We use cookies to ensure you get the best experience on our website
Home Explore Help
Register Sign In
0ct0pu5
/
moby
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge pull request #40429 from thaJeztah/bump_golang_1.13.7

Update Golang 1.13.7, golang.org/x/crypto (CVE-2020-0601, CVE-2020-7919)
Akihiro Suda 5 years ago
parent
513b207b00 b606c8e440
commit
46ec8731fb
34 changed files with 691 additions and 3617 deletions
Split View Show Diff Stats
  1. 1 1
      Dockerfile
  2. 1 1
      Dockerfile.e2e
  3. 1 1
      Dockerfile.simple
  4. 1 1
      Dockerfile.windows
  5. 1 1
      vendor.conf
  6. 3 2
      vendor/golang.org/x/crypto/cryptobyte/asn1.go
  7. 1 6
      vendor/golang.org/x/crypto/cryptobyte/string.go
  8. 0 8
      vendor/golang.org/x/crypto/curve25519/const_amd64.h
  9. 0 20
      vendor/golang.org/x/crypto/curve25519/const_amd64.s
  10. 0 65
      vendor/golang.org/x/crypto/curve25519/cswap_amd64.s
  11. 0 834
      vendor/golang.org/x/crypto/curve25519/curve25519.go
  12. 0 23
      vendor/golang.org/x/crypto/curve25519/doc.go
  13. 0 73
      vendor/golang.org/x/crypto/curve25519/freeze_amd64.s
  14. 0 1377
      vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s
  15. 0 240
      vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go
  16. 0 169
      vendor/golang.org/x/crypto/curve25519/mul_amd64.s
  17. 0 132
      vendor/golang.org/x/crypto/curve25519/square_amd64.s
  18. 5 0
      vendor/golang.org/x/crypto/ed25519/ed25519.go
  19. 73 0
      vendor/golang.org/x/crypto/ed25519/ed25519_go113.go
  20. 6 1
      vendor/golang.org/x/crypto/go.mod
  21. 1 0
      vendor/golang.org/x/crypto/pkcs12/pkcs12.go
  22. 39 0
      vendor/golang.org/x/crypto/poly1305/bits_compat.go
  23. 21 0
      vendor/golang.org/x/crypto/poly1305/bits_go1.13.go
  24. 1 1
      vendor/golang.org/x/crypto/poly1305/mac_noasm.go
  25. 8 2
      vendor/golang.org/x/crypto/poly1305/poly1305.go
  26. 23 33
      vendor/golang.org/x/crypto/poly1305/sum_amd64.go
  27. 0 40
      vendor/golang.org/x/crypto/poly1305/sum_amd64.s
  28. 0 22
      vendor/golang.org/x/crypto/poly1305/sum_arm.go
  29. 0 427
      vendor/golang.org/x/crypto/poly1305/sum_arm.s
  30. 263 128
      vendor/golang.org/x/crypto/poly1305/sum_generic.go
  31. 2 5
      vendor/golang.org/x/crypto/poly1305/sum_noasm.go
  32. 58 0
      vendor/golang.org/x/crypto/poly1305/sum_ppc64le.go
  33. 181 0
      vendor/golang.org/x/crypto/poly1305/sum_ppc64le.s
  34. 1 4
      vendor/golang.org/x/crypto/poly1305/sum_s390x.go

+ 1 - 1
Dockerfile
View File 

@@ -1,7 +1,7 @@
 
 # syntax=docker/dockerfile:1.1.3-experimental
 
 
 ARG CROSS="false"
 
-ARG GO_VERSION=1.13.6
 
+ARG GO_VERSION=1.13.7
 
 ARG DEBIAN_FRONTEND=noninteractive
 
 ARG VPNKIT_DIGEST=e508a17cfacc8fd39261d5b4e397df2b953690da577e2c987a47630cd0c42f8e
 
 ARG DOCKER_BUILDTAGS="apparmor seccomp selinux"

+ 1 - 1
Dockerfile.e2e
View File 

@@ -1,4 +1,4 @@
 
-ARG GO_VERSION=1.13.6
 
+ARG GO_VERSION=1.13.7
 
 
 FROM golang:${GO_VERSION}-alpine AS base
 
 ENV GO111MODULE=off

+ 1 - 1
Dockerfile.simple
View File 

@@ -5,7 +5,7 @@
 
 
 # This represents the bare minimum required to build and test Docker.
 
 
-ARG GO_VERSION=1.13.6
 
+ARG GO_VERSION=1.13.7
 
 
 FROM golang:${GO_VERSION}-stretch
 
 ENV GO111MODULE=off

+ 1 - 1
Dockerfile.windows
View File 

@@ -165,7 +165,7 @@ FROM microsoft/windowsservercore
 
 # Use PowerShell as the default shell
 
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
 
-ARG GO_VERSION=1.13.6
 
+ARG GO_VERSION=1.13.7
 
 ARG GOTESTSUM_COMMIT=v0.3.5
 
 
 # Environment variable notes:

+ 1 - 1
vendor.conf
View File 

@@ -134,7 +134,7 @@ github.com/golang/protobuf                          aa810b61a9c79d51363740d207bb
 
 github.com/cloudflare/cfssl                         5d63dbd981b5c408effbb58c442d54761ff94fbd # 1.3.2
 
 github.com/fernet/fernet-go                         9eac43b88a5efb8651d24de9b68e87567e029736
 
 github.com/google/certificate-transparency-go       37a384cd035e722ea46e55029093e26687138edf # v1.0.20
 
-golang.org/x/crypto                                 88737f569e3a9c7ab309cdc09a07fe7fc87233c3
 
+golang.org/x/crypto                                 69ecbb4d6d5dab05e49161c6e77ea40a030884e1
 
 golang.org/x/time                                   fbb02b2291d28baffd63558aa44b4b56f178d650
 
 github.com/hashicorp/go-memdb                       cb9a474f84cc5e41b273b20c6927680b2a8776ad
 
 github.com/hashicorp/go-immutable-radix             826af9ccf0feeee615d546d69b11f8e98da8c8f1 git://github.com/tonistiigi/go-immutable-radix.git

+ 3 - 2
vendor/golang.org/x/crypto/cryptobyte/asn1.go
View File 

@@ -470,7 +470,8 @@ func (s *String) ReadASN1GeneralizedTime(out *time.Time) bool {
 
 // It reports whether the read was successful.
 
 func (s *String) ReadASN1BitString(out *encoding_asn1.BitString) bool {
 
 	var bytes String
 
-	if !s.ReadASN1(&bytes, asn1.BIT_STRING) || len(bytes) == 0 {
 
+	if !s.ReadASN1(&bytes, asn1.BIT_STRING) || len(bytes) == 0 ||
 
+		len(bytes)*8/8 != len(bytes) {
 
 		return false
 
 	}
 
 
@@ -740,7 +741,7 @@ func (s *String) readASN1(out *String, outTag *asn1.Tag, skipHeader bool) bool {
 
 		length = headerLen + len32
 
 	}
 
 
-	if uint32(int(length)) != length || !s.ReadBytes((*[]byte)(out), int(length)) {
 
+	if int(length) < 0 || !s.ReadBytes((*[]byte)(out), int(length)) {
 
 		return false
 
 	}
 
 	if skipHeader && !out.Skip(int(headerLen)) {

+ 1 - 6
vendor/golang.org/x/crypto/cryptobyte/string.go
View File 

@@ -24,7 +24,7 @@ type String []byte
 
 // read advances a String by n bytes and returns them. If less than n bytes
 
 // remain, it returns nil.
 
 func (s *String) read(n int) []byte {
 
-	if len(*s) < n {
 
+	if len(*s) < n || n < 0 {
 
 		return nil
 
 	}
 
 	v := (*s)[:n]
 
@@ -105,11 +105,6 @@ func (s *String) readLengthPrefixed(lenLen int, outChild *String) bool {
 
 		length = length << 8
 
 		length = length | uint32(b)
 
 	}
 
-	if int(length) < 0 {
 
-		// This currently cannot overflow because we read uint24 at most, but check
 
-		// anyway in case that changes in the future.
 
-		return false
 
-	}
 
 	v := s.read(int(length))
 
 	if v == nil {
 
 		return false

+ 0 - 8
vendor/golang.org/x/crypto/curve25519/const_amd64.h
View File 

@@ -1,8 +0,0 @@
 
-// Copyright 2012 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// This code was translated into a form compatible with 6a from the public
 
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
 
-
 
-#define REDMASK51     0x0007FFFFFFFFFFFF

+ 0 - 20
vendor/golang.org/x/crypto/curve25519/const_amd64.s
View File 

@@ -1,20 +0,0 @@
 
-// Copyright 2012 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// This code was translated into a form compatible with 6a from the public
 
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
 
-
 
-// +build amd64,!gccgo,!appengine
 
-
 
-// These constants cannot be encoded in non-MOVQ immediates.
 
-// We access them directly from memory instead.
 
-
 
-DATA ·_121666_213(SB)/8, $996687872
 
-GLOBL ·_121666_213(SB), 8, $8
 
-
 
-DATA ·_2P0(SB)/8, $0xFFFFFFFFFFFDA
 
-GLOBL ·_2P0(SB), 8, $8
 
-
 
-DATA ·_2P1234(SB)/8, $0xFFFFFFFFFFFFE
 
-GLOBL ·_2P1234(SB), 8, $8

+ 0 - 65
vendor/golang.org/x/crypto/curve25519/cswap_amd64.s
View File 

@@ -1,65 +0,0 @@
 
-// Copyright 2012 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// +build amd64,!gccgo,!appengine
 
-
 
-// func cswap(inout *[4][5]uint64, v uint64)
 
-TEXT ·cswap(SB),7,$0
 
-	MOVQ inout+0(FP),DI
 
-	MOVQ v+8(FP),SI
 
-
 
-	SUBQ $1, SI
 
-	NOTQ SI
 
-	MOVQ SI, X15
 
-	PSHUFD $0x44, X15, X15
 
-
 
-	MOVOU 0(DI), X0
 
-	MOVOU 16(DI), X2
 
-	MOVOU 32(DI), X4
 
-	MOVOU 48(DI), X6
 
-	MOVOU 64(DI), X8
 
-	MOVOU 80(DI), X1
 
-	MOVOU 96(DI), X3
 
-	MOVOU 112(DI), X5
 
-	MOVOU 128(DI), X7
 
-	MOVOU 144(DI), X9
 
-
 
-	MOVO X1, X10
 
-	MOVO X3, X11
 
-	MOVO X5, X12
 
-	MOVO X7, X13
 
-	MOVO X9, X14
 
-
 
-	PXOR X0, X10
 
-	PXOR X2, X11
 
-	PXOR X4, X12
 
-	PXOR X6, X13
 
-	PXOR X8, X14
 
-	PAND X15, X10
 
-	PAND X15, X11
 
-	PAND X15, X12
 
-	PAND X15, X13
 
-	PAND X15, X14
 
-	PXOR X10, X0
 
-	PXOR X10, X1
 
-	PXOR X11, X2
 
-	PXOR X11, X3
 
-	PXOR X12, X4
 
-	PXOR X12, X5
 
-	PXOR X13, X6
 
-	PXOR X13, X7
 
-	PXOR X14, X8
 
-	PXOR X14, X9
 
-
 
-	MOVOU X0, 0(DI)
 
-	MOVOU X2, 16(DI)
 
-	MOVOU X4, 32(DI)
 
-	MOVOU X6, 48(DI)
 
-	MOVOU X8, 64(DI)
 
-	MOVOU X1, 80(DI)
 
-	MOVOU X3, 96(DI)
 
-	MOVOU X5, 112(DI)
 
-	MOVOU X7, 128(DI)
 
-	MOVOU X9, 144(DI)
 
-	RET

+ 0 - 834
vendor/golang.org/x/crypto/curve25519/curve25519.go
View File 

@@ -1,834 +0,0 @@
 
-// Copyright 2013 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// We have an implementation in amd64 assembly so this code is only run on
 
-// non-amd64 platforms. The amd64 assembly does not support gccgo.
 
-// +build !amd64 gccgo appengine
 
-
 
-package curve25519
 
-
 
-import (
 
-	"encoding/binary"
 
-)
 
-
 
-// This code is a port of the public domain, "ref10" implementation of
 
-// curve25519 from SUPERCOP 20130419 by D. J. Bernstein.
 
-
 
-// fieldElement represents an element of the field GF(2^255 - 19). An element
 
-// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
 
-// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
 
-// context.
 
-type fieldElement [10]int32
 
-
 
-func feZero(fe *fieldElement) {
 
-	for i := range fe {
 
-		fe[i] = 0
 
-	}
 
-}
 
-
 
-func feOne(fe *fieldElement) {
 
-	feZero(fe)
 
-	fe[0] = 1
 
-}
 
-
 
-func feAdd(dst, a, b *fieldElement) {
 
-	for i := range dst {
 
-		dst[i] = a[i] + b[i]
 
-	}
 
-}
 
-
 
-func feSub(dst, a, b *fieldElement) {
 
-	for i := range dst {
 
-		dst[i] = a[i] - b[i]
 
-	}
 
-}
 
-
 
-func feCopy(dst, src *fieldElement) {
 
-	for i := range dst {
 
-		dst[i] = src[i]
 
-	}
 
-}
 
-
 
-// feCSwap replaces (f,g) with (g,f) if b == 1; replaces (f,g) with (f,g) if b == 0.
 
-//
 
-// Preconditions: b in {0,1}.
 
-func feCSwap(f, g *fieldElement, b int32) {
 
-	b = -b
 
-	for i := range f {
 
-		t := b & (f[i] ^ g[i])
 
-		f[i] ^= t
 
-		g[i] ^= t
 
-	}
 
-}
 
-
 
-// load3 reads a 24-bit, little-endian value from in.
 
-func load3(in []byte) int64 {
 
-	var r int64
 
-	r = int64(in[0])
 
-	r |= int64(in[1]) << 8
 
-	r |= int64(in[2]) << 16
 
-	return r
 
-}
 
-
 
-// load4 reads a 32-bit, little-endian value from in.
 
-func load4(in []byte) int64 {
 
-	return int64(binary.LittleEndian.Uint32(in))
 
-}
 
-
 
-func feFromBytes(dst *fieldElement, src *[32]byte) {
 
-	h0 := load4(src[:])
 
-	h1 := load3(src[4:]) << 6
 
-	h2 := load3(src[7:]) << 5
 
-	h3 := load3(src[10:]) << 3
 
-	h4 := load3(src[13:]) << 2
 
-	h5 := load4(src[16:])
 
-	h6 := load3(src[20:]) << 7
 
-	h7 := load3(src[23:]) << 5
 
-	h8 := load3(src[26:]) << 4
 
-	h9 := (load3(src[29:]) & 0x7fffff) << 2
 
-
 
-	var carry [10]int64
 
-	carry[9] = (h9 + 1<<24) >> 25
 
-	h0 += carry[9] * 19
 
-	h9 -= carry[9] << 25
 
-	carry[1] = (h1 + 1<<24) >> 25
 
-	h2 += carry[1]
 
-	h1 -= carry[1] << 25
 
-	carry[3] = (h3 + 1<<24) >> 25
 
-	h4 += carry[3]
 
-	h3 -= carry[3] << 25
 
-	carry[5] = (h5 + 1<<24) >> 25
 
-	h6 += carry[5]
 
-	h5 -= carry[5] << 25
 
-	carry[7] = (h7 + 1<<24) >> 25
 
-	h8 += carry[7]
 
-	h7 -= carry[7] << 25
 
-
 
-	carry[0] = (h0 + 1<<25) >> 26
 
-	h1 += carry[0]
 
-	h0 -= carry[0] << 26
 
-	carry[2] = (h2 + 1<<25) >> 26
 
-	h3 += carry[2]
 
-	h2 -= carry[2] << 26
 
-	carry[4] = (h4 + 1<<25) >> 26
 
-	h5 += carry[4]
 
-	h4 -= carry[4] << 26
 
-	carry[6] = (h6 + 1<<25) >> 26
 
-	h7 += carry[6]
 
-	h6 -= carry[6] << 26
 
-	carry[8] = (h8 + 1<<25) >> 26
 
-	h9 += carry[8]
 
-	h8 -= carry[8] << 26
 
-
 
-	dst[0] = int32(h0)
 
-	dst[1] = int32(h1)
 
-	dst[2] = int32(h2)
 
-	dst[3] = int32(h3)
 
-	dst[4] = int32(h4)
 
-	dst[5] = int32(h5)
 
-	dst[6] = int32(h6)
 
-	dst[7] = int32(h7)
 
-	dst[8] = int32(h8)
 
-	dst[9] = int32(h9)
 
-}
 
-
 
-// feToBytes marshals h to s.
 
-// Preconditions:
 
-//   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
 
-//
 
-// Write p=2^255-19; q=floor(h/p).
 
-// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
 
-//
 
-// Proof:
 
-//   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
 
-//   Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
 
-//
 
-//   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
 
-//   Then 0<y<1.
 
-//
 
-//   Write r=h-pq.
 
-//   Have 0<=r<=p-1=2^255-20.
 
-//   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
 
-//
 
-//   Write x=r+19(2^-255)r+y.
 
-//   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
 
-//
 
-//   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
 
-//   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
 
-func feToBytes(s *[32]byte, h *fieldElement) {
 
-	var carry [10]int32
 
-
 
-	q := (19*h[9] + (1 << 24)) >> 25
 
-	q = (h[0] + q) >> 26
 
-	q = (h[1] + q) >> 25
 
-	q = (h[2] + q) >> 26
 
-	q = (h[3] + q) >> 25
 
-	q = (h[4] + q) >> 26
 
-	q = (h[5] + q) >> 25
 
-	q = (h[6] + q) >> 26
 
-	q = (h[7] + q) >> 25
 
-	q = (h[8] + q) >> 26
 
-	q = (h[9] + q) >> 25
 
-
 
-	// Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
 
-	h[0] += 19 * q
 
-	// Goal: Output h-2^255 q, which is between 0 and 2^255-20.
 
-
 
-	carry[0] = h[0] >> 26
 
-	h[1] += carry[0]
 
-	h[0] -= carry[0] << 26
 
-	carry[1] = h[1] >> 25
 
-	h[2] += carry[1]
 
-	h[1] -= carry[1] << 25
 
-	carry[2] = h[2] >> 26
 
-	h[3] += carry[2]
 
-	h[2] -= carry[2] << 26
 
-	carry[3] = h[3] >> 25
 
-	h[4] += carry[3]
 
-	h[3] -= carry[3] << 25
 
-	carry[4] = h[4] >> 26
 
-	h[5] += carry[4]
 
-	h[4] -= carry[4] << 26
 
-	carry[5] = h[5] >> 25
 
-	h[6] += carry[5]
 
-	h[5] -= carry[5] << 25
 
-	carry[6] = h[6] >> 26
 
-	h[7] += carry[6]
 
-	h[6] -= carry[6] << 26
 
-	carry[7] = h[7] >> 25
 
-	h[8] += carry[7]
 
-	h[7] -= carry[7] << 25
 
-	carry[8] = h[8] >> 26
 
-	h[9] += carry[8]
 
-	h[8] -= carry[8] << 26
 
-	carry[9] = h[9] >> 25
 
-	h[9] -= carry[9] << 25
 
-	// h10 = carry9
 
-
 
-	// Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
 
-	// Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
 
-	// evidently 2^255 h10-2^255 q = 0.
 
-	// Goal: Output h[0]+...+2^230 h[9].
 
-
 
-	s[0] = byte(h[0] >> 0)
 
-	s[1] = byte(h[0] >> 8)
 
-	s[2] = byte(h[0] >> 16)
 
-	s[3] = byte((h[0] >> 24) | (h[1] << 2))
 
-	s[4] = byte(h[1] >> 6)
 
-	s[5] = byte(h[1] >> 14)
 
-	s[6] = byte((h[1] >> 22) | (h[2] << 3))
 
-	s[7] = byte(h[2] >> 5)
 
-	s[8] = byte(h[2] >> 13)
 
-	s[9] = byte((h[2] >> 21) | (h[3] << 5))
 
-	s[10] = byte(h[3] >> 3)
 
-	s[11] = byte(h[3] >> 11)
 
-	s[12] = byte((h[3] >> 19) | (h[4] << 6))
 
-	s[13] = byte(h[4] >> 2)
 
-	s[14] = byte(h[4] >> 10)
 
-	s[15] = byte(h[4] >> 18)
 
-	s[16] = byte(h[5] >> 0)
 
-	s[17] = byte(h[5] >> 8)
 
-	s[18] = byte(h[5] >> 16)
 
-	s[19] = byte((h[5] >> 24) | (h[6] << 1))
 
-	s[20] = byte(h[6] >> 7)
 
-	s[21] = byte(h[6] >> 15)
 
-	s[22] = byte((h[6] >> 23) | (h[7] << 3))
 
-	s[23] = byte(h[7] >> 5)
 
-	s[24] = byte(h[7] >> 13)
 
-	s[25] = byte((h[7] >> 21) | (h[8] << 4))
 
-	s[26] = byte(h[8] >> 4)
 
-	s[27] = byte(h[8] >> 12)
 
-	s[28] = byte((h[8] >> 20) | (h[9] << 6))
 
-	s[29] = byte(h[9] >> 2)
 
-	s[30] = byte(h[9] >> 10)
 
-	s[31] = byte(h[9] >> 18)
 
-}
 
-
 
-// feMul calculates h = f * g
 
-// Can overlap h with f or g.
 
-//
 
-// Preconditions:
 
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 
-//    |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 
-//
 
-// Postconditions:
 
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
 
-//
 
-// Notes on implementation strategy:
 
-//
 
-// Using schoolbook multiplication.
 
-// Karatsuba would save a little in some cost models.
 
-//
 
-// Most multiplications by 2 and 19 are 32-bit precomputations;
 
-// cheaper than 64-bit postcomputations.
 
-//
 
-// There is one remaining multiplication by 19 in the carry chain;
 
-// one *19 precomputation can be merged into this,
 
-// but the resulting data flow is considerably less clean.
 
