RubyGems - grpc - Versions diffs - 1.28.0 → 1.30.0 - Mend

grpc 1.28.0 → 1.30.0

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (497) hide show

data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc CHANGED

@@ -67,62 +67,100 @@
 BSSL_NAMESPACE_BEGIN
-static void ssl3_on_handshake_complete(SSL *ssl) {
+static void tls_on_handshake_complete(SSL *ssl) {
   // The handshake should have released its final message.
   assert(!ssl->s3->has_message);
   // During the handshake, |hs_buf| is retained. Release if it there is no
-  // excess in it. There may be excess left if there server sent Finished and
-  // HelloRequest in the same record.
-  //
-  // TODO(davidben): SChannel does not support this. Reject this case.
+  // excess in it. There should not be any excess because the handshake logic
+  // rejects unprocessed data after each Finished message. Note this means we do
+  // not allow a TLS 1.2 HelloRequest to be packed into the same record as
+  // Finished. (Schannel also rejects this.)
+  assert(!ssl->s3->hs_buf || ssl->s3->hs_buf->length == 0);
   if (ssl->s3->hs_buf && ssl->s3->hs_buf->length == 0) {
     ssl->s3->hs_buf.reset();
   }
 }
-static bool ssl3_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
+static bool tls_set_read_state(SSL *ssl, ssl_encryption_level_t level,
+                               UniquePtr<SSLAEADContext> aead_ctx,
+                               Span<const uint8_t> secret_for_quic) {
   // Cipher changes are forbidden if the current epoch has leftover data.
   if (tls_has_unprocessed_handshake_data(ssl)) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
+    OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
     return false;
   }
+  if (ssl->quic_method != nullptr) {
+    if (!ssl->quic_method->set_read_secret(ssl, level, aead_ctx->cipher(),
+                                           secret_for_quic.data(),
+                                           secret_for_quic.size())) {
+      return false;
+    }
+    // QUIC only uses |ssl| for handshake messages, which never use early data
+    // keys, so we return without installing anything. This avoids needing to
+    // have two secrets active at once in 0-RTT.
+    if (level == ssl_encryption_early_data) {
+      return true;
+    }
+  }
   OPENSSL_memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));
   ssl->s3->aead_read_ctx = std::move(aead_ctx);
+  ssl->s3->read_level = level;
   return true;
 }
-static bool ssl3_set_write_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
+static bool tls_set_write_state(SSL *ssl, ssl_encryption_level_t level,
+                                UniquePtr<SSLAEADContext> aead_ctx,
+                                Span<const uint8_t> secret_for_quic) {
   if (!tls_flush_pending_hs_data(ssl)) {
     return false;
   }
+  if (ssl->quic_method != nullptr) {
+    if (!ssl->quic_method->set_write_secret(ssl, level, aead_ctx->cipher(),
+                                            secret_for_quic.data(),
+                                            secret_for_quic.size())) {
+      return false;
+    }
+    // QUIC only uses |ssl| for handshake messages, which never use early data
+    // keys, so we return without installing anything. This avoids needing to
+    // have two secrets active at once in 0-RTT.
+    if (level == ssl_encryption_early_data) {
+      return true;
+    }
+  }
   OPENSSL_memset(ssl->s3->write_sequence, 0, sizeof(ssl->s3->write_sequence));
   ssl->s3->aead_write_ctx = std::move(aead_ctx);
+  ssl->s3->write_level = level;
   return true;
 }
 static const SSL_PROTOCOL_METHOD kTLSProtocolMethod = {
     false /* is_dtls */,
-    ssl3_new,
-    ssl3_free,
-    ssl3_get_message,
-    ssl3_next_message,
-    ssl3_open_handshake,
-    ssl3_open_change_cipher_spec,
-    ssl3_open_app_data,
-    ssl3_write_app_data,
-    ssl3_dispatch_alert,
-    ssl3_init_message,
-    ssl3_finish_message,
-    ssl3_add_message,
-    ssl3_add_change_cipher_spec,
-    ssl3_flush_flight,
-    ssl3_on_handshake_complete,
-    ssl3_set_read_state,
-    ssl3_set_write_state,
+    tls_new,
+    tls_free,
+    tls_get_message,
+    tls_next_message,
+    tls_has_unprocessed_handshake_data,
+    tls_open_handshake,
+    tls_open_change_cipher_spec,
+    tls_open_app_data,
+    tls_write_app_data,
+    tls_dispatch_alert,
+    tls_init_message,
+    tls_finish_message,
+    tls_add_message,
+    tls_add_change_cipher_spec,
+    tls_flush_flight,
+    tls_on_handshake_complete,
+    tls_set_read_state,
+    tls_set_write_state,
 };
 static bool ssl_noop_x509_check_client_CA_names(

data/third_party/boringssl-with-bazel/src/third_party/fiat/curve25519_32.h CHANGED

@@ -1,17 +1,28 @@
-/* Autogenerated */
+/* Autogenerated: src/ExtractionOCaml/unsaturated_solinas --static 25519 10 '2^255 - 19' 32 carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 */
 /* curve description: 25519 */
-/* requested operations: carry_mul, carry_square, carry_scmul121666, carry, add, sub, opp, selectznz, to_bytes, from_bytes */
+/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666 */
 /* n = 10 (from "10") */
-/* s = 0x8000000000000000000000000000000000000000000000000000000000000000 (from "2^255") */
-/* c = [(1, 19)] (from "1,19") */
+/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */
 /* machine_wordsize = 32 (from "32") */
+/* Computed values: */
+/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */
 #include <stdint.h>
 typedef unsigned char fiat_25519_uint1;
 typedef signed char fiat_25519_int1;
+#if (-1 & 3) != 3
+#error "This code only works on a two's complement system"
+#endif
 /*
+ * The function fiat_25519_addcarryx_u26 is an addition with carry.
+ * Postconditions:
+ *   out1 = (arg1 + arg2 + arg3) mod 2^26
+ *   out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋
+ *
  * Input Bounds:
  *   arg1: [0x0 ~> 0x1]
  *   arg2: [0x0 ~> 0x3ffffff]
@@ -29,6 +40,11 @@ static void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fia
 }
 /*
+ * The function fiat_25519_subborrowx_u26 is a subtraction with borrow.
