f111 = f110;
        uint64_t f2 = f20;
        uint64_t f3 = f30;
        uint64_t f41 = f40;
        e[0U] = f01;
        e[1U] = f111;
        e[2U] = f2;
        e[3U] = f3;
        e[4U] = f41;
        uint64_t b = (uint64_t)0x1000000U;
        uint64_t mask = b;
        uint64_t f4 = e[4U];
        e[4U] = f4 | mask;
        uint64_t *r1 = pre;
        uint64_t *r5 = pre + (uint32_t)5U;
        uint64_t r0 = r1[0U];
        uint64_t r11 = r1[1U];
        uint64_t r2 = r1[2U];
        uint64_t r3 = r1[3U];
        uint64_t r4 = r1[4U];
        uint64_t r51 = r5[1U];
        uint64_t r52 = r5[2U];
        uint64_t r53 = r5[3U];
        uint64_t r54 = r5[4U];
        uint64_t f10 = e[0U];
        uint64_t f11 = e[1U];
        uint64_t f12 = e[2U];
        uint64_t f13 = e[3U];
        uint64_t f14 = e[4U];
        uint64_t a0 = acc[0U];
        uint64_t a1 = acc[1U];
        uint64_t a2 = acc[2U];
        uint64_t a3 = acc[3U];
        uint64_t a4 = acc[4U];
        uint64_t a01 = a0 + f10;
        uint64_t a11 = a1 + f11;
        uint64_t a21 = a2 + f12;
        uint64_t a31 = a3 + f13;
        uint64_t a41 = a4 + f14;
        uint64_t a02 = r0 * a01;
        uint64_t a12 = r11 * a01;
        uint64_t a22 = r2 * a01;
        uint64_t a32 = r3 * a01;
        uint64_t a42 = r4 * a01;
        uint64_t a03 = a02 + r54 * a11;
        uint64_t a13 = a12 + r0 * a11;
        uint64_t a23 = a22 + r11 * a11;
        uint64_t a33 = a32 + r2 * a11;
        uint64_t a43 = a42 + r3 * a11;
        uint64_t a04 = a03 + r53 * a21;
        uint64_t a14 = a13 + r54 * a21;
        uint64_t a24 = a23 + r0 * a21;
        uint64_t a34 = a33 + r11 * a21;
        uint64_t a44 = a43 + r2 * a21;
        uint64_t a05 = a04 + r52 * a31;
        uint64_t a15 = a14 + r53 * a31;
        uint64_t a25 = a24 + r54 * a31;
        uint64_t a35 = a34 + r0 * a31;
        uint64_t a45 = a44 + r11 * a31;
        uint64_t a06 = a05 + r51 * a41;
        uint64_t a16 = a15 + r52 * a41;
        uint64_t a26 = a25 + r53 * a41;
        uint64_t a36 = a35 + r54 * a41;
        uint64_t a46 = a45 + r0 * a41;
        uint64_t t0 = a06;
        uint64_t t1 = a16;
        uint64_t t2 = a26;
        uint64_t t3 = a36;
        uint64_t t4 = a46;
        uint64_t mask26 = (uint64_t)0x3ffffffU;
        uint64_t z0 = t0 >> (uint32_t)26U;
        uint64_t z1 = t3 >> (uint32_t)26U;
        uint64_t x0 = t0 & mask26;
        uint64_t x3 = t3 & mask26;
        uint64_t x1 = t1 + z0;
        uint64_t x4 = t4 + z1;
        uint64_t z01 = x1 >> (uint32_t)26U;
        uint64_t z11 = x4 >> (uint32_t)26U;
        uint64_t t = z11 << (uint32_t)2U;
        uint64_t z12 = z11 + t;
        uint64_t x11 = x1 & mask26;
        uint64_t x41 = x4 & mask26;
        uint64_t x2 = t2 + z01;
        uint64_t x01 = x0 + z12;
        uint64_t z02 = x2 >> (uint32_t)26U;
        uint64_t z13 = x01 >> (uint32_t)26U;
        uint64_t x21 = x2 & mask26;
        uint64_t x02 = x01 & mask26;
        uint64_t x31 = x3 + z02;
        uint64_t x12 = x11 + z13;
        uint64_t z03 = x31 >> (uint32_t)26U;
        uint64_t x32 = x31 & mask26;
        uint64_t x42 = x41 + z03;
        uint64_t o0 = x02;
        uint64_t o1 = x12;
        uint64_t o2 = x21;
        uint64_t o3 = x32;
        uint64_t o4 = x42;
        acc[0U] = o0;
        acc[1U] = o1;
        acc[2U] = o2;
        acc[3U] = o3;
        acc[4U] = o4;
        return;
    }
}

static inline void
poly1305_do_32(
    uint8_t *k,
    uint32_t aadlen,
    uint8_t *aad,
    uint32_t mlen,
    uint8_t *m,
    uint8_t *out)
{
    uint64_t ctx[25U] = { 0U };
    uint8_t block[16U] = { 0U };
    Hacl_Poly1305_32_poly1305_init(ctx, k);
    if (aadlen != (uint32_t)0U) {
        poly1305_padded_32(ctx, aadlen, aad);
    }
    if (mlen != (uint32_t)0U) {
        poly1305_padded_32(ctx, mlen, m);
    }
    store64_le(block, (uint64_t)aadlen);
    store64_le(block + (uint32_t)8U, (uint64_t)mlen);
    uint64_t *pre = ctx + (uint32_t)5U;
    uint64_t *acc = ctx;
    uint64_t e[5U] = { 0U };
    uint64_t u0 = load64_le(block);
    uint64_t lo = u0;
    uint64_t u = load64_le(block + (uint32_t)8U);
    uint64_t hi = u;