-//
 
-// There are 12 carries below.
 
-// 10 of them are 2-way parallelizable and vectorizable.
 
-// Can get away with 11 carries, but then data flow is much deeper.
 
-//
 
-// With tighter constraints on inputs can squeeze carries into int32.
 
-func feMul(h, f, g *fieldElement) {
 
-	f0 := f[0]
 
-	f1 := f[1]
 
-	f2 := f[2]
 
-	f3 := f[3]
 
-	f4 := f[4]
 
-	f5 := f[5]
 
-	f6 := f[6]
 
-	f7 := f[7]
 
-	f8 := f[8]
 
-	f9 := f[9]
 
-	g0 := g[0]
 
-	g1 := g[1]
 
-	g2 := g[2]
 
-	g3 := g[3]
 
-	g4 := g[4]
 
-	g5 := g[5]
 
-	g6 := g[6]
 
-	g7 := g[7]
 
-	g8 := g[8]
 
-	g9 := g[9]
 
-	g1_19 := 19 * g1 // 1.4*2^29
 
-	g2_19 := 19 * g2 // 1.4*2^30; still ok
 
-	g3_19 := 19 * g3
 
-	g4_19 := 19 * g4
 
-	g5_19 := 19 * g5
 
-	g6_19 := 19 * g6
 
-	g7_19 := 19 * g7
 
-	g8_19 := 19 * g8
 
-	g9_19 := 19 * g9
 
-	f1_2 := 2 * f1
 
-	f3_2 := 2 * f3
 
-	f5_2 := 2 * f5
 
-	f7_2 := 2 * f7
 
-	f9_2 := 2 * f9
 
-	f0g0 := int64(f0) * int64(g0)
 
-	f0g1 := int64(f0) * int64(g1)
 
-	f0g2 := int64(f0) * int64(g2)
 
-	f0g3 := int64(f0) * int64(g3)
 
-	f0g4 := int64(f0) * int64(g4)
 
-	f0g5 := int64(f0) * int64(g5)
 
-	f0g6 := int64(f0) * int64(g6)
 
-	f0g7 := int64(f0) * int64(g7)
 
-	f0g8 := int64(f0) * int64(g8)
 
-	f0g9 := int64(f0) * int64(g9)
 
-	f1g0 := int64(f1) * int64(g0)
 
-	f1g1_2 := int64(f1_2) * int64(g1)
 
-	f1g2 := int64(f1) * int64(g2)
 
-	f1g3_2 := int64(f1_2) * int64(g3)
 
-	f1g4 := int64(f1) * int64(g4)
 
-	f1g5_2 := int64(f1_2) * int64(g5)
 
-	f1g6 := int64(f1) * int64(g6)
 
-	f1g7_2 := int64(f1_2) * int64(g7)
 
-	f1g8 := int64(f1) * int64(g8)
 
-	f1g9_38 := int64(f1_2) * int64(g9_19)
 
-	f2g0 := int64(f2) * int64(g0)
 
-	f2g1 := int64(f2) * int64(g1)
 
-	f2g2 := int64(f2) * int64(g2)
 
-	f2g3 := int64(f2) * int64(g3)
 
-	f2g4 := int64(f2) * int64(g4)
 
-	f2g5 := int64(f2) * int64(g5)
 
-	f2g6 := int64(f2) * int64(g6)
 
-	f2g7 := int64(f2) * int64(g7)
 
-	f2g8_19 := int64(f2) * int64(g8_19)
 
-	f2g9_19 := int64(f2) * int64(g9_19)
 
-	f3g0 := int64(f3) * int64(g0)
 
-	f3g1_2 := int64(f3_2) * int64(g1)
 
-	f3g2 := int64(f3) * int64(g2)
 
-	f3g3_2 := int64(f3_2) * int64(g3)
 
-	f3g4 := int64(f3) * int64(g4)
 
-	f3g5_2 := int64(f3_2) * int64(g5)
 
-	f3g6 := int64(f3) * int64(g6)
 
-	f3g7_38 := int64(f3_2) * int64(g7_19)
 
-	f3g8_19 := int64(f3) * int64(g8_19)
 
-	f3g9_38 := int64(f3_2) * int64(g9_19)
 
-	f4g0 := int64(f4) * int64(g0)
 
-	f4g1 := int64(f4) * int64(g1)
 
-	f4g2 := int64(f4) * int64(g2)
 
-	f4g3 := int64(f4) * int64(g3)
 
-	f4g4 := int64(f4) * int64(g4)
 
-	f4g5 := int64(f4) * int64(g5)
 
-	f4g6_19 := int64(f4) * int64(g6_19)
 
-	f4g7_19 := int64(f4) * int64(g7_19)
 
-	f4g8_19 := int64(f4) * int64(g8_19)
 
-	f4g9_19 := int64(f4) * int64(g9_19)
 
-	f5g0 := int64(f5) * int64(g0)
 
-	f5g1_2 := int64(f5_2) * int64(g1)
 
-	f5g2 := int64(f5) * int64(g2)
 
-	f5g3_2 := int64(f5_2) * int64(g3)
 
-	f5g4 := int64(f5) * int64(g4)
 
-	f5g5_38 := int64(f5_2) * int64(g5_19)
 
-	f5g6_19 := int64(f5) * int64(g6_19)
 
-	f5g7_38 := int64(f5_2) * int64(g7_19)
 
-	f5g8_19 := int64(f5) * int64(g8_19)
 
-	f5g9_38 := int64(f5_2) * int64(g9_19)
 
-	f6g0 := int64(f6) * int64(g0)
 
-	f6g1 := int64(f6) * int64(g1)
 
-	f6g2 := int64(f6) * int64(g2)
 
-	f6g3 := int64(f6) * int64(g3)
 
-	f6g4_19 := int64(f6) * int64(g4_19)
 
-	f6g5_19 := int64(f6) * int64(g5_19)
 
-	f6g6_19 := int64(f6) * int64(g6_19)
 
-	f6g7_19 := int64(f6) * int64(g7_19)
 
-	f6g8_19 := int64(f6) * int64(g8_19)
 
-	f6g9_19 := int64(f6) * int64(g9_19)
 
-	f7g0 := int64(f7) * int64(g0)
 
-	f7g1_2 := int64(f7_2) * int64(g1)
 
-	f7g2 := int64(f7) * int64(g2)
 
-	f7g3_38 := int64(f7_2) * int64(g3_19)
 
-	f7g4_19 := int64(f7) * int64(g4_19)
 
-	f7g5_38 := int64(f7_2) * int64(g5_19)
 
-	f7g6_19 := int64(f7) * int64(g6_19)
 
-	f7g7_38 := int64(f7_2) * int64(g7_19)
 
-	f7g8_19 := int64(f7) * int64(g8_19)
 
-	f7g9_38 := int64(f7_2) * int64(g9_19)
 
-	f8g0 := int64(f8) * int64(g0)
 
-	f8g1 := int64(f8) * int64(g1)
 
-	f8g2_19 := int64(f8) * int64(g2_19)
 
-	f8g3_19 := int64(f8) * int64(g3_19)
 
-	f8g4_19 := int64(f8) * int64(g4_19)
 
-	f8g5_19 := int64(f8) * int64(g5_19)
 
-	f8g6_19 := int64(f8) * int64(g6_19)
 
-	f8g7_19 := int64(f8) * int64(g7_19)
 
-	f8g8_19 := int64(f8) * int64(g8_19)
 
-	f8g9_19 := int64(f8) * int64(g9_19)
 
-	f9g0 := int64(f9) * int64(g0)
 
-	f9g1_38 := int64(f9_2) * int64(g1_19)
 
-	f9g2_19 := int64(f9) * int64(g2_19)
 
-	f9g3_38 := int64(f9_2) * int64(g3_19)
 
-	f9g4_19 := int64(f9) * int64(g4_19)
 
-	f9g5_38 := int64(f9_2) * int64(g5_19)
 
-	f9g6_19 := int64(f9) * int64(g6_19)
 
-	f9g7_38 := int64(f9_2) * int64(g7_19)
 
-	f9g8_19 := int64(f9) * int64(g8_19)
 
-	f9g9_38 := int64(f9_2) * int64(g9_19)
 
-	h0 := f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38
 
-	h1 := f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19
 
-	h2 := f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38
 
-	h3 := f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19
 
-	h4 := f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38
 
-	h5 := f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19
 
-	h6 := f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38
 
-	h7 := f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19
 
-	h8 := f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38
 
-	h9 := f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0
 
-	var carry [10]int64
 
-
 
-	// |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
 
-	//   i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
 
-	// |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
 
-	//   i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
 
-
 
-	carry[0] = (h0 + (1 << 25)) >> 26
 
-	h1 += carry[0]
 
-	h0 -= carry[0] << 26
 
-	carry[4] = (h4 + (1 << 25)) >> 26
 
-	h5 += carry[4]
 
-	h4 -= carry[4] << 26
 
-	// |h0| <= 2^25
 
-	// |h4| <= 2^25
 
-	// |h1| <= 1.51*2^58
 
-	// |h5| <= 1.51*2^58
 
-
 
-	carry[1] = (h1 + (1 << 24)) >> 25
 
-	h2 += carry[1]
 
-	h1 -= carry[1] << 25
 
-	carry[5] = (h5 + (1 << 24)) >> 25
 
-	h6 += carry[5]
 
-	h5 -= carry[5] << 25
 
-	// |h1| <= 2^24; from now on fits into int32
 
-	// |h5| <= 2^24; from now on fits into int32
 
-	// |h2| <= 1.21*2^59
 
-	// |h6| <= 1.21*2^59
 
-
 
-	carry[2] = (h2 + (1 << 25)) >> 26
 
-	h3 += carry[2]
 
-	h2 -= carry[2] << 26
 
-	carry[6] = (h6 + (1 << 25)) >> 26
 
-	h7 += carry[6]
 
-	h6 -= carry[6] << 26
 
-	// |h2| <= 2^25; from now on fits into int32 unchanged
 
-	// |h6| <= 2^25; from now on fits into int32 unchanged
 
-	// |h3| <= 1.51*2^58
 
-	// |h7| <= 1.51*2^58
 
-
 
-	carry[3] = (h3 + (1 << 24)) >> 25
 
-	h4 += carry[3]
 
-	h3 -= carry[3] << 25
 
-	carry[7] = (h7 + (1 << 24)) >> 25
 
-	h8 += carry[7]
 
-	h7 -= carry[7] << 25
 
-	// |h3| <= 2^24; from now on fits into int32 unchanged
 
-	// |h7| <= 2^24; from now on fits into int32 unchanged
 
-	// |h4| <= 1.52*2^33
 
-	// |h8| <= 1.52*2^33
 
-
 
-	carry[4] = (h4 + (1 << 25)) >> 26
 
-	h5 += carry[4]
 
-	h4 -= carry[4] << 26
 
-	carry[8] = (h8 + (1 << 25)) >> 26
 
-	h9 += carry[8]
 
-	h8 -= carry[8] << 26
 
-	// |h4| <= 2^25; from now on fits into int32 unchanged
 
-	// |h8| <= 2^25; from now on fits into int32 unchanged
 
-	// |h5| <= 1.01*2^24
 
-	// |h9| <= 1.51*2^58
 
-
 
-	carry[9] = (h9 + (1 << 24)) >> 25
 
-	h0 += carry[9] * 19
 
-	h9 -= carry[9] << 25
 
-	// |h9| <= 2^24; from now on fits into int32 unchanged
 
-	// |h0| <= 1.8*2^37
 
-
 
-	carry[0] = (h0 + (1 << 25)) >> 26
 
-	h1 += carry[0]
 
-	h0 -= carry[0] << 26
 
-	// |h0| <= 2^25; from now on fits into int32 unchanged
 
-	// |h1| <= 1.01*2^24
 
-
 
-	h[0] = int32(h0)
 
-	h[1] = int32(h1)
 
-	h[2] = int32(h2)
 
-	h[3] = int32(h3)
 
-	h[4] = int32(h4)
 
-	h[5] = int32(h5)
 
-	h[6] = int32(h6)
 
-	h[7] = int32(h7)
 
-	h[8] = int32(h8)
 
-	h[9] = int32(h9)
 
-}
 
-
 
-// feSquare calculates h = f*f. Can overlap h with f.
 
-//
 
-// Preconditions:
 
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 
-//
 
-// Postconditions:
 
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
 
-func feSquare(h, f *fieldElement) {
 
-	f0 := f[0]
 
-	f1 := f[1]
 
-	f2 := f[2]
 
-	f3 := f[3]
 
-	f4 := f[4]
 
-	f5 := f[5]
 
-	f6 := f[6]
 
-	f7 := f[7]
 
-	f8 := f[8]
 
-	f9 := f[9]
 
-	f0_2 := 2 * f0
 
-	f1_2 := 2 * f1
 
-	f2_2 := 2 * f2
 
-	f3_2 := 2 * f3
 
-	f4_2 := 2 * f4
 
-	f5_2 := 2 * f5
 
-	f6_2 := 2 * f6
 
-	f7_2 := 2 * f7
 
-	f5_38 := 38 * f5 // 1.31*2^30
 
-	f6_19 := 19 * f6 // 1.31*2^30
 
-	f7_38 := 38 * f7 // 1.31*2^30
 
-	f8_19 := 19 * f8 // 1.31*2^30
 
-	f9_38 := 38 * f9 // 1.31*2^30
 
-	f0f0 := int64(f0) * int64(f0)
 
-	f0f1_2 := int64(f0_2) * int64(f1)
 
-	f0f2_2 := int64(f0_2) * int64(f2)
 
-	f0f3_2 := int64(f0_2) * int64(f3)
 
-	f0f4_2 := int64(f0_2) * int64(f4)
 
-	f0f5_2 := int64(f0_2) * int64(f5)
 
-	f0f6_2 := int64(f0_2) * int64(f6)
 
-	f0f7_2 := int64(f0_2) * int64(f7)
 
-	f0f8_2 := int64(f0_2) * int64(f8)
 
-	f0f9_2 := int64(f0_2) * int64(f9)
 
-	f1f1_2 := int64(f1_2) * int64(f1)
 
-	f1f2_2 := int64(f1_2) * int64(f2)
 
-	f1f3_4 := int64(f1_2) * int64(f3_2)
 
-	f1f4_2 := int64(f1_2) * int64(f4)
 
-	f1f5_4 := int64(f1_2) * int64(f5_2)
 
-	f1f6_2 := int64(f1_2) * int64(f6)
 
-	f1f7_4 := int64(f1_2) * int64(f7_2)
 
-	f1f8_2 := int64(f1_2) * int64(f8)
 
-	f1f9_76 := int64(f1_2) * int64(f9_38)
 
-	f2f2 := int64(f2) * int64(f2)
 
-	f2f3_2 := int64(f2_2) * int64(f3)
 
-	f2f4_2 := int64(f2_2) * int64(f4)
 
-	f2f5_2 := int64(f2_2) * int64(f5)
 
-	f2f6_2 := int64(f2_2) * int64(f6)
 
-	f2f7_2 := int64(f2_2) * int64(f7)
 
-	f2f8_38 := int64(f2_2) * int64(f8_19)
 
-	f2f9_38 := int64(f2) * int64(f9_38)
 
-	f3f3_2 := int64(f3_2) * int64(f3)
 
-	f3f4_2 := int64(f3_2) * int64(f4)
 
-	f3f5_4 := int64(f3_2) * int64(f5_2)
 
-	f3f6_2 := int64(f3_2) * int64(f6)
 
-	f3f7_76 := int64(f3_2) * int64(f7_38)
 
-	f3f8_38 := int64(f3_2) * int64(f8_19)
 
-	f3f9_76 := int64(f3_2) * int64(f9_38)
 
-	f4f4 := int64(f4) * int64(f4)
 
-	f4f5_2 := int64(f4_2) * int64(f5)
 
-	f4f6_38 := int64(f4_2) * int64(f6_19)
 
-	f4f7_38 := int64(f4) * int64(f7_38)
 
-	f4f8_38 := int64(f4_2) * int64(f8_19)
 
-	f4f9_38 := int64(f4) * int64(f9_38)
 
-	f5f5_38 := int64(f5) * int64(f5_38)
 
-	f5f6_38 := int64(f5_2) * int64(f6_19)
 
-	f5f7_76 := int64(f5_2) * int64(f7_38)
 
-	f5f8_38 := int64(f5_2) * int64(f8_19)
 
-	f5f9_76 := int64(f5_2) * int64(f9_38)
 
-	f6f6_19 := int64(f6) * int64(f6_19)
 
-	f6f7_38 := int64(f6) * int64(f7_38)
 
-	f6f8_38 := int64(f6_2) * int64(f8_19)
 
-	f6f9_38 := int64(f6) * int64(f9_38)
 
-	f7f7_38 := int64(f7) * int64(f7_38)
 
-	f7f8_38 := int64(f7_2) * int64(f8_19)
 
-	f7f9_76 := int64(f7_2) * int64(f9_38)
 
-	f8f8_19 := int64(f8) * int64(f8_19)
 
-	f8f9_38 := int64(f8) * int64(f9_38)
 
-	f9f9_38 := int64(f9) * int64(f9_38)
 
-	h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
 
-	h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
 
-	h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
 
-	h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
 
-	h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
 
-	h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
 
-	h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
 
-	h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
 
-	h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
 
-	h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
 
-	var carry [10]int64
 
-
 
-	carry[0] = (h0 + (1 << 25)) >> 26
 
-	h1 += carry[0]
 
-	h0 -= carry[0] << 26
 
-	carry[4] = (h4 + (1 << 25)) >> 26
 
-	h5 += carry[4]
 
-	h4 -= carry[4] << 26
 
-
 
-	carry[1] = (h1 + (1 << 24)) >> 25
 
-	h2 += carry[1]
 
-	h1 -= carry[1] << 25
 
-	carry[5] = (h5 + (1 << 24)) >> 25
 
-	h6 += carry[5]
 
-	h5 -= carry[5] << 25
 
-
 
-	carry[2] = (h2 + (1 << 25)) >> 26
 
-	h3 += carry[2]
 
-	h2 -= carry[2] << 26
 
-	carry[6] = (h6 + (1 << 25)) >> 26
 
-	h7 += carry[6]
 
-	h6 -= carry[6] << 26
 
-
 
-	carry[3] = (h3 + (1 << 24)) >> 25
 
-	h4 += carry[3]
 
-	h3 -= carry[3] << 25
 
-	carry[7] = (h7 + (1 << 24)) >> 25
 
-	h8 += carry[7]
 
-	h7 -= carry[7] << 25
 
-
 
-	carry[4] = (h4 + (1 << 25)) >> 26
 
-	h5 += carry[4]
 
-	h4 -= carry[4] << 26
 
-	carry[8] = (h8 + (1 << 25)) >> 26
 
-	h9 += carry[8]
 
-	h8 -= carry[8] << 26
 
-
 
-	carry[9] = (h9 + (1 << 24)) >> 25
 
-	h0 += carry[9] * 19
 
-	h9 -= carry[9] << 25
 
-
 
-	carry[0] = (h0 + (1 << 25)) >> 26
 
-	h1 += carry[0]
 
-	h0 -= carry[0] << 26
 
-
 
-	h[0] = int32(h0)
 
-	h[1] = int32(h1)
 
-	h[2] = int32(h2)
 
-	h[3] = int32(h3)
 
-	h[4] = int32(h4)
 
-	h[5] = int32(h5)
 
-	h[6] = int32(h6)
 
-	h[7] = int32(h7)
 
-	h[8] = int32(h8)
 
-	h[9] = int32(h9)
 
-}
 
-
 
-// feMul121666 calculates h = f * 121666. Can overlap h with f.
 
-//
 
-// Preconditions:
 
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
 
-//
 
-// Postconditions:
 
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
 
-func feMul121666(h, f *fieldElement) {
 
-	h0 := int64(f[0]) * 121666
 
-	h1 := int64(f[1]) * 121666
 
-	h2 := int64(f[2]) * 121666
 
-	h3 := int64(f[3]) * 121666
 
-	h4 := int64(f[4]) * 121666
 
-	h5 := int64(f[5]) * 121666
 
-	h6 := int64(f[6]) * 121666
 
-	h7 := int64(f[7]) * 121666
 
-	h8 := int64(f[8]) * 121666
 
-	h9 := int64(f[9]) * 121666
 
-	var carry [10]int64
 
-
 
-	carry[9] = (h9 + (1 << 24)) >> 25
 
-	h0 += carry[9] * 19
 
-	h9 -= carry[9] << 25
 
-	carry[1] = (h1 + (1 << 24)) >> 25
 
-	h2 += carry[1]
 
-	h1 -= carry[1] << 25
 
-	carry[3] = (h3 + (1 << 24)) >> 25
 
-	h4 += carry[3]
 
-	h3 -= carry[3] << 25
 
-	carry[5] = (h5 + (1 << 24)) >> 25
 
-	h6 += carry[5]
 
-	h5 -= carry[5] << 25
 
-	carry[7] = (h7 + (1 << 24)) >> 25
 
-	h8 += carry[7]
 
-	h7 -= carry[7] << 25
 
-
 
-	carry[0] = (h0 + (1 << 25)) >> 26
 
-	h1 += carry[0]
 
-	h0 -= carry[0] << 26
 
-	carry[2] = (h2 + (1 << 25)) >> 26
 
-	h3 += carry[2]
 
-	h2 -= carry[2] << 26
 
-	carry[4] = (h4 + (1 << 25)) >> 26
 
-	h5 += carry[4]
 
-	h4 -= carry[4] << 26
 
-	carry[6] = (h6 + (1 << 25)) >> 26
 
-	h7 += carry[6]
 
-	h6 -= carry[6] << 26
 
-	carry[8] = (h8 + (1 << 25)) >> 26
 
-	h9 += carry[8]
 
-	h8 -= carry[8] << 26
 
-
 
-	h[0] = int32(h0)
 
-	h[1] = int32(h1)
 
-	h[2] = int32(h2)
 
-	h[3] = int32(h3)
 
-	h[4] = int32(h4)
 
-	h[5] = int32(h5)
 
-	h[6] = int32(h6)
 
-	h[7] = int32(h7)
 
-	h[8] = int32(h8)
 
-	h[9] = int32(h9)
 
-}
 
-
 
-// feInvert sets out = z^-1.
 
