Copy disabled (too large)
Download .txt
Showing preview only (94,648K chars total). Download the full file to get everything.
Repository: mitls/hacl-star
Branch: main
Commit: 504c2987452f
Files: 3635
Total size: 89.6 MB
Directory structure:
gitextract_a7f9amyb/
├── .ci/
│ ├── script.bat
│ └── script.sh
├── .docker/
│ └── build/
│ ├── build.sh
│ ├── build_helper.sh
│ ├── config.json
│ ├── linux/
│ │ └── Dockerfile
│ └── windows-nt/
│ └── Dockerfile
├── .drone.yml
├── .gitattributes
├── .github/
│ ├── ISSUE_TEMPLATE/
│ │ ├── bug-report.md
│ │ ├── feature_request.md
│ │ ├── performance-issue.md
│ │ └── proof-issue.md
│ └── workflows/
│ ├── dist.yml
│ ├── hacl-packages-create-branch.yml
│ ├── hacl-packages-delete-branch.yml
│ ├── hintsanddist.yml
│ └── nix.yml
├── .gitignore
├── .nix/
│ ├── hacl.nix
│ └── vale.nix
├── .scripts/
│ ├── memhogs.sh
│ └── remove_stale_hints.sh
├── CHANGES.md
├── CODEOWNERS
├── CODE_OF_CONDUCT.md
├── GOVERNANCE.md
├── Hacl.fst.config.json
├── LICENSE
├── MAINTAINERS.md
├── Makefile
├── Makefile.common
├── Makefile.include
├── Makefile.local
├── Makefile.openssl
├── PULL_REQUEST.md
├── README.md
├── SECURITY.md
├── build_local.sh
├── code/
│ ├── bignum/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Bignum.Addition.fst
│ │ ├── Hacl.Bignum.AlmostMontExponentiation.fst
│ │ ├── Hacl.Bignum.AlmostMontgomery.fst
│ │ ├── Hacl.Bignum.AlmostMontgomery.fsti
│ │ ├── Hacl.Bignum.Base.fst
│ │ ├── Hacl.Bignum.Comparison.fst
│ │ ├── Hacl.Bignum.Convert.fst
│ │ ├── Hacl.Bignum.Definitions.fst
│ │ ├── Hacl.Bignum.Exponentiation.fst
│ │ ├── Hacl.Bignum.Exponentiation.fsti
│ │ ├── Hacl.Bignum.Karatsuba.fst
│ │ ├── Hacl.Bignum.Lib.fst
│ │ ├── Hacl.Bignum.ModInv.fst
│ │ ├── Hacl.Bignum.ModInvLimb.fst
│ │ ├── Hacl.Bignum.ModInvLimb.fsti
│ │ ├── Hacl.Bignum.ModReduction.fst
│ │ ├── Hacl.Bignum.MontArithmetic.fst
│ │ ├── Hacl.Bignum.MontArithmetic.fsti
│ │ ├── Hacl.Bignum.MontExponentiation.fst
│ │ ├── Hacl.Bignum.Montgomery.fst
│ │ ├── Hacl.Bignum.Montgomery.fsti
│ │ ├── Hacl.Bignum.Multiplication.fst
│ │ ├── Hacl.Bignum.SafeAPI.fst
│ │ ├── Hacl.Bignum.fst
│ │ ├── Hacl.Bignum.fsti
│ │ ├── Hacl.Bignum256.fst
│ │ ├── Hacl.Bignum256.fsti
│ │ ├── Hacl.Bignum256_32.fst
│ │ ├── Hacl.Bignum256_32.fsti
│ │ ├── Hacl.Bignum32.fst
│ │ ├── Hacl.Bignum32.fsti
│ │ ├── Hacl.Bignum4096.fst
│ │ ├── Hacl.Bignum4096.fsti
│ │ ├── Hacl.Bignum4096_32.fst
│ │ ├── Hacl.Bignum4096_32.fsti
│ │ ├── Hacl.Bignum64.fst
│ │ ├── Hacl.Bignum64.fsti
│ │ ├── Hacl.GenericField32.fst
│ │ ├── Hacl.GenericField32.fsti
│ │ ├── Hacl.GenericField64.fst
│ │ ├── Hacl.GenericField64.fsti
│ │ ├── Hacl.Impl.Exponentiation.Definitions.fst
│ │ ├── Hacl.Impl.Exponentiation.fst
│ │ ├── Hacl.Impl.Exponentiation.fsti
│ │ ├── Hacl.Impl.Lib.fst
│ │ ├── Hacl.Impl.MultiExponentiation.fst
│ │ ├── Hacl.Impl.MultiExponentiation.fsti
│ │ ├── Hacl.Impl.PrecompTable.fst
│ │ ├── Hacl.Impl.PrecompTable.fsti
│ │ ├── Hacl.Spec.AlmostMontgomery.Lemmas.fst
│ │ ├── Hacl.Spec.Bignum.Addition.fst
│ │ ├── Hacl.Spec.Bignum.AlmostMontExponentiation.fst
│ │ ├── Hacl.Spec.Bignum.AlmostMontgomery.fst
│ │ ├── Hacl.Spec.Bignum.AlmostMontgomery.fsti
│ │ ├── Hacl.Spec.Bignum.Base.fst
│ │ ├── Hacl.Spec.Bignum.Comparison.fst
│ │ ├── Hacl.Spec.Bignum.Convert.fst
│ │ ├── Hacl.Spec.Bignum.Definitions.fst
│ │ ├── Hacl.Spec.Bignum.Exponentiation.fst
│ │ ├── Hacl.Spec.Bignum.Exponentiation.fsti
│ │ ├── Hacl.Spec.Bignum.Karatsuba.fst
│ │ ├── Hacl.Spec.Bignum.Lib.fst
│ │ ├── Hacl.Spec.Bignum.ModInv.fst
│ │ ├── Hacl.Spec.Bignum.ModInvLimb.fst
│ │ ├── Hacl.Spec.Bignum.ModInvLimb.fsti
│ │ ├── Hacl.Spec.Bignum.ModReduction.fst
│ │ ├── Hacl.Spec.Bignum.MontArithmetic.fst
│ │ ├── Hacl.Spec.Bignum.MontArithmetic.fsti
│ │ ├── Hacl.Spec.Bignum.MontExponentiation.fst
│ │ ├── Hacl.Spec.Bignum.Montgomery.fst
│ │ ├── Hacl.Spec.Bignum.Montgomery.fsti
│ │ ├── Hacl.Spec.Bignum.Multiplication.fst
│ │ ├── Hacl.Spec.Bignum.Squaring.fst
│ │ ├── Hacl.Spec.Bignum.fst
│ │ ├── Hacl.Spec.Bignum.fsti
│ │ ├── Hacl.Spec.Exponentiation.Lemmas.fst
│ │ ├── Hacl.Spec.Karatsuba.Lemmas.fst
│ │ ├── Hacl.Spec.Lib.fst
│ │ ├── Hacl.Spec.Montgomery.Lemmas.fst
│ │ ├── Hacl.Spec.PrecompBaseTable.fst
│ │ ├── Hacl.Spec.PrecompBaseTable.fsti
│ │ ├── Hacl.Spec.PrecompBaseTable256.fst
│ │ ├── Hacl.Spec.PrecompBaseTable256.fsti
│ │ ├── Hacl.Spec.PrecompTable.fst
│ │ ├── Makefile
│ │ └── README.md
│ ├── blake2/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Blake2b_256.fst
│ │ ├── Hacl.Blake2b_32.fst
│ │ ├── Hacl.Blake2s_128.fst
│ │ ├── Hacl.Blake2s_32.fst
│ │ ├── Hacl.Impl.Blake2.Constants.fst
│ │ ├── Hacl.Impl.Blake2.Core.fst
│ │ ├── Hacl.Impl.Blake2.Core.fsti
│ │ ├── Hacl.Impl.Blake2.Generic.fst
│ │ └── Makefile
│ ├── chacha20/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Chacha20.Vec128.fst
│ │ ├── Hacl.Chacha20.Vec256.fst
│ │ ├── Hacl.Chacha20.Vec32.fst
│ │ ├── Hacl.Chacha20.fst
│ │ ├── Hacl.Impl.Chacha20.Core32.fst
│ │ ├── Hacl.Impl.Chacha20.Core32xN.fst
│ │ ├── Hacl.Impl.Chacha20.Vec.fst
│ │ ├── Hacl.Impl.Chacha20.fst
│ │ ├── Hacl.Meta.Chacha20.Vec.fst
│ │ ├── Hacl.Spec.Chacha20.Equiv.fst
│ │ ├── Hacl.Spec.Chacha20.Lemmas.fst
│ │ ├── Hacl.Spec.Chacha20.Vec.fst
│ │ └── Makefile
│ ├── chacha20poly1305/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Chacha20Poly1305_128.fst
│ │ ├── Hacl.Chacha20Poly1305_256.fst
│ │ ├── Hacl.Chacha20Poly1305_32.fst
│ │ ├── Hacl.Impl.Chacha20Poly1305.PolyCore.fst
│ │ ├── Hacl.Impl.Chacha20Poly1305.fst
│ │ ├── Hacl.Meta.Chacha20Poly1305.fst
│ │ └── Makefile
│ ├── curve25519/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Curve25519_51.fst
│ │ ├── Hacl.Curve25519_51.fsti
│ │ ├── Hacl.Curve25519_64.fst
│ │ ├── Hacl.Curve25519_64.fsti
│ │ ├── Hacl.Curve25519_64_Local.fst
│ │ ├── Hacl.Curve25519_64_Local.fsti
│ │ ├── Hacl.Curve25519_64_Slow.fst
│ │ ├── Hacl.Curve25519_64_Slow.fsti
│ │ ├── Hacl.Impl.Curve25519.AddAndDouble.fst
│ │ ├── Hacl.Impl.Curve25519.Field51.fst
│ │ ├── Hacl.Impl.Curve25519.Field64.Hacl.fst
│ │ ├── Hacl.Impl.Curve25519.Field64.Hacl.fsti
│ │ ├── Hacl.Impl.Curve25519.Field64.Local.fsti
│ │ ├── Hacl.Impl.Curve25519.Field64.Vale.fst
│ │ ├── Hacl.Impl.Curve25519.Field64.Vale.fsti
│ │ ├── Hacl.Impl.Curve25519.Field64.fst
│ │ ├── Hacl.Impl.Curve25519.Fields.Core.fsti
│ │ ├── Hacl.Impl.Curve25519.Fields.fst
│ │ ├── Hacl.Impl.Curve25519.Finv.fst
│ │ ├── Hacl.Impl.Curve25519.Generic.fst
│ │ ├── Hacl.Impl.Curve25519.Generic.fsti
│ │ ├── Hacl.Impl.Curve25519.Lemmas.fst
│ │ ├── Hacl.Meta.Curve25519.fst
│ │ ├── Hacl.Meta.Curve25519.fsti
│ │ ├── Hacl.Spec.Curve25519.AddAndDouble.fst
│ │ ├── Hacl.Spec.Curve25519.Field51.Definition.fst
│ │ ├── Hacl.Spec.Curve25519.Field51.Lemmas.fst
│ │ ├── Hacl.Spec.Curve25519.Field51.fst
│ │ ├── Hacl.Spec.Curve25519.Field64.Core.fst
│ │ ├── Hacl.Spec.Curve25519.Field64.Definition.fst
│ │ ├── Hacl.Spec.Curve25519.Field64.Lemmas.fst
│ │ ├── Hacl.Spec.Curve25519.Field64.fst
│ │ ├── Hacl.Spec.Curve25519.Finv.fst
│ │ └── Makefile
│ ├── drbg/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.HMAC_DRBG.fst
│ │ ├── Hacl.HMAC_DRBG.fsti
│ │ └── Makefile
│ ├── ecdsap256/
│ │ ├── Hacl.Impl.P256.Bignum.fst
│ │ ├── Hacl.Impl.P256.Bignum.fsti
│ │ ├── Hacl.Impl.P256.Compression.fst
│ │ ├── Hacl.Impl.P256.Compression.fsti
│ │ ├── Hacl.Impl.P256.Constants.fst
│ │ ├── Hacl.Impl.P256.DH.fst
│ │ ├── Hacl.Impl.P256.DH.fsti
│ │ ├── Hacl.Impl.P256.Field.fst
│ │ ├── Hacl.Impl.P256.Field.fsti
│ │ ├── Hacl.Impl.P256.Finv.fst
│ │ ├── Hacl.Impl.P256.Finv.fsti
│ │ ├── Hacl.Impl.P256.Group.fst
│ │ ├── Hacl.Impl.P256.Point.fst
│ │ ├── Hacl.Impl.P256.Point.fsti
│ │ ├── Hacl.Impl.P256.PointAdd.fst
│ │ ├── Hacl.Impl.P256.PointAdd.fsti
│ │ ├── Hacl.Impl.P256.PointDouble.fst
│ │ ├── Hacl.Impl.P256.PointDouble.fsti
│ │ ├── Hacl.Impl.P256.PointMul.fst
│ │ ├── Hacl.Impl.P256.PointMul.fsti
│ │ ├── Hacl.Impl.P256.Qinv.fst
│ │ ├── Hacl.Impl.P256.Qinv.fsti
│ │ ├── Hacl.Impl.P256.Scalar.fst
│ │ ├── Hacl.Impl.P256.Scalar.fsti
│ │ ├── Hacl.Impl.P256.Sign.fst
│ │ ├── Hacl.Impl.P256.Verify.fst
│ │ ├── Hacl.P256.PrecompTable.fst
│ │ ├── Hacl.P256.PrecompTable.fsti
│ │ ├── Hacl.P256.fst
│ │ ├── Hacl.P256.fsti
│ │ ├── Hacl.Spec.P256.Finv.fst
│ │ ├── Hacl.Spec.P256.Montgomery.fst
│ │ ├── Hacl.Spec.P256.Montgomery.fsti
│ │ ├── Hacl.Spec.P256.PrecompTable.fst
│ │ ├── Hacl.Spec.P256.PrecompTable.fsti
│ │ ├── Hacl.Spec.P256.Qinv.fst
│ │ └── Makefile
│ ├── ed25519/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Benchmark.Ed25519.c
│ │ ├── Hacl.Bignum25519.fst
│ │ ├── Hacl.Bignum25519.fsti
│ │ ├── Hacl.EC.Ed25519.fst
│ │ ├── Hacl.Ed25519.PrecompTable.fst
│ │ ├── Hacl.Ed25519.PrecompTable.fsti
│ │ ├── Hacl.Ed25519.fst
│ │ ├── Hacl.Ed25519.fsti
│ │ ├── Hacl.Impl.BignumQ.Mul.fst
│ │ ├── Hacl.Impl.BignumQ.Mul.fsti
│ │ ├── Hacl.Impl.Ed25519.Field51.fst
│ │ ├── Hacl.Impl.Ed25519.Group.fst
│ │ ├── Hacl.Impl.Ed25519.Ladder.fst
│ │ ├── Hacl.Impl.Ed25519.Ladder.fsti
│ │ ├── Hacl.Impl.Ed25519.PointAdd.fst
│ │ ├── Hacl.Impl.Ed25519.PointCompress.fst
│ │ ├── Hacl.Impl.Ed25519.PointConstants.fst
│ │ ├── Hacl.Impl.Ed25519.PointDecompress.fst
│ │ ├── Hacl.Impl.Ed25519.PointDouble.fst
│ │ ├── Hacl.Impl.Ed25519.PointEqual.fst
│ │ ├── Hacl.Impl.Ed25519.PointNegate.fst
│ │ ├── Hacl.Impl.Ed25519.Pow2_252m2.fst
│ │ ├── Hacl.Impl.Ed25519.RecoverX.fst
│ │ ├── Hacl.Impl.Ed25519.Sign.fst
│ │ ├── Hacl.Impl.Ed25519.Verify.fst
│ │ ├── Hacl.Impl.Load56.fst
│ │ ├── Hacl.Impl.SHA512.ModQ.fst
│ │ ├── Hacl.Impl.Store56.fst
│ │ ├── Hacl.Spec.BignumQ.Definitions.fst
│ │ ├── Hacl.Spec.BignumQ.Lemmas.fst
│ │ ├── Hacl.Spec.BignumQ.Mul.fst
│ │ ├── Hacl.Spec.Ed25519.PrecompTable.fst
│ │ ├── Hacl.Spec.Ed25519.PrecompTable.fsti
│ │ ├── Hacl.Test.Ed25519.fst
│ │ └── Makefile
│ ├── fallback/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.IntTypes.Intrinsics.fst
│ │ ├── Hacl.IntTypes.Intrinsics_128.fst
│ │ ├── Makefile
│ │ └── README.md
│ ├── ffdhe/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.FFDHE.fst
│ │ ├── Hacl.Impl.FFDHE.Constants.fst
│ │ ├── Hacl.Impl.FFDHE.fst
│ │ ├── Hacl.Spec.FFDHE.Lemmas.fst
│ │ └── Makefile
│ ├── frodo/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.AES128.fsti
│ │ ├── Hacl.Frodo.KEM.fst
│ │ ├── Hacl.Frodo.Random.fst
│ │ ├── Hacl.Frodo.Random.fsti
│ │ ├── Hacl.Frodo1344.fst
│ │ ├── Hacl.Frodo64.fst
│ │ ├── Hacl.Frodo640.fst
│ │ ├── Hacl.Frodo976.fst
│ │ ├── Hacl.Impl.Frodo.Encode.fst
│ │ ├── Hacl.Impl.Frodo.Gen.fst
│ │ ├── Hacl.Impl.Frodo.KEM.Decaps.fst
│ │ ├── Hacl.Impl.Frodo.KEM.Encaps.fst
│ │ ├── Hacl.Impl.Frodo.KEM.KeyGen.fst
│ │ ├── Hacl.Impl.Frodo.KEM.fst
│ │ ├── Hacl.Impl.Frodo.Pack.fst
│ │ ├── Hacl.Impl.Frodo.Params.fst
│ │ ├── Hacl.Impl.Frodo.Sample.fst
│ │ ├── Hacl.Impl.Matrix.fst
│ │ ├── Hacl.Keccak.fst
│ │ ├── Hacl.Keccak.fsti
│ │ └── Makefile
│ ├── hash/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Hash.Blake2b_256.fst
│ │ ├── Hacl.Hash.Blake2b_256.fsti
│ │ ├── Hacl.Hash.Blake2b_32.fst
│ │ ├── Hacl.Hash.Blake2b_32.fsti
│ │ ├── Hacl.Hash.Blake2s_128.fst
│ │ ├── Hacl.Hash.Blake2s_128.fsti
│ │ ├── Hacl.Hash.Blake2s_32.fst
│ │ ├── Hacl.Hash.Blake2s_32.fsti
│ │ ├── Hacl.Hash.Core.MD5.fst
│ │ ├── Hacl.Hash.Core.MD5.fsti
│ │ ├── Hacl.Hash.Core.SHA1.fst
│ │ ├── Hacl.Hash.Core.SHA1.fsti
│ │ ├── Hacl.Hash.Definitions.fst
│ │ ├── Hacl.Hash.Lemmas.fst
│ │ ├── Hacl.Hash.MD.fst
│ │ ├── Hacl.Hash.MD.fsti
│ │ ├── Hacl.Hash.MD5.fst
│ │ ├── Hacl.Hash.MD5.fsti
│ │ ├── Hacl.Hash.PadFinish.fst
│ │ ├── Hacl.Hash.PadFinish.fsti
│ │ ├── Hacl.Hash.SHA1.fst
│ │ ├── Hacl.Hash.SHA1.fsti
│ │ ├── Hacl.Hash.SHA2.fst
│ │ ├── Hacl.Hash.SHA2.fsti
│ │ ├── Hacl.Hash.SHA3.fst
│ │ ├── Hacl.Hash.SHA3.fsti
│ │ ├── Makefile
│ │ └── README.md
│ ├── hkdf/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.HKDF.Blake2b_256.fst
│ │ ├── Hacl.HKDF.Blake2s_128.fst
│ │ ├── Hacl.HKDF.fst
│ │ ├── Hacl.HKDF.fsti
│ │ └── Makefile
│ ├── hmac/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.HMAC.Blake2b_256.fst
│ │ ├── Hacl.HMAC.Blake2s_128.fst
│ │ ├── Hacl.HMAC.fst
│ │ ├── Hacl.HMAC.fsti
│ │ └── Makefile
│ ├── hpke/
│ │ ├── Hacl.HPKE.Curve51_CP128_SHA256.fst
│ │ ├── Hacl.HPKE.Curve51_CP128_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve51_CP128_SHA512.fst
│ │ ├── Hacl.HPKE.Curve51_CP128_SHA512.fsti
│ │ ├── Hacl.HPKE.Curve51_CP256_SHA256.fst
│ │ ├── Hacl.HPKE.Curve51_CP256_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve51_CP256_SHA512.fst
│ │ ├── Hacl.HPKE.Curve51_CP256_SHA512.fsti
│ │ ├── Hacl.HPKE.Curve51_CP32_SHA256.fst
│ │ ├── Hacl.HPKE.Curve51_CP32_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve51_CP32_SHA512.fst
│ │ ├── Hacl.HPKE.Curve51_CP32_SHA512.fsti
│ │ ├── Hacl.HPKE.Curve64_CP128_SHA256.fst
│ │ ├── Hacl.HPKE.Curve64_CP128_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve64_CP128_SHA512.fst
│ │ ├── Hacl.HPKE.Curve64_CP128_SHA512.fsti
│ │ ├── Hacl.HPKE.Curve64_CP256_SHA256.fst
│ │ ├── Hacl.HPKE.Curve64_CP256_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve64_CP256_SHA512.fst
│ │ ├── Hacl.HPKE.Curve64_CP256_SHA512.fsti
│ │ ├── Hacl.HPKE.Curve64_CP32_SHA256.fst
│ │ ├── Hacl.HPKE.Curve64_CP32_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve64_CP32_SHA512.fst
│ │ ├── Hacl.HPKE.Curve64_CP32_SHA512.fsti
│ │ ├── Hacl.HPKE.Interface.AEAD.fst
│ │ ├── Hacl.HPKE.Interface.AEAD.fsti
│ │ ├── Hacl.HPKE.Interface.DH.fst
│ │ ├── Hacl.HPKE.Interface.HKDF.fst
│ │ ├── Hacl.HPKE.Interface.Hash.fst
│ │ ├── Hacl.HPKE.P256_CP128_SHA256.fst
│ │ ├── Hacl.HPKE.P256_CP128_SHA256.fsti
│ │ ├── Hacl.HPKE.P256_CP256_SHA256.fst
│ │ ├── Hacl.HPKE.P256_CP256_SHA256.fsti
│ │ ├── Hacl.HPKE.P256_CP32_SHA256.fst
│ │ ├── Hacl.HPKE.P256_CP32_SHA256.fsti
│ │ ├── Hacl.Impl.HPKE.fst
│ │ ├── Hacl.Impl.HPKE.fsti
│ │ ├── Hacl.Meta.HPKE.fst
│ │ ├── Hacl.Meta.HPKE.fsti
│ │ └── Makefile
│ ├── k256/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.EC.K256.fst
│ │ ├── Hacl.Impl.K256.Finv.fst
│ │ ├── Hacl.Impl.K256.GLV.Constants.fst
│ │ ├── Hacl.Impl.K256.GLV.Constants.fsti
│ │ ├── Hacl.Impl.K256.GLV.fst
│ │ ├── Hacl.Impl.K256.GLV.fsti
│ │ ├── Hacl.Impl.K256.Group.fst
│ │ ├── Hacl.Impl.K256.Point.fst
│ │ ├── Hacl.Impl.K256.Point.fsti
│ │ ├── Hacl.Impl.K256.PointAdd.fst
│ │ ├── Hacl.Impl.K256.PointDouble.fst
│ │ ├── Hacl.Impl.K256.PointMul.fst
│ │ ├── Hacl.Impl.K256.PointMul.fsti
│ │ ├── Hacl.Impl.K256.Qinv.fst
│ │ ├── Hacl.Impl.K256.Sign.fst
│ │ ├── Hacl.Impl.K256.Verify.fst
│ │ ├── Hacl.K256.ECDSA.fst
│ │ ├── Hacl.K256.ECDSA.fsti
│ │ ├── Hacl.K256.Field.fst
│ │ ├── Hacl.K256.Field.fsti
│ │ ├── Hacl.K256.PrecompTable.fst
│ │ ├── Hacl.K256.PrecompTable.fsti
│ │ ├── Hacl.K256.Scalar.fst
│ │ ├── Hacl.K256.Scalar.fsti
│ │ ├── Hacl.Spec.K256.ECSM.Lemmas.fst
│ │ ├── Hacl.Spec.K256.Field52.Definitions.Lemmas.fst
│ │ ├── Hacl.Spec.K256.Field52.Definitions.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas.fsti
│ │ ├── Hacl.Spec.K256.Field52.Lemmas1.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas2.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas3.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas4.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas5.fst
│ │ ├── Hacl.Spec.K256.Field52.fst
│ │ ├── Hacl.Spec.K256.Finv.fst
│ │ ├── Hacl.Spec.K256.GLV.Lemmas.fst
│ │ ├── Hacl.Spec.K256.GLV.fst
│ │ ├── Hacl.Spec.K256.MathLemmas.fst
│ │ ├── Hacl.Spec.K256.PrecompTable.fst
│ │ ├── Hacl.Spec.K256.PrecompTable.fsti
│ │ ├── Hacl.Spec.K256.Qinv.fst
│ │ ├── Hacl.Spec.K256.Scalar.Lemmas.fst
│ │ ├── Hacl.Spec.K256.Scalar.fst
│ │ └── Makefile
│ ├── meta/
│ │ ├── AUTHORS.md
│ │ ├── DOCUMENTATION.md
│ │ ├── Makefile
│ │ ├── Meta.Attribute.fst
│ │ ├── Meta.Interface.fst
│ │ └── example/
│ │ ├── Client.fst
│ │ ├── Device.fst
│ │ ├── Example.fst
│ │ ├── Example.fst.hints
│ │ ├── Interface.fsti
│ │ └── Makefile
│ ├── nacl-box/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Impl.Box.fst
│ │ ├── Hacl.Impl.SecretBox.fst
│ │ ├── Hacl.NaCl.fst
│ │ └── Makefile
│ ├── poly1305/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Impl.Poly1305.Bignum128.fst
│ │ ├── Hacl.Impl.Poly1305.Bignum128.fsti
│ │ ├── Hacl.Impl.Poly1305.Field32xN.fst
│ │ ├── Hacl.Impl.Poly1305.Field32xN_128.fst
│ │ ├── Hacl.Impl.Poly1305.Field32xN_256.fst
│ │ ├── Hacl.Impl.Poly1305.Field32xN_32.fst
│ │ ├── Hacl.Impl.Poly1305.Fields.fst
│ │ ├── Hacl.Impl.Poly1305.Lemmas.fst
│ │ ├── Hacl.Impl.Poly1305.Lemmas.fsti
│ │ ├── Hacl.Impl.Poly1305.fst
│ │ ├── Hacl.Impl.Poly1305.fsti
│ │ ├── Hacl.Meta.Poly1305.fst
│ │ ├── Hacl.Meta.Poly1305.fsti
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas0.fst
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas0.fsti
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas1.fst
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas1.fsti
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas2.fst
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas2.fsti
│ │ ├── Hacl.Poly1305_128.fst
│ │ ├── Hacl.Poly1305_128.fsti
│ │ ├── Hacl.Poly1305_256.fst
│ │ ├── Hacl.Poly1305_256.fsti
│ │ ├── Hacl.Poly1305_32.fst
│ │ ├── Hacl.Poly1305_32.fsti
│ │ ├── Hacl.Spec.Poly1305.Equiv.fst
│ │ ├── Hacl.Spec.Poly1305.Equiv.fsti
│ │ ├── Hacl.Spec.Poly1305.Field32xN.Lemmas.fst
│ │ ├── Hacl.Spec.Poly1305.Field32xN.fst
│ │ ├── Hacl.Spec.Poly1305.Lemmas.fst
│ │ ├── Hacl.Spec.Poly1305.Vec.fst
│ │ └── Makefile
│ ├── rsapss/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Impl.RSAPSS.Keys.fst
│ │ ├── Hacl.Impl.RSAPSS.MGF.fst
│ │ ├── Hacl.Impl.RSAPSS.Padding.fst
│ │ ├── Hacl.Impl.RSAPSS.fst
│ │ ├── Hacl.RSAPSS.fst
│ │ ├── Hacl.Spec.RSAPSS.fst
│ │ └── Makefile
│ ├── salsa20/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Impl.HSalsa20.fst
│ │ ├── Hacl.Impl.Salsa20.Core32.fst
│ │ ├── Hacl.Impl.Salsa20.fst
│ │ ├── Hacl.Salsa20.fst
│ │ └── Makefile
│ ├── sha2-mb/
│ │ ├── Hacl.Impl.SHA2.Core.fst
│ │ ├── Hacl.Impl.SHA2.Generic.fst
│ │ ├── Hacl.Impl.SHA2.Types.fst
│ │ ├── Hacl.SHA2.Scalar32.Lemmas.fst
│ │ ├── Hacl.SHA2.Scalar32.fst
│ │ ├── Hacl.SHA2.Vec128.fst
│ │ ├── Hacl.SHA2.Vec256.fst
│ │ ├── Hacl.Spec.SHA2.Equiv.fst
│ │ ├── Hacl.Spec.SHA2.EquivScalar.fst
│ │ ├── Hacl.Spec.SHA2.EquivScalar.fsti
│ │ ├── Hacl.Spec.SHA2.Lemmas.fst
│ │ ├── Hacl.Spec.SHA2.Vec.fst
│ │ ├── Hacl.Spec.SHA2.fst
│ │ └── Makefile
│ ├── sha3/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Hash.SHA3.Scalar.fst
│ │ ├── Hacl.Hash.SHA3.Simd256.fst
│ │ ├── Hacl.Impl.SHA3.Vec.fst
│ │ ├── Hacl.Impl.SHA3.Vec.fsti
│ │ ├── Hacl.Spec.SHA3.Equiv.fst
│ │ ├── Hacl.Spec.SHA3.Equiv.fsti
│ │ ├── Hacl.Spec.SHA3.Lemmas.fst
│ │ ├── Hacl.Spec.SHA3.Vec.Common.fst
│ │ ├── Hacl.Spec.SHA3.Vec.fst
│ │ └── Makefile
│ ├── streaming/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Agile.Hash.fst
│ │ ├── Hacl.Agile.Hash.fsti
│ │ ├── Hacl.Streaming.Blake2.Common.fst
│ │ ├── Hacl.Streaming.Blake2.Params.fst
│ │ ├── Hacl.Streaming.Blake2.Params.fsti
│ │ ├── Hacl.Streaming.Blake2b_256.fst
│ │ ├── Hacl.Streaming.Blake2b_32.fst
│ │ ├── Hacl.Streaming.Blake2s_128.fst
│ │ ├── Hacl.Streaming.Blake2s_32.fst
│ │ ├── Hacl.Streaming.Functor.fst
│ │ ├── Hacl.Streaming.Functor.fsti
│ │ ├── Hacl.Streaming.HMAC.Definitions.fst
│ │ ├── Hacl.Streaming.HMAC.Definitions.fsti
│ │ ├── Hacl.Streaming.HMAC.fst
│ │ ├── Hacl.Streaming.Interface.fsti
│ │ ├── Hacl.Streaming.Keccak.fst
│ │ ├── Hacl.Streaming.MD.fst
│ │ ├── Hacl.Streaming.MD5.fst
│ │ ├── Hacl.Streaming.Poly1305.fst
│ │ ├── Hacl.Streaming.Poly1305_128.fst
│ │ ├── Hacl.Streaming.Poly1305_128.fsti
│ │ ├── Hacl.Streaming.Poly1305_256.fst
│ │ ├── Hacl.Streaming.Poly1305_256.fsti
│ │ ├── Hacl.Streaming.Poly1305_32.fst
│ │ ├── Hacl.Streaming.Poly1305_32.fsti
│ │ ├── Hacl.Streaming.SHA1.fst
│ │ ├── Hacl.Streaming.SHA2.fst
│ │ ├── Hacl.Streaming.Spec.fst
│ │ ├── Hacl.Streaming.Types.fst
│ │ ├── Makefile
│ │ ├── README.md
│ │ └── nohup.out
│ └── tests/
│ ├── Hacl.Benchmark.Ed25519.c
│ ├── Hacl.Test.ECDSA.fst
│ ├── Hacl.Test.HMAC_DRBG.fst
│ ├── Hacl.Test.K256.fst
│ ├── Hacl.Test.SHA2.fst
│ ├── Hacl.Test.SHA3.fst
│ └── Makefile
├── dist/
│ ├── LICENSE.txt
│ ├── META
│ ├── Makefile.test
│ ├── Makefile.tmpl
│ ├── configure
│ ├── gcc-compatible/
│ │ ├── EverCrypt_AEAD.c
│ │ ├── EverCrypt_AEAD.h
│ │ ├── EverCrypt_AutoConfig2.c
│ │ ├── EverCrypt_AutoConfig2.h
│ │ ├── EverCrypt_Chacha20Poly1305.c
│ │ ├── EverCrypt_Chacha20Poly1305.h
│ │ ├── EverCrypt_Cipher.c
│ │ ├── EverCrypt_Cipher.h
│ │ ├── EverCrypt_Curve25519.c
│ │ ├── EverCrypt_Curve25519.h
│ │ ├── EverCrypt_DRBG.c
│ │ ├── EverCrypt_DRBG.h
│ │ ├── EverCrypt_Ed25519.c
│ │ ├── EverCrypt_Ed25519.h
│ │ ├── EverCrypt_Error.h
│ │ ├── EverCrypt_HKDF.c
│ │ ├── EverCrypt_HKDF.h
│ │ ├── EverCrypt_HMAC.c
│ │ ├── EverCrypt_HMAC.h
│ │ ├── EverCrypt_Hash.c
│ │ ├── EverCrypt_Hash.h
│ │ ├── EverCrypt_Poly1305.c
│ │ ├── EverCrypt_Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.h
│ │ ├── Hacl_AES128.h
│ │ ├── Hacl_Bignum.c
│ │ ├── Hacl_Bignum.h
│ │ ├── Hacl_Bignum256.c
│ │ ├── Hacl_Bignum256.h
│ │ ├── Hacl_Bignum256_32.c
│ │ ├── Hacl_Bignum256_32.h
│ │ ├── Hacl_Bignum32.c
│ │ ├── Hacl_Bignum32.h
│ │ ├── Hacl_Bignum4096.c
│ │ ├── Hacl_Bignum4096.h
│ │ ├── Hacl_Bignum4096_32.c
│ │ ├── Hacl_Bignum4096_32.h
│ │ ├── Hacl_Bignum64.c
│ │ ├── Hacl_Bignum64.h
│ │ ├── Hacl_Chacha20.c
│ │ ├── Hacl_Chacha20.h
│ │ ├── Hacl_Chacha20_Vec128.c
│ │ ├── Hacl_Chacha20_Vec128.h
│ │ ├── Hacl_Chacha20_Vec256.c
│ │ ├── Hacl_Chacha20_Vec256.h
│ │ ├── Hacl_Chacha20_Vec32.c
│ │ ├── Hacl_Chacha20_Vec32.h
│ │ ├── Hacl_Curve25519_51.c
│ │ ├── Hacl_Curve25519_51.h
│ │ ├── Hacl_Curve25519_64.c
│ │ ├── Hacl_Curve25519_64.h
│ │ ├── Hacl_EC_Ed25519.c
│ │ ├── Hacl_EC_Ed25519.h
│ │ ├── Hacl_EC_K256.c
│ │ ├── Hacl_EC_K256.h
│ │ ├── Hacl_Ed25519.c
│ │ ├── Hacl_Ed25519.h
│ │ ├── Hacl_FFDHE.c
│ │ ├── Hacl_FFDHE.h
│ │ ├── Hacl_Frodo1344.c
│ │ ├── Hacl_Frodo1344.h
│ │ ├── Hacl_Frodo64.c
│ │ ├── Hacl_Frodo64.h
│ │ ├── Hacl_Frodo640.c
│ │ ├── Hacl_Frodo640.h
│ │ ├── Hacl_Frodo976.c
│ │ ├── Hacl_Frodo976.h
│ │ ├── Hacl_Frodo_KEM.c
│ │ ├── Hacl_GenericField32.c
│ │ ├── Hacl_GenericField32.h
│ │ ├── Hacl_GenericField64.c
│ │ ├── Hacl_GenericField64.h
│ │ ├── Hacl_HKDF.c
│ │ ├── Hacl_HKDF.h
│ │ ├── Hacl_HKDF_Blake2b_256.c
│ │ ├── Hacl_HKDF_Blake2b_256.h
│ │ ├── Hacl_HKDF_Blake2s_128.c
│ │ ├── Hacl_HKDF_Blake2s_128.h
│ │ ├── Hacl_HMAC.c
│ │ ├── Hacl_HMAC.h
│ │ ├── Hacl_HMAC_Blake2b_256.c
│ │ ├── Hacl_HMAC_Blake2b_256.h
│ │ ├── Hacl_HMAC_Blake2s_128.c
│ │ ├── Hacl_HMAC_Blake2s_128.h
│ │ ├── Hacl_HMAC_DRBG.c
│ │ ├── Hacl_HMAC_DRBG.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.h
│ │ ├── Hacl_Hash_Base.c
│ │ ├── Hacl_Hash_Base.h
│ │ ├── Hacl_Hash_Blake2b.c
│ │ ├── Hacl_Hash_Blake2b.h
│ │ ├── Hacl_Hash_Blake2b_Simd256.c
│ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ ├── Hacl_Hash_Blake2s.c
│ │ ├── Hacl_Hash_Blake2s.h
│ │ ├── Hacl_Hash_Blake2s_Simd128.c
│ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ ├── Hacl_Hash_MD5.c
│ │ ├── Hacl_Hash_MD5.h
│ │ ├── Hacl_Hash_SHA1.c
│ │ ├── Hacl_Hash_SHA1.h
│ │ ├── Hacl_Hash_SHA2.c
│ │ ├── Hacl_Hash_SHA2.h
│ │ ├── Hacl_Hash_SHA3.c
│ │ ├── Hacl_Hash_SHA3.h
│ │ ├── Hacl_Hash_SHA3_Simd256.c
│ │ ├── Hacl_Hash_SHA3_Simd256.h
│ │ ├── Hacl_IntTypes_Intrinsics.h
│ │ ├── Hacl_IntTypes_Intrinsics_128.h
│ │ ├── Hacl_K256_ECDSA.c
│ │ ├── Hacl_K256_ECDSA.h
│ │ ├── Hacl_Krmllib.h
│ │ ├── Hacl_MAC_Poly1305.c
│ │ ├── Hacl_MAC_Poly1305.h
│ │ ├── Hacl_MAC_Poly1305_Simd128.c
│ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ ├── Hacl_MAC_Poly1305_Simd256.c
│ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ ├── Hacl_NaCl.c
│ │ ├── Hacl_NaCl.h
│ │ ├── Hacl_P256.c
│ │ ├── Hacl_P256.h
│ │ ├── Hacl_RSAPSS.c
│ │ ├── Hacl_RSAPSS.h
│ │ ├── Hacl_SHA2_Types.h
│ │ ├── Hacl_SHA2_Vec128.c
│ │ ├── Hacl_SHA2_Vec128.h
│ │ ├── Hacl_SHA2_Vec256.c
│ │ ├── Hacl_SHA2_Vec256.h
│ │ ├── Hacl_Salsa20.c
│ │ ├── Hacl_Salsa20.h
│ │ ├── Hacl_Spec.h
│ │ ├── Hacl_Streaming_HMAC.c
│ │ ├── Hacl_Streaming_HMAC.h
│ │ ├── Hacl_Streaming_Types.h
│ │ ├── INFO.txt
│ │ ├── Lib_Memzero0.c
│ │ ├── Lib_PrintBuffer.c
│ │ ├── Lib_PrintBuffer.h
│ │ ├── Lib_RandomBuffer_System.c
│ │ ├── Lib_RandomBuffer_System.h
│ │ ├── META
│ │ ├── Makefile
│ │ ├── Makefile.basic
│ │ ├── Makefile.include
│ │ ├── TestLib.h
│ │ ├── Vale.c
│ │ ├── aesgcm-ppc64le.S
│ │ ├── aesgcm-x86_64-darwin.S
│ │ ├── aesgcm-x86_64-linux.S
│ │ ├── aesgcm-x86_64-mingw.S
│ │ ├── aesgcm-x86_64-msvc.asm
│ │ ├── clients/
│ │ │ └── krmlrenamings.h
│ │ ├── configure
│ │ ├── cpuid-x86_64-darwin.S
│ │ ├── cpuid-x86_64-linux.S
│ │ ├── cpuid-x86_64-mingw.S
│ │ ├── cpuid-x86_64-msvc.asm
│ │ ├── ctypes.depend
│ │ ├── curve25519-inline.h
│ │ ├── curve25519-x86_64-darwin.S
│ │ ├── curve25519-x86_64-linux.S
│ │ ├── curve25519-x86_64-mingw.S
│ │ ├── curve25519-x86_64-msvc.asm
│ │ ├── evercrypt_targetconfig.h
│ │ ├── internal/
│ │ │ ├── EverCrypt_AEAD.h
│ │ │ ├── EverCrypt_DRBG.h
│ │ │ ├── EverCrypt_HMAC.h
│ │ │ ├── EverCrypt_Hash.h
│ │ │ ├── Hacl_Bignum.h
│ │ │ ├── Hacl_Bignum25519_51.h
│ │ │ ├── Hacl_Bignum_Base.h
│ │ │ ├── Hacl_Bignum_K256.h
│ │ │ ├── Hacl_Chacha20.h
│ │ │ ├── Hacl_Curve25519_51.h
│ │ │ ├── Hacl_Ed25519.h
│ │ │ ├── Hacl_Ed25519_PrecompTable.h
│ │ │ ├── Hacl_Frodo_KEM.h
│ │ │ ├── Hacl_HMAC.h
│ │ │ ├── Hacl_Hash_Blake2b.h
│ │ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ │ ├── Hacl_Hash_Blake2s.h
│ │ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ │ ├── Hacl_Hash_MD5.h
│ │ │ ├── Hacl_Hash_SHA1.h
│ │ │ ├── Hacl_Hash_SHA2.h
│ │ │ ├── Hacl_Hash_SHA3.h
│ │ │ ├── Hacl_Impl_Blake2_Constants.h
│ │ │ ├── Hacl_Impl_FFDHE_Constants.h
│ │ │ ├── Hacl_K256_ECDSA.h
│ │ │ ├── Hacl_K256_PrecompTable.h
│ │ │ ├── Hacl_Krmllib.h
│ │ │ ├── Hacl_MAC_Poly1305.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ │ ├── Hacl_P256.h
│ │ │ ├── Hacl_P256_PrecompTable.h
│ │ │ ├── Hacl_SHA2_Types.h
│ │ │ ├── Hacl_Spec.h
│ │ │ ├── Hacl_Streaming_HMAC.h
│ │ │ ├── Hacl_Streaming_Types.h
│ │ │ └── Vale.h
│ │ ├── lib/
│ │ │ ├── EverCrypt_AEAD_bindings.ml
│ │ │ ├── EverCrypt_AutoConfig2_bindings.ml
│ │ │ ├── EverCrypt_Chacha20Poly1305_bindings.ml
│ │ │ ├── EverCrypt_Cipher_bindings.ml
│ │ │ ├── EverCrypt_Curve25519_bindings.ml
│ │ │ ├── EverCrypt_DRBG_bindings.ml
│ │ │ ├── EverCrypt_Ed25519_bindings.ml
│ │ │ ├── EverCrypt_Error_bindings.ml
│ │ │ ├── EverCrypt_HKDF_bindings.ml
│ │ │ ├── EverCrypt_HMAC_bindings.ml
│ │ │ ├── EverCrypt_Hash_bindings.ml
│ │ │ ├── EverCrypt_Poly1305_bindings.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256_bindings.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_bindings.ml
│ │ │ ├── Hacl_Bignum25519_51_bindings.ml
│ │ │ ├── Hacl_Bignum256_32_bindings.ml
│ │ │ ├── Hacl_Bignum256_bindings.ml
│ │ │ ├── Hacl_Bignum32_bindings.ml
│ │ │ ├── Hacl_Bignum4096_32_bindings.ml
│ │ │ ├── Hacl_Bignum4096_bindings.ml
│ │ │ ├── Hacl_Bignum64_bindings.ml
│ │ │ ├── Hacl_Bignum_Base_bindings.ml
│ │ │ ├── Hacl_Bignum_K256_bindings.ml
│ │ │ ├── Hacl_Bignum_bindings.ml
│ │ │ ├── Hacl_Chacha20_Vec128_bindings.ml
│ │ │ ├── Hacl_Chacha20_Vec256_bindings.ml
│ │ │ ├── Hacl_Chacha20_Vec32_bindings.ml
│ │ │ ├── Hacl_Chacha20_bindings.ml
│ │ │ ├── Hacl_Curve25519_51_bindings.ml
│ │ │ ├── Hacl_Curve25519_64_bindings.ml
│ │ │ ├── Hacl_EC_Ed25519_bindings.ml
│ │ │ ├── Hacl_EC_K256_bindings.ml
│ │ │ ├── Hacl_Ed25519_bindings.ml
│ │ │ ├── Hacl_FFDHE_bindings.ml
│ │ │ ├── Hacl_Frodo1344_bindings.ml
│ │ │ ├── Hacl_Frodo640_bindings.ml
│ │ │ ├── Hacl_Frodo64_bindings.ml
│ │ │ ├── Hacl_Frodo976_bindings.ml
│ │ │ ├── Hacl_Frodo_KEM_bindings.ml
│ │ │ ├── Hacl_GenericField32_bindings.ml
│ │ │ ├── Hacl_GenericField64_bindings.ml
│ │ │ ├── Hacl_HKDF_Blake2b_256_bindings.ml
│ │ │ ├── Hacl_HKDF_Blake2s_128_bindings.ml
│ │ │ ├── Hacl_HKDF_bindings.ml
│ │ │ ├── Hacl_HMAC_Blake2b_256_bindings.ml
│ │ │ ├── Hacl_HMAC_Blake2s_128_bindings.ml
│ │ │ ├── Hacl_HMAC_DRBG_bindings.ml
│ │ │ ├── Hacl_HMAC_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP128_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP128_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP256_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP256_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP32_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP32_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP128_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP128_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP256_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP256_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP32_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP32_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.ml
│ │ │ ├── Hacl_HPKE_P256_CP128_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_P256_CP256_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_P256_CP32_SHA256_bindings.ml
│ │ │ ├── Hacl_Hash_Base_bindings.ml
│ │ │ ├── Hacl_Hash_Blake2b_Simd256_bindings.ml
│ │ │ ├── Hacl_Hash_Blake2b_bindings.ml
│ │ │ ├── Hacl_Hash_Blake2s_Simd128_bindings.ml
│ │ │ ├── Hacl_Hash_Blake2s_bindings.ml
│ │ │ ├── Hacl_Hash_MD5_bindings.ml
│ │ │ ├── Hacl_Hash_SHA1_bindings.ml
│ │ │ ├── Hacl_Hash_SHA2_bindings.ml
│ │ │ ├── Hacl_Hash_SHA3_Simd256_bindings.ml
│ │ │ ├── Hacl_Hash_SHA3_bindings.ml
│ │ │ ├── Hacl_IntTypes_Intrinsics_128_bindings.ml
│ │ │ ├── Hacl_IntTypes_Intrinsics_bindings.ml
│ │ │ ├── Hacl_K256_ECDSA_bindings.ml
│ │ │ ├── Hacl_MAC_Poly1305_Simd128_bindings.ml
│ │ │ ├── Hacl_MAC_Poly1305_Simd256_bindings.ml
│ │ │ ├── Hacl_MAC_Poly1305_bindings.ml
│ │ │ ├── Hacl_NaCl_bindings.ml
│ │ │ ├── Hacl_P256_bindings.ml
│ │ │ ├── Hacl_RSAPSS_bindings.ml
│ │ │ ├── Hacl_SHA2_Types_bindings.ml
│ │ │ ├── Hacl_SHA2_Vec128_bindings.ml
│ │ │ ├── Hacl_SHA2_Vec256_bindings.ml
│ │ │ ├── Hacl_Salsa20_bindings.ml
│ │ │ ├── Hacl_Spec_bindings.ml
│ │ │ ├── Hacl_Streaming_HMAC_bindings.ml
│ │ │ └── Hacl_Streaming_Types_bindings.ml
│ │ ├── lib_gen/
│ │ │ ├── EverCrypt_AEAD_gen.ml
│ │ │ ├── EverCrypt_AutoConfig2_gen.ml
│ │ │ ├── EverCrypt_Chacha20Poly1305_gen.ml
│ │ │ ├── EverCrypt_Cipher_gen.ml
│ │ │ ├── EverCrypt_Curve25519_gen.ml
│ │ │ ├── EverCrypt_DRBG_gen.ml
│ │ │ ├── EverCrypt_Ed25519_gen.ml
│ │ │ ├── EverCrypt_Error_gen.ml
│ │ │ ├── EverCrypt_HKDF_gen.ml
│ │ │ ├── EverCrypt_HMAC_gen.ml
│ │ │ ├── EverCrypt_Hash_gen.ml
│ │ │ ├── EverCrypt_Poly1305_gen.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128_gen.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256_gen.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_gen.ml
│ │ │ ├── Hacl_Bignum25519_51_gen.ml
│ │ │ ├── Hacl_Bignum256_32_gen.ml
│ │ │ ├── Hacl_Bignum256_gen.ml
│ │ │ ├── Hacl_Bignum32_gen.ml
│ │ │ ├── Hacl_Bignum4096_32_gen.ml
│ │ │ ├── Hacl_Bignum4096_gen.ml
│ │ │ ├── Hacl_Bignum64_gen.ml
│ │ │ ├── Hacl_Bignum_Base_gen.ml
│ │ │ ├── Hacl_Bignum_K256_gen.ml
│ │ │ ├── Hacl_Bignum_gen.ml
│ │ │ ├── Hacl_Chacha20_Vec128_gen.ml
│ │ │ ├── Hacl_Chacha20_Vec256_gen.ml
│ │ │ ├── Hacl_Chacha20_Vec32_gen.ml
│ │ │ ├── Hacl_Chacha20_gen.ml
│ │ │ ├── Hacl_Curve25519_51_gen.ml
│ │ │ ├── Hacl_Curve25519_64_gen.ml
│ │ │ ├── Hacl_EC_Ed25519_gen.ml
│ │ │ ├── Hacl_EC_K256_gen.ml
│ │ │ ├── Hacl_Ed25519_gen.ml
│ │ │ ├── Hacl_FFDHE_gen.ml
│ │ │ ├── Hacl_Frodo1344_gen.ml
│ │ │ ├── Hacl_Frodo640_gen.ml
│ │ │ ├── Hacl_Frodo64_gen.ml
│ │ │ ├── Hacl_Frodo976_gen.ml
│ │ │ ├── Hacl_Frodo_KEM_gen.ml
│ │ │ ├── Hacl_GenericField32_gen.ml
│ │ │ ├── Hacl_GenericField64_gen.ml
│ │ │ ├── Hacl_HKDF_Blake2b_256_gen.ml
│ │ │ ├── Hacl_HKDF_Blake2s_128_gen.ml
│ │ │ ├── Hacl_HKDF_gen.ml
│ │ │ ├── Hacl_HMAC_Blake2b_256_gen.ml
│ │ │ ├── Hacl_HMAC_Blake2s_128_gen.ml
│ │ │ ├── Hacl_HMAC_DRBG_gen.ml
│ │ │ ├── Hacl_HMAC_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP128_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP128_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP256_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP256_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP32_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP32_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP128_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP128_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP256_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP256_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP32_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP32_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_gen.ml
│ │ │ ├── Hacl_HPKE_P256_CP128_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_P256_CP256_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_P256_CP32_SHA256_gen.ml
│ │ │ ├── Hacl_Hash_Base_gen.ml
│ │ │ ├── Hacl_Hash_Blake2b_Simd256_gen.ml
│ │ │ ├── Hacl_Hash_Blake2b_gen.ml
│ │ │ ├── Hacl_Hash_Blake2s_Simd128_gen.ml
│ │ │ ├── Hacl_Hash_Blake2s_gen.ml
│ │ │ ├── Hacl_Hash_MD5_gen.ml
│ │ │ ├── Hacl_Hash_SHA1_gen.ml
│ │ │ ├── Hacl_Hash_SHA2_gen.ml
│ │ │ ├── Hacl_Hash_SHA3_Simd256_gen.ml
│ │ │ ├── Hacl_Hash_SHA3_gen.ml
│ │ │ ├── Hacl_IntTypes_Intrinsics_128_gen.ml
│ │ │ ├── Hacl_IntTypes_Intrinsics_gen.ml
│ │ │ ├── Hacl_K256_ECDSA_gen.ml
│ │ │ ├── Hacl_MAC_Poly1305_Simd128_gen.ml
│ │ │ ├── Hacl_MAC_Poly1305_Simd256_gen.ml
│ │ │ ├── Hacl_MAC_Poly1305_gen.ml
│ │ │ ├── Hacl_NaCl_gen.ml
│ │ │ ├── Hacl_P256_gen.ml
│ │ │ ├── Hacl_RSAPSS_gen.ml
│ │ │ ├── Hacl_SHA2_Types_gen.ml
│ │ │ ├── Hacl_SHA2_Vec128_gen.ml
│ │ │ ├── Hacl_SHA2_Vec256_gen.ml
│ │ │ ├── Hacl_Salsa20_gen.ml
│ │ │ ├── Hacl_Spec_gen.ml
│ │ │ ├── Hacl_Streaming_HMAC_gen.ml
│ │ │ ├── Hacl_Streaming_Types_gen.ml
│ │ │ └── Lib_RandomBuffer_System_gen.ml
│ │ ├── lib_intrinsics.h
│ │ ├── lib_memzero0.h
│ │ ├── libevercrypt.def
│ │ ├── libintvector-shim.h
│ │ ├── libintvector.h
│ │ ├── poly1305-x86_64-darwin.S
│ │ ├── poly1305-x86_64-linux.S
│ │ ├── poly1305-x86_64-mingw.S
│ │ ├── poly1305-x86_64-msvc.asm
│ │ ├── sha256-ppc64le.S
│ │ ├── sha256-x86_64-darwin.S
│ │ ├── sha256-x86_64-linux.S
│ │ ├── sha256-x86_64-mingw.S
│ │ └── sha256-x86_64-msvc.asm
│ ├── karamel/
│ │ ├── include/
│ │ │ ├── krml/
│ │ │ │ ├── c_endianness.h
│ │ │ │ ├── fstar_int.h
│ │ │ │ ├── internal/
│ │ │ │ │ ├── builtin.h
│ │ │ │ │ ├── callconv.h
│ │ │ │ │ ├── compat.h
│ │ │ │ │ ├── debug.h
│ │ │ │ │ ├── target.h
│ │ │ │ │ ├── types.h
│ │ │ │ │ └── wasmsupport.h
│ │ │ │ └── lowstar_endianness.h
│ │ │ └── krmllib.h
│ │ └── krmllib/
│ │ └── dist/
│ │ └── minimal/
│ │ ├── FStar_UInt128.h
│ │ ├── FStar_UInt128_Verified.h
│ │ ├── FStar_UInt_8_16_32_64.h
│ │ ├── LowStar_Endianness.h
│ │ ├── Makefile.basic
│ │ ├── Makefile.include
│ │ ├── fstar_uint128_gcc64.h
│ │ ├── fstar_uint128_msvc.h
│ │ ├── fstar_uint128_struct_endianness.h
│ │ └── libkrmllib.def
│ ├── mozilla/
│ │ ├── Hacl_AEAD_Chacha20Poly1305.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.h
│ │ ├── Hacl_Bignum.c
│ │ ├── Hacl_Bignum.h
│ │ ├── Hacl_Chacha20.c
│ │ ├── Hacl_Chacha20.h
│ │ ├── Hacl_Chacha20_Vec128.c
│ │ ├── Hacl_Chacha20_Vec128.h
│ │ ├── Hacl_Chacha20_Vec256.c
│ │ ├── Hacl_Chacha20_Vec256.h
│ │ ├── Hacl_Curve25519_51.c
│ │ ├── Hacl_Curve25519_51.h
│ │ ├── Hacl_Curve25519_64.c
│ │ ├── Hacl_Curve25519_64.h
│ │ ├── Hacl_Hash_SHA1.c
│ │ ├── Hacl_Hash_SHA1.h
│ │ ├── Hacl_Hash_SHA2.c
│ │ ├── Hacl_Hash_SHA2.h
│ │ ├── Hacl_Hash_SHA3.c
│ │ ├── Hacl_Hash_SHA3.h
│ │ ├── Hacl_IntTypes_Intrinsics.h
│ │ ├── Hacl_IntTypes_Intrinsics_128.h
│ │ ├── Hacl_Krmllib.h
│ │ ├── Hacl_MAC_Poly1305.c
│ │ ├── Hacl_MAC_Poly1305.h
│ │ ├── Hacl_MAC_Poly1305_Simd128.c
│ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ ├── Hacl_MAC_Poly1305_Simd256.c
│ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ ├── Hacl_P256.c
│ │ ├── Hacl_P256.h
│ │ ├── Hacl_RSAPSS.c
│ │ ├── Hacl_RSAPSS.h
│ │ ├── Hacl_SHA2_Types.h
│ │ ├── Hacl_Spec.h
│ │ ├── Hacl_Streaming_Types.h
│ │ ├── INFO.txt
│ │ ├── Lib_Memzero0.c
│ │ ├── Makefile
│ │ ├── Makefile.basic
│ │ ├── Makefile.include
│ │ ├── TestLib.h
│ │ ├── Vale.c
│ │ ├── configure
│ │ ├── curve25519-inline.h
│ │ ├── curve25519-x86_64-darwin.S
│ │ ├── curve25519-x86_64-linux.S
│ │ ├── curve25519-x86_64-mingw.S
│ │ ├── curve25519-x86_64-msvc.asm
│ │ ├── internal/
│ │ │ ├── Hacl_Bignum.h
│ │ │ ├── Hacl_Bignum25519_51.h
│ │ │ ├── Hacl_Bignum_Base.h
│ │ │ ├── Hacl_Chacha20.h
│ │ │ ├── Hacl_Curve25519_51.h
│ │ │ ├── Hacl_Hash_SHA1.h
│ │ │ ├── Hacl_Hash_SHA2.h
│ │ │ ├── Hacl_Hash_SHA3.h
│ │ │ ├── Hacl_Krmllib.h
│ │ │ ├── Hacl_MAC_Poly1305.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ │ ├── Hacl_P256.h
│ │ │ ├── Hacl_P256_PrecompTable.h
│ │ │ ├── Hacl_SHA2_Types.h
│ │ │ ├── Hacl_Spec.h
│ │ │ ├── Hacl_Streaming_Types.h
│ │ │ └── Vale.h
│ │ ├── lib_intrinsics.h
│ │ ├── lib_memzero0.h
│ │ └── libintvector.h
│ ├── msvc-compatible/
│ │ ├── EverCrypt_AEAD.c
│ │ ├── EverCrypt_AEAD.h
│ │ ├── EverCrypt_AutoConfig2.c
│ │ ├── EverCrypt_AutoConfig2.h
│ │ ├── EverCrypt_Chacha20Poly1305.c
│ │ ├── EverCrypt_Chacha20Poly1305.h
│ │ ├── EverCrypt_Cipher.c
│ │ ├── EverCrypt_Cipher.h
│ │ ├── EverCrypt_Curve25519.c
│ │ ├── EverCrypt_Curve25519.h
│ │ ├── EverCrypt_DRBG.c
│ │ ├── EverCrypt_DRBG.h
│ │ ├── EverCrypt_Ed25519.c
│ │ ├── EverCrypt_Ed25519.h
│ │ ├── EverCrypt_Error.h
│ │ ├── EverCrypt_HKDF.c
│ │ ├── EverCrypt_HKDF.h
│ │ ├── EverCrypt_HMAC.c
│ │ ├── EverCrypt_HMAC.h
│ │ ├── EverCrypt_Hash.c
│ │ ├── EverCrypt_Hash.h
│ │ ├── EverCrypt_Poly1305.c
│ │ ├── EverCrypt_Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.h
│ │ ├── Hacl_AES128.h
│ │ ├── Hacl_Bignum.c
│ │ ├── Hacl_Bignum.h
│ │ ├── Hacl_Bignum256.c
│ │ ├── Hacl_Bignum256.h
│ │ ├── Hacl_Bignum256_32.c
│ │ ├── Hacl_Bignum256_32.h
│ │ ├── Hacl_Bignum32.c
│ │ ├── Hacl_Bignum32.h
│ │ ├── Hacl_Bignum4096.c
│ │ ├── Hacl_Bignum4096.h
│ │ ├── Hacl_Bignum4096_32.c
│ │ ├── Hacl_Bignum4096_32.h
│ │ ├── Hacl_Bignum64.c
│ │ ├── Hacl_Bignum64.h
│ │ ├── Hacl_Chacha20.c
│ │ ├── Hacl_Chacha20.h
│ │ ├── Hacl_Chacha20_Vec128.c
│ │ ├── Hacl_Chacha20_Vec128.h
│ │ ├── Hacl_Chacha20_Vec256.c
│ │ ├── Hacl_Chacha20_Vec256.h
│ │ ├── Hacl_Chacha20_Vec32.c
│ │ ├── Hacl_Chacha20_Vec32.h
│ │ ├── Hacl_Curve25519_51.c
│ │ ├── Hacl_Curve25519_51.h
│ │ ├── Hacl_Curve25519_64.c
│ │ ├── Hacl_Curve25519_64.h
│ │ ├── Hacl_EC_Ed25519.c
│ │ ├── Hacl_EC_Ed25519.h
│ │ ├── Hacl_EC_K256.c
│ │ ├── Hacl_EC_K256.h
│ │ ├── Hacl_Ed25519.c
│ │ ├── Hacl_Ed25519.h
│ │ ├── Hacl_FFDHE.c
│ │ ├── Hacl_FFDHE.h
│ │ ├── Hacl_Frodo1344.c
│ │ ├── Hacl_Frodo1344.h
│ │ ├── Hacl_Frodo64.c
│ │ ├── Hacl_Frodo64.h
│ │ ├── Hacl_Frodo640.c
│ │ ├── Hacl_Frodo640.h
│ │ ├── Hacl_Frodo976.c
│ │ ├── Hacl_Frodo976.h
│ │ ├── Hacl_Frodo_KEM.c
│ │ ├── Hacl_GenericField32.c
│ │ ├── Hacl_GenericField32.h
│ │ ├── Hacl_GenericField64.c
│ │ ├── Hacl_GenericField64.h
│ │ ├── Hacl_HKDF.c
│ │ ├── Hacl_HKDF.h
│ │ ├── Hacl_HKDF_Blake2b_256.c
│ │ ├── Hacl_HKDF_Blake2b_256.h
│ │ ├── Hacl_HKDF_Blake2s_128.c
│ │ ├── Hacl_HKDF_Blake2s_128.h
│ │ ├── Hacl_HMAC.c
│ │ ├── Hacl_HMAC.h
│ │ ├── Hacl_HMAC_Blake2b_256.c
│ │ ├── Hacl_HMAC_Blake2b_256.h
│ │ ├── Hacl_HMAC_Blake2s_128.c
│ │ ├── Hacl_HMAC_Blake2s_128.h
│ │ ├── Hacl_HMAC_DRBG.c
│ │ ├── Hacl_HMAC_DRBG.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.h
│ │ ├── Hacl_Hash_Base.c
│ │ ├── Hacl_Hash_Base.h
│ │ ├── Hacl_Hash_Blake2b.c
│ │ ├── Hacl_Hash_Blake2b.h
│ │ ├── Hacl_Hash_Blake2b_Simd256.c
│ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ ├── Hacl_Hash_Blake2s.c
│ │ ├── Hacl_Hash_Blake2s.h
│ │ ├── Hacl_Hash_Blake2s_Simd128.c
│ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ ├── Hacl_Hash_MD5.c
│ │ ├── Hacl_Hash_MD5.h
│ │ ├── Hacl_Hash_SHA1.c
│ │ ├── Hacl_Hash_SHA1.h
│ │ ├── Hacl_Hash_SHA2.c
│ │ ├── Hacl_Hash_SHA2.h
│ │ ├── Hacl_Hash_SHA3.c
│ │ ├── Hacl_Hash_SHA3.h
│ │ ├── Hacl_Hash_SHA3_Simd256.c
│ │ ├── Hacl_Hash_SHA3_Simd256.h
│ │ ├── Hacl_IntTypes_Intrinsics.h
│ │ ├── Hacl_IntTypes_Intrinsics_128.h
│ │ ├── Hacl_K256_ECDSA.c
│ │ ├── Hacl_K256_ECDSA.h
│ │ ├── Hacl_Krmllib.h
│ │ ├── Hacl_MAC_Poly1305.c
│ │ ├── Hacl_MAC_Poly1305.h
│ │ ├── Hacl_MAC_Poly1305_Simd128.c
│ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ ├── Hacl_MAC_Poly1305_Simd256.c
│ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ ├── Hacl_NaCl.c
│ │ ├── Hacl_NaCl.h
│ │ ├── Hacl_P256.c
│ │ ├── Hacl_P256.h
│ │ ├── Hacl_RSAPSS.c
│ │ ├── Hacl_RSAPSS.h
│ │ ├── Hacl_SHA2_Types.h
│ │ ├── Hacl_SHA2_Vec128.c
│ │ ├── Hacl_SHA2_Vec128.h
│ │ ├── Hacl_SHA2_Vec256.c
│ │ ├── Hacl_SHA2_Vec256.h
│ │ ├── Hacl_Salsa20.c
│ │ ├── Hacl_Salsa20.h
│ │ ├── Hacl_Spec.h
│ │ ├── Hacl_Streaming_HMAC.c
│ │ ├── Hacl_Streaming_HMAC.h
│ │ ├── Hacl_Streaming_Types.h
│ │ ├── INFO.txt
│ │ ├── Lib_Memzero0.c
│ │ ├── Lib_PrintBuffer.c
│ │ ├── Lib_PrintBuffer.h
│ │ ├── Lib_RandomBuffer_System.c
│ │ ├── Lib_RandomBuffer_System.h
│ │ ├── Makefile
│ │ ├── Makefile.basic
│ │ ├── Makefile.include
│ │ ├── TestLib.h
│ │ ├── Vale.c
│ │ ├── aesgcm-ppc64le.S
│ │ ├── aesgcm-x86_64-darwin.S
│ │ ├── aesgcm-x86_64-linux.S
│ │ ├── aesgcm-x86_64-mingw.S
│ │ ├── aesgcm-x86_64-msvc.asm
│ │ ├── clients/
│ │ │ └── krmlrenamings.h
│ │ ├── configure
│ │ ├── cpuid-x86_64-darwin.S
│ │ ├── cpuid-x86_64-linux.S
│ │ ├── cpuid-x86_64-mingw.S
│ │ ├── cpuid-x86_64-msvc.asm
│ │ ├── curve25519-inline.h
│ │ ├── curve25519-x86_64-darwin.S
│ │ ├── curve25519-x86_64-linux.S
│ │ ├── curve25519-x86_64-mingw.S
│ │ ├── curve25519-x86_64-msvc.asm
│ │ ├── evercrypt_targetconfig.h
│ │ ├── internal/
│ │ │ ├── EverCrypt_AEAD.h
│ │ │ ├── EverCrypt_DRBG.h
│ │ │ ├── EverCrypt_HMAC.h
│ │ │ ├── EverCrypt_Hash.h
│ │ │ ├── Hacl_Bignum.h
│ │ │ ├── Hacl_Bignum25519_51.h
│ │ │ ├── Hacl_Bignum_Base.h
│ │ │ ├── Hacl_Bignum_K256.h
│ │ │ ├── Hacl_Chacha20.h
│ │ │ ├── Hacl_Curve25519_51.h
│ │ │ ├── Hacl_Ed25519.h
│ │ │ ├── Hacl_Ed25519_PrecompTable.h
│ │ │ ├── Hacl_Frodo_KEM.h
│ │ │ ├── Hacl_HMAC.h
│ │ │ ├── Hacl_Hash_Blake2b.h
│ │ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ │ ├── Hacl_Hash_Blake2s.h
│ │ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ │ ├── Hacl_Hash_MD5.h
│ │ │ ├── Hacl_Hash_SHA1.h
│ │ │ ├── Hacl_Hash_SHA2.h
│ │ │ ├── Hacl_Hash_SHA3.h
│ │ │ ├── Hacl_Impl_Blake2_Constants.h
│ │ │ ├── Hacl_Impl_FFDHE_Constants.h
│ │ │ ├── Hacl_K256_ECDSA.h
│ │ │ ├── Hacl_K256_PrecompTable.h
│ │ │ ├── Hacl_Krmllib.h
│ │ │ ├── Hacl_MAC_Poly1305.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ │ ├── Hacl_P256.h
│ │ │ ├── Hacl_P256_PrecompTable.h
│ │ │ ├── Hacl_SHA2_Types.h
│ │ │ ├── Hacl_Spec.h
│ │ │ ├── Hacl_Streaming_HMAC.h
│ │ │ ├── Hacl_Streaming_Types.h
│ │ │ └── Vale.h
│ │ ├── lib_intrinsics.h
│ │ ├── lib_memzero0.h
│ │ ├── libevercrypt.def
│ │ ├── libintvector-shim.h
│ │ ├── libintvector.h
│ │ ├── poly1305-x86_64-darwin.S
│ │ ├── poly1305-x86_64-linux.S
│ │ ├── poly1305-x86_64-mingw.S
│ │ ├── poly1305-x86_64-msvc.asm
│ │ ├── sha256-ppc64le.S
│ │ ├── sha256-x86_64-darwin.S
│ │ ├── sha256-x86_64-linux.S
│ │ ├── sha256-x86_64-mingw.S
│ │ └── sha256-x86_64-msvc.asm
│ ├── package-mozilla.sh
│ ├── portable-gcc-compatible/
│ │ ├── EverCrypt_AEAD.c
│ │ ├── EverCrypt_AEAD.h
│ │ ├── EverCrypt_AutoConfig2.c
│ │ ├── EverCrypt_AutoConfig2.h
│ │ ├── EverCrypt_Chacha20Poly1305.c
│ │ ├── EverCrypt_Chacha20Poly1305.h
│ │ ├── EverCrypt_Cipher.c
│ │ ├── EverCrypt_Cipher.h
│ │ ├── EverCrypt_Curve25519.c
│ │ ├── EverCrypt_Curve25519.h
│ │ ├── EverCrypt_DRBG.c
│ │ ├── EverCrypt_DRBG.h
│ │ ├── EverCrypt_Ed25519.c
│ │ ├── EverCrypt_Ed25519.h
│ │ ├── EverCrypt_Error.h
│ │ ├── EverCrypt_HKDF.c
│ │ ├── EverCrypt_HKDF.h
│ │ ├── EverCrypt_HMAC.c
│ │ ├── EverCrypt_HMAC.h
│ │ ├── EverCrypt_Hash.c
│ │ ├── EverCrypt_Hash.h
│ │ ├── EverCrypt_Poly1305.c
│ │ ├── EverCrypt_Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.h
│ │ ├── Hacl_AES128.h
│ │ ├── Hacl_Bignum.c
│ │ ├── Hacl_Bignum.h
│ │ ├── Hacl_Bignum256.c
│ │ ├── Hacl_Bignum256.h
│ │ ├── Hacl_Bignum256_32.c
│ │ ├── Hacl_Bignum256_32.h
│ │ ├── Hacl_Bignum32.c
│ │ ├── Hacl_Bignum32.h
│ │ ├── Hacl_Bignum4096.c
│ │ ├── Hacl_Bignum4096.h
│ │ ├── Hacl_Bignum4096_32.c
│ │ ├── Hacl_Bignum4096_32.h
│ │ ├── Hacl_Bignum64.c
│ │ ├── Hacl_Bignum64.h
│ │ ├── Hacl_Chacha20.c
│ │ ├── Hacl_Chacha20.h
│ │ ├── Hacl_Chacha20_Vec128.c
│ │ ├── Hacl_Chacha20_Vec128.h
│ │ ├── Hacl_Chacha20_Vec256.c
│ │ ├── Hacl_Chacha20_Vec256.h
│ │ ├── Hacl_Chacha20_Vec32.c
│ │ ├── Hacl_Chacha20_Vec32.h
│ │ ├── Hacl_Curve25519_51.c
│ │ ├── Hacl_Curve25519_51.h
│ │ ├── Hacl_Curve25519_64.c
│ │ ├── Hacl_Curve25519_64.h
│ │ ├── Hacl_EC_Ed25519.c
│ │ ├── Hacl_EC_Ed25519.h
│ │ ├── Hacl_EC_K256.c
│ │ ├── Hacl_EC_K256.h
│ │ ├── Hacl_Ed25519.c
│ │ ├── Hacl_Ed25519.h
│ │ ├── Hacl_FFDHE.c
│ │ ├── Hacl_FFDHE.h
│ │ ├── Hacl_Frodo1344.c
│ │ ├── Hacl_Frodo1344.h
│ │ ├── Hacl_Frodo64.c
│ │ ├── Hacl_Frodo64.h
│ │ ├── Hacl_Frodo640.c
│ │ ├── Hacl_Frodo640.h
│ │ ├── Hacl_Frodo976.c
│ │ ├── Hacl_Frodo976.h
│ │ ├── Hacl_Frodo_KEM.c
│ │ ├── Hacl_GenericField32.c
│ │ ├── Hacl_GenericField32.h
│ │ ├── Hacl_GenericField64.c
│ │ ├── Hacl_GenericField64.h
│ │ ├── Hacl_HKDF.c
│ │ ├── Hacl_HKDF.h
│ │ ├── Hacl_HKDF_Blake2b_256.c
│ │ ├── Hacl_HKDF_Blake2b_256.h
│ │ ├── Hacl_HKDF_Blake2s_128.c
│ │ ├── Hacl_HKDF_Blake2s_128.h
│ │ ├── Hacl_HMAC.c
│ │ ├── Hacl_HMAC.h
│ │ ├── Hacl_HMAC_Blake2b_256.c
│ │ ├── Hacl_HMAC_Blake2b_256.h
│ │ ├── Hacl_HMAC_Blake2s_128.c
│ │ ├── Hacl_HMAC_Blake2s_128.h
│ │ ├── Hacl_HMAC_DRBG.c
│ │ ├── Hacl_HMAC_DRBG.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.h
│ │ ├── Hacl_Hash_Base.c
│ │ ├── Hacl_Hash_Base.h
│ │ ├── Hacl_Hash_Blake2b.c
│ │ ├── Hacl_Hash_Blake2b.h
│ │ ├── Hacl_Hash_Blake2b_Simd256.c
│ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ ├── Hacl_Hash_Blake2s.c
│ │ ├── Hacl_Hash_Blake2s.h
│ │ ├── Hacl_Hash_Blake2s_Simd128.c
│ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ ├── Hacl_Hash_MD5.c
│ │ ├── Hacl_Hash_MD5.h
│ │ ├── Hacl_Hash_SHA1.c
│ │ ├── Hacl_Hash_SHA1.h
│ │ ├── Hacl_Hash_SHA2.c
│ │ ├── Hacl_Hash_SHA2.h
│ │ ├── Hacl_Hash_SHA3.c
│ │ ├── Hacl_Hash_SHA3.h
│ │ ├── Hacl_Hash_SHA3_Simd256.c
│ │ ├── Hacl_Hash_SHA3_Simd256.h
│ │ ├── Hacl_IntTypes_Intrinsics.h
│ │ ├── Hacl_IntTypes_Intrinsics_128.h
│ │ ├── Hacl_K256_ECDSA.c
│ │ ├── Hacl_K256_ECDSA.h
│ │ ├── Hacl_Krmllib.h
│ │ ├── Hacl_MAC_Poly1305.c
│ │ ├── Hacl_MAC_Poly1305.h
│ │ ├── Hacl_MAC_Poly1305_Simd128.c
│ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ ├── Hacl_MAC_Poly1305_Simd256.c
│ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ ├── Hacl_NaCl.c
│ │ ├── Hacl_NaCl.h
│ │ ├── Hacl_P256.c
│ │ ├── Hacl_P256.h
│ │ ├── Hacl_RSAPSS.c
│ │ ├── Hacl_RSAPSS.h
│ │ ├── Hacl_SHA2_Types.h
│ │ ├── Hacl_SHA2_Vec128.c
│ │ ├── Hacl_SHA2_Vec128.h
│ │ ├── Hacl_SHA2_Vec256.c
│ │ ├── Hacl_SHA2_Vec256.h
│ │ ├── Hacl_Salsa20.c
│ │ ├── Hacl_Salsa20.h
│ │ ├── Hacl_Spec.h
│ │ ├── Hacl_Streaming_HMAC.c
│ │ ├── Hacl_Streaming_HMAC.h
│ │ ├── Hacl_Streaming_Types.h
│ │ ├── INFO.txt
│ │ ├── Lib_Memzero0.c
│ │ ├── Lib_PrintBuffer.c
│ │ ├── Lib_PrintBuffer.h
│ │ ├── Lib_RandomBuffer_System.c
│ │ ├── Lib_RandomBuffer_System.h
│ │ ├── Makefile
│ │ ├── Makefile.basic
│ │ ├── Makefile.include
│ │ ├── TestLib.h
│ │ ├── Vale.c
│ │ ├── aesgcm-ppc64le.S
│ │ ├── aesgcm-x86_64-darwin.S
│ │ ├── aesgcm-x86_64-linux.S
│ │ ├── aesgcm-x86_64-mingw.S
│ │ ├── aesgcm-x86_64-msvc.asm
│ │ ├── clients/
│ │ │ └── krmlrenamings.h
│ │ ├── configure
│ │ ├── cpuid-x86_64-darwin.S
│ │ ├── cpuid-x86_64-linux.S
│ │ ├── cpuid-x86_64-mingw.S
│ │ ├── cpuid-x86_64-msvc.asm
│ │ ├── curve25519-inline.h
│ │ ├── curve25519-x86_64-darwin.S
│ │ ├── curve25519-x86_64-linux.S
│ │ ├── curve25519-x86_64-mingw.S
│ │ ├── curve25519-x86_64-msvc.asm
│ │ ├── evercrypt_targetconfig.h
│ │ ├── internal/
│ │ │ ├── EverCrypt_AEAD.h
│ │ │ ├── EverCrypt_DRBG.h
│ │ │ ├── EverCrypt_HMAC.h
│ │ │ ├── EverCrypt_Hash.h
│ │ │ ├── Hacl_Bignum.h
│ │ │ ├── Hacl_Bignum25519_51.h
│ │ │ ├── Hacl_Bignum_Base.h
│ │ │ ├── Hacl_Bignum_K256.h
│ │ │ ├── Hacl_Chacha20.h
│ │ │ ├── Hacl_Curve25519_51.h
│ │ │ ├── Hacl_Ed25519.h
│ │ │ ├── Hacl_Ed25519_PrecompTable.h
│ │ │ ├── Hacl_Frodo_KEM.h
│ │ │ ├── Hacl_HMAC.h
│ │ │ ├── Hacl_Hash_Blake2b.h
│ │ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ │ ├── Hacl_Hash_Blake2s.h
│ │ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ │ ├── Hacl_Hash_MD5.h
│ │ │ ├── Hacl_Hash_SHA1.h
│ │ │ ├── Hacl_Hash_SHA2.h
│ │ │ ├── Hacl_Hash_SHA3.h
│ │ │ ├── Hacl_Impl_Blake2_Constants.h
│ │ │ ├── Hacl_Impl_FFDHE_Constants.h
│ │ │ ├── Hacl_K256_ECDSA.h
│ │ │ ├── Hacl_K256_PrecompTable.h
│ │ │ ├── Hacl_Krmllib.h
│ │ │ ├── Hacl_MAC_Poly1305.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ │ ├── Hacl_P256.h
│ │ │ ├── Hacl_P256_PrecompTable.h
│ │ │ ├── Hacl_SHA2_Types.h
│ │ │ ├── Hacl_Spec.h
│ │ │ ├── Hacl_Streaming_HMAC.h
│ │ │ ├── Hacl_Streaming_Types.h
│ │ │ └── Vale.h
│ │ ├── lib_intrinsics.h
│ │ ├── lib_memzero0.h
│ │ ├── libevercrypt.def
│ │ ├── libintvector-shim.h
│ │ ├── libintvector.h
│ │ ├── poly1305-x86_64-darwin.S
│ │ ├── poly1305-x86_64-linux.S
│ │ ├── poly1305-x86_64-mingw.S
│ │ ├── poly1305-x86_64-msvc.asm
│ │ ├── sha256-ppc64le.S
│ │ ├── sha256-x86_64-darwin.S
│ │ ├── sha256-x86_64-linux.S
│ │ ├── sha256-x86_64-mingw.S
│ │ └── sha256-x86_64-msvc.asm
│ ├── test/
│ │ ├── c/
│ │ │ ├── Hacl_Test_ECDSA.c
│ │ │ ├── Hacl_Test_ECDSA.h
│ │ │ ├── Hacl_Test_HMAC_DRBG.c
│ │ │ ├── Hacl_Test_HMAC_DRBG.h
│ │ │ ├── Hacl_Test_K256.c
│ │ │ ├── Hacl_Test_K256.h
│ │ │ ├── Hacl_Test_SHA2.c
│ │ │ ├── Hacl_Test_SHA2.h
│ │ │ ├── Hacl_Test_SHA3.c
│ │ │ ├── Hacl_Test_SHA3.h
│ │ │ ├── Makefile
│ │ │ ├── Makefile.basic
│ │ │ ├── Makefile.include
│ │ │ ├── Test.c
│ │ │ ├── Test.h
│ │ │ └── internal/
│ │ │ └── Test.h
│ │ └── ml/
│ │ ├── Spec_AES_Test_AutoTest.ml
│ │ ├── Spec_Blake2_Test_AutoTest.ml
│ │ ├── Spec_Box_Test_AutoTest.ml
│ │ ├── Spec_Chacha20Poly1305_Test_AutoTest.ml
│ │ ├── Spec_Chacha20_Test_AutoTest.ml
│ │ ├── Spec_Curve25519_Test_AutoTest.ml
│ │ ├── Spec_Ed25519_Test_AutoTest.ml
│ │ ├── Spec_Frodo_Test_AutoTest.ml
│ │ ├── Spec_HKDF_Test_AutoTest.ml
│ │ ├── Spec_HMAC_DRBG_Test_AutoTest.ml
│ │ ├── Spec_HMAC_Test_AutoTest.ml
│ │ ├── Spec_Hash_Test_AutoTest.ml
│ │ ├── Spec_K256_Test_AutoTest.ml
│ │ ├── Spec_P256_Test_AutoTest.ml
│ │ ├── Spec_Poly1305_Test_AutoTest.ml
│ │ ├── Spec_SHA3_Test_AutoTest.ml
│ │ ├── Spec_Salsa20_Test_AutoTest.ml
│ │ └── Spec_SecretBox_Test_AutoTest.ml
│ ├── vale/
│ │ ├── aesgcm-ppc64le.S
│ │ ├── aesgcm-x86_64-darwin.S
│ │ ├── aesgcm-x86_64-linux.S
│ │ ├── aesgcm-x86_64-mingw.S
│ │ ├── aesgcm-x86_64-msvc.asm
│ │ ├── cpuid-x86_64-darwin.S
│ │ ├── cpuid-x86_64-linux.S
│ │ ├── cpuid-x86_64-mingw.S
│ │ ├── cpuid-x86_64-msvc.asm
│ │ ├── curve25519-inline.h
│ │ ├── curve25519-x86_64-darwin.S
│ │ ├── curve25519-x86_64-linux.S
│ │ ├── curve25519-x86_64-mingw.S
│ │ ├── curve25519-x86_64-msvc.asm
│ │ ├── poly1305-x86_64-darwin.S
│ │ ├── poly1305-x86_64-linux.S
│ │ ├── poly1305-x86_64-mingw.S
│ │ ├── poly1305-x86_64-msvc.asm
│ │ ├── sha256-ppc64le.S
│ │ ├── sha256-x86_64-darwin.S
│ │ ├── sha256-x86_64-linux.S
│ │ ├── sha256-x86_64-mingw.S
│ │ └── sha256-x86_64-msvc.asm
│ └── wasm/
│ ├── EverCrypt.wasm
│ ├── EverCrypt_Hash.wasm
│ ├── EverCrypt_TargetConfig.wasm
│ ├── FStar.wasm
│ ├── Hacl_AEAD_Chacha20Poly1305.wasm
│ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.wasm
│ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.wasm
│ ├── Hacl_Bignum.wasm
│ ├── Hacl_Bignum25519_51.wasm
│ ├── Hacl_Bignum256.wasm
│ ├── Hacl_Bignum256_32.wasm
│ ├── Hacl_Bignum32.wasm
│ ├── Hacl_Bignum4096.wasm
│ ├── Hacl_Bignum4096_32.wasm
│ ├── Hacl_Bignum64.wasm
│ ├── Hacl_Bignum_Base.wasm
│ ├── Hacl_Bignum_K256.wasm
│ ├── Hacl_Chacha20.wasm
│ ├── Hacl_Chacha20_Vec128_Hacl_Chacha20_Vec256.wasm
│ ├── Hacl_Chacha20_Vec32.wasm
│ ├── Hacl_Curve25519_51.wasm
│ ├── Hacl_EC_Ed25519.wasm
│ ├── Hacl_EC_K256.wasm
│ ├── Hacl_Ed25519.wasm
│ ├── Hacl_Ed25519_PrecompTable.wasm
│ ├── Hacl_GenericField32.wasm
│ ├── Hacl_GenericField64.wasm
│ ├── Hacl_HKDF.wasm
│ ├── Hacl_HKDF_Blake2b_256.wasm
│ ├── Hacl_HKDF_Blake2s_128.wasm
│ ├── Hacl_HMAC.wasm
│ ├── Hacl_HMAC_Blake2b_256.wasm
│ ├── Hacl_HMAC_Blake2s_128.wasm
│ ├── Hacl_HMAC_DRBG.wasm
│ ├── Hacl_HPKE_Curve51_CP32_SHA256.wasm
│ ├── Hacl_HPKE_Curve51_CP32_SHA512.wasm
│ ├── Hacl_Hash_Base.wasm
│ ├── Hacl_Hash_Blake2b.wasm
│ ├── Hacl_Hash_Blake2b_Simd256.wasm
│ ├── Hacl_Hash_Blake2s.wasm
│ ├── Hacl_Hash_Blake2s_Simd128.wasm
│ ├── Hacl_Hash_MD5.wasm
│ ├── Hacl_Hash_SHA1.wasm
│ ├── Hacl_Hash_SHA2.wasm
│ ├── Hacl_Hash_SHA3.wasm
│ ├── Hacl_Hash_SHA3_Simd256.wasm
│ ├── Hacl_Impl_Blake2_Constants.wasm
│ ├── Hacl_IntTypes_Intrinsics.wasm
│ ├── Hacl_K256_ECDSA.wasm
│ ├── Hacl_K256_PrecompTable.wasm
│ ├── Hacl_Lib.wasm
│ ├── Hacl_MAC_Poly1305.wasm
│ ├── Hacl_NaCl.wasm
│ ├── Hacl_P256.wasm
│ ├── Hacl_P256_PrecompTable.wasm
│ ├── Hacl_Poly1305_128_Hacl_Poly1305_256_Hacl_Impl_Poly1305.wasm
│ ├── Hacl_SHA2_Vec128.wasm
│ ├── Hacl_SHA2_Vec256.wasm
│ ├── Hacl_Salsa20.wasm
│ ├── Hacl_Streaming_HMAC.wasm
│ ├── INFO.txt
│ ├── LowStar_Endianness.wasm
│ ├── Makefile.basic
│ ├── README
│ ├── Vale.wasm
│ ├── WasmSupport.wasm
│ ├── browser.js
│ ├── layouts.json
│ ├── loader.js
│ ├── main.html
│ ├── main.js
│ └── shell.js
├── doc/
│ ├── API.rst
│ ├── Applications.rst
│ ├── EverCryptAEAD.rst
│ ├── EverCryptAutoConfig.rst
│ ├── EverCryptCTR.rst
│ ├── EverCryptDRBG.rst
│ ├── EverCryptDeprecated.rst
│ ├── EverCryptDoc.rst
│ ├── EverCryptHKDF.rst
│ ├── EverCryptHMAC.rst
│ ├── EverCryptHash.rst
│ ├── EverCryptNonAgile.rst
│ ├── General.rst
│ ├── HaclAEAD.rst
│ ├── HaclDoc.rst
│ ├── HaclECDH.rst
│ ├── HaclHash.rst
│ ├── HaclNaCl.rst
│ ├── HaclSig.rst
│ ├── HaclValeEverCrypt.rst
│ ├── Makefile
│ ├── Obtaining.rst
│ ├── Overview.rst
│ ├── README.md
│ ├── Randomness.rst
│ ├── Supported.rst
│ ├── _static/
│ │ └── .gitignore
│ ├── _templates/
│ │ └── layout.html
│ ├── ci.sh
│ ├── conf.py
│ └── index.rst
├── flake.nix
├── hints/
│ ├── EverCrypt.AEAD.fst.hints
│ ├── EverCrypt.AEAD.fsti.hints
│ ├── EverCrypt.AutoConfig2.fst.hints
│ ├── EverCrypt.AutoConfig2.fsti.hints
│ ├── EverCrypt.CTR.Keys.fst.hints
│ ├── EverCrypt.CTR.Keys.fsti.hints
│ ├── EverCrypt.Chacha20Poly1305.fst.hints
│ ├── EverCrypt.Chacha20Poly1305.fsti.hints
│ ├── EverCrypt.Cipher.fst.hints
│ ├── EverCrypt.Cipher.fsti.hints
│ ├── EverCrypt.Curve25519.fst.hints
│ ├── EverCrypt.Curve25519.fsti.hints
│ ├── EverCrypt.DRBG.fst.hints
│ ├── EverCrypt.DRBG.fsti.hints
│ ├── EverCrypt.Ed25519.fst.hints
│ ├── EverCrypt.Ed25519.fsti.hints
│ ├── EverCrypt.Error.fsti.hints
│ ├── EverCrypt.HKDF.fst.hints
│ ├── EverCrypt.HKDF.fsti.hints
│ ├── EverCrypt.HMAC.fst.hints
│ ├── EverCrypt.HMAC.fsti.hints
│ ├── EverCrypt.Hash.Incremental.Macros.fst.hints
│ ├── EverCrypt.Hash.Incremental.fst.hints
│ ├── EverCrypt.Hash.fst.hints
│ ├── EverCrypt.Hash.fsti.hints
│ ├── EverCrypt.Helpers.fsti.hints
│ ├── EverCrypt.Poly1305.fst.hints
│ ├── EverCrypt.Poly1305.fsti.hints
│ ├── EverCrypt.TargetConfig.fsti.hints
│ ├── Hacl.AES128.fsti.hints
│ ├── Hacl.Agile.Hash.fst.hints
│ ├── Hacl.Agile.Hash.fsti.hints
│ ├── Hacl.Bignum.Addition.fst.hints
│ ├── Hacl.Bignum.AlmostMontExponentiation.fst.hints
│ ├── Hacl.Bignum.AlmostMontgomery.fst.hints
│ ├── Hacl.Bignum.AlmostMontgomery.fsti.hints
│ ├── Hacl.Bignum.Base.fst.hints
│ ├── Hacl.Bignum.Comparison.fst.hints
│ ├── Hacl.Bignum.Convert.fst.hints
│ ├── Hacl.Bignum.Definitions.fst.hints
│ ├── Hacl.Bignum.Exponentiation.fst.hints
│ ├── Hacl.Bignum.Exponentiation.fsti.hints
│ ├── Hacl.Bignum.Karatsuba.fst.hints
│ ├── Hacl.Bignum.Lib.fst.hints
│ ├── Hacl.Bignum.ModInv.fst.hints
│ ├── Hacl.Bignum.ModInvLimb.fst.hints
│ ├── Hacl.Bignum.ModInvLimb.fsti.hints
│ ├── Hacl.Bignum.ModReduction.fst.hints
│ ├── Hacl.Bignum.MontArithmetic.fst.hints
│ ├── Hacl.Bignum.MontArithmetic.fsti.hints
│ ├── Hacl.Bignum.MontExponentiation.fst.hints
│ ├── Hacl.Bignum.Montgomery.fst.hints
│ ├── Hacl.Bignum.Montgomery.fsti.hints
│ ├── Hacl.Bignum.Multiplication.fst.hints
│ ├── Hacl.Bignum.SafeAPI.fst.hints
│ ├── Hacl.Bignum.fst.hints
│ ├── Hacl.Bignum.fsti.hints
│ ├── Hacl.Bignum25519.fst.hints
│ ├── Hacl.Bignum25519.fsti.hints
│ ├── Hacl.Bignum256.fst.hints
│ ├── Hacl.Bignum256.fsti.hints
│ ├── Hacl.Bignum256_32.fst.hints
│ ├── Hacl.Bignum256_32.fsti.hints
│ ├── Hacl.Bignum32.fst.hints
│ ├── Hacl.Bignum32.fsti.hints
│ ├── Hacl.Bignum4096.fst.hints
│ ├── Hacl.Bignum4096.fsti.hints
│ ├── Hacl.Bignum4096_32.fst.hints
│ ├── Hacl.Bignum4096_32.fsti.hints
│ ├── Hacl.Bignum64.fst.hints
│ ├── Hacl.Bignum64.fsti.hints
│ ├── Hacl.Blake2b_256.fst.hints
│ ├── Hacl.Blake2b_32.fst.hints
│ ├── Hacl.Blake2s_128.fst.hints
│ ├── Hacl.Blake2s_32.fst.hints
│ ├── Hacl.Chacha20.Vec128.fst.hints
│ ├── Hacl.Chacha20.Vec256.fst.hints
│ ├── Hacl.Chacha20.Vec32.fst.hints
│ ├── Hacl.Chacha20.fst.hints
│ ├── Hacl.Chacha20Poly1305_128.fst.hints
│ ├── Hacl.Chacha20Poly1305_256.fst.hints
│ ├── Hacl.Chacha20Poly1305_32.fst.hints
│ ├── Hacl.Curve25519_51.fst.hints
│ ├── Hacl.Curve25519_51.fsti.hints
│ ├── Hacl.Curve25519_64.fst.hints
│ ├── Hacl.Curve25519_64.fsti.hints
│ ├── Hacl.Curve25519_64_Local.fst.hints
│ ├── Hacl.Curve25519_64_Local.fsti.hints
│ ├── Hacl.Curve25519_64_Slow.fst.hints
│ ├── Hacl.Curve25519_64_Slow.fsti.hints
│ ├── Hacl.EC.Ed25519.fst.hints
│ ├── Hacl.EC.K256.fst.hints
│ ├── Hacl.Ed25519.PrecompTable.fst.hints
│ ├── Hacl.Ed25519.PrecompTable.fsti.hints
│ ├── Hacl.Ed25519.fst.hints
│ ├── Hacl.Ed25519.fsti.hints
│ ├── Hacl.FFDHE.fst.hints
│ ├── Hacl.Frodo.KEM.fst.hints
│ ├── Hacl.Frodo.Random.fst.hints
│ ├── Hacl.Frodo.Random.fsti.hints
│ ├── Hacl.Frodo1344.fst.hints
│ ├── Hacl.Frodo64.fst.hints
│ ├── Hacl.Frodo640.fst.hints
│ ├── Hacl.Frodo976.fst.hints
│ ├── Hacl.GenericField32.fst.hints
│ ├── Hacl.GenericField32.fsti.hints
│ ├── Hacl.GenericField64.fst.hints
│ ├── Hacl.GenericField64.fsti.hints
│ ├── Hacl.HKDF.Blake2b_256.fst.hints
│ ├── Hacl.HKDF.Blake2s_128.fst.hints
│ ├── Hacl.HKDF.fst.hints
│ ├── Hacl.HKDF.fsti.hints
│ ├── Hacl.HMAC.Blake2b_256.fst.hints
│ ├── Hacl.HMAC.Blake2s_128.fst.hints
│ ├── Hacl.HMAC.fst.hints
│ ├── Hacl.HMAC.fsti.hints
│ ├── Hacl.HMAC_DRBG.fst.hints
│ ├── Hacl.HMAC_DRBG.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP128_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve51_CP128_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP128_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve51_CP128_SHA512.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP256_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve51_CP256_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP256_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve51_CP256_SHA512.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP32_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve51_CP32_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP32_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve51_CP32_SHA512.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP128_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve64_CP128_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP128_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve64_CP128_SHA512.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP256_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve64_CP256_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP256_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve64_CP256_SHA512.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP32_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve64_CP32_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP32_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve64_CP32_SHA512.fsti.hints
│ ├── Hacl.HPKE.Interface.AEAD.fst.hints
│ ├── Hacl.HPKE.Interface.AEAD.fsti.hints
│ ├── Hacl.HPKE.Interface.DH.fst.hints
│ ├── Hacl.HPKE.Interface.HKDF.fst.hints
│ ├── Hacl.HPKE.Interface.Hash.fst.hints
│ ├── Hacl.HPKE.P256_CP128_SHA256.fst.hints
│ ├── Hacl.HPKE.P256_CP128_SHA256.fsti.hints
│ ├── Hacl.HPKE.P256_CP256_SHA256.fst.hints
│ ├── Hacl.HPKE.P256_CP256_SHA256.fsti.hints
│ ├── Hacl.HPKE.P256_CP32_SHA256.fst.hints
│ ├── Hacl.HPKE.P256_CP32_SHA256.fsti.hints
│ ├── Hacl.Hash.Blake2b_256.fst.hints
│ ├── Hacl.Hash.Blake2b_256.fsti.hints
│ ├── Hacl.Hash.Blake2b_32.fst.hints
│ ├── Hacl.Hash.Blake2b_32.fsti.hints
│ ├── Hacl.Hash.Blake2s_128.fst.hints
│ ├── Hacl.Hash.Blake2s_128.fsti.hints
│ ├── Hacl.Hash.Blake2s_32.fst.hints
│ ├── Hacl.Hash.Blake2s_32.fsti.hints
│ ├── Hacl.Hash.Core.MD5.fst.hints
│ ├── Hacl.Hash.Core.MD5.fsti.hints
│ ├── Hacl.Hash.Core.SHA1.fst.hints
│ ├── Hacl.Hash.Core.SHA1.fsti.hints
│ ├── Hacl.Hash.Definitions.fst.hints
│ ├── Hacl.Hash.Lemmas.fst.hints
│ ├── Hacl.Hash.MD.fst.hints
│ ├── Hacl.Hash.MD.fsti.hints
│ ├── Hacl.Hash.MD5.fst.hints
│ ├── Hacl.Hash.MD5.fsti.hints
│ ├── Hacl.Hash.PadFinish.fst.hints
│ ├── Hacl.Hash.PadFinish.fsti.hints
│ ├── Hacl.Hash.SHA1.fst.hints
│ ├── Hacl.Hash.SHA1.fsti.hints
│ ├── Hacl.Hash.SHA2.fst.hints
│ ├── Hacl.Hash.SHA2.fsti.hints
│ ├── Hacl.Hash.SHA3.Scalar.fst.hints
│ ├── Hacl.Hash.SHA3.Simd256.fst.hints
│ ├── Hacl.Hash.SHA3.fst.hints
│ ├── Hacl.Hash.SHA3.fsti.hints
│ ├── Hacl.Impl.BignumQ.Mul.fst.hints
│ ├── Hacl.Impl.BignumQ.Mul.fsti.hints
│ ├── Hacl.Impl.Blake2.Constants.fst.hints
│ ├── Hacl.Impl.Blake2.Core.fst.hints
│ ├── Hacl.Impl.Blake2.Core.fsti.hints
│ ├── Hacl.Impl.Blake2.Generic.fst.hints
│ ├── Hacl.Impl.Box.fst.hints
│ ├── Hacl.Impl.Chacha20.Core32.fst.hints
│ ├── Hacl.Impl.Chacha20.Core32xN.fst.hints
│ ├── Hacl.Impl.Chacha20.Vec.fst.hints
│ ├── Hacl.Impl.Chacha20.fst.hints
│ ├── Hacl.Impl.Chacha20Poly1305.PolyCore.fst.hints
│ ├── Hacl.Impl.Chacha20Poly1305.fst.hints
│ ├── Hacl.Impl.Curve25519.AddAndDouble.fst.hints
│ ├── Hacl.Impl.Curve25519.Field51.fst.hints
│ ├── Hacl.Impl.Curve25519.Field64.Hacl.fst.hints
│ ├── Hacl.Impl.Curve25519.Field64.Hacl.fsti.hints
│ ├── Hacl.Impl.Curve25519.Field64.Local.fsti.hints
│ ├── Hacl.Impl.Curve25519.Field64.Vale.fst.hints
│ ├── Hacl.Impl.Curve25519.Field64.Vale.fsti.hints
│ ├── Hacl.Impl.Curve25519.Field64.fst.hints
│ ├── Hacl.Impl.Curve25519.Fields.Core.fsti.hints
│ ├── Hacl.Impl.Curve25519.Fields.fst.hints
│ ├── Hacl.Impl.Curve25519.Finv.fst.hints
│ ├── Hacl.Impl.Curve25519.Generic.fst.hints
│ ├── Hacl.Impl.Curve25519.Generic.fsti.hints
│ ├── Hacl.Impl.Curve25519.Lemmas.fst.hints
│ ├── Hacl.Impl.Ed25519.Field51.fst.hints
│ ├── Hacl.Impl.Ed25519.Group.fst.hints
│ ├── Hacl.Impl.Ed25519.Ladder.fst.hints
│ ├── Hacl.Impl.Ed25519.Ladder.fsti.hints
│ ├── Hacl.Impl.Ed25519.PointAdd.fst.hints
│ ├── Hacl.Impl.Ed25519.PointCompress.fst.hints
│ ├── Hacl.Impl.Ed25519.PointConstants.fst.hints
│ ├── Hacl.Impl.Ed25519.PointDecompress.fst.hints
│ ├── Hacl.Impl.Ed25519.PointDouble.fst.hints
│ ├── Hacl.Impl.Ed25519.PointEqual.fst.hints
│ ├── Hacl.Impl.Ed25519.PointNegate.fst.hints
│ ├── Hacl.Impl.Ed25519.Pow2_252m2.fst.hints
│ ├── Hacl.Impl.Ed25519.RecoverX.fst.hints
│ ├── Hacl.Impl.Ed25519.Sign.fst.hints
│ ├── Hacl.Impl.Ed25519.Verify.fst.hints
│ ├── Hacl.Impl.Exponentiation.Definitions.fst.hints
│ ├── Hacl.Impl.Exponentiation.fst.hints
│ ├── Hacl.Impl.Exponentiation.fsti.hints
│ ├── Hacl.Impl.FFDHE.Constants.fst.hints
│ ├── Hacl.Impl.FFDHE.fst.hints
│ ├── Hacl.Impl.Frodo.Encode.fst.hints
│ ├── Hacl.Impl.Frodo.Gen.fst.hints
│ ├── Hacl.Impl.Frodo.KEM.Decaps.fst.hints
│ ├── Hacl.Impl.Frodo.KEM.Encaps.fst.hints
│ ├── Hacl.Impl.Frodo.KEM.KeyGen.fst.hints
│ ├── Hacl.Impl.Frodo.KEM.fst.hints
│ ├── Hacl.Impl.Frodo.Pack.fst.hints
│ ├── Hacl.Impl.Frodo.Params.fst.hints
│ ├── Hacl.Impl.Frodo.Sample.fst.hints
│ ├── Hacl.Impl.HPKE.fst.hints
│ ├── Hacl.Impl.HPKE.fsti.hints
│ ├── Hacl.Impl.HSalsa20.fst.hints
│ ├── Hacl.Impl.K256.Finv.fst.hints
│ ├── Hacl.Impl.K256.GLV.Constants.fst.hints
│ ├── Hacl.Impl.K256.GLV.Constants.fsti.hints
│ ├── Hacl.Impl.K256.GLV.fst.hints
│ ├── Hacl.Impl.K256.GLV.fsti.hints
│ ├── Hacl.Impl.K256.Group.fst.hints
│ ├── Hacl.Impl.K256.Point.fst.hints
│ ├── Hacl.Impl.K256.Point.fsti.hints
│ ├── Hacl.Impl.K256.PointAdd.fst.hints
│ ├── Hacl.Impl.K256.PointDouble.fst.hints
│ ├── Hacl.Impl.K256.PointMul.fst.hints
│ ├── Hacl.Impl.K256.PointMul.fsti.hints
│ ├── Hacl.Impl.K256.Qinv.fst.hints
│ ├── Hacl.Impl.K256.Sign.fst.hints
│ ├── Hacl.Impl.K256.Verify.fst.hints
│ ├── Hacl.Impl.Lib.fst.hints
│ ├── Hacl.Impl.Load56.fst.hints
│ ├── Hacl.Impl.Matrix.fst.hints
│ ├── Hacl.Impl.MultiExponentiation.fst.hints
│ ├── Hacl.Impl.MultiExponentiation.fsti.hints
│ ├── Hacl.Impl.P256.Bignum.fst.hints
│ ├── Hacl.Impl.P256.Bignum.fsti.hints
│ ├── Hacl.Impl.P256.Compression.fst.hints
│ ├── Hacl.Impl.P256.Compression.fsti.hints
│ ├── Hacl.Impl.P256.Constants.fst.hints
│ ├── Hacl.Impl.P256.DH.fst.hints
│ ├── Hacl.Impl.P256.DH.fsti.hints
│ ├── Hacl.Impl.P256.Field.fst.hints
│ ├── Hacl.Impl.P256.Field.fsti.hints
│ ├── Hacl.Impl.P256.Finv.fst.hints
│ ├── Hacl.Impl.P256.Finv.fsti.hints
│ ├── Hacl.Impl.P256.Group.fst.hints
│ ├── Hacl.Impl.P256.Point.fst.hints
│ ├── Hacl.Impl.P256.Point.fsti.hints
│ ├── Hacl.Impl.P256.PointAdd.fst.hints
│ ├── Hacl.Impl.P256.PointAdd.fsti.hints
│ ├── Hacl.Impl.P256.PointDouble.fst.hints
│ ├── Hacl.Impl.P256.PointDouble.fsti.hints
│ ├── Hacl.Impl.P256.PointMul.fst.hints
│ ├── Hacl.Impl.P256.PointMul.fsti.hints
│ ├── Hacl.Impl.P256.Qinv.fst.hints
│ ├── Hacl.Impl.P256.Qinv.fsti.hints
│ ├── Hacl.Impl.P256.Scalar.fst.hints
│ ├── Hacl.Impl.P256.Scalar.fsti.hints
│ ├── Hacl.Impl.P256.Sign.fst.hints
│ ├── Hacl.Impl.P256.Verify.fst.hints
│ ├── Hacl.Impl.Poly1305.Bignum128.fst.hints
│ ├── Hacl.Impl.Poly1305.Bignum128.fsti.hints
│ ├── Hacl.Impl.Poly1305.Field32xN.fst.hints
│ ├── Hacl.Impl.Poly1305.Field32xN_128.fst.hints
│ ├── Hacl.Impl.Poly1305.Field32xN_256.fst.hints
│ ├── Hacl.Impl.Poly1305.Field32xN_32.fst.hints
│ ├── Hacl.Impl.Poly1305.Fields.fst.hints
│ ├── Hacl.Impl.Poly1305.Lemmas.fst.hints
│ ├── Hacl.Impl.Poly1305.Lemmas.fsti.hints
│ ├── Hacl.Impl.Poly1305.fst.hints
│ ├── Hacl.Impl.Poly1305.fsti.hints
│ ├── Hacl.Impl.PrecompTable.fst.hints
│ ├── Hacl.Impl.PrecompTable.fsti.hints
│ ├── Hacl.Impl.RSAPSS.Keys.fst.hints
│ ├── Hacl.Impl.RSAPSS.MGF.fst.hints
│ ├── Hacl.Impl.RSAPSS.Padding.fst.hints
│ ├── Hacl.Impl.RSAPSS.fst.hints
│ ├── Hacl.Impl.SHA2.Core.fst.hints
│ ├── Hacl.Impl.SHA2.Generic.fst.hints
│ ├── Hacl.Impl.SHA2.Types.fst.hints
│ ├── Hacl.Impl.SHA3.Vec.fst.hints
│ ├── Hacl.Impl.SHA3.Vec.fsti.hints
│ ├── Hacl.Impl.SHA512.ModQ.fst.hints
│ ├── Hacl.Impl.Salsa20.Core32.fst.hints
│ ├── Hacl.Impl.Salsa20.fst.hints
│ ├── Hacl.Impl.SecretBox.fst.hints
│ ├── Hacl.Impl.Store56.fst.hints
│ ├── Hacl.IntTypes.Intrinsics.fst.hints
│ ├── Hacl.IntTypes.Intrinsics_128.fst.hints
│ ├── Hacl.K256.ECDSA.fst.hints
│ ├── Hacl.K256.ECDSA.fsti.hints
│ ├── Hacl.K256.Field.fst.hints
│ ├── Hacl.K256.Field.fsti.hints
│ ├── Hacl.K256.PrecompTable.fst.hints
│ ├── Hacl.K256.PrecompTable.fsti.hints
│ ├── Hacl.K256.Scalar.fst.hints
│ ├── Hacl.K256.Scalar.fsti.hints
│ ├── Hacl.Keccak.fst.hints
│ ├── Hacl.Keccak.fsti.hints
│ ├── Hacl.Meta.Chacha20.Vec.fst.hints
│ ├── Hacl.Meta.Chacha20Poly1305.fst.hints
│ ├── Hacl.Meta.Curve25519.fst.hints
│ ├── Hacl.Meta.Curve25519.fsti.hints
│ ├── Hacl.Meta.HPKE.fst.hints
│ ├── Hacl.Meta.HPKE.fsti.hints
│ ├── Hacl.Meta.Poly1305.fst.hints
│ ├── Hacl.Meta.Poly1305.fsti.hints
│ ├── Hacl.NaCl.fst.hints
│ ├── Hacl.P256.PrecompTable.fst.hints
│ ├── Hacl.P256.PrecompTable.fsti.hints
│ ├── Hacl.P256.fst.hints
│ ├── Hacl.P256.fsti.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas0.fst.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas0.fsti.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas1.fst.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas1.fsti.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas2.fst.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas2.fsti.hints
│ ├── Hacl.Poly1305_128.fst.hints
│ ├── Hacl.Poly1305_128.fsti.hints
│ ├── Hacl.Poly1305_256.fst.hints
│ ├── Hacl.Poly1305_256.fsti.hints
│ ├── Hacl.Poly1305_32.fst.hints
│ ├── Hacl.Poly1305_32.fsti.hints
│ ├── Hacl.RSAPSS.fst.hints
│ ├── Hacl.SHA2.Scalar32.Lemmas.fst.hints
│ ├── Hacl.SHA2.Scalar32.fst.hints
│ ├── Hacl.SHA2.Vec128.fst.hints
│ ├── Hacl.SHA2.Vec256.fst.hints
│ ├── Hacl.Salsa20.fst.hints
│ ├── Hacl.Spec.AlmostMontgomery.Lemmas.fst.hints
│ ├── Hacl.Spec.Bignum.Addition.fst.hints
│ ├── Hacl.Spec.Bignum.AlmostMontExponentiation.fst.hints
│ ├── Hacl.Spec.Bignum.AlmostMontgomery.fst.hints
│ ├── Hacl.Spec.Bignum.AlmostMontgomery.fsti.hints
│ ├── Hacl.Spec.Bignum.Base.fst.hints
│ ├── Hacl.Spec.Bignum.Comparison.fst.hints
│ ├── Hacl.Spec.Bignum.Convert.fst.hints
│ ├── Hacl.Spec.Bignum.Definitions.fst.hints
│ ├── Hacl.Spec.Bignum.Exponentiation.fst.hints
│ ├── Hacl.Spec.Bignum.Exponentiation.fsti.hints
│ ├── Hacl.Spec.Bignum.Karatsuba.fst.hints
│ ├── Hacl.Spec.Bignum.Lib.fst.hints
│ ├── Hacl.Spec.Bignum.ModInv.fst.hints
│ ├── Hacl.Spec.Bignum.ModInvLimb.fst.hints
│ ├── Hacl.Spec.Bignum.ModInvLimb.fsti.hints
│ ├── Hacl.Spec.Bignum.ModReduction.fst.hints
│ ├── Hacl.Spec.Bignum.MontArithmetic.fst.hints
│ ├── Hacl.Spec.Bignum.MontArithmetic.fsti.hints
│ ├── Hacl.Spec.Bignum.MontExponentiation.fst.hints
│ ├── Hacl.Spec.Bignum.Montgomery.fst.hints
│ ├── Hacl.Spec.Bignum.Montgomery.fsti.hints
│ ├── Hacl.Spec.Bignum.Multiplication.fst.hints
│ ├── Hacl.Spec.Bignum.Squaring.fst.hints
│ ├── Hacl.Spec.Bignum.fst.hints
│ ├── Hacl.Spec.Bignum.fsti.hints
│ ├── Hacl.Spec.BignumQ.Definitions.fst.hints
│ ├── Hacl.Spec.BignumQ.Lemmas.fst.hints
│ ├── Hacl.Spec.BignumQ.Mul.fst.hints
│ ├── Hacl.Spec.Chacha20.Equiv.fst.hints
│ ├── Hacl.Spec.Chacha20.Lemmas.fst.hints
│ ├── Hacl.Spec.Chacha20.Vec.fst.hints
│ ├── Hacl.Spec.Curve25519.AddAndDouble.fst.hints
│ ├── Hacl.Spec.Curve25519.Field51.Definition.fst.hints
│ ├── Hacl.Spec.Curve25519.Field51.Lemmas.fst.hints
│ ├── Hacl.Spec.Curve25519.Field51.fst.hints
│ ├── Hacl.Spec.Curve25519.Field64.Core.fst.hints
│ ├── Hacl.Spec.Curve25519.Field64.Definition.fst.hints
│ ├── Hacl.Spec.Curve25519.Field64.Lemmas.fst.hints
│ ├── Hacl.Spec.Curve25519.Field64.fst.hints
│ ├── Hacl.Spec.Curve25519.Finv.fst.hints
│ ├── Hacl.Spec.Ed25519.PrecompTable.fst.hints
│ ├── Hacl.Spec.Ed25519.PrecompTable.fsti.hints
│ ├── Hacl.Spec.Exponentiation.Lemmas.fst.hints