    uint64_t f0 = lo;
    uint64_t f1 = hi;
    uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
    uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
    uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
    uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
    uint64_t f40 = f1 >> (uint32_t)40U;
    uint64_t f01 = f010;
    uint64_t f111 = f110;
    uint64_t f2 = f20;
    uint64_t f3 = f30;
    uint64_t f41 = f40;
    e[0U] = f01;
    e[1U] = f111;
    e[2U] = f2;
    e[3U] = f3;
    e[4U] = f41;
    uint64_t b = (uint64_t)0x1000000U;
    uint64_t mask = b;
    uint64_t f4 = e[4U];
    e[4U] = f4 | mask;
    uint64_t *r = pre;
    uint64_t *r5 = pre + (uint32_t)5U;
    uint64_t r0 = r[0U];
    uint64_t r1 = r[1U];
    uint64_t r2 = r[2U];
    uint64_t r3 = r[3U];
    uint64_t r4 = r[4U];
    uint64_t r51 = r5[1U];
    uint64_t r52 = r5[2U];
    uint64_t r53 = r5[3U];
    uint64_t r54 = r5[4U];
    uint64_t f10 = e[0U];
    uint64_t f11 = e[1U];
    uint64_t f12 = e[2U];
    uint64_t f13 = e[3U];
    uint64_t f14 = e[4U];
    uint64_t a0 = acc[0U];
    uint64_t a1 = acc[1U];
    uint64_t a2 = acc[2U];
    uint64_t a3 = acc[3U];
    uint64_t a4 = acc[4U];
    uint64_t a01 = a0 + f10;
    uint64_t a11 = a1 + f11;
    uint64_t a21 = a2 + f12;
    uint64_t a31 = a3 + f13;
    uint64_t a41 = a4 + f14;
    uint64_t a02 = r0 * a01;
    uint64_t a12 = r1 * a01;
    uint64_t a22 = r2 * a01;
    uint64_t a32 = r3 * a01;
    uint64_t a42 = r4 * a01;
    uint64_t a03 = a02 + r54 * a11;
    uint64_t a13 = a12 + r0 * a11;
    uint64_t a23 = a22 + r1 * a11;
    uint64_t a33 = a32 + r2 * a11;
    uint64_t a43 = a42 + r3 * a11;
    uint64_t a04 = a03 + r53 * a21;
    uint64_t a14 = a13 + r54 * a21;
    uint64_t a24 = a23 + r0 * a21;
    uint64_t a34 = a33 + r1 * a21;
    uint64_t a44 = a43 + r2 * a21;
    uint64_t a05 = a04 + r52 * a31;
    uint64_t a15 = a14 + r53 * a31;
    uint64_t a25 = a24 + r54 * a31;
    uint64_t a35 = a34 + r0 * a31;
    uint64_t a45 = a44 + r1 * a31;
    uint64_t a06 = a05 + r51 * a41;
    uint64_t a16 = a15 + r52 * a41;
    uint64_t a26 = a25 + r53 * a41;
    uint64_t a36 = a35 + r54 * a41;
    uint64_t a46 = a45 + r0 * a41;
    uint64_t t0 = a06;
    uint64_t t1 = a16;
    uint64_t t2 = a26;
    uint64_t t3 = a36;
    uint64_t t4 = a46;
    uint64_t mask26 = (uint64_t)0x3ffffffU;
    uint64_t z0 = t0 >> (uint32_t)26U;
    uint64_t z1 = t3 >> (uint32_t)26U;
    uint64_t x0 = t0 & mask26;
    uint64_t x3 = t3 & mask26;
    uint64_t x1 = t1 + z0;
    uint64_t x4 = t4 + z1;
    uint64_t z01 = x1 >> (uint32_t)26U;
    uint64_t z11 = x4 >> (uint32_t)26U;
    uint64_t t = z11 << (uint32_t)2U;
    uint64_t z12 = z11 + t;
    uint64_t x11 = x1 & mask26;
    uint64_t x41 = x4 & mask26;
    uint64_t x2 = t2 + z01;
    uint64_t x01 = x0 + z12;
    uint64_t z02 = x2 >> (uint32_t)26U;
    uint64_t z13 = x01 >> (uint32_t)26U;
    uint64_t x21 = x2 & mask26;
    uint64_t x02 = x01 & mask26;
    uint64_t x31 = x3 + z02;
    uint64_t x12 = x11 + z13;
    uint64_t z03 = x31 >> (uint32_t)26U;
    uint64_t x32 = x31 & mask26;
    uint64_t x42 = x41 + z03;
    uint64_t o0 = x02;
    uint64_t o1 = x12;
    uint64_t o2 = x21;
    uint64_t o3 = x32;
    uint64_t o4 = x42;
    acc[0U] = o0;
    acc[1U] = o1;
    acc[2U] = o2;
    acc[3U] = o3;
    acc[4U] = o4;
    Hacl_Poly1305_32_poly1305_finish(out, k, ctx);
}

/**
Encrypt a message `m` with key `k`.

The arguments `k`, `n`, `aadlen`, and `aad` are same in encryption/decryption.
Note: Encryption and decryption can be executed in-place, i.e., `m` and `cipher` can point to the same memory.

@param k Pointer to 32 bytes of memory where the AEAD key is read from.
@param n Pointer to 12 bytes of memory where the AEAD nonce is read from.
@param aadlen Length of the associated data.
@param aad Pointer to `aadlen` bytes of memory where the associated data is read from.

@param mlen Length of the message.
@param m Pointer to `mlen` bytes of memory where the message is read from.
@param cipher Pointer to `mlen` bytes of memory where the ciphertext is written to.
@param mac Pointer to 16 bytes of memory where the mac is written to.
