authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:13:27 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 01:13:27 +0000
commit40a355a42d4a9444dc753c04c6608dade2f06a23 (patch)
tree871fc667d2de662f171103ce5ec067014ef85e61 /security/nss
parentAdding upstream version 124.0.1. (diff)
Adding upstream version 125.0.1.upstream/125.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss')
-rw-r--r--security/nss/TAG-INFO2
-rw-r--r--security/nss/automation/abi-check/expected-report-libnss3.so.txt15
-rw-r--r--security/nss/automation/abi-check/expected-report-libnssutil3.so.txt15
-rw-r--r--security/nss/automation/abi-check/expected-report-libsmime3.so.txt49
-rw-r--r--security/nss/automation/abi-check/previous-nss-release2
-rw-r--r--security/nss/automation/taskcluster/docker-acvp/Dockerfile3
-rw-r--r--security/nss/automation/taskcluster/graph/src/extend.js1
-rw-r--r--security/nss/automation/taskcluster/graph/src/try_syntax.js2
-rw-r--r--security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch50
-rw-r--r--security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch2
-rw-r--r--security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch2
-rwxr-xr-xsecurity/nss/automation/taskcluster/scripts/run_hacl.sh62
-rw-r--r--security/nss/cmd/lib/basicutil.c90
-rw-r--r--security/nss/cmd/lib/pk11table.c3
-rw-r--r--security/nss/doc/rst/releases/index.rst39
-rw-r--r--security/nss/doc/rst/releases/nss_3_99.rst62
-rw-r--r--security/nss/gtests/common/testvectors_base/test-structs.h8
-rw-r--r--security/nss/gtests/common/wycheproof/source_vectors/eddsa_test.json2262
-rw-r--r--security/nss/gtests/freebl_gtest/ed25519_unittest.cc148
-rw-r--r--security/nss/gtests/freebl_gtest/freebl_gtest.gyp1
-rw-r--r--security/nss/gtests/pk11_gtest/manifest.mn2
-rw-r--r--security/nss/gtests/pk11_gtest/pk11_eddsa_unittest.cc177
-rw-r--r--security/nss/gtests/pk11_gtest/pk11_eddsa_vectors.h164
-rw-r--r--security/nss/gtests/pk11_gtest/pk11_gtest.gyp2
-rw-r--r--security/nss/gtests/pk11_gtest/pk11_import_unittest.cc1
-rw-r--r--security/nss/gtests/pk11_gtest/pk11_keygen.cc7
-rw-r--r--security/nss/gtests/pk11_gtest/pk11_pbe_unittest.cc69
-rw-r--r--security/nss/gtests/pk11_gtest/pk11_signature_test.cc25
-rw-r--r--security/nss/gtests/pk11_gtest/pk11_signature_test.h24
-rw-r--r--security/nss/lib/cryptohi/keythi.h1
-rw-r--r--security/nss/lib/cryptohi/seckey.c129
-rw-r--r--security/nss/lib/cryptohi/secvfy.c2
-rw-r--r--security/nss/lib/freebl/Hacl_Hash_SHA2_shim.h38
-rw-r--r--security/nss/lib/freebl/Makefile3
-rw-r--r--security/nss/lib/freebl/blapi.h21
-rw-r--r--security/nss/lib/freebl/blapit.h5
-rw-r--r--security/nss/lib/freebl/ec.c142
-rw-r--r--security/nss/lib/freebl/ec.h4
-rw-r--r--security/nss/lib/freebl/ecdecode.c15
-rw-r--r--security/nss/lib/freebl/ecl/ecl-curve.h10
-rw-r--r--security/nss/lib/freebl/ecl/ecl-exp.h1
-rw-r--r--security/nss/lib/freebl/freebl_base.gypi2
-rw-r--r--security/nss/lib/freebl/ldvector.c5
-rw-r--r--security/nss/lib/freebl/loader.c28
-rw-r--r--security/nss/lib/freebl/loader.h7
-rw-r--r--security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c6
-rw-r--r--security/nss/lib/freebl/verified/Hacl_Chacha20_Vec256.c6
-rw-r--r--security/nss/lib/freebl/verified/Hacl_Curve25519_64.c18
-rw-r--r--security/nss/lib/freebl/verified/Hacl_Ed25519.c1853
-rw-r--r--security/nss/lib/freebl/verified/Hacl_Ed25519.h114
-rw-r--r--security/nss/lib/freebl/verified/Hacl_Hash_SHA3.c7
-rw-r--r--security/nss/lib/freebl/verified/internal/Hacl_Bignum25519_51.h4
-rw-r--r--security/nss/lib/freebl/verified/internal/Hacl_Ed25519.h73
-rw-r--r--security/nss/lib/freebl/verified/internal/Hacl_Ed25519_PrecompTable.h687
-rw-r--r--security/nss/lib/freebl/verified/karamel/include/krml/internal/target.h8
-rw-r--r--security/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h4
-rw-r--r--security/nss/lib/nss/nss.h4
-rw-r--r--security/nss/lib/pk11wrap/pk11akey.c61
-rw-r--r--security/nss/lib/pk11wrap/pk11cert.c4
-rw-r--r--security/nss/lib/pk11wrap/pk11mech.c9
-rw-r--r--security/nss/lib/pk11wrap/pk11obj.c2
-rw-r--r--security/nss/lib/pk11wrap/pk11pars.c2
-rw-r--r--security/nss/lib/pk11wrap/pk11pk12.c80
-rw-r--r--security/nss/lib/pk11wrap/pk11skey.c5
-rw-r--r--security/nss/lib/pk11wrap/pk11slot.c3
-rw-r--r--security/nss/lib/smime/cms.h3
-rw-r--r--security/nss/lib/smime/cmsrecinfo.c24
-rw-r--r--security/nss/lib/smime/smime.def6
-rw-r--r--security/nss/lib/softoken/lowkey.c19
-rw-r--r--security/nss/lib/softoken/lowpbe.c17
-rw-r--r--security/nss/lib/softoken/pkcs11.c21
-rw-r--r--security/nss/lib/softoken/pkcs11c.c167
-rw-r--r--security/nss/lib/softoken/softkver.h4
-rw-r--r--security/nss/lib/ssl/ssl3ext.h10
-rw-r--r--security/nss/lib/ssl/sslexp.h8
-rw-r--r--security/nss/lib/ssl/sslimpl.h15
-rw-r--r--security/nss/lib/ssl/sslsock.c1
-rw-r--r--security/nss/lib/ssl/sslt.h17
-rw-r--r--security/nss/lib/util/nssutil.h4
-rw-r--r--security/nss/lib/util/secoid.c30
-rw-r--r--security/nss/lib/util/secoidt.h3
81 files changed, 6765 insertions, 236 deletions
diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
index c663d860ac..13e8ce1547 100644
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1 +1 @@
-NSS_3_98_RTM \ No newline at end of file
+NSS_3_99_RTM \ No newline at end of file
diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
index e69de29bb2..582afe387f 100644
--- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
@@ -0,0 +1,15 @@
+
+1 function with some indirect sub-type change:
+
+ [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2202:1 has some indirect sub-type changes:
+ parameter 2 of type 'typedef SECOidTag' has sub-type changes:
+ underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+ type size hasn't changed
+ 2 enumerator insertions:
+ '__anonymous_enum__::SEC_OID_ED25519_SIGNATURE' value '373'
+ '__anonymous_enum__::SEC_OID_ED25519_PUBLIC_KEY' value '374'
+
+ 1 enumerator change:
+ '__anonymous_enum__::SEC_OID_TOTAL' from value '373' to '375' at secoidt.h:34:1
+
+
diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
index e69de29bb2..ed076df300 100644
--- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
@@ -0,0 +1,15 @@
+
+1 function with some indirect sub-type change:
+
+ [C]'function SECStatus NSS_GetAlgorithmPolicy(SECOidTag, PRUint32*)' at secoid.c:2291:1 has some indirect sub-type changes:
+ parameter 1 of type 'typedef SECOidTag' has sub-type changes:
+ underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+ type size hasn't changed
+ 2 enumerator insertions:
+ '__anonymous_enum__::SEC_OID_ED25519_SIGNATURE' value '373'
+ '__anonymous_enum__::SEC_OID_ED25519_PUBLIC_KEY' value '374'
+
+ 1 enumerator change:
+ '__anonymous_enum__::SEC_OID_TOTAL' from value '373' to '375' at secoidt.h:34:1
+
+
diff --git a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
index e69de29bb2..69cd2ae3a9 100644
--- a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
@@ -0,0 +1,49 @@
+
+1 Added function:
+
+ 'function PRBool NSS_CMSRecipient_IsSupported(CERTCertificate*)' {NSS_CMSRecipient_IsSupported@@NSS_3.99}
+
+1 function with some indirect sub-type change:
+
+ [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:426:1 has some indirect sub-type changes:
+ parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes:
+ in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1:
+ underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed:
+ type size hasn't changed
+ 1 data member changes (2 filtered):
+ type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed:
+ underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed:
+ type size hasn't changed
+ 1 data member changes (3 filtered):
+ type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed:
+ in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1:
+ underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:463:1 changed:
+ type size hasn't changed
+ 1 data member changes (1 filtered):
+ type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed:
+ in pointed to type 'NSSCMSAttribute*':
+ in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1:
+ underlying type 'struct NSSCMSAttributeStr' at cmst.h:482:1 changed:
+ type size hasn't changed
+ 1 data member change:
+ type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed:
+ in pointed to type 'typedef SECOidData' at secoidt.h:16:1:
+ underlying type 'struct SECOidDataStr' at secoidt.h:536:1 changed:
+ type size hasn't changed
+ 1 data member change:
+ type of 'SECOidTag SECOidDataStr::offset' changed:
+ underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+ type size hasn't changed
+ 2 enumerator insertions:
+ '__anonymous_enum__::SEC_OID_ED25519_SIGNATURE' value '373'
+ '__anonymous_enum__::SEC_OID_ED25519_PUBLIC_KEY' value '374'
+
+ 1 enumerator change:
+ '__anonymous_enum__::SEC_OID_TOTAL' from value '373' to '375' at secoidt.h:34:1
+
+
+
+
+
+
+
diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release
index b99c3e7670..0dea1b7b74 100644
--- a/security/nss/automation/abi-check/previous-nss-release
+++ b/security/nss/automation/abi-check/previous-nss-release
@@ -1 +1 @@
-NSS_3_97_BRANCH
+NSS_3_98_BRANCH
diff --git a/security/nss/automation/taskcluster/docker-acvp/Dockerfile b/security/nss/automation/taskcluster/docker-acvp/Dockerfile
index 5012bc4209..af2a0e25fa 100644
--- a/security/nss/automation/taskcluster/docker-acvp/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-acvp/Dockerfile
@@ -1,5 +1,5 @@
# Minimal image with clang-format 3.9.
-FROM rust:1.70
+FROM rust:1.74
LABEL maintainer="iaroslav.gridin@tuni.fi"
# for new clang/llvm
@@ -11,7 +11,6 @@ RUN echo "deb http://ftp.debian.org/debian/ sid main" > /etc/apt/sources.list.d/
python-dev-is-python3 \
mercurial \
python3-pip \
- python-setuptools \
build-essential \
cargo \
rustc \
diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js
index 599bed5a4b..318d935b16 100644
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -1146,7 +1146,6 @@ async function scheduleTools() {
]
}));
-
queue.scheduleTask(merge(base, {
symbol: "scan-build",
name: "scan-build",
diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js
index b93dbabd15..591cea6c18 100644
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@@ -57,7 +57,7 @@ function parseOptions(opts) {
}
// Parse tools.
- let allTools = ["clang-format", "scan-build", "hacl", "ecckiila", "saw", "abi", "coverage"];
+ let allTools = ["clang-format", "scan-build", "hacl", "acvp", "ecckiila", "saw", "abi", "coverage"];
let tools = intersect(opts.tools.split(/\s*,\s*/), allTools);
// If the given value is "all" run all tools.
diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch
new file mode 100644
index 0000000000..dc2ffc04a7
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch
@@ -0,0 +1,50 @@
+28d27
+< #include "internal/Hacl_Hash_SHA2.h"
+33a33,34
+> #include "../Hacl_Hash_SHA2_shim.h"
+>
+1670,1713d1670
+< }
+<
+< static inline void
+< sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input)
+< {
+< uint8_t buf[128U] = { 0U };
+< uint64_t block_state[8U] = { 0U };
+< Hacl_Streaming_MD_state_64
+< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U };
+< Hacl_Streaming_MD_state_64 p = s;
+< Hacl_SHA2_Scalar32_sha512_init(block_state);
+< Hacl_Streaming_MD_state_64 *st = &p;
+< Hacl_Streaming_Types_error_code
+< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U);
+< Hacl_Streaming_Types_error_code err1 = Hacl_Streaming_SHA2_update_512(st, input, len);
+< KRML_HOST_IGNORE(err0);
+< KRML_HOST_IGNORE(err1);
+< Hacl_Streaming_SHA2_finish_512(st, hash);
+< }
+<
+< static inline void
+< sha512_pre_pre2_msg(
+< uint8_t *hash,
+< uint8_t *prefix,
+< uint8_t *prefix2,
+< uint32_t len,
+< uint8_t *input)
+< {
+< uint8_t buf[128U] = { 0U };
+< uint64_t block_state[8U] = { 0U };
+< Hacl_Streaming_MD_state_64
+< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U };
+< Hacl_Streaming_MD_state_64 p = s;
+< Hacl_SHA2_Scalar32_sha512_init(block_state);
+< Hacl_Streaming_MD_state_64 *st = &p;
+< Hacl_Streaming_Types_error_code
+< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U);
+< Hacl_Streaming_Types_error_code
+< err1 = Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U);
+< Hacl_Streaming_Types_error_code err2 = Hacl_Streaming_SHA2_update_512(st, input, len);
+< KRML_HOST_IGNORE(err0);
+< KRML_HOST_IGNORE(err1);
+< KRML_HOST_IGNORE(err2);
+< Hacl_Streaming_SHA2_finish_512(st, hash);
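Review bot: The `1670,1713d1670` range starts at the closing brace of the function that precedes sha512_pre_msg and stops one line short of sha512_pre_pre2_msg's own closing brace, so the brace that survives is the one that closes the earlier function; this is correct only while both helpers sit exactly there and is invisible to anyone reading the patch. Because the file is in normal (non-unified) diff format with absolute line numbers, it is also pinned to the single HACL* revision checked out by run_hacl.sh and has to be regenerated on every bump of that pin. Regenerating it with `diff -u` would let `patch` locate the hunks by content and would make the brace shift evident in the context lines. A short header comment in the patch file cannot be added in this format, which is one more reason to prefer the unified form.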
diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch
new file mode 100644
index 0000000000..f79016fcf9
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch
@@ -0,0 +1,2 @@
+38d37
+< #include "internal/Hacl_Hash_SHA2.h"
diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch
new file mode 100644
index 0000000000..781bde532e
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch
@@ -0,0 +1,2 @@
+39d38
+< #include "Hacl_Hash_SHA2.h"
diff --git a/security/nss/automation/taskcluster/scripts/run_hacl.sh b/security/nss/automation/taskcluster/scripts/run_hacl.sh
index f9831d24fd..f2c20a0ae3 100755
--- a/security/nss/automation/taskcluster/scripts/run_hacl.sh
+++ b/security/nss/automation/taskcluster/scripts/run_hacl.sh
@@ -12,7 +12,7 @@ set -e -x -v
# Get the HACL* source, containing a snapshot of the C code, extracted on the
# HACL CI.
git clone -q "https://github.com/hacl-star/hacl-star" ~/hacl-star
-git -C ~/hacl-star checkout -q 72f9d0c783cb716add714344604d591106dfbf7f
+git -C ~/hacl-star checkout -q 0f136f28935822579c244f287e1d2a1908a7e552
# Format the C snapshot.
cd ~/hacl-star/dist/mozilla
@@ -33,6 +33,11 @@ files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]'))
for f in "${files[@]}"; do
file_name=$(basename "$f")
hacl_file=($(find ~/hacl-star/dist/mozilla/internal/ -type f -name $file_name))
+ if [ $file_name == "Hacl_Ed25519.h" \
+ -o $file_name == "Hacl_Ed25519_PrecompTable.h" ]
+ then
+ continue;
+ fi
diff $hacl_file $f
done
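Review bot: The new skip test `[ $file_name == "Hacl_Ed25519.h" -o $file_name == "Hacl_Ed25519_PrecompTable.h" ]` leaves `$file_name` unquoted and relies on the obsolescent `-o` operator; the same pattern recurs in the next hunk in its `-o` test and in the two `-a` tests of the final loops. Since the script is already bash (`${files[@]}`), `if [[ "$file_name" == "Hacl_Ed25519.h" || "$file_name" == "Hacl_Ed25519_PrecompTable.h" ]]; then` avoids word splitting on an empty or space-containing name and the `-o`/`-a` ambiguity that shellcheck flags. The enclosing for loop begins before this hunk.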
@@ -49,5 +54,60 @@ for f in "${files[@]}"; do
then
continue;
fi
+
+ if [ $file_name == "Hacl_Ed25519.h" \
+ -o $file_name == "Hacl_Ed25519.c" ]
+ then
+ continue;
+ fi
diff $hacl_file $f
done
+
+# Here we process the code that's not located in /hacl-star/dist/mozilla/ but
+# /hacl-star/dist/gcc-compatible.
+
+cd ~/hacl-star/dist/gcc-compatible
+cp ~/nss/.clang-format .
+find . -type f -name '*.[ch]' -exec clang-format -i {} \+
+
+patches=($(find ~/nss/automation/taskcluster/scripts/patches/ -type f -name '*.patch'))
+for f in "${patches[@]}"; do
+ file_name=$(basename "$f")
+ file_name="${file_name%.*}"
+ if_internal="${file_name##*.}"
+ if [ $if_internal == "internal" ]
+ then
+ file_name="${file_name%.*}"
+ patch_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name))
+ else
+ patch_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*"))
+ fi
+ if [ ! -z "$patch_file" ]
+ then
+ patch $patch_file $f
+ fi
+done
+
+files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]'))
+for f in "${files[@]}"; do
+ file_name=$(basename "$f")
+ hacl_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name))
+ if [ $file_name != "Hacl_Ed25519.h" \
+ -a $file_name != "Hacl_Ed25519_PrecompTable.h" ]
+ then
+ continue;
+ fi
+ diff $hacl_file $f
+done
+
+files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*"))
+for f in "${files[@]}"; do
+ file_name=$(basename "$f")
+ hacl_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*"))
+ if [ $file_name != "Hacl_Ed25519.h" \
+ -a $file_name != "Hacl_Ed25519.c" ]
+ then
+ continue;
+ fi
+ diff $hacl_file $f
+done \ No newline at end of file
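Review bot: In the patch loop, when `find` returns nothing the `if [ ! -z "$patch_file" ]` guard silently skips applying the patch, so an upstream rename of the Ed25519 sources would go unnoticed until one of the later `diff` calls fails for a reason that looks unrelated. Failing at the point of detection is clearer under `set -e`: `else echo "no target for $f" >&2; exit 1; fi`. The `patch $patch_file $f` call also leaves both paths unquoted; `patch "$patch_file" "$f"` is the safe form. A one-line comment above the loop stating that `*.internal.patch` files target `dist/gcc-compatible/internal/` and all others target `dist/gcc-compatible/` would make the extension-stripping logic easier to follow.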
diff --git a/security/nss/cmd/lib/basicutil.c b/security/nss/cmd/lib/basicutil.c
index 3ccacd7356..bc1bb0584d 100644
--- a/security/nss/cmd/lib/basicutil.c
+++ b/security/nss/cmd/lib/basicutil.c
@@ -777,77 +777,35 @@ SECU_HexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
return item;
}
-/* mapping between ECCurveName enum and SECOidTags */
-static SECOidTag ecCurve_oid_map[] = {
- SEC_OID_UNKNOWN, /* ECCurve_noName */
- SEC_OID_ANSIX962_EC_PRIME192V1, /* ECCurve_NIST_P192 */
- SEC_OID_SECG_EC_SECP224R1, /* ECCurve_NIST_P224 */
- SEC_OID_ANSIX962_EC_PRIME256V1, /* ECCurve_NIST_P256 */
- SEC_OID_SECG_EC_SECP384R1, /* ECCurve_NIST_P384 */
- SEC_OID_SECG_EC_SECP521R1, /* ECCurve_NIST_P521 */
- SEC_OID_SECG_EC_SECT163K1, /* ECCurve_NIST_K163 */
- SEC_OID_SECG_EC_SECT163R1, /* ECCurve_NIST_B163 */
- SEC_OID_SECG_EC_SECT233K1, /* ECCurve_NIST_K233 */
- SEC_OID_SECG_EC_SECT233R1, /* ECCurve_NIST_B233 */
- SEC_OID_SECG_EC_SECT283K1, /* ECCurve_NIST_K283 */
- SEC_OID_SECG_EC_SECT283R1, /* ECCurve_NIST_B283 */
- SEC_OID_SECG_EC_SECT409K1, /* ECCurve_NIST_K409 */
- SEC_OID_SECG_EC_SECT409R1, /* ECCurve_NIST_B409 */
- SEC_OID_SECG_EC_SECT571K1, /* ECCurve_NIST_K571 */
- SEC_OID_SECG_EC_SECT571R1, /* ECCurve_NIST_B571 */
- SEC_OID_ANSIX962_EC_PRIME192V2,
- SEC_OID_ANSIX962_EC_PRIME192V3,
- SEC_OID_ANSIX962_EC_PRIME239V1,
- SEC_OID_ANSIX962_EC_PRIME239V2,
- SEC_OID_ANSIX962_EC_PRIME239V3,
- SEC_OID_ANSIX962_EC_C2PNB163V1,
- SEC_OID_ANSIX962_EC_C2PNB163V2,
- SEC_OID_ANSIX962_EC_C2PNB163V3,
- SEC_OID_ANSIX962_EC_C2PNB176V1,
- SEC_OID_ANSIX962_EC_C2TNB191V1,
- SEC_OID_ANSIX962_EC_C2TNB191V2,
- SEC_OID_ANSIX962_EC_C2TNB191V3,
- SEC_OID_ANSIX962_EC_C2PNB208W1,
- SEC_OID_ANSIX962_EC_C2TNB239V1,
- SEC_OID_ANSIX962_EC_C2TNB239V2,
- SEC_OID_ANSIX962_EC_C2TNB239V3,
- SEC_OID_ANSIX962_EC_C2PNB272W1,
- SEC_OID_ANSIX962_EC_C2PNB304W1,
- SEC_OID_ANSIX962_EC_C2TNB359V1,
- SEC_OID_ANSIX962_EC_C2PNB368W1,
- SEC_OID_ANSIX962_EC_C2TNB431R1,
- SEC_OID_SECG_EC_SECP112R1,
- SEC_OID_SECG_EC_SECP112R2,
- SEC_OID_SECG_EC_SECP128R1,
- SEC_OID_SECG_EC_SECP128R2,
- SEC_OID_SECG_EC_SECP160K1,
- SEC_OID_SECG_EC_SECP160R1,
- SEC_OID_SECG_EC_SECP160R2,
- SEC_OID_SECG_EC_SECP192K1,
- SEC_OID_SECG_EC_SECP224K1,
- SEC_OID_SECG_EC_SECP256K1,
- SEC_OID_SECG_EC_SECT113R1,
- SEC_OID_SECG_EC_SECT113R2,
- SEC_OID_SECG_EC_SECT131R1,
- SEC_OID_SECG_EC_SECT131R2,
- SEC_OID_SECG_EC_SECT163R1,
- SEC_OID_SECG_EC_SECT193R1,
- SEC_OID_SECG_EC_SECT193R2,
- SEC_OID_SECG_EC_SECT239K1,
- SEC_OID_UNKNOWN, /* ECCurve_WTLS_1 */
- SEC_OID_UNKNOWN, /* ECCurve_WTLS_8 */
- SEC_OID_UNKNOWN, /* ECCurve_WTLS_9 */
- SEC_OID_CURVE25519,
- SEC_OID_UNKNOWN /* ECCurve_pastLastCurve */
-};
-
SECStatus
SECU_ecName2params(ECCurveName curve, SECItem *params)
{
+ SECOidTag oidTag;
SECOidData *oidData = NULL;
- if ((curve < ECCurve_noName) || (curve > ECCurve_pastLastCurve) ||
- ((oidData = SECOID_FindOIDByTag(ecCurve_oid_map[curve])) == NULL)) {
+ switch (curve) {
+ case ECCurve_NIST_P256:
+ oidTag = SEC_OID_ANSIX962_EC_PRIME256V1;
+ break;
+ case ECCurve_NIST_P384:
+ oidTag = SEC_OID_SECG_EC_SECP384R1;
+ break;
+ case ECCurve_NIST_P521:
+ oidTag = SEC_OID_SECG_EC_SECP521R1;
+ break;
+ case ECCurve25519:
+ oidTag = SEC_OID_CURVE25519;
+ break;
+ case ECCurve_Ed25519:
+ oidTag = SEC_OID_ED25519_PUBLIC_KEY;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ return SECFailure;
+ }
+
+ oidData = SECOID_FindOIDByTag(oidTag);
+ if (oidData == NULL) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
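Review bot: The switch accepts only P-256, P-384, P-521, Curve25519 and Ed25519, whereas the table it replaces also mapped P-192, P-224, the binary curves and the remaining ANSI/SECG entries, so a caller passing any of those now gets SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE where it previously received an OID. If that narrowing is intended, a comment above the switch should say so, e.g. `/* Deliberately limited to the curves this utility supports; any other ECCurveName is reported as SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE. */`. Both failure paths set the same error, so the `SECOID_FindOIDByTag` check could fall through to a shared error exit rather than repeating the two lines. SECU_ecName2params continues past the end of this hunk.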
diff --git a/security/nss/cmd/lib/pk11table.c b/security/nss/cmd/lib/pk11table.c
index 06f7591394..887ed79b93 100644
--- a/security/nss/cmd/lib/pk11table.c
+++ b/security/nss/cmd/lib/pk11table.c
@@ -141,6 +141,7 @@ const Constant _consts[] = {
mkEntry(CKK_DH, KeyType),
mkEntry(CKK_ECDSA, KeyType),
mkEntry(CKK_EC, KeyType),
+ mkEntry(CKK_EC_EDWARDS, KeyType),
mkEntry(CKK_X9_42_DH, KeyType),
mkEntry(CKK_KEA, KeyType),
mkEntry(CKK_GENERIC_SECRET, KeyType),
@@ -440,6 +441,8 @@ const Constant _consts[] = {
mkEntry(CKM_ECDSA_SHA1, Mechanism),
mkEntry(CKM_ECDH1_DERIVE, Mechanism),
mkEntry(CKM_ECDH1_COFACTOR_DERIVE, Mechanism),
+ mkEntry(CKM_EC_EDWARDS_KEY_PAIR_GEN, Mechanism),
+ mkEntry(CKM_EDDSA, Mechanism),
mkEntry(CKM_ECMQV_DERIVE, Mechanism),
mkEntry(CKM_JUNIPER_KEY_GEN, Mechanism),
mkEntry(CKM_JUNIPER_ECB128, Mechanism),
diff --git a/security/nss/doc/rst/releases/index.rst b/security/nss/doc/rst/releases/index.rst
index 5ac6cb4bb0..865aad277a 100644
--- a/security/nss/doc/rst/releases/index.rst
+++ b/security/nss/doc/rst/releases/index.rst
@@ -8,6 +8,7 @@ Releases
:glob:
:hidden:
+ nss_3_99.rst
nss_3_98.rst
nss_3_97.rst
nss_3_96_1.rst
@@ -63,37 +64,23 @@ Releases
.. note::
- **NSS 3.98** is the latest version of NSS.
- Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_98_release_notes`
+ **NSS 3.99** is the latest version of NSS.
+ Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_99_release_notes`
**NSS 3.90.2 (ESR)** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_90_2_release_notes`
.. container::
- Changes in 3.98 included in this release:
+ Changes in 3.99 included in this release:
- - Bug 1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS.
- - Bug 1879513 - Certificate Compression: enabling the check that the compression was advertised.
- - Bug 1831552 - Move Windows workers to nss-1/b-win2022-alpha.
- - Bug 1879945 - Remove Email trust bit from OISTE WISeKey Global Root GC CA.
- - Bug 1877344 - Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`.
- - Bug 1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression.
- - Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation.
- - Bug 1875356 - Add valgrind annotations to freebl kyber operations for constant-time execution tests.
- - Bug 1870673 - Set nssckbi version number to 2.66.
- - Bug 1874017 - Add Telekom Security roots.
- - Bug 1873095 - Add D-Trust 2022 S/MIME roots.
- - Bug 1865450 - Remove expired Security Communication RootCA1 root.
- - Bug 1876179 - move keys to a slot that supports concatenation in PK11_ConcatSymKeys.
- - Bug 1876800 - remove unmaintained tls-interop tests.
- - Bug 1874937 - bogo: add support for the -ipv6 and -shim-id shim flags.
- - Bug 1874937 - bogo: add support for the -curves shim flag and update Kyber expectations.
- - Bug 1874937 - bogo: adjust expectation for a key usage bit test.
- - Bug 1757758 - mozpkix: add option to ignore invalid subject alternative names.
- - Bug 1841029 - Fix selfserv not stripping `publicname:` from -X value.
- - Bug 1876390 - take ownership of ecckilla shims.
- - Bug 1874458 - add valgrind annotations to freebl/ec.c.
- - Bug 864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip.
- - Bug 1875965 - Update zlib to 1.3.1.
+ - Bug 1325335 - Removing check for message len in ed25519
+ - Bug 1884276 - add ed25519 to SECU_ecName2params.
+ - Bug 1325335 - add EdDSA wycheproof tests.
+ - Bug 1325335 - nss/lib layer code for EDDSA.
+ - Bug 1325335 - Adding EdDSA implementation.
+ - Bug 1881027 - Exporting Certificate Compression types
+ - Bug 1880857 - Updating ACVP docker to rust 1.74
+ - Bug 1325335 - Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552
+ - Bug 1877730 - Add NSS_CMSRecipient_IsSupported.
diff --git a/security/nss/doc/rst/releases/nss_3_99.rst b/security/nss/doc/rst/releases/nss_3_99.rst
new file mode 100644
index 0000000000..e4107700cf
--- /dev/null
+++ b/security/nss/doc/rst/releases/nss_3_99.rst
@@ -0,0 +1,62 @@
+.. _mozilla_projects_nss_nss_3_99_release_notes:
+
+NSS 3.99 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.99 was released on *15th March 2024**.
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_99_RTM. NSS 3.99 requires NSPR 4.35 or newer.
+
+ NSS 3.99 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_99_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.99:
+
+`Changes in NSS 3.99 <#changes_in_nss_3.99>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - Bug 1325335 - Removing check for message len in ed25519
+ - Bug 1884276 - add ed25519 to SECU_ecName2params.
+ - Bug 1325335 - add EdDSA wycheproof tests.
+ - Bug 1325335 - nss/lib layer code for EDDSA.
+ - Bug 1325335 - Adding EdDSA implementation.
+ - Bug 1881027 - Exporting Certificate Compression types
+ - Bug 1880857 - Updating ACVP docker to rust 1.74
+ - Bug 1325335 - Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552
+ - Bug 1877730 - Add NSS_CMSRecipient_IsSupported.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.99 shared libraries are backwards-compatible with all older NSS 3.x shared
+ libraries. A program linked with older NSS 3.x shared libraries will work with
+ this new version of the shared libraries without recompiling or
+ relinking. Furthermore, applications that restrict their use of NSS APIs to the
+ functions listed in NSS Public Functions will remain compatible with future
+ versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
diff --git a/security/nss/gtests/common/testvectors_base/test-structs.h b/security/nss/gtests/common/testvectors_base/test-structs.h
index 1ed227da50..ca8c39b7bd 100644
--- a/security/nss/gtests/common/testvectors_base/test-structs.h
+++ b/security/nss/gtests/common/testvectors_base/test-structs.h
@@ -69,6 +69,14 @@ typedef struct EcdsaTestVectorStr {
typedef EcdsaTestVector DsaTestVector;
+typedef struct EddsaTestVectorStr {
+ uint32_t id;
+ std::vector<uint8_t> sig;
+ std::vector<uint8_t> public_key;
+ std::vector<uint8_t> msg;
+ bool valid;
+} EddsaTestVector;
+
typedef struct EcdhTestVectorStr {
uint64_t id;
std::vector<uint8_t> private_key;
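Review bot: EddsaTestVectorStr declares `id` as `uint32_t` while the neighbouring EcdhTestVectorStr in the same hunk uses `uint64_t id`, so the two vector structs disagree on the identifier width for no visible reason; `uint64_t id;` would keep them consistent unless the EdDSA test loader depends on the narrower type. The struct also carries no comment on what `valid` expresses — presumably the expected verification outcome of `sig` over `msg` under `public_key` — and a one-line comment confirming that would help readers of the test code. The enclosing header continues outside the hunk.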
diff --git a/security/nss/gtests/common/wycheproof/source_vectors/eddsa_test.json b/security/nss/gtests/common/wycheproof/source_vectors/eddsa_test.json
new file mode 100644
index 0000000000..e2a1ae4f28
--- /dev/null
+++ b/security/nss/gtests/common/wycheproof/source_vectors/eddsa_test.json
@@ -0,0 +1,2262 @@
+{
+ "algorithm" : "EDDSA",
+ "generatorVersion" : "0.8rc16",
+ "numberOfTests" : 145,
+ "header" : [
+ "Test vectors of type EddsaVerify are intended for testing",
+ "the verification of Eddsa signatures."
+ ],
+ "notes" : {
+ "SignatureMalleability" : "EdDSA signatures are non-malleable, if implemented accordingly. Failing to check the range of S allows to modify signatures. See RFC 8032, Section 5.2.7 and Section 8.4."
+ },
+ "schema" : "eddsa_verify_schema.json",
+ "testGroups" : [
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "rdS7gQN4W6-axTQljoqvZfXxrbXvXz3xm7gKuYnE1ks",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "fU0Of2FTpptiQrUiq77mhf2kQg-INLEIw72uNp71Sfo"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "7d4d0e7f6153a69b6242b522abbee685fda4420f8834b108c3bdae369ef549fa",
+ "sk" : "add4bb8103785baf9ac534258e8aaf65f5f1adb5ef5f3df19bb80ab989c4d64b",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321007d4d0e7f6153a69b6242b522abbee685fda4420f8834b108c3bdae369ef549fa",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAfU0Of2FTpptiQrUiq77mhf2kQg+INLEIw72uNp71Sfo=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 1,
+ "comment" : "",
+ "msg" : "",
+ "sig" : "d4fbdb52bfa726b44d1786a8c0d171c3e62ca83c9e5bbe63de0bb2483f8fd6cc1429ab72cafc41ab56af02ff8fcc43b99bfe4c7ae940f60f38ebaa9d311c4007",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 2,
+ "comment" : "",
+ "msg" : "78",
+ "sig" : "d80737358ede548acb173ef7e0399f83392fe8125b2ce877de7975d8b726ef5b1e76632280ee38afad12125ea44b961bf92f1178c9fa819d020869975bcbe109",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 3,
+ "comment" : "",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 4,
+ "comment" : "",
+ "msg" : "48656c6c6f",
+ "sig" : "1c1ad976cbaae3b31dee07971cf92c928ce2091a85f5899f5e11ecec90fc9f8e93df18c5037ec9b29c07195ad284e63d548cd0a6fe358cc775bd6c1608d2c905",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 5,
+ "comment" : "",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bf0cf5b3a289976458a1be6277a5055545253b45b07dcc1abd96c8b989c00f301",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 6,
+ "comment" : "",
+ "msg" : "000000000000000000000000",
+ "sig" : "d46543bfb892f84ec124dcdfc847034c19363bf3fc2fa89b1267833a14856e52e60736918783f950b6f1dd8d40dc343247cd43ce054c2d68ef974f7ed0f3c60f",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 7,
+ "comment" : "",
+ "msg" : "6161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161",
+ "sig" : "879350045543bc14ed2c08939b68c30d22251d83e018cacbaf0c9d7a48db577e80bdf76ce99e5926762bc13b7b3483260a5ef63d07e34b58eb9c14621ac92f00",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 8,
+ "comment" : "",
+ "msg" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f60",
+ "sig" : "7bdc3f9919a05f1d5db4a3ada896094f6871c1f37afc75db82ec3147d84d6f237b7e5ecc26b59cfea0c7eaf1052dc427b0f724615be9c3d3e01356c65b9b5109",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 9,
+ "comment" : "",
+ "msg" : "ffffffffffffffffffffffffffffffff",
+ "sig" : "5dbd7360e55aa38e855d6ad48c34bd35b7871628508906861a7c4776765ed7d1e13d910faabd689ec8618b78295c8ab8f0e19c8b4b43eb8685778499e943ae04",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 10,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 11,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "00000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 12,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "0000000000000000000000000000000000000000000000000000000000000000ecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 13,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "0000000000000000000000000000000000000000000000000000000000000000edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 14,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "0000000000000000000000000000000000000000000000000000000000000000edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 15,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 16,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "01000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 17,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "0100000000000000000000000000000000000000000000000000000000000000ecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 18,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "0100000000000000000000000000000000000000000000000000000000000000edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 19,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "0100000000000000000000000000000000000000000000000000000000000000edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 20,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "edd3f55c1a631258d69cf7a2def9de14000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 21,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "edd3f55c1a631258d69cf7a2def9de14000000000000000000000000000000100100000000000000000000000000000000000000000000000000000000000000",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 22,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010ecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 23,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 24,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "edd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 25,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f0000000000000000000000000000000000000000000000000000000000000000",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 26,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f0100000000000000000000000000000000000000000000000000000000000000",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 27,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fecd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 28,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fedd3f55c1a631258d69cf7a2def9de1400000000000000000000000000000010",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 29,
+ "comment" : "special values for r and s",
+ "msg" : "3f",
+ "sig" : "edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7fedffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 30,
+ "comment" : "empty signature",
+ "msg" : "54657374",
+ "sig" : "",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 31,
+ "comment" : "s missing",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 32,
+ "comment" : "signature too short",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 33,
+ "comment" : "signature too long",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d2020",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 34,
+ "comment" : "include pk in signature",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d7d4d0e7f6153a69b6242b522abbee685fda4420f8834b108c3bdae369ef549fa",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 35,
+ "comment" : "prepending 0 byte to signature",
+ "msg" : "54657374",
+ "sig" : "007c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 36,
+ "comment" : "prepending 0 byte to s",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0007a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 37,
+ "comment" : "appending 0 byte to signature",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b30d00",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 38,
+ "comment" : "removing 0 byte from signature",
+ "msg" : "546573743137",
+ "sig" : "93de3ca252426c95f735cb9edd92e83321ac62372d5aa5b379786bae111ab6b17251330e8f9a7c30d6993137c596007d7b001409287535ac4804e662bc58a3",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 39,
+ "comment" : "removing 0 byte from signature",
+ "msg" : "54657374313236",
+ "sig" : "dffed33a7f420b62bb1731cfd03be805affd18a281ec02b1067ba6e9d20826569e742347df59c88ae96db1f1969fb189b0ec34381d85633e1889da48d95e0e",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 40,
+ "comment" : "removing leading 0 byte from signature",
+ "msg" : "546573743530",
+ "sig" : "6e170c719577c25e0e1e8b8aa7a6346f8b109f37385cc2e85dc3b4c0f46a9c6bcafd67f52324c5dbaf40a1b673fb29c4a56052d2d6999d0838a8337bccb502",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 41,
+ "comment" : "dropping byte from signature",
+ "msg" : "54657374333437",
+ "sig" : "b0928b46e99fbbad3f5cb502d2cd309d94a7e86cfd4d84b1fcf4cea18075a9c36993c0582dba1e9e519fae5a8654f454201ae0c3cb397c37b8f4f8eef18400",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 42,
+ "comment" : "modified bit 0 in R",
+ "msg" : "313233343030",
+ "sig" : "647c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b1d125e5538f38afbcc1c84e489521083041d24bc6240767029da063271a1ff0c",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 43,
+ "comment" : "modified bit 1 in R",
+ "msg" : "313233343030",
+ "sig" : "677c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bc108ca4b87a49c9ed2cf383aecad8f54a962b2899da891e12004d7993a627e01",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 44,
+ "comment" : "modified bit 2 in R",
+ "msg" : "313233343030",
+ "sig" : "617c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b9ce23fc6213ed5b87912e9bbf92f5e2c780eae26d15c50a112d1e97d2ea33c06",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 45,
+ "comment" : "modified bit 7 in R",
+ "msg" : "313233343030",
+ "sig" : "e57c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bbb3eb51cd98dddb235a5f46f2bded6af184a58d09cce928bda43f41d69118a03",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 46,
+ "comment" : "modified bit 8 in R",
+ "msg" : "313233343030",
+ "sig" : "657d1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bcd237dda9a116501f67a5705a854b9adc304f34720803a91b324f2c13e0f5a09",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 47,
+ "comment" : "modified bit 16 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1592402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b6b167bbdc0d881cc04d28905552c1876f3709851abc5007376940cc8a435c300",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 48,
+ "comment" : "modified bit 31 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1412402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b7fd2ac7da14afffcceeb13f2a0d6b887941cb1a5eb57a52f3cb131a16cce7b0e",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 49,
+ "comment" : "modified bit 32 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492412ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2b7373ba13ebbef99cd2a8ead55ce735c987d85a35320925a8e871702dc7c5c40d",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 50,
+ "comment" : "modified bit 63 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab54e03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bd35bd331c03f0855504ca1cab87b83c36a028425a3cf007ede4f4254c261cb00",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 51,
+ "comment" : "modified bit 64 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab5ce02e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2bcb35101f73cf467deac8c1a03b6c3dc35af544132734b7e57ab20c89b2e4750d",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 52,
+ "comment" : "modified bit 97 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab5ce03e2c3a7f2384d051b9cf3570f1207fc78c1bcc98c281c2bb58d2e8878290bff8d3355fdd4ea381924ee578752354eb6dee678ab4011c301",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 53,
+ "comment" : "modified bit 127 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab5ce03e2c3a7f0384d851b9cf3570f1207fc78c1bcc98c281c2bb978c866187ffb1cc7b29a0b4045aefc08768df65717194ff0c6e63f4dea0d02",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 54,
+ "comment" : "modified bit 240 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281d2b0576ecf8eaf675f00f3dfbe19f75b83b7607a6c96414f6821af920a2498d0305",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 55,
+ "comment" : "modified bit 247 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c289c2be5241a345c7b5428054c74b7c382fa10d4a5f1e8f8b79a71d3fdea2254f1ff0e",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 56,
+ "comment" : "modified bit 248 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c2a63950c85cd6dc96364e768de50ff7732b538f8a0b1615d799190ab600849230e",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 57,
+ "comment" : "modified bit 253 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c0b543bd3da0a56a8c9c152f59c9fec12f31fa66434d48b817b30d90cb4efa8b501",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 58,
+ "comment" : "modified bit 254 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281c6b8da07efd07a6dafb015ed6a32fe136319a972ffbc341f3a0beae97ccf8136505",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 59,
+ "comment" : "modified bit 255 in R",
+ "msg" : "313233343030",
+ "sig" : "657c1492402ab5ce03e2c3a7f0384d051b9cf3570f1207fc78c1bcc98c281cab227aedf259f910f0f3a759a335062665217925d019173b88917eae294f75d40f",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 60,
+ "comment" : "R==0",
+ "msg" : "313233343030",
+ "sig" : "0000000000000000000000000000000000000000000000000000000000000000e0b8e7770d51c7a36375d006c5bffd6af43ff54aaf47e4330dc118c71d61ec02",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 61,
+ "comment" : "invalid R",
+ "msg" : "313233343030",
+ "sig" : "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff463a1908382e7eb7693acef9884f7cf931a215e0791876be22c631a59881fd0e",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 62,
+ "comment" : "all bits flipped in R",
+ "msg" : "313233343030",
+ "sig" : "9a83eb6dbfd54a31fc1d3c580fc7b2fae4630ca8f0edf803873e433673d7e3d40e94254586cb6188c5386c3febed477cb9a6cb29e3979adc4cb27cf5278fb70a",
+ "result" : "invalid",
+ "flags" : []
+ },
+ {
+ "tcId" : 63,
+ "comment" : "checking malleability ",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab067654bce3832c2d76f8f6f5dafc08d9339d4eef676573336a5c51eb6f946b31d",
+ "result" : "invalid",
+ "flags" : [
+ "SignatureMalleability"
+ ]
+ },
+ {
+ "tcId" : 64,
+ "comment" : "checking malleability ",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab05439412b5395d42f462c67008eba6ca839d4eef676573336a5c51eb6f946b32d",
+ "result" : "invalid",
+ "flags" : [
+ "SignatureMalleability"
+ ]
+ },
+ {
+ "tcId" : 65,
+ "comment" : "checking malleability ",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab02ee12ce5875bf9dff26556464bae2ad239d4eef676573336a5c51eb6f946b34d",
+ "result" : "invalid",
+ "flags" : [
+ "SignatureMalleability"
+ ]
+ },
+ {
+ "tcId" : 66,
+ "comment" : "checking malleability ",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0e2300459f1e742404cd934d2c595a6253ad4eef676573336a5c51eb6f946b38d",
+ "result" : "invalid",
+ "flags" : [
+ "SignatureMalleability"
+ ]
+ },
+ {
+ "tcId" : 67,
+ "comment" : "checking malleability ",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b32d",
+ "result" : "invalid",
+ "flags" : [
+ "SignatureMalleability"
+ ]
+ },
+ {
+ "tcId" : 68,
+ "comment" : "checking malleability ",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b34d",
+ "result" : "invalid",
+ "flags" : [
+ "SignatureMalleability"
+ ]
+ },
+ {
+ "tcId" : 69,
+ "comment" : "checking malleability ",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab07a9155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b38d",
+ "result" : "invalid",
+ "flags" : [
+ "SignatureMalleability"
+ ]
+ },
+ {
+ "tcId" : 70,
+ "comment" : "checking malleability ",
+ "msg" : "54657374",
+ "sig" : "7c38e026f29e14aabd059a0f2db8b0cd783040609a8be684db12f82a27774ab0679155711ecfaf7f99f277bad0c6ae7e39d4eef676573336a5c51eb6f946b38d",
+ "result" : "invalid",
+ "flags" : [
+ "SignatureMalleability"
+ ]
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "CiOiAHKJEjeqCGS1dlE5UUkIeHh4zXcTWgBZiB0xPwA",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "oSwr63cmXyqslTtQCTSdlBVaA62kFqrUUTGUgOmDykw"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "a12c2beb77265f2aac953b5009349d94155a03ada416aad451319480e983ca4c",
+ "sk" : "0a23a20072891237aa0864b5765139514908787878cd77135a0059881d313f00",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100a12c2beb77265f2aac953b5009349d94155a03ada416aad451319480e983ca4c",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAoSwr63cmXyqslTtQCTSdlBVaA62kFqrUUTGUgOmDykw=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 71,
+ "comment" : "",
+ "msg" : "",
+ "sig" : "5056325d2ab440bf30bbf0f7173199aa8b4e6fbc091cf3eb6bc6cf87cd73d992ffc216c85e4ab5b8a0bbc7e9a6e9f8d33b7f6e5ac0ffdc22d9fcaf784af84302",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 72,
+ "comment" : "",
+ "msg" : "78",
+ "sig" : "481fafbf4364d7b682475282f517a3ac0538c9a6b6a562e99a3d8e5afb4f90a559b056b9f07af023905753b02d95eb329a35c77f154b79abbcd291615ce42f02",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 73,
+ "comment" : "",
+ "msg" : "54657374",
+ "sig" : "8a9bb4c465a3863abc9fd0dd35d80bb28f7d33d37d74679802d63f82b20da114b8d765a1206b3e9ad7cf2b2d8d778bb8651f1fa992db293c0039eacb6161480f",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 74,
+ "comment" : "",
+ "msg" : "48656c6c6f",
+ "sig" : "d839c20abfda1fd429531831c64f813f84b913e9928540310cf060b44c3dbf9457d44a7721fdc0d67724ff81cb450dd39b10cfb65db15dda4b8bf09d26bd3801",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 75,
+ "comment" : "",
+ "msg" : "313233343030",
+ "sig" : "9bbb1052dcfa8ad2715c2eb716ae4f1902dea353d42ee09fd4c0b4fcb8b52b5219e2200016e1199d0061891c263e31b0bc3b55673c19610c4e0fa5408004160b",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 76,
+ "comment" : "",
+ "msg" : "000000000000000000000000",
+ "sig" : "f63b5c0667c7897fc283296416f7f60e84bbde9cbd832e56be463ed9f568069702b17a2f7c341ebf590706a6388ac76ac613c1675ec0f2c7118f2573422a500b",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 77,
+ "comment" : "",
+ "msg" : "6161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161",
+ "sig" : "1bc44d7001e6b5b9090fef34b2ca480f9786bbefa7d279353e5881e8dfb91b803ccd46500e270ef0109bfd741037558832120bc2a4f20fbe7b5fb3c3aaf23e08",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 78,
+ "comment" : "",
+ "msg" : "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f60",
+ "sig" : "ea8e22143b02372e76e99aece3ed36aec529768a27e2bb49bdc135d44378061e1f62d1ac518f33ebf37b2ee8cc6dde68a4bd7d4a2f4d6cb77f015f71ca9fc30d",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 79,
+ "comment" : "",
+ "msg" : "ffffffffffffffffffffffffffffffff",
+ "sig" : "8acd679e1a914fc45d5fa83d3021f0509c805c8d271df54e52f43cfbd00cb6222bf81d58fe1de2de378df67ee9f453786626961fe50a9b05f12b6f0899ebdd0a",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
+ "sk" : "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 80,
+ "comment" : "draft-josefsson-eddsa-ed25519-02: Test 1",
+ "msg" : "",
+ "sig" : "e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "TM0Imyj_ltqdtsNG7BFOD1uKMZ81q6Yk2oz27U-4pvs",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "PUAXw-hDiVqStwqnTRt-vJyYLM8uxJaMwM1V8Sr0Zgw"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
+ "sk" : "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321003d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAPUAXw+hDiVqStwqnTRt+vJyYLM8uxJaMwM1V8Sr0Zgw=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 81,
+ "comment" : "draft-josefsson-eddsa-ed25519-02: Test 2",
+ "msg" : "72",
+ "sig" : "92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "xaqN9D-fg3vtt0QvMdy3sWbThTUHbwlLhc46LgtEWPc",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "_FHNjmIYoaONpH7QAjDwWAgW7RO6MwOsXeuRFUiQgCU"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025",
+ "sk" : "c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA/FHNjmIYoaONpH7QAjDwWAgW7RO6MwOsXeuRFUiQgCU=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 82,
+ "comment" : "draft-josefsson-eddsa-ed25519-02: Test 3",
+ "msg" : "af82",
+ "sig" : "6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "9eV2fPFTMZUXYw8iaHa4bIFgzFg7wBN0TGvyVfXMDuU",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "J4EX_BRMcjQPZ9DyMW6Dhs7_vyskKMnFH-98WX8dQm4"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
+ "sk" : "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAJ4EX/BRMcjQPZ9DyMW6Dhs7/vyskKMnFH+98WX8dQm4=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 83,
+ "comment" : "draft-josefsson-eddsa-ed25519-02: Test 1024",
+ "msg" : "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c06189
83f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0",
+ "sig" : "0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "160_H2u-BHfDw1eoBqGetBrj-UAlA1vIfygfjun8DjQ",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "j9ZZt3tVjtk4gsEVdDhFCshuxi1CHVaOmO4jbzgQKVo"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "8fd659b77b558ed93882c1157438450ac86ec62d421d568e98ee236f3810295a",
+ "sk" : "d7ad3f1f6bbe0477c3c357a806a19eb41ae3f94025035bc87f281f8ee9fc0e34",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321008fd659b77b558ed93882c1157438450ac86ec62d421d568e98ee236f3810295a",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAj9ZZt3tVjtk4gsEVdDhFCshuxi1CHVaOmO4jbzgQKVo=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 84,
+ "comment" : "Random test failure 1",
+ "msg" : "b0729a713593a92e46b56eaa66b9e435f7a09a8e7de03b078f6f282285276635f301e7aaafe42187c45d6f5b13f9f16b11195cc125c05b90d24dfe4c",
+ "sig" : "7db17557ac470c0eda4eedaabce99197ab62565653cf911f632ee8be0e5ffcfc88fb94276b42e0798fd3aa2f0318be7fc6a29fae75f70c3dcdc414a0ad866601",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "rZsieTM2_NrBDhNsTe6lmb4Yejju-Rwc98ek7IhN2gg",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "KmBr9nrHcMYHA4sAQQGzJe21ae_TQT0tHyw-a05uMII"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "2a606bf67ac770c607038b004101b325edb569efd3413d2d1f2c3e6b4e6e3082",
+ "sk" : "ad9b22793336fcdac10e136c4deea599be187a38eef91c1cf7c7a4ec884dda08",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321002a606bf67ac770c607038b004101b325edb569efd3413d2d1f2c3e6b4e6e3082",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAKmBr9nrHcMYHA4sAQQGzJe21ae/TQT0tHyw+a05uMII=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 85,
+ "comment" : "Random test failure 2",
+ "msg" : "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",
+ "sig" : "67d84d4c3945aaf06e06d524be63acbfb5dbb1988c4aea96a5ee9f7a9b9eecc29df4f66b8aa1d9e8607a58fb1ef0c2ad69aac005b4f58e34103344a9c8871a09",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 86,
+ "comment" : "Random test failure 24",
+ "msg" : "b477b0480bb84642608b908d29a51cf2fce63f24ee95",
+ "sig" : "28fafbb62b4d688fa79e1ac92851f46e319b161f801d4dc09acc21fdd6780a2c4292b8c1003c61c2bcebe7f3f88ccc4bb26d407387c5f27cb8c94cf6ce810405",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "BKZVPWipuu94ohda83VFjqoBzbdzUMYeKC718McRZZk",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "yclGy8VUSsdO70kfB8WIHBb69-wxzkqpG7YK57RTkFE"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "c9c946cbc5544ac74eef491f07c5881c16faf7ec31ce4aa91bb60ae7b4539051",
+ "sk" : "04a6553d68a9baef78a2175af375458eaa01cdb77350c61e282ef5f0c7116599",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100c9c946cbc5544ac74eef491f07c5881c16faf7ec31ce4aa91bb60ae7b4539051",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAyclGy8VUSsdO70kfB8WIHBb69+wxzkqpG7YK57RTkFE=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 87,
+ "comment" : "Random test failure 3",
+ "msg" : "cd2212eddb0706f62c995cef958634f0cb7793444cbf4d30e81c27c41ebea6cb02607510131f9c015692dfd521b148841e9a2d3564d20ac401f6cb8e40f520fe0cafbeaa88840b83013369d879f013463fe52a13267aa0c8c59c45cde9399cd1e6be8cc64cf48315ac2eb31a1c567a4fb7d601746d1f63b5ac020712adbbe07519bded6f",
+ "sig" : "24087d47f3e20af51b9668ae0a88ce76586802d0ec75d8c0f28fc30962b5e1d1a1d509571a1624ed125a8df92a6e963728d6b5de99200b8e285f70feb6f05207",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 88,
+ "comment" : "Random test failure 20",
+ "msg" : "27d465bc632743522aefa23c",
+ "sig" : "c2656951e2a0285585a51ff0eda7e9a23c2dfd2ffa273aee7808f4604e8f9a8c8ea49e9fce4eb2d8d75d36b7238fe6fc13b6c5d9427dd58f8c6615d033c0bd0f",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "w2fI0uvu7NcMHomFtww4CLdWV_JDshuk8yJ5JUDpIlc",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "Mq0Cb2k9DSr-f0OI2RxMlkQm_LnjZlw-vYZQAJuBXI4"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "32ad026f693d0d2afe7f4388d91c4c964426fcb9e3665c3ebd8650009b815c8e",
+ "sk" : "c367c8d2ebeeecd70c1e8985b70c3808b75657f243b21ba4f322792540e92257",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b657003210032ad026f693d0d2afe7f4388d91c4c964426fcb9e3665c3ebd8650009b815c8e",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAMq0Cb2k9DSr+f0OI2RxMlkQm/LnjZlw+vYZQAJuBXI4=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 89,
+ "comment" : "Random test failure 4",
+ "msg" : "ec5c7cb078",
+ "sig" : "d920d421a5956b69bfe1ba834c025e2babb6c7a6d78c97de1d9bb1116dfdd1185147b2887e34e15578172e150774275ea2aad9e02106f7e8ca1caa669a066f0c",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 90,
+ "comment" : "Random test failure 5",
+ "msg" : "4668c6a76f0e482190a7175b9f3806a5fe4314a004fa69f988373f7a",
+ "sig" : "4f62daf7f7c162038552ad7d306e195baa37ecf6ca7604142679d7d1128e1f8af52e4cb3545748c44ef1ff1c64e877e4f4d248259b7f6eb56e3ef72097dc8e0c",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 91,
+ "comment" : "Random test failure 8",
+ "msg" : "5dc9bb87eb11621a93f92abe53515697d2611b2eef73",
+ "sig" : "deecafb6f2ede73fec91a6f10e45b9c1c61c4b9bfbe6b6147e2de0b1df6938971f7896c3ab83851fb5d9e537037bff0fca0ccb4a3cc38f056f91f7d7a0557e08",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 92,
+ "comment" : "Random test failure 10",
+ "msg" : "7dcfe60f881e1285676f35b68a1b2dbcdd7be6f719a288ababc28d36e3a42ac3010a1ca54b32760e74",
+ "sig" : "7f8663cf98cbd39d5ff553f00bcf3d0d520605794f8866ce75714d77cc51e66c91818b657d7b0dae430a68353506edc4a714c345f5ddb5c8b958ba3d035f7a01",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 93,
+ "comment" : "Random test failure 12",
+ "msg" : "58e456064dff471109def4ca27fa8310a1df32739655b624f27e6418d34b7f007173f3faa5",
+ "sig" : "6aab49e5c0bc309b783378ee03ffda282f0185cdf94c847701ff307a6ee8d0865411c44e0a8206f6a5f606107451940c2593af790ce1860f4c14ab25b2deae08",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 94,
+ "comment" : "Random test failure 15",
+ "msg" : "a1",
+ "sig" : "1a74ed2cbdc7d8f3827014e8e6ecf8fd2698ac8f86833acccdd400df710fe0d6b0543c9cfa00d52bf024ab7ce0d91981944097233ec134d5c7abbd44bfd32d0d",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 95,
+ "comment" : "Random test failure 19",
+ "msg" : "11cb1eafa4c42a8402c4193c4696f7b2e6d4585e4b42dcf1a8b67a80b2da80bc9d4b649fb2f35eaf1f56c426fd0b",
+ "sig" : "14ceb2eaf4688d995d482f44852d71ad878cd7c77b41e60b0065fd01a59b054ee74759224187dbde9e59a763a70277c960892ef89fba997aba2576b2c54ba608",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 96,
+ "comment" : "Random test failure 25",
+ "msg" : "aa365b442d12b7f3c925",
+ "sig" : "83c40ce13d483cc58ff65844875862d93df4bd367af77efa469ec06a8ed9e6d7905a04879535708ddf225567a815c9b941d405c98e918fd0c151165cea7fb101",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 97,
+ "comment" : "Random test failure 28",
+ "msg" : "475f",
+ "sig" : "71a4a06a34075f2fd47bc3abf4714d46db7e97b08cb6180d3f1539ac50b18ce51f8af8ae95ed21d4fa0daab7235925631ecea1fd9d0d8a2ba7a7583fd04b900c",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "VsHiLWFsu23qhpKItLHAK7mGllg8L25lABOgPhcEnGI",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "wp7BiU4G0ntOQEhrT6UGPWanRsf5wyOxIgPAO3K4t4o"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "c29ec1894e06d27b4e40486b4fa5063d66a746c7f9c323b12203c03b72b8b78a",
+ "sk" : "56c1e22d616cbb6dea869288b4b1c02bb98696583c2f6e650013a03e17049c62",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100c29ec1894e06d27b4e40486b4fa5063d66a746c7f9c323b12203c03b72b8b78a",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAwp7BiU4G0ntOQEhrT6UGPWanRsf5wyOxIgPAO3K4t4o=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 98,
+ "comment" : "Random test failure 6",
+ "msg" : "0f325ffd87e58131ffa23c05ea4579513b287fdba87b44",
+ "sig" : "6669acf94667c5b541afe5307bde9476b13ae7e0e6058a772101ac8eb0a94331428eb4db0a2c68a9b6c1763b8624dab259b0876cdcfaeacc17b21a18e3fc010a",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 99,
+ "comment" : "Random test failure 21",
+ "msg" : "5ffa",
+ "sig" : "931e5152fcef078c22cc5d6a3a65f06e396289f6f5f2d1efa6340254a53526ef5dc6874eeddf35c3f50991c53cd02bf06313e37d93ee1f7022128ffa3b8f300b",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "t9L2QnbfQX_tJ9jhW06Q9v2T2s5wcpTDOL0yvEu9j9s",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "z9pbiZ41dkxSKeWSlf4SIrfdzhdmQ2l8KeRuy7oQzxA"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "cfda5b899e35764c5229e59295fe1222b7ddce176643697c29e46ecbba10cf10",
+ "sk" : "b7d2f64276df417fed27d8e15b4e90f6fd93dace707294c338bd32bc4bbd8fdb",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100cfda5b899e35764c5229e59295fe1222b7ddce176643697c29e46ecbba10cf10",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAz9pbiZ41dkxSKeWSlf4SIrfdzhdmQ2l8KeRuy7oQzxA=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 100,
+ "comment" : "Random test failure 7",
+ "msg" : "ec5c7cb078",
+ "sig" : "30490c28f806298225df62103521dcee047153912c33ab8ab8bbdd1ffabd70fd4fdb360f05be535b067d1cf4e78c2cb432206bf280aab3bd21aaa1cb894c5b06",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 101,
+ "comment" : "Random test failure 9",
+ "msg" : "67484059b2490b1a0a4f8dee77979e26",
+ "sig" : "4cd4f77ed473a6647387f3163541c67a1708a3c3bd1673247cb87f0cb68b3c56f04bfa72970c8a483efe659c87009ab4020b590b6641316b3deddb5450544e02",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 102,
+ "comment" : "Random test failure 11",
+ "msg" : "a020a4381dc9141f47ee508871ab7a8b5a3648727c4281ae9932376f23a8e1bcda0626b7129197d864178631ec89c4332dbb18",
+ "sig" : "1e41a24fe732bd7cab14c2a2f5134ee8c87fcbd2e987e60957ed9239e5c32404d56977e1b4282871896cb10625a1937468e4dc266e16a9c1b8e9891177eca802",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 103,
+ "comment" : "Random test failure 14",
+ "msg" : "a25176b3afea318b2ec11ddacb10caf7179c0b3f8eabbfa2895581138d3c1e0e",
+ "sig" : "2a833aadecd9f28235cb5896bf3781521dc71f28af2e91dbe1735a61dce3e31ac15ca24b3fc47817a59d386bbbb2ce60a6adc0a2703bb2bdea8f70f91051f706",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 104,
+ "comment" : "Random test failure 18",
+ "msg" : "a9e6d94870a67a9fe1cf13b1e6f9150cdd407bf6480ec841ea586ae3935e9787163cf419c1",
+ "sig" : "c97e3190f83bae7729ba473ad46b420b8aad735f0808ea42c0f898ccfe6addd4fd9d9fa3355d5e67ee21ab7e1f805cd07f1fce980e307f4d7ad36cc924eef00c",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "fVl8O3KDkp0H7Y8B8x0lloI-XkarImx75CNNGp3K7zc",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "UpkZyceAmFqEHEK6bBgP8tZ6J2zPvigQgOR6txp1j1Y"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "529919c9c780985a841c42ba6c180ff2d67a276ccfbe281080e47ab71a758f56",
+ "sk" : "7d597c3b7283929d07ed8f01f31d2596823e5e46ab226c7be4234d1a9dcaef37",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100529919c9c780985a841c42ba6c180ff2d67a276ccfbe281080e47ab71a758f56",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAUpkZyceAmFqEHEK6bBgP8tZ6J2zPvigQgOR6txp1j1Y=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 105,
+ "comment" : "Random test failure 13",
+ "msg" : "e1cbf2d86827825613fb7a85811d",
+ "sig" : "01abfa4d6bbc726b196928ec84fd03f0c953a4fa2b228249562ff1442a4f63a7150b064f3712b51c2af768d2c2711a71aabf8d186833e941a0301b82f0502905",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 106,
+ "comment" : "Random test failure 22",
+ "msg" : "25",
+ "sig" : "e4ae21f7a8f4b3b325c161a8c6e53e2edd7005b9c2f8a2e3b0ac4ba94aa80be6f2ee22ac8d4a96b9a3eb73a825e7bb5aff4a3393bf5b4a38119e9c9b1b041106",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "9AHO5L-xcy8Om42Lp5RpVlwxFSlhQdvffpwxGgrBgjs",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "IlKz1Xx0y_i8Rg3C4IKEeSa8Ai8Jq2rpV1Y2K_0RZ8E"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "2252b3d57c74cbf8bc460dc2e082847926bc022f09ab6ae95756362bfd1167c1",
+ "sk" : "f401cee4bfb1732f0e9b8d8ba79469565c3115296141dbdf7e9c311a0ac1823b",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321002252b3d57c74cbf8bc460dc2e082847926bc022f09ab6ae95756362bfd1167c1",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAIlKz1Xx0y/i8Rg3C4IKEeSa8Ai8Jq2rpV1Y2K/0RZ8E=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 107,
+ "comment" : "Random test failure 16",
+ "msg" : "975ef941710071a9e1e6325a0c860becd7c695b5117c3107b686e330e5",
+ "sig" : "af0fd9dda7e03e12313410d8d8844ebb6fe6b7f65141f22d7bcba5695a25414a9e54326fb44d59fb14707899a8aae70857b23d4080d7ab2c396ef3a36d45ce02",
+ "result" : "valid",
+ "flags" : []
+ },
+ {
+ "tcId" : 108,
+ "comment" : "Random test failure 23",
+ "msg" : "80fdd6218f29c8c8f6bd820945f9b0854e3a8824",
+ "sig" : "e097e0bd0370bff5bde359175a11b728ee9639095d5df8eda496395565616edfe079977f7d4dc8c75d6113a83d6a55e6e1676408c0967a2906339b43337dcb01",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "PWWJVkEDd9BkRnbSWZVCQSpPOw5Orft_P4NmFfQrGLw",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "wKdzEQ-XXeNzI1W7fsfwxBwJHAJSlmBwIFUWaTuZKko"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "c0a773110f975de3732355bb7ec7f0c41c091c0252966070205516693b992a4a",
+ "sk" : "3d658956410377d0644676d2599542412a4f3b0e4eadfb7f3f836615f42b18bc",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100c0a773110f975de3732355bb7ec7f0c41c091c0252966070205516693b992a4a",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAwKdzEQ+XXeNzI1W7fsfwxBwJHAJSlmBwIFUWaTuZKko=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 109,
+ "comment" : "Random test failure 17",
+ "msg" : "",
+ "sig" : "0280427e713378f49d478df6373c6cac847b622b567daa2376c839e7ac10e22c380ab0fa8617c9dcfe76c4d9db5459b21dc1413726e46cc8f387d359e344f407",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "vMthMjhAwqlvw29-VOpsjlX50iH38FeR7WACXgYGRDk",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "VM2mIyRXWa1tQ-YgpgaQi-_GM9YHkrx3mER6DvOOcxE"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "54cda623245759ad6d43e620a606908befc633d60792bc7798447a0ef38e7311",
+ "sk" : "bccb61323840c2a96fc36f7e54ea6c8e55f9d221f7f05791ed60025e06064439",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b657003210054cda623245759ad6d43e620a606908befc633d60792bc7798447a0ef38e7311",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAVM2mIyRXWa1tQ+YgpgaQi+/GM9YHkrx3mER6DvOOcxE=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 110,
+ "comment" : "Random test failure 26",
+ "msg" : "27e792b28b2f1702",
+ "sig" : "14d9b497c19b91d43481c55bb6f5056de252d9ecb637575c807e58e9b4c5eac8b284089d97e2192dc242014363208e2c9a3435edf8928fb1d893553e9be4c703",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "8tMCO5wZ4kF0i8QDmnpDxZVwHyNnVQUBUhOooqAnTBs",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "I2K6xRTV-tM4AmQul5oegt5utvG8v2pbME8rsCueV_4"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "2362bac514d5fad33802642e979a1e82de6eb6f1bcbf6a5b304f2bb02b9e57fe",
+ "sk" : "f2d3023b9c19e241748bc4039a7a43c595701f23675505015213a8a2a0274c1b",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321002362bac514d5fad33802642e979a1e82de6eb6f1bcbf6a5b304f2bb02b9e57fe",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAI2K6xRTV+tM4AmQul5oegt5utvG8v2pbME8rsCueV/4=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 111,
+ "comment" : "Random test failure 27",
+ "msg" : "eef3bb0f617c17d0420c115c21c28e3762edc7b7fb048529b84a9c2bc6",
+ "sig" : "242ddb3a5d938d07af690b1b0ef0fa75842c5f9549bf39c8750f75614c712e7cbaf2e37cc0799db38b858d41aec5b9dd2fca6a3c8e082c10408e2cf3932b9d08",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "EvwxxA1aevceBUJGI7qXC2cM9uy0TNphICEOY3AkXds",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "A3tVtCfcjaoPgPzrrwhGkCMJ-KbPGLRlwM6bZTlimsg"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "037b55b427dc8daa0f80fcebaf0846902309f8a6cf18b465c0ce9b6539629ac8",
+ "sk" : "12fc31c40d5a7af71e05424623ba970b670cf6ecb44cda6120210e6370245ddb",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100037b55b427dc8daa0f80fcebaf0846902309f8a6cf18b465c0ce9b6539629ac8",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAA3tVtCfcjaoPgPzrrwhGkCMJ+KbPGLRlwM6bZTlimsg=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 112,
+ "comment" : "Test case for overflow in signature generation",
+ "msg" : "01234567",
+ "sig" : "c964e100033ce8888b23466677da4f4aea29923f642ae508f9d0888d788150636ab9b2c3765e91bbb05153801114d9e52dc700df377212222bb766be4b8c020d",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "5UvMTOldtIByx7SVdWF90flAOwchBSWcoG2NAVMNB_s",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "nAAHaY8XeZinZmx895c-K4jpxJRuM4BKe76JaNI5Sy4"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "9c0007698f177998a7666c7cf7973e2b88e9c4946e33804a7bbe8968d2394b2e",
+ "sk" : "e54bcc4ce95db48072c7b49575617dd1f9403b072105259ca06d8d01530d07fb",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321009c0007698f177998a7666c7cf7973e2b88e9c4946e33804a7bbe8968d2394b2e",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAnAAHaY8XeZinZmx895c+K4jpxJRuM4BKe76JaNI5Sy4=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 113,
+ "comment" : "Test case for overflow in signature generation",
+ "msg" : "9399a6db9433d2a28d2b0c11c8794ab7d108c95b",
+ "sig" : "176065c6d64a136a2227687d77f61f3fca3b16122c966276fd9a8b14a1a2cea4c33b3533d11101717016684e3810efbea63bb23773f7cc480174199abd734f08",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "3n8rsSuHWnnMsFc0Syhnou2yXbwez8jLB8aeLdPfPgI",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "7TpvlyHclynB92Y1vPCA1wNuHC8CKGVMy74ec4wXuWM"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "ed3a6f9721dc9729c1f76635bcf080d7036e1c2f0228654ccbbe1e738c17b963",
+ "sk" : "de7f2bb12b875a79ccb057344b2867a2edb25dbc1ecfc8cb07c69e2dd3df3e02",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100ed3a6f9721dc9729c1f76635bcf080d7036e1c2f0228654ccbbe1e738c17b963",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA7TpvlyHclynB92Y1vPCA1wNuHC8CKGVMy74ec4wXuWM=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 114,
+ "comment" : "Test case for overflow in signature generation",
+ "msg" : "7af783afbbd44c1833ab7237ecaf63b94ffdd003",
+ "sig" : "7ca69331eec8610d38f00e2cdbd46966cb359dcde98a257ac6f362cc00c8f4fe85c02285fe4d66e31a44cadb2bf474e1a7957609eb4fe95a71473fe6699aa70d",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "6nkrep1CC_dPaoKnjliizJTzqz65MScGEbH42nXD1gs",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "Sr-1NTE3BaZXABhEDN7Bo64z5R81IRL6asvQxrw-qFk"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "4abfb535313705a6570018440cdec1a3ae33e51f352112fa6acbd0c6bc3ea859",
+ "sk" : "ea792b7a9d420bf74f6a82a78e58a2cc94f3ab3eb931270611b1f8da75c3d60b",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321004abfb535313705a6570018440cdec1a3ae33e51f352112fa6acbd0c6bc3ea859",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEASr+1NTE3BaZXABhEDN7Bo64z5R81IRL6asvQxrw+qFk=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 115,
+ "comment" : "Test case for overflow in signature generation",
+ "msg" : "321b5f663c19e30ee7bbb85e48ecf44db9d3f512",
+ "sig" : "f296715e855d8aecccba782b670163dedc4458fe4eb509a856bcac450920fd2e95a3a3eb212d2d9ccaf948c39ae46a2548af125f8e2ad9b77bd18f92d59f9200",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "7KKGRfY2Rlde4uS9s29Rg4FCziR0ZkwrZu8FSzevYSQ",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "TyFi5r8DpxLbDvpBi35wBuI4cdnX7FVaMTiFxK_ZY4U"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "4f2162e6bf03a712db0efa418b7e7006e23871d9d7ec555a313885c4afd96385",
+ "sk" : "eca28645f63646575ee2e4bdb36f51838142ce2474664c2b66ef054b37af6124",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321004f2162e6bf03a712db0efa418b7e7006e23871d9d7ec555a313885c4afd96385",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEATyFi5r8DpxLbDvpBi35wBuI4cdnX7FVaMTiFxK/ZY4U=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 116,
+ "comment" : "Test case for overflow in signature generation",
+ "msg" : "c48890e92aeeb3af04858a8dc1d34f16a4347b91",
+ "sig" : "367d07253a9d5a77d054b9c1a82d3c0a448a51905343320b3559325ef41839608aa45564978da1b2968c556cfb23b0c98a9be83e594d5e769d69d1156e1b1506",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "coI4YCt-Z1Oz9J6w_EzeOMe7FKtY3crvJTcnWxPpndM",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "BxfXXOJ-oYHtWjDmRWxkm1z0U6a0wSzT-f0Wsx4MJc0"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "0717d75ce27ea181ed5a30e6456c649b5cf453a6b4c12cd3f9fd16b31e0c25cd",
+ "sk" : "728238602b7e6753b3f49eb0fc4cde38c7bb14ab58ddcaef2537275b13e99dd3",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321000717d75ce27ea181ed5a30e6456c649b5cf453a6b4c12cd3f9fd16b31e0c25cd",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEABxfXXOJ+oYHtWjDmRWxkm1z0U6a0wSzT+f0Wsx4MJc0=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 117,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "26d5f0631f49106db58c4cfc903691134811b33c",
+ "sig" : "9588e02bc815649d359ce710cdc69814556dd8c8bab1c468f40a49ebefb7f0de7ed49725edfd1b708fa1bad277c35d6c1b9c5ec25990997645780f9203d7dd08",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "3ECS14CcawcPKAjENCZ7ZpdCj0qx5GJqtWowWWQ75Dw",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "21ueq36E5aE1BYZfpxHJyJbImGCfwR_JvB5VAo-Ult8"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "db5b9eab7e84e5a13505865fa711c9c896c898609fc11fc9bc1e55028f9496df",
+ "sk" : "dc4092d7809c6b070f2808c434267b6697428f4ab1e4626ab56a3059643be43c",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100db5b9eab7e84e5a13505865fa711c9c896c898609fc11fc9bc1e55028f9496df",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA21ueq36E5aE1BYZfpxHJyJbImGCfwR/JvB5VAo+Ult8=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 118,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "2a71f064af982a3a1103a75cef898732d7881981",
+ "sig" : "2217a0be57dd0d6c0090641496bcb65e37213f02a0df50aff0368ee2808e1376504f37b37494132dfc4d4887f58b9e86eff924040db3925ee4f8e1428c4c500e",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "OHZbiexWg26kGQ_JV4ArakcWf5te-ULpJlKAO33mq_0",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "e6wY9tJiXTkV8jNDTNo4pXckenMypRcLNxQqNGRBReA"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "7bac18f6d2625d3915f233434cda38a577247a7332a5170b37142a34644145e0",
+ "sk" : "38765b89ec56836ea4190fc957802b6a47167f9b5ef942e92652803b7de6abfd",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321007bac18f6d2625d3915f233434cda38a577247a7332a5170b37142a34644145e0",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAe6wY9tJiXTkV8jNDTNo4pXckenMypRcLNxQqNGRBReA=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 119,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "bf26796cef4ddafcf5033c8d105057db0210b6ad",
+ "sig" : "1fda6dd4519fdbefb515bfa39e8e5911f4a0a8aa65f40ef0c542b8b34b87f9c249dc57f320718ff457ed5915c4d0fc352affc1287724d3f3a9de1ff777a02e01",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "l1dTCKSQrwwUVBHdFtUZoHPvA8LkoKHNa13i6IHl6r4",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "OOrTBGJKvr8-KzHiDlYpUx4_xlkAiIfJEG9eVa27xio"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "38ead304624abebf3e2b31e20e5629531e3fc659008887c9106f5e55adbbc62a",
+ "sk" : "97575308a490af0c145411dd16d519a073ef03c2e4a0a1cd6b5de2e881e5eabe",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b657003210038ead304624abebf3e2b31e20e5629531e3fc659008887c9106f5e55adbbc62a",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAOOrTBGJKvr8+KzHiDlYpUx4/xlkAiIfJEG9eVa27xio=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 120,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "ae03da6997e40cea67935020152d3a9a365cc055",
+ "sig" : "068eafdc2f36b97f9bae7fbda88b530d16b0e35054d3a351e3a4c914b22854c711505e49682e1a447e10a69e3b04d0759c859897b64f71137acf355b63faf100",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "rRKeieDuyQjfUa3CJ8jEkIqAlddWIVNsiijcpLPDDbs",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "6byVBJr35IF7F8QCJpul52e3NIdXrIAC_sngg5DAqc8"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "e9bc95049af7e4817b17c402269ba5e767b7348757ac8002fec9e08390c0a9cf",
+ "sk" : "ad129e89e0eec908df51adc227c8c4908a8095d75621536c8a28dca4b3c30dbb",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100e9bc95049af7e4817b17c402269ba5e767b7348757ac8002fec9e08390c0a9cf",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA6byVBJr35IF7F8QCJpul52e3NIdXrIAC/sngg5DAqc8=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 121,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "489d473f7fb83c7f6823baf65482517bccd8f4ea",
+ "sig" : "43670abc9f09a8a415e76f4a21c6a46156f066b5a37b3c1e867cf67248c7b927e8d13a763e37abf936f5f27f7a8aa290539d21f740efd26b65fd5ad27085f400",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "A85kPW00G3BlvJ5w2oGTRRz4PKf_WoZA_QevCUZANlo",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "7oFVyk6P57xbylmSBE6rf4w8ahPbEXb0L0bCnaWwZPQ"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "ee8155ca4e8fe7bc5bca5992044eab7f8c3c6a13db1176f42f46c29da5b064f4",
+ "sk" : "03ce643d6d341b7065bc9e70da8193451cf83ca7ff5a8640fd07af094640365a",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100ee8155ca4e8fe7bc5bca5992044eab7f8c3c6a13db1176f42f46c29da5b064f4",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA7oFVyk6P57xbylmSBE6rf4w8ahPbEXb0L0bCnaWwZPQ=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 122,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "1b704d6692d60a07ad1e1d047b65e105a80d3459",
+ "sig" : "56388f2228893b14ce4f2a5e0cc626591061de3a57c50a5ecab7b9d5bb2caeea191560a1cf2344c75fdb4a085444aa68d727b39f498169eaa82cf64a31f59803",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "WB9ZOlzZRZTcD13RQgJqQ2qTDlczkbeu6mqCU-7vbOs",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "21B7_MlXY5P3FXuzYFMrBcX88udktpDMZpikow00kJU"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "db507bfcc9576393f7157bb360532b05c5fcf2e764b690cc6698a4a30d349095",
+ "sk" : "581f593a5cd94594dc0f5dd142026a436a930e573391b7aeea6a8253eeef6ceb",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100db507bfcc9576393f7157bb360532b05c5fcf2e764b690cc6698a4a30d349095",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA21B7/MlXY5P3FXuzYFMrBcX88udktpDMZpikow00kJU=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 123,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "dc87030862c4c32f56261e93a367caf458c6be27",
+ "sig" : "553e5845fc480a577da6544e602caadaa00ae3e5aa3dce9ef332b1541b6d5f21bdf1d01e98baf80b8435f9932f89b3eb70f02da24787aac8e77279e797d0bd0b",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "byB9yUuETU3HH5gtqNnzrgs3tGI-RB7KdbpiYhxSTZg",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "mU6vAzCdatnZWmVrwXROKIbwKQI6N1CzTzUIazxyJ_g"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "994eaf03309d6ad9d95a656bc1744e2886f029023a3750b34f35086b3c7227f8",
+ "sk" : "6f207dc94b844d4dc71f982da8d9f3ae0b37b4623e441eca75ba62621c524d98",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100994eaf03309d6ad9d95a656bc1744e2886f029023a3750b34f35086b3c7227f8",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAmU6vAzCdatnZWmVrwXROKIbwKQI6N1CzTzUIazxyJ/g=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 124,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "7f41ef68508343ef18813cb2fb332445ec6480cd",
+ "sig" : "bc10f88081b7be1f2505b6e76c5c82e358cf21ec11b7df1f334fb587bada465b53d9f7b4d4fec964432ee91ead1bc32ed3c82f2167da1c834a37515df7fe130e",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "3qm7ufsgUS-mfuppav14bzkoJl9SCK6rpjjzF30Ntw4",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "En035Abg2D5LVaCeIej1D7iK9H5KQ_AYzev_wZSHV_A"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "127d37e406e0d83e4b55a09e21e8f50fb88af47e4a43f018cdebffc1948757f0",
+ "sk" : "dea9bbb9fb20512fa67eea696afd786f3928265f5208aeaba638f3177d0db70e",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100127d37e406e0d83e4b55a09e21e8f50fb88af47e4a43f018cdebffc1948757f0",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAEn035Abg2D5LVaCeIej1D7iK9H5KQ/AYzev/wZSHV/A=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 125,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "e1ce107971534bc46a42ac609a1a37b4ca65791d",
+ "sig" : "00c11e76b5866b7c37528b0670188c1a0473fb93c33b72ae604a8865a7d6e094ff722e8ede3cb18389685ff3c4086c29006047466f81e71a329711e0b9294709",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "yZxSrh5h98eaFk7kkQ_cqgKUYlnqVEP2iyPXIdBHL2M",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "2DuoTt-0vsSfKb4x2Apkt8C1pQJDjNsdDdHg4-VXht4"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "d83ba84edfb4bec49f29be31d80a64b7c0b5a502438cdb1d0dd1e0e3e55786de",
+ "sk" : "c99c52ae1e61f7c79a164ee4910fdcaa02946259ea5443f68b23d721d0472f63",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100d83ba84edfb4bec49f29be31d80a64b7c0b5a502438cdb1d0dd1e0e3e55786de",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA2DuoTt+0vsSfKb4x2Apkt8C1pQJDjNsdDdHg4+VXht4=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 126,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "869a827397c585cf35acf88a8728833ab1c8c81e",
+ "sig" : "0a6f0ac47ea136cb3ff00f7a96638e4984048999ee2da0af6e5c86bffb0e70bb97406b6ad5a4b764f7c99ebb6ec0fd434b8efe253b0423ef876c037998e8ab07",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "2KqtB0nbFZVppotGBIs9PoJm4RAVAlHEKAbwdSqE6Vs",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "08mqLz1u8hehZuiuQD7UNsN_rLvjvs63jfbrQ5-PoEo"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "d3c9aa2f3d6ef217a166e8ae403ed436c37facbbe3beceb78df6eb439f8fa04a",
+ "sk" : "d8aaad0749db159569a68b46048b3d3e8266e110150251c42806f0752a84e95b",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100d3c9aa2f3d6ef217a166e8ae403ed436c37facbbe3beceb78df6eb439f8fa04a",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA08mqLz1u8hehZuiuQD7UNsN/rLvjvs63jfbrQ5+PoEo=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 127,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "619d8c4f2c93104be01cd574a385ceca08c33a9e",
+ "sig" : "b7cbb942a6661e2312f79548224f3e44f5841c6e880c68340756a00ce94a914e8404858265985e6bb97ef01d2d7e5e41340309606bfc43c8c6a8f925126b3d09",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "540mq1tybJ1N-x9jQIKr3tkEMqL9GAicfIUlOl0vx9A",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "1TKANnwcC5WsQRIhi5LGpxxR-2MSzmaN4ZbH1SoTYVU"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "d53280367c1c0b95ac4112218b92c6a71c51fb6312ce668de196c7d52a136155",
+ "sk" : "e78d26ab5b726c9d4dfb1f634082abded90432a2fd18089c7c85253a5d2fc7d0",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100d53280367c1c0b95ac4112218b92c6a71c51fb6312ce668de196c7d52a136155",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA1TKANnwcC5WsQRIhi5LGpxxR+2MSzmaN4ZbH1SoTYVU=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 128,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "5257a0bae8326d259a6ce97420c65e6c2794afe2",
+ "sig" : "27a4f24009e579173ff3064a6eff2a4d20224f8f85fdec982a9cf2e6a3b51537348a1d7851a3a932128a923a393ea84e6b35eb3473c32dceb9d7e9cab03a0f0d",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "jnylbgfxQ4rDYV_Z7HeuY2edDsBZtFlf6_QL5Z2XagU",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "lKwjNrqXpHb7TJ8rVWPkFnyiksbpnkIjUKkRrjFywxU"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "94ac2336ba97a476fb4c9f2b5563e4167ca292c6e99e422350a911ae3172c315",
+ "sk" : "8e7ca56e07f1438ac3615fd9ec77ae63679d0ec059b4595febf40be59d976a05",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b657003210094ac2336ba97a476fb4c9f2b5563e4167ca292c6e99e422350a911ae3172c315",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAlKwjNrqXpHb7TJ8rVWPkFnyiksbpnkIjUKkRrjFywxU=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 129,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "5acb6afc9b368f7acac0e71f6a4831c72d628405",
+ "sig" : "985b605fe3f449f68081197a68c714da0bfbf6ac2ab9abb0508b6384ea4999cb8d79af98e86f589409e8d2609a8f8bd7e80aaa8d92a84e7737fbe8dcef41920a",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "53Ulr1hWq531q7ZOUxJXa0mMwn9h8mbiHzguBSbU5vs",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "4ecxbSMffydb30AzYDBNoVCf3xrx_SXKIU6qwKKJOY8"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "e1e7316d231f7f275bdf403360304da1509fdf1af1fd25ca214eaac0a289398f",
+ "sk" : "e77525af5856ab9df5abb64e5312576b498cc27f61f266e21f382e0526d4e6fb",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100e1e7316d231f7f275bdf403360304da1509fdf1af1fd25ca214eaac0a289398f",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA4ecxbSMffydb30AzYDBNoVCf3xrx/SXKIU6qwKKJOY8=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 130,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "3c87b3453277b353941591fc7eaa7dd37604b42a",
+ "sig" : "1c8fbda3d39e2b441f06da6071c13115cb4115c7c3341704cf6513324d4cf1ef4a1dd7678a048b0dde84e48994d080befcd70854079d44b6a0b0f9fa002d130c",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "H0MjWtcW8b63VKsPVG36k0SI_fdHK0k9fMPGA1MAXSQ",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "__vupxIV76-YiP7CzGjts3A_8Rpm_WKbU8vaXqvBh1A"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "fffbeea71215efaf9888fec2cc68edb3703ff11a66fd629b53cbda5eabc18750",
+ "sk" : "1f43235ad716f1beb754ab0f546dfa934488fdf7472b493d7cc3c60353005d24",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100fffbeea71215efaf9888fec2cc68edb3703ff11a66fd629b53cbda5eabc18750",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA//vupxIV76+YiP7CzGjts3A/8Rpm/WKbU8vaXqvBh1A=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 131,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "0a68e27ef6847bfd9e398b328a0ded3679d4649d",
+ "sig" : "59097233eb141ed948b4f3c28a9496b9a7eca77454ecfe7e46737d1449a0b76b15aacf77cf48af27a668aa4434cfa26c504d75a2bcc4feac46465446234c0508",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "OXd4W5-MUyDlGjoW-MwixPfmSFdhf5VQFH-jXWhco08",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "GczAUnWZywMuC0xNdOYPE5AXaKmd8EHDvBv2wO8nEWk"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "19ccc0527599cb032e0b4c4d74e60f13901768a99df041c3bc1bf6c0ef271169",
+ "sk" : "3977785b9f8c5320e51a3a16f8cc22c4f7e64857617f9550147fa35d685ca34f",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b657003210019ccc0527599cb032e0b4c4d74e60f13901768a99df041c3bc1bf6c0ef271169",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAGczAUnWZywMuC0xNdOYPE5AXaKmd8EHDvBv2wO8nEWk=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 132,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "4e9bef60737c7d4dd10bd52567e1473a36d3573d",
+ "sig" : "519105608508fe2f1b6da4cc8b23e39798b1d18d25972beed0404cec722e01ba1b6a0f85e99e092cca8076b101b60d4ac5035684357f4d0daacdc642da742a06",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "GqRBXF2wExvsb6GI0MI9SaZb95VlcVP66Ud34_Gbz1Q",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "DnJuJwR1Y6oKGpwuCF2NJq8qy6Ep0IacZQMePmysMpo"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "0e726e27047563aa0a1a9c2e085d8d26af2acba129d0869c65031e3e6cac329a",
+ "sk" : "1aa4415c5db0131bec6fa188d0c23d49a65bf795657153fae94777e3f19bcf54",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321000e726e27047563aa0a1a9c2e085d8d26af2acba129d0869c65031e3e6cac329a",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEADnJuJwR1Y6oKGpwuCF2NJq8qy6Ep0IacZQMePmysMpo=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 133,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "cc82b3163efda3ba7e9240e765112caa69113694",
+ "sig" : "d8b03ee579e73f16477527fc9dc37a72eaac0748a733772c483ba013944f01ef64fb4ec5e3a95021dc22f4ae282baff6e9b9cc8433c6b6710d82e7397d72ef04",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "D7doClDT8pQAd-pN_LfrBAoSXE9LXc76FtOvlo_I5d4",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "53cXtUorXlvOW8y48MX9tf1993rCVAIPyRINwNTfQXg"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "e77717b54a2b5e5bce5bccb8f0c5fdb5fd7df77ac254020fc9120dc0d4df4178",
+ "sk" : "0fb7680a50d3f2940077ea4dfcb7eb040a125c4f4b5dcefa16d3af968fc8e5de",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100e77717b54a2b5e5bce5bccb8f0c5fdb5fd7df77ac254020fc9120dc0d4df4178",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA53cXtUorXlvOW8y48MX9tf1993rCVAIPyRINwNTfQXg=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 134,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "923a5c9e7b5635bb6c32c5a408a4a15b652450eb",
+ "sig" : "26da61fdfd38e6d01792813f27840c8b4766b0faaed39d0ee898cb450d94a5d5f57e58b6a003d7f9b56b20561954c6edcf66492d116b8b5e91f205a3a6449d0b",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "4iLERNa8ikeWoNWi1x0ZuYhFzFbjnKr4Iz6kxrBwTwk",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "YiCXLT99FQs2eQ19UiOEh21k1kDNmRMYaBXhYpWC7TY"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "6220972d3f7d150b36790d7d522384876d64d640cd9913186815e1629582ed36",
+ "sk" : "e222c444d6bc8a4796a0d5a2d71d19b98845cc56e39caaf8233ea4c6b0704f09",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321006220972d3f7d150b36790d7d522384876d64d640cd9913186815e1629582ed36",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAYiCXLT99FQs2eQ19UiOEh21k1kDNmRMYaBXhYpWC7TY=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 135,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "6f2f0245de4587062979d0422d349f93ccdc3af2",
+ "sig" : "4adeaff7a58c5010a5a067feea0ae504d37b0c6a76c6c153e222f13409dff2df0fab69bc5059b97d925dc1b89e9851d7c627cb82d65585f9fd976124553f8902",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "qJ6hhHa5rZDLFLix_yR3fk69AVvIEKYHhakVTazzvlI",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "e2SijFDsdnipDj4aIVIuMKydt7UhWuor-zO-oDfquYc"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "7b64a28c50ec7678a90e3e1a21522e30ac9db7b5215aea2bfb33bea037eab987",
+ "sk" : "a89ea18476b9ad90cb14b8b1ff24777e4ebd015bc810a60785a9154dacf3be52",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321007b64a28c50ec7678a90e3e1a21522e30ac9db7b5215aea2bfb33bea037eab987",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAe2SijFDsdnipDj4aIVIuMKydt7UhWuor+zO+oDfquYc=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 136,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "6e911edb27a170b983d4dee1110554f804330f41",
+ "sig" : "4204d620cde0c3008c0b2901f5d6b44f88f0e3cb4f4d62252bf6f3cb37c1fb150a9ccb296afe5e7c75f65b5c8edd13dc4910ffe1e1265b3707c59042cf9a5902",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "abHaVs3o0WdsKowOf5XH0L9gc579EwTdLMsCcp0Xoiw",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "ckRSIQqeTJlIGSKb8Sv4TpV2ijqXwI2Nj1-TmkytNMU"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "724452210a9e4c994819229bf12bf84e95768a3a97c08d8d8f5f939a4cad34c5",
+ "sk" : "69b1da56cde8d1676c2a8c0e7f95c7d0bf60739efd1304dd2ccb02729d17a22c",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100724452210a9e4c994819229bf12bf84e95768a3a97c08d8d8f5f939a4cad34c5",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAckRSIQqeTJlIGSKb8Sv4TpV2ijqXwI2Nj1+TmkytNMU=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 137,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "b8cf807eea809aaf739aa091f3b7a3f2fd39fb51",
+ "sig" : "f8a69d3fd8c2ff0a9dec41e4c6b43675ce08366a35e220b1185ffc246c339e22c20ac661e866f52054015efd04f42eca2adcee6834c4df923b4a62576e4dff0e",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "szImXPlVlfDJAiFZO1orPFdNYNxjTd_2GG8O7XmAo4M",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "utJlspTtL0IstqFBaUCGI4-_6YdXGqdl2LTzokEFqgE"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "bad265b294ed2f422cb6a141694086238fbfe987571aa765d8b4f3a24105aa01",
+ "sk" : "b332265cf95595f0c90221593b5a2b3c574d60dc634ddff6186f0eed7980a383",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100bad265b294ed2f422cb6a141694086238fbfe987571aa765d8b4f3a24105aa01",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAutJlspTtL0IstqFBaUCGI4+/6YdXGqdl2LTzokEFqgE=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 138,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "01a2b5f7fee813b4e9bd7fc25137648004795010",
+ "sig" : "61792c9442bc6338ac41fd42a40bee9b02ec1836503d60ff725128c63d72808880c36e6190b7da525cbee5d12900aa043547dd14a2709ef9e49d628f37f6b70c",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "-uyXZLNp3w7xCJDdAixQLlUaMiK0PoQpRVSWx2_upF0",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "Cq7ktyPbm1G6fSLrI-uKdqWsAvT8ndBvd76kLh037Fo"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "0aaee4b723db9b51ba7d22eb23eb8a76a5ac02f4fc9dd06f77bea42e1d37ec5a",
+ "sk" : "faec9764b369df0ef10890dd022c502e551a3222b43e8429455496c76feea45d",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321000aaee4b723db9b51ba7d22eb23eb8a76a5ac02f4fc9dd06f77bea42e1d37ec5a",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEACq7ktyPbm1G6fSLrI+uKdqWsAvT8ndBvd76kLh037Fo=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 139,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "0fbf5d47cb5d498feace8f98f1896208da38a885",
+ "sig" : "fa3cd41e3a8c00b19eecd404a63c3cb787cd30de0dfc936966cff2117f5aff18db6bef80fcfd8856f3fb2e9c3dc47593e9471103032af918feee638a33d40505",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "TrGeJ496MKBqfVXkLER3X0qBt6RcBRKq4CYmLnF3Daw",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "gSNErxWpG6g8LJHpbxcnrA88TEE4W5-oTvo5mtpRaL4"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "812344af15a91ba83c2c91e96f1727ac0f3c4c41385b9fa84efa399ada5168be",
+ "sk" : "4eb19e278f7a30a06a7d55e42c44775f4a81b7a45c0512aae026262e71770dac",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100812344af15a91ba83c2c91e96f1727ac0f3c4c41385b9fa84efa399ada5168be",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAgSNErxWpG6g8LJHpbxcnrA88TEE4W5+oTvo5mtpRaL4=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 140,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "36e67c1939750bffb3e4ba6cb85562612275e862",
+ "sig" : "97fbbcd7a1d0eb42d2f8c42448ef35a2c2472740556b645547865330d6c57068af377fced08aaf810c08cd3c43d296f1975710312e9334c98b485f831efa4103",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "GZjVlJyrNloA-Cjn0XsGxwjTP-8AMdNTpOFb9yIqc7A",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "DuXLVZf7343MxIsBSF45szqhM7UtMNI3QCdyZ8_sPj4"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "0ee5cb5597fbdf8dccc48b01485e39b33aa133b52d30d23740277267cfec3e3e",
+ "sk" : "1998d5949cab365a00f828e7d17b06c708d33fef0031d353a4e15bf7222a73b0",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321000ee5cb5597fbdf8dccc48b01485e39b33aa133b52d30d23740277267cfec3e3e",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEADuXLVZf7343MxIsBSF45szqhM7UtMNI3QCdyZ8/sPj4=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 141,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "13945c894c1d3fe8562e8b20e5f0efaa26ade8e3",
+ "sig" : "d7dbaa337ffd2a5fd8d5fd8ad5aeccc0c0f83795c2c59fe62a40b87903b1ae62ed748a8df5af4d32f9f822a65d0e498b6f40eaf369a9342a1164ee7d08b58103",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "YWRnYRTGa9mIfaw0HGYgncWHzPDMXNm6_9-skpWgDEo",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "n7od6StgtbRwMIl2PQ1vkSXk3X765B8IoiiCrvloksQ"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "9fba1de92b60b5b4703089763d0d6f9125e4dd7efae41f08a22882aef96892c4",
+ "sk" : "6164676114c66bd9887dac341c66209dc587ccf0cc5cd9baffdfac9295a00c4a",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321009fba1de92b60b5b4703089763d0d6f9125e4dd7efae41f08a22882aef96892c4",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAn7od6StgtbRwMIl2PQ1vkSXk3X765B8IoiiCrvloksQ=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 142,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "4de142af4b8402f80a47fa812df84f42e283cee7",
+ "sig" : "09a2ed303a2fa7027a1dd7c3b0d25121eeed2b644a2fbc17aa0c8aea4524071ede7e7dd7a536d5497f8165d29e4e1b63200f74bbae39fbbbccb29889c62c1f09",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "SwvQOgOyAGnMvMIUp0SEc_TnpJH6fOtI3b4kyDxKpLs",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "dYKrG1LhMW5cE2cfQ7Oco2soEzzQgygxvN3QsPIzmMs"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "7582ab1b52e1316e5c13671f43b39ca36b28133cd0832831bcddd0b0f23398cb",
+ "sk" : "4b0bd03a03b20069ccbcc214a7448473f4e7a491fa7ceb48ddbe24c83c4aa4bb",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b65700321007582ab1b52e1316e5c13671f43b39ca36b28133cd0832831bcddd0b0f23398cb",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAdYKrG1LhMW5cE2cfQ7Oco2soEzzQgygxvN3QsPIzmMs=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 143,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "563357f41b8b23b1d83f19f5667177a67da20b18",
+ "sig" : "e6884a6e6b2e60a0b5862251c001e7c79d581d777d6fc11d218d0aecd79f26a30e2ca22cc7c4674f8b72655bc4ee5cb5494ca07c05177656142ac55cc9d33e02",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "L854cL4fOS0h-x0jUOx4d9uKqZs1n-W91TOP81p5HRw",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "3S1ni64iLz-26CePCMyeGmYznJJsKawKFvlxf17hjNg"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "dd2d678bae222f3fb6e8278f08cc9e1a66339c926c29ac0a16f9717f5ee18cd8",
+ "sk" : "2fce7870be1f392d21fb1d2350ec7877db8aa99b359fe5bdd5338ff35a791d1c",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100dd2d678bae222f3fb6e8278f08cc9e1a66339c926c29ac0a16f9717f5ee18cd8",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA3S1ni64iLz+26CePCMyeGmYznJJsKawKFvlxf17hjNg=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 144,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "931bbf9c877a6571cf7d4609fc3eb867edd43f51",
+ "sig" : "6124c206d864507ea5d984b363b4cf583314db6856a45ded5e61eebff4d5e337e0b4c82b445ae2e52d549d2d961eace2ea01f81158e09a9686baa040db65ad08",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ },
+ {
+ "jwk" : {
+ "crv" : "Ed25519",
+ "d" : "qazkIZXduzoW82ayTdnTeooEPtLmAB9UZSKWdQN5Nn0",
+ "kid" : "none",
+ "kty" : "OKP",
+ "x" : "zL58suS8IVzuL4heHSL34NWCsru9eCwQTlSLFS0m_Gk"
+ },
+ "key" : {
+ "curve" : "edwards25519",
+ "keySize" : 255,
+ "pk" : "ccbe7cb2e4bc215cee2f885e1d22f7e0d582b2bbbd782c104e548b152d26fc69",
+ "sk" : "a9ace42195ddbb3a16f366b24dd9d37a8a043ed2e6001f54652296750379367d",
+ "type" : "EDDSAKeyPair"
+ },
+ "keyDer" : "302a300506032b6570032100ccbe7cb2e4bc215cee2f885e1d22f7e0d582b2bbbd782c104e548b152d26fc69",
+ "keyPem" : "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAzL58suS8IVzuL4heHSL34NWCsru9eCwQTlSLFS0m/Gk=\n-----END PUBLIC KEY-----\n",
+ "type" : "EddsaVerify",
+ "tests" : [
+ {
+ "tcId" : 145,
+ "comment" : "regression test for arithmetic error",
+ "msg" : "44530b0b34f598767a7b875b0caee3c7b9c502d1",
+ "sig" : "cfbd450a2c83cb8436c348822fe3ee347d4ee937b7f2ea11ed755cc52852407c9eec2c1fa30d2f9aef90e89b2cc3bcef2b1b9ca59f712110d19894a9cf6a2802",
+ "result" : "valid",
+ "flags" : []
+ }
+ ]
+ }
+ ]
+}
diff --git a/security/nss/gtests/freebl_gtest/ed25519_unittest.cc b/security/nss/gtests/freebl_gtest/ed25519_unittest.cc
new file mode 100644
index 0000000000..e1dad02839
--- /dev/null
+++ b/security/nss/gtests/freebl_gtest/ed25519_unittest.cc
@@ -0,0 +1,148 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#include "gtest/gtest.h"
+
+#include <stdint.h>
+
+#include "blapi.h"
+#include "nss_scoped_ptrs.h"
+#include "secerr.h"
+
+namespace nss_test {
+
+class EDDSATest : public ::testing::Test {
+ protected:
+ std::vector<uint8_t> hexStringToBytes(std::string s) {
+ std::vector<uint8_t> bytes;
+ for (size_t i = 0; i < s.length(); i += 2) {
+ bytes.push_back(std::stoul(s.substr(i, 2), nullptr, 16));
+ }
+ return bytes;
+ }
+ std::string bytesToHexString(std::vector<uint8_t> bytes) {
+ std::stringstream s;
+ for (auto b : bytes) {
+ s << std::setfill('0') << std::setw(2) << std::uppercase << std::hex
+ << static_cast<int>(b);
+ }
+ return s.str();
+ }
+
+ void TestEd25519_Sign(const std::string secret, const std::string p,
+ const std::string msg, const std::string signature) {
+ std::vector<uint8_t> secret_bytes = hexStringToBytes(secret);
+ ASSERT_GT(secret_bytes.size(), 0U);
+ SECItem secret_value = {siBuffer, secret_bytes.data(),
+ static_cast<unsigned int>(secret_bytes.size())};
+
+ std::vector<uint8_t> msg_bytes = hexStringToBytes(msg);
+ const SECItem msg_value = {siBuffer, msg_bytes.data(),
+ static_cast<unsigned int>(msg_bytes.size())};
+
+ std::vector<uint8_t> public_bytes = hexStringToBytes(p);
+ const SECItem public_value = {
+ siBuffer, public_bytes.data(),
+ static_cast<unsigned int>(public_bytes.size())};
+
+ ScopedSECItem signature_item(
+ SECITEM_AllocItem(nullptr, nullptr, ED25519_SIGN_LEN));
+
+ ECPrivateKey key;
+ key.privateValue = secret_value;
+
+ ECParams ecParams = {0};
+
+ ScopedSECItem ecEncodedParams(SECITEM_AllocItem(nullptr, nullptr, 0U));
+ ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+ ASSERT_TRUE(arena && ecEncodedParams);
+
+ ecParams.name = ECCurve_Ed25519;
+ key.ecParams = ecParams;
+
+ SECStatus rv = ED_SignMessage(&key, signature_item.get(), &msg_value);
+ ASSERT_EQ(SECSuccess, rv);
+
+ ECPublicKey public_key;
+ public_key.publicValue = public_value;
+ public_key.ecParams = ecParams;
+
+ rv = ED_VerifyMessage(&public_key, signature_item.get(), &msg_value);
+ ASSERT_EQ(SECSuccess, rv);
+
+ std::string signature_result = bytesToHexString(std::vector<uint8_t>(
+ signature_item->data, signature_item->data + signature_item->len));
+ EXPECT_EQ(signature_result, signature);
+ }
+};
+
+TEST_F(EDDSATest, TestEd25519_Sign) {
+ TestEd25519_Sign(
+ "4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb",
+ "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c", "72",
+ "92A009A9F0D4CAB8720E820B5F642540A2B27B5416503F8FB3762223EBDB69DA085AC1E4"
+ "3E15996E458F3613D0F11D8C387B2EAEB4302AEEB00D291612BB0C00");
+}
+TEST_F(EDDSATest, TestEd25519_Sign2) {
+ TestEd25519_Sign(
+ "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60",
+ "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a", "",
+ "E5564300C360AC729086E2CC806E828A84877F1EB8E5D974D873E065224901555FB88215"
+ "90A33BACC61E39701CF9B46BD25BF5F0595BBE24655141438E7A100B");
+}
+TEST_F(EDDSATest, TestEd25519_Sign3) {
+ TestEd25519_Sign(
+ "c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7",
+ "fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025",
+ "af82",
+ "6291D657DEEC24024827E69C3ABE01A30CE548A284743A445E3680D7DB5AC3AC18FF9B53"
+ "8D16F290AE67F760984DC6594A7C15E9716ED28DC027BECEEA1EC40A");
+}
+TEST_F(EDDSATest, TestEd25519_Sign4) {
+ TestEd25519_Sign(
+ "f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5",
+ "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
+ "08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264b"
+ "f09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996"
+ "d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432"
+ "826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a"
+ "7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da9"
+ "03401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628"
+ "c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206b"
+ "e6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1"
+ "85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70e"
+ "b6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6"
+ "079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c6"
+ "5adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089b"
+ "eccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80"
+ "c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22"
+ "f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2"
+ "af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7"
+ "51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30"
+ "c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb"
+ "3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1d"
+ "c54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7"
+ "984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276c"
+ "d419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d"
+ "5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504cc"
+ "c493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f"
+ "b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba7"
+ "7c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45"
+ "a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcd"
+ "d306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8ca"
+ "c60c905c15fc910840b94c00a0b9d0",
+ "0AAB4C900501B3E24D7CDF4663326A3A87DF5E4843B2CBDB67CBF6E460FEC350AA5371B1"
+ "508F9F4528ECEA23C436D94B5E8FCD4F681E30A6AC00A9704A188A03");
+}
+TEST_F(EDDSATest, TestEd25519_Sign5) {
+ TestEd25519_Sign(
+ "833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42",
+ "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf",
+ "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a"
+ "274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f",
+ "DC2A4459E7369633A52B1BF277839A00201009A3EFBF3ECB69BEA2186C26B58909351FC9"
+ "AC90B3ECFDFBC7C66431E0303DCA179C138AC17AD9BEF1177331A704");
+}
+
+} // namespace nss_test
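Review bot: `ECPrivateKey key;` and `ECPublicKey public_key;` in `TestEd25519_Sign` are left uninitialised apart from the members the test assigns, so `ED_SignMessage`/`ED_VerifyMessage` would read indeterminate `publicValue`/`privateValue`/`version` fields if they ever inspect them; value-initialise both with `ECPrivateKey key = {};` and `ECPublicKey public_key = {};`. `ecEncodedParams` and `arena` are allocated and asserted but never used afterwards and can be dropped along with their `ASSERT_TRUE`. The file uses `std::vector`, `std::string`, `std::stringstream` and `std::setw`/`std::setfill` without including `<vector>`, `<string>`, `<sstream>` or `<iomanip>`, relying on gtest's transitive includes. `TestEd25519_Sign2` signs an empty message and expects `SECSuccess`, while the header comment in the new pk11_eddsa_vectors.h says the first RFC 8032 vector is skipped because NSS does not support signing empty messages; one of the two is presumably stale, and the comment should say which layer the restriction applies to.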
diff --git a/security/nss/gtests/freebl_gtest/freebl_gtest.gyp b/security/nss/gtests/freebl_gtest/freebl_gtest.gyp
index ed1a557172..c7988776db 100644
--- a/security/nss/gtests/freebl_gtest/freebl_gtest.gyp
+++ b/security/nss/gtests/freebl_gtest/freebl_gtest.gyp
@@ -40,6 +40,7 @@
'mpi_unittest.cc',
'prng_kat_unittest.cc',
'rsa_unittest.cc',
+ 'ed25519_unittest.cc',
'<(DEPTH)/gtests/common/gtests.cc'
],
'dependencies': [
diff --git a/security/nss/gtests/pk11_gtest/manifest.mn b/security/nss/gtests/pk11_gtest/manifest.mn
index 7bfcb82f58..f9efc25e70 100644
--- a/security/nss/gtests/pk11_gtest/manifest.mn
+++ b/security/nss/gtests/pk11_gtest/manifest.mn
@@ -19,6 +19,7 @@ CPPSRCS = \
pk11_des_unittest.cc \
pk11_dsa_unittest.cc \
pk11_ecdsa_unittest.cc \
+ pk11_eddsa_unittest.cc \
pk11_ecdh_unittest.cc \
pk11_encrypt_derive_unittest.cc \
pk11_export_unittest.cc \
@@ -33,6 +34,7 @@ CPPSRCS = \
pk11_keygen.cc \
pk11_key_unittest.cc \
pk11_module_unittest.cc \
+ pk11_pbe_unittest.cc \
pk11_pbkdf2_unittest.cc \
pk11_prf_unittest.cc \
pk11_prng_unittest.cc \
diff --git a/security/nss/gtests/pk11_gtest/pk11_eddsa_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_eddsa_unittest.cc
new file mode 100644
index 0000000000..669ac75243
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_eddsa_unittest.cc
@@ -0,0 +1,177 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+#include "sechash.h"
+#include "cryptohi.h"
+
+#include "cpputil.h"
+#include "json_reader.h"
+#include "nss_scoped_ptrs.h"
+#include "testvectors_base/test-structs.h"
+
+#include "pk11_eddsa_vectors.h"
+#include "pk11_signature_test.h"
+#include "pk11_keygen.h"
+
+namespace nss_test {
+static const Pkcs11SignatureTestParams kEddsaVectors[] = {
+ {DataBuffer(kEd25519Pkcs8_1, sizeof(kEd25519Pkcs8_1)),
+ DataBuffer(kEd25519Spki_1, sizeof(kEd25519Spki_1)),
+ DataBuffer(kEd25519Message_1, sizeof(kEd25519Message_1)),
+ DataBuffer(kEd25519Signature_1, sizeof(kEd25519Signature_1))},
+
+ {DataBuffer(kEd25519Pkcs8_2, sizeof(kEd25519Pkcs8_2)),
+ DataBuffer(kEd25519Spki_2, sizeof(kEd25519Spki_2)),
+ DataBuffer(kEd25519Message_2, sizeof(kEd25519Message_2)),
+ DataBuffer(kEd25519Signature_2, sizeof(kEd25519Signature_2))},
+
+ {DataBuffer(kEd25519Pkcs8_3, sizeof(kEd25519Pkcs8_3)),
+ DataBuffer(kEd25519Spki_3, sizeof(kEd25519Spki_3)),
+ DataBuffer(kEd25519Message_3, sizeof(kEd25519Message_3)),
+ DataBuffer(kEd25519Signature_3, sizeof(kEd25519Signature_3))}};
+
+class Pkcs11EddsaTest
+ : public Pk11SignatureTest,
+ public ::testing::WithParamInterface<Pkcs11SignatureTestParams> {
+ protected:
+ Pkcs11EddsaTest() : Pk11SignatureTest(CKM_EDDSA) {}
+};
+
+TEST_P(Pkcs11EddsaTest, SignAndVerify) { SignAndVerifyRaw(GetParam()); }
+
+TEST_P(Pkcs11EddsaTest, ImportExport) { ImportExport(GetParam().pkcs8_); }
+
+TEST_P(Pkcs11EddsaTest, ImportConvertToPublic) {
+ ScopedSECKEYPrivateKey privKey(ImportPrivateKey(GetParam().pkcs8_));
+ ASSERT_TRUE(privKey);
+
+ ScopedSECKEYPublicKey pubKey(SECKEY_ConvertToPublicKey(privKey.get()));
+ ASSERT_TRUE(pubKey);
+}
+
+TEST_P(Pkcs11EddsaTest, ImportPublicCreateSubjectPKInfo) {
+ ScopedSECKEYPrivateKey privKey(ImportPrivateKey(GetParam().pkcs8_));
+ ASSERT_TRUE(privKey);
+
+ ScopedSECKEYPublicKey pubKey(
+ (SECKEYPublicKey*)SECKEY_ConvertToPublicKey(privKey.get()));
+ ASSERT_TRUE(pubKey);
+
+ ScopedSECItem der_spki(SECKEY_EncodeDERSubjectPublicKeyInfo(pubKey.get()));
+ ASSERT_TRUE(der_spki);
+ ASSERT_EQ(der_spki->len, GetParam().spki_.len());
+ ASSERT_EQ(0, memcmp(der_spki->data, GetParam().spki_.data(), der_spki->len));
+}
+
+INSTANTIATE_TEST_SUITE_P(EddsaSignVerify, Pkcs11EddsaTest,
+ ::testing::ValuesIn(kEddsaVectors));
+
+class Pkcs11EddsaRoundtripTest
+ : public Pk11SignatureTest,
+ public ::testing::WithParamInterface<Pkcs11SignatureTestParams> {
+ protected:
+ Pkcs11EddsaRoundtripTest() : Pk11SignatureTest(CKM_EDDSA) {}
+
+ protected:
+ void GenerateExportImportSignVerify(Pkcs11SignatureTestParams params) {
+ Pkcs11KeyPairGenerator generator(CKM_EC_EDWARDS_KEY_PAIR_GEN);
+ ScopedSECKEYPrivateKey priv;
+ ScopedSECKEYPublicKey pub;
+ generator.GenerateKey(&priv, &pub, false);
+
+ DataBuffer exported;
+ ExportPrivateKey(&priv, exported);
+
+ ScopedSECKEYPrivateKey privKey(ImportPrivateKey(exported));
+ ASSERT_NE(privKey, nullptr);
+ DataBuffer sig;
+
+ SignRaw(privKey, params.data_, &sig);
+ Verify(pub, params.data_, sig);
+ }
+};
+
+TEST_P(Pkcs11EddsaRoundtripTest, GenerateExportImportSignVerify) {
+ GenerateExportImportSignVerify(GetParam());
+}
+
+INSTANTIATE_TEST_SUITE_P(EddsaRound, Pkcs11EddsaRoundtripTest,
+ ::testing::ValuesIn(kEddsaVectors));
+
+class Pkcs11EddsaWycheproofTest : public ::testing::Test {
+ protected:
+ void Run(const std::string& name) {
+ WycheproofHeader(name, "EDDSA", "eddsa_verify_schema.json",
+ [this](JsonReader& r) { RunGroup(r); });
+ }
+
+ private:
+ void RunGroup(JsonReader& r) {
+ std::vector<EddsaTestVector> tests;
+ std::vector<uint8_t> public_key;
+
+ while (r.NextItem()) {
+ std::string n = r.ReadLabel();
+ if (n == "") {
+ break;
+ }
+
+ if (n == "jwk" || n == "key" || n == "keyPem") {
+ r.SkipValue();
+ } else if (n == "keyDer") {
+ public_key = r.ReadHex();
+ } else if (n == "type") {
+ ASSERT_EQ("EddsaVerify", r.ReadString());
+ } else if (n == "tests") {
+ WycheproofReadTests(r, &tests, ReadTestAttr);
+ } else {
+ FAIL() << "unknown label in group: " << n;
+ }
+ }
+
+ for (auto& t : tests) {
+ std::cout << "Running test " << t.id << std::endl;
+ t.public_key = public_key;
+ Derive(t);
+ }
+ }
+
+ static void ReadTestAttr(EddsaTestVector& t, const std::string& n,
+ JsonReader& r) {
+ if (n == "msg") {
+ t.msg = r.ReadHex();
+ } else if (n == "sig") {
+ t.sig = r.ReadHex();
+ } else {
+ FAIL() << "unknown test key: " << n;
+ }
+ }
+
+ void Derive(const EddsaTestVector& vec) {
+ SECItem spki_item = {siBuffer, toUcharPtr(vec.public_key.data()),
+ static_cast<unsigned int>(vec.public_key.size())};
+ SECItem sig_item = {siBuffer, toUcharPtr(vec.sig.data()),
+ static_cast<unsigned int>(vec.sig.size())};
+ SECItem msg_item = {siBuffer, toUcharPtr(vec.msg.data()),
+ static_cast<unsigned int>(vec.msg.size())};
+
+ ScopedCERTSubjectPublicKeyInfo cert_spki(
+ SECKEY_DecodeDERSubjectPublicKeyInfo(&spki_item));
+ ASSERT_TRUE(cert_spki);
+
+ ScopedSECKEYPublicKey pub_key(SECKEY_ExtractPublicKey(cert_spki.get()));
+ ASSERT_TRUE(pub_key);
+
+ SECStatus rv = PK11_VerifyWithMechanism(pub_key.get(), CKM_EDDSA, nullptr,
+ &sig_item, &msg_item, nullptr);
+ EXPECT_EQ(rv, vec.valid ? SECSuccess : SECFailure);
+ };
+};
+
+TEST_F(Pkcs11EddsaWycheproofTest, Ed25519) { Run("eddsa"); }
+
+} // namespace nss_test
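Review bot: In `GenerateExportImportSignVerify` the outcome of `generator.GenerateKey(&priv, &pub, false)` is never checked before `priv` is handed to `ExportPrivateKey` and `pub` to `Verify`; unless `GenerateKey` asserts internally, a failed key generation becomes a null dereference instead of a test failure, so add `ASSERT_TRUE(priv); ASSERT_TRUE(pub);` directly after the call. `ImportPublicCreateSubjectPKInfo` wraps `SECKEY_ConvertToPublicKey` in a C-style `(SECKEYPublicKey*)` cast that `ImportConvertToPublic` does without; drop it for consistency. `Derive` ends with `};` — the trailing semicolon after the member function body is stray. The per-vector `std::cout << "Running test " << t.id` line needs `<iostream>`, which is not included, and prints on every passing run; `SCOPED_TRACE(t.id)` would attach the id only to failures.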
diff --git a/security/nss/gtests/pk11_gtest/pk11_eddsa_vectors.h b/security/nss/gtests/pk11_gtest/pk11_eddsa_vectors.h
new file mode 100644
index 0000000000..896906ad50
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_eddsa_vectors.h
@@ -0,0 +1,164 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+namespace nss_test {
+/* The test vectors are coming from
+ * https://tools.ietf.org/html/rfc8032#section-7.
+ * The first TV is skipped, as NSS does not support signing empty messages.
+ */
+
+const uint8_t kEd25519Pkcs8_1[] = {
+ 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,
+ 0x04, 0x22, 0x04, 0x20, 0x4c, 0xcd, 0x08, 0x9b, 0x28, 0xff, 0x96, 0xda,
+ 0x9d, 0xb6, 0xc3, 0x46, 0xec, 0x11, 0x4e, 0x0f, 0x5b, 0x8a, 0x31, 0x9f,
+ 0x35, 0xab, 0xa6, 0x24, 0xda, 0x8c, 0xf6, 0xed, 0x4f, 0xb8, 0xa6, 0xfb,
+};
+
+const uint8_t kEd25519Spki_1[] = {
+ 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21,
+ 0x00, 0x3d, 0x40, 0x17, 0xc3, 0xe8, 0x43, 0x89, 0x5a, 0x92, 0xb7,
+ 0x0a, 0xa7, 0x4d, 0x1b, 0x7e, 0xbc, 0x9c, 0x98, 0x2c, 0xcf, 0x2e,
+ 0xc4, 0x96, 0x8c, 0xc0, 0xcd, 0x55, 0xf1, 0x2a, 0xf4, 0x66, 0x0c};
+
+const uint8_t kEd25519Message_1[] = {0x72};
+
+const uint8_t kEd25519Signature_1[64] = {
+ 0x92, 0xa0, 0x09, 0xa9, 0xf0, 0xd4, 0xca, 0xb8, 0x72, 0x0e, 0x82,
+ 0x0b, 0x5f, 0x64, 0x25, 0x40, 0xa2, 0xb2, 0x7b, 0x54, 0x16, 0x50,
+ 0x3f, 0x8f, 0xb3, 0x76, 0x22, 0x23, 0xeb, 0xdb, 0x69, 0xda, 0x08,
+ 0x5a, 0xc1, 0xe4, 0x3e, 0x15, 0x99, 0x6e, 0x45, 0x8f, 0x36, 0x13,
+ 0xd0, 0xf1, 0x1d, 0x8c, 0x38, 0x7b, 0x2e, 0xae, 0xb4, 0x30, 0x2a,
+ 0xee, 0xb0, 0x0d, 0x29, 0x16, 0x12, 0xbb, 0x0c, 0x00};
+
+const uint8_t kEd25519Pkcs8_2[] = {
+ 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,
+ 0x04, 0x22, 0x04, 0x20, 0xc5, 0xaa, 0x8d, 0xf4, 0x3f, 0x9f, 0x83, 0x7b,
+ 0xed, 0xb7, 0x44, 0x2f, 0x31, 0xdc, 0xb7, 0xb1, 0x66, 0xd3, 0x85, 0x35,
+ 0x07, 0x6f, 0x09, 0x4b, 0x85, 0xce, 0x3a, 0x2e, 0x0b, 0x44, 0x58, 0xf7};
+
+const uint8_t kEd25519Spki_2[] = {
+ 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21,
+ 0x00, 0xfc, 0x51, 0xcd, 0x8e, 0x62, 0x18, 0xa1, 0xa3, 0x8d, 0xa4,
+ 0x7e, 0xd0, 0x02, 0x30, 0xf0, 0x58, 0x08, 0x16, 0xed, 0x13, 0xba,
+ 0x33, 0x03, 0xac, 0x5d, 0xeb, 0x91, 0x15, 0x48, 0x90, 0x80, 0x25};
+
+const uint8_t kEd25519Message_2[] = {0xaf, 0x82};
+
+const uint8_t kEd25519Signature_2[64] = {
+ 0x62, 0x91, 0xd6, 0x57, 0xde, 0xec, 0x24, 0x02, 0x48, 0x27, 0xe6,
+ 0x9c, 0x3a, 0xbe, 0x01, 0xa3, 0x0c, 0xe5, 0x48, 0xa2, 0x84, 0x74,
+ 0x3a, 0x44, 0x5e, 0x36, 0x80, 0xd7, 0xdb, 0x5a, 0xc3, 0xac, 0x18,
+ 0xff, 0x9b, 0x53, 0x8d, 0x16, 0xf2, 0x90, 0xae, 0x67, 0xf7, 0x60,
+ 0x98, 0x4d, 0xc6, 0x59, 0x4a, 0x7c, 0x15, 0xe9, 0x71, 0x6e, 0xd2,
+ 0x8d, 0xc0, 0x27, 0xbe, 0xce, 0xea, 0x1e, 0xc4, 0x0a};
+
+const uint8_t kEd25519Pkcs8_3[] = {
+ 0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,
+ 0x04, 0x22, 0x04, 0x20, 0xf5, 0xe5, 0x76, 0x7c, 0xf1, 0x53, 0x31, 0x95,
+ 0x17, 0x63, 0x0f, 0x22, 0x68, 0x76, 0xb8, 0x6c, 0x81, 0x60, 0xcc, 0x58,
+ 0x3b, 0xc0, 0x13, 0x74, 0x4c, 0x6b, 0xf2, 0x55, 0xf5, 0xcc, 0x0e, 0xe5};
+
+const uint8_t kEd25519Spki_3[] = {
+ 0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2B, 0x65, 0x70, 0x03, 0x21,
+ 0x00, 0x27, 0x81, 0x17, 0xfc, 0x14, 0x4c, 0x72, 0x34, 0x0f, 0x67,
+ 0xd0, 0xf2, 0x31, 0x6e, 0x83, 0x86, 0xce, 0xff, 0xbf, 0x2b, 0x24,
+ 0x28, 0xc9, 0xc5, 0x1f, 0xef, 0x7c, 0x59, 0x7f, 0x1d, 0x42, 0x6e};
+
+const uint8_t kEd25519Message_3[] = {
+ 0x08, 0xb8, 0xb2, 0xb7, 0x33, 0x42, 0x42, 0x43, 0x76, 0x0f, 0xe4, 0x26,
+ 0xa4, 0xb5, 0x49, 0x08, 0x63, 0x21, 0x10, 0xa6, 0x6c, 0x2f, 0x65, 0x91,
+ 0xea, 0xbd, 0x33, 0x45, 0xe3, 0xe4, 0xeb, 0x98, 0xfa, 0x6e, 0x26, 0x4b,
+ 0xf0, 0x9e, 0xfe, 0x12, 0xee, 0x50, 0xf8, 0xf5, 0x4e, 0x9f, 0x77, 0xb1,
+ 0xe3, 0x55, 0xf6, 0xc5, 0x05, 0x44, 0xe2, 0x3f, 0xb1, 0x43, 0x3d, 0xdf,
+ 0x73, 0xbe, 0x84, 0xd8, 0x79, 0xde, 0x7c, 0x00, 0x46, 0xdc, 0x49, 0x96,
+ 0xd9, 0xe7, 0x73, 0xf4, 0xbc, 0x9e, 0xfe, 0x57, 0x38, 0x82, 0x9a, 0xdb,
+ 0x26, 0xc8, 0x1b, 0x37, 0xc9, 0x3a, 0x1b, 0x27, 0x0b, 0x20, 0x32, 0x9d,
+ 0x65, 0x86, 0x75, 0xfc, 0x6e, 0xa5, 0x34, 0xe0, 0x81, 0x0a, 0x44, 0x32,
+ 0x82, 0x6b, 0xf5, 0x8c, 0x94, 0x1e, 0xfb, 0x65, 0xd5, 0x7a, 0x33, 0x8b,
+ 0xbd, 0x2e, 0x26, 0x64, 0x0f, 0x89, 0xff, 0xbc, 0x1a, 0x85, 0x8e, 0xfc,
+ 0xb8, 0x55, 0x0e, 0xe3, 0xa5, 0xe1, 0x99, 0x8b, 0xd1, 0x77, 0xe9, 0x3a,
+ 0x73, 0x63, 0xc3, 0x44, 0xfe, 0x6b, 0x19, 0x9e, 0xe5, 0xd0, 0x2e, 0x82,
+ 0xd5, 0x22, 0xc4, 0xfe, 0xba, 0x15, 0x45, 0x2f, 0x80, 0x28, 0x8a, 0x82,
+ 0x1a, 0x57, 0x91, 0x16, 0xec, 0x6d, 0xad, 0x2b, 0x3b, 0x31, 0x0d, 0xa9,
+ 0x03, 0x40, 0x1a, 0xa6, 0x21, 0x00, 0xab, 0x5d, 0x1a, 0x36, 0x55, 0x3e,
+ 0x06, 0x20, 0x3b, 0x33, 0x89, 0x0c, 0xc9, 0xb8, 0x32, 0xf7, 0x9e, 0xf8,
+ 0x05, 0x60, 0xcc, 0xb9, 0xa3, 0x9c, 0xe7, 0x67, 0x96, 0x7e, 0xd6, 0x28,
+ 0xc6, 0xad, 0x57, 0x3c, 0xb1, 0x16, 0xdb, 0xef, 0xef, 0xd7, 0x54, 0x99,
+ 0xda, 0x96, 0xbd, 0x68, 0xa8, 0xa9, 0x7b, 0x92, 0x8a, 0x8b, 0xbc, 0x10,
+ 0x3b, 0x66, 0x21, 0xfc, 0xde, 0x2b, 0xec, 0xa1, 0x23, 0x1d, 0x20, 0x6b,
+ 0xe6, 0xcd, 0x9e, 0xc7, 0xaf, 0xf6, 0xf6, 0xc9, 0x4f, 0xcd, 0x72, 0x04,
+ 0xed, 0x34, 0x55, 0xc6, 0x8c, 0x83, 0xf4, 0xa4, 0x1d, 0xa4, 0xaf, 0x2b,
+ 0x74, 0xef, 0x5c, 0x53, 0xf1, 0xd8, 0xac, 0x70, 0xbd, 0xcb, 0x7e, 0xd1,
+ 0x85, 0xce, 0x81, 0xbd, 0x84, 0x35, 0x9d, 0x44, 0x25, 0x4d, 0x95, 0x62,
+ 0x9e, 0x98, 0x55, 0xa9, 0x4a, 0x7c, 0x19, 0x58, 0xd1, 0xf8, 0xad, 0xa5,
+ 0xd0, 0x53, 0x2e, 0xd8, 0xa5, 0xaa, 0x3f, 0xb2, 0xd1, 0x7b, 0xa7, 0x0e,
+ 0xb6, 0x24, 0x8e, 0x59, 0x4e, 0x1a, 0x22, 0x97, 0xac, 0xbb, 0xb3, 0x9d,
+ 0x50, 0x2f, 0x1a, 0x8c, 0x6e, 0xb6, 0xf1, 0xce, 0x22, 0xb3, 0xde, 0x1a,
+ 0x1f, 0x40, 0xcc, 0x24, 0x55, 0x41, 0x19, 0xa8, 0x31, 0xa9, 0xaa, 0xd6,
+ 0x07, 0x9c, 0xad, 0x88, 0x42, 0x5d, 0xe6, 0xbd, 0xe1, 0xa9, 0x18, 0x7e,
+ 0xbb, 0x60, 0x92, 0xcf, 0x67, 0xbf, 0x2b, 0x13, 0xfd, 0x65, 0xf2, 0x70,
+ 0x88, 0xd7, 0x8b, 0x7e, 0x88, 0x3c, 0x87, 0x59, 0xd2, 0xc4, 0xf5, 0xc6,
+ 0x5a, 0xdb, 0x75, 0x53, 0x87, 0x8a, 0xd5, 0x75, 0xf9, 0xfa, 0xd8, 0x78,
+ 0xe8, 0x0a, 0x0c, 0x9b, 0xa6, 0x3b, 0xcb, 0xcc, 0x27, 0x32, 0xe6, 0x94,
+ 0x85, 0xbb, 0xc9, 0xc9, 0x0b, 0xfb, 0xd6, 0x24, 0x81, 0xd9, 0x08, 0x9b,
+ 0xec, 0xcf, 0x80, 0xcf, 0xe2, 0xdf, 0x16, 0xa2, 0xcf, 0x65, 0xbd, 0x92,
+ 0xdd, 0x59, 0x7b, 0x07, 0x07, 0xe0, 0x91, 0x7a, 0xf4, 0x8b, 0xbb, 0x75,
+ 0xfe, 0xd4, 0x13, 0xd2, 0x38, 0xf5, 0x55, 0x5a, 0x7a, 0x56, 0x9d, 0x80,
+ 0xc3, 0x41, 0x4a, 0x8d, 0x08, 0x59, 0xdc, 0x65, 0xa4, 0x61, 0x28, 0xba,
+ 0xb2, 0x7a, 0xf8, 0x7a, 0x71, 0x31, 0x4f, 0x31, 0x8c, 0x78, 0x2b, 0x23,
+ 0xeb, 0xfe, 0x80, 0x8b, 0x82, 0xb0, 0xce, 0x26, 0x40, 0x1d, 0x2e, 0x22,
+ 0xf0, 0x4d, 0x83, 0xd1, 0x25, 0x5d, 0xc5, 0x1a, 0xdd, 0xd3, 0xb7, 0x5a,
+ 0x2b, 0x1a, 0xe0, 0x78, 0x45, 0x04, 0xdf, 0x54, 0x3a, 0xf8, 0x96, 0x9b,
+ 0xe3, 0xea, 0x70, 0x82, 0xff, 0x7f, 0xc9, 0x88, 0x8c, 0x14, 0x4d, 0xa2,
+ 0xaf, 0x58, 0x42, 0x9e, 0xc9, 0x60, 0x31, 0xdb, 0xca, 0xd3, 0xda, 0xd9,
+ 0xaf, 0x0d, 0xcb, 0xaa, 0xaf, 0x26, 0x8c, 0xb8, 0xfc, 0xff, 0xea, 0xd9,
+ 0x4f, 0x3c, 0x7c, 0xa4, 0x95, 0xe0, 0x56, 0xa9, 0xb4, 0x7a, 0xcd, 0xb7,
+ 0x51, 0xfb, 0x73, 0xe6, 0x66, 0xc6, 0xc6, 0x55, 0xad, 0xe8, 0x29, 0x72,
+ 0x97, 0xd0, 0x7a, 0xd1, 0xba, 0x5e, 0x43, 0xf1, 0xbc, 0xa3, 0x23, 0x01,
+ 0x65, 0x13, 0x39, 0xe2, 0x29, 0x04, 0xcc, 0x8c, 0x42, 0xf5, 0x8c, 0x30,
+ 0xc0, 0x4a, 0xaf, 0xdb, 0x03, 0x8d, 0xda, 0x08, 0x47, 0xdd, 0x98, 0x8d,
+ 0xcd, 0xa6, 0xf3, 0xbf, 0xd1, 0x5c, 0x4b, 0x4c, 0x45, 0x25, 0x00, 0x4a,
+ 0xa0, 0x6e, 0xef, 0xf8, 0xca, 0x61, 0x78, 0x3a, 0xac, 0xec, 0x57, 0xfb,
+ 0x3d, 0x1f, 0x92, 0xb0, 0xfe, 0x2f, 0xd1, 0xa8, 0x5f, 0x67, 0x24, 0x51,
+ 0x7b, 0x65, 0xe6, 0x14, 0xad, 0x68, 0x08, 0xd6, 0xf6, 0xee, 0x34, 0xdf,
+ 0xf7, 0x31, 0x0f, 0xdc, 0x82, 0xae, 0xbf, 0xd9, 0x04, 0xb0, 0x1e, 0x1d,
+ 0xc5, 0x4b, 0x29, 0x27, 0x09, 0x4b, 0x2d, 0xb6, 0x8d, 0x6f, 0x90, 0x3b,
+ 0x68, 0x40, 0x1a, 0xde, 0xbf, 0x5a, 0x7e, 0x08, 0xd7, 0x8f, 0xf4, 0xef,
+ 0x5d, 0x63, 0x65, 0x3a, 0x65, 0x04, 0x0c, 0xf9, 0xbf, 0xd4, 0xac, 0xa7,
+ 0x98, 0x4a, 0x74, 0xd3, 0x71, 0x45, 0x98, 0x67, 0x80, 0xfc, 0x0b, 0x16,
+ 0xac, 0x45, 0x16, 0x49, 0xde, 0x61, 0x88, 0xa7, 0xdb, 0xdf, 0x19, 0x1f,
+ 0x64, 0xb5, 0xfc, 0x5e, 0x2a, 0xb4, 0x7b, 0x57, 0xf7, 0xf7, 0x27, 0x6c,
+ 0xd4, 0x19, 0xc1, 0x7a, 0x3c, 0xa8, 0xe1, 0xb9, 0x39, 0xae, 0x49, 0xe4,
+ 0x88, 0xac, 0xba, 0x6b, 0x96, 0x56, 0x10, 0xb5, 0x48, 0x01, 0x09, 0xc8,
+ 0xb1, 0x7b, 0x80, 0xe1, 0xb7, 0xb7, 0x50, 0xdf, 0xc7, 0x59, 0x8d, 0x5d,
+ 0x50, 0x11, 0xfd, 0x2d, 0xcc, 0x56, 0x00, 0xa3, 0x2e, 0xf5, 0xb5, 0x2a,
+ 0x1e, 0xcc, 0x82, 0x0e, 0x30, 0x8a, 0xa3, 0x42, 0x72, 0x1a, 0xac, 0x09,
+ 0x43, 0xbf, 0x66, 0x86, 0xb6, 0x4b, 0x25, 0x79, 0x37, 0x65, 0x04, 0xcc,
+ 0xc4, 0x93, 0xd9, 0x7e, 0x6a, 0xed, 0x3f, 0xb0, 0xf9, 0xcd, 0x71, 0xa4,
+ 0x3d, 0xd4, 0x97, 0xf0, 0x1f, 0x17, 0xc0, 0xe2, 0xcb, 0x37, 0x97, 0xaa,
+ 0x2a, 0x2f, 0x25, 0x66, 0x56, 0x16, 0x8e, 0x6c, 0x49, 0x6a, 0xfc, 0x5f,
+ 0xb9, 0x32, 0x46, 0xf6, 0xb1, 0x11, 0x63, 0x98, 0xa3, 0x46, 0xf1, 0xa6,
+ 0x41, 0xf3, 0xb0, 0x41, 0xe9, 0x89, 0xf7, 0x91, 0x4f, 0x90, 0xcc, 0x2c,
+ 0x7f, 0xff, 0x35, 0x78, 0x76, 0xe5, 0x06, 0xb5, 0x0d, 0x33, 0x4b, 0xa7,
+ 0x7c, 0x22, 0x5b, 0xc3, 0x07, 0xba, 0x53, 0x71, 0x52, 0xf3, 0xf1, 0x61,
+ 0x0e, 0x4e, 0xaf, 0xe5, 0x95, 0xf6, 0xd9, 0xd9, 0x0d, 0x11, 0xfa, 0xa9,
+ 0x33, 0xa1, 0x5e, 0xf1, 0x36, 0x95, 0x46, 0x86, 0x8a, 0x7f, 0x3a, 0x45,
+ 0xa9, 0x67, 0x68, 0xd4, 0x0f, 0xd9, 0xd0, 0x34, 0x12, 0xc0, 0x91, 0xc6,
+ 0x31, 0x5c, 0xf4, 0xfd, 0xe7, 0xcb, 0x68, 0x60, 0x69, 0x37, 0x38, 0x0d,
+ 0xb2, 0xea, 0xaa, 0x70, 0x7b, 0x4c, 0x41, 0x85, 0xc3, 0x2e, 0xdd, 0xcd,
+ 0xd3, 0x06, 0x70, 0x5e, 0x4d, 0xc1, 0xff, 0xc8, 0x72, 0xee, 0xee, 0x47,
+ 0x5a, 0x64, 0xdf, 0xac, 0x86, 0xab, 0xa4, 0x1c, 0x06, 0x18, 0x98, 0x3f,
+ 0x87, 0x41, 0xc5, 0xef, 0x68, 0xd3, 0xa1, 0x01, 0xe8, 0xa3, 0xb8, 0xca,
+ 0xc6, 0x0c, 0x90, 0x5c, 0x15, 0xfc, 0x91, 0x08, 0x40, 0xb9, 0x4c, 0x00,
+ 0xa0, 0xb9, 0xd0};
+
+const uint8_t kEd25519Signature_3[64] = {
+ 0x0a, 0xab, 0x4c, 0x90, 0x05, 0x01, 0xb3, 0xe2, 0x4d, 0x7c, 0xdf,
+ 0x46, 0x63, 0x32, 0x6a, 0x3a, 0x87, 0xdf, 0x5e, 0x48, 0x43, 0xb2,
+ 0xcb, 0xdb, 0x67, 0xcb, 0xf6, 0xe4, 0x60, 0xfe, 0xc3, 0x50, 0xaa,
+ 0x53, 0x71, 0xb1, 0x50, 0x8f, 0x9f, 0x45, 0x28, 0xec, 0xea, 0x23,
+ 0xc4, 0x36, 0xd9, 0x4b, 0x5e, 0x8f, 0xcd, 0x4f, 0x68, 0x1e, 0x30,
+ 0xa6, 0xac, 0x00, 0xa9, 0x70, 0x4a, 0x18, 0x8a, 0x03};
+
+} // namespace nss_test
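Review bot: Skipping RFC 8032 TEST 1 (the empty message) leaves the limitation stated in the header comment untested: if NSS really refuses to sign an empty message, a test should pin that behaviour (assert the sign call fails on an empty input) rather than silently omit the case, because a verifier that accepts empty messages while the signer rejects them is an interoperability gap worth noticing when it changes. The comment would also help readers if it named what is kept, e.g. `/* RFC 8032 §7.1 TEST 2, TEST 3 and TEST 1024; TEST 1 (empty message) is skipped because NSS does not sign empty messages. */` — the messages `0x72`, `0xaf 0x82` and the 1023-byte buffer match those entries as far as I can check here. The Ed25519ph vector (TEST SHA(abc)) is absent, which is consistent with the Pure-only support elsewhere in this commit but is worth saying explicitly.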
diff --git a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
index 792d6546e4..c14dbf860e 100644
--- a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
+++ b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
@@ -25,6 +25,7 @@
'pk11_des_unittest.cc',
'pk11_dsa_unittest.cc',
'pk11_ecdsa_unittest.cc',
+ 'pk11_eddsa_unittest.cc',
'pk11_ecdh_unittest.cc',
'pk11_encrypt_derive_unittest.cc',
'pk11_find_certs_unittest.cc',
@@ -38,6 +39,7 @@
'pk11_keygen.cc',
'pk11_key_unittest.cc',
'pk11_module_unittest.cc',
+ 'pk11_pbe_unittest.cc',
'pk11_pbkdf2_unittest.cc',
'pk11_prf_unittest.cc',
'pk11_prng_unittest.cc',
diff --git a/security/nss/gtests/pk11_gtest/pk11_import_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_import_unittest.cc
index 7fcc1cc4d7..6e11477045 100644
--- a/security/nss/gtests/pk11_gtest/pk11_import_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_import_unittest.cc
@@ -88,6 +88,7 @@ class Pk11KeyImportTestBase : public ::testing::Test {
case dhKey:
return pub_key->u.dh.publicValue;
case ecKey:
+ case edKey:
return pub_key->u.ec.publicValue;
case kyberKey:
return pub_key->u.kyber.publicValue;
diff --git a/security/nss/gtests/pk11_gtest/pk11_keygen.cc b/security/nss/gtests/pk11_gtest/pk11_keygen.cc
index 1a300ca4c1..92c8ba7ed8 100644
--- a/security/nss/gtests/pk11_gtest/pk11_keygen.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_keygen.cc
@@ -82,9 +82,11 @@ class DhParamHolder : public PqgParamHolder {
SECKEYDHParams params_;
};
+/* Also used for EdDSA. */
class EcParamHolder : public ParamHolder {
public:
EcParamHolder(SECOidTag curve_oid) {
+ /* For the case of ED curve_oid contains a EdDSA OID. */
SECOidData* curve = SECOID_FindOIDByTag(curve_oid);
EXPECT_NE(nullptr, curve);
@@ -142,6 +144,11 @@ std::unique_ptr<ParamHolder> Pkcs11KeyPairGenerator::MakeParams() const {
return std::unique_ptr<ParamHolder>(new DhParamHolder(pqg_params));
}
+ case CKM_EC_EDWARDS_KEY_PAIR_GEN:
+ std::cerr << "Generate ED pair on " << curve_ << std::endl;
+ return std::unique_ptr<ParamHolder>(
+ new EcParamHolder(SEC_OID_ED25519_PUBLIC_KEY));
+
case CKM_EC_KEY_PAIR_GEN:
std::cerr << "Generate EC pair on " << curve_ << std::endl;
return std::unique_ptr<ParamHolder>(new EcParamHolder(curve_));
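Review bot: The new `CKM_EC_EDWARDS_KEY_PAIR_GEN` case logs `curve_` but then ignores it and hard-codes `SEC_OID_ED25519_PUBLIC_KEY`, so a caller that asks for any other Edwards curve silently gets an Ed25519 pair while the log claims otherwise. Either pass `curve_` through as the `CKM_EC_KEY_PAIR_GEN` case below does, or make the restriction explicit before the return: `EXPECT_EQ(SEC_OID_ED25519_PUBLIC_KEY, curve_);`. MakeParams starts before this hunk, so I cannot see how `curve_` is populated for the Edwards path.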
diff --git a/security/nss/gtests/pk11_gtest/pk11_pbe_unittest.cc b/security/nss/gtests/pk11_gtest/pk11_pbe_unittest.cc
new file mode 100644
index 0000000000..5e90fd1bc9
--- /dev/null
+++ b/security/nss/gtests/pk11_gtest/pk11_pbe_unittest.cc
@@ -0,0 +1,69 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+
+#include "gtest/gtest.h"
+#include "nss_scoped_ptrs.h"
+
+namespace nss_test {
+
+static unsigned char* ToUcharPtr(std::string& str) {
+ return const_cast<unsigned char*>(
+ reinterpret_cast<const unsigned char*>(str.c_str()));
+}
+
+class Pkcs11PbeTest : public ::testing::Test {
+ public:
+ void Derive(std::vector<uint8_t>& derived) {
+ // Shared between test vectors.
+ const unsigned int kIterations = 4096;
+ std::string pass("passwordPASSWORDpassword");
+ std::string salt("saltSALTsaltSALTsaltSALTsaltSALTsalt");
+
+ // Derivation must succeed with the right values.
+ EXPECT_TRUE(DeriveBytes(pass, salt, derived, kIterations));
+ }
+
+ private:
+ bool DeriveBytes(std::string& pass, std::string& salt,
+ std::vector<uint8_t>& derived, unsigned int kIterations) {
+ SECItem pass_item = {siBuffer, ToUcharPtr(pass),
+ static_cast<unsigned int>(pass.length())};
+ SECItem salt_item = {siBuffer, ToUcharPtr(salt),
+ static_cast<unsigned int>(salt.length())};
+
+ // Set up PBE params.
+ ScopedSECAlgorithmID alg_id(PK11_CreatePBEAlgorithmID(
+ SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC, kIterations,
+ &salt_item));
+
+ // Derive.
+ ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+ ScopedPK11SymKey sym_key(
+ PK11_PBEKeyGen(slot.get(), alg_id.get(), &pass_item, false, nullptr));
+
+ SECStatus rv = PK11_ExtractKeyValue(sym_key.get());
+ EXPECT_EQ(rv, SECSuccess);
+
+ SECItem* key_data = PK11_GetKeyData(sym_key.get());
+
+ return key_data->len == derived.size() &&
+ !memcmp(&derived[0], key_data->data, key_data->len);
+ }
+};
+
+TEST_F(Pkcs11PbeTest, DeriveKnown) {
+ std::vector<uint8_t> derived = {0x86, 0x6b, 0xce, 0xef, 0x26, 0xa4,
+ 0x4f, 0x02, 0x4a, 0x26, 0xcd, 0xd0,
+ 0x4f, 0x7c, 0x19, 0xad};
+
+ Derive(derived);
+}
+
+} // namespace nss_test
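Review bot: DeriveBytes dereferences every NSS result without checking it: `slot`, `alg_id`, `sym_key` (handed to `PK11_ExtractKeyValue`) and `key_data` (read at `key_data->len`) can all be NULL on failure, which turns a derivation failure into a segfault instead of a test failure. Add `EXPECT_NE(nullptr, sym_key); if (!sym_key) return false;` after `PK11_PBEKeyGen`, and the same guard on `key_data` before the `memcmp`. The expected bytes in DeriveKnown carry no provenance; the password and salt look like the RFC 6070 PBKDF2 inputs but this is PKCS#12 PBE, so if the value was produced by NSS itself say so (`// Regression value generated with NSS; not an external KAT.`) so that a future mismatch is read as a regression rather than a spec bug. `<cstring>` for `memcmp` and `<vector>`/`<string>` are only reached transitively through the other headers.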
diff --git a/security/nss/gtests/pk11_gtest/pk11_signature_test.cc b/security/nss/gtests/pk11_gtest/pk11_signature_test.cc
index c9700707fe..bb029cd3a4 100644
--- a/security/nss/gtests/pk11_gtest/pk11_signature_test.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_signature_test.cc
@@ -54,9 +54,8 @@ ScopedSECKEYPublicKey Pk11SignatureTest::ImportPublicKey(
return ScopedSECKEYPublicKey(SECKEY_ExtractPublicKey(certSpki.get()));
}
-bool Pk11SignatureTest::SignHashedData(ScopedSECKEYPrivateKey& privKey,
- const DataBuffer& hash,
- DataBuffer* sig) {
+bool Pk11SignatureTest::SignRaw(ScopedSECKEYPrivateKey& privKey,
+ const DataBuffer& hash, DataBuffer* sig) {
SECItem hashItem = {siBuffer, toUcharPtr(hash.data()),
static_cast<unsigned int>(hash.len())};
unsigned int sigLen = PK11_SignatureLen(privKey.get());
@@ -70,8 +69,8 @@ bool Pk11SignatureTest::SignHashedData(ScopedSECKEYPrivateKey& privKey,
return rv == SECSuccess;
}
-bool Pk11SignatureTest::SignData(ScopedSECKEYPrivateKey& privKey,
- const DataBuffer& data, DataBuffer* sig) {
+bool Pk11SignatureTest::DigestAndSign(ScopedSECKEYPrivateKey& privKey,
+ const DataBuffer& data, DataBuffer* sig) {
unsigned int sigLen = PK11_SignatureLen(privKey.get());
bool result = true;
EXPECT_LT(0, (int)sigLen);
@@ -123,11 +122,11 @@ bool Pk11SignatureTest::ImportPrivateKeyAndSignHashedData(
ADD_FAILURE() << "Failed to compute hash";
return false;
}
- if (!SignHashedData(privKey, hash, sig)) {
+ if (!SignRaw(privKey, hash, sig)) {
ADD_FAILURE() << "Failed to sign hashed data";
return false;
}
- if (!SignData(privKey, data, sig2)) {
+ if (!DigestAndSign(privKey, data, sig2)) {
/* failure was already added by SignData, with an error message */
return false;
}
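Review bot: The comment under the renamed call still says `failure was already added by SignData`, but the function is now `DigestAndSign`; update it to `/* failure was already added by DigestAndSign, with an error message */` so the next reader does not go looking for a function that no longer exists. ImportPrivateKeyAndSignHashedData starts before this hunk.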
@@ -138,11 +137,20 @@ void Pk11SignatureTest::Verify(ScopedSECKEYPublicKey& pubKey,
const DataBuffer& data, const DataBuffer& sig,
bool valid) {
SECStatus rv;
- DataBuffer hash;
SECItem sigItem = {siBuffer, toUcharPtr(sig.data()),
static_cast<unsigned int>(sig.len())};
+ if (skip_digest_) {
+ SECItem dataItem = {siBuffer, toUcharPtr(data.data()),
+ static_cast<unsigned int>(data.len())};
+ rv = PK11_VerifyWithMechanism(pubKey.get(), mechanism_, parameters(),
+ &sigItem, &dataItem, nullptr);
+ EXPECT_EQ(rv, valid ? SECSuccess : SECFailure);
+ return;
+ }
+
+ DataBuffer hash;
/* RSA single shot requires encoding the hash before calling
* VerifyWithMechanism. We already check that mechanism
* with the VFY_ interface, so just do the combined hash/Verify
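Review bot: The new `skip_digest_` branch in Verify reports an unexpected result with a bare `EXPECT_EQ`, unlike the digest path below it, which prints `PORT_ErrorToString(PORT_GetError())`; when an EdDSA vector fails the log will not say whether the token returned `SEC_ERROR_BAD_SIGNATURE` or an argument/length error, and that distinction is exactly what the Wycheproof negative cases are meant to surface. Append the diagnostic: `EXPECT_EQ(rv, valid ? SECSuccess : SECFailure) << "verify Error:" << PORT_ErrorToString(PORT_GetError());`. Verify continues past the end of this hunk.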
@@ -175,5 +183,4 @@ void Pk11SignatureTest::Verify(ScopedSECKEYPublicKey& pubKey,
<< "verify failed Error:" << PORT_ErrorToString(PORT_GetError()) << "\n";
PK11_DestroyContext(context, PR_TRUE);
}
-
} // namespace nss_test
diff --git a/security/nss/gtests/pk11_gtest/pk11_signature_test.h b/security/nss/gtests/pk11_gtest/pk11_signature_test.h
index c4a8c52c38..f00a588fff 100644
--- a/security/nss/gtests/pk11_gtest/pk11_signature_test.h
+++ b/security/nss/gtests/pk11_gtest/pk11_signature_test.h
@@ -11,7 +11,6 @@
#include "databuffer.h"
#include "gtest/gtest.h"
-
namespace nss_test {
// For test vectors.
@@ -28,6 +27,11 @@ class Pk11SignatureTest : public ::testing::Test {
CK_MECHANISM_TYPE combo)
: mechanism_(mech), hash_oid_(hash_oid), combo_(combo) {
skip_raw_ = false;
+ skip_digest_ = false;
+ }
+
+ Pk11SignatureTest(CK_MECHANISM_TYPE mech) : mechanism_(mech) {
+ skip_digest_ = true;
}
virtual const SECItem* parameters() const { return nullptr; }
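Review bot: The new single-argument constructor leaves `skip_raw_`, `hash_oid_` and `combo_` uninitialized; `skip_raw_` is a `bool` that the other constructor deliberately sets to false, so any helper that consults it on an EdDSA fixture (SignAndVerify, if it does) reads an indeterminate value. Initialize every member in the initializer list, in declaration order: `Pk11SignatureTest(CK_MECHANISM_TYPE mech) : mechanism_(mech), hash_oid_(SEC_OID_UNKNOWN), combo_(CKM_INVALID_MECHANISM), skip_raw_(false), skip_digest_(true) {}`. A one-line comment saying that this constructor is for mechanisms that sign the message directly (no separate digest step) would explain why `skip_digest_` is true here.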
@@ -54,10 +58,10 @@ class Pk11SignatureTest : public ::testing::Test {
return rv == SECSuccess;
}
- bool SignHashedData(ScopedSECKEYPrivateKey& privKey, const DataBuffer& hash,
- DataBuffer* sig);
- bool SignData(ScopedSECKEYPrivateKey& privKey, const DataBuffer& data,
- DataBuffer* sig);
+ bool SignRaw(ScopedSECKEYPrivateKey& privKey, const DataBuffer& hash,
+ DataBuffer* sig);
+ bool DigestAndSign(ScopedSECKEYPrivateKey& privKey, const DataBuffer& data,
+ DataBuffer* sig);
bool ImportPrivateKeyAndSignHashedData(const DataBuffer& pkcs8,
const DataBuffer& data,
DataBuffer* sig, DataBuffer* sig2);
@@ -96,6 +100,15 @@ class Pk11SignatureTest : public ::testing::Test {
Verify(params, sig2, true);
}
+ void SignAndVerifyRaw(const Pkcs11SignatureTestParams& params) {
+ ScopedSECKEYPrivateKey privKey(ImportPrivateKey(params.pkcs8_));
+ ASSERT_NE(privKey, nullptr);
+ DataBuffer sig;
+ SignRaw(privKey, params.data_, &sig);
+ EXPECT_EQ(sig, params.signature_);
+ Verify(params, sig, true);
+ }
+
// Importing a private key in PKCS#8 format and reexporting it should
// result in the same binary representation.
void ImportExport(const DataBuffer& k) {
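Review bot: SignAndVerifyRaw ignores the return value of `SignRaw`, so a signing failure is reported only indirectly as a mismatch against `params.signature_`, after which `Verify` still runs with an empty `sig`. Use `ASSERT_TRUE(SignRaw(privKey, params.data_, &sig));`. The byte-for-byte comparison `EXPECT_EQ(sig, params.signature_)` holds only for deterministic schemes; a comment such as `// Exact match holds only for deterministic signatures (EdDSA); ECDSA/DSA would need Verify alone.` would stop this helper from being reused for a randomized mechanism.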
@@ -110,6 +123,7 @@ class Pk11SignatureTest : public ::testing::Test {
SECOidTag hash_oid_;
CK_MECHANISM_TYPE combo_;
bool skip_raw_;
+ bool skip_digest_;
};
} // namespace nss_test
diff --git a/security/nss/lib/cryptohi/keythi.h b/security/nss/lib/cryptohi/keythi.h
index 1dd8a557c5..086d83ae6b 100644
--- a/security/nss/lib/cryptohi/keythi.h
+++ b/security/nss/lib/cryptohi/keythi.h
@@ -36,6 +36,7 @@ typedef enum {
rsaPssKey = 7,
rsaOaepKey = 8,
kyberKey = 9,
+ edKey = 10,
} KeyType;
/*
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
index 1762c1a143..1a68104978 100644
--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -235,6 +235,33 @@ SECKEY_CreateECPrivateKey(SECKEYECParams *param, SECKEYPublicKey **pubk, void *c
return (privk);
}
+SECKEYPrivateKey *
+SECKEY_CreateEDPrivateKey(SECKEYECParams *param, SECKEYPublicKey **pubk, void *cx)
+{
+ SECKEYPrivateKey *privk;
+ PK11SlotInfo *slot = PK11_GetBestSlot(CKM_EC_EDWARDS_KEY_PAIR_GEN, cx);
+ if (!slot) {
+ return NULL;
+ }
+
+ privk = PK11_GenerateKeyPairWithOpFlags(slot, CKM_EC_EDWARDS_KEY_PAIR_GEN,
+ param, pubk,
+ PK11_ATTR_SESSION |
+ PK11_ATTR_INSENSITIVE |
+ PK11_ATTR_PUBLIC,
+ CKF_SIGN, CKF_SIGN, cx);
+ if (!privk)
+ privk = PK11_GenerateKeyPairWithOpFlags(slot, CKM_EC_EDWARDS_KEY_PAIR_GEN,
+ param, pubk,
+ PK11_ATTR_SESSION |
+ PK11_ATTR_SENSITIVE |
+ PK11_ATTR_PRIVATE,
+ CKF_SIGN, CKF_SIGN, cx);
+
+ PK11_FreeSlot(slot);
+ return (privk);
+}
+
void
SECKEY_DestroyPrivateKey(SECKEYPrivateKey *privk)
{
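Review bot: SECKEY_CreateEDPrivateKey first asks for the Ed25519 private key as `PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC` and only falls back to `SENSITIVE | PRIVATE` when that is refused, so on a token that accepts the first request the new key is extractable by default; this appears to mirror SECKEY_CreateECPrivateKey just above, but the reason belongs in a comment, e.g. `/* Prefer an extractable session key, as SECKEY_CreateECPrivateKey does; fall back to a sensitive/private key on tokens that refuse. */`. The fallback `if (!privk)` wraps a multi-line call without braces; brace it to match the surrounding style. As a new public entry point it also needs a description in seckey.h, which is not in this chunk.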
@@ -329,7 +356,7 @@ seckey_UpdateCertPQGChain(CERTCertificate *subjectCert, int count)
*
* Question: do we really need to do this for EC keys. They don't have
* PQG parameters, but they do have parameters. The question is does
- * the child cert inherit thost parameters for EC from the parent, or
+ * the child cert inherit those parameters for EC from the parent, or
* do we always include those parameters in each cert.
*/
@@ -339,6 +366,7 @@ seckey_UpdateCertPQGChain(CERTCertificate *subjectCert, int count)
(tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
(tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
(tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
+ (tag != SEC_OID_ED25519_PUBLIC_KEY) &&
(tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
return SECSuccess;
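Review bot: Adding `SEC_OID_ED25519_PUBLIC_KEY` to the set of tags that proceed into the parameter-inheritance walk looks questionable: RFC 8410 §3 requires the AlgorithmIdentifier parameters of an Ed25519 key to be absent, so the subject key will always look "parameterless" here, and if the code between these two checks (outside this hunk) treats empty parameters as "inherit from the issuer", an Ed25519 leaf under an EC issuer could be handed the issuer's curve parameters, which seckey_ExtractPublicKey in this same commit then rejects with `SEC_ERROR_UNSUPPORTED_KEYALG`. Unless the walk is needed for some other reason, return early for Ed25519 instead, `if (tag == SEC_OID_ED25519_PUBLIC_KEY) return SECSuccess;` ahead of the existing test, or leave the tag out of both lists. seckey_UpdateCertPQGChain starts and ends outside this hunk.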
@@ -383,6 +411,7 @@ seckey_UpdateCertPQGChain(CERTCertificate *subjectCert, int count)
(tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
(tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
(tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
+ (tag != SEC_OID_ED25519_PUBLIC_KEY) &&
(tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
rv = SECFailure;
goto loser;
@@ -521,6 +550,9 @@ seckey_GetKeyType(SECOidTag tag)
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
keyType = ecKey;
break;
+ case SEC_OID_ED25519_PUBLIC_KEY:
+ keyType = edKey;
+ break;
/* accommodate applications that hand us a signature type when they
* should be handing us a cipher type */
case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
@@ -637,6 +669,37 @@ seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki)
if (rv == SECSuccess)
return pubk;
break;
+ case SEC_OID_ED25519_PUBLIC_KEY:
+ /* A basic consistency check on inputs. */
+ if (newOs.len == 0) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ break;
+ }
+
+ /* Currently supporting only (Pure)Ed25519 .*/
+ if (spki->algorithm.parameters.len != 0) {
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+ break;
+ }
+
+ pubk->keyType = edKey;
+ pubk->u.ec.size = 0;
+
+ SECOidData *oidEd25519 = SECOID_FindOIDByTag(SEC_OID_ED25519_PUBLIC_KEY);
+
+ if (!SECITEM_AllocItem(arena, &pubk->u.ec.DEREncodedParams, oidEd25519->oid.len + 2)) {
+ rv = SECFailure;
+ break;
+ }
+ pubk->u.ec.DEREncodedParams.data[0] = SEC_ASN1_OBJECT_ID;
+ pubk->u.ec.DEREncodedParams.data[1] = oidEd25519->oid.len;
+ PORT_Memcpy(pubk->u.ec.DEREncodedParams.data + 2, oidEd25519->oid.data, oidEd25519->oid.len);
+
+ rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &newOs);
+ if (rv != SECSuccess) {
+ break;
+ }
+ return pubk;
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
/* A basic sanity check on inputs. */
if (spki->algorithm.parameters.len == 0 || newOs.len == 0) {
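Review bot: In the new `SEC_OID_ED25519_PUBLIC_KEY` case the `SECOID_FindOIDByTag` result `oidEd25519` is dereferenced without a NULL check when the DER parameters are hand-built, and the only length check on the key material is `newOs.len == 0`, so a SPKI carrying a 31- or 33-byte BIT STRING yields a SECKEYPublicKey that reports 255-bit strength and only fails later in freebl (`ec_ED25519_pt_validate` in ec.c insists on exactly `Ed25519_PUBLIC_KEYLEN`). Reject it at this layer: `if (newOs.len != 32) { PORT_SetError(SEC_ERROR_INPUT_LEN); break; }` with a comment naming RFC 8032, and `if (!oidEd25519) { rv = SECFailure; break; }` before the OID is copied. The hand-rolled OID TLV assumes `oid.len < 128`, which is true for 1.3.101.112 but deserves a one-line note. seckey_ExtractPublicKey starts and ends outside this hunk.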
@@ -811,6 +874,7 @@ SECKEY_ECParamsToKeySize(const SECItem *encodedParams)
return 571;
case SEC_OID_CURVE25519:
+ case SEC_OID_ED25519_PUBLIC_KEY:
return 255;
default:
@@ -961,6 +1025,7 @@ SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams)
return 570;
case SEC_OID_CURVE25519:
+ case SEC_OID_ED25519_PUBLIC_KEY:
return 255;
default:
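Review bot: Returning 255 for `SEC_OID_ED25519_PUBLIC_KEY` from SECKEY_ECParamsToBasePointOrderLen is not the bit length of the Ed25519 group order (L is 253 bits), but it is what makes SECKEY_SignatureLen produce `((255 + 7) / 8) * 2 = 64` bytes, matching `ED25519_SIGN_LEN`; a comment would save the next reader from "correcting" it, e.g. `/* Ed25519: L is 253 bits, but 255 yields the 32-byte scalar / 64-byte signature length callers expect. */`. The key-size hunk just above is fine as is, since 255 really is the field size there.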
@@ -1032,6 +1097,7 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk)
bitSize = SECKEY_BigIntegerBitLength(&pubk->u.dh.prime);
break;
case ecKey:
+ case edKey:
bitSize = SECKEY_ECParamsToKeySize(&pubk->u.ec.DEREncodedParams);
break;
default:
@@ -1113,6 +1179,7 @@ SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
case dsaKey:
return pubk->u.dsa.params.subPrime.len * 2;
case ecKey:
+ case edKey:
/* Get the base point order length in bits and adjust */
size = SECKEY_ECParamsToBasePointOrderLen(
&pubk->u.ec.DEREncodedParams);
@@ -1239,6 +1306,7 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk)
&pubk->u.dh.publicValue);
break;
case ecKey:
+ case edKey:
copyk->u.ec.size = pubk->u.ec.size;
rv = seckey_HasCurveOID(pubk);
if (rv != SECSuccess) {
@@ -1465,6 +1533,28 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
* overwrite the old value */
pubk->u.ec.publicValue = decodedPoint;
}
+
+ pubk->u.ec.encoding = ECPoint_Undefined;
+ return pubk;
+ case edKey:
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+ CKA_EC_PARAMS, arena, &pubk->u.ec.DEREncodedParams);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+ CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
+ if (rv != SECSuccess || pubk->u.ec.publicValue.len == 0) {
+ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
+ if (pubKeyHandle == CK_INVALID_HANDLE) {
+ break;
+ }
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
+ if (rv != SECSuccess) {
+ break;
+ }
+ }
pubk->u.ec.encoding = ECPoint_Undefined;
return pubk;
default:
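Review bot: The new `edKey` branch copies `CKA_EC_POINT` straight into `pubk->u.ec.publicValue`, whereas the `ecKey` branch above it (partly outside this hunk) decodes the attribute first (`pubk->u.ec.publicValue = decodedPoint`); as I read PKCS#11 v3.0, a token may return the Edwards public key DER-wrapped in an OCTET STRING, and such a value would pass through here as 34 bytes and then be refused by `ec_ED25519_pt_validate` in freebl. If only softoken is expected to hold Ed25519 keys for now, say so with a comment (`/* softoken stores the raw 32-byte RFC 8032 key; DER OCTET STRING wrapping from other tokens is not handled yet. */`); otherwise strip the wrapper when the length is not 32. SECKEY_ConvertToPublicKey starts before this hunk.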
@@ -1483,6 +1573,7 @@ seckey_CreateSubjectPublicKeyInfo_helper(SECKEYPublicKey *pubk)
CERTSubjectPublicKeyInfo *spki;
PLArenaPool *arena;
SECItem params = { siBuffer, NULL, 0 };
+ SECOidTag tag;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
@@ -1555,14 +1646,41 @@ seckey_CreateSubjectPublicKeyInfo_helper(SECKEYPublicKey *pubk)
case ecKey:
rv = SECITEM_CopyItem(arena, &params,
&pubk->u.ec.DEREncodedParams);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
break;
+ }
+ tag = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
- SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+ tag,
&params);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
+ break;
+ }
+
+ rv = SECITEM_CopyItem(arena, &spki->subjectPublicKey,
+ &pubk->u.ec.publicValue);
+
+ if (rv == SECSuccess) {
+ /*
+ * The stored value is supposed to be a BIT_STRING,
+ * so convert the length.
+ */
+ spki->subjectPublicKey.len <<= 3;
+ /*
+ * We got a good one; return it.
+ */
+ return spki;
+ }
+ break;
+ case edKey:
+ tag = SECKEY_GetECCOid(&pubk->u.ec.DEREncodedParams);
+ rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
+ tag,
+ &params);
+ if (rv != SECSuccess) {
break;
+ }
rv = SECITEM_CopyItem(arena, &spki->subjectPublicKey,
&pubk->u.ec.publicValue);
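Review bot: The `edKey` case builds the AlgorithmIdentifier from `SECKEY_GetECCOid(&pubk->u.ec.DEREncodedParams)` without checking the result, so a key whose DEREncodedParams is missing or is not the Ed25519 OID gets a SPKI emitted with `SEC_OID_UNKNOWN` as its algorithm instead of an error. Guard it: `if (tag != SEC_OID_ED25519_PUBLIC_KEY) { PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); break; }`. Passing the empty `params` item is correct (RFC 8410 requires absent parameters) and deserves a one-line comment; meanwhile the `ecKey` case now duplicates the subjectPublicKey copy and the `len <<= 3` bit-string conversion that the shared tail below already performs, so the earlier fall-through into that tail was simpler. The function continues past the end of this hunk.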
@@ -1669,8 +1787,9 @@ SECKEY_DecodeDERSubjectPublicKeyInfo(const SECItem *spkider)
rv = SEC_QuickDERDecodeItem(arena, spki,
CERT_SubjectPublicKeyInfoTemplate, &newSpkider);
}
- if (rv == SECSuccess)
+ if (rv == SECSuccess) {
return spki;
+ }
} else {
PORT_SetError(SEC_ERROR_NO_MEMORY);
}
diff --git a/security/nss/lib/cryptohi/secvfy.c b/security/nss/lib/cryptohi/secvfy.c
index 8c9dc2d87d..04c755a001 100644
--- a/security/nss/lib/cryptohi/secvfy.c
+++ b/security/nss/lib/cryptohi/secvfy.c
@@ -306,7 +306,7 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg)
* encalg: address of a SECOidTag which will be set with the signing alg.
*
* Returns: SECSuccess if the algorithm was acceptable, SECFailure if the
- * algorithm was not found or was not a signing algorithm.
+ * algorithm was not found or was not a signing algorithm.
*/
SECStatus
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
diff --git a/security/nss/lib/freebl/Hacl_Hash_SHA2_shim.h b/security/nss/lib/freebl/Hacl_Hash_SHA2_shim.h
new file mode 100644
index 0000000000..8e510e914d
--- /dev/null
+++ b/security/nss/lib/freebl/Hacl_Hash_SHA2_shim.h
@@ -0,0 +1,38 @@
+#include "blapi.h"
+#include "../pqg.h"
+
+static inline void
+sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input)
+{
+ SHA512Context *ctx = SHA512_NewContext();
+ uint32_t l = SHA512_LENGTH;
+ SHA512_Begin(ctx);
+ SHA512_Update(ctx, prefix, 32);
+ SHA512_Update(ctx, input, len);
+ SHA512_End(ctx, hash, &l, SHA512_LENGTH);
+ SHA512_DestroyContext(ctx, PR_TRUE);
+}
+
+static inline void
+sha512_pre_pre2_msg(
+ uint8_t *hash,
+ uint8_t *prefix,
+ uint8_t *prefix2,
+ uint32_t len,
+ uint8_t *input)
+{
+ SHA512Context *ctx = SHA512_NewContext();
+ uint32_t l = SHA512_LENGTH;
+ SHA512_Begin(ctx);
+ SHA512_Update(ctx, prefix, 32);
+ SHA512_Update(ctx, prefix2, 32);
+ SHA512_Update(ctx, input, len);
+ SHA512_End(ctx, hash, &l, SHA512_LENGTH);
+ SHA512_DestroyContext(ctx, PR_TRUE);
+}
+
+static void
+Hacl_Streaming_SHA2_hash_512(uint8_t *secret, uint32_t len, uint8_t *expanded)
+{
+ SHA512_HashBuf(expanded, secret, len);
+} \ No newline at end of file
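Review bot: `SHA512_NewContext()` allocates and can return NULL, and both `sha512_pre_msg` and `sha512_pre_pre2_msg` pass the result straight to `SHA512_Begin`; because the HACL callers of this shim are `void`, an allocation failure either crashes or leaves `hash` holding stack garbage that becomes the Ed25519 nonce `r`. Do not paper over it with a fixed output either — a predictable `r` leaks the private scalar through `S = r + H(R,A,M)·s` — so at minimum `PORT_Assert` and abort, and ideally have the HACL-side patch propagate a status so `ED_SignMessage` can fail cleanly. These contexts hold secret-derived state (the expanded-key prefix); `SHA512_DestroyContext(ctx, PR_TRUE)` should zero and free, but whether `SHA512_HashBuf` in `Hacl_Streaming_SHA2_hash_512` scrubs its internal context is worth confirming since it hashes the raw seed. The header also lacks an include guard, a license header and a trailing newline.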
diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile
index eeee90a97f..78dc2621ea 100644
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -608,11 +608,12 @@ ifndef NSS_DISABLE_CHACHAPOLY
endif # NSS_DISABLE_CHACHAPOLY
VERIFIED_SRCS += Hacl_Hash_SHA3.c Hacl_P256.c Hacl_P384.c Hacl_P521.c
+VERIFIED_SRCS += Hacl_Ed25519.c
+VERIFIED_SRCS += Hacl_Curve25519_51.c
ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH)))
# All 64-bit architectures get the 64 bit version.
ECL_SRCS += curve25519_64.c
- VERIFIED_SRCS += Hacl_Curve25519_51.c
else
# All other architectures get the generic 32 bit implementation
ECL_SRCS += curve25519_32.c
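Review bot: Moving `Hacl_Curve25519_51.c` out of the 64-bit-only branch means the radix-2^51 code, which relies on 128-bit multiplication, is now compiled on every architecture, including 32-bit targets that previously built only `curve25519_32.c`; it should go through the FStar uint128 fallback, but that configuration has not been exercised before and is slower, so the 32-bit CI legs (and the freebl.gyp counterpart, not in this chunk) deserve a look. A comment on the new line such as `# Needed on all architectures: Hacl_Ed25519.c uses the Curve25519_51 field arithmetic.` would explain why the file no longer tracks CPU_ARCH.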
diff --git a/security/nss/lib/freebl/blapi.h b/security/nss/lib/freebl/blapi.h
index 4b4de66916..b9d0c0a8aa 100644
--- a/security/nss/lib/freebl/blapi.h
+++ b/security/nss/lib/freebl/blapi.h
@@ -1921,6 +1921,27 @@ extern SECStatus Kyber_Encapsulate(KyberParams params, const SECItem *seed, cons
*/
extern SECStatus Kyber_Decapsulate(KyberParams params, const SECItem *privKey, const SECItem *ciphertext, SECItem *secret);
+/* EdDSA (only ed25519)
+** On input, msg == buffer containing message to be signed.
+** key == key to be used for signature.
+** Output, signature == Buffer containing the signature.
+*/
+extern SECStatus ED_SignMessage(ECPrivateKey *key, SECItem *signature,
+ const SECItem *msg);
+
+/* On input, signature == buffer holding the signature.
+** msg == buffer holding the message.
+** key == key used to verify the signature.
+** Output, whether the signature is valid or not.
+*/
+extern SECStatus ED_VerifyMessage(ECPublicKey *key, const SECItem *signature,
+ const SECItem *msg);
+
+/* EdDSA (only ed25519)
+ * Derive the public key `publicKey` from the private key `privateKey`.
+ */
+extern SECStatus ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey);
+
SEC_END_PROTOS
#endif /* _BLAPI_H_ */
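Review bot: The new ED_SignMessage/ED_VerifyMessage comments do not say who allocates `signature->data` or how long it must be, and `ED_VerifyMessage` takes a non-const `ECPublicKey *key` although verification should not modify it. Document the buffer contract, e.g. `** signature must point to a buffer of ED25519_SIGN_LEN (64) bytes; signature->len is set on success.` (or state that the function allocates it), and state which error codes verify sets — `SEC_ERROR_BAD_SIGNATURE` for a bad signature versus `SEC_ERROR_INVALID_ARGS` for malformed key or signature lengths, if that is what the freebl implementation does; it is not in this chunk. `const`-qualify the key parameters unless the implementation genuinely mutates them.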
diff --git a/security/nss/lib/freebl/blapit.h b/security/nss/lib/freebl/blapit.h
index 7b59a812b0..e5300313d6 100644
--- a/security/nss/lib/freebl/blapit.h
+++ b/security/nss/lib/freebl/blapit.h
@@ -29,6 +29,8 @@
#define DES_KEY_LENGTH 8 /* Bytes */
+#define ED25519_SIGN_LEN 64U /* Bytes */
+
/* AES operation modes */
#define NSS_AES 0
#define NSS_AES_CBC 1
@@ -81,6 +83,9 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
#define EC_MAX_KEY_BITS 521 /* in bits */
#define EC_MIN_KEY_BITS 256 /* in bits */
+#define ECD_MAX_KEY_BITS 255 /* in bits */
+#define ECD_MIN_KEY_BITS 255 /* in bits */
+
/* EC point compression format */
#define EC_POINT_FORM_COMPRESSED_Y0 0x02
#define EC_POINT_FORM_COMPRESSED_Y1 0x03
diff --git a/security/nss/lib/freebl/ec.c b/security/nss/lib/freebl/ec.c
index 35a848395c..cd6a88c7b0 100644
--- a/security/nss/lib/freebl/ec.c
+++ b/security/nss/lib/freebl/ec.c
@@ -18,6 +18,7 @@
#include "verified/Hacl_P384.h"
#include "verified/Hacl_P521.h"
#include "secport.h"
+#include "verified/Hacl_Ed25519.h"
#define EC_DOUBLECHECK PR_FALSE
@@ -65,6 +66,27 @@ ec_secp521r1_scalar_validate(const SECItem *scalar)
return SECSuccess;
}
+SECStatus
+ec_ED25519_pt_validate(const SECItem *px)
+{
+ if (!px || !px->data || px->len != Ed25519_PUBLIC_KEYLEN) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+SECStatus
+ec_ED25519_scalar_validate(const SECItem *scalar)
+{
+ if (!scalar || !scalar->data || scalar->len != Ed25519_PRIVATE_KEYLEN) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ return SECSuccess;
+}
+
static const ECMethod kMethods[] = {
{ ECCurve25519,
ec_Curve25519_pt_mul,
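Review bot: `ec_ED25519_pt_validate` only checks that the buffer is 32 bytes long; it does not establish that the bytes decode to a point on the curve, which is a stronger property than its name and the pt_validate slot it fills in kMethods suggest. A comment stating the contract would stop callers from treating it as a full point check, e.g. `/* Length-only check; decompression and on-curve validation happen inside the HACL* verify routine. */` — I am inferring that the decompression failure is caught in Hacl_Ed25519_verify, so confirm before wording it that way. `ec_ED25519_scalar_validate` likewise accepts any 32-byte value, which is correct for Ed25519 (the private key is a seed that is hashed, not a scalar), and a one-line comment saying so would pre-empt the obvious "why no range check" question.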
@@ -96,6 +118,12 @@ static const ECMethod kMethods[] = {
NULL,
NULL,
},
+ { ECCurve_Ed25519,
+ NULL,
+ ec_ED25519_pt_validate,
+ ec_ED25519_scalar_validate,
+ NULL,
+ NULL },
};
static const ECMethod *
@@ -353,6 +381,16 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
/* Compute corresponding public key */
/* Use curve specific code for point multiplication */
+
+ if (ecParams->name == ECCurve_Ed25519) {
+ rv = ED_DerivePublicKey(&key->privateValue, &key->publicValue);
+ if (rv != SECSuccess) {
+ goto cleanup;
+ }
+ NSS_DECLASSIFY(key->publicValue.data, key->publicValue.len); /* Declassifying public key to avoid false positive */
+ goto done;
+ }
+
if (ecParams->fieldID.type == ec_field_plain) {
const ECMethod *method = ec_get_method_from_name(ecParams->name);
if (method == NULL || method->pt_mul == NULL) {
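Review bot: The new `ED_DerivePublicKey(&key->privateValue, &key->publicValue)` call succeeds only if `key->publicValue` was already allocated with length Ed25519_PUBLIC_KEYLEN, since ED_DerivePublicKey rejects any other length with SEC_ERROR_INVALID_ARGS; that allocation happens earlier in ec_NewKey, outside this hunk, and presumably sizes the buffer via EC_GetPointSize, whose ecdecode.c change returns scalarSize for edwards-named curves. A comment tying the two together would save the next reader the cross-file hunt, e.g. `/* publicValue was sized by EC_GetPointSize (scalarSize for Ed25519) */`. ec_NewKey starts and ends outside the hunk.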
@@ -435,6 +473,7 @@ ec_GenerateRandomPrivateKey(ECParams *ecParams, SECItem *privKey)
uint8_t leading_coeff_mask;
switch (ecParams->name) {
+ case ECCurve_Ed25519:
case ECCurve25519:
case ECCurve_NIST_P256:
case ECCurve_NIST_P384:
@@ -490,8 +529,9 @@ EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey)
goto cleanup;
}
rv = ec_GenerateRandomPrivateKey(ecParams, &privKeyRand);
- if (rv != SECSuccess || privKeyRand.data == NULL)
+ if (rv != SECSuccess || privKeyRand.data == NULL) {
goto cleanup;
+ }
/* generate public key */
CHECK_SEC_OK(ec_NewKey(ecParams, privKey, privKeyRand.data, privKeyRand.len));
@@ -1317,3 +1357,103 @@ done:
return rv;
}
+
+/*EdDSA: Currently only Ed22519 is implemented.*/
+
+/*
+** Computes the EdDSA signature on the message using the given key.
+*/
+
+SECStatus
+ec_ED25519_public_key_validate(const ECPublicKey *key)
+{
+ if (!key || !(key->ecParams.name == ECCurve_Ed25519)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ return ec_ED25519_pt_validate(&key->publicValue);
+}
+
+SECStatus
+ec_ED25519_private_key_validate(const ECPrivateKey *key)
+{
+ if (!key || !(key->ecParams.name == ECCurve_Ed25519)) {
+
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+ return ec_ED25519_scalar_validate(&key->privateValue);
+}
+
+SECStatus
+ED_SignMessage(ECPrivateKey *key, SECItem *signature, const SECItem *msg)
+{
+ if (!msg || !signature || signature->len != Ed25519_SIGN_LEN) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (ec_ED25519_private_key_validate(key) != SECSuccess) {
+ return SECFailure; /* error code set by ec_ED25519_scalar_validate. */
+ }
+
+ if (signature->data) {
+ Hacl_Ed25519_sign(signature->data, key->privateValue.data, msg->len,
+ msg->data);
+ }
+ signature->len = ED25519_SIGN_LEN;
+ BLAPI_CLEAR_STACK(2048);
+ return SECSuccess;
+}
+
+/*
+** Checks the signature on the given message using the key provided.
+*/
+
+SECStatus
+ED_VerifyMessage(ECPublicKey *key, const SECItem *signature,
+ const SECItem *msg)
+{
+ if (!msg || !signature || !signature->data || signature->len != Ed25519_SIGN_LEN) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (ec_ED25519_public_key_validate(key) != SECSuccess) {
+ return SECFailure; /* error code set by ec_ED25519_pt_validate. */
+ }
+
+ bool rv = Hacl_Ed25519_verify(key->publicValue.data, msg->len, msg->data,
+ signature->data);
+ BLAPI_CLEAR_STACK(2048);
+
+#if EC_DEBUG
+ printf("ED_VerifyMessage returning %s\n",
+ (rv) ? "success" : "failure");
+#endif
+
+ if (rv) {
+ return SECSuccess;
+ }
+
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+}
+
+SECStatus
+ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey)
+{
+ /* Currently supporting only Ed25519.*/
+ if (!privateKey || privateKey->len == 0 || !publicKey || publicKey->len != Ed25519_PUBLIC_KEYLEN) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (ec_ED25519_scalar_validate(privateKey) != SECSuccess) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ Hacl_Ed25519_secret_to_public(publicKey->data, privateKey->data);
+ return SECSuccess;
+} \ No newline at end of file
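Review bot: ED_SignMessage and ED_VerifyMessage check `msg` for NULL but not `msg->data`, and pass `msg->data`/`msg->len` straight into Hacl_Ed25519_sign/verify, so a SECItem with a non-zero len and a NULL data pointer would be dereferenced inside the HACL* code. Tighten the guard to `if (!msg || (msg->len != 0 && !msg->data) || !signature || signature->len != Ed25519_SIGN_LEN)` in ED_SignMessage and the equivalent in ED_VerifyMessage (a zero-length message with NULL data is a legitimate empty input and should still pass). ED_SignMessage also returns SECSuccess with `signature->len` set when `signature->data` is NULL without signing anything; if that is an intended size query, state it in the blapi.h prototype comment, otherwise reject NULL data as ED_VerifyMessage already does. On documentation: the header comment "Computes the EdDSA signature on the message" sits above ec_ED25519_public_key_validate instead of ED_SignMessage, the in-line comment after the private-key check names ec_ED25519_scalar_validate although the callee is ec_ED25519_private_key_validate, and the file-level comment spells the algorithm `Ed22519`. In ED_DerivePublicKey the `privateKey->len == 0` test and the second `PORT_SetError` are redundant with ec_ED25519_scalar_validate, which already rejects any length other than 32 and sets the same error.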
diff --git a/security/nss/lib/freebl/ec.h b/security/nss/lib/freebl/ec.h
index f4b8ee7334..c38f623d4a 100644
--- a/security/nss/lib/freebl/ec.h
+++ b/security/nss/lib/freebl/ec.h
@@ -10,6 +10,10 @@
#define ANSI_X962_CURVE_OID_TOTAL_LEN 10
#define SECG_CURVE_OID_TOTAL_LEN 7
#define PKIX_NEWCURVES_OID_TOTAL_LEN 11
+#define ED25519_OID_TOTAL_LEN 5
+#define Ed25519_PRIVATE_KEYLEN 32
+#define Ed25519_PUBLIC_KEYLEN 32
+#define Ed25519_SIGN_LEN 64
struct ECMethodStr {
ECCurveName name;
diff --git a/security/nss/lib/freebl/ecdecode.c b/security/nss/lib/freebl/ecdecode.c
index 24ba11f3b1..c78eedf373 100644
--- a/security/nss/lib/freebl/ecdecode.c
+++ b/security/nss/lib/freebl/ecdecode.c
@@ -120,7 +120,8 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
if ((encodedParams->len != ANSI_X962_CURVE_OID_TOTAL_LEN) &&
(encodedParams->len != SECG_CURVE_OID_TOTAL_LEN) &&
- (encodedParams->len != PKIX_NEWCURVES_OID_TOTAL_LEN)) {
+ (encodedParams->len != PKIX_NEWCURVES_OID_TOTAL_LEN) &&
+ (encodedParams->len != ED25519_OID_TOTAL_LEN)) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
};
@@ -174,6 +175,13 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
ec_field_GFp, params));
break;
+ case SEC_OID_ED25519_PUBLIC_KEY:
+ params->type = ec_params_edwards_named;
+ CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_Ed25519,
+ ec_field_plain, params));
+
+ break;
+
case SEC_OID_CURVE25519:
/* Populate params for Curve25519 */
params->type = ec_params_montgomery_named;
@@ -246,10 +254,11 @@ EC_GetPointSize(const ECParams *params)
int sizeInBytes = (params->fieldID.size + 7) / 8;
return sizeInBytes * 2 + 1;
}
- if (name == ECCurve25519) {
- /* Only X here */
+
+ if (params->type == ec_params_edwards_named || params->type == ec_params_montgomery_named) {
return curveParams->scalarSize;
}
+
return curveParams->pointSize - 1;
}
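Review bot: The removed `if (name == ECCurve25519)` branch was, as far as this hunk shows, the only use of the local `name` in EC_GetPointSize; if nothing else in the function (which starts outside the hunk) reads it, the declaration is now dead and will warn under -Wunused-variable, so check and drop it. Switching from a curve-name test to a `params->type` test also quietly extends the scalarSize path to every montgomery- and edwards-named curve rather than only Curve25519, which appears to be the intent but deserves a comment, e.g. `/* Montgomery and Edwards named curves use a scalarSize-byte compressed point encoding. */`.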
diff --git a/security/nss/lib/freebl/ecl/ecl-curve.h b/security/nss/lib/freebl/ecl/ecl-curve.h
index dec3ce387d..1c9cb5db53 100644
--- a/security/nss/lib/freebl/ecl/ecl-curve.h
+++ b/security/nss/lib/freebl/ecl/ecl-curve.h
@@ -178,6 +178,13 @@ static const ECCurveBytes ecCurve_25519 = {
KU_KEY_AGREEMENT
};
+static const ECCurveBytes ecCurve_Ed25519 = {
+ "ED25119", ECField_GFp, 255,
+ NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ 8, 128, 66, 32,
+ KU_DIGITAL_SIGNATURE
+};
+
/* mapping between ECCurveName enum and pointers to ECCurveParams */
static const ECCurveBytes *ecCurve_map[] = {
NULL, /* ECCurve_noName */
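Review bot: The curve name string in `ecCurve_Ed25519` reads `"ED25119"` where the identifier and every other reference say Ed25519; this looks like a transposition typo and will mismatch if the name is ever surfaced in diagnostics or compared in tests. Change it to `"ED25519"`. The positional initializer `8, 128, 66, 32` also gives no hint which ECCurveBytes fields those are — the final 32 is presumably scalarSize, which the ec_ED25519_* length checks and EC_GetPointSize depend on — so either designated initializers or the field comments used by the neighbouring entries would make the table self-checking.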
@@ -239,7 +246,8 @@ static const ECCurveBytes *ecCurve_map[] = {
NULL, /* ECCurve_WTLS_8 */
NULL, /* ECCurve_WTLS_9 */
&ecCurve_25519, /* ECCurve25519 */
- NULL /* ECCurve_pastLastCurve */
+ &ecCurve_Ed25519,
+ NULL /* ECCurve_pastLastCurve */
};
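Review bot: The new `&ecCurve_Ed25519,` entry is the only one in ecCurve_map without the trailing `/* ECCurve_xxx */` comment that every neighbouring entry carries; the table appears to be indexed by ECCurveName position (per the comment above it), so that annotation is what lets a reader verify the ordering against the ecl-exp.h enum. Add `/* ECCurve_Ed25519 */` to match.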
#endif
diff --git a/security/nss/lib/freebl/ecl/ecl-exp.h b/security/nss/lib/freebl/ecl/ecl-exp.h
index 44adb8a1cd..14263c70f4 100644
--- a/security/nss/lib/freebl/ecl/ecl-exp.h
+++ b/security/nss/lib/freebl/ecl/ecl-exp.h
@@ -132,6 +132,7 @@ typedef enum {
/* ECCurve_WTLS_12 == ECCurve_NIST_P224 */
ECCurve25519,
+ ECCurve_Ed25519,
ECCurve_pastLastCurve
} ECCurveName;
diff --git a/security/nss/lib/freebl/freebl_base.gypi b/security/nss/lib/freebl/freebl_base.gypi
index 8ef46da630..2a6bd5e5c5 100644
--- a/security/nss/lib/freebl/freebl_base.gypi
+++ b/security/nss/lib/freebl/freebl_base.gypi
@@ -73,6 +73,8 @@
'verified/Hacl_Hash_SHA3.c',
'sha3.c',
'shake.c',
+ 'verified/Hacl_Curve25519_51.c',
+ 'verified/Hacl_Ed25519.c',
],
'defines': [
# For kyber-pqcrystals-ref.c. If we ever decide to support Kyber512 or
diff --git a/security/nss/lib/freebl/ldvector.c b/security/nss/lib/freebl/ldvector.c
index 14ecfcaa25..641340b8c7 100644
--- a/security/nss/lib/freebl/ldvector.c
+++ b/security/nss/lib/freebl/ldvector.c
@@ -438,6 +438,11 @@ static const struct FREEBLVectorStr vector = {
Kyber_Decapsulate,
/* End of version 3.027 */
+
+ ED_SignMessage,
+ ED_VerifyMessage,
+ ED_DerivePublicKey,
+ /* End of version 3.028 */
};
const FREEBLVector*
diff --git a/security/nss/lib/freebl/loader.c b/security/nss/lib/freebl/loader.c
index 473169264c..22c468fda7 100644
--- a/security/nss/lib/freebl/loader.c
+++ b/security/nss/lib/freebl/loader.c
@@ -2854,3 +2854,31 @@ Kyber_Decapsulate(KyberParams params, const SECItem *privKey, const SECItem *cip
return SECFailure;
return (vector->p_Kyber_Decapsulate)(params, privKey, ciphertext, secret);
}
+
+/* ============== New for 3.0028 =============================== */
+
+SECStatus
+ED_SignMessage(ECPrivateKey *key, SECItem *signature,
+ const SECItem *msg)
+{
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_ED_SignMessage)(key, signature, msg);
+}
+
+SECStatus
+ED_VerifyMessage(ECPublicKey *key, const SECItem *signature,
+ const SECItem *msg)
+{
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_ED_VerifyMessage)(key, signature, msg);
+}
+
+SECStatus
+ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey)
+{
+ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
+ return SECFailure;
+ return (vector->p_ED_DerivePublicKey)(privateKey, publicKey);
+}
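Review bot: The section banner reads `/* ============== New for 3.0028 =============================== */` while the ldvector.c and loader.h hunks label the same additions `3.028`; the stray zero will mislead anyone grepping the loader for a version marker. Change it to `/* ============== New for 3.028 =============================== */`. The three wrappers themselves follow the file's existing `if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) return SECFailure;` pattern, so nothing further there.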
diff --git a/security/nss/lib/freebl/loader.h b/security/nss/lib/freebl/loader.h
index 62159d88c7..5c51f48213 100644
--- a/security/nss/lib/freebl/loader.h
+++ b/security/nss/lib/freebl/loader.h
@@ -918,6 +918,13 @@ struct FREEBLVectorStr {
/* Version 3.027 came to here */
+ SECStatus (*p_ED_SignMessage)(ECPrivateKey *key, SECItem *signature, const SECItem *msg);
+ SECStatus (*p_ED_VerifyMessage)(ECPublicKey *key, const SECItem *signature,
+ const SECItem *msg);
+
+ SECStatus (*p_ED_DerivePublicKey)(const SECItem *privateKey, SECItem *publicKey);
+ /* Version 3.028 came to here */
+
/* Add new function pointers at the end of this struct and bump
* FREEBL_VERSION at the beginning of this file. */
};
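Review bot: The struct's own trailing comment requires FREEBL_VERSION at the top of this file to be bumped whenever pointers are appended, and that bump is not visible in this hunk; confirm it is in the part of the diff not shown, since the version is presumably what lets the loader refuse a freebl that lacks these slots. Stylistically, `p_ED_DerivePublicKey` is split from the other two new pointers by a blank line while ldvector.c lists all three together; keeping them adjacent makes the two tables easier to compare by eye.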
diff --git a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
index a15820273c..bf2cc651ce 100644
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
@@ -368,9 +368,8 @@ Hacl_Chacha20_Vec128_chacha20_encrypt_128(
}
if (rem1 > (uint32_t)0U) {
uint8_t *uu____2 = out + nb * (uint32_t)256U;
- uint8_t *uu____3 = text + nb * (uint32_t)256U;
uint8_t plain[256U] = { 0U };
- memcpy(plain, uu____3, rem * sizeof(uint8_t));
+ memcpy(plain, text + nb * (uint32_t)256U, rem * sizeof(uint8_t));
KRML_PRE_ALIGN(16)
Lib_IntVector_Intrinsics_vec128 k[16U] KRML_POST_ALIGN(16) = { 0U };
chacha20_core_128(k, ctx, nb);
@@ -674,9 +673,8 @@ Hacl_Chacha20_Vec128_chacha20_decrypt_128(
}
if (rem1 > (uint32_t)0U) {
uint8_t *uu____2 = out + nb * (uint32_t)256U;
- uint8_t *uu____3 = cipher + nb * (uint32_t)256U;
uint8_t plain[256U] = { 0U };
- memcpy(plain, uu____3, rem * sizeof(uint8_t));
+ memcpy(plain, cipher + nb * (uint32_t)256U, rem * sizeof(uint8_t));
KRML_PRE_ALIGN(16)
Lib_IntVector_Intrinsics_vec128 k[16U] KRML_POST_ALIGN(16) = { 0U };
chacha20_core_128(k, ctx, nb);
diff --git a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec256.c b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec256.c
index e184598e4a..98ff9c346f 100644
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec256.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec256.c
@@ -468,9 +468,8 @@ Hacl_Chacha20_Vec256_chacha20_encrypt_256(
}
if (rem1 > (uint32_t)0U) {
uint8_t *uu____2 = out + nb * (uint32_t)512U;
- uint8_t *uu____3 = text + nb * (uint32_t)512U;
uint8_t plain[512U] = { 0U };
- memcpy(plain, uu____3, rem * sizeof(uint8_t));
+ memcpy(plain, text + nb * (uint32_t)512U, rem * sizeof(uint8_t));
KRML_PRE_ALIGN(32)
Lib_IntVector_Intrinsics_vec256 k[16U] KRML_POST_ALIGN(32) = { 0U };
chacha20_core_256(k, ctx, nb);
@@ -966,9 +965,8 @@ Hacl_Chacha20_Vec256_chacha20_decrypt_256(
}
if (rem1 > (uint32_t)0U) {
uint8_t *uu____2 = out + nb * (uint32_t)512U;
- uint8_t *uu____3 = cipher + nb * (uint32_t)512U;
uint8_t plain[512U] = { 0U };
- memcpy(plain, uu____3, rem * sizeof(uint8_t));
+ memcpy(plain, cipher + nb * (uint32_t)512U, rem * sizeof(uint8_t));
KRML_PRE_ALIGN(32)
Lib_IntVector_Intrinsics_vec256 k[16U] KRML_POST_ALIGN(32) = { 0U };
chacha20_core_256(k, ctx, nb);
diff --git a/security/nss/lib/freebl/verified/Hacl_Curve25519_64.c b/security/nss/lib/freebl/verified/Hacl_Curve25519_64.c
index 6dbdf736f9..7ba332cba6 100644
--- a/security/nss/lib/freebl/verified/Hacl_Curve25519_64.c
+++ b/security/nss/lib/freebl/verified/Hacl_Curve25519_64.c
@@ -35,7 +35,7 @@ add_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2)
#if HACL_CAN_COMPILE_INLINE_ASM
add_scalar(out, f1, f2);
#else
- uint64_t uu____0 = add_scalar_e(out, f1, f2);
+ KRML_HOST_IGNORE(add_scalar_e(out, f1, f2));
#endif
}
@@ -45,7 +45,7 @@ fadd0(uint64_t *out, uint64_t *f1, uint64_t *f2)
#if HACL_CAN_COMPILE_INLINE_ASM
fadd(out, f1, f2);
#else
- uint64_t uu____0 = fadd_e(out, f1, f2);
+ KRML_HOST_IGNORE(fadd_e(out, f1, f2));
#endif
}
@@ -55,7 +55,7 @@ fsub0(uint64_t *out, uint64_t *f1, uint64_t *f2)
#if HACL_CAN_COMPILE_INLINE_ASM
fsub(out, f1, f2);
#else
- uint64_t uu____0 = fsub_e(out, f1, f2);
+ KRML_HOST_IGNORE(fsub_e(out, f1, f2));
#endif
}
@@ -65,7 +65,7 @@ fmul0(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp)
#if HACL_CAN_COMPILE_INLINE_ASM
fmul(out, f1, f2, tmp);
#else
- uint64_t uu____0 = fmul_e(tmp, f1, out, f2);
+ KRML_HOST_IGNORE(fmul_e(tmp, f1, out, f2));
#endif
}
@@ -75,7 +75,7 @@ fmul20(uint64_t *out, uint64_t *f1, uint64_t *f2, uint64_t *tmp)
#if HACL_CAN_COMPILE_INLINE_ASM
fmul2(out, f1, f2, tmp);
#else
- uint64_t uu____0 = fmul2_e(tmp, f1, out, f2);
+ KRML_HOST_IGNORE(fmul2_e(tmp, f1, out, f2));
#endif
}
@@ -85,7 +85,7 @@ fmul_scalar0(uint64_t *out, uint64_t *f1, uint64_t f2)
#if HACL_CAN_COMPILE_INLINE_ASM
fmul_scalar(out, f1, f2);
#else
- uint64_t uu____0 = fmul_scalar_e(out, f1, f2);
+ KRML_HOST_IGNORE(fmul_scalar_e(out, f1, f2));
#endif
}
@@ -95,7 +95,7 @@ fsqr0(uint64_t *out, uint64_t *f1, uint64_t *tmp)
#if HACL_CAN_COMPILE_INLINE_ASM
fsqr(out, f1, tmp);
#else
- uint64_t uu____0 = fsqr_e(tmp, f1, out);
+ KRML_HOST_IGNORE(fsqr_e(tmp, f1, out));
#endif
}
@@ -105,7 +105,7 @@ fsqr20(uint64_t *out, uint64_t *f, uint64_t *tmp)
#if HACL_CAN_COMPILE_INLINE_ASM
fsqr2(out, f, tmp);
#else
- uint64_t uu____0 = fsqr2_e(tmp, f, out);
+ KRML_HOST_IGNORE(fsqr2_e(tmp, f, out));
#endif
}
@@ -115,7 +115,7 @@ cswap20(uint64_t bit, uint64_t *p1, uint64_t *p2)
#if HACL_CAN_COMPILE_INLINE_ASM
cswap2(bit, p1, p2);
#else
- uint64_t uu____0 = cswap2_e(bit, p1, p2);
+ KRML_HOST_IGNORE(cswap2_e(bit, p1, p2));
#endif
}
diff --git a/security/nss/lib/freebl/verified/Hacl_Ed25519.c b/security/nss/lib/freebl/verified/Hacl_Ed25519.c
new file mode 100644
index 0000000000..f7a5ea6d75
--- /dev/null
+++ b/security/nss/lib/freebl/verified/Hacl_Ed25519.c
@@ -0,0 +1,1853 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "internal/Hacl_Ed25519.h"
+
+#include "internal/Hacl_Krmllib.h"
+#include "internal/Hacl_Ed25519_PrecompTable.h"
+#include "internal/Hacl_Curve25519_51.h"
+#include "internal/Hacl_Bignum_Base.h"
+#include "internal/Hacl_Bignum25519_51.h"
+
+#include "../Hacl_Hash_SHA2_shim.h"
+
+static inline void
+fsum(uint64_t *out, uint64_t *a, uint64_t *b)
+{
+ Hacl_Impl_Curve25519_Field51_fadd(out, a, b);
+}
+
+static inline void
+fdifference(uint64_t *out, uint64_t *a, uint64_t *b)
+{
+ Hacl_Impl_Curve25519_Field51_fsub(out, a, b);
+}
+
+void
+Hacl_Bignum25519_reduce_513(uint64_t *a)
+{
+ uint64_t f0 = a[0U];
+ uint64_t f1 = a[1U];
+ uint64_t f2 = a[2U];
+ uint64_t f3 = a[3U];
+ uint64_t f4 = a[4U];
+ uint64_t l_ = f0 + (uint64_t)0U;
+ uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU;
+ uint64_t c0 = l_ >> (uint32_t)51U;
+ uint64_t l_0 = f1 + c0;
+ uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU;
+ uint64_t c1 = l_0 >> (uint32_t)51U;
+ uint64_t l_1 = f2 + c1;
+ uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU;
+ uint64_t c2 = l_1 >> (uint32_t)51U;
+ uint64_t l_2 = f3 + c2;
+ uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU;
+ uint64_t c3 = l_2 >> (uint32_t)51U;
+ uint64_t l_3 = f4 + c3;
+ uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU;
+ uint64_t c4 = l_3 >> (uint32_t)51U;
+ uint64_t l_4 = tmp0 + c4 * (uint64_t)19U;
+ uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU;
+ uint64_t c5 = l_4 >> (uint32_t)51U;
+ a[0U] = tmp0_;
+ a[1U] = tmp1 + c5;
+ a[2U] = tmp2;
+ a[3U] = tmp3;
+ a[4U] = tmp4;
+}
+
+static inline void
+fmul0(uint64_t *output, uint64_t *input, uint64_t *input2)
+{
+ FStar_UInt128_uint128 tmp[10U];
+ for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i)
+ tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
+ Hacl_Impl_Curve25519_Field51_fmul(output, input, input2, tmp);
+}
+
+static inline void
+times_2(uint64_t *out, uint64_t *a)
+{
+ uint64_t a0 = a[0U];
+ uint64_t a1 = a[1U];
+ uint64_t a2 = a[2U];
+ uint64_t a3 = a[3U];
+ uint64_t a4 = a[4U];
+ uint64_t o0 = (uint64_t)2U * a0;
+ uint64_t o1 = (uint64_t)2U * a1;
+ uint64_t o2 = (uint64_t)2U * a2;
+ uint64_t o3 = (uint64_t)2U * a3;
+ uint64_t o4 = (uint64_t)2U * a4;
+ out[0U] = o0;
+ out[1U] = o1;
+ out[2U] = o2;
+ out[3U] = o3;
+ out[4U] = o4;
+}
+
+static inline void
+times_d(uint64_t *out, uint64_t *a)
+{
+ uint64_t d[5U] = { 0U };
+ d[0U] = (uint64_t)0x00034dca135978a3U;
+ d[1U] = (uint64_t)0x0001a8283b156ebdU;
+ d[2U] = (uint64_t)0x0005e7a26001c029U;
+ d[3U] = (uint64_t)0x000739c663a03cbbU;
+ d[4U] = (uint64_t)0x00052036cee2b6ffU;
+ fmul0(out, d, a);
+}
+
+static inline void
+times_2d(uint64_t *out, uint64_t *a)
+{
+ uint64_t d2[5U] = { 0U };
+ d2[0U] = (uint64_t)0x00069b9426b2f159U;
+ d2[1U] = (uint64_t)0x00035050762add7aU;
+ d2[2U] = (uint64_t)0x0003cf44c0038052U;
+ d2[3U] = (uint64_t)0x0006738cc7407977U;
+ d2[4U] = (uint64_t)0x0002406d9dc56dffU;
+ fmul0(out, d2, a);
+}
+
+static inline void
+fsquare(uint64_t *out, uint64_t *a)
+{
+ FStar_UInt128_uint128 tmp[5U];
+ for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
+ tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
+ Hacl_Impl_Curve25519_Field51_fsqr(out, a, tmp);
+}
+
+static inline void
+fsquare_times(uint64_t *output, uint64_t *input, uint32_t count)
+{
+ FStar_UInt128_uint128 tmp[5U];
+ for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
+ tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
+ Hacl_Curve25519_51_fsquare_times(output, input, tmp, count);
+}
+
+static inline void
+fsquare_times_inplace(uint64_t *output, uint32_t count)
+{
+ FStar_UInt128_uint128 tmp[5U];
+ for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
+ tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
+ Hacl_Curve25519_51_fsquare_times(output, output, tmp, count);
+}
+
+void
+Hacl_Bignum25519_inverse(uint64_t *out, uint64_t *a)
+{
+ FStar_UInt128_uint128 tmp[10U];
+ for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i)
+ tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
+ Hacl_Curve25519_51_finv(out, a, tmp);
+}
+
+static inline void
+reduce(uint64_t *out)
+{
+ uint64_t o0 = out[0U];
+ uint64_t o1 = out[1U];
+ uint64_t o2 = out[2U];
+ uint64_t o3 = out[3U];
+ uint64_t o4 = out[4U];
+ uint64_t l_ = o0 + (uint64_t)0U;
+ uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU;
+ uint64_t c0 = l_ >> (uint32_t)51U;
+ uint64_t l_0 = o1 + c0;
+ uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU;
+ uint64_t c1 = l_0 >> (uint32_t)51U;
+ uint64_t l_1 = o2 + c1;
+ uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU;
+ uint64_t c2 = l_1 >> (uint32_t)51U;
+ uint64_t l_2 = o3 + c2;
+ uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU;
+ uint64_t c3 = l_2 >> (uint32_t)51U;
+ uint64_t l_3 = o4 + c3;
+ uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU;
+ uint64_t c4 = l_3 >> (uint32_t)51U;
+ uint64_t l_4 = tmp0 + c4 * (uint64_t)19U;
+ uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU;
+ uint64_t c5 = l_4 >> (uint32_t)51U;
+ uint64_t f0 = tmp0_;
+ uint64_t f1 = tmp1 + c5;
+ uint64_t f2 = tmp2;
+ uint64_t f3 = tmp3;
+ uint64_t f4 = tmp4;
+ uint64_t m0 = FStar_UInt64_gte_mask(f0, (uint64_t)0x7ffffffffffedU);
+ uint64_t m1 = FStar_UInt64_eq_mask(f1, (uint64_t)0x7ffffffffffffU);
+ uint64_t m2 = FStar_UInt64_eq_mask(f2, (uint64_t)0x7ffffffffffffU);
+ uint64_t m3 = FStar_UInt64_eq_mask(f3, (uint64_t)0x7ffffffffffffU);
+ uint64_t m4 = FStar_UInt64_eq_mask(f4, (uint64_t)0x7ffffffffffffU);
+ uint64_t mask = (((m0 & m1) & m2) & m3) & m4;
+ uint64_t f0_ = f0 - (mask & (uint64_t)0x7ffffffffffedU);
+ uint64_t f1_ = f1 - (mask & (uint64_t)0x7ffffffffffffU);
+ uint64_t f2_ = f2 - (mask & (uint64_t)0x7ffffffffffffU);
+ uint64_t f3_ = f3 - (mask & (uint64_t)0x7ffffffffffffU);
+ uint64_t f4_ = f4 - (mask & (uint64_t)0x7ffffffffffffU);
+ uint64_t f01 = f0_;
+ uint64_t f11 = f1_;
+ uint64_t f21 = f2_;
+ uint64_t f31 = f3_;
+ uint64_t f41 = f4_;
+ out[0U] = f01;
+ out[1U] = f11;
+ out[2U] = f21;
+ out[3U] = f31;
+ out[4U] = f41;
+}
+
+void
+Hacl_Bignum25519_load_51(uint64_t *output, uint8_t *input)
+{
+ uint64_t u64s[4U] = { 0U };
+ KRML_MAYBE_FOR4(i,
+ (uint32_t)0U,
+ (uint32_t)4U,
+ (uint32_t)1U,
+ uint64_t *os = u64s;
+ uint8_t *bj = input + i * (uint32_t)8U;
+ uint64_t u = load64_le(bj);
+ uint64_t r = u;
+ uint64_t x = r;
+ os[i] = x;);
+ uint64_t u64s3 = u64s[3U];
+ u64s[3U] = u64s3 & (uint64_t)0x7fffffffffffffffU;
+ output[0U] = u64s[0U] & (uint64_t)0x7ffffffffffffU;
+ output[1U] = u64s[0U] >> (uint32_t)51U | (u64s[1U] & (uint64_t)0x3fffffffffU) << (uint32_t)13U;
+ output[2U] = u64s[1U] >> (uint32_t)38U | (u64s[2U] & (uint64_t)0x1ffffffU) << (uint32_t)26U;
+ output[3U] = u64s[2U] >> (uint32_t)25U | (u64s[3U] & (uint64_t)0xfffU) << (uint32_t)39U;
+ output[4U] = u64s[3U] >> (uint32_t)12U;
+}
+
+void
+Hacl_Bignum25519_store_51(uint8_t *output, uint64_t *input)
+{
+ uint64_t u64s[4U] = { 0U };
+ Hacl_Impl_Curve25519_Field51_store_felem(u64s, input);
+ KRML_MAYBE_FOR4(i,
+ (uint32_t)0U,
+ (uint32_t)4U,
+ (uint32_t)1U,
+ store64_le(output + i * (uint32_t)8U, u64s[i]););
+}
+
+void
+Hacl_Impl_Ed25519_PointDouble_point_double(uint64_t *out, uint64_t *p)
+{
+ uint64_t tmp[20U] = { 0U };
+ uint64_t *tmp1 = tmp;
+ uint64_t *tmp20 = tmp + (uint32_t)5U;
+ uint64_t *tmp30 = tmp + (uint32_t)10U;
+ uint64_t *tmp40 = tmp + (uint32_t)15U;
+ uint64_t *x10 = p;
+ uint64_t *y10 = p + (uint32_t)5U;
+ uint64_t *z1 = p + (uint32_t)10U;
+ fsquare(tmp1, x10);
+ fsquare(tmp20, y10);
+ fsum(tmp30, tmp1, tmp20);
+ fdifference(tmp40, tmp1, tmp20);
+ fsquare(tmp1, z1);
+ times_2(tmp1, tmp1);
+ uint64_t *tmp10 = tmp;
+ uint64_t *tmp2 = tmp + (uint32_t)5U;
+ uint64_t *tmp3 = tmp + (uint32_t)10U;
+ uint64_t *tmp4 = tmp + (uint32_t)15U;
+ uint64_t *x1 = p;
+ uint64_t *y1 = p + (uint32_t)5U;
+ fsum(tmp2, x1, y1);
+ fsquare(tmp2, tmp2);
+ Hacl_Bignum25519_reduce_513(tmp3);
+ fdifference(tmp2, tmp3, tmp2);
+ Hacl_Bignum25519_reduce_513(tmp10);
+ Hacl_Bignum25519_reduce_513(tmp4);
+ fsum(tmp10, tmp10, tmp4);
+ uint64_t *tmp_f = tmp;
+ uint64_t *tmp_e = tmp + (uint32_t)5U;
+ uint64_t *tmp_h = tmp + (uint32_t)10U;
+ uint64_t *tmp_g = tmp + (uint32_t)15U;
+ uint64_t *x3 = out;
+ uint64_t *y3 = out + (uint32_t)5U;
+ uint64_t *z3 = out + (uint32_t)10U;
+ uint64_t *t3 = out + (uint32_t)15U;
+ fmul0(x3, tmp_e, tmp_f);
+ fmul0(y3, tmp_g, tmp_h);
+ fmul0(t3, tmp_e, tmp_h);
+ fmul0(z3, tmp_f, tmp_g);
+}
+
+void
+Hacl_Impl_Ed25519_PointAdd_point_add(uint64_t *out, uint64_t *p, uint64_t *q)
+{
+ uint64_t tmp[30U] = { 0U };
+ uint64_t *tmp1 = tmp;
+ uint64_t *tmp20 = tmp + (uint32_t)5U;
+ uint64_t *tmp30 = tmp + (uint32_t)10U;
+ uint64_t *tmp40 = tmp + (uint32_t)15U;
+ uint64_t *x1 = p;
+ uint64_t *y1 = p + (uint32_t)5U;
+ uint64_t *x2 = q;
+ uint64_t *y2 = q + (uint32_t)5U;
+ fdifference(tmp1, y1, x1);
+ fdifference(tmp20, y2, x2);
+ fmul0(tmp30, tmp1, tmp20);
+ fsum(tmp1, y1, x1);
+ fsum(tmp20, y2, x2);
+ fmul0(tmp40, tmp1, tmp20);
+ uint64_t *tmp10 = tmp;
+ uint64_t *tmp2 = tmp + (uint32_t)5U;
+ uint64_t *tmp3 = tmp + (uint32_t)10U;
+ uint64_t *tmp4 = tmp + (uint32_t)15U;
+ uint64_t *tmp5 = tmp + (uint32_t)20U;
+ uint64_t *tmp6 = tmp + (uint32_t)25U;
+ uint64_t *z1 = p + (uint32_t)10U;
+ uint64_t *t1 = p + (uint32_t)15U;
+ uint64_t *z2 = q + (uint32_t)10U;
+ uint64_t *t2 = q + (uint32_t)15U;
+ times_2d(tmp10, t1);
+ fmul0(tmp10, tmp10, t2);
+ times_2(tmp2, z1);
+ fmul0(tmp2, tmp2, z2);
+ fdifference(tmp5, tmp4, tmp3);
+ fdifference(tmp6, tmp2, tmp10);
+ fsum(tmp10, tmp2, tmp10);
+ fsum(tmp2, tmp4, tmp3);
+ uint64_t *tmp_g = tmp;
+ uint64_t *tmp_h = tmp + (uint32_t)5U;
+ uint64_t *tmp_e = tmp + (uint32_t)20U;
+ uint64_t *tmp_f = tmp + (uint32_t)25U;
+ uint64_t *x3 = out;
+ uint64_t *y3 = out + (uint32_t)5U;
+ uint64_t *z3 = out + (uint32_t)10U;
+ uint64_t *t3 = out + (uint32_t)15U;
+ fmul0(x3, tmp_e, tmp_f);
+ fmul0(y3, tmp_g, tmp_h);
+ fmul0(t3, tmp_e, tmp_h);
+ fmul0(z3, tmp_f, tmp_g);
+}
+
+void
+Hacl_Impl_Ed25519_PointConstants_make_point_inf(uint64_t *b)
+{
+ uint64_t *x = b;
+ uint64_t *y = b + (uint32_t)5U;
+ uint64_t *z = b + (uint32_t)10U;
+ uint64_t *t = b + (uint32_t)15U;
+ x[0U] = (uint64_t)0U;
+ x[1U] = (uint64_t)0U;
+ x[2U] = (uint64_t)0U;
+ x[3U] = (uint64_t)0U;
+ x[4U] = (uint64_t)0U;
+ y[0U] = (uint64_t)1U;
+ y[1U] = (uint64_t)0U;
+ y[2U] = (uint64_t)0U;
+ y[3U] = (uint64_t)0U;
+ y[4U] = (uint64_t)0U;
+ z[0U] = (uint64_t)1U;
+ z[1U] = (uint64_t)0U;
+ z[2U] = (uint64_t)0U;
+ z[3U] = (uint64_t)0U;
+ z[4U] = (uint64_t)0U;
+ t[0U] = (uint64_t)0U;
+ t[1U] = (uint64_t)0U;
+ t[2U] = (uint64_t)0U;
+ t[3U] = (uint64_t)0U;
+ t[4U] = (uint64_t)0U;
+}
+
+static inline void
+pow2_252m2(uint64_t *out, uint64_t *z)
+{
+ uint64_t buf[20U] = { 0U };
+ uint64_t *a = buf;
+ uint64_t *t00 = buf + (uint32_t)5U;
+ uint64_t *b0 = buf + (uint32_t)10U;
+ uint64_t *c0 = buf + (uint32_t)15U;
+ fsquare_times(a, z, (uint32_t)1U);
+ fsquare_times(t00, a, (uint32_t)2U);
+ fmul0(b0, t00, z);
+ fmul0(a, b0, a);
+ fsquare_times(t00, a, (uint32_t)1U);
+ fmul0(b0, t00, b0);
+ fsquare_times(t00, b0, (uint32_t)5U);
+ fmul0(b0, t00, b0);
+ fsquare_times(t00, b0, (uint32_t)10U);
+ fmul0(c0, t00, b0);
+ fsquare_times(t00, c0, (uint32_t)20U);
+ fmul0(t00, t00, c0);
+ fsquare_times_inplace(t00, (uint32_t)10U);
+ fmul0(b0, t00, b0);
+ fsquare_times(t00, b0, (uint32_t)50U);
+ uint64_t *a0 = buf;
+ uint64_t *t0 = buf + (uint32_t)5U;
+ uint64_t *b = buf + (uint32_t)10U;
+ uint64_t *c = buf + (uint32_t)15U;
+ fsquare_times(a0, z, (uint32_t)1U);
+ fmul0(c, t0, b);
+ fsquare_times(t0, c, (uint32_t)100U);
+ fmul0(t0, t0, c);
+ fsquare_times_inplace(t0, (uint32_t)50U);
+ fmul0(t0, t0, b);
+ fsquare_times_inplace(t0, (uint32_t)2U);
+ fmul0(out, t0, a0);
+}
+
+static inline bool
+is_0(uint64_t *x)
+{
+ uint64_t x0 = x[0U];
+ uint64_t x1 = x[1U];
+ uint64_t x2 = x[2U];
+ uint64_t x3 = x[3U];
+ uint64_t x4 = x[4U];
+ return x0 == (uint64_t)0U && x1 == (uint64_t)0U && x2 == (uint64_t)0U && x3 == (uint64_t)0U && x4 == (uint64_t)0U;
+}
+
+static inline void
+mul_modp_sqrt_m1(uint64_t *x)
+{
+ uint64_t sqrt_m1[5U] = { 0U };
+ sqrt_m1[0U] = (uint64_t)0x00061b274a0ea0b0U;
+ sqrt_m1[1U] = (uint64_t)0x0000d5a5fc8f189dU;
+ sqrt_m1[2U] = (uint64_t)0x0007ef5e9cbd0c60U;
+ sqrt_m1[3U] = (uint64_t)0x00078595a6804c9eU;
+ sqrt_m1[4U] = (uint64_t)0x0002b8324804fc1dU;
+ fmul0(x, x, sqrt_m1);
+}
+
+static inline bool
+recover_x(uint64_t *x, uint64_t *y, uint64_t sign)
+{
+ uint64_t tmp[15U] = { 0U };
+ uint64_t *x2 = tmp;
+ uint64_t x00 = y[0U];
+ uint64_t x1 = y[1U];
+ uint64_t x21 = y[2U];
+ uint64_t x30 = y[3U];
+ uint64_t x4 = y[4U];
+ bool
+ b =
+ x00 >= (uint64_t)0x7ffffffffffedU && x1 == (uint64_t)0x7ffffffffffffU && x21 == (uint64_t)0x7ffffffffffffU && x30 == (uint64_t)0x7ffffffffffffU && x4 == (uint64_t)0x7ffffffffffffU;
+ bool res;
+ if (b) {
+ res = false;
+ } else {
+ uint64_t tmp1[20U] = { 0U };
+ uint64_t *one = tmp1;
+ uint64_t *y2 = tmp1 + (uint32_t)5U;
+ uint64_t *dyyi = tmp1 + (uint32_t)10U;
+ uint64_t *dyy = tmp1 + (uint32_t)15U;
+ one[0U] = (uint64_t)1U;
+ one[1U] = (uint64_t)0U;
+ one[2U] = (uint64_t)0U;
+ one[3U] = (uint64_t)0U;
+ one[4U] = (uint64_t)0U;
+ fsquare(y2, y);
+ times_d(dyy, y2);
+ fsum(dyy, dyy, one);
+ Hacl_Bignum25519_reduce_513(dyy);
+ Hacl_Bignum25519_inverse(dyyi, dyy);
+ fdifference(x2, y2, one);
+ fmul0(x2, x2, dyyi);
+ reduce(x2);
+ bool x2_is_0 = is_0(x2);
+ uint8_t z;
+ if (x2_is_0) {
+ if (sign == (uint64_t)0U) {
+ x[0U] = (uint64_t)0U;
+ x[1U] = (uint64_t)0U;
+ x[2U] = (uint64_t)0U;
+ x[3U] = (uint64_t)0U;
+ x[4U] = (uint64_t)0U;
+ z = (uint8_t)1U;
+ } else {
+ z = (uint8_t)0U;
+ }
+ } else {
+ z = (uint8_t)2U;
+ }
+ if (z == (uint8_t)0U) {
+ res = false;
+ } else if (z == (uint8_t)1U) {
+ res = true;
+ } else {
+ uint64_t *x210 = tmp;
+ uint64_t *x31 = tmp + (uint32_t)5U;
+ uint64_t *t00 = tmp + (uint32_t)10U;
+ pow2_252m2(x31, x210);
+ fsquare(t00, x31);
+ fdifference(t00, t00, x210);
+ Hacl_Bignum25519_reduce_513(t00);
+ reduce(t00);
+ bool t0_is_0 = is_0(t00);
+ if (!t0_is_0) {
+ mul_modp_sqrt_m1(x31);
+ }
+ uint64_t *x211 = tmp;
+ uint64_t *x3 = tmp + (uint32_t)5U;
+ uint64_t *t01 = tmp + (uint32_t)10U;
+ fsquare(t01, x3);
+ fdifference(t01, t01, x211);
+ Hacl_Bignum25519_reduce_513(t01);
+ reduce(t01);
+ bool z1 = is_0(t01);
+ if (z1 == false) {
+ res = false;
+ } else {
+ uint64_t *x32 = tmp + (uint32_t)5U;
+ uint64_t *t0 = tmp + (uint32_t)10U;
+ reduce(x32);
+ uint64_t x0 = x32[0U];
+ uint64_t x01 = x0 & (uint64_t)1U;
+ if (!(x01 == sign)) {
+ t0[0U] = (uint64_t)0U;
+ t0[1U] = (uint64_t)0U;
+ t0[2U] = (uint64_t)0U;
+ t0[3U] = (uint64_t)0U;
+ t0[4U] = (uint64_t)0U;
+ fdifference(x32, t0, x32);
+ Hacl_Bignum25519_reduce_513(x32);
+ reduce(x32);
+ }
+ memcpy(x, x32, (uint32_t)5U * sizeof(uint64_t));
+ res = true;
+ }
+ }
+ }
+ bool res0 = res;
+ return res0;
+}
+
+bool
+Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t *s)
+{
+ uint64_t tmp[10U] = { 0U };
+ uint64_t *y = tmp;
+ uint64_t *x = tmp + (uint32_t)5U;
+ uint8_t s31 = s[31U];
+ uint8_t z = s31 >> (uint32_t)7U;
+ uint64_t sign = (uint64_t)z;
+ Hacl_Bignum25519_load_51(y, s);
+ bool z0 = recover_x(x, y, sign);
+ bool res;
+ if (z0 == false) {
+ res = false;
+ } else {
+ uint64_t *outx = out;
+ uint64_t *outy = out + (uint32_t)5U;
+ uint64_t *outz = out + (uint32_t)10U;
+ uint64_t *outt = out + (uint32_t)15U;
+ memcpy(outx, x, (uint32_t)5U * sizeof(uint64_t));
+ memcpy(outy, y, (uint32_t)5U * sizeof(uint64_t));
+ outz[0U] = (uint64_t)1U;
+ outz[1U] = (uint64_t)0U;
+ outz[2U] = (uint64_t)0U;
+ outz[3U] = (uint64_t)0U;
+ outz[4U] = (uint64_t)0U;
+ fmul0(outt, x, y);
+ res = true;
+ }
+ bool res0 = res;
+ return res0;
+}
+
+void
+Hacl_Impl_Ed25519_PointCompress_point_compress(uint8_t *z, uint64_t *p)
+{
+ uint64_t tmp[15U] = { 0U };
+ uint64_t *x = tmp + (uint32_t)5U;
+ uint64_t *out = tmp + (uint32_t)10U;
+ uint64_t *zinv1 = tmp;
+ uint64_t *x1 = tmp + (uint32_t)5U;
+ uint64_t *out1 = tmp + (uint32_t)10U;
+ uint64_t *px = p;
+ uint64_t *py = p + (uint32_t)5U;
+ uint64_t *pz = p + (uint32_t)10U;
+ Hacl_Bignum25519_inverse(zinv1, pz);
+ fmul0(x1, px, zinv1);
+ reduce(x1);
+ fmul0(out1, py, zinv1);
+ Hacl_Bignum25519_reduce_513(out1);
+ uint64_t x0 = x[0U];
+ uint64_t b = x0 & (uint64_t)1U;
+ Hacl_Bignum25519_store_51(z, out);
+ uint8_t xbyte = (uint8_t)b;
+ uint8_t o31 = z[31U];
+ z[31U] = o31 + (xbyte << (uint32_t)7U);
+}
+
+static inline void
+barrett_reduction(uint64_t *z, uint64_t *t)
+{
+ uint64_t t0 = t[0U];
+ uint64_t t1 = t[1U];
+ uint64_t t2 = t[2U];
+ uint64_t t3 = t[3U];
+ uint64_t t4 = t[4U];
+ uint64_t t5 = t[5U];
+ uint64_t t6 = t[6U];
+ uint64_t t7 = t[7U];
+ uint64_t t8 = t[8U];
+ uint64_t t9 = t[9U];
+ uint64_t m00 = (uint64_t)0x12631a5cf5d3edU;
+ uint64_t m10 = (uint64_t)0xf9dea2f79cd658U;
+ uint64_t m20 = (uint64_t)0x000000000014deU;
+ uint64_t m30 = (uint64_t)0x00000000000000U;
+ uint64_t m40 = (uint64_t)0x00000010000000U;
+ uint64_t m0 = m00;
+ uint64_t m1 = m10;
+ uint64_t m2 = m20;
+ uint64_t m3 = m30;
+ uint64_t m4 = m40;
+ uint64_t m010 = (uint64_t)0x9ce5a30a2c131bU;
+ uint64_t m110 = (uint64_t)0x215d086329a7edU;
+ uint64_t m210 = (uint64_t)0xffffffffeb2106U;
+ uint64_t m310 = (uint64_t)0xffffffffffffffU;
+ uint64_t m410 = (uint64_t)0x00000fffffffffU;
+ uint64_t mu0 = m010;
+ uint64_t mu1 = m110;
+ uint64_t mu2 = m210;
+ uint64_t mu3 = m310;
+ uint64_t mu4 = m410;
+ uint64_t y_ = (t5 & (uint64_t)0xffffffU) << (uint32_t)32U;
+ uint64_t x_ = t4 >> (uint32_t)24U;
+ uint64_t z00 = x_ | y_;
+ uint64_t y_0 = (t6 & (uint64_t)0xffffffU) << (uint32_t)32U;
+ uint64_t x_0 = t5 >> (uint32_t)24U;
+ uint64_t z10 = x_0 | y_0;
+ uint64_t y_1 = (t7 & (uint64_t)0xffffffU) << (uint32_t)32U;
+ uint64_t x_1 = t6 >> (uint32_t)24U;
+ uint64_t z20 = x_1 | y_1;
+ uint64_t y_2 = (t8 & (uint64_t)0xffffffU) << (uint32_t)32U;
+ uint64_t x_2 = t7 >> (uint32_t)24U;
+ uint64_t z30 = x_2 | y_2;
+ uint64_t y_3 = (t9 & (uint64_t)0xffffffU) << (uint32_t)32U;
+ uint64_t x_3 = t8 >> (uint32_t)24U;
+ uint64_t z40 = x_3 | y_3;
+ uint64_t q0 = z00;
+ uint64_t q1 = z10;
+ uint64_t q2 = z20;
+ uint64_t q3 = z30;
+ uint64_t q4 = z40;
+ FStar_UInt128_uint128 xy000 = FStar_UInt128_mul_wide(q0, mu0);
+ FStar_UInt128_uint128 xy010 = FStar_UInt128_mul_wide(q0, mu1);
+ FStar_UInt128_uint128 xy020 = FStar_UInt128_mul_wide(q0, mu2);
+ FStar_UInt128_uint128 xy030 = FStar_UInt128_mul_wide(q0, mu3);
+ FStar_UInt128_uint128 xy040 = FStar_UInt128_mul_wide(q0, mu4);
+ FStar_UInt128_uint128 xy100 = FStar_UInt128_mul_wide(q1, mu0);
+ FStar_UInt128_uint128 xy110 = FStar_UInt128_mul_wide(q1, mu1);
+ FStar_UInt128_uint128 xy120 = FStar_UInt128_mul_wide(q1, mu2);
+ FStar_UInt128_uint128 xy130 = FStar_UInt128_mul_wide(q1, mu3);
+ FStar_UInt128_uint128 xy14 = FStar_UInt128_mul_wide(q1, mu4);
+ FStar_UInt128_uint128 xy200 = FStar_UInt128_mul_wide(q2, mu0);
+ FStar_UInt128_uint128 xy210 = FStar_UInt128_mul_wide(q2, mu1);
+ FStar_UInt128_uint128 xy220 = FStar_UInt128_mul_wide(q2, mu2);
+ FStar_UInt128_uint128 xy23 = FStar_UInt128_mul_wide(q2, mu3);
+ FStar_UInt128_uint128 xy24 = FStar_UInt128_mul_wide(q2, mu4);
+ FStar_UInt128_uint128 xy300 = FStar_UInt128_mul_wide(q3, mu0);
+ FStar_UInt128_uint128 xy310 = FStar_UInt128_mul_wide(q3, mu1);
+ FStar_UInt128_uint128 xy32 = FStar_UInt128_mul_wide(q3, mu2);
+ FStar_UInt128_uint128 xy33 = FStar_UInt128_mul_wide(q3, mu3);
+ FStar_UInt128_uint128 xy34 = FStar_UInt128_mul_wide(q3, mu4);
+ FStar_UInt128_uint128 xy400 = FStar_UInt128_mul_wide(q4, mu0);
+ FStar_UInt128_uint128 xy41 = FStar_UInt128_mul_wide(q4, mu1);
+ FStar_UInt128_uint128 xy42 = FStar_UInt128_mul_wide(q4, mu2);
+ FStar_UInt128_uint128 xy43 = FStar_UInt128_mul_wide(q4, mu3);
+ FStar_UInt128_uint128 xy44 = FStar_UInt128_mul_wide(q4, mu4);
+ FStar_UInt128_uint128 z01 = xy000;
+ FStar_UInt128_uint128 z11 = FStar_UInt128_add_mod(xy010, xy100);
+ FStar_UInt128_uint128 z21 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy020, xy110), xy200);
+ FStar_UInt128_uint128
+ z31 =
+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy030, xy120), xy210),
+ xy300);
+ FStar_UInt128_uint128
+ z41 =
+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy040,
+ xy130),
+ xy220),
+ xy310),
+ xy400);
+ FStar_UInt128_uint128
+ z5 =
+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy14, xy23), xy32),
+ xy41);
+ FStar_UInt128_uint128 z6 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy24, xy33), xy42);
+ FStar_UInt128_uint128 z7 = FStar_UInt128_add_mod(xy34, xy43);
+ FStar_UInt128_uint128 z8 = xy44;
+ FStar_UInt128_uint128 carry0 = FStar_UInt128_shift_right(z01, (uint32_t)56U);
+ FStar_UInt128_uint128 c00 = carry0;
+ FStar_UInt128_uint128
+ carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z11, c00), (uint32_t)56U);
+ FStar_UInt128_uint128 c10 = carry1;
+ FStar_UInt128_uint128
+ carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z21, c10), (uint32_t)56U);
+ FStar_UInt128_uint128 c20 = carry2;
+ FStar_UInt128_uint128
+ carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z31, c20), (uint32_t)56U);
+ FStar_UInt128_uint128 c30 = carry3;
+ FStar_UInt128_uint128
+ carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z41, c30), (uint32_t)56U);
+ uint64_t
+ t100 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z41, c30)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c40 = carry4;
+ uint64_t t410 = t100;
+ FStar_UInt128_uint128
+ carry5 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z5, c40), (uint32_t)56U);
+ uint64_t
+ t101 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z5, c40)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c5 = carry5;
+ uint64_t t51 = t101;
+ FStar_UInt128_uint128
+ carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z6, c5), (uint32_t)56U);
+ uint64_t
+ t102 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z6, c5)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c6 = carry6;
+ uint64_t t61 = t102;
+ FStar_UInt128_uint128
+ carry7 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z7, c6), (uint32_t)56U);
+ uint64_t
+ t103 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z7, c6)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c7 = carry7;
+ uint64_t t71 = t103;
+ FStar_UInt128_uint128
+ carry8 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z8, c7), (uint32_t)56U);
+ uint64_t
+ t104 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z8, c7)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c8 = carry8;
+ uint64_t t81 = t104;
+ uint64_t t91 = FStar_UInt128_uint128_to_uint64(c8);
+ uint64_t qmu4_ = t410;
+ uint64_t qmu5_ = t51;
+ uint64_t qmu6_ = t61;
+ uint64_t qmu7_ = t71;
+ uint64_t qmu8_ = t81;
+ uint64_t qmu9_ = t91;
+ uint64_t y_4 = (qmu5_ & (uint64_t)0xffffffffffU) << (uint32_t)16U;
+ uint64_t x_4 = qmu4_ >> (uint32_t)40U;
+ uint64_t z02 = x_4 | y_4;
+ uint64_t y_5 = (qmu6_ & (uint64_t)0xffffffffffU) << (uint32_t)16U;
+ uint64_t x_5 = qmu5_ >> (uint32_t)40U;
+ uint64_t z12 = x_5 | y_5;
+ uint64_t y_6 = (qmu7_ & (uint64_t)0xffffffffffU) << (uint32_t)16U;
+ uint64_t x_6 = qmu6_ >> (uint32_t)40U;
+ uint64_t z22 = x_6 | y_6;
+ uint64_t y_7 = (qmu8_ & (uint64_t)0xffffffffffU) << (uint32_t)16U;
+ uint64_t x_7 = qmu7_ >> (uint32_t)40U;
+ uint64_t z32 = x_7 | y_7;
+ uint64_t y_8 = (qmu9_ & (uint64_t)0xffffffffffU) << (uint32_t)16U;
+ uint64_t x_8 = qmu8_ >> (uint32_t)40U;
+ uint64_t z42 = x_8 | y_8;
+ uint64_t qdiv0 = z02;
+ uint64_t qdiv1 = z12;
+ uint64_t qdiv2 = z22;
+ uint64_t qdiv3 = z32;
+ uint64_t qdiv4 = z42;
+ uint64_t r0 = t0;
+ uint64_t r1 = t1;
+ uint64_t r2 = t2;
+ uint64_t r3 = t3;
+ uint64_t r4 = t4 & (uint64_t)0xffffffffffU;
+ FStar_UInt128_uint128 xy00 = FStar_UInt128_mul_wide(qdiv0, m0);
+ FStar_UInt128_uint128 xy01 = FStar_UInt128_mul_wide(qdiv0, m1);
+ FStar_UInt128_uint128 xy02 = FStar_UInt128_mul_wide(qdiv0, m2);
+ FStar_UInt128_uint128 xy03 = FStar_UInt128_mul_wide(qdiv0, m3);
+ FStar_UInt128_uint128 xy04 = FStar_UInt128_mul_wide(qdiv0, m4);
+ FStar_UInt128_uint128 xy10 = FStar_UInt128_mul_wide(qdiv1, m0);
+ FStar_UInt128_uint128 xy11 = FStar_UInt128_mul_wide(qdiv1, m1);
+ FStar_UInt128_uint128 xy12 = FStar_UInt128_mul_wide(qdiv1, m2);
+ FStar_UInt128_uint128 xy13 = FStar_UInt128_mul_wide(qdiv1, m3);
+ FStar_UInt128_uint128 xy20 = FStar_UInt128_mul_wide(qdiv2, m0);
+ FStar_UInt128_uint128 xy21 = FStar_UInt128_mul_wide(qdiv2, m1);
+ FStar_UInt128_uint128 xy22 = FStar_UInt128_mul_wide(qdiv2, m2);
+ FStar_UInt128_uint128 xy30 = FStar_UInt128_mul_wide(qdiv3, m0);
+ FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(qdiv3, m1);
+ FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(qdiv4, m0);
+ FStar_UInt128_uint128 carry9 = FStar_UInt128_shift_right(xy00, (uint32_t)56U);
+ uint64_t t105 = FStar_UInt128_uint128_to_uint64(xy00) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c0 = carry9;
+ uint64_t t010 = t105;
+ FStar_UInt128_uint128
+ carry10 =
+ FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0),
+ (uint32_t)56U);
+ uint64_t
+ t106 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy01, xy10), c0)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c11 = carry10;
+ uint64_t t110 = t106;
+ FStar_UInt128_uint128
+ carry11 =
+ FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02,
+ xy11),
+ xy20),
+ c11),
+ (uint32_t)56U);
+ uint64_t
+ t107 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02,
+ xy11),
+ xy20),
+ c11)) &
+ (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c21 = carry11;
+ uint64_t t210 = t107;
+ FStar_UInt128_uint128
+ carry =
+ FStar_UInt128_shift_right(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03,
+ xy12),
+ xy21),
+ xy30),
+ c21),
+ (uint32_t)56U);
+ uint64_t
+ t108 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03,
+ xy12),
+ xy21),
+ xy30),
+ c21)) &
+ (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c31 = carry;
+ uint64_t t310 = t108;
+ uint64_t
+ t411 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04,
+ xy13),
+ xy22),
+ xy31),
+ xy40),
+ c31)) &
+ (uint64_t)0xffffffffffU;
+ uint64_t qmul0 = t010;
+ uint64_t qmul1 = t110;
+ uint64_t qmul2 = t210;
+ uint64_t qmul3 = t310;
+ uint64_t qmul4 = t411;
+ uint64_t b5 = (r0 - qmul0) >> (uint32_t)63U;
+ uint64_t t109 = (b5 << (uint32_t)56U) + r0 - qmul0;
+ uint64_t c1 = b5;
+ uint64_t t011 = t109;
+ uint64_t b6 = (r1 - (qmul1 + c1)) >> (uint32_t)63U;
+ uint64_t t1010 = (b6 << (uint32_t)56U) + r1 - (qmul1 + c1);
+ uint64_t c2 = b6;
+ uint64_t t111 = t1010;
+ uint64_t b7 = (r2 - (qmul2 + c2)) >> (uint32_t)63U;
+ uint64_t t1011 = (b7 << (uint32_t)56U) + r2 - (qmul2 + c2);
+ uint64_t c3 = b7;
+ uint64_t t211 = t1011;
+ uint64_t b8 = (r3 - (qmul3 + c3)) >> (uint32_t)63U;
+ uint64_t t1012 = (b8 << (uint32_t)56U) + r3 - (qmul3 + c3);
+ uint64_t c4 = b8;
+ uint64_t t311 = t1012;
+ uint64_t b9 = (r4 - (qmul4 + c4)) >> (uint32_t)63U;
+ uint64_t t1013 = (b9 << (uint32_t)40U) + r4 - (qmul4 + c4);
+ uint64_t t412 = t1013;
+ uint64_t s0 = t011;
+ uint64_t s1 = t111;
+ uint64_t s2 = t211;
+ uint64_t s3 = t311;
+ uint64_t s4 = t412;
+ uint64_t m01 = (uint64_t)0x12631a5cf5d3edU;
+ uint64_t m11 = (uint64_t)0xf9dea2f79cd658U;
+ uint64_t m21 = (uint64_t)0x000000000014deU;
+ uint64_t m31 = (uint64_t)0x00000000000000U;
+ uint64_t m41 = (uint64_t)0x00000010000000U;
+ uint64_t y0 = m01;
+ uint64_t y1 = m11;
+ uint64_t y2 = m21;
+ uint64_t y3 = m31;
+ uint64_t y4 = m41;
+ uint64_t b10 = (s0 - y0) >> (uint32_t)63U;
+ uint64_t t1014 = (b10 << (uint32_t)56U) + s0 - y0;
+ uint64_t b0 = b10;
+ uint64_t t01 = t1014;
+ uint64_t b11 = (s1 - (y1 + b0)) >> (uint32_t)63U;
+ uint64_t t1015 = (b11 << (uint32_t)56U) + s1 - (y1 + b0);
+ uint64_t b1 = b11;
+ uint64_t t11 = t1015;
+ uint64_t b12 = (s2 - (y2 + b1)) >> (uint32_t)63U;
+ uint64_t t1016 = (b12 << (uint32_t)56U) + s2 - (y2 + b1);
+ uint64_t b2 = b12;
+ uint64_t t21 = t1016;
+ uint64_t b13 = (s3 - (y3 + b2)) >> (uint32_t)63U;
+ uint64_t t1017 = (b13 << (uint32_t)56U) + s3 - (y3 + b2);
+ uint64_t b3 = b13;
+ uint64_t t31 = t1017;
+ uint64_t b = (s4 - (y4 + b3)) >> (uint32_t)63U;
+ uint64_t t10 = (b << (uint32_t)56U) + s4 - (y4 + b3);
+ uint64_t b4 = b;
+ uint64_t t41 = t10;
+ uint64_t mask = b4 - (uint64_t)1U;
+ uint64_t z03 = s0 ^ (mask & (s0 ^ t01));
+ uint64_t z13 = s1 ^ (mask & (s1 ^ t11));
+ uint64_t z23 = s2 ^ (mask & (s2 ^ t21));
+ uint64_t z33 = s3 ^ (mask & (s3 ^ t31));
+ uint64_t z43 = s4 ^ (mask & (s4 ^ t41));
+ uint64_t z04 = z03;
+ uint64_t z14 = z13;
+ uint64_t z24 = z23;
+ uint64_t z34 = z33;
+ uint64_t z44 = z43;
+ uint64_t o0 = z04;
+ uint64_t o1 = z14;
+ uint64_t o2 = z24;
+ uint64_t o3 = z34;
+ uint64_t o4 = z44;
+ uint64_t z0 = o0;
+ uint64_t z1 = o1;
+ uint64_t z2 = o2;
+ uint64_t z3 = o3;
+ uint64_t z4 = o4;
+ z[0U] = z0;
+ z[1U] = z1;
+ z[2U] = z2;
+ z[3U] = z3;
+ z[4U] = z4;
+}
+
+static inline void
+mul_modq(uint64_t *out, uint64_t *x, uint64_t *y)
+{
+ uint64_t tmp[10U] = { 0U };
+ uint64_t x0 = x[0U];
+ uint64_t x1 = x[1U];
+ uint64_t x2 = x[2U];
+ uint64_t x3 = x[3U];
+ uint64_t x4 = x[4U];
+ uint64_t y0 = y[0U];
+ uint64_t y1 = y[1U];
+ uint64_t y2 = y[2U];
+ uint64_t y3 = y[3U];
+ uint64_t y4 = y[4U];
+ FStar_UInt128_uint128 xy00 = FStar_UInt128_mul_wide(x0, y0);
+ FStar_UInt128_uint128 xy01 = FStar_UInt128_mul_wide(x0, y1);
+ FStar_UInt128_uint128 xy02 = FStar_UInt128_mul_wide(x0, y2);
+ FStar_UInt128_uint128 xy03 = FStar_UInt128_mul_wide(x0, y3);
+ FStar_UInt128_uint128 xy04 = FStar_UInt128_mul_wide(x0, y4);
+ FStar_UInt128_uint128 xy10 = FStar_UInt128_mul_wide(x1, y0);
+ FStar_UInt128_uint128 xy11 = FStar_UInt128_mul_wide(x1, y1);
+ FStar_UInt128_uint128 xy12 = FStar_UInt128_mul_wide(x1, y2);
+ FStar_UInt128_uint128 xy13 = FStar_UInt128_mul_wide(x1, y3);
+ FStar_UInt128_uint128 xy14 = FStar_UInt128_mul_wide(x1, y4);
+ FStar_UInt128_uint128 xy20 = FStar_UInt128_mul_wide(x2, y0);
+ FStar_UInt128_uint128 xy21 = FStar_UInt128_mul_wide(x2, y1);
+ FStar_UInt128_uint128 xy22 = FStar_UInt128_mul_wide(x2, y2);
+ FStar_UInt128_uint128 xy23 = FStar_UInt128_mul_wide(x2, y3);
+ FStar_UInt128_uint128 xy24 = FStar_UInt128_mul_wide(x2, y4);
+ FStar_UInt128_uint128 xy30 = FStar_UInt128_mul_wide(x3, y0);
+ FStar_UInt128_uint128 xy31 = FStar_UInt128_mul_wide(x3, y1);
+ FStar_UInt128_uint128 xy32 = FStar_UInt128_mul_wide(x3, y2);
+ FStar_UInt128_uint128 xy33 = FStar_UInt128_mul_wide(x3, y3);
+ FStar_UInt128_uint128 xy34 = FStar_UInt128_mul_wide(x3, y4);
+ FStar_UInt128_uint128 xy40 = FStar_UInt128_mul_wide(x4, y0);
+ FStar_UInt128_uint128 xy41 = FStar_UInt128_mul_wide(x4, y1);
+ FStar_UInt128_uint128 xy42 = FStar_UInt128_mul_wide(x4, y2);
+ FStar_UInt128_uint128 xy43 = FStar_UInt128_mul_wide(x4, y3);
+ FStar_UInt128_uint128 xy44 = FStar_UInt128_mul_wide(x4, y4);
+ FStar_UInt128_uint128 z00 = xy00;
+ FStar_UInt128_uint128 z10 = FStar_UInt128_add_mod(xy01, xy10);
+ FStar_UInt128_uint128 z20 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy02, xy11), xy20);
+ FStar_UInt128_uint128
+ z30 =
+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy03, xy12), xy21),
+ xy30);
+ FStar_UInt128_uint128
+ z40 =
+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy04,
+ xy13),
+ xy22),
+ xy31),
+ xy40);
+ FStar_UInt128_uint128
+ z50 =
+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy14, xy23), xy32),
+ xy41);
+ FStar_UInt128_uint128 z60 = FStar_UInt128_add_mod(FStar_UInt128_add_mod(xy24, xy33), xy42);
+ FStar_UInt128_uint128 z70 = FStar_UInt128_add_mod(xy34, xy43);
+ FStar_UInt128_uint128 z80 = xy44;
+ FStar_UInt128_uint128 carry0 = FStar_UInt128_shift_right(z00, (uint32_t)56U);
+ uint64_t t10 = FStar_UInt128_uint128_to_uint64(z00) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c0 = carry0;
+ uint64_t t0 = t10;
+ FStar_UInt128_uint128
+ carry1 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z10, c0), (uint32_t)56U);
+ uint64_t
+ t11 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z10, c0)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c1 = carry1;
+ uint64_t t1 = t11;
+ FStar_UInt128_uint128
+ carry2 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z20, c1), (uint32_t)56U);
+ uint64_t
+ t12 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z20, c1)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c2 = carry2;
+ uint64_t t2 = t12;
+ FStar_UInt128_uint128
+ carry3 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z30, c2), (uint32_t)56U);
+ uint64_t
+ t13 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z30, c2)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c3 = carry3;
+ uint64_t t3 = t13;
+ FStar_UInt128_uint128
+ carry4 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z40, c3), (uint32_t)56U);
+ uint64_t
+ t14 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z40, c3)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c4 = carry4;
+ uint64_t t4 = t14;
+ FStar_UInt128_uint128
+ carry5 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z50, c4), (uint32_t)56U);
+ uint64_t
+ t15 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z50, c4)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c5 = carry5;
+ uint64_t t5 = t15;
+ FStar_UInt128_uint128
+ carry6 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z60, c5), (uint32_t)56U);
+ uint64_t
+ t16 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z60, c5)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c6 = carry6;
+ uint64_t t6 = t16;
+ FStar_UInt128_uint128
+ carry7 = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z70, c6), (uint32_t)56U);
+ uint64_t
+ t17 =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z70, c6)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c7 = carry7;
+ uint64_t t7 = t17;
+ FStar_UInt128_uint128
+ carry = FStar_UInt128_shift_right(FStar_UInt128_add_mod(z80, c7), (uint32_t)56U);
+ uint64_t
+ t =
+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_add_mod(z80, c7)) & (uint64_t)0xffffffffffffffU;
+ FStar_UInt128_uint128 c8 = carry;
+ uint64_t t8 = t;
+ uint64_t t9 = FStar_UInt128_uint128_to_uint64(c8);
+ uint64_t z0 = t0;
+ uint64_t z1 = t1;
+ uint64_t z2 = t2;
+ uint64_t z3 = t3;
+ uint64_t z4 = t4;
+ uint64_t z5 = t5;
+ uint64_t z6 = t6;
+ uint64_t z7 = t7;
+ uint64_t z8 = t8;
+ uint64_t z9 = t9;
+ tmp[0U] = z0;
+ tmp[1U] = z1;
+ tmp[2U] = z2;
+ tmp[3U] = z3;
+ tmp[4U] = z4;
+ tmp[5U] = z5;
+ tmp[6U] = z6;
+ tmp[7U] = z7;
+ tmp[8U] = z8;
+ tmp[9U] = z9;
+ barrett_reduction(out, tmp);
+}
+
+static inline void
+add_modq(uint64_t *out, uint64_t *x, uint64_t *y)
+{
+ uint64_t x0 = x[0U];
+ uint64_t x1 = x[1U];
+ uint64_t x2 = x[2U];
+ uint64_t x3 = x[3U];
+ uint64_t x4 = x[4U];
+ uint64_t y0 = y[0U];
+ uint64_t y1 = y[1U];
+ uint64_t y2 = y[2U];
+ uint64_t y3 = y[3U];
+ uint64_t y4 = y[4U];
+ uint64_t carry0 = (x0 + y0) >> (uint32_t)56U;
+ uint64_t t0 = (x0 + y0) & (uint64_t)0xffffffffffffffU;
+ uint64_t t00 = t0;
+ uint64_t c0 = carry0;
+ uint64_t carry1 = (x1 + y1 + c0) >> (uint32_t)56U;
+ uint64_t t1 = (x1 + y1 + c0) & (uint64_t)0xffffffffffffffU;
+ uint64_t t10 = t1;
+ uint64_t c1 = carry1;
+ uint64_t carry2 = (x2 + y2 + c1) >> (uint32_t)56U;
+ uint64_t t2 = (x2 + y2 + c1) & (uint64_t)0xffffffffffffffU;
+ uint64_t t20 = t2;
+ uint64_t c2 = carry2;
+ uint64_t carry = (x3 + y3 + c2) >> (uint32_t)56U;
+ uint64_t t3 = (x3 + y3 + c2) & (uint64_t)0xffffffffffffffU;
+ uint64_t t30 = t3;
+ uint64_t c3 = carry;
+ uint64_t t4 = x4 + y4 + c3;
+ uint64_t m0 = (uint64_t)0x12631a5cf5d3edU;
+ uint64_t m1 = (uint64_t)0xf9dea2f79cd658U;
+ uint64_t m2 = (uint64_t)0x000000000014deU;
+ uint64_t m3 = (uint64_t)0x00000000000000U;
+ uint64_t m4 = (uint64_t)0x00000010000000U;
+ uint64_t y01 = m0;
+ uint64_t y11 = m1;
+ uint64_t y21 = m2;
+ uint64_t y31 = m3;
+ uint64_t y41 = m4;
+ uint64_t b5 = (t00 - y01) >> (uint32_t)63U;
+ uint64_t t5 = (b5 << (uint32_t)56U) + t00 - y01;
+ uint64_t b0 = b5;
+ uint64_t t01 = t5;
+ uint64_t b6 = (t10 - (y11 + b0)) >> (uint32_t)63U;
+ uint64_t t6 = (b6 << (uint32_t)56U) + t10 - (y11 + b0);
+ uint64_t b1 = b6;
+ uint64_t t11 = t6;
+ uint64_t b7 = (t20 - (y21 + b1)) >> (uint32_t)63U;
+ uint64_t t7 = (b7 << (uint32_t)56U) + t20 - (y21 + b1);
+ uint64_t b2 = b7;
+ uint64_t t21 = t7;
+ uint64_t b8 = (t30 - (y31 + b2)) >> (uint32_t)63U;
+ uint64_t t8 = (b8 << (uint32_t)56U) + t30 - (y31 + b2);
+ uint64_t b3 = b8;
+ uint64_t t31 = t8;
+ uint64_t b = (t4 - (y41 + b3)) >> (uint32_t)63U;
+ uint64_t t = (b << (uint32_t)56U) + t4 - (y41 + b3);
+ uint64_t b4 = b;
+ uint64_t t41 = t;
+ uint64_t mask = b4 - (uint64_t)1U;
+ uint64_t z00 = t00 ^ (mask & (t00 ^ t01));
+ uint64_t z10 = t10 ^ (mask & (t10 ^ t11));
+ uint64_t z20 = t20 ^ (mask & (t20 ^ t21));
+ uint64_t z30 = t30 ^ (mask & (t30 ^ t31));
+ uint64_t z40 = t4 ^ (mask & (t4 ^ t41));
+ uint64_t z01 = z00;
+ uint64_t z11 = z10;
+ uint64_t z21 = z20;
+ uint64_t z31 = z30;
+ uint64_t z41 = z40;
+ uint64_t o0 = z01;
+ uint64_t o1 = z11;
+ uint64_t o2 = z21;
+ uint64_t o3 = z31;
+ uint64_t o4 = z41;
+ uint64_t z0 = o0;
+ uint64_t z1 = o1;
+ uint64_t z2 = o2;
+ uint64_t z3 = o3;
+ uint64_t z4 = o4;
+ out[0U] = z0;
+ out[1U] = z1;
+ out[2U] = z2;
+ out[3U] = z3;
+ out[4U] = z4;
+}
+
+static inline bool
+gte_q(uint64_t *s)
+{
+ uint64_t s0 = s[0U];
+ uint64_t s1 = s[1U];
+ uint64_t s2 = s[2U];
+ uint64_t s3 = s[3U];
+ uint64_t s4 = s[4U];
+ if (s4 > (uint64_t)0x00000010000000U) {
+ return true;
+ }
+ if (s4 < (uint64_t)0x00000010000000U) {
+ return false;
+ }
+ if (s3 > (uint64_t)0x00000000000000U) {
+ return true;
+ }
+ if (s2 > (uint64_t)0x000000000014deU) {
+ return true;
+ }
+ if (s2 < (uint64_t)0x000000000014deU) {
+ return false;
+ }
+ if (s1 > (uint64_t)0xf9dea2f79cd658U) {
+ return true;
+ }
+ if (s1 < (uint64_t)0xf9dea2f79cd658U) {
+ return false;
+ }
+ if (s0 >= (uint64_t)0x12631a5cf5d3edU) {
+ return true;
+ }
+ return false;
+}
+
+static inline bool
+eq(uint64_t *a, uint64_t *b)
+{
+ uint64_t a0 = a[0U];
+ uint64_t a1 = a[1U];
+ uint64_t a2 = a[2U];
+ uint64_t a3 = a[3U];
+ uint64_t a4 = a[4U];
+ uint64_t b0 = b[0U];
+ uint64_t b1 = b[1U];
+ uint64_t b2 = b[2U];
+ uint64_t b3 = b[3U];
+ uint64_t b4 = b[4U];
+ return a0 == b0 && a1 == b1 && a2 == b2 && a3 == b3 && a4 == b4;
+}
+
+bool
+Hacl_Impl_Ed25519_PointEqual_point_equal(uint64_t *p, uint64_t *q)
+{
+ uint64_t tmp[20U] = { 0U };
+ uint64_t *pxqz = tmp;
+ uint64_t *qxpz = tmp + (uint32_t)5U;
+ fmul0(pxqz, p, q + (uint32_t)10U);
+ reduce(pxqz);
+ fmul0(qxpz, q, p + (uint32_t)10U);
+ reduce(qxpz);
+ bool b = eq(pxqz, qxpz);
+ if (b) {
+ uint64_t *pyqz = tmp + (uint32_t)10U;
+ uint64_t *qypz = tmp + (uint32_t)15U;
+ fmul0(pyqz, p + (uint32_t)5U, q + (uint32_t)10U);
+ reduce(pyqz);
+ fmul0(qypz, q + (uint32_t)5U, p + (uint32_t)10U);
+ reduce(qypz);
+ return eq(pyqz, qypz);
+ }
+ return false;
+}
+
+void
+Hacl_Impl_Ed25519_PointNegate_point_negate(uint64_t *p, uint64_t *out)
+{
+ uint64_t zero[5U] = { 0U };
+ zero[0U] = (uint64_t)0U;
+ zero[1U] = (uint64_t)0U;
+ zero[2U] = (uint64_t)0U;
+ zero[3U] = (uint64_t)0U;
+ zero[4U] = (uint64_t)0U;
+ uint64_t *x = p;
+ uint64_t *y = p + (uint32_t)5U;
+ uint64_t *z = p + (uint32_t)10U;
+ uint64_t *t = p + (uint32_t)15U;
+ uint64_t *x1 = out;
+ uint64_t *y1 = out + (uint32_t)5U;
+ uint64_t *z1 = out + (uint32_t)10U;
+ uint64_t *t1 = out + (uint32_t)15U;
+ fdifference(x1, zero, x);
+ Hacl_Bignum25519_reduce_513(x1);
+ memcpy(y1, y, (uint32_t)5U * sizeof(uint64_t));
+ memcpy(z1, z, (uint32_t)5U * sizeof(uint64_t));
+ fdifference(t1, zero, t);
+ Hacl_Bignum25519_reduce_513(t1);
+}
+
+void
+Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *out, uint8_t *scalar, uint64_t *q)
+{
+ uint64_t bscalar[4U] = { 0U };
+ KRML_MAYBE_FOR4(i,
+ (uint32_t)0U,
+ (uint32_t)4U,
+ (uint32_t)1U,
+ uint64_t *os = bscalar;
+ uint8_t *bj = scalar + i * (uint32_t)8U;
+ uint64_t u = load64_le(bj);
+ uint64_t r = u;
+ uint64_t x = r;
+ os[i] = x;);
+ uint64_t table[320U] = { 0U };
+ uint64_t tmp[20U] = { 0U };
+ uint64_t *t0 = table;
+ uint64_t *t1 = table + (uint32_t)20U;
+ Hacl_Impl_Ed25519_PointConstants_make_point_inf(t0);
+ memcpy(t1, q, (uint32_t)20U * sizeof(uint64_t));
+ KRML_MAYBE_FOR7(i,
+ (uint32_t)0U,
+ (uint32_t)7U,
+ (uint32_t)1U,
+ uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)20U;
+ Hacl_Impl_Ed25519_PointDouble_point_double(tmp, t11);
+ memcpy(table + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)20U,
+ tmp,
+ (uint32_t)20U * sizeof(uint64_t));
+ uint64_t *t2 = table + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)20U;
+ Hacl_Impl_Ed25519_PointAdd_point_add(tmp, q, t2);
+ memcpy(table + ((uint32_t)2U * i + (uint32_t)3U) * (uint32_t)20U,
+ tmp,
+ (uint32_t)20U * sizeof(uint64_t)););
+ Hacl_Impl_Ed25519_PointConstants_make_point_inf(out);
+ uint64_t tmp0[20U] = { 0U };
+ for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) {
+ KRML_MAYBE_FOR4(i,
+ (uint32_t)0U,
+ (uint32_t)4U,
+ (uint32_t)1U,
+ Hacl_Impl_Ed25519_PointDouble_point_double(out, out););
+ uint32_t k = (uint32_t)256U - (uint32_t)4U * i0 - (uint32_t)4U;
+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, bscalar, k, (uint32_t)4U);
+ memcpy(tmp0, (uint64_t *)table, (uint32_t)20U * sizeof(uint64_t));
+ KRML_MAYBE_FOR15(
+ i1,
+ (uint32_t)0U,
+ (uint32_t)15U,
+ (uint32_t)1U,
+ uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i1 + (uint32_t)1U));
+ const uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)20U;
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)20U; i++) {
+ uint64_t *os = tmp0;
+ uint64_t x = (c & res_j[i]) | (~c & tmp0[i]);
+ os[i] = x;
+ });
+ Hacl_Impl_Ed25519_PointAdd_point_add(out, out, tmp0);
+ }
+}
+
+static inline void
+precomp_get_consttime(const uint64_t *table, uint64_t bits_l, uint64_t *tmp)
+{
+ memcpy(tmp, (uint64_t *)table, (uint32_t)20U * sizeof(uint64_t));
+ KRML_MAYBE_FOR15(
+ i0,
+ (uint32_t)0U,
+ (uint32_t)15U,
+ (uint32_t)1U,
+ uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i0 + (uint32_t)1U));
+ const uint64_t *res_j = table + (i0 + (uint32_t)1U) * (uint32_t)20U;
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)20U; i++) {
+ uint64_t *os = tmp;
+ uint64_t x = (c & res_j[i]) | (~c & tmp[i]);
+ os[i] = x;
+ });
+}
+
+static inline void
+point_mul_g(uint64_t *out, uint8_t *scalar)
+{
+ uint64_t bscalar[4U] = { 0U };
+ KRML_MAYBE_FOR4(i,
+ (uint32_t)0U,
+ (uint32_t)4U,
+ (uint32_t)1U,
+ uint64_t *os = bscalar;
+ uint8_t *bj = scalar + i * (uint32_t)8U;
+ uint64_t u = load64_le(bj);
+ uint64_t r = u;
+ uint64_t x = r;
+ os[i] = x;);
+ uint64_t q1[20U] = { 0U };
+ uint64_t *gx = q1;
+ uint64_t *gy = q1 + (uint32_t)5U;
+ uint64_t *gz = q1 + (uint32_t)10U;
+ uint64_t *gt = q1 + (uint32_t)15U;
+ gx[0U] = (uint64_t)0x00062d608f25d51aU;
+ gx[1U] = (uint64_t)0x000412a4b4f6592aU;
+ gx[2U] = (uint64_t)0x00075b7171a4b31dU;
+ gx[3U] = (uint64_t)0x0001ff60527118feU;
+ gx[4U] = (uint64_t)0x000216936d3cd6e5U;
+ gy[0U] = (uint64_t)0x0006666666666658U;
+ gy[1U] = (uint64_t)0x0004ccccccccccccU;
+ gy[2U] = (uint64_t)0x0001999999999999U;
+ gy[3U] = (uint64_t)0x0003333333333333U;
+ gy[4U] = (uint64_t)0x0006666666666666U;
+ gz[0U] = (uint64_t)1U;
+ gz[1U] = (uint64_t)0U;
+ gz[2U] = (uint64_t)0U;
+ gz[3U] = (uint64_t)0U;
+ gz[4U] = (uint64_t)0U;
+ gt[0U] = (uint64_t)0x00068ab3a5b7dda3U;
+ gt[1U] = (uint64_t)0x00000eea2a5eadbbU;
+ gt[2U] = (uint64_t)0x0002af8df483c27eU;
+ gt[3U] = (uint64_t)0x000332b375274732U;
+ gt[4U] = (uint64_t)0x00067875f0fd78b7U;
+ uint64_t
+ q2[20U] = {
+ (uint64_t)13559344787725U, (uint64_t)2051621493703448U, (uint64_t)1947659315640708U,
+ (uint64_t)626856790370168U, (uint64_t)1592804284034836U, (uint64_t)1781728767459187U,
+ (uint64_t)278818420518009U, (uint64_t)2038030359908351U, (uint64_t)910625973862690U,
+ (uint64_t)471887343142239U, (uint64_t)1298543306606048U, (uint64_t)794147365642417U,
+ (uint64_t)129968992326749U, (uint64_t)523140861678572U, (uint64_t)1166419653909231U,
+ (uint64_t)2009637196928390U, (uint64_t)1288020222395193U, (uint64_t)1007046974985829U,
+ (uint64_t)208981102651386U, (uint64_t)2074009315253380U
+ };
+ uint64_t
+ q3[20U] = {
+ (uint64_t)557549315715710U, (uint64_t)196756086293855U, (uint64_t)846062225082495U,
+ (uint64_t)1865068224838092U, (uint64_t)991112090754908U, (uint64_t)522916421512828U,
+ (uint64_t)2098523346722375U, (uint64_t)1135633221747012U, (uint64_t)858420432114866U,
+ (uint64_t)186358544306082U, (uint64_t)1044420411868480U, (uint64_t)2080052304349321U,
+ (uint64_t)557301814716724U, (uint64_t)1305130257814057U, (uint64_t)2126012765451197U,
+ (uint64_t)1441004402875101U, (uint64_t)353948968859203U, (uint64_t)470765987164835U,
+ (uint64_t)1507675957683570U, (uint64_t)1086650358745097U
+ };
+ uint64_t
+ q4[20U] = {
+ (uint64_t)1129953239743101U, (uint64_t)1240339163956160U, (uint64_t)61002583352401U,
+ (uint64_t)2017604552196030U, (uint64_t)1576867829229863U, (uint64_t)1508654942849389U,
+ (uint64_t)270111619664077U, (uint64_t)1253097517254054U, (uint64_t)721798270973250U,
+ (uint64_t)161923365415298U, (uint64_t)828530877526011U, (uint64_t)1494851059386763U,
+ (uint64_t)662034171193976U, (uint64_t)1315349646974670U, (uint64_t)2199229517308806U,
+ (uint64_t)497078277852673U, (uint64_t)1310507715989956U, (uint64_t)1881315714002105U,
+ (uint64_t)2214039404983803U, (uint64_t)1331036420272667U
+ };
+ uint64_t *r1 = bscalar;
+ uint64_t *r2 = bscalar + (uint32_t)1U;
+ uint64_t *r3 = bscalar + (uint32_t)2U;
+ uint64_t *r4 = bscalar + (uint32_t)3U;
+ Hacl_Impl_Ed25519_PointConstants_make_point_inf(out);
+ uint64_t tmp[20U] = { 0U };
+ KRML_MAYBE_FOR16(i,
+ (uint32_t)0U,
+ (uint32_t)16U,
+ (uint32_t)1U,
+ KRML_MAYBE_FOR4(i0,
+ (uint32_t)0U,
+ (uint32_t)4U,
+ (uint32_t)1U,
+ Hacl_Impl_Ed25519_PointDouble_point_double(out, out););
+ uint32_t k = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U;
+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r4, k, (uint32_t)4U);
+ precomp_get_consttime(Hacl_Ed25519_PrecompTable_precomp_g_pow2_192_table_w4, bits_l, tmp);
+ Hacl_Impl_Ed25519_PointAdd_point_add(out, out, tmp);
+ uint32_t k0 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U;
+ uint64_t bits_l0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r3, k0, (uint32_t)4U);
+ precomp_get_consttime(Hacl_Ed25519_PrecompTable_precomp_g_pow2_128_table_w4, bits_l0, tmp);
+ Hacl_Impl_Ed25519_PointAdd_point_add(out, out, tmp);
+ uint32_t k1 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U;
+ uint64_t bits_l1 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r2, k1, (uint32_t)4U);
+ precomp_get_consttime(Hacl_Ed25519_PrecompTable_precomp_g_pow2_64_table_w4, bits_l1, tmp);
+ Hacl_Impl_Ed25519_PointAdd_point_add(out, out, tmp);
+ uint32_t k2 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U;
+ uint64_t bits_l2 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r1, k2, (uint32_t)4U);
+ precomp_get_consttime(Hacl_Ed25519_PrecompTable_precomp_basepoint_table_w4, bits_l2, tmp);
+ Hacl_Impl_Ed25519_PointAdd_point_add(out, out, tmp););
+ KRML_HOST_IGNORE(q2);
+ KRML_HOST_IGNORE(q3);
+ KRML_HOST_IGNORE(q4);
+}
+
+static inline void
+point_mul_g_double_vartime(uint64_t *out, uint8_t *scalar1, uint8_t *scalar2, uint64_t *q2)
+{
+ uint64_t tmp[28U] = { 0U };
+ uint64_t *g = tmp;
+ uint64_t *bscalar1 = tmp + (uint32_t)20U;
+ uint64_t *bscalar2 = tmp + (uint32_t)24U;
+ uint64_t *gx = g;
+ uint64_t *gy = g + (uint32_t)5U;
+ uint64_t *gz = g + (uint32_t)10U;
+ uint64_t *gt = g + (uint32_t)15U;
+ gx[0U] = (uint64_t)0x00062d608f25d51aU;
+ gx[1U] = (uint64_t)0x000412a4b4f6592aU;
+ gx[2U] = (uint64_t)0x00075b7171a4b31dU;
+ gx[3U] = (uint64_t)0x0001ff60527118feU;
+ gx[4U] = (uint64_t)0x000216936d3cd6e5U;
+ gy[0U] = (uint64_t)0x0006666666666658U;
+ gy[1U] = (uint64_t)0x0004ccccccccccccU;
+ gy[2U] = (uint64_t)0x0001999999999999U;
+ gy[3U] = (uint64_t)0x0003333333333333U;
+ gy[4U] = (uint64_t)0x0006666666666666U;
+ gz[0U] = (uint64_t)1U;
+ gz[1U] = (uint64_t)0U;
+ gz[2U] = (uint64_t)0U;
+ gz[3U] = (uint64_t)0U;
+ gz[4U] = (uint64_t)0U;
+ gt[0U] = (uint64_t)0x00068ab3a5b7dda3U;
+ gt[1U] = (uint64_t)0x00000eea2a5eadbbU;
+ gt[2U] = (uint64_t)0x0002af8df483c27eU;
+ gt[3U] = (uint64_t)0x000332b375274732U;
+ gt[4U] = (uint64_t)0x00067875f0fd78b7U;
+ KRML_MAYBE_FOR4(i,
+ (uint32_t)0U,
+ (uint32_t)4U,
+ (uint32_t)1U,
+ uint64_t *os = bscalar1;
+ uint8_t *bj = scalar1 + i * (uint32_t)8U;
+ uint64_t u = load64_le(bj);
+ uint64_t r = u;
+ uint64_t x = r;
+ os[i] = x;);
+ KRML_MAYBE_FOR4(i,
+ (uint32_t)0U,
+ (uint32_t)4U,
+ (uint32_t)1U,
+ uint64_t *os = bscalar2;
+ uint8_t *bj = scalar2 + i * (uint32_t)8U;
+ uint64_t u = load64_le(bj);
+ uint64_t r = u;
+ uint64_t x = r;
+ os[i] = x;);
+ uint64_t table2[640U] = { 0U };
+ uint64_t tmp1[20U] = { 0U };
+ uint64_t *t0 = table2;
+ uint64_t *t1 = table2 + (uint32_t)20U;
+ Hacl_Impl_Ed25519_PointConstants_make_point_inf(t0);
+ memcpy(t1, q2, (uint32_t)20U * sizeof(uint64_t));
+ KRML_MAYBE_FOR15(i,
+ (uint32_t)0U,
+ (uint32_t)15U,
+ (uint32_t)1U,
+ uint64_t *t11 = table2 + (i + (uint32_t)1U) * (uint32_t)20U;
+ Hacl_Impl_Ed25519_PointDouble_point_double(tmp1, t11);
+ memcpy(table2 + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)20U,
+ tmp1,
+ (uint32_t)20U * sizeof(uint64_t));
+ uint64_t *t2 = table2 + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)20U;
+ Hacl_Impl_Ed25519_PointAdd_point_add(tmp1, q2, t2);
+ memcpy(table2 + ((uint32_t)2U * i + (uint32_t)3U) * (uint32_t)20U,
+ tmp1,
+ (uint32_t)20U * sizeof(uint64_t)););
+ uint64_t tmp10[20U] = { 0U };
+ uint32_t i0 = (uint32_t)255U;
+ uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, bscalar1, i0, (uint32_t)5U);
+ uint32_t bits_l32 = (uint32_t)bits_c;
+ const uint64_t
+ *a_bits_l = Hacl_Ed25519_PrecompTable_precomp_basepoint_table_w5 + bits_l32 * (uint32_t)20U;
+ memcpy(out, (uint64_t *)a_bits_l, (uint32_t)20U * sizeof(uint64_t));
+ uint32_t i1 = (uint32_t)255U;
+ uint64_t bits_c0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, bscalar2, i1, (uint32_t)5U);
+ uint32_t bits_l320 = (uint32_t)bits_c0;
+ const uint64_t *a_bits_l0 = table2 + bits_l320 * (uint32_t)20U;
+ memcpy(tmp10, (uint64_t *)a_bits_l0, (uint32_t)20U * sizeof(uint64_t));
+ Hacl_Impl_Ed25519_PointAdd_point_add(out, out, tmp10);
+ uint64_t tmp11[20U] = { 0U };
+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)51U; i++) {
+ KRML_MAYBE_FOR5(i2,
+ (uint32_t)0U,
+ (uint32_t)5U,
+ (uint32_t)1U,
+ Hacl_Impl_Ed25519_PointDouble_point_double(out, out););
+ uint32_t k = (uint32_t)255U - (uint32_t)5U * i - (uint32_t)5U;
+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, bscalar2, k, (uint32_t)5U);
+ uint32_t bits_l321 = (uint32_t)bits_l;
+ const uint64_t *a_bits_l1 = table2 + bits_l321 * (uint32_t)20U;
+ memcpy(tmp11, (uint64_t *)a_bits_l1, (uint32_t)20U * sizeof(uint64_t));
+ Hacl_Impl_Ed25519_PointAdd_point_add(out, out, tmp11);
+ uint32_t k0 = (uint32_t)255U - (uint32_t)5U * i - (uint32_t)5U;
+ uint64_t bits_l0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, bscalar1, k0, (uint32_t)5U);
+ uint32_t bits_l322 = (uint32_t)bits_l0;
+ const uint64_t
+ *a_bits_l2 = Hacl_Ed25519_PrecompTable_precomp_basepoint_table_w5 + bits_l322 * (uint32_t)20U;
+ memcpy(tmp11, (uint64_t *)a_bits_l2, (uint32_t)20U * sizeof(uint64_t));
+ Hacl_Impl_Ed25519_PointAdd_point_add(out, out, tmp11);
+ }
+}
+
+static inline void
+point_negate_mul_double_g_vartime(
+ uint64_t *out,
+ uint8_t *scalar1,
+ uint8_t *scalar2,
+ uint64_t *q2)
+{
+ uint64_t q2_neg[20U] = { 0U };
+ Hacl_Impl_Ed25519_PointNegate_point_negate(q2, q2_neg);
+ point_mul_g_double_vartime(out, scalar1, scalar2, q2_neg);
+}
+
+static inline void
+store_56(uint8_t *out, uint64_t *b)
+{
+ uint64_t b0 = b[0U];
+ uint64_t b1 = b[1U];
+ uint64_t b2 = b[2U];
+ uint64_t b3 = b[3U];
+ uint64_t b4 = b[4U];
+ uint32_t b4_ = (uint32_t)b4;
+ uint8_t *b8 = out;
+ store64_le(b8, b0);
+ uint8_t *b80 = out + (uint32_t)7U;
+ store64_le(b80, b1);
+ uint8_t *b81 = out + (uint32_t)14U;
+ store64_le(b81, b2);
+ uint8_t *b82 = out + (uint32_t)21U;
+ store64_le(b82, b3);
+ store32_le(out + (uint32_t)28U, b4_);
+}
+
+static inline void
+load_64_bytes(uint64_t *out, uint8_t *b)
+{
+ uint8_t *b80 = b;
+ uint64_t u = load64_le(b80);
+ uint64_t z = u;
+ uint64_t b0 = z & (uint64_t)0xffffffffffffffU;
+ uint8_t *b81 = b + (uint32_t)7U;
+ uint64_t u0 = load64_le(b81);
+ uint64_t z0 = u0;
+ uint64_t b1 = z0 & (uint64_t)0xffffffffffffffU;
+ uint8_t *b82 = b + (uint32_t)14U;
+ uint64_t u1 = load64_le(b82);
+ uint64_t z1 = u1;
+ uint64_t b2 = z1 & (uint64_t)0xffffffffffffffU;
+ uint8_t *b83 = b + (uint32_t)21U;
+ uint64_t u2 = load64_le(b83);
+ uint64_t z2 = u2;
+ uint64_t b3 = z2 & (uint64_t)0xffffffffffffffU;
+ uint8_t *b84 = b + (uint32_t)28U;
+ uint64_t u3 = load64_le(b84);
+ uint64_t z3 = u3;
+ uint64_t b4 = z3 & (uint64_t)0xffffffffffffffU;
+ uint8_t *b85 = b + (uint32_t)35U;
+ uint64_t u4 = load64_le(b85);
+ uint64_t z4 = u4;
+ uint64_t b5 = z4 & (uint64_t)0xffffffffffffffU;
+ uint8_t *b86 = b + (uint32_t)42U;
+ uint64_t u5 = load64_le(b86);
+ uint64_t z5 = u5;
+ uint64_t b6 = z5 & (uint64_t)0xffffffffffffffU;
+ uint8_t *b87 = b + (uint32_t)49U;
+ uint64_t u6 = load64_le(b87);
+ uint64_t z6 = u6;
+ uint64_t b7 = z6 & (uint64_t)0xffffffffffffffU;
+ uint8_t *b8 = b + (uint32_t)56U;
+ uint64_t u7 = load64_le(b8);
+ uint64_t z7 = u7;
+ uint64_t b88 = z7 & (uint64_t)0xffffffffffffffU;
+ uint8_t b63 = b[63U];
+ uint64_t b9 = (uint64_t)b63;
+ out[0U] = b0;
+ out[1U] = b1;
+ out[2U] = b2;
+ out[3U] = b3;
+ out[4U] = b4;
+ out[5U] = b5;
+ out[6U] = b6;
+ out[7U] = b7;
+ out[8U] = b88;
+ out[9U] = b9;
+}
+
+static inline void
+load_32_bytes(uint64_t *out, uint8_t *b)
+{
+ uint8_t *b80 = b;
+ uint64_t u0 = load64_le(b80);
+ uint64_t z = u0;
+ uint64_t b0 = z & (uint64_t)0xffffffffffffffU;
+ uint8_t *b81 = b + (uint32_t)7U;
+ uint64_t u1 = load64_le(b81);
+ uint64_t z0 = u1;
+ uint64_t b1 = z0 & (uint64_t)0xffffffffffffffU;
+ uint8_t *b82 = b + (uint32_t)14U;
+ uint64_t u2 = load64_le(b82);
+ uint64_t z1 = u2;
+ uint64_t b2 = z1 & (uint64_t)0xffffffffffffffU;
+ uint8_t *b8 = b + (uint32_t)21U;
+ uint64_t u3 = load64_le(b8);
+ uint64_t z2 = u3;
+ uint64_t b3 = z2 & (uint64_t)0xffffffffffffffU;
+ uint32_t u = load32_le(b + (uint32_t)28U);
+ uint32_t b4 = u;
+ uint64_t b41 = (uint64_t)b4;
+ out[0U] = b0;
+ out[1U] = b1;
+ out[2U] = b2;
+ out[3U] = b3;
+ out[4U] = b41;
+}
+
+static inline void
+sha512_modq_pre(uint64_t *out, uint8_t *prefix, uint32_t len, uint8_t *input)
+{
+ uint64_t tmp[10U] = { 0U };
+ uint8_t hash[64U] = { 0U };
+ sha512_pre_msg(hash, prefix, len, input);
+ load_64_bytes(tmp, hash);
+ barrett_reduction(out, tmp);
+}
+
+static inline void
+sha512_modq_pre_pre2(
+ uint64_t *out,
+ uint8_t *prefix,
+ uint8_t *prefix2,
+ uint32_t len,
+ uint8_t *input)
+{
+ uint64_t tmp[10U] = { 0U };
+ uint8_t hash[64U] = { 0U };
+ sha512_pre_pre2_msg(hash, prefix, prefix2, len, input);
+ load_64_bytes(tmp, hash);
+ barrett_reduction(out, tmp);
+}
+
+static inline void
+point_mul_g_compress(uint8_t *out, uint8_t *s)
+{
+ uint64_t tmp[20U] = { 0U };
+ point_mul_g(tmp, s);
+ Hacl_Impl_Ed25519_PointCompress_point_compress(out, tmp);
+}
+
+static inline void
+secret_expand(uint8_t *expanded, uint8_t *secret)
+{
+ Hacl_Streaming_SHA2_hash_512(secret, (uint32_t)32U, expanded);
+ uint8_t *h_low = expanded;
+ uint8_t h_low0 = h_low[0U];
+ uint8_t h_low31 = h_low[31U];
+ h_low[0U] = h_low0 & (uint8_t)0xf8U;
+ h_low[31U] = (h_low31 & (uint8_t)127U) | (uint8_t)64U;
+}
+
+/********************************************************************************
+ Verified C library for EdDSA signing and verification on the edwards25519 curve.
+********************************************************************************/
+
+/**
+Compute the public key from the private key.
+
+ The outparam `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+*/
+void
+Hacl_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key)
+{
+ uint8_t expanded_secret[64U] = { 0U };
+ secret_expand(expanded_secret, private_key);
+ uint8_t *a = expanded_secret;
+ point_mul_g_compress(public_key, a);
+}
+
+/**
+Compute the expanded keys for an Ed25519 signature.
+
+ The outparam `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96].
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+
+ If one needs to sign several messages under the same private key, it is more efficient
+ to call `expand_keys` only once and `sign_expanded` multiple times, for each message.
+*/
+void
+Hacl_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *private_key)
+{
+ uint8_t *public_key = expanded_keys;
+ uint8_t *s_prefix = expanded_keys + (uint32_t)32U;
+ uint8_t *s = expanded_keys + (uint32_t)32U;
+ secret_expand(s_prefix, private_key);
+ point_mul_g_compress(public_key, s);
+}
+
+/**
+Create an Ed25519 signature with the (precomputed) expanded keys.
+
+ The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64].
+ The argument `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96].
+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len].
+
+ The argument `expanded_keys` is obtained through `expand_keys`.
+
+ If one needs to sign several messages under the same private key, it is more efficient
+ to call `expand_keys` only once and `sign_expanded` multiple times, for each message.
+*/
+void
+Hacl_Ed25519_sign_expanded(
+ uint8_t *signature,
+ uint8_t *expanded_keys,
+ uint32_t msg_len,
+ uint8_t *msg)
+{
+ uint8_t *rs = signature;
+ uint8_t *ss = signature + (uint32_t)32U;
+ uint64_t rq[5U] = { 0U };
+ uint64_t hq[5U] = { 0U };
+ uint8_t rb[32U] = { 0U };
+ uint8_t *public_key = expanded_keys;
+ uint8_t *s = expanded_keys + (uint32_t)32U;
+ uint8_t *prefix = expanded_keys + (uint32_t)64U;
+ sha512_modq_pre(rq, prefix, msg_len, msg);
+ store_56(rb, rq);
+ point_mul_g_compress(rs, rb);
+ sha512_modq_pre_pre2(hq, rs, public_key, msg_len, msg);
+ uint64_t aq[5U] = { 0U };
+ load_32_bytes(aq, s);
+ mul_modq(aq, hq, aq);
+ add_modq(aq, rq, aq);
+ store_56(ss, aq);
+}
+
+/**
+Create an Ed25519 signature.
+
+ The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64].
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len].
+
+ The function first calls `expand_keys` and then invokes `sign_expanded`.
+
+ If one needs to sign several messages under the same private key, it is more efficient
+ to call `expand_keys` only once and `sign_expanded` multiple times, for each message.
+*/
+void
+Hacl_Ed25519_sign(uint8_t *signature, uint8_t *private_key, uint32_t msg_len, uint8_t *msg)
+{
+ uint8_t expanded_keys[96U] = { 0U };
+ Hacl_Ed25519_expand_keys(expanded_keys, private_key);
+ Hacl_Ed25519_sign_expanded(signature, expanded_keys, msg_len, msg);
+}
+
+/**
+Verify an Ed25519 signature.
+
+ The function returns `true` if the signature is valid and `false` otherwise.
+
+ The argument `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len].
+ The argument `signature` points to 64 bytes of valid memory, i.e., uint8_t[64].
+*/
+bool
+Hacl_Ed25519_verify(uint8_t *public_key, uint32_t msg_len, uint8_t *msg, uint8_t *signature)
+{
+ uint64_t a_[20U] = { 0U };
+ bool b = Hacl_Impl_Ed25519_PointDecompress_point_decompress(a_, public_key);
+ if (b) {
+ uint64_t r_[20U] = { 0U };
+ uint8_t *rs = signature;
+ bool b_ = Hacl_Impl_Ed25519_PointDecompress_point_decompress(r_, rs);
+ if (b_) {
+ uint8_t hb[32U] = { 0U };
+ uint8_t *rs1 = signature;
+ uint8_t *sb = signature + (uint32_t)32U;
+ uint64_t tmp[5U] = { 0U };
+ load_32_bytes(tmp, sb);
+ bool b1 = gte_q(tmp);
+ bool b10 = b1;
+ if (b10) {
+ return false;
+ }
+ uint64_t tmp0[5U] = { 0U };
+ sha512_modq_pre_pre2(tmp0, rs1, public_key, msg_len, msg);
+ store_56(hb, tmp0);
+ uint64_t exp_d[20U] = { 0U };
+ point_negate_mul_double_g_vartime(exp_d, sb, hb, a_);
+ bool b2 = Hacl_Impl_Ed25519_PointEqual_point_equal(exp_d, r_);
+ return b2;
+ }
+ return false;
+ }
+ return false;
+}
diff --git a/security/nss/lib/freebl/verified/Hacl_Ed25519.h b/security/nss/lib/freebl/verified/Hacl_Ed25519.h
new file mode 100644
index 0000000000..7d6f87dff2
--- /dev/null
+++ b/security/nss/lib/freebl/verified/Hacl_Ed25519.h
@@ -0,0 +1,114 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef __Hacl_Ed25519_H
+#define __Hacl_Ed25519_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include <string.h>
+#include "krml/internal/types.h"
+#include "krml/lowstar_endianness.h"
+#include "krml/internal/target.h"
+
+#include "Hacl_Streaming_Types.h"
+#include "Hacl_Krmllib.h"
+
+/********************************************************************************
+ Verified C library for EdDSA signing and verification on the edwards25519 curve.
+********************************************************************************/
+
+/**
+Compute the public key from the private key.
+
+ The outparam `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+*/
+void Hacl_Ed25519_secret_to_public(uint8_t *public_key, uint8_t *private_key);
+
+/**
+Compute the expanded keys for an Ed25519 signature.
+
+ The outparam `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96].
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+
+ If one needs to sign several messages under the same private key, it is more efficient
+ to call `expand_keys` only once and `sign_expanded` multiple times, for each message.
+*/
+void Hacl_Ed25519_expand_keys(uint8_t *expanded_keys, uint8_t *private_key);
+
+/**
+Create an Ed25519 signature with the (precomputed) expanded keys.
+
+ The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64].
+ The argument `expanded_keys` points to 96 bytes of valid memory, i.e., uint8_t[96].
+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len].
+
+ The argument `expanded_keys` is obtained through `expand_keys`.
+
+ If one needs to sign several messages under the same private key, it is more efficient
+ to call `expand_keys` only once and `sign_expanded` multiple times, for each message.
+*/
+void
+Hacl_Ed25519_sign_expanded(
+ uint8_t *signature,
+ uint8_t *expanded_keys,
+ uint32_t msg_len,
+ uint8_t *msg);
+
+/**
+Create an Ed25519 signature.
+
+ The outparam `signature` points to 64 bytes of valid memory, i.e., uint8_t[64].
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len].
+
+ The function first calls `expand_keys` and then invokes `sign_expanded`.
+
+ If one needs to sign several messages under the same private key, it is more efficient
+ to call `expand_keys` only once and `sign_expanded` multiple times, for each message.
+*/
+void
+Hacl_Ed25519_sign(uint8_t *signature, uint8_t *private_key, uint32_t msg_len, uint8_t *msg);
+
+/**
+Verify an Ed25519 signature.
+
+ The function returns `true` if the signature is valid and `false` otherwise.
+
+ The argument `public_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len].
+ The argument `signature` points to 64 bytes of valid memory, i.e., uint8_t[64].
+*/
+bool
+Hacl_Ed25519_verify(uint8_t *public_key, uint32_t msg_len, uint8_t *msg, uint8_t *signature);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_Ed25519_H_DEFINED
+#endif
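Review bot: The comment on `Hacl_Ed25519_expand_keys` says only that `expanded_keys` is 96 bytes, but the implementation lays the buffer out as the public key at offset 0, the clamped scalar `s` at offset 32 and the hash prefix at offset 64, and `Hacl_Ed25519_sign_expanded` reads `s` and `prefix` back from exactly those offsets. The last 64 bytes are derived from hashing `private_key` and are the material that signing actually uses, so a caller that caches expanded keys to amortise signing needs to know that the whole buffer, not just `private_key`, must be protected and wiped. I would extend the docstring here and on `sign_expanded` with: `The buffer holds public_key (32 bytes) || s (32 bytes) || prefix (32 bytes); the last 64 bytes are secret and must be stored and erased with the same care as private_key.` Relatedly, `Hacl_Ed25519_sign` in Hacl_Ed25519.c leaves its stack copy `expanded_keys[96]` unwiped on return; presumably the freebl wrapper is expected to handle that, but it is worth confirming.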
diff --git a/security/nss/lib/freebl/verified/Hacl_Hash_SHA3.c b/security/nss/lib/freebl/verified/Hacl_Hash_SHA3.c
index 3cd1091267..8fb5a86dbb 100644
--- a/security/nss/lib/freebl/verified/Hacl_Hash_SHA3.c
+++ b/security/nss/lib/freebl/verified/Hacl_Hash_SHA3.c
@@ -105,10 +105,9 @@ Hacl_Hash_SHA3_update_last_sha3(
uint32_t len = block_len(a);
if (input_len == len) {
Hacl_Impl_SHA3_absorb_inner(len, input, s);
- uint8_t *uu____0 = input + input_len;
uint8_t lastBlock_[200U] = { 0U };
uint8_t *lastBlock = lastBlock_;
- memcpy(lastBlock, uu____0, (uint32_t)0U * sizeof(uint8_t));
+ memcpy(lastBlock, input + input_len, (uint32_t)0U * sizeof(uint8_t));
lastBlock[0U] = suffix;
Hacl_Impl_SHA3_loadState(len, lastBlock, s);
if (!((suffix & (uint8_t)0x80U) == (uint8_t)0U) && (uint32_t)0U == len - (uint32_t)1U) {
@@ -144,8 +143,7 @@ typedef struct hash_buf2_s {
Spec_Hash_Definitions_hash_alg
Hacl_Streaming_Keccak_get_alg(Hacl_Streaming_Keccak_state *s)
{
- Hacl_Streaming_Keccak_state scrut = *s;
- Hacl_Streaming_Keccak_hash_buf block_state = scrut.block_state;
+ Hacl_Streaming_Keccak_hash_buf block_state = (*s).block_state;
return block_state.fst;
}
@@ -706,6 +704,7 @@ Hacl_Impl_SHA3_keccak(
uint32_t outputByteLen,
uint8_t *output)
{
+ KRML_HOST_IGNORE(capacity);
uint32_t rateInBytes = rate / (uint32_t)8U;
uint64_t s[25U] = { 0U };
absorb(s, rateInBytes, inputByteLen, input, delimitedSuffix);
diff --git a/security/nss/lib/freebl/verified/internal/Hacl_Bignum25519_51.h b/security/nss/lib/freebl/verified/internal/Hacl_Bignum25519_51.h
index c3e86ca512..162dd66edf 100644
--- a/security/nss/lib/freebl/verified/internal/Hacl_Bignum25519_51.h
+++ b/security/nss/lib/freebl/verified/internal/Hacl_Bignum25519_51.h
@@ -84,6 +84,7 @@ Hacl_Impl_Curve25519_Field51_fmul(
uint64_t *f2,
FStar_UInt128_uint128 *uu___)
{
+ KRML_HOST_IGNORE(uu___);
uint64_t f10 = f1[0U];
uint64_t f11 = f1[1U];
uint64_t f12 = f1[2U];
@@ -166,6 +167,7 @@ Hacl_Impl_Curve25519_Field51_fmul2(
uint64_t *f2,
FStar_UInt128_uint128 *uu___)
{
+ KRML_HOST_IGNORE(uu___);
uint64_t f10 = f1[0U];
uint64_t f11 = f1[1U];
uint64_t f12 = f1[2U];
@@ -371,6 +373,7 @@ Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uint64_t *f1, uint64_t f2)
static inline void
Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___)
{
+ KRML_HOST_IGNORE(uu___);
uint64_t f0 = f[0U];
uint64_t f1 = f[1U];
uint64_t f2 = f[2U];
@@ -446,6 +449,7 @@ Hacl_Impl_Curve25519_Field51_fsqr(uint64_t *out, uint64_t *f, FStar_UInt128_uint
static inline void
Hacl_Impl_Curve25519_Field51_fsqr2(uint64_t *out, uint64_t *f, FStar_UInt128_uint128 *uu___)
{
+ KRML_HOST_IGNORE(uu___);
uint64_t f10 = f[0U];
uint64_t f11 = f[1U];
uint64_t f12 = f[2U];
diff --git a/security/nss/lib/freebl/verified/internal/Hacl_Ed25519.h b/security/nss/lib/freebl/verified/internal/Hacl_Ed25519.h
new file mode 100644
index 0000000000..ad36672b92
--- /dev/null
+++ b/security/nss/lib/freebl/verified/internal/Hacl_Ed25519.h
@@ -0,0 +1,73 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef __internal_Hacl_Ed25519_H
+#define __internal_Hacl_Ed25519_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include <string.h>
+#include "krml/internal/types.h"
+#include "krml/lowstar_endianness.h"
+#include "krml/internal/target.h"
+
+#include "internal/Hacl_Krmllib.h"
+#include "internal/Hacl_Ed25519_PrecompTable.h"
+#include "internal/Hacl_Curve25519_51.h"
+#include "internal/Hacl_Bignum_Base.h"
+#include "internal/Hacl_Bignum25519_51.h"
+#include "../Hacl_Ed25519.h"
+
+void Hacl_Bignum25519_reduce_513(uint64_t *a);
+
+void Hacl_Bignum25519_inverse(uint64_t *out, uint64_t *a);
+
+void Hacl_Bignum25519_load_51(uint64_t *output, uint8_t *input);
+
+void Hacl_Bignum25519_store_51(uint8_t *output, uint64_t *input);
+
+void Hacl_Impl_Ed25519_PointDouble_point_double(uint64_t *out, uint64_t *p);
+
+void Hacl_Impl_Ed25519_PointAdd_point_add(uint64_t *out, uint64_t *p, uint64_t *q);
+
+void Hacl_Impl_Ed25519_PointConstants_make_point_inf(uint64_t *b);
+
+bool Hacl_Impl_Ed25519_PointDecompress_point_decompress(uint64_t *out, uint8_t *s);
+
+void Hacl_Impl_Ed25519_PointCompress_point_compress(uint8_t *z, uint64_t *p);
+
+bool Hacl_Impl_Ed25519_PointEqual_point_equal(uint64_t *p, uint64_t *q);
+
+void Hacl_Impl_Ed25519_PointNegate_point_negate(uint64_t *p, uint64_t *out);
+
+void Hacl_Impl_Ed25519_Ladder_point_mul(uint64_t *out, uint8_t *scalar, uint64_t *q);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Ed25519_H_DEFINED
+#endif
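Review bot: `Hacl_Impl_Ed25519_PointNegate_point_negate(uint64_t *p, uint64_t *out)` takes its input first and its output second, whereas every other prototype in this header puts the output first (`point_double`, `point_add`, `point_compress`, `point_decompress`, `Hacl_Bignum25519_inverse`, `Hacl_Impl_Ed25519_Ladder_point_mul`). The caller in Hacl_Ed25519.c passes `(q2, q2_neg)`, so the code agrees with the prototype, but a reader scanning this header is likely to assume the usual order. Since the signature is generated and should not be hand-edited, a comment above the declaration would prevent that: `/* NOTE: input point first, negated result second -- the reverse of the other point_* helpers. */`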
diff --git a/security/nss/lib/freebl/verified/internal/Hacl_Ed25519_PrecompTable.h b/security/nss/lib/freebl/verified/internal/Hacl_Ed25519_PrecompTable.h
new file mode 100644
index 0000000000..fe852f31a9
--- /dev/null
+++ b/security/nss/lib/freebl/verified/internal/Hacl_Ed25519_PrecompTable.h
@@ -0,0 +1,687 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef __internal_Hacl_Ed25519_PrecompTable_H
+#define __internal_Hacl_Ed25519_PrecompTable_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include <string.h>
+#include "krml/internal/types.h"
+#include "krml/lowstar_endianness.h"
+#include "krml/internal/target.h"
+
+static const uint64_t
+ Hacl_Ed25519_PrecompTable_precomp_basepoint_table_w4[320U] = {
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)1738742601995546U, (uint64_t)1146398526822698U,
+ (uint64_t)2070867633025821U, (uint64_t)562264141797630U, (uint64_t)587772402128613U,
+ (uint64_t)1801439850948184U, (uint64_t)1351079888211148U, (uint64_t)450359962737049U,
+ (uint64_t)900719925474099U, (uint64_t)1801439850948198U, (uint64_t)1U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1841354044333475U,
+ (uint64_t)16398895984059U, (uint64_t)755974180946558U, (uint64_t)900171276175154U,
+ (uint64_t)1821297809914039U, (uint64_t)1661154287933054U, (uint64_t)284530020860578U,
+ (uint64_t)1390261174866914U, (uint64_t)1524110943907984U, (uint64_t)1045603498418422U,
+ (uint64_t)928651508580478U, (uint64_t)1383326941296346U, (uint64_t)961937908925785U,
+ (uint64_t)80455759693706U, (uint64_t)904734540352947U, (uint64_t)1507481815385608U,
+ (uint64_t)2223447444246085U, (uint64_t)1083941587175919U, (uint64_t)2059929906842505U,
+ (uint64_t)1581435440146976U, (uint64_t)782730187692425U, (uint64_t)9928394897574U,
+ (uint64_t)1539449519985236U, (uint64_t)1923587931078510U, (uint64_t)552919286076056U,
+ (uint64_t)376925408065760U, (uint64_t)447320488831784U, (uint64_t)1362918338468019U,
+ (uint64_t)1470031896696846U, (uint64_t)2189796996539902U, (uint64_t)1337552949959847U,
+ (uint64_t)1762287177775726U, (uint64_t)237994495816815U, (uint64_t)1277840395970544U,
+ (uint64_t)543972849007241U, (uint64_t)1224692671618814U, (uint64_t)162359533289271U,
+ (uint64_t)282240927125249U, (uint64_t)586909166382289U, (uint64_t)17726488197838U,
+ (uint64_t)377014554985659U, (uint64_t)1433835303052512U, (uint64_t)702061469493692U,
+ (uint64_t)1142253108318154U, (uint64_t)318297794307551U, (uint64_t)954362646308543U,
+ (uint64_t)517363881452320U, (uint64_t)1868013482130416U, (uint64_t)262562472373260U,
+ (uint64_t)902232853249919U, (uint64_t)2107343057055746U, (uint64_t)462368348619024U,
+ (uint64_t)1893758677092974U, (uint64_t)2177729767846389U, (uint64_t)2168532543559143U,
+ (uint64_t)443867094639821U, (uint64_t)730169342581022U, (uint64_t)1564589016879755U,
+ (uint64_t)51218195700649U, (uint64_t)76684578423745U, (uint64_t)560266272480743U,
+ (uint64_t)922517457707697U, (uint64_t)2066645939860874U, (uint64_t)1318277348414638U,
+ (uint64_t)1576726809084003U, (uint64_t)1817337608563665U, (uint64_t)1874240939237666U,
+ (uint64_t)754733726333910U, (uint64_t)97085310406474U, (uint64_t)751148364309235U,
+ (uint64_t)1622159695715187U, (uint64_t)1444098819684916U, (uint64_t)130920805558089U,
+ (uint64_t)1260449179085308U, (uint64_t)1860021740768461U, (uint64_t)110052860348509U,
+ (uint64_t)193830891643810U, (uint64_t)164148413933881U, (uint64_t)180017794795332U,
+ (uint64_t)1523506525254651U, (uint64_t)465981629225956U, (uint64_t)559733514964572U,
+ (uint64_t)1279624874416974U, (uint64_t)2026642326892306U, (uint64_t)1425156829982409U,
+ (uint64_t)2160936383793147U, (uint64_t)1061870624975247U, (uint64_t)2023497043036941U,
+ (uint64_t)117942212883190U, (uint64_t)490339622800774U, (uint64_t)1729931303146295U,
+ (uint64_t)422305932971074U, (uint64_t)529103152793096U, (uint64_t)1211973233775992U,
+ (uint64_t)721364955929681U, (uint64_t)1497674430438813U, (uint64_t)342545521275073U,
+ (uint64_t)2102107575279372U, (uint64_t)2108462244669966U, (uint64_t)1382582406064082U,
+ (uint64_t)2206396818383323U, (uint64_t)2109093268641147U, (uint64_t)10809845110983U,
+ (uint64_t)1605176920880099U, (uint64_t)744640650753946U, (uint64_t)1712758897518129U,
+ (uint64_t)373410811281809U, (uint64_t)648838265800209U, (uint64_t)813058095530999U,
+ (uint64_t)513987632620169U, (uint64_t)465516160703329U, (uint64_t)2136322186126330U,
+ (uint64_t)1979645899422932U, (uint64_t)1197131006470786U, (uint64_t)1467836664863979U,
+ (uint64_t)1340751381374628U, (uint64_t)1810066212667962U, (uint64_t)1009933588225499U,
+ (uint64_t)1106129188080873U, (uint64_t)1388980405213901U, (uint64_t)533719246598044U,
+ (uint64_t)1169435803073277U, (uint64_t)198920999285821U, (uint64_t)487492330629854U,
+ (uint64_t)1807093008537778U, (uint64_t)1540899012923865U, (uint64_t)2075080271659867U,
+ (uint64_t)1527990806921523U, (uint64_t)1323728742908002U, (uint64_t)1568595959608205U,
+ (uint64_t)1388032187497212U, (uint64_t)2026968840050568U, (uint64_t)1396591153295755U,
+ (uint64_t)820416950170901U, (uint64_t)520060313205582U, (uint64_t)2016404325094901U,
+ (uint64_t)1584709677868520U, (uint64_t)272161374469956U, (uint64_t)1567188603996816U,
+ (uint64_t)1986160530078221U, (uint64_t)553930264324589U, (uint64_t)1058426729027503U,
+ (uint64_t)8762762886675U, (uint64_t)2216098143382988U, (uint64_t)1835145266889223U,
+ (uint64_t)1712936431558441U, (uint64_t)1017009937844974U, (uint64_t)585361667812740U,
+ (uint64_t)2114711541628181U, (uint64_t)2238729632971439U, (uint64_t)121257546253072U,
+ (uint64_t)847154149018345U, (uint64_t)211972965476684U, (uint64_t)287499084460129U,
+ (uint64_t)2098247259180197U, (uint64_t)839070411583329U, (uint64_t)339551619574372U,
+ (uint64_t)1432951287640743U, (uint64_t)526481249498942U, (uint64_t)931991661905195U,
+ (uint64_t)1884279965674487U, (uint64_t)200486405604411U, (uint64_t)364173020594788U,
+ (uint64_t)518034455936955U, (uint64_t)1085564703965501U, (uint64_t)16030410467927U,
+ (uint64_t)604865933167613U, (uint64_t)1695298441093964U, (uint64_t)498856548116159U,
+ (uint64_t)2193030062787034U, (uint64_t)1706339802964179U, (uint64_t)1721199073493888U,
+ (uint64_t)820740951039755U, (uint64_t)1216053436896834U, (uint64_t)23954895815139U,
+ (uint64_t)1662515208920491U, (uint64_t)1705443427511899U, (uint64_t)1957928899570365U,
+ (uint64_t)1189636258255725U, (uint64_t)1795695471103809U, (uint64_t)1691191297654118U,
+ (uint64_t)282402585374360U, (uint64_t)460405330264832U, (uint64_t)63765529445733U,
+ (uint64_t)469763447404473U, (uint64_t)733607089694996U, (uint64_t)685410420186959U,
+ (uint64_t)1096682630419738U, (uint64_t)1162548510542362U, (uint64_t)1020949526456676U,
+ (uint64_t)1211660396870573U, (uint64_t)613126398222696U, (uint64_t)1117829165843251U,
+ (uint64_t)742432540886650U, (uint64_t)1483755088010658U, (uint64_t)942392007134474U,
+ (uint64_t)1447834130944107U, (uint64_t)489368274863410U, (uint64_t)23192985544898U,
+ (uint64_t)648442406146160U, (uint64_t)785438843373876U, (uint64_t)249464684645238U,
+ (uint64_t)170494608205618U, (uint64_t)335112827260550U, (uint64_t)1462050123162735U,
+ (uint64_t)1084803668439016U, (uint64_t)853459233600325U, (uint64_t)215777728187495U,
+ (uint64_t)1965759433526974U, (uint64_t)1349482894446537U, (uint64_t)694163317612871U,
+ (uint64_t)860536766165036U, (uint64_t)1178788094084321U, (uint64_t)1652739626626996U,
+ (uint64_t)2115723946388185U, (uint64_t)1577204379094664U, (uint64_t)1083882859023240U,
+ (uint64_t)1768759143381635U, (uint64_t)1737180992507258U, (uint64_t)246054513922239U,
+ (uint64_t)577253134087234U, (uint64_t)356340280578042U, (uint64_t)1638917769925142U,
+ (uint64_t)223550348130103U, (uint64_t)470592666638765U, (uint64_t)22663573966996U,
+ (uint64_t)596552461152400U, (uint64_t)364143537069499U, (uint64_t)3942119457699U,
+ (uint64_t)107951982889287U, (uint64_t)1843471406713209U, (uint64_t)1625773041610986U,
+ (uint64_t)1466141092501702U, (uint64_t)1043024095021271U, (uint64_t)310429964047508U,
+ (uint64_t)98559121500372U, (uint64_t)152746933782868U, (uint64_t)259407205078261U,
+ (uint64_t)828123093322585U, (uint64_t)1576847274280091U, (uint64_t)1170871375757302U,
+ (uint64_t)1588856194642775U, (uint64_t)984767822341977U, (uint64_t)1141497997993760U,
+ (uint64_t)809325345150796U, (uint64_t)1879837728202511U, (uint64_t)201340910657893U,
+ (uint64_t)1079157558888483U, (uint64_t)1052373448588065U, (uint64_t)1732036202501778U,
+ (uint64_t)2105292670328445U, (uint64_t)679751387312402U, (uint64_t)1679682144926229U,
+ (uint64_t)1695823455818780U, (uint64_t)498852317075849U, (uint64_t)1786555067788433U,
+ (uint64_t)1670727545779425U, (uint64_t)117945875433544U, (uint64_t)407939139781844U,
+ (uint64_t)854632120023778U, (uint64_t)1413383148360437U, (uint64_t)286030901733673U,
+ (uint64_t)1207361858071196U, (uint64_t)461340408181417U, (uint64_t)1096919590360164U,
+ (uint64_t)1837594897475685U, (uint64_t)533755561544165U, (uint64_t)1638688042247712U,
+ (uint64_t)1431653684793005U, (uint64_t)1036458538873559U, (uint64_t)390822120341779U,
+ (uint64_t)1920929837111618U, (uint64_t)543426740024168U, (uint64_t)645751357799929U,
+ (uint64_t)2245025632994463U, (uint64_t)1550778638076452U, (uint64_t)223738153459949U,
+ (uint64_t)1337209385492033U, (uint64_t)1276967236456531U, (uint64_t)1463815821063071U,
+ (uint64_t)2070620870191473U, (uint64_t)1199170709413753U, (uint64_t)273230877394166U,
+ (uint64_t)1873264887608046U, (uint64_t)890877152910775U
+ };
+
+static const uint64_t
+ Hacl_Ed25519_PrecompTable_precomp_g_pow2_64_table_w4[320U] = {
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)13559344787725U, (uint64_t)2051621493703448U,
+ (uint64_t)1947659315640708U, (uint64_t)626856790370168U, (uint64_t)1592804284034836U,
+ (uint64_t)1781728767459187U, (uint64_t)278818420518009U, (uint64_t)2038030359908351U,
+ (uint64_t)910625973862690U, (uint64_t)471887343142239U, (uint64_t)1298543306606048U,
+ (uint64_t)794147365642417U, (uint64_t)129968992326749U, (uint64_t)523140861678572U,
+ (uint64_t)1166419653909231U, (uint64_t)2009637196928390U, (uint64_t)1288020222395193U,
+ (uint64_t)1007046974985829U, (uint64_t)208981102651386U, (uint64_t)2074009315253380U,
+ (uint64_t)1564056062071967U, (uint64_t)276822668750618U, (uint64_t)206621292512572U,
+ (uint64_t)470304361809269U, (uint64_t)895215438398493U, (uint64_t)1527859053868686U,
+ (uint64_t)1624967223409369U, (uint64_t)811821865979736U, (uint64_t)350450534838340U,
+ (uint64_t)219143807921807U, (uint64_t)507994540371254U, (uint64_t)986513794574720U,
+ (uint64_t)1142661369967121U, (uint64_t)621278293399257U, (uint64_t)556189161519781U,
+ (uint64_t)351964007865066U, (uint64_t)2011573453777822U, (uint64_t)1367125527151537U,
+ (uint64_t)1691316722438196U, (uint64_t)731328817345164U, (uint64_t)1284781192709232U,
+ (uint64_t)478439299539269U, (uint64_t)204842178076429U, (uint64_t)2085125369913651U,
+ (uint64_t)1980773492792985U, (uint64_t)1480264409524940U, (uint64_t)688389585376233U,
+ (uint64_t)612962643526972U, (uint64_t)165595382536676U, (uint64_t)1850300069212263U,
+ (uint64_t)1176357203491551U, (uint64_t)1880164984292321U, (uint64_t)10786153104736U,
+ (uint64_t)1242293560510203U, (uint64_t)1358399951884084U, (uint64_t)1901358796610357U,
+ (uint64_t)1385092558795806U, (uint64_t)1734893785311348U, (uint64_t)2046201851951191U,
+ (uint64_t)1233811309557352U, (uint64_t)1531160168656129U, (uint64_t)1543287181303358U,
+ (uint64_t)516121446374119U, (uint64_t)723422668089935U, (uint64_t)1228176774959679U,
+ (uint64_t)1598014722726267U, (uint64_t)1630810326658412U, (uint64_t)1343833067463760U,
+ (uint64_t)1024397964362099U, (uint64_t)1157142161346781U, (uint64_t)56422174971792U,
+ (uint64_t)544901687297092U, (uint64_t)1291559028869009U, (uint64_t)1336918672345120U,
+ (uint64_t)1390874603281353U, (uint64_t)1127199512010904U, (uint64_t)992644979940964U,
+ (uint64_t)1035213479783573U, (uint64_t)36043651196100U, (uint64_t)1220961519321221U,
+ (uint64_t)1348190007756977U, (uint64_t)579420200329088U, (uint64_t)1703819961008985U,
+ (uint64_t)1993919213460047U, (uint64_t)2225080008232251U, (uint64_t)392785893702372U,
+ (uint64_t)464312521482632U, (uint64_t)1224525362116057U, (uint64_t)810394248933036U,
+ (uint64_t)932513521649107U, (uint64_t)592314953488703U, (uint64_t)586334603791548U,
+ (uint64_t)1310888126096549U, (uint64_t)650842674074281U, (uint64_t)1596447001791059U,
+ (uint64_t)2086767406328284U, (uint64_t)1866377645879940U, (uint64_t)1721604362642743U,
+ (uint64_t)738502322566890U, (uint64_t)1851901097729689U, (uint64_t)1158347571686914U,
+ (uint64_t)2023626733470827U, (uint64_t)329625404653699U, (uint64_t)563555875598551U,
+ (uint64_t)516554588079177U, (uint64_t)1134688306104598U, (uint64_t)186301198420809U,
+ (uint64_t)1339952213563300U, (uint64_t)643605614625891U, (uint64_t)1947505332718043U,
+ (uint64_t)1722071694852824U, (uint64_t)601679570440694U, (uint64_t)1821275721236351U,
+ (uint64_t)1808307842870389U, (uint64_t)1654165204015635U, (uint64_t)1457334100715245U,
+ (uint64_t)217784948678349U, (uint64_t)1820622417674817U, (uint64_t)1946121178444661U,
+ (uint64_t)597980757799332U, (uint64_t)1745271227710764U, (uint64_t)2010952890941980U,
+ (uint64_t)339811849696648U, (uint64_t)1066120666993872U, (uint64_t)261276166508990U,
+ (uint64_t)323098645774553U, (uint64_t)207454744271283U, (uint64_t)941448672977675U,
+ (uint64_t)71890920544375U, (uint64_t)840849789313357U, (uint64_t)1223996070717926U,
+ (uint64_t)196832550853408U, (uint64_t)115986818309231U, (uint64_t)1586171527267675U,
+ (uint64_t)1666169080973450U, (uint64_t)1456454731176365U, (uint64_t)44467854369003U,
+ (uint64_t)2149656190691480U, (uint64_t)283446383597589U, (uint64_t)2040542647729974U,
+ (uint64_t)305705593840224U, (uint64_t)475315822269791U, (uint64_t)648133452550632U,
+ (uint64_t)169218658835720U, (uint64_t)24960052338251U, (uint64_t)938907951346766U,
+ (uint64_t)425970950490510U, (uint64_t)1037622011013183U, (uint64_t)1026882082708180U,
+ (uint64_t)1635699409504916U, (uint64_t)1644776942870488U, (uint64_t)2151820331175914U,
+ (uint64_t)824120674069819U, (uint64_t)835744976610113U, (uint64_t)1991271032313190U,
+ (uint64_t)96507354724855U, (uint64_t)400645405133260U, (uint64_t)343728076650825U,
+ (uint64_t)1151585441385566U, (uint64_t)1403339955333520U, (uint64_t)230186314139774U,
+ (uint64_t)1736248861506714U, (uint64_t)1010804378904572U, (uint64_t)1394932289845636U,
+ (uint64_t)1901351256960852U, (uint64_t)2187471430089807U, (uint64_t)1003853262342670U,
+ (uint64_t)1327743396767461U, (uint64_t)1465160415991740U, (uint64_t)366625359144534U,
+ (uint64_t)1534791405247604U, (uint64_t)1790905930250187U, (uint64_t)1255484115292738U,
+ (uint64_t)2223291365520443U, (uint64_t)210967717407408U, (uint64_t)26722916813442U,
+ (uint64_t)1919574361907910U, (uint64_t)468825088280256U, (uint64_t)2230011775946070U,
+ (uint64_t)1628365642214479U, (uint64_t)568871869234932U, (uint64_t)1066987968780488U,
+ (uint64_t)1692242903745558U, (uint64_t)1678903997328589U, (uint64_t)214262165888021U,
+ (uint64_t)1929686748607204U, (uint64_t)1790138967989670U, (uint64_t)1790261616022076U,
+ (uint64_t)1559824537553112U, (uint64_t)1230364591311358U, (uint64_t)147531939886346U,
+ (uint64_t)1528207085815487U, (uint64_t)477957922927292U, (uint64_t)285670243881618U,
+ (uint64_t)264430080123332U, (uint64_t)1163108160028611U, (uint64_t)373201522147371U,
+ (uint64_t)34903775270979U, (uint64_t)1750870048600662U, (uint64_t)1319328308741084U,
+ (uint64_t)1547548634278984U, (uint64_t)1691259592202927U, (uint64_t)2247758037259814U,
+ (uint64_t)329611399953677U, (uint64_t)1385555496268877U, (uint64_t)2242438354031066U,
+ (uint64_t)1329523854843632U, (uint64_t)399895373846055U, (uint64_t)678005703193452U,
+ (uint64_t)1496357700997771U, (uint64_t)71909969781942U, (uint64_t)1515391418612349U,
+ (uint64_t)470110837888178U, (uint64_t)1981307309417466U, (uint64_t)1259888737412276U,
+ (uint64_t)669991710228712U, (uint64_t)1048546834514303U, (uint64_t)1678323291295512U,
+ (uint64_t)2172033978088071U, (uint64_t)1529278455500556U, (uint64_t)901984601941894U,
+ (uint64_t)780867622403807U, (uint64_t)550105677282793U, (uint64_t)975860231176136U,
+ (uint64_t)525188281689178U, (uint64_t)49966114807992U, (uint64_t)1776449263836645U,
+ (uint64_t)267851776380338U, (uint64_t)2225969494054620U, (uint64_t)2016794225789822U,
+ (uint64_t)1186108678266608U, (uint64_t)1023083271408882U, (uint64_t)1119289418565906U,
+ (uint64_t)1248185897348801U, (uint64_t)1846081539082697U, (uint64_t)23756429626075U,
+ (uint64_t)1441999021105403U, (uint64_t)724497586552825U, (uint64_t)1287761623605379U,
+ (uint64_t)685303359654224U, (uint64_t)2217156930690570U, (uint64_t)163769288918347U,
+ (uint64_t)1098423278284094U, (uint64_t)1391470723006008U, (uint64_t)570700152353516U,
+ (uint64_t)744804507262556U, (uint64_t)2200464788609495U, (uint64_t)624141899161992U,
+ (uint64_t)2249570166275684U, (uint64_t)378706441983561U, (uint64_t)122486379999375U,
+ (uint64_t)430741162798924U, (uint64_t)113847463452574U, (uint64_t)266250457840685U,
+ (uint64_t)2120743625072743U, (uint64_t)222186221043927U, (uint64_t)1964290018305582U,
+ (uint64_t)1435278008132477U, (uint64_t)1670867456663734U, (uint64_t)2009989552599079U,
+ (uint64_t)1348024113448744U, (uint64_t)1158423886300455U, (uint64_t)1356467152691569U,
+ (uint64_t)306943042363674U, (uint64_t)926879628664255U, (uint64_t)1349295689598324U,
+ (uint64_t)725558330071205U, (uint64_t)536569987519948U, (uint64_t)116436990335366U,
+ (uint64_t)1551888573800376U, (uint64_t)2044698345945451U, (uint64_t)104279940291311U,
+ (uint64_t)251526570943220U, (uint64_t)754735828122925U, (uint64_t)33448073576361U,
+ (uint64_t)994605876754543U, (uint64_t)546007584022006U, (uint64_t)2217332798409487U,
+ (uint64_t)706477052561591U, (uint64_t)131174619428653U, (uint64_t)2148698284087243U,
+ (uint64_t)239290486205186U, (uint64_t)2161325796952184U, (uint64_t)1713452845607994U,
+ (uint64_t)1297861562938913U, (uint64_t)1779539876828514U, (uint64_t)1926559018603871U,
+ (uint64_t)296485747893968U, (uint64_t)1859208206640686U, (uint64_t)538513979002718U,
+ (uint64_t)103998826506137U, (uint64_t)2025375396538469U, (uint64_t)1370680785701206U,
+ (uint64_t)1698557311253840U, (uint64_t)1411096399076595U, (uint64_t)2132580530813677U,
+ (uint64_t)2071564345845035U, (uint64_t)498581428556735U, (uint64_t)1136010486691371U,
+ (uint64_t)1927619356993146U
+ };
+
+static const uint64_t
+ Hacl_Ed25519_PrecompTable_precomp_g_pow2_128_table_w4[320U] = {
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)557549315715710U, (uint64_t)196756086293855U,
+ (uint64_t)846062225082495U, (uint64_t)1865068224838092U, (uint64_t)991112090754908U,
+ (uint64_t)522916421512828U, (uint64_t)2098523346722375U, (uint64_t)1135633221747012U,
+ (uint64_t)858420432114866U, (uint64_t)186358544306082U, (uint64_t)1044420411868480U,
+ (uint64_t)2080052304349321U, (uint64_t)557301814716724U, (uint64_t)1305130257814057U,
+ (uint64_t)2126012765451197U, (uint64_t)1441004402875101U, (uint64_t)353948968859203U,
+ (uint64_t)470765987164835U, (uint64_t)1507675957683570U, (uint64_t)1086650358745097U,
+ (uint64_t)1911913434398388U, (uint64_t)66086091117182U, (uint64_t)1137511952425971U,
+ (uint64_t)36958263512141U, (uint64_t)2193310025325256U, (uint64_t)1085191426269045U,
+ (uint64_t)1232148267909446U, (uint64_t)1449894406170117U, (uint64_t)1241416717139557U,
+ (uint64_t)1940876999212868U, (uint64_t)829758415918121U, (uint64_t)309608450373449U,
+ (uint64_t)2228398547683851U, (uint64_t)1580623271960188U, (uint64_t)1675601502456740U,
+ (uint64_t)1360363115493548U, (uint64_t)1098397313096815U, (uint64_t)1809255384359797U,
+ (uint64_t)1458261916834384U, (uint64_t)210682545649705U, (uint64_t)1606836641068115U,
+ (uint64_t)1230478270405318U, (uint64_t)1843192771547802U, (uint64_t)1794596343564051U,
+ (uint64_t)229060710252162U, (uint64_t)2169742775467181U, (uint64_t)701467067318072U,
+ (uint64_t)696018499035555U, (uint64_t)521051885339807U, (uint64_t)158329567901874U,
+ (uint64_t)740426481832143U, (uint64_t)1369811177301441U, (uint64_t)503351589084015U,
+ (uint64_t)1781114827942261U, (uint64_t)1650493549693035U, (uint64_t)2174562418345156U,
+ (uint64_t)456517194809244U, (uint64_t)2052761522121179U, (uint64_t)2233342271123682U,
+ (uint64_t)1445872925177435U, (uint64_t)1131882576902813U, (uint64_t)220765848055241U,
+ (uint64_t)1280259961403769U, (uint64_t)1581497080160712U, (uint64_t)1477441080108824U,
+ (uint64_t)218428165202767U, (uint64_t)1970598141278907U, (uint64_t)643366736173069U,
+ (uint64_t)2167909426804014U, (uint64_t)834993711408259U, (uint64_t)1922437166463212U,
+ (uint64_t)1900036281472252U, (uint64_t)513794844386304U, (uint64_t)1297904164900114U,
+ (uint64_t)1147626295373268U, (uint64_t)1910101606251299U, (uint64_t)182933838633381U,
+ (uint64_t)806229530787362U, (uint64_t)155511666433200U, (uint64_t)290522463375462U,
+ (uint64_t)534373523491751U, (uint64_t)1302938814480515U, (uint64_t)1664979184120445U,
+ (uint64_t)304235649499423U, (uint64_t)339284524318609U, (uint64_t)1881717946973483U,
+ (uint64_t)1670802286833842U, (uint64_t)2223637120675737U, (uint64_t)135818919485814U,
+ (uint64_t)1144856572842792U, (uint64_t)2234981613434386U, (uint64_t)963917024969826U,
+ (uint64_t)402275378284993U, (uint64_t)141532417412170U, (uint64_t)921537468739387U,
+ (uint64_t)963905069722607U, (uint64_t)1405442890733358U, (uint64_t)1567763927164655U,
+ (uint64_t)1664776329195930U, (uint64_t)2095924165508507U, (uint64_t)994243110271379U,
+ (uint64_t)1243925610609353U, (uint64_t)1029845815569727U, (uint64_t)1001968867985629U,
+ (uint64_t)170368934002484U, (uint64_t)1100906131583801U, (uint64_t)1825190326449569U,
+ (uint64_t)1462285121182096U, (uint64_t)1545240767016377U, (uint64_t)797859025652273U,
+ (uint64_t)1062758326657530U, (uint64_t)1125600735118266U, (uint64_t)739325756774527U,
+ (uint64_t)1420144485966996U, (uint64_t)1915492743426702U, (uint64_t)752968196344993U,
+ (uint64_t)882156396938351U, (uint64_t)1909097048763227U, (uint64_t)849058590685611U,
+ (uint64_t)840754951388500U, (uint64_t)1832926948808323U, (uint64_t)2023317100075297U,
+ (uint64_t)322382745442827U, (uint64_t)1569741341737601U, (uint64_t)1678986113194987U,
+ (uint64_t)757598994581938U, (uint64_t)29678659580705U, (uint64_t)1239680935977986U,
+ (uint64_t)1509239427168474U, (uint64_t)1055981929287006U, (uint64_t)1894085471158693U,
+ (uint64_t)916486225488490U, (uint64_t)642168890366120U, (uint64_t)300453362620010U,
+ (uint64_t)1858797242721481U, (uint64_t)2077989823177130U, (uint64_t)510228455273334U,
+ (uint64_t)1473284798689270U, (uint64_t)5173934574301U, (uint64_t)765285232030050U,
+ (uint64_t)1007154707631065U, (uint64_t)1862128712885972U, (uint64_t)168873464821340U,
+ (uint64_t)1967853269759318U, (uint64_t)1489896018263031U, (uint64_t)592451806166369U,
+ (uint64_t)1242298565603883U, (uint64_t)1838918921339058U, (uint64_t)697532763910695U,
+ (uint64_t)294335466239059U, (uint64_t)135687058387449U, (uint64_t)2133734403874176U,
+ (uint64_t)2121911143127699U, (uint64_t)20222476737364U, (uint64_t)1200824626476747U,
+ (uint64_t)1397731736540791U, (uint64_t)702378430231418U, (uint64_t)59059527640068U,
+ (uint64_t)460992547183981U, (uint64_t)1016125857842765U, (uint64_t)1273530839608957U,
+ (uint64_t)96724128829301U, (uint64_t)1313433042425233U, (uint64_t)3543822857227U,
+ (uint64_t)761975685357118U, (uint64_t)110417360745248U, (uint64_t)1079634164577663U,
+ (uint64_t)2044574510020457U, (uint64_t)338709058603120U, (uint64_t)94541336042799U,
+ (uint64_t)127963233585039U, (uint64_t)94427896272258U, (uint64_t)1143501979342182U,
+ (uint64_t)1217958006212230U, (uint64_t)2153887831492134U, (uint64_t)1519219513255575U,
+ (uint64_t)251793195454181U, (uint64_t)392517349345200U, (uint64_t)1507033011868881U,
+ (uint64_t)2208494254670752U, (uint64_t)1364389582694359U, (uint64_t)2214069430728063U,
+ (uint64_t)1272814257105752U, (uint64_t)741450148906352U, (uint64_t)1105776675555685U,
+ (uint64_t)824447222014984U, (uint64_t)528745219306376U, (uint64_t)589427609121575U,
+ (uint64_t)1501786838809155U, (uint64_t)379067373073147U, (uint64_t)184909476589356U,
+ (uint64_t)1346887560616185U, (uint64_t)1932023742314082U, (uint64_t)1633302311869264U,
+ (uint64_t)1685314821133069U, (uint64_t)1836610282047884U, (uint64_t)1595571594397150U,
+ (uint64_t)615441688872198U, (uint64_t)1926435616702564U, (uint64_t)235632180396480U,
+ (uint64_t)1051918343571810U, (uint64_t)2150570051687050U, (uint64_t)879198845408738U,
+ (uint64_t)1443966275205464U, (uint64_t)481362545245088U, (uint64_t)512807443532642U,
+ (uint64_t)641147578283480U, (uint64_t)1594276116945596U, (uint64_t)1844812743300602U,
+ (uint64_t)2044559316019485U, (uint64_t)202620777969020U, (uint64_t)852992984136302U,
+ (uint64_t)1500869642692910U, (uint64_t)1085216217052457U, (uint64_t)1736294372259758U,
+ (uint64_t)2009666354486552U, (uint64_t)1262389020715248U, (uint64_t)1166527705256867U,
+ (uint64_t)1409917450806036U, (uint64_t)1705819160057637U, (uint64_t)1116901782584378U,
+ (uint64_t)1278460472285473U, (uint64_t)257879811360157U, (uint64_t)40314007176886U,
+ (uint64_t)701309846749639U, (uint64_t)1380457676672777U, (uint64_t)631519782380272U,
+ (uint64_t)1196339573466793U, (uint64_t)955537708940017U, (uint64_t)532725633381530U,
+ (uint64_t)641190593731833U, (uint64_t)7214357153807U, (uint64_t)481922072107983U,
+ (uint64_t)1634886189207352U, (uint64_t)1247659758261633U, (uint64_t)1655809614786430U,
+ (uint64_t)43105797900223U, (uint64_t)76205809912607U, (uint64_t)1936575107455823U,
+ (uint64_t)1107927314642236U, (uint64_t)2199986333469333U, (uint64_t)802974829322510U,
+ (uint64_t)718173128143482U, (uint64_t)539385184235615U, (uint64_t)2075693785611221U,
+ (uint64_t)953281147333690U, (uint64_t)1623571637172587U, (uint64_t)655274535022250U,
+ (uint64_t)1568078078819021U, (uint64_t)101142125049712U, (uint64_t)1488441673350881U,
+ (uint64_t)1457969561944515U, (uint64_t)1492622544287712U, (uint64_t)2041460689280803U,
+ (uint64_t)1961848091392887U, (uint64_t)461003520846938U, (uint64_t)934728060399807U,
+ (uint64_t)117723291519705U, (uint64_t)1027773762863526U, (uint64_t)56765304991567U,
+ (uint64_t)2184028379550479U, (uint64_t)1768767711894030U, (uint64_t)1304432068983172U,
+ (uint64_t)498080974452325U, (uint64_t)2134905654858163U, (uint64_t)1446137427202647U,
+ (uint64_t)551613831549590U, (uint64_t)680288767054205U, (uint64_t)1278113339140386U,
+ (uint64_t)378149431842614U, (uint64_t)80520494426960U, (uint64_t)2080985256348782U,
+ (uint64_t)673432591799820U, (uint64_t)739189463724560U, (uint64_t)1847191452197509U,
+ (uint64_t)527737312871602U, (uint64_t)477609358840073U, (uint64_t)1891633072677946U,
+ (uint64_t)1841456828278466U, (uint64_t)2242502936489002U, (uint64_t)524791829362709U,
+ (uint64_t)276648168514036U, (uint64_t)991706903257619U, (uint64_t)512580228297906U,
+ (uint64_t)1216855104975946U, (uint64_t)67030930303149U, (uint64_t)769593945208213U,
+ (uint64_t)2048873385103577U, (uint64_t)455635274123107U, (uint64_t)2077404927176696U,
+ (uint64_t)1803539634652306U, (uint64_t)1837579953843417U, (uint64_t)1564240068662828U,
+ (uint64_t)1964310918970435U, (uint64_t)832822906252492U, (uint64_t)1516044634195010U,
+ (uint64_t)770571447506889U, (uint64_t)602215152486818U, (uint64_t)1760828333136947U,
+ (uint64_t)730156776030376U
+ };
+
+static const uint64_t
+ Hacl_Ed25519_PrecompTable_precomp_g_pow2_192_table_w4[320U] = {
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)1129953239743101U, (uint64_t)1240339163956160U,
+ (uint64_t)61002583352401U, (uint64_t)2017604552196030U, (uint64_t)1576867829229863U,
+ (uint64_t)1508654942849389U, (uint64_t)270111619664077U, (uint64_t)1253097517254054U,
+ (uint64_t)721798270973250U, (uint64_t)161923365415298U, (uint64_t)828530877526011U,
+ (uint64_t)1494851059386763U, (uint64_t)662034171193976U, (uint64_t)1315349646974670U,
+ (uint64_t)2199229517308806U, (uint64_t)497078277852673U, (uint64_t)1310507715989956U,
+ (uint64_t)1881315714002105U, (uint64_t)2214039404983803U, (uint64_t)1331036420272667U,
+ (uint64_t)296286697520787U, (uint64_t)1179367922639127U, (uint64_t)25348441419697U,
+ (uint64_t)2200984961703188U, (uint64_t)150893128908291U, (uint64_t)1978614888570852U,
+ (uint64_t)1539657347172046U, (uint64_t)553810196523619U, (uint64_t)246017573977646U,
+ (uint64_t)1440448985385485U, (uint64_t)346049108099981U, (uint64_t)601166606218546U,
+ (uint64_t)855822004151713U, (uint64_t)1957521326383188U, (uint64_t)1114240380430887U,
+ (uint64_t)1349639675122048U, (uint64_t)957375954499040U, (uint64_t)111551795360136U,
+ (uint64_t)618586733648988U, (uint64_t)490708840688866U, (uint64_t)1267002049697314U,
+ (uint64_t)1130723224930028U, (uint64_t)215603029480828U, (uint64_t)1277138555414710U,
+ (uint64_t)1556750324971322U, (uint64_t)1407903521793741U, (uint64_t)1836836546590749U,
+ (uint64_t)576500297444199U, (uint64_t)2074707599091135U, (uint64_t)1826239864380012U,
+ (uint64_t)1935365705983312U, (uint64_t)239501825683682U, (uint64_t)1594236669034980U,
+ (uint64_t)1283078975055301U, (uint64_t)856745636255925U, (uint64_t)1342128647959981U,
+ (uint64_t)945216428379689U, (uint64_t)938746202496410U, (uint64_t)105775123333919U,
+ (uint64_t)1379852610117266U, (uint64_t)1770216827500275U, (uint64_t)1016017267535704U,
+ (uint64_t)1902885522469532U, (uint64_t)994184703730489U, (uint64_t)2227487538793763U,
+ (uint64_t)53155967096055U, (uint64_t)1264120808114350U, (uint64_t)1334928769376729U,
+ (uint64_t)393911808079997U, (uint64_t)826229239481845U, (uint64_t)1827903006733192U,
+ (uint64_t)1449283706008465U, (uint64_t)1258040415217849U, (uint64_t)1641484112868370U,
+ (uint64_t)1140150841968176U, (uint64_t)391113338021313U, (uint64_t)162138667815833U,
+ (uint64_t)742204396566060U, (uint64_t)110709233440557U, (uint64_t)90179377432917U,
+ (uint64_t)530511949644489U, (uint64_t)911568635552279U, (uint64_t)135869304780166U,
+ (uint64_t)617719999563692U, (uint64_t)1802525001631319U, (uint64_t)1836394639510490U,
+ (uint64_t)1862739456475085U, (uint64_t)1378284444664288U, (uint64_t)1617882529391756U,
+ (uint64_t)876124429891172U, (uint64_t)1147654641445091U, (uint64_t)1476943370400542U,
+ (uint64_t)688601222759067U, (uint64_t)2120281968990205U, (uint64_t)1387113236912611U,
+ (uint64_t)2125245820685788U, (uint64_t)1030674016350092U, (uint64_t)1594684598654247U,
+ (uint64_t)1165939511879820U, (uint64_t)271499323244173U, (uint64_t)546587254515484U,
+ (uint64_t)945603425742936U, (uint64_t)1242252568170226U, (uint64_t)561598728058142U,
+ (uint64_t)604827091794712U, (uint64_t)19869753585186U, (uint64_t)565367744708915U,
+ (uint64_t)536755754533603U, (uint64_t)1767258313589487U, (uint64_t)907952975936127U,
+ (uint64_t)292851652613937U, (uint64_t)163573546237963U, (uint64_t)837601408384564U,
+ (uint64_t)591996990118301U, (uint64_t)2126051747693057U, (uint64_t)182247548824566U,
+ (uint64_t)908369044122868U, (uint64_t)1335442699947273U, (uint64_t)2234292296528612U,
+ (uint64_t)689537529333034U, (uint64_t)2174778663790714U, (uint64_t)1011407643592667U,
+ (uint64_t)1856130618715473U, (uint64_t)1557437221651741U, (uint64_t)2250285407006102U,
+ (uint64_t)1412384213410827U, (uint64_t)1428042038612456U, (uint64_t)962709733973660U,
+ (uint64_t)313995703125919U, (uint64_t)1844969155869325U, (uint64_t)787716782673657U,
+ (uint64_t)622504542173478U, (uint64_t)930119043384654U, (uint64_t)2128870043952488U,
+ (uint64_t)537781531479523U, (uint64_t)1556666269904940U, (uint64_t)417333635741346U,
+ (uint64_t)1986743846438415U, (uint64_t)877620478041197U, (uint64_t)2205624582983829U,
+ (uint64_t)595260668884488U, (uint64_t)2025159350373157U, (uint64_t)2091659716088235U,
+ (uint64_t)1423634716596391U, (uint64_t)653686638634080U, (uint64_t)1972388399989956U,
+ (uint64_t)795575741798014U, (uint64_t)889240107997846U, (uint64_t)1446156876910732U,
+ (uint64_t)1028507012221776U, (uint64_t)1071697574586478U, (uint64_t)1689630411899691U,
+ (uint64_t)604092816502174U, (uint64_t)1909917373896122U, (uint64_t)1602544877643837U,
+ (uint64_t)1227177032923867U, (uint64_t)62684197535630U, (uint64_t)186146290753883U,
+ (uint64_t)414449055316766U, (uint64_t)1560555880866750U, (uint64_t)157579947096755U,
+ (uint64_t)230526795502384U, (uint64_t)1197673369665894U, (uint64_t)593779215869037U,
+ (uint64_t)214638834474097U, (uint64_t)1796344443484478U, (uint64_t)493550548257317U,
+ (uint64_t)1628442824033694U, (uint64_t)1410811655893495U, (uint64_t)1009361960995171U,
+ (uint64_t)604736219740352U, (uint64_t)392445928555351U, (uint64_t)1254295770295706U,
+ (uint64_t)1958074535046128U, (uint64_t)508699942241019U, (uint64_t)739405911261325U,
+ (uint64_t)1678760393882409U, (uint64_t)517763708545996U, (uint64_t)640040257898722U,
+ (uint64_t)384966810872913U, (uint64_t)407454748380128U, (uint64_t)152604679407451U,
+ (uint64_t)185102854927662U, (uint64_t)1448175503649595U, (uint64_t)100328519208674U,
+ (uint64_t)1153263667012830U, (uint64_t)1643926437586490U, (uint64_t)609632142834154U,
+ (uint64_t)980984004749261U, (uint64_t)855290732258779U, (uint64_t)2186022163021506U,
+ (uint64_t)1254052618626070U, (uint64_t)1850030517182611U, (uint64_t)162348933090207U,
+ (uint64_t)1948712273679932U, (uint64_t)1331832516262191U, (uint64_t)1219400369175863U,
+ (uint64_t)89689036937483U, (uint64_t)1554886057235815U, (uint64_t)1520047528432789U,
+ (uint64_t)81263957652811U, (uint64_t)146612464257008U, (uint64_t)2207945627164163U,
+ (uint64_t)919846660682546U, (uint64_t)1925694087906686U, (uint64_t)2102027292388012U,
+ (uint64_t)887992003198635U, (uint64_t)1817924871537027U, (uint64_t)746660005584342U,
+ (uint64_t)753757153275525U, (uint64_t)91394270908699U, (uint64_t)511837226544151U,
+ (uint64_t)736341543649373U, (uint64_t)1256371121466367U, (uint64_t)1977778299551813U,
+ (uint64_t)817915174462263U, (uint64_t)1602323381418035U, (uint64_t)190035164572930U,
+ (uint64_t)603796401391181U, (uint64_t)2152666873671669U, (uint64_t)1813900316324112U,
+ (uint64_t)1292622433358041U, (uint64_t)888439870199892U, (uint64_t)978918155071994U,
+ (uint64_t)534184417909805U, (uint64_t)466460084317313U, (uint64_t)1275223140288685U,
+ (uint64_t)786407043883517U, (uint64_t)1620520623925754U, (uint64_t)1753625021290269U,
+ (uint64_t)751937175104525U, (uint64_t)905301961820613U, (uint64_t)697059847245437U,
+ (uint64_t)584919033981144U, (uint64_t)1272165506533156U, (uint64_t)1532180021450866U,
+ (uint64_t)1901407354005301U, (uint64_t)1421319720492586U, (uint64_t)2179081609765456U,
+ (uint64_t)2193253156667632U, (uint64_t)1080248329608584U, (uint64_t)2158422436462066U,
+ (uint64_t)759167597017850U, (uint64_t)545759071151285U, (uint64_t)641600428493698U,
+ (uint64_t)943791424499848U, (uint64_t)469571542427864U, (uint64_t)951117845222467U,
+ (uint64_t)1780538594373407U, (uint64_t)614611122040309U, (uint64_t)1354826131886963U,
+ (uint64_t)221898131992340U, (uint64_t)1145699723916219U, (uint64_t)798735379961769U,
+ (uint64_t)1843560518208287U, (uint64_t)1424523160161545U, (uint64_t)205549016574779U,
+ (uint64_t)2239491587362749U, (uint64_t)1918363582399888U, (uint64_t)1292183072788455U,
+ (uint64_t)1783513123192567U, (uint64_t)1584027954317205U, (uint64_t)1890421443925740U,
+ (uint64_t)1718459319874929U, (uint64_t)1522091040748809U, (uint64_t)399467600667219U,
+ (uint64_t)1870973059066576U, (uint64_t)287514433150348U, (uint64_t)1397845311152885U,
+ (uint64_t)1880440629872863U, (uint64_t)709302939340341U, (uint64_t)1813571361109209U,
+ (uint64_t)86598795876860U, (uint64_t)1146964554310612U, (uint64_t)1590956584862432U,
+ (uint64_t)2097004628155559U, (uint64_t)656227622102390U, (uint64_t)1808500445541891U,
+ (uint64_t)958336726523135U, (uint64_t)2007604569465975U, (uint64_t)313504950390997U,
+ (uint64_t)1399686004953620U, (uint64_t)1759732788465234U, (uint64_t)1562539721055836U,
+ (uint64_t)1575722765016293U, (uint64_t)793318366641259U, (uint64_t)443876859384887U,
+ (uint64_t)547308921989704U, (uint64_t)636698687503328U, (uint64_t)2179175835287340U,
+ (uint64_t)498333551718258U, (uint64_t)932248760026176U, (uint64_t)1612395686304653U,
+ (uint64_t)2179774103745626U, (uint64_t)1359658123541018U, (uint64_t)171488501802442U,
+ (uint64_t)1625034951791350U, (uint64_t)520196922773633U, (uint64_t)1873787546341877U,
+ (uint64_t)303457823885368U
+ };
+
+static const uint64_t
+ Hacl_Ed25519_PrecompTable_precomp_basepoint_table_w5[640U] = {
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)1738742601995546U, (uint64_t)1146398526822698U,
+ (uint64_t)2070867633025821U, (uint64_t)562264141797630U, (uint64_t)587772402128613U,
+ (uint64_t)1801439850948184U, (uint64_t)1351079888211148U, (uint64_t)450359962737049U,
+ (uint64_t)900719925474099U, (uint64_t)1801439850948198U, (uint64_t)1U, (uint64_t)0U,
+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1841354044333475U,
+ (uint64_t)16398895984059U, (uint64_t)755974180946558U, (uint64_t)900171276175154U,
+ (uint64_t)1821297809914039U, (uint64_t)1661154287933054U, (uint64_t)284530020860578U,
+ (uint64_t)1390261174866914U, (uint64_t)1524110943907984U, (uint64_t)1045603498418422U,
+ (uint64_t)928651508580478U, (uint64_t)1383326941296346U, (uint64_t)961937908925785U,
+ (uint64_t)80455759693706U, (uint64_t)904734540352947U, (uint64_t)1507481815385608U,
+ (uint64_t)2223447444246085U, (uint64_t)1083941587175919U, (uint64_t)2059929906842505U,
+ (uint64_t)1581435440146976U, (uint64_t)782730187692425U, (uint64_t)9928394897574U,
+ (uint64_t)1539449519985236U, (uint64_t)1923587931078510U, (uint64_t)552919286076056U,
+ (uint64_t)376925408065760U, (uint64_t)447320488831784U, (uint64_t)1362918338468019U,
+ (uint64_t)1470031896696846U, (uint64_t)2189796996539902U, (uint64_t)1337552949959847U,
+ (uint64_t)1762287177775726U, (uint64_t)237994495816815U, (uint64_t)1277840395970544U,
+ (uint64_t)543972849007241U, (uint64_t)1224692671618814U, (uint64_t)162359533289271U,
+ (uint64_t)282240927125249U, (uint64_t)586909166382289U, (uint64_t)17726488197838U,
+ (uint64_t)377014554985659U, (uint64_t)1433835303052512U, (uint64_t)702061469493692U,
+ (uint64_t)1142253108318154U, (uint64_t)318297794307551U, (uint64_t)954362646308543U,
+ (uint64_t)517363881452320U, (uint64_t)1868013482130416U, (uint64_t)262562472373260U,
+ (uint64_t)902232853249919U, (uint64_t)2107343057055746U, (uint64_t)462368348619024U,
+ (uint64_t)1893758677092974U, (uint64_t)2177729767846389U, (uint64_t)2168532543559143U,
+ (uint64_t)443867094639821U, (uint64_t)730169342581022U, (uint64_t)1564589016879755U,
+ (uint64_t)51218195700649U, (uint64_t)76684578423745U, (uint64_t)560266272480743U,
+ (uint64_t)922517457707697U, (uint64_t)2066645939860874U, (uint64_t)1318277348414638U,
+ (uint64_t)1576726809084003U, (uint64_t)1817337608563665U, (uint64_t)1874240939237666U,
+ (uint64_t)754733726333910U, (uint64_t)97085310406474U, (uint64_t)751148364309235U,
+ (uint64_t)1622159695715187U, (uint64_t)1444098819684916U, (uint64_t)130920805558089U,
+ (uint64_t)1260449179085308U, (uint64_t)1860021740768461U, (uint64_t)110052860348509U,
+ (uint64_t)193830891643810U, (uint64_t)164148413933881U, (uint64_t)180017794795332U,
+ (uint64_t)1523506525254651U, (uint64_t)465981629225956U, (uint64_t)559733514964572U,
+ (uint64_t)1279624874416974U, (uint64_t)2026642326892306U, (uint64_t)1425156829982409U,
+ (uint64_t)2160936383793147U, (uint64_t)1061870624975247U, (uint64_t)2023497043036941U,
+ (uint64_t)117942212883190U, (uint64_t)490339622800774U, (uint64_t)1729931303146295U,
+ (uint64_t)422305932971074U, (uint64_t)529103152793096U, (uint64_t)1211973233775992U,
+ (uint64_t)721364955929681U, (uint64_t)1497674430438813U, (uint64_t)342545521275073U,
+ (uint64_t)2102107575279372U, (uint64_t)2108462244669966U, (uint64_t)1382582406064082U,
+ (uint64_t)2206396818383323U, (uint64_t)2109093268641147U, (uint64_t)10809845110983U,
+ (uint64_t)1605176920880099U, (uint64_t)744640650753946U, (uint64_t)1712758897518129U,
+ (uint64_t)373410811281809U, (uint64_t)648838265800209U, (uint64_t)813058095530999U,
+ (uint64_t)513987632620169U, (uint64_t)465516160703329U, (uint64_t)2136322186126330U,
+ (uint64_t)1979645899422932U, (uint64_t)1197131006470786U, (uint64_t)1467836664863979U,
+ (uint64_t)1340751381374628U, (uint64_t)1810066212667962U, (uint64_t)1009933588225499U,
+ (uint64_t)1106129188080873U, (uint64_t)1388980405213901U, (uint64_t)533719246598044U,
+ (uint64_t)1169435803073277U, (uint64_t)198920999285821U, (uint64_t)487492330629854U,
+ (uint64_t)1807093008537778U, (uint64_t)1540899012923865U, (uint64_t)2075080271659867U,
+ (uint64_t)1527990806921523U, (uint64_t)1323728742908002U, (uint64_t)1568595959608205U,
+ (uint64_t)1388032187497212U, (uint64_t)2026968840050568U, (uint64_t)1396591153295755U,
+ (uint64_t)820416950170901U, (uint64_t)520060313205582U, (uint64_t)2016404325094901U,
+ (uint64_t)1584709677868520U, (uint64_t)272161374469956U, (uint64_t)1567188603996816U,
+ (uint64_t)1986160530078221U, (uint64_t)553930264324589U, (uint64_t)1058426729027503U,
+ (uint64_t)8762762886675U, (uint64_t)2216098143382988U, (uint64_t)1835145266889223U,
+ (uint64_t)1712936431558441U, (uint64_t)1017009937844974U, (uint64_t)585361667812740U,
+ (uint64_t)2114711541628181U, (uint64_t)2238729632971439U, (uint64_t)121257546253072U,
+ (uint64_t)847154149018345U, (uint64_t)211972965476684U, (uint64_t)287499084460129U,
+ (uint64_t)2098247259180197U, (uint64_t)839070411583329U, (uint64_t)339551619574372U,
+ (uint64_t)1432951287640743U, (uint64_t)526481249498942U, (uint64_t)931991661905195U,
+ (uint64_t)1884279965674487U, (uint64_t)200486405604411U, (uint64_t)364173020594788U,
+ (uint64_t)518034455936955U, (uint64_t)1085564703965501U, (uint64_t)16030410467927U,
+ (uint64_t)604865933167613U, (uint64_t)1695298441093964U, (uint64_t)498856548116159U,
+ (uint64_t)2193030062787034U, (uint64_t)1706339802964179U, (uint64_t)1721199073493888U,
+ (uint64_t)820740951039755U, (uint64_t)1216053436896834U, (uint64_t)23954895815139U,
+ (uint64_t)1662515208920491U, (uint64_t)1705443427511899U, (uint64_t)1957928899570365U,
+ (uint64_t)1189636258255725U, (uint64_t)1795695471103809U, (uint64_t)1691191297654118U,
+ (uint64_t)282402585374360U, (uint64_t)460405330264832U, (uint64_t)63765529445733U,
+ (uint64_t)469763447404473U, (uint64_t)733607089694996U, (uint64_t)685410420186959U,
+ (uint64_t)1096682630419738U, (uint64_t)1162548510542362U, (uint64_t)1020949526456676U,
+ (uint64_t)1211660396870573U, (uint64_t)613126398222696U, (uint64_t)1117829165843251U,
+ (uint64_t)742432540886650U, (uint64_t)1483755088010658U, (uint64_t)942392007134474U,
+ (uint64_t)1447834130944107U, (uint64_t)489368274863410U, (uint64_t)23192985544898U,
+ (uint64_t)648442406146160U, (uint64_t)785438843373876U, (uint64_t)249464684645238U,
+ (uint64_t)170494608205618U, (uint64_t)335112827260550U, (uint64_t)1462050123162735U,
+ (uint64_t)1084803668439016U, (uint64_t)853459233600325U, (uint64_t)215777728187495U,
+ (uint64_t)1965759433526974U, (uint64_t)1349482894446537U, (uint64_t)694163317612871U,
+ (uint64_t)860536766165036U, (uint64_t)1178788094084321U, (uint64_t)1652739626626996U,
+ (uint64_t)2115723946388185U, (uint64_t)1577204379094664U, (uint64_t)1083882859023240U,
+ (uint64_t)1768759143381635U, (uint64_t)1737180992507258U, (uint64_t)246054513922239U,
+ (uint64_t)577253134087234U, (uint64_t)356340280578042U, (uint64_t)1638917769925142U,
+ (uint64_t)223550348130103U, (uint64_t)470592666638765U, (uint64_t)22663573966996U,
+ (uint64_t)596552461152400U, (uint64_t)364143537069499U, (uint64_t)3942119457699U,
+ (uint64_t)107951982889287U, (uint64_t)1843471406713209U, (uint64_t)1625773041610986U,
+ (uint64_t)1466141092501702U, (uint64_t)1043024095021271U, (uint64_t)310429964047508U,
+ (uint64_t)98559121500372U, (uint64_t)152746933782868U, (uint64_t)259407205078261U,
+ (uint64_t)828123093322585U, (uint64_t)1576847274280091U, (uint64_t)1170871375757302U,
+ (uint64_t)1588856194642775U, (uint64_t)984767822341977U, (uint64_t)1141497997993760U,
+ (uint64_t)809325345150796U, (uint64_t)1879837728202511U, (uint64_t)201340910657893U,
+ (uint64_t)1079157558888483U, (uint64_t)1052373448588065U, (uint64_t)1732036202501778U,
+ (uint64_t)2105292670328445U, (uint64_t)679751387312402U, (uint64_t)1679682144926229U,
+ (uint64_t)1695823455818780U, (uint64_t)498852317075849U, (uint64_t)1786555067788433U,
+ (uint64_t)1670727545779425U, (uint64_t)117945875433544U, (uint64_t)407939139781844U,
+ (uint64_t)854632120023778U, (uint64_t)1413383148360437U, (uint64_t)286030901733673U,
+ (uint64_t)1207361858071196U, (uint64_t)461340408181417U, (uint64_t)1096919590360164U,
+ (uint64_t)1837594897475685U, (uint64_t)533755561544165U, (uint64_t)1638688042247712U,
+ (uint64_t)1431653684793005U, (uint64_t)1036458538873559U, (uint64_t)390822120341779U,
+ (uint64_t)1920929837111618U, (uint64_t)543426740024168U, (uint64_t)645751357799929U,
+ (uint64_t)2245025632994463U, (uint64_t)1550778638076452U, (uint64_t)223738153459949U,
+ (uint64_t)1337209385492033U, (uint64_t)1276967236456531U, (uint64_t)1463815821063071U,
+ (uint64_t)2070620870191473U, (uint64_t)1199170709413753U, (uint64_t)273230877394166U,
+ (uint64_t)1873264887608046U, (uint64_t)890877152910775U, (uint64_t)983226445635730U,
+ (uint64_t)44873798519521U, (uint64_t)697147127512130U, (uint64_t)961631038239304U,
+ (uint64_t)709966160696826U, (uint64_t)1706677689540366U, (uint64_t)502782733796035U,
+ (uint64_t)812545535346033U, (uint64_t)1693622521296452U, (uint64_t)1955813093002510U,
+ (uint64_t)1259937612881362U, (uint64_t)1873032503803559U, (uint64_t)1140330566016428U,
+ (uint64_t)1675726082440190U, (uint64_t)60029928909786U, (uint64_t)170335608866763U,
+ (uint64_t)766444312315022U, (uint64_t)2025049511434113U, (uint64_t)2200845622430647U,
+ (uint64_t)1201269851450408U, (uint64_t)590071752404907U, (uint64_t)1400995030286946U,
+ (uint64_t)2152637413853822U, (uint64_t)2108495473841983U, (uint64_t)3855406710349U,
+ (uint64_t)1726137673168580U, (uint64_t)51004317200100U, (uint64_t)1749082328586939U,
+ (uint64_t)1704088976144558U, (uint64_t)1977318954775118U, (uint64_t)2062602253162400U,
+ (uint64_t)948062503217479U, (uint64_t)361953965048030U, (uint64_t)1528264887238440U,
+ (uint64_t)62582552172290U, (uint64_t)2241602163389280U, (uint64_t)156385388121765U,
+ (uint64_t)2124100319761492U, (uint64_t)388928050571382U, (uint64_t)1556123596922727U,
+ (uint64_t)979310669812384U, (uint64_t)113043855206104U, (uint64_t)2023223924825469U,
+ (uint64_t)643651703263034U, (uint64_t)2234446903655540U, (uint64_t)1577241261424997U,
+ (uint64_t)860253174523845U, (uint64_t)1691026473082448U, (uint64_t)1091672764933872U,
+ (uint64_t)1957463109756365U, (uint64_t)530699502660193U, (uint64_t)349587141723569U,
+ (uint64_t)674661681919563U, (uint64_t)1633727303856240U, (uint64_t)708909037922144U,
+ (uint64_t)2160722508518119U, (uint64_t)1302188051602540U, (uint64_t)976114603845777U,
+ (uint64_t)120004758721939U, (uint64_t)1681630708873780U, (uint64_t)622274095069244U,
+ (uint64_t)1822346309016698U, (uint64_t)1100921177951904U, (uint64_t)2216952659181677U,
+ (uint64_t)1844020550362490U, (uint64_t)1976451368365774U, (uint64_t)1321101422068822U,
+ (uint64_t)1189859436282668U, (uint64_t)2008801879735257U, (uint64_t)2219413454333565U,
+ (uint64_t)424288774231098U, (uint64_t)359793146977912U, (uint64_t)270293357948703U,
+ (uint64_t)587226003677000U, (uint64_t)1482071926139945U, (uint64_t)1419630774650359U,
+ (uint64_t)1104739070570175U, (uint64_t)1662129023224130U, (uint64_t)1609203612533411U,
+ (uint64_t)1250932720691980U, (uint64_t)95215711818495U, (uint64_t)498746909028150U,
+ (uint64_t)158151296991874U, (uint64_t)1201379988527734U, (uint64_t)561599945143989U,
+ (uint64_t)2211577425617888U, (uint64_t)2166577612206324U, (uint64_t)1057590354233512U,
+ (uint64_t)1968123280416769U, (uint64_t)1316586165401313U, (uint64_t)762728164447634U,
+ (uint64_t)2045395244316047U, (uint64_t)1531796898725716U, (uint64_t)315385971670425U,
+ (uint64_t)1109421039396756U, (uint64_t)2183635256408562U, (uint64_t)1896751252659461U,
+ (uint64_t)840236037179080U, (uint64_t)796245792277211U, (uint64_t)508345890111193U,
+ (uint64_t)1275386465287222U, (uint64_t)513560822858784U, (uint64_t)1784735733120313U,
+ (uint64_t)1346467478899695U, (uint64_t)601125231208417U, (uint64_t)701076661112726U,
+ (uint64_t)1841998436455089U, (uint64_t)1156768600940434U, (uint64_t)1967853462343221U,
+ (uint64_t)2178318463061452U, (uint64_t)481885520752741U, (uint64_t)675262828640945U,
+ (uint64_t)1033539418596582U, (uint64_t)1743329872635846U, (uint64_t)159322641251283U,
+ (uint64_t)1573076470127113U, (uint64_t)954827619308195U, (uint64_t)778834750662635U,
+ (uint64_t)619912782122617U, (uint64_t)515681498488209U, (uint64_t)1675866144246843U,
+ (uint64_t)811716020969981U, (uint64_t)1125515272217398U, (uint64_t)1398917918287342U,
+ (uint64_t)1301680949183175U, (uint64_t)726474739583734U, (uint64_t)587246193475200U,
+ (uint64_t)1096581582611864U, (uint64_t)1469911826213486U, (uint64_t)1990099711206364U,
+ (uint64_t)1256496099816508U, (uint64_t)2019924615195672U, (uint64_t)1251232456707555U,
+ (uint64_t)2042971196009755U, (uint64_t)214061878479265U, (uint64_t)115385726395472U,
+ (uint64_t)1677875239524132U, (uint64_t)756888883383540U, (uint64_t)1153862117756233U,
+ (uint64_t)503391530851096U, (uint64_t)946070017477513U, (uint64_t)1878319040542579U,
+ (uint64_t)1101349418586920U, (uint64_t)793245696431613U, (uint64_t)397920495357645U,
+ (uint64_t)2174023872951112U, (uint64_t)1517867915189593U, (uint64_t)1829855041462995U,
+ (uint64_t)1046709983503619U, (uint64_t)424081940711857U, (uint64_t)2112438073094647U,
+ (uint64_t)1504338467349861U, (uint64_t)2244574127374532U, (uint64_t)2136937537441911U,
+ (uint64_t)1741150838990304U, (uint64_t)25894628400571U, (uint64_t)512213526781178U,
+ (uint64_t)1168384260796379U, (uint64_t)1424607682379833U, (uint64_t)938677789731564U,
+ (uint64_t)872882241891896U, (uint64_t)1713199397007700U, (uint64_t)1410496326218359U,
+ (uint64_t)854379752407031U, (uint64_t)465141611727634U, (uint64_t)315176937037857U,
+ (uint64_t)1020115054571233U, (uint64_t)1856290111077229U, (uint64_t)2028366269898204U,
+ (uint64_t)1432980880307543U, (uint64_t)469932710425448U, (uint64_t)581165267592247U,
+ (uint64_t)496399148156603U, (uint64_t)2063435226705903U, (uint64_t)2116841086237705U,
+ (uint64_t)498272567217048U, (uint64_t)1829438076967906U, (uint64_t)1573925801278491U,
+ (uint64_t)460763576329867U, (uint64_t)1705264723728225U, (uint64_t)999514866082412U,
+ (uint64_t)29635061779362U, (uint64_t)1884233592281020U, (uint64_t)1449755591461338U,
+ (uint64_t)42579292783222U, (uint64_t)1869504355369200U, (uint64_t)495506004805251U,
+ (uint64_t)264073104888427U, (uint64_t)2088880861028612U, (uint64_t)104646456386576U,
+ (uint64_t)1258445191399967U, (uint64_t)1348736801545799U, (uint64_t)2068276361286613U,
+ (uint64_t)884897216646374U, (uint64_t)922387476801376U, (uint64_t)1043886580402805U,
+ (uint64_t)1240883498470831U, (uint64_t)1601554651937110U, (uint64_t)804382935289482U,
+ (uint64_t)512379564477239U, (uint64_t)1466384519077032U, (uint64_t)1280698500238386U,
+ (uint64_t)211303836685749U, (uint64_t)2081725624793803U, (uint64_t)545247644516879U,
+ (uint64_t)215313359330384U, (uint64_t)286479751145614U, (uint64_t)2213650281751636U,
+ (uint64_t)2164927945999874U, (uint64_t)2072162991540882U, (uint64_t)1443769115444779U,
+ (uint64_t)1581473274363095U, (uint64_t)434633875922699U, (uint64_t)340456055781599U,
+ (uint64_t)373043091080189U, (uint64_t)839476566531776U, (uint64_t)1856706858509978U,
+ (uint64_t)931616224909153U, (uint64_t)1888181317414065U, (uint64_t)213654322650262U,
+ (uint64_t)1161078103416244U, (uint64_t)1822042328851513U, (uint64_t)915817709028812U,
+ (uint64_t)1828297056698188U, (uint64_t)1212017130909403U, (uint64_t)60258343247333U,
+ (uint64_t)342085800008230U, (uint64_t)930240559508270U, (uint64_t)1549884999174952U,
+ (uint64_t)809895264249462U, (uint64_t)184726257947682U, (uint64_t)1157065433504828U,
+ (uint64_t)1209999630381477U, (uint64_t)999920399374391U, (uint64_t)1714770150788163U,
+ (uint64_t)2026130985413228U, (uint64_t)506776632883140U, (uint64_t)1349042668246528U,
+ (uint64_t)1937232292976967U, (uint64_t)942302637530730U, (uint64_t)160211904766226U,
+ (uint64_t)1042724500438571U, (uint64_t)212454865139142U, (uint64_t)244104425172642U,
+ (uint64_t)1376990622387496U, (uint64_t)76126752421227U, (uint64_t)1027540886376422U,
+ (uint64_t)1912210655133026U, (uint64_t)13410411589575U, (uint64_t)1475856708587773U,
+ (uint64_t)615563352691682U, (uint64_t)1446629324872644U, (uint64_t)1683670301784014U,
+ (uint64_t)1049873327197127U, (uint64_t)1826401704084838U, (uint64_t)2032577048760775U,
+ (uint64_t)1922203607878853U, (uint64_t)836708788764806U, (uint64_t)2193084654695012U,
+ (uint64_t)1342923183256659U, (uint64_t)849356986294271U, (uint64_t)1228863973965618U,
+ (uint64_t)94886161081867U, (uint64_t)1423288430204892U, (uint64_t)2016167528707016U,
+ (uint64_t)1633187660972877U, (uint64_t)1550621242301752U, (uint64_t)340630244512994U,
+ (uint64_t)2103577710806901U, (uint64_t)221625016538931U, (uint64_t)421544147350960U,
+ (uint64_t)580428704555156U, (uint64_t)1479831381265617U, (uint64_t)518057926544698U,
+ (uint64_t)955027348790630U, (uint64_t)1326749172561598U, (uint64_t)1118304625755967U,
+ (uint64_t)1994005916095176U, (uint64_t)1799757332780663U, (uint64_t)751343129396941U,
+ (uint64_t)1468672898746144U, (uint64_t)1451689964451386U, (uint64_t)755070293921171U,
+ (uint64_t)904857405877052U, (uint64_t)1276087530766984U, (uint64_t)403986562858511U,
+ (uint64_t)1530661255035337U, (uint64_t)1644972908910502U, (uint64_t)1370170080438957U,
+ (uint64_t)139839536695744U, (uint64_t)909930462436512U, (uint64_t)1899999215356933U,
+ (uint64_t)635992381064566U, (uint64_t)788740975837654U, (uint64_t)224241231493695U,
+ (uint64_t)1267090030199302U, (uint64_t)998908061660139U, (uint64_t)1784537499699278U,
+ (uint64_t)859195370018706U, (uint64_t)1953966091439379U, (uint64_t)2189271820076010U,
+ (uint64_t)2039067059943978U, (uint64_t)1526694380855202U, (uint64_t)2040321513194941U,
+ (uint64_t)329922071218689U, (uint64_t)1953032256401326U, (uint64_t)989631424403521U,
+ (uint64_t)328825014934242U, (uint64_t)9407151397696U, (uint64_t)63551373671268U,
+ (uint64_t)1624728632895792U, (uint64_t)1608324920739262U, (uint64_t)1178239350351945U,
+ (uint64_t)1198077399579702U, (uint64_t)277620088676229U, (uint64_t)1775359437312528U,
+ (uint64_t)1653558177737477U, (uint64_t)1652066043408850U, (uint64_t)1063359889686622U,
+ (uint64_t)1975063804860653U
+ };
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __internal_Hacl_Ed25519_PrecompTable_H_DEFINED
+#endif
diff --git a/security/nss/lib/freebl/verified/karamel/include/krml/internal/target.h b/security/nss/lib/freebl/verified/karamel/include/krml/internal/target.h
index b63967f480..198d65f64b 100644
--- a/security/nss/lib/freebl/verified/karamel/include/krml/internal/target.h
+++ b/security/nss/lib/freebl/verified/karamel/include/krml/internal/target.h
@@ -57,6 +57,14 @@
#define KRML_HOST_IGNORE(x) (void)(x)
#endif
+#ifndef KRML_MAYBE_UNUSED
+#if defined(__GNUC__)
+#define KRML_MAYBE_UNUSED __attribute__((unused))
+#else
+#define KRML_MAYBE_UNUSED
+#endif
+#endif
+
#ifndef KRML_NOINLINE
#if defined(_MSC_VER)
#define KRML_NOINLINE __declspec(noinline)
diff --git a/security/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h b/security/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h
index 33cff6b6d4..51c2325854 100644
--- a/security/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h
+++ b/security/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h
@@ -148,7 +148,7 @@ FStar_UInt128_eq_mask(uint128_t x, uint128_t y)
{
uint64_t mask =
FStar_UInt64_eq_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)) &
- FStar_UInt64_eq_mask(x, y);
+ FStar_UInt64_eq_mask((uint64_t)x, (uint64_t)y);
return ((uint128_t)mask) << 64 | mask;
}
@@ -158,7 +158,7 @@ FStar_UInt128_gte_mask(uint128_t x, uint128_t y)
uint64_t mask =
(FStar_UInt64_gte_mask(x >> 64, y >> 64) &
~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) |
- (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask(x, y));
+ (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask((uint64_t)x, (uint64_t)y));
return ((uint128_t)mask) << 64 | mask;
}
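Review bot: The three `x >> 64` / `y >> 64` arguments in FStar_UInt128_gte_mask still pass a uint128_t into a uint64_t parameter through implicit narrowing, while the low-half arguments on the changed line now carry explicit `(uint64_t)` casts, and the eq_mask hunk above casts both halves. For consistency, and so the function is clean under the same narrowing warnings the commit appears to be addressing, cast the high halves the same way, e.g. `(FStar_UInt64_gte_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)) &` and `~(FStar_UInt64_eq_mask((uint64_t)(x >> 64), (uint64_t)(y >> 64)))) |`. The third occurrence on the changed line should get the same treatment.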
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
index 67272f98a6..f3608b5813 100644
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -22,9 +22,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.98" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.99" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
-#define NSS_VMINOR 98
+#define NSS_VMINOR 99
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c
index 343a5bdef5..b797b54aef 100644
--- a/security/nss/lib/pk11wrap/pk11akey.c
+++ b/security/nss/lib/pk11wrap/pk11akey.c
@@ -41,6 +41,7 @@ pk11_MakeIDFromPublicKey(SECKEYPublicKey *pubKey)
case dhKey:
pubKeyIndex = &pubKey->u.dh.publicValue;
break;
+ case edKey:
case ecKey:
pubKeyIndex = &pubKey->u.ec.publicValue;
break;
@@ -190,6 +191,19 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey,
pubKey->u.dh.publicValue.len);
attrs++;
break;
+ case edKey:
+ keyType = CKK_EC_EDWARDS;
+ PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
+ attrs++;
+ PK11_SETATTRS(attrs, CKA_EC_PARAMS,
+ pubKey->u.ec.DEREncodedParams.data,
+ pubKey->u.ec.DEREncodedParams.len);
+ attrs++;
+ PK11_SETATTRS(attrs, CKA_EC_POINT,
+ pubKey->u.ec.publicValue.data,
+ pubKey->u.ec.publicValue.len);
+ attrs++;
+ break;
case ecKey:
keyType = CKK_EC;
PK11_SETATTRS(attrs, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
@@ -248,7 +262,7 @@ PK11_ImportPublicKey(PK11SlotInfo *slot, SECKEYPublicKey *pubKey,
}
templateCount = attrs - theTemplate;
PORT_Assert(templateCount <= (sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)));
- if (pubKey->keyType != ecKey && pubKey->keyType != kyberKey) {
+ if (pubKey->keyType != ecKey && pubKey->keyType != kyberKey && pubKey->keyType != edKey) {
PORT_Assert(signedattr);
signedcount = attrs - signedattr;
for (attrs = signedattr; signedcount; attrs++, signedcount--) {
@@ -407,6 +421,7 @@ pk11_get_EC_PointLenInBytes(PLArenaPool *arena, const SECItem *ecParams,
case SEC_OID_SECG_EC_SECT571R1:
return 145; /*curve len in bytes = 72 bytes */
case SEC_OID_CURVE25519:
+ case SEC_OID_ED25519_PUBLIC_KEY:
*plain = PR_TRUE;
return 32; /* curve len in bytes = 32 bytes (only X) */
/* unknown or unrecognized OIDs. return unknown length */
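Review bot: The comment `/* curve len in bytes = 32 bytes (only X) */` on the shared return is no longer accurate for the added SEC_OID_ED25519_PUBLIC_KEY label: an Ed25519 public value is the compressed point (the y coordinate with the sign bit of x folded in, RFC 8032 §5.1.2), not an x-only value as for Curve25519. Suggest `/* 32 bytes: x-only for X25519, compressed y|sign(x) for Ed25519 */` so a reader does not apply X25519 decoding assumptions to an Ed25519 point. pk11_get_EC_PointLenInBytes starts and ends outside the hunk.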
@@ -642,6 +657,9 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType, CK_OBJECT_HANDLE id)
case CKK_EC:
keyType = ecKey;
break;
+ case CKK_EC_EDWARDS:
+ keyType = edKey;
+ break;
case CKK_NSS_KYBER:
keyType = kyberKey;
break;
@@ -771,6 +789,7 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType, CK_OBJECT_HANDLE id)
if (crv != CKR_OK)
break;
break;
+ case edKey:
case ecKey:
pubKey->u.ec.size = 0;
ecparams = attrs;
@@ -785,7 +804,7 @@ PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType, CK_OBJECT_HANDLE id)
if (crv != CKR_OK)
break;
- if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_EC)) {
+ if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != CKK_EC && pk11KeyType != CKK_EC_EDWARDS)) {
crv = CKR_OBJECT_HANDLE_INVALID;
break;
}
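Review bot: The relaxed check on the changed line accepts either CKK_EC or CKK_EC_EDWARDS regardless of whether the branch is building an ecKey or an edKey, so if keyType can arrive from the caller rather than from the CKA_KEY_TYPE read in the earlier switch (the -642 hunk shows that mapping on one path only), a CKK_EC_EDWARDS object could be returned labelled ecKey or the reverse, with the resulting public key then routed to the wrong algorithm. Tighten it to the type the branch expects, e.g. `if ((keyClass != CKO_PUBLIC_KEY) || (pk11KeyType != (keyType == edKey ? CKK_EC_EDWARDS : CKK_EC))) {`. PK11_ExtractPublicKey starts and ends outside the hunk, so how keyType reaches this point is inferred, not visible here.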
@@ -886,6 +905,9 @@ PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
case CKK_EC:
keyType = ecKey;
break;
+ case CKK_EC_EDWARDS:
+ keyType = edKey;
+ break;
case CKK_NSS_KYBER:
keyType = kyberKey;
break;
@@ -1093,6 +1115,7 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot, SECKEYPrivateKey *privKey,
extra_count++;
break;
case ecKey:
+ case edKey:
ap->type = CKA_EC_PARAMS;
ap++;
count++;
@@ -1101,10 +1124,13 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot, SECKEYPrivateKey *privKey,
ap++;
count++;
extra_count++;
- ap->type = CKA_DERIVE;
- ap++;
- count++;
- extra_count++;
+ if (privKey->keyType == ecKey) {
+ ap->type = CKA_DERIVE;
+ ap++;
+ count++;
+ extra_count++;
+ }
+
ap->type = CKA_SIGN;
ap++;
count++;
@@ -1143,7 +1169,7 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *slot, SECKEYPrivateKey *privKey,
* them the raw data as unsigned. The exception is EC,
* where the values are encoded or zero-preserving
* per-RFC5915 */
- if (privKey->keyType != ecKey) {
+ if (privKey->keyType != ecKey && privKey->keyType != edKey) {
for (ap = attrs; extra_count; ap++, extra_count--) {
pk11_SignedToUnsigned(ap);
}
@@ -1499,6 +1525,16 @@ PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
keyType = kyberKey;
test_mech.mechanism = CKM_NSS_KYBER;
break;
+ case CKM_EC_EDWARDS_KEY_PAIR_GEN:
+ ecParams = (SECKEYECParams *)param;
+ attrs = ecPubTemplate;
+ PK11_SETATTRS(attrs, CKA_EC_PARAMS, ecParams->data,
+ ecParams->len);
+ attrs++;
+ pubTemplate = ecPubTemplate;
+ keyType = edKey;
+ test_mech.mechanism = CKM_EDDSA;
+ break;
default:
PORT_SetError(SEC_ERROR_BAD_KEY);
return NULL;
@@ -1555,6 +1591,10 @@ PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
case CKM_ECDSA:
mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
break;
+ case CKM_EDDSA:
+ mechanism_info.flags = CKF_SIGN | CKF_VERIFY;
+ break;
+
default:
break;
}
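Review bot: The added `case CKM_EDDSA:` is followed by an empty added line before `default:`, which no other case in this switch has (the `CKM_ECDSA` case directly above ends at its `break;`); drop the blank line. Since the body is identical to the `CKM_ECDSA` case, it could also be folded into that case as a second label, `case CKM_ECDSA:` / `case CKM_EDDSA:` / `mechanism_info.flags = CKF_SIGN | CKF_VERIFY;`, which keeps the two signature mechanisms visibly in lockstep.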
@@ -1835,6 +1875,7 @@ SECKEY_SetPublicValue(SECKEYPrivateKey *privKey, SECItem *publicValue)
rv = PK11_ReadAttribute(slot, privKeyID, CKA_BASE,
arena, &pubKey.u.dh.base);
break;
+ case edKey:
case ecKey:
pubKey.u.ec.publicValue = *publicValue;
pubKey.u.ec.encoding = ECPoint_Undefined;
@@ -1905,6 +1946,7 @@ PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
CK_ATTRIBUTE_TYPE dsaUsage[] = { CKA_SIGN };
CK_ATTRIBUTE_TYPE dhUsage[] = { CKA_DERIVE };
CK_ATTRIBUTE_TYPE ecUsage[] = { CKA_SIGN, CKA_DERIVE };
+ CK_ATTRIBUTE_TYPE edUsage[] = { CKA_SIGN };
if ((epki == NULL) || (pwitem == NULL))
return SECFailure;
@@ -1959,6 +2001,11 @@ PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
break;
}
break;
+ case edKey:
+ key_type = CKK_EC_EDWARDS;
+ usage = edUsage;
+ usageCount = 1;
+ break;
}
try_faulty_3des:
diff --git a/security/nss/lib/pk11wrap/pk11cert.c b/security/nss/lib/pk11wrap/pk11cert.c
index 580d02b613..fb37b713ed 100644
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -171,6 +171,7 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert,
pubKey->u.dh.publicValue.len);
break;
case ecKey:
+ case edKey:
PK11_SETATTRS(&theTemplate, CKA_EC_POINT,
pubKey->u.ec.publicValue.data,
pubKey->u.ec.publicValue.len);
@@ -187,7 +188,7 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERTCertificate *cert,
SECKEY_DestroyPublicKey(pubKey);
return PR_FALSE;
}
- if (pubKey->keyType != ecKey) {
+ if (pubKey->keyType != ecKey && pubKey->keyType != edKey) {
pk11_SignedToUnsigned(&theTemplate);
}
if (pk11_FindObjectByTemplate(slot, &theTemplate, 1) != CK_INVALID_HANDLE) {
@@ -1113,6 +1114,7 @@ PK11_GetPubIndexKeyID(CERTCertificate *cert)
newItem = SECITEM_DupItem(&pubk->u.dh.publicValue);
break;
case ecKey:
+ case edKey:
newItem = SECITEM_DupItem(&pubk->u.ec.publicValue);
break;
case fortezzaKey:
diff --git a/security/nss/lib/pk11wrap/pk11mech.c b/security/nss/lib/pk11wrap/pk11mech.c
index 54e55c6da2..df7e3455bc 100644
--- a/security/nss/lib/pk11wrap/pk11mech.c
+++ b/security/nss/lib/pk11wrap/pk11mech.c
@@ -198,6 +198,8 @@ PK11_GetKeyMechanism(CK_KEY_TYPE type)
return CKM_KEA_KEY_DERIVE;
case CKK_EC: /* CKK_ECDSA is deprecated */
return CKM_ECDSA;
+ case CKK_EC_EDWARDS:
+ return CKM_EDDSA;
case CKK_HKDF:
return CKM_HKDF_DERIVE;
case CKK_GENERIC_SECRET:
@@ -388,6 +390,9 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, unsigned long len)
case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
case CKM_ECDH1_DERIVE:
return CKK_EC; /* CKK_ECDSA is deprecated */
+ case CKM_EC_EDWARDS_KEY_PAIR_GEN:
+ case CKM_EDDSA:
+ return CKK_EC_EDWARDS;
case CKM_HKDF_KEY_GEN:
case CKM_HKDF_DERIVE:
case CKM_HKDF_DATA:
@@ -603,6 +608,8 @@ PK11_GetKeyGenWithSize(CK_MECHANISM_TYPE type, int size)
case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
case CKM_ECDH1_DERIVE:
return CKM_EC_KEY_PAIR_GEN;
+ case CKM_EDDSA:
+ return CKM_EC_EDWARDS_KEY_PAIR_GEN;
case CKM_SSL3_PRE_MASTER_KEY_GEN:
case CKM_SSL3_MASTER_KEY_DERIVE:
case CKM_SSL3_KEY_AND_MAC_DERIVE:
@@ -1917,6 +1924,8 @@ PK11_MapSignKeyType(KeyType keyType)
return CKM_DSA;
case ecKey:
return CKM_ECDSA;
+ case edKey:
+ return CKM_EDDSA;
case dhKey:
default:
break;
diff --git a/security/nss/lib/pk11wrap/pk11obj.c b/security/nss/lib/pk11wrap/pk11obj.c
index 1661bcb2b4..5759408a27 100644
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@@ -575,7 +575,7 @@ PK11_SignatureLen(SECKEYPrivateKey *key)
return length * 2;
}
return pk11_backupGetSignLength(key);
-
+ case edKey:
case ecKey:
rv = PK11_ReadAttribute(key->pkcs11Slot, key->pkcs11ID, CKA_EC_PARAMS,
NULL, &attributeItem);
diff --git a/security/nss/lib/pk11wrap/pk11pars.c b/security/nss/lib/pk11wrap/pk11pars.c
index bda4ab688a..45b4a5934a 100644
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -402,6 +402,8 @@ static const oidValDef signOptList[] = {
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("ED25519"), SEC_OID_ED25519_PUBLIC_KEY,
+ NSS_USE_ALG_IN_SIGNATURE },
};
typedef struct {
diff --git a/security/nss/lib/pk11wrap/pk11pk12.c b/security/nss/lib/pk11wrap/pk11pk12.c
index 917b7f0f67..5d8b00d3d0 100644
--- a/security/nss/lib/pk11wrap/pk11pk12.c
+++ b/security/nss/lib/pk11wrap/pk11pk12.c
@@ -180,6 +180,13 @@ const SEC_ASN1Template SECKEY_ECPrivateKeyExportTemplate[] = {
{ 0 }
};
+/* The template operates a private key consisting only of private key. */
+const SEC_ASN1Template SECKEY_EDPrivateKeyExportTemplate[] = {
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(SECKEYRawPrivateKey, u.ec.privateValue) },
+ { 0 }
+};
+
const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(SECKEYEncryptedPrivateKeyInfo) },
@@ -270,8 +277,10 @@ PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, SECItem *derPKI,
SECStatus rv = SECFailure;
temparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
- if (!temparena)
+ if (!temparena) {
return rv;
+ }
+
pki = PORT_ArenaZNew(temparena, SECKEYPrivateKeyInfo);
if (!pki) {
PORT_FreeArena(temparena, PR_FALSE);
@@ -523,13 +532,31 @@ PK11_ImportAndReturnPrivateKey(PK11SlotInfo *slot, SECKEYRawPrivateKey *lpk,
lpk->u.ec.publicValue.len);
attrs++;
break;
+ case edKey:
+ keyType = CKK_EC_EDWARDS;
+ PK11_SETATTRS(attrs, CKA_SIGN, &cktrue, sizeof(CK_BBOOL));
+ attrs++;
+ if (nickname) {
+ PK11_SETATTRS(attrs, CKA_LABEL, nickname->data, nickname->len);
+ attrs++;
+ }
+
+ /* No signed attrs for EC */
+ /* curveOID always is a copy of AlgorithmID.parameters. */
+ PK11_SETATTRS(attrs, CKA_EC_PARAMS, lpk->u.ec.curveOID.data,
+ lpk->u.ec.curveOID.len);
+ attrs++;
+ PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.ec.privateValue.data,
+ lpk->u.ec.privateValue.len);
+ attrs++;
+ break;
default:
PORT_SetError(SEC_ERROR_BAD_KEY);
goto loser;
}
templateCount = attrs - theTemplate;
PORT_Assert(templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
- if (lpk->keyType != ecKey) {
+ if (lpk->keyType != ecKey && lpk->keyType != edKey) {
PORT_Assert(signedattr);
signedcount = attrs - signedattr;
for (ap = signedattr; signedcount; ap++, signedcount--) {
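Review bot: The `/* No signed attrs for EC */` comment in the new edKey case was carried over from the EC branch; it should read `/* No signed attrs for Edwards keys */`. Unlike the ecKey case ending just above it, which also pushes lpk->u.ec.publicValue into the template, the edKey case stores only CKA_EC_PARAMS and CKA_VALUE, so a token that does not derive the public key itself would hold a private key object without its public value; if that is intentional because softoken derives it, a comment at that point should say so. The enclosing function starts and ends outside the hunk.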
@@ -604,6 +631,12 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
paramDest = NULL;
lpk->keyType = dhKey;
break;
+ case SEC_OID_ED25519_PUBLIC_KEY:
+ keyTemplate = SECKEY_EDPrivateKeyExportTemplate;
+ paramTemplate = NULL;
+ paramDest = NULL;
+ lpk->keyType = edKey;
+ break;
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
prepare_ec_priv_key_export_for_asn1(lpk);
keyTemplate = SECKEY_ECPrivateKeyExportTemplate;
@@ -641,6 +674,26 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
}
}
+ if (lpk->keyType == edKey) {
+ /* Convert length in bits to length in bytes. */
+ lpk->u.ec.publicValue.len >>= 3;
+
+ if (pki->algorithm.parameters.len != 0) {
+ /* Currently supporting only (Pure)Ed25519 .*/
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+ goto loser;
+ }
+
+ SECOidData *oidEd25519 = SECOID_FindOIDByTag(SEC_OID_ED25519_PUBLIC_KEY);
+
+ if (!SECITEM_AllocItem(arena, &lpk->u.ec.curveOID, oidEd25519->oid.len + 2)) {
+ goto loser;
+ }
+ lpk->u.ec.curveOID.data[0] = SEC_ASN1_OBJECT_ID;
+ lpk->u.ec.curveOID.data[1] = oidEd25519->oid.len;
+ PORT_Memcpy(lpk->u.ec.curveOID.data + 2, oidEd25519->oid.data, oidEd25519->oid.len);
+ }
+
if (paramDest && paramTemplate) {
rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate,
&(pki->algorithm.parameters));
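Review bot: `lpk->u.ec.publicValue.len >>= 3;` at the top of the new edKey block shifts a field that SECKEY_EDPrivateKeyExportTemplate never decodes (it fills only u.ec.privateValue), so it is unclear what bit length is being converted; either drop the line or comment where that value comes from. `SECOID_FindOIDByTag` is dereferenced without a NULL check, and the hand-built DER prefix writes `oid.len` straight into the length byte, which is only valid for short-form lengths below 128; `if (!oidEd25519 || oidEd25519->oid.len >= 0x80) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); goto loser; }` before the allocation keeps the encoding honest. The enclosing function starts and ends outside the hunk.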
@@ -651,7 +704,6 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
rv = PK11_ImportAndReturnPrivateKey(slot, lpk, nickname, publicValue, isPerm,
isPrivate, keyUsage, privk, wincx);
-
loser:
if (arena != NULL) {
PORT_FreeArena(arena, PR_TRUE);
@@ -800,6 +852,28 @@ PK11_ExportPrivKeyInfo(SECKEYPrivateKey *pk, void *wincx)
}
} break;
+ case edKey: {
+ rawKey.u.ec.version.type = siUnsignedInteger;
+ rawKey.u.ec.version.data = (unsigned char *)PORT_ArenaAlloc(arena, 1);
+ if (!rawKey.u.ec.version.data) {
+ goto loser;
+ }
+ rawKey.u.ec.version.data[0] = ecVersion;
+ rawKey.u.ec.version.len = 1;
+
+ if (!ReadAttribute(pk, CKA_VALUE, arena,
+ &rawKey.u.ec.privateValue)) {
+ goto loser;
+ }
+
+ keyTemplate = SECKEY_EDPrivateKeyExportTemplate;
+ /* Currently, ED25519 does not support any parameter. */
+ rv = SECOID_SetAlgorithmID(arena, &pki->algorithm, SEC_OID_ED25519_PUBLIC_KEY, NULL);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ } break;
default: {
PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
goto loser;
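Review bot: The new edKey export case fills rawKey.u.ec.version (allocation, ecVersion, len) but then selects SECKEY_EDPrivateKeyExportTemplate, which encodes only u.ec.privateValue, so those lines are dead and the allocation-failure branch they add guards nothing. Drop them, or if a version is meant to be emitted, add it to the template. The private value read into `arena` is a secret; the hunk does not show how the arena is released at `loser`, so confirm it is freed with zeroing (PR_TRUE) on every path. The enclosing function continues outside the hunk.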
diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
index f09519ee27..02db85b6bf 100644
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -2097,7 +2097,7 @@ PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey)
/*
* This Generates a wrapping key based on a privateKey, publicKey, and two
* random numbers. For Mail usage RandomB should be NULL. In the Sender's
- * case RandomA is generate, outherwize it is passed.
+ * case RandomA is generate, otherwise it is passed.
*/
PK11SymKey *
PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
@@ -2218,6 +2218,9 @@ PK11_PubDerive(SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
return symKey;
PORT_SetError(PK11_MapError(crv));
} break;
+ case edKey:
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ break;
case ecKey: {
CK_BBOOL cktrue = CK_TRUE;
CK_OBJECT_CLASS keyClass = CKO_SECRET_KEY;
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
index d61d0f750d..90a429d952 100644
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -36,6 +36,7 @@ const PK11DefaultArrayEntry PK11_DefaultArray[] = {
{ "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
{ "DSA", SECMOD_DSA_FLAG, CKM_DSA },
{ "ECC", SECMOD_ECC_FLAG, CKM_ECDSA },
+ { "EDDSA", SECMOD_ECC_FLAG, CKM_EDDSA },
{ "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
{ "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
{ "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
@@ -940,6 +941,8 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type)
case CKM_DH_PKCS_KEY_PAIR_GEN:
case CKM_DH_PKCS_DERIVE:
return &pk11_dhSlotList;
+ case CKM_EDDSA:
+ case CKM_EC_EDWARDS_KEY_PAIR_GEN:
case CKM_ECDSA:
case CKM_ECDSA_SHA1:
case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h
index f4a8a39e9e..fb803e1f79 100644
--- a/security/nss/lib/smime/cms.h
+++ b/security/nss/lib/smime/cms.h
@@ -815,6 +815,9 @@ NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd);
* cmsrecinfo.c - CMS recipientInfo methods
************************************************************************/
+extern PRBool
+NSS_CMSRecipient_IsSupported(CERTCertificate *cert);
+
/*
* NSS_CMSRecipientInfo_Create - create a recipientinfo
*
diff --git a/security/nss/lib/smime/cmsrecinfo.c b/security/nss/lib/smime/cmsrecinfo.c
index 20dd698e8f..6cf2c68c31 100644
--- a/security/nss/lib/smime/cmsrecinfo.c
+++ b/security/nss/lib/smime/cmsrecinfo.c
@@ -118,6 +118,8 @@ nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg,
certalgtag = SECOID_GetAlgorithmTag(&(spki->algorithm));
rid = &ri->ri.keyTransRecipientInfo.recipientIdentifier;
+
+ // This switch must match the switch in NSS_CMSRecipient_IsSupported.
switch (certalgtag) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans;
@@ -258,6 +260,28 @@ loser:
}
/*
+ * NSS_CMSRecipient_IsSupported - checks for a support certificate
+ *
+ * Use this function to confirm that the given certificate will be
+ * accepted by NSS_CMSRecipientInfo_Create, which means that the
+ * certificate can be used with a supported encryption algorithm.
+ */
+PRBool
+NSS_CMSRecipient_IsSupported(CERTCertificate *cert)
+{
+ CERTSubjectPublicKeyInfo *spki = &(cert->subjectPublicKeyInfo);
+ SECOidTag certalgtag = SECOID_GetAlgorithmTag(&(spki->algorithm));
+
+ switch (certalgtag) {
+ case SEC_OID_PKCS1_RSA_ENCRYPTION:
+ case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
+ return PR_TRUE;
+ default:
+ return PR_FALSE;
+ }
+}
+
+/*
* NSS_CMSRecipientInfo_Create - create a recipientinfo
*
* we currently do not create KeyAgreement recipientinfos with multiple
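Review bot: The header comment on NSS_CMSRecipient_IsSupported has a typo and undersells the contract: `checks for a support certificate` should read `returns PR_TRUE if the certificate's public-key algorithm is one NSS_CMSRecipientInfo_Create accepts`. The function dereferences `cert` unconditionally; since it is a new public entry point (exported in smime.def), a `if (!cert) { return PR_FALSE; }` guard is cheap. The matching switch in nss_cmsrecipientinfo_create is tied to this one only by a comment, so the compiler will not warn when the two lists drift apart.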
diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def
index ba9d09d8cb..d5cff92f37 100644
--- a/security/nss/lib/smime/smime.def
+++ b/security/nss/lib/smime/smime.def
@@ -291,3 +291,9 @@ NSS_CMSSignerInfo_GetDigestAlgTag;
;+ local:
;+ *;
;+};
+;+NSS_3.99 { # NSS 3.99 release
+;+ global:
+NSS_CMSRecipient_IsSupported;
+;+ local:
+;+ *;
+;+};
diff --git a/security/nss/lib/softoken/lowkey.c b/security/nss/lib/softoken/lowkey.c
index f47bda231d..5adae04263 100644
--- a/security/nss/lib/softoken/lowkey.c
+++ b/security/nss/lib/softoken/lowkey.c
@@ -9,6 +9,7 @@
#include "secasn1.h"
#include "secerr.h"
#include "softoken.h"
+#include "ec.h"
SEC_ASN1_MKSUB(SEC_AnyTemplate)
SEC_ASN1_MKSUB(SEC_BitStringTemplate)
@@ -381,6 +382,24 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
pubk->arena = arena;
pubk->keyType = privk->keyType;
+
+ /* if the public key value doesn't exist, calculate it */
+ if (privk->u.ec.publicValue.len == 0) {
+ /* Checking if it's an ed25519 key. */
+ SECOidTag privKeyOIDTag = SECOID_FindOIDTag(&privk->u.ec.ecParams.curveOID);
+ if (privKeyOIDTag == SEC_OID_ED25519_PUBLIC_KEY) {
+ PORT_Memset(&privk->u.ec.publicValue, 0, sizeof(privk->u.ec.publicValue));
+ if (SECITEM_AllocItem(privk->arena, &privk->u.ec.publicValue, Ed25519_PUBLIC_KEYLEN) == NULL) {
+ break;
+ }
+
+ rv = ED_DerivePublicKey(&privk->u.ec.privateValue, &privk->u.ec.publicValue);
+ if (rv != CKR_OK) {
+ break;
+ }
+ }
+ }
+
rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue,
&privk->u.ec.publicValue);
if (rv != SECSuccess)
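Review bot: In the new Ed25519 derivation block, `if (rv != CKR_OK)` compares `rv` against a CK_RV constant although the same variable is checked against SECSuccess two lines later, so the types are mixed and the check only works because both constants are zero; use `if (rv != SECSuccess) { break; }`. The `break` on SECITEM_AllocItem failure leaves `rv` untouched, so unless the code after the switch inspects something else, an allocation failure may be treated as success with an empty public value; `rv = SECFailure;` before that break makes the failure visible. This block also writes the derived public key back into `privk`, the input object, which deserves a comment since callers may not expect the private key to be modified. The enclosing switch and function continue outside the hunk.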
diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c
index ff80f573ff..68c19aaaf4 100644
--- a/security/nss/lib/softoken/lowpbe.c
+++ b/security/nss/lib/softoken/lowpbe.c
@@ -803,13 +803,7 @@ nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
goto loser;
}
- if (pbe_param->is2KeyDES) {
- PORT_Memcpy(key->data, hash->data, (key->len * 2) / 3);
- PORT_Memcpy(&(key->data[(key->len * 2) / 3]), key->data,
- key->len / 3);
- } else {
- PORT_Memcpy(key->data, hash->data, key->len);
- }
+ PORT_Memcpy(key->data, hash->data, key->len);
SECITEM_ZfreeItem(hash, PR_TRUE);
return key;
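Review bot: With the 2-key branch removed, `key->data` for SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC is now the 16-byte PBE output rather than the K1|K2|K1 24-byte expansion this code used to build, so the consumer of that key must handle a 16-byte DES-EDE3 key itself. If that is the case, a comment here naming where the expansion now happens would keep the next reader from re-adding it. In the second hunk of this file, `pbe_param->is2KeyDES = PR_TRUE;` survives even though its only reader in this file was just removed; either another file still consults it or the field can go. Both enclosing functions extend beyond their hunks.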
@@ -878,10 +872,15 @@ nsspkcs5_FillInParam(SECOidTag algorithm, HASH_HashType hashType,
/* DES3 Algorithms */
case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
pbe_param->is2KeyDES = PR_TRUE;
- /* fall through */
+ pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
+ pbe_param->keyLen = 16;
+ pbe_param->encAlg = SEC_OID_DES_EDE3_CBC;
+ break;
case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
- /* fall through */
+ pbe_param->keyLen = 24;
+ pbe_param->encAlg = SEC_OID_DES_EDE3_CBC;
+ break;
case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
pbe_param->keyLen = 24;
pbe_param->encAlg = SEC_OID_DES_EDE3_CBC;
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 9c0d93e317..768c7c2669 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -310,6 +310,7 @@ struct mechanismList {
#define CKF_EC_PNU CKF_EC_F_P | CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS
#define CKF_EC_BPNU CKF_EC_F_2M | CKF_EC_PNU
+#define CKF_EC_POC CKF_EC_F_P | CKF_EC_OID | CKF_EC_COMPRESS
#define CK_MAX 0xffffffff
@@ -379,6 +380,8 @@ static const struct mechanismList mechanisms[] = {
{ CKM_ECDSA_SHA256, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
{ CKM_ECDSA_SHA384, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
{ CKM_ECDSA_SHA512, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_EC_EDWARDS_KEY_PAIR_GEN, { ECD_MIN_KEY_BITS, ECD_MAX_KEY_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
+ { CKM_EDDSA, { ECD_MIN_KEY_BITS, ECD_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_POC }, PR_TRUE },
/* ------------------------- RC2 Operations --------------------------- */
{ CKM_RC2_KEY_GEN, { 1, 128, CKF_GENERATE }, PR_TRUE },
{ CKM_RC2_ECB, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
@@ -1074,6 +1077,8 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
recover = CK_FALSE;
wrap = CK_FALSE;
break;
+ case CKK_EC_MONTGOMERY:
+ case CKK_EC_EDWARDS:
case CKK_EC:
if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
return CKR_TEMPLATE_INCOMPLETE;
@@ -1081,8 +1086,9 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
if (!sftk_hasAttribute(object, CKA_EC_POINT)) {
return CKR_TEMPLATE_INCOMPLETE;
}
- derive = CK_TRUE; /* for ECDH */
- verify = CK_TRUE; /* for ECDSA */
+ /* for ECDSA and EDDSA. Change if the structure of any of them is modified. */
+ derive = (key_type == CKK_EC_EDWARDS) ? CK_FALSE : CK_TRUE; /* CK_TRUE for ECDH */
+ verify = CK_TRUE; /* for ECDSA */
encrypt = CK_FALSE;
recover = CK_FALSE;
wrap = CK_FALSE;
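Review bot: The rewritten capability assignment leaves `verify = CK_TRUE` for every key type in this case, but the label list now also includes CKK_EC_MONTGOMERY (added in the hunk just above), for which no signature mechanism is defined; `verify = (key_type == CKK_EC_MONTGOMERY) ? CK_FALSE : CK_TRUE;` would mirror the derive line. The comment `/* for ECDSA and EDDSA. Change if the structure of any of them is modified. */` does not explain the ternary; suggest `/* EC keys derive (ECDH) and verify (ECDSA); Edwards keys only verify; Montgomery keys only derive. */` and make the code match. The enclosing function continues outside the hunk.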
@@ -1129,7 +1135,7 @@ sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
object->infoFree = (SFTKFree)nsslowkey_DestroyPublicKey;
/* Check that an imported EC key is valid */
- if (key_type == CKK_EC) {
+ if (key_type == CKK_EC || key_type == CKK_EC_EDWARDS || key_type == CKK_EC_MONTGOMERY) {
NSSLOWKEYPublicKey *pubKey = (NSSLOWKEYPublicKey *)object->objectInfo;
SECStatus rv = EC_ValidatePublicKey(&pubKey->u.ec.ecParams,
&pubKey->u.ec.publicValue);
@@ -1271,6 +1277,8 @@ sftk_handlePrivateKeyObject(SFTKSession *session, SFTKObject *object, CK_KEY_TYP
wrap = CK_FALSE;
break;
case CKK_EC:
+ case CKK_EC_EDWARDS:
+ case CKK_EC_MONTGOMERY:
if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
return CKR_TEMPLATE_INCOMPLETE;
}
@@ -1926,6 +1934,8 @@ sftk_GetPubKey(SFTKObject *object, CK_KEY_TYPE key_type,
crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.publicValue,
object, CKA_VALUE);
break;
+ case CKK_EC_EDWARDS:
+ case CKK_EC_MONTGOMERY:
case CKK_EC:
pubKey->keyType = NSSLOWKEYECKey;
crv = sftk_Attribute2SSecItem(arena,
@@ -2098,7 +2108,8 @@ sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
/* privKey was zero'd so public value is already set to NULL, 0
* if we don't set it explicitly */
break;
-
+ case CKK_EC_EDWARDS:
+ case CKK_EC_MONTGOMERY:
case CKK_EC:
privKey->keyType = NSSLOWKEYECKey;
crv = sftk_Attribute2SSecItem(arena,
@@ -2414,6 +2425,8 @@ sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyTyp
sftk_item_expand(&pubKey->u.dh.publicValue));
break;
case CKK_EC:
+ case CKK_EC_MONTGOMERY:
+ case CKK_EC_EDWARDS:
sftk_DeleteAttributeType(publicKey, CKA_EC_PARAMS);
sftk_DeleteAttributeType(publicKey, CKA_EC_POINT);
crv = sftk_AddAttributeType(publicKey, CKA_EC_PARAMS,
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index 856c98e7cf..758a7eba45 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -2668,13 +2668,9 @@ static SECStatus
nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen,
void *dataBuf, unsigned int dataLen)
{
- SECItem signature, digest;
+ SECItem signature = { siBuffer, (unsigned char *)sigBuf, sigLen };
+ SECItem digest = { siBuffer, (unsigned char *)dataBuf, dataLen };
NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
-
- signature.data = (unsigned char *)sigBuf;
- signature.len = sigLen;
- digest.data = (unsigned char *)dataBuf;
- digest.len = dataLen;
return DSA_VerifyDigest(&(key->u.dsa), &signature, &digest);
}
@@ -2683,15 +2679,10 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
unsigned int *sigLen, unsigned int maxSigLen,
void *dataBuf, unsigned int dataLen)
{
- SECItem signature, digest;
- SECStatus rv;
NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
-
- signature.data = (unsigned char *)sigBuf;
- signature.len = maxSigLen;
- digest.data = (unsigned char *)dataBuf;
- digest.len = dataLen;
- rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
+ SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
+ SECItem digest = { siBuffer, (unsigned char *)dataBuf, dataLen };
+ SECStatus rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
sftk_fatalError = PR_TRUE;
}
@@ -2703,13 +2694,9 @@ static SECStatus
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
void *dataBuf, unsigned int dataLen)
{
- SECItem signature, digest;
+ SECItem signature = { siBuffer, (unsigned char *)sigBuf, sigLen };
+ SECItem digest = { siBuffer, (unsigned char *)dataBuf, dataLen };
NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
-
- signature.data = (unsigned char *)sigBuf;
- signature.len = sigLen;
- digest.data = (unsigned char *)dataBuf;
- digest.len = dataLen;
return ECDSA_VerifyDigest(&(key->u.ec), &signature, &digest);
}
@@ -2718,15 +2705,38 @@ nsc_ECDSASignStub(void *ctx, void *sigBuf,
unsigned int *sigLen, unsigned int maxSigLen,
void *dataBuf, unsigned int dataLen)
{
- SECItem signature, digest;
- SECStatus rv;
NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+ SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
+ SECItem digest = { siBuffer, (unsigned char *)dataBuf, dataLen };
- signature.data = (unsigned char *)sigBuf;
- signature.len = maxSigLen;
- digest.data = (unsigned char *)dataBuf;
- digest.len = dataLen;
- rv = ECDSA_SignDigest(&(key->u.ec), &signature, &digest);
+ SECStatus rv = ECDSA_SignDigest(&(key->u.ec), &signature, &digest);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ *sigLen = signature.len;
+ return rv;
+}
+
+static SECStatus
+nsc_EDDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
+ void *dataBuf, unsigned int dataLen)
+{
+ SECItem signature = { siBuffer, (unsigned char *)sigBuf, sigLen };
+ SECItem digest = { siBuffer, (unsigned char *)dataBuf, dataLen };
+ NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
+ return ED_VerifyMessage(&(key->u.ec), &signature, &digest);
+}
+
+static SECStatus
+nsc_EDDSASignStub(void *ctx, void *sigBuf,
+ unsigned int *sigLen, unsigned int maxSigLen,
+ void *dataBuf, unsigned int dataLen)
+{
+ NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+ SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
+ SECItem digest = { siBuffer, (unsigned char *)dataBuf, dataLen };
+
+ SECStatus rv = ED_SignMessage(&(key->u.ec), &signature, &digest);
if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
sftk_fatalError = PR_TRUE;
}
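Review bot: In nsc_EDDSAVerifyStub and nsc_EDDSASignStub the second SECItem is named `digest`, but ED_VerifyMessage/ED_SignMessage take the whole message, so the name is misleading; rename it `message` in both stubs. A one-line comment above each stub, e.g. `/* EdDSA signs/verifies the full message, not a pre-computed digest. */`, would also stop anyone from routing a digest through this path. nsc_EDDSASignStub's body continues past the end of the hunk.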
@@ -2953,6 +2963,29 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
break;
+ case CKM_EDDSA:
+ if (key_type != CKK_EC_EDWARDS) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+
+ if (pMechanism->pParameter) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+
+ privKey = sftk_GetPrivKey(key, CKK_EC_EDWARDS, &crv);
+ if (privKey == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->cipherInfo = privKey;
+ context->update = (SFTKCipher)nsc_EDDSASignStub;
+ context->destroy = (privKey == key->objectInfo) ? (SFTKDestroy)sftk_Null : (SFTKDestroy)sftk_FreePrivKey;
+ context->maxLen = MAX_ECKEY_LEN * 2;
+
+ break;
+
#define INIT_HMAC_MECH(mmm) \
case CKM_##mmm##_HMAC_GENERAL: \
PORT_Assert(pMechanism->pParameter); \
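Review bot: The CKM_EDDSA case in NSC_SignInit sets `context->maxLen = MAX_ECKEY_LEN * 2;`, while sftk_PairwiseConsistencyCheck in this same file uses ED25519_SIGN_LEN for the same signature; `context->maxLen = ED25519_SIGN_LEN;` keeps the two in agreement. The parameter check here returns CKR_MECHANISM_PARAM_INVALID, whereas the CKM_EDDSA case in NSC_VerifyInit (next hunk) returns CKR_FUNCTION_NOT_SUPPORTED for the identical condition; pick one (CKR_MECHANISM_PARAM_INVALID matches the meaning) and use it in both. If sftk_GetPrivKey reports a specific cause through `&crv`, the `privKey == NULL` branch overwrites it with CKR_HOST_MEMORY and hides it. The enclosing function extends beyond the hunk.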
@@ -3736,6 +3769,27 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSession,
INIT_HMAC_MECH(SHA3_384)
INIT_HMAC_MECH(SHA3_512)
+ case CKM_EDDSA:
+ if (key_type != CKK_EC_EDWARDS) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ pubKey = sftk_GetPubKey(key, CKK_EC_EDWARDS, &crv);
+ if (pubKey == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+
+ if (pMechanism->pParameter) {
+ crv = CKR_FUNCTION_NOT_SUPPORTED;
+ break;
+ }
+
+ context->cipherInfo = pubKey;
+ context->verify = (SFTKVerify)nsc_EDDSAVerifyStub;
+ context->destroy = sftk_Null;
+ break;
+
case CKM_SSL3_MD5_MAC:
PORT_Assert(pMechanism->pParameter);
if (!pMechanism->pParameter) {
@@ -5070,6 +5124,10 @@ sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession, SFTKSlot *slot,
signature_length = MAX_ECKEY_LEN * 2;
mech.mechanism = CKM_ECDSA;
break;
+ case CKK_EC_EDWARDS:
+ signature_length = ED25519_SIGN_LEN;
+ mech.mechanism = CKM_EDDSA;
+ break;
default:
return CKR_DEVICE_ERROR;
}
@@ -5749,6 +5807,61 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hSession,
SECITEM_FreeItem(&pubKey, PR_FALSE);
break;
+ case CKM_EC_EDWARDS_KEY_PAIR_GEN:
+ sftk_DeleteAttributeType(privateKey, CKA_EC_PARAMS);
+ sftk_DeleteAttributeType(privateKey, CKA_VALUE);
+ sftk_DeleteAttributeType(privateKey, CKA_NSS_DB);
+ key_type = CKK_EC_EDWARDS;
+
+ /* extract the necessary parameters and copy them to private keys */
+ crv = sftk_Attribute2SSecItem(NULL, &ecEncodedParams, publicKey,
+ CKA_EC_PARAMS);
+ if (crv != CKR_OK) {
+ break;
+ }
+
+ crv = sftk_AddAttributeType(privateKey, CKA_EC_PARAMS,
+ sftk_item_expand(&ecEncodedParams));
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&ecEncodedParams, PR_FALSE);
+ break;
+ }
+
+ /* Decode ec params before calling EC_NewKey */
+ rv = EC_DecodeParams(&ecEncodedParams, &ecParams);
+ SECITEM_ZfreeItem(&ecEncodedParams, PR_FALSE);
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ break;
+ }
+
+ rv = EC_NewKey(ecParams, &ecPriv);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ PORT_FreeArena(ecParams->arena, PR_TRUE);
+ crv = sftk_MapCryptError(PORT_GetError());
+ break;
+ }
+ PORT_FreeArena(ecParams->arena, PR_TRUE);
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
+ sftk_item_expand(&ecPriv->publicValue));
+ if (crv != CKR_OK)
+ goto edgn_done;
+
+ crv = sftk_AddAttributeType(privateKey, CKA_VALUE,
+ sftk_item_expand(&ecPriv->privateValue));
+ if (crv != CKR_OK)
+ goto edgn_done;
+
+ crv = sftk_AddAttributeType(privateKey, CKA_NSS_DB,
+ sftk_item_expand(&ecPriv->publicValue));
+ edgn_done:
+ /* should zeroize, since this function doesn't. */
+ PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
+ break;
+
default:
crv = CKR_MECHANISM_INVALID;
}
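Review bot: In the new CKM_EC_EDWARDS_KEY_PAIR_GEN case `PORT_FreeArena(ecParams->arena, PR_TRUE);` appears on both the failure and the success path of EC_NewKey; freeing once right after the call, before the `if (rv != SECSuccess)`, removes the duplication. The comment `/* should zeroize, since this function doesn't. */` above `PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE)` is confusing because PR_TRUE is the zeroize flag; suggest `/* ecPriv lives in its own arena; free with zeroize so the private value does not linger. */`. This case appears to duplicate the CKM_EC_KEY_PAIR_GEN logic with only key_type and the `edgn_done` label changed; if so, a shared static helper would keep the two from drifting. The enclosing function continues outside the hunk.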
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
index 1a203f56f2..ae4ebbe017 100644
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -17,9 +17,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.98" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.99" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
-#define SOFTOKEN_VMINOR 98
+#define SOFTOKEN_VMINOR 99
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
diff --git a/security/nss/lib/ssl/ssl3ext.h b/security/nss/lib/ssl/ssl3ext.h
index c1bed29901..6176bd5c9e 100644
--- a/security/nss/lib/ssl/ssl3ext.h
+++ b/security/nss/lib/ssl/ssl3ext.h
@@ -30,16 +30,6 @@ typedef struct {
sslExtensionBuilderFunc ex_sender;
} sslExtensionBuilder;
-/* RFC 8879: TLS Certificate Compression - 3. Negotiating Certificate Compression
-** enum {
-** zlib(1),
-** brotli(2),
-** zstd(3),
-** (65535)
-** } CertificateCompressionAlgorithm;
-*/
-typedef PRUint16 SSLCertificateCompressionAlgorithmID;
-
struct TLSExtensionDataStr {
/* registered callbacks that send server hello extensions */
sslExtensionBuilder serverHelloSenders[SSL_MAX_EXTENSIONS];
diff --git a/security/nss/lib/ssl/sslexp.h b/security/nss/lib/ssl/sslexp.h
index b26afd9b17..b51d224d50 100644
--- a/security/nss/lib/ssl/sslexp.h
+++ b/security/nss/lib/ssl/sslexp.h
@@ -1079,10 +1079,10 @@ typedef struct SSLMaskingContextStr {
* The function SSL_SetCertificateCompressionAlgorithm() adds a certificate
* compression mechanism to the socket fd. */
-#define SSL_SetCertificateCompressionAlgorithm(fd, t) \
- SSL_EXPERIMENTAL_API("SSL_SetCertificateCompressionAlgorithm", \
- (PRFileDesc * _fd, \
- SSLCertificateCompressionAlgorithmType t), \
+#define SSL_SetCertificateCompressionAlgorithm(fd, t) \
+ SSL_EXPERIMENTAL_API("SSL_SetCertificateCompressionAlgorithm", \
+ (PRFileDesc * _fd, \
+ SSLCertificateCompressionAlgorithm t), \
(fd, t))
/* Deprecated experimental APIs */
diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h
index 7a5757b6db..973a5db9f7 100644
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -26,6 +26,8 @@
#include "pkcs11t.h"
#if defined(XP_UNIX)
#include "unistd.h"
+#elif defined(XP_WIN)
+#include <process.h>
#endif
#include "nssrwlk.h"
#include "prthread.h"
@@ -733,8 +735,8 @@ typedef struct SSL3HandshakeStateStr {
PRUint32 rtRetries; /* The retry counter */
SECItem srvVirtName; /* for server: name that was negotiated
- * with a client. For client - is
- * always set to NULL.*/
+ * with a client. For client - is
+ * always set to NULL.*/
/* This group of values is used for TLS 1.3 and above */
PK11SymKey *currentSecret; /* The secret down the "left hand side"
@@ -815,14 +817,6 @@ typedef struct SSL3HandshakeStateStr {
PORT_Assert(ss->ssl3.hs.messages.len == 0); \
PORT_Assert(ss->ssl3.hs.echInnerMessages.len == 0); \
} while (0)
-
-typedef struct SSLCertificateCompressionAlgorithmStr {
- SSLCertificateCompressionAlgorithmID id;
- const char *name;
- SECStatus (*encode)(const SECItem *input, SECItem *output);
- SECStatus (*decode)(const SECItem *input, SECItem *output, size_t expectedLenDecodedCertificate);
-} SSLCertificateCompressionAlgorithm;
-
/*
** This is the "ssl3" struct, as in "ss->ssl3".
** note:
@@ -2039,7 +2033,6 @@ SEC_END_PROTOS
#if defined(XP_UNIX) || defined(XP_OS2)
#define SSL_GETPID getpid
#elif defined(WIN32)
-extern int __cdecl _getpid(void);
#define SSL_GETPID _getpid
#else
#define SSL_GETPID() 0
diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c
index 8f6c50c67c..befa4eda43 100644
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@@ -4376,6 +4376,7 @@ struct {
EXP(SetResumptionToken),
EXP(SetServerEchConfigs),
EXP(SetTimeFunc),
+ EXP(SetCertificateCompressionAlgorithm),
#endif
{ "", NULL }
};
diff --git a/security/nss/lib/ssl/sslt.h b/security/nss/lib/ssl/sslt.h
index 133ae6a296..d8927319c2 100644
--- a/security/nss/lib/ssl/sslt.h
+++ b/security/nss/lib/ssl/sslt.h
@@ -585,4 +585,21 @@ typedef enum {
ssl_dhe_group_max
} SSLDHEGroupType;
+/* RFC 8879: TLS Certificate Compression - 3. Negotiating Certificate Compression
+** enum {
+** zlib(1),
+** brotli(2),
+** zstd(3),
+** (65535)
+** } CertificateCompressionAlgorithm;
+*/
+typedef PRUint16 SSLCertificateCompressionAlgorithmID;
+
+typedef struct SSLCertificateCompressionAlgorithmStr {
+ SSLCertificateCompressionAlgorithmID id;
+ const char* name;
+ SECStatus (*encode)(const SECItem* input, SECItem* output);
+ SECStatus (*decode)(const SECItem* input, SECItem* output, size_t expectedLenDecodedCertificate);
+} SSLCertificateCompressionAlgorithm;
+
#endif /* __sslt_h_ */
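Review bot: The struct moved into sslt.h now uses `const char* name;` and `SECItem* output`, binding the asterisk to the type, whereas the copy it replaces in sslimpl.h (removed in the hunk above) and the rest of this tree bind it to the declarator; `const char *name;` and `SECItem *output` keep the public header consistent with clang-format's output for NSS. A short comment on the `decode` member stating what `expectedLenDecodedCertificate` is compared against would help implementers, since the type is now public API.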
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
index b1a7c5fc59..d49a6890c1 100644
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -19,9 +19,9 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
-#define NSSUTIL_VERSION "3.98"
+#define NSSUTIL_VERSION "3.99"
#define NSSUTIL_VMAJOR 3
-#define NSSUTIL_VMINOR 98
+#define NSSUTIL_VMINOR 99
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
index 800cc7ff62..05208eeffa 100644
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -613,6 +613,22 @@ CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 };
*/
CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01 };
+/*
+ https://oid-rep.orange-labs.fr/get/1.3.101.112
+ A.1. ASN.1 Object for Ed25519
+ id-Ed25519 OBJECT IDENTIFIER ::= { 1.3.101.112 }
+ Parameters are absent. Length is 7 bytes.
+ Binary encoding: 3005 0603 2B65 70
+
+ The same algorithm identifiers are used for identifying a public key,
+ a private key, and a signature (for the two EdDSA related OIDs).
+ Additional encoding information is provided below for each of these
+ locations.
+*/
+
+CONST_OID ed25519PublicKey[] = { 0x2B, 0x65, 0x70 };
+CONST_OID ed25519Signature[] = { 0x2B, 0x65, 0x70 };
+
#define OI(x) \
{ \
siDEROID, (unsigned char *)x, sizeof x \
@@ -1819,6 +1835,13 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
ODE(SEC_OID_XYBER768D00,
"X25519+Kyber768 key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+
+ OD(ed25519Signature, SEC_OID_ED25519_SIGNATURE, "X9.62 EDDSA signature", CKM_EDDSA,
+ INVALID_CERT_EXTENSION),
+
+ OD(ed25519PublicKey, SEC_OID_ED25519_PUBLIC_KEY,
+ "X9.62 elliptic edwards curve public key", CKM_EC_EDWARDS_KEY_PAIR_GEN, INVALID_CERT_EXTENSION),
+
};
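Review bot: `ed25519Signature` and `ed25519PublicKey` carry the same three bytes, so the table now holds two SECOidData entries for OID 1.3.101.112; SECOID_Init inserts them into one hash keyed by the OID bytes, so SECOID_FindOID/SECOID_FindOIDTag can return only one of SEC_OID_ED25519_SIGNATURE and SEC_OID_ED25519_PUBLIC_KEY for an AlgorithmIdentifier naming this OID (presumably the later-inserted one, but that depends on PL_HashTableAdd's duplicate-key behaviour). Whichever tag wins should be documented at both entries, and any comparison against the other tag after a lookup will never match. The description strings `"X9.62 EDDSA signature"` and `"X9.62 elliptic edwards curve public key"` misattribute the algorithm: Ed25519 is specified by RFC 8032/8410, not ANSI X9.62; `"Ed25519 signature"` and `"Ed25519 public key"` are accurate.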
/* PRIVATE EXTENDED SECOID Table
@@ -2133,10 +2156,9 @@ SECOID_Init(void)
for (i = 0; i < SEC_OID_TOTAL; i++) {
oid = &oids[i];
-
PORT_Assert(oid->offset == i);
-
entry = PL_HashTableAdd(oidhash, &oid->oid, (void *)oid);
+
if (entry == NULL) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
PORT_Assert(0); /*This function should never fail. */
@@ -2196,7 +2218,6 @@ SECOID_FindOID(const SECItem *oid)
PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID);
}
}
-
return (ret);
}
@@ -2206,8 +2227,9 @@ SECOID_FindOIDTag(const SECItem *oid)
SECOidData *oiddata;
oiddata = SECOID_FindOID(oid);
- if (oiddata == NULL)
+ if (oiddata == NULL) {
return SEC_OID_UNKNOWN;
+ }
return oiddata->offset;
}
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
index 3ab0d6cc74..f2618d62cb 100644
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
@@ -514,6 +514,9 @@ typedef enum {
SEC_OID_XYBER768D00 = 372,
+ SEC_OID_ED25519_SIGNATURE = 373,
+ SEC_OID_ED25519_PUBLIC_KEY = 374,
+
SEC_OID_TOTAL
} SECOidTag;