│ ├── Hacl.Spec.FFDHE.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.ECSM.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.Field52.Definitions.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.Field52.Definitions.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas.fsti.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas1.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas2.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas3.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas4.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas5.fst.hints
│ ├── Hacl.Spec.K256.Field52.fst.hints
│ ├── Hacl.Spec.K256.Finv.fst.hints
│ ├── Hacl.Spec.K256.GLV.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.GLV.fst.hints
│ ├── Hacl.Spec.K256.MathLemmas.fst.hints
│ ├── Hacl.Spec.K256.PrecompTable.fst.hints
│ ├── Hacl.Spec.K256.PrecompTable.fsti.hints
│ ├── Hacl.Spec.K256.Qinv.fst.hints
│ ├── Hacl.Spec.K256.Scalar.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.Scalar.fst.hints
│ ├── Hacl.Spec.Karatsuba.Lemmas.fst.hints
│ ├── Hacl.Spec.Lib.fst.hints
│ ├── Hacl.Spec.Montgomery.Lemmas.fst.hints
│ ├── Hacl.Spec.P256.Finv.fst.hints
│ ├── Hacl.Spec.P256.Montgomery.fst.hints
│ ├── Hacl.Spec.P256.Montgomery.fsti.hints
│ ├── Hacl.Spec.P256.PrecompTable.fst.hints
│ ├── Hacl.Spec.P256.PrecompTable.fsti.hints
│ ├── Hacl.Spec.P256.Qinv.fst.hints
│ ├── Hacl.Spec.Poly1305.Equiv.fst.hints
│ ├── Hacl.Spec.Poly1305.Equiv.fsti.hints
│ ├── Hacl.Spec.Poly1305.Field32xN.Lemmas.fst.hints
│ ├── Hacl.Spec.Poly1305.Field32xN.fst.hints
│ ├── Hacl.Spec.Poly1305.Lemmas.fst.hints
│ ├── Hacl.Spec.Poly1305.Vec.fst.hints
│ ├── Hacl.Spec.PrecompBaseTable.fst.hints
│ ├── Hacl.Spec.PrecompBaseTable.fsti.hints
│ ├── Hacl.Spec.PrecompBaseTable256.fst.hints
│ ├── Hacl.Spec.PrecompBaseTable256.fsti.hints
│ ├── Hacl.Spec.PrecompTable.fst.hints
│ ├── Hacl.Spec.RSAPSS.fst.hints
│ ├── Hacl.Spec.SHA2.Equiv.fst.hints
│ ├── Hacl.Spec.SHA2.EquivScalar.fst.hints
│ ├── Hacl.Spec.SHA2.EquivScalar.fsti.hints
│ ├── Hacl.Spec.SHA2.Lemmas.fst.hints
│ ├── Hacl.Spec.SHA2.Vec.fst.hints
│ ├── Hacl.Spec.SHA2.fst.hints
│ ├── Hacl.Spec.SHA3.Equiv.fst.hints
│ ├── Hacl.Spec.SHA3.Equiv.fsti.hints
│ ├── Hacl.Spec.SHA3.Lemmas.fst.hints
│ ├── Hacl.Spec.SHA3.Vec.Common.fst.hints
│ ├── Hacl.Spec.SHA3.Vec.fst.hints
│ ├── Hacl.Streaming.Blake2.Common.fst.hints
│ ├── Hacl.Streaming.Blake2.Params.fst.hints
│ ├── Hacl.Streaming.Blake2.Params.fsti.hints
│ ├── Hacl.Streaming.Blake2b_256.fst.hints
│ ├── Hacl.Streaming.Blake2b_32.fst.hints
│ ├── Hacl.Streaming.Blake2s_128.fst.hints
│ ├── Hacl.Streaming.Blake2s_32.fst.hints
│ ├── Hacl.Streaming.Functor.fst.hints
│ ├── Hacl.Streaming.Functor.fsti.hints
│ ├── Hacl.Streaming.HMAC.Definitions.fst.hints
│ ├── Hacl.Streaming.HMAC.Definitions.fsti.hints
│ ├── Hacl.Streaming.HMAC.fst.hints
│ ├── Hacl.Streaming.Interface.fsti.hints
│ ├── Hacl.Streaming.Keccak.fst.hints
│ ├── Hacl.Streaming.MD.fst.hints
│ ├── Hacl.Streaming.MD5.fst.hints
│ ├── Hacl.Streaming.Poly1305.fst.hints
│ ├── Hacl.Streaming.Poly1305_128.fst.hints
│ ├── Hacl.Streaming.Poly1305_128.fsti.hints
│ ├── Hacl.Streaming.Poly1305_256.fst.hints
│ ├── Hacl.Streaming.Poly1305_256.fsti.hints
│ ├── Hacl.Streaming.Poly1305_32.fst.hints
│ ├── Hacl.Streaming.Poly1305_32.fsti.hints
│ ├── Hacl.Streaming.SHA1.fst.hints
│ ├── Hacl.Streaming.SHA2.fst.hints
│ ├── Hacl.Streaming.Spec.fst.hints
│ ├── Hacl.Streaming.Types.fst.hints
│ ├── Hacl.Test.ECDSA.fst.hints
│ ├── Hacl.Test.Ed25519.fst.hints
│ ├── Hacl.Test.HMAC_DRBG.fst.hints
│ ├── Hacl.Test.K256.fst.hints
│ ├── Hacl.Test.SHA2.fst.hints
│ ├── Hacl.Test.SHA3.fst.hints
│ ├── Lib.Buffer.fst.hints
│ ├── Lib.Buffer.fsti.hints
│ ├── Lib.ByteBuffer.fst.hints
│ ├── Lib.ByteBuffer.fsti.hints
│ ├── Lib.ByteSequence.fst.hints
│ ├── Lib.ByteSequence.fsti.hints
│ ├── Lib.Exponentiation.Definition.fst.hints
│ ├── Lib.Exponentiation.Definition.fsti.hints
│ ├── Lib.Exponentiation.fst.hints
│ ├── Lib.Exponentiation.fsti.hints
│ ├── Lib.IntTypes.Compatibility.fst.hints
│ ├── Lib.IntTypes.Intrinsics.fsti.hints
│ ├── Lib.IntTypes.fst.hints
│ ├── Lib.IntTypes.fsti.hints
│ ├── Lib.IntVector.Intrinsics.fsti.hints
│ ├── Lib.IntVector.Serialize.fst.hints
│ ├── Lib.IntVector.Serialize.fsti.hints
│ ├── Lib.IntVector.Transpose.fst.hints
│ ├── Lib.IntVector.Transpose.fsti.hints
│ ├── Lib.IntVector.fst.hints
│ ├── Lib.IntVector.fsti.hints
│ ├── Lib.LoopCombinators.fst.hints
│ ├── Lib.LoopCombinators.fsti.hints
│ ├── Lib.Loops.fst.hints
│ ├── Lib.Loops.fsti.hints
│ ├── Lib.Memzero0.fsti.hints
│ ├── Lib.Meta.fst.hints
│ ├── Lib.MultiBuffer.fst.hints
│ ├── Lib.NTuple.fst.hints
│ ├── Lib.NTuple.fsti.hints
│ ├── Lib.NatMod.fst.hints
│ ├── Lib.NatMod.fsti.hints
│ ├── Lib.PrintBuffer.fsti.hints
│ ├── Lib.PrintSequence.fst.hints
│ ├── Lib.PrintSequence.fsti.hints
│ ├── Lib.RandomBuffer.System.fsti.hints
│ ├── Lib.RandomSequence.fsti.hints
│ ├── Lib.RawIntTypes.fst.hints
│ ├── Lib.RawIntTypes.fsti.hints
│ ├── Lib.Sequence.Lemmas.fst.hints
│ ├── Lib.Sequence.Lemmas.fsti.hints
│ ├── Lib.Sequence.fst.hints
│ ├── Lib.Sequence.fsti.hints
│ ├── Lib.UpdateMulti.Lemmas.fst.hints
│ ├── Lib.UpdateMulti.Lemmas.fsti.hints
│ ├── Lib.UpdateMulti.fst.hints
│ ├── Lib.Vec.Lemmas.fst.hints
│ ├── Lib.Vec.Lemmas.fsti.hints
│ ├── Meta.Attribute.fst.hints
│ ├── Meta.Interface.fst.hints
│ ├── Spec.AES.Test.fst.hints
│ ├── Spec.AES.fst.hints
│ ├── Spec.Agile.AEAD.fst.hints
│ ├── Spec.Agile.AEAD.fsti.hints
│ ├── Spec.Agile.CTR.fst.hints
│ ├── Spec.Agile.Cipher.fst.hints
│ ├── Spec.Agile.Cipher.fsti.hints
│ ├── Spec.Agile.DH.fst.hints
│ ├── Spec.Agile.HKDF.fst.hints
│ ├── Spec.Agile.HKDF.fsti.hints
│ ├── Spec.Agile.HMAC.fst.hints
│ ├── Spec.Agile.HMAC.fsti.hints
│ ├── Spec.Agile.HPKE.fst.hints
│ ├── Spec.Agile.HPKE.fsti.hints
│ ├── Spec.Agile.Hash.fst.hints
│ ├── Spec.Agile.Hash.fsti.hints
│ ├── Spec.Blake2.Alternative.fst.hints
│ ├── Spec.Blake2.Alternative.fsti.hints
│ ├── Spec.Blake2.Definitions.fst.hints
│ ├── Spec.Blake2.Incremental.fst.hints
│ ├── Spec.Blake2.Incremental.fsti.hints
│ ├── Spec.Blake2.Test.fst.hints
│ ├── Spec.Blake2.fst.hints
│ ├── Spec.Box.Test.fst.hints
│ ├── Spec.Box.fst.hints
│ ├── Spec.Chacha20.Test.fst.hints
│ ├── Spec.Chacha20.fst.hints
│ ├── Spec.Chacha20Poly1305.Test.fst.hints
│ ├── Spec.Chacha20Poly1305.fst.hints
│ ├── Spec.Cipher.Expansion.fst.hints
│ ├── Spec.Cipher.Expansion.fsti.hints
│ ├── Spec.Curve25519.Lemmas.fst.hints
│ ├── Spec.Curve25519.Test.fst.hints
│ ├── Spec.Curve25519.fst.hints
│ ├── Spec.ECDSA.Test.Vectors.fst.hints
│ ├── Spec.Ed25519.Lemmas.fst.hints
│ ├── Spec.Ed25519.Lemmas.fsti.hints
│ ├── Spec.Ed25519.PointOps.fst.hints
│ ├── Spec.Ed25519.Test.fst.hints
│ ├── Spec.Ed25519.fst.hints
│ ├── Spec.Exponentiation.fst.hints
│ ├── Spec.Exponentiation.fsti.hints
│ ├── Spec.FFDHE.fst.hints
│ ├── Spec.Frodo.Encode.fst.hints
│ ├── Spec.Frodo.Gen.fst.hints
│ ├── Spec.Frodo.KEM.Decaps.fst.hints
│ ├── Spec.Frodo.KEM.Encaps.fst.hints
│ ├── Spec.Frodo.KEM.KeyGen.fst.hints
│ ├── Spec.Frodo.KEM.fst.hints
│ ├── Spec.Frodo.Lemmas.fst.hints
│ ├── Spec.Frodo.Pack.fst.hints
│ ├── Spec.Frodo.Params.fst.hints
│ ├── Spec.Frodo.Random.fst.hints
│ ├── Spec.Frodo.Sample.fst.hints
│ ├── Spec.Frodo.Test.fst.hints
│ ├── Spec.GaloisField.fst.hints
│ ├── Spec.HKDF.Test.fst.hints
│ ├── Spec.HMAC.Incremental.fst.hints
│ ├── Spec.HMAC.Incremental.fsti.hints
│ ├── Spec.HMAC.Test.fst.hints
│ ├── Spec.HMAC_DRBG.Test.Vectors.fst.hints
│ ├── Spec.HMAC_DRBG.Test.fst.hints
│ ├── Spec.HMAC_DRBG.fst.hints
│ ├── Spec.HMAC_DRBG.fsti.hints
│ ├── Spec.Hash.Definitions.fst.hints
│ ├── Spec.Hash.Incremental.Definitions.fst.hints
│ ├── Spec.Hash.Incremental.fst.hints
│ ├── Spec.Hash.Incremental.fsti.hints
│ ├── Spec.Hash.Lemmas.fst.hints
│ ├── Spec.Hash.Lemmas.fsti.hints
│ ├── Spec.Hash.MD.fst.hints
│ ├── Spec.Hash.Test.fst.hints
│ ├── Spec.K256.Lemmas.fst.hints
│ ├── Spec.K256.Lemmas.fsti.hints
│ ├── Spec.K256.PointOps.fst.hints
│ ├── Spec.K256.Test.fst.hints
│ ├── Spec.K256.fst.hints
│ ├── Spec.MD.Incremental.fst.hints
│ ├── Spec.MD.Incremental.fsti.hints
│ ├── Spec.MD5.fst.hints
│ ├── Spec.MD5.fsti.hints
│ ├── Spec.Matrix.fst.hints
│ ├── Spec.P256.Lemmas.fst.hints
│ ├── Spec.P256.Lemmas.fsti.hints
│ ├── Spec.P256.PointOps.fst.hints
│ ├── Spec.P256.Test.fst.hints
│ ├── Spec.P256.fst.hints
│ ├── Spec.Poly1305.Test.fst.hints
│ ├── Spec.Poly1305.fst.hints
│ ├── Spec.RSAPSS.fst.hints
│ ├── Spec.SHA1.fst.hints
│ ├── Spec.SHA1.fsti.hints
│ ├── Spec.SHA2.Constants.fst.hints
│ ├── Spec.SHA2.Lemmas.fst.hints
│ ├── Spec.SHA2.Lemmas.fsti.hints
│ ├── Spec.SHA2.fst.hints
│ ├── Spec.SHA2.fsti.hints
│ ├── Spec.SHA3.Constants.fst.hints
│ ├── Spec.SHA3.Equivalence.fst.hints
│ ├── Spec.SHA3.Incremental.fst.hints
│ ├── Spec.SHA3.Incremental.fsti.hints
│ ├── Spec.SHA3.Test.fst.hints
│ ├── Spec.SHA3.fst.hints
│ ├── Spec.Salsa20.Test.fst.hints
│ ├── Spec.Salsa20.fst.hints
│ ├── Spec.SecretBox.Test.fst.hints
│ ├── Spec.SecretBox.fst.hints
│ ├── Test.Hash.fst.hints
│ ├── Test.Lowstarize.fst.hints
│ ├── Test.NoHeap.fst.hints
│ ├── Test.NoHeap.fsti.hints
│ ├── Test.Vectors.Aes128.fst.hints
│ ├── Test.Vectors.Aes128Gcm.fst.hints
│ ├── Test.Vectors.Chacha20Poly1305.fst.hints
│ ├── Test.Vectors.Curve25519.fst.hints
│ ├── Test.Vectors.Poly1305.fst.hints
│ ├── Test.Vectors.fst.hints
│ ├── Test.fst.hints
│ ├── Test.fsti.hints
│ ├── Vale.AES.AES256_helpers.fst.hints
│ ├── Vale.AES.AES256_helpers.fsti.hints
│ ├── Vale.AES.AES256_helpers_BE.fst.hints
│ ├── Vale.AES.AES256_helpers_BE.fsti.hints
│ ├── Vale.AES.AES_BE_s.fst.hints
│ ├── Vale.AES.AES_common_s.fst.hints
│ ├── Vale.AES.AES_helpers.fst.hints
│ ├── Vale.AES.AES_helpers.fsti.hints
│ ├── Vale.AES.AES_helpers_BE.fst.hints
│ ├── Vale.AES.AES_helpers_BE.fsti.hints
│ ├── Vale.AES.AES_s.fst.hints
│ ├── Vale.AES.GCM.fst.hints
│ ├── Vale.AES.GCM.fsti.hints
│ ├── Vale.AES.GCM_BE.fst.hints
│ ├── Vale.AES.GCM_BE.fsti.hints
│ ├── Vale.AES.GCM_BE_s.fst.hints
│ ├── Vale.AES.GCM_helpers.fst.hints
│ ├── Vale.AES.GCM_helpers.fsti.hints
│ ├── Vale.AES.GCM_helpers_BE.fst.hints
│ ├── Vale.AES.GCM_helpers_BE.fsti.hints
│ ├── Vale.AES.GCM_s.fst.hints
│ ├── Vale.AES.GCTR.fst.hints
│ ├── Vale.AES.GCTR.fsti.hints
│ ├── Vale.AES.GCTR_BE.fst.hints
│ ├── Vale.AES.GCTR_BE.fsti.hints
│ ├── Vale.AES.GCTR_BE_s.fst.hints
│ ├── Vale.AES.GCTR_s.fst.hints
│ ├── Vale.AES.GF128.fst.hints
│ ├── Vale.AES.GF128.fsti.hints
│ ├── Vale.AES.GF128_s.fst.hints
│ ├── Vale.AES.GF128_s.fsti.hints
│ ├── Vale.AES.GHash.fst.hints
│ ├── Vale.AES.GHash.fsti.hints
│ ├── Vale.AES.GHash_BE.fst.hints
│ ├── Vale.AES.GHash_BE.fsti.hints
│ ├── Vale.AES.GHash_BE_s.fst.hints
│ ├── Vale.AES.GHash_s.fst.hints
│ ├── Vale.AES.Gcm_simplify.fst.hints
│ ├── Vale.AES.Gcm_simplify.fsti.hints
│ ├── Vale.AES.OptPublic.fst.hints
│ ├── Vale.AES.OptPublic.fsti.hints
│ ├── Vale.AES.OptPublic_BE.fst.hints
│ ├── Vale.AES.OptPublic_BE.fsti.hints
│ ├── Vale.AES.PPC64LE.AES.fst.hints
│ ├── Vale.AES.PPC64LE.AES.fsti.hints
│ ├── Vale.AES.PPC64LE.AES128.fst.hints
│ ├── Vale.AES.PPC64LE.AES128.fsti.hints
│ ├── Vale.AES.PPC64LE.AES256.fst.hints
│ ├── Vale.AES.PPC64LE.AES256.fsti.hints
│ ├── Vale.AES.PPC64LE.GCMdecrypt.fst.hints
│ ├── Vale.AES.PPC64LE.GCMdecrypt.fsti.hints
│ ├── Vale.AES.PPC64LE.GCMencrypt.fst.hints
│ ├── Vale.AES.PPC64LE.GCMencrypt.fsti.hints
│ ├── Vale.AES.PPC64LE.GCTR.fst.hints
│ ├── Vale.AES.PPC64LE.GCTR.fsti.hints
│ ├── Vale.AES.PPC64LE.GF128_Init.fst.hints
│ ├── Vale.AES.PPC64LE.GF128_Init.fsti.hints
│ ├── Vale.AES.PPC64LE.GF128_Mul.fst.hints
│ ├── Vale.AES.PPC64LE.GF128_Mul.fsti.hints
│ ├── Vale.AES.PPC64LE.GHash.fst.hints
│ ├── Vale.AES.PPC64LE.GHash.fsti.hints
│ ├── Vale.AES.PPC64LE.PolyOps.fst.hints
│ ├── Vale.AES.PPC64LE.PolyOps.fsti.hints
│ ├── Vale.AES.Types_helpers.fst.hints
│ ├── Vale.AES.Types_helpers.fsti.hints
│ ├── Vale.AES.X64.AES.fst.hints
│ ├── Vale.AES.X64.AES.fsti.hints
│ ├── Vale.AES.X64.AES128.fst.hints
│ ├── Vale.AES.X64.AES128.fsti.hints
│ ├── Vale.AES.X64.AES256.fst.hints
│ ├── Vale.AES.X64.AES256.fsti.hints
│ ├── Vale.AES.X64.AESCTR.fst.hints
│ ├── Vale.AES.X64.AESCTR.fsti.hints
│ ├── Vale.AES.X64.AESCTRplain.fst.hints
│ ├── Vale.AES.X64.AESCTRplain.fsti.hints
│ ├── Vale.AES.X64.AESGCM.fst.hints
│ ├── Vale.AES.X64.AESGCM.fsti.hints
│ ├── Vale.AES.X64.AESGCM_expected_code.fst.hints
│ ├── Vale.AES.X64.AESGCM_expected_code.fsti.hints
│ ├── Vale.AES.X64.AESopt.fst.hints
│ ├── Vale.AES.X64.AESopt.fsti.hints
│ ├── Vale.AES.X64.AESopt2.fst.hints
│ ├── Vale.AES.X64.AESopt2.fsti.hints
│ ├── Vale.AES.X64.GCMdecryptOpt.fst.hints
│ ├── Vale.AES.X64.GCMdecryptOpt.fsti.hints
│ ├── Vale.AES.X64.GCMencryptOpt.fst.hints
│ ├── Vale.AES.X64.GCMencryptOpt.fsti.hints
│ ├── Vale.AES.X64.GCTR.fst.hints
│ ├── Vale.AES.X64.GCTR.fsti.hints
│ ├── Vale.AES.X64.GF128_Init.fst.hints
│ ├── Vale.AES.X64.GF128_Init.fsti.hints
│ ├── Vale.AES.X64.GF128_Mul.fst.hints
│ ├── Vale.AES.X64.GF128_Mul.fsti.hints
│ ├── Vale.AES.X64.GHash.fst.hints
│ ├── Vale.AES.X64.GHash.fsti.hints
│ ├── Vale.AES.X64.PolyOps.fst.hints
│ ├── Vale.AES.X64.PolyOps.fsti.hints
│ ├── Vale.Arch.BufferFriend.fst.hints
│ ├── Vale.Arch.BufferFriend.fsti.hints
│ ├── Vale.Arch.Heap.fst.hints
│ ├── Vale.Arch.Heap.fsti.hints
│ ├── Vale.Arch.HeapImpl.fst.hints
│ ├── Vale.Arch.HeapImpl.fsti.hints
│ ├── Vale.Arch.HeapLemmas.fst.hints
│ ├── Vale.Arch.HeapLemmas.fsti.hints
│ ├── Vale.Arch.HeapTypes_s.fst.hints
│ ├── Vale.Arch.MachineHeap.fst.hints
│ ├── Vale.Arch.MachineHeap.fsti.hints
│ ├── Vale.Arch.MachineHeap_s.fst.hints
│ ├── Vale.Arch.Types.fst.hints
│ ├── Vale.Arch.Types.fsti.hints
│ ├── Vale.Arch.TypesNative.fst.hints
│ ├── Vale.Arch.TypesNative.fsti.hints
│ ├── Vale.AsLowStar.LowStarSig.fst.hints
│ ├── Vale.AsLowStar.MemoryHelpers.fst.hints
│ ├── Vale.AsLowStar.MemoryHelpers.fsti.hints
│ ├── Vale.AsLowStar.Test.fst.hints
│ ├── Vale.AsLowStar.ValeSig.fst.hints
│ ├── Vale.AsLowStar.Wrapper.fst.hints
│ ├── Vale.AsLowStar.Wrapper.fsti.hints
│ ├── Vale.Bignum.Defs.fst.hints
│ ├── Vale.Bignum.Defs.fsti.hints
│ ├── Vale.Bignum.Lemmas.fst.hints
│ ├── Vale.Bignum.Lemmas.fsti.hints
│ ├── Vale.Bignum.X64.fst.hints
│ ├── Vale.Bignum.X64.fsti.hints
│ ├── Vale.Curve25519.FastHybrid_helpers.fst.hints
│ ├── Vale.Curve25519.FastHybrid_helpers.fsti.hints
│ ├── Vale.Curve25519.FastMul_helpers.fst.hints
│ ├── Vale.Curve25519.FastMul_helpers.fsti.hints
│ ├── Vale.Curve25519.FastSqr_helpers.fst.hints
│ ├── Vale.Curve25519.FastSqr_helpers.fsti.hints
│ ├── Vale.Curve25519.FastUtil_helpers.fst.hints
│ ├── Vale.Curve25519.FastUtil_helpers.fsti.hints
│ ├── Vale.Curve25519.Fast_defs.fst.hints
│ ├── Vale.Curve25519.Fast_lemmas_external.fst.hints
│ ├── Vale.Curve25519.Fast_lemmas_external.fsti.hints
│ ├── Vale.Curve25519.Fast_lemmas_internal.fst.hints
│ ├── Vale.Curve25519.Fast_lemmas_internal.fsti.hints
│ ├── Vale.Curve25519.X64.FastHybrid.fst.hints
│ ├── Vale.Curve25519.X64.FastHybrid.fsti.hints
│ ├── Vale.Curve25519.X64.FastMul.fst.hints
│ ├── Vale.Curve25519.X64.FastMul.fsti.hints
│ ├── Vale.Curve25519.X64.FastSqr.fst.hints
│ ├── Vale.Curve25519.X64.FastSqr.fsti.hints
│ ├── Vale.Curve25519.X64.FastUtil.fst.hints
│ ├── Vale.Curve25519.X64.FastUtil.fsti.hints
│ ├── Vale.Curve25519.X64.FastWide.fst.hints
│ ├── Vale.Curve25519.X64.FastWide.fsti.hints
│ ├── Vale.Def.Opaque_s.fst.hints
│ ├── Vale.Def.Opaque_s.fsti.hints
│ ├── Vale.Def.PossiblyMonad.fst.hints
│ ├── Vale.Def.Prop_s.fst.hints
│ ├── Vale.Def.Sel.fst.hints
│ ├── Vale.Def.TypesNative_s.fst.hints
│ ├── Vale.Def.Types_s.fst.hints
│ ├── Vale.Def.Words.Four_s.fst.hints
│ ├── Vale.Def.Words.Four_s.fsti.hints
│ ├── Vale.Def.Words.Seq.fst.hints
│ ├── Vale.Def.Words.Seq.fsti.hints
│ ├── Vale.Def.Words.Seq_s.fst.hints
│ ├── Vale.Def.Words.Seq_s.fsti.hints
│ ├── Vale.Def.Words.Two.fst.hints
│ ├── Vale.Def.Words.Two.fsti.hints
│ ├── Vale.Def.Words.Two_s.fst.hints
│ ├── Vale.Def.Words.Two_s.fsti.hints
│ ├── Vale.Def.Words_s.fst.hints
│ ├── Vale.Def.Words_s.fsti.hints
│ ├── Vale.FDefMulx.X64.fst.hints
│ ├── Vale.FDefMulx.X64.fsti.hints
│ ├── Vale.Inline.X64.Fadd_inline.fst.hints
│ ├── Vale.Inline.X64.Fadd_inline.fsti.hints
│ ├── Vale.Inline.X64.Fmul_inline.fst.hints
│ ├── Vale.Inline.X64.Fmul_inline.fsti.hints
│ ├── Vale.Inline.X64.Fsqr_inline.fst.hints
│ ├── Vale.Inline.X64.Fsqr_inline.fsti.hints
│ ├── Vale.Inline.X64.Fswap_inline.fst.hints
│ ├── Vale.Inline.X64.Fswap_inline.fsti.hints
│ ├── Vale.Interop.Assumptions.fst.hints
│ ├── Vale.Interop.Base.fst.hints
│ ├── Vale.Interop.Heap_s.fst.hints
│ ├── Vale.Interop.Types.fst.hints
│ ├── Vale.Interop.Views.fst.hints
│ ├── Vale.Interop.Views.fsti.hints
│ ├── Vale.Interop.X64.fst.hints
│ ├── Vale.Interop.X64.fsti.hints
│ ├── Vale.Interop.fst.hints
│ ├── Vale.Interop.fsti.hints
│ ├── Vale.Lib.Basic.fst.hints
│ ├── Vale.Lib.Basic.fsti.hints
│ ├── Vale.Lib.BufferViewHelpers.fst.hints
│ ├── Vale.Lib.Bv_s.fst.hints
│ ├── Vale.Lib.Lists.fst.hints
│ ├── Vale.Lib.Lists.fsti.hints
│ ├── Vale.Lib.Map16.fst.hints
│ ├── Vale.Lib.Map16.fsti.hints
│ ├── Vale.Lib.MapTree.fst.hints
│ ├── Vale.Lib.MapTree.fsti.hints
│ ├── Vale.Lib.Meta.fst.hints
│ ├── Vale.Lib.Meta.fsti.hints
│ ├── Vale.Lib.Operator.fst.hints
│ ├── Vale.Lib.Operator.fsti.hints
│ ├── Vale.Lib.Seqs.fst.hints
│ ├── Vale.Lib.Seqs.fsti.hints
│ ├── Vale.Lib.Seqs_s.fst.hints
│ ├── Vale.Lib.Set.fst.hints
│ ├── Vale.Lib.Set.fsti.hints
│ ├── Vale.Lib.Tactics.fst.hints
│ ├── Vale.Lib.X64.Cpuid.fst.hints
│ ├── Vale.Lib.X64.Cpuid.fsti.hints
│ ├── Vale.Lib.X64.Cpuidstdcall.fst.hints
│ ├── Vale.Lib.X64.Cpuidstdcall.fsti.hints
│ ├── Vale.Math.Bits.fst.hints
│ ├── Vale.Math.Bits.fsti.hints
│ ├── Vale.Math.Lemmas.Int.fst.hints
│ ├── Vale.Math.Lemmas.Int.fsti.hints
│ ├── Vale.Math.Poly2.Bits.fst.hints
│ ├── Vale.Math.Poly2.Bits.fsti.hints
│ ├── Vale.Math.Poly2.Bits_s.fst.hints
│ ├── Vale.Math.Poly2.Bits_s.fsti.hints
│ ├── Vale.Math.Poly2.Defs.fst.hints
│ ├── Vale.Math.Poly2.Defs_s.fst.hints
│ ├── Vale.Math.Poly2.Galois.IntTypes.fst.hints
│ ├── Vale.Math.Poly2.Galois.IntTypes.fsti.hints
│ ├── Vale.Math.Poly2.Galois.Lemmas.fst.hints
│ ├── Vale.Math.Poly2.Galois.Lemmas.fsti.hints
│ ├── Vale.Math.Poly2.Galois.fst.hints
│ ├── Vale.Math.Poly2.Galois.fsti.hints
│ ├── Vale.Math.Poly2.Lemmas.fst.hints
│ ├── Vale.Math.Poly2.Lemmas.fsti.hints
│ ├── Vale.Math.Poly2.Words.fst.hints
│ ├── Vale.Math.Poly2.Words.fsti.hints
│ ├── Vale.Math.Poly2.fst.hints
│ ├── Vale.Math.Poly2.fsti.hints
│ ├── Vale.Math.Poly2_s.fst.hints
│ ├── Vale.Math.Poly2_s.fsti.hints
│ ├── Vale.PPC64LE.Decls.fst.hints
│ ├── Vale.PPC64LE.Decls.fsti.hints
│ ├── Vale.PPC64LE.InsBasic.fst.hints
│ ├── Vale.PPC64LE.InsBasic.fsti.hints
│ ├── Vale.PPC64LE.InsMem.fst.hints
│ ├── Vale.PPC64LE.InsMem.fsti.hints
│ ├── Vale.PPC64LE.InsStack.fst.hints
│ ├── Vale.PPC64LE.InsStack.fsti.hints
│ ├── Vale.PPC64LE.InsVector.fst.hints
│ ├── Vale.PPC64LE.InsVector.fsti.hints
│ ├── Vale.PPC64LE.Lemmas.fst.hints
│ ├── Vale.PPC64LE.Lemmas.fsti.hints
│ ├── Vale.PPC64LE.Machine_s.fst.hints
│ ├── Vale.PPC64LE.Memory.fst.hints
│ ├── Vale.PPC64LE.Memory.fsti.hints
│ ├── Vale.PPC64LE.Memory_Sems.fst.hints
│ ├── Vale.PPC64LE.Memory_Sems.fsti.hints
│ ├── Vale.PPC64LE.Print_s.fst.hints
│ ├── Vale.PPC64LE.QuickCode.fst.hints
│ ├── Vale.PPC64LE.QuickCodes.fst.hints
│ ├── Vale.PPC64LE.QuickCodes.fsti.hints
│ ├── Vale.PPC64LE.Regs.fst.hints
│ ├── Vale.PPC64LE.Regs.fsti.hints
│ ├── Vale.PPC64LE.Semantics_s.fst.hints
│ ├── Vale.PPC64LE.Stack_Sems.fst.hints
│ ├── Vale.PPC64LE.Stack_Sems.fsti.hints
│ ├── Vale.PPC64LE.Stack_i.fst.hints
│ ├── Vale.PPC64LE.Stack_i.fsti.hints
│ ├── Vale.PPC64LE.State.fst.hints
│ ├── Vale.PPC64LE.State.fsti.hints
│ ├── Vale.PPC64LE.StateLemmas.fst.hints
│ ├── Vale.PPC64LE.StateLemmas.fsti.hints
│ ├── Vale.PPC64LE.Vecs.fst.hints
│ ├── Vale.PPC64LE.Vecs.fsti.hints
│ ├── Vale.Poly1305.Bitvectors.fst.hints
│ ├── Vale.Poly1305.Bitvectors.fsti.hints
│ ├── Vale.Poly1305.CallingFromLowStar.fst.hints
│ ├── Vale.Poly1305.CallingFromLowStar.fsti.hints
│ ├── Vale.Poly1305.Equiv.fst.hints
│ ├── Vale.Poly1305.Equiv.fsti.hints
│ ├── Vale.Poly1305.Math.fst.hints
│ ├── Vale.Poly1305.Math.fsti.hints
│ ├── Vale.Poly1305.Spec_s.fst.hints
│ ├── Vale.Poly1305.Util.fst.hints
│ ├── Vale.Poly1305.Util.fsti.hints
│ ├── Vale.Poly1305.X64.fst.hints
│ ├── Vale.Poly1305.X64.fsti.hints
│ ├── Vale.SHA.PPC64LE.Loop.fst.hints
│ ├── Vale.SHA.PPC64LE.Loop.fsti.hints
│ ├── Vale.SHA.PPC64LE.Rounds.Core.fst.hints
│ ├── Vale.SHA.PPC64LE.Rounds.Core.fsti.hints
│ ├── Vale.SHA.PPC64LE.Rounds.fst.hints
│ ├── Vale.SHA.PPC64LE.Rounds.fsti.hints
│ ├── Vale.SHA.PPC64LE.SHA_helpers.fst.hints
│ ├── Vale.SHA.PPC64LE.SHA_helpers.fsti.hints
│ ├── Vale.SHA.PPC64LE.fst.hints
│ ├── Vale.SHA.PPC64LE.fsti.hints
│ ├── Vale.SHA.SHA_helpers.fst.hints
│ ├── Vale.SHA.SHA_helpers.fsti.hints
│ ├── Vale.SHA.Simplify_Sha.fst.hints
│ ├── Vale.SHA.Simplify_Sha.fsti.hints
│ ├── Vale.SHA.X64.fst.hints
│ ├── Vale.SHA.X64.fsti.hints
│ ├── Vale.SHA2.Wrapper.fst.hints
│ ├── Vale.SHA2.Wrapper.fsti.hints
│ ├── Vale.Stdcalls.X64.Aes.fst.hints
│ ├── Vale.Stdcalls.X64.Aes.fsti.hints
│ ├── Vale.Stdcalls.X64.AesHash.fst.hints
│ ├── Vale.Stdcalls.X64.Cpuid.fst.hints
│ ├── Vale.Stdcalls.X64.Cpuid.fsti.hints
│ ├── Vale.Stdcalls.X64.Fadd.fst.hints
│ ├── Vale.Stdcalls.X64.Fadd.fsti.hints
│ ├── Vale.Stdcalls.X64.Fmul.fst.hints
│ ├── Vale.Stdcalls.X64.Fmul.fsti.hints
│ ├── Vale.Stdcalls.X64.Fsqr.fst.hints
│ ├── Vale.Stdcalls.X64.Fsqr.fsti.hints
│ ├── Vale.Stdcalls.X64.Fsub.fst.hints
│ ├── Vale.Stdcalls.X64.Fsub.fsti.hints
│ ├── Vale.Stdcalls.X64.Fswap.fst.hints
│ ├── Vale.Stdcalls.X64.Fswap.fsti.hints
│ ├── Vale.Stdcalls.X64.GCM_IV.fst.hints
│ ├── Vale.Stdcalls.X64.GCMdecryptOpt.fst.hints
│ ├── Vale.Stdcalls.X64.GCMencryptOpt.fst.hints
│ ├── Vale.Stdcalls.X64.GCTR.fst.hints
│ ├── Vale.Stdcalls.X64.Poly.fst.hints
│ ├── Vale.Stdcalls.X64.Poly.fsti.hints
│ ├── Vale.Stdcalls.X64.Sha.fst.hints
│ ├── Vale.Stdcalls.X64.Sha.fsti.hints
│ ├── Vale.Test.TestInline.fst.hints
│ ├── Vale.Test.X64.Args.fst.hints
│ ├── Vale.Test.X64.Args.fsti.hints
│ ├── Vale.Test.X64.Memcpy.fst.hints
│ ├── Vale.Test.X64.Memcpy.fsti.hints
│ ├── Vale.Test.X64.Vale_memcpy.fst.hints
│ ├── Vale.Test.X64.Vale_memcpy.fsti.hints
│ ├── Vale.Transformers.BoundedInstructionEffects.fst.hints
│ ├── Vale.Transformers.BoundedInstructionEffects.fsti.hints
│ ├── Vale.Transformers.Common.fst.hints
│ ├── Vale.Transformers.Common.fsti.hints
│ ├── Vale.Transformers.DebugPrint.fst.hints
│ ├── Vale.Transformers.InstructionReorder.fst.hints
│ ├── Vale.Transformers.InstructionReorderSanityChecks.fst.hints
│ ├── Vale.Transformers.InstructionReorderSanityChecks.fsti.hints
│ ├── Vale.Transformers.Locations.fst.hints
│ ├── Vale.Transformers.Locations.fsti.hints
│ ├── Vale.Transformers.MovMovElim.fst.hints
│ ├── Vale.Transformers.MovbeElim.fst.hints
│ ├── Vale.Transformers.PeepHole.fst.hints
│ ├── Vale.Transformers.PeepHole.fsti.hints
│ ├── Vale.Transformers.PrefetchElim.fst.hints
│ ├── Vale.Transformers.Transform.fst.hints
│ ├── Vale.Transformers.Transform.fsti.hints
│ ├── Vale.Wrapper.X64.AES.fst.hints
│ ├── Vale.Wrapper.X64.AES.fsti.hints
│ ├── Vale.Wrapper.X64.AEShash.fst.hints
│ ├── Vale.Wrapper.X64.AEShash.fsti.hints
│ ├── Vale.Wrapper.X64.Cpuid.fst.hints
│ ├── Vale.Wrapper.X64.Cpuid.fsti.hints
│ ├── Vale.Wrapper.X64.Fadd.fst.hints
│ ├── Vale.Wrapper.X64.Fadd.fsti.hints
│ ├── Vale.Wrapper.X64.Fmul.fst.hints
│ ├── Vale.Wrapper.X64.Fmul.fsti.hints
│ ├── Vale.Wrapper.X64.Fsqr.fst.hints
│ ├── Vale.Wrapper.X64.Fsqr.fsti.hints
│ ├── Vale.Wrapper.X64.Fsub.fst.hints
│ ├── Vale.Wrapper.X64.Fsub.fsti.hints
│ ├── Vale.Wrapper.X64.Fswap.fst.hints
│ ├── Vale.Wrapper.X64.Fswap.fsti.hints
│ ├── Vale.Wrapper.X64.GCM_IV.fst.hints
│ ├── Vale.Wrapper.X64.GCM_IV.fsti.hints
│ ├── Vale.Wrapper.X64.GCMdecryptOpt.fst.hints
│ ├── Vale.Wrapper.X64.GCMdecryptOpt.fsti.hints
│ ├── Vale.Wrapper.X64.GCMdecryptOpt256.fst.hints
│ ├── Vale.Wrapper.X64.GCMdecryptOpt256.fsti.hints
│ ├── Vale.Wrapper.X64.GCMencryptOpt.fst.hints
│ ├── Vale.Wrapper.X64.GCMencryptOpt.fsti.hints
│ ├── Vale.Wrapper.X64.GCMencryptOpt256.fst.hints
│ ├── Vale.Wrapper.X64.GCMencryptOpt256.fsti.hints
│ ├── Vale.Wrapper.X64.GCTR.fst.hints
│ ├── Vale.Wrapper.X64.GCTR.fsti.hints
│ ├── Vale.Wrapper.X64.Poly.fst.hints
│ ├── Vale.Wrapper.X64.Poly.fsti.hints
│ ├── Vale.Wrapper.X64.Sha.fst.hints
│ ├── Vale.Wrapper.X64.Sha.fsti.hints
│ ├── Vale.X64.BufferViewStore.fst.hints
│ ├── Vale.X64.BufferViewStore.fsti.hints
│ ├── Vale.X64.Bytes_Code_s.fst.hints
│ ├── Vale.X64.Bytes_Semantics.fst.hints
│ ├── Vale.X64.Bytes_Semantics.fsti.hints
│ ├── Vale.X64.CPU_Features_s.fst.hints
│ ├── Vale.X64.CryptoInstructions_s.fst.hints
│ ├── Vale.X64.CryptoInstructions_s.fsti.hints
│ ├── Vale.X64.Decls.fst.hints
│ ├── Vale.X64.Decls.fsti.hints
│ ├── Vale.X64.Flags.fst.hints
│ ├── Vale.X64.Flags.fsti.hints
│ ├── Vale.X64.InsAes.fst.hints
│ ├── Vale.X64.InsAes.fsti.hints
│ ├── Vale.X64.InsBasic.fst.hints
│ ├── Vale.X64.InsBasic.fsti.hints
│ ├── Vale.X64.InsLemmas.fst.hints
│ ├── Vale.X64.InsLemmas.fsti.hints
│ ├── Vale.X64.InsMem.fst.hints
│ ├── Vale.X64.InsMem.fsti.hints
│ ├── Vale.X64.InsSha.fst.hints
│ ├── Vale.X64.InsSha.fsti.hints
│ ├── Vale.X64.InsStack.fst.hints
│ ├── Vale.X64.InsStack.fsti.hints
│ ├── Vale.X64.InsVector.fst.hints
│ ├── Vale.X64.InsVector.fsti.hints
│ ├── Vale.X64.Instruction_s.fst.hints
│ ├── Vale.X64.Instruction_s.fsti.hints
│ ├── Vale.X64.Instructions_s.fst.hints
│ ├── Vale.X64.Instructions_s.fsti.hints
│ ├── Vale.X64.Leakage.fst.hints
│ ├── Vale.X64.Leakage.fsti.hints
│ ├── Vale.X64.Leakage_Helpers.fst.hints
│ ├── Vale.X64.Leakage_Ins.fst.hints
│ ├── Vale.X64.Leakage_Ins.fsti.hints
│ ├── Vale.X64.Leakage_s.fst.hints
│ ├── Vale.X64.Lemmas.fst.hints
│ ├── Vale.X64.Lemmas.fsti.hints
│ ├── Vale.X64.Machine_Semantics_s.fst.hints
│ ├── Vale.X64.Machine_s.fst.hints
│ ├── Vale.X64.Memory.fst.hints
│ ├── Vale.X64.Memory.fsti.hints
│ ├── Vale.X64.MemoryAdapters.fst.hints
│ ├── Vale.X64.MemoryAdapters.fsti.hints
│ ├── Vale.X64.Memory_Sems.fst.hints
│ ├── Vale.X64.Memory_Sems.fsti.hints
│ ├── Vale.X64.Print_Inline_s.fst.hints
│ ├── Vale.X64.Print_s.fst.hints
│ ├── Vale.X64.QuickCode.fst.hints
│ ├── Vale.X64.QuickCodes.fst.hints
│ ├── Vale.X64.QuickCodes.fsti.hints
│ ├── Vale.X64.Regs.fst.hints
│ ├── Vale.X64.Regs.fsti.hints
│ ├── Vale.X64.Stack.fst.hints
│ ├── Vale.X64.Stack.fsti.hints
│ ├── Vale.X64.Stack_Sems.fst.hints
│ ├── Vale.X64.Stack_Sems.fsti.hints
│ ├── Vale.X64.Stack_i.fst.hints
│ ├── Vale.X64.Stack_i.fsti.hints
│ ├── Vale.X64.State.fst.hints
│ ├── Vale.X64.State.fsti.hints
│ ├── Vale.X64.StateLemmas.fst.hints
│ ├── Vale.X64.StateLemmas.fsti.hints
│ ├── Vale.X64.Taint_Semantics.fst.hints
│ ├── Vale.X64.Xmms.fst.hints
│ └── Vale.X64.Xmms.fsti.hints
├── lib/
│ ├── Lib.Buffer.fst
│ ├── Lib.Buffer.fsti
│ ├── Lib.ByteBuffer.fst
│ ├── Lib.ByteBuffer.fsti
│ ├── Lib.ByteSequence.fst
│ ├── Lib.ByteSequence.fsti
│ ├── Lib.Exponentiation.Definition.fst
│ ├── Lib.Exponentiation.Definition.fsti
│ ├── Lib.Exponentiation.fst
│ ├── Lib.Exponentiation.fsti
│ ├── Lib.IntTypes.Compatibility.fst
│ ├── Lib.IntTypes.Intrinsics.fsti
│ ├── Lib.IntTypes.fst
│ ├── Lib.IntTypes.fsti
│ ├── Lib.IntVector.Intrinsics.fsti
│ ├── Lib.IntVector.Serialize.fst
│ ├── Lib.IntVector.Serialize.fsti
│ ├── Lib.IntVector.Transpose.fst
│ ├── Lib.IntVector.Transpose.fsti
│ ├── Lib.IntVector.fst
│ ├── Lib.IntVector.fsti
│ ├── Lib.LoopCombinators.fst
│ ├── Lib.LoopCombinators.fsti
│ ├── Lib.Loops.fst
│ ├── Lib.Loops.fsti
│ ├── Lib.Memzero0.fsti
│ ├── Lib.Meta.fst
│ ├── Lib.MultiBuffer.fst
│ ├── Lib.NTuple.fst
│ ├── Lib.NTuple.fsti
│ ├── Lib.NatMod.fst
│ ├── Lib.NatMod.fsti
│ ├── Lib.PrintBuffer.fsti
│ ├── Lib.PrintSequence.fst
│ ├── Lib.PrintSequence.fsti
│ ├── Lib.RandomBuffer.System.fsti
│ ├── Lib.RandomSequence.fsti
│ ├── Lib.RawIntTypes.fst
│ ├── Lib.RawIntTypes.fsti
│ ├── Lib.Sequence.Lemmas.fst
│ ├── Lib.Sequence.Lemmas.fsti
│ ├── Lib.Sequence.fst
│ ├── Lib.Sequence.fsti
│ ├── Lib.UpdateMulti.Lemmas.fst
│ ├── Lib.UpdateMulti.Lemmas.fsti
│ ├── Lib.UpdateMulti.fst
│ ├── Lib.Vec.Lemmas.fst
│ ├── Lib.Vec.Lemmas.fsti
│ ├── Makefile
│ ├── c/
│ │ ├── Lib_Memzero0.c
│ │ ├── Lib_PrintBuffer.c
│ │ ├── Lib_RandomBuffer_System.c
│ │ ├── evercrypt_targetconfig.h
│ │ ├── lib_intrinsics.h
│ │ ├── lib_memzero0.h
│ │ ├── libintvector-shim.h
│ │ ├── libintvector.h
│ │ └── libintvector_debug.h
│ └── ml/
│ ├── Lib_RandomBuffer_System_bindings.ml
│ └── Lib_RandomBuffer_System_gen.ml
├── obj/
│ └── .gitignore
├── providers/
│ ├── Changes.md
│ ├── Documentation.md
│ ├── evercrypt/
│ │ ├── EverCrypt.AEAD.fsti
│ │ ├── EverCrypt.AutoConfig2.fsti
│ │ ├── EverCrypt.CTR.Keys.fsti
│ │ ├── EverCrypt.Chacha20Poly1305.fsti
│ │ ├── EverCrypt.Cipher.fsti
│ │ ├── EverCrypt.Curve25519.fsti
│ │ ├── EverCrypt.DRBG.fsti
│ │ ├── EverCrypt.Ed25519.fsti
│ │ ├── EverCrypt.Error.fsti
│ │ ├── EverCrypt.HKDF.fsti
│ │ ├── EverCrypt.HMAC.fsti
│ │ ├── EverCrypt.Hash.fsti
│ │ ├── EverCrypt.Helpers.fsti
│ │ ├── EverCrypt.Poly1305.fsti
│ │ ├── EverCrypt.TargetConfig.fsti
│ │ ├── Makefile
│ │ ├── README.md
│ │ └── fst/
│ │ ├── EverCrypt.AEAD.fst
│ │ ├── EverCrypt.AutoConfig2.fst
│ │ ├── EverCrypt.CTR.Keys.fst
│ │ ├── EverCrypt.Chacha20Poly1305.fst
│ │ ├── EverCrypt.Cipher.fst
│ │ ├── EverCrypt.Curve25519.fst
│ │ ├── EverCrypt.DRBG.fst
│ │ ├── EverCrypt.Ed25519.fst
│ │ ├── EverCrypt.HKDF.fst
│ │ ├── EverCrypt.HMAC.fst
│ │ ├── EverCrypt.Hash.Incremental.Macros.fst
│ │ ├── EverCrypt.Hash.Incremental.fst
│ │ ├── EverCrypt.Hash.fst
│ │ ├── EverCrypt.Poly1305.fst
│ │ └── Makefile
│ ├── include/
│ │ └── README.md
│ └── test/
│ ├── Makefile
│ ├── Test.Hash.fst
│ ├── Test.Lowstarize.fst
│ ├── Test.NoHeap.fst
│ ├── Test.NoHeap.fsti
│ ├── Test.Vectors.fst
│ ├── Test.fst
│ ├── Test.fsti
│ └── vectors/
│ ├── .merlin
│ ├── Test.Vectors.Aes128.fst
│ ├── Test.Vectors.Aes128Gcm.fst
│ ├── Test.Vectors.Chacha20Poly1305.fst
│ ├── Test.Vectors.Curve25519.fst
│ ├── Test.Vectors.Poly1305.fst
│ ├── aead_aes128gcm_test_vectors.json
│ ├── aead_chacha20poly1305_test_vectors.json
│ ├── aes128_test_vectors.json
│ ├── curve25519_test_vectors.json
│ ├── gen.ml
│ └── poly1305_test_vectors.json
├── pull_request_template.md
├── runtimeconfig.json
├── specs/
│ ├── Makefile
│ ├── README.md
│ ├── Spec.AES.fst
│ ├── Spec.Agile.AEAD.fst
│ ├── Spec.Agile.AEAD.fsti
│ ├── Spec.Agile.CTR.fst
│ ├── Spec.Agile.Cipher.fst
│ ├── Spec.Agile.Cipher.fsti
│ ├── Spec.Agile.DH.fst
│ ├── Spec.Agile.HKDF.fst
│ ├── Spec.Agile.HKDF.fsti
│ ├── Spec.Agile.HMAC.fst
│ ├── Spec.Agile.HMAC.fsti
│ ├── Spec.Agile.HPKE.fst
│ ├── Spec.Agile.HPKE.fsti
│ ├── Spec.Agile.Hash.fst
│ ├── Spec.Agile.Hash.fsti
│ ├── Spec.Blake2.Definitions.fst
│ ├── Spec.Blake2.fst
│ ├── Spec.Box.fst
│ ├── Spec.Chacha20.fst
│ ├── Spec.Chacha20Poly1305.fst
│ ├── Spec.Cipher.Expansion.fst
│ ├── Spec.Cipher.Expansion.fsti
│ ├── Spec.Curve25519.fst
│ ├── Spec.Ed25519.PointOps.fst
│ ├── Spec.Ed25519.fst
│ ├── Spec.Exponentiation.fst
│ ├── Spec.Exponentiation.fsti
│ ├── Spec.FFDHE.fst
│ ├── Spec.GaloisField.fst
│ ├── Spec.Hash.Definitions.fst
│ ├── Spec.Hash.MD.fst
│ ├── Spec.K256.PointOps.fst
│ ├── Spec.K256.fst
│ ├── Spec.MD5.fst
│ ├── Spec.MD5.fsti
│ ├── Spec.P256.PointOps.fst
│ ├── Spec.P256.fst
│ ├── Spec.Poly1305.fst
│ ├── Spec.RSAPSS.fst
│ ├── Spec.SHA1.fst
│ ├── Spec.SHA1.fsti
│ ├── Spec.SHA2.Constants.fst
│ ├── Spec.SHA2.fst
│ ├── Spec.SHA2.fsti
│ ├── Spec.SHA3.Constants.fst
│ ├── Spec.SHA3.fst
│ ├── Spec.Salsa20.fst
│ ├── Spec.SecretBox.fst
│ ├── drbg/
│ │ ├── Makefile
│ │ ├── Spec.HMAC_DRBG.Test.Vectors.fst
│ │ ├── Spec.HMAC_DRBG.Test.Vectors.fstp
│ │ ├── Spec.HMAC_DRBG.fst
│ │ ├── Spec.HMAC_DRBG.fsti
│ │ └── cavp_parse.py
│ ├── frodo/
│ │ ├── AUTHORS.md
│ │ ├── Makefile
│ │ ├── Spec.Frodo.Encode.fst
│ │ ├── Spec.Frodo.Gen.fst
│ │ ├── Spec.Frodo.KEM.Decaps.fst
│ │ ├── Spec.Frodo.KEM.Encaps.fst
│ │ ├── Spec.Frodo.KEM.KeyGen.fst
│ │ ├── Spec.Frodo.KEM.fst
│ │ ├── Spec.Frodo.Lemmas.fst
│ │ ├── Spec.Frodo.Pack.fst
│ │ ├── Spec.Frodo.Params.fst
│ │ ├── Spec.Frodo.Random.fst
│ │ ├── Spec.Frodo.Sample.fst
│ │ └── Spec.Matrix.fst
│ ├── lemmas/
│ │ ├── Makefile
│ │ ├── Spec.Blake2.Alternative.fst
│ │ ├── Spec.Blake2.Alternative.fsti
│ │ ├── Spec.Blake2.Incremental.fst
│ │ ├── Spec.Blake2.Incremental.fsti
│ │ ├── Spec.Curve25519.Lemmas.fst
│ │ ├── Spec.Ed25519.Lemmas.fst
│ │ ├── Spec.Ed25519.Lemmas.fsti
│ │ ├── Spec.HMAC.Incremental.fst
│ │ ├── Spec.HMAC.Incremental.fsti
│ │ ├── Spec.Hash.Incremental.Definitions.fst
│ │ ├── Spec.Hash.Incremental.fst
│ │ ├── Spec.Hash.Incremental.fsti
│ │ ├── Spec.Hash.Lemmas.fst
│ │ ├── Spec.Hash.Lemmas.fsti
│ │ ├── Spec.K256.Lemmas.fst
│ │ ├── Spec.K256.Lemmas.fsti
│ │ ├── Spec.MD.Incremental.fst
│ │ ├── Spec.MD.Incremental.fsti
│ │ ├── Spec.P256.Lemmas.fst
│ │ ├── Spec.P256.Lemmas.fsti
│ │ ├── Spec.SHA2.Lemmas.fst
│ │ ├── Spec.SHA2.Lemmas.fsti
│ │ ├── Spec.SHA3.Equivalence.fst
│ │ ├── Spec.SHA3.Incremental.fst
│ │ └── Spec.SHA3.Incremental.fsti
│ ├── make_hpke_constants.py
│ ├── make_md5_tests.sh
│ ├── make_sha1_tests.sh
│ └── tests/
│ ├── Makefile
│ ├── Spec.AES.Test.fst
│ ├── Spec.Blake2.Test.fst
│ ├── Spec.Box.Test.fst
│ ├── Spec.Chacha20.Test.fst
│ ├── Spec.Chacha20Poly1305.Test.fst
│ ├── Spec.Curve25519.Test.fst
│ ├── Spec.Ed25519.Test.fst
│ ├── Spec.Frodo.Test.fst
│ ├── Spec.HKDF.Test.fst
│ ├── Spec.HMAC.Test.fst
│ ├── Spec.HMAC_DRBG.Test.fst
│ ├── Spec.Hash.Test.fst
│ ├── Spec.K256.Test.fst
│ ├── Spec.P256.Test.fst
│ ├── Spec.Poly1305.Test.fst
│ ├── Spec.SHA3.Test.fst
│ ├── Spec.Salsa20.Test.fst
│ ├── Spec.SecretBox.Test.fst
│ ├── hpke/
│ │ ├── Test_Spec_Agile_HPKE.ml
│ │ ├── test-vectors-final-pp.json
│ │ └── test-vectors-supported.json
│ └── p256/
│ ├── Makefile
│ ├── SigGen.txt
│ ├── SigVer.rsp
│ ├── Spec.ECDSA.Test.Vectors.fst
│ ├── Spec.ECDSA.Test.Vectors.fstp
│ └── cavp_parse.py
├── tests/
│ ├── FrodoKEM-64-test.c
│ ├── FrodoKEM-64_vectors.h
│ ├── Makefile
│ ├── README
│ ├── bignum4096-test.c
│ ├── bignum4096_vectors.h
│ ├── blake2-32-test.c
│ ├── blake2_vectors.h
│ ├── blake2b-256-test-streaming.c
│ ├── blake2b-256-test.c
│ ├── blake2b-32-test-streaming.c
│ ├── blake2s-128-test-streaming.c
│ ├── blake2s-128-test.c
│ ├── blake2s-32-test-streaming.c
│ ├── chacha20-test.c
│ ├── chacha20-vec-test.c
│ ├── chacha20_vectors.h
│ ├── chacha20poly1305-128-test.c
│ ├── chacha20poly1305-256-test.c
│ ├── chacha20poly1305-32-test.c
│ ├── chacha20poly1305_vectors.h
│ ├── curve25519_vectors.h
│ ├── curve51-ours.c
│ ├── curve64-ours.c
│ ├── curve64-rfc.c
│ ├── ecdhp256-test.c
│ ├── ecdhp256-tvs.h
│ ├── ecdhp256_tv_w.h
│ ├── ecdsap256_tv_w.h
│ ├── ed25519-test.c
│ ├── ffdhe-test.c
│ ├── ffdhe_vectors.h
│ ├── gen_vectors/
│ │ └── gen_uint128_intrinsics_vectors.py
│ ├── k256-ecdsa-test.c
│ ├── k256-ecdsa_vectors.h
│ ├── naclbox-test.c
│ ├── naclbox_vectors.h
│ ├── p256-test.c
│ ├── poly1305-128-test-streaming.c
│ ├── poly1305-128-test.c
│ ├── poly1305-256-test-streaming.c
│ ├── poly1305-256-test.c
│ ├── poly1305-32-test-streaming.c
│ ├── poly1305-32-test.c
│ ├── poly1305_vectors.h
│ ├── rfc7748_src/
│ │ ├── fp25519_x64.c
│ │ ├── fp25519_x64.h
│ │ ├── fp448_x64.c
│ │ ├── fp448_x64.h
│ │ ├── rfc7748_precomputed.h
│ │ ├── table_ladder_x25519.h
│ │ ├── table_ladder_x448.h
│ │ ├── x25519_x64.c
│ │ └── x448_x64.c
│ ├── rsapss-test.c
│ ├── rsapss_vectors.h
│ ├── salsa20-test.c
│ ├── sha2-mb-test.c
│ ├── sha2-test-streaming.c
│ ├── sha2-test.c
│ ├── sha2_vectors.h
│ ├── sha2mb_vectors.h
│ ├── sha3-streaming-test.c
│ ├── test_helpers.h
│ ├── tests-openssl/
│ │ ├── chacha20-vec-test.c
│ │ ├── jasmin-chacha-avx2/
│ │ │ ├── Makefile
│ │ │ ├── api.h
│ │ │ ├── chacha20.japp
│ │ │ ├── chacha20.jazz
│ │ │ ├── chacha20.s
│ │ │ ├── chacha20_jazz.c
│ │ │ └── impl.h
│ │ ├── jasmin-poly-avx2/
│ │ │ ├── Makefile
│ │ │ ├── api.h
│ │ │ ├── auth_jazz.c
│ │ │ ├── impl.h
│ │ │ ├── poly1305.japp
│ │ │ ├── poly1305.jazz
│ │ │ ├── poly1305.s
│ │ │ └── verify_jazz.c
│ │ └── poly1305-test.c
│ ├── uint128-intrinsics-test.c
│ ├── uint128-intrinsics_vectors.h
│ └── vec-128-test.c
├── tools/
│ ├── findpython3.sh
│ ├── get_vale.sh
│ ├── sloccount.sh
│ └── valedepend.py
└── vale/
├── .gitignore
├── .tested_fstar_version
├── .tested_z3_version
├── .vale_version
├── CODE.md
├── Hacl.Vale.fst.config.json
├── INSTALL.md
├── LICENSE
├── Makefile
├── README.md
├── SConstruct
├── code/
│ ├── .gitattributes
│ ├── arch/
│ │ ├── Makefile
│ │ ├── Vale.Arch.BufferFriend.fst
│ │ ├── Vale.Arch.BufferFriend.fsti
│ │ ├── Vale.Arch.Heap.fst
│ │ ├── Vale.Arch.HeapImpl.fst
│ │ ├── Vale.Arch.HeapImpl.fsti
│ │ ├── Vale.Arch.HeapLemmas.fst
│ │ ├── Vale.Arch.HeapLemmas.fsti
│ │ ├── Vale.Arch.MachineHeap.fst
│ │ ├── Vale.Arch.MachineHeap.fsti
│ │ ├── Vale.Arch.Types.fst
│ │ ├── Vale.Arch.Types.fsti
│ │ ├── Vale.Arch.TypesNative.fst
│ │ ├── Vale.Arch.TypesNative.fsti
│ │ ├── ppc64le/
│ │ │ ├── Makefile
│ │ │ ├── Vale.PPC64LE.Decls.fst
│ │ │ ├── Vale.PPC64LE.Decls.fsti
│ │ │ ├── Vale.PPC64LE.InsBasic.vaf
│ │ │ ├── Vale.PPC64LE.InsMem.vaf
│ │ │ ├── Vale.PPC64LE.InsStack.vaf
│ │ │ ├── Vale.PPC64LE.InsVector.vaf
│ │ │ ├── Vale.PPC64LE.Lemmas.fst
│ │ │ ├── Vale.PPC64LE.Lemmas.fsti
│ │ │ ├── Vale.PPC64LE.Memory.fst
│ │ │ ├── Vale.PPC64LE.Memory.fsti
│ │ │ ├── Vale.PPC64LE.Memory_Sems.fst
│ │ │ ├── Vale.PPC64LE.Memory_Sems.fsti
│ │ │ ├── Vale.PPC64LE.QuickCode.fst
│ │ │ ├── Vale.PPC64LE.QuickCodes.fst
│ │ │ ├── Vale.PPC64LE.QuickCodes.fsti
│ │ │ ├── Vale.PPC64LE.Regs.fst
│ │ │ ├── Vale.PPC64LE.Regs.fsti
│ │ │ ├── Vale.PPC64LE.Stack_Sems.fst
│ │ │ ├── Vale.PPC64LE.Stack_Sems.fsti
│ │ │ ├── Vale.PPC64LE.Stack_i.fst
│ │ │ ├── Vale.PPC64LE.Stack_i.fsti
│ │ │ ├── Vale.PPC64LE.State.fst
│ │ │ ├── Vale.PPC64LE.State.fsti
│ │ │ ├── Vale.PPC64LE.StateLemmas.fst
│ │ │ ├── Vale.PPC64LE.StateLemmas.fsti
│ │ │ ├── Vale.PPC64LE.Vecs.fst
│ │ │ └── Vale.PPC64LE.Vecs.fsti
│ │ └── x64/
│ │ ├── Makefile
│ │ ├── Vale.Interop.fst
│ │ ├── Vale.Interop.fsti
│ │ ├── Vale.X64.BufferViewStore.fst
│ │ ├── Vale.X64.BufferViewStore.fsti
│ │ ├── Vale.X64.Bytes_Semantics.fst
│ │ ├── Vale.X64.Bytes_Semantics.fsti
│ │ ├── Vale.X64.Decls.fst
│ │ ├── Vale.X64.Decls.fsti
│ │ ├── Vale.X64.Flags.fst
│ │ ├── Vale.X64.Flags.fsti
│ │ ├── Vale.X64.InsAes.vaf
│ │ ├── Vale.X64.InsBasic.vaf
│ │ ├── Vale.X64.InsLemmas.fst
│ │ ├── Vale.X64.InsLemmas.fsti
│ │ ├── Vale.X64.InsMem.vaf
│ │ ├── Vale.X64.InsSha.vaf
│ │ ├── Vale.X64.InsStack.vaf
│ │ ├── Vale.X64.InsVector.vaf
│ │ ├── Vale.X64.Leakage.fst
│ │ ├── Vale.X64.Leakage.fsti
│ │ ├── Vale.X64.Leakage_Helpers.fst
│ │ ├── Vale.X64.Leakage_Ins.fst
│ │ ├── Vale.X64.Leakage_Ins.fsti
│ │ ├── Vale.X64.Lemmas.fst
│ │ ├── Vale.X64.Lemmas.fsti
│ │ ├── Vale.X64.Memory.fst
│ │ ├── Vale.X64.Memory.fsti
│ │ ├── Vale.X64.Memory_Sems.fst
│ │ ├── Vale.X64.Memory_Sems.fsti
│ │ ├── Vale.X64.QuickCode.fst
│ │ ├── Vale.X64.QuickCodes.fst
│ │ ├── Vale.X64.QuickCodes.fsti
│ │ ├── Vale.X64.Regs.fst
│ │ ├── Vale.X64.Regs.fsti
│ │ ├── Vale.X64.Stack_Sems.fst
│ │ ├── Vale.X64.Stack_Sems.fsti
│ │ ├── Vale.X64.Stack_i.fst
│ │ ├── Vale.X64.Stack_i.fsti
│ │ ├── Vale.X64.State.fst
│ │ ├── Vale.X64.State.fsti
│ │ ├── Vale.X64.StateLemmas.fst
│ │ ├── Vale.X64.StateLemmas.fsti
│ │ ├── Vale.X64.Taint_Semantics.fst
│ │ ├── Vale.X64.Xmms.fst
│ │ ├── Vale.X64.Xmms.fsti
│ │ └── interop/
│ │ ├── Makefile
│ │ ├── Vale.AES.Gcm_simplify.fst
│ │ ├── Vale.AES.Gcm_simplify.fsti
│ │ ├── Vale.AsLowStar.LowStarSig.fst
│ │ ├── Vale.AsLowStar.MemoryHelpers.fst
│ │ ├── Vale.AsLowStar.MemoryHelpers.fsti
│ │ ├── Vale.AsLowStar.Test.fst
│ │ ├── Vale.AsLowStar.ValeSig.fst
│ │ ├── Vale.AsLowStar.Wrapper.fst
│ │ ├── Vale.AsLowStar.Wrapper.fsti
│ │ ├── Vale.Inline.X64.Fadd_inline.fst
│ │ ├── Vale.Inline.X64.Fadd_inline.fsti
│ │ ├── Vale.Inline.X64.Fmul_inline.fst
│ │ ├── Vale.Inline.X64.Fmul_inline.fsti
│ │ ├── Vale.Inline.X64.Fsqr_inline.fst
│ │ ├── Vale.Inline.X64.Fsqr_inline.fsti
│ │ ├── Vale.Inline.X64.Fswap_inline.fst
│ │ ├── Vale.Inline.X64.Fswap_inline.fsti
│ │ ├── Vale.SHA.Simplify_Sha.fst
│ │ ├── Vale.SHA.Simplify_Sha.fsti
│ │ ├── Vale.Stdcalls.X64.Aes.fst
│ │ ├── Vale.Stdcalls.X64.Aes.fsti
│ │ ├── Vale.Stdcalls.X64.AesHash.fst
│ │ ├── Vale.Stdcalls.X64.Cpuid.fst
│ │ ├── Vale.Stdcalls.X64.Cpuid.fsti
│ │ ├── Vale.Stdcalls.X64.Fadd.fst
│ │ ├── Vale.Stdcalls.X64.Fadd.fsti
│ │ ├── Vale.Stdcalls.X64.Fmul.fst
│ │ ├── Vale.Stdcalls.X64.Fmul.fsti
│ │ ├── Vale.Stdcalls.X64.Fsqr.fst
│ │ ├── Vale.Stdcalls.X64.Fsqr.fsti
│ │ ├── Vale.Stdcalls.X64.Fsub.fst
│ │ ├── Vale.Stdcalls.X64.Fsub.fsti
│ │ ├── Vale.Stdcalls.X64.Fswap.fst
│ │ ├── Vale.Stdcalls.X64.Fswap.fsti
│ │ ├── Vale.Stdcalls.X64.GCM_IV.fst
│ │ ├── Vale.Stdcalls.X64.GCMdecryptOpt.fst
│ │ ├── Vale.Stdcalls.X64.GCMencryptOpt.fst
│ │ ├── Vale.Stdcalls.X64.GCTR.fst
│ │ ├── Vale.Stdcalls.X64.Poly.fst
│ │ ├── Vale.Stdcalls.X64.Poly.fsti
│ │ ├── Vale.Stdcalls.X64.Sha.fst
│ │ ├── Vale.Stdcalls.X64.Sha.fsti
│ │ ├── Vale.Wrapper.X64.AES.fst
│ │ ├── Vale.Wrapper.X64.AES.fsti
│ │ ├── Vale.Wrapper.X64.AEShash.fst
│ │ ├── Vale.Wrapper.X64.AEShash.fsti
│ │ ├── Vale.Wrapper.X64.Cpuid.fst
│ │ ├── Vale.Wrapper.X64.Cpuid.fsti
│ │ ├── Vale.Wrapper.X64.Fadd.fst
│ │ ├── Vale.Wrapper.X64.Fadd.fsti
│ │ ├── Vale.Wrapper.X64.Fmul.fst
│ │ ├── Vale.Wrapper.X64.Fmul.fsti
│ │ ├── Vale.Wrapper.X64.Fsqr.fst
│ │ ├── Vale.Wrapper.X64.Fsqr.fsti
│ │ ├── Vale.Wrapper.X64.Fsub.fst
│ │ ├── Vale.Wrapper.X64.Fsub.fsti
│ │ ├── Vale.Wrapper.X64.Fswap.fst
│ │ ├── Vale.Wrapper.X64.Fswap.fsti
│ │ ├── Vale.Wrapper.X64.GCM_IV.fst
│ │ ├── Vale.Wrapper.X64.GCM_IV.fsti
│ │ ├── Vale.Wrapper.X64.GCMdecryptOpt.fst
│ │ ├── Vale.Wrapper.X64.GCMdecryptOpt.fsti
│ │ ├── Vale.Wrapper.X64.GCMdecryptOpt256.fst
│ │ ├── Vale.Wrapper.X64.GCMdecryptOpt256.fsti
│ │ ├── Vale.Wrapper.X64.GCMencryptOpt.fst
│ │ ├── Vale.Wrapper.X64.GCMencryptOpt.fsti
│ │ ├── Vale.Wrapper.X64.GCMencryptOpt256.fst
│ │ ├── Vale.Wrapper.X64.GCMencryptOpt256.fsti
│ │ ├── Vale.Wrapper.X64.GCTR.fst
│ │ ├── Vale.Wrapper.X64.GCTR.fsti
│ │ ├── Vale.Wrapper.X64.Poly.fst
│ │ ├── Vale.Wrapper.X64.Poly.fsti
│ │ ├── Vale.Wrapper.X64.Sha.fst
│ │ ├── Vale.Wrapper.X64.Sha.fsti
│ │ ├── Vale.X64.MemoryAdapters.fst
│ │ └── Vale.X64.MemoryAdapters.fsti
│ ├── crypto/
│ │ ├── aes/
│ │ │ ├── Makefile
│ │ │ ├── Vale.AES.AES256_helpers.fst
│ │ │ ├── Vale.AES.AES256_helpers.fsti
│ │ │ ├── Vale.AES.AES256_helpers_BE.fst
│ │ │ ├── Vale.AES.AES256_helpers_BE.fsti
│ │ │ ├── Vale.AES.AES_helpers.fst
│ │ │ ├── Vale.AES.AES_helpers.fsti
│ │ │ ├── Vale.AES.AES_helpers_BE.fst
│ │ │ ├── Vale.AES.AES_helpers_BE.fsti
│ │ │ ├── Vale.AES.GCM.fst
│ │ │ ├── Vale.AES.GCM.fsti
│ │ │ ├── Vale.AES.GCM_BE.fst
│ │ │ ├── Vale.AES.GCM_BE.fsti
│ │ │ ├── Vale.AES.GCM_helpers.fst
│ │ │ ├── Vale.AES.GCM_helpers.fsti
│ │ │ ├── Vale.AES.GCM_helpers_BE.fst
│ │ │ ├── Vale.AES.GCM_helpers_BE.fsti
│ │ │ ├── Vale.AES.GCTR.fst
│ │ │ ├── Vale.AES.GCTR.fsti
│ │ │ ├── Vale.AES.GCTR_BE.fst
│ │ │ ├── Vale.AES.GCTR_BE.fsti
│ │ │ ├── Vale.AES.GF128.fst
│ │ │ ├── Vale.AES.GF128.fsti
│ │ │ ├── Vale.AES.GHash.fst
│ │ │ ├── Vale.AES.GHash.fsti
│ │ │ ├── Vale.AES.GHash_BE.fst
│ │ │ ├── Vale.AES.GHash_BE.fsti
│ │ │ ├── Vale.AES.OptPublic.fst
│ │ │ ├── Vale.AES.OptPublic.fsti
│ │ │ ├── Vale.AES.OptPublic_BE.fst
│ │ │ ├── Vale.AES.OptPublic_BE.fsti
│ │ │ ├── Vale.AES.Types_helpers.fst
│ │ │ ├── Vale.AES.Types_helpers.fsti
│ │ │ ├── aes.h
│ │ │ ├── ppc64le/
│ │ │ │ ├── Main.ml
│ │ │ │ ├── TestAesGcm.cpp
│ │ │ │ ├── Vale.AES.PPC64LE.AES.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.AES128.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.AES256.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GCMdecrypt.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GCMencrypt.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GCTR.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GF128_Init.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GF128_Mul.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GHash.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.PolyOps.vaf
│ │ │ │ └── aes-gcm.h
│ │ │ ├── testaes.c
│ │ │ └── x64/
│ │ │ ├── Main.ml
│ │ │ ├── TestAesGcm.cpp
│ │ │ ├── Vale.AES.X64.AES.vaf
│ │ │ ├── Vale.AES.X64.AES128.vaf
│ │ │ ├── Vale.AES.X64.AES256.vaf
│ │ │ ├── Vale.AES.X64.GCMdecryptOpt.vaf
│ │ │ ├── Vale.AES.X64.GCMencryptOpt.vaf
│ │ │ ├── Vale.AES.X64.GCTR.vaf
│ │ │ ├── Vale.AES.X64.GF128_Init.vaf
│ │ │ ├── Vale.AES.X64.GF128_Mul.vaf
│ │ │ ├── Vale.AES.X64.GHash.vaf
│ │ │ ├── Vale.AES.X64.PolyOps.vaf
│ │ │ └── aes-gcm.h
│ │ ├── bignum/
│ │ │ ├── Makefile
│ │ │ ├── Vale.Bignum.Defs.fst
│ │ │ ├── Vale.Bignum.Defs.fsti
│ │ │ ├── Vale.Bignum.Lemmas.fst
│ │ │ ├── Vale.Bignum.Lemmas.fsti
│ │ │ └── Vale.Bignum.X64.vaf
│ │ ├── ecc/
│ │ │ └── curve25519/
│ │ │ ├── Inline25519.ml
│ │ │ ├── Main25519.ml
│ │ │ ├── Makefile
│ │ │ ├── Vale.Curve25519.FastHybrid_helpers.fst
│ │ │ ├── Vale.Curve25519.FastHybrid_helpers.fsti
│ │ │ ├── Vale.Curve25519.FastMul_helpers.fst
│ │ │ ├── Vale.Curve25519.FastMul_helpers.fsti
│ │ │ ├── Vale.Curve25519.FastSqr_helpers.fst
│ │ │ ├── Vale.Curve25519.FastSqr_helpers.fsti
│ │ │ ├── Vale.Curve25519.FastUtil_helpers.fst
│ │ │ ├── Vale.Curve25519.FastUtil_helpers.fsti
│ │ │ ├── Vale.Curve25519.Fast_defs.fst
│ │ │ ├── Vale.Curve25519.Fast_lemmas_external.fst
│ │ │ ├── Vale.Curve25519.Fast_lemmas_external.fsti
│ │ │ ├── Vale.Curve25519.Fast_lemmas_internal.fst
│ │ │ ├── Vale.Curve25519.Fast_lemmas_internal.fsti
│ │ │ └── test_ecc.c
│ │ ├── poly1305/
│ │ │ ├── Makefile
│ │ │ ├── Vale.Poly1305.Equiv.fst
│ │ │ ├── Vale.Poly1305.Equiv.fsti
│ │ │ ├── testpoly1305.c
│ │ │ └── x64/
│ │ │ ├── Makefile
│ │ │ ├── PolyMain.ml
│ │ │ ├── Vale.Poly1305.Bitvectors.fst
│ │ │ ├── Vale.Poly1305.Bitvectors.fsti
│ │ │ ├── Vale.Poly1305.CallingFromLowStar.fst
│ │ │ ├── Vale.Poly1305.CallingFromLowStar.fsti
│ │ │ ├── Vale.Poly1305.Math.fst
│ │ │ ├── Vale.Poly1305.Math.fsti
│ │ │ ├── Vale.Poly1305.Util.fst
│ │ │ └── Vale.Poly1305.Util.fsti
│ │ └── sha/
│ │ ├── Makefile
│ │ ├── ShaMain.ml
│ │ ├── ShaMainPPC64LE.ml
│ │ ├── TestSha.cpp
│ │ ├── TestShaPPC64LE.cpp
│ │ ├── Vale.SHA.PPC64LE.SHA_helpers.fst
│ │ ├── Vale.SHA.PPC64LE.SHA_helpers.fsti
│ │ ├── Vale.SHA.SHA_helpers.fst
│ │ └── Vale.SHA.SHA_helpers.fsti
│ ├── lib/
│ │ ├── collections/
│ │ │ ├── Makefile
│ │ │ ├── Vale.Lib.Lists.fst
│ │ │ ├── Vale.Lib.Lists.fsti
│ │ │ ├── Vale.Lib.Map16.fst
│ │ │ ├── Vale.Lib.Map16.fsti
│ │ │ ├── Vale.Lib.MapTree.fst
│ │ │ ├── Vale.Lib.MapTree.fsti
│ │ │ ├── Vale.Lib.Seqs.fst
│ │ │ └── Vale.Lib.Seqs.fsti
│ │ ├── math/
│ │ │ ├── Makefile
│ │ │ ├── Vale.Math.Bits.fst
│ │ │ ├── Vale.Math.Bits.fsti
│ │ │ ├── Vale.Math.Lemmas.Int.fst
│ │ │ ├── Vale.Math.Lemmas.Int.fsti
│ │ │ ├── Vale.Math.Poly2.Bits.fst
│ │ │ ├── Vale.Math.Poly2.Bits.fsti
│ │ │ ├── Vale.Math.Poly2.Defs.fst
│ │ │ ├── Vale.Math.Poly2.Galois.IntTypes.fst
│ │ │ ├── Vale.Math.Poly2.Galois.IntTypes.fsti
│ │ │ ├── Vale.Math.Poly2.Galois.Lemmas.fst
│ │ │ ├── Vale.Math.Poly2.Galois.Lemmas.fsti
│ │ │ ├── Vale.Math.Poly2.Galois.fst
│ │ │ ├── Vale.Math.Poly2.Galois.fsti
│ │ │ ├── Vale.Math.Poly2.Lemmas.fst
│ │ │ ├── Vale.Math.Poly2.Lemmas.fsti
│ │ │ ├── Vale.Math.Poly2.Words.fst
│ │ │ ├── Vale.Math.Poly2.Words.fsti
│ │ │ ├── Vale.Math.Poly2.fst
│ │ │ └── Vale.Math.Poly2.fsti
│ │ ├── transformers/
│ │ │ ├── Makefile
│ │ │ ├── Vale.Transformers.BoundedInstructionEffects.fst
│ │ │ ├── Vale.Transformers.BoundedInstructionEffects.fsti
│ │ │ ├── Vale.Transformers.Common.fst
│ │ │ ├── Vale.Transformers.Common.fsti
│ │ │ ├── Vale.Transformers.DebugPrint.fst
│ │ │ ├── Vale.Transformers.InstructionReorder.fst
│ │ │ ├── Vale.Transformers.InstructionReorderSanityChecks.fst
│ │ │ ├── Vale.Transformers.InstructionReorderSanityChecks.fsti
│ │ │ ├── Vale.Transformers.Locations.fst
│ │ │ ├── Vale.Transformers.Locations.fsti
│ │ │ ├── Vale.Transformers.MovMovElim.fst
│ │ │ ├── Vale.Transformers.MovbeElim.fst
│ │ │ ├── Vale.Transformers.PeepHole.fst
│ │ │ ├── Vale.Transformers.PeepHole.fsti
│ │ │ ├── Vale.Transformers.PrefetchElim.fst
│ │ │ ├── Vale.Transformers.Transform.fst
│ │ │ └── Vale.Transformers.Transform.fsti
│ │ └── util/
│ │ ├── CmdLineParser.ml
│ │ ├── Makefile
│ │ ├── Vale.Def.Words.Seq.fst
│ │ ├── Vale.Def.Words.Seq.fsti
│ │ ├── Vale.Def.Words.Two.fst
│ │ ├── Vale.Def.Words.Two.fsti
│ │ ├── Vale.Lib.Basic.vaf
│ │ ├── Vale.Lib.BufferViewHelpers.fst
│ │ ├── Vale.Lib.Meta.fst
│ │ ├── Vale.Lib.Meta.fsti
│ │ ├── Vale.Lib.Operator.vaf
│ │ ├── Vale.Lib.Tactics.fst
│ │ └── x64/
│ │ ├── CpuidMain.ml
│ │ ├── Vale.Lib.X64.Cpuid.vaf
│ │ ├── Vale.X64.Stack.vaf
│ │ └── stdcalls/
│ │ └── Vale.Lib.X64.Cpuidstdcall.vaf
│ ├── test/
│ │ ├── Makefile
│ │ ├── TestInline.c
│ │ ├── TestInlineMain.ml
│ │ ├── Vale.Test.TestInline.fst
│ │ ├── Vale.Test.X64.Args.vaf
│ │ ├── Vale.Test.X64.Memcpy.vaf
│ │ └── Vale.Test.X64.Vale_memcpy.vaf
│ └── thirdPartyPorts/
│ ├── Intel/
│ │ ├── README.md
│ │ └── aes/
│ │ └── x64/
│ │ ├── Vale.AES.X64.AESCTR.vaf
│ │ └── Vale.AES.X64.AESCTRplain.vaf
│ ├── OpenSSL/
│ │ ├── README.md
│ │ ├── aes/
│ │ │ ├── Vale.AES.X64.AESGCM.vaf
│ │ │ ├── Vale.AES.X64.AESGCM_expected_code.vaf
│ │ │ ├── Vale.AES.X64.AESopt.vaf
│ │ │ └── Vale.AES.X64.AESopt2.vaf
│ │ ├── poly1305/
│ │ │ └── x64/
│ │ │ └── Vale.Poly1305.X64.vaf
│ │ └── sha/
│ │ ├── Vale.SHA.PPC64LE.Loop.vaf
│ │ ├── Vale.SHA.PPC64LE.Rounds.Core.vaf
│ │ ├── Vale.SHA.PPC64LE.Rounds.vaf
│ │ ├── Vale.SHA.PPC64LE.vaf
│ │ └── Vale.SHA.X64.vaf
│ ├── SymCrypt/
│ │ ├── README.md
│ │ └── bignum/
│ │ └── Vale.FDefMulx.X64.vaf
│ └── rfc7748/
│ ├── README.md
│ └── curve25519/
│ └── x64/
│ ├── Vale.Curve25519.X64.FastHybrid.vaf
│ ├── Vale.Curve25519.X64.FastMul.vaf
│ ├── Vale.Curve25519.X64.FastSqr.vaf
│ ├── Vale.Curve25519.X64.FastUtil.vaf
│ └── Vale.Curve25519.X64.FastWide.vaf
├── doc/
│ ├── .gitattributes
│ └── compilation.txt
├── run_scons.sh
├── scons_cygwin.sh
├── scripts/
│ └── ingest-openssl-perl.py
└── specs/
├── crypto/
│ ├── Makefile
│ ├── Vale.AES.AES_BE_s.fst
│ ├── Vale.AES.AES_common_s.fst
│ ├── Vale.AES.AES_s.fst
│ ├── Vale.AES.GCM_BE_s.fst
│ ├── Vale.AES.GCM_s.fst
│ ├── Vale.AES.GCTR_BE_s.fst
│ ├── Vale.AES.GCTR_s.fst
│ ├── Vale.AES.GF128_s.fst
│ ├── Vale.AES.GF128_s.fsti
│ ├── Vale.AES.GHash_BE_s.fst
│ ├── Vale.AES.GHash_s.fst
│ ├── Vale.Poly1305.Spec_s.fst
│ ├── Vale.SHA2.Wrapper.fst
│ └── Vale.SHA2.Wrapper.fsti
├── defs/
│ ├── Makefile
│ ├── Vale.Def.Opaque_s.fst
│ ├── Vale.Def.Opaque_s.fsti
│ ├── Vale.Def.PossiblyMonad.fst
│ ├── Vale.Def.Prop_s.fst
│ ├── Vale.Def.Sel.fst
│ ├── Vale.Def.TypesNative_s.fst
│ ├── Vale.Def.Types_s.fst
│ ├── Vale.Def.Words.Four_s.fst
│ ├── Vale.Def.Words.Four_s.fsti
│ ├── Vale.Def.Words.Seq_s.fst
│ ├── Vale.Def.Words.Seq_s.fsti
│ ├── Vale.Def.Words.Two_s.fst
│ ├── Vale.Def.Words.Two_s.fsti
│ ├── Vale.Def.Words_s.fst
│ ├── Vale.Def.Words_s.fsti
│ ├── Vale.Lib.Bv_s.fst
│ ├── Vale.Lib.Seqs_s.fst
│ ├── Vale.Lib.Set.fst
│ └── Vale.Lib.Set.fsti
├── hardware/
│ ├── Makefile
│ ├── Vale.Arch.Heap.fsti
│ ├── Vale.Arch.HeapTypes_s.fst
│ ├── Vale.Arch.MachineHeap_s.fst
│ ├── Vale.PPC64LE.Machine_s.fst
│ ├── Vale.PPC64LE.Print_s.fst
│ ├── Vale.PPC64LE.Semantics_s.fst
│ ├── Vale.X64.Bytes_Code_s.fst
│ ├── Vale.X64.CPU_Features_s.fst
│ ├── Vale.X64.CryptoInstructions_s.fst
│ ├── Vale.X64.CryptoInstructions_s.fsti
│ ├── Vale.X64.Instruction_s.fst
│ ├── Vale.X64.Instruction_s.fsti
│ ├── Vale.X64.Instructions_s.fst
│ ├── Vale.X64.Instructions_s.fsti
│ ├── Vale.X64.Leakage_s.fst
│ ├── Vale.X64.Machine_Semantics_s.fst
│ ├── Vale.X64.Machine_s.fst
│ ├── Vale.X64.Print_Inline_s.fst
│ └── Vale.X64.Print_s.fst
├── interop/
│ ├── Makefile
│ ├── Vale.Interop.Assumptions.fst
│ ├── Vale.Interop.Base.fst
│ ├── Vale.Interop.Heap_s.fst
│ ├── Vale.Interop.Types.fst
│ ├── Vale.Interop.Views.fst
│ ├── Vale.Interop.Views.fsti
│ ├── Vale.Interop.X64.fst
│ └── Vale.Interop.X64.fsti
└── math/
├── Makefile
├── Vale.Math.Poly2.Bits_s.fst
├── Vale.Math.Poly2.Bits_s.fsti
├── Vale.Math.Poly2.Defs_s.fst
├── Vale.Math.Poly2_s.fst
└── Vale.Math.Poly2_s.fsti
================================================
FILE CONTENTS
================================================
================================================
FILE: .ci/script.bat
================================================
call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" -host_arch=amd64 -arch=amd64
call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" -test
cd dist/msvc-compatible
type nul > config.h
cl *.c /I ../karamel/include /I . /I ../karamel/krmllib/dist/minimal /c /DHACL_CAN_COMPILE_INTRINSICS /DHACL_CAN_COMPILE_VALE /DHACL_CAN_COMPILE_VEC128 /DHACL_CAN_COMPILE_VEC256 || goto :error
for /F %%i in ('dir /b *-x86_64-msvc.asm') do (
ml64 /c %%i || goto :error
)
lib *.obj || goto :error
echo "SUCCESS"
exit /b 0
:error
echo "Failed"
exit /b %errorlevel%
================================================
FILE: .ci/script.sh
================================================
#!/usr/bin/env bash
set -e
set -o pipefail
if [[ $OS == "Windows_NT" ]]; then
# The usual issue of return codes not being forwarded.
.ci/script.bat 2>&1 | tee log
if grep "SUCCESS" log; then
exit 0
else
exit 1
fi
fi
# ARM cross builds are handled a little different
if [[ $ARM_CROSS_CI == "aarch64-none-linux-gnu" ]]; then
pushd dist/gcc-compatible
export TOOLCHAIN=$PWD/../../gcc-arm-9.2-2019.12-x86_64-aarch64-none-linux-gnu
./configure -target aarch64-none-linux-gnu
make -j
popd
exit 0
fi
# Cross compile for other targets. Build and static library only.
if [ ! -z "$CROSS_CI" ]; then
pushd dist/gcc-compatible
rm -rf *.o *.d libevercrypt.a
./configure -target $CROSS_CI
make -j libevercrypt.a
popd
exit 0
fi
if [[ $TARGET == "IA32" ]]; then
# Test 32-bit build; Tests don't work here yet.
pushd dist/gcc-compatible
./configure -target ia32
make -j
popd
exit 0
fi
# For OSX... seems like the most reliable way to figure out which OpenSSL is
# installed? We have both 1.1.1d and 1.1.1f and neither can be installed on the
# other configuration.
for p in /usr/local/Cellar/openssl@1.1/*; do export CFLAGS="-I$p/include/"; export LDFLAGS="-L$p/lib"; done
# Most likely running without OCaml -- need to configure
pushd dist/gcc-compatible
./configure
make -j
popd
make -C tests -j test
# Extracted C tests -- need full krmllib, don't work on ARM because of
# intrinsics for x86 in cpu cycle count routines in testlib.c
pushd dist/test/c/
git clone https://github.com/fstarlang/karamel --depth 10
export KRML_LIBDIR=$(pwd)/karamel/krmllib
export KRML_INCLUDEDIR=$(pwd)/karamel/include
make -C karamel/krmllib/dist/generic -f Makefile.basic -j
make -j -k
popd
================================================
FILE: .docker/build/build.sh
================================================
#!/usr/bin/env bash
#set -x
target=$1
out_file=$2
threads=$3
branchname=$4
function export_home() {
local home_path=""
if command -v cygpath >/dev/null 2>&1; then
home_path=$(cygpath -m "$2")
else
home_path="$2"
fi
export $1_HOME=$home_path
# Update .bashrc file
local s_token=$1_HOME=
if grep -q "$s_token" ~/.bashrc; then
sed -i -E "s@$s_token.*@$s_token$home_path@" ~/.bashrc
else
echo "export $1_HOME=$home_path" >> ~/.bashrc
fi
}
function vale_test() {
echo Running Vale Test &&
fetch_karamel &&
fetch_vale &&
make -j $threads vale.build -k
}
# This is just out of complete obsessiveness about CI: we check that the code
# compiles on antediluvian machines: mtune=generic is the lowest target GCC
# accepts, and seems to default to -mtune=core2 on most recent versions of GCC.
declare -A cflags
cflags[portable-gcc-compatible]="-mtune=generic"
cflags[gcc-compatible]="-march=native -mtune=native"
function hacl_test() {
make_target=ci
if [[ $target == "mozilla-ci" ]]; then
make_target=mozilla-ci
fi
fetch_and_make_karamel &&
fetch_and_make_mlcrypto &&
fetch_mitls &&
fetch_vale &&
export_home OPENSSL "$(pwd)/mlcrypto/openssl" &&
(
unset KRML_HOME;
cd dist
r=true
for a in *; do
if [[ $a != "karamel" && $a != "vale" && $a != "linux" && $a != "wasm" && $a != "merkle-tree" && $a != "test" && -d $a ]]; then
echo "Building snapshot: $a"
CFLAGS="${cflags[$a]}" make -C $a -j $threads || r=false
echo
fi
done
$r
) &&
make -j $threads $make_target -k
}
function hacl_test_hints_dist() {
hacl_test && refresh_hacl_hints_dist
}
function fetch_and_make_karamel() {
fetch_karamel
# Default build target is minimal, unless specified otherwise
local localTarget
if [[ $1 == "" ]]; then
localTarget="minimal"
else
localTarget="$1"
fi
make -C karamel -j $threads $localTarget ||
(cd karamel && git clean -fdx && make -j $threads $localTarget)
OTHERFLAGS='--admit_smt_queries true' make -C karamel/krmllib -j $threads
export PATH="$(pwd)/karamel:$PATH"
}
# By default, karamel master works against F* stable. Can also be overridden.
function fetch_karamel() {
if [ ! -d karamel ]; then
git clone https://github.com/FStarLang/karamel karamel || return 1
fi
cd karamel
git fetch origin
local ref=$(jq -c -r '.RepoVersions["karamel_version"]' "$rootPath/.docker/build/config.json" )
if [[ $ref == "" || $ref == "null" ]]; then
echo "Unable to find RepoVersions.karamel_version on $rootPath/.docker/build/config.json"
return -1
fi
echo Switching to KaRaMeL $ref
git reset --hard $ref
cd ..
export_home KRML "$(pwd)/karamel"
}
function fetch_and_make_mlcrypto() {
fetch_mlcrypto
make -C mlcrypto -j $threads
}
function fetch_mlcrypto() {
if [ ! -d mlcrypto ]; then
git clone https://github.com/project-everest/MLCrypto mlcrypto || return 1
fi
cd mlcrypto
git fetch origin
local ref=$(jq -c -r '.RepoVersions["mlcrypto_version"]' "$rootPath/.docker/build/config.json" )
if [[ $ref == "" || $ref == "null" ]]; then
echo "Unable to find RepoVersions.mlcrypto_version on $rootPath/.docker/build/config.json"
return -1
fi
echo Switching to MLCrypto $ref
git reset --hard $ref
git submodule update
cd ..
export_home MLCRYPTO "$(pwd)/mlcrypto"
}
# By default, mitls-fstar master works against F* stable. Can also be overridden.
function fetch_mitls() {
if [ ! -d mitls-fstar ]; then
git clone https://github.com/mitls/mitls-fstar mitls-fstar || return 1
fi
cd mitls-fstar
git fetch origin
local ref=$(jq -c -r '.RepoVersions["mitls_version"]' "$rootPath/.docker/build/config.json" )
if [[ $ref == "" || $ref == "null" ]]; then
echo "Unable to find RepoVersions.mitls_version on $rootPath/.docker/build/config.json"
return -1
fi
echo Switching to mitls-fstar $ref
git reset --hard $ref
git clean -fdx
cd ..
export_home MITLS "$(pwd)/mitls-fstar"
}
function fetch_vale() {
HACL_HOME=$(pwd) tools/get_vale.sh
export_home VALE "$(pwd)/../vale"
}
function refresh_doc() {
git config --global user.name "Dzomo, the Everest Yak"
git config --global user.email "everbld@microsoft.com"
git clone git@github.com:hacl-star/hacl-star.github.io website
(cd doc && ./ci.sh ../website/)
pushd website && {
git add -A . &&
if ! git diff --exit-code HEAD > /dev/null; then
git commit -m "[CI] Refresh HACL & EverCrypt doc" &&
git push
else
echo No git diff for the tutorial, not generating a commit
fi
errcode=$?
} &&
popd &&
return $errcode
}
function refresh_hacl_hints_dist() {
# We should not generate hints when building on Windows
if [[ "$OS" != "Windows_NT" ]]; then
if [[ ${branchname##refs/heads/} == "master" ]] ; then
refresh_doc
else
echo "Branch is $branchname, not regenerating doc"
fi
refresh_hints_dist "git@github.com:mitls/hacl-star.git" "true" "regenerate hints and dist" "hints"
fi
}
# Re-build and re-test all C code.
# Then add changes to git.
function clean_build_dist() {
ORANGE_FILE="../orange_file.txt"
rm -rf dist/*/* &&
make -j $threads all-unstaged test-c -k &&
echo "Searching for a diff in dist/" &&
if ! git diff --exit-code --name-only -- dist :!dist/*/INFO.txt; then
echo "GIT DIFF: the files in dist/ have a git diff"
{ echo " - dist-diff (hacl-star)" >> $ORANGE_FILE; }
fi &&
git add dist
}
# Note: this performs an _approximate_ refresh of the hints, in the sense that
# since the hint refreshing job takes about 80 minutes, it's very likely someone
# merged to $CI_BRANCH in the meanwhile, which would invalidate some hints. So, we
# reset to origin/$CI_BRANCH, take in our hints, and push. This is short enough that
# the chances of someone merging in-between fetch and push are low.
function refresh_hints_dist() {
local remote=$1
local extra="$2"
local msg="$3"
local hints_dir="$4"
# Figure out the branch
CI_BRANCH=${branchname##refs/heads/}
echo "Current branch_name=$CI_BRANCH"
# Add all the hints, even those not under version control
find $hints_dir -iname '*.hints' -and -not -path '*/.*' -and -not -path '*/dependencies/*' | xargs git add
# Without the eval, this was doing weird stuff such as,
# when $2 = "git ls-files src/ocaml-output/ | xargs git add",
# outputting the list of files to stdout
eval "$extra"
clean_build_dist || return 1
# If no changes were staged, then exit.
# From: https://stackoverflow.com/a/2659808
if git diff-index --quiet --cached HEAD -- ; then
return 0
fi
# Commit. This will fail if the commit is empty,
# but that scenario should be ruled out by the test above
git commit -m "[CI] $msg"
# Memorize that commit
commit=$(git rev-parse HEAD)
# Drop any other files that were modified as part of the build (e.g.
# parse.fsi)
git reset --hard HEAD
# Move to whatever is the most recent master (that most likely changed in the
# meantime)
git fetch
git checkout $CI_BRANCH
git reset --hard origin/$CI_BRANCH
# Silent, always-successful merge
export GIT_MERGE_AUTOEDIT=no
git merge $commit -Xtheirs
# If build hints branch exists on remote, remove it
exists=$(git branch -r -l "origin/BuildHints-$CI_BRANCH")
if [ ! -z $exists ]; then
git push $remote :BuildHints-$CI_BRANCH
fi
# Push.
git checkout -b BuildHints-$CI_BRANCH
git push $remote BuildHints-$CI_BRANCH
}
function exec_build() {
result_file="../result.txt"
local status_file="../status.txt"
echo -n false >$status_file
if [ ! -d "secure_api" ]; then
echo "I don't seem to be in the right directory, bailing"
echo Failure >$result_file
return
fi
ORANGE_FILE="../orange_file.txt"
echo '' >$ORANGE_FILE
export_home HACL "$(pwd)"
export_home EVERCRYPT "$(pwd)/providers"
if [[ $target == "hacl-ci" || $target == "mozilla-ci" ]]; then
echo target - >hacl-ci
hacl_test && echo -n true >$status_file
elif [[ $target == "hacl-nightly" ]]; then
echo target - >hacl-nightly
export OTHERFLAGS="--record_hints $OTHERFLAGS --z3rlimit_factor 2"
hacl_test_hints_dist && echo -n true >$status_file
else
echo "Invalid target"
echo Failure >$result_file
return
fi
if [[ $(cat $status_file) != "true" ]]; then
echo "Build failed"
echo Failure >$result_file
elif [[ $(cat $ORANGE_FILE) != "" ]]; then
echo "Build had breakages"
echo Success with breakages $(cat $ORANGE_FILE) >$result_file
else
echo "Build succeeded"
echo Success >$result_file
fi
}
# Some environment variables we want
export OCAMLRUNPARAM=b
export OTHERFLAGS="--use_hints --query_stats"
export MAKEFLAGS="$MAKEFLAGS -Otarget"
export_home FSTAR "$(pwd)/FStar"
cd hacl-star
rootPath=$(pwd)
exec_build
cd ..
================================================
FILE: .docker/build/build_helper.sh
================================================
#!/usr/bin/env bash
target=$1
out_file=$2
threads=$3
branchname=$4
export FSTAR_EXE=$(pwd)/FStar/bin/fstar.exe
eval $(opam config env)
echo $(date -u "+%Y-%m-%d %H:%M:%S") >> $out_file
tail -f $out_file &
tail_pd=$!
{ { { { { { stdbuf -e0 -o0 timeout -s 9 1h ./build.sh "$@" ; } 3>&1 1>&2 2>&3 ; } | sed -u 's!^![STDERR]!' ; } 3>&1 1>&2 2>&3 ; } | sed -u 's!^![STDOUT]!' ; } 2>&1 ; } >> $out_file
kill $tail_pd
echo $(date -u "+%Y-%m-%d %H:%M:%S") >> $out_file
# Generate query-stats.
# List the hints that fail to replay.
FStar/.scripts/query-stats.py -f $out_file -F html -o log_no_replay.html -n all '--filter=fstar_usedhints=+' '--filter=fstar_tag=-' -g
# Worst offenders (longest times)
FStar/.scripts/query-stats.py -f $out_file -F html -o log_worst.html -c -g -n 10
================================================
FILE: .docker/build/config.json
================================================
{
"ProjectName" : "hacl-star",
"BaseContainerIsEverestImage" : true,
"BaseContainerImageName" : "fstar",
"BaseContainerImageTagOrCommitId": "latest",
"BranchName" : "master",
"GithubCommitUrl" : "https://github.com/FStarLang/FStar/commit",
"OnDemandBuildDefinition" : "FStar\\FStar-{agentOS}",
"DockerFile": ".docker/build/{agentOS}/Dockerfile",
"DependencyFiles" : [
".docker/build/build_helper.sh",
".docker/build/build.sh"
],
"ArtifactPath": "",
"DockerCommand": "docker",
"DockerCacheEnabled" : true,
"CIBuildTarget" : "hacl-ci",
"NightlyBuildTarget" : "hacl-nightly",
"HasLogsToExtract" : true,
"NotificationEnabled" : true,
"NotificationChannel" : "#hacl-build",
"PublicBranches" : [ "dev", "_dev", "fstar-master", "master" ],
"CompressBuildFolder": true,
"FolderToCompress" : "hacl-star",
"FoldersToExclude" : [ ],
"TrackPerformance" : false,
"RepoVersions" : {
"karamel_version" : "origin/master",
"mitls_version" : "origin/master",
"mlcrypto_version" : "origin/master",
".vale_version" : "origin/master"
}
}
================================================
FILE: .docker/build/linux/Dockerfile
================================================
# hacl build container
# Define on fstar-version.json what FStar base container image
# hacl build should use.
# By default it always look for the latest FStar container available
# In case you would like to reference a specific commit,
# replace latest with the commit id from github using 12 characters.
ARG DOCKERHUBPROJECT
ARG COMMITID
FROM ${DOCKERHUBPROJECT}fstar-linux:${COMMITID}
ARG BUILDLOGFILE
ARG MAXTHREADS
ARG BUILDTARGET
ARG BRANCHNAME
# ADD SSH KEY
RUN mkdir -p ${MYHOME}/.ssh
RUN chown everest ${MYHOME}/.ssh
RUN chmod 700 ${MYHOME}/.ssh
COPY --chown=everest id_rsa ${MYHOME}/.ssh/id_rsa
RUN chmod 600 ${MYHOME}/.ssh/id_rsa
# Copy source files
RUN mkdir ${MYHOME}/hacl-star
COPY --chown=everest / ${MYHOME}/hacl-star/
# Do some cleanup
RUN rm -f build.sh
RUN rm -f build_helper.sh
RUN rm -f buildlogfile.txt
RUN rm -f log_no_replay.html
RUN rm -f log_worst.html
RUN rm -f orange_status.txt
RUN rm -f result.txt
RUN rm -f status.txt
RUN rm -f commitinfofilename.json
RUN rm hacl-star/Dockerfile
RUN rm hacl-star/build.sh
RUN rm hacl-star/build_helper.sh
RUN rm hacl-star/id_rsa
RUN rm hacl-star/commitinfofilename.json
COPY --chown=everest build.sh ${MYHOME}/build.sh
RUN chmod +x build.sh
COPY --chown=everest build_helper.sh ${MYHOME}/build_helper.sh
RUN chmod +x build_helper.sh
RUN ./build_helper.sh ${BUILDTARGET} ${BUILDLOGFILE} ${MAXTHREADS} ${BRANCHNAME} || true
# Remove ssh identities.
RUN rm ${MYHOME}/.ssh/id_rsa
================================================
FILE: .docker/build/windows-nt/Dockerfile
================================================
# hacl build container
# Define on fstar-version.json what FStar base container image
# hacl build should use.
# By default it always look for the latest FStar container available
# In case you would like to reference a specific commit,
# replace latest with the commit id from github using 12 characters.
ARG DOCKERHUBPROJECT
ARG COMMITID
FROM ${DOCKERHUBPROJECT}fstar-windows-nt:${COMMITID}
ARG BUILDLOGFILE
ARG MAXTHREADS
ARG BUILDTARGET
ARG BRANCHNAME
# Add ssh key
# We cannot copy directly to the .ssh folder, instead we copy to a temp folder
WORKDIR "everestsshkey"
COPY id_rsa .
WORKDIR ".."
# Now, using bash we copy the file, set the correct security and remove the previous folder
RUN Invoke-BashCmd '"cd .ssh && cp ../everestsshkey/id_rsa . && chmod 600 id_rsa && rm -rf ../everestsshkey"'
# Copy source files
WORKDIR "hacl-star"
COPY / .
WORKDIR ".."
# Do some cleanup
RUN Invoke-BashCmd rm -f build.sh
RUN Invoke-BashCmd rm -f build_helper.sh
RUN Invoke-BashCmd rm -f buildlogfile.txt
RUN Invoke-BashCmd rm -f log_no_replay.html
RUN Invoke-BashCmd rm -f log_worst.html
RUN Invoke-BashCmd rm -f orange_status.txt
RUN Invoke-BashCmd rm -f result.txt
RUN Invoke-BashCmd rm -f status.txt
RUN Invoke-BashCmd rm -f commitinfofilename.json
RUN Invoke-BashCmd rm hacl-star/Dockerfile
RUN Invoke-BashCmd rm hacl-star/build.sh
RUN Invoke-BashCmd rm hacl-star/build_helper.sh
RUN Invoke-BashCmd rm hacl-star/id_rsa
RUN Invoke-BashCmd rm hacl-star/commitinfofilename.json
COPY build.sh build.sh
COPY build_helper.sh build_helper.sh
RUN Invoke-BashCmd ./build_helper.sh $Env:BUILDTARGET $Env:BUILDLOGFILE $Env:MAXTHREADS $Env:BRANCHNAME '||' true
# Remove ssh key.
RUN Invoke-BashCmd rm .ssh/id_rsa
================================================
FILE: .drone.yml
================================================
kind: pipeline
type: docker
name: arm64
platform:
arch: arm64
steps:
- name: test
image: rust:latest
commands:
- apt update -qq --yes && apt install -qq --yes opam aspcud ocaml clang
- opam init --yes --bare --disable-sandboxing
- opam switch create 4.09.1 --yes
- eval $(opam config env)
- opam install --yes cppo ctypes ctypes-foreign dune zarith
- bash .ci/script.sh
================================================
FILE: .gitattributes
================================================
# Linguist
*.fst linguist-language=FStar
*.fst linguist-documentation=false
*.fsti linguist-language=FStar
*.fsti linguist-documentation=false
# Line endings
Makefile.* eol=lf
Makefile eol=lf
configure eol=lf
.gitignore eol=lf
.ignore eol=lf
*.sh text eol=lf
*.fst eol=lf
*.fsti eol=lf
*.ml* eol=lf
*.hints eol=lf -diff linguist-generated
================================================
FILE: .github/ISSUE_TEMPLATE/bug-report.md
================================================
---
name: Bug Report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
1. Repository version (commit)
2. Version of F* (if relevant: `fstar.exe --version`)
3. Version of KaraMeL (if relevant: `krml -version`)
3. Run steps
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Platform (please complete the following information):**
- OS: [e.g. linux]
- Architecture: [e.g. ARM]
- Version [e.g. 22]
**Additional context**
Add any other context about the problem here.