-func feInvert(out, z *fieldElement) {
 
-	var t0, t1, t2, t3 fieldElement
 
-	var i int
 
-
 
-	feSquare(&t0, z)
 
-	for i = 1; i < 1; i++ {
 
-		feSquare(&t0, &t0)
 
-	}
 
-	feSquare(&t1, &t0)
 
-	for i = 1; i < 2; i++ {
 
-		feSquare(&t1, &t1)
 
-	}
 
-	feMul(&t1, z, &t1)
 
-	feMul(&t0, &t0, &t1)
 
-	feSquare(&t2, &t0)
 
-	for i = 1; i < 1; i++ {
 
-		feSquare(&t2, &t2)
 
-	}
 
-	feMul(&t1, &t1, &t2)
 
-	feSquare(&t2, &t1)
 
-	for i = 1; i < 5; i++ {
 
-		feSquare(&t2, &t2)
 
-	}
 
-	feMul(&t1, &t2, &t1)
 
-	feSquare(&t2, &t1)
 
-	for i = 1; i < 10; i++ {
 
-		feSquare(&t2, &t2)
 
-	}
 
-	feMul(&t2, &t2, &t1)
 
-	feSquare(&t3, &t2)
 
-	for i = 1; i < 20; i++ {
 
-		feSquare(&t3, &t3)
 
-	}
 
-	feMul(&t2, &t3, &t2)
 
-	feSquare(&t2, &t2)
 
-	for i = 1; i < 10; i++ {
 
-		feSquare(&t2, &t2)
 
-	}
 
-	feMul(&t1, &t2, &t1)
 
-	feSquare(&t2, &t1)
 
-	for i = 1; i < 50; i++ {
 
-		feSquare(&t2, &t2)
 
-	}
 
-	feMul(&t2, &t2, &t1)
 
-	feSquare(&t3, &t2)
 
-	for i = 1; i < 100; i++ {
 
-		feSquare(&t3, &t3)
 
-	}
 
-	feMul(&t2, &t3, &t2)
 
-	feSquare(&t2, &t2)
 
-	for i = 1; i < 50; i++ {
 
-		feSquare(&t2, &t2)
 
-	}
 
-	feMul(&t1, &t2, &t1)
 
-	feSquare(&t1, &t1)
 
-	for i = 1; i < 5; i++ {
 
-		feSquare(&t1, &t1)
 
-	}
 
-	feMul(out, &t1, &t0)
 
-}
 
-
 
-func scalarMult(out, in, base *[32]byte) {
 
-	var e [32]byte
 
-
 
-	copy(e[:], in[:])
 
-	e[0] &= 248
 
-	e[31] &= 127
 
-	e[31] |= 64
 
-
 
-	var x1, x2, z2, x3, z3, tmp0, tmp1 fieldElement
 
-	feFromBytes(&x1, base)
 
-	feOne(&x2)
 
-	feCopy(&x3, &x1)
 
-	feOne(&z3)
 
-
 
-	swap := int32(0)
 
-	for pos := 254; pos >= 0; pos-- {
 
-		b := e[pos/8] >> uint(pos&7)
 
-		b &= 1
 
-		swap ^= int32(b)
 
-		feCSwap(&x2, &x3, swap)
 
-		feCSwap(&z2, &z3, swap)
 
-		swap = int32(b)
 
-
 
-		feSub(&tmp0, &x3, &z3)
 
-		feSub(&tmp1, &x2, &z2)
 
-		feAdd(&x2, &x2, &z2)
 
-		feAdd(&z2, &x3, &z3)
 
-		feMul(&z3, &tmp0, &x2)
 
-		feMul(&z2, &z2, &tmp1)
 
-		feSquare(&tmp0, &tmp1)
 
-		feSquare(&tmp1, &x2)
 
-		feAdd(&x3, &z3, &z2)
 
-		feSub(&z2, &z3, &z2)
 
-		feMul(&x2, &tmp1, &tmp0)
 
-		feSub(&tmp1, &tmp1, &tmp0)
 
-		feSquare(&z2, &z2)
 
-		feMul121666(&z3, &tmp1)
 
-		feSquare(&x3, &x3)
 
-		feAdd(&tmp0, &tmp0, &z3)
 
-		feMul(&z3, &x1, &z2)
 
-		feMul(&z2, &tmp1, &tmp0)
 
-	}
 
-
 
-	feCSwap(&x2, &x3, swap)
 
-	feCSwap(&z2, &z3, swap)
 
-
 
-	feInvert(&z2, &z2)
 
-	feMul(&x2, &x2, &z2)
 
-	feToBytes(out, &x2)
 
-}

+ 0 - 23
vendor/golang.org/x/crypto/curve25519/doc.go
View File 

@@ -1,23 +0,0 @@
 
-// Copyright 2012 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// Package curve25519 provides an implementation of scalar multiplication on
 
-// the elliptic curve known as curve25519. See https://cr.yp.to/ecdh.html
 
-package curve25519 // import "golang.org/x/crypto/curve25519"
 
-
 
-// basePoint is the x coordinate of the generator of the curve.
 
-var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
 
-
 
-// ScalarMult sets dst to the product in*base where dst and base are the x
 
-// coordinates of group points and all values are in little-endian form.
 
-func ScalarMult(dst, in, base *[32]byte) {
 
-	scalarMult(dst, in, base)
 
-}
 
-
 
-// ScalarBaseMult sets dst to the product in*base where dst and base are the x
 
-// coordinates of group points, base is the standard generator and all values
 
-// are in little-endian form.
 
-func ScalarBaseMult(dst, in *[32]byte) {
 
-	ScalarMult(dst, in, &basePoint)
 
-}

+ 0 - 73
vendor/golang.org/x/crypto/curve25519/freeze_amd64.s
View File 

@@ -1,73 +0,0 @@
 
-// Copyright 2012 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// This code was translated into a form compatible with 6a from the public
 
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
 
-
 
-// +build amd64,!gccgo,!appengine
 
-
 
-#include "const_amd64.h"
 
-
 
-// func freeze(inout *[5]uint64)
 
-TEXT ·freeze(SB),7,$0-8
 
-	MOVQ inout+0(FP), DI
 
-
 
-	MOVQ 0(DI),SI
 
-	MOVQ 8(DI),DX
 
-	MOVQ 16(DI),CX
 
-	MOVQ 24(DI),R8
 
-	MOVQ 32(DI),R9
 
-	MOVQ $REDMASK51,AX
 
-	MOVQ AX,R10
 
-	SUBQ $18,R10
 
-	MOVQ $3,R11
 
-REDUCELOOP:
 
-	MOVQ SI,R12
 
-	SHRQ $51,R12
 
-	ANDQ AX,SI
 
-	ADDQ R12,DX
 
-	MOVQ DX,R12
 
-	SHRQ $51,R12
 
-	ANDQ AX,DX
 
-	ADDQ R12,CX
 
-	MOVQ CX,R12
 
-	SHRQ $51,R12
 
-	ANDQ AX,CX
 
-	ADDQ R12,R8
 
-	MOVQ R8,R12
 
-	SHRQ $51,R12
 
-	ANDQ AX,R8
 
-	ADDQ R12,R9
 
-	MOVQ R9,R12
 
-	SHRQ $51,R12
 
-	ANDQ AX,R9
 
-	IMUL3Q $19,R12,R12
 
-	ADDQ R12,SI
 
-	SUBQ $1,R11
 
-	JA REDUCELOOP
 
-	MOVQ $1,R12
 
-	CMPQ R10,SI
 
-	CMOVQLT R11,R12
 
-	CMPQ AX,DX
 
-	CMOVQNE R11,R12
 
-	CMPQ AX,CX
 
-	CMOVQNE R11,R12
 
-	CMPQ AX,R8
 
-	CMOVQNE R11,R12
 
-	CMPQ AX,R9
 
-	CMOVQNE R11,R12
 
-	NEGQ R12
 
-	ANDQ R12,AX
 
-	ANDQ R12,R10
 
-	SUBQ R10,SI
 
-	SUBQ AX,DX
 
-	SUBQ AX,CX
 
-	SUBQ AX,R8
 
-	SUBQ AX,R9
 
-	MOVQ SI,0(DI)
 
-	MOVQ DX,8(DI)
 
-	MOVQ CX,16(DI)
 
-	MOVQ R8,24(DI)
 
-	MOVQ R9,32(DI)
 
-	RET

+ 0 - 1377
vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s
View File 

@@ -1,1377 +0,0 @@
 
-// Copyright 2012 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// This code was translated into a form compatible with 6a from the public
 
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
 
-
 
-// +build amd64,!gccgo,!appengine
 
-
 
-#include "const_amd64.h"
 
-
 
-// func ladderstep(inout *[5][5]uint64)
 
-TEXT ·ladderstep(SB),0,$296-8
 
-	MOVQ inout+0(FP),DI
 
-
 
-	MOVQ 40(DI),SI
 
-	MOVQ 48(DI),DX
 
-	MOVQ 56(DI),CX
 
-	MOVQ 64(DI),R8
 
-	MOVQ 72(DI),R9
 
-	MOVQ SI,AX
 
-	MOVQ DX,R10
 
-	MOVQ CX,R11
 
-	MOVQ R8,R12
 
-	MOVQ R9,R13
 
-	ADDQ ·_2P0(SB),AX
 
-	ADDQ ·_2P1234(SB),R10
 
-	ADDQ ·_2P1234(SB),R11
 
-	ADDQ ·_2P1234(SB),R12
 
-	ADDQ ·_2P1234(SB),R13
 
-	ADDQ 80(DI),SI
 
-	ADDQ 88(DI),DX
 
-	ADDQ 96(DI),CX
 
-	ADDQ 104(DI),R8
 
-	ADDQ 112(DI),R9
 
-	SUBQ 80(DI),AX
 
-	SUBQ 88(DI),R10
 
-	SUBQ 96(DI),R11
 
-	SUBQ 104(DI),R12
 
-	SUBQ 112(DI),R13
 
-	MOVQ SI,0(SP)
 
-	MOVQ DX,8(SP)
 
-	MOVQ CX,16(SP)
 
-	MOVQ R8,24(SP)
 
-	MOVQ R9,32(SP)
 
-	MOVQ AX,40(SP)
 
-	MOVQ R10,48(SP)
 
-	MOVQ R11,56(SP)
 
-	MOVQ R12,64(SP)
 
-	MOVQ R13,72(SP)
 
-	MOVQ 40(SP),AX
 
-	MULQ 40(SP)
 
-	MOVQ AX,SI
 
-	MOVQ DX,CX
 
-	MOVQ 40(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 48(SP)
 
-	MOVQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 40(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 56(SP)
 
-	MOVQ AX,R10
 
-	MOVQ DX,R11
 
-	MOVQ 40(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 64(SP)
 
-	MOVQ AX,R12
 
-	MOVQ DX,R13
 
-	MOVQ 40(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 72(SP)
 
-	MOVQ AX,R14
 
-	MOVQ DX,R15
 
-	MOVQ 48(SP),AX
 
-	MULQ 48(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 48(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 56(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 48(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 64(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 48(SP),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 72(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 56(SP),AX
 
-	MULQ 56(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 56(SP),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 64(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 56(SP),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 72(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 64(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 64(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 64(SP),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 72(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 72(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 72(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ $REDMASK51,DX
 
-	SHLQ $13,CX:SI
 
-	ANDQ DX,SI
 
-	SHLQ $13,R9:R8
 
-	ANDQ DX,R8
 
-	ADDQ CX,R8
 
-	SHLQ $13,R11:R10
 
-	ANDQ DX,R10
 
-	ADDQ R9,R10
 
-	SHLQ $13,R13:R12
 
-	ANDQ DX,R12
 
-	ADDQ R11,R12
 
-	SHLQ $13,R15:R14
 
-	ANDQ DX,R14
 
-	ADDQ R13,R14
 
-	IMUL3Q $19,R15,CX
 
-	ADDQ CX,SI
 
-	MOVQ SI,CX
 
-	SHRQ $51,CX
 
-	ADDQ R8,CX
 
-	ANDQ DX,SI
 
-	MOVQ CX,R8
 
-	SHRQ $51,CX
 
-	ADDQ R10,CX
 
-	ANDQ DX,R8
 
-	MOVQ CX,R9
 
-	SHRQ $51,CX
 
-	ADDQ R12,CX
 
-	ANDQ DX,R9
 
-	MOVQ CX,AX
 
-	SHRQ $51,CX
 
-	ADDQ R14,CX
 
-	ANDQ DX,AX
 
-	MOVQ CX,R10
 
-	SHRQ $51,CX
 
-	IMUL3Q $19,CX,CX
 
-	ADDQ CX,SI
 
-	ANDQ DX,R10
 
-	MOVQ SI,80(SP)
 
-	MOVQ R8,88(SP)
 
-	MOVQ R9,96(SP)
 
-	MOVQ AX,104(SP)
 
-	MOVQ R10,112(SP)
 
-	MOVQ 0(SP),AX
 
-	MULQ 0(SP)
 
-	MOVQ AX,SI
 
-	MOVQ DX,CX
 
-	MOVQ 0(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 8(SP)
 
-	MOVQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 0(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 16(SP)
 
-	MOVQ AX,R10
 
-	MOVQ DX,R11
 
-	MOVQ 0(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 24(SP)
 
-	MOVQ AX,R12
 
-	MOVQ DX,R13
 
-	MOVQ 0(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 32(SP)
 
-	MOVQ AX,R14
 
-	MOVQ DX,R15
 
-	MOVQ 8(SP),AX
 
-	MULQ 8(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 8(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 16(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 8(SP),AX
 
-	SHLQ $1,AX
 
-	MULQ 24(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 8(SP),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 32(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 16(SP),AX
 
-	MULQ 16(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 16(SP),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 24(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 16(SP),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 32(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 24(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 24(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 24(SP),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 32(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 32(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 32(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ $REDMASK51,DX
 
-	SHLQ $13,CX:SI
 
-	ANDQ DX,SI
 
-	SHLQ $13,R9:R8
 
-	ANDQ DX,R8
 
-	ADDQ CX,R8
 
-	SHLQ $13,R11:R10
 
-	ANDQ DX,R10
 
-	ADDQ R9,R10
 
-	SHLQ $13,R13:R12
 
-	ANDQ DX,R12
 
-	ADDQ R11,R12
 
-	SHLQ $13,R15:R14
 
-	ANDQ DX,R14
 
-	ADDQ R13,R14
 
-	IMUL3Q $19,R15,CX
 
-	ADDQ CX,SI
 
-	MOVQ SI,CX
 
-	SHRQ $51,CX
 
-	ADDQ R8,CX
 
-	ANDQ DX,SI
 
-	MOVQ CX,R8
 
-	SHRQ $51,CX
 
-	ADDQ R10,CX
 
-	ANDQ DX,R8
 
-	MOVQ CX,R9
 
-	SHRQ $51,CX
 
-	ADDQ R12,CX
 
-	ANDQ DX,R9
 
-	MOVQ CX,AX
 
-	SHRQ $51,CX
 
-	ADDQ R14,CX
 
-	ANDQ DX,AX
 
-	MOVQ CX,R10
 
-	SHRQ $51,CX
 
-	IMUL3Q $19,CX,CX
 
-	ADDQ CX,SI
 
-	ANDQ DX,R10
 
-	MOVQ SI,120(SP)
 
-	MOVQ R8,128(SP)
 
-	MOVQ R9,136(SP)
 
-	MOVQ AX,144(SP)
 
-	MOVQ R10,152(SP)
 
-	MOVQ SI,SI
 
-	MOVQ R8,DX
 
-	MOVQ R9,CX
 
-	MOVQ AX,R8
 
-	MOVQ R10,R9
 
-	ADDQ ·_2P0(SB),SI
 
-	ADDQ ·_2P1234(SB),DX
 
-	ADDQ ·_2P1234(SB),CX
 
-	ADDQ ·_2P1234(SB),R8
 
-	ADDQ ·_2P1234(SB),R9
 
-	SUBQ 80(SP),SI
 
-	SUBQ 88(SP),DX
 
-	SUBQ 96(SP),CX
 
-	SUBQ 104(SP),R8
 
-	SUBQ 112(SP),R9
 
-	MOVQ SI,160(SP)
 
-	MOVQ DX,168(SP)
 
-	MOVQ CX,176(SP)
 
-	MOVQ R8,184(SP)
 
-	MOVQ R9,192(SP)
 
-	MOVQ 120(DI),SI
 
-	MOVQ 128(DI),DX
 
-	MOVQ 136(DI),CX
 
-	MOVQ 144(DI),R8
 
-	MOVQ 152(DI),R9
 
-	MOVQ SI,AX
 
-	MOVQ DX,R10
 
-	MOVQ CX,R11
 
-	MOVQ R8,R12
 
-	MOVQ R9,R13
 
-	ADDQ ·_2P0(SB),AX
 
-	ADDQ ·_2P1234(SB),R10
 
-	ADDQ ·_2P1234(SB),R11
 
-	ADDQ ·_2P1234(SB),R12
 
-	ADDQ ·_2P1234(SB),R13
 
-	ADDQ 160(DI),SI
 
-	ADDQ 168(DI),DX
 
-	ADDQ 176(DI),CX
 
-	ADDQ 184(DI),R8
 
-	ADDQ 192(DI),R9
 
-	SUBQ 160(DI),AX
 
-	SUBQ 168(DI),R10
 
-	SUBQ 176(DI),R11
 
-	SUBQ 184(DI),R12
 
-	SUBQ 192(DI),R13
 
-	MOVQ SI,200(SP)
 
-	MOVQ DX,208(SP)
 
-	MOVQ CX,216(SP)
 
-	MOVQ R8,224(SP)
 
-	MOVQ R9,232(SP)
 
-	MOVQ AX,240(SP)
 
-	MOVQ R10,248(SP)
 
-	MOVQ R11,256(SP)
 
-	MOVQ R12,264(SP)
 
-	MOVQ R13,272(SP)
 
-	MOVQ 224(SP),SI
 
-	IMUL3Q $19,SI,AX
 
-	MOVQ AX,280(SP)
 
-	MULQ 56(SP)
 
-	MOVQ AX,SI
 
-	MOVQ DX,CX
 
-	MOVQ 232(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MOVQ AX,288(SP)
 
-	MULQ 48(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 200(SP),AX
 
-	MULQ 40(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 200(SP),AX
 
-	MULQ 48(SP)
 
-	MOVQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 200(SP),AX
 
-	MULQ 56(SP)
 
-	MOVQ AX,R10
 
-	MOVQ DX,R11
 
-	MOVQ 200(SP),AX
 
-	MULQ 64(SP)
 
-	MOVQ AX,R12
 
-	MOVQ DX,R13
 
-	MOVQ 200(SP),AX
 
-	MULQ 72(SP)
 
-	MOVQ AX,R14
 
-	MOVQ DX,R15
 
-	MOVQ 208(SP),AX
 
-	MULQ 40(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 208(SP),AX
 
-	MULQ 48(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 208(SP),AX
 
-	MULQ 56(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 208(SP),AX
 
-	MULQ 64(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 208(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 72(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 216(SP),AX
 
-	MULQ 40(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 216(SP),AX
 
-	MULQ 48(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 216(SP),AX
 
-	MULQ 56(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 216(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 64(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 216(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 72(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 224(SP),AX
 
-	MULQ 40(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 224(SP),AX
 
-	MULQ 48(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 280(SP),AX
 
-	MULQ 64(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 280(SP),AX
 
-	MULQ 72(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 232(SP),AX
 
-	MULQ 40(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 288(SP),AX
 
-	MULQ 56(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 288(SP),AX
 
-	MULQ 64(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 288(SP),AX
 
-	MULQ 72(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ $REDMASK51,DX
 
-	SHLQ $13,CX:SI
 
-	ANDQ DX,SI
 
-	SHLQ $13,R9:R8
 
-	ANDQ DX,R8
 
-	ADDQ CX,R8
 
-	SHLQ $13,R11:R10
 
-	ANDQ DX,R10
 
-	ADDQ R9,R10
 
-	SHLQ $13,R13:R12
 
-	ANDQ DX,R12
 
-	ADDQ R11,R12
 
-	SHLQ $13,R15:R14
 
-	ANDQ DX,R14
 
-	ADDQ R13,R14
 
-	IMUL3Q $19,R15,CX
 
-	ADDQ CX,SI
 
-	MOVQ SI,CX
 
-	SHRQ $51,CX
 
-	ADDQ R8,CX
 
-	MOVQ CX,R8
 
-	SHRQ $51,CX
 
-	ANDQ DX,SI
 
-	ADDQ R10,CX
 
-	MOVQ CX,R9
 
-	SHRQ $51,CX
 
-	ANDQ DX,R8
 
-	ADDQ R12,CX
 
-	MOVQ CX,AX
 
-	SHRQ $51,CX
 
-	ANDQ DX,R9
 
-	ADDQ R14,CX
 
-	MOVQ CX,R10
 
-	SHRQ $51,CX
 
-	ANDQ DX,AX
 
-	IMUL3Q $19,CX,CX
 
-	ADDQ CX,SI
 
-	ANDQ DX,R10
 
-	MOVQ SI,40(SP)
 
-	MOVQ R8,48(SP)
 
-	MOVQ R9,56(SP)
 
-	MOVQ AX,64(SP)
 
-	MOVQ R10,72(SP)
 
-	MOVQ 264(SP),SI
 
-	IMUL3Q $19,SI,AX
 
-	MOVQ AX,200(SP)
 
-	MULQ 16(SP)
 
-	MOVQ AX,SI
 
-	MOVQ DX,CX
 
-	MOVQ 272(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MOVQ AX,208(SP)
 