*/
void
Hacl_Chacha20Poly1305_32_aead_encrypt(
    uint8_t *k,
    uint8_t *n,
    uint32_t aadlen,
    uint8_t *aad,
    uint32_t mlen,
    uint8_t *m,
    uint8_t *cipher,
    uint8_t *mac)
{
    Hacl_Chacha20_chacha20_encrypt(mlen, cipher, m, k, n, (uint32_t)1U);
    uint8_t tmp[64U] = { 0U };
    Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U);
    uint8_t *key = tmp;
    poly1305_do_32(key, aadlen, aad, mlen, cipher, mac);
}

/**
Decrypt a ciphertext `cipher` with key `k`.

The arguments `k`, `n`, `aadlen`, and `aad` are same in encryption/decryption.
Note: Encryption and decryption can be executed in-place, i.e., `m` and `cipher` can point to the same memory.

If decryption succeeds, the resulting plaintext is stored in `m` and the function returns the success code 0.
If decryption fails, the array `m` remains unchanged and the function returns the error code 1.

@param k Pointer to 32 bytes of memory where the AEAD key is read from.
@param n Pointer to 12 bytes of memory where the AEAD nonce is read from.
@param aadlen Length of the associated data.
@param aad Pointer to `aadlen` bytes of memory where the associated data is read from.

@param mlen Length of the ciphertext.
@param m Pointer to `mlen` bytes of memory where the message is written to.
@param cipher Pointer to `mlen` bytes of memory where the ciphertext is read from.
@param mac Pointer to 16 bytes of memory where the mac is read from.

@returns 0 on succeess; 1 on failure.
*/
uint32_t
Hacl_Chacha20Poly1305_32_aead_decrypt(
    uint8_t *k,
    uint8_t *n,
    uint32_t aadlen,
    uint8_t *aad,
    uint32_t mlen,
    uint8_t *m,
    uint8_t *cipher,
    uint8_t *mac)
{
    uint8_t computed_mac[16U] = { 0U };
    uint8_t tmp[64U] = { 0U };
    Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U);
    uint8_t *key = tmp;
    poly1305_do_32(key, aadlen, aad, mlen, cipher, computed_mac);
    uint8_t res = (uint8_t)255U;
    KRML_MAYBE_FOR16(i,
                     (uint32_t)0U,
                     (uint32_t)16U,
                     (uint32_t)1U,
                     uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]);
                     res = uu____0 & res;);
    uint8_t z = res;
    if (z == (uint8_t)255U) {
        Hacl_Chacha20_chacha20_encrypt(mlen, m, cipher, k, n, (uint32_t)1U);
        return (uint32_t)0U;
    }
    return (uint32_t)1U;
}

Coverage Report

Created: 2025-07-04 06:19

Line	Count	Source (jump to first uncovered line)
1		/* MIT License
2		*
3		* Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
4		* Copyright (c) 2022-2023 HACL* Contributors
5		*
6		* Permission is hereby granted, free of charge, to any person obtaining a copy
7		* of this software and associated documentation files (the "Software"), to deal
8		* in the Software without restriction, including without limitation the rights
9		* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10		* copies of the Software, and to permit persons to whom the Software is
11		* furnished to do so, subject to the following conditions:
12		*
13		* The above copyright notice and this permission notice shall be included in all
14		* copies or substantial portions of the Software.
15		*
16		* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17		* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18		* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19		* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20		* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21		* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22		* SOFTWARE.
23		*/
24
25		#include "Hacl_Chacha20Poly1305_32.h"
26
27		#include "internal/Hacl_Krmllib.h"
28
29		static inline void
30		poly1305_padded_32(uint64_t ctx, uint32_t len, uint8_t text)
31	0	{
32	0	uint32_t n = len / (uint32_t)16U;
33	0	uint32_t r = len % (uint32_t)16U;
34	0	uint8_t *blocks = text;
35	0	uint8_t rem = text + n (uint32_t)16U;
36	0	uint64_t *pre0 = ctx + (uint32_t)5U;