================================================
FILE: .github/ISSUE_TEMPLATE/feature_request.md
================================================
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.
================================================
FILE: .github/ISSUE_TEMPLATE/performance-issue.md
================================================
---
name: Performance Issue
about: Notify performance regression for some algorithm
title: ''
labels: ''
assignees: ''
---
Platform (please complete the following information):
OS: [e.g. linux]
Architecture: [e.g. ARM]
Version [e.g. 22]
Additional context:
Did the performance regress with some commit?
Post comparisons with prior version or other library.
================================================
FILE: .github/ISSUE_TEMPLATE/proof-issue.md
================================================
---
name: Proof Issue
about: Report proof failures and regressions
title: ''
labels: ''
assignees: ''
---
Setup on which you are running the proof:
OS: [e.g. linux]
Architecture: [e.g. ARM]
F* Version:
KaRaMeL Version:
HACL* Commit:
Algorithms that fail:
Additional context:
================================================
FILE: .github/workflows/dist.yml
================================================
name: Dist CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
workflow_dispatch:
permissions: {}
defaults:
run:
shell: bash
jobs:
dist-ci:
strategy:
fail-fast: false
matrix:
os:
- macos-latest
- ubuntu-latest
- windows-latest
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- name: Run CI script
run: .ci/script.sh
- name: Apple Silicon Build
if: matrix.os == 'macos-latest'
run: |
sudo rm -Rf /Library/Developer/CommandLineTools/SDKs/*
sudo xcode-select -s /Applications/Xcode_16.4.app
CROSS_CI="aarch64-apple-darwin" .ci/script.sh
- name: iOS aarch64
if: matrix.os == 'macos-latest'
run: |
sudo rm -Rf /Library/Developer/CommandLineTools/SDKs/*
sudo xcode-select -s /Applications/Xcode_16.4.app
CROSS_CI="aarch64-apple-ios" .ci/script.sh
- name: iOS x64 simulator
if: matrix.os == 'macos-latest'
run: |
sudo rm -Rf /Library/Developer/CommandLineTools/SDKs/*
sudo xcode-select -s /Applications/Xcode_16.4.app
CROSS_CI="x86_64-apple-ios-simulator" .ci/script.sh
================================================
FILE: .github/workflows/hacl-packages-create-branch.yml
================================================
name: Create branch on hacl-packages
on:
pull_request_target:
branches: [ main ]
permissions:
pull-requests: write
jobs:
hacl-packages-create-branch:
runs-on: ubuntu-latest
steps:
- name: checkout hacl-star
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
path: hacl-star
- name: checkout hacl-packages
uses: actions/checkout@v4
with:
repository: cryspen/hacl-packages
path: hacl-packages
token: ${{ secrets.HACL_BOT }}
- name: install dependencies
run: |
sudo apt-get install -y ninja-build
- name: update hacl-packages
working-directory: hacl-packages
run: |
./mach update -s ../hacl-star
- name: push to hacl-packages
working-directory: hacl-packages
env:
branch: hacl-star-${{ github.head_ref }}
token: ${{ secrets.HACL_BOT }}
run: |
git config --local user.name "Hacl Bot"
git config --local user.email "hacl-star@mailo.com"
git checkout -b $branch
git add .
git commit --allow-empty -m "[CI] update code"
git push --force --set-upstream origin $branch
- name: comment pr
uses: thollander/actions-comment-pull-request@v1
with:
message: |
[CI] Important!
The code in `dist/gcc-compatible`, `dist/msvc-compatible`, and `dist/wasm`
is tested on [cryspen/hacl-packages](https://github.com/cryspen/hacl-packages).
`dist` is not automatically re-generated, be sure to do it manually.
(A fresh snapshot can also be downloaded from [CI](https://github.com/hacl-star/hacl-star/actions/workflows/nix.yml) by going to the "artifacts" section of your run.)
Then check the following tests before merging this PR.
Always check the latest run, it corresponds to the most recent version of this branch.
All jobs are expected to be successful.
In some cases manual intervention is needed. Please ping the hacl-packages maintainers.
- [Build, Test, Benchmark](https://github.com/cryspen/hacl-packages/actions?query=branch%3Ahacl-star-${{ github.head_ref }}+workflow%3Abuild_pull_request): Build on Linux (x86, x64), Windows (x86, x64), MacOS (x64, arm64), s390x, Android (arm64) and test on Linux (x86, x64), Windows (x86, x64), MacOS (x64).
- [Performance Regression Tests](https://github.com/cryspen/hacl-packages/actions?query=branch%3Ahacl-star-${{ github.head_ref }}+workflow%3Abenchmark_pull_request): Navigate to the terminal output in “Run benchmarks”. The comparison with the main branch will be at the bottom. The run fails if the performance regresses too much.
- [OCaml bindings](https://github.com/cryspen/hacl-packages/actions?query=branch%3Ahacl-star-${{ github.head_ref }}+workflow%3Aocaml): Build & Tests
- [JS bindings](https://github.com/cryspen/hacl-packages/actions?query=branch%3Ahacl-star-${{ github.head_ref }}+workflow%3Ajs): Build & Tests
- [Rust bindings](https://github.com/cryspen/hacl-packages/actions?query=branch%3Ahacl-star-${{ github.head_ref }}+workflow%3Arust): Build & Tests
comment_includes: "[CI]"
================================================
FILE: .github/workflows/hacl-packages-delete-branch.yml
================================================
name: Delete branch on hacl-packages
on:
pull_request:
types: [ closed ]
permissions: {}
jobs:
hacl-packages-delete-branch:
runs-on: ubuntu-latest
steps:
- name: checkout hacl-packages
uses: actions/checkout@v4
with:
repository: cryspen/hacl-packages
token: ${{ secrets.HACL_BOT }}
- name: delete remote branch
run: |
git push -d origin hacl-star-${{ github.head_ref }}
================================================
FILE: .github/workflows/hintsanddist.yml
================================================
name: regenerate hints and dist
on:
schedule:
- cron: '0 0 * * 0'
workflow_dispatch:
permissions:
contents: write
pull-requests: write
jobs:
regenerate-hints-and-dist:
runs-on: self-hosted
steps:
- name: checkout
uses: actions/checkout@v4
- name: regenerate hints and dist
run: |
# build the new artifacts (in ./result)
nix build --no-write-lock-file .#hacl.passthru.build-products
# delete the old ones
git rm -r hints dist/*/*
# copy the new artifacts
tar -xvf result/hints.tar.gz
tar -xvf result/dist.tar.gz
- name: commit changes
run: |
git config --local user.name "Hacl Bot"
git config --local user.email "hacl-star@mailo.com"
git add hints dist
git commit -m "[CI] regenerate hints and dist"
- name: avoid trivial changes
run: |
[[ 1 -lt $(git diff --compact-summary HEAD~.. | grep -v INFO.txt | wc -l) ]]
- name: leave no uncommitted changes
run: |
git restore .
git clean -xfd
- name: create pull request
uses: peter-evans/create-pull-request@v6
with:
token: ${{ secrets.HACL_BOT }}
branch: "hints-and-dist-main"
title: "[CI] regenerate hints and dist"
================================================
FILE: .github/workflows/nix.yml
================================================
name: Nix
on:
push:
branches-ignore: [ '_**' ]
pull_request:
workflow_dispatch:
permissions: {}
# Cancel previous versions of this job that are still running.
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
nix:
runs-on: self-hosted
steps:
- name: checkout
uses: actions/checkout@v4
- name: build hacl
run: |
nix build -L .#hacl
- name: build logs
run: |
nix log .#hacl
- name: resource monitor
run: |
nix build .#hacl.passthru.resource-monitor
cat result/resources.txt
- name: generate artifacts
run: |
nix build .#hacl.passthru.build-products
- uses: actions/upload-artifact@v4
with:
name: hints.tar.gz
path: result/hints.tar.gz
- uses: actions/upload-artifact@v4
with:
name: dist.tar.gz
path: result/dist.tar.gz
================================================
FILE: .gitignore
================================================
*~
*.o
*.d
*.d.*
*.cm*
*.so
*.dll
*.a
*.exe
*.exe.dSYM
out.krml
*.checked
*.checked.lax
*.dump
.extracted
.*depend*
.evercrypt_config
code/**/dist
!code/**/dist/Makefile
code/old/experimental/aesgcm/aesgcm-c
code/old/experimental/aesgcm/aesgcm-c89
*.orig
.didhelp
.last_vale_version
Makefile.config
.#*
tests/benchmark/build
dist/**/lib/*_stubs.ml
dist/**/lib/*_c_stubs.c
dist/wasm/*.wast
doc/_build
config.h
*.smt2
*.runlim
dist/**/*.rsp
# lockfile in Makefile, see MEMHOGS
.top.lk
================================================
FILE: .nix/hacl.nix
================================================
{
bash,
dotnet-runtime,
fetchFromGitHub,
flock,
fstar,
fstar-scripts,
git,
karamel,
lib,
ocamlPackages,
openssl,
python3,
rustc,
sd,
stdenv,
time,
vale,
which,
writeTextFile,
z3,
}: let
runlim = stdenv.mkDerivation rec {
name = "runlim";
src = fetchFromGitHub {
owner = "arminbiere";
repo = "runlim";
rev = "3821e7a1d1ada328cda7a9cff33ea13228d8013a";
sha256 = "sha256-f1jp83GDrRjqEqXEDW2eD6IJzI53pBFkp+qOdpOR6sc=";
};
configurePhase = ''
CC="" ./configure.sh
'';
installPhase = ''
mkdir -p $out/bin
cp ./runlim ./runlim-remount-proc $out/bin
'';
};
hacl = stdenv.mkDerivation {
name = "hacl-star";
src = lib.cleanSourceWith {
src = ./..;
filter = path: type: let
relPath = lib.removePrefix (toString ./.. + "/") (toString path);
in
type
== "directory"
|| lib.elem relPath [
".gitignore"
"Makefile"
"Makefile.common"
"Makefile.include"
"Makefile.openssl"
"dist/LICENSE.txt"
"dist/META"
"dist/Makefile.test"
"dist/Makefile.tmpl"
"dist/configure"
"dist/package-mozilla.sh"
".scripts/remove_stale_hints.sh"
]
|| lib.any (lib.flip lib.hasPrefix relPath) [
"code"
"hints"
"lib"
"providers"
"secure_api"
"specs"
"tests"
"tools"
"vale"
];
};
postPatch = ''
patchShebangs tools
patchShebangs dist/configure
patchShebangs dist/package-mozilla.sh
substituteInPlace Makefile --replace "NOSHORTLOG=1" ""
echo "0.3.19" > vale/.vale_version
'';
nativeBuildInputs =
[
bash
z3
fstar
python3
which
dotnet-runtime
time
runlim
rustc
flock
]
++ (with ocamlPackages; [
ocaml
findlib
batteries
pprint
stdint
yojson
zarith
ppxlib
ppx_deriving
ppx_deriving_yojson
ctypes
cppo
alcotest
qcheck-core
secp256k1-internal
menhirLib
process
sedlex
mtime
]);
buildInputs = [openssl.dev];
VALE_HOME = vale;
KRML_HOME = karamel;
configurePhase = "export HACL_HOME=$(pwd)";
enableParallelBuilding = true;
buildPhase = ''
RESOURCEMONITOR=1 make -j$NIX_BUILD_CORES ci 2>&1 | tee log.txt
bash .scripts/remove_stale_hints.sh
'';
installPhase = ''
cp -r ./. $out
'';
dontFixup = true;
passthru = rec {
info = writeTextFile {
name = "INFO.txt";
text = ''
This code was generated with the following toolchain.
F* version: ${fstar.version}
Karamel version: ${karamel.version}
Vale version: ${vale.version}
'';
};
dist-compare = stdenv.mkDerivation {
name = "hacl-diff-compare";
src = "${hacl.build-products}/dist.tar.gz";
phases = ["unpackPhase" "buildPhase" "installPhase"];
buildPhase = ''
for file in ./*/*.c ./*/*.h
do
if ! diff $file ${../dist}/$file 2>&1 > /dev/null
then
echo "*** $file"
diff -y --suppress-common-lines $file ${../dist}/$file || true
fi
done
'';
installPhase = ''
touch $out
'';
};
dist-list = stdenv.mkDerivation {
name = "hacl-diff-list";
src = "${hacl.build-products}/dist.tar.gz";
phases = ["unpackPhase" "buildPhase" "installPhase"];
buildPhase = ''
diff -rq . ${../dist} 2>&1 \
| sed 's/\/nix\/store\/[a-z0-9]\{32\}-//g' \
| sed 's/^Files \([^ ]*\).*/\1/' \
| sed 's/^Only in source\/dist\([^\:]*\)\: \(.*\)/\.\1\/\2/' \
| sed 's/^Only in \.\([^\:]*\)\: \(.*\)/\.\1\/\2/' \
| { grep '\.\/[^\/]*\/' || true; } \
| { grep -v INFO.txt || true; }
'';
installPhase = ''
touch $out
'';
};
build-products = stdenv.mkDerivation {
name = "hacl-build-products";
src = hacl;
buildInputs = [git sd];
buildPhase = ''
sd '${bash}/bin/bash' '/usr/bin/env bash' dist/configure
sd '${bash}/bin/bash' '/usr/bin/env bash' dist/package-mozilla.sh
for target in gcc-compatible msvc-compatible portable-gcc-compatible mozilla
do
sd '${bash}/bin/bash' '/usr/bin/env bash' dist/$target/configure
done
for target in gcc-compatible mozilla msvc-compatible portable-gcc-compatible wasm
do
cp ${info} dist/$target/INFO.txt
done
git init
git config --local user.name "John Doe"
git config --local user.email johndoe@example.com
git add *
git commit -m "initial commit"
git archive HEAD hints -o hints.tar.gz
git archive HEAD dist/* -o dist.tar.gz
'';
installPhase = ''
mkdir -p $out
cp hints.tar.gz dist.tar.gz $out
'';
};
stats = stdenv.mkDerivation {
name = "hacl-stats";
phases = ["installPhase"];
installPhase = ''
mkdir -p $out
cat ${hacl}/log.txt \
| grep "^\[VERIFY\]" \
| sed 's/\[VERIFY\] \(.*\), \(.*\)/\2 \1/' \
| sort -rg - > $out/stats.txt
'';
};
resource-monitor = stdenv.mkDerivation {
name = "hacl-resource-monitor";
src = hacl;
dontBuild = true;
installPhase = ''
mkdir -p $out
bash ${fstar-scripts}/res_summary.sh > $out/resources.txt
'';
};
};
};
in
hacl
================================================
FILE: .nix/vale.nix
================================================
{
fetchFromGitHub,
fetchNuGet,
fsharp,
mono,
dotnet-runtime,
scons,
stdenv,
}: let
FsLexYacc = fetchNuGet {
pname = "FsLexYacc";
version = "6.1.0";
sha256 = "1v5myn62zqs431i046gscqw2v0c969fc7pdplx7z9cnpy0p2s4rv";
outputFiles = ["build/*"];
};
FsLexYaccRuntime = fetchNuGet {
pname = "FsLexYacc.Runtime";
version = "6.1.0";
sha256 = "18vrx4lxsn4hkfishg4abv0d4q21dsph0bm4mdq5z8afaypp5cr7";
outputFiles = ["lib/net40/*"];
};
vale = stdenv.mkDerivation rec {
pname = "vale";
version = "0.3.19";
src = fetchFromGitHub {
owner = "project-everest";
repo = "vale";
rev = "v${version}";
sha256 = "sha256-Y6BlLtX8o9gfJgk8FXymwsQ423+vt5QhHIfvGBiLGWE=";
};
postPatch = ''
substituteInPlace SConstruct --replace "common_env = Environment()" "common_env = Environment(ENV=os.environ)"
'';
preBuild = ''
mkdir -p tools/FsLexYacc/{FsLexYacc.6.1.0/build,FsLexYacc.Runtime.6.1.0/lib/net40}
cp -r ${FsLexYacc}/lib/dotnet/FsLexYacc/* tools/FsLexYacc/FsLexYacc.6.1.0/build/
cp -r ${FsLexYaccRuntime}/lib/dotnet/FsLexYacc.Runtime/* tools/FsLexYacc/FsLexYacc.Runtime.6.1.0/lib/net40/
'';
buildInputs = [FsLexYacc fsharp mono scons];
enableParallelBuilding = true;
installPhase = ''
mkdir -p $out/bin
cp bin/* $out/bin
cp -r . $out
for target in vale importFStarTypes; do
echo "$DOTNET_JSON_CONF" > $out/bin/$target.runtimeconfig.json
done
'';
dontFixup = true;
DOTNET_JSON_CONF = ''
{
"runtimeOptions": {
"framework": {
"name": "Microsoft.NETCore.App",
"version": "${dotnet-runtime.version}"
}
}
}
'';
};
in
vale
================================================
FILE: .scripts/memhogs.sh
================================================
#!/bin/bash
echo "MEMHOGS := "
# Find all runlim files, extract consumed memory and output files in order of increasing memory
find . -name '*.runlim' | while read fn; do
M=$(sed -n 's/.*space:[[:space:]]*\([0-9]*\) MB.*/\1/p' $fn)
echo "$fn $M"
done | sort -nk2 | tail -n 20 | awk ' { print $1 } ' | while read fn; do
# remove ./ prefix if there, since make doesn't canonicalize paths
fn=${fn#./}
echo " $fn \\"
done
echo ""
================================================
FILE: .scripts/remove_stale_hints.sh
================================================
#!/bin/bash
set -eu
declare -A files # Store all basenames in repo
declare -A hints # Store all paths of hints in repo
trap 'RC=$?; rm -f .filelist; exit $RC' EXIT INT
# Find all (normal) files, not descending into .git, and store in
# the array. Using a pipe here would be better, but a pipe creates a
# subshell, so changes to the variables won't have any effect in the
# parent.
find . -name '.git' -prune -o \( -type f \) > .filelist
while read f0; do
f="$(basename "${f0}")"
files[$f]=1;
if [[ "$f0" == *.hints ]]; then
hints[$f0]=1
fi
done < .filelist
rm -f .filelist
for h0 in "${!hints[@]}"; do
h="$(basename "${h0}")"
h="${h%.hints}"
# Given a/b/c/Foo.Bar.fst.hints, if there is no Foo.Bar.fst
# anywhere, then delete the hint file.
if ! [ -v "files[$h]" ]; then
echo "DELETING HINT $h0"
rm -f "${h0}"
fi
done
================================================
FILE: CHANGES.md
================================================
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
Each change begins with a version (if applicable) and a timestamp, and then a set of changes, categorized by type:
- Added for new features.
- Changed for changes in existing functionality.
- Deprecated for soon-to-be removed features.
- Removed for now removed features.
- Fixed for any bug fixes.
- Security in case of vulnerabilities.
## 2023-11-21
- Changed the API for more clarity and consistency. Heavy renaming of modules,
functions and arguments as well as changes in the order of arguments. Blake2,
MD5, SHA-1, SHA-2, SHA-3, Poly1305 and EverCrypt are concerned. See
https://github.com/hacl-star/hacl-star/pull/789 for a detailed list of the
changes.
## 2023-05-22
- Change the return code of the Hacl_Streaming_XXX_update family of functions. These
functions previously returned uint32_t, with 0 to indicating success, and 1
indicating a maximum length exceeded error. These functions have now switched
to an error code shared with other streaming API functions, of type
uint8_t, wherein Hacl_Streaming_Types_Success indicates success, and
Hacl_Streaming_Types_MaximumLengthExceeded conveys the same error as before.
The Success case is defined as 0, meaning that clients that previously did
`if (!Hacl_Streaming_XXX_update(...))` do not need any change in their code.
- Removal of Hacl_Streaming_SHA2.h -- all of the functions are now to be found
in Hacl_Hash_SHA2.h, which brings SHA2 in alignment with other primitives.
- Renamings: Hacl_Hash_SHA2_hash_XXX becomes Hacl_Streaming_SHA2_hash_XXX
(subject to change in the very near future, see #789)
- Renamings: Hacl_Streaming_SHA2_shaXXX becomes Hacl_Streaming_SHA2_hash_XXX
(subject to change in the very near future, see #789)
## 2023-02-20
- Removed OCaml and JS bindings
## 2022-12-19
- Added JS bindings for secp256k1
- Added an OCaml API for secp256k1
## 2022-12-14
- Align the APIs in Hacl_Hash_SHA2 and Hacl_Streaming_SHA2 for full hashes. The
latter now observes the argument order of the former.
## 2022-12-07
- Added secret_to_public for secp256k1
## 2022-12-06
- Tighten the `EverCrypt_Hash` header file to only expose the one-shot and
"streaming" APIs.
## 2022-12-01
### Added
- Initialized CHANGES.md file with changelog template
================================================
FILE: CODEOWNERS
================================================
* @hacl-star/Maintainers
================================================
FILE: CODE_OF_CONDUCT.md
================================================
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, religion, or sexual identity
and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our
community include:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
overall community
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or
advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
[community-moderation](mailto:hacl-star-community-moderation@inria.fr).
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the
reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series
of actions.
**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or
permanent ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within
the community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
Community Impact Guidelines were inspired by [Mozilla's code of conduct
enforcement ladder](https://github.com/mozilla/diversity).
[homepage]: https://www.contributor-covenant.org
For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at
https://www.contributor-covenant.org/translations.
================================================
FILE: GOVERNANCE.md
================================================
# Governance Policy
This document provides the governance policy for the Project. Maintainers agree to this policy and to abide by all Project polices, including the [code of conduct](./CODE_OF_CONDUCT.md), by adding their name to the [maintainers.md file](./MAINTAINERS.md).
## 1. Roles.
This project may include the following roles. Additional roles may be adopted and documented by the Project.
**1.1. Maintainers**. Maintainers are responsible for organizing activities around developing, maintaining, and updating the Project. Maintainers are also responsible for determining consensus. This Project may add or remove Maintainers with the approval of the current Maintainers.
**1.2. Contributors**. Contributors are those that have made contributions to the Project.
## 2. Decisions.
**2.1. Consensus-Based Decision Making**. Projects make decisions through consensus of the Maintainers. While explicit agreement of all Maintainers is preferred, it is not required for consensus. Rather, the Maintainers will determine consensus based on their good faith consideration of a number of factors, including the dominant view of the Contributors and nature of support and objections. The Maintainers will document evidence of consensus in accordance with these requirements.
**2.2. Appeal Process**. Decisions may be appealed by opening an issue and that appeal will be considered by the Maintainers in good faith, who will respond in writing within a reasonable time. If the Maintainers deny the appeal, the appeal may be brought before the Organization Steering Committee, who will also respond in writing in a reasonable time.
## 3. How We Work.
**3.1. Openness**. Participation is open to anyone who is directly and materially affected by the activity in question. There shall be no undue financial barriers to participation.
**3.2. Balance**. The development process should balance the interests of Contributors and other stakeholders. Contributors from diverse interest categories shall be sought with the objective of achieving balance.
**3.3. Coordination and Harmonization**. Good faith efforts shall be made to resolve potential conflicts or incompatibility between releases in this Project.
**3.4. Consideration of Views and Objections**. Prompt consideration shall be given to the written views and objections of all Contributors.
**3.5. Written procedures**. This governance document and other materials documenting this project's development process shall be available to any interested person.
## 4. No Confidentiality.
Information disclosed in connection with any Project activity, including but not limited to meetings, contributions, and submissions, is not confidential, regardless of any markings or statements to the contrary.
## 5. Trademarks.
Any names, trademarks, logos, or goodwill developed by and associated with the Project (the "Marks") are controlled by the Organization. Maintainers may only use these Marks in accordance with the Organization's trademark policy. If a Maintainer resigns or is removed, any rights the Maintainer may have in the Marks revert to the Organization.
## 6. Amendments.
Amendments to this governance policy may be made by affirmative vote of 2/3 of all Maintainers, with approval by the Organization's Steering Committee.
---
Part of MVG-0.1-beta.
Made with love by GitHub. Licensed under the [CC-BY 4.0 License](https://creativecommons.org/licenses/by-sa/4.0/).
================================================
FILE: Hacl.fst.config.json
================================================
{
"fstar_exe": "fstar.exe",
"options": [
"--use_hints",
"--use_hint_hashes",
"--record_hints",
"--odir", "obj",
"--cmi",
"--already_cached", "Prims FStar LowStar C Spec.Loops TestLib WasmSupport",
"--warn_error", "@240+241@247-272-274@319@328@331@332@337",
"--trivial_pre_for_unannotated_effectful_fns", "false",
"--hint_dir", "hints",
"--z3version", "4.8.5"
],
"include_dirs": [
"lib",
"specs",
"specs/lemmas",
"specs/tests",
"specs/drbg",
"specs/frodo",
"specs/tests/p256",
"code/hash",
"code/hmac",
"code/hkdf",
"code/drbg",
"code/hpke",
"code/sha3",
"code/sha2-mb",
"code/ecdsap256",
"code/poly1305",
"code/streaming",
"code/blake2",
"code/chacha20",
"code/chacha20poly1305",
"code/curve25519",
"code/tests",
"code/ed25519",
"code/salsa20",
"code/nacl-box",
"code/meta",
"code/frodo",
"code/fallback",
"code/bignum",
"code/rsapss",
"code/ffdhe",
"code/k256",
"vale/code/arch",
"vale/code/arch/x64",
"vale/code/arch/x64/interop",
"vale/code/arch/ppc64le",
"vale/code/crypto/aes",
"vale/code/crypto/aes/x64",
"vale/code/crypto/aes/ppc64le",
"vale/code/crypto/bignum",
"vale/code/crypto/ecc/curve25519",
"vale/code/crypto/poly1305",
"vale/code/crypto/poly1305/x64",
"vale/code/crypto/sha",
"vale/code/lib/collections",
"vale/code/lib/math",
"vale/code/lib/util",
"vale/code/lib/util/x64",
"vale/code/lib/util/x64/stdcalls",
"vale/code/lib/transformers",
"vale/code/test",
"vale/code/thirdPartyPorts/Intel/aes/x64",
"vale/code/thirdPartyPorts/OpenSSL/aes",
"vale/code/thirdPartyPorts/OpenSSL/poly1305/x64",
"vale/code/thirdPartyPorts/OpenSSL/sha",
"vale/code/thirdPartyPorts/rfc7748/curve25519/x64",
"vale/code/thirdPartyPorts/SymCrypt/bignum",
"vale/specs/crypto",
"vale/specs/defs",
"vale/specs/hardware",
"vale/specs/interop",
"vale/specs/math",
"providers/evercrypt",
"providers/evercrypt/fst",
"providers/test",
"providers/test/vectors",
"obj",
"${KRML_HOME}/runtime",
"${KRML_HOME}/krmllib/obj",
"${KRML_HOME}/krmllib"
]
}
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright {yyyy} {name of copyright owner}
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: MAINTAINERS.md
================================================
# Maintainers
This document lists the Maintainers of the Project. Maintainers may be added once approved by the existing maintainers as described in the [Governance document](./GOVERNANCE.md). By adding your name to this list you are agreeing to abide by the Project governance documents and to abide by all of the Organization's polices, including the [code of conduct](./CODE_OF_CONDUCT.md). If you are participating because of your affiliation with another organization (designated below), you represent that you have the authority to bind that organization to these policies.
| **NAME** | **Organization** |
| --- | --- |
| Karthikeyan Bhargavan | Inria |
| Aymeric Fromherz | Inria |
| Marina Polubelova | Nomadic Labs |
| Jonathan Protzenko | Microsoft Research |
---
Part of MVG-0.1-beta.
Made with love by GitHub. Licensed under the [CC-BY 4.0 License](https://creativecommons.org/licenses/by-sa/4.0/).
================================================
FILE: Makefile
================================================
# This Makefile covers all of the present repository (HACL* + Vale + EverCrypt)
#
# From a high-level perspective, the coarse-grained dependency graph is:
#
# evercrypt
# / \
# code vale
# / \ /
# lib specs
#
# This Makefile honors the following variables:
# - NOSHORTLOG=1 disables pretty (short) logs
# - NODEPEND=1 disables .depend re-generation (use for debugging only)
# - SKIPDEPEND=1 disables even *including* .depend files (not meant for end users)
# - NOOPENSSLCHECK=1 disables OpenSSL libcrypto.a checks (useful for verifying files
# only, or for non-OpenSSL configurations)
# - RESOURCEMONITOR=1 will create .runlim files with runtime and memory usage
# information. The results can then be tallied with the res_summary.sh script.
#
# This is a staged Makefile, because we first need to generate .fst files out of
# .vaf files in order to get a full dependency graph for the .fst files. So,
# this Makefile exposes the following targets to the end user:
# - all: staged target for the entire build (default)
# - test: staged
# - vale-fst: the minimum needed to compile .vaf files to .fst files
# - vale-verify: properly staged target for re-verifying all the vale files
# - vale-asm: re-generation of the Vale assemblies in dist/vale
# - hacl-verify: staged target for verifying HACL* files
# curve25519-verify poly1305-verify chacha20-verify spec-verify
# code-verify: subsets of hacl-verify (each staged)
#
# To generate a Makefile for the interactive mode, use:
# - make foo/bar/Makefile
#
# CI targets:
# - ci: staged, runs all + test, without short logs (this repository's CI)
# - min-test: staged, runs only a subset of verification for the purposes of
# F*'s extended CI
include Makefile.common
#########################
# Catching setup errors #
#########################
ifeq (3.81,$(MAKE_VERSION))
$(error You seem to be using the OSX antiquated Make version. Hint: brew \
install make, then invoke gmake instead of make)
endif
# Better error early.
ifeq (,$(NOVALE))
ifneq (hacl-verify,$(MAKECMDGOALS))
ifeq (,$(wildcard $(VALE_HOME)))
$(error The directory $$VALE_HOME does not exist$(newline)(VALE_HOME=$(VALE_HOME)).$(newline)Hint: ./tools/get_vale.sh if you don't have Vale, yet)
endif
ifeq (,$(wildcard $(VALE_HOME)/bin/vale.exe))
$(error $$VALE_HOME/bin/vale.exe does not exist$(newline)(VALE_HOME=$(VALE_HOME)).$(newline)Hint: ./tools/get_vale.sh if you don't have Vale, yet)
endif
ifeq (,$(wildcard $(VALE_HOME)/bin/vale.runtimeconfig.json))
$(error $$VALE_HOME/bin/vale.runtimeconfig.json does not exist$(newline)(VALE_HOME=$(VALE_HOME)).$(newline)Hint: ./tools/get_vale.sh if you don't have Vale, yet)
endif
ifeq (,$(wildcard $(VALE_HOME)/bin/importFStarTypes.runtimeconfig.json))
$(error $$VALE_HOME/bin/importFStarTypes.runtimeconfig.json does not exist$(newline)(VALE_HOME=$(VALE_HOME)).$(newline)Hint: ./tools/get_vale.sh if you don't have Vale, yet)
endif
ifneq ($(shell cat $(VALE_HOME)/bin/.vale_version | tr -d '\r'),$(shell cat vale/.vale_version | tr -d '\r'))
$(error this repository wants Vale $(shell cat vale/.vale_version) but in \
$$VALE_HOME I found $(shell cat $(VALE_HOME)/bin/.vale_version).$(newline)(VALE_HOME=$(VALE_HOME))$(newline)Hint: ./tools/get_vale.sh)
endif
endif
endif
ifeq (,$(NOOPENSSLCHECK))
include Makefile.openssl
endif
ifneq (,$(HACL_HOME))
ifeq (Windows_NT,$(OS))
HACL_HOME := $(shell cygpath -m $(HACL_HOME))
endif
endif
##########################
# Top-level entry points #
##########################
all: all-staged
all-unstaged: compile-gcc-compatible compile-msvc-compatible \
compile-portable-gcc-compatible dist/wasm/Makefile.basic \
obj/libhaclml.cmxa
# Mozilla does not want to run the configure script, so this means that the
# build of Mozilla will break on platforms other than x86-64
ifeq ($(shell uname -m),x86_64)
all-unstaged: package-compile-mozilla
endif
# Automatic staging.
%-staged: .last_vale_version
@echo "[STAGE1] Vale to F*"
$(MAKE) vale-fst
@echo "[STAGE2] Main target: $*"
FSTAR_DEPEND_FLAGS="--warn_error +285" $(MAKE) $*-unstaged
.last_vale_version: vale/.vale_version
@if [[ -f $@ && $$(cat $@) != $$(cat $<) ]]; then \
echo ℹ️ Vale tool upgrade detected; \
find vale -name '*.vaf' -exec touch {} \; ; \
fi
cp $< $@
test: test-staged
test-unstaged: test-handwritten test-c test-ml test-hpke
ifeq ($(shell uname -m),x86_64)
test-unstaged: vale_testInline
endif
# Any file in code/tests is taken to contain an `int main()` function.
# Test should be renamed into Test.EverCrypt
test-c: $(subst .,_,$(patsubst %.fst,test-c-%,$(notdir $(wildcard code/tests/*.fst)))) \
test-c-Test
cp dist/Makefile.test dist/test/c/Makefile
# Any file in specs/tests is taken to contain a `val test: unit -> bool` function.
test-ml: $(subst .,_,$(patsubst %.fst,test-ml-%,$(notdir $(wildcard specs/tests/*.fst))))
test-hpke: specs/tests/hpke/test_hpke.exe
$<
specs/tests/hpke/test_hpke.exe: obj/libhaclml.cmxa specs/tests/hpke/Test_Spec_Agile_HPKE.ml
$(OCAMLOPT) $^ -o $@
# Not reusing the -staged automatic target so as to export NOSHORTLOG
ci:
USE_FLOCK=1 NOSHORTLOG=1 $(MAKE) vale-fst
FSTAR_DEPEND_FLAGS="--warn_error +285" USE_FLOCK=1 NOSHORTLOG=1 $(MAKE) all-unstaged test-unstaged
./tools/sloccount.sh
# Not reusing the -staged automatic target so as to export MIN_TEST
min-test:
MIN_TEST=1 NOSHORTLOG=1 $(MAKE) vale-fst
MIN_TEST=1 FSTAR_DEPEND_FLAGS="--warn_error +285" NOSHORTLOG=1 \
$(MAKE) min-test-unstaged
# So that this Makefile can also clean the previous directory layout. In the
# long run, TO_CLEAN should be able to go.
TO_CLEAN=$(foreach ext,checked checked.lax out cmd err time dump types.vaf krml cmx cmo cmi o d a,-or -iname '*.$(ext)')
clean:
find . -iname '.depend*' $(TO_CLEAN) -delete
find obj -maxdepth 1 -mindepth 1 -not -name .gitignore -delete
#################
# Configuration #
#################
IMPORT_FSTAR_TYPES := $(VALE_HOME)/bin/importFStarTypes.exe
PYTHON3 ?= $(shell tools/findpython3.sh)
ifeq ($(OS),Windows_NT)
DOTNET =
else
DOTNET = dotnet
endif
ifeq ($(shell uname -s),Darwin)
ifeq (,$(shell which gsed))
$(error gsed not found; try brew install gnu-sed)
endif
SED := gsed -i
ifeq (,$(shell which gtime))
$(error gtime not found; try brew install gnu-time)
endif
TIME := gtime -q -f '%E'
else ifeq ($(shell uname -s),FreeBSD)
SED := sed -i ''
TIME := /usr/bin/time
else
ifeq ($(shell which time),)
$(error 'time' not found, try apt-get install time)
endif
SED := sed -i
TIME := $(shell which time) -q -f '%E'
endif
ifneq ($(OS),Windows_NT)
ifneq ($(shell realpath $$(pwd)),$(shell realpath $(HACL_HOME)))
$(error HACL_HOME, currently set to $(HACL_HOME), does not seem to point to the current directory)
endif
endif
##########################
# Pretty-printing helper #
##########################
SHELL:=$(shell which bash)
# Passing RESOURCEMONITOR=1 to this Makefile will create .runlim files
# throughout the tree with resource information. The $(RUNLIM) variable
# can also be defined directly if so desired.
ifneq ($(RESOURCEMONITOR),)
RUNLIM = runlim -p -o $@.runlim
endif
# The WRAP variable is an optional command wrapper which can be
# customized for each target. If USE_FLOCK is set (which it is during
# CI) we set WRAP to `flock .top.lk` for files with heavy memory
# consumption, to avoid running them in parallel. This is of course not
# ideal since the machine may in fact have tons of memory, but make does
# not provide a way to prevent parallelism according to memory usage.
#
# You can regenerate this list by running .scripts/memhogs.sh after a full
# build with RESOURCEMONITOR=1.
ifneq ($(USE_FLOCK),)
LOCK=flock .top.lk
MEMHOGS := \
obj/Hacl_Test_ECDSA.krml \
obj/Hacl_Test_ECDSA.krml \
obj/Vale.AES.PPC64LE.GCTR.fst.checked \
obj/Hacl.Test.HMAC_DRBG.fst.checked \
obj/Test.Vectors.fst.checked \
obj/Vale.Transformers.InstructionReorder.fst.checked \
obj/Test.krml \
obj/Vale.AES.PPC64LE.GCMdecrypt.fst.checked \
obj/Spec.Frodo.Test.fst.checked \
obj/Vale.AES.X64.AESGCM.fst.checked \
obj/Hacl.Hash.SHA2.fst.checked \
obj/Vale.Wrapper.X64.GCMencryptOpt.fst.checked \
obj/Vale.Wrapper.X64.GCMencryptOpt256.fst.checked \
obj/Vale.Wrapper.X64.GCMdecryptOpt.fst.checked \
obj/Hacl.Impl.SHA2.Core.fst.checked \
obj/Vale.Wrapper.X64.GCMdecryptOpt256.fst.checked \
obj/Vale.AES.X64.GCMdecryptOpt.fst.checked \
obj/Vale.AES.X64.GCMencryptOpt.fst.checked \
obj/Vale.AES.PPC64LE.GCMencrypt.fst.checked \
obj/EverCrypt_Hash_Incremental.krml \
obj/Test.Vectors.Chacha20Poly1305.fst.checked \
# If the target ($@) is in MEMHOGS, wrap with LOCK. Note this relies on
# lazy evaluation of WRAP.
WRAP=$(if $(filter $@,$(MEMHOGS)),$(LOCK),)
endif
# A helper to generate pretty logs, callable as:
# $(call run-with-log,CMD,TXT,STEM)
#
# Arguments:
# CMD: command to execute (may contain double quotes, but not escaped)
# TXT: readable text to print out once the command terminates
# STEM: path stem for the logs, stdout will be in STEM.out, stderr in STEM.err, CMD in STEM.cmd
ifeq (,$(NOSHORTLOG))
run-with-log = \
@echo "$(subst ",\",$1)" > $3.cmd; \
$(WRAP) \
$(RUNLIM) \
$(TIME) -o $3.time sh -c "$(subst ",\",$1)" > $3.out 2> >( tee $3.err 1>&2 ); \
ret=$$?; \
time=$$(cat $3.time); \
if [ $$ret -eq 0 ]; then \
echo "$2, $$time"; \
else \
echo "<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>"; \
echo -e "\033[31mFatal error while running\033[0m: $1"; \
echo -e "\033[31mFailed after\033[0m: $$time"; \
echo -e "\033[36mFull log is in $3.{out,err}, see excerpt below\033[0m:"; \
tail -n 20 $3.err; \
echo "<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>"; \
false; \
fi
else
run-with-log = $(WRAP) $(RUNLIM) $1
endif
####################################################
# Dependency graphs for Vale, then F* source files #
####################################################
# Transforms any foo/bar/baz.qux into obj/baz.qux
to-obj-dir = $(addprefix obj/,$(notdir $1))
# The set of .vaf files we want to translate to F*.
VALE_ROOTS = $(wildcard $(addsuffix /*.vaf,$(VALE_DIRS)))
# Target F* files stemming from Vale files
VAF_AS_FSTS = $(patsubst %.vaf,%.fsti,$(VALE_ROOTS)) $(patsubst %.vaf,%.fst,$(VALE_ROOTS))
VALE_FSTS = $(call to-obj-dir,$(VAF_AS_FSTS))
.PRECIOUS: %.fst %.fsti
# Find this file in the library. We could also just call F* with
# 'LowStar.Endianness.fst' in the invocation below since F* tries to
# find files in the command line in its include path.
LowStar_Endianness_fst := $(shell $(FSTAR_EXE) --locate_file LowStar.Endianness.fst)
# The complete set of F* files, both hand-written and Vale-generated. Note that
# this is only correct in the second stage of the build.
FSTAR_ROOTS = $(wildcard $(addsuffix /*.fsti,$(ALL_HACL_SOURCE_DIRS)) \
$(addsuffix /*.fst,$(ALL_HACL_SOURCE_DIRS))) \
$(LowStar_Endianness_fst) \
$(wildcard $(VALE_FSTS)) # empty during the first stage
# We currently force regeneration of three depend files. This is long.
# If were are debugging (i.e. the files exist already); or within a restarting
# (NOT recursive) make invocation, meaning we are in the process of
# re-generating such files; then don't provide recipes for generating .depend
# files. (In the latter case, this would send make into an infinite loop.)
ifndef NODEPEND
ifndef MAKE_RESTARTS
# Note that the --extract 'OCaml:...' argument controls what is extracted for OCaml,
# meaning we can eliminate large chunks of the dependency graph, since we only
# need to run: Vale stuff, and HACL spec tests.
# For KaRaMeL, we use --extract 'krml:*' to extract everything and let krml
# decide what to keep based on reachability and bundling
# When calling `fstar --dep` or `krml`, the length of the list of
# arguments often exceeds a Windows-imposed limit. Thus, it is
# necessary to save long lists of arguments into a response (`.rsp`)
# file and pass the response file with `@` to said executables.
# The `sed` invocation is currently necessary because, even though all
# paths are absolute (HACL_HOME, FSTAR_EXE, etc.), F* still generates
# dependency trees containing things like bin/../ulib (or
# bin/../lib/fstar if F* is installed from opam or from `make
# install`) We need to remove such detours by hand, which is done by
# that `sed` invocation below
.fstar-depend-%: .FORCE
@if ! [ -f .didhelp ]; then echo "ℹ️ This is F* version $(shell $(FSTAR_NO_FLAGS) --version)"; touch .didhelp; fi
@if ! [ -f .didhelp ]; then echo "💡 Did you know? If your dependency graph didn't change (e.g. no files added or removed, no reference to a new module in your code), run NODEPEND=1 make <your-target> to skip dependency graph regeneration!"; touch .didhelp; fi
@rm -f $@.rsp
@for f in $(notdir $(FSTAR_ROOTS)) ; do echo $$f ; done > $@.rsp
$(call run-with-log,\
$(FSTAR_NO_FLAGS) --dep $* @$@.rsp --warn_error '-285' $(FSTAR_DEPEND_FLAGS) \
--extract 'krml:* -FStar.Tactics -FStar.Reflection -FStar.Stubs' \
--extract 'OCaml:-* +Vale.Arch +Vale.X64 -Vale.X64.MemoryAdapters +Vale.Def +Vale.Lib +Vale.Bignum.X64 -Vale.Lib.Tactics +Vale.Math +Vale.Transformers +Vale.AES +Vale.Interop +Vale.Arch.Types +Vale.Arch.BufferFriend +Vale.Lib.X64 +Vale.SHA.X64 +Vale.SHA.SHA_helpers +Vale.SHA2.Wrapper +Vale.SHA.PPC64LE.SHA_helpers +Vale.PPC64LE +Vale.SHA.PPC64LE +Vale.Curve25519.X64 +Vale.Poly1305.X64 +Vale.Inline +Vale.AsLowStar +Vale.Test +Spec +Lib -Lib.IntVector -Lib.Memzero0 -Lib.Buffer -Lib.MultiBuffer +C -C.String -C.Failure' > $@.tmp && \
$(SED) 's!$(HACL_HOME)/obj/\(.*.checked\)!obj/\1!;s!/bin/\.\./!/!g' $@.tmp && mv $@.tmp $@ \
,[FSTAR-DEPEND ($*)],$(call to-obj-dir,$@))
.vale-depend: .fstar-depend-make .FORCE
$(call run-with-log,\
"$(PYTHON3)" tools/valedepend.py \
$(addprefix -include ,$(VALE_INCLUDES)) \
$(addprefix -in ,$(VALE_ROOTS)) \
-dep $< \
> $@ && \
$(SED) 's!$(HACL_HOME)/obj/\(.*.checked\)!obj/\1!g' $@ \
,[VALE-DEPEND],$(call to-obj-dir,$@))
.PHONY: .FORCE
.FORCE:
endif
endif
# If invoking a known, staged target, then don't include these files, so as not
# to trigger their re-generation (will be done later through recursive (NOT
# restarting)) make invocations.
ifeq ($(MAKECMDGOALS),clean)
SKIPDEPEND=1
else ifeq ($(MAKECMDGOALS),)
SKIPDEPEND=1
else ifeq ($(MAKECMDGOALS),test)
SKIPDEPEND=1
else ifeq ($(MAKECMDGOALS),all)
SKIPDEPEND=1
else ifeq (,$(filter-out %-staged,$(MAKECMDGOALS)))
SKIPDEPEND=1
else ifeq (,$(filter-out %-verify,$(MAKECMDGOALS)))
SKIPDEPEND=1
else ifeq ($(MAKECMDGOALS),ci)
SKIPDEPEND=1
else ifeq ($(MAKECMDGOALS),min-test)
SKIPDEPEND=1
else ifeq (,$(filter-out %/Makefile,$(MAKECMDGOALS)))
SKIPDEPEND=1
endif
ifndef SKIPDEPEND
include .fstar-depend-full
include .vale-depend
endif
#################################################
# First stage: compiling vaf files to fst files #
#################################################
%.dump:
$(call run-with-log,\
$(FSTAR) --dump_module $(basename $(notdir $*)) \
--print_implicits --print_universes --print_effect_args --print_full_names \
--print_bound_var_types --ugly --admit_smt_queries true \
--hint_dir hints/ \
$(notdir $*) > $@ \
,[DUMP] $(notdir $(patsubst %.fst,%,$*)),$(call to-obj-dir,$@))
%.types.vaf:
$(call run-with-log,\
$(DOTNET) $(IMPORT_FSTAR_TYPES) $(addprefix -in ,$^) -out $@ \
,[VALE-TYPES] $(notdir $*),$(call to-obj-dir,$@))
# Always pass Vale.Lib.Operator.vaf as an -include to Vale, except for the file itself.
VALE_FLAGS = -include $(HACL_HOME)/vale/code/lib/util/Vale.Lib.Operator.vaf
obj/Vale.Lib.Operator.fst: VALE_FLAGS=
# Since valedepend generates "foo.fsti: foo.fst", ensure that the fsti is
# more recent than the fst (we don't know in what order vale.exe writes
# the files). (Actually, we know, hence this extra touch.)
%.fst:
$(call run-with-log,\
$(DOTNET) $(VALE_HOME)/bin/vale.exe -fstarText \
-include $*.types.vaf \
$(VALE_FLAGS) \
-in $< -out $@ -outi $@i && touch -c $@i \
,[VALE] $(notdir $*),$(call to-obj-dir,$@))
# A pseudo-target for the first stage.
vale-fst: $(VALE_FSTS)
################################################
# Verifying F* files to produce .checked files #
################################################
# $(call only-for,<filter>) retains all the checked files that match <filter>,
# taken from the source directories, then returns the corresponding set of
# targets in obj/. For instance, $(call only-for,$(HACL_HOME)/code/%.checked)
# returns obj/Hacl.Hash.Definitions.fst.checked, and all the other targets that
# originate from source files in code/.
#
# With this macro, we no longer rely on pattern rules for file-specific options,
# meaning we also no longer rely on the shortest stem rule. Many of the rules
# below match the same file multiple times (as we the case in the original
# SConstruct). The last match has precedence and overrides previous variable
# assignments.
only-for = $(call to-obj-dir,$(filter $1,$(addsuffix .checked,$(FSTAR_ROOTS) $(VAF_AS_FSTS))))
$(call only-for,$(HACL_HOME)/vale/%.checked): \
FSTAR_FLAGS=$(VALE_FSTAR_FLAGS)
$(call only-for,$(HACL_HOME)/vale/specs/%.checked): \
FSTAR_FLAGS=$(VALE_FSTAR_FLAGS)
$(call only-for,$(HACL_HOME)/vale/code/%.checked): \
FSTAR_FLAGS=$(VALE_FSTAR_FLAGS)
$(addsuffix .checked,$(VALE_FSTS)): \
FSTAR_FLAGS=$(VALE_FSTAR_FLAGS)
hints:
mkdir -p $@
# The actual default invocation. Note that the FSTAR_FLAGS= definition allows
# making sure prerequisites of a given rule (e.g. CanonCommMonoid) don't inherit
# the variable assignment of their parent rule.
%.checked: FSTAR_FLAGS=
%.checked: | hints
$(call run-with-log,\
$(FSTAR) $(FSTAR_FLAGS) \
--hint_dir hints \
--cache_checked_modules $< -o $@ \
&& \
touch -c $@ \
,[VERIFY] $(notdir $*),$(call to-obj-dir,$@))
%-verify: %-verify-staged
@
vale-verify-unstaged: \
$(addsuffix .checked,$(VALE_FSTS)) \
$(call only-for,$(HACL_HOME)/vale/%.checked) \
# Overriding the pattern rule and making this one unstaged.
code-verify-unstaged: $(call only-for,$(HACL_HOME)/code/%)
spec-verify-unstaged: $(call only-for,$(HACL_HOME)/specs/%)
lib-verify-unstaged: $(call only-for,$(HACL_HOME)/lib/%)
curve25519-verify-unstaged: $(call only-for,$(HACL_HOME)/code/curve25519/%)
poly1305-verify-unstaged: $(call only-for,$(HACL_HOME)/code/poly1305/%)
chacha20-verify-unstaged: $(call only-for,$(HACL_HOME)/code/chacha20/%)
salsa20-verify-unstaged: $(call only-for,$(HACL_HOME)/code/salsa20/%)
verify-hacl: code-verify-unstaged spec-verify-unstaged lib-verify-unstaged
############
# min-test #
############
min-test-unstaged: $(filter-out \
obj/X64.Vale.InsSha.% \
$(call only-for,$(HACL_HOME)/vale/code/arch/x64/interop/%)\
,\
$(call only-for, $(addprefix $(HACL_HOME)/vale/,\
code/arch/% code/lib/% code/crypto/poly1305/% \
code/thirdPartyPorts/OpenSSL/poly1305/% specs/%))) \
obj/Hacl.Hash.MD.fst.checked
@echo "<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>"
@echo MIN_TEST summary: verified the following modules
@echo $^
@echo "<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>"
####################################################
# Tactic (not covered by --extract, intentionally) #
####################################################
obj/Meta_Interface.ml: CODEGEN = Plugin
obj/Meta_Interface.ml: obj/Meta.Interface.fst.checked
# If fstar.exe was changed in the slightest, this object
# must be recompiled
obj/Meta_Interface.cmxs: obj/Meta_Interface.ml $(FSTAR_EXE)
$(OCAMLSHARED) $< -o $@
obj/Test_Lowstarize.ml: CODEGEN = Plugin
obj/Test_Lowstarize.ml: obj/Test.Lowstarize.fst.checked
obj/Test_Lowstarize.cmxs: obj/Test_Lowstarize.ml $(FSTAR_EXE)
$(OCAMLSHARED) $< -o $@
# IMPORTANT NOTE: we cannot let F* compile the cmxs for several reasons.
# First, it won't detect out-of-date .ml files and won't recompile the cmxs.
# Second, it will race because several Hacl.Meta.%.checked targets might be
# scheduled in parallel.
# So, we don't trust F* to compile the tactic and add it as a step of the
# dependency graph. Note that local Makefiles don't bother.
obj/Hacl.Meta.%.checked: FSTAR_FLAGS += --load Meta.Interface
$(filter obj/Hacl.Meta.%.checked,$(call to-obj-dir,$(ALL_CHECKED_FILES))): obj/Meta_Interface.cmxs
obj/Hacl.Test.%.checked: FSTAR_FLAGS += --load Test.Lowstarize
$(filter obj/Hacl.Test.%.checked,$(call to-obj-dir,$(ALL_CHECKED_FILES))): obj/Test_Lowstarize.cmxs
obj/Test.Vectors.checked: FSTAR_FLAGS += --load Test.Lowstarize
obj/Test.Vectors.checked: obj/Test_Lowstarize.cmxs
obj/Test.Vectors.%.checked: FSTAR_FLAGS += --load Test.Lowstarize
$(filter obj/Test.Vectors.%.checked,$(call to-obj-dir,$(ALL_CHECKED_FILES))): obj/Test_Lowstarize.cmxs
###############################################################################
# Extracting (checked files) to OCaml, producing executables, running them to #
# print ASM files #
###############################################################################
.PRECIOUS: obj/%.cmx
obj/%.cmx: obj/%.ml
$(call run-with-log,\
$(OCAMLOPT) -c $< -o $@ \
,[OCAMLOPT-CMX] $(notdir $*),$(call to-obj-dir,$@))
obj/%.ml: CODEGEN=OCaml
obj/%.ml:
$(call run-with-log,\
$(FSTAR) $< --codegen $(CODEGEN) \
,[EXTRACT-ML] $(notdir $*),$(call to-obj-dir,$@))
dist/vale:
mkdir -p $@
dist/vale/%-x86_64-mingw.S: obj/vale-%.exe | dist/vale
$(call run-with-log,\
$< GCC Win > $@ \
,[VALE-CODEGEN-GCC-WIN] $(notdir $*),$(call to-obj-dir,$@))
dist/vale/%-x86_64-msvc.asm: obj/vale-%.exe | dist/vale
$(call run-with-log,\
$< MASM Win > $@ \
,[VALE-CODEGEN-MASM-WIN] $(notdir $*),$(call to-obj-dir,$@))
dist/vale/%-x86_64-linux.S: obj/vale-%.exe | dist/vale
$(call run-with-log,\
$< GCC Linux > $@ \
,[VALE-CODEGEN-GCC-LINUX] $(notdir $*),$(call to-obj-dir,$@))
dist/vale/%-x86_64-darwin.S: obj/vale-%.exe | dist/vale
$(call run-with-log,\
$< GCC MacOS > $@ \
,[VALE-CODEGEN-GCC-MACOS] $(notdir $*),$(call to-obj-dir,$@))
dist/vale/%-inline.h: obj/inline-vale-%.exe | dist/vale
$(call run-with-log,\
$< > $@ \
,[VALE-CODEGEN-INLINE] $(notdir $*),$(call to-obj-dir,$@))
dist/vale/%-ppc64le.S: obj/vale-%-ppc64le.exe | dist/vale
$(call run-with-log,\
$< > $@ \
,[VALE-CODEGEN-PPC] $(notdir $*),$(call to-obj-dir,$@))
obj/vale-cpuid.exe: vale/code/lib/util/x64/CpuidMain.ml
obj/vale-aesgcm.exe: vale/code/crypto/aes/x64/Main.ml
obj/vale-sha256.exe: vale/code/crypto/sha/ShaMain.ml
obj/vale-sha256-ppc64le.exe: vale/code/crypto/sha/ShaMainPPC64LE.ml
obj/vale-aesgcm-ppc64le.exe: vale/code/crypto/aes/ppc64le/Main.ml
obj/vale-curve25519.exe: vale/code/crypto/ecc/curve25519/Main25519.ml
obj/vale-poly1305.exe: vale/code/crypto/poly1305/x64/PolyMain.ml
obj/inline-vale-curve25519.exe: vale/code/crypto/ecc/curve25519/Inline25519.ml
obj/inline-vale-testInline.exe: vale/code/test/TestInlineMain.ml
obj/vale_testInline.h: obj/inline-vale-testInline.exe
$(call run-with-log,\
$< > $@ \
,[VALE-CODEGEN-INLINE] $(notdir $*),$(call to-obj-dir, $@))
obj/CmdLineParser.ml: vale/code/lib/util/CmdLineParser.ml
cp $< $@
obj/CmdLineParser.cmx: $(ALL_CMX_FILES)
obj/inline-vale-%.exe: $(ALL_CMX_FILES)
$(call run-with-log,\
$(OCAMLOPT) $^ -o $@ \
,[OCAMLOPT-EXE] $(notdir $*),$@)
obj/vale-%.exe: $(ALL_CMX_FILES) obj/CmdLineParser.cmx
$(call run-with-log,\
$(OCAMLOPT) $^ -o $@ \
,[OCAMLOPT-EXE] $(notdir $*),$@)
# The ones in secure_api are legacy and should go.
VALE_ASMS = $(foreach P,cpuid aesgcm sha256 curve25519 poly1305,\
$(addprefix dist/vale/,$P-x86_64-mingw.S $P-x86_64-msvc.asm $P-x86_64-linux.S $P-x86_64-darwin.S)) \
dist/vale/curve25519-inline.h dist/vale/sha256-ppc64le.S dist/vale/aesgcm-ppc64le.S
# A pseudo-target for generating just Vale assemblies
vale-asm: $(VALE_ASMS)
###########################################################################
# Extracting (checked files) to krml, then running karamel to generate C. #
###########################################################################
.PRECIOUS: %.krml
obj/%.krml:
$(call run-with-log,\
$(FSTAR) --codegen krml \
--extract_module $(basename $(notdir $(subst .checked,,$<))) \
$< && \
touch -c $@ \
,[EXTRACT-KRML] $*,$@)
########################################
# Distributions of EverCrypt and HACL* #
########################################
# A series of definitions that both collect the files that go into a
# distribution, and control the shape of the generated code. All of these
# variables (except for REQUIRED_FLAGS) are intended to be overridden with
# target-specific values (see GNU Make Manual 6.11 "Target-specific Variable Values").
HAND_WRITTEN_C = Lib.PrintBuffer Lib.RandomBuffer.System
# Always copied into the destination directory, always passed to karamel.
HAND_WRITTEN_FILES = $(wildcard $(LIB_DIR)/c/*.c)
# Always copied into the destination directory, not passed to karamel.
HAND_WRITTEN_H_FILES = $(filter-out $(LIB_DIR)/c/libintvector_debug.h, \
$(wildcard $(LIB_DIR)/c/*.h))
# Flags that we always include. These are not meant to be overridden and
# provide: -library (for vale interop); -no-prefix (for correct vale interop
# names; for correct function names used by C tests); -bundle (to
# eliminate spec files where definitions are not marked noextract); -drop (for
# intrinsics, see note below); -add-include (for curve's inline header); -fX for
# codegen customiations; -static-header (so that instead of extern declarations
# we get static inline declarations for inlined Vale routines); and a few other
# tweaks.
#
# Note: I am using the deprecated -drop option, but it's ok because the dropped
# module ends up in another bundle. Maybe the semantics of -drop should be
# changed to just drop the declarations from a given module and then rely on
# karamel's empty-module removal.
#
# When extracting our libraries, we purposely don't distribute tests
#
# See Makefile.include for the definition of VALE_BUNDLES
REQUIRED_BUNDLES = \
-bundle Hacl.Poly1305.Field32xN.Lemmas[rename=Hacl_Lemmas] \
-bundle EverCrypt.BCrypt \
-bundle EverCrypt.OpenSSL \
$(VALE_BUNDLES) \
-bundle Hacl.Impl.Poly1305.Fields \
-bundle 'EverCrypt.Spec.*' \
-bundle EverCrypt.Error
REQUIRED_DROP = \
-library EverCrypt.TargetConfig
REQUIRED_FLAGS = \
$(REQUIRED_BUNDLES) \
$(REQUIRED_DROP) \
-library 'Vale.Stdcalls.*' \
-no-prefix 'Vale.Stdcalls.*' \
-static-header 'Vale.Inline.*' \
-library 'Vale.Inline.X64.Fadd_inline' \
-library 'Vale.Inline.X64.Fmul_inline' \
-library 'Vale.Inline.X64.Fswap_inline' \
-library 'Vale.Inline.X64.Fsqr_inline' \
-no-prefix 'Vale.Inline.X64.Fadd_inline' \
-no-prefix 'Vale.Inline.X64.Fmul_inline' \
-no-prefix 'Vale.Inline.X64.Fswap_inline' \
-no-prefix 'Vale.Inline.X64.Fsqr_inline' \
-no-prefix 'EverCrypt.Vale' \
-no-prefix 'EverCrypt.Hash.Incremental.Macros' \
-add-include 'Hacl_Curve25519_64.c:"curve25519-inline.h"' \
-library EverCrypt.AutoConfig \
-static-header 'EverCrypt.TargetConfig' \
-no-prefix 'EverCrypt.TargetConfig' \
-add-include 'EverCrypt_DRBG.c:"lib_memzero0.h"' \
-add-include 'Hacl_Frodo1344.c:"lib_memzero0.h"' \
-add-include 'Hacl_Frodo64.c:"lib_memzero0.h"' \
-add-include 'Hacl_Frodo640.c:"lib_memzero0.h"' \
-add-include 'Hacl_Frodo976.c:"lib_memzero0.h"' \
-add-include 'Hacl_Hash_Blake2b.c:"lib_memzero0.h"' \
-add-include 'Hacl_Hash_Blake2s.c:"lib_memzero0.h"' \
-add-include 'Hacl_Hash_Blake2b_Simd256.c:"lib_memzero0.h"' \
-add-include 'Hacl_Hash_Blake2s_Simd128.c:"lib_memzero0.h"' \
$(BASE_FLAGS)
TARGET_H_INCLUDE = -add-early-include '"krml/internal/target.h"'
# Note: we include libintvector.h in C files whenever possible, but fall back to
# including this header in .h when the public API of a given algorithm (e.g.
# Poly1305/256) directly refers to a LibIntVector type.
# Note: due to backwards-compat, the syntax for the option is not super great...
# it's `-add-include 'Foo:"bar.h"'` (include added to Foo.h) and
# `-add-include 'Foo.c:"bar.h"'` (include added to Foo.c). Note how the former
# doesn't have the file extension while the latter does.
# Note: the syntax got worse, now Foo.h:"bar.h" means the INTERNAL header internal/Foo.h includes
# bar.h
# Note: we would like to maintain the invariant (as of Feb 2025) that we NEVER include libintvector.h from a
# public header. See https://github.com/python/cpython/issues/130213
# FIXME: Sha3_Simd256 does *not* have an internal header so we can't enforce the invariant here
INTRINSIC_FLAGS = \
-add-include 'Hacl_P256.c:"lib_intrinsics.h"' \
\
-add-include 'Hacl_AEAD_Chacha20Poly1305_Simd128.c:"libintvector.h"' \
-add-include 'Hacl_Chacha20_Vec128.c:"libintvector.h"' \
-add-include 'Hacl_SHA2_Vec128.c:"libintvector.h"' \
\
-add-include 'Hacl_Hash_Blake2s_Simd128.h:"libintvector.h"' \
-add-include 'Hacl_MAC_Poly1305_Simd128.h:"libintvector.h"' \
\
-add-include 'Hacl_AEAD_Chacha20Poly1305_Simd256.c:"libintvector.h"' \
-add-include 'Hacl_Chacha20_Vec256.c:"libintvector.h"' \
-add-include 'Hacl_SHA2_Vec256.c:"libintvector.h"' \
\
-add-include 'Hacl_Hash_Blake2b_Simd256.h:"libintvector.h"' \
-add-include 'Hacl_MAC_Poly1305_Simd256.h:"libintvector.h"' \
\
-add-include 'Hacl_Hash_SHA3_Simd256:"libintvector.h"' \
-add-include 'Vale.h:"libintvector.h"' \
-add-include 'Vale.h:<inttypes.h>' \
-add-include 'EverCrypt_Hash.h:"libintvector.h"' \
-add-include 'Hacl_Streaming_HMAC.h:"libintvector-shim.h"'
# Disabled for distributions that don't include code based on intrinsics.
INTRINSIC_INT_FLAGS = \
-add-include 'Hacl_P256:"lib_intrinsics.h"' \
-add-include 'Hacl_Bignum:"lib_intrinsics.h"' \
-add-include 'Hacl_Bignum_Base.h:"lib_intrinsics.h"' \
-add-include 'Hacl_K256_ECDSA:"lib_intrinsics.h"'
# Disables tests; overriden in Wasm where tests indicate what can be compiled.
TEST_FLAGS = -bundle Test,Test.*,Hacl.Test.*
# Ensures that Lib_RandomBuffer_System.h and Lib_PrintBuffer.h have a constant name
# (and are not subject to bundling). Erased by distributions that don't need
# those files.
HAND_WRITTEN_LIB_FLAGS = -bundle Lib.RandomBuffer.System= -bundle Lib.PrintBuffer= -bundle Lib.Memzero0=
TARGETCONFIG_FLAGS = \
-add-include 'Hacl_Curve25519_64.c:"config.h"' \
-add-include 'EverCrypt_AEAD.c:"config.h"' \
-add-include 'EverCrypt_AutoConfig2.c:"evercrypt_targetconfig.h"' \
-add-include 'EverCrypt_CTR.c:"config.h"' \
-add-include 'EverCrypt_Chacha20Poly1305.c:"config.h"' \
-add-include 'EverCrypt_Curve25519.c:"config.h"' \
-add-include 'EverCrypt_Hash.c:"config.h"' \
-add-include 'EverCrypt_Poly1305.c:"config.h"'
# By default, we strive to do one file per algorithm for HACL, and one file for
# logical unit for EverCrypt (e.g. E_HASH_BUNDLE).
#
# All of these bundles that have something on the left-hand side. They demand
# that a particular feature be enabled. For a distribution to disable the
# corresponding feature, one of these variables needs to be overridden.
E_HASH_BUNDLE=-bundle EverCrypt.Hash.Incremental+EverCrypt.Hash.Incremental.Macros=EverCrypt.Hash[rename=EverCrypt_Hash]
CTR_BUNDLE=-bundle EverCrypt.CTR.*
WASMSUPPORT_BUNDLE = -bundle WasmSupport
LEGACY_BUNDLE = -bundle EverCrypt[rename=EverCrypt_Legacy]
BUNDLE_FLAGS =\
$(BLAKE2_BUNDLE) \
$(HMAC_BUNDLE) \
$(SHA3_BUNDLE) \
$(SHA3_SIMD256_BUNDLE) \
$(HASH_BUNDLE) \
$(E_HASH_BUNDLE) \
$(SHA2MB_BUNDLE) \
$(CHACHA20_BUNDLE) \
$(SALSA20_BUNDLE) \
$(BIGNUM_BUNDLE) \
$(CURVE_BUNDLE) \
$(CHACHAPOLY_BUNDLE) \
$(ED_BUNDLE) \
$(POLY_BUNDLE) \
$(NACLBOX_BUNDLE) \
$(WASMSUPPORT_BUNDLE) \
$(CTR_BUNDLE) \
$(P256_BUNDLE) \
$(K256_BUNDLE) \
$(FRODO_BUNDLE) \
$(HPKE_BUNDLE) \
$(STREAMING_BUNDLE) \
$(INTTYPES_BUNDLE) \
$(INTTYPES_128_BUNDLE) \
$(RSAPSS_BUNDLE) \
$(FFDHE_BUNDLE) \
$(LEGACY_BUNDLE)
DEFAULT_FLAGS = \
$(HAND_WRITTEN_LIB_FLAGS) \
$(TARGETCONFIG_FLAGS) \
$(TEST_FLAGS) \
$(INTRINSIC_INT_FLAGS) \
$(INTRINSIC_FLAGS) \
$(BUNDLE_FLAGS) \
$(REQUIRED_FLAGS) \
$(TARGET_H_INCLUDE)
# WASM distribution
# -----------------
#
# We disable anything that is not pure Low*; no intrinsics; no EverCrypt
# TODO: the way externals are handled in Wasm is nuts and they should be in a
# single module rather than require clients to do their surgical bundling.
WASM_STANDALONE=Prims LowStar.Endianness C.Endianness C.String TestLib
WASM_FLAGS =\
$(patsubst %,-bundle %,$(WASM_STANDALONE)) \
-bundle FStar.* \
-bundle LowStar.* \
-bundle Lib.RandomBuffer.System \
-bundle Lib.Memzero \
-minimal -wasm \
./test.js
dist/wasm/Makefile.basic: VALE_ASMS =
dist/wasm/Makefile.basic: HAND_WRITTEN_OPTIONAL_FILES =
dist/wasm/Makefile.basic: HAND_WRITTEN_H_FILES =
dist/wasm/Makefile.basic: HAND_WRITTEN_FILES =
dist/wasm/Makefile.basic: TARGETCONFIG_FLAGS =
dist/wasm/Makefile.basic: INTRINSIC_FLAGS =
# Must appear early on because of the left-to-right semantics of -bundle flags.
dist/wasm/Makefile.basic: HAND_WRITTEN_LIB_FLAGS = $(WASM_FLAGS)
# Doesn't work in WASM because un-materialized externals for AES128
dist/wasm/Makefile.basic: FRODO_BUNDLE = -bundle Hacl.Frodo.KEM,Hacl.Impl.Frodo.*,Hacl.Impl.Matrix,Hacl.Frodo.*,Hacl.Keccak,Hacl.AES128,Hacl.Frodo64,Hacl.Frodo640,Hacl.Frodo976,Hacl.Frodo1344
dist/wasm/Makefile.basic: INTTYPES_128_BUNDLE = -bundle Hacl.IntTypes.Intrinsics_128
# No Vale Curve64 no "Local" or "Slow" Curve64, only Curve51 (local Makefile hack)
dist/wasm/Makefile.basic: CURVE_BUNDLE_SLOW =
dist/wasm/Makefile.basic: CURVE_BUNDLE = \
$(CURVE_BUNDLE_BASE) \
-bundle 'Hacl.Curve25519_64_Slow' \
-bundle 'Hacl.Curve25519_64' \
-bundle 'Hacl.Curve25519_64_Local'
# Most HPKE variants don't work in Wasm, since they are either using Curve64,
# P256 or vectorized chacha-poly, none of which are available in Wasm.
dist/wasm/Makefile.basic: HPKE_BUNDLE += \
-bundle Hacl.HPKE.Curve51_CP32_SHA256= \
-bundle Hacl.HPKE.Curve51_CP32_SHA512= \
-bundle 'Hacl.HPKE.*'
# Disabling vectorized stuff
dist/wasm/Makefile.basic: CHACHA20_BUNDLE += \
-bundle Hacl.Chacha20_Vec128,Hacl.Chacha20_Vec256
dist/wasm/Makefile.basic: CHACHAPOLY_BUNDLE += \
-bundle Hacl.Chacha20Poly1305_128,Hacl.Chacha20Poly1305_256
dist/wasm/Makefile.basic: POLY_BUNDLE = \
-bundle 'Hacl.Streaming.Poly1305_32=Hacl.Poly1305_32,Hacl.Impl.Poly1305.Field32xN_32'[rename=Hacl_MAC_Poly1305,rename-prefix] \
-bundle 'Hacl.Poly1305_128,Hacl.Poly1305_256,Hacl.Impl.Poly1305.*' \
-bundle 'Hacl.Streaming.Poly1305_128,Hacl.Streaming.Poly1305_256'
dist/wasm/Makefile.basic: CTR_BUNDLE =
dist/wasm/Makefile.basic: RSAPSS_BUNDLE = -bundle Hacl.RSAPSS,Hacl.Impl.RSAPSS.*,Hacl.Impl.RSAPSS
dist/wasm/Makefile.basic: FFDHE_BUNDLE = -bundle Hacl.FFDHE,Hacl.Impl.FFDHE.*,Hacl.Impl.FFDHE
dist/wasm/Makefile.basic: DEFAULT_FLAGS += -bundle EverCrypt.TargetConfig \
-bundle 'EverCrypt.*'
dist/wasm/Makefile.basic: REQUIRED_DROP =
# Compact distributions
# ---------------------
#
# Our default, flagship distribution with everything. Some slightly different
# variants depending on whether we are compatible with x86, or MSVC, etc. (see
# README.EverCrypt.md)
# Customizations for regular, msvc and gcc flavors.
dist/gcc-compatible/Makefile.basic: DEFAULT_FLAGS += \
-ctypes EverCrypt.*,Hacl.* #-funroll-loops 16
dist/gcc-compatible/Makefile.basic: HAND_WRITTEN_ML_GEN += \
$(wildcard lib/ml/*_gen.ml)
dist/gcc-compatible/Makefile.basic: HAND_WRITTEN_OPTIONAL_FILES += \
dist/META dist/hacl-star-raw.opam dist/configure
dist/msvc-compatible/Makefile.basic: DEFAULT_FLAGS += -falloca -ftail-calls
# Portable distribution
# ---------------------
#
# Binary objects not optimized for the host (possibly CI) machine, meaning that
# someone can download them onto their machine for debugging. Also enforces that
# we don't have bundle errors where, say, an sse2-required function ends up in a
# file that is *NOT* known to require sse2.
dist/portable-gcc-compatible/Makefile.basic: DEFAULT_FLAGS += -rst-snippets
# Actual KaRaMeL invocations
# --------------------------
.PRECIOUS: dist/%/Makefile.basic
dist/%/Makefile.basic: $(ALL_KRML_FILES) dist/LICENSE.txt $(HAND_WRITTEN_FILES) $(HAND_WRITTEN_H_FILES) $(HAND_WRITTEN_OPTIONAL_FILES) $(VALE_ASMS)
mkdir -p $(dir $@)
[ x"$(HAND_WRITTEN_FILES)$(HAND_WRITTEN_H_FILES)$(HAND_WRITTEN_OPTIONAL_FILES)" != x ] && cp $(HAND_WRITTEN_FILES) $(HAND_WRITTEN_H_FILES) $(HAND_WRITTEN_OPTIONAL_FILES) $(dir $@) || true
[ x"$(HAND_WRITTEN_ML_GEN)" != x ] && mkdir -p $(dir $@)/lib_gen && cp $(HAND_WRITTEN_ML_GEN) $(dir $@)lib_gen/ || true
[ x"$(VALE_ASMS)" != x ] && cp $(VALE_ASMS) $(dir $@) || true
rm -f $@.rsp
for f in $(filter %.krml,$^) ; do echo $$f ; done > $@.rsp
$(KRML) -fstar $(FSTAR_EXE) $(DEFAULT_FLAGS) \
-tmpdir $(dir $@) -skip-compilation \
@$@.rsp \
-silent \
-ccopt -Wno-unused \
-warn-error @2@4-6@15@18@21+22 \
-fparentheses \
-fcast-allocations \
-fextern-c \
$(notdir $(HAND_WRITTEN_FILES)) \
-o libevercrypt.a
echo "This code was generated with the following toolchain." > $(dir $@)/INFO.txt
echo "F* version: $(shell $(FSTAR_EXE) --version | tr '\n' ' ')" >> $(dir $@)/INFO.txt
echo "KaRaMeL version: $(shell cd $(KRML_HOME) && git rev-parse HEAD)" >> $(dir $@)/INFO.txt
echo "Vale version: $(shell cat $(VALE_HOME)/bin/.vale_version)" >> $(dir $@)/INFO.txt
if [ "$*" == "wasm" ]; then touch $@; fi
# Auto-generates a single C test file. Note that this rule will trigger multiple
# times, for multiple KaRaMeL invocations in the test/ directory -- this may
# cause races on shared files (e.g. Makefile.basic, etc.) -- to be investigated.
# In the meanwhile, we at least try to copy the header for intrinsics just once.
#
# NOTE: can't use -library Hacl.* because that would cover the test, too... so
# the C file for the test still contains too much stuff, perhaps
.PRECIOUS: dist/test/c/%.c
dist/test/c/%.c: $(ALL_KRML_FILES)
$(KRML) -silent -fstar $(FSTAR_EXE) \
-tmpdir $(dir $@) -skip-compilation \
-header $(HACL_HOME)/dist/LICENSE.txt \
-no-prefix $(subst Hacl_Test_,Hacl.Test.,$*) \
-library Hacl.P256,Hacl.K256.*,Hacl.Impl.*,EverCrypt.* \
-add-include '"internal/Hacl_Hash_SHA2.h"' \
-static-header Hacl.Impl.SHA2.Generic \
-fparentheses -fcurly-braces -fno-shadow \
-minimal -add-include '"krmllib.h"' \
-add-include '"libintvector.h"' \
-bundle '*[rename=$*]' $(KRML_EXTRA) $(filter %.krml,$^) \
-add-include '"clients/krmlrenamings.h"'
dist/test/c/Test.c: KRML_EXTRA=-add-early-include '"krml/internal/compat.h"'
dist/test/c/Hacl_Test_ECDSA.c: KRML_EXTRA=-drop Lib.IntTypes.Intrinsics -add-include '"lib_intrinsics.h"'
dist/test/c/Hacl_Test_K256.c: KRML_EXTRA=-drop Lib.IntTypes.Intrinsics -add-include '"lib_intrinsics.h"'
###################################################################################
# C Compilation (recursive make invocation relying on KaRaMeL-generated Makefile) #
###################################################################################
copy-krmllib:
mkdir -p dist/karamel
(cd $(KRML_HOME) && tar cvf - krmllib/dist/minimal $$(find include -type f -and -not -name 'steel_types.h')) | (cd dist/karamel && tar xf -)
package-compile-mozilla: dist/mozilla/libevercrypt.a
.PHONY: dist/mozilla/libevercrypt.a
dist/mozilla/libevercrypt.a: compile-gcc-compatible
cd dist && ./package-mozilla.sh
$(MAKE) -C dist/mozilla
compile-%: dist/Makefile.tmpl dist/configure dist/%/Makefile.basic | copy-krmllib
cp $< dist/$*/Makefile
(if [ -f dist/$*/libintvector.h ]; then cp dist/configure dist/$*/configure; fi;)
$(MAKE) -C dist/$*
###########################
# C tests (from F* files) #
###########################
CFLAGS += -Wall -Wextra -g \
-Wno-int-conversion -Wno-unused-parameter \
-O3 -I$(KRML_HOME)/krmllib/dist/minimal \
-I$(KRML_HOME)/include -Idist/gcc-compatible
ifneq ($(shell uname -m),arm64)
CFLAGS += -march=native -mtune=native
endif
# The C test files need the extracted headers to compile
dist/test/c/%.o: dist/test/c/%.c | compile-gcc-compatible
$(call run-with-log,\
$(CC) $(CFLAGS) $< -c -o $@,[CC $*],$(call to-obj-dir,$@))
# FIXME there's a karamel error that generates a void* -- can't use -Werror
# Need the libraries to be present and compiled.
# Linking with full krmllib since tests may use TestLib, etc.
.PRECIOUS: %.exe
%.exe: %.o | compile-gcc-compatible
$(call run-with-log,\
$(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ \
dist/gcc-compatible/libevercrypt.a -lcrypto $(LDFLAGS) \
$(KRML_HOME)/krmllib/dist/generic/libkrmllib.a \
,[LD $*],$(call to-obj-dir,$@))
.PHONY: %.test
%.test: %.exe
$(LD_EXTRA) $<
test-c-%: dist/test/c/%.test
@
##########################
# C tests (from C files) #
##########################
test-handwritten: compile-gcc-compatible
$(LD_EXTRA) KRML_HOME="$(KRML_HOME)" \
LDFLAGS="$(LDFLAGS)" CFLAGS="$(CFLAGS)" \
$(MAKE) -C tests test
obj/vale_testInline.exe: vale/code/test/TestInline.c obj/vale_testInline.h
$(CC) $(CFLAGS) $(LDFLAGS) $< -Iobj -o $@
vale_testInline: obj/vale_testInline.exe
@echo "Testing Vale inline assembly printer"
$<
#######################
# OCaml tests (specs) #
#######################
.PRECIOUS: dist/test/ml/%_AutoTest.ml
dist/test/ml/%_AutoTest.ml:
mkdir -p $(dir $@)
echo "if not ($*.test ()) then (print_endline \"$* failed\"; exit 1)" > $@
# Relying on the --extract argument of fstar --dep to have a reasonable
# over-approximation.
.PRECIOUS: dist/test/ml/%.exe
dist/test/ml/%.exe: $(ALL_CMX_FILES) dist/test/ml/%_AutoTest.ml
$(OCAMLOPT) $^ -o $@
test-ml-%: dist/test/ml/%.exe
$<
#################
# OCaml library #
#################
# This is good for users of HACL* who want to extract specs and link them
# against HACL*-extracted-to-ML
obj/libhaclml.cmxa: $(filter-out $(HACL_HOME)/obj/Meta_Interface.cmx,$(ALL_CMX_FILES))
# JP: doesn't work because a PPX is prepended for some reason
# ocamlfind mklib -o haclml -package fstar.lib -g -I $(HACL_HOME)/obj $(addprefix $(HACL_HOME)/obj/*.,cmo cmx ml o)
$(call run-with-log,\
eval "$(FSTAR_OCAMLENV)" && ocamlfind opt -thread -a -o $@ -package fstar.lib -g -I $(HACL_HOME)/obj $^ \
,[OCAMLOPT-CMXA] libhaclml,$(call to-obj-dir,$@))
########
# Misc #
########
%/Makefile:
echo "HACL_HOME=$(shell realpath . --relative-to $(dir $@))" > $@
echo "include \$$(HACL_HOME)/Makefile.common" >> $@
================================================
FILE: Makefile.common
================================================
# This Makefile can be safely included from sub-directories for the purposes of
# defining the .fst-in targets, as long as the sub-directory defines HACL_HOME.
# Define a newline variable for error messages.
# The two empty lines are needed.
define newline
endef
ifndef HACL_HOME
HACL_HOME := $(shell pwd)
endif
# Put your local configuration (e.g. HACL_HOME, KRML_HOME, etc.) in
# Makefile.config
-include $(HACL_HOME)/Makefile.config
# Essentially FSTAR_EXE ?= fstar.exe, but we want to
# 1) Make it absolute
# 2) Fail early if not found
ifndef FSTAR_EXE
FSTAR_EXE := $(shell which fstar.exe)
ifneq ($(.SHELLSTATUS),0)
$(error "Did not find F* in PATH, add it or set FSTAR_EXE")
endif
endif
ifndef KRML_HOME
# assuming an Everest source tree
KRML_HOME := $(HACL_HOME)/../karamel
endif
# Check that the relevant homes and executables at least exist.
mustexist = \
$(if $(wildcard $(value $(strip $1))),, \
$(error $1 ($(value $(strip $1))) does not exist))
# eval $(FSTAR_OCAMLENV) extends the environment so we can
# find fstar's ocaml libraries.
FSTAR_OCAMLENV := $(shell $(FSTAR_EXE) --ocamlenv)
# We also extend this variable to reduce warnings.
FSTAR_OCAMLENV += OCAMLFIND_IGNORE_DUPS_IN='$(shell ocamlc -where)/compiler-libs:$(OCAMLFIND_IGNORE_DUPS_IN)';
FSTAR_OCAMLENV += export OCAMLFIND_IGNORE_DUPS_IN;
$(call mustexist, FSTAR_EXE)
$(call mustexist, KRML_HOME)
# Find the location of the checked files in F*'s library, for the
# vale-depend call. Note: we still rely on the fact this directory is
# flat.
FSTAR_ULIB_CHECKED := $(dir $(shell $(FSTAR_EXE) --locate_file Prims.fst.checked))
ifndef VALE_HOME
# assuming an Everest source tree
VALE_HOME := $(HACL_HOME)/../vale
endif
# Make all paths absolute, so that `make` only sees a single view of
# each file name, especially when generating dependency trees. On
# Cygwin, we additionally need to use Windows paths instead of Cygwin
# paths.
ifeq ($(OS),Windows_NT)
maybe_cygpath=$(shell cygpath -m $(1))
else
maybe_cygpath=$(1)
endif
sanitize_path=$(call maybe_cygpath,$(realpath $(1)))
HACL_HOME := $(call sanitize_path,$(HACL_HOME))
KRML_HOME := $(call sanitize_path,$(KRML_HOME))
FSTAR_ULIB_CHECKED := $(call sanitize_path,$(FSTAR_ULIB_CHECKED))
VALE_HOME := $(call sanitize_path,$(VALE_HOME))
include $(HACL_HOME)/Makefile.include
INCLUDES = \
$(ALL_HACL_DIRS) \
$(KRML_HOME)/krmllib/obj \
$(KRML_HOME)/krmllib
# $(FSTAR_ULIB_CHECKED) necessary for vale-depend
VALE_INCLUDES = \
$(INCLUDES) \
$(FSTAR_ULIB_CHECKED)
# 0. Vale
# Please keep this in sync with vale/Hacl.Vale.fst.config.json
# so the vscode extension works seamlessly.
VALE_FSTAR_FLAGS=--z3cliopt smt.arith.nl=false \
--z3cliopt smt.QI.EAGER_THRESHOLD=100 --z3cliopt smt.CASE_SPLIT=3 \
--max_fuel 1 --max_ifuel 1 --initial_ifuel 0 \
--smtencoding.elim_box true --smtencoding.l_arith_repr native \
--smtencoding.nl_arith_repr wrapped
# 1. FStar
OUTPUT_DIR ?= obj
FSTAR_INCLUDES = $(addprefix --include ,$(INCLUDES))
# NB: F* will not record hints if we happen to be admitting queries.
FSTAR_HINTS ?= --use_hints --use_hint_hashes --record_hints
# --trivial_pre_for_unannotated_effectful_fns false
# to not enforce trivial preconditions
# for top-level unannotated effectful functions
# 240: admitting declaration without definition
# 241: corrupt cache file AND stale cache file (argh!) we wish to make the
# former fatal, and the latter non-fatal if it's the file we're about to
# verify... see https://github.com/FStarLang/FStar/issues/1652
# 247: checked file not written because some of its dependencies...
# 272: top-level bindings must be total
# 274: shadowing
# 319: effectful argument, consider let binding it
# 328: definition is recursive but not used in its body
# 331: name is being ignored
# 332: abstract keyword
# 337: special treatment of @ is deprecated + Multiple decreases clauses on definition
#
# Please keep this in sync with Hacl.fst.config.json
# so the vscode extension works seamlessly.
FSTAR_NO_FLAGS = $(FSTAR_EXE) $(FSTAR_HINTS) \
--odir $(OUTPUT_DIR) $(FSTAR_INCLUDES) --cmi \
--already_cached 'Prims FStar LowStar C Spec.Loops TestLib WasmSupport' \
--warn_error '@240+241@247-272-274@319@328@331@332@337' \
--cache_dir $(OUTPUT_DIR) --trivial_pre_for_unannotated_effectful_fns false
# Use 4.8.5 in this repo until performance problems with
# newer versions are addressed.
FSTAR_NO_FLAGS += --z3version 4.8.5
FSTAR = $(FSTAR_NO_FLAGS) $(OTHERFLAGS)
%.fst-in %.fsti-in:
@echo $(FSTAR_INCLUDES)
# 2. KaRaMeL
KRML := $(KRML_HOME)/krml
$(call mustexist, KRML)
BASE_FLAGS = \
-no-prefix 'Hacl.Frodo.Random' \
-bundle Hacl.Spec.*,Spec.*[rename=Hacl_Spec] \
-bundle Lib.*[rename=Hacl_Lib] \
-drop Lib.IntVector.Intrinsics \
-drop Lib.IntTypes.Intrinsics \
-drop Lib.IntTypes.Intrinsics_128 \
-fparentheses -fno-shadow -fcurly-braces -fnoreturn-else \
-bundle Prims,C.Failure,C,C.String,C.Loops,Spec.Loops,C.Endianness,FStar.*,LowStar.*[rename=Hacl_Krmllib] \
-bundle 'Meta.*' \
-minimal \
-add-early-include '<string.h>' \
-add-early-include '"krml/internal/types.h"' \
-add-early-include '"krml/lowstar_endianness.h"' \
-header $(HACL_HOME)/dist/LICENSE.txt \
-funroll-loops 16 \
-record-renamings
CURVE_BUNDLE_SLOW= \
-bundle Hacl.Curve25519_64_Slow
CURVE_BUNDLE_BASE= \
$(CURVE_BUNDLE_SLOW) \
-bundle Hacl.Impl.Curve25519.Field51[rename=Hacl_Bignum25519_51] -static-header Hacl.Impl.Curve25519.Field51 \
-bundle Hacl.Curve25519_51=Hacl.Impl.Curve25519.Field51 \
-bundle 'Hacl.Impl.Curve25519.\*[rename=Hacl_Curve_Leftovers]'
CURVE_BUNDLE_LOCAL=-bundle Hacl.Curve25519_64_Local=Hacl.Impl.Curve25519.Field64.Local[rename=Hacl_Curve25519_64] \
$(CURVE_BUNDLE_BASE)
CURVE_BUNDLE=-bundle Hacl.Curve25519_64=Hacl.Impl.Curve25519.Field64.Vale \
$(CURVE_BUNDLE_BASE) -bundle Hacl.Curve25519_64_Local
# First, match the Blake2 stuff
BLAKE2_BUNDLE_BASE= \
-bundle Hacl.Impl.Blake2.Constants -static-header Hacl.Impl.Blake2.Constants \
-bundle 'Hacl.Streaming.Blake2b_32=Hacl.Blake2b_32,Hacl.Hash.Blake2b_32,Hacl.Impl.Blake2.\*,Hacl.Hash.Core.Blake2,Hacl.Streaming.Blake2.Params,Hacl.Streaming.Blake2.Common[rename=Hacl_Hash_Blake2b,rename-prefix]' \
-bundle 'Hacl.Streaming.Blake2s_32=Hacl.Blake2s_32,Hacl.Hash.Blake2s_32[rename=Hacl_Hash_Blake2s,rename-prefix]'
BLAKE2_BUNDLE= $(BLAKE2_BUNDLE_BASE) \
-bundle Hacl.Streaming.Blake2b_256=Hacl.Blake2b_256,Hacl.Hash.Blake2b_256[rename=Hacl_Hash_Blake2b_Simd256,rename-prefix] \
-bundle Hacl.Streaming.Blake2s_128=Hacl.Blake2s_128,Hacl.Hash.Blake2s_128[rename=Hacl_Hash_Blake2s_Simd128,rename-prefix]
# NOTE: code/hash re-exports internal Blake2 operations with the hash signature,
# but really, these should be thin wrappers that defer to the actual
# repeati-based implementation in code/blake2, as opposed to re-generating a
# copy of the code for the sole purpose of HMAC.
# TODO: make Hacl.Hash.Blake2* just inline_for_extraction wrappers that call the
# underlying implementation in code/blake2
HMAC_BUNDLE=-bundle Hacl.HMAC= \
-bundle Hacl.HMAC.Blake2s_128= \
-bundle Hacl.HMAC.Blake2b_256=
# Note: Hacl_Hash_SHA2 is legacy SHA2 here, will eventually go away, there's a proper
# bundle in STREAMING_BUNDLE, below
HASH_BUNDLE= \
-bundle Hacl.Streaming.Types+Hacl.Streaming.MD=Spec.Hash.Definitions[rename=Hacl_Streaming_Types] \
-bundle Hacl.Streaming.MD5=Hacl.Hash.MD5,Hacl.Hash.Core.MD5[rename=Hacl_Hash_MD5,rename-prefix] \
-bundle Hacl.Streaming.SHA1=Hacl.Hash.SHA1,Hacl.Hash.Core.SHA1[rename=Hacl_Hash_SHA1,rename-prefix] \
-bundle Hacl.Impl.SHA2.Types=[rename=Hacl_SHA2_Types] \
-static-header Hacl.Impl.SHA2.Generic \
-bundle Hacl.Streaming.SHA2=Hacl.Hash.SHA2,Hacl.Hash.Core.SHA2,Hacl.Impl.SHA2.*,Hacl.SHA2.Scalar32[rename=Hacl_Hash_SHA2,rename-prefix] \
-bundle Hacl.Hash.Definitions=Hacl.Hash.*[rename=Hacl_Hash_Base]
# TODO: for some reason, the CSHAKE and SHA3 tests use the internal API and
# therefore Hacl.Impl.SHA3 cannot be put on the right-hand side of the bundle
# (which would eliminate internal helpers not used otherwise, such as absorb or
# squeeze)
SHA3_BUNDLE=-bundle Hacl.Streaming.Keccak+Hacl.Hash.SHA3.Scalar=Hacl.Hash.SHA3,Hacl.Impl.SHA3.Vec[rename=Hacl_Hash_SHA3,rename-prefix]
SHA3_SIMD256_BUNDLE=-bundle Hacl.Hash.SHA3.Simd256=Hacl.Impl.SHA3.Vec
CHACHA20_BUNDLE=-bundle Hacl.Chacha20=Hacl.Impl.Chacha20,Hacl.Impl.Chacha20.*
SALSA20_BUNDLE=-bundle Hacl.Salsa20=Hacl.Impl.Salsa20,Hacl.Impl.Salsa20.*,Hacl.Impl.HSalsa20
CHACHAPOLY_BUNDLE=-bundle Hacl.Impl.Chacha20Poly1305 \
-bundle Hacl.Chacha20Poly1305_32=[rename=Hacl_AEAD_Chacha20Poly1305,rename-prefix] \
-bundle Hacl.Chacha20Poly1305_128=[rename=Hacl_AEAD_Chacha20Poly1305_Simd128,rename-prefix] \
-bundle Hacl.Chacha20Poly1305_256=[rename=Hacl_AEAD_Chacha20Poly1305_Simd256,rename-prefix]
ED_BUNDLE= \
-bundle Hacl.Ed25519.PrecompTable -static-header Hacl.Ed25519.PrecompTable \
-bundle 'Hacl.Ed25519=Hacl.Impl.Ed25519.*,Hacl.Impl.BignumQ.Mul,Hacl.Impl.Load56,Hacl.Impl.SHA512.ModQ,Hacl.Impl.Store56,Hacl.Bignum25519'
POLY_BUNDLE=-bundle 'Hacl.Streaming.Poly1305_32=Hacl.Poly1305_32,Hacl.Impl.Poly1305.Field32xN_32[rename=Hacl_MAC_Poly1305,rename-prefix]' \
-bundle 'Hacl.Streaming.Poly1305_128=Hacl.Poly1305_128,Hacl.Impl.Poly1305.Field32xN_128[rename=Hacl_MAC_Poly1305_Simd128,rename-prefix]' \
-bundle 'Hacl.Streaming.Poly1305_256=Hacl.Poly1305_256,Hacl.Impl.Poly1305.Field32xN_256[rename=Hacl_MAC_Poly1305_Simd256,rename-prefix]'
NACLBOX_BUNDLE=-bundle Hacl.NaCl=Hacl.Impl.SecretBox,Hacl.Impl.Box
P256_BUNDLE= \
-bundle Hacl.P256.PrecompTable -static-header Hacl.P256.PrecompTable \
-bundle Hacl.P256=Hacl.Impl.P256.*,Hacl.Spec.P256.*[rename=Hacl_P256]
K256_BUNDLE= \
-bundle Hacl.K256.Field,Hacl.Impl.K256.Finv[rename=Hacl_Bignum_K256] -static-header Hacl.K256.Field,Hacl.Impl.K256.Finv \
-bundle Hacl.K256.PrecompTable -static-header Hacl.K256.PrecompTable \
-bundle Hacl.K256.ECDSA=Hacl.Impl.K256.*,Hacl.K256.*
FRODO_BUNDLE=-bundle 'Hacl.Frodo.KEM=Hacl.Impl.Frodo.*,Hacl.Impl.Matrix,Hacl.Frodo.*,Hacl.Keccak' -static-header Hacl.Frodo.KEM,Hacl.Impl.Frodo.*,Hacl.Impl.Matrix,Hacl.Keccak
# The only functions not marked as noextract should be in each of the Hacl.HPKE.{variants}
# Each of these module should be extracted to a different file. Therefore, this variable
# should remain empty, and overriden only when we do not want extraction of variants
HPKE_BUNDLE=-bundle Hacl.HPKE.Interface.*,Hacl.Impl.HPKE,Hacl.Meta.HPKE
STREAMING_BUNDLE=-bundle Hacl.Streaming.Interface,Hacl.Streaming.Lemmas \
-bundle Hacl.Streaming.HMAC=Hacl.Streaming.HMAC.*,Hacl.Agile.Hash
INTTYPES_BUNDLE=-bundle Hacl.IntTypes.Intrinsics= -static-header Hacl.IntTypes.Intrinsics
INTTYPES_128_BUNDLE=-bundle Hacl.IntTypes.Intrinsics_128= -static-header Hacl.IntTypes.Intrinsics_128
RSAPSS_BUNDLE=-bundle Hacl.RSAPSS=Hacl.Impl.RSAPSS.*,Hacl.Impl.RSAPSS[rename=Hacl_RSAPSS]
FFDHE_BUNDLE=-bundle Hacl.Impl.FFDHE.Constants -static-header Hacl.Impl.FFDHE.Constants -bundle Hacl.FFDHE=Hacl.Impl.FFDHE[rename=Hacl_FFDHE]
BIGNUM_BUNDLE= \
-bundle Hacl.Bignum.Base,Hacl.Bignum.Addition,Hacl.Bignum.Convert,Hacl.Bignum.Lib,Hacl.Bignum.Multiplication[rename=Hacl_Bignum_Base] \
-static-header Hacl.Bignum.Base,Hacl.Bignum.Addition,Hacl.Bignum.Convert,Hacl.Bignum.Lib,Hacl.Bignum.Multiplication \
-bundle Hacl.Bignum,Hacl.Bignum.*[rename=Hacl_Bignum]
# 3. OCaml
TAC = $(shell which tac >/dev/null 2>&1 && echo "tac" || echo "tail -r")
ALL_CMX_FILES = $(subst obj/Lib_Buffer.cmx,obj/Lib_Memzero0.cmx obj/Lib_Buffer.cmx,$(patsubst %.ml,%.cmx,$(shell echo $(ALL_ML_FILES) | $(TAC))))
# Warning 8: this pattern-matching is not exhaustive.
# Warning 20: this argument will not be used by the function.
# Warning 26: unused variable
OCAMLOPT = eval "$(FSTAR_OCAMLENV)" && ocamlfind opt -package fstar.lib -linkpkg -thread -g -I $(HACL_HOME)/obj -w -8-20-26
OCAMLSHARED = eval "$(FSTAR_OCAMLENV)" && ocamlfind opt -shared -package fstar.pluginlib -thread -g -I $(HACL_HOME)/obj -w -8-20-26
================================================
FILE: Makefile.include
================================================
# This Makefile can be included by client projects; it exports the set of
# include directories relative to HACL_HOME and exports the set of needed
# karamel flags to successfully extract Vale.
VALE_BUNDLES=\
-bundle 'Vale.Stdcalls.*,Vale.Interop,Vale.Interop.*,Vale.Wrapper.X64.*[rename=Vale]' \
-bundle 'Vale.Inline.X64.*[rename=Vale_Inline]' \
-bundle Vale.*[rename=Unused2]
# NOTE: Please keep this list of directories in sync with
# Hacl.fst.config.json and vale/Hacl.Vale.fst.config.json so the vscode
# extension works seamlessly.
# TODO: no more separate variable definitions?
LIB_DIR = $(HACL_HOME)/lib
SPECS_DIR = $(HACL_HOME)/specs $(addprefix $(HACL_HOME)/specs/,lemmas tests drbg frodo tests/p256)
CODE_DIRS = $(addprefix $(HACL_HOME)/code/,hash hmac hkdf drbg hpke sha3 sha2-mb ecdsap256 poly1305 streaming \
blake2 chacha20 chacha20poly1305 curve25519 tests ed25519 salsa20 nacl-box meta frodo fallback bignum rsapss ffdhe k256)
EVERCRYPT_DIRS = $(addprefix $(HACL_HOME)/providers/,evercrypt evercrypt/fst test test/vectors)
# Vale dirs also include directories that only contain .vaf files
# (for a in $(find vale -iname '*.fst' -or -iname '*.fsti' -or -iname '*.vaf'); do dirname $a; done) | sort | uniq
VALE_DIRS = \
$(HACL_HOME)/vale/code/arch \
$(HACL_HOME)/vale/code/arch/x64 \
$(HACL_HOME)/vale/code/arch/x64/interop \
$(HACL_HOME)/vale/code/arch/ppc64le \
$(HACL_HOME)/vale/code/crypto/aes \
$(HACL_HOME)/vale/code/crypto/aes/x64 \
$(HACL_HOME)/vale/code/crypto/aes/ppc64le \
$(HACL_HOME)/vale/code/crypto/bignum \
$(HACL_HOME)/vale/code/crypto/ecc/curve25519 \
$(HACL_HOME)/vale/code/crypto/poly1305 \
$(HACL_HOME)/vale/code/crypto/poly1305/x64 \
$(HACL_HOME)/vale/code/crypto/sha \
$(HACL_HOME)/vale/code/lib/collections \
$(HACL_HOME)/vale/code/lib/math \
$(HACL_HOME)/vale/code/lib/util \
$(HACL_HOME)/vale/code/lib/util/x64 \
$(HACL_HOME)/vale/code/lib/util/x64/stdcalls \
$(HACL_HOME)/vale/code/lib/transformers \
$(HACL_HOME)/vale/code/test \
$(HACL_HOME)/vale/code/thirdPartyPorts/Intel/aes/x64 \
$(HACL_HOME)/vale/code/thirdPartyPorts/OpenSSL/aes \
$(HACL_HOME)/vale/code/thirdPartyPorts/OpenSSL/poly1305/x64 \
$(HACL_HOME)/vale/code/thirdPartyPorts/OpenSSL/sha \
$(HACL_HOME)/vale/code/thirdPartyPorts/rfc7748/curve25519/x64 \
$(HACL_HOME)/vale/code/thirdPartyPorts/SymCrypt/bignum \
$(HACL_HOME)/vale/specs/crypto \
$(HACL_HOME)/vale/specs/defs \
$(HACL_HOME)/vale/specs/hardware \
$(HACL_HOME)/vale/specs/interop \
$(HACL_HOME)/vale/specs/math
ALL_HACL_SOURCE_DIRS = \
$(LIB_DIR) $(SPECS_DIR) $(CODE_DIRS) $(VALE_DIRS) \
$(EVERCRYPT_DIRS) \
$(KRML_HOME)/runtime
ALL_HACL_DIRS ?= $(ALL_HACL_SOURCE_DIRS) $(HACL_HOME)/obj
================================================
FILE: Makefile.local
================================================
# A shared set of local definitions for local Makefiles. See curve25519/Makefile
# for comments.
ifeq (,$(filter %-in,$(MAKECMDGOALS)))
ifeq (3.81,$(MAKE_VERSION))
$(error You seem to be using the OSX antiquated Make version. Hint: brew \
install make, then invoke gmake instead of make)
endif
endif
HACL_HOME ?= .
OUTPUT_DIR=$(HACL_HOME)/obj
CFLAGS += -DHACL_CAN_COMPILE_INTRINSICS -DHACL_CAN_COMPILE_VALE -DHACL_CAN_COMPILE_INLINE_ASM -DHACL_CAN_COMPILE_VEC128 -DHACL_CAN_COMPILE_VEC256
# This uses the definition of ALL_HACL_DIRS, and transitively includes
# Makefile.include
include $(HACL_HOME)/Makefile.common
# All the files in the current directory ought to be verified.
FSTAR_ROOTS?=$(wildcard *.fst *.fsti)
# This is the right way to ensure the .depend file always gets re-built.
ifeq (,$(filter %-in,$(MAKECMDGOALS)))
ifndef NODEPEND
ifndef MAKE_RESTARTS
.depend: .FORCE
$(FSTAR_NO_FLAGS) --dep full $(notdir $(FSTAR_ROOTS)) \
--extract 'krml:*' \
--extract 'OCaml:-* +Vale.Arch +Vale.X64 -Vale.X64.MemoryAdapters +Vale.Def +Vale.Lib +Vale.Bignum.X64 -Vale.Lib.Tactics +Vale.Math +Vale.Transformers +Vale.AES +Vale.Interop +Vale.Arch.Types +Vale.Arch.BufferFriend +Vale.Lib.X64 +Vale.SHA.X64 +Vale.SHA.SHA_helpers +Vale.SHA2.Wrapper +Vale.SHA.PPC64LE.SHA_helpers +Vale.PPC64LE +Vale.SHA.PPC64LE +Vale.Curve25519.X64 +Vale.Poly1305.X64 +Vale.Inline +Vale.AsLowStar +Vale.Test +Spec +Lib -Lib.IntVector +C' \
> $@
.PHONY: .FORCE
.FORCE:
endif
endif
include .depend
endif
%.checked: FSTAR_FLAGS=
$(OUTPUT_DIR)/Vale.%.checked: FSTAR_FLAGS=$(VALE_FSTAR_FLAGS)
# Producing .checked and .krml.
%.checked:
$(FSTAR) $(FSTAR_FLAGS) $< --hint_dir $(HACL_HOME)/hints/ && \
touch -c $@
%.krml:
$(FSTAR) --codegen krml \
--extract_module $(basename $(notdir $(subst .checked,,$<))) \
$<
CODEGEN=OCaml
%.ml:
$(FSTAR) --codegen $(CODEGEN) $<
%.cmx: %.ml
$(OCAMLOPT) -c $< -o $@
# Useful definitions for C compilation
CFLAGS += -Idist -I$(KRML_HOME)/include -I$(KRML_HOME)/krmllib/dist/minimal
%.exe:
$(CC) $^ -o $@
# Tactic; sadly not shareable because obj vs. $(HACL_HOME)/obj
$(HACL_HOME)/obj/Meta_Interface.ml: CODEGEN = Plugin
$(HACL_HOME)/obj/Meta_Interface.ml: $(HACL_HOME)/obj/Meta.Interface.fst.checked
$(HACL_HOME)/obj/Hacl.Meta.%.checked: FSTAR_FLAGS += --load Meta.Interface
ifneq (,$(wildcard Hacl.Meta.*.fst))
$(patsubst %,$(HACL_HOME)/obj/%.checked,$(wildcard Hacl.Meta.*.fst)): $(HACL_HOME)/obj/Meta_Interface.ml
endif
================================================
FILE: Makefile.openssl
================================================
# Exporting proper linking flags -- used by Makefile and tests/Makefile
ifeq ($(shell uname),Darwin)
OPENSSL_ROOT=$(shell which brew >/dev/null && brew info --quiet openssl | egrep '^/' | cut -f 1 -d ' ' | tail -n 1)
ifneq (,$(OPENSSL_ROOT))
CFLAGS := -I$(OPENSSL_ROOT)/include/ $(CFLAGS)
LDFLAGS:= -L$(OPENSSL_ROOT)/lib $(LDFLAGS)
endif
endif
================================================
FILE: PULL_REQUEST.md
================================================
How to submit a pull request with minimal amounts of noise
==========================================================
This guide will show you how to:
- make sure you have no diff in dist/ or hints/, and therefore can safely merge
origin/main
- add only the hints that you need to get a green
- add only the dist/ diff that is relevant for your PR.
Basics
------
Make sure you have the latest F\* and karamel, and the code works locally.
Discarding your local changes to dist/ and hints/
-------------------------------------------------
This first step allows merging upstream without conflicts.
```
git fetch
# You now have in your local git tree all the most recent refs for remote origin
git reset origin/main hints dist/*/*
# Both directories are now, in the staging area, the same as origin/main, but
# they have not changed in your working tree
git checkout hints dist/*/*
# The local modifications vis à vis the staging area have now been discarded:
# both your working tree and the staging area are the same as origin/main
```
At this stage, commit:
```
git commit -am "Reset hints and dist to be the same as main"
```
You can now merge main without fear of conflicts:
```
git merge origin/main
```
Fixing up the build
-------------------
Your working directory is now up-to-date with origin/main. To be 100% sure your
PR is going to get a green, restart from a clean build.
```
git clean -fdx dist hints
```
Now, run the build both locally and on CI. It's highly likely that some source
files will need fixes to verify again. If your new files do not pass CI at this
stage, rework your proofs to be more stable, e.g. fuel/ifuel 0, calc, etc. etc.
If some other files cause difficulties and you have no other choice (e.g.
discrepancy between platforms with no access to another platform), *selectively*
add hint files, and make sure to mention these problems in your pull request:
```
git add hints/Hacl.Poly1305.UnstableLemmas.fst.hints
git commit -m "Selected hints for failing files"
```
Push again and verify that you pass CI. Don't use `git commit -a`!
Adding the generated C code
---------------------------
By now all of your files should verify successfully. It is time to see if you
forgot to tweak some bundles. Use `git status` to see what's up. Iterate as
follows:
```
rm -rf dist/*/Makefile.basic && git clean -fdx dist && NODEPEND=1 make -j
```
This will force just the regeneration of the snapshots.
NOTE: if the problem is with Mozilla, you need to edit dist/package-mozilla.sh
and run `NODEPEND=1 make -j package-compile-mozilla` instead.
Once you have a successful local build, review the diff in `dist`:
```
git diff dist
```
If you see a million small-ish changes, maybe F\*/KaRaMeL are out of date.
At this stage, assess the situation, but in almost all cases, you can get away
with submitting JUST the diff for dist/gcc-compatible (unless you're
specifically working on MSVC-related stuff).
```
git add dist/gcc-compatible
git commit -m "Add changes to the C files as part of this PR"
```
Push and check that it passes CI.
Document the changes
--------------------
If your changes add a new algorithm or feature, or affect performance,
or change any public APIs, please add an entry to `CHANGES.md`.
You do not need to add an entry for proof fixes and improvements.
Opening the pull request
------------------------
To open a PR, you will need to follow the PR template in `pull_request_template.md`.
Once the PR is open, the HACL\* maintainers and other users will interact with you
on the PR and the PR will be merged once it has two approving reviews (including
one from the maintainers) and all CI checks pass.
All interactions are governed by the HACL\* code of conduct documented in `CODE_OF_CONDUCT.md`.
================================================
FILE: README.md
================================================
# A High-Assurance Cryptographic Library
This repository contains verified code for a library of modern
cryptographic algorithms, including Curve25519, Ed25519, AES-GCM,
Chacha20, Poly1305, SHA-2, SHA-3, HMAC, and HKDF. This set of algorithms
is enough to support the full NaCl API and several TLS 1.3 ciphersuites.
The code for all of these algorithms is formally verified using the
[F\*](https://fstar-lang.org/) verification framework for memory
safety, functional correctness, and secret independence (resistance to
some types of timing side-channels).
## Status
*Warning*: This is the research home of HACL\*. If you are looking for
documentation, releases, language bindings and code that can be satisfactorily
integrated into a production project, please check out [HACL
packages](https://github.com/cryspen/hacl-packages/).
The code in this repository is divided into three closely-related sub-projects,
all developed as part of [Project Everest](https://project-everest.github.io/).
We are actively developing and integrating our code on the
[main](https://github.com/project-everest/hacl-star/tree/main/)
branch, which tracks F\*'s `master` branch.
## HACL\*
[HACL\*](code/) is a formally verified library
of modern cryptographic algorithms written in a subset of
[F\*](https://fstarlang.github.io) called Low\* and compiled to C
using a compiler called
[KaRaMeL](https://github.com/FStarLang/karamel). The Low\* source code
for each primitive is verified for memory safety, functional
correctness, and secret independence. The compiler generates
efficient, readable, standalone C code for each algorithm that
can be easily integrated into any C project. We include the current C code for various HACL\*
algorithms in the [dist](dist/) directory. HACL\* can also be compiled to WebAssembly.
## ValeCrypt
[ValeCrypt](vale/) provides formally verified high-performance
cryptographic code for selected primitives in assembly language. It relies on the
[Vale tool](https://github.com/project-everest/vale) to produce
code and proofs in [F\*](https://github.com/FStarLang/FStar). Vale supports
multiple platforms and proves that its implementations are memory safe,
functionally correct, and that timing and memory accesses are secret
independent.
## EverCrypt
[EverCrypt](providers/evercrypt/) is a high-performance, cross-platform, formally
verified modern cryptographic provider that packages implementations from
HACL\* and ValeCrypt, and automatically picks the fastest one available,
depending on processor support and the target execution environment
(*multiplexing*). Furthermore, EverCrypt offers an (*agile*) API that makes it
simple to switch between algorithms (e.g., from SHA2 to SHA3).