+ * Postconditions:
+ *   out1 = (-arg1 + arg2 + -arg3) mod 2^26
+ *   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋
+ *
  * Input Bounds:
  *   arg1: [0x0 ~> 0x1]
  *   arg2: [0x0 ~> 0x3ffffff]
@@ -46,6 +62,11 @@ static void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fi
 }
 /*
+ * The function fiat_25519_addcarryx_u25 is an addition with carry.
+ * Postconditions:
+ *   out1 = (arg1 + arg2 + arg3) mod 2^25
+ *   out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋
+ *
  * Input Bounds:
  *   arg1: [0x0 ~> 0x1]
  *   arg2: [0x0 ~> 0x1ffffff]
@@ -63,6 +84,11 @@ static void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fia
 }
 /*
+ * The function fiat_25519_subborrowx_u25 is a subtraction with borrow.
+ * Postconditions:
+ *   out1 = (-arg1 + arg2 + -arg3) mod 2^25
+ *   out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋
+ *
  * Input Bounds:
  *   arg1: [0x0 ~> 0x1]
  *   arg2: [0x0 ~> 0x1ffffff]
@@ -80,6 +106,10 @@ static void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fi
 }
 /*
+ * The function fiat_25519_cmovznz_u32 is a single-word conditional move.
+ * Postconditions:
+ *   out1 = (if arg1 = 0 then arg2 else arg3)
+ *
  * Input Bounds:
  *   arg1: [0x0 ~> 0x1]
  *   arg2: [0x0 ~> 0xffffffff]
@@ -101,6 +131,10 @@ static void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32
 }
 /*
+ * The function fiat_25519_carry_mul multiplies two field elements and reduces the result.
+ * Postconditions:
+ *   eval out1 mod m = (eval arg1 * eval arg2) mod m
+ *
  * Input Bounds:
  *   arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]]
  *   arg2: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]]
@@ -108,65 +142,65 @@ static void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32
  *   out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]
  */
 static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], const uint32_t arg2[10]) {
-  uint64_t x1 = ((uint64_t)(arg1[9]) * ((arg2[9]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x2 = ((uint64_t)(arg1[9]) * ((arg2[8]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x3 = ((uint64_t)(arg1[9]) * ((arg2[7]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x4 = ((uint64_t)(arg1[9]) * ((arg2[6]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x5 = ((uint64_t)(arg1[9]) * ((arg2[5]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x6 = ((uint64_t)(arg1[9]) * ((arg2[4]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x7 = ((uint64_t)(arg1[9]) * ((arg2[3]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x8 = ((uint64_t)(arg1[9]) * ((arg2[2]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x9 = ((uint64_t)(arg1[9]) * ((arg2[1]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x10 = ((uint64_t)(arg1[8]) * ((arg2[9]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x11 = ((uint64_t)(arg1[8]) * ((arg2[8]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x12 = ((uint64_t)(arg1[8]) * ((arg2[7]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x13 = ((uint64_t)(arg1[8]) * ((arg2[6]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x14 = ((uint64_t)(arg1[8]) * ((arg2[5]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x15 = ((uint64_t)(arg1[8]) * ((arg2[4]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x16 = ((uint64_t)(arg1[8]) * ((arg2[3]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x17 = ((uint64_t)(arg1[8]) * ((arg2[2]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x18 = ((uint64_t)(arg1[7]) * ((arg2[9]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x19 = ((uint64_t)(arg1[7]) * ((arg2[8]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x20 = ((uint64_t)(arg1[7]) * ((arg2[7]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x21 = ((uint64_t)(arg1[7]) * ((arg2[6]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x22 = ((uint64_t)(arg1[7]) * ((arg2[5]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x23 = ((uint64_t)(arg1[7]) * ((arg2[4]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x24 = ((uint64_t)(arg1[7]) * ((arg2[3]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x25 = ((uint64_t)(arg1[6]) * ((arg2[9]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x26 = ((uint64_t)(arg1[6]) * ((arg2[8]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x27 = ((uint64_t)(arg1[6]) * ((arg2[7]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x28 = ((uint64_t)(arg1[6]) * ((arg2[6]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x29 = ((uint64_t)(arg1[6]) * ((arg2[5]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x30 = ((uint64_t)(arg1[6]) * ((arg2[4]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x31 = ((uint64_t)(arg1[5]) * ((arg2[9]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x32 = ((uint64_t)(arg1[5]) * ((arg2[8]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x33 = ((uint64_t)(arg1[5]) * ((arg2[7]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x34 = ((uint64_t)(arg1[5]) * ((arg2[6]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x35 = ((uint64_t)(arg1[5]) * ((arg2[5]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x36 = ((uint64_t)(arg1[4]) * ((arg2[9]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x37 = ((uint64_t)(arg1[4]) * ((arg2[8]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x38 = ((uint64_t)(arg1[4]) * ((arg2[7]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x39 = ((uint64_t)(arg1[4]) * ((arg2[6]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x40 = ((uint64_t)(arg1[3]) * ((arg2[9]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x41 = ((uint64_t)(arg1[3]) * ((arg2[8]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x42 = ((uint64_t)(arg1[3]) * ((arg2[7]) * ((uint32_t)0x2 * UINT8_C(0x13))));
-  uint64_t x43 = ((uint64_t)(arg1[2]) * ((arg2[9]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x44 = ((uint64_t)(arg1[2]) * ((arg2[8]) * (uint32_t)UINT8_C(0x13)));
-  uint64_t x45 = ((uint64_t)(arg1[1]) * ((arg2[9]) * ((uint32_t)0x2 * UINT8_C(0x13))));
+  uint64_t x1 = ((uint64_t)(arg1[9]) * ((arg2[9]) * UINT8_C(0x26)));
+  uint64_t x2 = ((uint64_t)(arg1[9]) * ((arg2[8]) * UINT8_C(0x13)));
+  uint64_t x3 = ((uint64_t)(arg1[9]) * ((arg2[7]) * UINT8_C(0x26)));
+  uint64_t x4 = ((uint64_t)(arg1[9]) * ((arg2[6]) * UINT8_C(0x13)));
+  uint64_t x5 = ((uint64_t)(arg1[9]) * ((arg2[5]) * UINT8_C(0x26)));
+  uint64_t x6 = ((uint64_t)(arg1[9]) * ((arg2[4]) * UINT8_C(0x13)));
+  uint64_t x7 = ((uint64_t)(arg1[9]) * ((arg2[3]) * UINT8_C(0x26)));
+  uint64_t x8 = ((uint64_t)(arg1[9]) * ((arg2[2]) * UINT8_C(0x13)));
+  uint64_t x9 = ((uint64_t)(arg1[9]) * ((arg2[1]) * UINT8_C(0x26)));
+  uint64_t x10 = ((uint64_t)(arg1[8]) * ((arg2[9]) * UINT8_C(0x13)));
+  uint64_t x11 = ((uint64_t)(arg1[8]) * ((arg2[8]) * UINT8_C(0x13)));
+  uint64_t x12 = ((uint64_t)(arg1[8]) * ((arg2[7]) * UINT8_C(0x13)));
+  uint64_t x13 = ((uint64_t)(arg1[8]) * ((arg2[6]) * UINT8_C(0x13)));
+  uint64_t x14 = ((uint64_t)(arg1[8]) * ((arg2[5]) * UINT8_C(0x13)));
+  uint64_t x15 = ((uint64_t)(arg1[8]) * ((arg2[4]) * UINT8_C(0x13)));
+  uint64_t x16 = ((uint64_t)(arg1[8]) * ((arg2[3]) * UINT8_C(0x13)));
+  uint64_t x17 = ((uint64_t)(arg1[8]) * ((arg2[2]) * UINT8_C(0x13)));
+  uint64_t x18 = ((uint64_t)(arg1[7]) * ((arg2[9]) * UINT8_C(0x26)));
+  uint64_t x19 = ((uint64_t)(arg1[7]) * ((arg2[8]) * UINT8_C(0x13)));
+  uint64_t x20 = ((uint64_t)(arg1[7]) * ((arg2[7]) * UINT8_C(0x26)));
+  uint64_t x21 = ((uint64_t)(arg1[7]) * ((arg2[6]) * UINT8_C(0x13)));
+  uint64_t x22 = ((uint64_t)(arg1[7]) * ((arg2[5]) * UINT8_C(0x26)));
+  uint64_t x23 = ((uint64_t)(arg1[7]) * ((arg2[4]) * UINT8_C(0x13)));
+  uint64_t x24 = ((uint64_t)(arg1[7]) * ((arg2[3]) * UINT8_C(0x26)));
+  uint64_t x25 = ((uint64_t)(arg1[6]) * ((arg2[9]) * UINT8_C(0x13)));
+  uint64_t x26 = ((uint64_t)(arg1[6]) * ((arg2[8]) * UINT8_C(0x13)));
+  uint64_t x27 = ((uint64_t)(arg1[6]) * ((arg2[7]) * UINT8_C(0x13)));
+  uint64_t x28 = ((uint64_t)(arg1[6]) * ((arg2[6]) * UINT8_C(0x13)));
+  uint64_t x29 = ((uint64_t)(arg1[6]) * ((arg2[5]) * UINT8_C(0x13)));
+  uint64_t x30 = ((uint64_t)(arg1[6]) * ((arg2[4]) * UINT8_C(0x13)));
+  uint64_t x31 = ((uint64_t)(arg1[5]) * ((arg2[9]) * UINT8_C(0x26)));
+  uint64_t x32 = ((uint64_t)(arg1[5]) * ((arg2[8]) * UINT8_C(0x13)));
+  uint64_t x33 = ((uint64_t)(arg1[5]) * ((arg2[7]) * UINT8_C(0x26)));
+  uint64_t x34 = ((uint64_t)(arg1[5]) * ((arg2[6]) * UINT8_C(0x13)));
+  uint64_t x35 = ((uint64_t)(arg1[5]) * ((arg2[5]) * UINT8_C(0x26)));
+  uint64_t x36 = ((uint64_t)(arg1[4]) * ((arg2[9]) * UINT8_C(0x13)));
+  uint64_t x37 = ((uint64_t)(arg1[4]) * ((arg2[8]) * UINT8_C(0x13)));
+  uint64_t x38 = ((uint64_t)(arg1[4]) * ((arg2[7]) * UINT8_C(0x13)));
+  uint64_t x39 = ((uint64_t)(arg1[4]) * ((arg2[6]) * UINT8_C(0x13)));