-	MULQ 8(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 240(SP),AX
 
-	MULQ 0(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 240(SP),AX
 
-	MULQ 8(SP)
 
-	MOVQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 240(SP),AX
 
-	MULQ 16(SP)
 
-	MOVQ AX,R10
 
-	MOVQ DX,R11
 
-	MOVQ 240(SP),AX
 
-	MULQ 24(SP)
 
-	MOVQ AX,R12
 
-	MOVQ DX,R13
 
-	MOVQ 240(SP),AX
 
-	MULQ 32(SP)
 
-	MOVQ AX,R14
 
-	MOVQ DX,R15
 
-	MOVQ 248(SP),AX
 
-	MULQ 0(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 248(SP),AX
 
-	MULQ 8(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 248(SP),AX
 
-	MULQ 16(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 248(SP),AX
 
-	MULQ 24(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 248(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 32(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 256(SP),AX
 
-	MULQ 0(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 256(SP),AX
 
-	MULQ 8(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 256(SP),AX
 
-	MULQ 16(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 256(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 24(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 256(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 32(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 264(SP),AX
 
-	MULQ 0(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 264(SP),AX
 
-	MULQ 8(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 200(SP),AX
 
-	MULQ 24(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 200(SP),AX
 
-	MULQ 32(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 272(SP),AX
 
-	MULQ 0(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 208(SP),AX
 
-	MULQ 16(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 208(SP),AX
 
-	MULQ 24(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 208(SP),AX
 
-	MULQ 32(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ $REDMASK51,DX
 
-	SHLQ $13,CX:SI
 
-	ANDQ DX,SI
 
-	SHLQ $13,R9:R8
 
-	ANDQ DX,R8
 
-	ADDQ CX,R8
 
-	SHLQ $13,R11:R10
 
-	ANDQ DX,R10
 
-	ADDQ R9,R10
 
-	SHLQ $13,R13:R12
 
-	ANDQ DX,R12
 
-	ADDQ R11,R12
 
-	SHLQ $13,R15:R14
 
-	ANDQ DX,R14
 
-	ADDQ R13,R14
 
-	IMUL3Q $19,R15,CX
 
-	ADDQ CX,SI
 
-	MOVQ SI,CX
 
-	SHRQ $51,CX
 
-	ADDQ R8,CX
 
-	MOVQ CX,R8
 
-	SHRQ $51,CX
 
-	ANDQ DX,SI
 
-	ADDQ R10,CX
 
-	MOVQ CX,R9
 
-	SHRQ $51,CX
 
-	ANDQ DX,R8
 
-	ADDQ R12,CX
 
-	MOVQ CX,AX
 
-	SHRQ $51,CX
 
-	ANDQ DX,R9
 
-	ADDQ R14,CX
 
-	MOVQ CX,R10
 
-	SHRQ $51,CX
 
-	ANDQ DX,AX
 
-	IMUL3Q $19,CX,CX
 
-	ADDQ CX,SI
 
-	ANDQ DX,R10
 
-	MOVQ SI,DX
 
-	MOVQ R8,CX
 
-	MOVQ R9,R11
 
-	MOVQ AX,R12
 
-	MOVQ R10,R13
 
-	ADDQ ·_2P0(SB),DX
 
-	ADDQ ·_2P1234(SB),CX
 
-	ADDQ ·_2P1234(SB),R11
 
-	ADDQ ·_2P1234(SB),R12
 
-	ADDQ ·_2P1234(SB),R13
 
-	ADDQ 40(SP),SI
 
-	ADDQ 48(SP),R8
 
-	ADDQ 56(SP),R9
 
-	ADDQ 64(SP),AX
 
-	ADDQ 72(SP),R10
 
-	SUBQ 40(SP),DX
 
-	SUBQ 48(SP),CX
 
-	SUBQ 56(SP),R11
 
-	SUBQ 64(SP),R12
 
-	SUBQ 72(SP),R13
 
-	MOVQ SI,120(DI)
 
-	MOVQ R8,128(DI)
 
-	MOVQ R9,136(DI)
 
-	MOVQ AX,144(DI)
 
-	MOVQ R10,152(DI)
 
-	MOVQ DX,160(DI)
 
-	MOVQ CX,168(DI)
 
-	MOVQ R11,176(DI)
 
-	MOVQ R12,184(DI)
 
-	MOVQ R13,192(DI)
 
-	MOVQ 120(DI),AX
 
-	MULQ 120(DI)
 
-	MOVQ AX,SI
 
-	MOVQ DX,CX
 
-	MOVQ 120(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 128(DI)
 
-	MOVQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 120(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 136(DI)
 
-	MOVQ AX,R10
 
-	MOVQ DX,R11
 
-	MOVQ 120(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 144(DI)
 
-	MOVQ AX,R12
 
-	MOVQ DX,R13
 
-	MOVQ 120(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 152(DI)
 
-	MOVQ AX,R14
 
-	MOVQ DX,R15
 
-	MOVQ 128(DI),AX
 
-	MULQ 128(DI)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 128(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 136(DI)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 128(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 144(DI)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 128(DI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 152(DI)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 136(DI),AX
 
-	MULQ 136(DI)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 136(DI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 144(DI)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 136(DI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 152(DI)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 144(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 144(DI)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 144(DI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 152(DI)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 152(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 152(DI)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ $REDMASK51,DX
 
-	SHLQ $13,CX:SI
 
-	ANDQ DX,SI
 
-	SHLQ $13,R9:R8
 
-	ANDQ DX,R8
 
-	ADDQ CX,R8
 
-	SHLQ $13,R11:R10
 
-	ANDQ DX,R10
 
-	ADDQ R9,R10
 
-	SHLQ $13,R13:R12
 
-	ANDQ DX,R12
 
-	ADDQ R11,R12
 
-	SHLQ $13,R15:R14
 
-	ANDQ DX,R14
 
-	ADDQ R13,R14
 
-	IMUL3Q $19,R15,CX
 
-	ADDQ CX,SI
 
-	MOVQ SI,CX
 
-	SHRQ $51,CX
 
-	ADDQ R8,CX
 
-	ANDQ DX,SI
 
-	MOVQ CX,R8
 
-	SHRQ $51,CX
 
-	ADDQ R10,CX
 
-	ANDQ DX,R8
 
-	MOVQ CX,R9
 
-	SHRQ $51,CX
 
-	ADDQ R12,CX
 
-	ANDQ DX,R9
 
-	MOVQ CX,AX
 
-	SHRQ $51,CX
 
-	ADDQ R14,CX
 
-	ANDQ DX,AX
 
-	MOVQ CX,R10
 
-	SHRQ $51,CX
 
-	IMUL3Q $19,CX,CX
 
-	ADDQ CX,SI
 
-	ANDQ DX,R10
 
-	MOVQ SI,120(DI)
 
-	MOVQ R8,128(DI)
 
-	MOVQ R9,136(DI)
 
-	MOVQ AX,144(DI)
 
-	MOVQ R10,152(DI)
 
-	MOVQ 160(DI),AX
 
-	MULQ 160(DI)
 
-	MOVQ AX,SI
 
-	MOVQ DX,CX
 
-	MOVQ 160(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 168(DI)
 
-	MOVQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 160(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 176(DI)
 
-	MOVQ AX,R10
 
-	MOVQ DX,R11
 
-	MOVQ 160(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 184(DI)
 
-	MOVQ AX,R12
 
-	MOVQ DX,R13
 
-	MOVQ 160(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 192(DI)
 
-	MOVQ AX,R14
 
-	MOVQ DX,R15
 
-	MOVQ 168(DI),AX
 
-	MULQ 168(DI)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 168(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 176(DI)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 168(DI),AX
 
-	SHLQ $1,AX
 
-	MULQ 184(DI)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 168(DI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 192(DI)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 176(DI),AX
 
-	MULQ 176(DI)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 176(DI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 184(DI)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 176(DI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 192(DI)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 184(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 184(DI)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 184(DI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 192(DI)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 192(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 192(DI)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ $REDMASK51,DX
 
-	SHLQ $13,CX:SI
 
-	ANDQ DX,SI
 
-	SHLQ $13,R9:R8
 
-	ANDQ DX,R8
 
-	ADDQ CX,R8
 
-	SHLQ $13,R11:R10
 
-	ANDQ DX,R10
 
-	ADDQ R9,R10
 
-	SHLQ $13,R13:R12
 
-	ANDQ DX,R12
 
-	ADDQ R11,R12
 
-	SHLQ $13,R15:R14
 
-	ANDQ DX,R14
 
-	ADDQ R13,R14
 
-	IMUL3Q $19,R15,CX
 
-	ADDQ CX,SI
 
-	MOVQ SI,CX
 
-	SHRQ $51,CX
 
-	ADDQ R8,CX
 
-	ANDQ DX,SI
 
-	MOVQ CX,R8
 
-	SHRQ $51,CX
 
-	ADDQ R10,CX
 
-	ANDQ DX,R8
 
-	MOVQ CX,R9
 
-	SHRQ $51,CX
 
-	ADDQ R12,CX
 
-	ANDQ DX,R9
 
-	MOVQ CX,AX
 
-	SHRQ $51,CX
 
-	ADDQ R14,CX
 
-	ANDQ DX,AX
 
-	MOVQ CX,R10
 
-	SHRQ $51,CX
 
-	IMUL3Q $19,CX,CX
 
-	ADDQ CX,SI
 
-	ANDQ DX,R10
 
-	MOVQ SI,160(DI)
 
-	MOVQ R8,168(DI)
 
-	MOVQ R9,176(DI)
 
-	MOVQ AX,184(DI)
 
-	MOVQ R10,192(DI)
 
-	MOVQ 184(DI),SI
 
-	IMUL3Q $19,SI,AX
 
-	MOVQ AX,0(SP)
 
-	MULQ 16(DI)
 
-	MOVQ AX,SI
 
-	MOVQ DX,CX
 
-	MOVQ 192(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MOVQ AX,8(SP)
 
-	MULQ 8(DI)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 160(DI),AX
 
-	MULQ 0(DI)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 160(DI),AX
 
-	MULQ 8(DI)
 
-	MOVQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 160(DI),AX
 
-	MULQ 16(DI)
 
-	MOVQ AX,R10
 
-	MOVQ DX,R11
 
-	MOVQ 160(DI),AX
 
-	MULQ 24(DI)
 
-	MOVQ AX,R12
 
-	MOVQ DX,R13
 
-	MOVQ 160(DI),AX
 
-	MULQ 32(DI)
 
-	MOVQ AX,R14
 
-	MOVQ DX,R15
 
-	MOVQ 168(DI),AX
 
-	MULQ 0(DI)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 168(DI),AX
 
-	MULQ 8(DI)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 168(DI),AX
 
-	MULQ 16(DI)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 168(DI),AX
 
-	MULQ 24(DI)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 168(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 32(DI)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 176(DI),AX
 
-	MULQ 0(DI)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 176(DI),AX
 
-	MULQ 8(DI)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 176(DI),AX
 
-	MULQ 16(DI)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 176(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 24(DI)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 176(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 32(DI)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 184(DI),AX
 
-	MULQ 0(DI)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 184(DI),AX
 
-	MULQ 8(DI)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 0(SP),AX
 
-	MULQ 24(DI)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 0(SP),AX
 
-	MULQ 32(DI)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 192(DI),AX
 
-	MULQ 0(DI)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 8(SP),AX
 
-	MULQ 16(DI)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 8(SP),AX
 
-	MULQ 24(DI)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 8(SP),AX
 
-	MULQ 32(DI)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ $REDMASK51,DX
 
-	SHLQ $13,CX:SI
 
-	ANDQ DX,SI
 
-	SHLQ $13,R9:R8
 
-	ANDQ DX,R8
 
-	ADDQ CX,R8
 
-	SHLQ $13,R11:R10
 
-	ANDQ DX,R10
 
-	ADDQ R9,R10
 
-	SHLQ $13,R13:R12
 
-	ANDQ DX,R12
 
-	ADDQ R11,R12
 
-	SHLQ $13,R15:R14
 
-	ANDQ DX,R14
 
-	ADDQ R13,R14
 
-	IMUL3Q $19,R15,CX
 
-	ADDQ CX,SI
 
-	MOVQ SI,CX
 
-	SHRQ $51,CX
 
-	ADDQ R8,CX
 
-	MOVQ CX,R8
 
-	SHRQ $51,CX
 
-	ANDQ DX,SI
 
-	ADDQ R10,CX
 
-	MOVQ CX,R9
 
-	SHRQ $51,CX
 
-	ANDQ DX,R8
 
-	ADDQ R12,CX
 
-	MOVQ CX,AX
 
-	SHRQ $51,CX
 
-	ANDQ DX,R9
 
-	ADDQ R14,CX
 
-	MOVQ CX,R10
 
-	SHRQ $51,CX
 
-	ANDQ DX,AX
 
-	IMUL3Q $19,CX,CX
 
-	ADDQ CX,SI
 
-	ANDQ DX,R10
 
-	MOVQ SI,160(DI)
 
-	MOVQ R8,168(DI)
 
-	MOVQ R9,176(DI)
 
-	MOVQ AX,184(DI)
 
-	MOVQ R10,192(DI)
 
-	MOVQ 144(SP),SI
 
-	IMUL3Q $19,SI,AX
 
-	MOVQ AX,0(SP)
 
-	MULQ 96(SP)
 
-	MOVQ AX,SI
 
-	MOVQ DX,CX
 
-	MOVQ 152(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MOVQ AX,8(SP)
 
-	MULQ 88(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 120(SP),AX
 
-	MULQ 80(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 120(SP),AX
 
-	MULQ 88(SP)
 
-	MOVQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 120(SP),AX
 
-	MULQ 96(SP)
 
-	MOVQ AX,R10
 
-	MOVQ DX,R11
 
-	MOVQ 120(SP),AX
 
-	MULQ 104(SP)
 
-	MOVQ AX,R12
 
-	MOVQ DX,R13
 
-	MOVQ 120(SP),AX
 
-	MULQ 112(SP)
 
-	MOVQ AX,R14
 
-	MOVQ DX,R15
 
-	MOVQ 128(SP),AX
 
-	MULQ 80(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 128(SP),AX
 
-	MULQ 88(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 128(SP),AX
 
-	MULQ 96(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 128(SP),AX
 
-	MULQ 104(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 128(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 112(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 136(SP),AX
 
-	MULQ 80(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 136(SP),AX
 
-	MULQ 88(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 136(SP),AX
 
-	MULQ 96(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 136(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 104(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 136(SP),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 112(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 144(SP),AX
 
-	MULQ 80(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 144(SP),AX
 
-	MULQ 88(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 0(SP),AX
 
-	MULQ 104(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 0(SP),AX
 
-	MULQ 112(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 152(SP),AX
 
-	MULQ 80(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 8(SP),AX
 
-	MULQ 96(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 8(SP),AX
 
-	MULQ 104(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 8(SP),AX
 
-	MULQ 112(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ $REDMASK51,DX
 
-	SHLQ $13,CX:SI
 
-	ANDQ DX,SI
 
-	SHLQ $13,R9:R8
 
-	ANDQ DX,R8
 
-	ADDQ CX,R8
 
-	SHLQ $13,R11:R10
 
-	ANDQ DX,R10
 
-	ADDQ R9,R10
 
-	SHLQ $13,R13:R12
 
-	ANDQ DX,R12
 
-	ADDQ R11,R12
 
-	SHLQ $13,R15:R14
 
-	ANDQ DX,R14
 
-	ADDQ R13,R14
 
-	IMUL3Q $19,R15,CX
 
-	ADDQ CX,SI
 
-	MOVQ SI,CX
 
-	SHRQ $51,CX
 
-	ADDQ R8,CX
 
-	MOVQ CX,R8
 
-	SHRQ $51,CX
 
-	ANDQ DX,SI
 
-	ADDQ R10,CX
 
-	MOVQ CX,R9
 
-	SHRQ $51,CX
 
-	ANDQ DX,R8
 
-	ADDQ R12,CX
 
-	MOVQ CX,AX
 
-	SHRQ $51,CX
 
-	ANDQ DX,R9
 
-	ADDQ R14,CX
 
-	MOVQ CX,R10
 
-	SHRQ $51,CX
 
-	ANDQ DX,AX
 
-	IMUL3Q $19,CX,CX
 
-	ADDQ CX,SI
 
-	ANDQ DX,R10
 
-	MOVQ SI,40(DI)
 
-	MOVQ R8,48(DI)
 
-	MOVQ R9,56(DI)
 
-	MOVQ AX,64(DI)
 
-	MOVQ R10,72(DI)
 
-	MOVQ 160(SP),AX
 
-	MULQ ·_121666_213(SB)
 
-	SHRQ $13,AX
 
-	MOVQ AX,SI
 
-	MOVQ DX,CX
 
-	MOVQ 168(SP),AX
 
-	MULQ ·_121666_213(SB)
 
-	SHRQ $13,AX
 
-	ADDQ AX,CX
 
-	MOVQ DX,R8
 
-	MOVQ 176(SP),AX
 
-	MULQ ·_121666_213(SB)
 
-	SHRQ $13,AX
 
-	ADDQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 184(SP),AX
 
-	MULQ ·_121666_213(SB)
 
-	SHRQ $13,AX
 
-	ADDQ AX,R9
 
-	MOVQ DX,R10
 
-	MOVQ 192(SP),AX
 
-	MULQ ·_121666_213(SB)
 
-	SHRQ $13,AX
 
-	ADDQ AX,R10
 
-	IMUL3Q $19,DX,DX
 
-	ADDQ DX,SI
 
-	ADDQ 80(SP),SI
 
-	ADDQ 88(SP),CX
 
-	ADDQ 96(SP),R8
 
-	ADDQ 104(SP),R9
 
-	ADDQ 112(SP),R10
 
-	MOVQ SI,80(DI)
 
-	MOVQ CX,88(DI)
 
-	MOVQ R8,96(DI)
 
-	MOVQ R9,104(DI)
 
-	MOVQ R10,112(DI)
 
-	MOVQ 104(DI),SI
 
-	IMUL3Q $19,SI,AX
 
-	MOVQ AX,0(SP)
 
-	MULQ 176(SP)
 
-	MOVQ AX,SI
 
-	MOVQ DX,CX
 
-	MOVQ 112(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MOVQ AX,8(SP)
 
-	MULQ 168(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 80(DI),AX
 
-	MULQ 160(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 80(DI),AX
 
-	MULQ 168(SP)
 
-	MOVQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 80(DI),AX
 
-	MULQ 176(SP)
 
-	MOVQ AX,R10
 
-	MOVQ DX,R11
 
-	MOVQ 80(DI),AX
 
-	MULQ 184(SP)
 
-	MOVQ AX,R12
 
-	MOVQ DX,R13
 
-	MOVQ 80(DI),AX
 
-	MULQ 192(SP)
 
-	MOVQ AX,R14
 
-	MOVQ DX,R15
 
-	MOVQ 88(DI),AX
 
-	MULQ 160(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 88(DI),AX
 
-	MULQ 168(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 88(DI),AX
 
-	MULQ 176(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 88(DI),AX
 
-	MULQ 184(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 88(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 192(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 96(DI),AX
 
-	MULQ 160(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 96(DI),AX
 
-	MULQ 168(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 96(DI),AX
 
-	MULQ 176(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 96(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 184(SP)
 
-	ADDQ AX,SI
 
-	ADCQ DX,CX
 
-	MOVQ 96(DI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 192(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 104(DI),AX
 
-	MULQ 160(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 104(DI),AX
 
-	MULQ 168(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 0(SP),AX
 
-	MULQ 184(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 0(SP),AX
 
-	MULQ 192(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 112(DI),AX
 
-	MULQ 160(SP)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 8(SP),AX
 
-	MULQ 176(SP)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 8(SP),AX
 
-	MULQ 184(SP)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 8(SP),AX
 
-	MULQ 192(SP)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ $REDMASK51,DX
 
-	SHLQ $13,CX:SI
 
-	ANDQ DX,SI
 
-	SHLQ $13,R9:R8
 
-	ANDQ DX,R8
 
-	ADDQ CX,R8
 
-	SHLQ $13,R11:R10
 
-	ANDQ DX,R10
 
-	ADDQ R9,R10
 
-	SHLQ $13,R13:R12
 
-	ANDQ DX,R12
 
-	ADDQ R11,R12
 
-	SHLQ $13,R15:R14
 
-	ANDQ DX,R14
 
-	ADDQ R13,R14
 
-	IMUL3Q $19,R15,CX
 
-	ADDQ CX,SI
 
-	MOVQ SI,CX
 
-	SHRQ $51,CX
 
-	ADDQ R8,CX
 
-	MOVQ CX,R8
 
-	SHRQ $51,CX
 
-	ANDQ DX,SI
 
-	ADDQ R10,CX
 
-	MOVQ CX,R9
 
-	SHRQ $51,CX
 
-	ANDQ DX,R8
 
-	ADDQ R12,CX
 
-	MOVQ CX,AX
 
-	SHRQ $51,CX
 
-	ANDQ DX,R9
 
-	ADDQ R14,CX
 
-	MOVQ CX,R10
 
-	SHRQ $51,CX
 
-	ANDQ DX,AX
 
-	IMUL3Q $19,CX,CX
 
-	ADDQ CX,SI
 
-	ANDQ DX,R10
 
-	MOVQ SI,80(DI)
 
-	MOVQ R8,88(DI)
 
-	MOVQ R9,96(DI)
 
-	MOVQ AX,104(DI)
 
-	MOVQ R10,112(DI)
 
-	RET

+ 0 - 240
vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go
View File 

@@ -1,240 +0,0 @@
 
-// Copyright 2012 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// +build amd64,!gccgo,!appengine
 
-
 
-package curve25519
 
-
 
-// These functions are implemented in the .s files. The names of the functions
 
-// in the rest of the file are also taken from the SUPERCOP sources to help
 
-// people following along.
 