## Citing HACL*
If you want to cite HACL\* in a research publication, here is some guidance to
make sure you pick the right publications.
- For HACL* in its current incarnation, including SIMD versions of algorithms: CCS'20.
```
@inproceedings{polubelova2020haclxn,
title={{HACLxN}: Verified generic {SIMD} crypto (for all your favourite platforms)},
author={Polubelova, Marina and Bhargavan, Karthikeyan and Protzenko, Jonathan and Beurdouche, Benjamin and Fromherz, Aymeric and Kulatova, Natalia and Zanella-B{\'e}guelin, Santiago},
booktitle={Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security},
pages={899--918},
year={2020}
}
```
- For HACL* in general (discouraged, since none of that code exists anymore): CCS'17
```
@inproceedings{zinzindohoue2017hacl,
title={{HACL*}: A verified modern cryptographic library},
author={Zinzindohou{\'e}, Jean-Karim and Bhargavan, Karthikeyan and Protzenko, Jonathan and Beurdouche, Benjamin},
booktitle={Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security},
pages={1789--1806},
year={2017}
}
```
- For EverCrypt, the agile, multiplexing, CPU-detecting API on top of HACL\*: S&P'20
```
@inproceedings{protzenko2020evercrypt,
title={Evercrypt: A fast, verified, cross-platform cryptographic provider},
author={Protzenko, Jonathan and Parno, Bryan and Fromherz, Aymeric and Hawblitzel, Chris and Polubelova, Marina and Bhargavan, Karthikeyan and Beurdouche, Benjamin and Choi, Joonwon and Delignat-Lavaud, Antoine and Fournet, C{\'e}dric and others},
booktitle={2020 IEEE Symposium on Security and Privacy (SP)},
pages={983--1002},
year={2020},
organization={IEEE}
}
```
- For HACL-WASM, the WebAssembly backend of HACL\*: S&P'19
```
@inproceedings{protzenko2019formally,
title={Formally verified cryptographic web applications in {WebAssembly}},
author={Protzenko, Jonathan and Beurdouche, Benjamin and Merigoux, Denis and Bhargavan, Karthikeyan},
booktitle={2019 IEEE Symposium on Security and Privacy (SP)},
pages={1256--1274},
year={2019},
organization={IEEE}
}
```
- For the HACL streaming APIs with heap-allocated state and internal buffering (hashes, MACs): ICFP'23
```
@article{ho2023modularity,
title={Modularity, Code Specialization, and Zero-Cost Abstractions for Program Verification},
author={Ho, Son and Fromherz, Aymeric and Protzenko, Jonathan},
journal={Proceedings of the ACM on Programming Languages},
volume={7},
number={ICFP},
pages={385--416},
year={2023},
publisher={ACM New York, NY, USA}
}
```
## License
All the code in this repository is released under an Apache 2.0 license.
The generated C code from HACL\* is also released under an MIT license.
Contact the maintainers if you have other licensing requirements.
## Contact or Contribute
This repository contains contributions from many students and researchers at INRIA, Microsoft Research, and Carnegie Mellon University,
and it is under active development. The primary authors of each verified algorithm are noted in the corresponding AUTHORS.md file.
For questions and comments, or if you want to contribute to the project, contact the current maintainers at hacl-star-maintainers@inria.fr.
================================================
FILE: SECURITY.md
================================================
# Security Policy
## Verification
The main branch contains the latest verified code for the HACL* library and includes some unverified C code for low-level platform features such as compiler intrinsics for SIMD instructions. All this code is routinely tested on several platforms, but it is quite possible that our unverified code makes incorrect assumptions and/or fails. Furthermore, HACL* only protects against remote timing attacks and so it is possible that there are side-channel leaks in the compiled code. To better understand the verification guarantees, see https://hacl-star.github.io/Overview.html#what-is-verified-software. We welcome any security reports on this library and commit to fixing them as soon as possible.
## Reporting a Vulnerability
Please use the GitHub [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) feature.
================================================
FILE: build_local.sh
================================================
#!/usr/bin/env bash
set -e
# Look for config.json file
FILE=${1:-".docker/build/config.json"}
if [[ ! -f $FILE ]]; then
echo "File $FILE does not exist."
fi
# In case you want to build windows, change agentOS here to windows-nt if OSTYPE is not working
agentOS=linux
if [[ "$OSTYPE" == "cygwin" ]]; then
agentOS=linux #windows-nt
fi
DOCKERFILE=$(jq -c -r ".DockerFile" "$FILE")
DOCKERFILE=$( echo ${DOCKERFILE} | sed "s/{agentOS}/${agentOS}/g" )
ARTIFACTPATH=$(jq -c -r ".ArtifactPath" "$FILE")
DOCKERCOMMAND=$(jq -c -r ".DockerCommand" "$FILE")
# Copy dockerfile to root
cp $DOCKERFILE ./Dockerfile
# Copy dependencies
DEPFILES=$(jq -c -r ".DependencyFiles[]" "$FILE")
cp -r $DEPFILES .
PROJECTNAME=$(jq -c -r ".ProjectName" "$FILE" | awk '{print tolower($0)}')
BUILDTARGET=$(jq -c -r ".CIBuildTarget" "$FILE")
LOCALBRANCHNAME=$(git branch | grep \* | cut -d ' ' -f2)
#Find commit id.
REQUESTEDBRANCHNAME=$(jq -c -r ".BranchName" "$FILE")
REQUESTEDCOMMITID=$(jq -c -r ".BaseContainerImageTagOrCommitId" "$FILE")
COMMITURL=$(jq -c -r ".GithubCommitUrl" "$FILE")/$REQUESTEDBRANCHNAME
if [[ $(jq -c -r ".BaseContainerImageTagOrCommitId" "$FILE") -ne "latest" ]]; then
COMMITURL=$(jq -c -r ".GithubCommitUrl" "$FILE")/$REQUESTEDCOMMITID
fi
LINE="$( git ls-remote ${COMMITURL%"/commit/master"} HEAD)"
FULLCOMMITID="$( echo ${LINE} | cut -f1 )"
COMMITID=${FULLCOMMITID:0:12}
# create fake files ssh key, commitinfofilename.json, etc
echo "fake" > id_rsa
echo "fake" > commitinfofilename.json
# build container
$DOCKERCOMMAND build --file Dockerfile --build-arg BUILDLOGFILE="buildlogfile.txt" --build-arg MAXTHREADS="8" --build-arg BUILDTARGET="$BUILDTARGET" --build-arg BRANCHNAME="$LOCALBRANCHNAME" --build-arg COMMITID="$COMMITID" --build-arg DOCKERHUBPROJECT="projecteverest/" --tag "$PROJECTNAME:local" .
if [[ -n "$ARTIFACTPATH" ]]; then
$DOCKERCOMMAND run -v $PWD:/mnt/hacl-star-host/ --rm -t hacl-star:local cp -r /home/everest/hacl-star/dist/ /mnt/hacl-star-host/$ARTIFACTPATH
fi
# delete fake files
rm -f id_rsa
rm -f commitinfofilename.json
# Remove dep files.
for f in $DEPFILES; do rm -f $(basename $f); done
# delete dockerfile
rm -f Dockerfile
================================================
FILE: code/bignum/AUTHORS.md
================================================
This code was primarily written by Marina Polubelova (INRIA).
Jonathan Protzenko contributed the design of the type classes hierarchy.
================================================
FILE: code/bignum/Hacl.Bignum.Addition.fst
================================================
module Hacl.Bignum.Addition
open FStar.HyperStack
open FStar.HyperStack.ST
open FStar.Mul
open Hacl.Bignum.Definitions
open Hacl.Bignum.Base
open Hacl.Impl.Lib
open Lib.IntTypes
open Lib.Buffer
module ST = FStar.HyperStack.ST
module B = LowStar.Buffer
module S = Hacl.Spec.Bignum.Addition
module LSeq = Lib.Sequence
module SL = Hacl.Spec.Lib
#reset-options "--z3rlimit 50 --fuel 0 --ifuel 0"
inline_for_extraction noextract
val bn_sub_carry:
#t:limb_t
-> aLen:size_t
-> a:lbignum t aLen
-> c_in:carry t
-> res:lbignum t aLen ->
Stack (carry t)
(requires fun h -> live h a /\ live h res /\ eq_or_disjoint a res)
(ensures fun h0 c_out h1 -> modifies (loc res) h0 h1 /\
(let c, r = S.bn_sub_carry (as_seq h0 a) c_in in
c_out == c /\ as_seq h1 res == r))
let bn_sub_carry #t aLen a c_in res =
push_frame ();
let c = create 1ul c_in in
[@inline_let]
let refl h i = LSeq.index (as_seq h c) 0 in
[@inline_let]
let footprint (i:size_nat{i <= v aLen}) : GTot (l:B.loc{B.loc_disjoint l (loc res) /\
B.address_liveness_insensitive_locs `B.loc_includes` l}) = loc c in
[@inline_let]
let spec h = S.bn_sub_carry_f (as_seq h a) in
let h0 = ST.get () in
fill_elems4 h0 aLen res refl footprint spec
(fun i ->
let h1 = ST.get () in
let t1 = a.(i) in
let res_i = sub res i 1ul in
c.(0ul) <- subborrow_st c.(0ul) t1 (uint #t 0) res_i;
lemma_eq_disjoint aLen aLen 1ul res a c i h0 h1
);
let res = c.(0ul) in
pop_frame ();
res
inline_for_extraction noextract
let bn_sub_eq_len_st (t:limb_t) (aLen:size_t) =
a:lbignum t aLen
-> b:lbignum t aLen
-> res:lbignum t aLen ->
Stack (carry t)
(requires fun h ->
live h a /\ live h b /\ live h res /\
eq_or_disjoint a b /\ eq_or_disjoint a res /\ eq_or_disjoint b res)
(ensures fun h0 c_out h1 -> modifies (loc res) h0 h1 /\
(let c, r = SL.generate_elems (v aLen) (v aLen) (S.bn_sub_f (as_seq h0 a) (as_seq h0 b)) (uint #t 0) in
c_out == c /\ as_seq h1 res == r))
inline_for_extraction noextract
val bn_sub_eq_len: #t:limb_t -> aLen:size_t -> bn_sub_eq_len_st t aLen
let bn_sub_eq_len #t aLen a b res =
push_frame ();
let c = create 1ul (uint #t 0) in
[@inline_let]
let refl h i = LSeq.index (as_seq h c) 0 in
[@inline_let]
let footprint (i:size_nat{i <= v aLen}) : GTot (l:B.loc{B.loc_disjoint l (loc res) /\
B.address_liveness_insensitive_locs `B.loc_includes` l}) = loc c in
[@inline_let]
let spec h = S.bn_sub_f (as_seq h a) (as_seq h b) in
let h0 = ST.get () in
fill_elems4 h0 aLen res refl footprint spec
(fun i ->
let h1 = ST.get () in
let t1 = a.(i) in
let t2 = b.(i) in
let res_i = sub res i 1ul in
c.(0ul) <- subborrow_st c.(0ul) t1 t2 res_i;
lemma_eq_disjoint aLen aLen 1ul res a c i h0 h1;
lemma_eq_disjoint aLen aLen 1ul res b c i h0 h1
);
let res = c.(0ul) in
pop_frame ();
res
let bn_sub_eq_len_u32 (aLen:size_t) : bn_sub_eq_len_st U32 aLen = bn_sub_eq_len aLen
let bn_sub_eq_len_u64 (aLen:size_t) : bn_sub_eq_len_st U64 aLen = bn_sub_eq_len aLen
inline_for_extraction noextract
let bn_sub_eq_len_u (#t:limb_t) (aLen:size_t) : bn_sub_eq_len_st t aLen =
match t with
| U32 -> bn_sub_eq_len_u32 aLen
| U64 -> bn_sub_eq_len_u64 aLen
inline_for_extraction noextract
val bn_sub:
#t:limb_t
-> aLen:size_t
-> a:lbignum t aLen
-> bLen:size_t{v bLen <= v aLen}
-> b:lbignum t bLen
-> res:lbignum t aLen ->
Stack (carry t)
(requires fun h ->
live h a /\ live h b /\ live h res /\
disjoint a b /\ eq_or_disjoint a res /\ disjoint b res)
(ensures fun h0 c_out h1 -> modifies (loc res) h0 h1 /\
(let c, r = S.bn_sub (as_seq h0 a) (as_seq h0 b) in
c_out == c /\ as_seq h1 res == r))
let bn_sub #t aLen a bLen b res =
let h0 = ST.get () in
let a0 = sub a 0ul bLen in
let res0 = sub res 0ul bLen in
let h1 = ST.get () in
let c0 = bn_sub_eq_len bLen a0 b res0 in
let h1 = ST.get () in
if bLen <. aLen then begin
[@inline_let] let rLen = aLen -! bLen in
let a1 = sub a bLen rLen in
let res1 = sub res bLen rLen in
let c1 = bn_sub_carry rLen a1 c0 res1 in
let h2 = ST.get () in
LSeq.lemma_concat2 (v bLen) (as_seq h1 res0) (v rLen) (as_seq h2 res1) (as_seq h2 res);
c1 end
else c0
inline_for_extraction noextract
val bn_sub1:
#t:limb_t
-> aLen:size_t{0 < v aLen}
-> a:lbignum t aLen
-> b1:limb t
-> res:lbignum t aLen ->
Stack (carry t)
(requires fun h ->
live h a /\ live h res /\ eq_or_disjoint a res)
(ensures fun h0 c_out h1 -> modifies (loc res) h0 h1 /\
(let c, r = S.bn_sub1 (as_seq h0 a) b1 in
c_out == c /\ as_seq h1 res == r))
let bn_sub1 #t aLen a b1 res =
let c0 = subborrow_st (uint #t 0) a.(0ul) b1 (sub res 0ul 1ul) in
let h0 = ST.get () in
LSeq.eq_intro (LSeq.sub (as_seq h0 res) 0 1) (LSeq.create 1 (LSeq.index (as_seq h0 res) 0));
if 1ul <. aLen then begin
[@inline_let] let rLen = aLen -! 1ul in
let a1 = sub a 1ul rLen in
let res1 = sub res 1ul rLen in
let c1 = bn_sub_carry rLen a1 c0 res1 in
let h = ST.get () in
LSeq.lemma_concat2 1 (LSeq.sub (as_seq h0 res) 0 1) (v rLen) (as_seq h res1) (as_seq h res);
c1 end
else c0
inline_for_extraction noextract
val bn_add_carry:
#t:limb_t
-> aLen:size_t
-> a:lbignum t aLen
-> c_in:carry t
-> res:lbignum t aLen ->
Stack (carry t)
(requires fun h -> live h a /\ live h res /\ eq_or_disjoint a res)
(ensures fun h0 c_out h1 -> modifies (loc res) h0 h1 /\
(let c, r = S.bn_add_carry (as_seq h0 a) c_in in
c_out == c /\ as_seq h1 res == r))
let bn_add_carry #t aLen a c_in res =
push_frame ();
let c = create 1ul c_in in
[@inline_let]
let refl h i = LSeq.index (as_seq h c) 0 in
[@inline_let]
let footprint (i:size_nat{i <= v aLen}) : GTot (l:B.loc{B.loc_disjoint l (loc res) /\
B.address_liveness_insensitive_locs `B.loc_includes` l}) = loc c in
[@inline_let]
let spec h = S.bn_add_carry_f (as_seq h a) in
let h0 = ST.get () in
fill_elems4 h0 aLen res refl footprint spec
(fun i ->
let h1 = ST.get () in
let t1 = a.(i) in
let res_i = sub res i 1ul in
c.(0ul) <- addcarry_st c.(0ul) t1 (uint #t 0) res_i;
lemma_eq_disjoint aLen aLen 1ul res a c i h0 h1
);
let res = c.(0ul) in
pop_frame ();
res
inline_for_extraction noextract
let bn_add_eq_len_st (t:limb_t) (aLen:size_t) =
a:lbignum t aLen
-> b:lbignum t aLen
-> res:lbignum t aLen ->
Stack (carry t)
(requires fun h ->
live h a /\ live h b /\ live h res /\
eq_or_disjoint a b /\ eq_or_disjoint a res /\ eq_or_disjoint b res)
(ensures fun h0 c_out h1 -> modifies (loc res) h0 h1 /\
(let c, r = SL.generate_elems (v aLen) (v aLen) (S.bn_add_f (as_seq h0 a) (as_seq h0 b)) (uint #t 0) in
c_out == c /\ as_seq h1 res == r))
inline_for_extraction noextract
val bn_add_eq_len: #t:limb_t -> aLen:size_t -> bn_add_eq_len_st t aLen
let bn_add_eq_len #t aLen a b res =
push_frame ();
let c = create 1ul (uint #t 0) in
[@inline_let]
let refl h i = LSeq.index (as_seq h c) 0 in
[@inline_let]
let footprint (i:size_nat{i <= v aLen}) : GTot (l:B.loc{B.loc_disjoint l (loc res) /\
B.address_liveness_insensitive_locs `B.loc_includes` l}) = loc c in
[@inline_let]
let spec h = S.bn_add_f (as_seq h a) (as_seq h b) in
let h0 = ST.get () in
fill_elems4 h0 aLen res refl footprint spec
(fun i ->
let h1 = ST.get () in
let t1 = a.(i) in
let t2 = b.(i) in
let res_i = sub res i 1ul in
c.(0ul) <- addcarry_st c.(0ul) t1 t2 res_i;
lemma_eq_disjoint aLen aLen 1ul res a c i h0 h1;
lemma_eq_disjoint aLen aLen 1ul res b c i h0 h1
);
let res = c.(0ul) in
pop_frame ();
res
let bn_add_eq_len_u32 (aLen:size_t) : bn_add_eq_len_st U32 aLen = bn_add_eq_len aLen
let bn_add_eq_len_u64 (aLen:size_t) : bn_add_eq_len_st U64 aLen = bn_add_eq_len aLen
inline_for_extraction noextract
let bn_add_eq_len_u (#t:limb_t) (aLen:size_t) : bn_add_eq_len_st t aLen =
match t with
| U32 -> bn_add_eq_len_u32 aLen
| U64 -> bn_add_eq_len_u64 aLen
inline_for_extraction noextract
val bn_add:
#t:limb_t
-> aLen:size_t
-> a:lbignum t aLen
-> bLen:size_t{v bLen <= v aLen}
-> b:lbignum t bLen
-> res:lbignum t aLen ->
Stack (carry t)
(requires fun h ->
live h a /\ live h b /\ live h res /\
disjoint a b /\ eq_or_disjoint a res /\ disjoint b res)
(ensures fun h0 c_out h1 -> modifies (loc res) h0 h1 /\
(let c, r = S.bn_add (as_seq h0 a) (as_seq h0 b) in
c_out == c /\ as_seq h1 res == r))
let bn_add #t aLen a bLen b res =
let h0 = ST.get () in
let a0 = sub a 0ul bLen in
let res0 = sub res 0ul bLen in
let c0 = bn_add_eq_len bLen a0 b res0 in
let h1 = ST.get () in
if bLen <. aLen then begin
[@inline_let] let rLen = aLen -! bLen in
let a1 = sub a bLen rLen in
let res1 = sub res bLen rLen in
let c1 = bn_add_carry rLen a1 c0 res1 in
let h2 = ST.get () in
LSeq.lemma_concat2 (v bLen) (as_seq h1 res0) (v rLen) (as_seq h2 res1) (as_seq h2 res);
c1 end
else c0
inline_for_extraction noextract
val bn_add1:
#t:limb_t
-> aLen:size_t{0 < v aLen}
-> a:lbignum t aLen
-> b1:limb t
-> res:lbignum t aLen ->
Stack (carry t)
(requires fun h ->
live h a /\ live h res /\ eq_or_disjoint a res)
(ensures fun h0 c_out h1 -> modifies (loc res) h0 h1 /\
(let c, r = S.bn_add1 (as_seq h0 a) b1 in
c_out == c /\ as_seq h1 res == r))
let bn_add1 #t aLen a b1 res =
let c0 = addcarry_st (uint #t 0) a.(0ul) b1 (sub res 0ul 1ul) in
let h0 = ST.get () in
LSeq.eq_intro (LSeq.sub (as_seq h0 res) 0 1) (LSeq.create 1 (LSeq.index (as_seq h0 res) 0));
if 1ul <. aLen then begin
[@inline_let] let rLen = aLen -! 1ul in
let a1 = sub a 1ul rLen in
let res1 = sub res 1ul rLen in
let c1 = bn_add_carry rLen a1 c0 res1 in
let h = ST.get () in
LSeq.lemma_concat2 1 (LSeq.sub (as_seq h0 res) 0 1) (v rLen) (as_seq h res1) (as_seq h res);
c1 end
else c0
================================================
FILE: code/bignum/Hacl.Bignum.AlmostMontExponentiation.fst
================================================
module Hacl.Bignum.AlmostMontExponentiation
open FStar.HyperStack
open FStar.HyperStack.ST
open FStar.Mul
open Lib.IntTypes
open Lib.Buffer
open Hacl.Bignum.Definitions
module ST = FStar.HyperStack.ST
module LSeq = Lib.Sequence
module BD = Hacl.Spec.Bignum.Definitions
module SN = Hacl.Spec.Bignum
module SM = Hacl.Spec.Bignum.Montgomery
module SA = Hacl.Spec.Bignum.AlmostMontgomery
module BN = Hacl.Bignum
module BM = Hacl.Bignum.Montgomery
module AM = Hacl.Bignum.AlmostMontgomery
module LE = Lib.Exponentiation
module BE = Hacl.Impl.Exponentiation
module E = Hacl.Spec.Exponentiation.Lemmas
module A = Hacl.Spec.AlmostMontgomery.Lemmas
module M = Hacl.Spec.Montgomery.Lemmas
module ME = Hacl.Spec.Bignum.MontExponentiation
#reset-options "--z3rlimit 50 --fuel 0 --ifuel 0"
inline_for_extraction noextract
let a_spec (#t:limb_t) (#len:SN.bn_len t) (n:BD.lbignum t len{0 < BD.bn_v n}) =
Lib.NatMod.nat_mod (BD.bn_v n)
inline_for_extraction noextract
let linv (#t:limb_t) (#len:SN.bn_len t) (n:BD.lbignum t len) (a:BD.lbignum t len) : Type0 =
BD.bn_v a < pow2 (bits t * len)
inline_for_extraction noextract
let refl (#t:limb_t) (#len:SN.bn_len t) (n:BD.lbignum t len{0 < BD.bn_v n}) (a:BD.lbignum t len{linv n a}) : a_spec n =
BD.bn_v a % BD.bn_v n
inline_for_extraction noextract
let linv_ctx (#t:limb_t) (#len:SN.bn_len t) (n:BD.lbignum t len) (ctx:BD.lbignum t (len + len)) : Type0 =
let ctx_n = LSeq.sub ctx 0 len in
let ctx_r2 = LSeq.sub ctx len len in
ctx_n == n /\
0 < BD.bn_v n /\ BD.bn_v ctx_r2 = pow2 (2 * bits t * len) % BD.bn_v n
inline_for_extraction noextract
let mk_to_nat_mont_ll_comm_monoid
(t:limb_t)
(len:BN.meta_len t)
(n:BD.lbignum t (v len))
(mu:limb t{SM.bn_mont_pre n mu})
: BE.to_comm_monoid t len (len +! len) =
{
BE.a_spec = a_spec n;
BE.comm_monoid = E.mk_nat_mont_ll_comm_monoid (bits t) (v len) (BD.bn_v n) (v mu);
BE.linv_ctx = linv_ctx n;
BE.linv = linv n;
BE.refl = refl n;
}
inline_for_extraction noextract
val bn_almost_mont_one:
#t:limb_t
-> k:AM.almost_mont t
-> n:Ghost.erased (BD.lbignum t (v k.AM.bn.BN.len))
-> mu:limb t{SM.bn_mont_pre n mu} ->
BE.lone_st t k.AM.bn.BN.len (k.AM.bn.BN.len +! k.AM.bn.BN.len)
(mk_to_nat_mont_ll_comm_monoid t k.AM.bn.BN.len n mu)
let bn_almost_mont_one #t k n mu ctx oneM =
[@inline_let] let len = k.AM.bn.BN.len in
let k1 = Ghost.hide (E.mk_nat_mont_ll_comm_monoid (bits t) (v len) (BD.bn_v n) (v mu)) in
let ctx_n = sub ctx 0ul len in
let ctx_r2 = sub ctx len len in
let h0 = ST.get () in
BM.bn_mont_one len k.AM.from ctx_n mu ctx_r2 oneM;
let h1 = ST.get () in
SM.bn_mont_one_lemma n mu (as_seq h0 ctx_r2);
assert (BD.bn_v (as_seq h1 oneM) == M.mont_one (bits t) (v len) (BD.bn_v n) (v mu));
assert (BD.bn_v (as_seq h1 oneM) < BD.bn_v n);
BD.bn_eval_bound n (v len);
assert (linv n (as_seq h1 oneM));
Math.Lemmas.small_mod (BD.bn_v (as_seq h1 oneM)) (BD.bn_v n);
assert (BD.bn_v (as_seq h1 oneM) % BD.bn_v n ==
E.mont_one_ll (bits t) (v len) (BD.bn_v n) (v mu))
inline_for_extraction noextract
val bn_almost_mont_mul:
#t:limb_t
-> k:AM.almost_mont t
-> n:Ghost.erased (BD.lbignum t (v k.AM.bn.BN.len))
-> mu:limb t{SM.bn_mont_pre n mu} ->
BE.lmul_st t k.AM.bn.BN.len (k.AM.bn.BN.len +! k.AM.bn.BN.len)
(mk_to_nat_mont_ll_comm_monoid t k.AM.bn.BN.len n mu)
let bn_almost_mont_mul #t k n mu ctx aM bM resM =
let h0 = ST.get () in
SA.bn_almost_mont_mul_lemma n mu (as_seq h0 aM) (as_seq h0 bM);
A.almost_mont_mul_is_mont_mul_lemma (bits t) (v k.AM.bn.BN.len) (BD.bn_v n) (v mu) (bn_v h0 aM) (bn_v h0 bM);
let ctx_n = sub ctx 0ul k.AM.bn.BN.len in
k.AM.mul ctx_n mu aM bM resM
inline_for_extraction noextract
val bn_almost_mont_sqr:
#t:limb_t
-> k:AM.almost_mont t
-> n:Ghost.erased (BD.lbignum t (v k.AM.bn.BN.len))
-> mu:limb t{SM.bn_mont_pre n mu} ->
BE.lsqr_st t k.AM.bn.BN.len (k.AM.bn.BN.len +! k.AM.bn.BN.len)
(mk_to_nat_mont_ll_comm_monoid t k.AM.bn.BN.len n mu)
let bn_almost_mont_sqr #t k n mu ctx aM resM =
let h0 = ST.get () in
SA.bn_almost_mont_sqr_lemma n mu (as_seq h0 aM);
SA.bn_almost_mont_mul_lemma n mu (as_seq h0 aM) (as_seq h0 aM);
A.almost_mont_mul_is_mont_mul_lemma (bits t) (v k.AM.bn.BN.len) (BD.bn_v n) (v mu) (bn_v h0 aM) (bn_v h0 aM);
let ctx_n = sub ctx 0ul k.AM.bn.BN.len in
k.AM.sqr ctx_n mu aM resM
inline_for_extraction noextract
let mk_bn_almost_mont_concrete_ops
(t:limb_t)
(k:AM.almost_mont t)
(n:Ghost.erased (BD.lbignum t (v k.AM.bn.BN.len)))
(mu:limb t{SM.bn_mont_pre n mu}) :
BE.concrete_ops t k.AM.bn.BN.len (k.AM.bn.BN.len +! k.AM.bn.BN.len) =
{
BE.to = mk_to_nat_mont_ll_comm_monoid t k.AM.bn.BN.len n mu;
BE.lone = bn_almost_mont_one k n mu;
BE.lmul = bn_almost_mont_mul k n mu;
BE.lsqr = bn_almost_mont_sqr k n mu;
}
///////////////////////////////////////////////////////////////////////
inline_for_extraction noextract
val mk_ctx:
#t:limb_t
-> len:BN.meta_len t
-> n:lbignum t len
-> r2:lbignum t len
-> ctx:lbignum t (len +! len) ->
Stack unit
(requires fun h ->
live h n /\ live h r2 /\ live h ctx /\
disjoint n ctx /\ disjoint r2 ctx /\
0 < bn_v h n /\ bn_v h r2 == pow2 (2 * bits t * v len) % bn_v h n)
(ensures fun h0 _ h1 -> modifies (loc ctx) h0 h1 /\
linv_ctx (as_seq h0 n) (as_seq h1 ctx))
let mk_ctx #t len n r2 ctx =
let h0 = ST.get () in
update_sub ctx 0ul len n;
let h1 = ST.get () in
assert (LSeq.sub (as_seq h1 ctx) 0 (v len) == as_seq h0 n);
update_sub ctx len len r2;
let h2 = ST.get () in
LSeq.eq_intro
(LSeq.sub (as_seq h2 ctx) 0 (v len))
(LSeq.sub (as_seq h1 ctx) 0 (v len));
assert (LSeq.sub (as_seq h2 ctx) 0 (v len) == as_seq h0 n);
assert (LSeq.sub (as_seq h2 ctx) (v len) (v len) == as_seq h0 r2)
noextract
let bn_exp_almost_mont_pre
(#t:limb_t)
(#len:SN.bn_len t)
(n:BD.lbignum t len)
(mu:limb t)
(r2:BD.lbignum t len)
(aM:BD.lbignum t len)
(bBits:size_nat)
(b:BD.lbignum t (BD.blocks0 bBits (bits t)))
=
SM.bn_mont_pre n mu /\
BD.bn_v r2 == pow2 (2 * bits t * len) % BD.bn_v n /\
BD.bn_v b < pow2 bBits /\
BD.bn_v aM < BD.bn_v n
inline_for_extraction noextract
let bn_exp_almost_mont_st (t:limb_t) (len:BN.meta_len t) =
n:lbignum t len
-> mu:limb t
-> r2:lbignum t len
-> aM:lbignum t len
-> bBits:size_t
-> b:lbignum t (blocks0 bBits (size (bits t)))
-> resM:lbignum t len ->
Stack unit
(requires fun h ->
live h n /\ live h aM /\ live h b /\ live h resM /\ live h r2 /\
disjoint resM aM /\ disjoint resM b /\ disjoint resM n /\ disjoint n aM /\
disjoint resM r2 /\ disjoint aM r2 /\ disjoint n r2 /\ disjoint aM b /\
bn_exp_almost_mont_pre (as_seq h n) mu (as_seq h r2) (as_seq h aM) (v bBits) (as_seq h b))
(ensures fun h0 _ h1 -> modifies (loc aM |+| loc resM) h0 h1 /\
(let k1 = E.mk_nat_mont_ll_comm_monoid (bits t) (v len) (bn_v h0 n) (v mu) in
bn_v h1 resM % bn_v h0 n == LE.pow k1 (bn_v h0 aM) (bn_v h0 b)))
// This function is *NOT* constant-time on the exponent b.
inline_for_extraction noextract
val bn_exp_almost_mont_bm_vartime: #t:limb_t -> k:AM.almost_mont t -> bn_exp_almost_mont_st t k.AM.bn.BN.len
let bn_exp_almost_mont_bm_vartime #t k n mu r2 aM bBits b resM =
push_frame ();
let h0 = ST.get () in
[@inline_let] let len = k.AM.bn.BN.len in
[@inline_let] let bLen = blocks0 bBits (size (bits t)) in
let k1 = Ghost.hide (E.mk_nat_mont_ll_comm_monoid (bits t) (v len) (bn_v h0 n) (v mu)) in
let ctx = create (len +! len) (uint #t #SEC 0) in
mk_ctx #t len n r2 ctx;
BD.bn_eval_bound (as_seq h0 aM) (v len);
BE.lexp_rl_vartime len (len +! len) (mk_bn_almost_mont_concrete_ops t k (as_seq h0 n) mu) ctx aM bLen bBits b resM;
LE.exp_rl_lemma k1 (bn_v h0 aM % bn_v h0 n) (v bBits) (bn_v h0 b);
E.pow_nat_mont_ll_mod_base (bits t) (v len) (bn_v h0 n) (v mu) (bn_v h0 aM) (bn_v h0 b);
pop_frame ()
// This function is constant-time on the exponent b.
inline_for_extraction noextract
val bn_exp_almost_mont_bm_consttime: #t:limb_t -> k:AM.almost_mont t -> bn_exp_almost_mont_st t k.AM.bn.BN.len
let bn_exp_almost_mont_bm_consttime #t k n mu r2 aM bBits b resM =
push_frame ();
let h0 = ST.get () in
[@inline_let] let len = k.AM.bn.BN.len in
[@inline_let] let bLen = blocks0 bBits (size (bits t)) in
let k1 = Ghost.hide (E.mk_nat_mont_ll_comm_monoid (bits t) (v len) (bn_v h0 n) (v mu)) in
let ctx = create (len +! len) (uint #t #SEC 0) in
mk_ctx #t len n r2 ctx;
BE.lexp_mont_ladder_swap_consttime len (len +! len) (mk_bn_almost_mont_concrete_ops t k (as_seq h0 n) mu) ctx aM bLen bBits b resM;
LE.exp_mont_ladder_swap_lemma k1 (bn_v h0 aM % bn_v h0 n) (v bBits) (bn_v h0 b);
LE.exp_mont_ladder_lemma k1 (bn_v h0 aM % bn_v h0 n) (v bBits) (bn_v h0 b);
E.pow_nat_mont_ll_mod_base (bits t) (v len) (bn_v h0 n) (v mu) (bn_v h0 aM) (bn_v h0 b);
pop_frame ()
// This function is *NOT* constant-time on the exponent b.
inline_for_extraction noextract
val bn_exp_almost_mont_fw_vartime:
#t:limb_t
-> k:AM.almost_mont t
-> l:size_t{0 < v l /\ v l < bits U32 /\ pow2 (v l) * v k.AM.bn.BN.len <= max_size_t} ->
bn_exp_almost_mont_st t k.AM.bn.BN.len
let bn_exp_almost_mont_fw_vartime #t k l n mu r2 aM bBits b resM =
push_frame ();
let h0 = ST.get () in
[@inline_let] let len = k.AM.bn.BN.len in
let bLen = blocks0 bBits (size (bits t)) in
let k1 = Ghost.hide (E.mk_nat_mont_ll_comm_monoid (bits t) (v len) (bn_v h0 n) (v mu)) in
let ctx = create (len +! len) (uint #t #SEC 0) in
mk_ctx #t len n r2 ctx;
BE.lexp_fw_vartime len (len +! len) (mk_bn_almost_mont_concrete_ops t k (as_seq h0 n) mu) l ctx aM bLen bBits b resM;
LE.exp_fw_lemma k1 (bn_v h0 aM % bn_v h0 n) (v bBits) (bn_v h0 b) (v l);
E.pow_nat_mont_ll_mod_base (bits t) (v len) (bn_v h0 n) (v mu) (bn_v h0 aM) (bn_v h0 b);
pop_frame ()
// This function is constant-time on the exponent b.
inline_for_extraction noextract
val bn_exp_almost_mont_fw_consttime:
#t:limb_t
-> k:AM.almost_mont t
-> l:size_t{0 < v l /\ v l < bits U32 /\ pow2 (v l) * v k.AM.bn.BN.len <= max_size_t} ->
bn_exp_almost_mont_st t k.AM.bn.BN.len
let bn_exp_almost_mont_fw_consttime #t k l n mu r2 aM bBits b resM =
push_frame ();
let h0 = ST.get () in
[@inline_let] let len = k.AM.bn.BN.len in
let bLen = blocks0 bBits (size (bits t)) in
let k1 = Ghost.hide (E.mk_nat_mont_ll_comm_monoid (bits t) (v len) (bn_v h0 n) (v mu)) in
let ctx = create (len +! len) (uint #t #SEC 0) in
mk_ctx #t len n r2 ctx;
BE.lexp_fw_consttime len (len +! len) (mk_bn_almost_mont_concrete_ops t k (as_seq h0 n) mu) l ctx aM bLen bBits b resM;
LE.exp_fw_lemma k1 (bn_v h0 aM % bn_v h0 n) (v bBits) (bn_v h0 b) (v l);
E.pow_nat_mont_ll_mod_base (bits t) (v len) (bn_v h0 n) (v mu) (bn_v h0 aM) (bn_v h0 b);
pop_frame ()
///////////////////////////////////////////////
// This function is *NOT* constant-time on the exponent b.
inline_for_extraction noextract
val bn_exp_almost_mont_vartime: #t:limb_t -> k:AM.almost_mont t -> bn_exp_almost_mont_st t k.AM.bn.BN.len
let bn_exp_almost_mont_vartime #t k n mu r2 aM bBits b resM =
if bBits <. size ME.bn_exp_mont_vartime_threshold then
bn_exp_almost_mont_bm_vartime k n mu r2 aM bBits b resM
else
bn_exp_almost_mont_fw_vartime k 4ul n mu r2 aM bBits b resM
// This function is constant-time on the exponent b.
inline_for_extraction noextract
val bn_exp_almost_mont_consttime: #t:limb_t -> k:AM.almost_mont t -> bn_exp_almost_mont_st t k.AM.bn.BN.len
let bn_exp_almost_mont_consttime #t k n mu r2 aM bBits b resM =
if bBits <. size ME.bn_exp_mont_consttime_threshold then
bn_exp_almost_mont_bm_consttime k n mu r2 aM bBits b resM
else
bn_exp_almost_mont_fw_consttime k 4ul n mu r2 aM bBits b resM
================================================
FILE: code/bignum/Hacl.Bignum.AlmostMontgomery.fst
================================================
module Hacl.Bignum.AlmostMontgomery
open FStar.HyperStack
open FStar.HyperStack.ST
open FStar.Mul
open Lib.IntTypes
open Lib.Buffer
open Hacl.Bignum.Definitions
open Hacl.Bignum.Base
module BN = Hacl.Bignum
module BM = Hacl.Bignum.Montgomery
friend Hacl.Spec.Bignum.AlmostMontgomery
friend Hacl.Bignum.Montgomery
#reset-options "--z3rlimit 50 --fuel 0 --ifuel 0"
let bn_almost_mont_reduction #t k n nInv c res =
[@inline_let] let len = k.BN.len in
push_frame ();
let c0 = BM.bn_mont_reduction_loop_div_r #t k n nInv c res in
let tmp = create len (uint #t #SEC 0) in
let c1 = k.BN.sub res n tmp in
LowStar.Ignore.ignore c1;
let m = uint #t 0 -. c0 in
map2T len res (mask_select m) tmp res;
pop_frame ()
let bn_almost_mont_mul #t k almost_mont_reduction n nInv_u64 aM bM resM =
[@inline_let] let len = k.BN.len in
push_frame ();
let c = create (len +! len) (uint #t 0) in
k.BN.mul aM bM c;
almost_mont_reduction n nInv_u64 c resM;
pop_frame ()
let bn_almost_mont_sqr #t k almost_mont_reduction n nInv_u64 aM resM =
[@inline_let] let len = k.BN.len in
push_frame ();
let c = create (len +! len) (uint #t 0) in
k.BN.sqr aM c;
almost_mont_reduction n nInv_u64 c resM;
pop_frame ()
let bn_almost_mont_reduction_u32 (len:BN.meta_len U32) : bn_almost_mont_reduction_st U32 len =
bn_almost_mont_reduction (BN.mk_runtime_bn U32 len)
let bn_almost_mont_mul_u32 (len:BN.meta_len U32) : bn_almost_mont_mul_st U32 len =
bn_almost_mont_mul (BN.mk_runtime_bn U32 len) (bn_almost_mont_reduction_u32 len)
let bn_almost_mont_sqr_u32 (len:BN.meta_len U32) : bn_almost_mont_sqr_st U32 len =
bn_almost_mont_sqr (BN.mk_runtime_bn U32 len) (bn_almost_mont_reduction_u32 len)
inline_for_extraction noextract
let mk_runtime_almost_mont_u32 (len:BN.meta_len U32) : almost_mont U32 = {
bn = BN.mk_runtime_bn U32 len;
mont_check = BM.bn_check_modulus_u32 len;
precomp = BM.bn_precomp_r2_mod_n_u32 len;
reduction = bn_almost_mont_reduction_u32 len;
to = BM.bn_to_mont_u32 len;
from = BM.bn_from_mont_u32 len;
mul = bn_almost_mont_mul_u32 len;
sqr = bn_almost_mont_sqr_u32 len;
}
let bn_almost_mont_reduction_u64 (len:BN.meta_len U64) : bn_almost_mont_reduction_st U64 len =
bn_almost_mont_reduction (BN.mk_runtime_bn U64 len)
let bn_almost_mont_mul_u64 (len:BN.meta_len U64) : bn_almost_mont_mul_st U64 len =
bn_almost_mont_mul (BN.mk_runtime_bn U64 len) (bn_almost_mont_reduction_u64 len)
let bn_almost_mont_sqr_u64 (len:BN.meta_len U64) : bn_almost_mont_sqr_st U64 len =
bn_almost_mont_sqr (BN.mk_runtime_bn U64 len) (bn_almost_mont_reduction_u64 len)
inline_for_extraction noextract
let mk_runtime_almost_mont_u64 (len:BN.meta_len U64) : almost_mont U64 = {
bn = BN.mk_runtime_bn U64 len;
mont_check = BM.bn_check_modulus_u64 len;
precomp = BM.bn_precomp_r2_mod_n_u64 len;
reduction = bn_almost_mont_reduction_u64 len;
to = BM.bn_to_mont_u64 len;
from = BM.bn_from_mont_u64 len;
mul = bn_almost_mont_mul_u64 len;
sqr = bn_almost_mont_sqr_u64 len;
}
let mk_runtime_almost_mont (#t:limb_t) (len:BN.meta_len t) : almost_mont t =
match t with
| U32 -> mk_runtime_almost_mont_u32 len
| U64 -> mk_runtime_almost_mont_u64 len
let mk_runtime_almost_mont_len_lemma #t len = ()
================================================
FILE: code/bignum/Hacl.Bignum.AlmostMontgomery.fsti
================================================
module Hacl.Bignum.AlmostMontgomery
open FStar.HyperStack
open FStar.HyperStack.ST
open FStar.Mul
open Lib.IntTypes
open Lib.Buffer
open Hacl.Bignum.Definitions
module S = Hacl.Spec.Bignum.AlmostMontgomery
module BN = Hacl.Bignum
module BM = Hacl.Bignum.Montgomery
#reset-options "--z3rlimit 50 --fuel 0 --ifuel 0"
/// Almost Montgomery Multiplication
inline_for_extraction noextract
let bn_almost_mont_reduction_st (t:limb_t) (len:size_t{0 < v len /\ v len + v len <= max_size_t}) =
n:lbignum t len
-> mu:limb t
-> c:lbignum t (len +! len)
-> res:lbignum t len ->
Stack unit
(requires fun h ->
live h n /\ live h c /\ live h res /\
disjoint res n /\ disjoint res c /\ disjoint n c)
(ensures fun h0 _ h1 -> modifies (loc res |+| loc c) h0 h1 /\
as_seq h1 res == S.bn_almost_mont_reduction (as_seq h0 n) mu (as_seq h0 c))
inline_for_extraction noextract
val bn_almost_mont_reduction: #t:limb_t -> k:BN.bn t -> bn_almost_mont_reduction_st t k.BN.len
inline_for_extraction noextract
let bn_almost_mont_mul_st (t:limb_t) (len:BN.meta_len t) =
n:lbignum t len
-> mu:limb t
-> aM:lbignum t len
-> bM:lbignum t len
-> resM:lbignum t len ->
Stack unit
(requires fun h ->
live h aM /\ live h bM /\ live h resM /\ live h n /\
disjoint resM n /\ eq_or_disjoint aM bM /\
eq_or_disjoint aM resM /\ eq_or_disjoint bM resM)
(ensures fun h0 _ h1 -> modifies (loc resM) h0 h1 /\
as_seq h1 resM == S.bn_almost_mont_mul (as_seq h0 n) mu (as_seq h0 aM) (as_seq h0 bM))
inline_for_extraction noextract
val bn_almost_mont_mul:
#t:limb_t
-> k:BN.bn t
-> mr:bn_almost_mont_reduction_st t k.BN.len ->
bn_almost_mont_mul_st t k.BN.len
inline_for_extraction noextract
let bn_almost_mont_sqr_st (t:limb_t) (len:BN.meta_len t) =
n:lbignum t len
-> mu:limb t
-> aM:lbignum t len
-> resM:lbignum t len ->
Stack unit
(requires fun h ->
live h aM /\ live h resM /\ live h n /\
disjoint resM n /\ eq_or_disjoint aM resM)
(ensures fun h0 _ h1 -> modifies (loc resM) h0 h1 /\
as_seq h1 resM == S.bn_almost_mont_sqr (as_seq h0 n) mu (as_seq h0 aM))
inline_for_extraction noextract
val bn_almost_mont_sqr:
#t:limb_t
-> k:BN.bn t
-> mr:bn_almost_mont_reduction_st t k.BN.len ->
bn_almost_mont_sqr_st t k.BN.len
inline_for_extraction noextract
class almost_mont (t:limb_t) = {
bn: BN.bn t;
mont_check: BM.bn_check_modulus_st t bn.BN.len;
precomp: BM.bn_precomp_r2_mod_n_st t bn.BN.len;
reduction: bn_almost_mont_reduction_st t bn.BN.len;
to: BM.bn_to_mont_st t bn.BN.len;
from: BM.bn_from_mont_st t bn.BN.len;
mul: bn_almost_mont_mul_st t bn.BN.len;
sqr: bn_almost_mont_sqr_st t bn.BN.len;
}
inline_for_extraction noextract
val mk_runtime_almost_mont: #t:limb_t -> len:BN.meta_len t -> almost_mont t
val mk_runtime_almost_mont_len_lemma: #t:limb_t -> len:BN.meta_len t ->
Lemma ((mk_runtime_almost_mont #t len).bn.BN.len == len) [SMTPat (mk_runtime_almost_mont #t len)]
================================================
FILE: code/bignum/Hacl.Bignum.Base.fst
================================================
module Hacl.Bignum.Base
open FStar.HyperStack
open FStar.HyperStack.ST
open FStar.Mul
open Lib.IntTypes
open Lib.Buffer
open Hacl.Bignum.Definitions
include Hacl.Spec.Bignum.Base
module LSeq = Lib.Sequence
#reset-options "--z3rlimit 50 --fuel 0 --ifuel 0"
(**
unsigned char _addcarry_u64 (unsigned char c_in, unsigned __int64 a, unsigned __int64 b, unsigned __int64 * out)
Description
Add unsigned 64-bit integers a and b with unsigned 8-bit carry-in c_in (carry flag),
and store the unsigned 64-bit result in out, and the carry-out in dst (carry or overflow flag).
*)
inline_for_extraction noextract
val addcarry_st: #t:limb_t -> c_in:carry t -> a:limb t -> b:limb t -> out:lbuffer (limb t) 1ul ->
Stack (carry t)
(requires fun h -> live h out)
(ensures fun h0 c_out h1 -> modifies (loc out) h0 h1 /\
(c_out, LSeq.index (as_seq h1 out) 0) == addcarry c_in a b)
let addcarry_st #t c_in a b out =
Lib.IntTypes.Intrinsics.add_carry c_in a b out
(**
unsigned char _subborrow_u64 (unsigned char b_in, unsigned __int64 a, unsigned __int64 b, unsigned __int64 * out)
Description
Add unsigned 8-bit borrow b_in (carry flag) to unsigned 64-bit integer b, and subtract the result from
unsigned 64-bit integer a. Store the unsigned 64-bit result in out, and the carry-out in dst (carry or overflow flag).
*)
inline_for_extraction noextract
val subborrow_st: #t:limb_t -> c_in:carry t -> a:limb t -> b:limb t -> out:lbuffer (limb t) 1ul ->
Stack (carry t)
(requires fun h -> live h out)
(ensures fun h0 c_out h1 -> modifies (loc out) h0 h1 /\
(c_out, LSeq.index (as_seq h1 out) 0) == subborrow c_in a b)
let subborrow_st c_in a b out =
Lib.IntTypes.Intrinsics.sub_borrow c_in a b out
inline_for_extraction noextract
let mul_wide_add_t (t:limb_t) =
a:limb t
-> b:limb t
-> c_in:limb t
-> out:lbuffer (limb t) 1ul ->
Stack (limb t)
(requires fun h -> live h out)
(ensures fun h0 c_out h1 -> modifies (loc out) h0 h1 /\
(c_out, LSeq.index (as_seq h1 out) 0) == mul_wide_add a b c_in)
val mul_wide_add_u32: mul_wide_add_t U32
[@CInline]
let mul_wide_add_u32 a b c_in out =
lemma_mul_wide_add a b c_in (u32 0);
let res = to_u64 a *! to_u64 b +! to_u64 c_in in
out.(0ul) <- to_u32 res;
to_u32 (res >>. 32ul)
val mul_wide_add_u64: mul_wide_add_t U64
[@CInline]
let mul_wide_add_u64 a b c_in out =
lemma_mul_wide_add a b c_in (u64 0);
let res = mul64_wide a b +! to_u128 c_in in
out.(0ul) <- to_u64 res;
to_u64 (res >>. 64ul)
inline_for_extraction noextract
val mul_wide_add_st: #t:limb_t -> mul_wide_add_t t
let mul_wide_add_st #t =
match t with
| U32 -> mul_wide_add_u32
| U64 -> mul_wide_add_u64
inline_for_extraction noextract
let mul_wide_add2_t (t:limb_t) =
a:limb t
-> b:limb t
-> c_in:limb t
-> out:lbuffer (limb t) 1ul ->
Stack (limb t)
(requires fun h -> live h out)
(ensures fun h0 c_out h1 -> modifies (loc out) h0 h1 /\
(c_out, LSeq.index (as_seq h1 out) 0) == mul_wide_add2 a b c_in (LSeq.index (as_seq h0 out) 0))
val mul_wide_add2_u32: mul_wide_add2_t U32
[@CInline]
let mul_wide_add2_u32 a b c_in out =
let out0 = out.(0ul) in
lemma_mul_wide_add a b c_in out0;
let res = to_u64 a *! to_u64 b +! to_u64 c_in +! to_u64 out0 in
out.(0ul) <- to_u32 res;
to_u32 (res >>. 32ul)
val mul_wide_add2_u64: mul_wide_add2_t U64
[@CInline]
let mul_wide_add2_u64 a b c_in out =
let out0 = out.(0ul) in
lemma_mul_wide_add a b c_in out0;
let res = mul64_wide a b +! to_u128 c_in +! to_u128 out0 in
out.(0ul) <- to_u64 res;
to_u64 (res >>. 64ul)
inline_for_extraction noextract
val mul_wide_add2_st: #t:limb_t -> mul_wide_add2_t t
let mul_wide_add2_st #t =
match t with
| U32 -> mul_wide_add2_u32
| U64 -> mul_wide_add2_u64
================================================
FILE: code/bignum/Hacl.Bignum.Comparison.fst
================================================
module Hacl.Bignum.Comparison
open FStar.HyperStack
open FStar.HyperStack.ST
open FStar.Mul
open Lib.IntTypes
open Lib.Buffer
open Hacl.Bignum.Base
open Hacl.Bignum.Definitions
open Hacl.Bignum.Lib
module S = Hacl.Spec.Bignum.Comparison
module ST = FStar.HyperStack.ST
module Loops = Lib.LoopCombinators
#set-options "--z3rlimit 50 --fuel 0 --ifuel 0"
///
/// Bignum comparison and test functions
///
inline_for_extraction noextract
val bn_is_odd:
#t:limb_t
-> len:size_t{v len > 0}
-> a:lbignum t len ->
Stack (limb t)
(requires fun h -> live h a)
(ensures fun h0 r h1 -> modifies0 h0 h1 /\
r == S.bn_is_odd (as_seq h0 a))
let bn_is_odd #t len a = a.(0ul) &. uint #t 1
inline_for_extraction noextract
val bn_eq_mask:
#t:limb_t
-> len:size_t
-> a:lbignum t len
-> b:lbignum t len ->
Stack (limb t)
(requires fun h -> live h a /\ live h b)
(ensures fun h0 r h1 -> modifies0 h0 h1 /\
r == S.bn_eq_mask (as_seq h0 a) (as_seq h0 b))
let bn_eq_mask #t len a b =
push_frame ();
let mask = create 1ul (ones t SEC) in
let mask = Lib.ByteBuffer.buf_eq_mask a b len mask in
pop_frame ();
mask
inline_for_extraction noextract
val bn_is_zero_mask:
#t:limb_t
-> len:size_t{v len > 0}
-> a:lbignum t len ->
Stack (limb t)
(requires fun h -> live h a)
(ensures fun h0 r h1 -> modifies0 h0 h1 /\
r == S.bn_is_zero_mask (as_seq h0 a))
let bn_is_zero_mask #t len b =
push_frame ();
let bn_zero = create len (uint #t 0) in
let res = bn_eq_mask len b bn_zero in
pop_frame ();
res
inline_for_extraction noextract
val bn_lt_mask:
#t:limb_t
-> len:size_t
-> a:lbignum t len
-> b:lbignum t len ->
Stack (limb t)
(requires fun h -> live h a /\ live h b)
(ensures fun h0 r h1 -> modifies0 h0 h1 /\
r == S.bn_lt_mask (as_seq h0 a) (as_seq h0 b))
let bn_lt_mask #t len a b =
push_frame ();
let acc = create 1ul (uint #t 0) in
[@inline_let]
let refl h i : GTot (limb t) = Lib.Sequence.index (as_seq h acc) 0 in
[@inline_let]
let footprint i = loc acc in
[@inline_let]
let spec h = S.bn_lt_mask_f (as_seq h a) (as_seq h b) in
let h0 = ST.get () in
loop h0 len (S.bn_lt_mask_t t (v len)) refl footprint spec
(fun i ->
Loops.unfold_repeat_gen (v len) (S.bn_lt_mask_t t (v len)) (spec h0) (refl h0 0) (v i);
let beq = eq_mask a.(i) b.(i) in
let blt = lt_mask a.(i) b.(i) in
mask_select_lemma2 blt;
acc.(0ul) <- mask_select beq acc.(0ul) blt
);
let mask = acc.(0ul) in
pop_frame ();
mask
inline_for_extraction noextract
val bn_lt_pow2_mask:
#t:limb_t
-> len:size_t{0 < v len /\ bits t * v len <= max_size_t}
-> b:lbignum t len
-> x:size_t{v x < bits t * v len} ->
Stack (limb t)
(requires fun h -> live h b)
(ensures fun h0 r h1 -> modifies0 h0 h1 /\
r == S.bn_lt_pow2_mask (as_seq h0 b) (v x))
let bn_lt_pow2_mask #t len b x =
push_frame ();
let b2 = create len (uint #t 0) in
bn_set_ith_bit len b2 x;
let res = bn_lt_mask len b b2 in
pop_frame ();
res
inline_for_extraction noextract
val bn_gt_pow2_mask:
#t:limb_t
-> len:size_t{0 < v len /\ bits t * v len <= max_size_t}
-> b:lbignum t len
-> x:size_t{v x < bits t * v len} ->
Stack (limb t)
(requires fun h -> live h b)
(ensures fun h0 r h1 -> modifies0 h0 h1 /\
r == S.bn_gt_pow2_mask (as_seq h0 b) (v x))
let bn_gt_pow2_mask #t len b x =
push_frame ();
let b2 = create len (uint #t 0) in
bn_set_ith_bit len b2 x;
let res = bn_lt_mask len b2 b in
pop_frame ();
res
================================================
FILE: code/bignum/Hacl.Bignum.Convert.fst
================================================
module Hacl.Bignum.Convert
open FStar.HyperStack
open FStar.HyperStack.ST
open FStar.Mul
open Lib.IntTypes
open Lib.Buffer
open Lib.ByteBuffer
open Hacl.Bignum.Definitions
module ST = FStar.HyperStack.ST
module S = Hacl.Spec.Bignum.Convert
#reset-options "--z3rlimit 50 --fuel 0 --ifuel 0"
inline_for_extraction noextract
val bn_from_uint:
#t:limb_t
-> len:size_t{0 < v len}
-> x:limb t
-> b:lbignum t len ->
Stack unit
(requires fun h -> live h b)
(ensures fun h0 _ h1 -> modifies (loc b) h0 h1 /\
as_seq h1 b == S.bn_from_uint (v len) x)
let bn_from_uint #t len x b =
memset b (uint #t 0) len;
b.(0ul) <- x
inline_for_extraction noextract
val bn_from_bytes_be_:
#t:limb_t
-> len:size_t{numbytes t * v len <= max_size_t}
-> b:lbuffer uint8 (size (numbytes t) *! len)
-> res:lbignum t len ->
Stack unit
(requires fun h -> live h b /\ live h res /\ disjoint res b)
(ensures fun h0 _ h1 -> modifies (loc res) h0 h1 /\
as_seq h1 res == S.bn_from_bytes_be_ (v len) (as_seq h0 b))
let bn_from_bytes_be_ #t len b res =
let h0 = ST.get () in
[@inline_let]
let spec h = S.bn_from_bytes_be_f (v len) (as_seq h b) in
fill h0 len res spec
(fun j -> uint_from_bytes_be (sub b ((len -! j -! 1ul) *! (size (numbytes t))) (size (numbytes t))))
inline_for_extraction noextract
let bn_from_bytes_be_st (t:limb_t) =
len:size_t{0 < v len /\ numbytes t * v (blocks len (size (numbytes t))) <= max_size_t}
-> b:lbuffer uint8 len
-> res:lbignum t (blocks len (size (numbytes t))) ->
Stack unit
(requires fun h -> live h b /\ live h res /\ disjoint res b)
(ensures fun h0 _ h1 -> modifies (loc res) h0 h1 /\
as_seq h1 res == S.bn_from_bytes_be (v len) (as_seq h0 b))
inline_for_extraction noextract
val mk_bn_from_bytes_be: #t:limb_t -> is_known_len:bool -> bn_from_bytes_be_st t
let mk_bn_from_bytes_be #t is_known_len len b res =
push_frame ();
if is_known_len then begin
[@inline_let] let numb = size (numbytes t) in
[@inline_let] let bnLen = blocks len numb in
[@inline_let] let tmpLen = numb *! bnLen in
if tmpLen =. len then
bn_from_bytes_be_ bnLen b res
else begin
let tmp = create tmpLen (u8 0) in
update_sub tmp (tmpLen -! len) len b;
bn_from_bytes_be_ bnLen tmp res end end
else begin
[@inline_let] let numb = size (numbytes t) in
let bnLen = blocks len numb in
let tmpLen = numb *! bnLen in
let tmp = create tmpLen (u8 0) in
update_sub tmp (tmpLen -! len) len b;
bn_from_bytes_be_ bnLen tmp res end;
pop_frame ()
[@CInline]
let bn_from_bytes_be_uint32 : bn_from_bytes_be_st U32 = mk_bn_from_bytes_be #U32 false
let bn_from_bytes_be_uint64 : bn_from_bytes_be_st U64 = mk_bn_from_bytes_be #U64 false
inline_for_extraction noextract
val bn_from_bytes_be: #t:limb_t -> bn_from_bytes_be_st t
let bn_from_bytes_be #t =
match t with
| U32 -> bn_from_bytes_be_uint32
| U64 -> bn_from_bytes_be_uint64
inline_for_extraction noextract
let bn_from_bytes_le_st (t:limb_t) =
len:size_t{0 < v len /\ numbytes t * v (blocks len (size (numbytes t))) <= max_size_t}
-> b:lbuffer uint8 len
-> res:lbignum t (blocks len (size (numbytes t))) ->
Stack unit
(requires fun h -> live h b /\ live h res /\ disjoint res b)
(ensures fun h0 _ h1 -> modifies (loc res) h0 h1 /\
as_seq h1 res == S.bn_from_bytes_le (v len) (as_seq h0 b))
inline_for_extraction noextract
val mk_bn_from_bytes_le: #t:limb_t -> is_known_len:bool -> bn_from_bytes_le_st t
let mk_bn_from_bytes_le #t is_known_len len b res =
push_frame ();
if is_known_len then begin
[@inline_let] let numb = size (numbytes t) in
[@inline_let] let bnLen = blocks len numb in
[@inline_let] let tmpLen = numb *! bnLen in
if tmpLen =. len then
uints_from_bytes_le res b
else begin
let tmp = create tmpLen (u8 0) in
update_sub tmp 0ul len b;
uints_from_bytes_le res tmp end end
else begin
[@inline_let] let numb = size (numbytes t) in
let bnLen = blocks len numb in
let tmpLen = numb *! bnLen in
let tmp = create tmpLen (u8 0) in
update_sub tmp 0ul len b;
uints_from_bytes_le res tmp end;
pop_frame ()
[@CInline]
let bn_from_bytes_le_uint32 : bn_from_bytes_le_st U32 = mk_bn_from_bytes_le #U32 false
[@CInline]
let bn_from_bytes_le_uint64 : bn_from_bytes_le_st U64 = mk_bn_from_bytes_le #U64 false
inline_for_extraction noextract
val bn_from_bytes_le: #t:limb_t -> bn_from_bytes_le_st t
let bn_from_bytes_le #t =
match t with
| U32 -> bn_from_bytes_le_uint32
| U64 -> bn_from_bytes_le_uint64
inline_for_extraction noextract
val bn_to_bytes_be_:
#t:limb_t
-> len:size_t{numbytes t * v len <= max_size_t}
-> b:lbignum t len
-> res:lbuffer uint8 (size (numbytes t) *! len) ->
Stack unit
(requires fun h -> live h b /\ live h res /\ disjoint res b)
(ensures fun h0 _ h1 -> modifies (loc res) h0 h1 /\
as_seq h1 res == S.bn_to_bytes_be_ (v len) (as_seq h0 b))
let bn_to_bytes_be_ #t len b res =
[@inline_let] let numb = size (numbytes t) in
let h0 = ST.get () in
[@ inline_let]
let a_spec (i:nat{i <= v len}) = unit in
[@ inline_let]
let spec (h:mem) = S.bn_to_bytes_be_f (v len) (as_seq h b) in
fill_blocks h0 numb len res a_spec (fun _ _ -> ()) (fun _ -> LowStar.Buffer.loc_none) spec
(fun j -> uint_to_bytes_be (sub res (j *! numb) numb) b.(len -! j -! 1ul));
norm_spec [delta_only [`%S.bn_to_bytes_be_]] (S.bn_to_bytes_be_ (v len) (as_seq h0 b))
inline_for_extraction noextract
let bn_to_bytes_be_st (t:limb_t) (len:size_t{0 < v len /\ numbytes t * v (blocks len (size (numbytes t))) <= max_size_t}) =
b:lbignum t (blocks len (size (numbytes t)))
-> res:lbuffer uint8 len ->
Stack unit
(requires fun h ->
live h b /\ live h res /\ disjoint res b)
(ensures fun h0 _ h1 -> modifies (loc res) h0 h1 /\
as_seq h1 res == S.bn_to_bytes_be (v len) (as_seq h0 b))
inline_for_extraction noextract
val mk_bn_to_bytes_be:
#t:limb_t
-> is_known_len:bool
-> len:size_t{0 < v len /\ numbytes t * v (blocks len (size (numbytes t))) <= max_size_t} ->
bn_to_bytes_be_st t len
let mk_bn_to_bytes_be #t is_known_len len b res =
push_frame ();
if is_known_len then begin
[@inline_let] let numb = size (numbytes t) in
[@inline_let] let bnLen = blocks len numb in
[@inline_let] let tmpLen = numb *! bnLen in
let tmp = create tmpLen (u8 0) in
if tmpLen =. len then begin
LowStar.Ignore.ignore tmp;
bn_to_bytes_be_ bnLen b res end
else begin
HyperStack.ST.break_vc ();
bn_to_bytes_be_ bnLen b tmp;
copy res (sub tmp (tmpLen -! len) len) end end
else begin
[@inline_let] let numb = size (numbytes t) in
let bnLen = blocks len numb in
let tmpLen = numb *! bnLen in
let tmp = create tmpLen (u8 0) in
bn_to_bytes_be_ bnLen b tmp;
copy res (sub tmp (tmpLen -! len) len) end;
pop_frame ()
[@CInline]
let bn_to_bytes_be_uint32 len : bn_to_bytes_be_st U32 len = mk_bn_to_bytes_be #U32 false len
let bn_to_bytes_be_uint64 len : bn_to_bytes_be_st U64 len = mk_bn_to_bytes_be #U64 false len
inline_for_extraction noextract
val bn_to_bytes_be: #t:_ -> len:_ -> bn_to_bytes_be_st t len
let bn_to_bytes_be #t =
match t with
| U32 -> bn_to_bytes_be_uint32
| U64 -> bn_to_bytes_be_uint64
inline_for_extraction noextract
let bn_to_bytes_le_st (t:limb_t) (len:size_t{0 < v len /\ numbytes t * v (blocks len (size (numbytes t))) <= max_size_t}) =
b:lbignum t (blocks len (size (numbytes t)))
-> res:lbuffer uint8 len ->
Stack unit
(requires fun h ->
live h b /\ live h res /\ disjoint res b)
(ensures fun h0 _ h1 -> modifies (loc res) h0 h1 /\
as_seq h1 res == S.bn_to_bytes_le (v len) (as_seq h0 b))
inline_for_extraction noextract
val mk_bn_to_bytes_le:
#t:limb_t
-> is_known_len:bool
-> len:size_t{0 < v len /\ numbytes t * v (blocks len (size (numbytes t))) <= max_size_t} ->
bn_to_bytes_le_st t len
let mk_bn_to_bytes_le #t is_known_len len b res =
push_frame ();
if is_known_len then begin
[@inline_let] let numb = size (numbytes t) in
[@inline_let] let bnLen = blocks len numb in
[@inline_let] let tmpLen = numb *! bnLen in
let tmp = create tmpLen (u8 0) in
if tmpLen =. len then begin
LowStar.Ignore.ignore tmp;
uints_to_bytes_le bnLen res b end
else begin
uints_to_bytes_le bnLen tmp b;
copy res (sub tmp 0ul len) end end
else begin
[@inline_let] let numb = size (numbytes t) in
let bnLen = blocks len numb in
let tmpLen = numb *! bnLen in
let tmp = create tmpLen (u8 0) in
uints_to_bytes_le bnLen tmp b;
copy res (sub tmp 0ul len) end;
pop_frame ()
[@CInline]
let bn_to_bytes_le_uint32 len : bn_to_bytes_le_st U32 len = mk_bn_to_bytes_le #U32 false len
[@CInline]
let bn_to_bytes_le_uint64 len : bn_to_bytes_le_st U64 len = mk_bn_to_bytes_le #U64 false len
inline_for_extraction noextract
val bn_to_bytes_le: #t:_ -> len:_ -> bn_to_bytes_le_st t len
let bn_to_bytes_le #t =
match t with
| U32 -> bn_to_bytes_le_uint32
| U64 -> bn_to_bytes_le_uint64
================================================
FILE: code/bignum/Hacl.Bignum.Definitions.fst
================================================
module Hacl.Bignum.Definitions
open FStar.HyperStack
open FStar.HyperStack.ST
open FStar.Mul
open Lib.IntTypes
open Lib.Buffer
module S = Hacl.Spec.Bignum.Definitions
#reset-options "--z3rlimit 50 --fuel 0 --ifuel 0"
inline_for_extraction noextract
val blocks: x:size_t{v x > 0} -> m:size_t{v m > 0} -> r:size_t{v r == S.blocks (v x) (v m)}
let blocks x m = (x -. 1ul) /. m +. 1ul
inline_for_extraction noextract
val blocks0: x:size_t -> m:size_t{v m > 0} -> r:size_t{v r == S.blocks0 (v x) (v m)}
let blocks0 x m = if x =. 0ul then 1ul else (x -. 1ul) /. m +. 1ul
inline_for_extraction noextract
let limb_t = S.limb_t
inline_for_extraction noextract
let limb (t:limb_t) = S.limb t
inline_for_extraction noextract
let lbignum (t:limb_t) len = lbuffer (limb t) len
noextract
val bn_v: #t:limb_t -> #len:size_t -> h:mem -> b:lbignum t len -> GTot nat
let bn_v #t #len h b = S.bn_v #t #(v len) (as_seq h b)
================================================
FILE: code/bignum/Hacl.Bignum.Exponentiation.fst
================================================
module Hacl.Bignum.Exponentiation
open FStar.HyperStack
open FStar.HyperStack.ST
open FStar.Mul
open Lib.IntTypes
open Lib.Buffer
open Hacl.Bignum.Definitions
module ST = FStar.HyperStack.ST
module BD = Hacl.Spec.Bignum.Definitions
module SM = Hacl.Spec.Bignum.Montgomery
module BN = Hacl.Bignum
module BM = Hacl.Bignum.Montgomery
module AM = Hacl.Bignum.AlmostMontgomery
module ME = Hacl.Bignum.MontExponentiation
module AE = Hacl.Bignum.AlmostMontExponentiation
module E = Hacl.Spec.Exponentiation.Lemmas
module M = Hacl.Spec.Montgomery.Lemmas
module SE = Hacl.Spec.Bignum.MontExponentiation
friend Hacl.Spec.Bignum.Exponentiation
friend Hacl.Bignum.Montgomery
#reset-options "--z3rlimit 50 --fuel 0 --ifuel 0"
let bn_check_mod_exp #t len n a bBits b =
let m0 = BM.bn_check_modulus n in
let bLen = blocks0 bBits (size (bits t)) in
let m1 =
if bBits <. size (bits t) *! bLen
then BN.bn_lt_pow2_mask bLen b bBits
else ones t SEC in
let m2 = BN.bn_lt_mask len a n in
let m = m1 &. m2 in
m0 &. m
inline_for_extraction noextract
val mk_bn_mod_exp_precomp_mont:
#t:limb_t
-> k:BM.mont t
-> bn_exp_mont: ME.bn_exp_mont_st t k.BM.bn.BN.len ->
bn_mod_exp_precomp_st t k.BM.bn.BN.len
let mk_bn_mod_exp_precomp_mont #t k bn_exp_mont n mu r2 a bBits b res =
let h0 = ST.get () in
[@inline_let] let len = k.BM.bn.BN.len in
push_frame ();
BD.bn_eval_bound (as_seq h0 n) (v len);
let aM = create len (uint #t #SEC 0) in
BM.to n mu r2 a aM;
SM.bn_to_mont_lemma (as_seq h0 n) mu (as_seq h0 r2) (as_seq h0 a);
let resM = create len (uint #t #SEC 0) in
bn_exp_mont n mu r2 aM bBits b resM;
BM.from n mu resM res;
let h1 = ST.get () in
SM.bn_from_mont_lemma (as_seq h0 n) mu (as_seq h1 resM);
E.mod_exp_mont_ll_lemma (bits t) (v len) (bn_v h0 n) (v mu) (bn_v h0 a) (bn_v h0 b);
assert (bn_v h1 res == Lib.NatMod.pow_mod #(bn_v h0 n) (bn_v h0 a) (bn_v h0 b));
pop_frame ()
inline_for_extraction noextract
val mk_bn_mod_exp_precomp_amont:
#t:limb_t
-> k:AM.almost_mont t
-> bn_exp_amont: AE.bn_exp_almost_mont_st t k.AM.bn.BN.len ->
bn_mod_exp_precomp_st t k.AM.bn.BN.len
let mk_bn_mod_exp_precomp_amont #t k bn_exp_amont n mu r2 a bBits b res =
let h0 = ST.get () in
[@inline_let] let len = k.AM.bn.BN.len in
push_frame ();
BD.bn_eval_bound (as_seq h0 n) (v len);
let aM = create len (uint #t #SEC 0) in
AM.to n mu r2 a aM;
SM.bn_to_mont_lemma (as_seq h0 n) mu (as_seq h0 r2) (as_seq h0 a);
M.to_mont_lemma (bits t) (v len) (bn_v h0 n) (v mu) (bn_v h0 a);
let resM = create len (uint #t #SEC 0) in
bn_exp_amont n mu r2 aM bBits b resM;
AM.from n mu resM res;
let h1 = ST.get () in
SM.bn_from_mont_lemma (as_seq h0 n) mu (as_seq h1 resM);
BD.bn_eval_bound (as_seq h1 resM) (v len);
E.mod_exp_mont_ll_mod_lemma (bits t) (v len) (bn_v h0 n) (v mu) (bn_v h0 a) (bn_v h0 b) (bn_v h1 resM);
assert (bn_v h1 res == Lib.NatMod.pow_mod #(bn_v h0 n) (bn_v h0 a) (bn_v h0 b));
pop_frame ()
let bn_mod_exp_bm_vartime_precomp #t k n mu r2 a bBits b res =
mk_bn_mod_exp_precomp_mont #t k (ME.bn_exp_mont_bm_vartime #t k) n mu r2 a bBits b res
let bn_mod_exp_bm_consttime_precomp #t k n mu r2 a bBits b res =
mk_bn_mod_exp_precomp_mont #t k (ME.bn_exp_mont_bm_consttime #t k) n mu r2 a bBits b res
let bn_mod_exp_fw_vartime_precomp #t k l n mu r2 a bBits b res =
mk_bn_mod_exp_precomp_mont #t k (ME.bn_exp_mont_fw_vartime #t k l) n mu r2 a bBits b res
let bn_mod_exp_fw_consttime_precomp #t k l n mu r2 a bBits b res =
mk_bn_mod_exp_precomp_mont #t k (ME.bn_exp_mont_fw_consttime #t k l) n mu r2 a bBits b res
let bn_mod_exp_amm_bm_vartime_precomp #t k n mu r2 a bBits b res =
mk_bn_mod_exp_precomp_amont #t k (AE.bn_exp_almost_mont_bm_vartime #t k) n mu r2 a bBits b res
let bn_mod_exp_amm_bm_consttime_precomp #t k n mu r2 a bBits b res =
mk_bn_mod_exp_precomp_amont #t k (AE.bn_exp_almost_mont_bm_consttime #t k) n mu r2 a bBits b res
let bn_mod_exp_amm_fw_vartime_precomp #t k l n mu r2 a bBits b res =
mk_bn_mod_exp_precomp_amont #t k (AE.bn_exp_almost_mont_fw_vartime #t k l) n mu r2 a bBits b res
let bn_mod_exp_amm_fw_consttime_precomp #t k l n mu r2 a bBits b res =
mk_bn_mod_exp_precomp_amont #t k (AE.bn_exp_almost_mont_fw_consttime #t k l) n mu r2 a bBits b res
let bn_mod_exp_consttime_precomp #t len bn_mod_exp_bm_consttime_precomp bn_mod_exp_fw_consttime_precomp n mu r2 a bBits b res =
if bBits <. size SE.bn_exp_mont_consttime_threshold then
bn_mod_exp_bm_consttime_precomp n mu r2 a bBits b res
else
bn_mod_exp_fw_consttime_precomp n mu r2 a bBits b res
let bn_mod_exp_vartime_precomp #t len bn_mod_exp_bm_vartime_precomp bn_mod_exp_fw_vartime_precomp n mu r2 a bBits b res =
if bBits <. size SE.bn_exp_mont_vartime_threshold then
bn_mod_exp_bm_vartime_precomp n mu r2 a bBits b res
else
bn_mod_exp_fw_vartime_precomp n mu r2 a bBits b res
let mk_bn_mod_exp_precompr2 #t len bn_mod_exp_precomp n r2 a bBits b res =
let h0 = ST.get () in
let mu = BM.mod_inv_limb n.(0ul) in // n * mu = 1 (mod (pow2 64))
Hacl.Spec.Bignum.ModInvLimb.bn_mod_inv_limb_lemma (as_seq h0 n);
bn_mod_exp_precomp n mu r2 a bBits b res
let mk_bn_mod_exp #t len precomp_r2 bn_mod_exp_precomp nBits n a bBits b res =
push_frame ();
let r2 = create len (uint #t #SEC 0) in
let mu = BM.bn_mont_precomp len precomp_r2 nBits n r2 in
bn_mod_exp_precomp n mu r2 a bBits b res;
pop_frame ()
///////////////////////////////////////////////
/// A fully runtime implementation of modular exponentiation.
let bn_check_mod_exp_u32 (len:BN.meta_len U32) : bn_check_mod_exp_st U32 len =
bn_check_mod_exp len
let bn_mod_exp_vartime_precomp_u32 (len:BN.meta_len U32) : bn_mod_exp_precomp_st U32 len =
[@inline_let]
let km = AM.mk_runtime_almost_mont len in
bn_mod_exp_vartime_precomp len
(bn_mod_exp_amm_bm_vartime_precomp km)
(bn_mod_exp_amm_fw_vartime_precomp km 4ul)
let bn_mod_exp_consttime_precomp_u32 (len:BN.meta_len U32) : bn_mod_exp_precomp_st U32 len =
[@inline_let]
let km = AM.mk_runtime_almost_mont len in
bn_mod_exp_consttime_precomp len
(bn_mod_exp_amm_bm_consttime_precomp km)
(bn_mod_exp_amm_fw_consttime_precomp km 4ul)
let bn_mod_exp_vartime_u32 (len:BN.meta_len U32) : bn_mod_exp_st U32 len =
mk_bn_mod_exp len (BM.bn_precomp_r2_mod_n_u32 len) (bn_mod_exp_vartime_precomp_u32 len)
let bn_mod_exp_consttime_u32 (len:BN.meta_len U32) : bn_mod_exp_st U32 len =
mk_bn_mod_exp len (BM.bn_precomp_r2_mod_n_u32 len) (bn_mod_exp_consttime_precomp_u32 len)
inline_for_extraction noextract
let mk_runtime_exp_u32 (len:BN.meta_len U32) : exp U32 = {
bn = BN.mk_runtime_bn U32 len;
mod_check = BM.bn_check_modulus;
exp_check = bn_check_mod_exp_u32 len;
precompr2 = BM.bn_precomp_r2_mod_n_u32 len;
exp_vt_precomp = bn_mod_exp_vartime_precomp_u32 len;
exp_ct_precomp = bn_mod_exp_consttime_precomp_u32 len;
exp_vt = bn_mod_exp_vartime_u32 len;
exp_ct = bn_mod_exp_consttime_u32 len;
}
let bn_check_mod_exp_u64 (len:BN.meta_len U64) : bn_check_mod_exp_st U64 len =
bn_check_mod_exp len
let bn_mod_exp_vartime_precomp_u64 (len:BN.meta_len U64) : bn_mod_exp_precomp_st U64 len =
[@inline_let]
let km = AM.mk_runtime_almost_mont len in
bn_mod_exp_vartime_precomp len
(bn_mod_exp_amm_bm_vartime_precomp km)
(bn_mod_exp_amm_fw_vartime_precomp km 4ul)
let bn_mod_exp_consttime_precomp_u64 (len:BN.meta_len U64) : bn_mod_exp_precomp_st U64 len =
[@inline_let]
let km = AM.mk_runtime_almost_mont len in
bn_mod_exp_consttime_precomp len
(bn_mod_exp_amm_bm_consttime_precomp km)
(bn_mod_exp_amm_fw_consttime_precomp km 4ul)
let bn_mod_exp_vartime_u64 (len:BN.meta_len U64) : bn_mod_exp_st U64 len =
mk_bn_mod_exp len (BM.bn_precomp_r2_mod_n_u64 len) (bn_mod_exp_vartime_precomp_u64 len)
let bn_mod_exp_consttime_u64 (len:BN.meta_len U64) : bn_mod_exp_st U64 len =
mk_bn_mod_exp len (BM.bn_precomp_r2_mod_n_u64 len) (bn_mod_exp_consttime_precomp_u64 len)
inline_for_extraction noextract
let mk_runtime_exp_u64 (len:BN.meta_len U64) : exp U64 = {
bn = BN.mk_runtime_bn U64 len;
mod_check = BM.bn_check_modulus;
exp_check = bn_check_mod_exp_u64 len;
precompr2 = BM.bn_precomp_r2_mod_n_u64 len;
exp_vt_precomp = bn_mod_exp_vartime_precomp_u64 len;
exp_ct_precomp = bn_mod_exp_consttime_precomp_u64 len;
exp_vt = bn_mod_exp_vartime_u64 len;
exp_ct = bn_mod_exp_consttime_u64 len;
}
let mk_runtime_exp (#t:limb_t) (len:BN.meta_len t) : exp t =
match t with
| U32 -> mk_runtime_exp_u32 len
| U64 -> mk_runtime_exp_u64 len
let mk_runtime_exp_len_lemma #t len =
BM.mk_runtime_mont_len_lemma #t len
================================================
FILE: code/bignum/Hacl.Bignum.Exponentiation.fsti
================================================
module Hacl.Bignum.Exponentiation
open FStar.HyperStack
open FStar.HyperStack.ST
open FStar.Mul
open Lib.IntTypes
open Lib.Buffer
open Hacl.Bignum.Definitions
module S = Hacl.Spec.Bignum.Exponentiation
module BN = Hacl.Bignum
module BM = Hacl.Bignum.Montgomery
module AM = Hacl.Bignum.AlmostMontgomery
#reset-options "--z3rlimit 50 --fuel 0 --ifuel 0"
inline_for_extraction noextract
let bn_check_mod_exp_st (t:limb_t) (len:BN.meta_len t) =
n:lbignum t len
-> a:lbignum t len
-> bBits:size_t{bits t * v (blocks0 bBits (size (bits t))) <= max_size_t}
-> b:lbignum t (blocks0 bBits (size (bits t))) ->
Stack (limb t)
(requires fun h ->
live h n /\ live h a /\ live h b)
(ensures fun h0 r h1 -> modifies0 h0 h1 /\
r == S.bn_check_mod_exp (as_seq h0 n) (as_seq h0 a) (v bBits) (as_seq h0 b))
inline_for_extraction noextract
val bn_check_mod_exp: #t:limb_t -> len:BN.meta_len t -> bn_check_mod_exp_st t len
inline_for_extraction noextract
let bn_mod_exp_precomp_st (t:limb_t) (len:BN.meta_len t) =
n:lbignum t len
-> mu:limb t
-> r2:lbignum t len
-> a:lbignum t len
-> bBits:size_t
-> b:lbignum t (blocks0 bBits (size (bits t)))
-> res:lbignum t len ->
Stack unit
(requires fun h ->
live h n /\ live h a /\ live h b /\ live h res /\ live h r2 /\
disjoint res a /\ disjoint res b /\ disjoint res n /\ disjoint n a /\
disjoint res r2 /\ disjoint a r2 /\ disjoint n r2 /\
S.bn_mod_exp_pre (as_seq h n) (as_seq h a) (v bBits) (as_seq h b) /\
bn_v h r2 == pow2 (2 * bits t * v len) % bn_v h n /\
(1 + bn_v h n * v mu) % pow2 (bits t) == 0)
(ensures fun h0 _ h1 -> modifies (loc res) h0 h1 /\
S.bn_mod_exp_post (as_seq h0 n) (as_seq h0 a) (v bBits) (as_seq h0 b) (as_seq h1 res))
inline_for_extraction noextract
val bn_mod_exp_bm_vartime_precomp: #t:limb_t -> k:BM.mont t -> bn_mod_exp_precomp_st t k.BM.bn.BN.len
inline_for_extraction noextract
val bn_mod_exp_bm_consttime_precomp: #t:limb_t -> k:BM.mont t -> bn_mod_exp_precomp_st t k.BM.bn.BN.len
inline_for_extraction noextract
val bn_mod_exp_fw_vartime_precomp:
#t:limb_t
-> k:BM.mont t
-> l:size_t{0 < v l /\ v l < bits U32 /\ pow2 (v l) * v k.BM.bn.BN.len <= max_size_t} ->
bn_mod_exp_precomp_st t k.BM.bn.BN.len
inline_for_extraction noextract
val bn_mod_exp_fw_consttime_precomp:
#t:limb_t
-> k:BM.mont t
-> l:size_t{0 < v l /\ v l < bits U32 /\ pow2 (v l) * v k.BM.bn.BN.len <= max_size_t} ->
bn_mod_exp_precomp_st t k.BM.bn.BN.len
inline_for_extraction noextract
val bn_mod_exp_amm_bm_vartime_precomp: #t:limb_t -> k:AM.almost_mont t -> bn_mod_exp_precomp_st t k.AM.bn.BN.len
inline_for_extraction noextract
val bn_mod_exp_amm_bm_consttime_precomp: #t:limb_t -> k:AM.almost_mont t -> bn_mod_exp_precomp_st t k.AM.bn.BN.len
inline_for_extraction noextract
val bn_mod_exp_amm_fw_vartime_precomp:
#t:limb_t
-> k:AM.almost_mont t
-> l:size_t{0 < v l /\ v l < bits U32 /\ pow2 (v l) * v k.AM.bn.BN.len <= max_size_t} ->
bn_mod_exp_precomp_st t k.AM.bn.BN.len
inline_for_extraction noextract
val bn_mod_exp_amm_fw_consttime_precomp:
#t:limb_t
-> k:AM.almost_mont t
-> l:size_t{0 < v l /\ v l < bits U32 /\ pow2 (v l) * v k.AM.bn.BN.len <= max_size_t} ->
bn_mod_exp_precomp_st t k.AM.bn.BN.len
inline_for_extraction noextract
val bn_mod_exp_consttime_precomp:
#t:limb_t
-> len:BN.meta_len t
-> bn_mod_exp_bm_consttime_precomp:bn_mod_exp_precomp_st t len
-> bn_mod_exp_fw_consttime_precomp:bn_mod_exp_precomp_st t len ->
bn_mod_exp_precomp_st t len
inline_for_extraction noextract
val bn_mod_exp_vartime_precomp:
#t:limb_t
-> len:BN.meta_len t
-> bn_mod_exp_bm_vartime_precomp:bn_mod_exp_precomp_st t len
-> bn_mod_exp_fw_vartime_precomp:bn_mod_exp_precomp_st t len ->
bn_mod_exp_precomp_st t len
inline_for_extrac
gitextract_a7f9amyb/
├── .ci/
│ ├── script.bat
│ └── script.sh
├── .docker/
│ └── build/
│ ├── build.sh
│ ├── build_helper.sh
│ ├── config.json
│ ├── linux/
│ │ └── Dockerfile
│ └── windows-nt/
│ └── Dockerfile
├── .drone.yml
├── .gitattributes
├── .github/
│ ├── ISSUE_TEMPLATE/
│ │ ├── bug-report.md
│ │ ├── feature_request.md
│ │ ├── performance-issue.md
│ │ └── proof-issue.md
│ └── workflows/
│ ├── dist.yml
│ ├── hacl-packages-create-branch.yml
│ ├── hacl-packages-delete-branch.yml
│ ├── hintsanddist.yml
│ └── nix.yml
├── .gitignore
├── .nix/
│ ├── hacl.nix
│ └── vale.nix
├── .scripts/
│ ├── memhogs.sh
│ └── remove_stale_hints.sh
├── CHANGES.md
├── CODEOWNERS
├── CODE_OF_CONDUCT.md
├── GOVERNANCE.md
├── Hacl.fst.config.json
├── LICENSE
├── MAINTAINERS.md
├── Makefile
├── Makefile.common
├── Makefile.include
├── Makefile.local
├── Makefile.openssl
├── PULL_REQUEST.md
├── README.md
├── SECURITY.md
├── build_local.sh
├── code/
│ ├── bignum/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Bignum.Addition.fst
│ │ ├── Hacl.Bignum.AlmostMontExponentiation.fst
│ │ ├── Hacl.Bignum.AlmostMontgomery.fst
│ │ ├── Hacl.Bignum.AlmostMontgomery.fsti
│ │ ├── Hacl.Bignum.Base.fst
│ │ ├── Hacl.Bignum.Comparison.fst
│ │ ├── Hacl.Bignum.Convert.fst
│ │ ├── Hacl.Bignum.Definitions.fst
│ │ ├── Hacl.Bignum.Exponentiation.fst
│ │ ├── Hacl.Bignum.Exponentiation.fsti
│ │ ├── Hacl.Bignum.Karatsuba.fst
│ │ ├── Hacl.Bignum.Lib.fst
│ │ ├── Hacl.Bignum.ModInv.fst
│ │ ├── Hacl.Bignum.ModInvLimb.fst
│ │ ├── Hacl.Bignum.ModInvLimb.fsti
│ │ ├── Hacl.Bignum.ModReduction.fst
│ │ ├── Hacl.Bignum.MontArithmetic.fst
│ │ ├── Hacl.Bignum.MontArithmetic.fsti
│ │ ├── Hacl.Bignum.MontExponentiation.fst
│ │ ├── Hacl.Bignum.Montgomery.fst
│ │ ├── Hacl.Bignum.Montgomery.fsti
│ │ ├── Hacl.Bignum.Multiplication.fst
│ │ ├── Hacl.Bignum.SafeAPI.fst
│ │ ├── Hacl.Bignum.fst
│ │ ├── Hacl.Bignum.fsti
│ │ ├── Hacl.Bignum256.fst
│ │ ├── Hacl.Bignum256.fsti
│ │ ├── Hacl.Bignum256_32.fst
│ │ ├── Hacl.Bignum256_32.fsti
│ │ ├── Hacl.Bignum32.fst
│ │ ├── Hacl.Bignum32.fsti
│ │ ├── Hacl.Bignum4096.fst
│ │ ├── Hacl.Bignum4096.fsti
│ │ ├── Hacl.Bignum4096_32.fst
│ │ ├── Hacl.Bignum4096_32.fsti
│ │ ├── Hacl.Bignum64.fst
│ │ ├── Hacl.Bignum64.fsti
│ │ ├── Hacl.GenericField32.fst
│ │ ├── Hacl.GenericField32.fsti
│ │ ├── Hacl.GenericField64.fst
│ │ ├── Hacl.GenericField64.fsti
│ │ ├── Hacl.Impl.Exponentiation.Definitions.fst
│ │ ├── Hacl.Impl.Exponentiation.fst
│ │ ├── Hacl.Impl.Exponentiation.fsti
│ │ ├── Hacl.Impl.Lib.fst
│ │ ├── Hacl.Impl.MultiExponentiation.fst
│ │ ├── Hacl.Impl.MultiExponentiation.fsti
│ │ ├── Hacl.Impl.PrecompTable.fst
│ │ ├── Hacl.Impl.PrecompTable.fsti
│ │ ├── Hacl.Spec.AlmostMontgomery.Lemmas.fst
│ │ ├── Hacl.Spec.Bignum.Addition.fst
│ │ ├── Hacl.Spec.Bignum.AlmostMontExponentiation.fst
│ │ ├── Hacl.Spec.Bignum.AlmostMontgomery.fst
│ │ ├── Hacl.Spec.Bignum.AlmostMontgomery.fsti
│ │ ├── Hacl.Spec.Bignum.Base.fst
│ │ ├── Hacl.Spec.Bignum.Comparison.fst
│ │ ├── Hacl.Spec.Bignum.Convert.fst
│ │ ├── Hacl.Spec.Bignum.Definitions.fst
│ │ ├── Hacl.Spec.Bignum.Exponentiation.fst
│ │ ├── Hacl.Spec.Bignum.Exponentiation.fsti
│ │ ├── Hacl.Spec.Bignum.Karatsuba.fst
│ │ ├── Hacl.Spec.Bignum.Lib.fst
│ │ ├── Hacl.Spec.Bignum.ModInv.fst
│ │ ├── Hacl.Spec.Bignum.ModInvLimb.fst
│ │ ├── Hacl.Spec.Bignum.ModInvLimb.fsti
│ │ ├── Hacl.Spec.Bignum.ModReduction.fst
│ │ ├── Hacl.Spec.Bignum.MontArithmetic.fst
│ │ ├── Hacl.Spec.Bignum.MontArithmetic.fsti
│ │ ├── Hacl.Spec.Bignum.MontExponentiation.fst
│ │ ├── Hacl.Spec.Bignum.Montgomery.fst
│ │ ├── Hacl.Spec.Bignum.Montgomery.fsti
│ │ ├── Hacl.Spec.Bignum.Multiplication.fst
│ │ ├── Hacl.Spec.Bignum.Squaring.fst
│ │ ├── Hacl.Spec.Bignum.fst
│ │ ├── Hacl.Spec.Bignum.fsti
│ │ ├── Hacl.Spec.Exponentiation.Lemmas.fst
│ │ ├── Hacl.Spec.Karatsuba.Lemmas.fst
│ │ ├── Hacl.Spec.Lib.fst
│ │ ├── Hacl.Spec.Montgomery.Lemmas.fst
│ │ ├── Hacl.Spec.PrecompBaseTable.fst
│ │ ├── Hacl.Spec.PrecompBaseTable.fsti
│ │ ├── Hacl.Spec.PrecompBaseTable256.fst
│ │ ├── Hacl.Spec.PrecompBaseTable256.fsti
│ │ ├── Hacl.Spec.PrecompTable.fst
│ │ ├── Makefile
│ │ └── README.md
│ ├── blake2/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Blake2b_256.fst
│ │ ├── Hacl.Blake2b_32.fst
│ │ ├── Hacl.Blake2s_128.fst
│ │ ├── Hacl.Blake2s_32.fst
│ │ ├── Hacl.Impl.Blake2.Constants.fst
│ │ ├── Hacl.Impl.Blake2.Core.fst
│ │ ├── Hacl.Impl.Blake2.Core.fsti
│ │ ├── Hacl.Impl.Blake2.Generic.fst
│ │ └── Makefile
│ ├── chacha20/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Chacha20.Vec128.fst
│ │ ├── Hacl.Chacha20.Vec256.fst
│ │ ├── Hacl.Chacha20.Vec32.fst
│ │ ├── Hacl.Chacha20.fst
│ │ ├── Hacl.Impl.Chacha20.Core32.fst
│ │ ├── Hacl.Impl.Chacha20.Core32xN.fst
│ │ ├── Hacl.Impl.Chacha20.Vec.fst
│ │ ├── Hacl.Impl.Chacha20.fst
│ │ ├── Hacl.Meta.Chacha20.Vec.fst
│ │ ├── Hacl.Spec.Chacha20.Equiv.fst
│ │ ├── Hacl.Spec.Chacha20.Lemmas.fst
│ │ ├── Hacl.Spec.Chacha20.Vec.fst
│ │ └── Makefile
│ ├── chacha20poly1305/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Chacha20Poly1305_128.fst
│ │ ├── Hacl.Chacha20Poly1305_256.fst
│ │ ├── Hacl.Chacha20Poly1305_32.fst
│ │ ├── Hacl.Impl.Chacha20Poly1305.PolyCore.fst
│ │ ├── Hacl.Impl.Chacha20Poly1305.fst
│ │ ├── Hacl.Meta.Chacha20Poly1305.fst
│ │ └── Makefile
│ ├── curve25519/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Curve25519_51.fst
│ │ ├── Hacl.Curve25519_51.fsti
│ │ ├── Hacl.Curve25519_64.fst
│ │ ├── Hacl.Curve25519_64.fsti
│ │ ├── Hacl.Curve25519_64_Local.fst
│ │ ├── Hacl.Curve25519_64_Local.fsti
│ │ ├── Hacl.Curve25519_64_Slow.fst
│ │ ├── Hacl.Curve25519_64_Slow.fsti
│ │ ├── Hacl.Impl.Curve25519.AddAndDouble.fst
│ │ ├── Hacl.Impl.Curve25519.Field51.fst
│ │ ├── Hacl.Impl.Curve25519.Field64.Hacl.fst
│ │ ├── Hacl.Impl.Curve25519.Field64.Hacl.fsti
│ │ ├── Hacl.Impl.Curve25519.Field64.Local.fsti
│ │ ├── Hacl.Impl.Curve25519.Field64.Vale.fst
│ │ ├── Hacl.Impl.Curve25519.Field64.Vale.fsti
│ │ ├── Hacl.Impl.Curve25519.Field64.fst
│ │ ├── Hacl.Impl.Curve25519.Fields.Core.fsti
│ │ ├── Hacl.Impl.Curve25519.Fields.fst
│ │ ├── Hacl.Impl.Curve25519.Finv.fst
│ │ ├── Hacl.Impl.Curve25519.Generic.fst
│ │ ├── Hacl.Impl.Curve25519.Generic.fsti
│ │ ├── Hacl.Impl.Curve25519.Lemmas.fst
│ │ ├── Hacl.Meta.Curve25519.fst
│ │ ├── Hacl.Meta.Curve25519.fsti
│ │ ├── Hacl.Spec.Curve25519.AddAndDouble.fst
│ │ ├── Hacl.Spec.Curve25519.Field51.Definition.fst
│ │ ├── Hacl.Spec.Curve25519.Field51.Lemmas.fst
│ │ ├── Hacl.Spec.Curve25519.Field51.fst
│ │ ├── Hacl.Spec.Curve25519.Field64.Core.fst
│ │ ├── Hacl.Spec.Curve25519.Field64.Definition.fst
│ │ ├── Hacl.Spec.Curve25519.Field64.Lemmas.fst
│ │ ├── Hacl.Spec.Curve25519.Field64.fst
│ │ ├── Hacl.Spec.Curve25519.Finv.fst
│ │ └── Makefile
│ ├── drbg/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.HMAC_DRBG.fst
│ │ ├── Hacl.HMAC_DRBG.fsti
│ │ └── Makefile
│ ├── ecdsap256/
│ │ ├── Hacl.Impl.P256.Bignum.fst
│ │ ├── Hacl.Impl.P256.Bignum.fsti
│ │ ├── Hacl.Impl.P256.Compression.fst
│ │ ├── Hacl.Impl.P256.Compression.fsti
│ │ ├── Hacl.Impl.P256.Constants.fst
│ │ ├── Hacl.Impl.P256.DH.fst
│ │ ├── Hacl.Impl.P256.DH.fsti
│ │ ├── Hacl.Impl.P256.Field.fst
│ │ ├── Hacl.Impl.P256.Field.fsti
│ │ ├── Hacl.Impl.P256.Finv.fst
│ │ ├── Hacl.Impl.P256.Finv.fsti
│ │ ├── Hacl.Impl.P256.Group.fst
│ │ ├── Hacl.Impl.P256.Point.fst
│ │ ├── Hacl.Impl.P256.Point.fsti
│ │ ├── Hacl.Impl.P256.PointAdd.fst
│ │ ├── Hacl.Impl.P256.PointAdd.fsti
│ │ ├── Hacl.Impl.P256.PointDouble.fst
│ │ ├── Hacl.Impl.P256.PointDouble.fsti
│ │ ├── Hacl.Impl.P256.PointMul.fst
│ │ ├── Hacl.Impl.P256.PointMul.fsti
│ │ ├── Hacl.Impl.P256.Qinv.fst
│ │ ├── Hacl.Impl.P256.Qinv.fsti
│ │ ├── Hacl.Impl.P256.Scalar.fst
│ │ ├── Hacl.Impl.P256.Scalar.fsti
│ │ ├── Hacl.Impl.P256.Sign.fst
│ │ ├── Hacl.Impl.P256.Verify.fst
│ │ ├── Hacl.P256.PrecompTable.fst
│ │ ├── Hacl.P256.PrecompTable.fsti
│ │ ├── Hacl.P256.fst
│ │ ├── Hacl.P256.fsti
│ │ ├── Hacl.Spec.P256.Finv.fst
│ │ ├── Hacl.Spec.P256.Montgomery.fst
│ │ ├── Hacl.Spec.P256.Montgomery.fsti
│ │ ├── Hacl.Spec.P256.PrecompTable.fst
│ │ ├── Hacl.Spec.P256.PrecompTable.fsti
│ │ ├── Hacl.Spec.P256.Qinv.fst
│ │ └── Makefile
│ ├── ed25519/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Benchmark.Ed25519.c
│ │ ├── Hacl.Bignum25519.fst
│ │ ├── Hacl.Bignum25519.fsti
│ │ ├── Hacl.EC.Ed25519.fst
│ │ ├── Hacl.Ed25519.PrecompTable.fst
│ │ ├── Hacl.Ed25519.PrecompTable.fsti
│ │ ├── Hacl.Ed25519.fst
│ │ ├── Hacl.Ed25519.fsti
│ │ ├── Hacl.Impl.BignumQ.Mul.fst
│ │ ├── Hacl.Impl.BignumQ.Mul.fsti
│ │ ├── Hacl.Impl.Ed25519.Field51.fst
│ │ ├── Hacl.Impl.Ed25519.Group.fst
│ │ ├── Hacl.Impl.Ed25519.Ladder.fst
│ │ ├── Hacl.Impl.Ed25519.Ladder.fsti
│ │ ├── Hacl.Impl.Ed25519.PointAdd.fst
│ │ ├── Hacl.Impl.Ed25519.PointCompress.fst
│ │ ├── Hacl.Impl.Ed25519.PointConstants.fst
│ │ ├── Hacl.Impl.Ed25519.PointDecompress.fst
│ │ ├── Hacl.Impl.Ed25519.PointDouble.fst
│ │ ├── Hacl.Impl.Ed25519.PointEqual.fst
│ │ ├── Hacl.Impl.Ed25519.PointNegate.fst
│ │ ├── Hacl.Impl.Ed25519.Pow2_252m2.fst
│ │ ├── Hacl.Impl.Ed25519.RecoverX.fst
│ │ ├── Hacl.Impl.Ed25519.Sign.fst
│ │ ├── Hacl.Impl.Ed25519.Verify.fst
│ │ ├── Hacl.Impl.Load56.fst
│ │ ├── Hacl.Impl.SHA512.ModQ.fst
│ │ ├── Hacl.Impl.Store56.fst
│ │ ├── Hacl.Spec.BignumQ.Definitions.fst
│ │ ├── Hacl.Spec.BignumQ.Lemmas.fst
│ │ ├── Hacl.Spec.BignumQ.Mul.fst
│ │ ├── Hacl.Spec.Ed25519.PrecompTable.fst
│ │ ├── Hacl.Spec.Ed25519.PrecompTable.fsti
│ │ ├── Hacl.Test.Ed25519.fst
│ │ └── Makefile
│ ├── fallback/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.IntTypes.Intrinsics.fst
│ │ ├── Hacl.IntTypes.Intrinsics_128.fst
│ │ ├── Makefile
│ │ └── README.md
│ ├── ffdhe/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.FFDHE.fst
│ │ ├── Hacl.Impl.FFDHE.Constants.fst
│ │ ├── Hacl.Impl.FFDHE.fst
│ │ ├── Hacl.Spec.FFDHE.Lemmas.fst
│ │ └── Makefile
│ ├── frodo/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.AES128.fsti
│ │ ├── Hacl.Frodo.KEM.fst
│ │ ├── Hacl.Frodo.Random.fst
│ │ ├── Hacl.Frodo.Random.fsti
│ │ ├── Hacl.Frodo1344.fst
│ │ ├── Hacl.Frodo64.fst
│ │ ├── Hacl.Frodo640.fst
│ │ ├── Hacl.Frodo976.fst
│ │ ├── Hacl.Impl.Frodo.Encode.fst
│ │ ├── Hacl.Impl.Frodo.Gen.fst
│ │ ├── Hacl.Impl.Frodo.KEM.Decaps.fst
│ │ ├── Hacl.Impl.Frodo.KEM.Encaps.fst
│ │ ├── Hacl.Impl.Frodo.KEM.KeyGen.fst
│ │ ├── Hacl.Impl.Frodo.KEM.fst
│ │ ├── Hacl.Impl.Frodo.Pack.fst
│ │ ├── Hacl.Impl.Frodo.Params.fst
│ │ ├── Hacl.Impl.Frodo.Sample.fst
│ │ ├── Hacl.Impl.Matrix.fst
│ │ ├── Hacl.Keccak.fst
│ │ ├── Hacl.Keccak.fsti
│ │ └── Makefile
│ ├── hash/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Hash.Blake2b_256.fst