+  uint64_t x40 = ((uint64_t)(arg1[3]) * ((arg2[9]) * UINT8_C(0x26)));
+  uint64_t x41 = ((uint64_t)(arg1[3]) * ((arg2[8]) * UINT8_C(0x13)));
+  uint64_t x42 = ((uint64_t)(arg1[3]) * ((arg2[7]) * UINT8_C(0x26)));
+  uint64_t x43 = ((uint64_t)(arg1[2]) * ((arg2[9]) * UINT8_C(0x13)));
+  uint64_t x44 = ((uint64_t)(arg1[2]) * ((arg2[8]) * UINT8_C(0x13)));
+  uint64_t x45 = ((uint64_t)(arg1[1]) * ((arg2[9]) * UINT8_C(0x26)));
   uint64_t x46 = ((uint64_t)(arg1[9]) * (arg2[0]));
   uint64_t x47 = ((uint64_t)(arg1[8]) * (arg2[1]));
   uint64_t x48 = ((uint64_t)(arg1[8]) * (arg2[0]));
   uint64_t x49 = ((uint64_t)(arg1[7]) * (arg2[2]));
-  uint64_t x50 = ((uint64_t)(arg1[7]) * ((arg2[1]) * (uint32_t)0x2));
+  uint64_t x50 = ((uint64_t)(arg1[7]) * ((arg2[1]) * 0x2));
   uint64_t x51 = ((uint64_t)(arg1[7]) * (arg2[0]));
   uint64_t x52 = ((uint64_t)(arg1[6]) * (arg2[3]));
   uint64_t x53 = ((uint64_t)(arg1[6]) * (arg2[2]));
   uint64_t x54 = ((uint64_t)(arg1[6]) * (arg2[1]));
   uint64_t x55 = ((uint64_t)(arg1[6]) * (arg2[0]));
   uint64_t x56 = ((uint64_t)(arg1[5]) * (arg2[4]));
-  uint64_t x57 = ((uint64_t)(arg1[5]) * ((arg2[3]) * (uint32_t)0x2));
+  uint64_t x57 = ((uint64_t)(arg1[5]) * ((arg2[3]) * 0x2));
   uint64_t x58 = ((uint64_t)(arg1[5]) * (arg2[2]));
-  uint64_t x59 = ((uint64_t)(arg1[5]) * ((arg2[1]) * (uint32_t)0x2));
+  uint64_t x59 = ((uint64_t)(arg1[5]) * ((arg2[1]) * 0x2));
   uint64_t x60 = ((uint64_t)(arg1[5]) * (arg2[0]));
   uint64_t x61 = ((uint64_t)(arg1[4]) * (arg2[5]));
   uint64_t x62 = ((uint64_t)(arg1[4]) * (arg2[4]));
@@ -175,11 +209,11 @@ static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], con
   uint64_t x65 = ((uint64_t)(arg1[4]) * (arg2[1]));
   uint64_t x66 = ((uint64_t)(arg1[4]) * (arg2[0]));
   uint64_t x67 = ((uint64_t)(arg1[3]) * (arg2[6]));
-  uint64_t x68 = ((uint64_t)(arg1[3]) * ((arg2[5]) * (uint32_t)0x2));
+  uint64_t x68 = ((uint64_t)(arg1[3]) * ((arg2[5]) * 0x2));
   uint64_t x69 = ((uint64_t)(arg1[3]) * (arg2[4]));
-  uint64_t x70 = ((uint64_t)(arg1[3]) * ((arg2[3]) * (uint32_t)0x2));
+  uint64_t x70 = ((uint64_t)(arg1[3]) * ((arg2[3]) * 0x2));
   uint64_t x71 = ((uint64_t)(arg1[3]) * (arg2[2]));
-  uint64_t x72 = ((uint64_t)(arg1[3]) * ((arg2[1]) * (uint32_t)0x2));
+  uint64_t x72 = ((uint64_t)(arg1[3]) * ((arg2[1]) * 0x2));
   uint64_t x73 = ((uint64_t)(arg1[3]) * (arg2[0]));
   uint64_t x74 = ((uint64_t)(arg1[2]) * (arg2[7]));
   uint64_t x75 = ((uint64_t)(arg1[2]) * (arg2[6]));
@@ -190,13 +224,13 @@ static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], con
   uint64_t x80 = ((uint64_t)(arg1[2]) * (arg2[1]));
   uint64_t x81 = ((uint64_t)(arg1[2]) * (arg2[0]));
   uint64_t x82 = ((uint64_t)(arg1[1]) * (arg2[8]));
-  uint64_t x83 = ((uint64_t)(arg1[1]) * ((arg2[7]) * (uint32_t)0x2));
+  uint64_t x83 = ((uint64_t)(arg1[1]) * ((arg2[7]) * 0x2));
   uint64_t x84 = ((uint64_t)(arg1[1]) * (arg2[6]));
-  uint64_t x85 = ((uint64_t)(arg1[1]) * ((arg2[5]) * (uint32_t)0x2));
+  uint64_t x85 = ((uint64_t)(arg1[1]) * ((arg2[5]) * 0x2));
   uint64_t x86 = ((uint64_t)(arg1[1]) * (arg2[4]));
-  uint64_t x87 = ((uint64_t)(arg1[1]) * ((arg2[3]) * (uint32_t)0x2));
+  uint64_t x87 = ((uint64_t)(arg1[1]) * ((arg2[3]) * 0x2));
   uint64_t x88 = ((uint64_t)(arg1[1]) * (arg2[2]));
-  uint64_t x89 = ((uint64_t)(arg1[1]) * ((arg2[1]) * (uint32_t)0x2));
+  uint64_t x89 = ((uint64_t)(arg1[1]) * ((arg2[1]) * 0x2));
   uint64_t x90 = ((uint64_t)(arg1[1]) * (arg2[0]));
   uint64_t x91 = ((uint64_t)(arg1[0]) * (arg2[9]));
   uint64_t x92 = ((uint64_t)(arg1[0]) * (arg2[8]));
@@ -247,12 +281,12 @@ static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], con
   uint64_t x137 = (x135 + x104);
   uint64_t x138 = (x137 >> 25);
   uint32_t x139 = (uint32_t)(x137 & UINT32_C(0x1ffffff));
-  uint64_t x140 = (x138 * (uint64_t)UINT8_C(0x13));
+  uint64_t x140 = (x138 * UINT8_C(0x13));
   uint64_t x141 = (x103 + x140);
   uint32_t x142 = (uint32_t)(x141 >> 26);
   uint32_t x143 = (uint32_t)(x141 & UINT32_C(0x3ffffff));
   uint32_t x144 = (x142 + x115);
-  uint32_t x145 = (x144 >> 25);
+  fiat_25519_uint1 x145 = (fiat_25519_uint1)(x144 >> 25);
   uint32_t x146 = (x144 & UINT32_C(0x1ffffff));
   uint32_t x147 = (x145 + x118);
   out1[0] = x143;
@@ -268,58 +302,62 @@ static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], con
 }
 /*
+ * The function fiat_25519_carry_square squares a field element and reduces the result.