-
 
-//go:noescape
 
-
 
-func cswap(inout *[5]uint64, v uint64)
 
-
 
-//go:noescape
 
-
 
-func ladderstep(inout *[5][5]uint64)
 
-
 
-//go:noescape
 
-
 
-func freeze(inout *[5]uint64)
 
-
 
-//go:noescape
 
-
 
-func mul(dest, a, b *[5]uint64)
 
-
 
-//go:noescape
 
-
 
-func square(out, in *[5]uint64)
 
-
 
-// mladder uses a Montgomery ladder to calculate (xr/zr) *= s.
 
-func mladder(xr, zr *[5]uint64, s *[32]byte) {
 
-	var work [5][5]uint64
 
-
 
-	work[0] = *xr
 
-	setint(&work[1], 1)
 
-	setint(&work[2], 0)
 
-	work[3] = *xr
 
-	setint(&work[4], 1)
 
-
 
-	j := uint(6)
 
-	var prevbit byte
 
-
 
-	for i := 31; i >= 0; i-- {
 
-		for j < 8 {
 
-			bit := ((*s)[i] >> j) & 1
 
-			swap := bit ^ prevbit
 
-			prevbit = bit
 
-			cswap(&work[1], uint64(swap))
 
-			ladderstep(&work)
 
-			j--
 
-		}
 
-		j = 7
 
-	}
 
-
 
-	*xr = work[1]
 
-	*zr = work[2]
 
-}
 
-
 
-func scalarMult(out, in, base *[32]byte) {
 
-	var e [32]byte
 
-	copy(e[:], (*in)[:])
 
-	e[0] &= 248
 
-	e[31] &= 127
 
-	e[31] |= 64
 
-
 
-	var t, z [5]uint64
 
-	unpack(&t, base)
 
-	mladder(&t, &z, &e)
 
-	invert(&z, &z)
 
-	mul(&t, &t, &z)
 
-	pack(out, &t)
 
-}
 
-
 
-func setint(r *[5]uint64, v uint64) {
 
-	r[0] = v
 
-	r[1] = 0
 
-	r[2] = 0
 
-	r[3] = 0
 
-	r[4] = 0
 
-}
 
-
 
-// unpack sets r = x where r consists of 5, 51-bit limbs in little-endian
 
-// order.
 
-func unpack(r *[5]uint64, x *[32]byte) {
 
-	r[0] = uint64(x[0]) |
 
-		uint64(x[1])<<8 |
 
-		uint64(x[2])<<16 |
 
-		uint64(x[3])<<24 |
 
-		uint64(x[4])<<32 |
 
-		uint64(x[5])<<40 |
 
-		uint64(x[6]&7)<<48
 
-
 
-	r[1] = uint64(x[6])>>3 |
 
-		uint64(x[7])<<5 |
 
-		uint64(x[8])<<13 |
 
-		uint64(x[9])<<21 |
 
-		uint64(x[10])<<29 |
 
-		uint64(x[11])<<37 |
 
-		uint64(x[12]&63)<<45
 
-
 
-	r[2] = uint64(x[12])>>6 |
 
-		uint64(x[13])<<2 |
 
-		uint64(x[14])<<10 |
 
-		uint64(x[15])<<18 |
 
-		uint64(x[16])<<26 |
 
-		uint64(x[17])<<34 |
 
-		uint64(x[18])<<42 |
 
-		uint64(x[19]&1)<<50
 
-
 
-	r[3] = uint64(x[19])>>1 |
 
-		uint64(x[20])<<7 |
 
-		uint64(x[21])<<15 |
 
-		uint64(x[22])<<23 |
 
-		uint64(x[23])<<31 |
 
-		uint64(x[24])<<39 |
 
-		uint64(x[25]&15)<<47
 
-
 
-	r[4] = uint64(x[25])>>4 |
 
-		uint64(x[26])<<4 |
 
-		uint64(x[27])<<12 |
 
-		uint64(x[28])<<20 |
 
-		uint64(x[29])<<28 |
 
-		uint64(x[30])<<36 |
 
-		uint64(x[31]&127)<<44
 
-}
 
-
 
-// pack sets out = x where out is the usual, little-endian form of the 5,
 
-// 51-bit limbs in x.
 
-func pack(out *[32]byte, x *[5]uint64) {
 
-	t := *x
 
-	freeze(&t)
 
-
 
-	out[0] = byte(t[0])
 
-	out[1] = byte(t[0] >> 8)
 
-	out[2] = byte(t[0] >> 16)
 
-	out[3] = byte(t[0] >> 24)
 
-	out[4] = byte(t[0] >> 32)
 
-	out[5] = byte(t[0] >> 40)
 
-	out[6] = byte(t[0] >> 48)
 
-
 
-	out[6] ^= byte(t[1]<<3) & 0xf8
 
-	out[7] = byte(t[1] >> 5)
 
-	out[8] = byte(t[1] >> 13)
 
-	out[9] = byte(t[1] >> 21)
 
-	out[10] = byte(t[1] >> 29)
 
-	out[11] = byte(t[1] >> 37)
 
-	out[12] = byte(t[1] >> 45)
 
-
 
-	out[12] ^= byte(t[2]<<6) & 0xc0
 
-	out[13] = byte(t[2] >> 2)
 
-	out[14] = byte(t[2] >> 10)
 
-	out[15] = byte(t[2] >> 18)
 
-	out[16] = byte(t[2] >> 26)
 
-	out[17] = byte(t[2] >> 34)
 
-	out[18] = byte(t[2] >> 42)
 
-	out[19] = byte(t[2] >> 50)
 
-
 
-	out[19] ^= byte(t[3]<<1) & 0xfe
 
-	out[20] = byte(t[3] >> 7)
 
-	out[21] = byte(t[3] >> 15)
 
-	out[22] = byte(t[3] >> 23)
 
-	out[23] = byte(t[3] >> 31)
 
-	out[24] = byte(t[3] >> 39)
 
-	out[25] = byte(t[3] >> 47)
 
-
 
-	out[25] ^= byte(t[4]<<4) & 0xf0
 
-	out[26] = byte(t[4] >> 4)
 
-	out[27] = byte(t[4] >> 12)
 
-	out[28] = byte(t[4] >> 20)
 
-	out[29] = byte(t[4] >> 28)
 
-	out[30] = byte(t[4] >> 36)
 
-	out[31] = byte(t[4] >> 44)
 
-}
 
-
 
-// invert calculates r = x^-1 mod p using Fermat's little theorem.
 
-func invert(r *[5]uint64, x *[5]uint64) {
 
-	var z2, z9, z11, z2_5_0, z2_10_0, z2_20_0, z2_50_0, z2_100_0, t [5]uint64
 
-
 
-	square(&z2, x)        /* 2 */
 
-	square(&t, &z2)       /* 4 */
 
-	square(&t, &t)        /* 8 */
 
-	mul(&z9, &t, x)       /* 9 */
 
-	mul(&z11, &z9, &z2)   /* 11 */
 
-	square(&t, &z11)      /* 22 */
 
-	mul(&z2_5_0, &t, &z9) /* 2^5 - 2^0 = 31 */
 
-
 
-	square(&t, &z2_5_0)      /* 2^6 - 2^1 */
 
-	for i := 1; i < 5; i++ { /* 2^20 - 2^10 */
 
-		square(&t, &t)
 
-	}
 
-	mul(&z2_10_0, &t, &z2_5_0) /* 2^10 - 2^0 */
 
-
 
-	square(&t, &z2_10_0)      /* 2^11 - 2^1 */
 
-	for i := 1; i < 10; i++ { /* 2^20 - 2^10 */
 
-		square(&t, &t)
 
-	}
 
-	mul(&z2_20_0, &t, &z2_10_0) /* 2^20 - 2^0 */
 
-
 
-	square(&t, &z2_20_0)      /* 2^21 - 2^1 */
 
-	for i := 1; i < 20; i++ { /* 2^40 - 2^20 */
 
-		square(&t, &t)
 
-	}
 
-	mul(&t, &t, &z2_20_0) /* 2^40 - 2^0 */
 
-
 
-	square(&t, &t)            /* 2^41 - 2^1 */
 
-	for i := 1; i < 10; i++ { /* 2^50 - 2^10 */
 
-		square(&t, &t)
 
-	}
 
-	mul(&z2_50_0, &t, &z2_10_0) /* 2^50 - 2^0 */
 
-
 
-	square(&t, &z2_50_0)      /* 2^51 - 2^1 */
 
-	for i := 1; i < 50; i++ { /* 2^100 - 2^50 */
 
-		square(&t, &t)
 
-	}
 
-	mul(&z2_100_0, &t, &z2_50_0) /* 2^100 - 2^0 */
 
-
 
-	square(&t, &z2_100_0)      /* 2^101 - 2^1 */
 
-	for i := 1; i < 100; i++ { /* 2^200 - 2^100 */
 
-		square(&t, &t)
 
-	}
 
-	mul(&t, &t, &z2_100_0) /* 2^200 - 2^0 */
 
-
 
-	square(&t, &t)            /* 2^201 - 2^1 */
 
-	for i := 1; i < 50; i++ { /* 2^250 - 2^50 */
 
-		square(&t, &t)
 
-	}
 
-	mul(&t, &t, &z2_50_0) /* 2^250 - 2^0 */
 
-
 
-	square(&t, &t) /* 2^251 - 2^1 */
 
-	square(&t, &t) /* 2^252 - 2^2 */
 
-	square(&t, &t) /* 2^253 - 2^3 */
 
-
 
-	square(&t, &t) /* 2^254 - 2^4 */
 
-
 
-	square(&t, &t)   /* 2^255 - 2^5 */
 
-	mul(r, &t, &z11) /* 2^255 - 21 */
 
-}

+ 0 - 169
vendor/golang.org/x/crypto/curve25519/mul_amd64.s
View File 

@@ -1,169 +0,0 @@
 
-// Copyright 2012 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// This code was translated into a form compatible with 6a from the public
 
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
 
-
 
-// +build amd64,!gccgo,!appengine
 
-
 
-#include "const_amd64.h"
 
-
 
-// func mul(dest, a, b *[5]uint64)
 
-TEXT ·mul(SB),0,$16-24
 
-	MOVQ dest+0(FP), DI
 
-	MOVQ a+8(FP), SI
 
-	MOVQ b+16(FP), DX
 
-
 
-	MOVQ DX,CX
 
-	MOVQ 24(SI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MOVQ AX,0(SP)
 
-	MULQ 16(CX)
 
-	MOVQ AX,R8
 
-	MOVQ DX,R9
 
-	MOVQ 32(SI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MOVQ AX,8(SP)
 
-	MULQ 8(CX)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 0(SI),AX
 
-	MULQ 0(CX)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 0(SI),AX
 
-	MULQ 8(CX)
 
-	MOVQ AX,R10
 
-	MOVQ DX,R11
 
-	MOVQ 0(SI),AX
 
-	MULQ 16(CX)
 
-	MOVQ AX,R12
 
-	MOVQ DX,R13
 
-	MOVQ 0(SI),AX
 
-	MULQ 24(CX)
 
-	MOVQ AX,R14
 
-	MOVQ DX,R15
 
-	MOVQ 0(SI),AX
 
-	MULQ 32(CX)
 
-	MOVQ AX,BX
 
-	MOVQ DX,BP
 
-	MOVQ 8(SI),AX
 
-	MULQ 0(CX)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 8(SI),AX
 
-	MULQ 8(CX)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 8(SI),AX
 
-	MULQ 16(CX)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 8(SI),AX
 
-	MULQ 24(CX)
 
-	ADDQ AX,BX
 
-	ADCQ DX,BP
 
-	MOVQ 8(SI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 32(CX)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 16(SI),AX
 
-	MULQ 0(CX)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 16(SI),AX
 
-	MULQ 8(CX)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 16(SI),AX
 
-	MULQ 16(CX)
 
-	ADDQ AX,BX
 
-	ADCQ DX,BP
 
-	MOVQ 16(SI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 24(CX)
 
-	ADDQ AX,R8
 
-	ADCQ DX,R9
 
-	MOVQ 16(SI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 32(CX)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 24(SI),AX
 
-	MULQ 0(CX)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ 24(SI),AX
 
-	MULQ 8(CX)
 
-	ADDQ AX,BX
 
-	ADCQ DX,BP
 
-	MOVQ 0(SP),AX
 
-	MULQ 24(CX)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 0(SP),AX
 
-	MULQ 32(CX)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 32(SI),AX
 
-	MULQ 0(CX)
 
-	ADDQ AX,BX
 
-	ADCQ DX,BP
 
-	MOVQ 8(SP),AX
 
-	MULQ 16(CX)
 
-	ADDQ AX,R10
 
-	ADCQ DX,R11
 
-	MOVQ 8(SP),AX
 
-	MULQ 24(CX)
 
-	ADDQ AX,R12
 
-	ADCQ DX,R13
 
-	MOVQ 8(SP),AX
 
-	MULQ 32(CX)
 
-	ADDQ AX,R14
 
-	ADCQ DX,R15
 
-	MOVQ $REDMASK51,SI
 
-	SHLQ $13,R9:R8
 
-	ANDQ SI,R8
 
-	SHLQ $13,R11:R10
 
-	ANDQ SI,R10
 
-	ADDQ R9,R10
 
-	SHLQ $13,R13:R12
 
-	ANDQ SI,R12
 
-	ADDQ R11,R12
 
-	SHLQ $13,R15:R14
 
-	ANDQ SI,R14
 
-	ADDQ R13,R14
 
-	SHLQ $13,BP:BX
 
-	ANDQ SI,BX
 
-	ADDQ R15,BX
 
-	IMUL3Q $19,BP,DX
 
-	ADDQ DX,R8
 
-	MOVQ R8,DX
 
-	SHRQ $51,DX
 
-	ADDQ R10,DX
 
-	MOVQ DX,CX
 
-	SHRQ $51,DX
 
-	ANDQ SI,R8
 
-	ADDQ R12,DX
 
-	MOVQ DX,R9
 
-	SHRQ $51,DX
 
-	ANDQ SI,CX
 
-	ADDQ R14,DX
 
-	MOVQ DX,AX
 
-	SHRQ $51,DX
 
-	ANDQ SI,R9
 
-	ADDQ BX,DX
 
-	MOVQ DX,R10
 
-	SHRQ $51,DX
 
-	ANDQ SI,AX
 
-	IMUL3Q $19,DX,DX
 
-	ADDQ DX,R8
 
-	ANDQ SI,R10
 
-	MOVQ R8,0(DI)
 
-	MOVQ CX,8(DI)
 
-	MOVQ R9,16(DI)
 
-	MOVQ AX,24(DI)
 
-	MOVQ R10,32(DI)
 
-	RET

+ 0 - 132
vendor/golang.org/x/crypto/curve25519/square_amd64.s
View File 

@@ -1,132 +0,0 @@
 
-// Copyright 2012 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// This code was translated into a form compatible with 6a from the public
 
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
 
-
 
-// +build amd64,!gccgo,!appengine
 
-
 
-#include "const_amd64.h"
 
-
 
-// func square(out, in *[5]uint64)
 
-TEXT ·square(SB),7,$0-16
 
-	MOVQ out+0(FP), DI
 
-	MOVQ in+8(FP), SI
 
-
 
-	MOVQ 0(SI),AX
 
-	MULQ 0(SI)
 
-	MOVQ AX,CX
 
-	MOVQ DX,R8
 
-	MOVQ 0(SI),AX
 
-	SHLQ $1,AX
 
-	MULQ 8(SI)
 
-	MOVQ AX,R9
 
-	MOVQ DX,R10
 
-	MOVQ 0(SI),AX
 
-	SHLQ $1,AX
 
-	MULQ 16(SI)
 
-	MOVQ AX,R11
 
-	MOVQ DX,R12
 
-	MOVQ 0(SI),AX
 
-	SHLQ $1,AX
 
-	MULQ 24(SI)
 
-	MOVQ AX,R13
 
-	MOVQ DX,R14
 
-	MOVQ 0(SI),AX
 
-	SHLQ $1,AX
 
-	MULQ 32(SI)
 
-	MOVQ AX,R15
 
-	MOVQ DX,BX
 
-	MOVQ 8(SI),AX
 
-	MULQ 8(SI)
 
-	ADDQ AX,R11
 
-	ADCQ DX,R12
 
-	MOVQ 8(SI),AX
 
-	SHLQ $1,AX
 
-	MULQ 16(SI)
 
-	ADDQ AX,R13
 
-	ADCQ DX,R14
 
-	MOVQ 8(SI),AX
 
-	SHLQ $1,AX
 
-	MULQ 24(SI)
 
-	ADDQ AX,R15
 
-	ADCQ DX,BX
 
-	MOVQ 8(SI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 32(SI)
 
-	ADDQ AX,CX
 
-	ADCQ DX,R8
 
-	MOVQ 16(SI),AX
 
-	MULQ 16(SI)
 
-	ADDQ AX,R15
 
-	ADCQ DX,BX
 
-	MOVQ 16(SI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 24(SI)
 
-	ADDQ AX,CX
 
-	ADCQ DX,R8
 
-	MOVQ 16(SI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 32(SI)
 
-	ADDQ AX,R9
 
-	ADCQ DX,R10
 
-	MOVQ 24(SI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 24(SI)
 
-	ADDQ AX,R9
 
-	ADCQ DX,R10
 
-	MOVQ 24(SI),DX
 
-	IMUL3Q $38,DX,AX
 
-	MULQ 32(SI)
 
-	ADDQ AX,R11
 
-	ADCQ DX,R12
 
-	MOVQ 32(SI),DX
 
-	IMUL3Q $19,DX,AX
 
-	MULQ 32(SI)
 
-	ADDQ AX,R13
 
-	ADCQ DX,R14
 
-	MOVQ $REDMASK51,SI
 
-	SHLQ $13,R8:CX
 
-	ANDQ SI,CX
 
-	SHLQ $13,R10:R9
 
-	ANDQ SI,R9
 
-	ADDQ R8,R9
 
-	SHLQ $13,R12:R11
 
-	ANDQ SI,R11
 
-	ADDQ R10,R11
 
-	SHLQ $13,R14:R13
 
-	ANDQ SI,R13
 
-	ADDQ R12,R13
 
-	SHLQ $13,BX:R15
 
-	ANDQ SI,R15
 
-	ADDQ R14,R15
 
-	IMUL3Q $19,BX,DX
 
-	ADDQ DX,CX
 
-	MOVQ CX,DX
 
-	SHRQ $51,DX
 
-	ADDQ R9,DX
 
-	ANDQ SI,CX
 
-	MOVQ DX,R8
 
-	SHRQ $51,DX
 
-	ADDQ R11,DX
 
-	ANDQ SI,R8
 
-	MOVQ DX,R9
 
-	SHRQ $51,DX
 
-	ADDQ R13,DX
 
-	ANDQ SI,R9
 
-	MOVQ DX,AX
 
-	SHRQ $51,DX
 
-	ADDQ R15,DX
 
-	ANDQ SI,AX
 
-	MOVQ DX,R10
 
-	SHRQ $51,DX
 
-	IMUL3Q $19,DX,DX
 
-	ADDQ DX,CX
 
-	ANDQ SI,R10
 
-	MOVQ CX,0(DI)
 
-	MOVQ R8,8(DI)
 
-	MOVQ R9,16(DI)
 
-	MOVQ AX,24(DI)
 
-	MOVQ R10,32(DI)
 
-	RET

+ 5 - 0
vendor/golang.org/x/crypto/ed25519/ed25519.go
View File 

@@ -2,6 +2,11 @@
 
 // Use of this source code is governed by a BSD-style
 
 // license that can be found in the LICENSE file.
 
 
+// In Go 1.13, the ed25519 package was promoted to the standard library as
 
+// crypto/ed25519, and this package became a wrapper for the standard library one.
 
+//
 
+// +build !go1.13
 
+
 
 // Package ed25519 implements the Ed25519 signature algorithm. See
 
 // https://ed25519.cr.yp.to/.
 
 //

+ 73 - 0
vendor/golang.org/x/crypto/ed25519/ed25519_go113.go
View File 

@@ -0,0 +1,73 @@
 
+// Copyright 2019 The Go Authors. All rights reserved.
 
+// Use of this source code is governed by a BSD-style
 
+// license that can be found in the LICENSE file.
 
+
 
+// +build go1.13
 
+
 
+// Package ed25519 implements the Ed25519 signature algorithm. See
 
+// https://ed25519.cr.yp.to/.
 
+//
 
+// These functions are also compatible with the “Ed25519” function defined in
 
+// RFC 8032. However, unlike RFC 8032's formulation, this package's private key
 
+// representation includes a public key suffix to make multiple signing
 
+// operations with the same key more efficient. This package refers to the RFC
 
+// 8032 private key as the “seed”.
 
+//
 
+// Beginning with Go 1.13, the functionality of this package was moved to the
 
+// standard library as crypto/ed25519. This package only acts as a compatibility
 
+// wrapper.
 
+package ed25519
 
+
 
+import (
 
+	"crypto/ed25519"
 
+	"io"
 
+)
 
+
 
+const (
 
+	// PublicKeySize is the size, in bytes, of public keys as used in this package.
 
+	PublicKeySize = 32
 
+	// PrivateKeySize is the size, in bytes, of private keys as used in this package.
 
+	PrivateKeySize = 64
 
+	// SignatureSize is the size, in bytes, of signatures generated and verified by this package.
 
+	SignatureSize = 64
 
+	// SeedSize is the size, in bytes, of private key seeds. These are the private key representations used by RFC 8032.
 
+	SeedSize = 32
 
+)
 
+
 
+// PublicKey is the type of Ed25519 public keys.
 
+//
 
+// This type is an alias for crypto/ed25519's PublicKey type.
 
+// See the crypto/ed25519 package for the methods on this type.
 
+type PublicKey = ed25519.PublicKey
 
+
 
+// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.
 
+//
 
+// This type is an alias for crypto/ed25519's PrivateKey type.
 
+// See the crypto/ed25519 package for the methods on this type.
 
+type PrivateKey = ed25519.PrivateKey
 
+
 
+// GenerateKey generates a public/private key pair using entropy from rand.
 
+// If rand is nil, crypto/rand.Reader will be used.
 