│ │ ├── Hacl.Hash.Blake2b_256.fsti
│ │ ├── Hacl.Hash.Blake2b_32.fst
│ │ ├── Hacl.Hash.Blake2b_32.fsti
│ │ ├── Hacl.Hash.Blake2s_128.fst
│ │ ├── Hacl.Hash.Blake2s_128.fsti
│ │ ├── Hacl.Hash.Blake2s_32.fst
│ │ ├── Hacl.Hash.Blake2s_32.fsti
│ │ ├── Hacl.Hash.Core.MD5.fst
│ │ ├── Hacl.Hash.Core.MD5.fsti
│ │ ├── Hacl.Hash.Core.SHA1.fst
│ │ ├── Hacl.Hash.Core.SHA1.fsti
│ │ ├── Hacl.Hash.Definitions.fst
│ │ ├── Hacl.Hash.Lemmas.fst
│ │ ├── Hacl.Hash.MD.fst
│ │ ├── Hacl.Hash.MD.fsti
│ │ ├── Hacl.Hash.MD5.fst
│ │ ├── Hacl.Hash.MD5.fsti
│ │ ├── Hacl.Hash.PadFinish.fst
│ │ ├── Hacl.Hash.PadFinish.fsti
│ │ ├── Hacl.Hash.SHA1.fst
│ │ ├── Hacl.Hash.SHA1.fsti
│ │ ├── Hacl.Hash.SHA2.fst
│ │ ├── Hacl.Hash.SHA2.fsti
│ │ ├── Hacl.Hash.SHA3.fst
│ │ ├── Hacl.Hash.SHA3.fsti
│ │ ├── Makefile
│ │ └── README.md
│ ├── hkdf/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.HKDF.Blake2b_256.fst
│ │ ├── Hacl.HKDF.Blake2s_128.fst
│ │ ├── Hacl.HKDF.fst
│ │ ├── Hacl.HKDF.fsti
│ │ └── Makefile
│ ├── hmac/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.HMAC.Blake2b_256.fst
│ │ ├── Hacl.HMAC.Blake2s_128.fst
│ │ ├── Hacl.HMAC.fst
│ │ ├── Hacl.HMAC.fsti
│ │ └── Makefile
│ ├── hpke/
│ │ ├── Hacl.HPKE.Curve51_CP128_SHA256.fst
│ │ ├── Hacl.HPKE.Curve51_CP128_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve51_CP128_SHA512.fst
│ │ ├── Hacl.HPKE.Curve51_CP128_SHA512.fsti
│ │ ├── Hacl.HPKE.Curve51_CP256_SHA256.fst
│ │ ├── Hacl.HPKE.Curve51_CP256_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve51_CP256_SHA512.fst
│ │ ├── Hacl.HPKE.Curve51_CP256_SHA512.fsti
│ │ ├── Hacl.HPKE.Curve51_CP32_SHA256.fst
│ │ ├── Hacl.HPKE.Curve51_CP32_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve51_CP32_SHA512.fst
│ │ ├── Hacl.HPKE.Curve51_CP32_SHA512.fsti
│ │ ├── Hacl.HPKE.Curve64_CP128_SHA256.fst
│ │ ├── Hacl.HPKE.Curve64_CP128_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve64_CP128_SHA512.fst
│ │ ├── Hacl.HPKE.Curve64_CP128_SHA512.fsti
│ │ ├── Hacl.HPKE.Curve64_CP256_SHA256.fst
│ │ ├── Hacl.HPKE.Curve64_CP256_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve64_CP256_SHA512.fst
│ │ ├── Hacl.HPKE.Curve64_CP256_SHA512.fsti
│ │ ├── Hacl.HPKE.Curve64_CP32_SHA256.fst
│ │ ├── Hacl.HPKE.Curve64_CP32_SHA256.fsti
│ │ ├── Hacl.HPKE.Curve64_CP32_SHA512.fst
│ │ ├── Hacl.HPKE.Curve64_CP32_SHA512.fsti
│ │ ├── Hacl.HPKE.Interface.AEAD.fst
│ │ ├── Hacl.HPKE.Interface.AEAD.fsti
│ │ ├── Hacl.HPKE.Interface.DH.fst
│ │ ├── Hacl.HPKE.Interface.HKDF.fst
│ │ ├── Hacl.HPKE.Interface.Hash.fst
│ │ ├── Hacl.HPKE.P256_CP128_SHA256.fst
│ │ ├── Hacl.HPKE.P256_CP128_SHA256.fsti
│ │ ├── Hacl.HPKE.P256_CP256_SHA256.fst
│ │ ├── Hacl.HPKE.P256_CP256_SHA256.fsti
│ │ ├── Hacl.HPKE.P256_CP32_SHA256.fst
│ │ ├── Hacl.HPKE.P256_CP32_SHA256.fsti
│ │ ├── Hacl.Impl.HPKE.fst
│ │ ├── Hacl.Impl.HPKE.fsti
│ │ ├── Hacl.Meta.HPKE.fst
│ │ ├── Hacl.Meta.HPKE.fsti
│ │ └── Makefile
│ ├── k256/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.EC.K256.fst
│ │ ├── Hacl.Impl.K256.Finv.fst
│ │ ├── Hacl.Impl.K256.GLV.Constants.fst
│ │ ├── Hacl.Impl.K256.GLV.Constants.fsti
│ │ ├── Hacl.Impl.K256.GLV.fst
│ │ ├── Hacl.Impl.K256.GLV.fsti
│ │ ├── Hacl.Impl.K256.Group.fst
│ │ ├── Hacl.Impl.K256.Point.fst
│ │ ├── Hacl.Impl.K256.Point.fsti
│ │ ├── Hacl.Impl.K256.PointAdd.fst
│ │ ├── Hacl.Impl.K256.PointDouble.fst
│ │ ├── Hacl.Impl.K256.PointMul.fst
│ │ ├── Hacl.Impl.K256.PointMul.fsti
│ │ ├── Hacl.Impl.K256.Qinv.fst
│ │ ├── Hacl.Impl.K256.Sign.fst
│ │ ├── Hacl.Impl.K256.Verify.fst
│ │ ├── Hacl.K256.ECDSA.fst
│ │ ├── Hacl.K256.ECDSA.fsti
│ │ ├── Hacl.K256.Field.fst
│ │ ├── Hacl.K256.Field.fsti
│ │ ├── Hacl.K256.PrecompTable.fst
│ │ ├── Hacl.K256.PrecompTable.fsti
│ │ ├── Hacl.K256.Scalar.fst
│ │ ├── Hacl.K256.Scalar.fsti
│ │ ├── Hacl.Spec.K256.ECSM.Lemmas.fst
│ │ ├── Hacl.Spec.K256.Field52.Definitions.Lemmas.fst
│ │ ├── Hacl.Spec.K256.Field52.Definitions.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas.fsti
│ │ ├── Hacl.Spec.K256.Field52.Lemmas1.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas2.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas3.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas4.fst
│ │ ├── Hacl.Spec.K256.Field52.Lemmas5.fst
│ │ ├── Hacl.Spec.K256.Field52.fst
│ │ ├── Hacl.Spec.K256.Finv.fst
│ │ ├── Hacl.Spec.K256.GLV.Lemmas.fst
│ │ ├── Hacl.Spec.K256.GLV.fst
│ │ ├── Hacl.Spec.K256.MathLemmas.fst
│ │ ├── Hacl.Spec.K256.PrecompTable.fst
│ │ ├── Hacl.Spec.K256.PrecompTable.fsti
│ │ ├── Hacl.Spec.K256.Qinv.fst
│ │ ├── Hacl.Spec.K256.Scalar.Lemmas.fst
│ │ ├── Hacl.Spec.K256.Scalar.fst
│ │ └── Makefile
│ ├── meta/
│ │ ├── AUTHORS.md
│ │ ├── DOCUMENTATION.md
│ │ ├── Makefile
│ │ ├── Meta.Attribute.fst
│ │ ├── Meta.Interface.fst
│ │ └── example/
│ │ ├── Client.fst
│ │ ├── Device.fst
│ │ ├── Example.fst
│ │ ├── Example.fst.hints
│ │ ├── Interface.fsti
│ │ └── Makefile
│ ├── nacl-box/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Impl.Box.fst
│ │ ├── Hacl.Impl.SecretBox.fst
│ │ ├── Hacl.NaCl.fst
│ │ └── Makefile
│ ├── poly1305/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Impl.Poly1305.Bignum128.fst
│ │ ├── Hacl.Impl.Poly1305.Bignum128.fsti
│ │ ├── Hacl.Impl.Poly1305.Field32xN.fst
│ │ ├── Hacl.Impl.Poly1305.Field32xN_128.fst
│ │ ├── Hacl.Impl.Poly1305.Field32xN_256.fst
│ │ ├── Hacl.Impl.Poly1305.Field32xN_32.fst
│ │ ├── Hacl.Impl.Poly1305.Fields.fst
│ │ ├── Hacl.Impl.Poly1305.Lemmas.fst
│ │ ├── Hacl.Impl.Poly1305.Lemmas.fsti
│ │ ├── Hacl.Impl.Poly1305.fst
│ │ ├── Hacl.Impl.Poly1305.fsti
│ │ ├── Hacl.Meta.Poly1305.fst
│ │ ├── Hacl.Meta.Poly1305.fsti
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas0.fst
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas0.fsti
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas1.fst
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas1.fsti
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas2.fst
│ │ ├── Hacl.Poly1305.Field32xN.Lemmas2.fsti
│ │ ├── Hacl.Poly1305_128.fst
│ │ ├── Hacl.Poly1305_128.fsti
│ │ ├── Hacl.Poly1305_256.fst
│ │ ├── Hacl.Poly1305_256.fsti
│ │ ├── Hacl.Poly1305_32.fst
│ │ ├── Hacl.Poly1305_32.fsti
│ │ ├── Hacl.Spec.Poly1305.Equiv.fst
│ │ ├── Hacl.Spec.Poly1305.Equiv.fsti
│ │ ├── Hacl.Spec.Poly1305.Field32xN.Lemmas.fst
│ │ ├── Hacl.Spec.Poly1305.Field32xN.fst
│ │ ├── Hacl.Spec.Poly1305.Lemmas.fst
│ │ ├── Hacl.Spec.Poly1305.Vec.fst
│ │ └── Makefile
│ ├── rsapss/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Impl.RSAPSS.Keys.fst
│ │ ├── Hacl.Impl.RSAPSS.MGF.fst
│ │ ├── Hacl.Impl.RSAPSS.Padding.fst
│ │ ├── Hacl.Impl.RSAPSS.fst
│ │ ├── Hacl.RSAPSS.fst
│ │ ├── Hacl.Spec.RSAPSS.fst
│ │ └── Makefile
│ ├── salsa20/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Impl.HSalsa20.fst
│ │ ├── Hacl.Impl.Salsa20.Core32.fst
│ │ ├── Hacl.Impl.Salsa20.fst
│ │ ├── Hacl.Salsa20.fst
│ │ └── Makefile
│ ├── sha2-mb/
│ │ ├── Hacl.Impl.SHA2.Core.fst
│ │ ├── Hacl.Impl.SHA2.Generic.fst
│ │ ├── Hacl.Impl.SHA2.Types.fst
│ │ ├── Hacl.SHA2.Scalar32.Lemmas.fst
│ │ ├── Hacl.SHA2.Scalar32.fst
│ │ ├── Hacl.SHA2.Vec128.fst
│ │ ├── Hacl.SHA2.Vec256.fst
│ │ ├── Hacl.Spec.SHA2.Equiv.fst
│ │ ├── Hacl.Spec.SHA2.EquivScalar.fst
│ │ ├── Hacl.Spec.SHA2.EquivScalar.fsti
│ │ ├── Hacl.Spec.SHA2.Lemmas.fst
│ │ ├── Hacl.Spec.SHA2.Vec.fst
│ │ ├── Hacl.Spec.SHA2.fst
│ │ └── Makefile
│ ├── sha3/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Hash.SHA3.Scalar.fst
│ │ ├── Hacl.Hash.SHA3.Simd256.fst
│ │ ├── Hacl.Impl.SHA3.Vec.fst
│ │ ├── Hacl.Impl.SHA3.Vec.fsti
│ │ ├── Hacl.Spec.SHA3.Equiv.fst
│ │ ├── Hacl.Spec.SHA3.Equiv.fsti
│ │ ├── Hacl.Spec.SHA3.Lemmas.fst
│ │ ├── Hacl.Spec.SHA3.Vec.Common.fst
│ │ ├── Hacl.Spec.SHA3.Vec.fst
│ │ └── Makefile
│ ├── streaming/
│ │ ├── AUTHORS.md
│ │ ├── Hacl.Agile.Hash.fst
│ │ ├── Hacl.Agile.Hash.fsti
│ │ ├── Hacl.Streaming.Blake2.Common.fst
│ │ ├── Hacl.Streaming.Blake2.Params.fst
│ │ ├── Hacl.Streaming.Blake2.Params.fsti
│ │ ├── Hacl.Streaming.Blake2b_256.fst
│ │ ├── Hacl.Streaming.Blake2b_32.fst
│ │ ├── Hacl.Streaming.Blake2s_128.fst
│ │ ├── Hacl.Streaming.Blake2s_32.fst
│ │ ├── Hacl.Streaming.Functor.fst
│ │ ├── Hacl.Streaming.Functor.fsti
│ │ ├── Hacl.Streaming.HMAC.Definitions.fst
│ │ ├── Hacl.Streaming.HMAC.Definitions.fsti
│ │ ├── Hacl.Streaming.HMAC.fst
│ │ ├── Hacl.Streaming.Interface.fsti
│ │ ├── Hacl.Streaming.Keccak.fst
│ │ ├── Hacl.Streaming.MD.fst
│ │ ├── Hacl.Streaming.MD5.fst
│ │ ├── Hacl.Streaming.Poly1305.fst
│ │ ├── Hacl.Streaming.Poly1305_128.fst
│ │ ├── Hacl.Streaming.Poly1305_128.fsti
│ │ ├── Hacl.Streaming.Poly1305_256.fst
│ │ ├── Hacl.Streaming.Poly1305_256.fsti
│ │ ├── Hacl.Streaming.Poly1305_32.fst
│ │ ├── Hacl.Streaming.Poly1305_32.fsti
│ │ ├── Hacl.Streaming.SHA1.fst
│ │ ├── Hacl.Streaming.SHA2.fst
│ │ ├── Hacl.Streaming.Spec.fst
│ │ ├── Hacl.Streaming.Types.fst
│ │ ├── Makefile
│ │ ├── README.md
│ │ └── nohup.out
│ └── tests/
│ ├── Hacl.Benchmark.Ed25519.c
│ ├── Hacl.Test.ECDSA.fst
│ ├── Hacl.Test.HMAC_DRBG.fst
│ ├── Hacl.Test.K256.fst
│ ├── Hacl.Test.SHA2.fst
│ ├── Hacl.Test.SHA3.fst
│ └── Makefile
├── dist/
│ ├── LICENSE.txt
│ ├── META
│ ├── Makefile.test
│ ├── Makefile.tmpl
│ ├── configure
│ ├── gcc-compatible/
│ │ ├── EverCrypt_AEAD.c
│ │ ├── EverCrypt_AEAD.h
│ │ ├── EverCrypt_AutoConfig2.c
│ │ ├── EverCrypt_AutoConfig2.h
│ │ ├── EverCrypt_Chacha20Poly1305.c
│ │ ├── EverCrypt_Chacha20Poly1305.h
│ │ ├── EverCrypt_Cipher.c
│ │ ├── EverCrypt_Cipher.h
│ │ ├── EverCrypt_Curve25519.c
│ │ ├── EverCrypt_Curve25519.h
│ │ ├── EverCrypt_DRBG.c
│ │ ├── EverCrypt_DRBG.h
│ │ ├── EverCrypt_Ed25519.c
│ │ ├── EverCrypt_Ed25519.h
│ │ ├── EverCrypt_Error.h
│ │ ├── EverCrypt_HKDF.c
│ │ ├── EverCrypt_HKDF.h
│ │ ├── EverCrypt_HMAC.c
│ │ ├── EverCrypt_HMAC.h
│ │ ├── EverCrypt_Hash.c
│ │ ├── EverCrypt_Hash.h
│ │ ├── EverCrypt_Poly1305.c
│ │ ├── EverCrypt_Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.h
│ │ ├── Hacl_AES128.h
│ │ ├── Hacl_Bignum.c
│ │ ├── Hacl_Bignum.h
│ │ ├── Hacl_Bignum256.c
│ │ ├── Hacl_Bignum256.h
│ │ ├── Hacl_Bignum256_32.c
│ │ ├── Hacl_Bignum256_32.h
│ │ ├── Hacl_Bignum32.c
│ │ ├── Hacl_Bignum32.h
│ │ ├── Hacl_Bignum4096.c
│ │ ├── Hacl_Bignum4096.h
│ │ ├── Hacl_Bignum4096_32.c
│ │ ├── Hacl_Bignum4096_32.h
│ │ ├── Hacl_Bignum64.c
│ │ ├── Hacl_Bignum64.h
│ │ ├── Hacl_Chacha20.c
│ │ ├── Hacl_Chacha20.h
│ │ ├── Hacl_Chacha20_Vec128.c
│ │ ├── Hacl_Chacha20_Vec128.h
│ │ ├── Hacl_Chacha20_Vec256.c
│ │ ├── Hacl_Chacha20_Vec256.h
│ │ ├── Hacl_Chacha20_Vec32.c
│ │ ├── Hacl_Chacha20_Vec32.h
│ │ ├── Hacl_Curve25519_51.c
│ │ ├── Hacl_Curve25519_51.h
│ │ ├── Hacl_Curve25519_64.c
│ │ ├── Hacl_Curve25519_64.h
│ │ ├── Hacl_EC_Ed25519.c
│ │ ├── Hacl_EC_Ed25519.h
│ │ ├── Hacl_EC_K256.c
│ │ ├── Hacl_EC_K256.h
│ │ ├── Hacl_Ed25519.c
│ │ ├── Hacl_Ed25519.h
│ │ ├── Hacl_FFDHE.c
│ │ ├── Hacl_FFDHE.h
│ │ ├── Hacl_Frodo1344.c
│ │ ├── Hacl_Frodo1344.h
│ │ ├── Hacl_Frodo64.c
│ │ ├── Hacl_Frodo64.h
│ │ ├── Hacl_Frodo640.c
│ │ ├── Hacl_Frodo640.h
│ │ ├── Hacl_Frodo976.c
│ │ ├── Hacl_Frodo976.h
│ │ ├── Hacl_Frodo_KEM.c
│ │ ├── Hacl_GenericField32.c
│ │ ├── Hacl_GenericField32.h
│ │ ├── Hacl_GenericField64.c
│ │ ├── Hacl_GenericField64.h
│ │ ├── Hacl_HKDF.c
│ │ ├── Hacl_HKDF.h
│ │ ├── Hacl_HKDF_Blake2b_256.c
│ │ ├── Hacl_HKDF_Blake2b_256.h
│ │ ├── Hacl_HKDF_Blake2s_128.c
│ │ ├── Hacl_HKDF_Blake2s_128.h
│ │ ├── Hacl_HMAC.c
│ │ ├── Hacl_HMAC.h
│ │ ├── Hacl_HMAC_Blake2b_256.c
│ │ ├── Hacl_HMAC_Blake2b_256.h
│ │ ├── Hacl_HMAC_Blake2s_128.c
│ │ ├── Hacl_HMAC_Blake2s_128.h
│ │ ├── Hacl_HMAC_DRBG.c
│ │ ├── Hacl_HMAC_DRBG.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.h
│ │ ├── Hacl_Hash_Base.c
│ │ ├── Hacl_Hash_Base.h
│ │ ├── Hacl_Hash_Blake2b.c
│ │ ├── Hacl_Hash_Blake2b.h
│ │ ├── Hacl_Hash_Blake2b_Simd256.c
│ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ ├── Hacl_Hash_Blake2s.c
│ │ ├── Hacl_Hash_Blake2s.h
│ │ ├── Hacl_Hash_Blake2s_Simd128.c
│ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ ├── Hacl_Hash_MD5.c
│ │ ├── Hacl_Hash_MD5.h
│ │ ├── Hacl_Hash_SHA1.c
│ │ ├── Hacl_Hash_SHA1.h
│ │ ├── Hacl_Hash_SHA2.c
│ │ ├── Hacl_Hash_SHA2.h
│ │ ├── Hacl_Hash_SHA3.c
│ │ ├── Hacl_Hash_SHA3.h
│ │ ├── Hacl_Hash_SHA3_Simd256.c
│ │ ├── Hacl_Hash_SHA3_Simd256.h
│ │ ├── Hacl_IntTypes_Intrinsics.h
│ │ ├── Hacl_IntTypes_Intrinsics_128.h
│ │ ├── Hacl_K256_ECDSA.c
│ │ ├── Hacl_K256_ECDSA.h
│ │ ├── Hacl_Krmllib.h
│ │ ├── Hacl_MAC_Poly1305.c
│ │ ├── Hacl_MAC_Poly1305.h
│ │ ├── Hacl_MAC_Poly1305_Simd128.c
│ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ ├── Hacl_MAC_Poly1305_Simd256.c
│ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ ├── Hacl_NaCl.c
│ │ ├── Hacl_NaCl.h
│ │ ├── Hacl_P256.c
│ │ ├── Hacl_P256.h
│ │ ├── Hacl_RSAPSS.c
│ │ ├── Hacl_RSAPSS.h
│ │ ├── Hacl_SHA2_Types.h
│ │ ├── Hacl_SHA2_Vec128.c
│ │ ├── Hacl_SHA2_Vec128.h
│ │ ├── Hacl_SHA2_Vec256.c
│ │ ├── Hacl_SHA2_Vec256.h
│ │ ├── Hacl_Salsa20.c
│ │ ├── Hacl_Salsa20.h
│ │ ├── Hacl_Spec.h
│ │ ├── Hacl_Streaming_HMAC.c
│ │ ├── Hacl_Streaming_HMAC.h
│ │ ├── Hacl_Streaming_Types.h
│ │ ├── INFO.txt
│ │ ├── Lib_Memzero0.c
│ │ ├── Lib_PrintBuffer.c
│ │ ├── Lib_PrintBuffer.h
│ │ ├── Lib_RandomBuffer_System.c
│ │ ├── Lib_RandomBuffer_System.h
│ │ ├── META
│ │ ├── Makefile
│ │ ├── Makefile.basic
│ │ ├── Makefile.include
│ │ ├── TestLib.h
│ │ ├── Vale.c
│ │ ├── aesgcm-ppc64le.S
│ │ ├── aesgcm-x86_64-darwin.S
│ │ ├── aesgcm-x86_64-linux.S
│ │ ├── aesgcm-x86_64-mingw.S
│ │ ├── aesgcm-x86_64-msvc.asm
│ │ ├── clients/
│ │ │ └── krmlrenamings.h
│ │ ├── configure
│ │ ├── cpuid-x86_64-darwin.S
│ │ ├── cpuid-x86_64-linux.S
│ │ ├── cpuid-x86_64-mingw.S
│ │ ├── cpuid-x86_64-msvc.asm
│ │ ├── ctypes.depend
│ │ ├── curve25519-inline.h
│ │ ├── curve25519-x86_64-darwin.S
│ │ ├── curve25519-x86_64-linux.S
│ │ ├── curve25519-x86_64-mingw.S
│ │ ├── curve25519-x86_64-msvc.asm
│ │ ├── evercrypt_targetconfig.h
│ │ ├── internal/
│ │ │ ├── EverCrypt_AEAD.h
│ │ │ ├── EverCrypt_DRBG.h
│ │ │ ├── EverCrypt_HMAC.h
│ │ │ ├── EverCrypt_Hash.h
│ │ │ ├── Hacl_Bignum.h
│ │ │ ├── Hacl_Bignum25519_51.h
│ │ │ ├── Hacl_Bignum_Base.h
│ │ │ ├── Hacl_Bignum_K256.h
│ │ │ ├── Hacl_Chacha20.h
│ │ │ ├── Hacl_Curve25519_51.h
│ │ │ ├── Hacl_Ed25519.h
│ │ │ ├── Hacl_Ed25519_PrecompTable.h
│ │ │ ├── Hacl_Frodo_KEM.h
│ │ │ ├── Hacl_HMAC.h
│ │ │ ├── Hacl_Hash_Blake2b.h
│ │ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ │ ├── Hacl_Hash_Blake2s.h
│ │ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ │ ├── Hacl_Hash_MD5.h
│ │ │ ├── Hacl_Hash_SHA1.h
│ │ │ ├── Hacl_Hash_SHA2.h
│ │ │ ├── Hacl_Hash_SHA3.h
│ │ │ ├── Hacl_Impl_Blake2_Constants.h
│ │ │ ├── Hacl_Impl_FFDHE_Constants.h
│ │ │ ├── Hacl_K256_ECDSA.h
│ │ │ ├── Hacl_K256_PrecompTable.h
│ │ │ ├── Hacl_Krmllib.h
│ │ │ ├── Hacl_MAC_Poly1305.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ │ ├── Hacl_P256.h
│ │ │ ├── Hacl_P256_PrecompTable.h
│ │ │ ├── Hacl_SHA2_Types.h
│ │ │ ├── Hacl_Spec.h
│ │ │ ├── Hacl_Streaming_HMAC.h
│ │ │ ├── Hacl_Streaming_Types.h
│ │ │ └── Vale.h
│ │ ├── lib/
│ │ │ ├── EverCrypt_AEAD_bindings.ml
│ │ │ ├── EverCrypt_AutoConfig2_bindings.ml
│ │ │ ├── EverCrypt_Chacha20Poly1305_bindings.ml
│ │ │ ├── EverCrypt_Cipher_bindings.ml
│ │ │ ├── EverCrypt_Curve25519_bindings.ml
│ │ │ ├── EverCrypt_DRBG_bindings.ml
│ │ │ ├── EverCrypt_Ed25519_bindings.ml
│ │ │ ├── EverCrypt_Error_bindings.ml
│ │ │ ├── EverCrypt_HKDF_bindings.ml
│ │ │ ├── EverCrypt_HMAC_bindings.ml
│ │ │ ├── EverCrypt_Hash_bindings.ml
│ │ │ ├── EverCrypt_Poly1305_bindings.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128_bindings.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256_bindings.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_bindings.ml
│ │ │ ├── Hacl_Bignum25519_51_bindings.ml
│ │ │ ├── Hacl_Bignum256_32_bindings.ml
│ │ │ ├── Hacl_Bignum256_bindings.ml
│ │ │ ├── Hacl_Bignum32_bindings.ml
│ │ │ ├── Hacl_Bignum4096_32_bindings.ml
│ │ │ ├── Hacl_Bignum4096_bindings.ml
│ │ │ ├── Hacl_Bignum64_bindings.ml
│ │ │ ├── Hacl_Bignum_Base_bindings.ml
│ │ │ ├── Hacl_Bignum_K256_bindings.ml
│ │ │ ├── Hacl_Bignum_bindings.ml
│ │ │ ├── Hacl_Chacha20_Vec128_bindings.ml
│ │ │ ├── Hacl_Chacha20_Vec256_bindings.ml
│ │ │ ├── Hacl_Chacha20_Vec32_bindings.ml
│ │ │ ├── Hacl_Chacha20_bindings.ml
│ │ │ ├── Hacl_Curve25519_51_bindings.ml
│ │ │ ├── Hacl_Curve25519_64_bindings.ml
│ │ │ ├── Hacl_EC_Ed25519_bindings.ml
│ │ │ ├── Hacl_EC_K256_bindings.ml
│ │ │ ├── Hacl_Ed25519_bindings.ml
│ │ │ ├── Hacl_FFDHE_bindings.ml
│ │ │ ├── Hacl_Frodo1344_bindings.ml
│ │ │ ├── Hacl_Frodo640_bindings.ml
│ │ │ ├── Hacl_Frodo64_bindings.ml
│ │ │ ├── Hacl_Frodo976_bindings.ml
│ │ │ ├── Hacl_Frodo_KEM_bindings.ml
│ │ │ ├── Hacl_GenericField32_bindings.ml
│ │ │ ├── Hacl_GenericField64_bindings.ml
│ │ │ ├── Hacl_HKDF_Blake2b_256_bindings.ml
│ │ │ ├── Hacl_HKDF_Blake2s_128_bindings.ml
│ │ │ ├── Hacl_HKDF_bindings.ml
│ │ │ ├── Hacl_HMAC_Blake2b_256_bindings.ml
│ │ │ ├── Hacl_HMAC_Blake2s_128_bindings.ml
│ │ │ ├── Hacl_HMAC_DRBG_bindings.ml
│ │ │ ├── Hacl_HMAC_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP128_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP128_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP256_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP256_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP32_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP32_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP128_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP128_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP256_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP256_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP32_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP32_SHA512_bindings.ml
│ │ │ ├── Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_bindings.ml
│ │ │ ├── Hacl_HPKE_P256_CP128_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_P256_CP256_SHA256_bindings.ml
│ │ │ ├── Hacl_HPKE_P256_CP32_SHA256_bindings.ml
│ │ │ ├── Hacl_Hash_Base_bindings.ml
│ │ │ ├── Hacl_Hash_Blake2b_Simd256_bindings.ml
│ │ │ ├── Hacl_Hash_Blake2b_bindings.ml
│ │ │ ├── Hacl_Hash_Blake2s_Simd128_bindings.ml
│ │ │ ├── Hacl_Hash_Blake2s_bindings.ml
│ │ │ ├── Hacl_Hash_MD5_bindings.ml
│ │ │ ├── Hacl_Hash_SHA1_bindings.ml
│ │ │ ├── Hacl_Hash_SHA2_bindings.ml
│ │ │ ├── Hacl_Hash_SHA3_Simd256_bindings.ml
│ │ │ ├── Hacl_Hash_SHA3_bindings.ml
│ │ │ ├── Hacl_IntTypes_Intrinsics_128_bindings.ml
│ │ │ ├── Hacl_IntTypes_Intrinsics_bindings.ml
│ │ │ ├── Hacl_K256_ECDSA_bindings.ml
│ │ │ ├── Hacl_MAC_Poly1305_Simd128_bindings.ml
│ │ │ ├── Hacl_MAC_Poly1305_Simd256_bindings.ml
│ │ │ ├── Hacl_MAC_Poly1305_bindings.ml
│ │ │ ├── Hacl_NaCl_bindings.ml
│ │ │ ├── Hacl_P256_bindings.ml
│ │ │ ├── Hacl_RSAPSS_bindings.ml
│ │ │ ├── Hacl_SHA2_Types_bindings.ml
│ │ │ ├── Hacl_SHA2_Vec128_bindings.ml
│ │ │ ├── Hacl_SHA2_Vec256_bindings.ml
│ │ │ ├── Hacl_Salsa20_bindings.ml
│ │ │ ├── Hacl_Spec_bindings.ml
│ │ │ ├── Hacl_Streaming_HMAC_bindings.ml
│ │ │ └── Hacl_Streaming_Types_bindings.ml
│ │ ├── lib_gen/
│ │ │ ├── EverCrypt_AEAD_gen.ml
│ │ │ ├── EverCrypt_AutoConfig2_gen.ml
│ │ │ ├── EverCrypt_Chacha20Poly1305_gen.ml
│ │ │ ├── EverCrypt_Cipher_gen.ml
│ │ │ ├── EverCrypt_Curve25519_gen.ml
│ │ │ ├── EverCrypt_DRBG_gen.ml
│ │ │ ├── EverCrypt_Ed25519_gen.ml
│ │ │ ├── EverCrypt_Error_gen.ml
│ │ │ ├── EverCrypt_HKDF_gen.ml
│ │ │ ├── EverCrypt_HMAC_gen.ml
│ │ │ ├── EverCrypt_Hash_gen.ml
│ │ │ ├── EverCrypt_Poly1305_gen.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128_gen.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256_gen.ml
│ │ │ ├── Hacl_AEAD_Chacha20Poly1305_gen.ml
│ │ │ ├── Hacl_Bignum25519_51_gen.ml
│ │ │ ├── Hacl_Bignum256_32_gen.ml
│ │ │ ├── Hacl_Bignum256_gen.ml
│ │ │ ├── Hacl_Bignum32_gen.ml
│ │ │ ├── Hacl_Bignum4096_32_gen.ml
│ │ │ ├── Hacl_Bignum4096_gen.ml
│ │ │ ├── Hacl_Bignum64_gen.ml
│ │ │ ├── Hacl_Bignum_Base_gen.ml
│ │ │ ├── Hacl_Bignum_K256_gen.ml
│ │ │ ├── Hacl_Bignum_gen.ml
│ │ │ ├── Hacl_Chacha20_Vec128_gen.ml
│ │ │ ├── Hacl_Chacha20_Vec256_gen.ml
│ │ │ ├── Hacl_Chacha20_Vec32_gen.ml
│ │ │ ├── Hacl_Chacha20_gen.ml
│ │ │ ├── Hacl_Curve25519_51_gen.ml
│ │ │ ├── Hacl_Curve25519_64_gen.ml
│ │ │ ├── Hacl_EC_Ed25519_gen.ml
│ │ │ ├── Hacl_EC_K256_gen.ml
│ │ │ ├── Hacl_Ed25519_gen.ml
│ │ │ ├── Hacl_FFDHE_gen.ml
│ │ │ ├── Hacl_Frodo1344_gen.ml
│ │ │ ├── Hacl_Frodo640_gen.ml
│ │ │ ├── Hacl_Frodo64_gen.ml
│ │ │ ├── Hacl_Frodo976_gen.ml
│ │ │ ├── Hacl_Frodo_KEM_gen.ml
│ │ │ ├── Hacl_GenericField32_gen.ml
│ │ │ ├── Hacl_GenericField64_gen.ml
│ │ │ ├── Hacl_HKDF_Blake2b_256_gen.ml
│ │ │ ├── Hacl_HKDF_Blake2s_128_gen.ml
│ │ │ ├── Hacl_HKDF_gen.ml
│ │ │ ├── Hacl_HMAC_Blake2b_256_gen.ml
│ │ │ ├── Hacl_HMAC_Blake2s_128_gen.ml
│ │ │ ├── Hacl_HMAC_DRBG_gen.ml
│ │ │ ├── Hacl_HMAC_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP128_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP128_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP256_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP256_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP32_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve51_CP32_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP128_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP128_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP256_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP256_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP32_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_Curve64_CP32_SHA512_gen.ml
│ │ │ ├── Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE_gen.ml
│ │ │ ├── Hacl_HPKE_P256_CP128_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_P256_CP256_SHA256_gen.ml
│ │ │ ├── Hacl_HPKE_P256_CP32_SHA256_gen.ml
│ │ │ ├── Hacl_Hash_Base_gen.ml
│ │ │ ├── Hacl_Hash_Blake2b_Simd256_gen.ml
│ │ │ ├── Hacl_Hash_Blake2b_gen.ml
│ │ │ ├── Hacl_Hash_Blake2s_Simd128_gen.ml
│ │ │ ├── Hacl_Hash_Blake2s_gen.ml
│ │ │ ├── Hacl_Hash_MD5_gen.ml
│ │ │ ├── Hacl_Hash_SHA1_gen.ml
│ │ │ ├── Hacl_Hash_SHA2_gen.ml
│ │ │ ├── Hacl_Hash_SHA3_Simd256_gen.ml
│ │ │ ├── Hacl_Hash_SHA3_gen.ml
│ │ │ ├── Hacl_IntTypes_Intrinsics_128_gen.ml
│ │ │ ├── Hacl_IntTypes_Intrinsics_gen.ml
│ │ │ ├── Hacl_K256_ECDSA_gen.ml
│ │ │ ├── Hacl_MAC_Poly1305_Simd128_gen.ml
│ │ │ ├── Hacl_MAC_Poly1305_Simd256_gen.ml
│ │ │ ├── Hacl_MAC_Poly1305_gen.ml
│ │ │ ├── Hacl_NaCl_gen.ml
│ │ │ ├── Hacl_P256_gen.ml
│ │ │ ├── Hacl_RSAPSS_gen.ml
│ │ │ ├── Hacl_SHA2_Types_gen.ml
│ │ │ ├── Hacl_SHA2_Vec128_gen.ml
│ │ │ ├── Hacl_SHA2_Vec256_gen.ml
│ │ │ ├── Hacl_Salsa20_gen.ml
│ │ │ ├── Hacl_Spec_gen.ml
│ │ │ ├── Hacl_Streaming_HMAC_gen.ml
│ │ │ ├── Hacl_Streaming_Types_gen.ml
│ │ │ └── Lib_RandomBuffer_System_gen.ml
│ │ ├── lib_intrinsics.h
│ │ ├── lib_memzero0.h
│ │ ├── libevercrypt.def
│ │ ├── libintvector-shim.h
│ │ ├── libintvector.h
│ │ ├── poly1305-x86_64-darwin.S
│ │ ├── poly1305-x86_64-linux.S
│ │ ├── poly1305-x86_64-mingw.S
│ │ ├── poly1305-x86_64-msvc.asm
│ │ ├── sha256-ppc64le.S
│ │ ├── sha256-x86_64-darwin.S
│ │ ├── sha256-x86_64-linux.S
│ │ ├── sha256-x86_64-mingw.S
│ │ └── sha256-x86_64-msvc.asm
│ ├── karamel/
│ │ ├── include/
│ │ │ ├── krml/
│ │ │ │ ├── c_endianness.h
│ │ │ │ ├── fstar_int.h
│ │ │ │ ├── internal/
│ │ │ │ │ ├── builtin.h
│ │ │ │ │ ├── callconv.h
│ │ │ │ │ ├── compat.h
│ │ │ │ │ ├── debug.h
│ │ │ │ │ ├── target.h
│ │ │ │ │ ├── types.h
│ │ │ │ │ └── wasmsupport.h
│ │ │ │ └── lowstar_endianness.h
│ │ │ └── krmllib.h
│ │ └── krmllib/
│ │ └── dist/
│ │ └── minimal/
│ │ ├── FStar_UInt128.h
│ │ ├── FStar_UInt128_Verified.h
│ │ ├── FStar_UInt_8_16_32_64.h
│ │ ├── LowStar_Endianness.h
│ │ ├── Makefile.basic
│ │ ├── Makefile.include
│ │ ├── fstar_uint128_gcc64.h
│ │ ├── fstar_uint128_msvc.h
│ │ ├── fstar_uint128_struct_endianness.h
│ │ └── libkrmllib.def
│ ├── mozilla/
│ │ ├── Hacl_AEAD_Chacha20Poly1305.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.h
│ │ ├── Hacl_Bignum.c
│ │ ├── Hacl_Bignum.h
│ │ ├── Hacl_Chacha20.c
│ │ ├── Hacl_Chacha20.h
│ │ ├── Hacl_Chacha20_Vec128.c
│ │ ├── Hacl_Chacha20_Vec128.h
│ │ ├── Hacl_Chacha20_Vec256.c
│ │ ├── Hacl_Chacha20_Vec256.h
│ │ ├── Hacl_Curve25519_51.c
│ │ ├── Hacl_Curve25519_51.h
│ │ ├── Hacl_Curve25519_64.c
│ │ ├── Hacl_Curve25519_64.h
│ │ ├── Hacl_Hash_SHA1.c
│ │ ├── Hacl_Hash_SHA1.h
│ │ ├── Hacl_Hash_SHA2.c
│ │ ├── Hacl_Hash_SHA2.h
│ │ ├── Hacl_Hash_SHA3.c
│ │ ├── Hacl_Hash_SHA3.h
│ │ ├── Hacl_IntTypes_Intrinsics.h
│ │ ├── Hacl_IntTypes_Intrinsics_128.h
│ │ ├── Hacl_Krmllib.h
│ │ ├── Hacl_MAC_Poly1305.c
│ │ ├── Hacl_MAC_Poly1305.h
│ │ ├── Hacl_MAC_Poly1305_Simd128.c
│ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ ├── Hacl_MAC_Poly1305_Simd256.c
│ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ ├── Hacl_P256.c
│ │ ├── Hacl_P256.h
│ │ ├── Hacl_RSAPSS.c
│ │ ├── Hacl_RSAPSS.h
│ │ ├── Hacl_SHA2_Types.h
│ │ ├── Hacl_Spec.h
│ │ ├── Hacl_Streaming_Types.h
│ │ ├── INFO.txt
│ │ ├── Lib_Memzero0.c
│ │ ├── Makefile
│ │ ├── Makefile.basic
│ │ ├── Makefile.include
│ │ ├── TestLib.h
│ │ ├── Vale.c
│ │ ├── configure
│ │ ├── curve25519-inline.h
│ │ ├── curve25519-x86_64-darwin.S
│ │ ├── curve25519-x86_64-linux.S
│ │ ├── curve25519-x86_64-mingw.S
│ │ ├── curve25519-x86_64-msvc.asm
│ │ ├── internal/
│ │ │ ├── Hacl_Bignum.h
│ │ │ ├── Hacl_Bignum25519_51.h
│ │ │ ├── Hacl_Bignum_Base.h
│ │ │ ├── Hacl_Chacha20.h
│ │ │ ├── Hacl_Curve25519_51.h
│ │ │ ├── Hacl_Hash_SHA1.h
│ │ │ ├── Hacl_Hash_SHA2.h
│ │ │ ├── Hacl_Hash_SHA3.h
│ │ │ ├── Hacl_Krmllib.h
│ │ │ ├── Hacl_MAC_Poly1305.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ │ ├── Hacl_P256.h
│ │ │ ├── Hacl_P256_PrecompTable.h
│ │ │ ├── Hacl_SHA2_Types.h
│ │ │ ├── Hacl_Spec.h
│ │ │ ├── Hacl_Streaming_Types.h
│ │ │ └── Vale.h
│ │ ├── lib_intrinsics.h
│ │ ├── lib_memzero0.h
│ │ └── libintvector.h
│ ├── msvc-compatible/
│ │ ├── EverCrypt_AEAD.c
│ │ ├── EverCrypt_AEAD.h
│ │ ├── EverCrypt_AutoConfig2.c
│ │ ├── EverCrypt_AutoConfig2.h
│ │ ├── EverCrypt_Chacha20Poly1305.c
│ │ ├── EverCrypt_Chacha20Poly1305.h
│ │ ├── EverCrypt_Cipher.c
│ │ ├── EverCrypt_Cipher.h
│ │ ├── EverCrypt_Curve25519.c
│ │ ├── EverCrypt_Curve25519.h
│ │ ├── EverCrypt_DRBG.c
│ │ ├── EverCrypt_DRBG.h
│ │ ├── EverCrypt_Ed25519.c
│ │ ├── EverCrypt_Ed25519.h
│ │ ├── EverCrypt_Error.h
│ │ ├── EverCrypt_HKDF.c
│ │ ├── EverCrypt_HKDF.h
│ │ ├── EverCrypt_HMAC.c
│ │ ├── EverCrypt_HMAC.h
│ │ ├── EverCrypt_Hash.c
│ │ ├── EverCrypt_Hash.h
│ │ ├── EverCrypt_Poly1305.c
│ │ ├── EverCrypt_Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.h
│ │ ├── Hacl_AES128.h
│ │ ├── Hacl_Bignum.c
│ │ ├── Hacl_Bignum.h
│ │ ├── Hacl_Bignum256.c
│ │ ├── Hacl_Bignum256.h
│ │ ├── Hacl_Bignum256_32.c
│ │ ├── Hacl_Bignum256_32.h
│ │ ├── Hacl_Bignum32.c
│ │ ├── Hacl_Bignum32.h
│ │ ├── Hacl_Bignum4096.c
│ │ ├── Hacl_Bignum4096.h
│ │ ├── Hacl_Bignum4096_32.c
│ │ ├── Hacl_Bignum4096_32.h
│ │ ├── Hacl_Bignum64.c
│ │ ├── Hacl_Bignum64.h
│ │ ├── Hacl_Chacha20.c
│ │ ├── Hacl_Chacha20.h
│ │ ├── Hacl_Chacha20_Vec128.c
│ │ ├── Hacl_Chacha20_Vec128.h
│ │ ├── Hacl_Chacha20_Vec256.c
│ │ ├── Hacl_Chacha20_Vec256.h
│ │ ├── Hacl_Chacha20_Vec32.c
│ │ ├── Hacl_Chacha20_Vec32.h
│ │ ├── Hacl_Curve25519_51.c
│ │ ├── Hacl_Curve25519_51.h
│ │ ├── Hacl_Curve25519_64.c
│ │ ├── Hacl_Curve25519_64.h
│ │ ├── Hacl_EC_Ed25519.c
│ │ ├── Hacl_EC_Ed25519.h
│ │ ├── Hacl_EC_K256.c
│ │ ├── Hacl_EC_K256.h
│ │ ├── Hacl_Ed25519.c
│ │ ├── Hacl_Ed25519.h
│ │ ├── Hacl_FFDHE.c
│ │ ├── Hacl_FFDHE.h
│ │ ├── Hacl_Frodo1344.c
│ │ ├── Hacl_Frodo1344.h
│ │ ├── Hacl_Frodo64.c
│ │ ├── Hacl_Frodo64.h
│ │ ├── Hacl_Frodo640.c
│ │ ├── Hacl_Frodo640.h
│ │ ├── Hacl_Frodo976.c
│ │ ├── Hacl_Frodo976.h
│ │ ├── Hacl_Frodo_KEM.c
│ │ ├── Hacl_GenericField32.c
│ │ ├── Hacl_GenericField32.h
│ │ ├── Hacl_GenericField64.c
│ │ ├── Hacl_GenericField64.h
│ │ ├── Hacl_HKDF.c
│ │ ├── Hacl_HKDF.h
│ │ ├── Hacl_HKDF_Blake2b_256.c
│ │ ├── Hacl_HKDF_Blake2b_256.h
│ │ ├── Hacl_HKDF_Blake2s_128.c
│ │ ├── Hacl_HKDF_Blake2s_128.h
│ │ ├── Hacl_HMAC.c
│ │ ├── Hacl_HMAC.h
│ │ ├── Hacl_HMAC_Blake2b_256.c
│ │ ├── Hacl_HMAC_Blake2b_256.h
│ │ ├── Hacl_HMAC_Blake2s_128.c
│ │ ├── Hacl_HMAC_Blake2s_128.h
│ │ ├── Hacl_HMAC_DRBG.c
│ │ ├── Hacl_HMAC_DRBG.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.h
│ │ ├── Hacl_Hash_Base.c
│ │ ├── Hacl_Hash_Base.h
│ │ ├── Hacl_Hash_Blake2b.c
│ │ ├── Hacl_Hash_Blake2b.h
│ │ ├── Hacl_Hash_Blake2b_Simd256.c
│ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ ├── Hacl_Hash_Blake2s.c
│ │ ├── Hacl_Hash_Blake2s.h
│ │ ├── Hacl_Hash_Blake2s_Simd128.c
│ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ ├── Hacl_Hash_MD5.c
│ │ ├── Hacl_Hash_MD5.h
│ │ ├── Hacl_Hash_SHA1.c
│ │ ├── Hacl_Hash_SHA1.h
│ │ ├── Hacl_Hash_SHA2.c
│ │ ├── Hacl_Hash_SHA2.h
│ │ ├── Hacl_Hash_SHA3.c
│ │ ├── Hacl_Hash_SHA3.h
│ │ ├── Hacl_Hash_SHA3_Simd256.c
│ │ ├── Hacl_Hash_SHA3_Simd256.h
│ │ ├── Hacl_IntTypes_Intrinsics.h
│ │ ├── Hacl_IntTypes_Intrinsics_128.h
│ │ ├── Hacl_K256_ECDSA.c
│ │ ├── Hacl_K256_ECDSA.h
│ │ ├── Hacl_Krmllib.h
│ │ ├── Hacl_MAC_Poly1305.c
│ │ ├── Hacl_MAC_Poly1305.h
│ │ ├── Hacl_MAC_Poly1305_Simd128.c
│ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ ├── Hacl_MAC_Poly1305_Simd256.c
│ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ ├── Hacl_NaCl.c
│ │ ├── Hacl_NaCl.h
│ │ ├── Hacl_P256.c
│ │ ├── Hacl_P256.h
│ │ ├── Hacl_RSAPSS.c
│ │ ├── Hacl_RSAPSS.h
│ │ ├── Hacl_SHA2_Types.h
│ │ ├── Hacl_SHA2_Vec128.c
│ │ ├── Hacl_SHA2_Vec128.h
│ │ ├── Hacl_SHA2_Vec256.c
│ │ ├── Hacl_SHA2_Vec256.h
│ │ ├── Hacl_Salsa20.c
│ │ ├── Hacl_Salsa20.h
│ │ ├── Hacl_Spec.h
│ │ ├── Hacl_Streaming_HMAC.c
│ │ ├── Hacl_Streaming_HMAC.h
│ │ ├── Hacl_Streaming_Types.h
│ │ ├── INFO.txt
│ │ ├── Lib_Memzero0.c
│ │ ├── Lib_PrintBuffer.c
│ │ ├── Lib_PrintBuffer.h
│ │ ├── Lib_RandomBuffer_System.c
│ │ ├── Lib_RandomBuffer_System.h
│ │ ├── Makefile
│ │ ├── Makefile.basic
│ │ ├── Makefile.include
│ │ ├── TestLib.h
│ │ ├── Vale.c
│ │ ├── aesgcm-ppc64le.S
│ │ ├── aesgcm-x86_64-darwin.S
│ │ ├── aesgcm-x86_64-linux.S
│ │ ├── aesgcm-x86_64-mingw.S
│ │ ├── aesgcm-x86_64-msvc.asm
│ │ ├── clients/
│ │ │ └── krmlrenamings.h
│ │ ├── configure
│ │ ├── cpuid-x86_64-darwin.S
│ │ ├── cpuid-x86_64-linux.S
│ │ ├── cpuid-x86_64-mingw.S
│ │ ├── cpuid-x86_64-msvc.asm
│ │ ├── curve25519-inline.h
│ │ ├── curve25519-x86_64-darwin.S
│ │ ├── curve25519-x86_64-linux.S
│ │ ├── curve25519-x86_64-mingw.S
│ │ ├── curve25519-x86_64-msvc.asm
│ │ ├── evercrypt_targetconfig.h
│ │ ├── internal/
│ │ │ ├── EverCrypt_AEAD.h
│ │ │ ├── EverCrypt_DRBG.h
│ │ │ ├── EverCrypt_HMAC.h
│ │ │ ├── EverCrypt_Hash.h
│ │ │ ├── Hacl_Bignum.h
│ │ │ ├── Hacl_Bignum25519_51.h
│ │ │ ├── Hacl_Bignum_Base.h
│ │ │ ├── Hacl_Bignum_K256.h
│ │ │ ├── Hacl_Chacha20.h
│ │ │ ├── Hacl_Curve25519_51.h
│ │ │ ├── Hacl_Ed25519.h
│ │ │ ├── Hacl_Ed25519_PrecompTable.h
│ │ │ ├── Hacl_Frodo_KEM.h
│ │ │ ├── Hacl_HMAC.h
│ │ │ ├── Hacl_Hash_Blake2b.h
│ │ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ │ ├── Hacl_Hash_Blake2s.h
│ │ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ │ ├── Hacl_Hash_MD5.h
│ │ │ ├── Hacl_Hash_SHA1.h
│ │ │ ├── Hacl_Hash_SHA2.h
│ │ │ ├── Hacl_Hash_SHA3.h
│ │ │ ├── Hacl_Impl_Blake2_Constants.h
│ │ │ ├── Hacl_Impl_FFDHE_Constants.h
│ │ │ ├── Hacl_K256_ECDSA.h
│ │ │ ├── Hacl_K256_PrecompTable.h
│ │ │ ├── Hacl_Krmllib.h
│ │ │ ├── Hacl_MAC_Poly1305.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ │ ├── Hacl_P256.h
│ │ │ ├── Hacl_P256_PrecompTable.h
│ │ │ ├── Hacl_SHA2_Types.h
│ │ │ ├── Hacl_Spec.h
│ │ │ ├── Hacl_Streaming_HMAC.h
│ │ │ ├── Hacl_Streaming_Types.h
│ │ │ └── Vale.h
│ │ ├── lib_intrinsics.h
│ │ ├── lib_memzero0.h
│ │ ├── libevercrypt.def
│ │ ├── libintvector-shim.h
│ │ ├── libintvector.h
│ │ ├── poly1305-x86_64-darwin.S
│ │ ├── poly1305-x86_64-linux.S
│ │ ├── poly1305-x86_64-mingw.S
│ │ ├── poly1305-x86_64-msvc.asm
│ │ ├── sha256-ppc64le.S
│ │ ├── sha256-x86_64-darwin.S
│ │ ├── sha256-x86_64-linux.S
│ │ ├── sha256-x86_64-mingw.S
│ │ └── sha256-x86_64-msvc.asm
│ ├── package-mozilla.sh
│ ├── portable-gcc-compatible/
│ │ ├── EverCrypt_AEAD.c
│ │ ├── EverCrypt_AEAD.h
│ │ ├── EverCrypt_AutoConfig2.c
│ │ ├── EverCrypt_AutoConfig2.h
│ │ ├── EverCrypt_Chacha20Poly1305.c
│ │ ├── EverCrypt_Chacha20Poly1305.h
│ │ ├── EverCrypt_Cipher.c
│ │ ├── EverCrypt_Cipher.h
│ │ ├── EverCrypt_Curve25519.c
│ │ ├── EverCrypt_Curve25519.h
│ │ ├── EverCrypt_DRBG.c
│ │ ├── EverCrypt_DRBG.h
│ │ ├── EverCrypt_Ed25519.c
│ │ ├── EverCrypt_Ed25519.h
│ │ ├── EverCrypt_Error.h
│ │ ├── EverCrypt_HKDF.c
│ │ ├── EverCrypt_HKDF.h
│ │ ├── EverCrypt_HMAC.c
│ │ ├── EverCrypt_HMAC.h
│ │ ├── EverCrypt_Hash.c
│ │ ├── EverCrypt_Hash.h
│ │ ├── EverCrypt_Poly1305.c
│ │ ├── EverCrypt_Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.h
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.c
│ │ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.h
│ │ ├── Hacl_AES128.h
│ │ ├── Hacl_Bignum.c
│ │ ├── Hacl_Bignum.h
│ │ ├── Hacl_Bignum256.c
│ │ ├── Hacl_Bignum256.h
│ │ ├── Hacl_Bignum256_32.c
│ │ ├── Hacl_Bignum256_32.h
│ │ ├── Hacl_Bignum32.c
│ │ ├── Hacl_Bignum32.h
│ │ ├── Hacl_Bignum4096.c
│ │ ├── Hacl_Bignum4096.h
│ │ ├── Hacl_Bignum4096_32.c
│ │ ├── Hacl_Bignum4096_32.h
│ │ ├── Hacl_Bignum64.c
│ │ ├── Hacl_Bignum64.h
│ │ ├── Hacl_Chacha20.c
│ │ ├── Hacl_Chacha20.h
│ │ ├── Hacl_Chacha20_Vec128.c
│ │ ├── Hacl_Chacha20_Vec128.h
│ │ ├── Hacl_Chacha20_Vec256.c
│ │ ├── Hacl_Chacha20_Vec256.h
│ │ ├── Hacl_Chacha20_Vec32.c
│ │ ├── Hacl_Chacha20_Vec32.h
│ │ ├── Hacl_Curve25519_51.c
│ │ ├── Hacl_Curve25519_51.h
│ │ ├── Hacl_Curve25519_64.c
│ │ ├── Hacl_Curve25519_64.h
│ │ ├── Hacl_EC_Ed25519.c
│ │ ├── Hacl_EC_Ed25519.h
│ │ ├── Hacl_EC_K256.c
│ │ ├── Hacl_EC_K256.h
│ │ ├── Hacl_Ed25519.c
│ │ ├── Hacl_Ed25519.h
│ │ ├── Hacl_FFDHE.c
│ │ ├── Hacl_FFDHE.h
│ │ ├── Hacl_Frodo1344.c
│ │ ├── Hacl_Frodo1344.h
│ │ ├── Hacl_Frodo64.c
│ │ ├── Hacl_Frodo64.h
│ │ ├── Hacl_Frodo640.c
│ │ ├── Hacl_Frodo640.h
│ │ ├── Hacl_Frodo976.c
│ │ ├── Hacl_Frodo976.h
│ │ ├── Hacl_Frodo_KEM.c
│ │ ├── Hacl_GenericField32.c
│ │ ├── Hacl_GenericField32.h
│ │ ├── Hacl_GenericField64.c
│ │ ├── Hacl_GenericField64.h
│ │ ├── Hacl_HKDF.c
│ │ ├── Hacl_HKDF.h
│ │ ├── Hacl_HKDF_Blake2b_256.c
│ │ ├── Hacl_HKDF_Blake2b_256.h
│ │ ├── Hacl_HKDF_Blake2s_128.c
│ │ ├── Hacl_HKDF_Blake2s_128.h
│ │ ├── Hacl_HMAC.c
│ │ ├── Hacl_HMAC.h
│ │ ├── Hacl_HMAC_Blake2b_256.c
│ │ ├── Hacl_HMAC_Blake2b_256.h
│ │ ├── Hacl_HMAC_Blake2s_128.c
│ │ ├── Hacl_HMAC_Blake2s_128.h
│ │ ├── Hacl_HMAC_DRBG.c
│ │ ├── Hacl_HMAC_DRBG.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve51_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP128_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP256_SHA512.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA256.h
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.c
│ │ ├── Hacl_HPKE_Curve64_CP32_SHA512.h
│ │ ├── Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP128_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP256_SHA256.h
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.c
│ │ ├── Hacl_HPKE_P256_CP32_SHA256.h
│ │ ├── Hacl_Hash_Base.c
│ │ ├── Hacl_Hash_Base.h
│ │ ├── Hacl_Hash_Blake2b.c
│ │ ├── Hacl_Hash_Blake2b.h
│ │ ├── Hacl_Hash_Blake2b_Simd256.c
│ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ ├── Hacl_Hash_Blake2s.c
│ │ ├── Hacl_Hash_Blake2s.h
│ │ ├── Hacl_Hash_Blake2s_Simd128.c
│ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ ├── Hacl_Hash_MD5.c
│ │ ├── Hacl_Hash_MD5.h
│ │ ├── Hacl_Hash_SHA1.c
│ │ ├── Hacl_Hash_SHA1.h
│ │ ├── Hacl_Hash_SHA2.c
│ │ ├── Hacl_Hash_SHA2.h
│ │ ├── Hacl_Hash_SHA3.c
│ │ ├── Hacl_Hash_SHA3.h
│ │ ├── Hacl_Hash_SHA3_Simd256.c
│ │ ├── Hacl_Hash_SHA3_Simd256.h
│ │ ├── Hacl_IntTypes_Intrinsics.h
│ │ ├── Hacl_IntTypes_Intrinsics_128.h
│ │ ├── Hacl_K256_ECDSA.c
│ │ ├── Hacl_K256_ECDSA.h
│ │ ├── Hacl_Krmllib.h
│ │ ├── Hacl_MAC_Poly1305.c
│ │ ├── Hacl_MAC_Poly1305.h
│ │ ├── Hacl_MAC_Poly1305_Simd128.c
│ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ ├── Hacl_MAC_Poly1305_Simd256.c
│ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ ├── Hacl_NaCl.c
│ │ ├── Hacl_NaCl.h
│ │ ├── Hacl_P256.c
│ │ ├── Hacl_P256.h
│ │ ├── Hacl_RSAPSS.c
│ │ ├── Hacl_RSAPSS.h
│ │ ├── Hacl_SHA2_Types.h
│ │ ├── Hacl_SHA2_Vec128.c
│ │ ├── Hacl_SHA2_Vec128.h
│ │ ├── Hacl_SHA2_Vec256.c
│ │ ├── Hacl_SHA2_Vec256.h
│ │ ├── Hacl_Salsa20.c
│ │ ├── Hacl_Salsa20.h
│ │ ├── Hacl_Spec.h
│ │ ├── Hacl_Streaming_HMAC.c
│ │ ├── Hacl_Streaming_HMAC.h
│ │ ├── Hacl_Streaming_Types.h
│ │ ├── INFO.txt
│ │ ├── Lib_Memzero0.c
│ │ ├── Lib_PrintBuffer.c
│ │ ├── Lib_PrintBuffer.h
│ │ ├── Lib_RandomBuffer_System.c
│ │ ├── Lib_RandomBuffer_System.h
│ │ ├── Makefile
│ │ ├── Makefile.basic
│ │ ├── Makefile.include
│ │ ├── TestLib.h
│ │ ├── Vale.c
│ │ ├── aesgcm-ppc64le.S
│ │ ├── aesgcm-x86_64-darwin.S
│ │ ├── aesgcm-x86_64-linux.S
│ │ ├── aesgcm-x86_64-mingw.S
│ │ ├── aesgcm-x86_64-msvc.asm
│ │ ├── clients/
│ │ │ └── krmlrenamings.h
│ │ ├── configure
│ │ ├── cpuid-x86_64-darwin.S
│ │ ├── cpuid-x86_64-linux.S
│ │ ├── cpuid-x86_64-mingw.S
│ │ ├── cpuid-x86_64-msvc.asm
│ │ ├── curve25519-inline.h
│ │ ├── curve25519-x86_64-darwin.S
│ │ ├── curve25519-x86_64-linux.S
│ │ ├── curve25519-x86_64-mingw.S
│ │ ├── curve25519-x86_64-msvc.asm
│ │ ├── evercrypt_targetconfig.h
│ │ ├── internal/
│ │ │ ├── EverCrypt_AEAD.h
│ │ │ ├── EverCrypt_DRBG.h
│ │ │ ├── EverCrypt_HMAC.h
│ │ │ ├── EverCrypt_Hash.h
│ │ │ ├── Hacl_Bignum.h
│ │ │ ├── Hacl_Bignum25519_51.h
│ │ │ ├── Hacl_Bignum_Base.h
│ │ │ ├── Hacl_Bignum_K256.h
│ │ │ ├── Hacl_Chacha20.h
│ │ │ ├── Hacl_Curve25519_51.h
│ │ │ ├── Hacl_Ed25519.h
│ │ │ ├── Hacl_Ed25519_PrecompTable.h
│ │ │ ├── Hacl_Frodo_KEM.h
│ │ │ ├── Hacl_HMAC.h
│ │ │ ├── Hacl_Hash_Blake2b.h
│ │ │ ├── Hacl_Hash_Blake2b_Simd256.h
│ │ │ ├── Hacl_Hash_Blake2s.h
│ │ │ ├── Hacl_Hash_Blake2s_Simd128.h
│ │ │ ├── Hacl_Hash_MD5.h
│ │ │ ├── Hacl_Hash_SHA1.h
│ │ │ ├── Hacl_Hash_SHA2.h
│ │ │ ├── Hacl_Hash_SHA3.h
│ │ │ ├── Hacl_Impl_Blake2_Constants.h
│ │ │ ├── Hacl_Impl_FFDHE_Constants.h
│ │ │ ├── Hacl_K256_ECDSA.h
│ │ │ ├── Hacl_K256_PrecompTable.h
│ │ │ ├── Hacl_Krmllib.h
│ │ │ ├── Hacl_MAC_Poly1305.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd128.h
│ │ │ ├── Hacl_MAC_Poly1305_Simd256.h
│ │ │ ├── Hacl_P256.h
│ │ │ ├── Hacl_P256_PrecompTable.h
│ │ │ ├── Hacl_SHA2_Types.h
│ │ │ ├── Hacl_Spec.h
│ │ │ ├── Hacl_Streaming_HMAC.h
│ │ │ ├── Hacl_Streaming_Types.h
│ │ │ └── Vale.h
│ │ ├── lib_intrinsics.h
│ │ ├── lib_memzero0.h
│ │ ├── libevercrypt.def
│ │ ├── libintvector-shim.h
│ │ ├── libintvector.h
│ │ ├── poly1305-x86_64-darwin.S
│ │ ├── poly1305-x86_64-linux.S
│ │ ├── poly1305-x86_64-mingw.S
│ │ ├── poly1305-x86_64-msvc.asm
│ │ ├── sha256-ppc64le.S
│ │ ├── sha256-x86_64-darwin.S
│ │ ├── sha256-x86_64-linux.S
│ │ ├── sha256-x86_64-mingw.S
│ │ └── sha256-x86_64-msvc.asm
│ ├── test/
│ │ ├── c/
│ │ │ ├── Hacl_Test_ECDSA.c
│ │ │ ├── Hacl_Test_ECDSA.h
│ │ │ ├── Hacl_Test_HMAC_DRBG.c
│ │ │ ├── Hacl_Test_HMAC_DRBG.h
│ │ │ ├── Hacl_Test_K256.c
│ │ │ ├── Hacl_Test_K256.h
│ │ │ ├── Hacl_Test_SHA2.c
│ │ │ ├── Hacl_Test_SHA2.h
│ │ │ ├── Hacl_Test_SHA3.c
│ │ │ ├── Hacl_Test_SHA3.h
│ │ │ ├── Makefile
│ │ │ ├── Makefile.basic
│ │ │ ├── Makefile.include
│ │ │ ├── Test.c
│ │ │ ├── Test.h
│ │ │ └── internal/
│ │ │ └── Test.h
│ │ └── ml/
│ │ ├── Spec_AES_Test_AutoTest.ml
│ │ ├── Spec_Blake2_Test_AutoTest.ml
│ │ ├── Spec_Box_Test_AutoTest.ml
│ │ ├── Spec_Chacha20Poly1305_Test_AutoTest.ml
│ │ ├── Spec_Chacha20_Test_AutoTest.ml
│ │ ├── Spec_Curve25519_Test_AutoTest.ml
│ │ ├── Spec_Ed25519_Test_AutoTest.ml
│ │ ├── Spec_Frodo_Test_AutoTest.ml
│ │ ├── Spec_HKDF_Test_AutoTest.ml
│ │ ├── Spec_HMAC_DRBG_Test_AutoTest.ml
│ │ ├── Spec_HMAC_Test_AutoTest.ml
│ │ ├── Spec_Hash_Test_AutoTest.ml
│ │ ├── Spec_K256_Test_AutoTest.ml
│ │ ├── Spec_P256_Test_AutoTest.ml
│ │ ├── Spec_Poly1305_Test_AutoTest.ml
│ │ ├── Spec_SHA3_Test_AutoTest.ml
│ │ ├── Spec_Salsa20_Test_AutoTest.ml
│ │ └── Spec_SecretBox_Test_AutoTest.ml
│ ├── vale/
│ │ ├── aesgcm-ppc64le.S
│ │ ├── aesgcm-x86_64-darwin.S
│ │ ├── aesgcm-x86_64-linux.S
│ │ ├── aesgcm-x86_64-mingw.S
│ │ ├── aesgcm-x86_64-msvc.asm
│ │ ├── cpuid-x86_64-darwin.S
│ │ ├── cpuid-x86_64-linux.S
│ │ ├── cpuid-x86_64-mingw.S
│ │ ├── cpuid-x86_64-msvc.asm
│ │ ├── curve25519-inline.h
│ │ ├── curve25519-x86_64-darwin.S
│ │ ├── curve25519-x86_64-linux.S
│ │ ├── curve25519-x86_64-mingw.S
│ │ ├── curve25519-x86_64-msvc.asm
│ │ ├── poly1305-x86_64-darwin.S
│ │ ├── poly1305-x86_64-linux.S
│ │ ├── poly1305-x86_64-mingw.S
│ │ ├── poly1305-x86_64-msvc.asm
│ │ ├── sha256-ppc64le.S
│ │ ├── sha256-x86_64-darwin.S
│ │ ├── sha256-x86_64-linux.S
│ │ ├── sha256-x86_64-mingw.S
│ │ └── sha256-x86_64-msvc.asm
│ └── wasm/
│ ├── EverCrypt.wasm
│ ├── EverCrypt_Hash.wasm
│ ├── EverCrypt_TargetConfig.wasm
│ ├── FStar.wasm
│ ├── Hacl_AEAD_Chacha20Poly1305.wasm
│ ├── Hacl_AEAD_Chacha20Poly1305_Simd128.wasm
│ ├── Hacl_AEAD_Chacha20Poly1305_Simd256.wasm
│ ├── Hacl_Bignum.wasm
│ ├── Hacl_Bignum25519_51.wasm
│ ├── Hacl_Bignum256.wasm
│ ├── Hacl_Bignum256_32.wasm
│ ├── Hacl_Bignum32.wasm
│ ├── Hacl_Bignum4096.wasm
│ ├── Hacl_Bignum4096_32.wasm
│ ├── Hacl_Bignum64.wasm
│ ├── Hacl_Bignum_Base.wasm
│ ├── Hacl_Bignum_K256.wasm
│ ├── Hacl_Chacha20.wasm
│ ├── Hacl_Chacha20_Vec128_Hacl_Chacha20_Vec256.wasm
│ ├── Hacl_Chacha20_Vec32.wasm
│ ├── Hacl_Curve25519_51.wasm
│ ├── Hacl_EC_Ed25519.wasm
│ ├── Hacl_EC_K256.wasm
│ ├── Hacl_Ed25519.wasm
│ ├── Hacl_Ed25519_PrecompTable.wasm
│ ├── Hacl_GenericField32.wasm
│ ├── Hacl_GenericField64.wasm
│ ├── Hacl_HKDF.wasm
│ ├── Hacl_HKDF_Blake2b_256.wasm
│ ├── Hacl_HKDF_Blake2s_128.wasm
│ ├── Hacl_HMAC.wasm
│ ├── Hacl_HMAC_Blake2b_256.wasm
│ ├── Hacl_HMAC_Blake2s_128.wasm
│ ├── Hacl_HMAC_DRBG.wasm
│ ├── Hacl_HPKE_Curve51_CP32_SHA256.wasm
│ ├── Hacl_HPKE_Curve51_CP32_SHA512.wasm
│ ├── Hacl_Hash_Base.wasm
│ ├── Hacl_Hash_Blake2b.wasm
│ ├── Hacl_Hash_Blake2b_Simd256.wasm
│ ├── Hacl_Hash_Blake2s.wasm
│ ├── Hacl_Hash_Blake2s_Simd128.wasm
│ ├── Hacl_Hash_MD5.wasm
│ ├── Hacl_Hash_SHA1.wasm
│ ├── Hacl_Hash_SHA2.wasm
│ ├── Hacl_Hash_SHA3.wasm
│ ├── Hacl_Hash_SHA3_Simd256.wasm
│ ├── Hacl_Impl_Blake2_Constants.wasm
│ ├── Hacl_IntTypes_Intrinsics.wasm
│ ├── Hacl_K256_ECDSA.wasm
│ ├── Hacl_K256_PrecompTable.wasm
│ ├── Hacl_Lib.wasm
│ ├── Hacl_MAC_Poly1305.wasm
│ ├── Hacl_NaCl.wasm
│ ├── Hacl_P256.wasm
│ ├── Hacl_P256_PrecompTable.wasm
│ ├── Hacl_Poly1305_128_Hacl_Poly1305_256_Hacl_Impl_Poly1305.wasm
│ ├── Hacl_SHA2_Vec128.wasm
│ ├── Hacl_SHA2_Vec256.wasm
│ ├── Hacl_Salsa20.wasm
│ ├── Hacl_Streaming_HMAC.wasm
│ ├── INFO.txt
│ ├── LowStar_Endianness.wasm
│ ├── Makefile.basic
│ ├── README
│ ├── Vale.wasm
│ ├── WasmSupport.wasm
│ ├── browser.js
│ ├── layouts.json
│ ├── loader.js
│ ├── main.html
│ ├── main.js
│ └── shell.js
├── doc/
│ ├── API.rst
│ ├── Applications.rst
│ ├── EverCryptAEAD.rst
│ ├── EverCryptAutoConfig.rst
│ ├── EverCryptCTR.rst
│ ├── EverCryptDRBG.rst
│ ├── EverCryptDeprecated.rst
│ ├── EverCryptDoc.rst
│ ├── EverCryptHKDF.rst
│ ├── EverCryptHMAC.rst
│ ├── EverCryptHash.rst
│ ├── EverCryptNonAgile.rst
│ ├── General.rst
│ ├── HaclAEAD.rst
│ ├── HaclDoc.rst
│ ├── HaclECDH.rst
│ ├── HaclHash.rst
│ ├── HaclNaCl.rst
│ ├── HaclSig.rst
│ ├── HaclValeEverCrypt.rst
│ ├── Makefile
│ ├── Obtaining.rst
│ ├── Overview.rst
│ ├── README.md
│ ├── Randomness.rst
│ ├── Supported.rst
│ ├── _static/
│ │ └── .gitignore
│ ├── _templates/
│ │ └── layout.html
│ ├── ci.sh
│ ├── conf.py
│ └── index.rst
├── flake.nix
├── hints/
│ ├── EverCrypt.AEAD.fst.hints
│ ├── EverCrypt.AEAD.fsti.hints
│ ├── EverCrypt.AutoConfig2.fst.hints
│ ├── EverCrypt.AutoConfig2.fsti.hints
│ ├── EverCrypt.CTR.Keys.fst.hints
│ ├── EverCrypt.CTR.Keys.fsti.hints
│ ├── EverCrypt.Chacha20Poly1305.fst.hints
│ ├── EverCrypt.Chacha20Poly1305.fsti.hints
│ ├── EverCrypt.Cipher.fst.hints
│ ├── EverCrypt.Cipher.fsti.hints
│ ├── EverCrypt.Curve25519.fst.hints
│ ├── EverCrypt.Curve25519.fsti.hints
│ ├── EverCrypt.DRBG.fst.hints
│ ├── EverCrypt.DRBG.fsti.hints
│ ├── EverCrypt.Ed25519.fst.hints
│ ├── EverCrypt.Ed25519.fsti.hints
│ ├── EverCrypt.Error.fsti.hints
│ ├── EverCrypt.HKDF.fst.hints
│ ├── EverCrypt.HKDF.fsti.hints
│ ├── EverCrypt.HMAC.fst.hints
│ ├── EverCrypt.HMAC.fsti.hints
│ ├── EverCrypt.Hash.Incremental.Macros.fst.hints
│ ├── EverCrypt.Hash.Incremental.fst.hints
│ ├── EverCrypt.Hash.fst.hints
│ ├── EverCrypt.Hash.fsti.hints
│ ├── EverCrypt.Helpers.fsti.hints
│ ├── EverCrypt.Poly1305.fst.hints
│ ├── EverCrypt.Poly1305.fsti.hints
│ ├── EverCrypt.TargetConfig.fsti.hints
│ ├── Hacl.AES128.fsti.hints
│ ├── Hacl.Agile.Hash.fst.hints
│ ├── Hacl.Agile.Hash.fsti.hints
│ ├── Hacl.Bignum.Addition.fst.hints
│ ├── Hacl.Bignum.AlmostMontExponentiation.fst.hints
│ ├── Hacl.Bignum.AlmostMontgomery.fst.hints
│ ├── Hacl.Bignum.AlmostMontgomery.fsti.hints
│ ├── Hacl.Bignum.Base.fst.hints
│ ├── Hacl.Bignum.Comparison.fst.hints
│ ├── Hacl.Bignum.Convert.fst.hints
│ ├── Hacl.Bignum.Definitions.fst.hints
│ ├── Hacl.Bignum.Exponentiation.fst.hints
│ ├── Hacl.Bignum.Exponentiation.fsti.hints
│ ├── Hacl.Bignum.Karatsuba.fst.hints
│ ├── Hacl.Bignum.Lib.fst.hints
│ ├── Hacl.Bignum.ModInv.fst.hints
│ ├── Hacl.Bignum.ModInvLimb.fst.hints
│ ├── Hacl.Bignum.ModInvLimb.fsti.hints
│ ├── Hacl.Bignum.ModReduction.fst.hints
│ ├── Hacl.Bignum.MontArithmetic.fst.hints
│ ├── Hacl.Bignum.MontArithmetic.fsti.hints
│ ├── Hacl.Bignum.MontExponentiation.fst.hints
│ ├── Hacl.Bignum.Montgomery.fst.hints
│ ├── Hacl.Bignum.Montgomery.fsti.hints
│ ├── Hacl.Bignum.Multiplication.fst.hints
│ ├── Hacl.Bignum.SafeAPI.fst.hints
│ ├── Hacl.Bignum.fst.hints
│ ├── Hacl.Bignum.fsti.hints
│ ├── Hacl.Bignum25519.fst.hints
│ ├── Hacl.Bignum25519.fsti.hints
│ ├── Hacl.Bignum256.fst.hints
│ ├── Hacl.Bignum256.fsti.hints
│ ├── Hacl.Bignum256_32.fst.hints
│ ├── Hacl.Bignum256_32.fsti.hints
│ ├── Hacl.Bignum32.fst.hints
│ ├── Hacl.Bignum32.fsti.hints
│ ├── Hacl.Bignum4096.fst.hints
│ ├── Hacl.Bignum4096.fsti.hints
│ ├── Hacl.Bignum4096_32.fst.hints
│ ├── Hacl.Bignum4096_32.fsti.hints
│ ├── Hacl.Bignum64.fst.hints
│ ├── Hacl.Bignum64.fsti.hints
│ ├── Hacl.Blake2b_256.fst.hints
│ ├── Hacl.Blake2b_32.fst.hints
│ ├── Hacl.Blake2s_128.fst.hints
│ ├── Hacl.Blake2s_32.fst.hints
│ ├── Hacl.Chacha20.Vec128.fst.hints
│ ├── Hacl.Chacha20.Vec256.fst.hints
│ ├── Hacl.Chacha20.Vec32.fst.hints
│ ├── Hacl.Chacha20.fst.hints
│ ├── Hacl.Chacha20Poly1305_128.fst.hints
│ ├── Hacl.Chacha20Poly1305_256.fst.hints
│ ├── Hacl.Chacha20Poly1305_32.fst.hints
│ ├── Hacl.Curve25519_51.fst.hints
│ ├── Hacl.Curve25519_51.fsti.hints
│ ├── Hacl.Curve25519_64.fst.hints
│ ├── Hacl.Curve25519_64.fsti.hints
│ ├── Hacl.Curve25519_64_Local.fst.hints
│ ├── Hacl.Curve25519_64_Local.fsti.hints
│ ├── Hacl.Curve25519_64_Slow.fst.hints
│ ├── Hacl.Curve25519_64_Slow.fsti.hints
│ ├── Hacl.EC.Ed25519.fst.hints
│ ├── Hacl.EC.K256.fst.hints
│ ├── Hacl.Ed25519.PrecompTable.fst.hints
│ ├── Hacl.Ed25519.PrecompTable.fsti.hints
│ ├── Hacl.Ed25519.fst.hints
│ ├── Hacl.Ed25519.fsti.hints
│ ├── Hacl.FFDHE.fst.hints
│ ├── Hacl.Frodo.KEM.fst.hints
│ ├── Hacl.Frodo.Random.fst.hints
│ ├── Hacl.Frodo.Random.fsti.hints
│ ├── Hacl.Frodo1344.fst.hints
│ ├── Hacl.Frodo64.fst.hints
│ ├── Hacl.Frodo640.fst.hints
│ ├── Hacl.Frodo976.fst.hints
│ ├── Hacl.GenericField32.fst.hints
│ ├── Hacl.GenericField32.fsti.hints
│ ├── Hacl.GenericField64.fst.hints
│ ├── Hacl.GenericField64.fsti.hints
│ ├── Hacl.HKDF.Blake2b_256.fst.hints
│ ├── Hacl.HKDF.Blake2s_128.fst.hints
│ ├── Hacl.HKDF.fst.hints
│ ├── Hacl.HKDF.fsti.hints
│ ├── Hacl.HMAC.Blake2b_256.fst.hints
│ ├── Hacl.HMAC.Blake2s_128.fst.hints
│ ├── Hacl.HMAC.fst.hints
│ ├── Hacl.HMAC.fsti.hints
│ ├── Hacl.HMAC_DRBG.fst.hints
│ ├── Hacl.HMAC_DRBG.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP128_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve51_CP128_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP128_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve51_CP128_SHA512.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP256_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve51_CP256_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP256_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve51_CP256_SHA512.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP32_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve51_CP32_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve51_CP32_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve51_CP32_SHA512.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP128_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve64_CP128_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP128_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve64_CP128_SHA512.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP256_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve64_CP256_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP256_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve64_CP256_SHA512.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP32_SHA256.fst.hints
│ ├── Hacl.HPKE.Curve64_CP32_SHA256.fsti.hints
│ ├── Hacl.HPKE.Curve64_CP32_SHA512.fst.hints
│ ├── Hacl.HPKE.Curve64_CP32_SHA512.fsti.hints
│ ├── Hacl.HPKE.Interface.AEAD.fst.hints
│ ├── Hacl.HPKE.Interface.AEAD.fsti.hints
│ ├── Hacl.HPKE.Interface.DH.fst.hints
│ ├── Hacl.HPKE.Interface.HKDF.fst.hints
│ ├── Hacl.HPKE.Interface.Hash.fst.hints
│ ├── Hacl.HPKE.P256_CP128_SHA256.fst.hints
│ ├── Hacl.HPKE.P256_CP128_SHA256.fsti.hints
│ ├── Hacl.HPKE.P256_CP256_SHA256.fst.hints
│ ├── Hacl.HPKE.P256_CP256_SHA256.fsti.hints
│ ├── Hacl.HPKE.P256_CP32_SHA256.fst.hints
│ ├── Hacl.HPKE.P256_CP32_SHA256.fsti.hints
│ ├── Hacl.Hash.Blake2b_256.fst.hints
│ ├── Hacl.Hash.Blake2b_256.fsti.hints
│ ├── Hacl.Hash.Blake2b_32.fst.hints
│ ├── Hacl.Hash.Blake2b_32.fsti.hints
│ ├── Hacl.Hash.Blake2s_128.fst.hints
│ ├── Hacl.Hash.Blake2s_128.fsti.hints
│ ├── Hacl.Hash.Blake2s_32.fst.hints
│ ├── Hacl.Hash.Blake2s_32.fsti.hints
│ ├── Hacl.Hash.Core.MD5.fst.hints
│ ├── Hacl.Hash.Core.MD5.fsti.hints
│ ├── Hacl.Hash.Core.SHA1.fst.hints
│ ├── Hacl.Hash.Core.SHA1.fsti.hints
│ ├── Hacl.Hash.Definitions.fst.hints
│ ├── Hacl.Hash.Lemmas.fst.hints
│ ├── Hacl.Hash.MD.fst.hints
│ ├── Hacl.Hash.MD.fsti.hints
│ ├── Hacl.Hash.MD5.fst.hints
│ ├── Hacl.Hash.MD5.fsti.hints
│ ├── Hacl.Hash.PadFinish.fst.hints
│ ├── Hacl.Hash.PadFinish.fsti.hints
│ ├── Hacl.Hash.SHA1.fst.hints
│ ├── Hacl.Hash.SHA1.fsti.hints
│ ├── Hacl.Hash.SHA2.fst.hints
│ ├── Hacl.Hash.SHA2.fsti.hints
│ ├── Hacl.Hash.SHA3.Scalar.fst.hints
│ ├── Hacl.Hash.SHA3.Simd256.fst.hints
│ ├── Hacl.Hash.SHA3.fst.hints
│ ├── Hacl.Hash.SHA3.fsti.hints
│ ├── Hacl.Impl.BignumQ.Mul.fst.hints
│ ├── Hacl.Impl.BignumQ.Mul.fsti.hints
│ ├── Hacl.Impl.Blake2.Constants.fst.hints
│ ├── Hacl.Impl.Blake2.Core.fst.hints
│ ├── Hacl.Impl.Blake2.Core.fsti.hints
│ ├── Hacl.Impl.Blake2.Generic.fst.hints
│ ├── Hacl.Impl.Box.fst.hints
│ ├── Hacl.Impl.Chacha20.Core32.fst.hints
│ ├── Hacl.Impl.Chacha20.Core32xN.fst.hints
│ ├── Hacl.Impl.Chacha20.Vec.fst.hints
│ ├── Hacl.Impl.Chacha20.fst.hints
│ ├── Hacl.Impl.Chacha20Poly1305.PolyCore.fst.hints
│ ├── Hacl.Impl.Chacha20Poly1305.fst.hints
│ ├── Hacl.Impl.Curve25519.AddAndDouble.fst.hints
│ ├── Hacl.Impl.Curve25519.Field51.fst.hints
│ ├── Hacl.Impl.Curve25519.Field64.Hacl.fst.hints
│ ├── Hacl.Impl.Curve25519.Field64.Hacl.fsti.hints
│ ├── Hacl.Impl.Curve25519.Field64.Local.fsti.hints
│ ├── Hacl.Impl.Curve25519.Field64.Vale.fst.hints
│ ├── Hacl.Impl.Curve25519.Field64.Vale.fsti.hints
│ ├── Hacl.Impl.Curve25519.Field64.fst.hints
│ ├── Hacl.Impl.Curve25519.Fields.Core.fsti.hints
│ ├── Hacl.Impl.Curve25519.Fields.fst.hints
│ ├── Hacl.Impl.Curve25519.Finv.fst.hints
│ ├── Hacl.Impl.Curve25519.Generic.fst.hints
│ ├── Hacl.Impl.Curve25519.Generic.fsti.hints
│ ├── Hacl.Impl.Curve25519.Lemmas.fst.hints
│ ├── Hacl.Impl.Ed25519.Field51.fst.hints
│ ├── Hacl.Impl.Ed25519.Group.fst.hints
│ ├── Hacl.Impl.Ed25519.Ladder.fst.hints
│ ├── Hacl.Impl.Ed25519.Ladder.fsti.hints
│ ├── Hacl.Impl.Ed25519.PointAdd.fst.hints
│ ├── Hacl.Impl.Ed25519.PointCompress.fst.hints
│ ├── Hacl.Impl.Ed25519.PointConstants.fst.hints
│ ├── Hacl.Impl.Ed25519.PointDecompress.fst.hints
│ ├── Hacl.Impl.Ed25519.PointDouble.fst.hints
│ ├── Hacl.Impl.Ed25519.PointEqual.fst.hints
│ ├── Hacl.Impl.Ed25519.PointNegate.fst.hints
│ ├── Hacl.Impl.Ed25519.Pow2_252m2.fst.hints
│ ├── Hacl.Impl.Ed25519.RecoverX.fst.hints
│ ├── Hacl.Impl.Ed25519.Sign.fst.hints
│ ├── Hacl.Impl.Ed25519.Verify.fst.hints
│ ├── Hacl.Impl.Exponentiation.Definitions.fst.hints
│ ├── Hacl.Impl.Exponentiation.fst.hints
│ ├── Hacl.Impl.Exponentiation.fsti.hints
│ ├── Hacl.Impl.FFDHE.Constants.fst.hints
│ ├── Hacl.Impl.FFDHE.fst.hints
│ ├── Hacl.Impl.Frodo.Encode.fst.hints
│ ├── Hacl.Impl.Frodo.Gen.fst.hints
│ ├── Hacl.Impl.Frodo.KEM.Decaps.fst.hints
│ ├── Hacl.Impl.Frodo.KEM.Encaps.fst.hints
│ ├── Hacl.Impl.Frodo.KEM.KeyGen.fst.hints
│ ├── Hacl.Impl.Frodo.KEM.fst.hints
│ ├── Hacl.Impl.Frodo.Pack.fst.hints
│ ├── Hacl.Impl.Frodo.Params.fst.hints
│ ├── Hacl.Impl.Frodo.Sample.fst.hints
│ ├── Hacl.Impl.HPKE.fst.hints
│ ├── Hacl.Impl.HPKE.fsti.hints
│ ├── Hacl.Impl.HSalsa20.fst.hints
│ ├── Hacl.Impl.K256.Finv.fst.hints
│ ├── Hacl.Impl.K256.GLV.Constants.fst.hints
│ ├── Hacl.Impl.K256.GLV.Constants.fsti.hints
│ ├── Hacl.Impl.K256.GLV.fst.hints
│ ├── Hacl.Impl.K256.GLV.fsti.hints
│ ├── Hacl.Impl.K256.Group.fst.hints
│ ├── Hacl.Impl.K256.Point.fst.hints
│ ├── Hacl.Impl.K256.Point.fsti.hints
│ ├── Hacl.Impl.K256.PointAdd.fst.hints
│ ├── Hacl.Impl.K256.PointDouble.fst.hints
│ ├── Hacl.Impl.K256.PointMul.fst.hints
│ ├── Hacl.Impl.K256.PointMul.fsti.hints
│ ├── Hacl.Impl.K256.Qinv.fst.hints
│ ├── Hacl.Impl.K256.Sign.fst.hints
│ ├── Hacl.Impl.K256.Verify.fst.hints
│ ├── Hacl.Impl.Lib.fst.hints
│ ├── Hacl.Impl.Load56.fst.hints
│ ├── Hacl.Impl.Matrix.fst.hints
│ ├── Hacl.Impl.MultiExponentiation.fst.hints
│ ├── Hacl.Impl.MultiExponentiation.fsti.hints
│ ├── Hacl.Impl.P256.Bignum.fst.hints
│ ├── Hacl.Impl.P256.Bignum.fsti.hints
│ ├── Hacl.Impl.P256.Compression.fst.hints
│ ├── Hacl.Impl.P256.Compression.fsti.hints
│ ├── Hacl.Impl.P256.Constants.fst.hints
│ ├── Hacl.Impl.P256.DH.fst.hints
│ ├── Hacl.Impl.P256.DH.fsti.hints
│ ├── Hacl.Impl.P256.Field.fst.hints
│ ├── Hacl.Impl.P256.Field.fsti.hints
│ ├── Hacl.Impl.P256.Finv.fst.hints
│ ├── Hacl.Impl.P256.Finv.fsti.hints
│ ├── Hacl.Impl.P256.Group.fst.hints
│ ├── Hacl.Impl.P256.Point.fst.hints
│ ├── Hacl.Impl.P256.Point.fsti.hints
│ ├── Hacl.Impl.P256.PointAdd.fst.hints
│ ├── Hacl.Impl.P256.PointAdd.fsti.hints
│ ├── Hacl.Impl.P256.PointDouble.fst.hints
│ ├── Hacl.Impl.P256.PointDouble.fsti.hints
│ ├── Hacl.Impl.P256.PointMul.fst.hints
│ ├── Hacl.Impl.P256.PointMul.fsti.hints
│ ├── Hacl.Impl.P256.Qinv.fst.hints
│ ├── Hacl.Impl.P256.Qinv.fsti.hints
│ ├── Hacl.Impl.P256.Scalar.fst.hints
│ ├── Hacl.Impl.P256.Scalar.fsti.hints
│ ├── Hacl.Impl.P256.Sign.fst.hints
│ ├── Hacl.Impl.P256.Verify.fst.hints
│ ├── Hacl.Impl.Poly1305.Bignum128.fst.hints
│ ├── Hacl.Impl.Poly1305.Bignum128.fsti.hints
│ ├── Hacl.Impl.Poly1305.Field32xN.fst.hints
│ ├── Hacl.Impl.Poly1305.Field32xN_128.fst.hints
│ ├── Hacl.Impl.Poly1305.Field32xN_256.fst.hints
│ ├── Hacl.Impl.Poly1305.Field32xN_32.fst.hints
│ ├── Hacl.Impl.Poly1305.Fields.fst.hints
│ ├── Hacl.Impl.Poly1305.Lemmas.fst.hints
│ ├── Hacl.Impl.Poly1305.Lemmas.fsti.hints
│ ├── Hacl.Impl.Poly1305.fst.hints
│ ├── Hacl.Impl.Poly1305.fsti.hints
│ ├── Hacl.Impl.PrecompTable.fst.hints
│ ├── Hacl.Impl.PrecompTable.fsti.hints
│ ├── Hacl.Impl.RSAPSS.Keys.fst.hints
│ ├── Hacl.Impl.RSAPSS.MGF.fst.hints
│ ├── Hacl.Impl.RSAPSS.Padding.fst.hints
│ ├── Hacl.Impl.RSAPSS.fst.hints
│ ├── Hacl.Impl.SHA2.Core.fst.hints
│ ├── Hacl.Impl.SHA2.Generic.fst.hints
│ ├── Hacl.Impl.SHA2.Types.fst.hints
│ ├── Hacl.Impl.SHA3.Vec.fst.hints
│ ├── Hacl.Impl.SHA3.Vec.fsti.hints
│ ├── Hacl.Impl.SHA512.ModQ.fst.hints
│ ├── Hacl.Impl.Salsa20.Core32.fst.hints
│ ├── Hacl.Impl.Salsa20.fst.hints
│ ├── Hacl.Impl.SecretBox.fst.hints
│ ├── Hacl.Impl.Store56.fst.hints
│ ├── Hacl.IntTypes.Intrinsics.fst.hints
│ ├── Hacl.IntTypes.Intrinsics_128.fst.hints
│ ├── Hacl.K256.ECDSA.fst.hints
│ ├── Hacl.K256.ECDSA.fsti.hints
│ ├── Hacl.K256.Field.fst.hints
│ ├── Hacl.K256.Field.fsti.hints
│ ├── Hacl.K256.PrecompTable.fst.hints
│ ├── Hacl.K256.PrecompTable.fsti.hints
│ ├── Hacl.K256.Scalar.fst.hints
│ ├── Hacl.K256.Scalar.fsti.hints
│ ├── Hacl.Keccak.fst.hints
│ ├── Hacl.Keccak.fsti.hints
│ ├── Hacl.Meta.Chacha20.Vec.fst.hints
│ ├── Hacl.Meta.Chacha20Poly1305.fst.hints
│ ├── Hacl.Meta.Curve25519.fst.hints
│ ├── Hacl.Meta.Curve25519.fsti.hints
│ ├── Hacl.Meta.HPKE.fst.hints
│ ├── Hacl.Meta.HPKE.fsti.hints
│ ├── Hacl.Meta.Poly1305.fst.hints
│ ├── Hacl.Meta.Poly1305.fsti.hints
│ ├── Hacl.NaCl.fst.hints
│ ├── Hacl.P256.PrecompTable.fst.hints
│ ├── Hacl.P256.PrecompTable.fsti.hints
│ ├── Hacl.P256.fst.hints
│ ├── Hacl.P256.fsti.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas0.fst.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas0.fsti.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas1.fst.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas1.fsti.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas2.fst.hints
│ ├── Hacl.Poly1305.Field32xN.Lemmas2.fsti.hints
│ ├── Hacl.Poly1305_128.fst.hints
│ ├── Hacl.Poly1305_128.fsti.hints
│ ├── Hacl.Poly1305_256.fst.hints
│ ├── Hacl.Poly1305_256.fsti.hints
│ ├── Hacl.Poly1305_32.fst.hints
│ ├── Hacl.Poly1305_32.fsti.hints
│ ├── Hacl.RSAPSS.fst.hints
│ ├── Hacl.SHA2.Scalar32.Lemmas.fst.hints
│ ├── Hacl.SHA2.Scalar32.fst.hints
│ ├── Hacl.SHA2.Vec128.fst.hints
│ ├── Hacl.SHA2.Vec256.fst.hints
│ ├── Hacl.Salsa20.fst.hints
│ ├── Hacl.Spec.AlmostMontgomery.Lemmas.fst.hints
│ ├── Hacl.Spec.Bignum.Addition.fst.hints
│ ├── Hacl.Spec.Bignum.AlmostMontExponentiation.fst.hints
│ ├── Hacl.Spec.Bignum.AlmostMontgomery.fst.hints
│ ├── Hacl.Spec.Bignum.AlmostMontgomery.fsti.hints
│ ├── Hacl.Spec.Bignum.Base.fst.hints
│ ├── Hacl.Spec.Bignum.Comparison.fst.hints
│ ├── Hacl.Spec.Bignum.Convert.fst.hints
│ ├── Hacl.Spec.Bignum.Definitions.fst.hints
│ ├── Hacl.Spec.Bignum.Exponentiation.fst.hints
│ ├── Hacl.Spec.Bignum.Exponentiation.fsti.hints
│ ├── Hacl.Spec.Bignum.Karatsuba.fst.hints
│ ├── Hacl.Spec.Bignum.Lib.fst.hints
│ ├── Hacl.Spec.Bignum.ModInv.fst.hints
│ ├── Hacl.Spec.Bignum.ModInvLimb.fst.hints
│ ├── Hacl.Spec.Bignum.ModInvLimb.fsti.hints
│ ├── Hacl.Spec.Bignum.ModReduction.fst.hints
│ ├── Hacl.Spec.Bignum.MontArithmetic.fst.hints
│ ├── Hacl.Spec.Bignum.MontArithmetic.fsti.hints
│ ├── Hacl.Spec.Bignum.MontExponentiation.fst.hints
│ ├── Hacl.Spec.Bignum.Montgomery.fst.hints
│ ├── Hacl.Spec.Bignum.Montgomery.fsti.hints
│ ├── Hacl.Spec.Bignum.Multiplication.fst.hints
│ ├── Hacl.Spec.Bignum.Squaring.fst.hints
│ ├── Hacl.Spec.Bignum.fst.hints
│ ├── Hacl.Spec.Bignum.fsti.hints
│ ├── Hacl.Spec.BignumQ.Definitions.fst.hints
│ ├── Hacl.Spec.BignumQ.Lemmas.fst.hints
│ ├── Hacl.Spec.BignumQ.Mul.fst.hints
│ ├── Hacl.Spec.Chacha20.Equiv.fst.hints
│ ├── Hacl.Spec.Chacha20.Lemmas.fst.hints
│ ├── Hacl.Spec.Chacha20.Vec.fst.hints
│ ├── Hacl.Spec.Curve25519.AddAndDouble.fst.hints
│ ├── Hacl.Spec.Curve25519.Field51.Definition.fst.hints
│ ├── Hacl.Spec.Curve25519.Field51.Lemmas.fst.hints
│ ├── Hacl.Spec.Curve25519.Field51.fst.hints
│ ├── Hacl.Spec.Curve25519.Field64.Core.fst.hints
│ ├── Hacl.Spec.Curve25519.Field64.Definition.fst.hints
│ ├── Hacl.Spec.Curve25519.Field64.Lemmas.fst.hints
│ ├── Hacl.Spec.Curve25519.Field64.fst.hints
│ ├── Hacl.Spec.Curve25519.Finv.fst.hints
│ ├── Hacl.Spec.Ed25519.PrecompTable.fst.hints
│ ├── Hacl.Spec.Ed25519.PrecompTable.fsti.hints
│ ├── Hacl.Spec.Exponentiation.Lemmas.fst.hints
│ ├── Hacl.Spec.FFDHE.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.ECSM.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.Field52.Definitions.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.Field52.Definitions.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas.fsti.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas1.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas2.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas3.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas4.fst.hints
│ ├── Hacl.Spec.K256.Field52.Lemmas5.fst.hints
│ ├── Hacl.Spec.K256.Field52.fst.hints
│ ├── Hacl.Spec.K256.Finv.fst.hints
│ ├── Hacl.Spec.K256.GLV.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.GLV.fst.hints
│ ├── Hacl.Spec.K256.MathLemmas.fst.hints
│ ├── Hacl.Spec.K256.PrecompTable.fst.hints
│ ├── Hacl.Spec.K256.PrecompTable.fsti.hints
│ ├── Hacl.Spec.K256.Qinv.fst.hints
│ ├── Hacl.Spec.K256.Scalar.Lemmas.fst.hints
│ ├── Hacl.Spec.K256.Scalar.fst.hints
│ ├── Hacl.Spec.Karatsuba.Lemmas.fst.hints
│ ├── Hacl.Spec.Lib.fst.hints
│ ├── Hacl.Spec.Montgomery.Lemmas.fst.hints
│ ├── Hacl.Spec.P256.Finv.fst.hints
│ ├── Hacl.Spec.P256.Montgomery.fst.hints
│ ├── Hacl.Spec.P256.Montgomery.fsti.hints
│ ├── Hacl.Spec.P256.PrecompTable.fst.hints
│ ├── Hacl.Spec.P256.PrecompTable.fsti.hints
│ ├── Hacl.Spec.P256.Qinv.fst.hints
│ ├── Hacl.Spec.Poly1305.Equiv.fst.hints
│ ├── Hacl.Spec.Poly1305.Equiv.fsti.hints
│ ├── Hacl.Spec.Poly1305.Field32xN.Lemmas.fst.hints
│ ├── Hacl.Spec.Poly1305.Field32xN.fst.hints
│ ├── Hacl.Spec.Poly1305.Lemmas.fst.hints
│ ├── Hacl.Spec.Poly1305.Vec.fst.hints
│ ├── Hacl.Spec.PrecompBaseTable.fst.hints
│ ├── Hacl.Spec.PrecompBaseTable.fsti.hints
│ ├── Hacl.Spec.PrecompBaseTable256.fst.hints
│ ├── Hacl.Spec.PrecompBaseTable256.fsti.hints
│ ├── Hacl.Spec.PrecompTable.fst.hints
│ ├── Hacl.Spec.RSAPSS.fst.hints
│ ├── Hacl.Spec.SHA2.Equiv.fst.hints
│ ├── Hacl.Spec.SHA2.EquivScalar.fst.hints
│ ├── Hacl.Spec.SHA2.EquivScalar.fsti.hints
│ ├── Hacl.Spec.SHA2.Lemmas.fst.hints
│ ├── Hacl.Spec.SHA2.Vec.fst.hints
│ ├── Hacl.Spec.SHA2.fst.hints
│ ├── Hacl.Spec.SHA3.Equiv.fst.hints
│ ├── Hacl.Spec.SHA3.Equiv.fsti.hints
│ ├── Hacl.Spec.SHA3.Lemmas.fst.hints
│ ├── Hacl.Spec.SHA3.Vec.Common.fst.hints
│ ├── Hacl.Spec.SHA3.Vec.fst.hints
│ ├── Hacl.Streaming.Blake2.Common.fst.hints
│ ├── Hacl.Streaming.Blake2.Params.fst.hints
│ ├── Hacl.Streaming.Blake2.Params.fsti.hints
│ ├── Hacl.Streaming.Blake2b_256.fst.hints
│ ├── Hacl.Streaming.Blake2b_32.fst.hints
│ ├── Hacl.Streaming.Blake2s_128.fst.hints
│ ├── Hacl.Streaming.Blake2s_32.fst.hints
│ ├── Hacl.Streaming.Functor.fst.hints
│ ├── Hacl.Streaming.Functor.fsti.hints
│ ├── Hacl.Streaming.HMAC.Definitions.fst.hints
│ ├── Hacl.Streaming.HMAC.Definitions.fsti.hints
│ ├── Hacl.Streaming.HMAC.fst.hints
│ ├── Hacl.Streaming.Interface.fsti.hints
│ ├── Hacl.Streaming.Keccak.fst.hints
│ ├── Hacl.Streaming.MD.fst.hints
│ ├── Hacl.Streaming.MD5.fst.hints
│ ├── Hacl.Streaming.Poly1305.fst.hints
│ ├── Hacl.Streaming.Poly1305_128.fst.hints
│ ├── Hacl.Streaming.Poly1305_128.fsti.hints
│ ├── Hacl.Streaming.Poly1305_256.fst.hints
│ ├── Hacl.Streaming.Poly1305_256.fsti.hints
│ ├── Hacl.Streaming.Poly1305_32.fst.hints
│ ├── Hacl.Streaming.Poly1305_32.fsti.hints
│ ├── Hacl.Streaming.SHA1.fst.hints
│ ├── Hacl.Streaming.SHA2.fst.hints
│ ├── Hacl.Streaming.Spec.fst.hints
│ ├── Hacl.Streaming.Types.fst.hints
│ ├── Hacl.Test.ECDSA.fst.hints
│ ├── Hacl.Test.Ed25519.fst.hints
│ ├── Hacl.Test.HMAC_DRBG.fst.hints
│ ├── Hacl.Test.K256.fst.hints
│ ├── Hacl.Test.SHA2.fst.hints
│ ├── Hacl.Test.SHA3.fst.hints
│ ├── Lib.Buffer.fst.hints
│ ├── Lib.Buffer.fsti.hints
│ ├── Lib.ByteBuffer.fst.hints
│ ├── Lib.ByteBuffer.fsti.hints
│ ├── Lib.ByteSequence.fst.hints
│ ├── Lib.ByteSequence.fsti.hints
│ ├── Lib.Exponentiation.Definition.fst.hints
│ ├── Lib.Exponentiation.Definition.fsti.hints
│ ├── Lib.Exponentiation.fst.hints
│ ├── Lib.Exponentiation.fsti.hints
│ ├── Lib.IntTypes.Compatibility.fst.hints
│ ├── Lib.IntTypes.Intrinsics.fsti.hints
│ ├── Lib.IntTypes.fst.hints
│ ├── Lib.IntTypes.fsti.hints
│ ├── Lib.IntVector.Intrinsics.fsti.hints
│ ├── Lib.IntVector.Serialize.fst.hints
│ ├── Lib.IntVector.Serialize.fsti.hints
│ ├── Lib.IntVector.Transpose.fst.hints
│ ├── Lib.IntVector.Transpose.fsti.hints
│ ├── Lib.IntVector.fst.hints
│ ├── Lib.IntVector.fsti.hints
│ ├── Lib.LoopCombinators.fst.hints
│ ├── Lib.LoopCombinators.fsti.hints
│ ├── Lib.Loops.fst.hints
│ ├── Lib.Loops.fsti.hints
│ ├── Lib.Memzero0.fsti.hints
│ ├── Lib.Meta.fst.hints
│ ├── Lib.MultiBuffer.fst.hints
│ ├── Lib.NTuple.fst.hints
│ ├── Lib.NTuple.fsti.hints
│ ├── Lib.NatMod.fst.hints
│ ├── Lib.NatMod.fsti.hints
│ ├── Lib.PrintBuffer.fsti.hints
│ ├── Lib.PrintSequence.fst.hints
│ ├── Lib.PrintSequence.fsti.hints
│ ├── Lib.RandomBuffer.System.fsti.hints
│ ├── Lib.RandomSequence.fsti.hints
│ ├── Lib.RawIntTypes.fst.hints
│ ├── Lib.RawIntTypes.fsti.hints
│ ├── Lib.Sequence.Lemmas.fst.hints
│ ├── Lib.Sequence.Lemmas.fsti.hints
│ ├── Lib.Sequence.fst.hints
│ ├── Lib.Sequence.fsti.hints
│ ├── Lib.UpdateMulti.Lemmas.fst.hints
│ ├── Lib.UpdateMulti.Lemmas.fsti.hints
│ ├── Lib.UpdateMulti.fst.hints
│ ├── Lib.Vec.Lemmas.fst.hints
│ ├── Lib.Vec.Lemmas.fsti.hints
│ ├── Meta.Attribute.fst.hints
│ ├── Meta.Interface.fst.hints
│ ├── Spec.AES.Test.fst.hints
│ ├── Spec.AES.fst.hints
│ ├── Spec.Agile.AEAD.fst.hints
│ ├── Spec.Agile.AEAD.fsti.hints
│ ├── Spec.Agile.CTR.fst.hints
│ ├── Spec.Agile.Cipher.fst.hints
│ ├── Spec.Agile.Cipher.fsti.hints
│ ├── Spec.Agile.DH.fst.hints
│ ├── Spec.Agile.HKDF.fst.hints
│ ├── Spec.Agile.HKDF.fsti.hints
│ ├── Spec.Agile.HMAC.fst.hints
│ ├── Spec.Agile.HMAC.fsti.hints
│ ├── Spec.Agile.HPKE.fst.hints
│ ├── Spec.Agile.HPKE.fsti.hints
│ ├── Spec.Agile.Hash.fst.hints
│ ├── Spec.Agile.Hash.fsti.hints
│ ├── Spec.Blake2.Alternative.fst.hints
│ ├── Spec.Blake2.Alternative.fsti.hints
│ ├── Spec.Blake2.Definitions.fst.hints
│ ├── Spec.Blake2.Incremental.fst.hints
│ ├── Spec.Blake2.Incremental.fsti.hints
│ ├── Spec.Blake2.Test.fst.hints
│ ├── Spec.Blake2.fst.hints
│ ├── Spec.Box.Test.fst.hints
│ ├── Spec.Box.fst.hints
│ ├── Spec.Chacha20.Test.fst.hints
│ ├── Spec.Chacha20.fst.hints
│ ├── Spec.Chacha20Poly1305.Test.fst.hints
│ ├── Spec.Chacha20Poly1305.fst.hints
│ ├── Spec.Cipher.Expansion.fst.hints
│ ├── Spec.Cipher.Expansion.fsti.hints
│ ├── Spec.Curve25519.Lemmas.fst.hints
│ ├── Spec.Curve25519.Test.fst.hints
│ ├── Spec.Curve25519.fst.hints
│ ├── Spec.ECDSA.Test.Vectors.fst.hints
│ ├── Spec.Ed25519.Lemmas.fst.hints
│ ├── Spec.Ed25519.Lemmas.fsti.hints
│ ├── Spec.Ed25519.PointOps.fst.hints
│ ├── Spec.Ed25519.Test.fst.hints
│ ├── Spec.Ed25519.fst.hints
│ ├── Spec.Exponentiation.fst.hints
│ ├── Spec.Exponentiation.fsti.hints
│ ├── Spec.FFDHE.fst.hints
│ ├── Spec.Frodo.Encode.fst.hints
│ ├── Spec.Frodo.Gen.fst.hints
│ ├── Spec.Frodo.KEM.Decaps.fst.hints
│ ├── Spec.Frodo.KEM.Encaps.fst.hints
│ ├── Spec.Frodo.KEM.KeyGen.fst.hints
│ ├── Spec.Frodo.KEM.fst.hints
│ ├── Spec.Frodo.Lemmas.fst.hints
│ ├── Spec.Frodo.Pack.fst.hints
│ ├── Spec.Frodo.Params.fst.hints
│ ├── Spec.Frodo.Random.fst.hints
│ ├── Spec.Frodo.Sample.fst.hints
│ ├── Spec.Frodo.Test.fst.hints
│ ├── Spec.GaloisField.fst.hints
│ ├── Spec.HKDF.Test.fst.hints
│ ├── Spec.HMAC.Incremental.fst.hints
│ ├── Spec.HMAC.Incremental.fsti.hints
│ ├── Spec.HMAC.Test.fst.hints
│ ├── Spec.HMAC_DRBG.Test.Vectors.fst.hints
│ ├── Spec.HMAC_DRBG.Test.fst.hints
│ ├── Spec.HMAC_DRBG.fst.hints
│ ├── Spec.HMAC_DRBG.fsti.hints
│ ├── Spec.Hash.Definitions.fst.hints
│ ├── Spec.Hash.Incremental.Definitions.fst.hints
│ ├── Spec.Hash.Incremental.fst.hints
│ ├── Spec.Hash.Incremental.fsti.hints
│ ├── Spec.Hash.Lemmas.fst.hints
│ ├── Spec.Hash.Lemmas.fsti.hints
│ ├── Spec.Hash.MD.fst.hints
│ ├── Spec.Hash.Test.fst.hints
│ ├── Spec.K256.Lemmas.fst.hints
│ ├── Spec.K256.Lemmas.fsti.hints
│ ├── Spec.K256.PointOps.fst.hints
│ ├── Spec.K256.Test.fst.hints
│ ├── Spec.K256.fst.hints
│ ├── Spec.MD.Incremental.fst.hints
│ ├── Spec.MD.Incremental.fsti.hints
│ ├── Spec.MD5.fst.hints
│ ├── Spec.MD5.fsti.hints
│ ├── Spec.Matrix.fst.hints
│ ├── Spec.P256.Lemmas.fst.hints
│ ├── Spec.P256.Lemmas.fsti.hints
│ ├── Spec.P256.PointOps.fst.hints
│ ├── Spec.P256.Test.fst.hints
│ ├── Spec.P256.fst.hints
│ ├── Spec.Poly1305.Test.fst.hints
│ ├── Spec.Poly1305.fst.hints
│ ├── Spec.RSAPSS.fst.hints
│ ├── Spec.SHA1.fst.hints
│ ├── Spec.SHA1.fsti.hints
│ ├── Spec.SHA2.Constants.fst.hints
│ ├── Spec.SHA2.Lemmas.fst.hints
│ ├── Spec.SHA2.Lemmas.fsti.hints
│ ├── Spec.SHA2.fst.hints
│ ├── Spec.SHA2.fsti.hints
│ ├── Spec.SHA3.Constants.fst.hints
│ ├── Spec.SHA3.Equivalence.fst.hints
│ ├── Spec.SHA3.Incremental.fst.hints
│ ├── Spec.SHA3.Incremental.fsti.hints
│ ├── Spec.SHA3.Test.fst.hints
│ ├── Spec.SHA3.fst.hints
│ ├── Spec.Salsa20.Test.fst.hints
│ ├── Spec.Salsa20.fst.hints
│ ├── Spec.SecretBox.Test.fst.hints
│ ├── Spec.SecretBox.fst.hints
│ ├── Test.Hash.fst.hints
│ ├── Test.Lowstarize.fst.hints
│ ├── Test.NoHeap.fst.hints
│ ├── Test.NoHeap.fsti.hints
│ ├── Test.Vectors.Aes128.fst.hints
│ ├── Test.Vectors.Aes128Gcm.fst.hints
│ ├── Test.Vectors.Chacha20Poly1305.fst.hints
│ ├── Test.Vectors.Curve25519.fst.hints
│ ├── Test.Vectors.Poly1305.fst.hints
│ ├── Test.Vectors.fst.hints
│ ├── Test.fst.hints
│ ├── Test.fsti.hints
│ ├── Vale.AES.AES256_helpers.fst.hints
│ ├── Vale.AES.AES256_helpers.fsti.hints
│ ├── Vale.AES.AES256_helpers_BE.fst.hints
│ ├── Vale.AES.AES256_helpers_BE.fsti.hints
│ ├── Vale.AES.AES_BE_s.fst.hints
│ ├── Vale.AES.AES_common_s.fst.hints
│ ├── Vale.AES.AES_helpers.fst.hints
│ ├── Vale.AES.AES_helpers.fsti.hints
│ ├── Vale.AES.AES_helpers_BE.fst.hints
│ ├── Vale.AES.AES_helpers_BE.fsti.hints
│ ├── Vale.AES.AES_s.fst.hints
│ ├── Vale.AES.GCM.fst.hints
│ ├── Vale.AES.GCM.fsti.hints
│ ├── Vale.AES.GCM_BE.fst.hints
│ ├── Vale.AES.GCM_BE.fsti.hints
│ ├── Vale.AES.GCM_BE_s.fst.hints
│ ├── Vale.AES.GCM_helpers.fst.hints
│ ├── Vale.AES.GCM_helpers.fsti.hints
│ ├── Vale.AES.GCM_helpers_BE.fst.hints
│ ├── Vale.AES.GCM_helpers_BE.fsti.hints
│ ├── Vale.AES.GCM_s.fst.hints
│ ├── Vale.AES.GCTR.fst.hints
│ ├── Vale.AES.GCTR.fsti.hints
│ ├── Vale.AES.GCTR_BE.fst.hints
│ ├── Vale.AES.GCTR_BE.fsti.hints
│ ├── Vale.AES.GCTR_BE_s.fst.hints
│ ├── Vale.AES.GCTR_s.fst.hints
│ ├── Vale.AES.GF128.fst.hints
│ ├── Vale.AES.GF128.fsti.hints
│ ├── Vale.AES.GF128_s.fst.hints
│ ├── Vale.AES.GF128_s.fsti.hints
│ ├── Vale.AES.GHash.fst.hints
│ ├── Vale.AES.GHash.fsti.hints
│ ├── Vale.AES.GHash_BE.fst.hints
│ ├── Vale.AES.GHash_BE.fsti.hints
│ ├── Vale.AES.GHash_BE_s.fst.hints
│ ├── Vale.AES.GHash_s.fst.hints
│ ├── Vale.AES.Gcm_simplify.fst.hints
│ ├── Vale.AES.Gcm_simplify.fsti.hints
│ ├── Vale.AES.OptPublic.fst.hints
│ ├── Vale.AES.OptPublic.fsti.hints
│ ├── Vale.AES.OptPublic_BE.fst.hints
│ ├── Vale.AES.OptPublic_BE.fsti.hints
│ ├── Vale.AES.PPC64LE.AES.fst.hints
│ ├── Vale.AES.PPC64LE.AES.fsti.hints
│ ├── Vale.AES.PPC64LE.AES128.fst.hints
│ ├── Vale.AES.PPC64LE.AES128.fsti.hints
│ ├── Vale.AES.PPC64LE.AES256.fst.hints
│ ├── Vale.AES.PPC64LE.AES256.fsti.hints
│ ├── Vale.AES.PPC64LE.GCMdecrypt.fst.hints
│ ├── Vale.AES.PPC64LE.GCMdecrypt.fsti.hints
│ ├── Vale.AES.PPC64LE.GCMencrypt.fst.hints
│ ├── Vale.AES.PPC64LE.GCMencrypt.fsti.hints
│ ├── Vale.AES.PPC64LE.GCTR.fst.hints
│ ├── Vale.AES.PPC64LE.GCTR.fsti.hints
│ ├── Vale.AES.PPC64LE.GF128_Init.fst.hints
│ ├── Vale.AES.PPC64LE.GF128_Init.fsti.hints
│ ├── Vale.AES.PPC64LE.GF128_Mul.fst.hints
│ ├── Vale.AES.PPC64LE.GF128_Mul.fsti.hints
│ ├── Vale.AES.PPC64LE.GHash.fst.hints
│ ├── Vale.AES.PPC64LE.GHash.fsti.hints
│ ├── Vale.AES.PPC64LE.PolyOps.fst.hints
│ ├── Vale.AES.PPC64LE.PolyOps.fsti.hints
│ ├── Vale.AES.Types_helpers.fst.hints
│ ├── Vale.AES.Types_helpers.fsti.hints
│ ├── Vale.AES.X64.AES.fst.hints
│ ├── Vale.AES.X64.AES.fsti.hints
│ ├── Vale.AES.X64.AES128.fst.hints
│ ├── Vale.AES.X64.AES128.fsti.hints
│ ├── Vale.AES.X64.AES256.fst.hints
│ ├── Vale.AES.X64.AES256.fsti.hints
│ ├── Vale.AES.X64.AESCTR.fst.hints
│ ├── Vale.AES.X64.AESCTR.fsti.hints
│ ├── Vale.AES.X64.AESCTRplain.fst.hints
│ ├── Vale.AES.X64.AESCTRplain.fsti.hints
│ ├── Vale.AES.X64.AESGCM.fst.hints
│ ├── Vale.AES.X64.AESGCM.fsti.hints
│ ├── Vale.AES.X64.AESGCM_expected_code.fst.hints
│ ├── Vale.AES.X64.AESGCM_expected_code.fsti.hints
│ ├── Vale.AES.X64.AESopt.fst.hints
│ ├── Vale.AES.X64.AESopt.fsti.hints
│ ├── Vale.AES.X64.AESopt2.fst.hints
│ ├── Vale.AES.X64.AESopt2.fsti.hints
│ ├── Vale.AES.X64.GCMdecryptOpt.fst.hints
│ ├── Vale.AES.X64.GCMdecryptOpt.fsti.hints
│ ├── Vale.AES.X64.GCMencryptOpt.fst.hints
│ ├── Vale.AES.X64.GCMencryptOpt.fsti.hints
│ ├── Vale.AES.X64.GCTR.fst.hints
│ ├── Vale.AES.X64.GCTR.fsti.hints
│ ├── Vale.AES.X64.GF128_Init.fst.hints
│ ├── Vale.AES.X64.GF128_Init.fsti.hints
│ ├── Vale.AES.X64.GF128_Mul.fst.hints
│ ├── Vale.AES.X64.GF128_Mul.fsti.hints
│ ├── Vale.AES.X64.GHash.fst.hints
│ ├── Vale.AES.X64.GHash.fsti.hints
│ ├── Vale.AES.X64.PolyOps.fst.hints
│ ├── Vale.AES.X64.PolyOps.fsti.hints
│ ├── Vale.Arch.BufferFriend.fst.hints
│ ├── Vale.Arch.BufferFriend.fsti.hints
│ ├── Vale.Arch.Heap.fst.hints
│ ├── Vale.Arch.Heap.fsti.hints
│ ├── Vale.Arch.HeapImpl.fst.hints
│ ├── Vale.Arch.HeapImpl.fsti.hints
│ ├── Vale.Arch.HeapLemmas.fst.hints
│ ├── Vale.Arch.HeapLemmas.fsti.hints
│ ├── Vale.Arch.HeapTypes_s.fst.hints
│ ├── Vale.Arch.MachineHeap.fst.hints
│ ├── Vale.Arch.MachineHeap.fsti.hints
│ ├── Vale.Arch.MachineHeap_s.fst.hints
│ ├── Vale.Arch.Types.fst.hints
│ ├── Vale.Arch.Types.fsti.hints
│ ├── Vale.Arch.TypesNative.fst.hints
│ ├── Vale.Arch.TypesNative.fsti.hints
│ ├── Vale.AsLowStar.LowStarSig.fst.hints
│ ├── Vale.AsLowStar.MemoryHelpers.fst.hints
│ ├── Vale.AsLowStar.MemoryHelpers.fsti.hints
│ ├── Vale.AsLowStar.Test.fst.hints
│ ├── Vale.AsLowStar.ValeSig.fst.hints
│ ├── Vale.AsLowStar.Wrapper.fst.hints
│ ├── Vale.AsLowStar.Wrapper.fsti.hints
│ ├── Vale.Bignum.Defs.fst.hints
│ ├── Vale.Bignum.Defs.fsti.hints
│ ├── Vale.Bignum.Lemmas.fst.hints
│ ├── Vale.Bignum.Lemmas.fsti.hints
│ ├── Vale.Bignum.X64.fst.hints
│ ├── Vale.Bignum.X64.fsti.hints
│ ├── Vale.Curve25519.FastHybrid_helpers.fst.hints
│ ├── Vale.Curve25519.FastHybrid_helpers.fsti.hints
│ ├── Vale.Curve25519.FastMul_helpers.fst.hints
│ ├── Vale.Curve25519.FastMul_helpers.fsti.hints
│ ├── Vale.Curve25519.FastSqr_helpers.fst.hints
│ ├── Vale.Curve25519.FastSqr_helpers.fsti.hints
│ ├── Vale.Curve25519.FastUtil_helpers.fst.hints
│ ├── Vale.Curve25519.FastUtil_helpers.fsti.hints
│ ├── Vale.Curve25519.Fast_defs.fst.hints