+ * Postconditions:
+ *   eval out1 mod m = (eval arg1 * eval arg1) mod m
+ *
  * Input Bounds:
  *   arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]]
  * Output Bounds:
  *   out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]
  */
 static void fiat_25519_carry_square(uint32_t out1[10], const uint32_t arg1[10]) {
-  uint32_t x1 = ((arg1[9]) * (uint32_t)UINT8_C(0x13));
-  uint32_t x2 = (x1 * (uint32_t)0x2);
-  uint32_t x3 = ((arg1[9]) * (uint32_t)0x2);
-  uint32_t x4 = ((arg1[8]) * (uint32_t)UINT8_C(0x13));
-  uint64_t x5 = (x4 * (uint64_t)0x2);
-  uint32_t x6 = ((arg1[8]) * (uint32_t)0x2);
-  uint32_t x7 = ((arg1[7]) * (uint32_t)UINT8_C(0x13));
-  uint32_t x8 = (x7 * (uint32_t)0x2);
-  uint32_t x9 = ((arg1[7]) * (uint32_t)0x2);
-  uint32_t x10 = ((arg1[6]) * (uint32_t)UINT8_C(0x13));
-  uint64_t x11 = (x10 * (uint64_t)0x2);
-  uint32_t x12 = ((arg1[6]) * (uint32_t)0x2);
-  uint32_t x13 = ((arg1[5]) * (uint32_t)UINT8_C(0x13));
-  uint32_t x14 = ((arg1[5]) * (uint32_t)0x2);
-  uint32_t x15 = ((arg1[4]) * (uint32_t)0x2);
-  uint32_t x16 = ((arg1[3]) * (uint32_t)0x2);
-  uint32_t x17 = ((arg1[2]) * (uint32_t)0x2);
-  uint32_t x18 = ((arg1[1]) * (uint32_t)0x2);
-  uint64_t x19 = ((uint64_t)(arg1[9]) * (x1 * (uint32_t)0x2));
+  uint32_t x1 = ((arg1[9]) * UINT8_C(0x13));
+  uint32_t x2 = (x1 * 0x2);
+  uint32_t x3 = ((arg1[9]) * 0x2);
+  uint32_t x4 = ((arg1[8]) * UINT8_C(0x13));
+  uint64_t x5 = ((uint64_t)x4 * 0x2);
+  uint32_t x6 = ((arg1[8]) * 0x2);
+  uint32_t x7 = ((arg1[7]) * UINT8_C(0x13));
+  uint32_t x8 = (x7 * 0x2);
+  uint32_t x9 = ((arg1[7]) * 0x2);
+  uint32_t x10 = ((arg1[6]) * UINT8_C(0x13));
+  uint64_t x11 = ((uint64_t)x10 * 0x2);
+  uint32_t x12 = ((arg1[6]) * 0x2);
+  uint32_t x13 = ((arg1[5]) * UINT8_C(0x13));
+  uint32_t x14 = ((arg1[5]) * 0x2);
+  uint32_t x15 = ((arg1[4]) * 0x2);
+  uint32_t x16 = ((arg1[3]) * 0x2);
+  uint32_t x17 = ((arg1[2]) * 0x2);
+  uint32_t x18 = ((arg1[1]) * 0x2);
+  uint64_t x19 = ((uint64_t)(arg1[9]) * (x1 * 0x2));
   uint64_t x20 = ((uint64_t)(arg1[8]) * x2);
   uint64_t x21 = ((uint64_t)(arg1[8]) * x4);
-  uint64_t x22 = ((arg1[7]) * (x2 * (uint64_t)0x2));
+  uint64_t x22 = ((arg1[7]) * ((uint64_t)x2 * 0x2));
   uint64_t x23 = ((arg1[7]) * x5);
-  uint64_t x24 = ((uint64_t)(arg1[7]) * (x7 * (uint32_t)0x2));
+  uint64_t x24 = ((uint64_t)(arg1[7]) * (x7 * 0x2));
   uint64_t x25 = ((uint64_t)(arg1[6]) * x2);
   uint64_t x26 = ((arg1[6]) * x5);
   uint64_t x27 = ((uint64_t)(arg1[6]) * x8);
   uint64_t x28 = ((uint64_t)(arg1[6]) * x10);
-  uint64_t x29 = ((arg1[5]) * (x2 * (uint64_t)0x2));
+  uint64_t x29 = ((arg1[5]) * ((uint64_t)x2 * 0x2));
   uint64_t x30 = ((arg1[5]) * x5);
-  uint64_t x31 = ((arg1[5]) * (x8 * (uint64_t)0x2));
+  uint64_t x31 = ((arg1[5]) * ((uint64_t)x8 * 0x2));
   uint64_t x32 = ((arg1[5]) * x11);
-  uint64_t x33 = ((uint64_t)(arg1[5]) * (x13 * (uint32_t)0x2));
+  uint64_t x33 = ((uint64_t)(arg1[5]) * (x13 * 0x2));
   uint64_t x34 = ((uint64_t)(arg1[4]) * x2);
   uint64_t x35 = ((arg1[4]) * x5);
   uint64_t x36 = ((uint64_t)(arg1[4]) * x8);
   uint64_t x37 = ((arg1[4]) * x11);
   uint64_t x38 = ((uint64_t)(arg1[4]) * x14);
   uint64_t x39 = ((uint64_t)(arg1[4]) * (arg1[4]));
-  uint64_t x40 = ((arg1[3]) * (x2 * (uint64_t)0x2));
+  uint64_t x40 = ((arg1[3]) * ((uint64_t)x2 * 0x2));
   uint64_t x41 = ((arg1[3]) * x5);
-  uint64_t x42 = ((arg1[3]) * (x8 * (uint64_t)0x2));
+  uint64_t x42 = ((arg1[3]) * ((uint64_t)x8 * 0x2));
   uint64_t x43 = ((uint64_t)(arg1[3]) * x12);
-  uint64_t x44 = ((uint64_t)(arg1[3]) * (x14 * (uint32_t)0x2));
+  uint64_t x44 = ((uint64_t)(arg1[3]) * (x14 * 0x2));
   uint64_t x45 = ((uint64_t)(arg1[3]) * x15);
-  uint64_t x46 = ((uint64_t)(arg1[3]) * ((arg1[3]) * (uint32_t)0x2));
+  uint64_t x46 = ((uint64_t)(arg1[3]) * ((arg1[3]) * 0x2));
   uint64_t x47 = ((uint64_t)(arg1[2]) * x2);
   uint64_t x48 = ((arg1[2]) * x5);
   uint64_t x49 = ((uint64_t)(arg1[2]) * x9);
@@ -328,15 +366,15 @@ static void fiat_25519_carry_square(uint32_t out1[10], const uint32_t arg1[10])
   uint64_t x52 = ((uint64_t)(arg1[2]) * x15);
   uint64_t x53 = ((uint64_t)(arg1[2]) * x16);
   uint64_t x54 = ((uint64_t)(arg1[2]) * (arg1[2]));
-  uint64_t x55 = ((arg1[1]) * (x2 * (uint64_t)0x2));
+  uint64_t x55 = ((arg1[1]) * ((uint64_t)x2 * 0x2));