+func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error) {
 
+	return ed25519.GenerateKey(rand)
 
+}
 
+
 
+// NewKeyFromSeed calculates a private key from a seed. It will panic if
 
+// len(seed) is not SeedSize. This function is provided for interoperability
 
+// with RFC 8032. RFC 8032's private keys correspond to seeds in this
 
+// package.
 
+func NewKeyFromSeed(seed []byte) PrivateKey {
 
+	return ed25519.NewKeyFromSeed(seed)
 
+}
 
+
 
+// Sign signs the message with privateKey and returns a signature. It will
 
+// panic if len(privateKey) is not PrivateKeySize.
 
+func Sign(privateKey PrivateKey, message []byte) []byte {
 
+	return ed25519.Sign(privateKey, message)
 
+}
 
+
 
+// Verify reports whether sig is a valid signature of message by publicKey. It
 
+// will panic if len(publicKey) is not PublicKeySize.
 
+func Verify(publicKey PublicKey, message, sig []byte) bool {
 
+	return ed25519.Verify(publicKey, message, sig)
 
+}

+ 6 - 1
vendor/golang.org/x/crypto/go.mod
View File 

@@ -1,3 +1,8 @@
 
 module golang.org/x/crypto
 
 
-require golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e
 
+go 1.11
 
+
 
+require (
 
+	golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3
 
+	golang.org/x/sys v0.0.0-20190412213103-97732733099d
 
+)

+ 1 - 0
vendor/golang.org/x/crypto/pkcs12/pkcs12.go
View File 

@@ -252,6 +252,7 @@ func Decode(pfxData []byte, password string) (privateKey interface{}, certificat
 
 		case bag.Id.Equal(oidPKCS8ShroundedKeyBag):
 
 			if privateKey != nil {
 
 				err = errors.New("pkcs12: expected exactly one key bag")
 
+				return nil, nil, err
 
 			}
 
 
 			if privateKey, err = decodePkcs8ShroudedKeyBag(bag.Value.Bytes, encodedPassword); err != nil {

+ 39 - 0
vendor/golang.org/x/crypto/poly1305/bits_compat.go
View File 

@@ -0,0 +1,39 @@
 
+// Copyright 2019 The Go Authors. All rights reserved.
 
+// Use of this source code is governed by a BSD-style
 
+// license that can be found in the LICENSE file.
 
+
 
+// +build !go1.13
 
+
 
+package poly1305
 
+
 
+// Generic fallbacks for the math/bits intrinsics, copied from
 
+// src/math/bits/bits.go. They were added in Go 1.12, but Add64 and Sum64 had
 
+// variable time fallbacks until Go 1.13.
 
+
 
+func bitsAdd64(x, y, carry uint64) (sum, carryOut uint64) {
 
+	sum = x + y + carry
 
+	carryOut = ((x & y) | ((x | y) &^ sum)) >> 63
 
+	return
 
+}
 
+
 
+func bitsSub64(x, y, borrow uint64) (diff, borrowOut uint64) {
 
+	diff = x - y - borrow
 
+	borrowOut = ((^x & y) | (^(x ^ y) & diff)) >> 63
 
+	return
 
+}
 
+
 
+func bitsMul64(x, y uint64) (hi, lo uint64) {
 
+	const mask32 = 1<<32 - 1
 
+	x0 := x & mask32
 
+	x1 := x >> 32
 
+	y0 := y & mask32
 
+	y1 := y >> 32
 
+	w0 := x0 * y0
 
+	t := x1*y0 + w0>>32
 
+	w1 := t & mask32
 
+	w2 := t >> 32
 
+	w1 += x0 * y1
 
+	hi = x1*y1 + w2 + w1>>32
 
+	lo = x * y
 
+	return
 
+}

+ 21 - 0
vendor/golang.org/x/crypto/poly1305/bits_go1.13.go
View File 

@@ -0,0 +1,21 @@
 
+// Copyright 2019 The Go Authors. All rights reserved.
 
+// Use of this source code is governed by a BSD-style
 
+// license that can be found in the LICENSE file.
 
+
 
+// +build go1.13
 
+
 
+package poly1305
 
+
 
+import "math/bits"
 
+
 
+func bitsAdd64(x, y, carry uint64) (sum, carryOut uint64) {
 
+	return bits.Add64(x, y, carry)
 
+}
 
+
 
+func bitsSub64(x, y, borrow uint64) (diff, borrowOut uint64) {
 
+	return bits.Sub64(x, y, borrow)
 
+}
 
+
 
+func bitsMul64(x, y uint64) (hi, lo uint64) {
 
+	return bits.Mul64(x, y)
 
+}

+ 1 - 1
vendor/golang.org/x/crypto/poly1305/mac_noasm.go
View File 

@@ -2,7 +2,7 @@
 
 // Use of this source code is governed by a BSD-style
 
 // license that can be found in the LICENSE file.
 
 
-// +build !amd64 gccgo appengine
 
+// +build !amd64,!ppc64le gccgo appengine
 
 
 package poly1305

+ 8 - 2
vendor/golang.org/x/crypto/poly1305/poly1305.go
View File 

@@ -22,8 +22,14 @@ import "crypto/subtle"
 
 // TagSize is the size, in bytes, of a poly1305 authenticator.
 
 const TagSize = 16
 
 
-// Verify returns true if mac is a valid authenticator for m with the given
 
-// key.
 
+// Sum generates an authenticator for msg using a one-time key and puts the
 
+// 16-byte result into out. Authenticating two different messages with the same
 
+// key allows an attacker to forge messages at will.
 
+func Sum(out *[16]byte, m []byte, key *[32]byte) {
 
+	sum(out, m, key)
 
+}
 
+
 
+// Verify returns true if mac is a valid authenticator for m with the given key.
 
 func Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
 
 	var tmp [16]byte
 
 	Sum(&tmp, m, key)

+ 23 - 33
vendor/golang.org/x/crypto/poly1305/sum_amd64.go
View File 

@@ -7,62 +7,52 @@
 
 package poly1305
 
 
 //go:noescape
 
-func initialize(state *[7]uint64, key *[32]byte)
 
+func update(state *macState, msg []byte)
 
 
-//go:noescape
 
-func update(state *[7]uint64, msg []byte)
 
-
 
-//go:noescape
 
-func finalize(tag *[TagSize]byte, state *[7]uint64)
 
-
 
-// Sum generates an authenticator for m using a one-time key and puts the
 
-// 16-byte result into out. Authenticating two different messages with the same
 
-// key allows an attacker to forge messages at will.
 
-func Sum(out *[16]byte, m []byte, key *[32]byte) {
 
+func sum(out *[16]byte, m []byte, key *[32]byte) {
 
 	h := newMAC(key)
 
 	h.Write(m)
 
 	h.Sum(out)
 
 }
 
 
 func newMAC(key *[32]byte) (h mac) {
 
-	initialize(&h.state, key)
 
+	initialize(key, &h.r, &h.s)
 
 	return
 
 }
 
 
-type mac struct {
 
-	state [7]uint64 // := uint64{ h0, h1, h2, r0, r1, pad0, pad1 }
 
-
 
-	buffer [TagSize]byte
 
-	offset int
 
-}
 
+// mac is a wrapper for macGeneric that redirects calls that would have gone to
 
+// updateGeneric to update.
 
+//
 
+// Its Write and Sum methods are otherwise identical to the macGeneric ones, but
 
+// using function pointers would carry a major performance cost.
 
+type mac struct{ macGeneric }
 
 
-func (h *mac) Write(p []byte) (n int, err error) {
 
-	n = len(p)
 
+func (h *mac) Write(p []byte) (int, error) {
 
+	nn := len(p)
 
 	if h.offset > 0 {
 
-		remaining := TagSize - h.offset
 
-		if n < remaining {
 
-			h.offset += copy(h.buffer[h.offset:], p)
 
-			return n, nil
 
+		n := copy(h.buffer[h.offset:], p)
 
+		if h.offset+n < TagSize {
 
+			h.offset += n
 
+			return nn, nil
 
 		}
 
-		copy(h.buffer[h.offset:], p[:remaining])
 
-		p = p[remaining:]
 
+		p = p[n:]
 
 		h.offset = 0
 
-		update(&h.state, h.buffer[:])
 
+		update(&h.macState, h.buffer[:])
 
 	}
 
-	if nn := len(p) - (len(p) % TagSize); nn > 0 {
 
-		update(&h.state, p[:nn])
 
-		p = p[nn:]
 
+	if n := len(p) - (len(p) % TagSize); n > 0 {
 
+		update(&h.macState, p[:n])
 
+		p = p[n:]
 
 	}
 
 	if len(p) > 0 {
 
 		h.offset += copy(h.buffer[h.offset:], p)
 
 	}
 
-	return n, nil
 
+	return nn, nil
 
 }
 
 
 func (h *mac) Sum(out *[16]byte) {
 
-	state := h.state
 
+	state := h.macState
 
 	if h.offset > 0 {
 
 		update(&state, h.buffer[:h.offset])
 
 	}
 
-	finalize(out, &state)
 
+	finalize(out, &state.h, &state.s)
 
 }

+ 0 - 40
vendor/golang.org/x/crypto/poly1305/sum_amd64.s
View File 

@@ -54,10 +54,6 @@
 
 	ADCQ  t3, h1;                  \
 
 	ADCQ  $0, h2
 
 
-DATA ·poly1305Mask<>+0x00(SB)/8, $0x0FFFFFFC0FFFFFFF
 
-DATA ·poly1305Mask<>+0x08(SB)/8, $0x0FFFFFFC0FFFFFFC
 
-GLOBL ·poly1305Mask<>(SB), RODATA, $16
 
-
 
 // func update(state *[7]uint64, msg []byte)
 
 TEXT ·update(SB), $0-32
 
 	MOVQ state+0(FP), DI
 
@@ -110,39 +106,3 @@ done:
 
 	MOVQ R9, 8(DI)
 
 	MOVQ R10, 16(DI)
 
 	RET
 
-
 
-// func initialize(state *[7]uint64, key *[32]byte)
 
-TEXT ·initialize(SB), $0-16
 
-	MOVQ state+0(FP), DI
 
-	MOVQ key+8(FP), SI
 
-
 
-	// state[0...7] is initialized with zero
 
-	MOVOU 0(SI), X0
 
-	MOVOU 16(SI), X1
 
-	MOVOU ·poly1305Mask<>(SB), X2
 
-	PAND  X2, X0
 
-	MOVOU X0, 24(DI)
 
-	MOVOU X1, 40(DI)
 
-	RET
 
-
 
-// func finalize(tag *[TagSize]byte, state *[7]uint64)
 
-TEXT ·finalize(SB), $0-16
 
-	MOVQ tag+0(FP), DI
 
-	MOVQ state+8(FP), SI
 
-
 
-	MOVQ    0(SI), AX
 
-	MOVQ    8(SI), BX
 
-	MOVQ    16(SI), CX
 
-	MOVQ    AX, R8
 
-	MOVQ    BX, R9
 
-	SUBQ    $0xFFFFFFFFFFFFFFFB, AX
 
-	SBBQ    $0xFFFFFFFFFFFFFFFF, BX
 
-	SBBQ    $3, CX
 
-	CMOVQCS R8, AX
 
-	CMOVQCS R9, BX
 
-	ADDQ    40(SI), AX
 
-	ADCQ    48(SI), BX
 
-
 
-	MOVQ AX, 0(DI)
 
-	MOVQ BX, 8(DI)
 
-	RET

+ 0 - 22
vendor/golang.org/x/crypto/poly1305/sum_arm.go
View File 

@@ -1,22 +0,0 @@
 
-// Copyright 2015 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// +build arm,!gccgo,!appengine,!nacl
 
-
 
-package poly1305
 
-
 
-// This function is implemented in sum_arm.s
 
-//go:noescape
 
-func poly1305_auth_armv6(out *[16]byte, m *byte, mlen uint32, key *[32]byte)
 
-
 
-// Sum generates an authenticator for m using a one-time key and puts the
 
-// 16-byte result into out. Authenticating two different messages with the same
 
-// key allows an attacker to forge messages at will.
 
-func Sum(out *[16]byte, m []byte, key *[32]byte) {
 
-	var mPtr *byte
 
-	if len(m) > 0 {
 
-		mPtr = &m[0]
 
-	}
 
-	poly1305_auth_armv6(out, mPtr, uint32(len(m)), key)
 
-}

+ 0 - 427
vendor/golang.org/x/crypto/poly1305/sum_arm.s
View File 

@@ -1,427 +0,0 @@
 
-// Copyright 2015 The Go Authors. All rights reserved.
 
-// Use of this source code is governed by a BSD-style
 
-// license that can be found in the LICENSE file.
 
-
 
-// +build arm,!gccgo,!appengine,!nacl
 
-
 
-#include "textflag.h"
 
-
 
-// This code was translated into a form compatible with 5a from the public
 
-// domain source by Andrew Moon: github.com/floodyberry/poly1305-opt/blob/master/app/extensions/poly1305.
 
-
 
-DATA ·poly1305_init_constants_armv6<>+0x00(SB)/4, $0x3ffffff
 
-DATA ·poly1305_init_constants_armv6<>+0x04(SB)/4, $0x3ffff03
 
-DATA ·poly1305_init_constants_armv6<>+0x08(SB)/4, $0x3ffc0ff
 
-DATA ·poly1305_init_constants_armv6<>+0x0c(SB)/4, $0x3f03fff
 
-DATA ·poly1305_init_constants_armv6<>+0x10(SB)/4, $0x00fffff
 
-GLOBL ·poly1305_init_constants_armv6<>(SB), 8, $20
 
-
 
-// Warning: the linker may use R11 to synthesize certain instructions. Please
 
-// take care and verify that no synthetic instructions use it.
 
-
 
-TEXT poly1305_init_ext_armv6<>(SB), NOSPLIT, $0
 
-	// Needs 16 bytes of stack and 64 bytes of space pointed to by R0.  (It
 
-	// might look like it's only 60 bytes of space but the final four bytes
 
-	// will be written by another function.) We need to skip over four
 
-	// bytes of stack because that's saving the value of 'g'.
 
-	ADD       $4, R13, R8
 
-	MOVM.IB   [R4-R7], (R8)
 
-	MOVM.IA.W (R1), [R2-R5]
 
-	MOVW      $·poly1305_init_constants_armv6<>(SB), R7
 
-	MOVW      R2, R8
 
-	MOVW      R2>>26, R9
 
-	MOVW      R3>>20, g
 
-	MOVW      R4>>14, R11
 
-	MOVW      R5>>8, R12
 
-	ORR       R3<<6, R9, R9
 
-	ORR       R4<<12, g, g
 
-	ORR       R5<<18, R11, R11
 
-	MOVM.IA   (R7), [R2-R6]
 
-	AND       R8, R2, R2
 
-	AND       R9, R3, R3
 
-	AND       g, R4, R4
 
-	AND       R11, R5, R5
 
-	AND       R12, R6, R6
 
-	MOVM.IA.W [R2-R6], (R0)
 
-	EOR       R2, R2, R2
 
-	EOR       R3, R3, R3
 
-	EOR       R4, R4, R4
 
-	EOR       R5, R5, R5
 
-	EOR       R6, R6, R6
 
-	MOVM.IA.W [R2-R6], (R0)
 
-	MOVM.IA.W (R1), [R2-R5]
 
-	MOVM.IA   [R2-R6], (R0)
 
-	ADD       $20, R13, R0
 
-	MOVM.DA   (R0), [R4-R7]
 
-	RET
 
-
 
-#define MOVW_UNALIGNED(Rsrc, Rdst, Rtmp, offset) \
 
-	MOVBU (offset+0)(Rsrc), Rtmp; \
 
-	MOVBU Rtmp, (offset+0)(Rdst); \
 
-	MOVBU (offset+1)(Rsrc), Rtmp; \
 
-	MOVBU Rtmp, (offset+1)(Rdst); \
 
-	MOVBU (offset+2)(Rsrc), Rtmp; \
 
-	MOVBU Rtmp, (offset+2)(Rdst); \
 
-	MOVBU (offset+3)(Rsrc), Rtmp; \
 
-	MOVBU Rtmp, (offset+3)(Rdst)
 
-
 
-TEXT poly1305_blocks_armv6<>(SB), NOSPLIT, $0
 
-	// Needs 24 bytes of stack for saved registers and then 88 bytes of
 
-	// scratch space after that. We assume that 24 bytes at (R13) have
 
-	// already been used: four bytes for the link register saved in the
 
-	// prelude of poly1305_auth_armv6, four bytes for saving the value of g
 
-	// in that function and 16 bytes of scratch space used around
 
-	// poly1305_finish_ext_armv6_skip1.
 
-	ADD     $24, R13, R12
 
-	MOVM.IB [R4-R8, R14], (R12)
 
-	MOVW    R0, 88(R13)
 
-	MOVW    R1, 92(R13)
 
-	MOVW    R2, 96(R13)
 
-	MOVW    R1, R14
 
-	MOVW    R2, R12
 
-	MOVW    56(R0), R8
 
-	WORD    $0xe1180008                // TST R8, R8 not working see issue 5921
 
-	EOR     R6, R6, R6
 
-	MOVW.EQ $(1<<24), R6
 
-	MOVW    R6, 84(R13)
 
-	ADD     $116, R13, g
 
-	MOVM.IA (R0), [R0-R9]
 
-	MOVM.IA [R0-R4], (g)
 
-	CMP     $16, R12
 
-	BLO     poly1305_blocks_armv6_done
 
-
 
-poly1305_blocks_armv6_mainloop:
 
-	WORD    $0xe31e0003                            // TST R14, #3 not working see issue 5921
 
-	BEQ     poly1305_blocks_armv6_mainloop_aligned
 
-	ADD     $100, R13, g
 
-	MOVW_UNALIGNED(R14, g, R0, 0)
 
-	MOVW_UNALIGNED(R14, g, R0, 4)
 
-	MOVW_UNALIGNED(R14, g, R0, 8)
 
-	MOVW_UNALIGNED(R14, g, R0, 12)
 
-	MOVM.IA (g), [R0-R3]
 
-	ADD     $16, R14
 
-	B       poly1305_blocks_armv6_mainloop_loaded
 
-
 
-poly1305_blocks_armv6_mainloop_aligned:
 
-	MOVM.IA.W (R14), [R0-R3]
 
-
 
-poly1305_blocks_armv6_mainloop_loaded:
 
-	MOVW    R0>>26, g
 
-	MOVW    R1>>20, R11
 
-	MOVW    R2>>14, R12
 
-	MOVW    R14, 92(R13)
 
-	MOVW    R3>>8, R4
 
-	ORR     R1<<6, g, g
 
-	ORR     R2<<12, R11, R11
 
-	ORR     R3<<18, R12, R12
 
-	BIC     $0xfc000000, R0, R0
 
-	BIC     $0xfc000000, g, g
 
-	MOVW    84(R13), R3
 
-	BIC     $0xfc000000, R11, R11
 
-	BIC     $0xfc000000, R12, R12
 
-	ADD     R0, R5, R5
 
-	ADD     g, R6, R6
 
-	ORR     R3, R4, R4
 
-	ADD     R11, R7, R7
 
-	ADD     $116, R13, R14
 
-	ADD     R12, R8, R8
 
-	ADD     R4, R9, R9
 
-	MOVM.IA (R14), [R0-R4]
 
-	MULLU   R4, R5, (R11, g)
 
-	MULLU   R3, R5, (R14, R12)
 
-	MULALU  R3, R6, (R11, g)
 
-	MULALU  R2, R6, (R14, R12)
 
-	MULALU  R2, R7, (R11, g)
 
-	MULALU  R1, R7, (R14, R12)
 
-	ADD     R4<<2, R4, R4
 
-	ADD     R3<<2, R3, R3
 
-	MULALU  R1, R8, (R11, g)
 
-	MULALU  R0, R8, (R14, R12)
 
-	MULALU  R0, R9, (R11, g)
 
-	MULALU  R4, R9, (R14, R12)
 
-	MOVW    g, 76(R13)
 
-	MOVW    R11, 80(R13)
 
-	MOVW    R12, 68(R13)
 
-	MOVW    R14, 72(R13)
 
-	MULLU   R2, R5, (R11, g)
 
-	MULLU   R1, R5, (R14, R12)
 
-	MULALU  R1, R6, (R11, g)
 
-	MULALU  R0, R6, (R14, R12)
 
-	MULALU  R0, R7, (R11, g)
 
-	MULALU  R4, R7, (R14, R12)
 
-	ADD     R2<<2, R2, R2
 
-	ADD     R1<<2, R1, R1
 
-	MULALU  R4, R8, (R11, g)
 
-	MULALU  R3, R8, (R14, R12)
 
-	MULALU  R3, R9, (R11, g)
 
-	MULALU  R2, R9, (R14, R12)
 
-	MOVW    g, 60(R13)
 
-	MOVW    R11, 64(R13)
 
-	MOVW    R12, 52(R13)
 
-	MOVW    R14, 56(R13)
 
-	MULLU   R0, R5, (R11, g)
 
-	MULALU  R4, R6, (R11, g)
 
-	MULALU  R3, R7, (R11, g)
 
-	MULALU  R2, R8, (R11, g)
 
-	MULALU  R1, R9, (R11, g)
 
-	ADD     $52, R13, R0
 
-	MOVM.IA (R0), [R0-R7]
 
-	MOVW    g>>26, R12
 
-	MOVW    R4>>26, R14
 
-	ORR     R11<<6, R12, R12
 
-	ORR     R5<<6, R14, R14
 
-	BIC     $0xfc000000, g, g
 
-	BIC     $0xfc000000, R4, R4
 
-	ADD.S   R12, R0, R0
 
-	ADC     $0, R1, R1
 
-	ADD.S   R14, R6, R6
 
-	ADC     $0, R7, R7
 
-	MOVW    R0>>26, R12
 
-	MOVW    R6>>26, R14
 
-	ORR     R1<<6, R12, R12
 
-	ORR     R7<<6, R14, R14
 
-	BIC     $0xfc000000, R0, R0
 
-	BIC     $0xfc000000, R6, R6
 
-	ADD     R14<<2, R14, R14
 
-	ADD.S   R12, R2, R2
 
-	ADC     $0, R3, R3
 
-	ADD     R14, g, g
 
-	MOVW    R2>>26, R12
 
-	MOVW    g>>26, R14
 
-	ORR     R3<<6, R12, R12
 
-	BIC     $0xfc000000, g, R5
 
-	BIC     $0xfc000000, R2, R7
 
-	ADD     R12, R4, R4
 
-	ADD     R14, R0, R0
 
-	MOVW    R4>>26, R12
 
-	BIC     $0xfc000000, R4, R8
 
-	ADD     R12, R6, R9
 
-	MOVW    96(R13), R12
 
-	MOVW    92(R13), R14
 
-	MOVW    R0, R6
 
-	CMP     $32, R12
 
-	SUB     $16, R12, R12
 
-	MOVW    R12, 96(R13)
 
-	BHS     poly1305_blocks_armv6_mainloop
 
-
 
-poly1305_blocks_armv6_done:
 
-	MOVW    88(R13), R12
 
-	MOVW    R5, 20(R12)
 
-	MOVW    R6, 24(R12)
 
-	MOVW    R7, 28(R12)
 
-	MOVW    R8, 32(R12)
 
-	MOVW    R9, 36(R12)
 
-	ADD     $48, R13, R0
 
-	MOVM.DA (R0), [R4-R8, R14]
 
-	RET
 
-
 
-#define MOVHUP_UNALIGNED(Rsrc, Rdst, Rtmp) \
 
-	MOVBU.P 1(Rsrc), Rtmp; \
 
-	MOVBU.P Rtmp, 1(Rdst); \
 
-	MOVBU.P 1(Rsrc), Rtmp; \
 
-	MOVBU.P Rtmp, 1(Rdst)
 
-
 
-#define MOVWP_UNALIGNED(Rsrc, Rdst, Rtmp) \
 
-	MOVHUP_UNALIGNED(Rsrc, Rdst, Rtmp); \
 
-	MOVHUP_UNALIGNED(Rsrc, Rdst, Rtmp)
 
-
 
-// func poly1305_auth_armv6(out *[16]byte, m *byte, mlen uint32, key *[32]key)
 
-TEXT ·poly1305_auth_armv6(SB), $196-16
 
-	// The value 196, just above, is the sum of 64 (the size of the context
 
-	// structure) and 132 (the amount of stack needed).
 