│ ├── Vale.Curve25519.Fast_lemmas_external.fst.hints
│ ├── Vale.Curve25519.Fast_lemmas_external.fsti.hints
│ ├── Vale.Curve25519.Fast_lemmas_internal.fst.hints
│ ├── Vale.Curve25519.Fast_lemmas_internal.fsti.hints
│ ├── Vale.Curve25519.X64.FastHybrid.fst.hints
│ ├── Vale.Curve25519.X64.FastHybrid.fsti.hints
│ ├── Vale.Curve25519.X64.FastMul.fst.hints
│ ├── Vale.Curve25519.X64.FastMul.fsti.hints
│ ├── Vale.Curve25519.X64.FastSqr.fst.hints
│ ├── Vale.Curve25519.X64.FastSqr.fsti.hints
│ ├── Vale.Curve25519.X64.FastUtil.fst.hints
│ ├── Vale.Curve25519.X64.FastUtil.fsti.hints
│ ├── Vale.Curve25519.X64.FastWide.fst.hints
│ ├── Vale.Curve25519.X64.FastWide.fsti.hints
│ ├── Vale.Def.Opaque_s.fst.hints
│ ├── Vale.Def.Opaque_s.fsti.hints
│ ├── Vale.Def.PossiblyMonad.fst.hints
│ ├── Vale.Def.Prop_s.fst.hints
│ ├── Vale.Def.Sel.fst.hints
│ ├── Vale.Def.TypesNative_s.fst.hints
│ ├── Vale.Def.Types_s.fst.hints
│ ├── Vale.Def.Words.Four_s.fst.hints
│ ├── Vale.Def.Words.Four_s.fsti.hints
│ ├── Vale.Def.Words.Seq.fst.hints
│ ├── Vale.Def.Words.Seq.fsti.hints
│ ├── Vale.Def.Words.Seq_s.fst.hints
│ ├── Vale.Def.Words.Seq_s.fsti.hints
│ ├── Vale.Def.Words.Two.fst.hints
│ ├── Vale.Def.Words.Two.fsti.hints
│ ├── Vale.Def.Words.Two_s.fst.hints
│ ├── Vale.Def.Words.Two_s.fsti.hints
│ ├── Vale.Def.Words_s.fst.hints
│ ├── Vale.Def.Words_s.fsti.hints
│ ├── Vale.FDefMulx.X64.fst.hints
│ ├── Vale.FDefMulx.X64.fsti.hints
│ ├── Vale.Inline.X64.Fadd_inline.fst.hints
│ ├── Vale.Inline.X64.Fadd_inline.fsti.hints
│ ├── Vale.Inline.X64.Fmul_inline.fst.hints
│ ├── Vale.Inline.X64.Fmul_inline.fsti.hints
│ ├── Vale.Inline.X64.Fsqr_inline.fst.hints
│ ├── Vale.Inline.X64.Fsqr_inline.fsti.hints
│ ├── Vale.Inline.X64.Fswap_inline.fst.hints
│ ├── Vale.Inline.X64.Fswap_inline.fsti.hints
│ ├── Vale.Interop.Assumptions.fst.hints
│ ├── Vale.Interop.Base.fst.hints
│ ├── Vale.Interop.Heap_s.fst.hints
│ ├── Vale.Interop.Types.fst.hints
│ ├── Vale.Interop.Views.fst.hints
│ ├── Vale.Interop.Views.fsti.hints
│ ├── Vale.Interop.X64.fst.hints
│ ├── Vale.Interop.X64.fsti.hints
│ ├── Vale.Interop.fst.hints
│ ├── Vale.Interop.fsti.hints
│ ├── Vale.Lib.Basic.fst.hints
│ ├── Vale.Lib.Basic.fsti.hints
│ ├── Vale.Lib.BufferViewHelpers.fst.hints
│ ├── Vale.Lib.Bv_s.fst.hints
│ ├── Vale.Lib.Lists.fst.hints
│ ├── Vale.Lib.Lists.fsti.hints
│ ├── Vale.Lib.Map16.fst.hints
│ ├── Vale.Lib.Map16.fsti.hints
│ ├── Vale.Lib.MapTree.fst.hints
│ ├── Vale.Lib.MapTree.fsti.hints
│ ├── Vale.Lib.Meta.fst.hints
│ ├── Vale.Lib.Meta.fsti.hints
│ ├── Vale.Lib.Operator.fst.hints
│ ├── Vale.Lib.Operator.fsti.hints
│ ├── Vale.Lib.Seqs.fst.hints
│ ├── Vale.Lib.Seqs.fsti.hints
│ ├── Vale.Lib.Seqs_s.fst.hints
│ ├── Vale.Lib.Set.fst.hints
│ ├── Vale.Lib.Set.fsti.hints
│ ├── Vale.Lib.Tactics.fst.hints
│ ├── Vale.Lib.X64.Cpuid.fst.hints
│ ├── Vale.Lib.X64.Cpuid.fsti.hints
│ ├── Vale.Lib.X64.Cpuidstdcall.fst.hints
│ ├── Vale.Lib.X64.Cpuidstdcall.fsti.hints
│ ├── Vale.Math.Bits.fst.hints
│ ├── Vale.Math.Bits.fsti.hints
│ ├── Vale.Math.Lemmas.Int.fst.hints
│ ├── Vale.Math.Lemmas.Int.fsti.hints
│ ├── Vale.Math.Poly2.Bits.fst.hints
│ ├── Vale.Math.Poly2.Bits.fsti.hints
│ ├── Vale.Math.Poly2.Bits_s.fst.hints
│ ├── Vale.Math.Poly2.Bits_s.fsti.hints
│ ├── Vale.Math.Poly2.Defs.fst.hints
│ ├── Vale.Math.Poly2.Defs_s.fst.hints
│ ├── Vale.Math.Poly2.Galois.IntTypes.fst.hints
│ ├── Vale.Math.Poly2.Galois.IntTypes.fsti.hints
│ ├── Vale.Math.Poly2.Galois.Lemmas.fst.hints
│ ├── Vale.Math.Poly2.Galois.Lemmas.fsti.hints
│ ├── Vale.Math.Poly2.Galois.fst.hints
│ ├── Vale.Math.Poly2.Galois.fsti.hints
│ ├── Vale.Math.Poly2.Lemmas.fst.hints
│ ├── Vale.Math.Poly2.Lemmas.fsti.hints
│ ├── Vale.Math.Poly2.Words.fst.hints
│ ├── Vale.Math.Poly2.Words.fsti.hints
│ ├── Vale.Math.Poly2.fst.hints
│ ├── Vale.Math.Poly2.fsti.hints
│ ├── Vale.Math.Poly2_s.fst.hints
│ ├── Vale.Math.Poly2_s.fsti.hints
│ ├── Vale.PPC64LE.Decls.fst.hints
│ ├── Vale.PPC64LE.Decls.fsti.hints
│ ├── Vale.PPC64LE.InsBasic.fst.hints
│ ├── Vale.PPC64LE.InsBasic.fsti.hints
│ ├── Vale.PPC64LE.InsMem.fst.hints
│ ├── Vale.PPC64LE.InsMem.fsti.hints
│ ├── Vale.PPC64LE.InsStack.fst.hints
│ ├── Vale.PPC64LE.InsStack.fsti.hints
│ ├── Vale.PPC64LE.InsVector.fst.hints
│ ├── Vale.PPC64LE.InsVector.fsti.hints
│ ├── Vale.PPC64LE.Lemmas.fst.hints
│ ├── Vale.PPC64LE.Lemmas.fsti.hints
│ ├── Vale.PPC64LE.Machine_s.fst.hints
│ ├── Vale.PPC64LE.Memory.fst.hints
│ ├── Vale.PPC64LE.Memory.fsti.hints
│ ├── Vale.PPC64LE.Memory_Sems.fst.hints
│ ├── Vale.PPC64LE.Memory_Sems.fsti.hints
│ ├── Vale.PPC64LE.Print_s.fst.hints
│ ├── Vale.PPC64LE.QuickCode.fst.hints
│ ├── Vale.PPC64LE.QuickCodes.fst.hints
│ ├── Vale.PPC64LE.QuickCodes.fsti.hints
│ ├── Vale.PPC64LE.Regs.fst.hints
│ ├── Vale.PPC64LE.Regs.fsti.hints
│ ├── Vale.PPC64LE.Semantics_s.fst.hints
│ ├── Vale.PPC64LE.Stack_Sems.fst.hints
│ ├── Vale.PPC64LE.Stack_Sems.fsti.hints
│ ├── Vale.PPC64LE.Stack_i.fst.hints
│ ├── Vale.PPC64LE.Stack_i.fsti.hints
│ ├── Vale.PPC64LE.State.fst.hints
│ ├── Vale.PPC64LE.State.fsti.hints
│ ├── Vale.PPC64LE.StateLemmas.fst.hints
│ ├── Vale.PPC64LE.StateLemmas.fsti.hints
│ ├── Vale.PPC64LE.Vecs.fst.hints
│ ├── Vale.PPC64LE.Vecs.fsti.hints
│ ├── Vale.Poly1305.Bitvectors.fst.hints
│ ├── Vale.Poly1305.Bitvectors.fsti.hints
│ ├── Vale.Poly1305.CallingFromLowStar.fst.hints
│ ├── Vale.Poly1305.CallingFromLowStar.fsti.hints
│ ├── Vale.Poly1305.Equiv.fst.hints
│ ├── Vale.Poly1305.Equiv.fsti.hints
│ ├── Vale.Poly1305.Math.fst.hints
│ ├── Vale.Poly1305.Math.fsti.hints
│ ├── Vale.Poly1305.Spec_s.fst.hints
│ ├── Vale.Poly1305.Util.fst.hints
│ ├── Vale.Poly1305.Util.fsti.hints
│ ├── Vale.Poly1305.X64.fst.hints
│ ├── Vale.Poly1305.X64.fsti.hints
│ ├── Vale.SHA.PPC64LE.Loop.fst.hints
│ ├── Vale.SHA.PPC64LE.Loop.fsti.hints
│ ├── Vale.SHA.PPC64LE.Rounds.Core.fst.hints
│ ├── Vale.SHA.PPC64LE.Rounds.Core.fsti.hints
│ ├── Vale.SHA.PPC64LE.Rounds.fst.hints
│ ├── Vale.SHA.PPC64LE.Rounds.fsti.hints
│ ├── Vale.SHA.PPC64LE.SHA_helpers.fst.hints
│ ├── Vale.SHA.PPC64LE.SHA_helpers.fsti.hints
│ ├── Vale.SHA.PPC64LE.fst.hints
│ ├── Vale.SHA.PPC64LE.fsti.hints
│ ├── Vale.SHA.SHA_helpers.fst.hints
│ ├── Vale.SHA.SHA_helpers.fsti.hints
│ ├── Vale.SHA.Simplify_Sha.fst.hints
│ ├── Vale.SHA.Simplify_Sha.fsti.hints
│ ├── Vale.SHA.X64.fst.hints
│ ├── Vale.SHA.X64.fsti.hints
│ ├── Vale.SHA2.Wrapper.fst.hints
│ ├── Vale.SHA2.Wrapper.fsti.hints
│ ├── Vale.Stdcalls.X64.Aes.fst.hints
│ ├── Vale.Stdcalls.X64.Aes.fsti.hints
│ ├── Vale.Stdcalls.X64.AesHash.fst.hints
│ ├── Vale.Stdcalls.X64.Cpuid.fst.hints
│ ├── Vale.Stdcalls.X64.Cpuid.fsti.hints
│ ├── Vale.Stdcalls.X64.Fadd.fst.hints
│ ├── Vale.Stdcalls.X64.Fadd.fsti.hints
│ ├── Vale.Stdcalls.X64.Fmul.fst.hints
│ ├── Vale.Stdcalls.X64.Fmul.fsti.hints
│ ├── Vale.Stdcalls.X64.Fsqr.fst.hints
│ ├── Vale.Stdcalls.X64.Fsqr.fsti.hints
│ ├── Vale.Stdcalls.X64.Fsub.fst.hints
│ ├── Vale.Stdcalls.X64.Fsub.fsti.hints
│ ├── Vale.Stdcalls.X64.Fswap.fst.hints
│ ├── Vale.Stdcalls.X64.Fswap.fsti.hints
│ ├── Vale.Stdcalls.X64.GCM_IV.fst.hints
│ ├── Vale.Stdcalls.X64.GCMdecryptOpt.fst.hints
│ ├── Vale.Stdcalls.X64.GCMencryptOpt.fst.hints
│ ├── Vale.Stdcalls.X64.GCTR.fst.hints
│ ├── Vale.Stdcalls.X64.Poly.fst.hints
│ ├── Vale.Stdcalls.X64.Poly.fsti.hints
│ ├── Vale.Stdcalls.X64.Sha.fst.hints
│ ├── Vale.Stdcalls.X64.Sha.fsti.hints
│ ├── Vale.Test.TestInline.fst.hints
│ ├── Vale.Test.X64.Args.fst.hints
│ ├── Vale.Test.X64.Args.fsti.hints
│ ├── Vale.Test.X64.Memcpy.fst.hints
│ ├── Vale.Test.X64.Memcpy.fsti.hints
│ ├── Vale.Test.X64.Vale_memcpy.fst.hints
│ ├── Vale.Test.X64.Vale_memcpy.fsti.hints
│ ├── Vale.Transformers.BoundedInstructionEffects.fst.hints
│ ├── Vale.Transformers.BoundedInstructionEffects.fsti.hints
│ ├── Vale.Transformers.Common.fst.hints
│ ├── Vale.Transformers.Common.fsti.hints
│ ├── Vale.Transformers.DebugPrint.fst.hints
│ ├── Vale.Transformers.InstructionReorder.fst.hints
│ ├── Vale.Transformers.InstructionReorderSanityChecks.fst.hints
│ ├── Vale.Transformers.InstructionReorderSanityChecks.fsti.hints
│ ├── Vale.Transformers.Locations.fst.hints
│ ├── Vale.Transformers.Locations.fsti.hints
│ ├── Vale.Transformers.MovMovElim.fst.hints
│ ├── Vale.Transformers.MovbeElim.fst.hints
│ ├── Vale.Transformers.PeepHole.fst.hints
│ ├── Vale.Transformers.PeepHole.fsti.hints
│ ├── Vale.Transformers.PrefetchElim.fst.hints
│ ├── Vale.Transformers.Transform.fst.hints
│ ├── Vale.Transformers.Transform.fsti.hints
│ ├── Vale.Wrapper.X64.AES.fst.hints
│ ├── Vale.Wrapper.X64.AES.fsti.hints
│ ├── Vale.Wrapper.X64.AEShash.fst.hints
│ ├── Vale.Wrapper.X64.AEShash.fsti.hints
│ ├── Vale.Wrapper.X64.Cpuid.fst.hints
│ ├── Vale.Wrapper.X64.Cpuid.fsti.hints
│ ├── Vale.Wrapper.X64.Fadd.fst.hints
│ ├── Vale.Wrapper.X64.Fadd.fsti.hints
│ ├── Vale.Wrapper.X64.Fmul.fst.hints
│ ├── Vale.Wrapper.X64.Fmul.fsti.hints
│ ├── Vale.Wrapper.X64.Fsqr.fst.hints
│ ├── Vale.Wrapper.X64.Fsqr.fsti.hints
│ ├── Vale.Wrapper.X64.Fsub.fst.hints
│ ├── Vale.Wrapper.X64.Fsub.fsti.hints
│ ├── Vale.Wrapper.X64.Fswap.fst.hints
│ ├── Vale.Wrapper.X64.Fswap.fsti.hints
│ ├── Vale.Wrapper.X64.GCM_IV.fst.hints
│ ├── Vale.Wrapper.X64.GCM_IV.fsti.hints
│ ├── Vale.Wrapper.X64.GCMdecryptOpt.fst.hints
│ ├── Vale.Wrapper.X64.GCMdecryptOpt.fsti.hints
│ ├── Vale.Wrapper.X64.GCMdecryptOpt256.fst.hints
│ ├── Vale.Wrapper.X64.GCMdecryptOpt256.fsti.hints
│ ├── Vale.Wrapper.X64.GCMencryptOpt.fst.hints
│ ├── Vale.Wrapper.X64.GCMencryptOpt.fsti.hints
│ ├── Vale.Wrapper.X64.GCMencryptOpt256.fst.hints
│ ├── Vale.Wrapper.X64.GCMencryptOpt256.fsti.hints
│ ├── Vale.Wrapper.X64.GCTR.fst.hints
│ ├── Vale.Wrapper.X64.GCTR.fsti.hints
│ ├── Vale.Wrapper.X64.Poly.fst.hints
│ ├── Vale.Wrapper.X64.Poly.fsti.hints
│ ├── Vale.Wrapper.X64.Sha.fst.hints
│ ├── Vale.Wrapper.X64.Sha.fsti.hints
│ ├── Vale.X64.BufferViewStore.fst.hints
│ ├── Vale.X64.BufferViewStore.fsti.hints
│ ├── Vale.X64.Bytes_Code_s.fst.hints
│ ├── Vale.X64.Bytes_Semantics.fst.hints
│ ├── Vale.X64.Bytes_Semantics.fsti.hints
│ ├── Vale.X64.CPU_Features_s.fst.hints
│ ├── Vale.X64.CryptoInstructions_s.fst.hints
│ ├── Vale.X64.CryptoInstructions_s.fsti.hints
│ ├── Vale.X64.Decls.fst.hints
│ ├── Vale.X64.Decls.fsti.hints
│ ├── Vale.X64.Flags.fst.hints
│ ├── Vale.X64.Flags.fsti.hints
│ ├── Vale.X64.InsAes.fst.hints
│ ├── Vale.X64.InsAes.fsti.hints
│ ├── Vale.X64.InsBasic.fst.hints
│ ├── Vale.X64.InsBasic.fsti.hints
│ ├── Vale.X64.InsLemmas.fst.hints
│ ├── Vale.X64.InsLemmas.fsti.hints
│ ├── Vale.X64.InsMem.fst.hints
│ ├── Vale.X64.InsMem.fsti.hints
│ ├── Vale.X64.InsSha.fst.hints
│ ├── Vale.X64.InsSha.fsti.hints
│ ├── Vale.X64.InsStack.fst.hints
│ ├── Vale.X64.InsStack.fsti.hints
│ ├── Vale.X64.InsVector.fst.hints
│ ├── Vale.X64.InsVector.fsti.hints
│ ├── Vale.X64.Instruction_s.fst.hints
│ ├── Vale.X64.Instruction_s.fsti.hints
│ ├── Vale.X64.Instructions_s.fst.hints
│ ├── Vale.X64.Instructions_s.fsti.hints
│ ├── Vale.X64.Leakage.fst.hints
│ ├── Vale.X64.Leakage.fsti.hints
│ ├── Vale.X64.Leakage_Helpers.fst.hints
│ ├── Vale.X64.Leakage_Ins.fst.hints
│ ├── Vale.X64.Leakage_Ins.fsti.hints
│ ├── Vale.X64.Leakage_s.fst.hints
│ ├── Vale.X64.Lemmas.fst.hints
│ ├── Vale.X64.Lemmas.fsti.hints
│ ├── Vale.X64.Machine_Semantics_s.fst.hints
│ ├── Vale.X64.Machine_s.fst.hints
│ ├── Vale.X64.Memory.fst.hints
│ ├── Vale.X64.Memory.fsti.hints
│ ├── Vale.X64.MemoryAdapters.fst.hints
│ ├── Vale.X64.MemoryAdapters.fsti.hints
│ ├── Vale.X64.Memory_Sems.fst.hints
│ ├── Vale.X64.Memory_Sems.fsti.hints
│ ├── Vale.X64.Print_Inline_s.fst.hints
│ ├── Vale.X64.Print_s.fst.hints
│ ├── Vale.X64.QuickCode.fst.hints
│ ├── Vale.X64.QuickCodes.fst.hints
│ ├── Vale.X64.QuickCodes.fsti.hints
│ ├── Vale.X64.Regs.fst.hints
│ ├── Vale.X64.Regs.fsti.hints
│ ├── Vale.X64.Stack.fst.hints
│ ├── Vale.X64.Stack.fsti.hints
│ ├── Vale.X64.Stack_Sems.fst.hints
│ ├── Vale.X64.Stack_Sems.fsti.hints
│ ├── Vale.X64.Stack_i.fst.hints
│ ├── Vale.X64.Stack_i.fsti.hints
│ ├── Vale.X64.State.fst.hints
│ ├── Vale.X64.State.fsti.hints
│ ├── Vale.X64.StateLemmas.fst.hints
│ ├── Vale.X64.StateLemmas.fsti.hints
│ ├── Vale.X64.Taint_Semantics.fst.hints
│ ├── Vale.X64.Xmms.fst.hints
│ └── Vale.X64.Xmms.fsti.hints
├── lib/
│ ├── Lib.Buffer.fst
│ ├── Lib.Buffer.fsti
│ ├── Lib.ByteBuffer.fst
│ ├── Lib.ByteBuffer.fsti
│ ├── Lib.ByteSequence.fst
│ ├── Lib.ByteSequence.fsti
│ ├── Lib.Exponentiation.Definition.fst
│ ├── Lib.Exponentiation.Definition.fsti
│ ├── Lib.Exponentiation.fst
│ ├── Lib.Exponentiation.fsti
│ ├── Lib.IntTypes.Compatibility.fst
│ ├── Lib.IntTypes.Intrinsics.fsti
│ ├── Lib.IntTypes.fst
│ ├── Lib.IntTypes.fsti
│ ├── Lib.IntVector.Intrinsics.fsti
│ ├── Lib.IntVector.Serialize.fst
│ ├── Lib.IntVector.Serialize.fsti
│ ├── Lib.IntVector.Transpose.fst
│ ├── Lib.IntVector.Transpose.fsti
│ ├── Lib.IntVector.fst
│ ├── Lib.IntVector.fsti
│ ├── Lib.LoopCombinators.fst
│ ├── Lib.LoopCombinators.fsti
│ ├── Lib.Loops.fst
│ ├── Lib.Loops.fsti
│ ├── Lib.Memzero0.fsti
│ ├── Lib.Meta.fst
│ ├── Lib.MultiBuffer.fst
│ ├── Lib.NTuple.fst
│ ├── Lib.NTuple.fsti
│ ├── Lib.NatMod.fst
│ ├── Lib.NatMod.fsti
│ ├── Lib.PrintBuffer.fsti
│ ├── Lib.PrintSequence.fst
│ ├── Lib.PrintSequence.fsti
│ ├── Lib.RandomBuffer.System.fsti
│ ├── Lib.RandomSequence.fsti
│ ├── Lib.RawIntTypes.fst
│ ├── Lib.RawIntTypes.fsti
│ ├── Lib.Sequence.Lemmas.fst
│ ├── Lib.Sequence.Lemmas.fsti
│ ├── Lib.Sequence.fst
│ ├── Lib.Sequence.fsti
│ ├── Lib.UpdateMulti.Lemmas.fst
│ ├── Lib.UpdateMulti.Lemmas.fsti
│ ├── Lib.UpdateMulti.fst
│ ├── Lib.Vec.Lemmas.fst
│ ├── Lib.Vec.Lemmas.fsti
│ ├── Makefile
│ ├── c/
│ │ ├── Lib_Memzero0.c
│ │ ├── Lib_PrintBuffer.c
│ │ ├── Lib_RandomBuffer_System.c
│ │ ├── evercrypt_targetconfig.h
│ │ ├── lib_intrinsics.h
│ │ ├── lib_memzero0.h
│ │ ├── libintvector-shim.h
│ │ ├── libintvector.h
│ │ └── libintvector_debug.h
│ └── ml/
│ ├── Lib_RandomBuffer_System_bindings.ml
│ └── Lib_RandomBuffer_System_gen.ml
├── obj/
│ └── .gitignore
├── providers/
│ ├── Changes.md
│ ├── Documentation.md
│ ├── evercrypt/
│ │ ├── EverCrypt.AEAD.fsti
│ │ ├── EverCrypt.AutoConfig2.fsti
│ │ ├── EverCrypt.CTR.Keys.fsti
│ │ ├── EverCrypt.Chacha20Poly1305.fsti
│ │ ├── EverCrypt.Cipher.fsti
│ │ ├── EverCrypt.Curve25519.fsti
│ │ ├── EverCrypt.DRBG.fsti
│ │ ├── EverCrypt.Ed25519.fsti
│ │ ├── EverCrypt.Error.fsti
│ │ ├── EverCrypt.HKDF.fsti
│ │ ├── EverCrypt.HMAC.fsti
│ │ ├── EverCrypt.Hash.fsti
│ │ ├── EverCrypt.Helpers.fsti
│ │ ├── EverCrypt.Poly1305.fsti
│ │ ├── EverCrypt.TargetConfig.fsti
│ │ ├── Makefile
│ │ ├── README.md
│ │ └── fst/
│ │ ├── EverCrypt.AEAD.fst
│ │ ├── EverCrypt.AutoConfig2.fst
│ │ ├── EverCrypt.CTR.Keys.fst
│ │ ├── EverCrypt.Chacha20Poly1305.fst
│ │ ├── EverCrypt.Cipher.fst
│ │ ├── EverCrypt.Curve25519.fst
│ │ ├── EverCrypt.DRBG.fst
│ │ ├── EverCrypt.Ed25519.fst
│ │ ├── EverCrypt.HKDF.fst
│ │ ├── EverCrypt.HMAC.fst
│ │ ├── EverCrypt.Hash.Incremental.Macros.fst
│ │ ├── EverCrypt.Hash.Incremental.fst
│ │ ├── EverCrypt.Hash.fst
│ │ ├── EverCrypt.Poly1305.fst
│ │ └── Makefile
│ ├── include/
│ │ └── README.md
│ └── test/
│ ├── Makefile
│ ├── Test.Hash.fst
│ ├── Test.Lowstarize.fst
│ ├── Test.NoHeap.fst
│ ├── Test.NoHeap.fsti
│ ├── Test.Vectors.fst
│ ├── Test.fst
│ ├── Test.fsti
│ └── vectors/
│ ├── .merlin
│ ├── Test.Vectors.Aes128.fst
│ ├── Test.Vectors.Aes128Gcm.fst
│ ├── Test.Vectors.Chacha20Poly1305.fst
│ ├── Test.Vectors.Curve25519.fst
│ ├── Test.Vectors.Poly1305.fst
│ ├── aead_aes128gcm_test_vectors.json
│ ├── aead_chacha20poly1305_test_vectors.json
│ ├── aes128_test_vectors.json
│ ├── curve25519_test_vectors.json
│ ├── gen.ml
│ └── poly1305_test_vectors.json
├── pull_request_template.md
├── runtimeconfig.json
├── specs/
│ ├── Makefile
│ ├── README.md
│ ├── Spec.AES.fst
│ ├── Spec.Agile.AEAD.fst
│ ├── Spec.Agile.AEAD.fsti
│ ├── Spec.Agile.CTR.fst
│ ├── Spec.Agile.Cipher.fst
│ ├── Spec.Agile.Cipher.fsti
│ ├── Spec.Agile.DH.fst
│ ├── Spec.Agile.HKDF.fst
│ ├── Spec.Agile.HKDF.fsti
│ ├── Spec.Agile.HMAC.fst
│ ├── Spec.Agile.HMAC.fsti
│ ├── Spec.Agile.HPKE.fst
│ ├── Spec.Agile.HPKE.fsti
│ ├── Spec.Agile.Hash.fst
│ ├── Spec.Agile.Hash.fsti
│ ├── Spec.Blake2.Definitions.fst
│ ├── Spec.Blake2.fst
│ ├── Spec.Box.fst
│ ├── Spec.Chacha20.fst
│ ├── Spec.Chacha20Poly1305.fst
│ ├── Spec.Cipher.Expansion.fst
│ ├── Spec.Cipher.Expansion.fsti
│ ├── Spec.Curve25519.fst
│ ├── Spec.Ed25519.PointOps.fst
│ ├── Spec.Ed25519.fst
│ ├── Spec.Exponentiation.fst
│ ├── Spec.Exponentiation.fsti
│ ├── Spec.FFDHE.fst
│ ├── Spec.GaloisField.fst
│ ├── Spec.Hash.Definitions.fst
│ ├── Spec.Hash.MD.fst
│ ├── Spec.K256.PointOps.fst
│ ├── Spec.K256.fst
│ ├── Spec.MD5.fst
│ ├── Spec.MD5.fsti
│ ├── Spec.P256.PointOps.fst
│ ├── Spec.P256.fst
│ ├── Spec.Poly1305.fst
│ ├── Spec.RSAPSS.fst
│ ├── Spec.SHA1.fst
│ ├── Spec.SHA1.fsti
│ ├── Spec.SHA2.Constants.fst
│ ├── Spec.SHA2.fst
│ ├── Spec.SHA2.fsti
│ ├── Spec.SHA3.Constants.fst
│ ├── Spec.SHA3.fst
│ ├── Spec.Salsa20.fst
│ ├── Spec.SecretBox.fst
│ ├── drbg/
│ │ ├── Makefile
│ │ ├── Spec.HMAC_DRBG.Test.Vectors.fst
│ │ ├── Spec.HMAC_DRBG.Test.Vectors.fstp
│ │ ├── Spec.HMAC_DRBG.fst
│ │ ├── Spec.HMAC_DRBG.fsti
│ │ └── cavp_parse.py
│ ├── frodo/
│ │ ├── AUTHORS.md
│ │ ├── Makefile
│ │ ├── Spec.Frodo.Encode.fst
│ │ ├── Spec.Frodo.Gen.fst
│ │ ├── Spec.Frodo.KEM.Decaps.fst
│ │ ├── Spec.Frodo.KEM.Encaps.fst
│ │ ├── Spec.Frodo.KEM.KeyGen.fst
│ │ ├── Spec.Frodo.KEM.fst
│ │ ├── Spec.Frodo.Lemmas.fst
│ │ ├── Spec.Frodo.Pack.fst
│ │ ├── Spec.Frodo.Params.fst
│ │ ├── Spec.Frodo.Random.fst
│ │ ├── Spec.Frodo.Sample.fst
│ │ └── Spec.Matrix.fst
│ ├── lemmas/
│ │ ├── Makefile
│ │ ├── Spec.Blake2.Alternative.fst
│ │ ├── Spec.Blake2.Alternative.fsti
│ │ ├── Spec.Blake2.Incremental.fst
│ │ ├── Spec.Blake2.Incremental.fsti
│ │ ├── Spec.Curve25519.Lemmas.fst
│ │ ├── Spec.Ed25519.Lemmas.fst
│ │ ├── Spec.Ed25519.Lemmas.fsti
│ │ ├── Spec.HMAC.Incremental.fst
│ │ ├── Spec.HMAC.Incremental.fsti
│ │ ├── Spec.Hash.Incremental.Definitions.fst
│ │ ├── Spec.Hash.Incremental.fst
│ │ ├── Spec.Hash.Incremental.fsti
│ │ ├── Spec.Hash.Lemmas.fst
│ │ ├── Spec.Hash.Lemmas.fsti
│ │ ├── Spec.K256.Lemmas.fst
│ │ ├── Spec.K256.Lemmas.fsti
│ │ ├── Spec.MD.Incremental.fst
│ │ ├── Spec.MD.Incremental.fsti
│ │ ├── Spec.P256.Lemmas.fst
│ │ ├── Spec.P256.Lemmas.fsti
│ │ ├── Spec.SHA2.Lemmas.fst
│ │ ├── Spec.SHA2.Lemmas.fsti
│ │ ├── Spec.SHA3.Equivalence.fst
│ │ ├── Spec.SHA3.Incremental.fst
│ │ └── Spec.SHA3.Incremental.fsti
│ ├── make_hpke_constants.py
│ ├── make_md5_tests.sh
│ ├── make_sha1_tests.sh
│ └── tests/
│ ├── Makefile
│ ├── Spec.AES.Test.fst
│ ├── Spec.Blake2.Test.fst
│ ├── Spec.Box.Test.fst
│ ├── Spec.Chacha20.Test.fst
│ ├── Spec.Chacha20Poly1305.Test.fst
│ ├── Spec.Curve25519.Test.fst
│ ├── Spec.Ed25519.Test.fst
│ ├── Spec.Frodo.Test.fst
│ ├── Spec.HKDF.Test.fst
│ ├── Spec.HMAC.Test.fst
│ ├── Spec.HMAC_DRBG.Test.fst
│ ├── Spec.Hash.Test.fst
│ ├── Spec.K256.Test.fst
│ ├── Spec.P256.Test.fst
│ ├── Spec.Poly1305.Test.fst
│ ├── Spec.SHA3.Test.fst
│ ├── Spec.Salsa20.Test.fst
│ ├── Spec.SecretBox.Test.fst
│ ├── hpke/
│ │ ├── Test_Spec_Agile_HPKE.ml
│ │ ├── test-vectors-final-pp.json
│ │ └── test-vectors-supported.json
│ └── p256/
│ ├── Makefile
│ ├── SigGen.txt
│ ├── SigVer.rsp
│ ├── Spec.ECDSA.Test.Vectors.fst
│ ├── Spec.ECDSA.Test.Vectors.fstp
│ └── cavp_parse.py
├── tests/
│ ├── FrodoKEM-64-test.c
│ ├── FrodoKEM-64_vectors.h
│ ├── Makefile
│ ├── README
│ ├── bignum4096-test.c
│ ├── bignum4096_vectors.h
│ ├── blake2-32-test.c
│ ├── blake2_vectors.h
│ ├── blake2b-256-test-streaming.c
│ ├── blake2b-256-test.c
│ ├── blake2b-32-test-streaming.c
│ ├── blake2s-128-test-streaming.c
│ ├── blake2s-128-test.c
│ ├── blake2s-32-test-streaming.c
│ ├── chacha20-test.c
│ ├── chacha20-vec-test.c
│ ├── chacha20_vectors.h
│ ├── chacha20poly1305-128-test.c
│ ├── chacha20poly1305-256-test.c
│ ├── chacha20poly1305-32-test.c
│ ├── chacha20poly1305_vectors.h
│ ├── curve25519_vectors.h
│ ├── curve51-ours.c
│ ├── curve64-ours.c
│ ├── curve64-rfc.c
│ ├── ecdhp256-test.c
│ ├── ecdhp256-tvs.h
│ ├── ecdhp256_tv_w.h
│ ├── ecdsap256_tv_w.h
│ ├── ed25519-test.c
│ ├── ffdhe-test.c
│ ├── ffdhe_vectors.h
│ ├── gen_vectors/
│ │ └── gen_uint128_intrinsics_vectors.py
│ ├── k256-ecdsa-test.c
│ ├── k256-ecdsa_vectors.h
│ ├── naclbox-test.c
│ ├── naclbox_vectors.h
│ ├── p256-test.c
│ ├── poly1305-128-test-streaming.c
│ ├── poly1305-128-test.c
│ ├── poly1305-256-test-streaming.c
│ ├── poly1305-256-test.c
│ ├── poly1305-32-test-streaming.c
│ ├── poly1305-32-test.c
│ ├── poly1305_vectors.h
│ ├── rfc7748_src/
│ │ ├── fp25519_x64.c
│ │ ├── fp25519_x64.h
│ │ ├── fp448_x64.c
│ │ ├── fp448_x64.h
│ │ ├── rfc7748_precomputed.h
│ │ ├── table_ladder_x25519.h
│ │ ├── table_ladder_x448.h
│ │ ├── x25519_x64.c
│ │ └── x448_x64.c
│ ├── rsapss-test.c
│ ├── rsapss_vectors.h
│ ├── salsa20-test.c
│ ├── sha2-mb-test.c
│ ├── sha2-test-streaming.c
│ ├── sha2-test.c
│ ├── sha2_vectors.h
│ ├── sha2mb_vectors.h
│ ├── sha3-streaming-test.c
│ ├── test_helpers.h
│ ├── tests-openssl/
│ │ ├── chacha20-vec-test.c
│ │ ├── jasmin-chacha-avx2/
│ │ │ ├── Makefile
│ │ │ ├── api.h
│ │ │ ├── chacha20.japp
│ │ │ ├── chacha20.jazz
│ │ │ ├── chacha20.s
│ │ │ ├── chacha20_jazz.c
│ │ │ └── impl.h
│ │ ├── jasmin-poly-avx2/
│ │ │ ├── Makefile
│ │ │ ├── api.h
│ │ │ ├── auth_jazz.c
│ │ │ ├── impl.h
│ │ │ ├── poly1305.japp
│ │ │ ├── poly1305.jazz
│ │ │ ├── poly1305.s
│ │ │ └── verify_jazz.c
│ │ └── poly1305-test.c
│ ├── uint128-intrinsics-test.c
│ ├── uint128-intrinsics_vectors.h
│ └── vec-128-test.c
├── tools/
│ ├── findpython3.sh
│ ├── get_vale.sh
│ ├── sloccount.sh
│ └── valedepend.py
└── vale/
├── .gitignore
├── .tested_fstar_version
├── .tested_z3_version
├── .vale_version
├── CODE.md
├── Hacl.Vale.fst.config.json
├── INSTALL.md
├── LICENSE
├── Makefile
├── README.md
├── SConstruct
├── code/
│ ├── .gitattributes
│ ├── arch/
│ │ ├── Makefile
│ │ ├── Vale.Arch.BufferFriend.fst
│ │ ├── Vale.Arch.BufferFriend.fsti
│ │ ├── Vale.Arch.Heap.fst
│ │ ├── Vale.Arch.HeapImpl.fst
│ │ ├── Vale.Arch.HeapImpl.fsti
│ │ ├── Vale.Arch.HeapLemmas.fst
│ │ ├── Vale.Arch.HeapLemmas.fsti
│ │ ├── Vale.Arch.MachineHeap.fst
│ │ ├── Vale.Arch.MachineHeap.fsti
│ │ ├── Vale.Arch.Types.fst
│ │ ├── Vale.Arch.Types.fsti
│ │ ├── Vale.Arch.TypesNative.fst
│ │ ├── Vale.Arch.TypesNative.fsti
│ │ ├── ppc64le/
│ │ │ ├── Makefile
│ │ │ ├── Vale.PPC64LE.Decls.fst
│ │ │ ├── Vale.PPC64LE.Decls.fsti
│ │ │ ├── Vale.PPC64LE.InsBasic.vaf
│ │ │ ├── Vale.PPC64LE.InsMem.vaf
│ │ │ ├── Vale.PPC64LE.InsStack.vaf
│ │ │ ├── Vale.PPC64LE.InsVector.vaf
│ │ │ ├── Vale.PPC64LE.Lemmas.fst
│ │ │ ├── Vale.PPC64LE.Lemmas.fsti
│ │ │ ├── Vale.PPC64LE.Memory.fst
│ │ │ ├── Vale.PPC64LE.Memory.fsti
│ │ │ ├── Vale.PPC64LE.Memory_Sems.fst
│ │ │ ├── Vale.PPC64LE.Memory_Sems.fsti
│ │ │ ├── Vale.PPC64LE.QuickCode.fst
│ │ │ ├── Vale.PPC64LE.QuickCodes.fst
│ │ │ ├── Vale.PPC64LE.QuickCodes.fsti
│ │ │ ├── Vale.PPC64LE.Regs.fst
│ │ │ ├── Vale.PPC64LE.Regs.fsti
│ │ │ ├── Vale.PPC64LE.Stack_Sems.fst
│ │ │ ├── Vale.PPC64LE.Stack_Sems.fsti
│ │ │ ├── Vale.PPC64LE.Stack_i.fst
│ │ │ ├── Vale.PPC64LE.Stack_i.fsti
│ │ │ ├── Vale.PPC64LE.State.fst
│ │ │ ├── Vale.PPC64LE.State.fsti
│ │ │ ├── Vale.PPC64LE.StateLemmas.fst
│ │ │ ├── Vale.PPC64LE.StateLemmas.fsti
│ │ │ ├── Vale.PPC64LE.Vecs.fst
│ │ │ └── Vale.PPC64LE.Vecs.fsti
│ │ └── x64/
│ │ ├── Makefile
│ │ ├── Vale.Interop.fst
│ │ ├── Vale.Interop.fsti
│ │ ├── Vale.X64.BufferViewStore.fst
│ │ ├── Vale.X64.BufferViewStore.fsti
│ │ ├── Vale.X64.Bytes_Semantics.fst
│ │ ├── Vale.X64.Bytes_Semantics.fsti
│ │ ├── Vale.X64.Decls.fst
│ │ ├── Vale.X64.Decls.fsti
│ │ ├── Vale.X64.Flags.fst
│ │ ├── Vale.X64.Flags.fsti
│ │ ├── Vale.X64.InsAes.vaf
│ │ ├── Vale.X64.InsBasic.vaf
│ │ ├── Vale.X64.InsLemmas.fst
│ │ ├── Vale.X64.InsLemmas.fsti
│ │ ├── Vale.X64.InsMem.vaf
│ │ ├── Vale.X64.InsSha.vaf
│ │ ├── Vale.X64.InsStack.vaf
│ │ ├── Vale.X64.InsVector.vaf
│ │ ├── Vale.X64.Leakage.fst
│ │ ├── Vale.X64.Leakage.fsti
│ │ ├── Vale.X64.Leakage_Helpers.fst
│ │ ├── Vale.X64.Leakage_Ins.fst
│ │ ├── Vale.X64.Leakage_Ins.fsti
│ │ ├── Vale.X64.Lemmas.fst
│ │ ├── Vale.X64.Lemmas.fsti
│ │ ├── Vale.X64.Memory.fst
│ │ ├── Vale.X64.Memory.fsti
│ │ ├── Vale.X64.Memory_Sems.fst
│ │ ├── Vale.X64.Memory_Sems.fsti
│ │ ├── Vale.X64.QuickCode.fst
│ │ ├── Vale.X64.QuickCodes.fst
│ │ ├── Vale.X64.QuickCodes.fsti
│ │ ├── Vale.X64.Regs.fst
│ │ ├── Vale.X64.Regs.fsti
│ │ ├── Vale.X64.Stack_Sems.fst
│ │ ├── Vale.X64.Stack_Sems.fsti
│ │ ├── Vale.X64.Stack_i.fst
│ │ ├── Vale.X64.Stack_i.fsti
│ │ ├── Vale.X64.State.fst
│ │ ├── Vale.X64.State.fsti
│ │ ├── Vale.X64.StateLemmas.fst
│ │ ├── Vale.X64.StateLemmas.fsti
│ │ ├── Vale.X64.Taint_Semantics.fst
│ │ ├── Vale.X64.Xmms.fst
│ │ ├── Vale.X64.Xmms.fsti
│ │ └── interop/
│ │ ├── Makefile
│ │ ├── Vale.AES.Gcm_simplify.fst
│ │ ├── Vale.AES.Gcm_simplify.fsti
│ │ ├── Vale.AsLowStar.LowStarSig.fst
│ │ ├── Vale.AsLowStar.MemoryHelpers.fst
│ │ ├── Vale.AsLowStar.MemoryHelpers.fsti
│ │ ├── Vale.AsLowStar.Test.fst
│ │ ├── Vale.AsLowStar.ValeSig.fst
│ │ ├── Vale.AsLowStar.Wrapper.fst
│ │ ├── Vale.AsLowStar.Wrapper.fsti
│ │ ├── Vale.Inline.X64.Fadd_inline.fst
│ │ ├── Vale.Inline.X64.Fadd_inline.fsti
│ │ ├── Vale.Inline.X64.Fmul_inline.fst
│ │ ├── Vale.Inline.X64.Fmul_inline.fsti
│ │ ├── Vale.Inline.X64.Fsqr_inline.fst
│ │ ├── Vale.Inline.X64.Fsqr_inline.fsti
│ │ ├── Vale.Inline.X64.Fswap_inline.fst
│ │ ├── Vale.Inline.X64.Fswap_inline.fsti
│ │ ├── Vale.SHA.Simplify_Sha.fst
│ │ ├── Vale.SHA.Simplify_Sha.fsti
│ │ ├── Vale.Stdcalls.X64.Aes.fst
│ │ ├── Vale.Stdcalls.X64.Aes.fsti
│ │ ├── Vale.Stdcalls.X64.AesHash.fst
│ │ ├── Vale.Stdcalls.X64.Cpuid.fst
│ │ ├── Vale.Stdcalls.X64.Cpuid.fsti
│ │ ├── Vale.Stdcalls.X64.Fadd.fst
│ │ ├── Vale.Stdcalls.X64.Fadd.fsti
│ │ ├── Vale.Stdcalls.X64.Fmul.fst
│ │ ├── Vale.Stdcalls.X64.Fmul.fsti
│ │ ├── Vale.Stdcalls.X64.Fsqr.fst
│ │ ├── Vale.Stdcalls.X64.Fsqr.fsti
│ │ ├── Vale.Stdcalls.X64.Fsub.fst
│ │ ├── Vale.Stdcalls.X64.Fsub.fsti
│ │ ├── Vale.Stdcalls.X64.Fswap.fst
│ │ ├── Vale.Stdcalls.X64.Fswap.fsti
│ │ ├── Vale.Stdcalls.X64.GCM_IV.fst
│ │ ├── Vale.Stdcalls.X64.GCMdecryptOpt.fst
│ │ ├── Vale.Stdcalls.X64.GCMencryptOpt.fst
│ │ ├── Vale.Stdcalls.X64.GCTR.fst
│ │ ├── Vale.Stdcalls.X64.Poly.fst
│ │ ├── Vale.Stdcalls.X64.Poly.fsti
│ │ ├── Vale.Stdcalls.X64.Sha.fst
│ │ ├── Vale.Stdcalls.X64.Sha.fsti
│ │ ├── Vale.Wrapper.X64.AES.fst
│ │ ├── Vale.Wrapper.X64.AES.fsti
│ │ ├── Vale.Wrapper.X64.AEShash.fst
│ │ ├── Vale.Wrapper.X64.AEShash.fsti
│ │ ├── Vale.Wrapper.X64.Cpuid.fst
│ │ ├── Vale.Wrapper.X64.Cpuid.fsti
│ │ ├── Vale.Wrapper.X64.Fadd.fst
│ │ ├── Vale.Wrapper.X64.Fadd.fsti
│ │ ├── Vale.Wrapper.X64.Fmul.fst
│ │ ├── Vale.Wrapper.X64.Fmul.fsti
│ │ ├── Vale.Wrapper.X64.Fsqr.fst
│ │ ├── Vale.Wrapper.X64.Fsqr.fsti
│ │ ├── Vale.Wrapper.X64.Fsub.fst
│ │ ├── Vale.Wrapper.X64.Fsub.fsti
│ │ ├── Vale.Wrapper.X64.Fswap.fst
│ │ ├── Vale.Wrapper.X64.Fswap.fsti
│ │ ├── Vale.Wrapper.X64.GCM_IV.fst
│ │ ├── Vale.Wrapper.X64.GCM_IV.fsti
│ │ ├── Vale.Wrapper.X64.GCMdecryptOpt.fst
│ │ ├── Vale.Wrapper.X64.GCMdecryptOpt.fsti
│ │ ├── Vale.Wrapper.X64.GCMdecryptOpt256.fst
│ │ ├── Vale.Wrapper.X64.GCMdecryptOpt256.fsti
│ │ ├── Vale.Wrapper.X64.GCMencryptOpt.fst
│ │ ├── Vale.Wrapper.X64.GCMencryptOpt.fsti
│ │ ├── Vale.Wrapper.X64.GCMencryptOpt256.fst
│ │ ├── Vale.Wrapper.X64.GCMencryptOpt256.fsti
│ │ ├── Vale.Wrapper.X64.GCTR.fst
│ │ ├── Vale.Wrapper.X64.GCTR.fsti
│ │ ├── Vale.Wrapper.X64.Poly.fst
│ │ ├── Vale.Wrapper.X64.Poly.fsti
│ │ ├── Vale.Wrapper.X64.Sha.fst
│ │ ├── Vale.Wrapper.X64.Sha.fsti
│ │ ├── Vale.X64.MemoryAdapters.fst
│ │ └── Vale.X64.MemoryAdapters.fsti
│ ├── crypto/
│ │ ├── aes/
│ │ │ ├── Makefile
│ │ │ ├── Vale.AES.AES256_helpers.fst
│ │ │ ├── Vale.AES.AES256_helpers.fsti
│ │ │ ├── Vale.AES.AES256_helpers_BE.fst
│ │ │ ├── Vale.AES.AES256_helpers_BE.fsti
│ │ │ ├── Vale.AES.AES_helpers.fst
│ │ │ ├── Vale.AES.AES_helpers.fsti
│ │ │ ├── Vale.AES.AES_helpers_BE.fst
│ │ │ ├── Vale.AES.AES_helpers_BE.fsti
│ │ │ ├── Vale.AES.GCM.fst
│ │ │ ├── Vale.AES.GCM.fsti
│ │ │ ├── Vale.AES.GCM_BE.fst
│ │ │ ├── Vale.AES.GCM_BE.fsti
│ │ │ ├── Vale.AES.GCM_helpers.fst
│ │ │ ├── Vale.AES.GCM_helpers.fsti
│ │ │ ├── Vale.AES.GCM_helpers_BE.fst
│ │ │ ├── Vale.AES.GCM_helpers_BE.fsti
│ │ │ ├── Vale.AES.GCTR.fst
│ │ │ ├── Vale.AES.GCTR.fsti
│ │ │ ├── Vale.AES.GCTR_BE.fst
│ │ │ ├── Vale.AES.GCTR_BE.fsti
│ │ │ ├── Vale.AES.GF128.fst
│ │ │ ├── Vale.AES.GF128.fsti
│ │ │ ├── Vale.AES.GHash.fst
│ │ │ ├── Vale.AES.GHash.fsti
│ │ │ ├── Vale.AES.GHash_BE.fst
│ │ │ ├── Vale.AES.GHash_BE.fsti
│ │ │ ├── Vale.AES.OptPublic.fst
│ │ │ ├── Vale.AES.OptPublic.fsti
│ │ │ ├── Vale.AES.OptPublic_BE.fst
│ │ │ ├── Vale.AES.OptPublic_BE.fsti
│ │ │ ├── Vale.AES.Types_helpers.fst
│ │ │ ├── Vale.AES.Types_helpers.fsti
│ │ │ ├── aes.h
│ │ │ ├── ppc64le/
│ │ │ │ ├── Main.ml
│ │ │ │ ├── TestAesGcm.cpp
│ │ │ │ ├── Vale.AES.PPC64LE.AES.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.AES128.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.AES256.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GCMdecrypt.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GCMencrypt.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GCTR.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GF128_Init.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GF128_Mul.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.GHash.vaf
│ │ │ │ ├── Vale.AES.PPC64LE.PolyOps.vaf
│ │ │ │ └── aes-gcm.h
│ │ │ ├── testaes.c
│ │ │ └── x64/
│ │ │ ├── Main.ml
│ │ │ ├── TestAesGcm.cpp
│ │ │ ├── Vale.AES.X64.AES.vaf
│ │ │ ├── Vale.AES.X64.AES128.vaf
│ │ │ ├── Vale.AES.X64.AES256.vaf
│ │ │ ├── Vale.AES.X64.GCMdecryptOpt.vaf
│ │ │ ├── Vale.AES.X64.GCMencryptOpt.vaf
│ │ │ ├── Vale.AES.X64.GCTR.vaf
│ │ │ ├── Vale.AES.X64.GF128_Init.vaf
│ │ │ ├── Vale.AES.X64.GF128_Mul.vaf
│ │ │ ├── Vale.AES.X64.GHash.vaf
│ │ │ ├── Vale.AES.X64.PolyOps.vaf
│ │ │ └── aes-gcm.h
│ │ ├── bignum/
│ │ │ ├── Makefile
│ │ │ ├── Vale.Bignum.Defs.fst
│ │ │ ├── Vale.Bignum.Defs.fsti
│ │ │ ├── Vale.Bignum.Lemmas.fst
│ │ │ ├── Vale.Bignum.Lemmas.fsti
│ │ │ └── Vale.Bignum.X64.vaf
│ │ ├── ecc/
│ │ │ └── curve25519/
│ │ │ ├── Inline25519.ml
│ │ │ ├── Main25519.ml
│ │ │ ├── Makefile
│ │ │ ├── Vale.Curve25519.FastHybrid_helpers.fst
│ │ │ ├── Vale.Curve25519.FastHybrid_helpers.fsti
│ │ │ ├── Vale.Curve25519.FastMul_helpers.fst
│ │ │ ├── Vale.Curve25519.FastMul_helpers.fsti
│ │ │ ├── Vale.Curve25519.FastSqr_helpers.fst
│ │ │ ├── Vale.Curve25519.FastSqr_helpers.fsti
│ │ │ ├── Vale.Curve25519.FastUtil_helpers.fst
│ │ │ ├── Vale.Curve25519.FastUtil_helpers.fsti
│ │ │ ├── Vale.Curve25519.Fast_defs.fst
│ │ │ ├── Vale.Curve25519.Fast_lemmas_external.fst
│ │ │ ├── Vale.Curve25519.Fast_lemmas_external.fsti
│ │ │ ├── Vale.Curve25519.Fast_lemmas_internal.fst
│ │ │ ├── Vale.Curve25519.Fast_lemmas_internal.fsti
│ │ │ └── test_ecc.c
│ │ ├── poly1305/
│ │ │ ├── Makefile
│ │ │ ├── Vale.Poly1305.Equiv.fst
│ │ │ ├── Vale.Poly1305.Equiv.fsti
│ │ │ ├── testpoly1305.c
│ │ │ └── x64/
│ │ │ ├── Makefile
│ │ │ ├── PolyMain.ml
│ │ │ ├── Vale.Poly1305.Bitvectors.fst
│ │ │ ├── Vale.Poly1305.Bitvectors.fsti
│ │ │ ├── Vale.Poly1305.CallingFromLowStar.fst
│ │ │ ├── Vale.Poly1305.CallingFromLowStar.fsti
│ │ │ ├── Vale.Poly1305.Math.fst
│ │ │ ├── Vale.Poly1305.Math.fsti
│ │ │ ├── Vale.Poly1305.Util.fst
│ │ │ └── Vale.Poly1305.Util.fsti
│ │ └── sha/
│ │ ├── Makefile
│ │ ├── ShaMain.ml
│ │ ├── ShaMainPPC64LE.ml
│ │ ├── TestSha.cpp
│ │ ├── TestShaPPC64LE.cpp
│ │ ├── Vale.SHA.PPC64LE.SHA_helpers.fst
│ │ ├── Vale.SHA.PPC64LE.SHA_helpers.fsti
│ │ ├── Vale.SHA.SHA_helpers.fst
│ │ └── Vale.SHA.SHA_helpers.fsti
│ ├── lib/
│ │ ├── collections/
│ │ │ ├── Makefile
│ │ │ ├── Vale.Lib.Lists.fst
│ │ │ ├── Vale.Lib.Lists.fsti
│ │ │ ├── Vale.Lib.Map16.fst
│ │ │ ├── Vale.Lib.Map16.fsti
│ │ │ ├── Vale.Lib.MapTree.fst
│ │ │ ├── Vale.Lib.MapTree.fsti
│ │ │ ├── Vale.Lib.Seqs.fst
│ │ │ └── Vale.Lib.Seqs.fsti
│ │ ├── math/
│ │ │ ├── Makefile
│ │ │ ├── Vale.Math.Bits.fst
│ │ │ ├── Vale.Math.Bits.fsti
│ │ │ ├── Vale.Math.Lemmas.Int.fst
│ │ │ ├── Vale.Math.Lemmas.Int.fsti
│ │ │ ├── Vale.Math.Poly2.Bits.fst
│ │ │ ├── Vale.Math.Poly2.Bits.fsti
│ │ │ ├── Vale.Math.Poly2.Defs.fst
│ │ │ ├── Vale.Math.Poly2.Galois.IntTypes.fst
│ │ │ ├── Vale.Math.Poly2.Galois.IntTypes.fsti
│ │ │ ├── Vale.Math.Poly2.Galois.Lemmas.fst
│ │ │ ├── Vale.Math.Poly2.Galois.Lemmas.fsti
│ │ │ ├── Vale.Math.Poly2.Galois.fst
│ │ │ ├── Vale.Math.Poly2.Galois.fsti
│ │ │ ├── Vale.Math.Poly2.Lemmas.fst
│ │ │ ├── Vale.Math.Poly2.Lemmas.fsti
│ │ │ ├── Vale.Math.Poly2.Words.fst
│ │ │ ├── Vale.Math.Poly2.Words.fsti
│ │ │ ├── Vale.Math.Poly2.fst
│ │ │ └── Vale.Math.Poly2.fsti
│ │ ├── transformers/
│ │ │ ├── Makefile
│ │ │ ├── Vale.Transformers.BoundedInstructionEffects.fst
│ │ │ ├── Vale.Transformers.BoundedInstructionEffects.fsti
│ │ │ ├── Vale.Transformers.Common.fst
│ │ │ ├── Vale.Transformers.Common.fsti
│ │ │ ├── Vale.Transformers.DebugPrint.fst
│ │ │ ├── Vale.Transformers.InstructionReorder.fst
│ │ │ ├── Vale.Transformers.InstructionReorderSanityChecks.fst
│ │ │ ├── Vale.Transformers.InstructionReorderSanityChecks.fsti
│ │ │ ├── Vale.Transformers.Locations.fst
│ │ │ ├── Vale.Transformers.Locations.fsti
│ │ │ ├── Vale.Transformers.MovMovElim.fst
│ │ │ ├── Vale.Transformers.MovbeElim.fst
│ │ │ ├── Vale.Transformers.PeepHole.fst
│ │ │ ├── Vale.Transformers.PeepHole.fsti
│ │ │ ├── Vale.Transformers.PrefetchElim.fst
│ │ │ ├── Vale.Transformers.Transform.fst
│ │ │ └── Vale.Transformers.Transform.fsti
│ │ └── util/
│ │ ├── CmdLineParser.ml
│ │ ├── Makefile
│ │ ├── Vale.Def.Words.Seq.fst
│ │ ├── Vale.Def.Words.Seq.fsti
│ │ ├── Vale.Def.Words.Two.fst
│ │ ├── Vale.Def.Words.Two.fsti
│ │ ├── Vale.Lib.Basic.vaf
│ │ ├── Vale.Lib.BufferViewHelpers.fst
│ │ ├── Vale.Lib.Meta.fst
│ │ ├── Vale.Lib.Meta.fsti
│ │ ├── Vale.Lib.Operator.vaf
│ │ ├── Vale.Lib.Tactics.fst
│ │ └── x64/
│ │ ├── CpuidMain.ml
│ │ ├── Vale.Lib.X64.Cpuid.vaf
│ │ ├── Vale.X64.Stack.vaf
│ │ └── stdcalls/
│ │ └── Vale.Lib.X64.Cpuidstdcall.vaf
│ ├── test/
│ │ ├── Makefile
│ │ ├── TestInline.c
│ │ ├── TestInlineMain.ml
│ │ ├── Vale.Test.TestInline.fst
│ │ ├── Vale.Test.X64.Args.vaf
│ │ ├── Vale.Test.X64.Memcpy.vaf
│ │ └── Vale.Test.X64.Vale_memcpy.vaf
│ └── thirdPartyPorts/
│ ├── Intel/
│ │ ├── README.md
│ │ └── aes/
│ │ └── x64/
│ │ ├── Vale.AES.X64.AESCTR.vaf
│ │ └── Vale.AES.X64.AESCTRplain.vaf
│ ├── OpenSSL/
│ │ ├── README.md
│ │ ├── aes/
│ │ │ ├── Vale.AES.X64.AESGCM.vaf
│ │ │ ├── Vale.AES.X64.AESGCM_expected_code.vaf
│ │ │ ├── Vale.AES.X64.AESopt.vaf
│ │ │ └── Vale.AES.X64.AESopt2.vaf
│ │ ├── poly1305/
│ │ │ └── x64/
│ │ │ └── Vale.Poly1305.X64.vaf
│ │ └── sha/
│ │ ├── Vale.SHA.PPC64LE.Loop.vaf
│ │ ├── Vale.SHA.PPC64LE.Rounds.Core.vaf
│ │ ├── Vale.SHA.PPC64LE.Rounds.vaf
│ │ ├── Vale.SHA.PPC64LE.vaf
│ │ └── Vale.SHA.X64.vaf
│ ├── SymCrypt/
│ │ ├── README.md
│ │ └── bignum/
│ │ └── Vale.FDefMulx.X64.vaf
│ └── rfc7748/
│ ├── README.md
│ └── curve25519/
│ └── x64/
│ ├── Vale.Curve25519.X64.FastHybrid.vaf
│ ├── Vale.Curve25519.X64.FastMul.vaf
│ ├── Vale.Curve25519.X64.FastSqr.vaf
│ ├── Vale.Curve25519.X64.FastUtil.vaf
│ └── Vale.Curve25519.X64.FastWide.vaf
├── doc/
│ ├── .gitattributes
│ └── compilation.txt
├── run_scons.sh
├── scons_cygwin.sh
├── scripts/
│ └── ingest-openssl-perl.py
└── specs/
├── crypto/
│ ├── Makefile
│ ├── Vale.AES.AES_BE_s.fst
│ ├── Vale.AES.AES_common_s.fst
│ ├── Vale.AES.AES_s.fst
│ ├── Vale.AES.GCM_BE_s.fst
│ ├── Vale.AES.GCM_s.fst
│ ├── Vale.AES.GCTR_BE_s.fst
│ ├── Vale.AES.GCTR_s.fst
│ ├── Vale.AES.GF128_s.fst
│ ├── Vale.AES.GF128_s.fsti
│ ├── Vale.AES.GHash_BE_s.fst
│ ├── Vale.AES.GHash_s.fst
│ ├── Vale.Poly1305.Spec_s.fst
│ ├── Vale.SHA2.Wrapper.fst
│ └── Vale.SHA2.Wrapper.fsti
├── defs/
│ ├── Makefile
│ ├── Vale.Def.Opaque_s.fst
│ ├── Vale.Def.Opaque_s.fsti
│ ├── Vale.Def.PossiblyMonad.fst
│ ├── Vale.Def.Prop_s.fst
│ ├── Vale.Def.Sel.fst
│ ├── Vale.Def.TypesNative_s.fst
│ ├── Vale.Def.Types_s.fst
│ ├── Vale.Def.Words.Four_s.fst
│ ├── Vale.Def.Words.Four_s.fsti
│ ├── Vale.Def.Words.Seq_s.fst
│ ├── Vale.Def.Words.Seq_s.fsti
│ ├── Vale.Def.Words.Two_s.fst
│ ├── Vale.Def.Words.Two_s.fsti
│ ├── Vale.Def.Words_s.fst
│ ├── Vale.Def.Words_s.fsti
│ ├── Vale.Lib.Bv_s.fst
│ ├── Vale.Lib.Seqs_s.fst
│ ├── Vale.Lib.Set.fst
│ └── Vale.Lib.Set.fsti
├── hardware/
│ ├── Makefile
│ ├── Vale.Arch.Heap.fsti
│ ├── Vale.Arch.HeapTypes_s.fst
│ ├── Vale.Arch.MachineHeap_s.fst
│ ├── Vale.PPC64LE.Machine_s.fst
│ ├── Vale.PPC64LE.Print_s.fst
│ ├── Vale.PPC64LE.Semantics_s.fst
│ ├── Vale.X64.Bytes_Code_s.fst
│ ├── Vale.X64.CPU_Features_s.fst
│ ├── Vale.X64.CryptoInstructions_s.fst
│ ├── Vale.X64.CryptoInstructions_s.fsti
│ ├── Vale.X64.Instruction_s.fst
│ ├── Vale.X64.Instruction_s.fsti
│ ├── Vale.X64.Instructions_s.fst
│ ├── Vale.X64.Instructions_s.fsti
│ ├── Vale.X64.Leakage_s.fst
│ ├── Vale.X64.Machine_Semantics_s.fst
│ ├── Vale.X64.Machine_s.fst
│ ├── Vale.X64.Print_Inline_s.fst
│ └── Vale.X64.Print_s.fst
├── interop/
│ ├── Makefile
│ ├── Vale.Interop.Assumptions.fst
│ ├── Vale.Interop.Base.fst
│ ├── Vale.Interop.Heap_s.fst
│ ├── Vale.Interop.Types.fst
│ ├── Vale.Interop.Views.fst
│ ├── Vale.Interop.Views.fsti
│ ├── Vale.Interop.X64.fst
│ └── Vale.Interop.X64.fsti
└── math/
├── Makefile
├── Vale.Math.Poly2.Bits_s.fst
├── Vale.Math.Poly2.Bits_s.fsti
├── Vale.Math.Poly2.Defs_s.fst
├── Vale.Math.Poly2_s.fst
└── Vale.Math.Poly2_s.fsti
Showing preview only (519K chars total). Download the full file or copy to clipboard to get everything.
SYMBOL INDEX (5337 symbols across 566 files)
FILE: code/ed25519/Hacl.Benchmark.Ed25519.c
type LONGLONG (line 6) | typedef LONGLONG TIME;
function get_time (line 8) | void get_time(TIME *t)
function time_diff_in_secs (line 15) | double time_diff_in_secs(TIME *before, TIME *after)
type TIME (line 27) | typedef struct timespec TIME;
function get_time (line 29) | void get_time(TIME *t)
function time_diff_in_secs (line 34) | double time_diff_in_secs(TIME *from, TIME *to)
function main (line 44) | int main(void)
FILE: code/tests/Hacl.Benchmark.Ed25519.c
type LONGLONG (line 6) | typedef LONGLONG TIME;
function get_time (line 8) | void get_time(TIME *t)
function time_diff_in_secs (line 15) | double time_diff_in_secs(TIME *before, TIME *after)
type TIME (line 27) | typedef struct timespec TIME;
function get_time (line 29) | void get_time(TIME *t)
function time_diff_in_secs (line 34) | double time_diff_in_secs(TIME *from, TIME *to)
function main (line 44) | int main(void)
FILE: dist/gcc-compatible/EverCrypt_AEAD.c
function EverCrypt_AEAD_uu___is_Ek (line 40) | bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_sta...
function Spec_Agile_AEAD_alg (line 54) | Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s)
function EverCrypt_Error_error_code (line 79) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 94) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 127) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 176) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 200) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 323) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 465) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 520) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 664) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 800) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 941) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1082) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1105) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1168) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1303) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1438) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1500) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1548) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1698) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1840) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1987) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 2134) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 2156) | EverCrypt_Error_error_code
function EverCrypt_AEAD_free (line 2224) | void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s)
FILE: dist/gcc-compatible/EverCrypt_AEAD.h
type EverCrypt_AEAD_state_s (line 41) | typedef struct EverCrypt_AEAD_state_s_s EverCrypt_AEAD_state_s;
FILE: dist/gcc-compatible/EverCrypt_AutoConfig2.c
function EverCrypt_AutoConfig2_has_shaext (line 53) | bool EverCrypt_AutoConfig2_has_shaext(void)
function EverCrypt_AutoConfig2_has_aesni (line 58) | bool EverCrypt_AutoConfig2_has_aesni(void)
function EverCrypt_AutoConfig2_has_pclmulqdq (line 63) | bool EverCrypt_AutoConfig2_has_pclmulqdq(void)
function EverCrypt_AutoConfig2_has_avx2 (line 68) | bool EverCrypt_AutoConfig2_has_avx2(void)
function EverCrypt_AutoConfig2_has_avx (line 73) | bool EverCrypt_AutoConfig2_has_avx(void)
function EverCrypt_AutoConfig2_has_bmi2 (line 78) | bool EverCrypt_AutoConfig2_has_bmi2(void)
function EverCrypt_AutoConfig2_has_adx (line 83) | bool EverCrypt_AutoConfig2_has_adx(void)
function EverCrypt_AutoConfig2_has_sse (line 88) | bool EverCrypt_AutoConfig2_has_sse(void)
function EverCrypt_AutoConfig2_has_movbe (line 93) | bool EverCrypt_AutoConfig2_has_movbe(void)
function EverCrypt_AutoConfig2_has_rdrand (line 98) | bool EverCrypt_AutoConfig2_has_rdrand(void)
function EverCrypt_AutoConfig2_has_avx512 (line 103) | bool EverCrypt_AutoConfig2_has_avx512(void)
function EverCrypt_AutoConfig2_recall (line 108) | void EverCrypt_AutoConfig2_recall(void)
function EverCrypt_AutoConfig2_init (line 113) | void EverCrypt_AutoConfig2_init(void)
function EverCrypt_AutoConfig2_disable_avx2 (line 182) | void EverCrypt_AutoConfig2_disable_avx2(void)
function EverCrypt_AutoConfig2_disable_avx (line 187) | void EverCrypt_AutoConfig2_disable_avx(void)
function EverCrypt_AutoConfig2_disable_bmi2 (line 192) | void EverCrypt_AutoConfig2_disable_bmi2(void)
function EverCrypt_AutoConfig2_disable_adx (line 197) | void EverCrypt_AutoConfig2_disable_adx(void)
function EverCrypt_AutoConfig2_disable_shaext (line 202) | void EverCrypt_AutoConfig2_disable_shaext(void)
function EverCrypt_AutoConfig2_disable_aesni (line 207) | void EverCrypt_AutoConfig2_disable_aesni(void)
function EverCrypt_AutoConfig2_disable_pclmulqdq (line 212) | void EverCrypt_AutoConfig2_disable_pclmulqdq(void)
function EverCrypt_AutoConfig2_disable_sse (line 217) | void EverCrypt_AutoConfig2_disable_sse(void)
function EverCrypt_AutoConfig2_disable_movbe (line 222) | void EverCrypt_AutoConfig2_disable_movbe(void)
function EverCrypt_AutoConfig2_disable_rdrand (line 227) | void EverCrypt_AutoConfig2_disable_rdrand(void)
function EverCrypt_AutoConfig2_disable_avx512 (line 232) | void EverCrypt_AutoConfig2_disable_avx512(void)
function EverCrypt_AutoConfig2_has_vec128 (line 237) | bool EverCrypt_AutoConfig2_has_vec128(void)
function EverCrypt_AutoConfig2_has_vec256 (line 244) | bool EverCrypt_AutoConfig2_has_vec256(void)
FILE: dist/gcc-compatible/EverCrypt_Chacha20Poly1305.c
function EverCrypt_Chacha20Poly1305_aead_encrypt (line 34) | void
function EverCrypt_Chacha20Poly1305_aead_decrypt (line 69) | uint32_t
FILE: dist/gcc-compatible/EverCrypt_Cipher.c
function EverCrypt_Cipher_chacha20 (line 30) | void
FILE: dist/gcc-compatible/EverCrypt_Curve25519.c
function EverCrypt_Curve25519_secret_to_public (line 41) | void EverCrypt_Curve25519_secret_to_public(uint8_t *pub, uint8_t *priv)
function EverCrypt_Curve25519_scalarmult (line 64) | void EverCrypt_Curve25519_scalarmult(uint8_t *shared, uint8_t *my_priv, ...
function EverCrypt_Curve25519_ecdh (line 87) | bool EverCrypt_Curve25519_ecdh(uint8_t *shared, uint8_t *my_priv, uint8_...
FILE: dist/gcc-compatible/EverCrypt_DRBG.c
function EverCrypt_DRBG_min_length (line 44) | uint32_t EverCrypt_DRBG_min_length(Spec_Hash_Definitions_hash_alg a)
function EverCrypt_DRBG_uu___is_SHA1_s (line 72) | bool
function EverCrypt_DRBG_uu___is_SHA2_256_s (line 86) | bool
function EverCrypt_DRBG_uu___is_SHA2_384_s (line 100) | bool
function EverCrypt_DRBG_uu___is_SHA2_512_s (line 114) | bool
function EverCrypt_DRBG_state_s (line 128) | EverCrypt_DRBG_state_s *EverCrypt_DRBG_create_in(Spec_Hash_Definitions_h...
function EverCrypt_DRBG_state_s (line 231) | EverCrypt_DRBG_state_s *EverCrypt_DRBG_create(Spec_Hash_Definitions_hash...
function instantiate_sha1 (line 236) | static bool
function instantiate_sha2_256 (line 324) | static bool
function instantiate_sha2_384 (line 412) | static bool
function instantiate_sha2_512 (line 500) | static bool
function reseed_sha1 (line 588) | static bool
function reseed_sha2_256 (line 667) | static bool
function reseed_sha2_384 (line 746) | static bool
function reseed_sha2_512 (line 825) | static bool
function generate_sha1 (line 904) | static bool
function generate_sha2_256 (line 1116) | static bool
function generate_sha2_384 (line 1328) | static bool
function generate_sha2_512 (line 1540) | static bool
function uninstantiate_sha1 (line 1752) | static void uninstantiate_sha1(EverCrypt_DRBG_state_s *st)
function uninstantiate_sha2_256 (line 1776) | static void uninstantiate_sha2_256(EverCrypt_DRBG_state_s *st)
function uninstantiate_sha2_384 (line 1800) | static void uninstantiate_sha2_384(EverCrypt_DRBG_state_s *st)
function uninstantiate_sha2_512 (line 1824) | static void uninstantiate_sha2_512(EverCrypt_DRBG_state_s *st)
function EverCrypt_DRBG_instantiate (line 1857) | bool
function EverCrypt_DRBG_reseed (line 1897) | bool
function EverCrypt_DRBG_generate (line 1939) | bool
function EverCrypt_DRBG_uninstantiate (line 1977) | void EverCrypt_DRBG_uninstantiate(EverCrypt_DRBG_state_s *st)
FILE: dist/gcc-compatible/EverCrypt_DRBG.h
type Spec_Hash_Definitions_hash_alg (line 40) | typedef Spec_Hash_Definitions_hash_alg EverCrypt_DRBG_supported_alg;
type EverCrypt_DRBG_state_s (line 54) | typedef struct EverCrypt_DRBG_state_s_s EverCrypt_DRBG_state_s;
FILE: dist/gcc-compatible/EverCrypt_Ed25519.c
function EverCrypt_Ed25519_secret_to_public (line 30) | void EverCrypt_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *pr...
function EverCrypt_Ed25519_expand_keys (line 35) | void EverCrypt_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *priv...
function EverCrypt_Ed25519_sign_expanded (line 40) | void
function EverCrypt_Ed25519_sign (line 51) | void
function EverCrypt_Ed25519_verify (line 62) | bool
FILE: dist/gcc-compatible/EverCrypt_Error.h
type EverCrypt_Error_error_code (line 46) | typedef uint8_t EverCrypt_Error_error_code;
FILE: dist/gcc-compatible/EverCrypt_HKDF.c
function expand_sha1 (line 31) | static void
function extract_sha1 (line 80) | static void
function expand_sha2_256 (line 86) | static void
function extract_sha2_256 (line 135) | static void
function expand_sha2_384 (line 141) | static void
function extract_sha2_384 (line 190) | static void
function expand_sha2_512 (line 196) | static void
function extract_sha2_512 (line 245) | static void
function expand_blake2s (line 251) | static void
function extract_blake2s (line 300) | static void
function expand_blake2b (line 306) | static void
function extract_blake2b (line 355) | static void
function EverCrypt_HKDF_expand (line 372) | void
function EverCrypt_HKDF_extract (line 440) | void
FILE: dist/gcc-compatible/EverCrypt_HMAC.c
function EverCrypt_HMAC_is_supported_alg (line 41) | bool EverCrypt_HMAC_is_supported_alg(Spec_Hash_Definitions_hash_alg uu___)
function EverCrypt_HMAC_compute_sha1 (line 76) | void
function EverCrypt_HMAC_compute_sha2_256 (line 180) | void
function EverCrypt_HMAC_compute_sha2_384 (line 298) | void
function EverCrypt_HMAC_compute_sha2_512 (line 424) | void
function EverCrypt_HMAC_compute_blake2s (line 550) | void
function EverCrypt_HMAC_compute_blake2b (line 685) | void
function EverCrypt_HMAC_compute (line 828) | void
FILE: dist/gcc-compatible/EverCrypt_HMAC.h
type Spec_Hash_Definitions_hash_alg (line 42) | typedef Spec_Hash_Definitions_hash_alg EverCrypt_HMAC_supported_alg;
FILE: dist/gcc-compatible/EverCrypt_Hash.c
function Spec_Hash_Definitions_hash_alg (line 51) | static Spec_Hash_Definitions_hash_alg alg_of_state(EverCrypt_Hash_state_...
function EverCrypt_Hash_state_s (line 117) | static EverCrypt_Hash_state_s *malloc_(Spec_Hash_Definitions_hash_alg a)
type option___EverCrypt_Hash_state_s_ (line 533) | typedef struct option___EverCrypt_Hash_state_s__s
function option___EverCrypt_Hash_state_s_ (line 540) | static option___EverCrypt_Hash_state_s_ create_in(Spec_Hash_Definitions_...
function init (line 550) | static void init(EverCrypt_Hash_state_s *s)
function EverCrypt_Hash_update_multi_256 (line 669) | void EverCrypt_Hash_update_multi_256(uint32_t *s, uint8_t *blocks, uint3...
function update_multi (line 687) | static void
function update_last (line 820) | static void
function finish (line 949) | static void finish(EverCrypt_Hash_state_s *s, uint8_t *dst)
function free_ (line 1085) | static void free_(EverCrypt_Hash_state_s *s)
function copy (line 1169) | static void copy(EverCrypt_Hash_state_s *s_src, EverCrypt_Hash_state_s *...
function EverCrypt_Hash_Incremental_hash_len (line 1447) | uint32_t EverCrypt_Hash_Incremental_hash_len(Spec_Hash_Definitions_hash_...
function block_len (line 1507) | static uint32_t block_len(Spec_Hash_Definitions_hash_alg a)
function EverCrypt_Hash_Incremental_state_t (line 1581) | EverCrypt_Hash_Incremental_state_t
function EverCrypt_Hash_Incremental_reset (line 1646) | void EverCrypt_Hash_Incremental_reset(EverCrypt_Hash_Incremental_state_t...
function EverCrypt_Error_error_code (line 1666) | EverCrypt_Error_error_code
function digest_md5 (line 1942) | static void digest_md5(EverCrypt_Hash_Incremental_state_t *state, uint8_...
function digest_sha1 (line 1980) | static void digest_sha1(EverCrypt_Hash_Incremental_state_t *state, uint8...
function digest_sha224 (line 2018) | static void digest_sha224(EverCrypt_Hash_Incremental_state_t *state, uin...
function digest_sha256 (line 2057) | static void digest_sha256(EverCrypt_Hash_Incremental_state_t *state, uin...
function digest_sha3_224 (line 2096) | static void digest_sha3_224(EverCrypt_Hash_Incremental_state_t *state, u...
function digest_sha3_256 (line 2135) | static void digest_sha3_256(EverCrypt_Hash_Incremental_state_t *state, u...
function digest_sha3_384 (line 2174) | static void digest_sha3_384(EverCrypt_Hash_Incremental_state_t *state, u...
function digest_sha3_512 (line 2213) | static void digest_sha3_512(EverCrypt_Hash_Incremental_state_t *state, u...
function digest_sha384 (line 2252) | static void digest_sha384(EverCrypt_Hash_Incremental_state_t *state, uin...
function digest_sha512 (line 2291) | static void digest_sha512(EverCrypt_Hash_Incremental_state_t *state, uin...
function digest_blake2s (line 2330) | static void digest_blake2s(EverCrypt_Hash_Incremental_state_t *state, ui...
function digest_blake2b (line 2389) | static void digest_blake2b(EverCrypt_Hash_Incremental_state_t *state, ui...
function Spec_Hash_Definitions_hash_alg (line 2451) | Spec_Hash_Definitions_hash_alg
function EverCrypt_Hash_Incremental_digest (line 2466) | void
function EverCrypt_Hash_Incremental_free (line 2543) | void EverCrypt_Hash_Incremental_free(EverCrypt_Hash_Incremental_state_t ...
function EverCrypt_Hash_Incremental_hash_256 (line 2556) | void EverCrypt_Hash_Incremental_hash_256(uint8_t *output, uint8_t *input...
function hash_224 (line 2594) | static void hash_224(uint8_t *output, uint8_t *input, uint32_t input_len)
function EverCrypt_Hash_Incremental_hash (line 2639) | void
FILE: dist/gcc-compatible/EverCrypt_Hash.h
type EverCrypt_Hash_state_s (line 41) | typedef struct EverCrypt_Hash_state_s_s EverCrypt_Hash_state_s;
type EverCrypt_Hash_Incremental_state_t (line 45) | typedef struct EverCrypt_Hash_Incremental_state_t_s EverCrypt_Hash_Incre...
FILE: dist/gcc-compatible/EverCrypt_Poly1305.c
function KRML_MAYBE_UNUSED (line 35) | KRML_MAYBE_UNUSED static void
function EverCrypt_Poly1305_mac (line 65) | void EverCrypt_Poly1305_mac(uint8_t *output, uint8_t *input, uint32_t in...
FILE: dist/gcc-compatible/Hacl_AEAD_Chacha20Poly1305.c
function poly1305_padded_32 (line 32) | static inline void poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8...
function poly1305_do_32 (line 410) | static inline void
function Hacl_AEAD_Chacha20Poly1305_encrypt (line 569) | void
function Hacl_AEAD_Chacha20Poly1305_decrypt (line 608) | uint32_t
FILE: dist/gcc-compatible/Hacl_AEAD_Chacha20Poly1305_Simd128.c
function poly1305_padded_128 (line 33) | static inline void
function poly1305_do_128 (line 852) | static inline void
function Hacl_AEAD_Chacha20Poly1305_Simd128_encrypt (line 1085) | void
function Hacl_AEAD_Chacha20Poly1305_Simd128_decrypt (line 1124) | uint32_t
FILE: dist/gcc-compatible/Hacl_AEAD_Chacha20Poly1305_Simd256.c
function poly1305_padded_256 (line 33) | static inline void
function poly1305_do_256 (line 853) | static inline void
function Hacl_AEAD_Chacha20Poly1305_Simd256_encrypt (line 1086) | void
function Hacl_AEAD_Chacha20Poly1305_Simd256_decrypt (line 1125) | uint32_t
FILE: dist/gcc-compatible/Hacl_Bignum.c
function Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32 (line 32) | void
function Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64 (line 153) | void
function Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32 (line 274) | void
function Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64 (line 370) | void
function Hacl_Bignum_bn_add_mod_n_u32 (line 466) | void
function Hacl_Bignum_bn_add_mod_n_u64 (line 543) | void
function Hacl_Bignum_bn_sub_mod_n_u32 (line 620) | void
function Hacl_Bignum_bn_sub_mod_n_u64 (line 698) | void
function Hacl_Bignum_ModInvLimb_mod_inv_uint32 (line 776) | uint32_t Hacl_Bignum_ModInvLimb_mod_inv_uint32(uint32_t n0)
function Hacl_Bignum_ModInvLimb_mod_inv_uint64 (line 797) | uint64_t Hacl_Bignum_ModInvLimb_mod_inv_uint64(uint64_t n0)
function Hacl_Bignum_Montgomery_bn_check_modulus_u32 (line 818) | uint32_t Hacl_Bignum_Montgomery_bn_check_modulus_u32(uint32_t len, uint3...
function Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32 (line 838) | void
function bn_mont_reduction_u32 (line 856) | static void
function Hacl_Bignum_Montgomery_bn_to_mont_u32 (line 934) | void
function Hacl_Bignum_Montgomery_bn_from_mont_u32 (line 954) | void
function Hacl_Bignum_Montgomery_bn_mont_mul_u32 (line 970) | void
function Hacl_Bignum_Montgomery_bn_mont_sqr_u32 (line 990) | void
function Hacl_Bignum_Montgomery_bn_check_modulus_u64 (line 1009) | uint64_t Hacl_Bignum_Montgomery_bn_check_modulus_u64(uint32_t len, uint6...
function Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64 (line 1029) | void
function bn_mont_reduction_u64 (line 1047) | static void
function Hacl_Bignum_Montgomery_bn_to_mont_u64 (line 1125) | void
function Hacl_Bignum_Montgomery_bn_from_mont_u64 (line 1145) | void
function Hacl_Bignum_Montgomery_bn_mont_mul_u64 (line 1161) | void
function Hacl_Bignum_Montgomery_bn_mont_sqr_u64 (line 1181) | void
function Hacl_Bignum_AlmostMontgomery_bn_almost_mont_reduction_u32 (line 1200) | void
function bn_almost_mont_mul_u32 (line 1258) | static void
function bn_almost_mont_sqr_u32 (line 1278) | static void
function Hacl_Bignum_AlmostMontgomery_bn_almost_mont_reduction_u64 (line 1297) | void
function bn_almost_mont_mul_u64 (line 1355) | static void
function bn_almost_mont_sqr_u64 (line 1375) | static void
function Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32 (line 1394) | uint32_t
function Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32 (line 1463) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32 (line 1590) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32 (line 1750) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32 (line 1769) | void
function Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64 (line 1788) | uint64_t
function Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64 (line 1857) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64 (line 1984) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64 (line 2144) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64 (line 2163) | void
FILE: dist/gcc-compatible/Hacl_Bignum.h
type Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (line 40) | typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_s
type Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (line 49) | typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64_s
FILE: dist/gcc-compatible/Hacl_Bignum256.c
function Hacl_Bignum256_add (line 63) | uint64_t Hacl_Bignum256_add(uint64_t *a, uint64_t *b, uint64_t *res)
function Hacl_Bignum256_sub (line 94) | uint64_t Hacl_Bignum256_sub(uint64_t *a, uint64_t *b, uint64_t *res)
function Hacl_Bignum256_add_mod (line 128) | void Hacl_Bignum256_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint6...
function Hacl_Bignum256_sub_mod (line 191) | void Hacl_Bignum256_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint6...
function Hacl_Bignum256_mul (line 251) | void Hacl_Bignum256_mul(uint64_t *a, uint64_t *b, uint64_t *res)
function Hacl_Bignum256_sqr (line 285) | void Hacl_Bignum256_sqr(uint64_t *a, uint64_t *res)
function precompr2 (line 335) | static inline void precompr2(uint32_t nBits, uint64_t *n, uint64_t *res)
function reduction (line 347) | static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, ui...
function to (line 409) | static inline void to(uint64_t *n, uint64_t nInv, uint64_t *r2, uint64_t...
function from (line 416) | static inline void from(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, ui...
function areduction (line 423) | static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, u...
function amont_mul (line 467) | static inline void
function amont_sqr (line 475) | static inline void amont_sqr(uint64_t *n, uint64_t nInv_u64, uint64_t *a...
function bn_slow_precomp (line 482) | static inline void
function Hacl_Bignum256_mod (line 503) | bool Hacl_Bignum256_mod(uint64_t *n, uint64_t *a, uint64_t *res)
function exp_check (line 535) | static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint...
function exp_vartime_precomp (line 597) | static inline void
function exp_consttime_precomp (line 705) | static inline void
function exp_vartime (line 850) | static inline void
function exp_consttime (line 866) | static inline void
function Hacl_Bignum256_mod_exp_vartime (line 902) | bool
function Hacl_Bignum256_mod_exp_consttime (line 944) | bool
function Hacl_Bignum256_mod_inv_prime_vartime (line 981) | bool Hacl_Bignum256_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uint...
function Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (line 1065) | Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum256_mont_ctx_init...
function Hacl_Bignum256_mont_ctx_free (line 1093) | void Hacl_Bignum256_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx...
function Hacl_Bignum256_mod_precomp (line 1110) | void
function Hacl_Bignum256_mod_exp_vartime_precomp (line 1140) | void
function Hacl_Bignum256_mod_exp_consttime_precomp (line 1172) | void
function Hacl_Bignum256_mod_inv_prime_vartime_precomp (line 1197) | void
function Hacl_Bignum256_bn_to_bytes_be (line 1319) | void Hacl_Bignum256_bn_to_bytes_be(uint64_t *b, uint8_t *res)
function Hacl_Bignum256_bn_to_bytes_le (line 1332) | void Hacl_Bignum256_bn_to_bytes_le(uint64_t *b, uint8_t *res)
function Hacl_Bignum256_lt_mask (line 1350) | uint64_t Hacl_Bignum256_lt_mask(uint64_t *a, uint64_t *b)
function Hacl_Bignum256_eq_mask (line 1368) | uint64_t Hacl_Bignum256_eq_mask(uint64_t *a, uint64_t *b)
FILE: dist/gcc-compatible/Hacl_Bignum256_32.c
function Hacl_Bignum256_32_add (line 62) | uint32_t Hacl_Bignum256_32_add(uint32_t *a, uint32_t *b, uint32_t *res)
function Hacl_Bignum256_32_sub (line 95) | uint32_t Hacl_Bignum256_32_sub(uint32_t *a, uint32_t *b, uint32_t *res)
function Hacl_Bignum256_32_add_mod (line 131) | void Hacl_Bignum256_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, ui...
function Hacl_Bignum256_32_sub_mod (line 198) | void Hacl_Bignum256_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, ui...
function Hacl_Bignum256_32_mul (line 262) | void Hacl_Bignum256_32_mul(uint32_t *a, uint32_t *b, uint32_t *res)
function Hacl_Bignum256_32_sqr (line 298) | void Hacl_Bignum256_32_sqr(uint32_t *a, uint32_t *res)
function precompr2 (line 348) | static inline void precompr2(uint32_t nBits, uint32_t *n, uint32_t *res)
function reduction (line 360) | static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, ui...
function to (line 426) | static inline void to(uint32_t *n, uint32_t nInv, uint32_t *r2, uint32_t...
function from (line 433) | static inline void from(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, ui...
function areduction (line 440) | static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, u...
function amont_mul (line 486) | static inline void
function amont_sqr (line 494) | static inline void amont_sqr(uint32_t *n, uint32_t nInv_u64, uint32_t *a...
function bn_slow_precomp (line 501) | static inline void
function Hacl_Bignum256_32_mod (line 522) | bool Hacl_Bignum256_32_mod(uint32_t *n, uint32_t *a, uint32_t *res)
function exp_check (line 554) | static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint...
function exp_vartime_precomp (line 616) | static inline void
function exp_consttime_precomp (line 724) | static inline void
function exp_vartime (line 869) | static inline void
function exp_consttime (line 885) | static inline void
function Hacl_Bignum256_32_mod_exp_vartime (line 921) | bool
function Hacl_Bignum256_32_mod_exp_consttime (line 963) | bool
function Hacl_Bignum256_32_mod_inv_prime_vartime (line 1000) | bool Hacl_Bignum256_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, u...
function Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (line 1098) | Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum256_32_mont_ctx_i...
function Hacl_Bignum256_32_mont_ctx_free (line 1126) | void Hacl_Bignum256_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_...
function Hacl_Bignum256_32_mod_precomp (line 1143) | void
function Hacl_Bignum256_32_mod_exp_vartime_precomp (line 1173) | void
function Hacl_Bignum256_32_mod_exp_consttime_precomp (line 1205) | void
function Hacl_Bignum256_32_mod_inv_prime_vartime_precomp (line 1230) | void
function Hacl_Bignum256_32_bn_to_bytes_be (line 1366) | void Hacl_Bignum256_32_bn_to_bytes_be(uint32_t *b, uint8_t *res)
function Hacl_Bignum256_32_bn_to_bytes_le (line 1379) | void Hacl_Bignum256_32_bn_to_bytes_le(uint32_t *b, uint8_t *res)
function Hacl_Bignum256_32_lt_mask (line 1397) | uint32_t Hacl_Bignum256_32_lt_mask(uint32_t *a, uint32_t *b)
function Hacl_Bignum256_32_eq_mask (line 1415) | uint32_t Hacl_Bignum256_32_eq_mask(uint32_t *a, uint32_t *b)
FILE: dist/gcc-compatible/Hacl_Bignum32.c
function Hacl_Bignum32_add (line 63) | uint32_t Hacl_Bignum32_add(uint32_t len, uint32_t *a, uint32_t *b, uint3...
function Hacl_Bignum32_sub (line 84) | uint32_t Hacl_Bignum32_sub(uint32_t len, uint32_t *a, uint32_t *b, uint3...
function Hacl_Bignum32_add_mod (line 110) | void Hacl_Bignum32_add_mod(uint32_t len, uint32_t *n, uint32_t *a, uint3...
function Hacl_Bignum32_sub_mod (line 136) | void Hacl_Bignum32_sub_mod(uint32_t len, uint32_t *n, uint32_t *a, uint3...
function Hacl_Bignum32_mul (line 152) | void Hacl_Bignum32_mul(uint32_t len, uint32_t *a, uint32_t *b, uint32_t ...
function Hacl_Bignum32_sqr (line 168) | void Hacl_Bignum32_sqr(uint32_t len, uint32_t *a, uint32_t *res)
function bn_slow_precomp (line 176) | static inline void
function Hacl_Bignum32_mod (line 214) | bool Hacl_Bignum32_mod(uint32_t len, uint32_t *n, uint32_t *a, uint32_t ...
function Hacl_Bignum32_mod_exp_vartime (line 277) | bool
function Hacl_Bignum32_mod_exp_consttime (line 328) | bool
function Hacl_Bignum32_mod_inv_prime_vartime (line 372) | bool Hacl_Bignum32_mod_inv_prime_vartime(uint32_t len, uint32_t *n, uint...
function Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (line 482) | Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32
function Hacl_Bignum32_mont_ctx_free (line 513) | void Hacl_Bignum32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_...
function Hacl_Bignum32_mod_precomp (line 532) | void
function Hacl_Bignum32_mod_exp_vartime_precomp (line 568) | void
function Hacl_Bignum32_mod_exp_consttime_precomp (line 613) | void
function Hacl_Bignum32_mod_inv_prime_vartime_precomp (line 650) | void
function Hacl_Bignum32_bn_to_bytes_be (line 808) | void Hacl_Bignum32_bn_to_bytes_be(uint32_t len, uint32_t *b, uint8_t *res)
function Hacl_Bignum32_bn_to_bytes_le (line 831) | void Hacl_Bignum32_bn_to_bytes_le(uint32_t len, uint32_t *b, uint8_t *res)
function Hacl_Bignum32_lt_mask (line 860) | uint32_t Hacl_Bignum32_lt_mask(uint32_t len, uint32_t *a, uint32_t *b)
function Hacl_Bignum32_eq_mask (line 881) | uint32_t Hacl_Bignum32_eq_mask(uint32_t len, uint32_t *a, uint32_t *b)
FILE: dist/gcc-compatible/Hacl_Bignum32.h
type Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (line 40) | typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum32_pbn_mo...
FILE: dist/gcc-compatible/Hacl_Bignum4096.c
function Hacl_Bignum4096_add (line 66) | uint64_t Hacl_Bignum4096_add(uint64_t *a, uint64_t *b, uint64_t *res)
function Hacl_Bignum4096_sub (line 99) | uint64_t Hacl_Bignum4096_sub(uint64_t *a, uint64_t *b, uint64_t *res)
function Hacl_Bignum4096_add_mod (line 135) | void Hacl_Bignum4096_add_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint...
function Hacl_Bignum4096_sub_mod (line 201) | void Hacl_Bignum4096_sub_mod(uint64_t *n, uint64_t *a, uint64_t *b, uint...
function Hacl_Bignum4096_mul (line 264) | void Hacl_Bignum4096_mul(uint64_t *a, uint64_t *b, uint64_t *res)
function Hacl_Bignum4096_sqr (line 276) | void Hacl_Bignum4096_sqr(uint64_t *a, uint64_t *res)
function precompr2 (line 282) | static inline void precompr2(uint32_t nBits, uint64_t *n, uint64_t *res)
function reduction (line 294) | static inline void reduction(uint64_t *n, uint64_t nInv, uint64_t *c, ui...
function to (line 358) | static inline void to(uint64_t *n, uint64_t nInv, uint64_t *r2, uint64_t...
function from (line 365) | static inline void from(uint64_t *n, uint64_t nInv_u64, uint64_t *aM, ui...
function areduction (line 372) | static inline void areduction(uint64_t *n, uint64_t nInv, uint64_t *c, u...
function amont_mul (line 416) | static inline void
function amont_sqr (line 424) | static inline void amont_sqr(uint64_t *n, uint64_t nInv_u64, uint64_t *a...
function bn_slow_precomp (line 431) | static inline void
function Hacl_Bignum4096_mod (line 452) | bool Hacl_Bignum4096_mod(uint64_t *n, uint64_t *a, uint64_t *res)
function exp_check (line 483) | static uint64_t exp_check(uint64_t *n, uint64_t *a, uint32_t bBits, uint...
function exp_vartime_precomp (line 543) | static inline void
function exp_consttime_precomp (line 651) | static inline void
function exp_vartime (line 792) | static inline void
function exp_consttime (line 808) | static inline void
function Hacl_Bignum4096_mod_exp_vartime (line 844) | bool
function Hacl_Bignum4096_mod_exp_consttime (line 886) | bool
function Hacl_Bignum4096_mod_inv_prime_vartime (line 923) | bool Hacl_Bignum4096_mod_inv_prime_vartime(uint64_t *n, uint64_t *a, uin...
function Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (line 1020) | Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum4096_mont_ctx_ini...
function Hacl_Bignum4096_mont_ctx_free (line 1048) | void Hacl_Bignum4096_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ct...
function Hacl_Bignum4096_mod_precomp (line 1065) | void
function Hacl_Bignum4096_mod_exp_vartime_precomp (line 1095) | void
function Hacl_Bignum4096_mod_exp_consttime_precomp (line 1127) | void
function Hacl_Bignum4096_mod_inv_prime_vartime_precomp (line 1152) | void
function Hacl_Bignum4096_bn_to_bytes_be (line 1290) | void Hacl_Bignum4096_bn_to_bytes_be(uint64_t *b, uint8_t *res)
function Hacl_Bignum4096_bn_to_bytes_le (line 1306) | void Hacl_Bignum4096_bn_to_bytes_le(uint64_t *b, uint8_t *res)
function Hacl_Bignum4096_lt_mask (line 1327) | uint64_t Hacl_Bignum4096_lt_mask(uint64_t *a, uint64_t *b)
function Hacl_Bignum4096_eq_mask (line 1344) | uint64_t Hacl_Bignum4096_eq_mask(uint64_t *a, uint64_t *b)
FILE: dist/gcc-compatible/Hacl_Bignum4096_32.c
function Hacl_Bignum4096_32_add (line 66) | uint32_t Hacl_Bignum4096_32_add(uint32_t *a, uint32_t *b, uint32_t *res)
function Hacl_Bignum4096_32_sub (line 98) | uint32_t Hacl_Bignum4096_32_sub(uint32_t *a, uint32_t *b, uint32_t *res)
function Hacl_Bignum4096_32_add_mod (line 133) | void Hacl_Bignum4096_32_add_mod(uint32_t *n, uint32_t *a, uint32_t *b, u...
function Hacl_Bignum4096_32_sub_mod (line 197) | void Hacl_Bignum4096_32_sub_mod(uint32_t *n, uint32_t *a, uint32_t *b, u...
function Hacl_Bignum4096_32_mul (line 258) | void Hacl_Bignum4096_32_mul(uint32_t *a, uint32_t *b, uint32_t *res)
function Hacl_Bignum4096_32_sqr (line 270) | void Hacl_Bignum4096_32_sqr(uint32_t *a, uint32_t *res)
function precompr2 (line 276) | static inline void precompr2(uint32_t nBits, uint32_t *n, uint32_t *res)
function reduction (line 288) | static inline void reduction(uint32_t *n, uint32_t nInv, uint32_t *c, ui...
function to (line 350) | static inline void to(uint32_t *n, uint32_t nInv, uint32_t *r2, uint32_t...
function from (line 357) | static inline void from(uint32_t *n, uint32_t nInv_u64, uint32_t *aM, ui...
function areduction (line 364) | static inline void areduction(uint32_t *n, uint32_t nInv, uint32_t *c, u...
function amont_mul (line 407) | static inline void
function amont_sqr (line 415) | static inline void amont_sqr(uint32_t *n, uint32_t nInv_u64, uint32_t *a...
function bn_slow_precomp (line 422) | static inline void
function Hacl_Bignum4096_32_mod (line 443) | bool Hacl_Bignum4096_32_mod(uint32_t *n, uint32_t *a, uint32_t *res)
function exp_check (line 474) | static uint32_t exp_check(uint32_t *n, uint32_t *a, uint32_t bBits, uint...
function exp_vartime_precomp (line 534) | static inline void
function exp_consttime_precomp (line 642) | static inline void
function exp_vartime (line 783) | static inline void
function exp_consttime (line 799) | static inline void
function Hacl_Bignum4096_32_mod_exp_vartime (line 835) | bool
function Hacl_Bignum4096_32_mod_exp_consttime (line 877) | bool
function Hacl_Bignum4096_32_mod_inv_prime_vartime (line 914) | bool Hacl_Bignum4096_32_mod_inv_prime_vartime(uint32_t *n, uint32_t *a, ...
function Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (line 1010) | Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_Bignum4096_32_mont_ctx_...
function Hacl_Bignum4096_32_mont_ctx_free (line 1039) | void Hacl_Bignum4096_32_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont...
function Hacl_Bignum4096_32_mod_precomp (line 1056) | void
function Hacl_Bignum4096_32_mod_exp_vartime_precomp (line 1086) | void
function Hacl_Bignum4096_32_mod_exp_consttime_precomp (line 1118) | void
function Hacl_Bignum4096_32_mod_inv_prime_vartime_precomp (line 1143) | void
function Hacl_Bignum4096_32_bn_to_bytes_be (line 1280) | void Hacl_Bignum4096_32_bn_to_bytes_be(uint32_t *b, uint8_t *res)
function Hacl_Bignum4096_32_bn_to_bytes_le (line 1296) | void Hacl_Bignum4096_32_bn_to_bytes_le(uint32_t *b, uint8_t *res)
function Hacl_Bignum4096_32_lt_mask (line 1317) | uint32_t Hacl_Bignum4096_32_lt_mask(uint32_t *a, uint32_t *b)
function Hacl_Bignum4096_32_eq_mask (line 1334) | uint32_t Hacl_Bignum4096_32_eq_mask(uint32_t *a, uint32_t *b)
FILE: dist/gcc-compatible/Hacl_Bignum64.c
function Hacl_Bignum64_add (line 54) | uint64_t Hacl_Bignum64_add(uint32_t len, uint64_t *a, uint64_t *b, uint6...
function Hacl_Bignum64_sub (line 66) | uint64_t Hacl_Bignum64_sub(uint32_t len, uint64_t *a, uint64_t *b, uint6...
function Hacl_Bignum64_add_mod (line 81) | void Hacl_Bignum64_add_mod(uint32_t len, uint64_t *n, uint64_t *a, uint6...
function Hacl_Bignum64_sub_mod (line 96) | void Hacl_Bignum64_sub_mod(uint32_t len, uint64_t *n, uint64_t *a, uint6...
function Hacl_Bignum64_mul (line 107) | void Hacl_Bignum64_mul(uint32_t len, uint64_t *a, uint64_t *b, uint64_t ...
function Hacl_Bignum64_sqr (line 121) | void Hacl_Bignum64_sqr(uint32_t len, uint64_t *a, uint64_t *res)
function bn_slow_precomp (line 129) | static inline void
function Hacl_Bignum64_mod (line 161) | bool Hacl_Bignum64_mod(uint32_t len, uint64_t *n, uint64_t *a, uint64_t ...
function Hacl_Bignum64_mod_exp_vartime (line 216) | bool
function Hacl_Bignum64_mod_exp_consttime (line 259) | bool
function Hacl_Bignum64_mod_inv_prime_vartime (line 298) | bool Hacl_Bignum64_mod_inv_prime_vartime(uint32_t len, uint64_t *n, uint...
function Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (line 407) | Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64
function Hacl_Bignum64_mont_ctx_free (line 438) | void Hacl_Bignum64_mont_ctx_free(Hacl_Bignum_MontArithmetic_bn_mont_ctx_...
function Hacl_Bignum64_mod_precomp (line 455) | void
function Hacl_Bignum64_mod_exp_vartime_precomp (line 487) | void
function Hacl_Bignum64_mod_exp_consttime_precomp (line 528) | void
function Hacl_Bignum64_mod_inv_prime_vartime_precomp (line 562) | void
function Hacl_Bignum64_bn_to_bytes_be (line 717) | void Hacl_Bignum64_bn_to_bytes_be(uint32_t len, uint64_t *b, uint8_t *res)
function Hacl_Bignum64_bn_to_bytes_le (line 737) | void Hacl_Bignum64_bn_to_bytes_le(uint32_t len, uint64_t *b, uint8_t *res)
function Hacl_Bignum64_lt_mask (line 762) | uint64_t Hacl_Bignum64_lt_mask(uint32_t len, uint64_t *a, uint64_t *b)
function Hacl_Bignum64_eq_mask (line 779) | uint64_t Hacl_Bignum64_eq_mask(uint32_t len, uint64_t *a, uint64_t *b)
FILE: dist/gcc-compatible/Hacl_Bignum64.h
type Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (line 40) | typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_Bignum64_pbn_mo...