37	0	uint64_t *acc0 = ctx;
38	0	uint32_t nb = n * (uint32_t)16U / (uint32_t)16U;
39	0	uint32_t rem1 = n * (uint32_t)16U % (uint32_t)16U;
40	0	for (uint32_t i = (uint32_t)0U; i < nb; i++) {
41	0	uint8_t block = blocks + i (uint32_t)16U;
42	0	uint64_t e[5U] = { 0U };
43	0	uint64_t u0 = load64_le(block);
44	0	uint64_t lo = u0;
45	0	uint64_t u = load64_le(block + (uint32_t)8U);
46	0	uint64_t hi = u;
47	0	uint64_t f0 = lo;
48	0	uint64_t f1 = hi;
49	0	uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
50	0	uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
51	0	uint64_t f20 = f0 >> (uint32_t)52U \| (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
52	0	uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
53	0	uint64_t f40 = f1 >> (uint32_t)40U;
54	0	uint64_t f01 = f010;
55	0	uint64_t f111 = f110;
56	0	uint64_t f2 = f20;
57	0	uint64_t f3 = f30;
58	0	uint64_t f41 = f40;
59	0	e[0U] = f01;
60	0	e[1U] = f111;
61	0	e[2U] = f2;
62	0	e[3U] = f3;
63	0	e[4U] = f41;
64	0	uint64_t b = (uint64_t)0x1000000U;
65	0	uint64_t mask = b;
66	0	uint64_t f4 = e[4U];
67	0	e[4U] = f4 \| mask;
68	0	uint64_t *r1 = pre0;
69	0	uint64_t *r5 = pre0 + (uint32_t)5U;
70	0	uint64_t r0 = r1[0U];
71	0	uint64_t r11 = r1[1U];
72	0	uint64_t r2 = r1[2U];
73	0	uint64_t r3 = r1[3U];
74	0	uint64_t r4 = r1[4U];
75	0	uint64_t r51 = r5[1U];
76	0	uint64_t r52 = r5[2U];
77	0	uint64_t r53 = r5[3U];
78	0	uint64_t r54 = r5[4U];
79	0	uint64_t f10 = e[0U];
80	0	uint64_t f11 = e[1U];
81	0	uint64_t f12 = e[2U];
82	0	uint64_t f13 = e[3U];
83	0	uint64_t f14 = e[4U];
84	0	uint64_t a0 = acc0[0U];
85	0	uint64_t a1 = acc0[1U];
86	0	uint64_t a2 = acc0[2U];
87	0	uint64_t a3 = acc0[3U];
88	0	uint64_t a4 = acc0[4U];
89	0	uint64_t a01 = a0 + f10;
90	0	uint64_t a11 = a1 + f11;
91	0	uint64_t a21 = a2 + f12;
92	0	uint64_t a31 = a3 + f13;
93	0	uint64_t a41 = a4 + f14;
94	0	uint64_t a02 = r0 * a01;
95	0	uint64_t a12 = r11 * a01;
96	0	uint64_t a22 = r2 * a01;
97	0	uint64_t a32 = r3 * a01;
98	0	uint64_t a42 = r4 * a01;
99	0	uint64_t a03 = a02 + r54 * a11;
100	0	uint64_t a13 = a12 + r0 * a11;
101	0	uint64_t a23 = a22 + r11 * a11;
102	0	uint64_t a33 = a32 + r2 * a11;
103	0	uint64_t a43 = a42 + r3 * a11;
104	0	uint64_t a04 = a03 + r53 * a21;
105	0	uint64_t a14 = a13 + r54 * a21;
106	0	uint64_t a24 = a23 + r0 * a21;
107	0	uint64_t a34 = a33 + r11 * a21;
108	0	uint64_t a44 = a43 + r2 * a21;
109	0	uint64_t a05 = a04 + r52 * a31;
110	0	uint64_t a15 = a14 + r53 * a31;
111	0	uint64_t a25 = a24 + r54 * a31;
112	0	uint64_t a35 = a34 + r0 * a31;
113	0	uint64_t a45 = a44 + r11 * a31;
114	0	uint64_t a06 = a05 + r51 * a41;
115	0	uint64_t a16 = a15 + r52 * a41;
116	0	uint64_t a26 = a25 + r53 * a41;
117	0	uint64_t a36 = a35 + r54 * a41;
118	0	uint64_t a46 = a45 + r0 * a41;
119	0	uint64_t t0 = a06;
120	0	uint64_t t1 = a16;
121	0	uint64_t t2 = a26;
122	0	uint64_t t3 = a36;
123	0	uint64_t t4 = a46;
124	0	uint64_t mask26 = (uint64_t)0x3ffffffU;
125	0	uint64_t z0 = t0 >> (uint32_t)26U;
126	0	uint64_t z1 = t3 >> (uint32_t)26U;
127	0	uint64_t x0 = t0 & mask26;
128	0	uint64_t x3 = t3 & mask26;
129	0	uint64_t x1 = t1 + z0;
130	0	uint64_t x4 = t4 + z1;
131	0	uint64_t z01 = x1 >> (uint32_t)26U;
132	0	uint64_t z11 = x4 >> (uint32_t)26U;
133	0	uint64_t t = z11 << (uint32_t)2U;
134	0	uint64_t z12 = z11 + t;
135	0	uint64_t x11 = x1 & mask26;
136	0	uint64_t x41 = x4 & mask26;
137	0	uint64_t x2 = t2 + z01;
138	0	uint64_t x01 = x0 + z12;
139	0	uint64_t z02 = x2 >> (uint32_t)26U;
140	0	uint64_t z13 = x01 >> (uint32_t)26U;
141	0	uint64_t x21 = x2 & mask26;
142	0	uint64_t x02 = x01 & mask26;
143	0	uint64_t x31 = x3 + z02;
144	0	uint64_t x12 = x11 + z13;
145	0	uint64_t z03 = x31 >> (uint32_t)26U;
146	0	uint64_t x32 = x31 & mask26;
147	0	uint64_t x42 = x41 + z03;
148	0	uint64_t o0 = x02;
149	0	uint64_t o1 = x12;
150	0	uint64_t o2 = x21;
151	0	uint64_t o3 = x32;
152	0	uint64_t o4 = x42;
153	0	acc0[0U] = o0;
154	0	acc0[1U] = o1;
155	0	acc0[2U] = o2;
156	0	acc0[3U] = o3;
157	0	acc0[4U] = o4;
158	0	}