-	//
 
-	// At this point, the stack pointer (R13) has been moved down. It
 
-	// points to the saved link register and there's 196 bytes of free
 
-	// space above it.
 
-	//
 
-	// The stack for this function looks like:
 
-	//
 
-	// +---------------------
 
-	// |
 
-	// | 64 bytes of context structure
 
-	// |
 
-	// +---------------------
 
-	// |
 
-	// | 112 bytes for poly1305_blocks_armv6
 
-	// |
 
-	// +---------------------
 
-	// | 16 bytes of final block, constructed at
 
-	// | poly1305_finish_ext_armv6_skip8
 
-	// +---------------------
 
-	// | four bytes of saved 'g'
 
-	// +---------------------
 
-	// | lr, saved by prelude    <- R13 points here
 
-	// +---------------------
 
-	MOVW g, 4(R13)
 
-
 
-	MOVW out+0(FP), R4
 
-	MOVW m+4(FP), R5
 
-	MOVW mlen+8(FP), R6
 
-	MOVW key+12(FP), R7
 
-
 
-	ADD  $136, R13, R0 // 136 = 4 + 4 + 16 + 112
 
-	MOVW R7, R1
 
-
 
-	// poly1305_init_ext_armv6 will write to the stack from R13+4, but
 
-	// that's ok because none of the other values have been written yet.
 
-	BL    poly1305_init_ext_armv6<>(SB)
 
-	BIC.S $15, R6, R2
 
-	BEQ   poly1305_auth_armv6_noblocks
 
-	ADD   $136, R13, R0
 
-	MOVW  R5, R1
 
-	ADD   R2, R5, R5
 
-	SUB   R2, R6, R6
 
-	BL    poly1305_blocks_armv6<>(SB)
 
-
 
-poly1305_auth_armv6_noblocks:
 
-	ADD  $136, R13, R0
 
-	MOVW R5, R1
 
-	MOVW R6, R2
 
-	MOVW R4, R3
 
-
 
-	MOVW  R0, R5
 
-	MOVW  R1, R6
 
-	MOVW  R2, R7
 
-	MOVW  R3, R8
 
-	AND.S R2, R2, R2
 
-	BEQ   poly1305_finish_ext_armv6_noremaining
 
-	EOR   R0, R0
 
-	ADD   $8, R13, R9                           // 8 = offset to 16 byte scratch space
 
-	MOVW  R0, (R9)
 
-	MOVW  R0, 4(R9)
 
-	MOVW  R0, 8(R9)
 
-	MOVW  R0, 12(R9)
 
-	WORD  $0xe3110003                           // TST R1, #3 not working see issue 5921
 
-	BEQ   poly1305_finish_ext_armv6_aligned
 
-	WORD  $0xe3120008                           // TST R2, #8 not working see issue 5921
 
-	BEQ   poly1305_finish_ext_armv6_skip8
 
-	MOVWP_UNALIGNED(R1, R9, g)
 
-	MOVWP_UNALIGNED(R1, R9, g)
 
-
 
-poly1305_finish_ext_armv6_skip8:
 
-	WORD $0xe3120004                     // TST $4, R2 not working see issue 5921
 
-	BEQ  poly1305_finish_ext_armv6_skip4
 
-	MOVWP_UNALIGNED(R1, R9, g)
 
-
 
-poly1305_finish_ext_armv6_skip4:
 
-	WORD $0xe3120002                     // TST $2, R2 not working see issue 5921
 
-	BEQ  poly1305_finish_ext_armv6_skip2
 
-	MOVHUP_UNALIGNED(R1, R9, g)
 
-	B    poly1305_finish_ext_armv6_skip2
 
-
 
-poly1305_finish_ext_armv6_aligned:
 
-	WORD      $0xe3120008                             // TST R2, #8 not working see issue 5921
 
-	BEQ       poly1305_finish_ext_armv6_skip8_aligned
 
-	MOVM.IA.W (R1), [g-R11]
 
-	MOVM.IA.W [g-R11], (R9)
 
-
 
-poly1305_finish_ext_armv6_skip8_aligned:
 
-	WORD   $0xe3120004                             // TST $4, R2 not working see issue 5921
 
-	BEQ    poly1305_finish_ext_armv6_skip4_aligned
 
-	MOVW.P 4(R1), g
 
-	MOVW.P g, 4(R9)
 
-
 
-poly1305_finish_ext_armv6_skip4_aligned:
 
-	WORD    $0xe3120002                     // TST $2, R2 not working see issue 5921
 
-	BEQ     poly1305_finish_ext_armv6_skip2
 
-	MOVHU.P 2(R1), g
 
-	MOVH.P  g, 2(R9)
 
-
 
-poly1305_finish_ext_armv6_skip2:
 
-	WORD    $0xe3120001                     // TST $1, R2 not working see issue 5921
 
-	BEQ     poly1305_finish_ext_armv6_skip1
 
-	MOVBU.P 1(R1), g
 
-	MOVBU.P g, 1(R9)
 
-
 
-poly1305_finish_ext_armv6_skip1:
 
-	MOVW  $1, R11
 
-	MOVBU R11, 0(R9)
 
-	MOVW  R11, 56(R5)
 
-	MOVW  R5, R0
 
-	ADD   $8, R13, R1
 
-	MOVW  $16, R2
 
-	BL    poly1305_blocks_armv6<>(SB)
 
-
 
-poly1305_finish_ext_armv6_noremaining:
 
-	MOVW      20(R5), R0
 
-	MOVW      24(R5), R1
 
-	MOVW      28(R5), R2
 
-	MOVW      32(R5), R3
 
-	MOVW      36(R5), R4
 
-	MOVW      R4>>26, R12
 
-	BIC       $0xfc000000, R4, R4
 
-	ADD       R12<<2, R12, R12
 
-	ADD       R12, R0, R0
 
-	MOVW      R0>>26, R12
 
-	BIC       $0xfc000000, R0, R0
 
-	ADD       R12, R1, R1
 
-	MOVW      R1>>26, R12
 
-	BIC       $0xfc000000, R1, R1
 
-	ADD       R12, R2, R2
 
-	MOVW      R2>>26, R12
 
-	BIC       $0xfc000000, R2, R2
 
-	ADD       R12, R3, R3
 
-	MOVW      R3>>26, R12
 
-	BIC       $0xfc000000, R3, R3
 
-	ADD       R12, R4, R4
 
-	ADD       $5, R0, R6
 
-	MOVW      R6>>26, R12
 
-	BIC       $0xfc000000, R6, R6
 
-	ADD       R12, R1, R7
 
-	MOVW      R7>>26, R12
 
-	BIC       $0xfc000000, R7, R7
 
-	ADD       R12, R2, g
 
-	MOVW      g>>26, R12
 
-	BIC       $0xfc000000, g, g
 
-	ADD       R12, R3, R11
 
-	MOVW      $-(1<<26), R12
 
-	ADD       R11>>26, R12, R12
 
-	BIC       $0xfc000000, R11, R11
 
-	ADD       R12, R4, R9
 
-	MOVW      R9>>31, R12
 
-	SUB       $1, R12
 
-	AND       R12, R6, R6
 
-	AND       R12, R7, R7
 
-	AND       R12, g, g
 
-	AND       R12, R11, R11
 
-	AND       R12, R9, R9
 
-	MVN       R12, R12
 
-	AND       R12, R0, R0
 
-	AND       R12, R1, R1
 
-	AND       R12, R2, R2
 
-	AND       R12, R3, R3
 
-	AND       R12, R4, R4
 
-	ORR       R6, R0, R0
 
-	ORR       R7, R1, R1
 
-	ORR       g, R2, R2
 
-	ORR       R11, R3, R3
 
-	ORR       R9, R4, R4
 
-	ORR       R1<<26, R0, R0
 
-	MOVW      R1>>6, R1
 
-	ORR       R2<<20, R1, R1
 
-	MOVW      R2>>12, R2
 
-	ORR       R3<<14, R2, R2
 
-	MOVW      R3>>18, R3
 
-	ORR       R4<<8, R3, R3
 
-	MOVW      40(R5), R6
 
-	MOVW      44(R5), R7
 
-	MOVW      48(R5), g
 
-	MOVW      52(R5), R11
 
-	ADD.S     R6, R0, R0
 
-	ADC.S     R7, R1, R1
 
-	ADC.S     g, R2, R2
 
-	ADC.S     R11, R3, R3
 
-	MOVM.IA   [R0-R3], (R8)
 
-	MOVW      R5, R12
 
-	EOR       R0, R0, R0
 
-	EOR       R1, R1, R1
 
-	EOR       R2, R2, R2
 
-	EOR       R3, R3, R3
 
-	EOR       R4, R4, R4
 
-	EOR       R5, R5, R5
 
-	EOR       R6, R6, R6
 
-	EOR       R7, R7, R7
 
-	MOVM.IA.W [R0-R7], (R12)
 
-	MOVM.IA   [R0-R7], (R12)
 
-	MOVW      4(R13), g
 
-	RET

+ 263 - 128
vendor/golang.org/x/crypto/poly1305/sum_generic.go
View File 

@@ -2,18 +2,29 @@
 
 // Use of this source code is governed by a BSD-style
 
 // license that can be found in the LICENSE file.
 
 
+// This file provides the generic implementation of Sum and MAC. Other files
 
+// might provide optimized assembly implementations of some of this code.
 
+
 
 package poly1305
 
 
 import "encoding/binary"
 
 
-const (
 
-	msgBlock   = uint32(1 << 24)
 
-	finalBlock = uint32(0)
 
-)
 
+// Poly1305 [RFC 7539] is a relatively simple algorithm: the authentication tag
 
+// for a 64 bytes message is approximately
 
+//
 
+//     s + m[0:16] * r⁴ + m[16:32] * r³ + m[32:48] * r² + m[48:64] * r  mod  2¹³⁰ - 5
 
+//
 
+// for some secret r and s. It can be computed sequentially like
 
+//
 
+//     for len(msg) > 0:
 
+//         h += read(msg, 16)
 
+//         h *= r
 
+//         h %= 2¹³⁰ - 5
 
+//     return h + s
 
+//
 
+// All the complexity is about doing performant constant-time math on numbers
 
+// larger than any available numeric type.
 
 
-// sumGeneric generates an authenticator for msg using a one-time key and
 
-// puts the 16-byte result into out. This is the generic implementation of
 
-// Sum and should be called if no assembly implementation is available.
 
 func sumGeneric(out *[TagSize]byte, msg []byte, key *[32]byte) {
 
 	h := newMACGeneric(key)
 
 	h.Write(msg)
 
@@ -21,152 +32,276 @@ func sumGeneric(out *[TagSize]byte, msg []byte, key *[32]byte) {
 
 }
 
 
 func newMACGeneric(key *[32]byte) (h macGeneric) {
 
-	h.r[0] = binary.LittleEndian.Uint32(key[0:]) & 0x3ffffff
 
-	h.r[1] = (binary.LittleEndian.Uint32(key[3:]) >> 2) & 0x3ffff03
 
-	h.r[2] = (binary.LittleEndian.Uint32(key[6:]) >> 4) & 0x3ffc0ff
 
-	h.r[3] = (binary.LittleEndian.Uint32(key[9:]) >> 6) & 0x3f03fff
 
-	h.r[4] = (binary.LittleEndian.Uint32(key[12:]) >> 8) & 0x00fffff
 
-
 
-	h.s[0] = binary.LittleEndian.Uint32(key[16:])
 
-	h.s[1] = binary.LittleEndian.Uint32(key[20:])
 
-	h.s[2] = binary.LittleEndian.Uint32(key[24:])
 
-	h.s[3] = binary.LittleEndian.Uint32(key[28:])
 
+	initialize(key, &h.r, &h.s)
 
 	return
 
 }
 
 
+// macState holds numbers in saturated 64-bit little-endian limbs. That is,
 
+// the value of [x0, x1, x2] is x[0] + x[1] * 2⁶⁴ + x[2] * 2¹²⁸.
 
+type macState struct {
 
+	// h is the main accumulator. It is to be interpreted modulo 2¹³⁰ - 5, but
 
+	// can grow larger during and after rounds.
 
+	h [3]uint64
 
+	// r and s are the private key components.
 
+	r [2]uint64
 
+	s [2]uint64
 
+}
 
+
 
 type macGeneric struct {
 
-	h, r [5]uint32
 
-	s    [4]uint32
 
+	macState
 
 
 	buffer [TagSize]byte
 
 	offset int
 
 }
 
 
-func (h *macGeneric) Write(p []byte) (n int, err error) {
 
-	n = len(p)
 
+// Write splits the incoming message into TagSize chunks, and passes them to
 
+// update. It buffers incomplete chunks.
 
+func (h *macGeneric) Write(p []byte) (int, error) {
 
+	nn := len(p)
 
 	if h.offset > 0 {
 
-		remaining := TagSize - h.offset
 
-		if n < remaining {
 
-			h.offset += copy(h.buffer[h.offset:], p)
 
-			return n, nil
 
+		n := copy(h.buffer[h.offset:], p)
 
+		if h.offset+n < TagSize {
 
+			h.offset += n
 
+			return nn, nil
 
 		}
 
-		copy(h.buffer[h.offset:], p[:remaining])
 
-		p = p[remaining:]
 
+		p = p[n:]
 
 		h.offset = 0
 
-		updateGeneric(h.buffer[:], msgBlock, &(h.h), &(h.r))
 
+		updateGeneric(&h.macState, h.buffer[:])
 
 	}
 
-	if nn := len(p) - (len(p) % TagSize); nn > 0 {
 
-		updateGeneric(p, msgBlock, &(h.h), &(h.r))
 
-		p = p[nn:]
 
+	if n := len(p) - (len(p) % TagSize); n > 0 {
 
+		updateGeneric(&h.macState, p[:n])
 
+		p = p[n:]
 
 	}
 
 	if len(p) > 0 {
 
 		h.offset += copy(h.buffer[h.offset:], p)
 
 	}
 
-	return n, nil
 
+	return nn, nil
 
 }
 
 
-func (h *macGeneric) Sum(out *[16]byte) {
 
-	H, R := h.h, h.r
 
+// Sum flushes the last incomplete chunk from the buffer, if any, and generates
 
+// the MAC output. It does not modify its state, in order to allow for multiple
 
+// calls to Sum, even if no Write is allowed after Sum.
 
+func (h *macGeneric) Sum(out *[TagSize]byte) {
 
+	state := h.macState
 
 	if h.offset > 0 {
 
-		var buffer [TagSize]byte
 
-		copy(buffer[:], h.buffer[:h.offset])
 
-		buffer[h.offset] = 1 // invariant: h.offset < TagSize
 
-		updateGeneric(buffer[:], finalBlock, &H, &R)
 
+		updateGeneric(&state, h.buffer[:h.offset])
 
 	}
 
-	finalizeGeneric(out, &H, &(h.s))
 
+	finalize(out, &state.h, &state.s)
 
+}
 
+
 
+// [rMask0, rMask1] is the specified Poly1305 clamping mask in little-endian. It
 
+// clears some bits of the secret coefficient to make it possible to implement
 
+// multiplication more efficiently.
 
+const (
 
+	rMask0 = 0x0FFFFFFC0FFFFFFF
 
+	rMask1 = 0x0FFFFFFC0FFFFFFC
 
+)
 
+
 
+func initialize(key *[32]byte, r, s *[2]uint64) {
 
+	r[0] = binary.LittleEndian.Uint64(key[0:8]) & rMask0
 
+	r[1] = binary.LittleEndian.Uint64(key[8:16]) & rMask1
 
+	s[0] = binary.LittleEndian.Uint64(key[16:24])
 
+	s[1] = binary.LittleEndian.Uint64(key[24:32])
 
+}
 
+
 
+// uint128 holds a 128-bit number as two 64-bit limbs, for use with the
 
+// bits.Mul64 and bits.Add64 intrinsics.
 
+type uint128 struct {
 
+	lo, hi uint64
 
+}
 
+
 
+func mul64(a, b uint64) uint128 {
 
+	hi, lo := bitsMul64(a, b)
 
+	return uint128{lo, hi}
 
 }
 
 
-func updateGeneric(msg []byte, flag uint32, h, r *[5]uint32) {
 
-	h0, h1, h2, h3, h4 := h[0], h[1], h[2], h[3], h[4]
 
-	r0, r1, r2, r3, r4 := uint64(r[0]), uint64(r[1]), uint64(r[2]), uint64(r[3]), uint64(r[4])
 
-	R1, R2, R3, R4 := r1*5, r2*5, r3*5, r4*5
 
-
 
-	for len(msg) >= TagSize {
 
-		// h += msg
 
-		h0 += binary.LittleEndian.Uint32(msg[0:]) & 0x3ffffff
 
-		h1 += (binary.LittleEndian.Uint32(msg[3:]) >> 2) & 0x3ffffff
 
-		h2 += (binary.LittleEndian.Uint32(msg[6:]) >> 4) & 0x3ffffff
 
-		h3 += (binary.LittleEndian.Uint32(msg[9:]) >> 6) & 0x3ffffff
 
-		h4 += (binary.LittleEndian.Uint32(msg[12:]) >> 8) | flag
 
-
 
-		// h *= r
 
-		d0 := (uint64(h0) * r0) + (uint64(h1) * R4) + (uint64(h2) * R3) + (uint64(h3) * R2) + (uint64(h4) * R1)
 
-		d1 := (d0 >> 26) + (uint64(h0) * r1) + (uint64(h1) * r0) + (uint64(h2) * R4) + (uint64(h3) * R3) + (uint64(h4) * R2)
 
-		d2 := (d1 >> 26) + (uint64(h0) * r2) + (uint64(h1) * r1) + (uint64(h2) * r0) + (uint64(h3) * R4) + (uint64(h4) * R3)
 
-		d3 := (d2 >> 26) + (uint64(h0) * r3) + (uint64(h1) * r2) + (uint64(h2) * r1) + (uint64(h3) * r0) + (uint64(h4) * R4)
 
-		d4 := (d3 >> 26) + (uint64(h0) * r4) + (uint64(h1) * r3) + (uint64(h2) * r2) + (uint64(h3) * r1) + (uint64(h4) * r0)
 
-
 
-		// h %= p
 
-		h0 = uint32(d0) & 0x3ffffff
 
-		h1 = uint32(d1) & 0x3ffffff
 
-		h2 = uint32(d2) & 0x3ffffff
 
-		h3 = uint32(d3) & 0x3ffffff
 
-		h4 = uint32(d4) & 0x3ffffff
 
-
 
-		h0 += uint32(d4>>26) * 5
 
-		h1 += h0 >> 26
 
-		h0 = h0 & 0x3ffffff
 
-
 
-		msg = msg[TagSize:]
 
+func add128(a, b uint128) uint128 {
 
+	lo, c := bitsAdd64(a.lo, b.lo, 0)
 
+	hi, c := bitsAdd64(a.hi, b.hi, c)
 
+	if c != 0 {
 
+		panic("poly1305: unexpected overflow")
 
 	}
 
+	return uint128{lo, hi}
 
+}
 
 
-	h[0], h[1], h[2], h[3], h[4] = h0, h1, h2, h3, h4
 
+func shiftRightBy2(a uint128) uint128 {
 
+	a.lo = a.lo>>2 | (a.hi&3)<<62
 
+	a.hi = a.hi >> 2
 
+	return a
 
 }
 
 
-func finalizeGeneric(out *[TagSize]byte, h *[5]uint32, s *[4]uint32) {
 
-	h0, h1, h2, h3, h4 := h[0], h[1], h[2], h[3], h[4]
 
-
 
-	// h %= p reduction
 
-	h2 += h1 >> 26
 
-	h1 &= 0x3ffffff
 
-	h3 += h2 >> 26
 
-	h2 &= 0x3ffffff
 
-	h4 += h3 >> 26
 
-	h3 &= 0x3ffffff
 
-	h0 += 5 * (h4 >> 26)
 
-	h4 &= 0x3ffffff
 
-	h1 += h0 >> 26
 
-	h0 &= 0x3ffffff
 
-
 
-	// h - p
 
-	t0 := h0 + 5
 
-	t1 := h1 + (t0 >> 26)
 
-	t2 := h2 + (t1 >> 26)
 
-	t3 := h3 + (t2 >> 26)
 
-	t4 := h4 + (t3 >> 26) - (1 << 26)
 
-	t0 &= 0x3ffffff
 
-	t1 &= 0x3ffffff
 
-	t2 &= 0x3ffffff
 
-	t3 &= 0x3ffffff
 
-
 
-	// select h if h < p else h - p
 
-	t_mask := (t4 >> 31) - 1
 
-	h_mask := ^t_mask
 
-	h0 = (h0 & h_mask) | (t0 & t_mask)
 
-	h1 = (h1 & h_mask) | (t1 & t_mask)
 
-	h2 = (h2 & h_mask) | (t2 & t_mask)
 
-	h3 = (h3 & h_mask) | (t3 & t_mask)
 
-	h4 = (h4 & h_mask) | (t4 & t_mask)
 
-
 
-	// h %= 2^128
 
-	h0 |= h1 << 26
 
-	h1 = ((h1 >> 6) | (h2 << 20))
 
-	h2 = ((h2 >> 12) | (h3 << 14))
 
-	h3 = ((h3 >> 18) | (h4 << 8))
 
-
 
-	// s: the s part of the key
 
-	// tag = (h + s) % (2^128)
 
-	t := uint64(h0) + uint64(s[0])
 
-	h0 = uint32(t)
 
-	t = uint64(h1) + uint64(s[1]) + (t >> 32)
 
-	h1 = uint32(t)
 
-	t = uint64(h2) + uint64(s[2]) + (t >> 32)
 
-	h2 = uint32(t)
 
-	t = uint64(h3) + uint64(s[3]) + (t >> 32)
 
-	h3 = uint32(t)
 
-
 
-	binary.LittleEndian.PutUint32(out[0:], h0)
 
-	binary.LittleEndian.PutUint32(out[4:], h1)
 
-	binary.LittleEndian.PutUint32(out[8:], h2)
 
-	binary.LittleEndian.PutUint32(out[12:], h3)
 
+// updateGeneric absorbs msg into the state.h accumulator. For each chunk m of
 
+// 128 bits of message, it computes
 
+//
 
+//     h₊ = (h + m) * r  mod  2¹³⁰ - 5
 
+//
 
+// If the msg length is not a multiple of TagSize, it assumes the last
 
+// incomplete chunk is the final one.
 