FILE: dist/gcc-compatible/Hacl_Chacha20.c
function quarter_round (line 33) | static inline void quarter_round(uint32_t *st, uint32_t a, uint32_t b, u...
function double_round (line 69) | static inline void double_round(uint32_t *st)
function rounds (line 81) | static inline void rounds(uint32_t *st)
function chacha20_core (line 95) | static inline void chacha20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr)
function Hacl_Impl_Chacha20_chacha20_init (line 115) | void Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t...
function chacha20_encrypt_block (line 147) | static void chacha20_encrypt_block(uint32_t *ctx, uint8_t *out, uint32_t...
function chacha20_encrypt_last (line 172) | static inline void
function Hacl_Impl_Chacha20_chacha20_update (line 181) | void
function Hacl_Chacha20_chacha20_encrypt (line 197) | void
function Hacl_Chacha20_chacha20_decrypt (line 212) | void
FILE: dist/gcc-compatible/Hacl_Chacha20_Vec128.c
function double_round_128 (line 31) | static inline void double_round_128(Lib_IntVector_Intrinsics_vec128 *st)
function chacha20_core_128 (line 131) | static inline void
function chacha20_init_128 (line 162) | static inline void
function Hacl_Chacha20_Vec128_chacha20_encrypt_128 (line 207) | void
function Hacl_Chacha20_Vec128_chacha20_decrypt_128 (line 512) | void
FILE: dist/gcc-compatible/Hacl_Chacha20_Vec256.c
function double_round_256 (line 31) | static inline void double_round_256(Lib_IntVector_Intrinsics_vec256 *st)
function chacha20_core_256 (line 131) | static inline void
function chacha20_init_256 (line 162) | static inline void
function Hacl_Chacha20_Vec256_chacha20_encrypt_256 (line 208) | void
function Hacl_Chacha20_Vec256_chacha20_decrypt_256 (line 705) | void
FILE: dist/gcc-compatible/Hacl_Chacha20_Vec32.c
function double_round_32 (line 30) | static inline void double_round_32(uint32_t *st)
function chacha20_core_32 (line 130) | static inline void chacha20_core_32(uint32_t *k, uint32_t *ctx, uint32_t...
function chacha20_init_32 (line 156) | static inline void chacha20_init_32(uint32_t *ctx, uint8_t *k, uint8_t *...
function Hacl_Chacha20_Vec32_chacha20_encrypt_32 (line 199) | void
function Hacl_Chacha20_Vec32_chacha20_decrypt_32 (line 248) | void
FILE: dist/gcc-compatible/Hacl_Curve25519_51.c
function point_add_and_double (line 34) | static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, FStar_...
function point_double (line 78) | static void point_double(uint64_t *nq, uint64_t *tmp1, FStar_UInt128_uin...
function montgomery_ladder (line 102) | static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init)
function Hacl_Curve25519_51_fsquare_times (line 155) | void
function Hacl_Curve25519_51_finv (line 170) | void Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uin...
function encode_point (line 211) | static void encode_point(uint8_t *o, uint64_t *i)
function Hacl_Curve25519_51_scalarmult (line 233) | void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t ...
function Hacl_Curve25519_51_secret_to_public (line 281) | void Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv)
function Hacl_Curve25519_51_ecdh (line 300) | bool Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub)
FILE: dist/gcc-compatible/Hacl_Curve25519_64.c
function add_scalar0 (line 34) | static inline void add_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2)
function fadd0 (line 43) | static inline void fadd0(uint64_t *out, uint64_t *f1, uint64_t *f2)
function fsub0 (line 52) | static inline void fsub0(uint64_t *out, uint64_t *f1, uint64_t *f2)
function fmul0 (line 61) | static inline void fmul0(uint64_t *out, uint64_t *f1, uint64_t *f2, uint...
function fmul20 (line 70) | static inline void fmul20(uint64_t *out, uint64_t *f1, uint64_t *f2, uin...
function fmul_scalar0 (line 79) | static inline void fmul_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2)
function fsqr0 (line 88) | static inline void fsqr0(uint64_t *out, uint64_t *f1, uint64_t *tmp)
function fsqr20 (line 97) | static inline void fsqr20(uint64_t *out, uint64_t *f, uint64_t *tmp)
function cswap20 (line 106) | static inline void cswap20(uint64_t bit, uint64_t *p1, uint64_t *p2)
function point_add_and_double (line 117) | static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, uint64...
function point_double (line 160) | static void point_double(uint64_t *nq, uint64_t *tmp1, uint64_t *tmp2)
function montgomery_ladder (line 183) | static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init)
function fsquare_times (line 232) | static void fsquare_times(uint64_t *o, uint64_t *inp, uint64_t *tmp, uin...
function finv (line 241) | static void finv(uint64_t *o, uint64_t *i, uint64_t *tmp)
function store_felem (line 282) | static void store_felem(uint64_t *b, uint64_t *f)
function encode_point (line 315) | static void encode_point(uint8_t *o, uint64_t *i)
function Hacl_Curve25519_64_scalarmult (line 335) | void Hacl_Curve25519_64_scalarmult(uint8_t *out, uint8_t *priv, uint8_t ...
function Hacl_Curve25519_64_secret_to_public (line 373) | void Hacl_Curve25519_64_secret_to_public(uint8_t *pub, uint8_t *priv)
function Hacl_Curve25519_64_ecdh (line 392) | bool Hacl_Curve25519_64_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub)
FILE: dist/gcc-compatible/Hacl_EC_Ed25519.c
function Hacl_EC_Ed25519_mk_felem_zero (line 45) | void Hacl_EC_Ed25519_mk_felem_zero(uint64_t *b)
function Hacl_EC_Ed25519_mk_felem_one (line 59) | void Hacl_EC_Ed25519_mk_felem_one(uint64_t *b)
function Hacl_EC_Ed25519_felem_add (line 77) | void Hacl_EC_Ed25519_felem_add(uint64_t *a, uint64_t *b, uint64_t *out)
function Hacl_EC_Ed25519_felem_sub (line 92) | void Hacl_EC_Ed25519_felem_sub(uint64_t *a, uint64_t *b, uint64_t *out)
function Hacl_EC_Ed25519_felem_mul (line 107) | void Hacl_EC_Ed25519_felem_mul(uint64_t *a, uint64_t *b, uint64_t *out)
function Hacl_EC_Ed25519_felem_sqr (line 124) | void Hacl_EC_Ed25519_felem_sqr(uint64_t *a, uint64_t *out)
function Hacl_EC_Ed25519_felem_inv (line 143) | void Hacl_EC_Ed25519_felem_inv(uint64_t *a, uint64_t *out)
function Hacl_EC_Ed25519_felem_load (line 161) | void Hacl_EC_Ed25519_felem_load(uint8_t *b, uint64_t *out)
function Hacl_EC_Ed25519_felem_store (line 176) | void Hacl_EC_Ed25519_felem_store(uint64_t *a, uint8_t *out)
function Hacl_EC_Ed25519_mk_point_at_inf (line 196) | void Hacl_EC_Ed25519_mk_point_at_inf(uint64_t *p)
function Hacl_EC_Ed25519_mk_base_point (line 206) | void Hacl_EC_Ed25519_mk_base_point(uint64_t *p)
function Hacl_EC_Ed25519_point_negate (line 243) | void Hacl_EC_Ed25519_point_negate(uint64_t *p, uint64_t *out)
function Hacl_EC_Ed25519_point_add (line 257) | void Hacl_EC_Ed25519_point_add(uint64_t *p, uint64_t *q, uint64_t *out)
function Hacl_EC_Ed25519_point_double (line 271) | void Hacl_EC_Ed25519_point_double(uint64_t *p, uint64_t *out)
function Hacl_EC_Ed25519_point_mul (line 289) | void Hacl_EC_Ed25519_point_mul(uint8_t *scalar, uint64_t *p, uint64_t *out)
function Hacl_EC_Ed25519_point_eq (line 305) | bool Hacl_EC_Ed25519_point_eq(uint64_t *p, uint64_t *q)
function Hacl_EC_Ed25519_point_compress (line 323) | void Hacl_EC_Ed25519_point_compress(uint64_t *p, uint8_t *out)
function Hacl_EC_Ed25519_point_decompress (line 341) | bool Hacl_EC_Ed25519_point_decompress(uint8_t *s, uint64_t *out)
FILE: dist/gcc-compatible/Hacl_EC_K256.c
function Hacl_EC_K256_mk_felem_zero (line 44) | void Hacl_EC_K256_mk_felem_zero(uint64_t *f)
function Hacl_EC_K256_mk_felem_one (line 54) | void Hacl_EC_K256_mk_felem_one(uint64_t *f)
function Hacl_EC_K256_felem_add (line 69) | void Hacl_EC_K256_felem_add(uint64_t *a, uint64_t *b, uint64_t *out)
function Hacl_EC_K256_felem_sub (line 84) | void Hacl_EC_K256_felem_sub(uint64_t *a, uint64_t *b, uint64_t *out)
function Hacl_EC_K256_felem_mul (line 99) | void Hacl_EC_K256_felem_mul(uint64_t *a, uint64_t *b, uint64_t *out)
function Hacl_EC_K256_felem_sqr (line 113) | void Hacl_EC_K256_felem_sqr(uint64_t *a, uint64_t *out)
function Hacl_EC_K256_felem_inv (line 129) | void Hacl_EC_K256_felem_inv(uint64_t *a, uint64_t *out)
function Hacl_EC_K256_felem_load (line 144) | void Hacl_EC_K256_felem_load(uint8_t *b, uint64_t *out)
function Hacl_EC_K256_felem_store (line 159) | void Hacl_EC_K256_felem_store(uint64_t *a, uint8_t *out)
function Hacl_EC_K256_mk_point_at_inf (line 179) | void Hacl_EC_K256_mk_point_at_inf(uint64_t *p)
function Hacl_EC_K256_mk_base_point (line 189) | void Hacl_EC_K256_mk_base_point(uint64_t *p)
function Hacl_EC_K256_point_negate (line 217) | void Hacl_EC_K256_point_negate(uint64_t *p, uint64_t *out)
function Hacl_EC_K256_point_add (line 231) | void Hacl_EC_K256_point_add(uint64_t *p, uint64_t *q, uint64_t *out)
function Hacl_EC_K256_point_double (line 245) | void Hacl_EC_K256_point_double(uint64_t *p, uint64_t *out)
function Hacl_EC_K256_point_mul (line 263) | void Hacl_EC_K256_point_mul(uint8_t *scalar, uint64_t *p, uint64_t *out)
function Hacl_EC_K256_point_store (line 290) | void Hacl_EC_K256_point_store(uint64_t *p, uint8_t *out)
function Hacl_EC_K256_point_load (line 306) | void Hacl_EC_K256_point_load(uint8_t *b, uint64_t *out)
function Hacl_EC_K256_is_point_valid (line 339) | bool Hacl_EC_K256_is_point_valid(uint8_t *b)
FILE: dist/gcc-compatible/Hacl_Ed25519.c
function fsum (line 39) | static inline void fsum(uint64_t *out, uint64_t *a, uint64_t *b)
function fdifference (line 44) | static inline void fdifference(uint64_t *out, uint64_t *a, uint64_t *b)
function Hacl_Bignum25519_reduce_513 (line 49) | void Hacl_Bignum25519_reduce_513(uint64_t *a)
function fmul0 (line 81) | static inline void fmul0(uint64_t *output, uint64_t *input, uint64_t *in...
function times_2 (line 89) | static inline void times_2(uint64_t *out, uint64_t *a)
function times_d (line 108) | static inline void times_d(uint64_t *out, uint64_t *a)
function times_2d (line 119) | static inline void times_2d(uint64_t *out, uint64_t *a)
function fsquare (line 130) | static inline void fsquare(uint64_t *out, uint64_t *a)
function fsquare_times (line 138) | static inline void fsquare_times(uint64_t *output, uint64_t *input, uint...
function fsquare_times_inplace (line 146) | static inline void fsquare_times_inplace(uint64_t *output, uint32_t count)
function Hacl_Bignum25519_inverse (line 154) | void Hacl_Bignum25519_inverse(uint64_t *out, uint64_t *a)
function reduce (line 162) | static inline void reduce(uint64_t *out)
function Hacl_Bignum25519_load_51 (line 215) | void Hacl_Bignum25519_load_51(uint64_t *output, uint8_t *input)
function Hacl_Bignum25519_store_51 (line 237) | void Hacl_Bignum25519_store_51(uint8_t *output, uint64_t *input)
function Hacl_Impl_Ed25519_PointDouble_point_double (line 244) | void Hacl_Impl_Ed25519_PointDouble_point_double(uint64_t *out, uint64_t *p)
function Hacl_Impl_Ed25519_PointAdd_point_add (line 287) | void Hacl_Impl_Ed25519_PointAdd_point_add(uint64_t *out, uint64_t *p, ui...
function Hacl_Impl_Ed25519_PointConstants_make_point_inf (line 336) | void Hacl_Impl_Ed25519_PointConstants_make_point_inf(uint64_t *b)
function pow2_252m2 (line 364) | static inline void pow2_252m2(uint64_t *out, uint64_t *z)
function is_0 (line 400) | static inline bool is_0(uint64_t *x)
function mul_modp_sqrt_m1 (line 410) | static inline void mul_modp_sqrt_m1(uint64_t *x)
function recover_x (line 421) | static inline bool recover_x(uint64_t *x, uint64_t *y, uint64_t sign)
function Hacl_Impl_Ed25519_PointDecompress_point_decompress (line 544) | bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, u...
function Hacl_Impl_Ed25519_PointCompress_point_compress (line 579) | void Hacl_Impl_Ed25519_PointCompress_point_compress(uint8_t *z, uint64_t...
function barrett_reduction (line 603) | static inline void barrett_reduction(uint64_t *z, uint64_t *t)
function mul_modq (line 925) | static inline void mul_modq(uint64_t *out, uint64_t *x, uint64_t *y)
function add_modq (line 1052) | static inline void add_modq(uint64_t *out, uint64_t *x, uint64_t *y)
function gte_q (line 1139) | static inline bool gte_q(uint64_t *s)
function eq (line 1173) | static inline bool eq(uint64_t *a, uint64_t *b)
function Hacl_Impl_Ed25519_PointEqual_point_equal (line 1188) | bool Hacl_Impl_Ed25519_PointEqual_point_equal(uint64_t *p, uint64_t *q)
function Hacl_Impl_Ed25519_PointNegate_point_negate (line 1211) | void Hacl_Impl_Ed25519_PointNegate_point_negate(uint64_t *p, uint64_t *out)
function Hacl_Impl_Ed25519_Ladder_point_mul (line 1235) | void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *out, uint8_t *scalar, ...
function precomp_get_consttime (line 1288) | static inline void precomp_get_consttime(const uint64_t *table, uint64_t...
function point_mul_g (line 1305) | static inline void point_mul_g(uint64_t *out, uint8_t *scalar)
function point_mul_g_double_vartime (line 1402) | static inline void
function point_negate_mul_double_g_vartime (line 1504) | static inline void
function store_56 (line 1517) | static inline void store_56(uint8_t *out, uint64_t *b)
function load_64_bytes (line 1536) | static inline void load_64_bytes(uint64_t *out, uint8_t *b)
function load_32_bytes (line 1588) | static inline void load_32_bytes(uint64_t *out, uint8_t *b)
function sha512_pre_msg (line 1616) | static inline void sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32...
function sha512_pre_pre2_msg (line 1632) | static inline void
function sha512_modq_pre (line 1657) | static inline void
function sha512_modq_pre_pre2 (line 1667) | static inline void
function point_mul_g_compress (line 1683) | static inline void point_mul_g_compress(uint8_t *out, uint8_t *s)
function secret_expand (line 1690) | static inline void secret_expand(uint8_t *expanded, uint8_t *secret)
function Hacl_Ed25519_secret_to_public (line 1711) | void Hacl_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private...
function Hacl_Ed25519_expand_keys (line 1728) | void Hacl_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *private_key)
function Hacl_Ed25519_sign_expanded (line 1748) | void
function Hacl_Ed25519_sign (line 1788) | void
function Hacl_Ed25519_verify (line 1806) | bool
FILE: dist/gcc-compatible/Hacl_FFDHE.c
function ffdhe_len (line 34) | static inline uint32_t ffdhe_len(Spec_FFDHE_ffdhe_alg a)
function ffdhe_precomp_p (line 66) | static inline void ffdhe_precomp_p(Spec_FFDHE_ffdhe_alg a, uint64_t *p_r...
function ffdhe_check_pk (line 156) | static inline uint64_t ffdhe_check_pk(Spec_FFDHE_ffdhe_alg a, uint64_t *...
function ffdhe_compute_exp (line 224) | static inline void
function Hacl_FFDHE_ffdhe_len (line 251) | uint32_t Hacl_FFDHE_ffdhe_len(Spec_FFDHE_ffdhe_alg a)
function Hacl_FFDHE_ffdhe_secret_to_public_precomp (line 271) | void
function Hacl_FFDHE_ffdhe_secret_to_public (line 298) | void Hacl_FFDHE_ffdhe_secret_to_public(Spec_FFDHE_ffdhe_alg a, uint8_t *...
function Hacl_FFDHE_ffdhe_shared_secret_precomp (line 309) | uint64_t
function Hacl_FFDHE_ffdhe_shared_secret (line 337) | uint64_t
FILE: dist/gcc-compatible/Hacl_Frodo1344.c
function Hacl_Frodo1344_crypto_kem_keypair (line 41) | uint32_t Hacl_Frodo1344_crypto_kem_keypair(uint8_t *pk, uint8_t *sk)
function Hacl_Frodo1344_crypto_kem_enc (line 81) | uint32_t Hacl_Frodo1344_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t...
function Hacl_Frodo1344_crypto_kem_dec (line 142) | uint32_t Hacl_Frodo1344_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t...
FILE: dist/gcc-compatible/Hacl_Frodo64.c
function Hacl_Frodo64_crypto_kem_keypair (line 46) | uint32_t Hacl_Frodo64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk)
function Hacl_Frodo64_crypto_kem_enc (line 85) | uint32_t Hacl_Frodo64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t *pk)
function Hacl_Frodo64_crypto_kem_dec (line 145) | uint32_t Hacl_Frodo64_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t *sk)
FILE: dist/gcc-compatible/Hacl_Frodo640.c
function Hacl_Frodo640_crypto_kem_keypair (line 41) | uint32_t Hacl_Frodo640_crypto_kem_keypair(uint8_t *pk, uint8_t *sk)
function Hacl_Frodo640_crypto_kem_enc (line 81) | uint32_t Hacl_Frodo640_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t ...
function Hacl_Frodo640_crypto_kem_dec (line 142) | uint32_t Hacl_Frodo640_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t ...
FILE: dist/gcc-compatible/Hacl_Frodo976.c
function Hacl_Frodo976_crypto_kem_keypair (line 41) | uint32_t Hacl_Frodo976_crypto_kem_keypair(uint8_t *pk, uint8_t *sk)
function Hacl_Frodo976_crypto_kem_enc (line 81) | uint32_t Hacl_Frodo976_crypto_kem_enc(uint8_t *ct, uint8_t *ss, uint8_t ...
function Hacl_Frodo976_crypto_kem_dec (line 142) | uint32_t Hacl_Frodo976_crypto_kem_dec(uint8_t *ss, uint8_t *ct, uint8_t ...
FILE: dist/gcc-compatible/Hacl_Frodo_KEM.c
function randombytes_ (line 34) | void randombytes_(uint32_t len, uint8_t *res)
FILE: dist/gcc-compatible/Hacl_GenericField32.c
function Hacl_GenericField32_field_modulus_check (line 57) | bool Hacl_GenericField32_field_modulus_check(uint32_t len, uint32_t *n)
function Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (line 76) | Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32
function Hacl_GenericField32_field_free (line 107) | void Hacl_GenericField32_field_free(Hacl_Bignum_MontArithmetic_bn_mont_c...
function Hacl_GenericField32_field_get_len (line 122) | uint32_t Hacl_GenericField32_field_get_len(Hacl_Bignum_MontArithmetic_bn...
function Hacl_GenericField32_to_field (line 136) | void
function Hacl_GenericField32_from_field (line 157) | void
function Hacl_GenericField32_add (line 175) | void
function Hacl_GenericField32_sub (line 194) | void
function Hacl_GenericField32_mul (line 213) | void
function Hacl_GenericField32_sqr (line 232) | void
function Hacl_GenericField32_one (line 250) | void Hacl_GenericField32_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 ...
function Hacl_GenericField32_exp_consttime (line 275) | void
function Hacl_GenericField32_exp_vartime (line 442) | void
function Hacl_GenericField32_inverse (line 569) | void
FILE: dist/gcc-compatible/Hacl_GenericField32.h
type Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (line 40) | typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 *Hacl_GenericField32_...
FILE: dist/gcc-compatible/Hacl_GenericField64.c
function Hacl_GenericField64_field_modulus_check (line 57) | bool Hacl_GenericField64_field_modulus_check(uint32_t len, uint64_t *n)
function Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (line 76) | Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64
function Hacl_GenericField64_field_free (line 107) | void Hacl_GenericField64_field_free(Hacl_Bignum_MontArithmetic_bn_mont_c...
function Hacl_GenericField64_field_get_len (line 122) | uint32_t Hacl_GenericField64_field_get_len(Hacl_Bignum_MontArithmetic_bn...
function Hacl_GenericField64_to_field (line 136) | void
function Hacl_GenericField64_from_field (line 157) | void
function Hacl_GenericField64_add (line 175) | void
function Hacl_GenericField64_sub (line 194) | void
function Hacl_GenericField64_mul (line 213) | void
function Hacl_GenericField64_sqr (line 232) | void
function Hacl_GenericField64_one (line 250) | void Hacl_GenericField64_one(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 ...
function Hacl_GenericField64_exp_consttime (line 275) | void
function Hacl_GenericField64_exp_vartime (line 442) | void
function Hacl_GenericField64_inverse (line 569) | void
FILE: dist/gcc-compatible/Hacl_GenericField64.h
type Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (line 40) | typedef Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *Hacl_GenericField64_...
FILE: dist/gcc-compatible/Hacl_HKDF.c
function Hacl_HKDF_expand_sha2_256 (line 40) | void
function Hacl_HKDF_extract_sha2_256 (line 98) | void
function Hacl_HKDF_expand_sha2_384 (line 120) | void
function Hacl_HKDF_extract_sha2_384 (line 178) | void
function Hacl_HKDF_expand_sha2_512 (line 200) | void
function Hacl_HKDF_extract_sha2_512 (line 258) | void
function Hacl_HKDF_expand_blake2s_32 (line 280) | void
function Hacl_HKDF_extract_blake2s_32 (line 338) | void
function Hacl_HKDF_expand_blake2b_32 (line 360) | void
function Hacl_HKDF_extract_blake2b_32 (line 418) | void
FILE: dist/gcc-compatible/Hacl_HKDF_Blake2b_256.c
function Hacl_HKDF_Blake2b_256_expand_blake2b_256 (line 40) | void
function Hacl_HKDF_Blake2b_256_extract_blake2b_256 (line 98) | void
FILE: dist/gcc-compatible/Hacl_HKDF_Blake2s_128.c
function Hacl_HKDF_Blake2s_128_expand_blake2s_128 (line 40) | void
function Hacl_HKDF_Blake2s_128_extract_blake2s_128 (line 98) | void
FILE: dist/gcc-compatible/Hacl_HMAC.c
function Hacl_HMAC_compute_md5 (line 48) | void
function Hacl_HMAC_compute_sha1 (line 158) | void
function Hacl_HMAC_compute_sha2_224 (line 268) | void
function Hacl_HMAC_compute_sha2_256 (line 392) | void
function Hacl_HMAC_compute_sha2_384 (line 516) | void
function Hacl_HMAC_compute_sha2_512 (line 648) | void
function Hacl_HMAC_compute_sha3_224 (line 780) | void
function Hacl_HMAC_compute_sha3_256 (line 906) | void
function Hacl_HMAC_compute_sha3_384 (line 1032) | void
function Hacl_HMAC_compute_sha3_512 (line 1158) | void
function Hacl_HMAC_compute_blake2s_32 (line 1284) | void
function Hacl_HMAC_compute_blake2b_32 (line 1425) | void
FILE: dist/gcc-compatible/Hacl_HMAC_Blake2b_256.c
function Hacl_HMAC_Blake2b_256_compute_blake2b_256 (line 40) | void
FILE: dist/gcc-compatible/Hacl_HMAC_Blake2s_128.c
function Hacl_HMAC_Blake2s_128_compute_blake2s_128 (line 38) | void
FILE: dist/gcc-compatible/Hacl_HMAC_DRBG.c
function Hacl_HMAC_DRBG_min_length (line 46) | uint32_t Hacl_HMAC_DRBG_min_length(Spec_Hash_Definitions_hash_alg a)
function Hacl_HMAC_DRBG_uu___is_State (line 74) | bool
function Hacl_HMAC_DRBG_state (line 91) | Hacl_HMAC_DRBG_state Hacl_HMAC_DRBG_create_in(Spec_Hash_Definitions_hash...
function Hacl_HMAC_DRBG_instantiate (line 179) | void
function Hacl_HMAC_DRBG_reseed (line 435) | void
function Hacl_HMAC_DRBG_generate (line 673) | bool
function Hacl_HMAC_DRBG_free (line 1061) | void Hacl_HMAC_DRBG_free(Spec_Hash_Definitions_hash_alg uu___, Hacl_HMAC...
FILE: dist/gcc-compatible/Hacl_HMAC_DRBG.h
type Spec_Hash_Definitions_hash_alg (line 40) | typedef Spec_Hash_Definitions_hash_alg Hacl_HMAC_DRBG_supported_alg;
type Hacl_HMAC_DRBG_state (line 59) | typedef struct Hacl_HMAC_DRBG_state_s
FILE: dist/gcc-compatible/Hacl_HPKE_Curve51_CP128_SHA256.c
function Hacl_HPKE_Curve51_CP128_SHA256_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve51_CP128_SHA256_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve51_CP128_SHA256_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve51_CP128_SHA256_openBase (line 601) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve51_CP128_SHA512.c
function Hacl_HPKE_Curve51_CP128_SHA512_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve51_CP128_SHA512_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve51_CP128_SHA512_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve51_CP128_SHA512_openBase (line 601) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve51_CP256_SHA256.c
function Hacl_HPKE_Curve51_CP256_SHA256_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve51_CP256_SHA256_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve51_CP256_SHA256_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve51_CP256_SHA256_openBase (line 601) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve51_CP256_SHA512.c
function Hacl_HPKE_Curve51_CP256_SHA512_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve51_CP256_SHA512_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve51_CP256_SHA512_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve51_CP256_SHA512_openBase (line 601) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve51_CP32_SHA256.c
function Hacl_HPKE_Curve51_CP32_SHA256_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve51_CP32_SHA256_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve51_CP32_SHA256_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve51_CP32_SHA256_openBase (line 600) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve51_CP32_SHA512.c
function Hacl_HPKE_Curve51_CP32_SHA512_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve51_CP32_SHA512_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve51_CP32_SHA512_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve51_CP32_SHA512_openBase (line 600) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve64_CP128_SHA256.c
function Hacl_HPKE_Curve64_CP128_SHA256_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve64_CP128_SHA256_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve64_CP128_SHA256_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve64_CP128_SHA256_openBase (line 601) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve64_CP128_SHA512.c
function Hacl_HPKE_Curve64_CP128_SHA512_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve64_CP128_SHA512_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve64_CP128_SHA512_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve64_CP128_SHA512_openBase (line 601) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve64_CP256_SHA256.c
function Hacl_HPKE_Curve64_CP256_SHA256_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve64_CP256_SHA256_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve64_CP256_SHA256_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve64_CP256_SHA256_openBase (line 601) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve64_CP256_SHA512.c
function Hacl_HPKE_Curve64_CP256_SHA512_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve64_CP256_SHA512_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve64_CP256_SHA512_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve64_CP256_SHA512_openBase (line 601) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve64_CP32_SHA256.c
function Hacl_HPKE_Curve64_CP32_SHA256_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve64_CP32_SHA256_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve64_CP32_SHA256_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve64_CP32_SHA256_openBase (line 600) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Curve64_CP32_SHA512.c
function Hacl_HPKE_Curve64_CP32_SHA512_setupBaseS (line 34) | uint32_t
function Hacl_HPKE_Curve64_CP32_SHA512_setupBaseR (line 280) | uint32_t
function Hacl_HPKE_Curve64_CP32_SHA512_sealBase (line 532) | uint32_t
function Hacl_HPKE_Curve64_CP32_SHA512_openBase (line 600) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_Interface_Hacl_Impl_HPKE_Hacl_Meta_HPKE.h
type Hacl_Impl_HPKE_context_s (line 38) | typedef struct Hacl_Impl_HPKE_context_s_s
FILE: dist/gcc-compatible/Hacl_HPKE_P256_CP128_SHA256.c
function Hacl_HPKE_P256_CP128_SHA256_setupBaseS (line 33) | uint32_t
function Hacl_HPKE_P256_CP128_SHA256_setupBaseR (line 282) | uint32_t
function Hacl_HPKE_P256_CP128_SHA256_sealBase (line 544) | uint32_t
function Hacl_HPKE_P256_CP128_SHA256_openBase (line 612) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_P256_CP256_SHA256.c
function Hacl_HPKE_P256_CP256_SHA256_setupBaseS (line 33) | uint32_t
function Hacl_HPKE_P256_CP256_SHA256_setupBaseR (line 282) | uint32_t
function Hacl_HPKE_P256_CP256_SHA256_sealBase (line 544) | uint32_t
function Hacl_HPKE_P256_CP256_SHA256_openBase (line 612) | uint32_t
FILE: dist/gcc-compatible/Hacl_HPKE_P256_CP32_SHA256.c
function Hacl_HPKE_P256_CP32_SHA256_setupBaseS (line 33) | uint32_t
function Hacl_HPKE_P256_CP32_SHA256_setupBaseR (line 282) | uint32_t
function Hacl_HPKE_P256_CP32_SHA256_sealBase (line 544) | uint32_t
function Hacl_HPKE_P256_CP32_SHA256_openBase (line 612) | uint32_t
FILE: dist/gcc-compatible/Hacl_Hash_Base.c
function Hacl_Hash_Definitions_word_len (line 30) | uint32_t Hacl_Hash_Definitions_word_len(Spec_Hash_Definitions_hash_alg a)
function Hacl_Hash_Definitions_block_len (line 66) | uint32_t Hacl_Hash_Definitions_block_len(Spec_Hash_Definitions_hash_alg a)
function Hacl_Hash_Definitions_hash_word_len (line 134) | uint32_t Hacl_Hash_Definitions_hash_word_len(Spec_Hash_Definitions_hash_...
function Hacl_Hash_Definitions_hash_len (line 170) | uint32_t Hacl_Hash_Definitions_hash_len(Spec_Hash_Definitions_hash_alg a)
FILE: dist/gcc-compatible/Hacl_Hash_Blake2b.c
function update_block (line 34) | static void
function Hacl_Hash_Blake2b_init (line 493) | void Hacl_Hash_Blake2b_init(uint64_t *hash, uint32_t kk, uint32_t nn)
function update_key (line 579) | static void update_key(uint64_t *wv, uint64_t *hash, uint32_t kk, uint8_...
function Hacl_Hash_Blake2b_update_multi (line 595) | void
function Hacl_Hash_Blake2b_update_last (line 617) | void
function update_blocks (line 637) | static void
function update (line 670) | static inline void
function Hacl_Hash_Blake2b_finish (line 687) | void Hacl_Hash_Blake2b_finish(uint32_t nn, uint8_t *output, uint64_t *hash)
type option___uint8_t___uint8_t___bool_____uint64_t_____uint64_t___ (line 701) | typedef struct option___uint8_t___uint8_t___bool_____uint64_t_____uint64...
function Hacl_Hash_Blake2b_state_t (line 708) | static Hacl_Hash_Blake2b_state_t
function Hacl_Hash_Blake2b_state_t (line 923) | Hacl_Hash_Blake2b_state_t
function Hacl_Hash_Blake2b_state_t (line 947) | Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc_with_key(uint8_t *k,...
function Hacl_Hash_Blake2b_state_t (line 970) | Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_malloc(void)
function Hacl_Hash_Blake2b_index (line 975) | static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2b_state_t *s)
function reset_raw (line 985) | static void reset_raw(Hacl_Hash_Blake2b_state_t *state, Hacl_Hash_Blake2...
function Hacl_Hash_Blake2b_reset_with_key_and_params (line 1108) | void
function Hacl_Hash_Blake2b_reset_with_key (line 1127) | void Hacl_Hash_Blake2b_reset_with_key(Hacl_Hash_Blake2b_state_t *s, uint...
function Hacl_Hash_Blake2b_reset (line 1151) | void Hacl_Hash_Blake2b_reset(Hacl_Hash_Blake2b_state_t *s)
function Hacl_Streaming_Types_error_code (line 1159) | Hacl_Streaming_Types_error_code
function Hacl_Hash_Blake2b_digest (line 1374) | uint8_t Hacl_Hash_Blake2b_digest(Hacl_Hash_Blake2b_state_t *s, uint8_t *...
function Hacl_Hash_Blake2b_index (line 1453) | Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_info(Hacl_Hash_Blake2b_state_t...
function Hacl_Hash_Blake2b_free (line 1466) | void Hacl_Hash_Blake2b_free(Hacl_Hash_Blake2b_state_t *state)
function Hacl_Hash_Blake2b_state_t (line 1482) | Hacl_Hash_Blake2b_state_t *Hacl_Hash_Blake2b_copy(Hacl_Hash_Blake2b_stat...
function Hacl_Hash_Blake2b_hash_with_key (line 1601) | void
function Hacl_Hash_Blake2b_hash_with_key_and_params (line 1626) | void
FILE: dist/gcc-compatible/Hacl_Hash_Blake2b.h
type Hacl_Hash_Blake2b_blake2_params (line 40) | typedef struct Hacl_Hash_Blake2b_blake2_params_s
type Hacl_Hash_Blake2b_index (line 55) | typedef struct Hacl_Hash_Blake2b_index_s
type Hacl_Hash_Blake2b_block_state_t (line 73) | typedef struct Hacl_Hash_Blake2b_block_state_t_s Hacl_Hash_Blake2b_block...
type Hacl_Hash_Blake2b_state_t (line 75) | typedef struct Hacl_Hash_Blake2b_state_t_s Hacl_Hash_Blake2b_state_t;
FILE: dist/gcc-compatible/Hacl_Hash_Blake2b_Simd256.c
function update_block (line 36) | static inline void
function Hacl_Hash_Blake2b_Simd256_init (line 228) | void
function update_key (line 303) | static void
function Hacl_Hash_Blake2b_Simd256_update_multi (line 326) | void
function Hacl_Hash_Blake2b_Simd256_update_last (line 348) | void
function update_blocks (line 368) | static inline void
function update (line 401) | static inline void
function Hacl_Hash_Blake2b_Simd256_finish (line 425) | void
function Hacl_Hash_Blake2b_Simd256_load_state256b_from_state32 (line 444) | void
function Hacl_Hash_Blake2b_Simd256_store_state256b_to_state32 (line 464) | void
function Lib_IntVector_Intrinsics_vec256 (line 528) | Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_Blake2b_Simd256_malloc_intern...
function Hacl_Hash_Blake2b_Simd256_update_multi_no_inline (line 541) | void
function Hacl_Hash_Blake2b_Simd256_update_last_no_inline (line 553) | void
function Hacl_Hash_Blake2b_Simd256_copy_internal_state (line 565) | void
type option___uint8_t___uint8_t___bool_____Lib_IntVector_Intrinsics_vec256_____Lib_IntVector_Intrinsics_vec256___ (line 574) | typedef struct
function Hacl_Hash_Blake2b_Simd256_state_t (line 582) | static Hacl_Hash_Blake2b_Simd256_state_t
function Hacl_Hash_Blake2b_Simd256_state_t (line 803) | Hacl_Hash_Blake2b_Simd256_state_t
function Hacl_Hash_Blake2b_Simd256_state_t (line 827) | Hacl_Hash_Blake2b_Simd256_state_t
function Hacl_Hash_Blake2b_Simd256_state_t (line 852) | Hacl_Hash_Blake2b_Simd256_state_t *Hacl_Hash_Blake2b_Simd256_malloc(void)
function Hacl_Hash_Blake2b_index (line 857) | static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2b_Simd256_...
function reset_raw (line 867) | static void
function Hacl_Hash_Blake2b_Simd256_reset_with_key_and_params (line 979) | void
function Hacl_Hash_Blake2b_Simd256_reset_with_key (line 998) | void Hacl_Hash_Blake2b_Simd256_reset_with_key(Hacl_Hash_Blake2b_Simd256_...
function Hacl_Hash_Blake2b_Simd256_reset (line 1022) | void Hacl_Hash_Blake2b_Simd256_reset(Hacl_Hash_Blake2b_Simd256_state_t *s)
function Hacl_Streaming_Types_error_code (line 1030) | Hacl_Streaming_Types_error_code
function Hacl_Hash_Blake2b_Simd256_digest (line 1249) | uint8_t Hacl_Hash_Blake2b_Simd256_digest(Hacl_Hash_Blake2b_Simd256_state...
function Hacl_Hash_Blake2b_index (line 1328) | Hacl_Hash_Blake2b_index Hacl_Hash_Blake2b_Simd256_info(Hacl_Hash_Blake2b...
function Hacl_Hash_Blake2b_Simd256_free (line 1341) | void Hacl_Hash_Blake2b_Simd256_free(Hacl_Hash_Blake2b_Simd256_state_t *s...
function Hacl_Hash_Blake2b_Simd256_state_t (line 1357) | Hacl_Hash_Blake2b_Simd256_state_t
function Hacl_Hash_Blake2b_Simd256_hash_with_key (line 1495) | void
function Hacl_Hash_Blake2b_Simd256_hash_with_key_and_params (line 1520) | void
FILE: dist/gcc-compatible/Hacl_Hash_Blake2b_Simd256.h
type Hacl_Hash_Blake2b_Simd256_block_state_t (line 51) | typedef struct Hacl_Hash_Blake2b_Simd256_block_state_t_s
type Hacl_Hash_Blake2b_Simd256_state_t (line 54) | typedef struct Hacl_Hash_Blake2b_Simd256_state_t_s Hacl_Hash_Blake2b_Sim...
FILE: dist/gcc-compatible/Hacl_Hash_Blake2s.c
function update_block (line 35) | static inline void
function Hacl_Hash_Blake2s_init (line 494) | void Hacl_Hash_Blake2s_init(uint32_t *hash, uint32_t kk, uint32_t nn)
function update_key (line 579) | static void update_key(uint32_t *wv, uint32_t *hash, uint32_t kk, uint8_...
function Hacl_Hash_Blake2s_update_multi (line 595) | void
function Hacl_Hash_Blake2s_update_last (line 614) | void
function update_blocks (line 633) | static void
function update (line 660) | static inline void
function Hacl_Hash_Blake2s_finish (line 677) | void Hacl_Hash_Blake2s_finish(uint32_t nn, uint8_t *output, uint32_t *hash)
type option___uint8_t___uint8_t___bool_____uint32_t_____uint32_t___ (line 691) | typedef struct option___uint8_t___uint8_t___bool_____uint32_t_____uint32...
function Hacl_Hash_Blake2s_state_t (line 698) | static Hacl_Hash_Blake2s_state_t
function Hacl_Hash_Blake2s_state_t (line 912) | Hacl_Hash_Blake2s_state_t
function Hacl_Hash_Blake2s_state_t (line 936) | Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc_with_key(uint8_t *k,...
function Hacl_Hash_Blake2s_state_t (line 959) | Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_malloc(void)
function Hacl_Hash_Blake2b_index (line 964) | static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2s_state_t *s)
function reset_raw (line 974) | static void reset_raw(Hacl_Hash_Blake2s_state_t *state, Hacl_Hash_Blake2...
function Hacl_Hash_Blake2s_reset_with_key_and_params (line 1096) | void
function Hacl_Hash_Blake2s_reset_with_key (line 1115) | void Hacl_Hash_Blake2s_reset_with_key(Hacl_Hash_Blake2s_state_t *s, uint...
function Hacl_Hash_Blake2s_reset (line 1139) | void Hacl_Hash_Blake2s_reset(Hacl_Hash_Blake2s_state_t *s)
function Hacl_Streaming_Types_error_code (line 1147) | Hacl_Streaming_Types_error_code
function Hacl_Hash_Blake2s_digest (line 1342) | uint8_t Hacl_Hash_Blake2s_digest(Hacl_Hash_Blake2s_state_t *s, uint8_t *...
function Hacl_Hash_Blake2b_index (line 1410) | Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_info(Hacl_Hash_Blake2s_state_t...
function Hacl_Hash_Blake2s_free (line 1423) | void Hacl_Hash_Blake2s_free(Hacl_Hash_Blake2s_state_t *state)
function Hacl_Hash_Blake2s_state_t (line 1439) | Hacl_Hash_Blake2s_state_t *Hacl_Hash_Blake2s_copy(Hacl_Hash_Blake2s_stat...
function Hacl_Hash_Blake2s_hash_with_key (line 1558) | void
function Hacl_Hash_Blake2s_hash_with_key_and_params (line 1583) | void
FILE: dist/gcc-compatible/Hacl_Hash_Blake2s.h
type Hacl_Hash_Blake2s_block_state_t (line 51) | typedef struct Hacl_Hash_Blake2s_block_state_t_s Hacl_Hash_Blake2s_block...
type Hacl_Hash_Blake2s_state_t (line 53) | typedef struct Hacl_Hash_Blake2s_state_t_s Hacl_Hash_Blake2s_state_t;
FILE: dist/gcc-compatible/Hacl_Hash_Blake2s_Simd128.c
function update_block (line 35) | static inline void
function Hacl_Hash_Blake2s_Simd128_init (line 227) | void
function update_key (line 301) | static void
function Hacl_Hash_Blake2s_Simd128_update_multi (line 324) | void
function Hacl_Hash_Blake2s_Simd128_update_last (line 343) | void
function update_blocks (line 362) | static inline void
function update (line 395) | static inline void
function Hacl_Hash_Blake2s_Simd128_finish (line 419) | void
function Hacl_Hash_Blake2s_Simd128_store_state128s_to_state32 (line 438) | void
function Hacl_Hash_Blake2s_Simd128_load_state128s_from_state32 (line 502) | void
function Lib_IntVector_Intrinsics_vec128 (line 522) | Lib_IntVector_Intrinsics_vec128 *Hacl_Hash_Blake2s_Simd128_malloc_intern...
function Hacl_Hash_Blake2s_Simd128_update_multi_no_inline (line 535) | void
function Hacl_Hash_Blake2s_Simd128_update_last_no_inline (line 547) | void
function Hacl_Hash_Blake2s_Simd128_copy_internal_state (line 559) | void
type option___uint8_t___uint8_t___bool_____Lib_IntVector_Intrinsics_vec128_____Lib_IntVector_Intrinsics_vec128___ (line 568) | typedef struct
function Hacl_Hash_Blake2s_Simd128_state_t (line 576) | static Hacl_Hash_Blake2s_Simd128_state_t
function Hacl_Hash_Blake2s_Simd128_state_t (line 796) | Hacl_Hash_Blake2s_Simd128_state_t
function Hacl_Hash_Blake2s_Simd128_state_t (line 820) | Hacl_Hash_Blake2s_Simd128_state_t
function Hacl_Hash_Blake2s_Simd128_state_t (line 845) | Hacl_Hash_Blake2s_Simd128_state_t *Hacl_Hash_Blake2s_Simd128_malloc(void)
function Hacl_Hash_Blake2b_index (line 850) | static Hacl_Hash_Blake2b_index index_of_state(Hacl_Hash_Blake2s_Simd128_...
function reset_raw (line 860) | static void
function Hacl_Hash_Blake2s_Simd128_reset_with_key_and_params (line 971) | void
function Hacl_Hash_Blake2s_Simd128_reset_with_key (line 990) | void Hacl_Hash_Blake2s_Simd128_reset_with_key(Hacl_Hash_Blake2s_Simd128_...
function Hacl_Hash_Blake2s_Simd128_reset (line 1014) | void Hacl_Hash_Blake2s_Simd128_reset(Hacl_Hash_Blake2s_Simd128_state_t *s)
function Hacl_Streaming_Types_error_code (line 1022) | Hacl_Streaming_Types_error_code
function Hacl_Hash_Blake2s_Simd128_digest (line 1221) | uint8_t Hacl_Hash_Blake2s_Simd128_digest(Hacl_Hash_Blake2s_Simd128_state...
function Hacl_Hash_Blake2b_index (line 1289) | Hacl_Hash_Blake2b_index Hacl_Hash_Blake2s_Simd128_info(Hacl_Hash_Blake2s...
function Hacl_Hash_Blake2s_Simd128_free (line 1302) | void Hacl_Hash_Blake2s_Simd128_free(Hacl_Hash_Blake2s_Simd128_state_t *s...
function Hacl_Hash_Blake2s_Simd128_state_t (line 1318) | Hacl_Hash_Blake2s_Simd128_state_t
function Hacl_Hash_Blake2s_Simd128_hash_with_key (line 1456) | void
function Hacl_Hash_Blake2s_Simd128_hash_with_key_and_params (line 1481) | void
FILE: dist/gcc-compatible/Hacl_Hash_Blake2s_Simd128.h
type Hacl_Hash_Blake2s_Simd128_block_state_t (line 51) | typedef struct Hacl_Hash_Blake2s_Simd128_block_state_t_s
type Hacl_Hash_Blake2s_Simd128_state_t (line 54) | typedef struct Hacl_Hash_Blake2s_Simd128_state_t_s Hacl_Hash_Blake2s_Sim...
FILE: dist/gcc-compatible/Hacl_Hash_MD5.c
function Hacl_Hash_MD5_init (line 48) | void Hacl_Hash_MD5_init(uint32_t *s)
function update (line 53) | static void update(uint32_t *abcd, uint8_t *x)
function pad (line 964) | static void pad(uint64_t len, uint8_t *dst)
function Hacl_Hash_MD5_finish (line 977) | void Hacl_Hash_MD5_finish(uint32_t *s, uint8_t *dst)
function Hacl_Hash_MD5_update_multi (line 982) | void Hacl_Hash_MD5_update_multi(uint32_t *s, uint8_t *blocks, uint32_t n...
function Hacl_Hash_MD5_update_last (line 992) | void
function Hacl_Hash_MD5_hash_oneshot (line 1013) | void Hacl_Hash_MD5_hash_oneshot(uint8_t *output, uint8_t *input, uint32_...
function Hacl_Streaming_MD_state_32 (line 1040) | Hacl_Streaming_MD_state_32 *Hacl_Hash_MD5_malloc(void)
function Hacl_Hash_MD5_reset (line 1106) | void Hacl_Hash_MD5_reset(Hacl_Streaming_MD_state_32 *state)
function Hacl_Streaming_Types_error_code (line 1120) | Hacl_Streaming_Types_error_code
function Hacl_Hash_MD5_digest (line 1286) | void Hacl_Hash_MD5_digest(Hacl_Streaming_MD_state_32 *state, uint8_t *ou...
function Hacl_Hash_MD5_free (line 1321) | void Hacl_Hash_MD5_free(Hacl_Streaming_MD_state_32 *state)
function Hacl_Streaming_MD_state_32 (line 1331) | Hacl_Streaming_MD_state_32 *Hacl_Hash_MD5_copy(Hacl_Streaming_MD_state_3...
function Hacl_Hash_MD5_hash (line 1401) | void Hacl_Hash_MD5_hash(uint8_t *output, uint8_t *input, uint32_t input_...
FILE: dist/gcc-compatible/Hacl_Hash_MD5.h
type Hacl_Streaming_MD_state_32 (line 40) | typedef Hacl_Streaming_MD_state_32 Hacl_Hash_MD5_state_t;
FILE: dist/gcc-compatible/Hacl_Hash_SHA1.c
function Hacl_Hash_SHA1_init (line 33) | void Hacl_Hash_SHA1_init(uint32_t *s)
function update (line 38) | static void update(uint32_t *h, uint8_t *l)
function pad (line 126) | static void pad(uint64_t len, uint8_t *dst)
function Hacl_Hash_SHA1_finish (line 139) | void Hacl_Hash_SHA1_finish(uint32_t *s, uint8_t *dst)
function Hacl_Hash_SHA1_update_multi (line 144) | void Hacl_Hash_SHA1_update_multi(uint32_t *s, uint8_t *blocks, uint32_t ...
function Hacl_Hash_SHA1_update_last (line 154) | void
function Hacl_Hash_SHA1_hash_oneshot (line 175) | void Hacl_Hash_SHA1_hash_oneshot(uint8_t *output, uint8_t *input, uint32...
function Hacl_Streaming_MD_state_32 (line 202) | Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA1_malloc(void)
function Hacl_Hash_SHA1_reset (line 268) | void Hacl_Hash_SHA1_reset(Hacl_Streaming_MD_state_32 *state)
function Hacl_Streaming_Types_error_code (line 282) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA1_digest (line 448) | void Hacl_Hash_SHA1_digest(Hacl_Streaming_MD_state_32 *state, uint8_t *o...
function Hacl_Hash_SHA1_free (line 483) | void Hacl_Hash_SHA1_free(Hacl_Streaming_MD_state_32 *state)
function Hacl_Streaming_MD_state_32 (line 493) | Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA1_copy(Hacl_Streaming_MD_state_...
function Hacl_Hash_SHA1_hash (line 563) | void Hacl_Hash_SHA1_hash(uint8_t *output, uint8_t *input, uint32_t input...
FILE: dist/gcc-compatible/Hacl_Hash_SHA1.h
type Hacl_Streaming_MD_state_32 (line 40) | typedef Hacl_Streaming_MD_state_32 Hacl_Hash_SHA1_state_t;
FILE: dist/gcc-compatible/Hacl_Hash_SHA2.c
function Hacl_Hash_SHA2_sha256_init (line 33) | void Hacl_Hash_SHA2_sha256_init(uint32_t *hash)
function sha256_update (line 44) | static inline void sha256_update(uint8_t *b, uint32_t *hash)
function Hacl_Hash_SHA2_sha256_update_nblocks (line 150) | void Hacl_Hash_SHA2_sha256_update_nblocks(uint32_t len, uint8_t *b, uint...
function Hacl_Hash_SHA2_sha256_update_last (line 161) | void
function Hacl_Hash_SHA2_sha256_finish (line 198) | void Hacl_Hash_SHA2_sha256_finish(uint32_t *st, uint8_t *h)
function Hacl_Hash_SHA2_sha224_init (line 205) | void Hacl_Hash_SHA2_sha224_init(uint32_t *hash)
function Hacl_Hash_SHA2_sha224_update_nblocks (line 216) | void Hacl_Hash_SHA2_sha224_update_nblocks(uint32_t len, uint8_t *b, uint...
function Hacl_Hash_SHA2_sha224_update_last (line 221) | void Hacl_Hash_SHA2_sha224_update_last(uint64_t totlen, uint32_t len, ui...
function Hacl_Hash_SHA2_sha224_finish (line 226) | void Hacl_Hash_SHA2_sha224_finish(uint32_t *st, uint8_t *h)
function Hacl_Hash_SHA2_sha512_init (line 233) | void Hacl_Hash_SHA2_sha512_init(uint64_t *hash)
function sha512_update (line 244) | static inline void sha512_update(uint8_t *b, uint64_t *hash)
function Hacl_Hash_SHA2_sha512_update_nblocks (line 350) | void Hacl_Hash_SHA2_sha512_update_nblocks(uint32_t len, uint8_t *b, uint...
function Hacl_Hash_SHA2_sha512_update_last (line 361) | void
function Hacl_Hash_SHA2_sha512_finish (line 403) | void Hacl_Hash_SHA2_sha512_finish(uint64_t *st, uint8_t *h)
function Hacl_Hash_SHA2_sha384_init (line 410) | void Hacl_Hash_SHA2_sha384_init(uint64_t *hash)
function Hacl_Hash_SHA2_sha384_update_nblocks (line 421) | void Hacl_Hash_SHA2_sha384_update_nblocks(uint32_t len, uint8_t *b, uint...
function Hacl_Hash_SHA2_sha384_update_last (line 426) | void
function Hacl_Hash_SHA2_sha384_finish (line 437) | void Hacl_Hash_SHA2_sha384_finish(uint64_t *st, uint8_t *h)
function Hacl_Streaming_MD_state_32 (line 448) | Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_256(void)
function Hacl_Streaming_MD_state_32 (line 520) | Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_copy_256(Hacl_Streaming_MD_st...
function Hacl_Hash_SHA2_reset_256 (line 593) | void Hacl_Hash_SHA2_reset_256(Hacl_Streaming_MD_state_32 *state)
function Hacl_Streaming_Types_error_code (line 604) | static inline Hacl_Streaming_Types_error_code
function Hacl_Streaming_Types_error_code (line 777) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA2_digest_256 (line 793) | void Hacl_Hash_SHA2_digest_256(Hacl_Streaming_MD_state_32 *state, uint8_...
function Hacl_Hash_SHA2_free_256 (line 833) | void Hacl_Hash_SHA2_free_256(Hacl_Streaming_MD_state_32 *state)
function Hacl_Hash_SHA2_hash_256 (line 846) | void Hacl_Hash_SHA2_hash_256(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Streaming_MD_state_32 (line 862) | Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_224(void)
function Hacl_Hash_SHA2_reset_224 (line 928) | void Hacl_Hash_SHA2_reset_224(Hacl_Streaming_MD_state_32 *state)
function Hacl_Streaming_Types_error_code (line 939) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA2_digest_224 (line 954) | void Hacl_Hash_SHA2_digest_224(Hacl_Streaming_MD_state_32 *state, uint8_...
function Hacl_Hash_SHA2_free_224 (line 989) | void Hacl_Hash_SHA2_free_224(Hacl_Streaming_MD_state_32 *state)
function Hacl_Hash_SHA2_hash_224 (line 997) | void Hacl_Hash_SHA2_hash_224(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Streaming_MD_state_64 (line 1013) | Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_512(void)
function Hacl_Streaming_MD_state_64 (line 1085) | Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_copy_512(Hacl_Streaming_MD_st...
function Hacl_Hash_SHA2_reset_512 (line 1155) | void Hacl_Hash_SHA2_reset_512(Hacl_Streaming_MD_state_64 *state)
function Hacl_Streaming_Types_error_code (line 1166) | static inline Hacl_Streaming_Types_error_code
function Hacl_Streaming_Types_error_code (line 1339) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA2_digest_512 (line 1355) | void Hacl_Hash_SHA2_digest_512(Hacl_Streaming_MD_state_64 *state, uint8_...
function Hacl_Hash_SHA2_free_512 (line 1399) | void Hacl_Hash_SHA2_free_512(Hacl_Streaming_MD_state_64 *state)
function Hacl_Hash_SHA2_hash_512 (line 1412) | void Hacl_Hash_SHA2_hash_512(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Streaming_MD_state_64 (line 1428) | Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_384(void)
function Hacl_Hash_SHA2_reset_384 (line 1494) | void Hacl_Hash_SHA2_reset_384(Hacl_Streaming_MD_state_64 *state)
function Hacl_Streaming_Types_error_code (line 1505) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA2_digest_384 (line 1520) | void Hacl_Hash_SHA2_digest_384(Hacl_Streaming_MD_state_64 *state, uint8_...
function Hacl_Hash_SHA2_free_384 (line 1559) | void Hacl_Hash_SHA2_free_384(Hacl_Streaming_MD_state_64 *state)
function Hacl_Hash_SHA2_hash_384 (line 1567) | void Hacl_Hash_SHA2_hash_384(uint8_t *output, uint8_t *input, uint32_t i...
FILE: dist/gcc-compatible/Hacl_Hash_SHA2.h
type Hacl_Streaming_MD_state_32 (line 40) | typedef Hacl_Streaming_MD_state_32 Hacl_Hash_SHA2_state_t_224;
type Hacl_Streaming_MD_state_32 (line 42) | typedef Hacl_Streaming_MD_state_32 Hacl_Hash_SHA2_state_t_256;
type Hacl_Streaming_MD_state_64 (line 44) | typedef Hacl_Streaming_MD_state_64 Hacl_Hash_SHA2_state_t_384;
type Hacl_Streaming_MD_state_64 (line 46) | typedef Hacl_Streaming_MD_state_64 Hacl_Hash_SHA2_state_t_512;
FILE: dist/gcc-compatible/Hacl_Hash_SHA3.c
function absorb_inner_32 (line 59) | static void absorb_inner_32(uint8_t *b, uint64_t *s)
function block_len (line 176) | static uint32_t block_len(Spec_Hash_Definitions_hash_alg a)
function hash_len (line 212) | static uint32_t hash_len(Spec_Hash_Definitions_hash_alg a)
function Hacl_Hash_SHA3_init_ (line 240) | void Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_hash_alg a, uint64_t *s)
function Hacl_Hash_SHA3_update_multi_sha3 (line 246) | void
function Hacl_Hash_SHA3_update_last_sha3 (line 269) | void
function squeeze (line 557) | static void squeeze(uint64_t *s, uint32_t rateInBytes, uint32_t outputBy...
type hash_buf2 (line 625) | typedef struct hash_buf2_s
function Spec_Hash_Definitions_hash_alg (line 632) | Spec_Hash_Definitions_hash_alg Hacl_Hash_SHA3_get_alg(Hacl_Hash_SHA3_sta...
type option___Spec_Hash_Definitions_hash_alg____uint64_t__ (line 638) | typedef struct option___Spec_Hash_Definitions_hash_alg____uint64_t___s
function Hacl_Hash_SHA3_state_t (line 645) | Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_malloc(Spec_Hash_Definitions_hash...
function Hacl_Hash_SHA3_free (line 722) | void Hacl_Hash_SHA3_free(Hacl_Hash_SHA3_state_t *state)
function Hacl_Hash_SHA3_state_t (line 733) | Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_copy(Hacl_Hash_SHA3_state_t *state)
function Hacl_Hash_SHA3_reset (line 816) | void Hacl_Hash_SHA3_reset(Hacl_Hash_SHA3_state_t *state)
function Hacl_Streaming_Types_error_code (line 831) | Hacl_Streaming_Types_error_code
function digest_ (line 1004) | static void
function Hacl_Streaming_Types_error_code (line 1077) | Hacl_Streaming_Types_error_code
function Hacl_Streaming_Types_error_code (line 1089) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA3_block_len (line 1105) | uint32_t Hacl_Hash_SHA3_block_len(Hacl_Hash_SHA3_state_t *s)
function Hacl_Hash_SHA3_hash_len (line 1111) | uint32_t Hacl_Hash_SHA3_hash_len(Hacl_Hash_SHA3_state_t *s)
function Hacl_Hash_SHA3_is_shake (line 1117) | bool Hacl_Hash_SHA3_is_shake(Hacl_Hash_SHA3_state_t *s)
function Hacl_Hash_SHA3_absorb_inner_32 (line 1123) | void Hacl_Hash_SHA3_absorb_inner_32(uint32_t rateInBytes, uint8_t *b, ui...
function Hacl_Hash_SHA3_shake128 (line 1241) | void
function Hacl_Hash_SHA3_shake256 (line 1411) | void
function Hacl_Hash_SHA3_sha3_224 (line 1581) | void Hacl_Hash_SHA3_sha3_224(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Hash_SHA3_sha3_256 (line 1745) | void Hacl_Hash_SHA3_sha3_256(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Hash_SHA3_sha3_384 (line 1909) | void Hacl_Hash_SHA3_sha3_384(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Hash_SHA3_sha3_512 (line 2073) | void Hacl_Hash_SHA3_sha3_512(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Hash_SHA3_state_free (line 2249) | void Hacl_Hash_SHA3_state_free(uint64_t *s)
function Hacl_Hash_SHA3_shake128_absorb_nblocks (line 2265) | void
function Hacl_Hash_SHA3_shake128_absorb_final (line 2294) | void
function Hacl_Hash_SHA3_shake128_squeeze_nblocks (line 2393) | void
FILE: dist/gcc-compatible/Hacl_Hash_SHA3.h
type Hacl_Hash_SHA3_state_t (line 40) | typedef struct Hacl_Hash_SHA3_state_t_s Hacl_Hash_SHA3_state_t;
FILE: dist/gcc-compatible/Hacl_Hash_SHA3_Simd256.c
function Hacl_Hash_SHA3_Simd256_absorb_inner_256 (line 31) | void
function Hacl_Hash_SHA3_Simd256_shake128 (line 401) | void
function Hacl_Hash_SHA3_Simd256_shake256 (line 1330) | void
function Hacl_Hash_SHA3_Simd256_sha3_224 (line 2259) | void
function Hacl_Hash_SHA3_Simd256_sha3_256 (line 3187) | void
function Hacl_Hash_SHA3_Simd256_sha3_384 (line 4115) | void
function Hacl_Hash_SHA3_Simd256_sha3_512 (line 5043) | void
function Lib_IntVector_Intrinsics_vec256 (line 5974) | Lib_IntVector_Intrinsics_vec256 *Hacl_Hash_SHA3_Simd256_state_malloc(void)
function Hacl_Hash_SHA3_Simd256_state_free (line 5990) | void Hacl_Hash_SHA3_Simd256_state_free(Lib_IntVector_Intrinsics_vec256 *s)
function Hacl_Hash_SHA3_Simd256_shake128_absorb_nblocks (line 6007) | void
function Hacl_Hash_SHA3_Simd256_shake128_absorb_final (line 6057) | void
function Hacl_Hash_SHA3_Simd256_shake128_squeeze_nblocks (line 6388) | void
FILE: dist/gcc-compatible/Hacl_IntTypes_Intrinsics.h
function Hacl_IntTypes_Intrinsics_add_carry_u32 (line 40) | static inline uint32_t
function Hacl_IntTypes_Intrinsics_sub_borrow_u32 (line 49) | static inline uint32_t
function Hacl_IntTypes_Intrinsics_add_carry_u64 (line 58) | static inline uint64_t
function Hacl_IntTypes_Intrinsics_sub_borrow_u64 (line 67) | static inline uint64_t
FILE: dist/gcc-compatible/Hacl_IntTypes_Intrinsics_128.h
function Hacl_IntTypes_Intrinsics_128_add_carry_u64 (line 40) | static inline uint64_t
function Hacl_IntTypes_Intrinsics_128_sub_borrow_u64 (line 53) | static inline uint64_t
FILE: dist/gcc-compatible/Hacl_K256_ECDSA.c
function bn_add (line 35) | static inline uint64_t
function add4 (line 100) | static uint64_t add4(uint64_t *a, uint64_t *b, uint64_t *res)
function add_mod4 (line 124) | static void add_mod4(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res)
function sub_mod4 (line 177) | static void sub_mod4(uint64_t *n, uint64_t *a, uint64_t *b, uint64_t *res)
function mul4 (line 231) | static void mul4(uint64_t *a, uint64_t *b, uint64_t *res)
function sqr4 (line 259) | static void sqr4(uint64_t *a, uint64_t *res)
function is_qelem_zero (line 309) | static inline uint64_t is_qelem_zero(uint64_t *f)
function is_qelem_zero_vartime (line 324) | static inline bool is_qelem_zero_vartime(uint64_t *f)
function load_qelem_check (line 333) | static inline uint64_t load_qelem_check(uint64_t *f, uint8_t *b)
function load_qelem_vartime (line 361) | static inline bool load_qelem_vartime(uint64_t *f, uint8_t *b)
function modq_short (line 400) | static inline void modq_short(uint64_t *out, uint64_t *a)
function load_qelem_modq (line 418) | static inline void load_qelem_modq(uint64_t *f, uint8_t *b)
function store_qelem (line 433) | static inline void store_qelem(uint8_t *b, uint64_t *f)
function qadd (line 440) | static inline void qadd(uint64_t *out, uint64_t *f1, uint64_t *f2)
function mul_pow2_256_minus_q_add (line 450) | static inline uint64_t
function modq (line 500) | static inline void modq(uint64_t *out, uint64_t *a)
function qmul (line 528) | static inline void qmul(uint64_t *out, uint64_t *f1, uint64_t *f2)
function qsqr (line 535) | static inline void qsqr(uint64_t *out, uint64_t *f)
function qnegate_conditional_vartime (line 542) | static inline void qnegate_conditional_vartime(uint64_t *f, bool is_negate)
function is_qelem_le_q_halved_vartime (line 556) | static inline bool is_qelem_le_q_halved_vartime(uint64_t *f)
function qmul_shift_384 (line 581) | static inline void qmul_shift_384(uint64_t *res, uint64_t *a, uint64_t *b)
function qsquare_times_in_place (line 611) | static inline void qsquare_times_in_place(uint64_t *out, uint32_t b)
function qsquare_times (line 619) | static inline void qsquare_times(uint64_t *out, uint64_t *a, uint32_t b)
function qinv (line 628) | static inline void qinv(uint64_t *out, uint64_t *f)
function Hacl_Impl_K256_Point_make_point_at_inf (line 712) | void Hacl_Impl_K256_Point_make_point_at_inf(uint64_t *p)
function to_aff_point (line 723) | static inline void to_aff_point(uint64_t *p_aff, uint64_t *p)
function to_aff_point_x (line 738) | static inline void to_aff_point_x(uint64_t *x, uint64_t *p)
function is_on_curve_vartime (line 748) | static inline bool is_on_curve_vartime(uint64_t *p)
function Hacl_Impl_K256_Point_point_negate (line 771) | void Hacl_Impl_K256_Point_point_negate(uint64_t *out, uint64_t *p)
function point_negate_conditional_vartime (line 812) | static inline void point_negate_conditional_vartime(uint64_t *p, bool is...
function aff_point_store (line 821) | static inline void aff_point_store(uint8_t *out, uint64_t *p)
function Hacl_Impl_K256_Point_point_store (line 829) | void Hacl_Impl_K256_Point_point_store(uint8_t *out, uint64_t *p)
function Hacl_Impl_K256_Point_aff_point_load_vartime (line 836) | bool Hacl_Impl_K256_Point_aff_point_load_vartime(uint64_t *p, uint8_t *b)
function load_point_vartime (line 851) | static inline bool load_point_vartime(uint64_t *p, uint8_t *b)
function aff_point_decompress_vartime (line 870) | static inline bool aff_point_decompress_vartime(uint64_t *x, uint64_t *y...
function Hacl_Impl_K256_PointDouble_point_double (line 914) | void Hacl_Impl_K256_PointDouble_point_double(uint64_t *out, uint64_t *p)
function Hacl_Impl_K256_PointAdd_point_add (line 949) | void Hacl_Impl_K256_PointAdd_point_add(uint64_t *out, uint64_t *p, uint6...
function scalar_split_lambda (line 1011) | static inline void scalar_split_lambda(uint64_t *r1, uint64_t *r2, uint6...
function point_mul_lambda (line 1044) | static inline void point_mul_lambda(uint64_t *res, uint64_t *p)
function point_mul_lambda_inplace (line 1071) | static inline void point_mul_lambda_inplace(uint64_t *res)
type __bool_bool (line 1083) | typedef struct __bool_bool_s
function __bool_bool (line 1090) | static inline __bool_bool
function Hacl_Impl_K256_PointMul_point_mul (line 1114) | void Hacl_Impl_K256_PointMul_point_mul(uint64_t *out, uint64_t *scalar, ...
function precomp_get_consttime (line 1157) | static inline void precomp_get_consttime(const uint64_t *table, uint64_t...
function point_mul_g (line 1175) | static inline void point_mul_g(uint64_t *out, uint64_t *scalar)
function point_mul_g_double_vartime (line 1249) | static inline void
function point_mul_g_double_split_lambda_table (line 1317) | static inline void
function check_ecmult_endo_split (line 1422) | static inline bool
type __bool_bool_bool_bool (line 1440) | typedef struct __bool_bool_bool_bool_s
function point_mul_g_double_split_lambda_vartime (line 1449) | static inline void
function fmul_eq_vartime (line 1515) | static inline bool fmul_eq_vartime(uint64_t *r, uint64_t *z, uint64_t *x)
function Hacl_K256_ECDSA_ecdsa_sign_hashed_msg (line 1551) | bool
function Hacl_K256_ECDSA_ecdsa_sign_sha256 (line 1625) | bool
function Hacl_K256_ECDSA_ecdsa_verify_hashed_msg (line 1652) | bool
function Hacl_K256_ECDSA_ecdsa_verify_sha256 (line 1725) | bool
function Hacl_K256_ECDSA_secp256k1_ecdsa_signature_normalize (line 1746) | bool Hacl_K256_ECDSA_secp256k1_ecdsa_signature_normalize(uint8_t *signat...
function Hacl_K256_ECDSA_secp256k1_ecdsa_is_signature_normalized (line 1768) | bool Hacl_K256_ECDSA_secp256k1_ecdsa_is_signature_normalized(uint8_t *si...
function Hacl_K256_ECDSA_secp256k1_ecdsa_sign_hashed_msg (line 1791) | bool
function Hacl_K256_ECDSA_secp256k1_ecdsa_sign_sha256 (line 1820) | bool
function Hacl_K256_ECDSA_secp256k1_ecdsa_verify_hashed_msg (line 1848) | bool
function Hacl_K256_ECDSA_secp256k1_ecdsa_verify_sha256 (line 1875) | bool
function Hacl_K256_ECDSA_public_key_uncompressed_to_raw (line 1912) | bool Hacl_K256_ECDSA_public_key_uncompressed_to_raw(uint8_t *pk_raw, uin...
function Hacl_K256_ECDSA_public_key_uncompressed_from_raw (line 1931) | void Hacl_K256_ECDSA_public_key_uncompressed_from_raw(uint8_t *pk, uint8...
function Hacl_K256_ECDSA_public_key_compressed_to_raw (line 1947) | bool Hacl_K256_ECDSA_public_key_compressed_to_raw(uint8_t *pk_raw, uint8...
function Hacl_K256_ECDSA_public_key_compressed_from_raw (line 1969) | void Hacl_K256_ECDSA_public_key_compressed_from_raw(uint8_t *pk, uint8_t...
function Hacl_K256_ECDSA_is_public_key_valid (line 2007) | bool Hacl_K256_ECDSA_is_public_key_valid(uint8_t *public_key)
function Hacl_K256_ECDSA_is_private_key_valid (line 2024) | bool Hacl_K256_ECDSA_is_private_key_valid(uint8_t *private_key)
function Hacl_K256_ECDSA_secret_to_public (line 2047) | bool Hacl_K256_ECDSA_secret_to_public(uint8_t *public_key, uint8_t *priv...
function Hacl_K256_ECDSA_ecdh (line 2080) | bool Hacl_K256_ECDSA_ecdh(uint8_t *shared_secret, uint8_t *their_pubkey,...
FILE: dist/gcc-compatible/Hacl_MAC_Poly1305.c
function Hacl_MAC_Poly1305_poly1305_init (line 32) | void Hacl_MAC_Poly1305_poly1305_init(uint64_t *ctx, uint8_t *key)
function poly1305_update (line 93) | static void poly1305_update(uint64_t *ctx, uint32_t len, uint8_t *text)
function Hacl_MAC_Poly1305_poly1305_finish (line 344) | void Hacl_MAC_Poly1305_poly1305_finish(uint8_t *tag, uint8_t *key, uint6...
function Hacl_MAC_Poly1305_state_t (line 447) | Hacl_MAC_Poly1305_state_t *Hacl_MAC_Poly1305_malloc(uint8_t *key)
function Hacl_MAC_Poly1305_reset (line 541) | void Hacl_MAC_Poly1305_reset(Hacl_MAC_Poly1305_state_t *state, uint8_t *...
function Hacl_Streaming_Types_error_code (line 558) | Hacl_Streaming_Types_error_code
function Hacl_MAC_Poly1305_digest (line 732) | void Hacl_MAC_Poly1305_digest(Hacl_MAC_Poly1305_state_t *state, uint8_t ...
function Hacl_MAC_Poly1305_free (line 770) | void Hacl_MAC_Poly1305_free(Hacl_MAC_Poly1305_state_t *state)
function Hacl_MAC_Poly1305_mac (line 782) | void Hacl_MAC_Poly1305_mac(uint8_t *output, uint8_t *input, uint32_t inp...
FILE: dist/gcc-compatible/Hacl_MAC_Poly1305.h
type Hacl_MAC_Poly1305_state_t (line 40) | typedef struct Hacl_MAC_Poly1305_state_t_s Hacl_MAC_Poly1305_state_t;
FILE: dist/gcc-compatible/Hacl_MAC_Poly1305_Simd128.c
function Hacl_MAC_Poly1305_Simd128_load_acc2 (line 32) | void Hacl_MAC_Poly1305_Simd128_load_acc2(Lib_IntVector_Intrinsics_vec128...
function Hacl_MAC_Poly1305_Simd128_fmul_r2_normalize (line 104) | void
function Hacl_MAC_Poly1305_Simd128_poly1305_init (line 326) | void
function poly1305_update (line 533) | static void poly1305_update(Lib_IntVector_Intrinsics_vec128 *ctx, uint32...
function Hacl_MAC_Poly1305_Simd128_poly1305_finish (line 1150) | void
type option___Lib_IntVector_Intrinsics_vec128_ (line 1308) | typedef struct option___Lib_IntVector_Intrinsics_vec128__s
function Hacl_MAC_Poly1305_Simd128_state_t (line 1315) | Hacl_MAC_Poly1305_Simd128_state_t *Hacl_MAC_Poly1305_Simd128_malloc(uint...
function Hacl_MAC_Poly1305_Simd128_reset (line 1420) | void Hacl_MAC_Poly1305_Simd128_reset(Hacl_MAC_Poly1305_Simd128_state_t *...
function Hacl_Streaming_Types_error_code (line 1437) | Hacl_Streaming_Types_error_code
function Hacl_MAC_Poly1305_Simd128_digest (line 1615) | void
function Hacl_MAC_Poly1305_Simd128_free (line 1672) | void Hacl_MAC_Poly1305_Simd128_free(Hacl_MAC_Poly1305_Simd128_state_t *s...
function Hacl_MAC_Poly1305_Simd128_mac (line 1684) | void
FILE: dist/gcc-compatible/Hacl_MAC_Poly1305_Simd128.h
type Hacl_MAC_Poly1305_Simd128_state_t (line 40) | typedef struct Hacl_MAC_Poly1305_Simd128_state_t_s Hacl_MAC_Poly1305_Sim...
FILE: dist/gcc-compatible/Hacl_MAC_Poly1305_Simd256.c
function Hacl_MAC_Poly1305_Simd256_load_acc4 (line 32) | void Hacl_MAC_Poly1305_Simd256_load_acc4(Lib_IntVector_Intrinsics_vec256...
function Hacl_MAC_Poly1305_Simd256_fmul_r4_normalize (line 125) | void
function Hacl_MAC_Poly1305_Simd256_poly1305_init (line 624) | void
function poly1305_update (line 983) | static void poly1305_update(Lib_IntVector_Intrinsics_vec256 *ctx, uint32...
function Hacl_MAC_Poly1305_Simd256_poly1305_finish (line 1601) | void
type option___Lib_IntVector_Intrinsics_vec256_ (line 1759) | typedef struct option___Lib_IntVector_Intrinsics_vec256__s
function Hacl_MAC_Poly1305_Simd256_state_t (line 1766) | Hacl_MAC_Poly1305_Simd256_state_t *Hacl_MAC_Poly1305_Simd256_malloc(uint...
function Hacl_MAC_Poly1305_Simd256_reset (line 1871) | void Hacl_MAC_Poly1305_Simd256_reset(Hacl_MAC_Poly1305_Simd256_state_t *...
function Hacl_Streaming_Types_error_code (line 1888) | Hacl_Streaming_Types_error_code
function Hacl_MAC_Poly1305_Simd256_digest (line 2066) | void
function Hacl_MAC_Poly1305_Simd256_free (line 2123) | void Hacl_MAC_Poly1305_Simd256_free(Hacl_MAC_Poly1305_Simd256_state_t *s...
function Hacl_MAC_Poly1305_Simd256_mac (line 2135) | void
FILE: dist/gcc-compatible/Hacl_MAC_Poly1305_Simd256.h
type Hacl_MAC_Poly1305_Simd256_state_t (line 40) | typedef struct Hacl_MAC_Poly1305_Simd256_state_t_s Hacl_MAC_Poly1305_Sim...
FILE: dist/gcc-compatible/Hacl_NaCl.c
function secretbox_init (line 33) | static void secretbox_init(uint8_t *xkeys, uint8_t *k, uint8_t *n)
function secretbox_detached (line 43) | static void
function secretbox_open_detached (line 79) | static uint32_t
function secretbox_easy (line 136) | static void secretbox_easy(uint32_t mlen, uint8_t *c, uint8_t *k, uint8_...
function secretbox_open_easy (line 143) | static uint32_t
function box_beforenm (line 151) | static inline uint32_t box_beforenm(uint8_t *k, uint8_t *pk, uint8_t *sk)
function box_detached_afternm (line 163) | static inline uint32_t
function box_detached (line 177) | static inline uint32_t
function box_open_detached_afternm (line 197) | static inline uint32_t
function box_open_detached (line 210) | static inline uint32_t
function box_easy_afternm (line 230) | static inline uint32_t
function box_easy (line 239) | static inline uint32_t
function box_open_easy_afternm (line 248) | static inline uint32_t
function box_open_easy (line 256) | static inline uint32_t
function Hacl_NaCl_crypto_secretbox_detached (line 276) | uint32_t
function Hacl_NaCl_crypto_secretbox_open_detached (line 302) | uint32_t
function Hacl_NaCl_crypto_secretbox_easy (line 324) | uint32_t
function Hacl_NaCl_crypto_secretbox_open_easy (line 340) | uint32_t
function Hacl_NaCl_crypto_box_beforenm (line 359) | uint32_t Hacl_NaCl_crypto_box_beforenm(uint8_t *k, uint8_t *pk, uint8_t ...
function Hacl_NaCl_crypto_box_detached_afternm (line 367) | uint32_t
function Hacl_NaCl_crypto_box_detached (line 391) | uint32_t
function Hacl_NaCl_crypto_box_open_detached_afternm (line 408) | uint32_t
function Hacl_NaCl_crypto_box_open_detached (line 432) | uint32_t
function Hacl_NaCl_crypto_box_easy_afternm (line 449) | uint32_t
function Hacl_NaCl_crypto_box_easy (line 471) | uint32_t
function Hacl_NaCl_crypto_box_open_easy_afternm (line 487) | uint32_t
function Hacl_NaCl_crypto_box_open_easy (line 509) | uint32_t
FILE: dist/gcc-compatible/Hacl_P256.c
function bn_is_zero_mask4 (line 35) | static inline uint64_t bn_is_zero_mask4(uint64_t *f)
function bn_is_zero_vartime4 (line 50) | static inline bool bn_is_zero_vartime4(uint64_t *f)
function bn_is_eq_mask4 (line 56) | static inline uint64_t bn_is_eq_mask4(uint64_t *a, uint64_t *b)
function bn_is_eq_vartime4 (line 69) | static inline bool bn_is_eq_vartime4(uint64_t *a, uint64_t *b)
function bn_cmovznz4 (line 75) | static inline void bn_cmovznz4(uint64_t *res, uint64_t cin, uint64_t *x,...
function bn_add_mod4 (line 88) | static inline void bn_add_mod4(uint64_t *res, uint64_t *n, uint64_t *x, ...
function bn_sub4 (line 141) | static inline uint64_t bn_sub4(uint64_t *res, uint64_t *x, uint64_t *y)
function bn_sub_mod4 (line 166) | static inline void bn_sub_mod4(uint64_t *res, uint64_t *n, uint64_t *x, ...
function bn_mul4 (line 220) | static inline void bn_mul4(uint64_t *res, uint64_t *x, uint64_t *y)
function bn_sqr4 (line 248) | static inline void bn_sqr4(uint64_t *res, uint64_t *x)
function bn_to_bytes_be4 (line 298) | static inline void bn_to_bytes_be4(uint8_t *res, uint64_t *f)
function bn_from_bytes_be4 (line 305) | static inline void bn_from_bytes_be4(uint64_t *res, uint8_t *b)
function bn2_to_bytes_be4 (line 317) | static inline void bn2_to_bytes_be4(uint8_t *res, uint64_t *x, uint64_t *y)
function make_prime (line 323) | static inline void make_prime(uint64_t *n)
function make_order (line 331) | static inline void make_order(uint64_t *n)
function make_a_coeff (line 339) | static inline void make_a_coeff(uint64_t *a)
function make_b_coeff (line 347) | static inline void make_b_coeff(uint64_t *b)
function make_g_x (line 355) | static inline void make_g_x(uint64_t *n)
function make_g_y (line 363) | static inline void make_g_y(uint64_t *n)
function make_fmont_R2 (line 371) | static inline void make_fmont_R2(uint64_t *n)
function make_fzero (line 379) | static inline void make_fzero(uint64_t *n)
function make_fone (line 387) | static inline void make_fone(uint64_t *n)
function bn_is_lt_prime_mask4 (line 395) | static inline uint64_t bn_is_lt_prime_mask4(uint64_t *f)
function feq_mask (line 403) | static inline uint64_t feq_mask(uint64_t *a, uint64_t *b)
function fadd0 (line 409) | static inline void fadd0(uint64_t *res, uint64_t *x, uint64_t *y)
function fsub0 (line 416) | static inline void fsub0(uint64_t *res, uint64_t *x, uint64_t *y)
function fnegate_conditional_vartime (line 423) | static inline void fnegate_conditional_vartime(uint64_t *f, bool is_negate)
function mont_reduction (line 432) | static inline void mont_reduction(uint64_t *res, uint64_t *x)
function fmul0 (line 496) | static inline void fmul0(uint64_t *res, uint64_t *x, uint64_t *y)
function fsqr0 (line 503) | static inline void fsqr0(uint64_t *res, uint64_t *x)
function from_mont (line 510) | static inline void from_mont(uint64_t *res, uint64_t *a)
function to_mont (line 517) | static inline void to_mont(uint64_t *res, uint64_t *a)
function fmul_by_b_coeff (line 524) | static inline void fmul_by_b_coeff(uint64_t *res, uint64_t *x)
function fcube (line 531) | static inline void fcube(uint64_t *res, uint64_t *x)
function finv (line 537) | static inline void finv(uint64_t *res, uint64_t *a)
function fsqrt (line 595) | static inline void fsqrt(uint64_t *res, uint64_t *a)
function make_base_point (line 635) | static inline void make_base_point(uint64_t *p)
function make_point_at_inf (line 645) | static inline void make_point_at_inf(uint64_t *p)
function is_point_at_inf_vartime (line 655) | static inline bool is_point_at_inf_vartime(uint64_t *p)
function to_aff_point (line 661) | static inline void to_aff_point(uint64_t *res, uint64_t *p)
function to_aff_point_x (line 676) | static inline void to_aff_point_x(uint64_t *res, uint64_t *p)
function to_proj_point (line 686) | static inline void to_proj_point(uint64_t *res, uint64_t *p)
function is_on_curve_vartime (line 698) | static inline bool is_on_curve_vartime(uint64_t *p)
function aff_point_store (line 720) | static inline void aff_point_store(uint8_t *res, uint64_t *p)
function point_store (line 727) | static inline void point_store(uint8_t *res, uint64_t *p)
function aff_point_load_vartime (line 734) | static inline bool aff_point_load_vartime(uint64_t *p, uint8_t *b)
function load_point_vartime (line 755) | static inline bool load_point_vartime(uint64_t *p, uint8_t *b)
function aff_point_decompress_vartime (line 766) | static inline bool aff_point_decompress_vartime(uint64_t *x, uint64_t *y...
function point_double (line 810) | static inline void point_double(uint64_t *res, uint64_t *p)
function point_add (line 862) | static inline void point_add(uint64_t *res, uint64_t *p, uint64_t *q)
function point_mul (line 936) | static inline void point_mul(uint64_t *res, uint64_t *scalar, uint64_t *p)
function precomp_get_consttime (line 979) | static inline void precomp_get_consttime(const uint64_t *table, uint64_t...
function point_mul_g (line 997) | static inline void point_mul_g(uint64_t *res, uint64_t *scalar)
function point_mul_double_g (line 1058) | static inline void
function bn_is_lt_order_mask4 (line 1112) | static inline uint64_t bn_is_lt_order_mask4(uint64_t *f)
function bn_is_lt_order_and_gt_zero_mask4 (line 1120) | static inline uint64_t bn_is_lt_order_and_gt_zero_mask4(uint64_t *f)
function qmod_short (line 1127) | static inline void qmod_short(uint64_t *res, uint64_t *x)
function qadd (line 1135) | static inline void qadd(uint64_t *res, uint64_t *x, uint64_t *y)
function qmont_reduction (line 1142) | static inline void qmont_reduction(uint64_t *res, uint64_t *x)
function from_qmont (line 1206) | static inline void from_qmont(uint64_t *res, uint64_t *x)
function qmul (line 1213) | static inline void qmul(uint64_t *res, uint64_t *x, uint64_t *y)
function qsqr (line 1220) | static inline void qsqr(uint64_t *res, uint64_t *x)
function Hacl_Impl_P256_DH_ecp256dh_i (line 1227) | bool Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_...
function Hacl_Impl_P256_DH_ecp256dh_r (line 1253) | bool
function qinv (line 1289) | static inline void qinv(uint64_t *res, uint64_t *r)
function qmul_mont (line 1397) | static inline void qmul_mont(uint64_t *sinv, uint64_t *b, uint64_t *res)
function ecdsa_verify_msg_as_qelem (line 1404) | static inline bool
function ecdsa_sign_msg_as_qelem (line 1445) | static inline bool
function Hacl_P256_ecdsa_sign_p256_sha2 (line 1541) | bool
function Hacl_P256_ecdsa_sign_p256_sha384 (line 1574) | bool
function Hacl_P256_ecdsa_sign_p256_sha512 (line 1607) | bool
function Hacl_P256_ecdsa_sign_p256_without_hash (line 1650) | bool
function Hacl_P256_ecdsa_verif_p256_sha2 (line 1686) | bool
function Hacl_P256_ecdsa_verif_p256_sha384 (line 1717) | bool
function Hacl_P256_ecdsa_verif_p256_sha512 (line 1748) | bool
function Hacl_P256_ecdsa_verif_without_hash (line 1784) | bool
function Hacl_P256_validate_public_key (line 1823) | bool Hacl_P256_validate_public_key(uint8_t *public_key)
function Hacl_P256_validate_private_key (line 1840) | bool Hacl_P256_validate_private_key(uint8_t *private_key)
function Hacl_P256_uncompressed_to_raw (line 1871) | bool Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw)
function Hacl_P256_compressed_to_raw (line 1892) | bool Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw)
function Hacl_P256_raw_to_uncompressed (line 1914) | void Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk)
function Hacl_P256_raw_to_compressed (line 1928) | void Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk)
function Hacl_P256_dh_initiator (line 1955) | bool Hacl_P256_dh_initiator(uint8_t *public_key, uint8_t *private_key)
function Hacl_P256_dh_responder (line 1972) | bool
FILE: dist/gcc-compatible/Hacl_RSAPSS.c
function hash_len (line 35) | static inline uint32_t hash_len(Spec_Hash_Definitions_hash_alg a)
function hash (line 95) | static inline void
function mgf_hash (line 123) | static inline void
function check_num_bits_u64 (line 155) | static inline uint64_t check_num_bits_u64(uint32_t bs, uint64_t *b)
function check_modulus_u64 (line 179) | static inline uint64_t check_modulus_u64(uint32_t modBits, uint64_t *n)
function check_exponent_u64 (line 203) | static inline uint64_t check_exponent_u64(uint32_t eBits, uint64_t *e)
function pss_encode (line 222) | static inline void
function pss_verify (line 272) | static inline bool
function load_pkey (line 356) | static inline bool
function load_skey (line 374) | static inline bool
function Hacl_RSAPSS_rsapss_sign (line 416) | bool
function Hacl_RSAPSS_rsapss_verify (line 519) | bool
function Hacl_RSAPSS_rsapss_skey_sign (line 778) | bool
function Hacl_RSAPSS_rsapss_pkey_verify (line 839) | bool
function Hacl_RSAPSS_mgf_hash (line 870) | void
FILE: dist/gcc-compatible/Hacl_SHA2_Types.h
type Hacl_Hash_SHA2_uint8_2p (line 38) | typedef struct Hacl_Hash_SHA2_uint8_2p_s
type Hacl_Hash_SHA2_uint8_3p (line 45) | typedef struct Hacl_Hash_SHA2_uint8_3p_s
type Hacl_Hash_SHA2_uint8_4p (line 52) | typedef struct Hacl_Hash_SHA2_uint8_4p_s
type Hacl_Hash_SHA2_uint8_4p (line 61) | typedef Hacl_Hash_SHA2_uint8_4p Hacl_Hash_SHA2_bufx4;
FILE: dist/gcc-compatible/Hacl_SHA2_Vec128.c
function sha224_init4 (line 33) | static inline void sha224_init4(Lib_IntVector_Intrinsics_vec128 *hash)
function sha224_update4 (line 45) | static inline void
function sha224_update_nblocks4 (line 296) | static inline void
function sha224_update_last4 (line 320) | static inline void
function sha224_finish4 (line 393) | static inline void
function Hacl_SHA2_Vec128_sha224_4 (line 476) | void
function sha256_init4 (line 513) | static inline void sha256_init4(Lib_IntVector_Intrinsics_vec128 *hash)
function sha256_update4 (line 525) | static inline void
function sha256_update_nblocks4 (line 776) | static inline void
function sha256_update_last4 (line 800) | static inline void
function sha256_finish4 (line 873) | static inline void
function Hacl_SHA2_Vec128_sha256_4 (line 956) | void
FILE: dist/gcc-compatible/Hacl_SHA2_Vec256.c
function sha224_init8 (line 35) | static inline void sha224_init8(Lib_IntVector_Intrinsics_vec256 *hash)
function sha224_update8 (line 47) | static inline void
function sha224_update_nblocks8 (line 382) | static inline void
function sha224_update_last8 (line 427) | static inline void
function sha224_finish8 (line 562) | static inline void
function Hacl_SHA2_Vec256_sha224_8 (line 689) | void
function sha256_init8 (line 784) | static inline void sha256_init8(Lib_IntVector_Intrinsics_vec256 *hash)
function sha256_update8 (line 796) | static inline void
function sha256_update_nblocks8 (line 1131) | static inline void
function sha256_update_last8 (line 1176) | static inline void
function sha256_finish8 (line 1311) | static inline void
function Hacl_SHA2_Vec256_sha256_8 (line 1438) | void
function sha384_init4 (line 1533) | static inline void sha384_init4(Lib_IntVector_Intrinsics_vec256 *hash)
function sha384_update4 (line 1545) | static inline void
function sha384_update_nblocks4 (line 1780) | static inline void
function sha384_update_last4 (line 1804) | static inline void
function sha384_finish4 (line 1877) | static inline void
function Hacl_SHA2_Vec256_sha384_4 (line 1952) | void
function sha512_init4 (line 1989) | static inline void sha512_init4(Lib_IntVector_Intrinsics_vec256 *hash)
function sha512_update4 (line 2001) | static inline void
function sha512_update_nblocks4 (line 2236) | static inline void
function sha512_update_last4 (line 2260) | static inline void
function sha512_finish4 (line 2333) | static inline void
function Hacl_SHA2_Vec256_sha512_4 (line 2408) | void
FILE: dist/gcc-compatible/Hacl_Salsa20.c
function quarter_round (line 28) | static inline void quarter_round(uint32_t *st, uint32_t a, uint32_t b, u...
function double_round (line 52) | static inline void double_round(uint32_t *st)
function rounds (line 64) | static inline void rounds(uint32_t *st)
function salsa20_core (line 78) | static inline void salsa20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr)
function salsa20_key_block0 (line 94) | static inline void salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_...
function salsa20_encrypt (line 135) | static inline void
function salsa20_decrypt (line 240) | static inline void
function hsalsa20 (line 345) | static inline void hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n)
function Hacl_Salsa20_salsa20_encrypt (line 392) | void
function Hacl_Salsa20_salsa20_decrypt (line 405) | void
function Hacl_Salsa20_salsa20_key_block0 (line 418) | void Hacl_Salsa20_salsa20_key_block0(uint8_t *out, uint8_t *key, uint8_t...
function Hacl_Salsa20_hsalsa20 (line 423) | void Hacl_Salsa20_hsalsa20(uint8_t *out, uint8_t *key, uint8_t *n)
FILE: dist/gcc-compatible/Hacl_Spec.h
type Spec_FFDHE_ffdhe_alg (line 44) | typedef uint8_t Spec_FFDHE_ffdhe_alg;
type Spec_Agile_AEAD_alg (line 54) | typedef uint8_t Spec_Agile_AEAD_alg;
FILE: dist/gcc-compatible/Hacl_Streaming_HMAC.c
function Spec_Hash_Definitions_hash_alg (line 47) | static Spec_Hash_Definitions_hash_alg alg_of_impl(Hacl_Agile_Hash_impl i)
function Hacl_Agile_Hash_impl (line 115) | static Hacl_Agile_Hash_impl impl_of_state_s(Hacl_Agile_Hash_state_s s)
function Hacl_Agile_Hash_impl (line 180) | static Hacl_Agile_Hash_impl impl_of_state(Hacl_Agile_Hash_state_s *s)
function Hacl_Agile_Hash_state_s (line 185) | static Hacl_Agile_Hash_state_s *malloc_(Hacl_Agile_Hash_impl a)
function init (line 582) | static void init(Hacl_Agile_Hash_state_s *s)
function update_multi (line 686) | static void
function update_last (line 815) | static void
function finish (line 939) | static void finish(Hacl_Agile_Hash_state_s *s, uint8_t *dst)
function free_ (line 1075) | static void free_(Hacl_Agile_Hash_state_s *s)
function copy (line 1159) | static void copy(Hacl_Agile_Hash_state_s *s_src, Hacl_Agile_Hash_state_s...
function hash (line 1407) | static void hash(Hacl_Agile_Hash_impl i, uint8_t *dst, uint8_t *input, u...
function hash_len (line 1493) | static uint32_t hash_len(Spec_Hash_Definitions_hash_alg a)
function block_len (line 1553) | static uint32_t block_len(Spec_Hash_Definitions_hash_alg a)
function max_input_len64 (line 1621) | static uint64_t max_input_len64(Spec_Hash_Definitions_hash_alg a)
function wrap_key (line 1689) | static void wrap_key(Hacl_Agile_Hash_impl impl, uint8_t *output, uint8_t...
function init0 (line 1715) | static void init0(uint8_t *k, uint8_t *buf, Hacl_Streaming_HMAC_Definiti...
function finish0 (line 1748) | static void finish0(Hacl_Streaming_HMAC_Definitions_two_state s, uint8_t...
function Hacl_Agile_Hash_state_s (line 1759) | Hacl_Agile_Hash_state_s
function Hacl_Agile_Hash_state_s (line 1769) | Hacl_Agile_Hash_state_s
function Hacl_Streaming_HMAC_Definitions_index (line 1779) | Hacl_Streaming_HMAC_Definitions_index
function Hacl_Agile_Hash_impl (line 1788) | static Hacl_Agile_Hash_impl
function Hacl_Agile_Hash_impl (line 1796) | static Hacl_Agile_Hash_impl
function __proj__Mkdtuple2__item___2__Hacl_Agile_Hash_impl_uint32_t (line 1802) | static uint32_t
function dsnd__Hacl_Agile_Hash_impl_uint32_t (line 1810) | static uint32_t dsnd__Hacl_Agile_Hash_impl_uint32_t(Hacl_Streaming_HMAC_...
type option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__ (line 1815) | typedef struct option___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agi...
function KRML_MAYBE_UNUSED (line 1822) | KRML_MAYBE_UNUSED static Hacl_Streaming_HMAC_agile_state
function KRML_MAYBE_UNUSED (line 1930) | KRML_MAYBE_UNUSED static bool is_blake2b_256(Hacl_Agile_Hash_impl uu___)
function KRML_MAYBE_UNUSED (line 1945) | KRML_MAYBE_UNUSED static bool is_blake2s_128(Hacl_Agile_Hash_impl uu___)
function Hacl_Streaming_Types_error_code (line 1960) | Hacl_Streaming_Types_error_code
function Hacl_Streaming_HMAC_Definitions_index (line 1995) | Hacl_Streaming_HMAC_Definitions_index
function reset_internal (line 2002) | static void reset_internal(Hacl_Streaming_HMAC_agile_state *state, uint8...
function Hacl_Streaming_Types_error_code (line 2020) | Hacl_Streaming_Types_error_code
function Hacl_Streaming_Types_error_code (line 2036) | Hacl_Streaming_Types_error_code
type ___uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s____uint32_t____Hacl_Agile_Hash_state_s_____Hacl_Agile_Hash_state_s__ (line 2275) | typedef struct
function Hacl_Streaming_Types_error_code (line 2283) | Hacl_Streaming_Types_error_code
function Hacl_Streaming_HMAC_free (line 2394) | void Hacl_Streaming_HMAC_free(Hacl_Streaming_HMAC_agile_state *state)
function Hacl_Streaming_HMAC_agile_state (line 2410) | Hacl_Streaming_HMAC_agile_state
FILE: dist/gcc-compatible/Hacl_Streaming_HMAC.h
type Hacl_Agile_Hash_impl (line 55) | typedef uint8_t Hacl_Agile_Hash_impl;
type Hacl_Agile_Hash_state_s (line 57) | typedef struct Hacl_Agile_Hash_state_s_s Hacl_Agile_Hash_state_s;
type Hacl_Streaming_HMAC_Definitions_index (line 59) | typedef struct Hacl_Streaming_HMAC_Definitions_index_s
type Hacl_Streaming_HMAC_Definitions_two_state (line 66) | typedef struct Hacl_Streaming_HMAC_Definitions_two_state_s
type Hacl_Streaming_HMAC_agile_state (line 89) | typedef struct Hacl_Streaming_HMAC_agile_state_s Hacl_Streaming_HMAC_agi...
FILE: dist/gcc-compatible/Hacl_Streaming_Types.h
type Spec_Hash_Definitions_hash_alg (line 53) | typedef uint8_t Spec_Hash_Definitions_hash_alg;
type Hacl_Streaming_Types_error_code (line 61) | typedef uint8_t Hacl_Streaming_Types_error_code;
type Hacl_Streaming_MD_state_32 (line 63) | typedef struct Hacl_Streaming_MD_state_32_s Hacl_Streaming_MD_state_32;
type Hacl_Streaming_MD_state_64 (line 65) | typedef struct Hacl_Streaming_MD_state_64_s Hacl_Streaming_MD_state_64;
FILE: dist/gcc-compatible/Lib_Memzero0.c
function Lib_Memzero0_memzero0 (line 50) | void Lib_Memzero0_memzero0(void *dst, uint64_t len) {
FILE: dist/gcc-compatible/Lib_PrintBuffer.c
function Lib_PrintBuffer_print_bytes (line 6) | void Lib_PrintBuffer_print_bytes(uint32_t len, uint8_t* buffer) {
function Lib_PrintBuffer_print_compare (line 14) | void Lib_PrintBuffer_print_compare(uint32_t len, uint8_t* buffer1, uint8...
function Lib_PrintBuffer_print_compare_display (line 26) | void Lib_PrintBuffer_print_compare_display(uint32_t len, const uint8_t* ...
function Lib_PrintBuffer_result_compare_display (line 41) | bool Lib_PrintBuffer_result_compare_display(uint32_t len, const uint8_t*...
FILE: dist/gcc-compatible/Lib_RandomBuffer_System.c
function read_random_bytes (line 10) | bool read_random_bytes(uint32_t len, uint8_t *buf) {
function read_random_bytes (line 37) | bool read_random_bytes(uint32_t len, uint8_t *buf) {
function Lib_RandomBuffer_System_randombytes (line 57) | bool Lib_RandomBuffer_System_randombytes(uint8_t *x, uint32_t len) {
function Lib_RandomBuffer_System_crypto_random (line 61) | void Lib_RandomBuffer_System_crypto_random(uint8_t *x, uint32_t len) {
FILE: dist/gcc-compatible/Vale.c
type als_ret (line 28) | typedef uint64_t als_ret;
FILE: dist/gcc-compatible/curve25519-inline.h
function add_scalar (line 8) | static inline void add_scalar (uint64_t *out, uint64_t *f1, uint64_t f2)
function fadd (line 37) | static inline void fadd (uint64_t *out, uint64_t *f1, uint64_t *f2)
function fsub (line 79) | static inline void fsub (uint64_t *out, uint64_t *f1, uint64_t *f2)
function fmul (line 123) | static inline void fmul (uint64_t *out, uint64_t *f1, uint64_t *f2, uint...
function fmul2 (line 211) | static inline void fmul2 (uint64_t *out, uint64_t *f1, uint64_t *f2, uin...
function fmul_scalar (line 366) | static inline void fmul_scalar (uint64_t *out, uint64_t *f1, uint64_t f2)
function cswap2 (line 409) | static inline void cswap2 (uint64_t bit, uint64_t *p1, uint64_t *p2)
function fsqr (line 494) | static inline void fsqr (uint64_t *out, uint64_t *f, uint64_t *tmp)
function fsqr2 (line 588) | static inline void fsqr2 (uint64_t *out, uint64_t *f, uint64_t *tmp)
FILE: dist/gcc-compatible/evercrypt_targetconfig.h
function has_vec128_not_avx (line 40) | static inline bool has_vec128_not_avx () {
function has_vec256_not_avx2 (line 48) | static inline bool has_vec256_not_avx2 () {
FILE: dist/gcc-compatible/internal/EverCrypt_AEAD.h
type EverCrypt_AEAD_state_s (line 45) | typedef struct EverCrypt_AEAD_state_s_s
FILE: dist/gcc-compatible/internal/EverCrypt_DRBG.h
type EverCrypt_DRBG_state_s_tags (line 46) | typedef uint8_t EverCrypt_DRBG_state_s_tags;
type EverCrypt_DRBG_state_s (line 48) | typedef struct EverCrypt_DRBG_state_s_s
FILE: dist/gcc-compatible/internal/EverCrypt_Hash.h
type EverCrypt_Hash_state_s_tags (line 56) | typedef uint8_t EverCrypt_Hash_state_s_tags;
type EverCrypt_Hash_state_s (line 58) | typedef struct EverCrypt_Hash_state_s_s
type EverCrypt_Hash_Incremental_state_t (line 83) | typedef struct EverCrypt_Hash_Incremental_state_t_s
FILE: dist/gcc-compatible/internal/Hacl_Bignum25519_51.h
function Hacl_Impl_Curve25519_Field51_fadd (line 41) | static inline void Hacl_Impl_Curve25519_Field51_fadd(uint64_t *out, uint...
function Hacl_Impl_Curve25519_Field51_fsub (line 60) | static inline void Hacl_Impl_Curve25519_Field51_fsub(uint64_t *out, uint...
function Hacl_Impl_Curve25519_Field51_fmul (line 79) | static inline void
function Hacl_Impl_Curve25519_Field51_fmul2 (line 162) | static inline void
function Hacl_Impl_Curve25519_Field51_fmul1 (line 327) | static inline void Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uin...
function Hacl_Impl_Curve25519_Field51_fsqr (line 369) | static inline void
function Hacl_Impl_Curve25519_Field51_fsqr2 (line 444) | static inline void
function Hacl_Impl_Curve25519_Field51_store_felem (line 598) | static inline void Hacl_Impl_Curve25519_Field51_store_felem(uint64_t *u6...
function Hacl_Impl_Curve25519_Field51_cswap2 (line 658) | static inline void
FILE: dist/gcc-compatible/internal/Hacl_Bignum_Base.h
function Hacl_Bignum_Base_mul_wide_add2_u32 (line 42) | static inline uint32_t
function Hacl_Bignum_Base_mul_wide_add2_u64 (line 51) | static inline uint64_t
function Hacl_Bignum_Convert_bn_from_bytes_be_uint64 (line 64) | static inline void
function Hacl_Bignum_Convert_bn_to_bytes_be_uint64 (line 82) | static inline void
function Hacl_Bignum_Lib_bn_get_top_index_u32 (line 97) | static inline uint32_t Hacl_Bignum_Lib_bn_get_top_index_u32(uint32_t len...
function Hacl_Bignum_Lib_bn_get_top_index_u64 (line 108) | static inline uint64_t Hacl_Bignum_Lib_bn_get_top_index_u64(uint32_t len...
function Hacl_Bignum_Lib_bn_get_bits_u32 (line 119) | static inline uint32_t
function Hacl_Bignum_Lib_bn_get_bits_u64 (line 137) | static inline uint64_t
function Hacl_Bignum_Addition_bn_sub_eq_len_u32 (line 155) | static inline uint32_t
function Hacl_Bignum_Addition_bn_sub_eq_len_u64 (line 188) | static inline uint64_t
function Hacl_Bignum_Addition_bn_add_eq_len_u32 (line 221) | static inline uint32_t
function Hacl_Bignum_Addition_bn_add_eq_len_u64 (line 254) | static inline uint64_t
function Hacl_Bignum_Multiplication_bn_mul_u32 (line 287) | static inline void
function Hacl_Bignum_Multiplication_bn_mul_u64 (line 328) | static inline void
function Hacl_Bignum_Multiplication_bn_sqr_u32 (line 369) | static inline void
function Hacl_Bignum_Multiplication_bn_sqr_u64 (line 420) | static inline void
FILE: dist/gcc-compatible/internal/Hacl_Bignum_K256.h
function Hacl_K256_Field_is_felem_zero_vartime (line 41) | static inline bool Hacl_K256_Field_is_felem_zero_vartime(uint64_t *f)
function Hacl_K256_Field_is_felem_eq_vartime (line 51) | static inline bool Hacl_K256_Field_is_felem_eq_vartime(uint64_t *f1, uin...
function Hacl_K256_Field_is_felem_lt_prime_minus_order_vartime (line 66) | static inline bool Hacl_K256_Field_is_felem_lt_prime_minus_order_vartime...
function Hacl_K256_Field_load_felem (line 96) | static inline void Hacl_K256_Field_load_felem(uint64_t *f, uint8_t *b)
function Hacl_K256_Field_load_felem_lt_prime_vartime (line 130) | static inline bool Hacl_K256_Field_load_felem_lt_prime_vartime(uint64_t ...
function Hacl_K256_Field_store_felem (line 146) | static inline void Hacl_K256_Field_store_felem(uint8_t *b, uint64_t *f)
function Hacl_K256_Field_fmul_small_num (line 169) | static inline void Hacl_K256_Field_fmul_small_num(uint64_t *out, uint64_...
function Hacl_K256_Field_fadd (line 193) | static inline void Hacl_K256_Field_fadd(uint64_t *out, uint64_t *f1, uin...
function Hacl_K256_Field_fsub (line 222) | static inline void Hacl_K256_Field_fsub(uint64_t *out, uint64_t *f1, uin...
function Hacl_K256_Field_fmul (line 261) | static inline void Hacl_K256_Field_fmul(uint64_t *out, uint64_t *f1, uin...
function Hacl_K256_Field_fsqr (line 365) | static inline void Hacl_K256_Field_fsqr(uint64_t *out, uint64_t *f)
function Hacl_K256_Field_fnormalize_weak (line 448) | static inline void Hacl_K256_Field_fnormalize_weak(uint64_t *out, uint64...
function Hacl_K256_Field_fnormalize (line 484) | static inline void Hacl_K256_Field_fnormalize(uint64_t *out, uint64_t *f)
function Hacl_K256_Field_fnegate_conditional_vartime (line 561) | static inline void Hacl_K256_Field_fnegate_conditional_vartime(uint64_t ...
function Hacl_Impl_K256_Finv_fsquare_times_in_place (line 590) | static inline void Hacl_Impl_K256_Finv_fsquare_times_in_place(uint64_t *...
function Hacl_Impl_K256_Finv_fsquare_times (line 598) | static inline void Hacl_Impl_K256_Finv_fsquare_times(uint64_t *out, uint...
function Hacl_Impl_K256_Finv_fexp_223_23 (line 607) | static inline void Hacl_Impl_K256_Finv_fexp_223_23(uint64_t *out, uint64...
function Hacl_Impl_K256_Finv_finv (line 639) | static inline void Hacl_Impl_K256_Finv_finv(uint64_t *out, uint64_t *f)
function Hacl_Impl_K256_Finv_fsqrt (line 651) | static inline void Hacl_Impl_K256_Finv_fsqrt(uint64_t *out, uint64_t *f)
FILE: dist/gcc-compatible/internal/Hacl_Frodo_KEM.h
function Hacl_Keccak_shake128_4x (line 43) | static inline void
function Hacl_Impl_Matrix_mod_pow2 (line 63) | static inline void
function Hacl_Impl_Matrix_matrix_add (line 79) | static inline void
function Hacl_Impl_Matrix_matrix_sub (line 91) | static inline void
function Hacl_Impl_Matrix_matrix_mul (line 103) | static inline void
function Hacl_Impl_Matrix_matrix_mul_s (line 130) | static inline void
function Hacl_Impl_Matrix_matrix_eq (line 157) | static inline uint16_t
function Hacl_Impl_Matrix_matrix_to_lbytes (line 170) | static inline void
function Hacl_Impl_Matrix_matrix_from_lbytes (line 179) | static inline void
function Hacl_Impl_Frodo_Gen_frodo_gen_matrix_shake_4x (line 191) | static inline void
function Hacl_Impl_Frodo_Params_frodo_gen_matrix (line 245) | static inline void
function Hacl_Impl_Frodo_Sample_frodo_sample_matrix64 (line 286) | static inline void
function Hacl_Impl_Frodo_Sample_frodo_sample_matrix640 (line 319) | static inline void
function Hacl_Impl_Frodo_Sample_frodo_sample_matrix976 (line 352) | static inline void
function Hacl_Impl_Frodo_Sample_frodo_sample_matrix1344 (line 385) | static inline void
function Hacl_Impl_Frodo_Pack_frodo_pack (line 420) | static inline void
function Hacl_Impl_Frodo_Pack_frodo_unpack (line 461) | static inline void
function Hacl_Impl_Frodo_Encode_frodo_key_encode (line 515) | static inline void
function Hacl_Impl_Frodo_Encode_frodo_key_decode (line 541) | static inline void
FILE: dist/gcc-compatible/internal/Hacl_HMAC.h
type K___uint32_t_uint32_t (line 40) | typedef struct K___uint32_t_uint32_t_s
FILE: dist/gcc-compatible/internal/Hacl_Hash_Blake2b.h
type Hacl_Hash_Blake2b_params_and_key (line 41) | typedef struct Hacl_Hash_Blake2b_params_and_key_s
type Hacl_Hash_Blake2b_block_state_t (line 73) | typedef struct Hacl_Hash_Blake2b_block_state_t_s
type Hacl_Hash_Blake2b_state_t (line 82) | typedef struct Hacl_Hash_Blake2b_state_t_s
FILE: dist/gcc-compatible/internal/Hacl_Hash_Blake2b_Simd256.h
type Hacl_Hash_Blake2b_Simd256_two_2b_256 (line 109) | typedef struct Hacl_Hash_Blake2b_Simd256_two_2b_256_s
type Hacl_Hash_Blake2b_Simd256_block_state_t (line 116) | typedef struct Hacl_Hash_Blake2b_Simd256_block_state_t_s
type Hacl_Hash_Blake2b_Simd256_state_t (line 125) | typedef struct Hacl_Hash_Blake2b_Simd256_state_t_s
FILE: dist/gcc-compatible/internal/Hacl_Hash_Blake2s.h
type K____uint32_t___uint32_t_ (line 65) | typedef struct K____uint32_t___uint32_t__s
type Hacl_Hash_Blake2s_block_state_t (line 72) | typedef struct Hacl_Hash_Blake2s_block_state_t_s
type Hacl_Hash_Blake2s_state_t (line 81) | typedef struct Hacl_Hash_Blake2s_state_t_s
FILE: dist/gcc-compatible/internal/Hacl_Hash_Blake2s_Simd128.h
type Hacl_Hash_Blake2s_Simd128_two_2s_128 (line 109) | typedef struct Hacl_Hash_Blake2s_Simd128_two_2s_128_s
type Hacl_Hash_Blake2s_Simd128_block_state_t (line 116) | typedef struct Hacl_Hash_Blake2s_Simd128_block_state_t_s
type Hacl_Hash_Blake2s_Simd128_state_t (line 125) | typedef struct Hacl_Hash_Blake2s_Simd128_state_t_s
FILE: dist/gcc-compatible/internal/Hacl_Hash_SHA3.h
type Hacl_Hash_SHA3_hash_buf (line 65) | typedef struct Hacl_Hash_SHA3_hash_buf_s
type Hacl_Hash_SHA3_state_t (line 72) | typedef struct Hacl_Hash_SHA3_state_t_s
FILE: dist/gcc-compatible/internal/Hacl_MAC_Poly1305.h
type Hacl_MAC_Poly1305_state_t (line 45) | typedef struct Hacl_MAC_Poly1305_state_t_s
type FStar_Pervasives_Native_option___uint8_t_ (line 54) | typedef struct FStar_Pervasives_Native_option___uint8_t__s
FILE: dist/gcc-compatible/internal/Hacl_MAC_Poly1305_Simd128.h
type Hacl_MAC_Poly1305_Simd128_state_t (line 59) | typedef struct Hacl_MAC_Poly1305_Simd128_state_t_s
FILE: dist/gcc-compatible/internal/Hacl_MAC_Poly1305_Simd256.h
type Hacl_MAC_Poly1305_Simd256_state_t (line 59) | typedef struct Hacl_MAC_Poly1305_Simd256_state_t_s
FILE: dist/gcc-compatible/internal/Hacl_SHA2_Types.h
type Hacl_Hash_SHA2_uint8_5p (line 40) | typedef struct Hacl_Hash_SHA2_uint8_5p_s
type Hacl_Hash_SHA2_uint8_6p (line 47) | typedef struct Hacl_Hash_SHA2_uint8_6p_s
type Hacl_Hash_SHA2_uint8_7p (line 54) | typedef struct Hacl_Hash_SHA2_uint8_7p_s
type Hacl_Hash_SHA2_uint8_8p (line 61) | typedef struct Hacl_Hash_SHA2_uint8_8p_s
type Hacl_Hash_SHA2_uint8_2x4p (line 68) | typedef struct Hacl_Hash_SHA2_uint8_2x4p_s
type Hacl_Hash_SHA2_uint8_2x8p (line 75) | typedef struct Hacl_Hash_SHA2_uint8_2x8p_s
FILE: dist/gcc-compatible/internal/Hacl_Spec.h
type Spec_Cipher_Expansion_impl (line 44) | typedef uint8_t Spec_Cipher_Expansion_impl;
type Spec_Frodo_Params_frodo_gen_a (line 49) | typedef uint8_t Spec_Frodo_Params_frodo_gen_a;
FILE: dist/gcc-compatible/internal/Hacl_Streaming_HMAC.h
type Hacl_Agile_Hash_state_s_tags (line 56) | typedef uint8_t Hacl_Agile_Hash_state_s_tags;
type Hacl_Agile_Hash_state_s (line 58) | typedef struct Hacl_Agile_Hash_state_s_s
type Hacl_Streaming_HMAC_agile_state (line 81) | typedef struct Hacl_Streaming_HMAC_agile_state_s
FILE: dist/gcc-compatible/internal/Hacl_Streaming_Types.h
type Hacl_Streaming_Types_optional (line 43) | typedef uint8_t Hacl_Streaming_Types_optional;
type Hacl_Streaming_Types_optional_32 (line 45) | typedef struct Hacl_Streaming_Types_optional_32_s
type Hacl_Streaming_Types_optional_64 (line 52) | typedef struct Hacl_Streaming_Types_optional_64_s
type Hacl_Streaming_Types_two_pointers (line 59) | typedef struct Hacl_Streaming_Types_two_pointers_s
type Hacl_Streaming_MD_state_32 (line 66) | typedef struct Hacl_Streaming_MD_state_32_s
type Hacl_Streaming_MD_state_64 (line 74) | typedef struct Hacl_Streaming_MD_state_64_s
FILE: dist/gcc-compatible/libintvector-shim.h
type Lib_IntVector_Intrinsics_vec128 (line 24) | typedef struct __vec128 Lib_IntVector_Intrinsics_vec128;
type Lib_IntVector_Intrinsics_vec256 (line 25) | typedef struct __vec256 Lib_IntVector_Intrinsics_vec256;
FILE: dist/gcc-compatible/libintvector.h
type __m128i (line 32) | typedef __m128i Lib_IntVector_Intrinsics_vec128;
type __m256i (line 232) | typedef __m256i Lib_IntVector_Intrinsics_vec256;
type uint32x4_t (line 459) | typedef uint32x4_t Lib_IntVector_Intrinsics_vec128;
function Lib_IntVector_Intrinsics_vec128 (line 628) | static inline Lib_IntVector_Intrinsics_vec128 Lib_IntVector_Intrinsics_v...
function Lib_IntVector_Intrinsics_vec128 (line 633) | static inline Lib_IntVector_Intrinsics_vec128 Lib_IntVector_Intrinsics_v...
type vector128_8 (line 664) | typedef unsigned char vector128_8 __attribute__ ((vector_size(16)));
type vector128_32 (line 665) | typedef unsigned int vector128_32 __attribute__ ((vector_size(16)));
type vector128_64 (line 666) | typedef unsigned long long vector128_64 __attribute__ ((vector_size(16)));
type vector128_8 (line 668) | typedef vector128_8 Lib_IntVector_Intrinsics_vec128;
type vector128_8 (line 669) | typedef vector128_8 vector128;
function Lib_IntVector_Intrinsics_vec128_store32_le (line 680) | static inline
function Lib_IntVector_Intrinsics_vec128_store32_be (line 685) | static inline
function Lib_IntVector_Intrinsics_vec128_store64_le (line 690) | static inline
function vector128 (line 789) | static inline
type vector128_8 (line 824) | typedef vector unsigned char vector128_8;
type vector128_32 (line 825) | typedef vector unsigned int vector128_32;
type vector128_64 (line 826) | typedef vector unsigned long long vector128_64;
type vector128_8 (line 828) | typedef vector128_8 Lib_IntVector_Intrinsics_vec128;
type vector128_8 (line 829) | typedef vector128_8 vector128;
FILE: dist/karamel/include/krml/fstar_int.h
function FStar_Int8_shift_arithmetic_right (line 25) | static inline
function FStar_Int16_shift_arithmetic_right (line 33) | static inline
function FStar_Int32_shift_arithmetic_right (line 41) | static inline
function FStar_Int64_shift_arithmetic_right (line 49) | static inline
function FStar_Int8_shift_arithmetic_right (line 59) | static inline
function FStar_Int16_shift_arithmetic_right (line 64) | static inline
function FStar_Int32_shift_arithmetic_right (line 69) | static inline
function FStar_Int64_shift_arithmetic_right (line 74) | static inline
FILE: dist/karamel/include/krml/internal/compat.h
type FStar_Bytes_bytes (line 12) | typedef struct {
type Prims_pos (line 17) | typedef int32_t Prims_pos, Prims_nat, Prims_nonzero, Prims_int,
FILE: dist/karamel/include/krml/internal/target.h
type float32_t (line 15) | typedef float float32_t;
type float64_t (line 16) | typedef double float64_t;
function krml_time (line 184) | inline static int32_t krml_time(void) {
FILE: dist/karamel/include/krml/internal/types.h
type FStar_UInt64_t (line 16) | typedef uint64_t FStar_UInt64_t, FStar_UInt64_t_;
type FStar_Int64_t (line 17) | typedef int64_t FStar_Int64_t, FStar_Int64_t_;
type FStar_UInt32_t (line 18) | typedef uint32_t FStar_UInt32_t, FStar_UInt32_t_;
type FStar_Int32_t (line 19) | typedef int32_t FStar_Int32_t, FStar_Int32_t_;
type FStar_UInt16_t (line 20) | typedef uint16_t FStar_UInt16_t, FStar_UInt16_t_;
type FStar_Int16_t (line 21) | typedef int16_t FStar_Int16_t, FStar_Int16_t_;
type FStar_UInt8_t (line 22) | typedef uint8_t FStar_UInt8_t, FStar_UInt8_t_;
type FStar_Int8_t (line 23) | typedef int8_t FStar_Int8_t, FStar_Int8_t_;
type FStar_UInt63_t (line 27) | typedef uint64_t FStar_UInt63_t, FStar_UInt63_t_;
type FStar_Int63_t (line 28) | typedef int64_t FStar_Int63_t, FStar_Int63_t_;
type FStar_Float_float (line 30) | typedef double FStar_Float_float;
type FStar_Char_char (line 31) | typedef uint32_t FStar_Char_char;
type FILE (line 32) | typedef FILE *FStar_IO_fd_read, *FStar_IO_fd_write;
type exit_code (line 38) | typedef int exit_code;
type FILE (line 39) | typedef FILE *channel;
type TestLib_cycles (line 41) | typedef unsigned long long TestLib_cycles;
type FStar_Date_dateTime (line 43) | typedef uint64_t FStar_Date_dateTime, FStar_Date_timeSpan;
type __m128i (line 74) | typedef __m128i FStar_UInt128_uint128;
type FStar_UInt128_uint128 (line 76) | typedef unsigned __int128 FStar_UInt128_uint128;
type FStar_UInt128_uint128 (line 78) | typedef struct FStar_UInt128_uint128_s {
type FStar_UInt128_uint128 (line 86) | typedef FStar_UInt128_uint128 FStar_UInt128_t, uint128_t;
FILE: dist/karamel/include/krml/lowstar_endianness.h
function load16 (line 160) | inline static uint16_t load16(uint8_t *b) {
function load32 (line 166) | inline static uint32_t load32(uint8_t *b) {
function load64 (line 172) | inline static uint64_t load64(uint8_t *b) {
function store16 (line 178) | inline static void store16(uint8_t *b, uint16_t i) {
function store32 (line 182) | inline static void store32(uint8_t *b, uint32_t i) {
function store64 (line 186) | inline static void store64(uint8_t *b, uint64_t i) {
FILE: dist/karamel/krmllib/dist/minimal/FStar_UInt128_Verified.h
function FStar_UInt128_constant_time_carry (line 16) | static inline uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uin...
function FStar_UInt128_carry (line 21) | static inline uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b)
function FStar_UInt128_uint128 (line 26) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 35) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 44) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 53) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 62) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 71) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 80) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 86) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 95) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 104) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 113) | static inline FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_u...
function FStar_UInt128_add_u64_shift_left (line 123) | static inline uint64_t FStar_UInt128_add_u64_shift_left(uint64_t hi, uin...
function FStar_UInt128_add_u64_shift_left_respec (line 128) | static inline uint64_t
function FStar_UInt128_uint128 (line 134) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 150) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 159) | static inline FStar_UInt128_uint128
function FStar_UInt128_add_u64_shift_right (line 172) | static inline uint64_t FStar_UInt128_add_u64_shift_right(uint64_t hi, ui...
function FStar_UInt128_add_u64_shift_right_respec (line 177) | static inline uint64_t
function FStar_UInt128_uint128 (line 183) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 199) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 208) | static inline FStar_UInt128_uint128
function FStar_UInt128_eq (line 221) | static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt1...
function FStar_UInt128_gt (line 226) | static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt1...
function FStar_UInt128_lt (line 231) | static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt1...
function FStar_UInt128_gte (line 236) | static inline bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt...
function FStar_UInt128_lte (line 241) | static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt...
function FStar_UInt128_uint128 (line 246) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 255) | static inline FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 268) | static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint...
function FStar_UInt128_uint128_to_uint64 (line 276) | static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uin...
function FStar_UInt128_u64_mod_32 (line 281) | static inline uint64_t FStar_UInt128_u64_mod_32(uint64_t a)
function FStar_UInt128_u32_combine (line 288) | static inline uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo)
function FStar_UInt128_uint128 (line 293) | static inline FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint...
function FStar_UInt128_u32_combine_ (line 307) | static inline uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo)
function FStar_UInt128_uint128 (line 312) | static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, u...