159	0	if (rem1 > (uint32_t)0U) {
160	0	uint8_t last = blocks + nb (uint32_t)16U;
161	0	uint64_t e[5U] = { 0U };
162	0	uint8_t tmp[16U] = { 0U };
163	0	memcpy(tmp, last, rem1 * sizeof(uint8_t));
164	0	uint64_t u0 = load64_le(tmp);
165	0	uint64_t lo = u0;
166	0	uint64_t u = load64_le(tmp + (uint32_t)8U);
167	0	uint64_t hi = u;
168	0	uint64_t f0 = lo;
169	0	uint64_t f1 = hi;
170	0	uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
171	0	uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
172	0	uint64_t f20 = f0 >> (uint32_t)52U \| (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
173	0	uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
174	0	uint64_t f40 = f1 >> (uint32_t)40U;
175	0	uint64_t f01 = f010;
176	0	uint64_t f111 = f110;
177	0	uint64_t f2 = f20;
178	0	uint64_t f3 = f30;
179	0	uint64_t f4 = f40;
180	0	e[0U] = f01;
181	0	e[1U] = f111;
182	0	e[2U] = f2;
183	0	e[3U] = f3;
184	0	e[4U] = f4;
185	0	uint64_t b = (uint64_t)1U << rem1 * (uint32_t)8U % (uint32_t)26U;
186	0	uint64_t mask = b;
187	0	uint64_t fi = e[rem1 * (uint32_t)8U / (uint32_t)26U];
188	0	e[rem1 * (uint32_t)8U / (uint32_t)26U] = fi \| mask;
189	0	uint64_t *r1 = pre0;
190	0	uint64_t *r5 = pre0 + (uint32_t)5U;
191	0	uint64_t r0 = r1[0U];
192	0	uint64_t r11 = r1[1U];
193	0	uint64_t r2 = r1[2U];
194	0	uint64_t r3 = r1[3U];
195	0	uint64_t r4 = r1[4U];
196	0	uint64_t r51 = r5[1U];
197	0	uint64_t r52 = r5[2U];
198	0	uint64_t r53 = r5[3U];
199	0	uint64_t r54 = r5[4U];
200	0	uint64_t f10 = e[0U];
201	0	uint64_t f11 = e[1U];
202	0	uint64_t f12 = e[2U];
203	0	uint64_t f13 = e[3U];
204	0	uint64_t f14 = e[4U];
205	0	uint64_t a0 = acc0[0U];
206	0	uint64_t a1 = acc0[1U];
207	0	uint64_t a2 = acc0[2U];
208	0	uint64_t a3 = acc0[3U];
209	0	uint64_t a4 = acc0[4U];
210	0	uint64_t a01 = a0 + f10;
211	0	uint64_t a11 = a1 + f11;
212	0	uint64_t a21 = a2 + f12;
213	0	uint64_t a31 = a3 + f13;
214	0	uint64_t a41 = a4 + f14;
215	0	uint64_t a02 = r0 * a01;
216	0	uint64_t a12 = r11 * a01;
217	0	uint64_t a22 = r2 * a01;
218	0	uint64_t a32 = r3 * a01;
219	0	uint64_t a42 = r4 * a01;
220	0	uint64_t a03 = a02 + r54 * a11;
221	0	uint64_t a13 = a12 + r0 * a11;
222	0	uint64_t a23 = a22 + r11 * a11;
223	0	uint64_t a33 = a32 + r2 * a11;
224	0	uint64_t a43 = a42 + r3 * a11;
225	0	uint64_t a04 = a03 + r53 * a21;
226	0	uint64_t a14 = a13 + r54 * a21;
227	0	uint64_t a24 = a23 + r0 * a21;
228	0	uint64_t a34 = a33 + r11 * a21;
229	0	uint64_t a44 = a43 + r2 * a21;
230	0	uint64_t a05 = a04 + r52 * a31;
231	0	uint64_t a15 = a14 + r53 * a31;
232	0	uint64_t a25 = a24 + r54 * a31;
233	0	uint64_t a35 = a34 + r0 * a31;
234	0	uint64_t a45 = a44 + r11 * a31;
235	0	uint64_t a06 = a05 + r51 * a41;
236	0	uint64_t a16 = a15 + r52 * a41;
237	0	uint64_t a26 = a25 + r53 * a41;
238	0	uint64_t a36 = a35 + r54 * a41;
239	0	uint64_t a46 = a45 + r0 * a41;
240	0	uint64_t t0 = a06;
241	0	uint64_t t1 = a16;
242	0	uint64_t t2 = a26;
243	0	uint64_t t3 = a36;
244	0	uint64_t t4 = a46;
245	0	uint64_t mask26 = (uint64_t)0x3ffffffU;
246	0	uint64_t z0 = t0 >> (uint32_t)26U;
247	0	uint64_t z1 = t3 >> (uint32_t)26U;
248	0	uint64_t x0 = t0 & mask26;
249	0	uint64_t x3 = t3 & mask26;
250	0	uint64_t x1 = t1 + z0;
251	0	uint64_t x4 = t4 + z1;
252	0	uint64_t z01 = x1 >> (uint32_t)26U;
253	0	uint64_t z11 = x4 >> (uint32_t)26U;
254	0	uint64_t t = z11 << (uint32_t)2U;
255	0	uint64_t z12 = z11 + t;
256	0	uint64_t x11 = x1 & mask26;
257	0	uint64_t x41 = x4 & mask26;
258	0	uint64_t x2 = t2 + z01;
259	0	uint64_t x01 = x0 + z12;
260	0	uint64_t z02 = x2 >> (uint32_t)26U;
261	0	uint64_t z13 = x01 >> (uint32_t)26U;
262	0	uint64_t x21 = x2 & mask26;
263	0	uint64_t x02 = x01 & mask26;
264	0	uint64_t x31 = x3 + z02;
265	0	uint64_t x12 = x11 + z13;
266	0	uint64_t z03 = x31 >> (uint32_t)26U;
267	0	uint64_t x32 = x31 & mask26;
268	0	uint64_t x42 = x41 + z03;
269	0	uint64_t o0 = x02;
270	0	uint64_t o1 = x12;
271	0	uint64_t o2 = x21;
272	0	uint64_t o3 = x32;
273	0	uint64_t o4 = x42;
274	0	acc0[0U] = o0;