+func updateGeneric(state *macState, msg []byte) {
 
+	h0, h1, h2 := state.h[0], state.h[1], state.h[2]
 
+	r0, r1 := state.r[0], state.r[1]
 
+
 
+	for len(msg) > 0 {
 
+		var c uint64
 
+
 
+		// For the first step, h + m, we use a chain of bits.Add64 intrinsics.
 
+		// The resulting value of h might exceed 2¹³⁰ - 5, but will be partially
 
+		// reduced at the end of the multiplication below.
 
+		//
 
+		// The spec requires us to set a bit just above the message size, not to
 
+		// hide leading zeroes. For full chunks, that's 1 << 128, so we can just
 
+		// add 1 to the most significant (2¹²⁸) limb, h2.
 
+		if len(msg) >= TagSize {
 
+			h0, c = bitsAdd64(h0, binary.LittleEndian.Uint64(msg[0:8]), 0)
 
+			h1, c = bitsAdd64(h1, binary.LittleEndian.Uint64(msg[8:16]), c)
 
+			h2 += c + 1
 
+
 
+			msg = msg[TagSize:]
 
+		} else {
 
+			var buf [TagSize]byte
 
+			copy(buf[:], msg)
 
+			buf[len(msg)] = 1
 
+
 
+			h0, c = bitsAdd64(h0, binary.LittleEndian.Uint64(buf[0:8]), 0)
 
+			h1, c = bitsAdd64(h1, binary.LittleEndian.Uint64(buf[8:16]), c)
 
+			h2 += c
 
+
 
+			msg = nil
 
+		}
 
+
 
+		// Multiplication of big number limbs is similar to elementary school
 
+		// columnar multiplication. Instead of digits, there are 64-bit limbs.
 
+		//
 
+		// We are multiplying a 3 limbs number, h, by a 2 limbs number, r.
 
+		//
 
+		//                        h2    h1    h0  x
 
+		//                              r1    r0  =
 
+		//                       ----------------
 
+		//                      h2r0  h1r0  h0r0     <-- individual 128-bit products
 
+		//            +   h2r1  h1r1  h0r1
 
+		//               ------------------------
 
+		//                 m3    m2    m1    m0      <-- result in 128-bit overlapping limbs
 
+		//               ------------------------
 
+		//         m3.hi m2.hi m1.hi m0.hi           <-- carry propagation
 
+		//     +         m3.lo m2.lo m1.lo m0.lo
 
+		//        -------------------------------
 
+		//           t4    t3    t2    t1    t0      <-- final result in 64-bit limbs
 
+		//
 
+		// The main difference from pen-and-paper multiplication is that we do
 
+		// carry propagation in a separate step, as if we wrote two digit sums
 
+		// at first (the 128-bit limbs), and then carried the tens all at once.
 
+
 
+		h0r0 := mul64(h0, r0)
 
+		h1r0 := mul64(h1, r0)
 
+		h2r0 := mul64(h2, r0)
 
+		h0r1 := mul64(h0, r1)
 
+		h1r1 := mul64(h1, r1)
 
+		h2r1 := mul64(h2, r1)
 
+
 
+		// Since h2 is known to be at most 7 (5 + 1 + 1), and r0 and r1 have their
 
+		// top 4 bits cleared by rMask{0,1}, we know that their product is not going
 
+		// to overflow 64 bits, so we can ignore the high part of the products.
 
+		//
 
+		// This also means that the product doesn't have a fifth limb (t4).
 
+		if h2r0.hi != 0 {
 
+			panic("poly1305: unexpected overflow")
 
+		}
 
+		if h2r1.hi != 0 {
 
+			panic("poly1305: unexpected overflow")
 
+		}
 
+
 
+		m0 := h0r0
 
+		m1 := add128(h1r0, h0r1) // These two additions don't overflow thanks again
 
+		m2 := add128(h2r0, h1r1) // to the 4 masked bits at the top of r0 and r1.
 
+		m3 := h2r1
 
+
 
+		t0 := m0.lo
 
+		t1, c := bitsAdd64(m1.lo, m0.hi, 0)
 
+		t2, c := bitsAdd64(m2.lo, m1.hi, c)
 
+		t3, _ := bitsAdd64(m3.lo, m2.hi, c)
 
+
 
+		// Now we have the result as 4 64-bit limbs, and we need to reduce it
 
+		// modulo 2¹³⁰ - 5. The special shape of this Crandall prime lets us do
 
+		// a cheap partial reduction according to the reduction identity
 
+		//
 
+		//     c * 2¹³⁰ + n  =  c * 5 + n  mod  2¹³⁰ - 5
 
+		//
 
+		// because 2¹³⁰ = 5 mod 2¹³⁰ - 5. Partial reduction since the result is
 
+		// likely to be larger than 2¹³⁰ - 5, but still small enough to fit the
 
+		// assumptions we make about h in the rest of the code.
 
+		//
 
+		// See also https://speakerdeck.com/gtank/engineering-prime-numbers?slide=23
 
+
 
+		// We split the final result at the 2¹³⁰ mark into h and cc, the carry.
 
+		// Note that the carry bits are effectively shifted left by 2, in other
 
+		// words, cc = c * 4 for the c in the reduction identity.
 
+		h0, h1, h2 = t0, t1, t2&maskLow2Bits
 
+		cc := uint128{t2 & maskNotLow2Bits, t3}
 
+
 
+		// To add c * 5 to h, we first add cc = c * 4, and then add (cc >> 2) = c.
 
+
 
+		h0, c = bitsAdd64(h0, cc.lo, 0)
 
+		h1, c = bitsAdd64(h1, cc.hi, c)
 
+		h2 += c
 
+
 
+		cc = shiftRightBy2(cc)
 
+
 
+		h0, c = bitsAdd64(h0, cc.lo, 0)
 
+		h1, c = bitsAdd64(h1, cc.hi, c)
 
+		h2 += c
 
+
 
+		// h2 is at most 3 + 1 + 1 = 5, making the whole of h at most
 
+		//
 
+		//     5 * 2¹²⁸ + (2¹²⁸ - 1) = 6 * 2¹²⁸ - 1
 
+	}
 
+
 
+	state.h[0], state.h[1], state.h[2] = h0, h1, h2
 
+}
 
+
 
+const (
 
+	maskLow2Bits    uint64 = 0x0000000000000003
 
+	maskNotLow2Bits uint64 = ^maskLow2Bits
 
+)
 
+
 
+// select64 returns x if v == 1 and y if v == 0, in constant time.
 
+func select64(v, x, y uint64) uint64 { return ^(v-1)&x | (v-1)&y }
 
+
 
+// [p0, p1, p2] is 2¹³⁰ - 5 in little endian order.
 
+const (
 
+	p0 = 0xFFFFFFFFFFFFFFFB
 
+	p1 = 0xFFFFFFFFFFFFFFFF
 
+	p2 = 0x0000000000000003
 
+)
 
+
 
+// finalize completes the modular reduction of h and computes
 
+//
 
+//     out = h + s  mod  2¹²⁸
 
+//
 
+func finalize(out *[TagSize]byte, h *[3]uint64, s *[2]uint64) {
 
+	h0, h1, h2 := h[0], h[1], h[2]
 
+
 
+	// After the partial reduction in updateGeneric, h might be more than
 
+	// 2¹³⁰ - 5, but will be less than 2 * (2¹³⁰ - 5). To complete the reduction
 
+	// in constant time, we compute t = h - (2¹³⁰ - 5), and select h as the
 
+	// result if the subtraction underflows, and t otherwise.
 
+
 
+	hMinusP0, b := bitsSub64(h0, p0, 0)
 
+	hMinusP1, b := bitsSub64(h1, p1, b)
 
+	_, b = bitsSub64(h2, p2, b)
 
+
 
+	// h = h if h < p else h - p
 
+	h0 = select64(b, h0, hMinusP0)
 
+	h1 = select64(b, h1, hMinusP1)
 
+
 
+	// Finally, we compute the last Poly1305 step
 
+	//
 
+	//     tag = h + s  mod  2¹²⁸
 
+	//
 
+	// by just doing a wide addition with the 128 low bits of h and discarding
 
+	// the overflow.
 
+	h0, c := bitsAdd64(h0, s[0], 0)
 
+	h1, _ = bitsAdd64(h1, s[1], c)
 
+
 
+	binary.LittleEndian.PutUint64(out[0:8], h0)
 
+	binary.LittleEndian.PutUint64(out[8:16], h1)
 
 }

+ 2 - 5
vendor/golang.org/x/crypto/poly1305/sum_noasm.go
View File 

@@ -2,14 +2,11 @@
 
 // Use of this source code is governed by a BSD-style
 
 // license that can be found in the LICENSE file.
 
 
-// +build s390x,!go1.11 !arm,!amd64,!s390x gccgo appengine nacl
 
+// +build s390x,!go1.11 !amd64,!s390x,!ppc64le gccgo appengine nacl
 
 
 package poly1305
 
 
-// Sum generates an authenticator for msg using a one-time key and puts the
 
-// 16-byte result into out. Authenticating two different messages with the same
 
-// key allows an attacker to forge messages at will.
 
-func Sum(out *[TagSize]byte, msg []byte, key *[32]byte) {
 
+func sum(out *[TagSize]byte, msg []byte, key *[32]byte) {
 
 	h := newMAC(key)
 
 	h.Write(msg)
 
 	h.Sum(out)

+ 58 - 0
vendor/golang.org/x/crypto/poly1305/sum_ppc64le.go
View File 

@@ -0,0 +1,58 @@
 
+// Copyright 2019 The Go Authors. All rights reserved.
 
+// Use of this source code is governed by a BSD-style
 
+// license that can be found in the LICENSE file.
 
+
 
+// +build ppc64le,!gccgo,!appengine
 
+
 
+package poly1305
 
+
 
+//go:noescape
 
+func update(state *macState, msg []byte)
 
+
 
+func sum(out *[16]byte, m []byte, key *[32]byte) {
 
+	h := newMAC(key)
 
+	h.Write(m)
 
+	h.Sum(out)
 
+}
 
+
 
+func newMAC(key *[32]byte) (h mac) {
 
+	initialize(key, &h.r, &h.s)
 
+	return
 
+}
 
+
 
+// mac is a wrapper for macGeneric that redirects calls that would have gone to
 
+// updateGeneric to update.
 
+//
 
+// Its Write and Sum methods are otherwise identical to the macGeneric ones, but
 
+// using function pointers would carry a major performance cost.
 
+type mac struct{ macGeneric }
 
+
 
+func (h *mac) Write(p []byte) (int, error) {
 
+	nn := len(p)
 
+	if h.offset > 0 {
 
+		n := copy(h.buffer[h.offset:], p)
 
+		if h.offset+n < TagSize {
 
+			h.offset += n
 
+			return nn, nil
 
+		}
 
+		p = p[n:]
 
+		h.offset = 0
 
+		update(&h.macState, h.buffer[:])
 
+	}
 
+	if n := len(p) - (len(p) % TagSize); n > 0 {
 
+		update(&h.macState, p[:n])
 
+		p = p[n:]
 
+	}
 
+	if len(p) > 0 {
 
+		h.offset += copy(h.buffer[h.offset:], p)
 
+	}
 
+	return nn, nil
 
+}
 
+
 
+func (h *mac) Sum(out *[16]byte) {
 
+	state := h.macState
 
+	if h.offset > 0 {
 
+		update(&state, h.buffer[:h.offset])
 
+	}
 
+	finalize(out, &state.h, &state.s)
 
+}

+ 181 - 0
vendor/golang.org/x/crypto/poly1305/sum_ppc64le.s
View File 

@@ -0,0 +1,181 @@
 
+// Copyright 2019 The Go Authors. All rights reserved.
 
+// Use of this source code is governed by a BSD-style
 
+// license that can be found in the LICENSE file.
 
+
 
+// +build ppc64le,!gccgo,!appengine
 
+
 
+#include "textflag.h"
 
+
 
+// This was ported from the amd64 implementation.
 
+
 
+#define POLY1305_ADD(msg, h0, h1, h2, t0, t1, t2) \
 
+	MOVD (msg), t0;  \
 
+	MOVD 8(msg), t1; \
 
+	MOVD $1, t2;     \
 
+	ADDC t0, h0, h0; \
 
+	ADDE t1, h1, h1; \
 
+	ADDE t2, h2;     \
 
+	ADD  $16, msg
 
+
 
+#define POLY1305_MUL(h0, h1, h2, r0, r1, t0, t1, t2, t3, t4, t5) \
 
+	MULLD  r0, h0, t0;  \
 
+	MULLD  r0, h1, t4;  \
 
+	MULHDU r0, h0, t1;  \
 
+	MULHDU r0, h1, t5;  \
 
+	ADDC   t4, t1, t1;  \
 
+	MULLD  r0, h2, t2;  \
 
+	ADDZE  t5;          \
 
+	MULHDU r1, h0, t4;  \
 
+	MULLD  r1, h0, h0;  \
 
+	ADD    t5, t2, t2;  \
 
+	ADDC   h0, t1, t1;  \
 
+	MULLD  h2, r1, t3;  \
 
+	ADDZE  t4, h0;      \
 
+	MULHDU r1, h1, t5;  \
 
+	MULLD  r1, h1, t4;  \
 
+	ADDC   t4, t2, t2;  \
 
+	ADDE   t5, t3, t3;  \
 
+	ADDC   h0, t2, t2;  \
 
+	MOVD   $-4, t4;     \
 
+	MOVD   t0, h0;      \
 
+	MOVD   t1, h1;      \
 
+	ADDZE  t3;          \
 
+	ANDCC  $3, t2, h2;  \
 
+	AND    t2, t4, t0;  \
 
+	ADDC   t0, h0, h0;  \
 
+	ADDE   t3, h1, h1;  \
 
+	SLD    $62, t3, t4; \
 
+	SRD    $2, t2;      \
 
+	ADDZE  h2;          \
 
+	OR     t4, t2, t2;  \
 
+	SRD    $2, t3;      \
 
+	ADDC   t2, h0, h0;  \
 
+	ADDE   t3, h1, h1;  \
 
+	ADDZE  h2
 
+
 
+DATA ·poly1305Mask<>+0x00(SB)/8, $0x0FFFFFFC0FFFFFFF
 
+DATA ·poly1305Mask<>+0x08(SB)/8, $0x0FFFFFFC0FFFFFFC
 
+GLOBL ·poly1305Mask<>(SB), RODATA, $16
 
+
 
+// func update(state *[7]uint64, msg []byte)
 
+TEXT ·update(SB), $0-32
 
+	MOVD state+0(FP), R3
 
+	MOVD msg_base+8(FP), R4
 
+	MOVD msg_len+16(FP), R5
 
+
 
+	MOVD 0(R3), R8   // h0
 
+	MOVD 8(R3), R9   // h1
 
+	MOVD 16(R3), R10 // h2
 
+	MOVD 24(R3), R11 // r0
 
+	MOVD 32(R3), R12 // r1
 
+
 
+	CMP R5, $16
 
+	BLT bytes_between_0_and_15
 
+
 
+loop:
 
+	POLY1305_ADD(R4, R8, R9, R10, R20, R21, R22)
 
+
 
+multiply:
 
+	POLY1305_MUL(R8, R9, R10, R11, R12, R16, R17, R18, R14, R20, R21)
 
+	ADD $-16, R5
 
+	CMP R5, $16
 
+	BGE loop
 
+
 
+bytes_between_0_and_15:
 
+	CMP  $0, R5
 
+	BEQ  done
 
+	MOVD $0, R16 // h0
 
+	MOVD $0, R17 // h1
 
+
 
+flush_buffer:
 
+	CMP R5, $8
 
+	BLE just1
 
+
 
+	MOVD $8, R21
 
+	SUB  R21, R5, R21
 
+
 
+	// Greater than 8 -- load the rightmost remaining bytes in msg
 
+	// and put into R17 (h1)
 
+	MOVD (R4)(R21), R17
 
+	MOVD $16, R22
 
+
 
+	// Find the offset to those bytes
 
+	SUB R5, R22, R22
 
+	SLD $3, R22
 
+
 
+	// Shift to get only the bytes in msg
 
+	SRD R22, R17, R17
 
+
 
+	// Put 1 at high end
 
+	MOVD $1, R23
 
+	SLD  $3, R21
 
+	SLD  R21, R23, R23
 
+	OR   R23, R17, R17
 
+
 
+	// Remainder is 8
 
+	MOVD $8, R5
 
+
 
+just1:
 
+	CMP R5, $8
 
+	BLT less8
 
+
 
+	// Exactly 8
 
+	MOVD (R4), R16
 
+
 
+	CMP $0, R17
 
+
 
+	// Check if we've already set R17; if not
 
+	// set 1 to indicate end of msg.
 
+	BNE  carry
 
+	MOVD $1, R17
 
+	BR   carry
 
+
 
+less8:
 
+	MOVD  $0, R16   // h0
 
+	MOVD  $0, R22   // shift count
 
+	CMP   R5, $4
 
+	BLT   less4
 
+	MOVWZ (R4), R16
 
+	ADD   $4, R4
 
+	ADD   $-4, R5
 
+	MOVD  $32, R22
 
+
 
+less4:
 
+	CMP   R5, $2
 
+	BLT   less2
 
+	MOVHZ (R4), R21
 
+	SLD   R22, R21, R21
 
+	OR    R16, R21, R16
 
+	ADD   $16, R22
 
+	ADD   $-2, R5
 
+	ADD   $2, R4
 
+
 
+less2:
 
+	CMP   $0, R5
 
+	BEQ   insert1
 
+	MOVBZ (R4), R21
 
+	SLD   R22, R21, R21
 
+	OR    R16, R21, R16
 
+	ADD   $8, R22
 
+
 
+insert1:
 
+	// Insert 1 at end of msg
 
+	MOVD $1, R21
 
+	SLD  R22, R21, R21
 
+	OR   R16, R21, R16
 
+
 
+carry:
 
+	// Add new values to h0, h1, h2
 
+	ADDC R16, R8
 
+	ADDE R17, R9
 
+	ADDE $0, R10
 
+	MOVD $16, R5
 
+	ADD  R5, R4
 
+	BR   multiply
 
+
 
+done:
 
+	// Save h0, h1, h2 in state
 
+	MOVD R8, 0(R3)
 
+	MOVD R9, 8(R3)
 
+	MOVD R10, 16(R3)
 
+	RET

+ 1 - 4
vendor/golang.org/x/crypto/poly1305/sum_s390x.go
View File 

@@ -22,10 +22,7 @@ func poly1305vx(out *[16]byte, m *byte, mlen uint64, key *[32]byte)
 
 //go:noescape
 
 func poly1305vmsl(out *[16]byte, m *byte, mlen uint64, key *[32]byte)
 
 
-// Sum generates an authenticator for m using a one-time key and puts the
 
-// 16-byte result into out. Authenticating two different messages with the same
 
-// key allows an attacker to forge messages at will.
 
-func Sum(out *[16]byte, m []byte, key *[32]byte) {
 
+func sum(out *[16]byte, m []byte, key *[32]byte) {
 
 	if cpu.S390X.HasVX {
 
 		var mPtr *byte
 
 		if len(m) > 0 {

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5