   uint64_t x56 = ((uint64_t)(arg1[1]) * x6);
-  uint64_t x57 = ((uint64_t)(arg1[1]) * (x9 * (uint32_t)0x2));
+  uint64_t x57 = ((uint64_t)(arg1[1]) * (x9 * 0x2));
   uint64_t x58 = ((uint64_t)(arg1[1]) * x12);
-  uint64_t x59 = ((uint64_t)(arg1[1]) * (x14 * (uint32_t)0x2));
+  uint64_t x59 = ((uint64_t)(arg1[1]) * (x14 * 0x2));
   uint64_t x60 = ((uint64_t)(arg1[1]) * x15);
-  uint64_t x61 = ((uint64_t)(arg1[1]) * (x16 * (uint32_t)0x2));
+  uint64_t x61 = ((uint64_t)(arg1[1]) * (x16 * 0x2));
   uint64_t x62 = ((uint64_t)(arg1[1]) * x17);
-  uint64_t x63 = ((uint64_t)(arg1[1]) * ((arg1[1]) * (uint32_t)0x2));
+  uint64_t x63 = ((uint64_t)(arg1[1]) * ((arg1[1]) * 0x2));
   uint64_t x64 = ((uint64_t)(arg1[0]) * x3);
   uint64_t x65 = ((uint64_t)(arg1[0]) * x6);
   uint64_t x66 = ((uint64_t)(arg1[0]) * x9);
@@ -386,12 +424,12 @@ static void fiat_25519_carry_square(uint32_t out1[10], const uint32_t arg1[10])
   uint64_t x110 = (x108 + x77);
   uint64_t x111 = (x110 >> 25);
   uint32_t x112 = (uint32_t)(x110 & UINT32_C(0x1ffffff));
-  uint64_t x113 = (x111 * (uint64_t)UINT8_C(0x13));
+  uint64_t x113 = (x111 * UINT8_C(0x13));
   uint64_t x114 = (x76 + x113);
   uint32_t x115 = (uint32_t)(x114 >> 26);
   uint32_t x116 = (uint32_t)(x114 & UINT32_C(0x3ffffff));
   uint32_t x117 = (x115 + x88);
-  uint32_t x118 = (x117 >> 25);
+  fiat_25519_uint1 x118 = (fiat_25519_uint1)(x117 >> 25);
   uint32_t x119 = (x117 & UINT32_C(0x1ffffff));
   uint32_t x120 = (x118 + x91);
   out1[0] = x116;
@@ -407,72 +445,10 @@ static void fiat_25519_carry_square(uint32_t out1[10], const uint32_t arg1[10])
 }
 /*
- * Input Bounds:
- *   arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]]
- * Output Bounds:
- *   out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]
- */
-static void fiat_25519_carry_scmul_121666(uint32_t out1[10], const uint32_t arg1[10]) {
-  uint64_t x1 = ((uint64_t)UINT32_C(0x1db42) * (arg1[9]));
-  uint64_t x2 = ((uint64_t)UINT32_C(0x1db42) * (arg1[8]));
-  uint64_t x3 = ((uint64_t)UINT32_C(0x1db42) * (arg1[7]));
-  uint64_t x4 = ((uint64_t)UINT32_C(0x1db42) * (arg1[6]));
-  uint64_t x5 = ((uint64_t)UINT32_C(0x1db42) * (arg1[5]));
-  uint64_t x6 = ((uint64_t)UINT32_C(0x1db42) * (arg1[4]));
-  uint64_t x7 = ((uint64_t)UINT32_C(0x1db42) * (arg1[3]));
-  uint64_t x8 = ((uint64_t)UINT32_C(0x1db42) * (arg1[2]));
-  uint64_t x9 = ((uint64_t)UINT32_C(0x1db42) * (arg1[1]));
-  uint64_t x10 = ((uint64_t)UINT32_C(0x1db42) * (arg1[0]));
-  uint32_t x11 = (uint32_t)(x10 >> 26);
-  uint32_t x12 = (uint32_t)(x10 & UINT32_C(0x3ffffff));
-  uint64_t x13 = (x11 + x9);
-  uint32_t x14 = (uint32_t)(x13 >> 25);
-  uint32_t x15 = (uint32_t)(x13 & UINT32_C(0x1ffffff));
-  uint64_t x16 = (x14 + x8);
-  uint32_t x17 = (uint32_t)(x16 >> 26);
-  uint32_t x18 = (uint32_t)(x16 & UINT32_C(0x3ffffff));
-  uint64_t x19 = (x17 + x7);
-  uint32_t x20 = (uint32_t)(x19 >> 25);
-  uint32_t x21 = (uint32_t)(x19 & UINT32_C(0x1ffffff));
-  uint64_t x22 = (x20 + x6);
-  uint32_t x23 = (uint32_t)(x22 >> 26);
-  uint32_t x24 = (uint32_t)(x22 & UINT32_C(0x3ffffff));
-  uint64_t x25 = (x23 + x5);
-  uint32_t x26 = (uint32_t)(x25 >> 25);
-  uint32_t x27 = (uint32_t)(x25 & UINT32_C(0x1ffffff));
-  uint64_t x28 = (x26 + x4);
-  uint32_t x29 = (uint32_t)(x28 >> 26);
-  uint32_t x30 = (uint32_t)(x28 & UINT32_C(0x3ffffff));
-  uint64_t x31 = (x29 + x3);
-  uint32_t x32 = (uint32_t)(x31 >> 25);
-  uint32_t x33 = (uint32_t)(x31 & UINT32_C(0x1ffffff));
-  uint64_t x34 = (x32 + x2);
-  uint32_t x35 = (uint32_t)(x34 >> 26);
-  uint32_t x36 = (uint32_t)(x34 & UINT32_C(0x3ffffff));
-  uint64_t x37 = (x35 + x1);
-  uint32_t x38 = (uint32_t)(x37 >> 25);
-  uint32_t x39 = (uint32_t)(x37 & UINT32_C(0x1ffffff));
-  uint32_t x40 = (x38 * (uint32_t)UINT8_C(0x13));
-  uint32_t x41 = (x12 + x40);
-  uint32_t x42 = (x41 >> 26);
-  uint32_t x43 = (x41 & UINT32_C(0x3ffffff));
-  uint32_t x44 = (x42 + x15);
-  uint32_t x45 = (x44 >> 25);
-  uint32_t x46 = (x44 & UINT32_C(0x1ffffff));
-  uint32_t x47 = (x45 + x18);
-  out1[0] = x43;
-  out1[1] = x46;
-  out1[2] = x47;
-  out1[3] = x21;
-  out1[4] = x24;
-  out1[5] = x27;
-  out1[6] = x30;
-  out1[7] = x33;
-  out1[8] = x36;
-  out1[9] = x39;
-}
-/*
+ * The function fiat_25519_carry reduces a field element.