275	0	acc0[1U] = o1;
276	0	acc0[2U] = o2;
277	0	acc0[3U] = o3;
278	0	acc0[4U] = o4;
279	0	}
280	0	uint8_t tmp[16U] = { 0U };
281	0	memcpy(tmp, rem, r * sizeof(uint8_t));
282	0	if (r > (uint32_t)0U) {
283	0	uint64_t *pre = ctx + (uint32_t)5U;
284	0	uint64_t *acc = ctx;
285	0	uint64_t e[5U] = { 0U };
286	0	uint64_t u0 = load64_le(tmp);
287	0	uint64_t lo = u0;
288	0	uint64_t u = load64_le(tmp + (uint32_t)8U);
289	0	uint64_t hi = u;
290	0	uint64_t f0 = lo;
291	0	uint64_t f1 = hi;
292	0	uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
293	0	uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
294	0	uint64_t f20 = f0 >> (uint32_t)52U \| (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
295	0	uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
296	0	uint64_t f40 = f1 >> (uint32_t)40U;
297	0	uint64_t f01 = f010;
298	0	uint64_t f111 = f110;
299	0	uint64_t f2 = f20;
300	0	uint64_t f3 = f30;
301	0	uint64_t f41 = f40;
302	0	e[0U] = f01;
303	0	e[1U] = f111;
304	0	e[2U] = f2;
305	0	e[3U] = f3;
306	0	e[4U] = f41;
307	0	uint64_t b = (uint64_t)0x1000000U;
308	0	uint64_t mask = b;
309	0	uint64_t f4 = e[4U];
310	0	e[4U] = f4 \| mask;
311	0	uint64_t *r1 = pre;
312	0	uint64_t *r5 = pre + (uint32_t)5U;
313	0	uint64_t r0 = r1[0U];
314	0	uint64_t r11 = r1[1U];
315	0	uint64_t r2 = r1[2U];
316	0	uint64_t r3 = r1[3U];
317	0	uint64_t r4 = r1[4U];
318	0	uint64_t r51 = r5[1U];
319	0	uint64_t r52 = r5[2U];
320	0	uint64_t r53 = r5[3U];
321	0	uint64_t r54 = r5[4U];
322	0	uint64_t f10 = e[0U];
323	0	uint64_t f11 = e[1U];
324	0	uint64_t f12 = e[2U];
325	0	uint64_t f13 = e[3U];
326	0	uint64_t f14 = e[4U];
327	0	uint64_t a0 = acc[0U];
328	0	uint64_t a1 = acc[1U];
329	0	uint64_t a2 = acc[2U];
330	0	uint64_t a3 = acc[3U];
331	0	uint64_t a4 = acc[4U];
332	0	uint64_t a01 = a0 + f10;
333	0	uint64_t a11 = a1 + f11;
334	0	uint64_t a21 = a2 + f12;
335	0	uint64_t a31 = a3 + f13;
336	0	uint64_t a41 = a4 + f14;
337	0	uint64_t a02 = r0 * a01;
338	0	uint64_t a12 = r11 * a01;
339	0	uint64_t a22 = r2 * a01;
340	0	uint64_t a32 = r3 * a01;
341	0	uint64_t a42 = r4 * a01;
342	0	uint64_t a03 = a02 + r54 * a11;
343	0	uint64_t a13 = a12 + r0 * a11;
344	0	uint64_t a23 = a22 + r11 * a11;
345	0	uint64_t a33 = a32 + r2 * a11;
346	0	uint64_t a43 = a42 + r3 * a11;
347	0	uint64_t a04 = a03 + r53 * a21;
348	0	uint64_t a14 = a13 + r54 * a21;
349	0	uint64_t a24 = a23 + r0 * a21;
350	0	uint64_t a34 = a33 + r11 * a21;
351	0	uint64_t a44 = a43 + r2 * a21;
352	0	uint64_t a05 = a04 + r52 * a31;
353	0	uint64_t a15 = a14 + r53 * a31;
354	0	uint64_t a25 = a24 + r54 * a31;
355	0	uint64_t a35 = a34 + r0 * a31;
356	0	uint64_t a45 = a44 + r11 * a31;
357	0	uint64_t a06 = a05 + r51 * a41;
358	0	uint64_t a16 = a15 + r52 * a41;
359	0	uint64_t a26 = a25 + r53 * a41;
360	0	uint64_t a36 = a35 + r54 * a41;
361	0	uint64_t a46 = a45 + r0 * a41;
362	0	uint64_t t0 = a06;
363	0	uint64_t t1 = a16;
364	0	uint64_t t2 = a26;
365	0	uint64_t t3 = a36;
366	0	uint64_t t4 = a46;
367	0	uint64_t mask26 = (uint64_t)0x3ffffffU;
368	0	uint64_t z0 = t0 >> (uint32_t)26U;
369	0	uint64_t z1 = t3 >> (uint32_t)26U;
370	0	uint64_t x0 = t0 & mask26;
371	0	uint64_t x3 = t3 & mask26;
372	0	uint64_t x1 = t1 + z0;
373	0	uint64_t x4 = t4 + z1;
374	0	uint64_t z01 = x1 >> (uint32_t)26U;
375	0	uint64_t z11 = x4 >> (uint32_t)26U;
376	0	uint64_t t = z11 << (uint32_t)2U;
377	0	uint64_t z12 = z11 + t;
378	0	uint64_t x11 = x1 & mask26;
379	0	uint64_t x41 = x4 & mask26;
380	0	uint64_t x2 = t2 + z01;
381	0	uint64_t x01 = x0 + z12;
382	0	uint64_t z02 = x2 >> (uint32_t)26U;
383	0	uint64_t z13 = x01 >> (uint32_t)26U;
384	0	uint64_t x21 = x2 & mask26;
385	0	uint64_t x02 = x01 & mask26;
386	0	uint64_t x31 = x3 + z02;
387	0	uint64_t x12 = x11 + z13;
388	0	uint64_t z03 = x31 >> (uint32_t)26U;
389	0	uint64_t x32 = x31 & mask26;
390	0	uint64_t x42 = x41 + z03;
391	0	uint64_t o0 = x02;
392	0	uint64_t o1 = x12;
393	0	uint64_t o2 = x21;
394	0	uint64_t o3 = x32;
395	0	uint64_t o4 = x42;
396	0	acc[0U] = o0;