FILE: dist/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h
function KRML_NOINLINE (line 39) | static KRML_NOINLINE uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b)
function KRML_NOINLINE (line 48) | static KRML_NOINLINE uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b)
function KRML_NOINLINE (line 91) | static KRML_NOINLINE uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b)
function KRML_NOINLINE (line 100) | static KRML_NOINLINE uint32_t FStar_UInt32_gte_mask(uint32_t a, uint32_t b)
function KRML_NOINLINE (line 143) | static KRML_NOINLINE uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b)
function KRML_NOINLINE (line 152) | static KRML_NOINLINE uint16_t FStar_UInt16_gte_mask(uint16_t a, uint16_t b)
function KRML_NOINLINE (line 195) | static KRML_NOINLINE uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b)
function KRML_NOINLINE (line 204) | static KRML_NOINLINE uint8_t FStar_UInt8_gte_mask(uint8_t a, uint8_t b)
type FStar_UInt8_byte (line 225) | typedef uint8_t FStar_UInt8_byte;
FILE: dist/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h
function uint128_t (line 32) | inline static uint128_t load128_le(uint8_t *b) {
function store128_le (line 38) | inline static void store128_le(uint8_t *b, uint128_t n) {
function uint128_t (line 43) | inline static uint128_t load128_be(uint8_t *b) {
function store128_be (line 49) | inline static void store128_be(uint8_t *b, uint128_t n) {
function uint128_t (line 54) | inline static uint128_t FStar_UInt128_add(uint128_t x, uint128_t y) {
function uint128_t (line 58) | inline static uint128_t FStar_UInt128_mul(uint128_t x, uint128_t y) {
function uint128_t (line 62) | inline static uint128_t FStar_UInt128_add_mod(uint128_t x, uint128_t y) {
function uint128_t (line 66) | inline static uint128_t FStar_UInt128_sub(uint128_t x, uint128_t y) {
function uint128_t (line 70) | inline static uint128_t FStar_UInt128_sub_mod(uint128_t x, uint128_t y) {
function uint128_t (line 74) | inline static uint128_t FStar_UInt128_logand(uint128_t x, uint128_t y) {
function uint128_t (line 78) | inline static uint128_t FStar_UInt128_logor(uint128_t x, uint128_t y) {
function uint128_t (line 82) | inline static uint128_t FStar_UInt128_logxor(uint128_t x, uint128_t y) {
function uint128_t (line 86) | inline static uint128_t FStar_UInt128_lognot(uint128_t x) {
function uint128_t (line 90) | inline static uint128_t FStar_UInt128_shift_left(uint128_t x, uint32_t y) {
function uint128_t (line 94) | inline static uint128_t FStar_UInt128_shift_right(uint128_t x, uint32_t ...
function uint128_t (line 98) | inline static uint128_t FStar_UInt128_uint64_to_uint128(uint64_t x) {
function FStar_UInt128_uint128_to_uint64 (line 102) | inline static uint64_t FStar_UInt128_uint128_to_uint64(uint128_t x) {
function uint128_t (line 106) | inline static uint128_t FStar_UInt128_mul_wide(uint64_t x, uint64_t y) {
function uint128_t (line 110) | inline static uint128_t FStar_UInt128_eq_mask(uint128_t x, uint128_t y) {
function uint128_t (line 117) | inline static uint128_t FStar_UInt128_gte_mask(uint128_t x, uint128_t y) {
function FStar_UInt128___proj__Mkuint128__item__low (line 125) | inline static uint64_t FStar_UInt128___proj__Mkuint128__item__low(uint12...
function FStar_UInt128___proj__Mkuint128__item__high (line 129) | inline static uint64_t FStar_UInt128___proj__Mkuint128__item__high(uint1...
function uint128_t (line 133) | inline static uint128_t FStar_UInt128_add_underspec(uint128_t x, uint128...
function uint128_t (line 137) | inline static uint128_t FStar_UInt128_sub_underspec(uint128_t x, uint128...
function FStar_UInt128_eq (line 141) | inline static bool FStar_UInt128_eq(uint128_t x, uint128_t y) {
function FStar_UInt128_gt (line 145) | inline static bool FStar_UInt128_gt(uint128_t x, uint128_t y) {
function FStar_UInt128_lt (line 149) | inline static bool FStar_UInt128_lt(uint128_t x, uint128_t y) {
function FStar_UInt128_gte (line 153) | inline static bool FStar_UInt128_gte(uint128_t x, uint128_t y) {
function FStar_UInt128_lte (line 157) | inline static bool FStar_UInt128_lte(uint128_t x, uint128_t y) {
function uint128_t (line 161) | inline static uint128_t FStar_UInt128_mul32(uint64_t x, uint32_t y) {
FILE: dist/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h
function FStar_UInt128_uint128 (line 41) | inline static FStar_UInt128_uint128 load128_le(uint8_t *b) {
function store128_le (line 52) | inline static void store128_le(uint8_t *b, FStar_UInt128_uint128 n) {
function FStar_UInt128_uint128 (line 57) | inline static FStar_UInt128_uint128 load128_be(uint8_t *b) {
function store128_be (line 70) | inline static void store128_be(uint8_t *b, uint128_t n) {
function FStar_UInt128_constant_time_carry (line 75) | inline static uint64_t FStar_UInt128_constant_time_carry(uint64_t a, uin...
function FStar_UInt128_carry (line 79) | inline static uint64_t FStar_UInt128_carry(uint64_t a, uint64_t b) {
function FStar_UInt128_uint128 (line 83) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 100) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 112) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 124) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 140) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 152) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 160) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 169) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 181) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 193) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 205) | inline static FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_u...
function FStar_UInt128_add_u64_shift_left (line 218) | inline static uint64_t
function FStar_UInt128_add_u64_shift_left_respec (line 223) | inline static uint64_t
function FStar_UInt128_uint128 (line 228) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 240) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 248) | inline static FStar_UInt128_uint128
function FStar_UInt128_add_u64_shift_right (line 268) | inline static uint64_t
function FStar_UInt128_add_u64_shift_right_respec (line 273) | inline static uint64_t
function FStar_UInt128_uint128 (line 278) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 290) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 298) | inline static FStar_UInt128_uint128
function FStar_UInt128_eq (line 318) | inline static bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt1...
function FStar_UInt128_gt (line 322) | inline static bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt1...
function FStar_UInt128_lt (line 326) | inline static bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt1...
function FStar_UInt128_gte (line 330) | inline static bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt...
function FStar_UInt128_lte (line 334) | inline static bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt...
function FStar_UInt128_uint128 (line 338) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 360) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 405) | inline static FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint...
function FStar_UInt128_uint128_to_uint64 (line 416) | inline static uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uin...
function FStar_UInt128_u64_mod_32 (line 420) | inline static uint64_t FStar_UInt128_u64_mod_32(uint64_t a) {
function FStar_UInt128_u32_combine (line 426) | inline static uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t l...
function FStar_UInt128_uint128 (line 430) | inline static FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint...
type K_quad (line 454) | typedef struct K_quad_s {
function K_quad (line 461) | inline static K_quad
function FStar_UInt128_u32_combine_ (line 474) | static uint64_t FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo) {
function FStar_UInt128_uint128 (line 478) | inline static FStar_UInt128_uint128
function FStar_UInt128_uint128 (line 496) | inline static
FILE: dist/karamel/krmllib/dist/minimal/fstar_uint128_struct_endianness.h
function load128_le_ (line 16) | inline static void load128_le_(uint8_t *b, uint128_t *r) {
function store128_le_ (line 21) | inline static void store128_le_(uint8_t *b, uint128_t *n) {
function load128_be_ (line 26) | inline static void load128_be_(uint8_t *b, uint128_t *r) {
function store128_be_ (line 31) | inline static void store128_be_(uint8_t *b, uint128_t *n) {
function uint128_t (line 38) | inline static uint128_t load128_le(uint8_t *b) {
function store128_le (line 44) | inline static void store128_le(uint8_t *b, uint128_t n) {
function uint128_t (line 48) | inline static uint128_t load128_be(uint8_t *b) {
function store128_be (line 54) | inline static void store128_be(uint8_t *b, uint128_t n) {
FILE: dist/mozilla/Hacl_AEAD_Chacha20Poly1305.c
function poly1305_padded_32 (line 32) | static inline void poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8...
function poly1305_do_32 (line 410) | static inline void
function Hacl_AEAD_Chacha20Poly1305_encrypt (line 569) | void
function Hacl_AEAD_Chacha20Poly1305_decrypt (line 608) | uint32_t
FILE: dist/mozilla/Hacl_AEAD_Chacha20Poly1305_Simd256.c
function poly1305_padded_256 (line 33) | static inline void
function poly1305_do_256 (line 853) | static inline void
function Hacl_AEAD_Chacha20Poly1305_Simd256_encrypt (line 1086) | void
function Hacl_AEAD_Chacha20Poly1305_Simd256_decrypt (line 1125) | uint32_t
FILE: dist/mozilla/Hacl_Bignum.c
function Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint32 (line 32) | void
function Hacl_Bignum_Karatsuba_bn_karatsuba_mul_uint64 (line 153) | void
function Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint32 (line 274) | void
function Hacl_Bignum_Karatsuba_bn_karatsuba_sqr_uint64 (line 370) | void
function Hacl_Bignum_bn_add_mod_n_u32 (line 466) | void
function Hacl_Bignum_bn_add_mod_n_u64 (line 543) | void
function Hacl_Bignum_bn_sub_mod_n_u32 (line 620) | void
function Hacl_Bignum_bn_sub_mod_n_u64 (line 698) | void
function Hacl_Bignum_ModInvLimb_mod_inv_uint32 (line 776) | uint32_t Hacl_Bignum_ModInvLimb_mod_inv_uint32(uint32_t n0)
function Hacl_Bignum_ModInvLimb_mod_inv_uint64 (line 797) | uint64_t Hacl_Bignum_ModInvLimb_mod_inv_uint64(uint64_t n0)
function Hacl_Bignum_Montgomery_bn_check_modulus_u32 (line 818) | uint32_t Hacl_Bignum_Montgomery_bn_check_modulus_u32(uint32_t len, uint3...
function Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u32 (line 838) | void
function bn_mont_reduction_u32 (line 856) | static void
function Hacl_Bignum_Montgomery_bn_to_mont_u32 (line 934) | void
function Hacl_Bignum_Montgomery_bn_from_mont_u32 (line 954) | void
function Hacl_Bignum_Montgomery_bn_mont_mul_u32 (line 970) | void
function Hacl_Bignum_Montgomery_bn_mont_sqr_u32 (line 990) | void
function Hacl_Bignum_Montgomery_bn_check_modulus_u64 (line 1009) | uint64_t Hacl_Bignum_Montgomery_bn_check_modulus_u64(uint32_t len, uint6...
function Hacl_Bignum_Montgomery_bn_precomp_r2_mod_n_u64 (line 1029) | void
function bn_mont_reduction_u64 (line 1047) | static void
function Hacl_Bignum_Montgomery_bn_to_mont_u64 (line 1125) | void
function Hacl_Bignum_Montgomery_bn_from_mont_u64 (line 1145) | void
function Hacl_Bignum_Montgomery_bn_mont_mul_u64 (line 1161) | void
function Hacl_Bignum_Montgomery_bn_mont_sqr_u64 (line 1181) | void
function Hacl_Bignum_AlmostMontgomery_bn_almost_mont_reduction_u32 (line 1200) | void
function bn_almost_mont_mul_u32 (line 1258) | static void
function bn_almost_mont_sqr_u32 (line 1278) | static void
function Hacl_Bignum_AlmostMontgomery_bn_almost_mont_reduction_u64 (line 1297) | void
function bn_almost_mont_mul_u64 (line 1355) | static void
function bn_almost_mont_sqr_u64 (line 1375) | static void
function Hacl_Bignum_Exponentiation_bn_check_mod_exp_u32 (line 1394) | uint32_t
function Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u32 (line 1463) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u32 (line 1590) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u32 (line 1750) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u32 (line 1769) | void
function Hacl_Bignum_Exponentiation_bn_check_mod_exp_u64 (line 1788) | uint64_t
function Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_precomp_u64 (line 1857) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_precomp_u64 (line 1984) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_vartime_u64 (line 2144) | void
function Hacl_Bignum_Exponentiation_bn_mod_exp_consttime_u64 (line 2163) | void
FILE: dist/mozilla/Hacl_Bignum.h
type Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32 (line 40) | typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u32_s
type Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 (line 49) | typedef struct Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64_s
FILE: dist/mozilla/Hacl_Chacha20.c
function quarter_round (line 33) | static inline void quarter_round(uint32_t *st, uint32_t a, uint32_t b, u...
function double_round (line 69) | static inline void double_round(uint32_t *st)
function rounds (line 81) | static inline void rounds(uint32_t *st)
function chacha20_core (line 95) | static inline void chacha20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr)
function Hacl_Impl_Chacha20_chacha20_init (line 115) | void Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t...
function chacha20_encrypt_block (line 147) | static void chacha20_encrypt_block(uint32_t *ctx, uint8_t *out, uint32_t...
function chacha20_encrypt_last (line 172) | static inline void
function Hacl_Impl_Chacha20_chacha20_update (line 181) | void
function Hacl_Chacha20_chacha20_encrypt (line 197) | void
function Hacl_Chacha20_chacha20_decrypt (line 212) | void
FILE: dist/mozilla/Hacl_Chacha20_Vec128.c
function double_round_128 (line 31) | static inline void double_round_128(Lib_IntVector_Intrinsics_vec128 *st)
function chacha20_core_128 (line 131) | static inline void
function chacha20_init_128 (line 162) | static inline void
function Hacl_Chacha20_Vec128_chacha20_encrypt_128 (line 207) | void
function Hacl_Chacha20_Vec128_chacha20_decrypt_128 (line 512) | void
FILE: dist/mozilla/Hacl_Chacha20_Vec256.c
function double_round_256 (line 31) | static inline void double_round_256(Lib_IntVector_Intrinsics_vec256 *st)
function chacha20_core_256 (line 131) | static inline void
function chacha20_init_256 (line 162) | static inline void
function Hacl_Chacha20_Vec256_chacha20_encrypt_256 (line 208) | void
function Hacl_Chacha20_Vec256_chacha20_decrypt_256 (line 705) | void
FILE: dist/mozilla/Hacl_Curve25519_51.c
function point_add_and_double (line 34) | static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, FStar_...
function point_double (line 78) | static void point_double(uint64_t *nq, uint64_t *tmp1, FStar_UInt128_uin...
function montgomery_ladder (line 102) | static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init)
function Hacl_Curve25519_51_fsquare_times (line 155) | void
function Hacl_Curve25519_51_finv (line 170) | void Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uin...
function encode_point (line 211) | static void encode_point(uint8_t *o, uint64_t *i)
function Hacl_Curve25519_51_scalarmult (line 233) | void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t ...
function Hacl_Curve25519_51_secret_to_public (line 281) | void Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv)
function Hacl_Curve25519_51_ecdh (line 300) | bool Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub)
FILE: dist/mozilla/Hacl_Curve25519_64.c
function add_scalar0 (line 34) | static inline void add_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2)
function fadd0 (line 43) | static inline void fadd0(uint64_t *out, uint64_t *f1, uint64_t *f2)
function fsub0 (line 52) | static inline void fsub0(uint64_t *out, uint64_t *f1, uint64_t *f2)
function fmul0 (line 61) | static inline void fmul0(uint64_t *out, uint64_t *f1, uint64_t *f2, uint...
function fmul20 (line 70) | static inline void fmul20(uint64_t *out, uint64_t *f1, uint64_t *f2, uin...
function fmul_scalar0 (line 79) | static inline void fmul_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2)
function fsqr0 (line 88) | static inline void fsqr0(uint64_t *out, uint64_t *f1, uint64_t *tmp)
function fsqr20 (line 97) | static inline void fsqr20(uint64_t *out, uint64_t *f, uint64_t *tmp)
function cswap20 (line 106) | static inline void cswap20(uint64_t bit, uint64_t *p1, uint64_t *p2)
function point_add_and_double (line 117) | static void point_add_and_double(uint64_t *q, uint64_t *p01_tmp1, uint64...
function point_double (line 160) | static void point_double(uint64_t *nq, uint64_t *tmp1, uint64_t *tmp2)
function montgomery_ladder (line 183) | static void montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init)
function fsquare_times (line 232) | static void fsquare_times(uint64_t *o, uint64_t *inp, uint64_t *tmp, uin...
function finv (line 241) | static void finv(uint64_t *o, uint64_t *i, uint64_t *tmp)
function store_felem (line 282) | static void store_felem(uint64_t *b, uint64_t *f)
function encode_point (line 315) | static void encode_point(uint8_t *o, uint64_t *i)
function Hacl_Curve25519_64_scalarmult (line 335) | void Hacl_Curve25519_64_scalarmult(uint8_t *out, uint8_t *priv, uint8_t ...
function Hacl_Curve25519_64_secret_to_public (line 373) | void Hacl_Curve25519_64_secret_to_public(uint8_t *pub, uint8_t *priv)
function Hacl_Curve25519_64_ecdh (line 392) | bool Hacl_Curve25519_64_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub)
FILE: dist/mozilla/Hacl_Hash_SHA1.c
function Hacl_Hash_SHA1_init (line 33) | void Hacl_Hash_SHA1_init(uint32_t *s)
function update (line 38) | static void update(uint32_t *h, uint8_t *l)
function pad (line 126) | static void pad(uint64_t len, uint8_t *dst)
function Hacl_Hash_SHA1_finish (line 139) | void Hacl_Hash_SHA1_finish(uint32_t *s, uint8_t *dst)
function Hacl_Hash_SHA1_update_multi (line 144) | void Hacl_Hash_SHA1_update_multi(uint32_t *s, uint8_t *blocks, uint32_t ...
function Hacl_Hash_SHA1_update_last (line 154) | void
function Hacl_Hash_SHA1_hash_oneshot (line 175) | void Hacl_Hash_SHA1_hash_oneshot(uint8_t *output, uint8_t *input, uint32...
function Hacl_Streaming_MD_state_32 (line 202) | Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA1_malloc(void)
function Hacl_Hash_SHA1_reset (line 268) | void Hacl_Hash_SHA1_reset(Hacl_Streaming_MD_state_32 *state)
function Hacl_Streaming_Types_error_code (line 282) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA1_digest (line 448) | void Hacl_Hash_SHA1_digest(Hacl_Streaming_MD_state_32 *state, uint8_t *o...
function Hacl_Hash_SHA1_free (line 483) | void Hacl_Hash_SHA1_free(Hacl_Streaming_MD_state_32 *state)
function Hacl_Streaming_MD_state_32 (line 493) | Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA1_copy(Hacl_Streaming_MD_state_...
function Hacl_Hash_SHA1_hash (line 563) | void Hacl_Hash_SHA1_hash(uint8_t *output, uint8_t *input, uint32_t input...
FILE: dist/mozilla/Hacl_Hash_SHA1.h
type Hacl_Streaming_MD_state_32 (line 40) | typedef Hacl_Streaming_MD_state_32 Hacl_Hash_SHA1_state_t;
FILE: dist/mozilla/Hacl_Hash_SHA2.c
function Hacl_Hash_SHA2_sha256_init (line 33) | void Hacl_Hash_SHA2_sha256_init(uint32_t *hash)
function sha256_update (line 44) | static inline void sha256_update(uint8_t *b, uint32_t *hash)
function Hacl_Hash_SHA2_sha256_update_nblocks (line 150) | void Hacl_Hash_SHA2_sha256_update_nblocks(uint32_t len, uint8_t *b, uint...
function Hacl_Hash_SHA2_sha256_update_last (line 161) | void
function Hacl_Hash_SHA2_sha256_finish (line 198) | void Hacl_Hash_SHA2_sha256_finish(uint32_t *st, uint8_t *h)
function Hacl_Hash_SHA2_sha224_init (line 205) | void Hacl_Hash_SHA2_sha224_init(uint32_t *hash)
function Hacl_Hash_SHA2_sha224_update_nblocks (line 216) | void Hacl_Hash_SHA2_sha224_update_nblocks(uint32_t len, uint8_t *b, uint...
function Hacl_Hash_SHA2_sha224_update_last (line 221) | void Hacl_Hash_SHA2_sha224_update_last(uint64_t totlen, uint32_t len, ui...
function Hacl_Hash_SHA2_sha224_finish (line 226) | void Hacl_Hash_SHA2_sha224_finish(uint32_t *st, uint8_t *h)
function Hacl_Hash_SHA2_sha512_init (line 233) | void Hacl_Hash_SHA2_sha512_init(uint64_t *hash)
function sha512_update (line 244) | static inline void sha512_update(uint8_t *b, uint64_t *hash)
function Hacl_Hash_SHA2_sha512_update_nblocks (line 350) | void Hacl_Hash_SHA2_sha512_update_nblocks(uint32_t len, uint8_t *b, uint...
function Hacl_Hash_SHA2_sha512_update_last (line 361) | void
function Hacl_Hash_SHA2_sha512_finish (line 403) | void Hacl_Hash_SHA2_sha512_finish(uint64_t *st, uint8_t *h)
function Hacl_Hash_SHA2_sha384_init (line 410) | void Hacl_Hash_SHA2_sha384_init(uint64_t *hash)
function Hacl_Hash_SHA2_sha384_update_nblocks (line 421) | void Hacl_Hash_SHA2_sha384_update_nblocks(uint32_t len, uint8_t *b, uint...
function Hacl_Hash_SHA2_sha384_update_last (line 426) | void
function Hacl_Hash_SHA2_sha384_finish (line 437) | void Hacl_Hash_SHA2_sha384_finish(uint64_t *st, uint8_t *h)
function Hacl_Streaming_MD_state_32 (line 448) | Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_256(void)
function Hacl_Streaming_MD_state_32 (line 520) | Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_copy_256(Hacl_Streaming_MD_st...
function Hacl_Hash_SHA2_reset_256 (line 593) | void Hacl_Hash_SHA2_reset_256(Hacl_Streaming_MD_state_32 *state)
function Hacl_Streaming_Types_error_code (line 604) | static inline Hacl_Streaming_Types_error_code
function Hacl_Streaming_Types_error_code (line 777) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA2_digest_256 (line 793) | void Hacl_Hash_SHA2_digest_256(Hacl_Streaming_MD_state_32 *state, uint8_...
function Hacl_Hash_SHA2_free_256 (line 833) | void Hacl_Hash_SHA2_free_256(Hacl_Streaming_MD_state_32 *state)
function Hacl_Hash_SHA2_hash_256 (line 846) | void Hacl_Hash_SHA2_hash_256(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Streaming_MD_state_32 (line 862) | Hacl_Streaming_MD_state_32 *Hacl_Hash_SHA2_malloc_224(void)
function Hacl_Hash_SHA2_reset_224 (line 928) | void Hacl_Hash_SHA2_reset_224(Hacl_Streaming_MD_state_32 *state)
function Hacl_Streaming_Types_error_code (line 939) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA2_digest_224 (line 954) | void Hacl_Hash_SHA2_digest_224(Hacl_Streaming_MD_state_32 *state, uint8_...
function Hacl_Hash_SHA2_free_224 (line 989) | void Hacl_Hash_SHA2_free_224(Hacl_Streaming_MD_state_32 *state)
function Hacl_Hash_SHA2_hash_224 (line 997) | void Hacl_Hash_SHA2_hash_224(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Streaming_MD_state_64 (line 1013) | Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_512(void)
function Hacl_Streaming_MD_state_64 (line 1085) | Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_copy_512(Hacl_Streaming_MD_st...
function Hacl_Hash_SHA2_reset_512 (line 1155) | void Hacl_Hash_SHA2_reset_512(Hacl_Streaming_MD_state_64 *state)
function Hacl_Streaming_Types_error_code (line 1166) | static inline Hacl_Streaming_Types_error_code
function Hacl_Streaming_Types_error_code (line 1339) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA2_digest_512 (line 1355) | void Hacl_Hash_SHA2_digest_512(Hacl_Streaming_MD_state_64 *state, uint8_...
function Hacl_Hash_SHA2_free_512 (line 1399) | void Hacl_Hash_SHA2_free_512(Hacl_Streaming_MD_state_64 *state)
function Hacl_Hash_SHA2_hash_512 (line 1412) | void Hacl_Hash_SHA2_hash_512(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Streaming_MD_state_64 (line 1428) | Hacl_Streaming_MD_state_64 *Hacl_Hash_SHA2_malloc_384(void)
function Hacl_Hash_SHA2_reset_384 (line 1494) | void Hacl_Hash_SHA2_reset_384(Hacl_Streaming_MD_state_64 *state)
function Hacl_Streaming_Types_error_code (line 1505) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA2_digest_384 (line 1520) | void Hacl_Hash_SHA2_digest_384(Hacl_Streaming_MD_state_64 *state, uint8_...
function Hacl_Hash_SHA2_free_384 (line 1559) | void Hacl_Hash_SHA2_free_384(Hacl_Streaming_MD_state_64 *state)
function Hacl_Hash_SHA2_hash_384 (line 1567) | void Hacl_Hash_SHA2_hash_384(uint8_t *output, uint8_t *input, uint32_t i...
FILE: dist/mozilla/Hacl_Hash_SHA2.h
type Hacl_Streaming_MD_state_32 (line 40) | typedef Hacl_Streaming_MD_state_32 Hacl_Hash_SHA2_state_t_224;
type Hacl_Streaming_MD_state_32 (line 42) | typedef Hacl_Streaming_MD_state_32 Hacl_Hash_SHA2_state_t_256;
type Hacl_Streaming_MD_state_64 (line 44) | typedef Hacl_Streaming_MD_state_64 Hacl_Hash_SHA2_state_t_384;
type Hacl_Streaming_MD_state_64 (line 46) | typedef Hacl_Streaming_MD_state_64 Hacl_Hash_SHA2_state_t_512;
FILE: dist/mozilla/Hacl_Hash_SHA3.c
function absorb_inner_32 (line 59) | static void absorb_inner_32(uint8_t *b, uint64_t *s)
function block_len (line 176) | static uint32_t block_len(Spec_Hash_Definitions_hash_alg a)
function hash_len (line 212) | static uint32_t hash_len(Spec_Hash_Definitions_hash_alg a)
function Hacl_Hash_SHA3_init_ (line 240) | void Hacl_Hash_SHA3_init_(Spec_Hash_Definitions_hash_alg a, uint64_t *s)
function Hacl_Hash_SHA3_update_multi_sha3 (line 246) | void
function Hacl_Hash_SHA3_update_last_sha3 (line 269) | void
function squeeze (line 557) | static void squeeze(uint64_t *s, uint32_t rateInBytes, uint32_t outputBy...
type hash_buf2 (line 625) | typedef struct hash_buf2_s
function Spec_Hash_Definitions_hash_alg (line 632) | Spec_Hash_Definitions_hash_alg Hacl_Hash_SHA3_get_alg(Hacl_Hash_SHA3_sta...
type option___Spec_Hash_Definitions_hash_alg____uint64_t__ (line 638) | typedef struct option___Spec_Hash_Definitions_hash_alg____uint64_t___s
function Hacl_Hash_SHA3_state_t (line 645) | Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_malloc(Spec_Hash_Definitions_hash...
function Hacl_Hash_SHA3_free (line 722) | void Hacl_Hash_SHA3_free(Hacl_Hash_SHA3_state_t *state)
function Hacl_Hash_SHA3_state_t (line 733) | Hacl_Hash_SHA3_state_t *Hacl_Hash_SHA3_copy(Hacl_Hash_SHA3_state_t *state)
function Hacl_Hash_SHA3_reset (line 816) | void Hacl_Hash_SHA3_reset(Hacl_Hash_SHA3_state_t *state)
function Hacl_Streaming_Types_error_code (line 831) | Hacl_Streaming_Types_error_code
function digest_ (line 1004) | static void
function Hacl_Streaming_Types_error_code (line 1077) | Hacl_Streaming_Types_error_code
function Hacl_Streaming_Types_error_code (line 1089) | Hacl_Streaming_Types_error_code
function Hacl_Hash_SHA3_block_len (line 1105) | uint32_t Hacl_Hash_SHA3_block_len(Hacl_Hash_SHA3_state_t *s)
function Hacl_Hash_SHA3_hash_len (line 1111) | uint32_t Hacl_Hash_SHA3_hash_len(Hacl_Hash_SHA3_state_t *s)
function Hacl_Hash_SHA3_is_shake (line 1117) | bool Hacl_Hash_SHA3_is_shake(Hacl_Hash_SHA3_state_t *s)
function Hacl_Hash_SHA3_absorb_inner_32 (line 1123) | void Hacl_Hash_SHA3_absorb_inner_32(uint32_t rateInBytes, uint8_t *b, ui...
function Hacl_Hash_SHA3_shake128 (line 1241) | void
function Hacl_Hash_SHA3_shake256 (line 1411) | void
function Hacl_Hash_SHA3_sha3_224 (line 1581) | void Hacl_Hash_SHA3_sha3_224(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Hash_SHA3_sha3_256 (line 1745) | void Hacl_Hash_SHA3_sha3_256(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Hash_SHA3_sha3_384 (line 1909) | void Hacl_Hash_SHA3_sha3_384(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Hash_SHA3_sha3_512 (line 2073) | void Hacl_Hash_SHA3_sha3_512(uint8_t *output, uint8_t *input, uint32_t i...
function Hacl_Hash_SHA3_state_free (line 2249) | void Hacl_Hash_SHA3_state_free(uint64_t *s)
function Hacl_Hash_SHA3_shake128_absorb_nblocks (line 2265) | void
function Hacl_Hash_SHA3_shake128_absorb_final (line 2294) | void
function Hacl_Hash_SHA3_shake128_squeeze_nblocks (line 2393) | void
FILE: dist/mozilla/Hacl_Hash_SHA3.h
type Hacl_Hash_SHA3_state_t (line 40) | typedef struct Hacl_Hash_SHA3_state_t_s Hacl_Hash_SHA3_state_t;
FILE: dist/mozilla/Hacl_IntTypes_Intrinsics.h
function Hacl_IntTypes_Intrinsics_add_carry_u32 (line 40) | static inline uint32_t
function Hacl_IntTypes_Intrinsics_sub_borrow_u32 (line 49) | static inline uint32_t
function Hacl_IntTypes_Intrinsics_add_carry_u64 (line 58) | static inline uint64_t
function Hacl_IntTypes_Intrinsics_sub_borrow_u64 (line 67) | static inline uint64_t
FILE: dist/mozilla/Hacl_IntTypes_Intrinsics_128.h
function Hacl_IntTypes_Intrinsics_128_add_carry_u64 (line 40) | static inline uint64_t
function Hacl_IntTypes_Intrinsics_128_sub_borrow_u64 (line 53) | static inline uint64_t
FILE: dist/mozilla/Hacl_MAC_Poly1305.c
function Hacl_MAC_Poly1305_poly1305_init (line 32) | void Hacl_MAC_Poly1305_poly1305_init(uint64_t *ctx, uint8_t *key)
function poly1305_update (line 93) | static void poly1305_update(uint64_t *ctx, uint32_t len, uint8_t *text)
function Hacl_MAC_Poly1305_poly1305_finish (line 344) | void Hacl_MAC_Poly1305_poly1305_finish(uint8_t *tag, uint8_t *key, uint6...
function Hacl_MAC_Poly1305_state_t (line 447) | Hacl_MAC_Poly1305_state_t *Hacl_MAC_Poly1305_malloc(uint8_t *key)
function Hacl_MAC_Poly1305_reset (line 541) | void Hacl_MAC_Poly1305_reset(Hacl_MAC_Poly1305_state_t *state, uint8_t *...
function Hacl_Streaming_Types_error_code (line 558) | Hacl_Streaming_Types_error_code
function Hacl_MAC_Poly1305_digest (line 732) | void Hacl_MAC_Poly1305_digest(Hacl_MAC_Poly1305_state_t *state, uint8_t ...
function Hacl_MAC_Poly1305_free (line 770) | void Hacl_MAC_Poly1305_free(Hacl_MAC_Poly1305_state_t *state)
function Hacl_MAC_Poly1305_mac (line 782) | void Hacl_MAC_Poly1305_mac(uint8_t *output, uint8_t *input, uint32_t inp...
FILE: dist/mozilla/Hacl_MAC_Poly1305.h
type Hacl_MAC_Poly1305_state_t (line 40) | typedef struct Hacl_MAC_Poly1305_state_t_s Hacl_MAC_Poly1305_state_t;
FILE: dist/mozilla/Hacl_MAC_Poly1305_Simd128.c
function Hacl_MAC_Poly1305_Simd128_load_acc2 (line 32) | void Hacl_MAC_Poly1305_Simd128_load_acc2(Lib_IntVector_Intrinsics_vec128...
function Hacl_MAC_Poly1305_Simd128_fmul_r2_normalize (line 104) | void
function Hacl_MAC_Poly1305_Simd128_poly1305_init (line 326) | void
function poly1305_update (line 533) | static void poly1305_update(Lib_IntVector_Intrinsics_vec128 *ctx, uint32...
function Hacl_MAC_Poly1305_Simd128_poly1305_finish (line 1150) | void
type option___Lib_IntVector_Intrinsics_vec128_ (line 1308) | typedef struct option___Lib_IntVector_Intrinsics_vec128__s
function Hacl_MAC_Poly1305_Simd128_state_t (line 1315) | Hacl_MAC_Poly1305_Simd128_state_t *Hacl_MAC_Poly1305_Simd128_malloc(uint...
function Hacl_MAC_Poly1305_Simd128_reset (line 1420) | void Hacl_MAC_Poly1305_Simd128_reset(Hacl_MAC_Poly1305_Simd128_state_t *...
function Hacl_Streaming_Types_error_code (line 1437) | Hacl_Streaming_Types_error_code
function Hacl_MAC_Poly1305_Simd128_digest (line 1615) | void
function Hacl_MAC_Poly1305_Simd128_free (line 1672) | void Hacl_MAC_Poly1305_Simd128_free(Hacl_MAC_Poly1305_Simd128_state_t *s...
function Hacl_MAC_Poly1305_Simd128_mac (line 1684) | void
FILE: dist/mozilla/Hacl_MAC_Poly1305_Simd128.h
type Hacl_MAC_Poly1305_Simd128_state_t (line 40) | typedef struct Hacl_MAC_Poly1305_Simd128_state_t_s Hacl_MAC_Poly1305_Sim...
FILE: dist/mozilla/Hacl_MAC_Poly1305_Simd256.c
function Hacl_MAC_Poly1305_Simd256_load_acc4 (line 32) | void Hacl_MAC_Poly1305_Simd256_load_acc4(Lib_IntVector_Intrinsics_vec256...
function Hacl_MAC_Poly1305_Simd256_fmul_r4_normalize (line 125) | void
function Hacl_MAC_Poly1305_Simd256_poly1305_init (line 624) | void
function poly1305_update (line 983) | static void poly1305_update(Lib_IntVector_Intrinsics_vec256 *ctx, uint32...
function Hacl_MAC_Poly1305_Simd256_poly1305_finish (line 1601) | void
type option___Lib_IntVector_Intrinsics_vec256_ (line 1759) | typedef struct option___Lib_IntVector_Intrinsics_vec256__s
function Hacl_MAC_Poly1305_Simd256_state_t (line 1766) | Hacl_MAC_Poly1305_Simd256_state_t *Hacl_MAC_Poly1305_Simd256_malloc(uint...
function Hacl_MAC_Poly1305_Simd256_reset (line 1871) | void Hacl_MAC_Poly1305_Simd256_reset(Hacl_MAC_Poly1305_Simd256_state_t *...
function Hacl_Streaming_Types_error_code (line 1888) | Hacl_Streaming_Types_error_code
function Hacl_MAC_Poly1305_Simd256_digest (line 2066) | void
function Hacl_MAC_Poly1305_Simd256_free (line 2123) | void Hacl_MAC_Poly1305_Simd256_free(Hacl_MAC_Poly1305_Simd256_state_t *s...
function Hacl_MAC_Poly1305_Simd256_mac (line 2135) | void
FILE: dist/mozilla/Hacl_MAC_Poly1305_Simd256.h
type Hacl_MAC_Poly1305_Simd256_state_t (line 40) | typedef struct Hacl_MAC_Poly1305_Simd256_state_t_s Hacl_MAC_Poly1305_Sim...
FILE: dist/mozilla/Hacl_P256.c
function bn_is_zero_mask4 (line 35) | static inline uint64_t bn_is_zero_mask4(uint64_t *f)
function bn_is_zero_vartime4 (line 50) | static inline bool bn_is_zero_vartime4(uint64_t *f)
function bn_is_eq_mask4 (line 56) | static inline uint64_t bn_is_eq_mask4(uint64_t *a, uint64_t *b)
function bn_is_eq_vartime4 (line 69) | static inline bool bn_is_eq_vartime4(uint64_t *a, uint64_t *b)
function bn_cmovznz4 (line 75) | static inline void bn_cmovznz4(uint64_t *res, uint64_t cin, uint64_t *x,...
function bn_add_mod4 (line 88) | static inline void bn_add_mod4(uint64_t *res, uint64_t *n, uint64_t *x, ...
function bn_sub4 (line 141) | static inline uint64_t bn_sub4(uint64_t *res, uint64_t *x, uint64_t *y)
function bn_sub_mod4 (line 166) | static inline void bn_sub_mod4(uint64_t *res, uint64_t *n, uint64_t *x, ...
function bn_mul4 (line 220) | static inline void bn_mul4(uint64_t *res, uint64_t *x, uint64_t *y)
function bn_sqr4 (line 248) | static inline void bn_sqr4(uint64_t *res, uint64_t *x)
function bn_to_bytes_be4 (line 298) | static inline void bn_to_bytes_be4(uint8_t *res, uint64_t *f)
function bn_from_bytes_be4 (line 305) | static inline void bn_from_bytes_be4(uint64_t *res, uint8_t *b)
function bn2_to_bytes_be4 (line 317) | static inline void bn2_to_bytes_be4(uint8_t *res, uint64_t *x, uint64_t *y)
function make_prime (line 323) | static inline void make_prime(uint64_t *n)
function make_order (line 331) | static inline void make_order(uint64_t *n)
function make_a_coeff (line 339) | static inline void make_a_coeff(uint64_t *a)
function make_b_coeff (line 347) | static inline void make_b_coeff(uint64_t *b)
function make_g_x (line 355) | static inline void make_g_x(uint64_t *n)
function make_g_y (line 363) | static inline void make_g_y(uint64_t *n)
function make_fmont_R2 (line 371) | static inline void make_fmont_R2(uint64_t *n)
function make_fzero (line 379) | static inline void make_fzero(uint64_t *n)
function make_fone (line 387) | static inline void make_fone(uint64_t *n)
function bn_is_lt_prime_mask4 (line 395) | static inline uint64_t bn_is_lt_prime_mask4(uint64_t *f)
function feq_mask (line 403) | static inline uint64_t feq_mask(uint64_t *a, uint64_t *b)
function fadd0 (line 409) | static inline void fadd0(uint64_t *res, uint64_t *x, uint64_t *y)
function fsub0 (line 416) | static inline void fsub0(uint64_t *res, uint64_t *x, uint64_t *y)
function fnegate_conditional_vartime (line 423) | static inline void fnegate_conditional_vartime(uint64_t *f, bool is_negate)
function mont_reduction (line 432) | static inline void mont_reduction(uint64_t *res, uint64_t *x)
function fmul0 (line 496) | static inline void fmul0(uint64_t *res, uint64_t *x, uint64_t *y)
function fsqr0 (line 503) | static inline void fsqr0(uint64_t *res, uint64_t *x)
function from_mont (line 510) | static inline void from_mont(uint64_t *res, uint64_t *a)
function to_mont (line 517) | static inline void to_mont(uint64_t *res, uint64_t *a)
function fmul_by_b_coeff (line 524) | static inline void fmul_by_b_coeff(uint64_t *res, uint64_t *x)
function fcube (line 531) | static inline void fcube(uint64_t *res, uint64_t *x)
function finv (line 537) | static inline void finv(uint64_t *res, uint64_t *a)
function fsqrt (line 595) | static inline void fsqrt(uint64_t *res, uint64_t *a)
function make_base_point (line 635) | static inline void make_base_point(uint64_t *p)
function make_point_at_inf (line 645) | static inline void make_point_at_inf(uint64_t *p)
function is_point_at_inf_vartime (line 655) | static inline bool is_point_at_inf_vartime(uint64_t *p)
function to_aff_point (line 661) | static inline void to_aff_point(uint64_t *res, uint64_t *p)
function to_aff_point_x (line 676) | static inline void to_aff_point_x(uint64_t *res, uint64_t *p)
function to_proj_point (line 686) | static inline void to_proj_point(uint64_t *res, uint64_t *p)
function is_on_curve_vartime (line 698) | static inline bool is_on_curve_vartime(uint64_t *p)
function aff_point_store (line 720) | static inline void aff_point_store(uint8_t *res, uint64_t *p)
function point_store (line 727) | static inline void point_store(uint8_t *res, uint64_t *p)
function aff_point_load_vartime (line 734) | static inline bool aff_point_load_vartime(uint64_t *p, uint8_t *b)
function load_point_vartime (line 755) | static inline bool load_point_vartime(uint64_t *p, uint8_t *b)
function aff_point_decompress_vartime (line 766) | static inline bool aff_point_decompress_vartime(uint64_t *x, uint64_t *y...
function point_double (line 810) | static inline void point_double(uint64_t *res, uint64_t *p)
function point_add (line 862) | static inline void point_add(uint64_t *res, uint64_t *p, uint64_t *q)
function point_mul (line 936) | static inline void point_mul(uint64_t *res, uint64_t *scalar, uint64_t *p)
function precomp_get_consttime (line 979) | static inline void precomp_get_consttime(const uint64_t *table, uint64_t...
function point_mul_g (line 997) | static inline void point_mul_g(uint64_t *res, uint64_t *scalar)
function point_mul_double_g (line 1058) | static inline void
function bn_is_lt_order_mask4 (line 1112) | static inline uint64_t bn_is_lt_order_mask4(uint64_t *f)
function bn_is_lt_order_and_gt_zero_mask4 (line 1120) | static inline uint64_t bn_is_lt_order_and_gt_zero_mask4(uint64_t *f)
function qmod_short (line 1127) | static inline void qmod_short(uint64_t *res, uint64_t *x)
function qadd (line 1135) | static inline void qadd(uint64_t *res, uint64_t *x, uint64_t *y)
function qmont_reduction (line 1142) | static inline void qmont_reduction(uint64_t *res, uint64_t *x)
function from_qmont (line 1206) | static inline void from_qmont(uint64_t *res, uint64_t *x)
function qmul (line 1213) | static inline void qmul(uint64_t *res, uint64_t *x, uint64_t *y)
function qsqr (line 1220) | static inline void qsqr(uint64_t *res, uint64_t *x)
function Hacl_Impl_P256_DH_ecp256dh_i (line 1227) | bool Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_...
function Hacl_Impl_P256_DH_ecp256dh_r (line 1253) | bool
function qinv (line 1289) | static inline void qinv(uint64_t *res, uint64_t *r)
function qmul_mont (line 1397) | static inline void qmul_mont(uint64_t *sinv, uint64_t *b, uint64_t *res)
function ecdsa_verify_msg_as_qelem (line 1404) | static inline bool
function ecdsa_sign_msg_as_qelem (line 1445) | static inline bool
function Hacl_P256_ecdsa_sign_p256_without_hash (line 1546) | bool
function Hacl_P256_ecdsa_verif_without_hash (line 1587) | bool
function Hacl_P256_validate_public_key (line 1626) | bool Hacl_P256_validate_public_key(uint8_t *public_key)
function Hacl_P256_validate_private_key (line 1643) | bool Hacl_P256_validate_private_key(uint8_t *private_key)
function Hacl_P256_uncompressed_to_raw (line 1674) | bool Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw)
function Hacl_P256_compressed_to_raw (line 1695) | bool Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw)
function Hacl_P256_raw_to_uncompressed (line 1717) | void Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk)
function Hacl_P256_raw_to_compressed (line 1731) | void Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk)
function Hacl_P256_dh_initiator (line 1758) | bool Hacl_P256_dh_initiator(uint8_t *public_key, uint8_t *private_key)
function Hacl_P256_dh_responder (line 1775) | bool
FILE: dist/mozilla/Hacl_RSAPSS.c
function hash_len (line 35) | static inline uint32_t hash_len(Spec_Hash_Definitions_hash_alg a)
function hash (line 95) | static inline void
function mgf_hash (line 123) | static inline void
function check_num_bits_u64 (line 155) | static inline uint64_t check_num_bits_u64(uint32_t bs, uint64_t *b)
function check_modulus_u64 (line 179) | static inline uint64_t check_modulus_u64(uint32_t modBits, uint64_t *n)
function check_exponent_u64 (line 203) | static inline uint64_t check_exponent_u64(uint32_t eBits, uint64_t *e)
function pss_encode (line 222) | static inline void
function pss_verify (line 272) | static inline bool
function load_pkey (line 356) | static inline bool
function load_skey (line 374) | static inline bool
function Hacl_RSAPSS_rsapss_sign (line 416) | bool
function Hacl_RSAPSS_rsapss_verify (line 519) | bool
function Hacl_RSAPSS_rsapss_skey_sign (line 778) | bool
function Hacl_RSAPSS_rsapss_pkey_verify (line 842) | bool
function Hacl_RSAPSS_mgf_hash (line 876) | void
FILE: dist/mozilla/Hacl_SHA2_Types.h
type Hacl_Hash_SHA2_uint8_2p (line 38) | typedef struct Hacl_Hash_SHA2_uint8_2p_s
type Hacl_Hash_SHA2_uint8_3p (line 45) | typedef struct Hacl_Hash_SHA2_uint8_3p_s
type Hacl_Hash_SHA2_uint8_4p (line 52) | typedef struct Hacl_Hash_SHA2_uint8_4p_s
type Hacl_Hash_SHA2_uint8_4p (line 61) | typedef Hacl_Hash_SHA2_uint8_4p Hacl_Hash_SHA2_bufx4;
FILE: dist/mozilla/Hacl_Spec.h
type Spec_FFDHE_ffdhe_alg (line 44) | typedef uint8_t Spec_FFDHE_ffdhe_alg;
type Spec_Agile_AEAD_alg (line 54) | typedef uint8_t Spec_Agile_AEAD_alg;
FILE: dist/mozilla/Hacl_Streaming_Types.h
type Spec_Hash_Definitions_hash_alg (line 53) | typedef uint8_t Spec_Hash_Definitions_hash_alg;
type Hacl_Streaming_Types_error_code (line 61) | typedef uint8_t Hacl_Streaming_Types_error_code;
type Hacl_Streaming_MD_state_32 (line 63) | typedef struct Hacl_Streaming_MD_state_32_s Hacl_Streaming_MD_state_32;
type Hacl_Streaming_MD_state_64 (line 65) | typedef struct Hacl_Streaming_MD_state_64_s Hacl_Streaming_MD_state_64;
FILE: dist/mozilla/Lib_Memzero0.c
function Lib_Memzero0_memzero0 (line 50) | void Lib_Memzero0_memzero0(void *dst, uint64_t len) {
FILE: dist/mozilla/Vale.c
type als_ret (line 28) | typedef uint64_t als_ret;
FILE: dist/mozilla/curve25519-inline.h
function add_scalar (line 8) | static inline void add_scalar (uint64_t *out, uint64_t *f1, uint64_t f2)
function fadd (line 37) | static inline void fadd (uint64_t *out, uint64_t *f1, uint64_t *f2)
function fsub (line 79) | static inline void fsub (uint64_t *out, uint64_t *f1, uint64_t *f2)
function fmul (line 123) | static inline void fmul (uint64_t *out, uint64_t *f1, uint64_t *f2, uint...
function fmul2 (line 211) | static inline void fmul2 (uint64_t *out, uint64_t *f1, uint64_t *f2, uin...
function fmul_scalar (line 366) | static inline void fmul_scalar (uint64_t *out, uint64_t *f1, uint64_t f2)
function cswap2 (line 409) | static inline void cswap2 (uint64_t bit, uint64_t *p1, uint64_t *p2)
function fsqr (line 494) | static inline void fsqr (uint64_t *out, uint64_t *f, uint64_t *tmp)
function fsqr2 (line 588) | static inline void fsqr2 (uint64_t *out, uint64_t *f, uint64_t *tmp)
FILE: dist/mozilla/internal/Hacl_Bignum25519_51.h
function Hacl_Impl_Curve25519_Field51_fadd (line 41) | static inline void Hacl_Impl_Curve25519_Field51_fadd(uint64_t *out, uint...
function Hacl_Impl_Curve25519_Field51_fsub (line 60) | static inline void Hacl_Impl_Curve25519_Field51_fsub(uint64_t *out, uint...
function Hacl_Impl_Curve25519_Field51_fmul (line 79) | static inline void
function Hacl_Impl_Curve25519_Field51_fmul2 (line 162) | static inline void
function Hacl_Impl_Curve25519_Field51_fmul1 (line 327) | static inline void Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uin...
function Hacl_Impl_Curve25519_Field51_fsqr (line 369) | static inline void
function Hacl_Impl_Curve25519_Field51_fsqr2 (line 444) | static inline void
function Hacl_Impl_Curve25519_Field51_store_felem (line 598) | static inline void Hacl_Impl_Curve25519_Field51_store_felem(uint64_t *u6...
function Hacl_Impl_Curve25519_Field51_cswap2 (line 658) | static inline void
FILE: dist/mozilla/internal/Hacl_Bignum_Base.h
function Hacl_Bignum_Base_mul_wide_add2_u32 (line 43) | static inline uint32_t
function Hacl_Bignum_Base_mul_wide_add2_u64 (line 52) | static inline uint64_t
function Hacl_Bignum_Convert_bn_from_bytes_be_uint64 (line 65) | static inline void
function Hacl_Bignum_Convert_bn_to_bytes_be_uint64 (line 83) | static inline void
function Hacl_Bignum_Lib_bn_get_top_index_u32 (line 98) | static inline uint32_t Hacl_Bignum_Lib_bn_get_top_index_u32(uint32_t len...
function Hacl_Bignum_Lib_bn_get_top_index_u64 (line 109) | static inline uint64_t Hacl_Bignum_Lib_bn_get_top_index_u64(uint32_t len...
function Hacl_Bignum_Lib_bn_get_bits_u32 (line 120) | static inline uint32_t
function Hacl_Bignum_Lib_bn_get_bits_u64 (line 138) | static inline uint64_t
function Hacl_Bignum_Addition_bn_sub_eq_len_u32 (line 156) | static inline uint32_t
function Hacl_Bignum_Addition_bn_sub_eq_len_u64 (line 189) | static inline uint64_t
function Hacl_Bignum_Addition_bn_add_eq_len_u32 (line 222) | static inline uint32_t
function Hacl_Bignum_Addition_bn_add_eq_len_u64 (line 255) | static inline uint64_t
function Hacl_Bignum_Multiplication_bn_mul_u32 (line 288) | static inline void
function Hacl_Bignum_Multiplication_bn_mul_u64 (line 329) | static inline void
function Hacl_Bignum_Multiplication_bn_sqr_u32 (line 370) | static inline void
function Hacl_Bignum_Multiplication_bn_sqr_u64 (line 421) | static inline void
FILE: dist/mozilla/internal/Hacl_Hash_SHA3.h
type Hacl_Hash_SHA3_hash_buf (line 65) | typedef struct Hacl_Hash_SHA3_hash_buf_s
type Hacl_Hash_SHA3_state_t (line 72) | typedef struct Hacl_Hash_SHA3_state_t_s
FILE: dist/mozilla/internal/Hacl_MAC_Poly1305.h
type Hacl_MAC_Poly1305_state_t (line 45) | typedef struct Hacl_MAC_Poly1305_state_t_s
type FStar_Pervasives_Native_option___uint8_t_ (line 54) | typedef struct FStar_Pervasives_Native_option___uint8_t__s
FILE: dist/mozilla/internal/Hacl_MAC_Poly1305_Simd128.h
type Hacl_MAC_Poly1305_Simd128_state_t (line 59) | typedef struct Hacl_MAC_Poly1305_Simd128_state_t_s
FILE: dist/mozilla/internal/Hacl_MAC_Poly1305_Simd256.h
type Hacl_MAC_Poly1305_Simd256_state_t (line 59) | typedef struct Hacl_MAC_Poly1305_Simd256_state_t_s
FILE: dist/mozilla/internal/Hacl_SHA2_Types.h
type Hacl_Hash_SHA2_uint8_5p (line 40) | typedef struct Hacl_Hash_SHA2_uint8_5p_s
type Hacl_Hash_SHA2_uint8_6p (line 47) | typedef struct Hacl_Hash_SHA2_uint8_6p_s
type Hacl_Hash_SHA2_uint8_7p (line 54) | typedef struct Hacl_Hash_SHA2_uint8_7p_s
type Hacl_Hash_SHA2_uint8_8p (line 61) | typedef struct Hacl_Hash_SHA2_uint8_8p_s
type Hacl_Hash_SHA2_uint8_2x4p (line 68) | typedef struct Hacl_Hash_SHA2_uint8_2x4p_s
type Hacl_Hash_SHA2_uint8_2x8p (line 75) | typedef struct Hacl_Hash_SHA2_uint8_2x8p_s
FILE: dist/mozilla/internal/Hacl_Spec.h
type Spec_Cipher_Expansion_impl (line 44) | typedef uint8_t Spec_Cipher_Expansion_impl;
type Spec_Frodo_Params_frodo_gen_a (line 49) | typedef uint8_t Spec_Frodo_Params_frodo_gen_a;
FILE: dist/mozilla/internal/Hacl_Streaming_Types.h
type Hacl_Streaming_Types_optional (line 43) | typedef uint8_t Hacl_Streaming_Types_optional;
type Hacl_Streaming_Types_optional_32 (line 45) | typedef struct Hacl_Streaming_Types_optional_32_s
type Hacl_Streaming_Types_optional_64 (line 52) | typedef struct Hacl_Streaming_Types_optional_64_s
type Hacl_Streaming_Types_two_pointers (line 59) | typedef struct Hacl_Streaming_Types_two_pointers_s
type Hacl_Streaming_MD_state_32 (line 66) | typedef struct Hacl_Streaming_MD_state_32_s
type Hacl_Streaming_MD_state_64 (line 74) | typedef struct Hacl_Streaming_MD_state_64_s
FILE: dist/mozilla/libintvector.h
type __m128i (line 32) | typedef __m128i Lib_IntVector_Intrinsics_vec128;
type __m256i (line 232) | typedef __m256i Lib_IntVector_Intrinsics_vec256;
type uint32x4_t (line 459) | typedef uint32x4_t Lib_IntVector_Intrinsics_vec128;
function Lib_IntVector_Intrinsics_vec128 (line 628) | static inline Lib_IntVector_Intrinsics_vec128 Lib_IntVector_Intrinsics_v...
function Lib_IntVector_Intrinsics_vec128 (line 633) | static inline Lib_IntVector_Intrinsics_vec128 Lib_IntVector_Intrinsics_v...
type vector128_8 (line 664) | typedef unsigned char vector128_8 __attribute__ ((vector_size(16)));
type vector128_32 (line 665) | typedef unsigned int vector128_32 __attribute__ ((vector_size(16)));
type vector128_64 (line 666) | typedef unsigned long long vector128_64 __attribute__ ((vector_size(16)));
type vector128_8 (line 668) | typedef vector128_8 Lib_IntVector_Intrinsics_vec128;
type vector128_8 (line 669) | typedef vector128_8 vector128;
function Lib_IntVector_Intrinsics_vec128_store32_le (line 680) | static inline
function Lib_IntVector_Intrinsics_vec128_store32_be (line 685) | static inline
function Lib_IntVector_Intrinsics_vec128_store64_le (line 690) | static inline
function vector128 (line 789) | static inline
type vector128_8 (line 824) | typedef vector unsigned char vector128_8;
type vector128_32 (line 825) | typedef vector unsigned int vector128_32;
type vector128_64 (line 826) | typedef vector unsigned long long vector128_64;
type vector128_8 (line 828) | typedef vector128_8 Lib_IntVector_Intrinsics_vec128;
type vector128_8 (line 829) | typedef vector128_8 vector128;
FILE: dist/msvc-compatible/EverCrypt_AEAD.c
function EverCrypt_AEAD_uu___is_Ek (line 40) | bool EverCrypt_AEAD_uu___is_Ek(Spec_Agile_AEAD_alg a, EverCrypt_AEAD_sta...
function Spec_Agile_AEAD_alg (line 54) | Spec_Agile_AEAD_alg EverCrypt_AEAD_alg_of_state(EverCrypt_AEAD_state_s *s)
function EverCrypt_Error_error_code (line 79) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 94) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 127) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 176) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 200) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 323) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 465) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 520) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 664) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 800) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 941) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1082) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1105) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1168) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1303) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1438) | static EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1500) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1548) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1698) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1840) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 1987) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 2134) | EverCrypt_Error_error_code
function EverCrypt_Error_error_code (line 2156) | EverCrypt_Error_error_code
function EverCrypt_AEAD_free (line 2224) | void EverCrypt_AEAD_free(EverCrypt_AEAD_state_s *s)
FILE: dist/msvc-compatible/EverCrypt_AEAD.h
type EverCrypt_AEAD_state_s (line 41) | typedef struct EverCrypt_AEAD_state_s_s EverCrypt_AEAD_state_s;
FILE: dist/msvc-compatible/EverCrypt_AutoConfig2.c
function EverCrypt_AutoConfig2_has_shaext (line 53) | bool EverCrypt_AutoConfig2_has_shaext(void)
function EverCrypt_AutoConfig2_has_aesni (line 58) | bool EverCrypt_AutoConfig2_has_aesni(void)
function EverCrypt_AutoConfig2_has_pclmulqdq (line 63) | bool EverCrypt_AutoConfig2_has_pclmulqdq(void)
function EverCrypt_AutoConfig2_has_avx2 (line 68) | bool EverCrypt_AutoConfig2_has_avx2(void)
function EverCrypt_AutoConfig2_has_avx (line 73) | bool EverCrypt_AutoConfig2_has_avx(void)
function EverCrypt_AutoConfig2_has_bmi2 (line 78) | bool EverCrypt_AutoConfig2_has_bmi2(void)
function EverCrypt_AutoConfig2_has_adx (line 83) | bool EverCrypt_
Copy disabled (too large)
Download .json
Condensed preview — 3635 files, each showing path, character count, and a content snippet. Download the .json file for the full structured content (99,021K chars).
[
{
"path": ".ci/script.bat",
"chars": 626,
"preview": "call \"C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise\\Common7\\Tools\\VsDevCmd.bat\" -host_arch=amd64 -arch=amd64\n"
},
{
"path": ".ci/script.sh",
"chars": 1721,
"preview": "#!/usr/bin/env bash\n\nset -e\nset -o pipefail\n\nif [[ $OS == \"Windows_NT\" ]]; then\n # The usual issue of return codes not "
},
{
"path": ".docker/build/build.sh",
"chars": 9434,
"preview": "#!/usr/bin/env bash\n\n#set -x\n\ntarget=$1\nout_file=$2\nthreads=$3\nbranchname=$4\n\nfunction export_home() {\n local home_pa"
},
{
"path": ".docker/build/build_helper.sh",
"chars": 781,
"preview": "#!/usr/bin/env bash\n\ntarget=$1\nout_file=$2\nthreads=$3\nbranchname=$4\n\nexport FSTAR_EXE=$(pwd)/FStar/bin/fstar.exe\n\neval $"
},
{
"path": ".docker/build/config.json",
"chars": 1172,
"preview": "{\n \"ProjectName\" : \"hacl-star\",\n\n \"BaseContainerIsEverestImage\" : true,\n \"BaseContainerImageName\" : \"fstar\",\n "
},
{
"path": ".docker/build/linux/Dockerfile",
"chars": 1450,
"preview": "# hacl build container\n\n# Define on fstar-version.json what FStar base container image\n# hacl build should use.\n# By def"
},
{
"path": ".docker/build/windows-nt/Dockerfile",
"chars": 1710,
"preview": "# hacl build container\n\n# Define on fstar-version.json what FStar base container image\n# hacl build should use.\n# By def"
},
{
"path": ".drone.yml",
"chars": 390,
"preview": "kind: pipeline\ntype: docker\nname: arm64\n\nplatform:\n arch: arm64\n\nsteps:\n- name: test\n image: rust:latest\n commands:\n "
},
{
"path": ".gitattributes",
"chars": 340,
"preview": "# Linguist\n*.fst linguist-language=FStar\n*.fst linguist-documentation=false\n*.fsti linguist-language=FStar\n*.fsti lingui"
},
{
"path": ".github/ISSUE_TEMPLATE/bug-report.md",
"chars": 646,
"preview": "---\nname: Bug Report\nabout: Create a report to help us improve\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n**Describe the b"
},
{
"path": ".github/ISSUE_TEMPLATE/feature_request.md",
"chars": 595,
"preview": "---\nname: Feature request\nabout: Suggest an idea for this project\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\n**Is your fea"
},
{
"path": ".github/ISSUE_TEMPLATE/performance-issue.md",
"chars": 360,
"preview": "---\nname: Performance Issue\nabout: Notify performance regression for some algorithm\ntitle: ''\nlabels: ''\nassignees: ''\n\n"
},
{
"path": ".github/ISSUE_TEMPLATE/proof-issue.md",
"chars": 280,
"preview": "---\nname: Proof Issue\nabout: Report proof failures and regressions\ntitle: ''\nlabels: ''\nassignees: ''\n\n---\n\nSetup on whi"
},
{
"path": ".github/workflows/dist.yml",
"chars": 1254,
"preview": "name: Dist CI\n\non:\n push:\n branches: [ main ]\n pull_request:\n branches: [ main ]\n workflow_dispatch:\n\npermissio"
},
{
"path": ".github/workflows/hacl-packages-create-branch.yml",
"chars": 3346,
"preview": "name: Create branch on hacl-packages\n\non:\n pull_request_target:\n branches: [ main ]\n\npermissions:\n pull-requests: w"
},
{
"path": ".github/workflows/hacl-packages-delete-branch.yml",
"chars": 455,
"preview": "name: Delete branch on hacl-packages\n\non:\n pull_request:\n types: [ closed ]\n\npermissions: {}\n\njobs:\n hacl-packages-"
},
{
"path": ".github/workflows/hintsanddist.yml",
"chars": 1354,
"preview": "name: regenerate hints and dist\n\non:\n schedule:\n - cron: '0 0 * * 0'\n workflow_dispatch:\n\npermissions:\n contents: "
},
{
"path": ".github/workflows/nix.yml",
"chars": 1011,
"preview": "name: Nix\n\non:\n push:\n branches-ignore: [ '_**' ]\n pull_request:\n workflow_dispatch:\n\npermissions: {}\n\n# Cancel pr"
},
{
"path": ".gitignore",
"chars": 484,
"preview": "*~\n*.o\n*.d\n*.d.*\n*.cm*\n*.so\n*.dll\n*.a\n*.exe\n*.exe.dSYM\nout.krml\n*.checked\n*.checked.lax\n*.dump\n.extracted\n.*depend*\n.eve"
},
{
"path": ".nix/hacl.nix",
"chars": 5974,
"preview": "{\n bash,\n dotnet-runtime,\n fetchFromGitHub,\n flock,\n fstar,\n fstar-scripts,\n git,\n karamel,\n lib,\n ocamlPackag"
},
{
"path": ".nix/vale.nix",
"chars": 1779,
"preview": "{\n fetchFromGitHub,\n fetchNuGet,\n fsharp,\n mono,\n dotnet-runtime,\n scons,\n stdenv,\n}: let\n FsLexYacc = fetchNuGe"
},
{
"path": ".scripts/memhogs.sh",
"chars": 440,
"preview": "#!/bin/bash\n\necho \"MEMHOGS := \"\n# Find all runlim files, extract consumed memory and output files in order of increasing"
},
{
"path": ".scripts/remove_stale_hints.sh",
"chars": 840,
"preview": "#!/bin/bash\n\nset -eu\n\ndeclare -A files # Store all basenames in repo\ndeclare -A hints # Store all paths of hints in repo"
},
{
"path": "CHANGES.md",
"chars": 2510,
"preview": "# Changelog\n\nAll notable changes to this project will be documented in this file.\n\nThe format is based on [Keep a Change"
},
{
"path": "CODEOWNERS",
"chars": 27,
"preview": "* @hacl-star/Maintainers\n"
},
{
"path": "CODE_OF_CONDUCT.md",
"chars": 5272,
"preview": "# Contributor Covenant Code of Conduct\n\n## Our Pledge\n\nWe as members, contributors, and leaders pledge to make participa"
},
{
"path": "GOVERNANCE.md",
"chars": 3443,
"preview": "# Governance Policy\n\nThis document provides the governance policy for the Project. Maintainers agree to this policy and "
},
{
"path": "Hacl.fst.config.json",
"chars": 2260,
"preview": "{\n \"fstar_exe\": \"fstar.exe\",\n \"options\": [\n \"--use_hints\",\n \"--use_hint_hashes\",\n \"--record_hints\",\n \"--od"
},
{
"path": "LICENSE",
"chars": 11356,
"preview": " Apache License\n Version 2.0, January 2004\n "
},
{
"path": "MAINTAINERS.md",
"chars": 959,
"preview": "# Maintainers\n\nThis document lists the Maintainers of the Project. Maintainers may be added once approved by the existin"
},
{
"path": "Makefile",
"chars": 42671,
"preview": "# This Makefile covers all of the present repository (HACL* + Vale + EverCrypt)\n#\n# From a high-level perspective, the c"
},
{
"path": "Makefile.common",
"chars": 12048,
"preview": "# This Makefile can be safely included from sub-directories for the purposes of\n# defining the .fst-in targets, as long "
},
{
"path": "Makefile.include",
"chars": 2736,
"preview": "# This Makefile can be included by client projects; it exports the set of\n# include directories relative to HACL_HOME an"
},
{
"path": "Makefile.local",
"chars": 2490,
"preview": "# A shared set of local definitions for local Makefiles. See curve25519/Makefile\n# for comments.\n\nifeq (,$(filter %-in,$"
},
{
"path": "Makefile.openssl",
"chars": 345,
"preview": "# Exporting proper linking flags -- used by Makefile and tests/Makefile\n\nifeq ($(shell uname),Darwin)\nOPENSSL_ROOT=$(she"
},
{
"path": "PULL_REQUEST.md",
"chars": 3778,
"preview": "How to submit a pull request with minimal amounts of noise\n==========================================================\n\nT"
},
{
"path": "README.md",
"chars": 5973,
"preview": "# A High-Assurance Cryptographic Library\n\nThis repository contains verified code for a library of modern\ncryptographic a"
},
{
"path": "SECURITY.md",
"chars": 973,
"preview": "# Security Policy\n\n## Verification \n\nThe main branch contains the latest verified code for the HACL* library and include"
},
{
"path": "build_local.sh",
"chars": 2183,
"preview": "#!/usr/bin/env bash\nset -e\n\n# Look for config.json file\nFILE=${1:-\".docker/build/config.json\"}\nif [[ ! -f $FILE ]]; then"
},
{
"path": "code/bignum/AUTHORS.md",
"chars": 134,
"preview": "This code was primarily written by Marina Polubelova (INRIA).\nJonathan Protzenko contributed the design of the type clas"
},
{
"path": "code/bignum/Hacl.Bignum.Addition.fst",
"chars": 10002,
"preview": "module Hacl.Bignum.Addition\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Hacl.Bignum.Definitions"
},
{
"path": "code/bignum/Hacl.Bignum.AlmostMontExponentiation.fst",
"chars": 11777,
"preview": "module Hacl.Bignum.AlmostMontExponentiation\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.Int"
},
{
"path": "code/bignum/Hacl.Bignum.AlmostMontgomery.fst",
"chars": 3253,
"preview": "module Hacl.Bignum.AlmostMontgomery\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nop"
},
{
"path": "code/bignum/Hacl.Bignum.AlmostMontgomery.fsti",
"chars": 2985,
"preview": "module Hacl.Bignum.AlmostMontgomery\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nop"
},
{
"path": "code/bignum/Hacl.Bignum.Base.fst",
"chars": 3750,
"preview": "module Hacl.Bignum.Base\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Buffe"
},
{
"path": "code/bignum/Hacl.Bignum.Comparison.fst",
"chars": 3529,
"preview": "module Hacl.Bignum.Comparison\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib"
},
{
"path": "code/bignum/Hacl.Bignum.Convert.fst",
"chars": 9113,
"preview": "module Hacl.Bignum.Convert\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Bu"
},
{
"path": "code/bignum/Hacl.Bignum.Definitions.fst",
"chars": 914,
"preview": "module Hacl.Bignum.Definitions\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Li"
},
{
"path": "code/bignum/Hacl.Bignum.Exponentiation.fst",
"chars": 8650,
"preview": "module Hacl.Bignum.Exponentiation\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen"
},
{
"path": "code/bignum/Hacl.Bignum.Exponentiation.fsti",
"chars": 6431,
"preview": "module Hacl.Bignum.Exponentiation\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen"
},
{
"path": "code/bignum/Hacl.Bignum.Karatsuba.fst",
"chars": 13151,
"preview": "module Hacl.Bignum.Karatsuba\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib."
},
{
"path": "code/bignum/Hacl.Bignum.Lib.fst",
"chars": 5401,
"preview": "module Hacl.Bignum.Lib\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Buffer"
},
{
"path": "code/bignum/Hacl.Bignum.ModInv.fst",
"chars": 3989,
"preview": "module Hacl.Bignum.ModInv\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Buf"
},
{
"path": "code/bignum/Hacl.Bignum.ModInvLimb.fst",
"chars": 2345,
"preview": "module Hacl.Bignum.ModInvLimb\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib"
},
{
"path": "code/bignum/Hacl.Bignum.ModInvLimb.fsti",
"chars": 532,
"preview": "module Hacl.Bignum.ModInvLimb\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib"
},
{
"path": "code/bignum/Hacl.Bignum.ModReduction.fst",
"chars": 2474,
"preview": "module Hacl.Bignum.ModReduction\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen L"
},
{
"path": "code/bignum/Hacl.Bignum.MontArithmetic.fst",
"chars": 4844,
"preview": "module Hacl.Bignum.MontArithmetic\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen"
},
{
"path": "code/bignum/Hacl.Bignum.MontArithmetic.fsti",
"chars": 13410,
"preview": "module Hacl.Bignum.MontArithmetic\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen"
},
{
"path": "code/bignum/Hacl.Bignum.MontExponentiation.fst",
"chars": 10064,
"preview": "module Hacl.Bignum.MontExponentiation\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\n"
},
{
"path": "code/bignum/Hacl.Bignum.Montgomery.fst",
"chars": 8554,
"preview": "module Hacl.Bignum.Montgomery\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib"
},
{
"path": "code/bignum/Hacl.Bignum.Montgomery.fsti",
"chars": 6614,
"preview": "module Hacl.Bignum.Montgomery\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib"
},
{
"path": "code/bignum/Hacl.Bignum.Multiplication.fst",
"chars": 6817,
"preview": "module Hacl.Bignum.Multiplication\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen"
},
{
"path": "code/bignum/Hacl.Bignum.SafeAPI.fst",
"chars": 10562,
"preview": "module Hacl.Bignum.SafeAPI\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Bu"
},
{
"path": "code/bignum/Hacl.Bignum.fst",
"chars": 4913,
"preview": "module Hacl.Bignum\nmodule ST = FStar.HyperStack.ST\n\nfriend Hacl.Spec.Bignum\n\n#reset-options \"--z3rlimit 50 --fuel 0 --if"
},
{
"path": "code/bignum/Hacl.Bignum.fsti",
"chars": 15683,
"preview": "module Hacl.Bignum\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Buffer\n\nop"
},
{
"path": "code/bignum/Hacl.Bignum256.fst",
"chars": 4745,
"preview": "module Hacl.Bignum256\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BM = Hacl.Bignum.Montgomery\nmodule AM = Hacl.Bignu"
},
{
"path": "code/bignum/Hacl.Bignum256.fsti",
"chars": 11030,
"preview": "module Hacl.Bignum256\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BS = Hacl.Bignum.SafeAPI\nmodule MA = Hacl.Bignum.M"
},
{
"path": "code/bignum/Hacl.Bignum256_32.fst",
"chars": 4748,
"preview": "module Hacl.Bignum256_32\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BM = Hacl.Bignum.Montgomery\nmodule AM = Hacl.Bi"
},
{
"path": "code/bignum/Hacl.Bignum256_32.fsti",
"chars": 11062,
"preview": "module Hacl.Bignum256_32\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BS = Hacl.Bignum.SafeAPI\nmodule MA = Hacl.Bignu"
},
{
"path": "code/bignum/Hacl.Bignum32.fst",
"chars": 2657,
"preview": "module Hacl.Bignum32\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BE = Hacl.Bignum.Exponentiation\nmodule BR = Hacl.Bi"
},
{
"path": "code/bignum/Hacl.Bignum32.fsti",
"chars": 17196,
"preview": "module Hacl.Bignum32\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BS = Hacl.Bignum.SafeAPI\nmodule MA = Hacl.Bignum.Mo"
},
{
"path": "code/bignum/Hacl.Bignum4096.fst",
"chars": 4814,
"preview": "module Hacl.Bignum4096\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BM = Hacl.Bignum.Montgomery\nmodule AM = Hacl.Bign"
},
{
"path": "code/bignum/Hacl.Bignum4096.fsti",
"chars": 11264,
"preview": "module Hacl.Bignum4096\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BS = Hacl.Bignum.SafeAPI\nmodule MA = Hacl.Bignum."
},
{
"path": "code/bignum/Hacl.Bignum4096_32.fst",
"chars": 4817,
"preview": "module Hacl.Bignum4096_32\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BM = Hacl.Bignum.Montgomery\nmodule AM = Hacl.B"
},
{
"path": "code/bignum/Hacl.Bignum4096_32.fsti",
"chars": 11280,
"preview": "module Hacl.Bignum4096_32\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BS = Hacl.Bignum.SafeAPI\nmodule MA = Hacl.Bign"
},
{
"path": "code/bignum/Hacl.Bignum64.fst",
"chars": 2657,
"preview": "module Hacl.Bignum64\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BE = Hacl.Bignum.Exponentiation\nmodule BR = Hacl.Bi"
},
{
"path": "code/bignum/Hacl.Bignum64.fsti",
"chars": 10651,
"preview": "module Hacl.Bignum64\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule BS = Hacl.Bignum.SafeAPI\nmodule MA = Hacl.Bignum.Mo"
},
{
"path": "code/bignum/Hacl.GenericField32.fst",
"chars": 1499,
"preview": "module Hacl.GenericField32\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule MA = Hacl.Bignum.MontArithmetic\nmodule BM = H"
},
{
"path": "code/bignum/Hacl.GenericField32.fsti",
"chars": 6533,
"preview": "module Hacl.GenericField32\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule MA = Hacl.Bignum.MontArithmetic\n\n#set-options"
},
{
"path": "code/bignum/Hacl.GenericField64.fst",
"chars": 1499,
"preview": "module Hacl.GenericField64\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule MA = Hacl.Bignum.MontArithmetic\nmodule BM = H"
},
{
"path": "code/bignum/Hacl.GenericField64.fsti",
"chars": 6533,
"preview": "module Hacl.GenericField64\n\nopen FStar.Mul\n\nmodule BN = Hacl.Bignum\nmodule MA = Hacl.Bignum.MontArithmetic\n\n#set-options"
},
{
"path": "code/bignum/Hacl.Impl.Exponentiation.Definitions.fst",
"chars": 2869,
"preview": "module Hacl.Impl.Exponentiation.Definitions\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.Int"
},
{
"path": "code/bignum/Hacl.Impl.Exponentiation.fst",
"chars": 19373,
"preview": "module Hacl.Impl.Exponentiation\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen L"
},
{
"path": "code/bignum/Hacl.Impl.Exponentiation.fsti",
"chars": 9820,
"preview": "module Hacl.Impl.Exponentiation\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen L"
},
{
"path": "code/bignum/Hacl.Impl.Lib.fst",
"chars": 8162,
"preview": "module Hacl.Impl.Lib\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Buffer\n\n"
},
{
"path": "code/bignum/Hacl.Impl.MultiExponentiation.fst",
"chars": 27440,
"preview": "module Hacl.Impl.MultiExponentiation\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\no"
},
{
"path": "code/bignum/Hacl.Impl.MultiExponentiation.fsti",
"chars": 8411,
"preview": "module Hacl.Impl.MultiExponentiation\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.IntTypes\no"
},
{
"path": "code/bignum/Hacl.Impl.PrecompTable.fst",
"chars": 20239,
"preview": "module Hacl.Impl.PrecompTable\n\nopen FStar.Mul\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.I"
},
{
"path": "code/bignum/Hacl.Impl.PrecompTable.fsti",
"chars": 4360,
"preview": "module Hacl.Impl.PrecompTable\n\nopen FStar.Mul\n\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\nopen FStar.Mul\n\nopen Lib.I"
},
{
"path": "code/bignum/Hacl.Spec.AlmostMontgomery.Lemmas.fst",
"chars": 3892,
"preview": "module Hacl.Spec.AlmostMontgomery.Lemmas\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.LoopCombinators\n\nmodule M = Hacl.Sp"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Addition.fst",
"chars": 25622,
"preview": "module Hacl.Spec.Bignum.Addition\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Definitions"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.AlmostMontExponentiation.fst",
"chars": 5530,
"preview": "module Hacl.Spec.Bignum.AlmostMontExponentiation\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bi"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.AlmostMontgomery.fst",
"chars": 2466,
"preview": "module Hacl.Spec.Bignum.AlmostMontgomery\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Bas"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.AlmostMontgomery.fsti",
"chars": 1845,
"preview": "module Hacl.Spec.Bignum.AlmostMontgomery\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Def"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Base.fst",
"chars": 7854,
"preview": "module Hacl.Spec.Bignum.Base\n\nopen FStar.Mul\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Definitions\n\n#re"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Comparison.fst",
"chars": 7136,
"preview": "module Hacl.Spec.Bignum.Comparison\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Base\nopen"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Convert.fst",
"chars": 18566,
"preview": "module Hacl.Spec.Bignum.Convert\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\nopen Lib.ByteSequence\n\nopen Hacl.Sp"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Definitions.fst",
"chars": 13228,
"preview": "module Hacl.Spec.Bignum.Definitions\n\nopen FStar.Mul\nopen Lib.IntTypes\nopen Lib.Sequence\n\n\n#set-options \"--z3rlimit 50 --"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Exponentiation.fst",
"chars": 4734,
"preview": "module Hacl.Spec.Bignum.Exponentiation\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Defin"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Exponentiation.fsti",
"chars": 3163,
"preview": "module Hacl.Spec.Bignum.Exponentiation\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Defin"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Karatsuba.fst",
"chars": 20800,
"preview": "module Hacl.Spec.Bignum.Karatsuba\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\nopen Lib.LoopCombinators\n\nopen Ha"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Lib.fst",
"chars": 22832,
"preview": "module Hacl.Spec.Bignum.Lib\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Definitions\n\nmod"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.ModInv.fst",
"chars": 3839,
"preview": "module Hacl.Spec.Bignum.ModInv\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\nopen Lib.LoopCombinators\n\nopen Hacl."
},
{
"path": "code/bignum/Hacl.Spec.Bignum.ModInvLimb.fst",
"chars": 11458,
"preview": "module Hacl.Spec.Bignum.ModInvLimb\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.LoopCombinators\nopen Hacl.Spec.Bignum.Def"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.ModInvLimb.fsti",
"chars": 650,
"preview": "module Hacl.Spec.Bignum.ModInvLimb\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Hacl.Spec.Bignum.Definitions\n\n#reset-options "
},
{
"path": "code/bignum/Hacl.Spec.Bignum.ModReduction.fst",
"chars": 2639,
"preview": "module Hacl.Spec.Bignum.ModReduction\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Definit"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.MontArithmetic.fst",
"chars": 4715,
"preview": "module Hacl.Spec.Bignum.MontArithmetic\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Defin"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.MontArithmetic.fsti",
"chars": 3991,
"preview": "module Hacl.Spec.Bignum.MontArithmetic\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Defin"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.MontExponentiation.fst",
"chars": 4539,
"preview": "module Hacl.Spec.Bignum.MontExponentiation\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.D"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Montgomery.fst",
"chars": 18610,
"preview": "module Hacl.Spec.Bignum.Montgomery\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Base\nopen"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Montgomery.fsti",
"chars": 4978,
"preview": "module Hacl.Spec.Bignum.Montgomery\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Definitio"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Multiplication.fst",
"chars": 17486,
"preview": "module Hacl.Spec.Bignum.Multiplication\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\nopen Lib.LoopCombinators\n\nop"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.Squaring.fst",
"chars": 15776,
"preview": "module Hacl.Spec.Bignum.Squaring\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\nopen Lib.LoopCombinators\n\nopen Hac"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.fst",
"chars": 8022,
"preview": "module Hacl.Spec.Bignum\n\n\n\n#reset-options \"--z3rlimit 50 --fuel 0 --ifuel 0\"\n\nlet bn_add1 #t #aLen a b1 =\n Hacl.Spec.Bi"
},
{
"path": "code/bignum/Hacl.Spec.Bignum.fsti",
"chars": 11093,
"preview": "module Hacl.Spec.Bignum\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Bignum.Base\nopen Hacl.Spec."
},
{
"path": "code/bignum/Hacl.Spec.Exponentiation.Lemmas.fst",
"chars": 12765,
"preview": "module Hacl.Spec.Exponentiation.Lemmas\n\nopen FStar.Mul\nopen Lib.NatMod\nopen Lib.Sequence\n\n\nmodule LE = Lib.Exponentiatio"
},
{
"path": "code/bignum/Hacl.Spec.Karatsuba.Lemmas.fst",
"chars": 6508,
"preview": "module Hacl.Spec.Karatsuba.Lemmas\n\nopen FStar.Mul\nopen Lib.IntTypes\n\n#set-options \"--z3rlimit 50 --fuel 0 --ifuel 0\"\n\nty"
},
{
"path": "code/bignum/Hacl.Spec.Lib.fst",
"chars": 10030,
"preview": "module Hacl.Spec.Lib\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nmodule Loops = Lib.LoopCombinators\nmodule Vec"
},
{
"path": "code/bignum/Hacl.Spec.Montgomery.Lemmas.fst",
"chars": 29507,
"preview": "module Hacl.Spec.Montgomery.Lemmas\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.LoopCombinators\n\n\n(**\nhttps://members.lor"
},
{
"path": "code/bignum/Hacl.Spec.PrecompBaseTable.fst",
"chars": 9300,
"preview": "module Hacl.Spec.PrecompBaseTable\n\nopen FStar.Mul\nopen Lib.IntTypes\n\nmodule FL = FStar.List.Tot\nmodule LSeq = Lib.Sequen"
},
{
"path": "code/bignum/Hacl.Spec.PrecompBaseTable.fsti",
"chars": 3826,
"preview": "module Hacl.Spec.PrecompBaseTable\n\nopen FStar.Mul\nopen Lib.IntTypes\n\nmodule FL = FStar.List.Tot\nmodule LSeq = Lib.Sequen"
},
{
"path": "code/bignum/Hacl.Spec.PrecompBaseTable256.fst",
"chars": 5276,
"preview": "module Hacl.Spec.PrecompBaseTable256\n\nopen FStar.Mul\nopen Lib.IntTypes\n\nmodule LSeq = Lib.Sequence\nmodule Loops = Lib.Lo"
},
{
"path": "code/bignum/Hacl.Spec.PrecompBaseTable256.fsti",
"chars": 2788,
"preview": "module Hacl.Spec.PrecompBaseTable256\n\nopen FStar.Mul\nopen Lib.IntTypes\n\nmodule LSeq = Lib.Sequence\nmodule LE = Lib.Expon"
},
{
"path": "code/bignum/Hacl.Spec.PrecompTable.fst",
"chars": 3920,
"preview": "module Hacl.Spec.PrecompTable\n\nopen FStar.Mul\nopen Lib.IntTypes\nopen Lib.Sequence\n\nmodule Loops = Lib.LoopCombinators\n\nm"
},
{
"path": "code/bignum/Makefile",
"chars": 1063,
"preview": "HACL_HOME=$(realpath ../..)\n\n# CUSTOMIZE HERE: determine what is the main target of this Makefile, e.g. a C\n# test, a Lo"
},
{
"path": "code/bignum/README.md",
"chars": 4833,
"preview": "# A Verified Implementation of Bignum Library\n\n## Bignum representation\n\nIn some sense, we don't provide a *generic* big"
},
{
"path": "code/blake2/AUTHORS.md",
"chars": 96,
"preview": "This code was primarily written by Karthikeyan Bhargavan (INRIA) and Benjamin Beurdouche (INRIA)"
},
{
"path": "code/blake2/Hacl.Blake2b_256.fst",
"chars": 1950,
"preview": "module Hacl.Blake2b_256\n\nmodule Spec = Spec.Blake2\nmodule Impl = Hacl.Impl.Blake2.Generic\nmodule Core = Hacl.Impl.Blake2"
},
{
"path": "code/blake2/Hacl.Blake2b_32.fst",
"chars": 1639,
"preview": "module Hacl.Blake2b_32\n\nmodule Spec = Spec.Blake2\nmodule Impl = Hacl.Impl.Blake2.Generic\nmodule Core = Hacl.Impl.Blake2."
},
{
"path": "code/blake2/Hacl.Blake2s_128.fst",
"chars": 1951,
"preview": "module Hacl.Blake2s_128\n\nmodule Spec = Spec.Blake2\nmodule Impl = Hacl.Impl.Blake2.Generic\nmodule Core = Hacl.Impl.Blake2"
},
{
"path": "code/blake2/Hacl.Blake2s_32.fst",
"chars": 1650,
"preview": "module Hacl.Blake2s_32\n\nmodule Spec = Spec.Blake2\nmodule Impl = Hacl.Impl.Blake2.Generic\nmodule Core = Hacl.Impl.Blake2."
},
{
"path": "code/blake2/Hacl.Impl.Blake2.Constants.fst",
"chars": 1527,
"preview": "module Hacl.Impl.Blake2.Constants\nopen FStar.Mul\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\n\nopen Lib.IntTypes\nopen "
},
{
"path": "code/blake2/Hacl.Impl.Blake2.Core.fst",
"chars": 14177,
"preview": "module Hacl.Impl.Blake2.Core\nmodule ST = FStar.HyperStack.ST\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar."
},
{
"path": "code/blake2/Hacl.Impl.Blake2.Core.fsti",
"chars": 11444,
"preview": "module Hacl.Impl.Blake2.Core\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib."
},
{
"path": "code/blake2/Hacl.Impl.Blake2.Generic.fst",
"chars": 43133,
"preview": "module Hacl.Impl.Blake2.Generic\n\nopen FStar.Mul\nopen FStar.HyperStack\nopen FStar.HyperStack.ST\n\nopen Lib.IntTypes\nopen L"
},
{
"path": "code/blake2/Makefile",
"chars": 1461,
"preview": "HACL_HOME=$(realpath ../..)\n\n# CUSTOMIZE HERE: determine what is the main target of this Makefile, e.g. a C\n# test, a Lo"
},
{
"path": "code/chacha20/AUTHORS.md",
"chars": 162,
"preview": "This code was primarily written by Karthikeyan Bhargavan (INRIA) and Marina Polubelova (INRIA).\nAn earlier version was w"
},
{
"path": "code/chacha20/Hacl.Chacha20.Vec128.fst",
"chars": 512,
"preview": "module Hacl.Chacha20.Vec128\n\nopen Hacl.Meta.Chacha20.Vec\n\n[@CInline]\nprivate\nlet double_round_128 = core32xn_double_roun"
},
{
"path": "code/chacha20/Hacl.Chacha20.Vec256.fst",
"chars": 519,
"preview": "module Hacl.Chacha20.Vec256\n\nopen Hacl.Meta.Chacha20.Vec\n\n[@CInline]\nprivate\nlet double_round_256 = Hacl.Impl.Chacha20.C"
},
{
"path": "code/chacha20/Hacl.Chacha20.Vec32.fst",
"chars": 508,
"preview": "module Hacl.Chacha20.Vec32\n\nopen Hacl.Meta.Chacha20.Vec\n\n[@CInline]\nprivate\nlet double_round_32 = Hacl.Impl.Chacha20.Cor"
},
{
"path": "code/chacha20/Hacl.Chacha20.fst",
"chars": 1240,
"preview": "module Hacl.Chacha20\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen Lib.IntTypes\nopen Lib.Buffer\n\n\nval chacha20_e"
},
{
"path": "code/chacha20/Hacl.Impl.Chacha20.Core32.fst",
"chars": 4525,
"preview": "module Hacl.Impl.Chacha20.Core32\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\n\nopen Lib.IntTypes\nopen Lib.Sequence\no"
},
{
"path": "code/chacha20/Hacl.Impl.Chacha20.Core32xN.fst",
"chars": 6711,
"preview": "module Hacl.Impl.Chacha20.Core32xN\n\nmodule ST = FStar.HyperStack.ST\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen"
},
{
"path": "code/chacha20/Hacl.Impl.Chacha20.Vec.fst",
"chars": 9417,
"preview": "module Hacl.Impl.Chacha20.Vec\n\nmodule ST = FStar.HyperStack.ST\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FSta"
},
{
"path": "code/chacha20/Hacl.Impl.Chacha20.fst",
"chars": 6852,
"preview": "module Hacl.Impl.Chacha20\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Bu"
},
{
"path": "code/chacha20/Hacl.Meta.Chacha20.Vec.fst",
"chars": 374,
"preview": "module Hacl.Meta.Chacha20.Vec\n\n#set-options \"--z3rlimit 250 --fuel 0 --ifuel 0\"\n\n// Somehow miraculously, this works.\n%s"
},
{
"path": "code/chacha20/Hacl.Spec.Chacha20.Equiv.fst",
"chars": 35183,
"preview": "module Hacl.Spec.Chacha20.Equiv\n\nopen FStar.Mul\nopen Lib.IntTypes\nopen Lib.Sequence\nopen Lib.ByteSequence\nopen Lib.IntVe"
},
{
"path": "code/chacha20/Hacl.Spec.Chacha20.Lemmas.fst",
"chars": 1426,
"preview": "module Hacl.Spec.Chacha20.Lemmas\n\nopen FStar.Mul\nopen Lib.IntTypes\nopen Lib.Sequence\nopen Lib.IntVector\nopen Lib.IntVect"
},
{
"path": "code/chacha20/Hacl.Spec.Chacha20.Vec.fst",
"chars": 6732,
"preview": "module Hacl.Spec.Chacha20.Vec\n\nopen FStar.Mul\nopen Lib.IntTypes\nopen Lib.Sequence\nopen Lib.ByteSequence\nopen Lib.LoopCom"
},
{
"path": "code/chacha20/Makefile",
"chars": 1523,
"preview": "HACL_HOME=$(realpath ../..)\n\n# CUSTOMIZE HERE: determine what is the main target of this Makefile, e.g. a C\n# test, a Lo"
},
{
"path": "code/chacha20poly1305/AUTHORS.md",
"chars": 187,
"preview": "This code was primarily written by Aymeric Fromherz (CMU) and Marina Polubelova (INRIA).\nAn earlier version was written "
},
{
"path": "code/chacha20poly1305/Hacl.Chacha20Poly1305_128.fst",
"chars": 2665,
"preview": "module Hacl.Chacha20Poly1305_128\n\n\nopen Hacl.Meta.Chacha20Poly1305\nopen Hacl.Impl.Chacha20Poly1305\nopen Hacl.Impl.Poly13"
},
{
"path": "code/chacha20poly1305/Hacl.Chacha20Poly1305_256.fst",
"chars": 2665,
"preview": "module Hacl.Chacha20Poly1305_256\n\nopen Hacl.Meta.Chacha20Poly1305\nopen Hacl.Impl.Chacha20Poly1305\nopen Hacl.Impl.Poly130"
},
{
"path": "code/chacha20poly1305/Hacl.Chacha20Poly1305_32.fst",
"chars": 2630,
"preview": "module Hacl.Chacha20Poly1305_32\n\nopen Hacl.Meta.Chacha20Poly1305\nopen Hacl.Impl.Chacha20Poly1305\nopen Hacl.Impl.Poly1305"
},
{
"path": "code/chacha20poly1305/Hacl.Impl.Chacha20Poly1305.PolyCore.fst",
"chars": 1641,
"preview": "module Hacl.Impl.Chacha20Poly1305.PolyCore\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.Int"
},
{
"path": "code/chacha20poly1305/Hacl.Impl.Chacha20Poly1305.fst",
"chars": 8336,
"preview": "module Hacl.Impl.Chacha20Poly1305\n\nopen FStar.HyperStack.All\nopen FStar.HyperStack\nopen FStar.Mul\n\nopen Lib.IntTypes\nope"
},
{
"path": "code/chacha20poly1305/Hacl.Meta.Chacha20Poly1305.fst",
"chars": 381,
"preview": "module Hacl.Meta.Chacha20Poly1305\n\n#set-options \"--z3rlimit 350 --fuel 0 --max_ifuel 1\"\n\n%splice[\n chacha20poly1305_pol"
},
{
"path": "code/chacha20poly1305/Makefile",
"chars": 1204,
"preview": "HACL_HOME=$(realpath ../..)\n\n# CUSTOMIZE HERE: determine what is the main target of this Makefile, e.g. a C\n# test, a Lo"
},
{
"path": "code/curve25519/AUTHORS.md",
"chars": 278,
"preview": "This code was primarily written by Karthikeyan Bhargavan (INRIA), Marina Polubelova (INRIA), and uses code\nfrom the Vale"
},
{
"path": "code/curve25519/Hacl.Curve25519_51.fst",
"chars": 1049,
"preview": "module Hacl.Curve25519_51\n\nfriend Hacl.Meta.Curve25519\nopen Hacl.Meta.Curve25519\n\n// The Hacl core.\nmodule C = Hacl.Impl"
},
{
"path": "code/curve25519/Hacl.Curve25519_51.fsti",
"chars": 1234,
"preview": "module Hacl.Curve25519_51\n\nopen Hacl.Impl.Curve25519.Generic\nopen Hacl.Impl.Curve25519.Fields\n\n[@@ Comment \"Compute the "
},
{
"path": "code/curve25519/Hacl.Curve25519_64.fst",
"chars": 1304,
"preview": "module Hacl.Curve25519_64\n\nfriend Hacl.Meta.Curve25519\nopen Hacl.Meta.Curve25519\n\n// The Vale core.\nmodule C = Hacl.Impl"
},
{
"path": "code/curve25519/Hacl.Curve25519_64.fsti",
"chars": 1320,
"preview": "module Hacl.Curve25519_64\n\nopen Hacl.Impl.Curve25519.Generic\nopen Hacl.Impl.Curve25519.Fields\n\ninline_for_extraction noe"
},
{
"path": "code/curve25519/Hacl.Curve25519_64_Local.fst",
"chars": 1306,
"preview": "module Hacl.Curve25519_64_Local\n\nfriend Hacl.Meta.Curve25519\nopen Hacl.Meta.Curve25519\n\n// The assumed core.\nmodule C = "
},
{
"path": "code/curve25519/Hacl.Curve25519_64_Local.fsti",
"chars": 218,
"preview": "module Hacl.Curve25519_64_Local\n\nopen Hacl.Impl.Curve25519.Generic\nopen Hacl.Impl.Curve25519.Fields\n\nval scalarmult: sca"
},
{
"path": "code/curve25519/Hacl.Curve25519_64_Slow.fst",
"chars": 1317,
"preview": "module Hacl.Curve25519_64_Slow\n\nfriend Hacl.Meta.Curve25519\nopen Hacl.Meta.Curve25519\n\n// The Vale core.\nmodule C = Hacl"
},
{
"path": "code/curve25519/Hacl.Curve25519_64_Slow.fsti",
"chars": 1239,
"preview": "module Hacl.Curve25519_64_Slow\n\nopen Hacl.Impl.Curve25519.Generic\nopen Hacl.Impl.Curve25519.Fields\n\n[@@ Comment \"Compute"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.AddAndDouble.fst",
"chars": 9221,
"preview": "module Hacl.Impl.Curve25519.AddAndDouble\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.IntTy"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Field51.fst",
"chars": 9668,
"preview": "module Hacl.Impl.Curve25519.Field51\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.Sequence\no"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Field64.Hacl.fst",
"chars": 4546,
"preview": "module Hacl.Impl.Curve25519.Field64.Hacl\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.Seque"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Field64.Hacl.fsti",
"chars": 330,
"preview": "module Hacl.Impl.Curve25519.Field64.Hacl\n\nopen Hacl.Impl.Curve25519.Fields.Core\n\nval add1_: add1_t True\nval fadd_: fadd_"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Field64.Local.fsti",
"chars": 527,
"preview": "module Hacl.Impl.Curve25519.Field64.Local\n\nopen Hacl.Impl.Curve25519.Fields.Core\n\n/// This version is only assumed. We c"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Field64.Vale.fst",
"chars": 8638,
"preview": "module Hacl.Impl.Curve25519.Field64.Vale\n\nmodule HS = FStar.HyperStack\nmodule ST = FStar.HyperStack.ST\nopen FStar.Calc\n\n"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Field64.Vale.fsti",
"chars": 369,
"preview": "module Hacl.Impl.Curve25519.Field64.Vale\n\nopen Hacl.Impl.Curve25519.Fields.Core\n\nlet p = Vale.X64.CPU_Features_s.(adx_en"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Field64.fst",
"chars": 4637,
"preview": "module Hacl.Impl.Curve25519.Field64\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.Sequence\no"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Fields.Core.fsti",
"chars": 11259,
"preview": "module Hacl.Impl.Curve25519.Fields.Core\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.Sequen"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Fields.fst",
"chars": 2680,
"preview": "module Hacl.Impl.Curve25519.Fields\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.IntTypes\nop"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Finv.fst",
"chars": 10070,
"preview": "module Hacl.Impl.Curve25519.Finv\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Generic.fst",
"chars": 20274,
"preview": "module Hacl.Impl.Curve25519.Generic\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\nopen FStar.Mul\n\nopen Lib.IntTypes\no"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Generic.fsti",
"chars": 1428,
"preview": "module Hacl.Impl.Curve25519.Generic\n\nopen FStar.HyperStack\nopen FStar.HyperStack.All\n\nopen Lib.IntTypes\nopen Lib.Buffer\n"
},
{
"path": "code/curve25519/Hacl.Impl.Curve25519.Lemmas.fst",
"chars": 1173,
"preview": "module Hacl.Impl.Curve25519.Lemmas\n\nopen FStar.Mul\nopen Lib.IntTypes\nopen Lib.Sequence\nopen Lib.ByteSequence\n\n#set-optio"
},
{
"path": "code/curve25519/Hacl.Meta.Curve25519.fst",
"chars": 2465,
"preview": "module Hacl.Meta.Curve25519\n\nopen Lib.Buffer\n\n#set-options \"--print_implicits --print_full_names --print_effect_args --z"
},
{
"path": "code/curve25519/Hacl.Meta.Curve25519.fsti",
"chars": 28,
"preview": "module Hacl.Meta.Curve25519\n"
},
{
"path": "code/curve25519/Hacl.Spec.Curve25519.AddAndDouble.fst",
"chars": 2063,
"preview": "module Hacl.Spec.Curve25519.AddAndDouble\n\nopen FStar.Mul\nopen Lib.IntTypes\nopen Spec.Curve25519\n\nlet add_and_double1_0 a"
},
{
"path": "code/curve25519/Hacl.Spec.Curve25519.Field51.Definition.fst",
"chars": 3760,
"preview": "module Hacl.Spec.Curve25519.Field51.Definition\n\nopen Lib.Sequence\nopen Lib.IntTypes\nopen Spec.Curve25519\n\n#reset-options"
},
{
"path": "code/curve25519/Hacl.Spec.Curve25519.Field51.Lemmas.fst",
"chars": 45962,
"preview": "module Hacl.Spec.Curve25519.Field51.Lemmas\n\nopen FStar.Mul\nopen Lib.Sequence\nopen Lib.IntTypes\n\nopen FStar.Tactics\nopen "
},
{
"path": "code/curve25519/Hacl.Spec.Curve25519.Field51.fst",
"chars": 19632,
"preview": "module Hacl.Spec.Curve25519.Field51\n\nopen Lib.Sequence\nopen Lib.IntTypes\nopen FStar.Mul\nopen Spec.Curve25519\n\nopen Hacl."
},
{
"path": "code/curve25519/Hacl.Spec.Curve25519.Field64.Core.fst",
"chars": 9093,
"preview": "module Hacl.Spec.Curve25519.Field64.Core\n\nopen FStar.Mul\n\nopen Lib.IntTypes\nopen Lib.Sequence\n\nopen Hacl.Spec.Curve25519"
},
{
"path": "code/curve25519/Hacl.Spec.Curve25519.Field64.Definition.fst",
"chars": 939,
"preview": "module Hacl.Spec.Curve25519.Field64.Definition\n\nopen Lib.Sequence\nopen Lib.IntTypes\n\nmodule P = Spec.Curve25519\n\n#reset-"
},
{
"path": "code/curve25519/Hacl.Spec.Curve25519.Field64.Lemmas.fst",
"chars": 10607,
"preview": "module Hacl.Spec.Curve25519.Field64.Lemmas\n\nopen FStar.Mul\n\nopen Lib.Sequence\nopen Lib.IntTypes\n\nopen Spec.Curve25519\nop"
},
{
"path": "code/curve25519/Hacl.Spec.Curve25519.Field64.fst",
"chars": 4769,
"preview": "module Hacl.Spec.Curve25519.Field64\n\nopen FStar.Mul\n\nopen Lib.Sequence\nopen Lib.IntTypes\n\nopen Spec.Curve25519\nopen Hacl"
},
{
"path": "code/curve25519/Hacl.Spec.Curve25519.Finv.fst",
"chars": 6070,
"preview": "module Hacl.Spec.Curve25519.Finv\n\nopen FStar.Mul\nopen Spec.Curve25519\nmodule M = Lib.NatMod\nmodule LE = Lib.Exponentiati"
},
{
"path": "code/curve25519/Makefile",
"chars": 1743,
"preview": "HACL_HOME=$(realpath ../..)\n\n# CUSTOMIZE HERE: determine what is the main target of this Makefile, e.g. a C\n# test, a Lo"
},
{
"path": "code/drbg/AUTHORS.md",
"chars": 67,
"preview": "This code was primarily written by Santiago Zanella-Beguelin (MSR)."
},
{
"path": "code/drbg/Hacl.HMAC_DRBG.fst",
"chars": 10671,
"preview": "module Hacl.HMAC_DRBG\n\nopen FStar.HyperStack.ST\nmodule ST = FStar.HyperStack.ST\n\nopen Spec.Hash.Definitions\n\nopen Lib.In"
},
{
"path": "code/drbg/Hacl.HMAC_DRBG.fsti",
"chars": 9413,
"preview": "module Hacl.HMAC_DRBG\n\nopen FStar.HyperStack.ST\n\nopen Spec.Hash.Definitions\n\nopen Lib.IntTypes\nopen Lib.Buffer\n\nmodule H"
},
{
"path": "code/drbg/Makefile",
"chars": 65,
"preview": "HACL_HOME=$(realpath ../..)\ninclude $(HACL_HOME)/Makefile.common\n"
},
{
"path": "code/ecdsap256/Hacl.Impl.P256.Bignum.fst",
"chars": 4908,
"preview": "module Hacl.Impl.P256.Bignum\n\nopen FStar.Mul\nopen FStar.HyperStack.All\nopen FStar.HyperStack\nmodule ST = FStar.HyperStac"
},
{
"path": "code/ecdsap256/Hacl.Impl.P256.Bignum.fsti",
"chars": 6102,
"preview": "module Hacl.Impl.P256.Bignum\n\nopen FStar.Mul\nopen FStar.HyperStack.All\nopen FStar.HyperStack\n\nopen Lib.IntTypes\nopen Lib"
},
{
"path": "code/ecdsap256/Hacl.Impl.P256.Compression.fst",
"chars": 2185,
"preview": "module Hacl.Impl.P256.Compression\n\nopen FStar.Mul\nopen FStar.HyperStack.All\nopen FStar.HyperStack\nmodule ST = FStar.Hype"
}
]
// ... and 3435 more files (download for full content)
About this extraction
This page contains the full source code of the mitls/hacl-star GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 3635 files (89.6 MB), approximately 23.7M tokens, and a symbol index with 5337 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.