+ * Postconditions:
+ *   eval out1 mod m = eval arg1 mod m
+ *
  * Input Bounds:
  *   arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]]
  * Output Bounds:
@@ -489,11 +465,11 @@ static void fiat_25519_carry(uint32_t out1[10], const uint32_t arg1[10]) {
   uint32_t x8 = ((x7 >> 26) + (arg1[7]));
   uint32_t x9 = ((x8 >> 25) + (arg1[8]));
   uint32_t x10 = ((x9 >> 26) + (arg1[9]));
-  uint32_t x11 = ((x1 & UINT32_C(0x3ffffff)) + ((x10 >> 25) * (uint32_t)UINT8_C(0x13)));
-  uint32_t x12 = ((x11 >> 26) + (x2 & UINT32_C(0x1ffffff)));
+  uint32_t x11 = ((x1 & UINT32_C(0x3ffffff)) + ((x10 >> 25) * UINT8_C(0x13)));
+  uint32_t x12 = ((fiat_25519_uint1)(x11 >> 26) + (x2 & UINT32_C(0x1ffffff)));
   uint32_t x13 = (x11 & UINT32_C(0x3ffffff));
   uint32_t x14 = (x12 & UINT32_C(0x1ffffff));
-  uint32_t x15 = ((x12 >> 25) + (x3 & UINT32_C(0x3ffffff)));
+  uint32_t x15 = ((fiat_25519_uint1)(x12 >> 25) + (x3 & UINT32_C(0x3ffffff)));
   uint32_t x16 = (x4 & UINT32_C(0x1ffffff));
   uint32_t x17 = (x5 & UINT32_C(0x3ffffff));
   uint32_t x18 = (x6 & UINT32_C(0x1ffffff));
@@ -514,6 +490,10 @@ static void fiat_25519_carry(uint32_t out1[10], const uint32_t arg1[10]) {
 }
 /*
+ * The function fiat_25519_add adds two field elements.
+ * Postconditions:
+ *   eval out1 mod m = (eval arg1 + eval arg2) mod m
+ *
  * Input Bounds:
  *   arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]
  *   arg2: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]
@@ -544,6 +524,10 @@ static void fiat_25519_add(uint32_t out1[10], const uint32_t arg1[10], const uin
 }
 /*
+ * The function fiat_25519_sub subtracts two field elements.
+ * Postconditions:
+ *   eval out1 mod m = (eval arg1 - eval arg2) mod m
+ *
  * Input Bounds:
  *   arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]
  *   arg2: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]
@@ -574,6 +558,10 @@ static void fiat_25519_sub(uint32_t out1[10], const uint32_t arg1[10], const uin
 }
 /*
+ * The function fiat_25519_opp negates a field element.
+ * Postconditions:
+ *   eval out1 mod m = -eval arg1 mod m
+ *
  * Input Bounds:
  *   arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]
  * Output Bounds:
@@ -603,6 +591,10 @@ static void fiat_25519_opp(uint32_t out1[10], const uint32_t arg1[10]) {
 }
 /*
+ * The function fiat_25519_selectznz is a multi-limb conditional select.
+ * Postconditions:
+ *   eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)
+ *
  * Input Bounds:
  *   arg1: [0x0 ~> 0x1]
  *   arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]
@@ -644,6 +636,10 @@ static void fiat_25519_selectznz(uint32_t out1[10], fiat_25519_uint1 arg1, const
 }
 /*
+ * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.
+ * Postconditions:
+ *   out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]
+ *
  * Input Bounds:
  *   arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]
  * Output Bounds:
@@ -684,34 +680,34 @@ static void fiat_25519_to_bytes(uint8_t out1[32], const uint32_t arg1[10]) {
   fiat_25519_cmovznz_u32(&x21, x20, 0x0, UINT32_C(0xffffffff));
   uint32_t x22;
   fiat_25519_uint1 x23;
-  fiat_25519_addcarryx_u26(&x22, &x23, 0x0, (x21 & UINT32_C(0x3ffffed)), x1);
+  fiat_25519_addcarryx_u26(&x22, &x23, 0x0, x1, (x21 & UINT32_C(0x3ffffed)));
   uint32_t x24;
   fiat_25519_uint1 x25;
-  fiat_25519_addcarryx_u25(&x24, &x25, x23, (x21 & UINT32_C(0x1ffffff)), x3);
+  fiat_25519_addcarryx_u25(&x24, &x25, x23, x3, (x21 & UINT32_C(0x1ffffff)));
   uint32_t x26;
   fiat_25519_uint1 x27;
-  fiat_25519_addcarryx_u26(&x26, &x27, x25, (x21 & UINT32_C(0x3ffffff)), x5);
+  fiat_25519_addcarryx_u26(&x26, &x27, x25, x5, (x21 & UINT32_C(0x3ffffff)));
   uint32_t x28;
   fiat_25519_uint1 x29;
-  fiat_25519_addcarryx_u25(&x28, &x29, x27, (x21 & UINT32_C(0x1ffffff)), x7);
+  fiat_25519_addcarryx_u25(&x28, &x29, x27, x7, (x21 & UINT32_C(0x1ffffff)));
   uint32_t x30;
   fiat_25519_uint1 x31;
-  fiat_25519_addcarryx_u26(&x30, &x31, x29, (x21 & UINT32_C(0x3ffffff)), x9);
+  fiat_25519_addcarryx_u26(&x30, &x31, x29, x9, (x21 & UINT32_C(0x3ffffff)));
   uint32_t x32;
   fiat_25519_uint1 x33;
-  fiat_25519_addcarryx_u25(&x32, &x33, x31, (x21 & UINT32_C(0x1ffffff)), x11);
+  fiat_25519_addcarryx_u25(&x32, &x33, x31, x11, (x21 & UINT32_C(0x1ffffff)));
   uint32_t x34;
   fiat_25519_uint1 x35;
-  fiat_25519_addcarryx_u26(&x34, &x35, x33, (x21 & UINT32_C(0x3ffffff)), x13);
+  fiat_25519_addcarryx_u26(&x34, &x35, x33, x13, (x21 & UINT32_C(0x3ffffff)));
   uint32_t x36;
   fiat_25519_uint1 x37;
-  fiat_25519_addcarryx_u25(&x36, &x37, x35, (x21 & UINT32_C(0x1ffffff)), x15);
+  fiat_25519_addcarryx_u25(&x36, &x37, x35, x15, (x21 & UINT32_C(0x1ffffff)));
   uint32_t x38;
   fiat_25519_uint1 x39;
-  fiat_25519_addcarryx_u26(&x38, &x39, x37, (x21 & UINT32_C(0x3ffffff)), x17);
+  fiat_25519_addcarryx_u26(&x38, &x39, x37, x17, (x21 & UINT32_C(0x3ffffff)));
   uint32_t x40;
   fiat_25519_uint1 x41;
-  fiat_25519_addcarryx_u25(&x40, &x41, x39, (x21 & UINT32_C(0x1ffffff)), x19);
+  fiat_25519_addcarryx_u25(&x40, &x41, x39, x19, (x21 & UINT32_C(0x1ffffff)));
   uint32_t x42 = (x40 << 6);
   uint32_t x43 = (x38 << 4);
   uint32_t x44 = (x36 << 3);
@@ -824,6 +820,10 @@ static void fiat_25519_to_bytes(uint8_t out1[32], const uint32_t arg1[10]) {
 }
 /*
+ * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.