397	0	acc[1U] = o1;
398	0	acc[2U] = o2;
399	0	acc[3U] = o3;
400	0	acc[4U] = o4;
401	0	return;
402	0	}
403	0	}
404
405		static inline void
406		poly1305_do_32(
407		uint8_t *k,
408		uint32_t aadlen,
409		uint8_t *aad,
410		uint32_t mlen,
411		uint8_t *m,
412		uint8_t *out)
413	0	{
414	0	uint64_t ctx[25U] = { 0U };
415	0	uint8_t block[16U] = { 0U };
416	0	Hacl_Poly1305_32_poly1305_init(ctx, k);
417	0	if (aadlen != (uint32_t)0U) {
418	0	poly1305_padded_32(ctx, aadlen, aad);
419	0	}
420	0	if (mlen != (uint32_t)0U) {
421	0	poly1305_padded_32(ctx, mlen, m);
422	0	}
423	0	store64_le(block, (uint64_t)aadlen);
424	0	store64_le(block + (uint32_t)8U, (uint64_t)mlen);
425	0	uint64_t *pre = ctx + (uint32_t)5U;
426	0	uint64_t *acc = ctx;
427	0	uint64_t e[5U] = { 0U };
428	0	uint64_t u0 = load64_le(block);
429	0	uint64_t lo = u0;
430	0	uint64_t u = load64_le(block + (uint32_t)8U);
431	0	uint64_t hi = u;
432	0	uint64_t f0 = lo;
433	0	uint64_t f1 = hi;
434	0	uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
435	0	uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
436	0	uint64_t f20 = f0 >> (uint32_t)52U \| (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
437	0	uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
438	0	uint64_t f40 = f1 >> (uint32_t)40U;
439	0	uint64_t f01 = f010;
440	0	uint64_t f111 = f110;
441	0	uint64_t f2 = f20;
442	0	uint64_t f3 = f30;
443	0	uint64_t f41 = f40;
444	0	e[0U] = f01;
445	0	e[1U] = f111;
446	0	e[2U] = f2;
447	0	e[3U] = f3;
448	0	e[4U] = f41;
449	0	uint64_t b = (uint64_t)0x1000000U;
450	0	uint64_t mask = b;
451	0	uint64_t f4 = e[4U];
452	0	e[4U] = f4 \| mask;
453	0	uint64_t *r = pre;
454	0	uint64_t *r5 = pre + (uint32_t)5U;
455	0	uint64_t r0 = r[0U];
456	0	uint64_t r1 = r[1U];
457	0	uint64_t r2 = r[2U];
458	0	uint64_t r3 = r[3U];
459	0	uint64_t r4 = r[4U];
460	0	uint64_t r51 = r5[1U];
461	0	uint64_t r52 = r5[2U];
462	0	uint64_t r53 = r5[3U];
463	0	uint64_t r54 = r5[4U];
464	0	uint64_t f10 = e[0U];
465	0	uint64_t f11 = e[1U];
466	0	uint64_t f12 = e[2U];
467	0	uint64_t f13 = e[3U];
468	0	uint64_t f14 = e[4U];
469	0	uint64_t a0 = acc[0U];
470	0	uint64_t a1 = acc[1U];
471	0	uint64_t a2 = acc[2U];
472	0	uint64_t a3 = acc[3U];
473	0	uint64_t a4 = acc[4U];
474	0	uint64_t a01 = a0 + f10;
475	0	uint64_t a11 = a1 + f11;
476	0	uint64_t a21 = a2 + f12;
477	0	uint64_t a31 = a3 + f13;
478	0	uint64_t a41 = a4 + f14;
479	0	uint64_t a02 = r0 * a01;
480	0	uint64_t a12 = r1 * a01;
481	0	uint64_t a22 = r2 * a01;
482	0	uint64_t a32 = r3 * a01;
483	0	uint64_t a42 = r4 * a01;
484	0	uint64_t a03 = a02 + r54 * a11;
485	0	uint64_t a13 = a12 + r0 * a11;
486	0	uint64_t a23 = a22 + r1 * a11;
487	0	uint64_t a33 = a32 + r2 * a11;
488	0	uint64_t a43 = a42 + r3 * a11;
489	0	uint64_t a04 = a03 + r53 * a21;
490	0	uint64_t a14 = a13 + r54 * a21;
491	0	uint64_t a24 = a23 + r0 * a21;
492	0	uint64_t a34 = a33 + r1 * a21;
493	0	uint64_t a44 = a43 + r2 * a21;
494	0	uint64_t a05 = a04 + r52 * a31;
495	0	uint64_t a15 = a14 + r53 * a31;
496	0	uint64_t a25 = a24 + r54 * a31;
497	0	uint64_t a35 = a34 + r0 * a31;
498	0	uint64_t a45 = a44 + r1 * a31;
499	0	uint64_t a06 = a05 + r51 * a41;
500	0	uint64_t a16 = a15 + r52 * a41;
501	0	uint64_t a26 = a25 + r53 * a41;
502	0	uint64_t a36 = a35 + r54 * a41;
503	0	uint64_t a46 = a45 + r0 * a41;
504	0	uint64_t t0 = a06;
505	0	uint64_t t1 = a16;
506	0	uint64_t t2 = a26;
507	0	uint64_t t3 = a36;
508	0	uint64_t t4 = a46;
509	0	uint64_t mask26 = (uint64_t)0x3ffffffU;
510	0	uint64_t z0 = t0 >> (uint32_t)26U;
511	0	uint64_t z1 = t3 >> (uint32_t)26U;
512	0	uint64_t x0 = t0 & mask26;
513	0	uint64_t x3 = t3 & mask26;
514	0	uint64_t x1 = t1 + z0;
515	0	uint64_t x4 = t4 + z1;
516	0	uint64_t z01 = x1 >> (uint32_t)26U;
517	0	uint64_t z11 = x4 >> (uint32_t)26U;
518	0	uint64_t t = z11 << (uint32_t)2U;
519	0	uint64_t z12 = z11 + t;
520	0	uint64_t x11 = x1 & mask26;
521	0	uint64_t x41 = x4 & mask26;
522	0	uint64_t x2 = t2 + z01;
523	0	uint64_t x01 = x0 + z12;
524	0	uint64_t z02 = x2 >> (uint32_t)26U;
525	0	uint64_t z13 = x01 >> (uint32_t)26U;
526	0	uint64_t x21 = x2 & mask26;
527	0	uint64_t x02 = x01 & mask26;
528	0	uint64_t x31 = x3 + z02;
529	0	uint64_t x12 = x11 + z13;
530	0	uint64_t z03 = x31 >> (uint32_t)26U;
531	0	uint64_t x32 = x31 & mask26;
532	0	uint64_t x42 = x41 + z03;
533	0	uint64_t o0 = x02;
534	0	uint64_t o1 = x12;
535	0	uint64_t o2 = x21;
536	0	uint64_t o3 = x32;
537	0	uint64_t o4 = x42;
538	0	acc[0U] = o0;
539	0	acc[1U] = o1;
540	0	acc[2U] = o2;
541	0	acc[3U] = o3;
542	0	acc[4U] = o4;
543	0	Hacl_Poly1305_32_poly1305_finish(out, k, ctx);
544	0	}
545
546		/**
547		Encrypt a message `m` with key `k`.
548
549		The arguments `k`, `n`, `aadlen`, and `aad` are same in encryption/decryption.
550		Note: Encryption and decryption can be executed in-place, i.e., `m` and `cipher` can point to the same memory.
551
552		@param k Pointer to 32 bytes of memory where the AEAD key is read from.
553		@param n Pointer to 12 bytes of memory where the AEAD nonce is read from.
554		@param aadlen Length of the associated data.
555		@param aad Pointer to `aadlen` bytes of memory where the associated data is read from.
556
557		@param mlen Length of the message.
558		@param m Pointer to `mlen` bytes of memory where the message is read from.
559		@param cipher Pointer to `mlen` bytes of memory where the ciphertext is written to.
560		@param mac Pointer to 16 bytes of memory where the mac is written to.
561		*/
562		void
563		Hacl_Chacha20Poly1305_32_aead_encrypt(
564		uint8_t *k,
565		uint8_t *n,
566		uint32_t aadlen,
567		uint8_t *aad,
568		uint32_t mlen,
569		uint8_t *m,
570		uint8_t *cipher,
571		uint8_t *mac)
572	0	{
573	0	Hacl_Chacha20_chacha20_encrypt(mlen, cipher, m, k, n, (uint32_t)1U);
574	0	uint8_t tmp[64U] = { 0U };
575	0	Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U);
576	0	uint8_t *key = tmp;
577	0	poly1305_do_32(key, aadlen, aad, mlen, cipher, mac);
578	0	}
579
580		/**
581		Decrypt a ciphertext `cipher` with key `k`.
582
583		The arguments `k`, `n`, `aadlen`, and `aad` are same in encryption/decryption.
584		Note: Encryption and decryption can be executed in-place, i.e., `m` and `cipher` can point to the same memory.
585
586		If decryption succeeds, the resulting plaintext is stored in `m` and the function returns the success code 0.
587		If decryption fails, the array `m` remains unchanged and the function returns the error code 1.
588
589		@param k Pointer to 32 bytes of memory where the AEAD key is read from.
590		@param n Pointer to 12 bytes of memory where the AEAD nonce is read from.
591		@param aadlen Length of the associated data.
592		@param aad Pointer to `aadlen` bytes of memory where the associated data is read from.
593
594		@param mlen Length of the ciphertext.
595		@param m Pointer to `mlen` bytes of memory where the message is written to.
596		@param cipher Pointer to `mlen` bytes of memory where the ciphertext is read from.
597		@param mac Pointer to 16 bytes of memory where the mac is read from.
598
599		@returns 0 on succeess; 1 on failure.
600		*/
601		uint32_t
602		Hacl_Chacha20Poly1305_32_aead_decrypt(
603		uint8_t *k,
604		uint8_t *n,
605		uint32_t aadlen,
606		uint8_t *aad,
607		uint32_t mlen,
608		uint8_t *m,
609		uint8_t *cipher,
610		uint8_t *mac)
611	0	{
612	0	uint8_t computed_mac[16U] = { 0U };
613	0	uint8_t tmp[64U] = { 0U };
614	0	Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n, (uint32_t)0U);
615	0	uint8_t *key = tmp;
616	0	poly1305_do_32(key, aadlen, aad, mlen, cipher, computed_mac);
617	0	uint8_t res = (uint8_t)255U;
618	0	KRML_MAYBE_FOR16(i,
619	0	(uint32_t)0U,
620	0	(uint32_t)16U,
621	0	(uint32_t)1U,
622	0	uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]);
623	0	res = uu____0 & res;);
624	0	uint8_t z = res;
625	0	if (z == (uint8_t)255U) {
626	0	Hacl_Chacha20_chacha20_encrypt(mlen, m, cipher, k, n, (uint32_t)1U);
627	0	return (uint32_t)0U;
628	0	}
629	0	return (uint32_t)1U;
630	0	}