+ * Postconditions:
+ *   eval out1 mod m = bytes_eval arg1 mod m
+ *
  * Input Bounds:
  *   arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]
  * Output Bounds:
@@ -909,3 +909,73 @@ static void fiat_25519_from_bytes(uint32_t out1[10], const uint8_t arg1[32]) {
   out1[9] = x67;
 }
+/*
+ * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.
+ * Postconditions:
+ *   eval out1 mod m = (121666 * eval arg1) mod m
+ *
+ * Input Bounds:
+ *   arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]]
+ * Output Bounds:
+ *   out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]
+ */
+static void fiat_25519_carry_scmul_121666(uint32_t out1[10], const uint32_t arg1[10]) {
+  uint64_t x1 = ((uint64_t)UINT32_C(0x1db42) * (arg1[9]));
+  uint64_t x2 = ((uint64_t)UINT32_C(0x1db42) * (arg1[8]));
+  uint64_t x3 = ((uint64_t)UINT32_C(0x1db42) * (arg1[7]));
+  uint64_t x4 = ((uint64_t)UINT32_C(0x1db42) * (arg1[6]));
+  uint64_t x5 = ((uint64_t)UINT32_C(0x1db42) * (arg1[5]));
+  uint64_t x6 = ((uint64_t)UINT32_C(0x1db42) * (arg1[4]));
+  uint64_t x7 = ((uint64_t)UINT32_C(0x1db42) * (arg1[3]));
+  uint64_t x8 = ((uint64_t)UINT32_C(0x1db42) * (arg1[2]));
+  uint64_t x9 = ((uint64_t)UINT32_C(0x1db42) * (arg1[1]));
+  uint64_t x10 = ((uint64_t)UINT32_C(0x1db42) * (arg1[0]));
+  uint32_t x11 = (uint32_t)(x10 >> 26);
+  uint32_t x12 = (uint32_t)(x10 & UINT32_C(0x3ffffff));
+  uint64_t x13 = (x11 + x9);
+  uint32_t x14 = (uint32_t)(x13 >> 25);
+  uint32_t x15 = (uint32_t)(x13 & UINT32_C(0x1ffffff));
+  uint64_t x16 = (x14 + x8);
+  uint32_t x17 = (uint32_t)(x16 >> 26);
+  uint32_t x18 = (uint32_t)(x16 & UINT32_C(0x3ffffff));
+  uint64_t x19 = (x17 + x7);
+  uint32_t x20 = (uint32_t)(x19 >> 25);
+  uint32_t x21 = (uint32_t)(x19 & UINT32_C(0x1ffffff));
+  uint64_t x22 = (x20 + x6);
+  uint32_t x23 = (uint32_t)(x22 >> 26);
+  uint32_t x24 = (uint32_t)(x22 & UINT32_C(0x3ffffff));
+  uint64_t x25 = (x23 + x5);
+  uint32_t x26 = (uint32_t)(x25 >> 25);
+  uint32_t x27 = (uint32_t)(x25 & UINT32_C(0x1ffffff));
+  uint64_t x28 = (x26 + x4);
+  uint32_t x29 = (uint32_t)(x28 >> 26);
+  uint32_t x30 = (uint32_t)(x28 & UINT32_C(0x3ffffff));
+  uint64_t x31 = (x29 + x3);
+  uint32_t x32 = (uint32_t)(x31 >> 25);
+  uint32_t x33 = (uint32_t)(x31 & UINT32_C(0x1ffffff));
+  uint64_t x34 = (x32 + x2);
+  uint32_t x35 = (uint32_t)(x34 >> 26);
+  uint32_t x36 = (uint32_t)(x34 & UINT32_C(0x3ffffff));
+  uint64_t x37 = (x35 + x1);
+  uint32_t x38 = (uint32_t)(x37 >> 25);
+  uint32_t x39 = (uint32_t)(x37 & UINT32_C(0x1ffffff));
+  uint32_t x40 = (x38 * UINT8_C(0x13));
+  uint32_t x41 = (x12 + x40);
+  fiat_25519_uint1 x42 = (fiat_25519_uint1)(x41 >> 26);
+  uint32_t x43 = (x41 & UINT32_C(0x3ffffff));
+  uint32_t x44 = (x42 + x15);
+  fiat_25519_uint1 x45 = (fiat_25519_uint1)(x44 >> 25);
+  uint32_t x46 = (x44 & UINT32_C(0x1ffffff));
+  uint32_t x47 = (x45 + x18);
+  out1[0] = x43;
+  out1[1] = x46;
+  out1[2] = x47;
+  out1[3] = x21;
+  out1[4] = x24;
+  out1[5] = x27;
+  out1[6] = x30;
+  out1[7] = x33;
+  out1[8] = x36;
+  out1[9] = x39;
+}