Backed out changeset 3006febc4c38 (bug 1606927) for causing startup crashes in latest nightly version. UPGRADE_NSS_RELEASE a=backout
author: Cosmin Sabou <csabou@mozilla.com>
date: Wed, 15 Jan 2020 18:52:15 +0200
changeset: 510323 46e1717494fbf0f1913e22052c3304fe9f7c19b8
parent: 510322 28abd2840682f762f865e07d2713e3d0b3c4410d
child: 510368 da072daff8e841718b1582241f1a3fb70938ad49
push id: 37019
push user: csabou@mozilla.com
push date: Wed, 15 Jan 2020 16:55:27 +0000
treeherder: mozilla-central@46e1717494fb
reviewers: backout
bugs: 1606927
milestone: 74.0a1
backs out: 3006febc4c38bdde634a759fc2cb7b56e1360bd0
first release with:
nightly linux32: 46e1717494fb / 74.0a1 / 20200115165527
nightly linux64: 46e1717494fb / 74.0a1 / 20200115165527
nightly mac: 46e1717494fb / 74.0a1 / 20200115165527
nightly win32: 46e1717494fb / 74.0a1 / 20200115165527
nightly win64: 46e1717494fb / 74.0a1 / 20200115165527
security/nss/TAG-INFO
security/nss/automation/buildbot-slave/bbenv-example.sh
security/nss/automation/buildbot-slave/build.sh
security/nss/automation/buildbot-slave/reboot.bat
security/nss/automation/buildbot-slave/startbuild.bat
security/nss/automation/saw/chacha20.saw
security/nss/automation/taskcluster/docker-builds/Dockerfile
security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc
security/nss/automation/taskcluster/docker-hacl/Dockerfile
security/nss/automation/taskcluster/docker-hacl/bin/checkout.sh
security/nss/automation/taskcluster/docker-hacl/license.txt
security/nss/automation/taskcluster/docker-hacl/setup-user.sh
security/nss/automation/taskcluster/docker-hacl/setup.sh
security/nss/automation/taskcluster/graph/src/extend.js
security/nss/automation/taskcluster/scripts/run_hacl.sh
security/nss/automation/taskcluster/windows/build_gyp.sh
security/nss/coreconf/config.gypi
security/nss/coreconf/coreconf.dep
security/nss/gtests/common/testvectors/hkdf-vectors.h
security/nss/gtests/pk11_gtest/manifest.mn
security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
security/nss/gtests/pk11_gtest/pk11_gtest.gyp
security/nss/gtests/pk11_gtest/pk11_hkdf_unittest.cc
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/aes-armv8.c
security/nss/lib/freebl/blapii.h
security/nss/lib/freebl/blinit.c
security/nss/lib/freebl/chacha20poly1305.c
security/nss/lib/freebl/det_rng.c
security/nss/lib/freebl/ecl/curve25519_64.c
security/nss/lib/freebl/freebl.gyp
security/nss/lib/freebl/freebl_base.gypi
security/nss/lib/freebl/gcm-arm32-neon.c
security/nss/lib/freebl/gcm.c
security/nss/lib/freebl/rijndael.c
security/nss/lib/freebl/verified/FStar.c
security/nss/lib/freebl/verified/FStar.h
security/nss/lib/freebl/verified/Hacl_Chacha20.c
security/nss/lib/freebl/verified/Hacl_Chacha20.h
security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_128.c
security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_128.h
security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_32.c
security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_32.h
security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h
security/nss/lib/freebl/verified/Hacl_Curve25519.c
security/nss/lib/freebl/verified/Hacl_Curve25519.h
security/nss/lib/freebl/verified/Hacl_Curve25519_51.c
security/nss/lib/freebl/verified/Hacl_Curve25519_51.h
security/nss/lib/freebl/verified/Hacl_Kremlib.h
security/nss/lib/freebl/verified/Hacl_Poly1305_128.c
security/nss/lib/freebl/verified/Hacl_Poly1305_128.h
security/nss/lib/freebl/verified/Hacl_Poly1305_32.c
security/nss/lib/freebl/verified/Hacl_Poly1305_32.h
security/nss/lib/freebl/verified/Hacl_Poly1305_64.c
security/nss/lib/freebl/verified/Hacl_Poly1305_64.h
security/nss/lib/freebl/verified/kremlib.h
security/nss/lib/freebl/verified/kremlib_base.h
security/nss/lib/freebl/verified/kremlin/include/kremlin/internal/callconv.h
security/nss/lib/freebl/verified/kremlin/include/kremlin/internal/compat.h
security/nss/lib/freebl/verified/kremlin/include/kremlin/internal/target.h
security/nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
security/nss/lib/freebl/verified/kremlin/include/kremlin/lowstar_endianness.h
security/nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h
security/nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verified.h
security/nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_16_32_64.h
security/nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_Endianness.h
security/nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
security/nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_msvc.h
security/nss/lib/freebl/verified/libintvector.h
security/nss/lib/freebl/verified/specs/Spec.CTR.fst
security/nss/lib/freebl/verified/specs/Spec.Chacha20.fst
security/nss/lib/freebl/verified/specs/Spec.Curve25519.fst
security/nss/lib/freebl/verified/specs/Spec.Poly1305.fst
security/nss/lib/freebl/verified/vec128.h
security/nss/nss-tool/hw-support.c
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-239797efc34b
\ No newline at end of file
+a06bd0f6bbe8
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/buildbot-slave/bbenv-example.sh
@@ -0,0 +1,67 @@
+#! /bin/bash
+
+# Each buildbot-slave requires a bbenv.sh file that defines
+# machine specific variables. This is an example file.
+
+
+HOST=$(hostname | cut -d. -f1)
+export HOST
+
+# if your machine's IP isn't registered in DNS,
+# you must set appropriate environment variables
+# that can be resolved locally.
+# For example, if localhost.localdomain works on your system, set:
+#HOST=localhost
+#DOMSUF=localdomain
+#export DOMSUF
+
+ARCH=$(uname -s)
+
+ulimit -c unlimited 2> /dev/null
+
+export NSPR_LOG_MODULES="pkix:1"
+
+#export JAVA_HOME_32=
+#export JAVA_HOME_64=
+
+#enable if you have PKITS data
+#export PKITS_DATA=$HOME/pkits/data/
+
+NSS_BUILD_TARGET="clean nss_build_all"
+JSS_BUILD_TARGET="clean all"
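+# Make targets that build.sh passes to ${MAKE} for full rebuilds.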
+
+MAKE=gmake
+AWK=awk
+PATCH=patch
+
+if [ "${ARCH}" = "SunOS" ]; then
+    AWK=nawk
+    PATCH=gpatch
+    ARCH=SunOS/$(uname -p)
+fi
+
+if [ "${ARCH}" = "Linux" -a -f /etc/system-release ]; then
+   VERSION=`sed -e 's; release ;;' -e 's; (.*)$;;' -e 's;Red Hat Enterprise Linux Server;RHEL;' -e 's;Red Hat Enterprise Linux Workstation;RHEL;' /etc/system-release`
+   ARCH=Linux/${VERSION}
+   echo ${ARCH}
+fi
+
+PROCESSOR=$(uname -p)
+if [ "${PROCESSOR}" = "ppc64" ]; then
+    ARCH="${ARCH}/ppc64"
+fi
+if [ "${PROCESSOR}" = "powerpc" ]; then
+    ARCH="${ARCH}/ppc"
+fi
+
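+# Base ports for the test servers of each build flavor; the memleak run
+# below gets a separate range so it doesn't collide with a regular job.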
+PORT_64_DBG=8543
+PORT_64_OPT=8544
+PORT_32_DBG=8545
+PORT_32_OPT=8546
+
+if [ "${NSS_TESTS}" = "memleak" ]; then
+    PORT_64_DBG=8547
+    PORT_64_OPT=8548
+    PORT_32_DBG=8549
+    PORT_32_OPT=8550
+fi
new file mode 100755
--- /dev/null
+++ b/security/nss/automation/buildbot-slave/build.sh
@@ -0,0 +1,548 @@
+#! /bin/bash
+
+# Ensure a failure of the first command inside a pipe
+# won't be hidden by commands later in the pipe.
+# (e.g. as in ./dosomething | grep)
+
+set -o pipefail
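+# For example, '${MAKE} ... 2>&1 | tee -a log' below exits with make's status
+# rather than tee's, so build failures still propagate to the callers.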
+
+proc_args()
+{
+    while [ -n "$1" ]; do
+        OPT=$(echo $1 | cut -d= -f1)
+        VAL=$(echo $1 | cut -d= -f2)
+
+        case $OPT in
+            "--build-nss")
+                BUILD_NSS=1
+                ;;
+            "--test-nss")
+                TEST_NSS=1
+                ;;
+            "--check-abi")
+                CHECK_ABI=1
+                ;;
+            "--build-jss")
+                BUILD_JSS=1
+                ;;
+            "--test-jss")
+                TEST_JSS=1
+                ;;
+            "--memtest")
+                NSS_TESTS="memleak"
+                export NSS_TESTS
+                ;;
+            "--nojsssign")
+                NO_JSS_SIGN=1
+                ;;
+            *)
+                echo "Usage: $0 ..."
+                echo "    --memtest   - run the memory leak tests"
+                echo "    --nojsssign - try to sign jss"
+                echo "    --build-nss"
+                echo "    --build-jss"
+                echo "    --test-nss"
+                echo "    --test-jss"
+                echo "    --check-abi"
+                exit 1
+                ;;
+        esac 
+
+        shift
+    done
+}
+
+set_env()
+{
+    TOPDIR=$(pwd)
+    HGDIR="$(pwd)/hg"
+    OUTPUTDIR="$(pwd)/output"
+    LOG_ALL="${OUTPUTDIR}/all.log"
+    LOG_TMP="${OUTPUTDIR}/tmp.log"
+
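+    # Probe whether this grep supports --line-buffered (GNU grep does); it is
+    # used below when filtering live output so lines appear without delay.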
+    echo "hello" |grep --line-buffered hello >/dev/null 2>&1
+    [ $? -eq 0 ] && GREP_BUFFER="--line-buffered"
+}
+
+print_log()
+{
+    DATE=$(date "+TB [%Y-%m-%d %H:%M:%S]")
+    echo "${DATE} $*"
+    echo "${DATE} $*" >> ${LOG_ALL}
+}
+
+print_result()
+{
+    TESTNAME=$1
+    RET=$2
+    EXP=$3
+
+    if [ ${RET} -eq ${EXP} ]; then
+        print_log "${TESTNAME} PASSED"
+    else
+        print_log "${TESTNAME} FAILED"
+    fi
+}
+
+print_env()
+{
+    print_log "######## Environment variables ########"
+
+    uname -a | tee -a ${LOG_ALL}
+    if [ -e "/etc/redhat-release" ]; then
+        cat "/etc/redhat-release" | tee -a ${LOG_ALL}
+    fi
+    # don't print the MAIL variable, it might contain a password
+    env | grep -v "^MAIL=" | tee -a ${LOG_ALL}
+}
+
+set_cycle()
+{
+    BITS=$1
+    OPT=$2
+
+    if [ "${BITS}" = "64" ]; then
+        USE_64=1
+        JAVA_HOME=${JAVA_HOME_64} 
+        PORT_DBG=${PORT_64_DBG}
+        PORT_OPT=${PORT_64_OPT}
+    else
+        USE_64=
+        JAVA_HOME=${JAVA_HOME_32} 
+        PORT_DBG=${PORT_32_DBG}
+        PORT_OPT=${PORT_32_OPT}
+    fi
+    export USE_64
+    export JAVA_HOME
+
+    BUILD_OPT=
+    if [ "${OPT}" = "OPT" ]; then
+        BUILD_OPT=1
+        XPCLASS=xpclass.jar
+        PORT=${PORT_OPT}
+    else
+        BUILD_OPT=
+        XPCLASS=xpclass_dbg.jar
+        PORT=${PORT_DBG}
+    fi
+    export BUILD_OPT
+
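+    # Give the JSS and JSSE test servers distinct ports, offset from the base
+    # port, so the servers of one cycle don't collide.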
+    PORT_JSS_SERVER=$(expr ${PORT} + 20)
+    PORT_JSSE_SERVER=$(expr ${PORT} + 40)
+
+    export PORT
+    export PORT_JSS_SERVER
+    export PORT_JSSE_SERVER
+}
+
+build_nss()
+{
+    print_log "######## NSS - build - ${BITS} bits - ${OPT} ########"
+
+    print_log "$ cd ${HGDIR}/nss"
+    cd ${HGDIR}/nss
+
+    print_log "$ ${MAKE} ${NSS_BUILD_TARGET}"
+    #${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
+    ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
+    RET=$?
+    print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
+
+    if [ ${RET} -eq 0 ]; then
+        return 0
+    else
+        tail -100 ${LOG_ALL}
+        return ${RET}
+    fi
+}
+
+build_jss()
+{
+    print_log "######## JSS - build - ${BITS} bits - ${OPT} ########"
+
+    print_log "$ cd ${HGDIR}/jss"
+    cd ${HGDIR}/jss
+
+    print_log "$ ${MAKE} ${JSS_BUILD_TARGET}"
+    #${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
+    ${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
+    RET=$?
+    print_result "JSS build - ${BITS} bits - ${OPT}" ${RET} 0
+    [ ${RET} -eq 0 ] || return ${RET}
+
+    print_log "$ cd ${HGDIR}/dist"
+    cd ${HGDIR}/dist
+
+    if [ -z "${NO_JSS_SIGN}" ]; then
+	print_log "cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa"
+	cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa >> ${LOG_ALL} 2>&1
+	RET=$?
+	print_result "JSS - sign JAR files - ${BITS} bits - ${OPT}" ${RET} 0
+	[ ${RET} -eq 0 ] || return ${RET}
+    fi
+    print_log "${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS}"
+    ${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS} >> ${LOG_ALL} 2>&1
+    RET=$?
+    print_result "JSS - verify JAR files - ${BITS} bits - ${OPT}" ${RET} 0
+    [ ${RET} -eq 0 ] || return ${RET}
+
+    return 0
+}
+
+test_nss()
+{
+    print_log "######## NSS - tests - ${BITS} bits - ${OPT} ########"
+
+    if [ "${OS_TARGET}" = "Android" ]; then
+	print_log "$ cd ${HGDIR}/nss/tests/remote"
+	cd ${HGDIR}/nss/tests/remote
+	print_log "$ make test_android"
+	make test_android 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #"
+	OUTPUTFILE=${HGDIR}/tests_results/security/*.1/output.log
+    else
+	print_log "$ cd ${HGDIR}/nss/tests"
+	cd ${HGDIR}/nss/tests
+	print_log "$ ./all.sh"
+	./all.sh 2>&1 | tee ${LOG_TMP} | egrep ${GREP_BUFFER} ": #|^\[.{10}\] "
+	OUTPUTFILE=${LOG_TMP}
+    fi
+
+    cat ${LOG_TMP} >> ${LOG_ALL}
+    tail -n2 ${HGDIR}/tests_results/security/*.1/results.html | grep END_OF_TEST >> ${LOG_ALL}
+    RET=$?
+
+    print_log "######## details of detected failures (if any) ########"
+    grep -B50 -w FAILED ${OUTPUTFILE}
+    [ $? -eq 1 ] || RET=1
+
+    print_result "NSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
+    return ${RET}
+}
+
+check_abi()
+{
+    print_log "######## NSS ABI CHECK - ${BITS} bits - ${OPT} ########"
+    print_log "######## creating temporary HG clones ########"
+
+    rm -rf ${HGDIR}/baseline
+    mkdir ${HGDIR}/baseline
+    BASE_NSS=`cat ${HGDIR}/nss/automation/abi-check/previous-nss-release`
+    hg clone -u "${BASE_NSS}" "${HGDIR}/nss" "${HGDIR}/baseline/nss"
+    if [ $? -ne 0 ]; then
+        echo "invalid tag in automation/abi-check/previous-nss-release"
+        return 1
+    fi
+
+    BASE_NSPR=NSPR_$(head -1 ${HGDIR}/baseline/nss/automation/release/nspr-version.txt | cut -d . -f 1-2 | tr . _)_BRANCH
+    hg clone -u "${BASE_NSPR}" "${HGDIR}/nspr" "${HGDIR}/baseline/nspr"
+    if [ $? -ne 0 ]; then
+        echo "nonexisting tag ${BASE_NSPR} derived from ${BASE_NSS} automation/release/nspr-version.txt"
+        # Assume that version hasn't been released yet, fall back to trunk
+        pushd "${HGDIR}/baseline/nspr"
+        hg update default
+        popd
+    fi
+
+    print_log "######## building baseline NSPR/NSS ########"
+    pushd ${HGDIR}/baseline/nss
+
+    print_log "$ ${MAKE} ${NSS_BUILD_TARGET}"
+    ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
+    RET=$?
+    print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
+    if [ ${RET} -ne 0 ]; then
+        tail -100 ${LOG_ALL}
+        return ${RET}
+    fi
+    popd
+
+    ABI_PROBLEM_FOUND=0
+    ABI_REPORT=${OUTPUTDIR}/abi-diff.txt
+    rm -f ${ABI_REPORT}
+    PREVDIST=${HGDIR}/baseline/dist
+    NEWDIST=${HGDIR}/dist
+    ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
+    for SO in ${ALL_SOs}; do
+        if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
+            touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt
+        fi
+        abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \
+            $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \
+            > ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt
+        RET=$?
+        cat ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt \
+            | grep -v "^Functions changes summary:" \
+            | grep -v "^Variables changes summary:" \
+            > ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt
+        rm -f ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt
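+        # abidiff's exit status is a bit mask (see libabigail's abidiff
+        # manual); decode each documented bit into its own flag.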
+        ABIDIFF_ERROR=$((($RET & 0x01) != 0))
+        ABIDIFF_USAGE_ERROR=$((($RET & 0x02) != 0))
+        ABIDIFF_ABI_CHANGE=$((($RET & 0x04) != 0))
+        ABIDIFF_ABI_INCOMPATIBLE_CHANGE=$((($RET & 0x08) != 0))
+        ABIDIFF_UNKNOWN_BIT_SET=$((($RET & 0xf0) != 0))
+
+        # If abidiff reports an error, or a usage error, or if it sets a result
+        # bit value this script doesn't know yet about, we'll report failure.
+        # For ABI changes, we don't yet report an error. We'll compare the
+        # result report with our whitelist. This allows us to silence changes
+        # that we're already aware of and have been declared acceptable.
+
+        REPORT_RET_AS_FAILURE=0
+        if [ $ABIDIFF_ERROR -ne 0 ]; then
+            print_log "abidiff reported ABIDIFF_ERROR."
+            REPORT_RET_AS_FAILURE=1
+        fi
+        if [ $ABIDIFF_USAGE_ERROR -ne 0 ]; then
+            print_log "abidiff reported ABIDIFF_USAGE_ERROR."
+            REPORT_RET_AS_FAILURE=1
+        fi
+        if [ $ABIDIFF_UNKNOWN_BIT_SET -ne 0 ]; then
+            print_log "abidiff reported ABIDIFF_UNKNOWN_BIT_SET."
+            REPORT_RET_AS_FAILURE=1
+        fi
+
+        if [ $ABIDIFF_ABI_CHANGE -ne 0 ]; then
+            print_log "Ignoring abidiff result ABIDIFF_ABI_CHANGE; instead we'll check for non-whitelisted differences."
+        fi
+        if [ $ABIDIFF_ABI_INCOMPATIBLE_CHANGE -ne 0 ]; then
+            print_log "Ignoring abidiff result ABIDIFF_ABI_INCOMPATIBLE_CHANGE; instead we'll check for non-whitelisted differences."
+        fi
+
+        if [ $REPORT_RET_AS_FAILURE -ne 0 ]; then
+            ABI_PROBLEM_FOUND=1
+            print_log "abidiff {$PREVDIST , $NEWDIST} for $SO FAILED with result $RET, or failed writing to ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt"
+        fi
+        if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
+            ABI_PROBLEM_FOUND=1
+            print_log "FAILED to access report file: ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt"
+        fi
+
+        diff -wB -u ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt \
+                ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
+        if [ ! -f ${ABI_REPORT} ]; then
+            ABI_PROBLEM_FOUND=1
+            print_log "FAILED to compare exepcted and new report: ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt"
+        fi
+    done
+
+    if [ -s ${ABI_REPORT} ]; then
+        print_log "FAILED: there are new unexpected ABI changes"
+        cat ${ABI_REPORT}
+        return 1
+    elif [ $ABI_PROBLEM_FOUND -ne 0 ]; then
+        print_log "FAILED: failure executing the ABI checks"
+        cat ${ABI_REPORT}
+        return 1
+    fi
+
+    return 0
+}
+
+test_jss()
+{
+    print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########"
+
+    print_log "$ cd ${HGDIR}/jss"
+    cd ${HGDIR}/jss
+
+    print_log "$ ${MAKE} platform"
+    PLATFORM=$(${MAKE} platform)
+    print_log "PLATFORM=${PLATFORM}"
+
+    print_log "$ cd ${HGDIR}/jss/org/mozilla/jss/tests"
+    cd ${HGDIR}/jss/org/mozilla/jss/tests
+
+    print_log "$ perl all.pl dist ${HGDIR}/dist/${PLATFORM}"
+    perl all.pl dist ${HGDIR}/dist/${PLATFORM} 2>&1 | tee ${LOG_TMP}
+    cat ${LOG_TMP} >> ${LOG_ALL}
+
+    tail -n2 ${LOG_TMP} | grep JSSTEST_RATE > /dev/null
+    RET=$?
+
+    grep FAIL ${LOG_TMP} 
+    [ $? -eq 1 ] || RET=1
+
+    print_result "JSS - tests - ${BITS} bits - ${OPT}" ${RET} 0
+    return ${RET}
+}
+
+create_objdir_dist_link()
+{
+    # compute relevant 'dist' OBJDIR_NAME subdirectory names for JSS and NSS
+    OS_TARGET=`uname -s`
+    OS_RELEASE=`uname -r | sed 's/-.*//' | sed 's/-.*//' | cut -d . -f1,2`
+    CPU_TAG=_`uname -m`
+    # OBJDIR_NAME_COMPILER appears to be defined for NSS but not JSS
+    OBJDIR_NAME_COMPILER=_cc
+    LIBC_TAG=_glibc
+    IMPL_STRATEGY=_PTH
+    if [ "${RUN_BITS}" = "64" ]; then
+        OBJDIR_TAG=_${RUN_BITS}_${RUN_OPT}.OBJ
+    else
+        OBJDIR_TAG=_${RUN_OPT}.OBJ
+    fi
+
+    # define NSS_OBJDIR_NAME
+    NSS_OBJDIR_NAME=${OS_TARGET}${OS_RELEASE}${CPU_TAG}${OBJDIR_NAME_COMPILER}
+    NSS_OBJDIR_NAME=${NSS_OBJDIR_NAME}${LIBC_TAG}${IMPL_STRATEGY}${OBJDIR_TAG}
+    print_log "create_objdir_dist_link(): NSS_OBJDIR_NAME='${NSS_OBJDIR_NAME}'"
+
+    # define JSS_OBJDIR_NAME
+    JSS_OBJDIR_NAME=${OS_TARGET}${OS_RELEASE}${CPU_TAG}
+    JSS_OBJDIR_NAME=${JSS_OBJDIR_NAME}${LIBC_TAG}${IMPL_STRATEGY}${OBJDIR_TAG}
+    print_log "create_objdir_dist_link(): JSS_OBJDIR_NAME='${JSS_OBJDIR_NAME}'"
+
+    if [ -e "${HGDIR}/dist/${NSS_OBJDIR_NAME}" ]; then
+        SOURCE=${HGDIR}/dist/${NSS_OBJDIR_NAME}
+        TARGET=${HGDIR}/dist/${JSS_OBJDIR_NAME}
+        ln -s ${SOURCE} ${TARGET} >/dev/null 2>&1
+    fi
+}
+
+build_and_test()
+{
+    if [ -n "${BUILD_NSS}" ]; then
+        build_nss
+        [ $? -eq 0 ] || return 1
+    fi
+
+    if [ -n "${TEST_NSS}" ]; then
+        test_nss
+        [ $? -eq 0 ] || return 1
+    fi
+
+    if [ -n "${CHECK_ABI}" ]; then
+        check_abi
+        [ $? -eq 0 ] || return 1
+    fi
+
+    if [ -n "${BUILD_JSS}" ]; then
+        create_objdir_dist_link
+        build_jss
+        [ $? -eq 0 ] || return 1
+    fi
+
+    if [ -n "${TEST_JSS}" ]; then
+        test_jss
+        [ $? -eq 0 ] || return 1
+    fi
+
+    return 0
+}
+
+run_cycle()
+{
+    print_env
+    build_and_test
+    RET=$?
+
+    grep ^TinderboxPrint ${LOG_ALL}
+
+    return ${RET}
+}
+
+prepare()
+{
+    rm -rf ${OUTPUTDIR}.oldest >/dev/null 2>&1
+    mv ${OUTPUTDIR}.older ${OUTPUTDIR}.oldest >/dev/null 2>&1
+    mv ${OUTPUTDIR}.old ${OUTPUTDIR}.older >/dev/null 2>&1
+    mv ${OUTPUTDIR}.last ${OUTPUTDIR}.old >/dev/null 2>&1
+    mv ${OUTPUTDIR} ${OUTPUTDIR}.last >/dev/null 2>&1
+    mkdir -p ${OUTPUTDIR}
+
+    # Remove temporary test files from previous jobs that weren't cleaned up
+    # by move_results(), e.g. after unexpected interruptions.
+    rm -rf ${HGDIR}/tests_results/
+
+    cd ${HGDIR}/nss
+
+    if [ -n "${FEWER_STRESS_ITERATIONS}" ]; then
+        sed -i 's/-c_1000_/-c_500_/g' tests/ssl/sslstress.txt
+    fi
+
+    return 0
+}
+
+move_results()
+{
+    cd ${HGDIR}
+    if [ -n "${TEST_NSS}" ]; then
+	mv -f tests_results ${OUTPUTDIR}
+    fi
+    tar -c -z --dereference -f ${OUTPUTDIR}/dist.tgz dist
+    rm -rf dist
+}
+
+run_all()
+{
+    set_cycle ${BITS} ${OPT}
+    prepare
+    run_cycle
+    RESULT=$?
+    print_log "### result of run_cycle is ${RESULT}"
+    move_results
+    return ${RESULT}
+}
+
+main()
+{
+    VALID=0
+    RET=1
+    FAIL=0
+
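+    # RUN_BITS and RUN_OPT (typically set via the sourced ENVVARS file) select
+    # which 32/64-bit and DBG/OPT combinations this slave builds.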
+    for BITS in 32 64; do
+        echo ${RUN_BITS} | grep ${BITS} > /dev/null
+        [ $? -eq 0 ] || continue
+        for OPT in DBG OPT; do
+            echo ${RUN_OPT} | grep ${OPT} > /dev/null
+            [ $? -eq 0 ] || continue
+
+            VALID=1
+            set_env
+            run_all
+            RET=$?
+            print_log "### result of run_all is ${RET}"
+            if [ ${RET} -ne 0 ]; then
+                FAIL=${RET}
+            fi
+        done
+    done
+
+    if [ ${VALID} -ne 1 ]; then
+        echo "Need to set valid bits/opt values."
+        return 1
+    fi
+
+    return ${FAIL}
+}
+
+#function killallsub()
+#{
+#    FINAL_RET=$?
+#    for proc in `jobs -p`
+#    do
+#        kill -9 $proc
+#    done
+#    return ${FINAL_RET}
+#}
+#trap killallsub EXIT
+
+#IS_RUNNING_FILE="./build-is-running"
+
+#if [ -a $IS_RUNNING_FILE ]; then
+#    echo "exiting, because old job is still running"
+#    exit 1
+#fi
+
+#touch $IS_RUNNING_FILE
+
+echo "tinderbox args: $0 $@"
+. ${ENVVARS}
+proc_args "$@"
+main
+
+RET=$?
+print_log "### result of main is ${RET}"
+
+#rm $IS_RUNNING_FILE
+exit ${RET}
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/buildbot-slave/reboot.bat
@@ -0,0 +1,6 @@
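+REM If a build marker was left behind, clear it and reboot; the timeout keeps
+REM this script alive until the shutdown takes effect.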
+IF EXIST ..\buildbot-is-building (
+    del ..\buildbot-is-building
+    shutdown /r /t 0
+
+    timeout /t 120
+)
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/buildbot-slave/startbuild.bat
@@ -0,0 +1,14 @@
+echo running > ..\buildbot-is-building
+
+echo running: "%MOZILLABUILD%\msys\bin\bash" -c "hg/nss/automation/buildbot-slave/build.sh %*"
+"%MOZILLABUILD%\msys\bin\bash" -c "hg/nss/automation/buildbot-slave/build.sh %*"
+
+if %errorlevel% neq 0 (
+  set EXITCODE=1
+) else (
+  set EXITCODE=0
+)
+
+del ..\buildbot-is-building
+
+exit /b %EXITCODE%
--- a/security/nss/automation/saw/chacha20.saw
+++ b/security/nss/automation/saw/chacha20.saw
@@ -29,12 +29,12 @@ let SpecChaCha20 n = do {
   ctr <- llvm_var "ctr" (llvm_int 32);
 
   llvm_ensure_eq "*output" {{ chacha20::encrypt k ctr n1 plain }};
 
   llvm_verify_tactic abc;
 };
 
 print "Proving equality for a single block...";
-time (llvm_verify m "Hacl_Chacha20_chacha20_encrypt" [] (SpecChaCha20 64));
+time (llvm_verify m "Hacl_Chacha20_chacha20" [] (SpecChaCha20 64));
 
 print "Proving equality for multiple blocks...";
-time (llvm_verify m "Hacl_Chacha20_chacha20_encrypt" [] (SpecChaCha20 256));
+time (llvm_verify m "Hacl_Chacha20_chacha20" [] (SpecChaCha20 256));
--- a/security/nss/automation/taskcluster/docker-builds/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-builds/Dockerfile
@@ -29,23 +29,19 @@ RUN apt-get update \
     linux-libc-dev:i386 \
     llvm-dev \
     locales \
     mercurial \
     ninja-build \
     pkg-config \
     valgrind \
     zlib1g-dev \
-    clang-format-3.9 \
  && rm -rf /var/lib/apt/lists/* \
  && apt-get autoremove -y && apt-get clean -y
 
-RUN update-alternatives --install /usr/bin/clang-format \
-    clang-format $(which clang-format-3.9) 10
-
 # Latest version of abigail-tools
 RUN apt-get update \
  && apt-get install -y --no-install-recommends automake libtool libxml2-dev \
  && git clone git://sourceware.org/git/libabigail.git /tmp/libabigail \
  && cd /tmp/libabigail \
  && autoreconf -fi \
  && ./configure --prefix=/usr --disable-static --disable-apidoc --disable-manual \
  && make && make install \
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc
@@ -0,0 +1,143 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFS+1SABEACnmkESkY7eZq0GhDjbkWpKmURGk9+ycsfAhA44NqUvf4tk1GPM
+5SkJ/fYedYZJaDVhIp98fHgucD0O+vjOzghtgwtITusYjiPHPFBd/MN+MQqSEAP+
+LUa/kjHLjgyXxKhFUIDGVaDWL5tKOA7/AQKl1TyJ8lz89NHQoUHFsF/hu10+qhJe
+V65d32MXFehIUSvegh8DrPuExrliSiORO4HOhuc6151dWA4YBWVg4rX5kfKrGMMT
+pTWnSSZtgoRhkKW2Ey8cmZUqPuUJIfWyeNVu1e4SFtAivLvu/Ymz2WBJcNA1ZlTr
+RCOR5SIRgZ453pQnI/Bzna2nnJ/TV1gGJIGRahj/ini0cs2x1CILfS/YJQ3rWGGo
+OxwG0BVmPk0cmLVtyTq8gUPwxcPUd6WcBKhot3TDMlrffZACnQwQjlVjk5S1dEEz
+atUfpEuNitU9WOM4jr/gjv36ZNCOWm95YwLhsuci/NddBN8HXhyvs+zYTVZEXa2W
+l/FqOdQsQqZBcJjjWckGKhESdd7934+cesGD3O8KaeSGxww7slJrS0+6QJ8oBoAB
+P/WCn/y2AiY2syEKp3wYIGJyAbsm542zMZ4nc7pYfSu49mcyhQQICmqN5QvOyYUx
+OSqwbAOUNtlOyeRLZNIKoXtTqWDEu5aEiDROTw6Rkq+dIcxPNgOLdeQ3HwARAQAB
+tCFIYW5zIFdlbm5ib3JnIDxoYW5zQGNocm9taXVtLm9yZz6JARwEEAECAAYFAlT2
+MQAACgkQVfXNcLtaBWnDKgf/fjusXk+kh1zuyn5eOCe16+2vV1lmXZrDIGdJtXDW
+ZtHKele1Yv1BA3kUi5tKQi+VOOrvHL0+TMjFWFiCy1sYJS9qgkS08kReI2nAnhZ7
+INdqEVxtVk1TTOhtYjOPy6txwujoICuPv5F4rHVhn1LPKGTLtYD2LOwf/8eKYQox
+51gaJ8dNxpcHE/iFOIDXdebJPufo3EhqDRihchxb8AVLhrNss7pGGG/tVfichmHK
+djPT2KfSh14pq1ahFOz0zH4nmTu7CCLnLAdRBHuhL8HVDbi0vKBtCiSmQggdxvoj
+u+hpXiiDFQoCjLh0zVCwtFqWDZbnKMTBNNF26aTmQ+2fiYkBMwQQAQgAHRYhBB/m
+NI7eqCWiKXDlxI3TBA8SPMP0BQJbcLU1AAoJEI3TBA8SPMP021sH/jD1m7azNCN6
+DVL1iDJT6uIIYCTylygH5XI46CRoWaz/LwdFnUqWHHTcQxJ5pIkWV9KF+SIgMT42
+brdZZmNvvSdX0odjFKqj5UR6w+wDN+uZ6Q40zu4pNoNzbk7pRpbFf1XIfGB1liyu
+m28EJ58IXu/0AV7FiDAHGGBqppK/cwQN8pGLwmz1n6YELtXeFmtOGnusO6iLYOE7
+3ByFCCqJB6twT5+7dDqFYqqQJgQ6jDTy19dDZ1vDhDttL+2Rn0OYXqPw7gy/1D2p
+Y1cM9PgPBsR4EXhbtV0uKUNomk8tM/HnGMFT0KirI/tSwEP3v9g5YH992mrvNuIV
+TkyQn0jGeMeJATMEEAEIAB0WIQRswFHTwdmkr54mDFjT45SsdE4uuwUCW3haCQAK
+CRDT45SsdE4uu4JjCACppkreiMrpJSREKbUscdOvFxFRYzkTFeSCwX9Ih7r5ENpa
+zjczfIqCCfWzioV6y4K0V04y8CXt/5S5a9vfW801pBUdF9nG4X8YbUn/xSe+8A9m
+MsfDjMNcF7Cp5czVoSS4/4oHm9mQUMYQsn3AwwCPDKFORRRv5Eb0om9JawKtt++7
+ZW0fOgDkvOCm14SN0UtVc4mxTx6iyxdMDgrKinBZVjxEh5oeqUyXh5TYM+XyWFVh
+/gDUvUWwLI0GUWNTyOyUQU1oPVp+sWqrEe1BXLVCKFVWaSTtgJtJ5FyP+z2uzRcv
+aanPOj/ohHAo8VBq9QbefYVAkShNBEuJkATnXhcGiQEzBBABCAAdFiEEvlzFWRM6
+4JjNAb2a+j2ZL9Cqr7wFAlkBCcIACgkQ+j2ZL9Cqr7yB9AgArj+0+i0DCo1nm4MF
+TLnW1Y9GF/Hq/mBva1MhkT0j3BzENK3xgqrqac8KqupsporNEmJ0ZbZzilJdZImb
+o4X5BFdmmnjMiGaH6GAiPqRBBHGvLV2r2pG467J4tOMWO3XipFRf7FibbfhAU1lV
+/GLWYTSwLqwWwBE8u5rriEvDngWUJw2Yd4Yqwduef7O6F+JfsGPRXFomR3387II0
+8AXo/C+P5cl64llaxV6BmkJhQ6ydL0/KwSkHVdlXugk1sPtV/qOyPQ5L1Ibqbsvh
+lLq/jhHlUUNLFjlQ2lrS9bhHGw9OIHTMJvS8RDrk0yAmoHAyRWNgbFN7aA62vBhq
+pcUVzokBMwQQAQgAHRYhBPZ+fW6ADyQOg+vIZ/9qyaZGTfCcBQJa+ZAwAAoJEP9q
+yaZGTfCcKMgH/jRxGfYhhGnlMnDLAEpYC+TGSDLMgmg9cOZbonqyMv+7Kts+pV03
+KUr9SPV+VtGtOxRNiqwFt6V2MHcwPJfTXuH/bBW/HCCpr6UlOVWqIiCNK0Gnpcj5
+rRt5unjG9CwsgyaK9QPI8bGin/c6m8BjwmEdfJ01ATLiUb8WuDHQy9OCyrEAnzSq
+FD5ZtFmAFxvzm2x1nwb5HPuqkOqbRatp8aRJzTxIeSJPpgLw0PawHKGN3Ckp7REc
+g26P1spkPe7SIVRsobH3al4uw7mgs7wiDWN3t8CdmuHAzmB2UrsR84JMTb45GboO
+Bc1CX8xZcHyNaDEpyWHav+P8nZqwfBm+cLiJAjMEEAEIAB0WIQSawVDb4dGOtiX0
++gWyD0lU8+/LPwUCW/4O9QAKCRCyD0lU8+/LPyI7EACWtj0GEb1VT02gKwtKwgFn
+RJ2pz8vYm188wgJwCJaL04d2D/VwE0jMvmfH80hSKgSLPAVMG06RIOb/tGhHsQKU
+zBlHiAFmfjlJo1FC/Mp44RrERRsFAWBg0/URIs4vP8+5Vl+5m70sZrQpKeq+6TLM
+1dQ0Ohz+QkQ04Z+DTroChWU8/7Uw0E3CqGGKYqPvDh54T1q4s8FoN0no8ZUlt/O+
+r/3c7awr85ZnxqtnHIcuMbVyIZ+gOqXdrLa85yZITsh4zQrjYuyTEg7dpziReyiZ
++rkpdIdFKl8YeD+d0JWzVm7kq9D4K3+x9C509z0IgJUT3bhsX/N0Yf/QUtUW5oxI
+T7fod86B/Q2M7zBTttFhd1vAjiSjEalK48SjTzWqTDYVIkea1+f1kZK5A0QlthqG
+P2zy5GUjZVzOiCSOhyEOvAorU3zKD2s84VFKlayZEqlHJh8u5U59TWBdkW3qZUJd
+ewW31xt0s8IovYSgOwX3wbsClQs6eVwNuCZT2yQAgAyXA5iFztBvDRQ0qmetvzV2
+Ay9SrjvkQ3qr/eZmbMErEwEUxIO4b1rctCQ6jcbyVxMTAZAfaDoVKWEMXNiF2KSw
+F9SSzGPIZDgiEXUlgaJBlUIYSFxrPuE+da0CM5RixyYIinU6AER6crl9C4C9XL6a
+u3jf+5MTGxviRGn2oQzSCYkCMwQQAQgAHRYhBKeHFU4z7cw4HFbYuaxFYRTTj42I
+BQJboq6kAAoJEKxFYRTTj42IWIAP/3rc9GjDTM4nI6Oi4OzLkwm/I2Vr7LUKG8oX
+8E4Nj3amvNGupzGySjB+vrM6APrMSScXunvM0f19LV84EnNrUQ3KFZcSC6r5WC0B
+2+TVRYGpY+6R9AQpqnuxicW0sa/AlV9WSEb4fDavCel2nW0arH4wkkCzTThUxoBB
+X4I9nf4ZzGoUnnDAwTD9rN0gpI6Td/7faa3t99dRLb6AHJ1KhvyiiV3lr0xtTssD
+xVHo0SpzQTnOcRJnYf/2rTny8bVfROPWieh6HuEiP7SxT1HyeTr4WSAjSCoG95O2
+b3OgSMl0Z82FRMoJYmxID/V5YqH7015SjCxKdYhEZVp9YwWruEJIH8r6MGbWYNAl
+REnyDvfGzAF0L0+gAUymDRmtp1jeXLo+HmLgVEUWegafs1TPfCWS/H9n10Upjmuq
+akituzacz6Kjleq9qbnl81Xmh4AKmOILRwE7Pmcbl8HATOrmi5EaKffjMdWFzOWh
+3U4/VsNDujqSTXD88EjGcpLiIiYefGy0sURJbIMTkfXVt3ruHLyuvhsRE/2QEAi7
+gWB0zuBV8iGBaag+6RQkxGdpemPiogzuDijqZHoUXlp7Q6IYLanXeweyivdrSyTB
+4HOECDbWEPZwk6tCxnuklW5iJndxBmxjSxefIMGU7G2JS9quppCVFCrKUjIWnf7b
+gXnNji5JiQIzBBABCAAdFiEExZuSbLy7rtFhdiOuHt8NuZ2LeoQFAluirpUACgkQ
+Ht8NuZ2LeoR/gQ/6A71JxUavzyBlCXlMy2Hx2+gOfy68b8UWl7DwKTOBSoZOzPC7
+dVCSTzoK8dRELqsp7CkFImWcEwLJWMptuH2I1nK+Ua8bvxJSMJnOlPxYE8Wz5EK3
+SQ2mQvifRezQTe8zjdpxEDSR6xocSiigvJow4X+Mivrxxj8sMgu1KA1ud2VGX/IR
+wMbwuBTH9YydgvzmFzTxdlJHEYmsI8koHrVWPHm//QqqPBn+qz2z9uAzDmGAiDYg
+qtQijo5IJC8ZjxgdcTfCkN6he+GhHtOhyP/KF/FcRHY83DoNCtqexQZWGuKtbd8o
+nQYtmemRFob5kR7GxuNdAqF74oQfXcvXZNtHSuN3VtLqkB4fzW+21JBJCsP3XCzd
+nKjR4erXNrQycmp3shSoJbnVvdbDwaVlWhDen1DvJb0Lj2sO3PQPcwVQbf5XHWR/
+ZCf2OQTfVgwFEB4/0Twv70XwYIui2Ry9hmTPbD4Nn+UXbMQ3SOp90tj/e2yY/MFt
+FvcIYcJTk9LM5IsnKgh+fSWDmdS3HD5Kjv2EPUHTNalruwwfmhS+ScJwM4XqHTJY
+JkB16j/Xv2FTF+6KlbA1zdOVycPzoFKjAENYccQBVo2B+WQac7dFDqGEVNal9z66
+DyU4ciAHl6PsbuN7DWeuScLoqq5jwx61bZgn71mUOYC1/47ypat2BKCOXZ2JAjME
+EgEIAB0WIQSm5op4O95BdGcqQkHwXKpE5VGK/wUCWie53AAKCRDwXKpE5VGK/3rM
+D/9jcYKOjYaPJh3Q7wNC1HjjUa73eo5GvJqyXbsXufIh/RAYgQkD08P5JgzfXvQ0
+zOQTtDlDTVG8VMFoBYeMJVDd0k9LBbaljxcttMPfOll+AlQGAL7iQIqTAndknkJL
+CFdl0ypa5GVsl1tzqmNC5fuMJ3vBoRtYbMitlHQkO0vLjZ7yl9fz+7YkREpEo/d5
+Ya8t4+L6el6lrETYaiGCTxHcbYD7VdiJxpxFQlpgl+XKtobrj70RocGQ5JwUNilC
+nRJKUb33lbmntwDwQ1y1AjCnhB++3GHjJDXBPgYFDCSZPCndKeOXhxmB2psFf41i
+8foJPJXuh1vWOqArdwseFCRM6W2deF1utZmROMSkUo6IC8dYlucO/hjpjhG+C8Zv
+QiM5uLylD3IPMX9wCz1tAhMNs3v4pEPo/4A//1cdLkor9cQVLFj3+TkS888EWZdj
+Y8mUTIXU6yL1DXcj8CfDPS29fMpDorDpK1swl4pN5qgGfsL5BSAXUf1AZDWbxnEY
+xf5rakfHDzrfbtbTSSfrBxS8gdW2vBKM+3nL21BeP8hQ0tkLA7bn2fNGz3aCOw46
+XeVJdBk1gVTwazspylqrh1ljr0hQEN4gs/8kM645BRdD0IyAFFcI44VmuVwd8+2g
+5miAGmVKSqN77w2cgMRnF7xpUsanv+3zKzaTnG+2liTeCokCPgQTAQIAKAUCVL7V
+IAIbAwUJBaOagAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQD8MELjRa0F1m
+RhAAj9X+/4iiQsN888dNW/H1wEFFTd/1vqb2j0sHP3t02LkEPN5Ii9u71TSD2gSD
+WTu1Eb46nRDcapFNv5M0vXcWrEt7PK9b51Kuj4KpP5IjJHpTl2g7umaYQWC8fqcY
+TJTH0guMSCzZlsP0xGLbAj3cG6X5OPzCO+IxEafXmE//SfS9w46n1OC57ca1Y0Fp
+WXfjA0sJrcozgNchsptu3jg/oEteYJoxDAzNO45O4geNONq5D9PUQPb+H5Vv5zpy
+MI7iUJhVnTOFvnoUgRS7v6pWiA3flh5FelK8tYPCzEfvxfe7EB5GO7MaJEO3ZLni
+COaAZ3Nfn6Tt28tCOgd052W4FeGWow7iYCS1Wgd30bq/FNgnl+tKv2woxmWt4jJv
+ioBHQ4PbUnap2RCmBFaG7llRkrKP8nhWSUdwSS3OmDwAfxTTXjPaESK9EX9OV9Xo
+or07thq+7OMs+2cyiy2jSfIau0SELy/tVioZBhoB7hzAJUB8sGHOxMPlVDFdUr3x
+F/cgCclWANhw2xvgPim1wQ0XpeZe6w9RpmjZR7ReMYwxn8APBDP/e9R5aLDUQAep
+2hrJUPK38D0L69RnpWQsR9hZ2hEOrMV2M6ChlvhwHbGSdJ2CcqG5Jx4ZAP23DK3A
+N26TB88H9F7IMrM0REZeu7KzvYwCWlpg0zMXXKQ/2vovoe2JAlUEEwECAD8CGwMG
+CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEEtsj5goK5ROOw1cJTD8MELjRa0F0F
+Alpd+i0FCQ8FJo0ACgkQD8MELjRa0F3X3A//dBQLm6GmXlQFjxZbukTw0lZsevFR
+M/6ljZTxp7bsC+HFzYoaCKv6rikaWzytxk//SOaLKrB4Z9HjAlpBMtyLl2Hk7tcZ
+bPpFafNmQ+4KgWNjLXCvt9se8BGrQvGQUrbE6YowbXa2YIgxIVEncFzIECAsp/+N
+xbMcZN5/X1PJxKi/N22gP4nn47muN6L3pKez3CXgWnhGYSc7BuD5ALWYH7yMYUem
+d4jlXfu5xkBIqirj1arIYC9wmF4ldbLNDPuracc8LmXcSqa5Rpao0s4iVzAD+tkX
+vE/73m3rhepwBXxrfk0McXuI9aucf5h4/KkIBzZsaJ6JM1tzlrJzzjaBKJF9OI5T
+jA0qTxdGzdPztS8gPaPcMkRFfh9ti0ZDx4VeF3s8sOtmMRHeGEWfxqUAbBUbwFsa
+JDu/+8/VO4KijfcuUi8tqJ/JHeosCuGE7TM93LwJu6ZcqMYOPDROE/hsnGm0ZU92
+xedu+07/X1ESHkSFPoaSHD5/DCNa/tXIyJZ8X7gF3eoDP5mSmrJqIqsOBR9WOVYv
+dI8i0GHTXbrZj8WXdoS+N8wlyMLLbAS2jvTe7M5RoqbLz4ABOUUnLVoEE0CiccVZ
+bW75BPxOfaD0szbinAeX6HDPI7St0MbKrRPjuDXjD0JVkLqFINtZfYLGMLss4tgn
+suefr0Bo9ISwG3u5Ag0EVL7VIAEQAOxBxrQesChjrCqKjY5PnSsSYpeb4froucrC
+898AFw2DgN/Zz+W7wtSTbtz/GRcCurjzZvN7o2rCuNk0j0+s1sgZZm2BdldlabLy
++UF/kSW1rb5qhfXcGGubu48OMdtSfok9lOc0Q1L4HNlGE4lUBkZzmI7Ykqfl+Bwr
+m9rpi54g4ua9PIiiHIAmMoZIcbtOG1KaDr6CoXRk/3g2ZiGUwhq3jFGroiBsKEap
+2FJ1bh5NJk2Eg8pV7fMOF7hUQKBZrNOtIPu8hA5WEgku3U3VYjRSI3SDi6QXnDL+
+xHxajiWpKtF3JjZh8y/CCTD8PyP34YjfZuFmkdske5cdx6H0V2UCiH453ncgFVdQ
+DXkY4n+0MTzhy2xu0IVVnBxYDYNhi+3MjTHJd9C4xMi9t+5IuEvDAPhgfZjDpQak
+EPz6hVmgj0mlKIgRilBRK9/kOxky9utBpGk3jEJGru/hKNloFNspoYtY6zATAr8E
+cOgoCFQE0nIktcg3wF9+OCEnV28/a7XZwUZ7Gl/qfOHtdr374wo8kd8R3V8d2G9q
+5w0/uCV9NNQ0fGWZDPDoYt6wnPL6gZv/nJM8oZY+u0rC24WwScZIniaryC4JHDas
+Ahr2S2CtgCvBgslK6f3gD16KHxPZMBpX73TzOYIhMEP/vXgVJbUD6dYht+U9c4Oh
+EDJown0dABEBAAGJAjwEGAECACYCGwwWIQS2yPmCgrlE47DVwlMPwwQuNFrQXQUC
+Wl36SwUJDwUmqwAKCRAPwwQuNFrQXT1/D/9YpRDNgaJl3YVDtVZoeQwh7BQ6ULZT
+eXFPogYkF2j3VWg8s9UmAs4sg/4a+9KLSantXjX+JFsRv0lQe5Gr/Vl8VQ4LKEXB
+fiGmSivjIZ7eopdd3YP2w6G5T3SA4d2CQfsg4rnJPnXIjzKNiSOi368ybnt9fL0Y
+2r2aqLTmP6Y7issDUO+J1TW1XHm349JPR0Hl4cTuNnWm4JuX2m2CJEc5XBlDAha9
+pUVs+J5C2D0UFFkyeOzeJPwy6x5ApWHm84n8AjhQSpu1qRKxKXdwei6tkQWWMHui
++TgSY/zCkmD9/oY15Ei5avJ4WgIbTLJUoZMi70riPmU8ThjpzA7S+Nk0g7rMPq+X
+l1whjKU/u0udlsrIJjzkh6ftqKUmIkbxYTpjhnEujNrEr5m2S6Z6x3y9E5QagBMR
+dxRhfk+HbyACcP/p9rXOzl4M291DoKeAAH70GHniGxyNs9rAoMr/hD5XW/Wrz3dc
+KMc2s555E6MZILE2ZiolcRn+bYOMPZtWlbx98t8uqMf49gY4FGQBZAwPglMrx7mr
+m7HTIiXahThQGOJg6izJDAD5RwSEGlAcL28T8KAuM6CLLkhlBfQwiKsUBNnh9r8w
+V3lB+pV0GhL+3i077gTYfZBRwLzjFdhm9xUKEaZ6rN1BX9lzix4eSNK5nln0jUq1
+67H2IH//2sf8dw==
+=fTDu
+-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-hacl/Dockerfile
@@ -0,0 +1,31 @@
+FROM ubuntu:xenial
+
+MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
+# Based on the HACL* image from Benjamin Beurdouche and
+# the original F* formula with Daniel Fabian
+
+# Pinned versions of HACL* (F* and KreMLin are pinned as submodules)
+ENV haclrepo https://github.com/mitls/hacl-star.git
+
+# Define versions of dependencies
+ENV opamv 4.05.0
+ENV haclversion 1442c015dab97cdf203ae238b1f3aeccf511bd1e
+
+# Install required packages and set versions
+ADD B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc
+ADD setup.sh /tmp/setup.sh
+RUN bash /tmp/setup.sh
+
+# Create user, add scripts.
+RUN useradd -ms /bin/bash worker
+WORKDIR /home/worker
+ADD bin /home/worker/bin
+RUN chmod +x /home/worker/bin/*
+USER worker
+
+# Build F*, HACL*, verify. Install a few more dependencies.
+ENV OPAMYES true
+ENV PATH "/home/worker/hacl-star/dependencies/z3/bin:$PATH"
+ADD setup-user.sh /tmp/setup-user.sh
+ADD license.txt /tmp/license.txt
+RUN bash /tmp/setup-user.sh
new file mode 100755
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-hacl/bin/checkout.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+if [ $(id -u) = 0 ]; then
+    # Drop privileges by re-running this script.
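+    # Note: arguments are not forwarded here; this script does not take any.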
+    exec su worker $0
+fi
+
+# Default values for testing.
+REVISION=${NSS_HEAD_REVISION:-default}
+REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
+
+# Clone NSS.
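+# Retry up to three times with growing backoff; any partial clone is removed
+# before the next attempt.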
+for i in 0 2 5; do
+    sleep $i
+    hg clone -r $REVISION $REPOSITORY nss && exit 0
+    rm -rf nss
+done
+exit 1
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-hacl/license.txt
@@ -0,0 +1,15 @@
+/* Copyright 2016-2017 INRIA and Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-hacl/setup-user.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+# Prepare build (OCaml packages)
+opam init
+echo ". /home/worker/.opam/opam-init/init.sh > /dev/null 2> /dev/null || true" >> .bashrc
+opam switch -v ${opamv}
+opam install ocamlfind batteries sqlite3 fileutils yojson ppx_deriving_yojson zarith pprint menhir ulex process fix wasm stdint
+
+# Get the HACL* code
+git clone ${haclrepo} hacl-star
+git -C hacl-star checkout ${haclversion}
+
+# Prepare submodules; then build, verify, test, and extract the C code.
+# This caches the extracted C code (pinning the HACL* version). All we need to
+# do on CI now is compare the code in this Docker image with the one in NSS.
+opam config exec -- make -C hacl-star prepare -j$(nproc)
+make -C hacl-star -f Makefile.build snapshots/nss -j$(nproc)
+KOPTS="-funroll-loops 5" make -C hacl-star/code/curve25519 test -j$(nproc)
+make -C hacl-star/code/salsa-family test -j$(nproc)
+make -C hacl-star/code/poly1305 test -j$(nproc)
+
+# Cleanup.
+rm -rf ~/.ccache ~/.cache
new file mode 100644
--- /dev/null
+++ b/security/nss/automation/taskcluster/docker-hacl/setup.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -v -e -x
+
+# Update packages.
+export DEBIAN_FRONTEND=noninteractive
+apt-get -qq update
+apt-get install --yes libssl-dev libsqlite3-dev g++-5 gcc-5 m4 make opam pkg-config python libgmp3-dev cmake curl libtool-bin autoconf wget locales
+update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200
+update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200
+
+# Get clang-format-3.9
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
+curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+
+# Verify the signature. The key used for verification was fetched via:
+#    gpg --keyserver pgp.key-server.io --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D
+# Use a local copy to workaround bug 1565013.
+gpg --no-default-keyring --keyring tmp.keyring --import /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc
+gpg --no-default-keyring --keyring tmp.keyring --verify clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig
+
+# Install into /usr/local/.
+tar xJvf *.tar.xz -C /usr/local --strip-components=1
+# Cleanup.
+rm *.tar.xz*
+
+locale-gen en_US.UTF-8
+dpkg-reconfigure locales
+
+# Cleanup.
+rm -rf ~/.ccache ~/.cache
+apt-get autoremove -y
+apt-get clean
+apt-get autoclean
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -36,16 +36,21 @@ const FUZZ_IMAGE = {
 };
 
 // Bug 1488148 - temporary image for fuzzing 32-bit builds.
 const FUZZ_IMAGE_32 = {
   name: "fuzz32",
   path: "automation/taskcluster/docker-fuzz32"
 };
 
+const HACL_GEN_IMAGE = {
+  name: "hacl",
+  path: "automation/taskcluster/docker-hacl"
+};
+
 const SAW_IMAGE = {
   name: "saw",
   path: "automation/taskcluster/docker-saw"
 };
 
 const WINDOWS_CHECKOUT_CMD =
   "bash -c \"hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || " +
     "(sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss) || " +
@@ -1016,20 +1021,16 @@ function scheduleTests(task_build, task_
   }));
   queue.scheduleTask(merge(cert_base_long, {
     name: "Cipher tests", symbol: "NoSSSE3|NEON", tests: "cipher",
     env: {
       NSS_DISABLE_ARM_NEON: "1",
       NSS_DISABLE_SSSE3: "1"
     }, group: "Cipher"
   }));
-  queue.scheduleTask(merge(cert_base_long, {
-    name: "Cipher tests", symbol: "NoSSE4.1", tests: "cipher",
-    env: {NSS_DISABLE_SSE4_1: "1"}, group: "Cipher"
-  }));
   queue.scheduleTask(merge(cert_base, {
     name: "EC tests", symbol: "EC", tests: "ec"
   }));
   queue.scheduleTask(merge(cert_base, {
     name: "Lowhash tests", symbol: "Lowhash", tests: "lowhash"
   }));
   queue.scheduleTask(merge(cert_base, {
     name: "SDR tests", symbol: "SDR", tests: "sdr"
@@ -1148,17 +1149,17 @@ async function scheduleTools() {
       "-c",
       "bin/checkout.sh && nss/automation/taskcluster/scripts/run_coverity.sh"
     ]
   }));
 
   queue.scheduleTask(merge(base, {
     symbol: "hacl",
     name: "hacl",
-    image: LINUX_BUILDS_IMAGE,
+    image: HACL_GEN_IMAGE,
     command: [
       "/bin/bash",
       "-c",
       "bin/checkout.sh && nss/automation/taskcluster/scripts/run_hacl.sh"
     ]
   }));
 
   let task_saw = queue.scheduleTask(merge(base, {
@@ -1194,32 +1195,28 @@ async function scheduleTools() {
     image: SAW_IMAGE,
     command: [
       "/bin/bash",
       "-c",
       "bin/checkout.sh && nss/automation/taskcluster/scripts/run_saw.sh bmul"
     ]
   }));
 
-  // TODO: The ChaCha20 saw verification is currently disabled because the new
-  //       HACL 32-bit code can't be verified by saw right now to the best of
-  //       my knowledge.
-  //       Bug 1604130
-  // queue.scheduleTask(merge(base, {
-  //   parent: task_saw,
-  //   symbol: "ChaCha20",
-  //   group: "SAW",
-  //   name: "chacha20.saw",
-  //   image: SAW_IMAGE,
-  //   command: [
-  //     "/bin/bash",
-  //     "-c",
-  //     "bin/checkout.sh && nss/automation/taskcluster/scripts/run_saw.sh chacha20"
-  //   ]
-  // }));
+  queue.scheduleTask(merge(base, {
+    parent: task_saw,
+    symbol: "ChaCha20",
+    group: "SAW",
+    name: "chacha20.saw",
+    image: SAW_IMAGE,
+    command: [
+      "/bin/bash",
+      "-c",
+      "bin/checkout.sh && nss/automation/taskcluster/scripts/run_saw.sh chacha20"
+    ]
+  }));
 
   queue.scheduleTask(merge(base, {
     parent: task_saw,
     symbol: "Poly1305",
     group: "SAW",
     name: "poly1305.saw",
     image: SAW_IMAGE,
     command: [
--- a/security/nss/automation/taskcluster/scripts/run_hacl.sh
+++ b/security/nss/automation/taskcluster/scripts/run_hacl.sh
@@ -3,30 +3,38 @@
 if [[ $(id -u) -eq 0 ]]; then
     # Drop privileges by re-running this script.
     # Note: this mangles arguments, better to avoid running scripts as root.
     exec su worker -c "$0 $*"
 fi
 
 set -e -x -v
 
-# The docker image this is running in has NSS sources.
-# Get the HACL* source, containing a snapshot of the C code, extracted on the
-# HACL CI.
-# When bug 1593647 is resolved, extract the code on CI again.
-git clone -q "https://github.com/project-everest/hacl-star" ~/hacl-star
-git -C ~/hacl-star checkout -q 186a985597d57e3b587ceb0ef6deb0b5de706ae2
+# The docker image this is running in has the HACL* and NSS sources.
+# The extracted C code from HACL* is already generated and the HACL* tests were
+# successfully executed.
+
+# Verify HACL*. Taskcluster fails when we do this in the image build.
+make -C hacl-star verify-nss -j$(nproc)
 
-# Format the C snapshot.
-cd ~/hacl-star/dist/mozilla
-cp ~/nss/.clang-format .
-find . -type f -name '*.[ch]' -exec clang-format -i {} \+
-cd ~/hacl-star/dist/kremlin
+# Add license header to specs
+spec_files=($(find ~/hacl-star/specs -type f -name '*.fst'))
+for f in "${spec_files[@]}"; do
+    cat /tmp/license.txt "$f" > /tmp/tmpfile && mv /tmp/tmpfile "$f"
+done
+
+# Format the extracted C code.
+cd ~/hacl-star/snapshots/nss
 cp ~/nss/.clang-format .
 find . -type f -name '*.[ch]' -exec clang-format -i {} \+
 
 # These diff commands will return 1 if there are differences and stop the script.
 files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]'))
 for f in "${files[@]}"; do
-    file_name=$(basename "$f")
-    hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/kremlin/ -type f -name $file_name))
-    diff $hacl_file $f
+    diff $f $(basename "$f")
 done
+
+# Check that the specs didn't change either.
+cd ~/hacl-star/specs
+files=($(find ~/nss/lib/freebl/verified/specs -type f))
+for f in "${files[@]}"; do
+    diff $f $(basename "$f")
+done
--- a/security/nss/automation/taskcluster/windows/build_gyp.sh
+++ b/security/nss/automation/taskcluster/windows/build_gyp.sh
@@ -14,17 +14,17 @@ done
 [[ "$m" == "ia32" ]] && m=x86
 source "$(dirname "$0")/setup.sh"
 
 # Install GYP.
 pushd gyp
 python -m virtualenv test-env
 test-env/Scripts/python setup.py install
 test-env/Scripts/python -m pip install --upgrade pip
-test-env/Scripts/pip install --upgrade 'setuptools<45.0.0'
+test-env/Scripts/pip install --upgrade setuptools
 # Fool GYP.
 touch "${VSPATH}/VC/vcvarsall.bat"
 export GYP_MSVS_OVERRIDE_PATH="${VSPATH}"
 export GYP_MSVS_VERSION=2015
 popd
 
 export PATH="${PATH}:${PWD}/ninja/bin:${PWD}/gyp/test-env/Scripts"
 
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -120,17 +120,16 @@
     'nss_private_dist_dir%': '<(nss_dist_dir)/private',
     # This is only needed when building with --mozpkix-only and might not work
     # on all machines.
     'nss_include_dir%': '/usr/include/nss',
     'only_dev_random%': 1,
     'disable_fips%': 1,
     'mozpkix_only%': 0,
     'coverage%': 0,
-    'softfp_cflags%': '',
   },
   'target_defaults': {
     # Settings specific to targets should go here.
     # This is mostly for linking to libraries.
     'variables': {
       'mapfile%': '',
       'static_libs%': 0,
       'debug_optimization_level%': '0',
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
deleted file mode 100644
--- a/security/nss/gtests/common/testvectors/hkdf-vectors.h
+++ /dev/null
@@ -1,161 +0,0 @@
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef hkdf_vectors_h__
-#define hkdf_vectors_h__
-
-#include <vector>
-
-typedef struct hkdf_result_str {
-  SECStatus expect_rv;
-  bool output_match;
-} hkdf_result;
-
-typedef struct hkdf_vector_str {
-  uint32_t test_id;
-  CK_MECHANISM_TYPE mech;
-  size_t l;
-  std::vector<uint8_t> ikm;
-  std::vector<uint8_t> salt;
-  std::vector<uint8_t> info;
-  std::vector<uint8_t> okm;
-  hkdf_result res;
-} hkdf_vector;
-
-// Vectors sourced from https://tools.ietf.org/html/rfc5869
-// Test IDs correspond to those in Appendix A.
-const hkdf_vector kHkdfTestVectors[] = {
-    {1,
-     CKM_NSS_HKDF_SHA256,
-     42,
-     {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b},
-     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
-      0x0c},
-     {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9},
-     {0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f,
-      0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a,
-      0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34,
-      0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65},
-     {SECSuccess, true}},
-
-    {2,
-     CKM_NSS_HKDF_SHA256,
-     82,
-     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
-      0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
-      0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
-      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
-      0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
-      0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f},
-     {0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
-      0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-      0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83,
-      0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-      0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b,
-      0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
-      0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf},
-     {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb,
-      0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-      0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3,
-      0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
-      0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb,
-      0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-      0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff},
-     {0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1, 0xc8, 0xe7, 0xf7, 0x8c,
-      0x59, 0x6a, 0x49, 0x34, 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
-      0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c, 0x59, 0x04, 0x5a, 0x99,
-      0xca, 0xc7, 0x82, 0x72, 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
-      0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8, 0x36, 0x77, 0x93, 0xa9,
-      0xac, 0xa3, 0xdb, 0x71, 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
-      0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87},
-     {SECSuccess, true}},
-
-    {3,
-     CKM_NSS_HKDF_SHA256,
-     42,
-     {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b},
-     {},
-     {},
-     {0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f, 0x80,
-      0x2a, 0x06, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1,
-      0x87, 0x9e, 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d,
-      0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8},
-     {SECSuccess, true}},
-
-    {4,
-     CKM_NSS_HKDF_SHA1,
-     42,
-     {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b},
-     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
-      0x0c},
-     {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9},
-     {0x08, 0x5a, 0x01, 0xea, 0x1b, 0x10, 0xf3, 0x69, 0x33, 0x06, 0x8b,
-      0x56, 0xef, 0xa5, 0xad, 0x81, 0xa4, 0xf1, 0x4b, 0x82, 0x2f, 0x5b,
-      0x09, 0x15, 0x68, 0xa9, 0xcd, 0xd4, 0xf1, 0x55, 0xfd, 0xa2, 0xc2,
-      0x2e, 0x42, 0x24, 0x78, 0xd3, 0x05, 0xf3, 0xf8, 0x96},
-     {SECSuccess, true}},
-
-    {5,
-     CKM_NSS_HKDF_SHA1,
-     82,
-     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
-      0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
-      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
-      0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
-      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
-      0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
-      0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f},
-     {0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
-      0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
-      0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, 0x83,
-      0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
-      0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b,
-      0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
-      0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf},
-     {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb,
-      0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
-      0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3,
-      0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
-      0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb,
-      0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
-      0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff},
-     {0x0b, 0xd7, 0x70, 0xa7, 0x4d, 0x11, 0x60, 0xf7, 0xc9, 0xf1, 0x2c, 0xd5,
-      0x91, 0x2a, 0x06, 0xeb, 0xff, 0x6a, 0xdc, 0xae, 0x89, 0x9d, 0x92, 0x19,
-      0x1f, 0xe4, 0x30, 0x56, 0x73, 0xba, 0x2f, 0xfe, 0x8f, 0xa3, 0xf1, 0xa4,
-      0xe5, 0xad, 0x79, 0xf3, 0xf3, 0x34, 0xb3, 0xb2, 0x02, 0xb2, 0x17, 0x3c,
-      0x48, 0x6e, 0xa3, 0x7c, 0xe3, 0xd3, 0x97, 0xed, 0x03, 0x4c, 0x7f, 0x9d,
-      0xfe, 0xb1, 0x5c, 0x5e, 0x92, 0x73, 0x36, 0xd0, 0x44, 0x1f, 0x4c, 0x43,
-      0x00, 0xe2, 0xcf, 0xf0, 0xd0, 0x90, 0x0b, 0x52, 0xd3, 0xb4},
-     {SECSuccess, true}},
-
-    {6,
-     CKM_NSS_HKDF_SHA1,
-     42,
-     {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-      0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b},
-     {},
-     {},
-     {0x0a, 0xc1, 0xaf, 0x70, 0x02, 0xb3, 0xd7, 0x61, 0xd1, 0xe5, 0x52,
-      0x98, 0xda, 0x9d, 0x05, 0x06, 0xb9, 0xae, 0x52, 0x05, 0x72, 0x20,
-      0xa3, 0x06, 0xe0, 0x7b, 0x6b, 0x87, 0xe8, 0xdf, 0x21, 0xd0, 0xea,
-      0x00, 0x03, 0x3d, 0xe0, 0x39, 0x84, 0xd3, 0x49, 0x18},
-     {SECSuccess, true}},
-
-    {7,
-     CKM_NSS_HKDF_SHA1,
-     42,
-     {0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c,
-      0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c},
-     {},
-     {},
-     {0x2c, 0x91, 0x11, 0x72, 0x04, 0xd7, 0x45, 0xf3, 0x50, 0x0d, 0x63,
-      0x6a, 0x62, 0xf6, 0x4f, 0x0a, 0xb3, 0xba, 0xe5, 0x48, 0xaa, 0x53,
-      0xd4, 0x23, 0xb0, 0xd1, 0xf2, 0x7e, 0xbb, 0xa6, 0xf5, 0xe5, 0x67,
-      0x3a, 0x08, 0x1d, 0x70, 0xcc, 0xe7, 0xac, 0xfc, 0x48},
-     {SECSuccess, true}}};
-#endif  // hkdf_vectors_h__
--- a/security/nss/gtests/pk11_gtest/manifest.mn
+++ b/security/nss/gtests/pk11_gtest/manifest.mn
@@ -14,17 +14,16 @@ CPPSRCS = \
       pk11_chacha20poly1305_unittest.cc \
       pk11_curve25519_unittest.cc \
       pk11_der_private_key_import_unittest.cc \
       pk11_des_unittest.cc \
       pk11_ecdsa_unittest.cc \
       pk11_encrypt_derive_unittest.cc \
       pk11_export_unittest.cc \
       pk11_find_certs_unittest.cc \
-      pk11_hkdf_unittest.cc \
       pk11_import_unittest.cc \
       pk11_kbkdf.cc \
       pk11_keygen.cc \
       pk11_key_unittest.cc \
       pk11_module_unittest.cc \
       pk11_pbkdf2_unittest.cc \
       pk11_prf_unittest.cc \
       pk11_prng_unittest.cc \
--- a/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+++ b/security/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
@@ -69,17 +69,16 @@ class Pkcs11ChaCha20Poly1305Test
     }
 
     EXPECT_EQ(rv, SECSuccess);
     EXPECT_EQ(encrypted.size(), static_cast<size_t>(encrypted_len));
 
     // Check ciphertext and tag.
     if (ct) {
       ASSERT_EQ(ct_len, encrypted_len);
-      EXPECT_TRUE(!memcmp(ct, encrypted.data(), encrypted.size() - 16));
       EXPECT_TRUE(!memcmp(ct, encrypted.data(), encrypted.size()) !=
                   invalid_tag);
     }
 
     // Get the *estimated* plaintext length. This value should
     // never be zero as it could lead to a NULL outPtr being
     // passed to a subsequent decryption call (for AEAD we
     // must authenticate even when the pt is zero-length).
--- a/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
+++ b/security/nss/gtests/pk11_gtest/pk11_gtest.gyp
@@ -19,17 +19,16 @@
         'pk11_chacha20poly1305_unittest.cc',
         'pk11_cipherop_unittest.cc',
         'pk11_curve25519_unittest.cc',
         'pk11_der_private_key_import_unittest.cc',
         'pk11_des_unittest.cc',
         'pk11_ecdsa_unittest.cc',
         'pk11_encrypt_derive_unittest.cc',
         'pk11_find_certs_unittest.cc',
-        'pk11_hkdf_unittest.cc',
         'pk11_import_unittest.cc',
         'pk11_kbkdf.cc',
         'pk11_keygen.cc',
         'pk11_key_unittest.cc',
         'pk11_module_unittest.cc',
         'pk11_pbkdf2_unittest.cc',
         'pk11_prf_unittest.cc',
         'pk11_prng_unittest.cc',
deleted file mode 100644
--- a/security/nss/gtests/pk11_gtest/pk11_hkdf_unittest.cc
+++ /dev/null
@@ -1,124 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <memory>
-#include "blapi.h"
-#include "gtest/gtest.h"
-#include "nss.h"
-#include "nss_scoped_ptrs.h"
-#include "pk11pub.h"
-#include "secerr.h"
-#include "sechash.h"
-#include "testvectors/hkdf-vectors.h"
-#include "util.h"
-
-namespace nss_test {
-
-class Pkcs11HkdfTest : public ::testing::TestWithParam<hkdf_vector> {
- protected:
-  ScopedPK11SymKey ImportKey(CK_MECHANISM_TYPE mech, SECItem *ikm_item) {
-    ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
-    if (!slot) {
-      ADD_FAILURE() << "Can't get slot";
-      return nullptr;
-    }
-    ScopedPK11SymKey ikm(
-        PK11_ImportSymKey(slot.get(), CKM_GENERIC_SECRET_KEY_GEN,
-                          PK11_OriginUnwrap, CKA_SIGN, ikm_item, nullptr));
-
-    return ikm;
-  }
-
-  void RunTest(hkdf_vector vec) {
-    SECItem ikm_item = {siBuffer, vec.ikm.data(),
-                        static_cast<unsigned int>(vec.ikm.size())};
-
-    CK_NSS_HKDFParams hkdf_params = {
-        true, vec.salt.data(), static_cast<unsigned int>(vec.salt.size()),
-        true, vec.info.data(), static_cast<unsigned int>(vec.info.size())};
-    SECItem params_item = {siBuffer, (unsigned char *)&hkdf_params,
-                           sizeof(hkdf_params)};
-
-    ScopedPK11SymKey ikm = ImportKey(vec.mech, &ikm_item);
-    ASSERT_NE(nullptr, ikm.get());
-    ScopedPK11SymKey okm = ScopedPK11SymKey(
-        PK11_Derive(ikm.get(), vec.mech, &params_item,
-                    CKM_GENERIC_SECRET_KEY_GEN, CKA_DERIVE, vec.l));
-    if (vec.res.expect_rv == SECSuccess) {
-      ASSERT_NE(nullptr, okm.get());
-      if (vec.res.output_match) {
-        ASSERT_EQ(SECSuccess, PK11_ExtractKeyValue(okm.get()));
-        SECItem *act_okm_item = PK11_GetKeyData(okm.get());
-        SECItem vec_okm_item = {siBuffer, vec.okm.data(),
-                                static_cast<unsigned int>(vec.okm.size())};
-        ASSERT_EQ(0, SECITEM_CompareItem(&vec_okm_item, act_okm_item));
-      }
-    } else {
-      ASSERT_EQ(nullptr, okm.get());
-    }
-  }
-};
-
-TEST_P(Pkcs11HkdfTest, TestVectors) { RunTest(GetParam()); }
-
-INSTANTIATE_TEST_CASE_P(Pkcs11HkdfTests, Pkcs11HkdfTest,
-                        ::testing::ValuesIn(kHkdfTestVectors));
-
-TEST_F(Pkcs11HkdfTest, OkmLimits) {
-  hkdf_vector vector{
-      0,
-      CKM_NSS_HKDF_SHA1,
-      255 * SHA1_LENGTH /* per rfc5869 */,
-      {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
-       0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b},
-      {},
-      {},
-      {},
-      {SECSuccess, false} /* Only looking at return value */
-  };
-
-  // SHA1 limit
-  RunTest(vector);
-
-  // SHA1 limit + 1
-  vector.l += 1;
-  vector.res.expect_rv = SECFailure;
-  RunTest(vector);
-
-  // SHA256 limit
-  vector.mech = CKM_NSS_HKDF_SHA256;
-  vector.l = 255 * SHA256_LENGTH; /* per rfc5869 */
-  vector.res.expect_rv = SECSuccess;
-  RunTest(vector);
-
-  // SHA256 limit + 1
-  vector.l += 1;
-  vector.res.expect_rv = SECFailure;
-  RunTest(vector);
-
-  // SHA384 limit
-  vector.mech = CKM_NSS_HKDF_SHA384;
-  vector.l = 255 * SHA384_LENGTH; /* per rfc5869 */
-  vector.res.expect_rv = SECSuccess;
-  RunTest(vector);
-
-  // SHA384 limit + 1
-  vector.l += 1;
-  vector.res.expect_rv = SECFailure;
-  RunTest(vector);
-
-  // SHA512 limit
-  vector.mech = CKM_NSS_HKDF_SHA512;
-  vector.l = 255 * SHA512_LENGTH; /* per rfc5869 */
-  vector.res.expect_rv = SECSuccess;
-  RunTest(vector);
-
-  // SHA512 limit + 1
-  vector.l += 1;
-  vector.res.expect_rv = SECFailure;
-  RunTest(vector);
-}
-}  // namespace nss_test
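
For reference, the OkmLimits test above exercises the output-length bound from
RFC 5869: HKDF-Expand may produce at most 255 blocks of HashLen octets. A
minimal sketch of that bound check, using illustrative names that are not NSS
APIs:

#include <stdbool.h>
#include <stddef.h>

/* RFC 5869: the requested output length L must satisfy L <= 255 * HashLen. */
static bool
hkdf_okm_len_ok(size_t hash_len, size_t l)
{
    return l <= 255 * hash_len;
}
/* e.g. SHA-1: 255 * 20 = 5100 octets; SHA-256: 255 * 32 = 8160 octets. */
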
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -530,36 +530,52 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null 
             HAVE_INT128_SUPPORT = 1
             DEFINES += -DHAVE_INT128_SUPPORT
         endif
     endif
 endif # lcc
 endif # USE_64
 
 ifndef HAVE_INT128_SUPPORT
-    DEFINES += -DKRML_VERIFIED_UINT128
+    DEFINES += -DKRML_NOUINT128
 endif
 
 ifndef NSS_DISABLE_CHACHAPOLY
     ifeq ($(CPU_ARCH),x86_64)
-        EXTRA_SRCS += Hacl_Poly1305_128.c Hacl_Chacha20_Vec128.c Hacl_Chacha20Poly1305_128.c
+        ifdef HAVE_INT128_SUPPORT
+            EXTRA_SRCS += Hacl_Poly1305_64.c
+        else
+            EXTRA_SRCS += Hacl_Poly1305_32.c
+        endif
+    else
+        ifeq ($(CPU_ARCH),aarch64)
+            EXTRA_SRCS += Hacl_Poly1305_64.c
+        else
+            EXTRA_SRCS += Hacl_Poly1305_32.c
+        endif
     endif # x86_64
 
-    VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c
+    VERIFIED_SRCS += Hacl_Chacha20.c
+    VERIFIED_SRCS += Hacl_Chacha20_Vec128.c
 endif # NSS_DISABLE_CHACHAPOLY
 
-ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH)))
-    # All 64-bit architectures get the 64 bit version.
+ifeq (,$(filter-out i386 x386 x86 x86_64 aarch64,$(CPU_ARCH)))
+    # All Intel and 64-bit ARM architectures get the 64-bit version,
+    # with a custom uint128 if necessary (faster than the generic 32-bit version).
     ECL_SRCS += curve25519_64.c
-    VERIFIED_SRCS += Hacl_Curve25519_51.c
+    VERIFIED_SRCS += Hacl_Curve25519.c
 else
-    # All other architectures get the generic 32 bit implementation
+    # All other architectures get the generic 32-bit implementation (slow!)
     ECL_SRCS += curve25519_32.c
 endif
 
+ifndef HAVE_INT128_SUPPORT
+    VERIFIED_SRCS += FStar.c
+endif
+
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
 # (6) Execute "component" rules. (OPTIONAL)                           #
@@ -578,17 +594,17 @@ rijndael_tables:
 	         $(DEFINES) $(INCLUDES) $(OBJDIR)/libfreebl.a
 	$(OBJDIR)/make_rijndael_tab
 
 vpath %.h mpi ecl verified
 vpath %.c mpi ecl verified
 vpath %.S mpi ecl
 vpath %.s mpi ecl
 vpath %.asm mpi ecl
-INCLUDES += -Impi -Iecl -Iverified -Iverified/kremlin/include -Iverified/kremlin/kremlib/dist/minimal
+INCLUDES += -Impi -Iecl -Iverified
 
 
 DEFINES += -DMP_API_COMPATIBLE
 
 MPI_USERS = dh.c pqg.c dsa.c rsa.c ec.c
 
 MPI_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(MPI_SRCS:.c=$(OBJ_SUFFIX)))
 MPI_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(MPI_USERS:.c=$(OBJ_SUFFIX)))
@@ -760,27 +776,19 @@ endif
 ifdef INTEL_GCM_CLANG_CL
 #
 # clang-cl needs -mssse3
 #
 $(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): CFLAGS += -mssse3
 endif
 
 ifeq ($(CPU_ARCH),arm)
-# When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when
-# enabling NEON for these objects.
-# Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
-USES_SOFTFLOAT_ABI := $(shell $(CC) -o - -E -dM - $(CFLAGS) < /dev/null | grep __SOFTFP__ > /dev/null && echo 1)
-$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
-$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
+$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8
+$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon
 endif
 ifeq ($(CPU_ARCH),aarch64)
 $(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
 $(OBJDIR)/$(PROG_PREFIX)gcm-aarch64$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
 endif
 
 ifeq ($(CPU_ARCH),ppc)
 $(OBJDIR)/$(PROG_PREFIX)gcm-ppc$(OBJ_SUFFIX): CFLAGS += -mcrypto -maltivec
 endif
-
-$(OBJDIR)/$(PROG_PREFIX)Hacl_Chacha20_Vec128$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4 -mavx -maes 
-$(OBJDIR)/$(PROG_PREFIX)Hacl_Chacha20Poly1305_128$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4 -mavx -maes 
-$(OBJDIR)/$(PROG_PREFIX)Hacl_Poly1305_128$(OBJ_SUFFIX): CFLAGS += -mssse3 -msse4 -mavx -maes -mpclmul
--- a/security/nss/lib/freebl/aes-armv8.c
+++ b/security/nss/lib/freebl/aes-armv8.c
@@ -3,17 +3,17 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "secerr.h"
 #include "rijndael.h"
 
 #if ((defined(__clang__) ||                                         \
       (defined(__GNUC__) && defined(__GNUC_MINOR__) &&              \
        (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 8)))) && \
-     defined(IS_LITTLE_ENDIAN))
+     (defined(__ARM_NEON) || defined(__ARM_NEON__)))
 
 #ifndef __ARM_FEATURE_CRYPTO
 #error "Compiler option is invalid"
 #endif
 
 #include <arm_neon.h>
 
 SECStatus
--- a/security/nss/lib/freebl/blapii.h
+++ b/security/nss/lib/freebl/blapii.h
@@ -76,18 +76,16 @@ SEC_END_PROTOS
 SECStatus RSA_Init();
 SECStatus generate_prime(mp_int *prime, int primeLen);
 
 /* Freebl state. */
 PRBool aesni_support();
 PRBool clmul_support();
 PRBool avx_support();
 PRBool ssse3_support();
-PRBool sse4_1_support();
-PRBool sse4_2_support();
 PRBool arm_neon_support();
 PRBool arm_aes_support();
 PRBool arm_pmull_support();
 PRBool arm_sha1_support();
 PRBool arm_sha2_support();
 PRBool ppc_crypto_support();
 
 #endif /* _BLAPII_H_ */
--- a/security/nss/lib/freebl/blinit.c
+++ b/security/nss/lib/freebl/blinit.c
@@ -23,18 +23,16 @@
 
 static PRCallOnceType coFreeblInit;
 
 /* State variables. */
 static PRBool aesni_support_ = PR_FALSE;
 static PRBool clmul_support_ = PR_FALSE;
 static PRBool avx_support_ = PR_FALSE;
 static PRBool ssse3_support_ = PR_FALSE;
-static PRBool sse4_1_support_ = PR_FALSE;
-static PRBool sse4_2_support_ = PR_FALSE;
 static PRBool arm_neon_support_ = PR_FALSE;
 static PRBool arm_aes_support_ = PR_FALSE;
 static PRBool arm_sha1_support_ = PR_FALSE;
 static PRBool arm_sha2_support_ = PR_FALSE;
 static PRBool arm_pmull_support_ = PR_FALSE;
 static PRBool ppc_crypto_support_ = PR_FALSE;
 
 #ifdef NSS_X86_OR_X64
@@ -71,43 +69,35 @@ check_xcr0_ymm()
 }
 
 #define ECX_AESNI (1 << 25)
 #define ECX_CLMUL (1 << 1)
 #define ECX_XSAVE (1 << 26)
 #define ECX_OSXSAVE (1 << 27)
 #define ECX_AVX (1 << 28)
 #define ECX_SSSE3 (1 << 9)
-#define ECX_SSE4_1 (1 << 19)
-#define ECX_SSE4_2 (1 << 20)
 #define AVX_BITS (ECX_XSAVE | ECX_OSXSAVE | ECX_AVX)
 
 void
 CheckX86CPUSupport()
 {
     unsigned long eax, ebx, ecx, edx;
     char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
     char *disable_pclmul = PR_GetEnvSecure("NSS_DISABLE_PCLMUL");
     char *disable_avx = PR_GetEnvSecure("NSS_DISABLE_AVX");
     char *disable_ssse3 = PR_GetEnvSecure("NSS_DISABLE_SSSE3");
-    char *disable_sse4_1 = PR_GetEnvSecure("NSS_DISABLE_SSE4_1");
-    char *disable_sse4_2 = PR_GetEnvSecure("NSS_DISABLE_SSE4_2");
     freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
     aesni_support_ = (PRBool)((ecx & ECX_AESNI) != 0 && disable_hw_aes == NULL);
     clmul_support_ = (PRBool)((ecx & ECX_CLMUL) != 0 && disable_pclmul == NULL);
     /* For AVX we check AVX, OSXSAVE, and XSAVE
      * as well as XMM and YMM state. */
     avx_support_ = (PRBool)((ecx & AVX_BITS) == AVX_BITS) && check_xcr0_ymm() &&
                    disable_avx == NULL;
     ssse3_support_ = (PRBool)((ecx & ECX_SSSE3) != 0 &&
                               disable_ssse3 == NULL);
-    sse4_1_support_ = (PRBool)((ecx & ECX_SSE4_1) != 0 &&
-                               disable_sse4_1 == NULL);
-    sse4_2_support_ = (PRBool)((ecx & ECX_SSE4_2) != 0 &&
-                               disable_sse4_2 == NULL);
 }
 #endif /* NSS_X86_OR_X64 */
 
 /* clang-format off */
 #if defined(__aarch64__) || defined(__arm__)
 #ifndef __has_include
 #define __has_include(x) 0
 #endif
@@ -128,79 +118,53 @@ static unsigned long (*getauxval)(unsign
 #ifndef AT_HWCAP
 #define AT_HWCAP 16
 #endif
 
 #endif /* defined(__aarch64__) || defined(__arm__) */
 /* clang-format on */
 
 #if defined(__aarch64__)
-
-#if defined(__linux__)
 // Defines from hwcap.h in Linux kernel - ARM64
 #ifndef HWCAP_AES
 #define HWCAP_AES (1 << 3)
 #endif
 #ifndef HWCAP_PMULL
 #define HWCAP_PMULL (1 << 4)
 #endif
 #ifndef HWCAP_SHA1
 #define HWCAP_SHA1 (1 << 5)
 #endif
 #ifndef HWCAP_SHA2
 #define HWCAP_SHA2 (1 << 6)
 #endif
-#endif /* defined(__linux__) */
-
-#if defined(__FreeBSD__)
-#include <stdint.h>
-#include <machine/armreg.h>
-// Support for older version of armreg.h
-#ifndef ID_AA64ISAR0_AES_VAL
-#define ID_AA64ISAR0_AES_VAL ID_AA64ISAR0_AES
-#endif
-#ifndef ID_AA64ISAR0_SHA1_VAL
-#define ID_AA64ISAR0_SHA1_VAL ID_AA64ISAR0_SHA1
-#endif
-#ifndef ID_AA64ISAR0_SHA2_VAL
-#define ID_AA64ISAR0_SHA2_VAL ID_AA64ISAR0_SHA2
-#endif
-#endif /* defined(__FreeBSD__) */
 
 void
 CheckARMSupport()
 {
+    char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON");
+    char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
+    char *disable_pmull = PR_GetEnvSecure("NSS_DISABLE_PMULL");
 #if defined(_WIN64)
     BOOL arm_crypto_support = IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE);
-    arm_aes_support_ = arm_crypto_support;
-    arm_pmull_support_ = arm_crypto_support;
+    arm_aes_support_ = arm_crypto_support && disable_hw_aes == NULL;
+    arm_pmull_support_ = arm_crypto_support && disable_pmull == NULL;
     arm_sha1_support_ = arm_crypto_support;
     arm_sha2_support_ = arm_crypto_support;
-#elif defined(__linux__)
+#else
     if (getauxval) {
         long hwcaps = getauxval(AT_HWCAP);
-        arm_aes_support_ = (hwcaps & HWCAP_AES) == HWCAP_AES;
-        arm_pmull_support_ = (hwcaps & HWCAP_PMULL) == HWCAP_PMULL;
-        arm_sha1_support_ = (hwcaps & HWCAP_SHA1) == HWCAP_SHA1;
-        arm_sha2_support_ = (hwcaps & HWCAP_SHA2) == HWCAP_SHA2;
-    }
-#elif defined(__FreeBSD__)
-    /* qemu-user does not support register access from userspace */
-    if (PR_GetEnvSecure("QEMU_EMULATING") == NULL) {
-        uint64_t isar0 = READ_SPECIALREG(id_aa64isar0_el1);
-        arm_aes_support_ = ID_AA64ISAR0_AES_VAL(isar0) >= ID_AA64ISAR0_AES_BASE;
-        arm_pmull_support_ = ID_AA64ISAR0_AES_VAL(isar0) >= ID_AA64ISAR0_AES_PMULL;
-        arm_sha1_support_ = ID_AA64ISAR0_SHA1_VAL(isar0) >= ID_AA64ISAR0_SHA1_BASE;
-        arm_sha2_support_ = ID_AA64ISAR0_SHA2_VAL(isar0) >= ID_AA64ISAR0_SHA2_BASE;
+        arm_aes_support_ = hwcaps & HWCAP_AES && disable_hw_aes == NULL;
+        arm_pmull_support_ = hwcaps & HWCAP_PMULL && disable_pmull == NULL;
+        arm_sha1_support_ = hwcaps & HWCAP_SHA1;
+        arm_sha2_support_ = hwcaps & HWCAP_SHA2;
     }
 #endif
     /* aarch64 must support NEON. */
-    arm_neon_support_ = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON") == NULL;
-    arm_aes_support_ &= PR_GetEnvSecure("NSS_DISABLE_HW_AES") == NULL;
-    arm_pmull_support_ &= PR_GetEnvSecure("NSS_DISABLE_PMULL") == NULL;
+    arm_neon_support_ = disable_arm_neon == NULL;
 }
 #endif /* defined(__aarch64__) */
 
 #if defined(__arm__)
 // Defines from hwcap.h in Linux kernel - ARM
 /*
  * HWCAP flags - for elf_hwcap (in kernel) and AT_HWCAP
  */
@@ -368,26 +332,16 @@ avx_support()
     return avx_support_;
 }
 PRBool
 ssse3_support()
 {
     return ssse3_support_;
 }
 PRBool
-sse4_1_support()
-{
-    return sse4_1_support_;
-}
-PRBool
-sse4_2_support()
-{
-    return sse4_2_support_;
-}
-PRBool
 arm_neon_support()
 {
     return arm_neon_support_;
 }
 PRBool
 arm_aes_support()
 {
     return arm_aes_support_;
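
The detection code above follows one pattern throughout: read a hardware
feature bit (CPUID on x86, AT_HWCAP or platform APIs on ARM), then let an
NSS_DISABLE_* environment variable force the feature off. A condensed sketch
of the x86 case, reusing the freebl_cpuid helper and ECX bit layout from
blinit.c:

#define ECX_SSSE3 (1 << 9)

static PRBool
detect_ssse3(void)
{
    unsigned long eax, ebx, ecx, edx;
    freebl_cpuid(1, &eax, &ebx, &ecx, &edx);
    return (PRBool)((ecx & ECX_SSSE3) != 0 &&
                    PR_GetEnvSecure("NSS_DISABLE_SSSE3") == NULL);
}
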
--- a/security/nss/lib/freebl/chacha20poly1305.c
+++ b/security/nss/lib/freebl/chacha20poly1305.c
@@ -8,50 +8,101 @@
 
 #include <string.h>
 #include <stdio.h>
 
 #include "seccomon.h"
 #include "secerr.h"
 #include "blapit.h"
 #include "blapii.h"
+
+#ifndef NSS_DISABLE_CHACHAPOLY
 #include "chacha20poly1305.h"
+// Forward declaration from "Hacl_Chacha20_Vec128.h".
+extern void Hacl_Chacha20_Vec128_chacha20(uint8_t *output, uint8_t *plain,
+                                          uint32_t len, uint8_t *k, uint8_t *n1,
+                                          uint32_t ctr);
+// Forward declaration from "Hacl_Chacha20.h".
+extern void Hacl_Chacha20_chacha20(uint8_t *output, uint8_t *plain, uint32_t len,
+                                   uint8_t *k, uint8_t *n1, uint32_t ctr);
 
-// There are two implementations of ChaCha20Poly1305:
-// 1) 128-bit with hardware acceleration used on x64
-// 2) 32-bit used on all other platforms
-// Instead of including the headers (they bring other things we don't want),
-// we declare the functions here.
-// Usage is guarded by runtime checks of required hardware features.
+#if defined(HAVE_INT128_SUPPORT) && (defined(NSS_X86_OR_X64) || defined(__aarch64__))
+/* Use HACL* Poly1305 on 64-bit Intel and ARM */
+#include "verified/Hacl_Poly1305_64.h"
+#define NSS_POLY1305_64 1
+#define Hacl_Poly1305_update Hacl_Poly1305_64_update
+#define Hacl_Poly1305_mk_state Hacl_Poly1305_64_mk_state
+#define Hacl_Poly1305_init Hacl_Poly1305_64_init
+#define Hacl_Poly1305_finish Hacl_Poly1305_64_finish
+typedef Hacl_Impl_Poly1305_64_State_poly1305_state Hacl_Impl_Poly1305_State_poly1305_state;
+#else
+/* All other platforms get the 32-bit poly1305 HACL* implementation. */
+#include "verified/Hacl_Poly1305_32.h"
+#define NSS_POLY1305_32 1
+#define Hacl_Poly1305_update Hacl_Poly1305_32_update
+#define Hacl_Poly1305_mk_state Hacl_Poly1305_32_mk_state
+#define Hacl_Poly1305_init Hacl_Poly1305_32_init
+#define Hacl_Poly1305_finish Hacl_Poly1305_32_finish
+typedef Hacl_Impl_Poly1305_32_State_poly1305_state Hacl_Impl_Poly1305_State_poly1305_state;
+#endif /* HAVE_INT128_SUPPORT */
 
-// Forward declaration from Hacl_Chacha20_Vec128.h and Hacl_Chacha20Poly1305_128.h.
-extern void Hacl_Chacha20_Vec128_chacha20_encrypt_128(uint32_t len, uint8_t *out,
-                                                      uint8_t *text, uint8_t *key,
-                                                      uint8_t *n1, uint32_t ctr);
-extern void
-Hacl_Chacha20Poly1305_128_aead_encrypt(uint8_t *k, uint8_t *n1, uint32_t aadlen,
-                                       uint8_t *aad, uint32_t mlen, uint8_t *m,
-                                       uint8_t *cipher, uint8_t *mac);
-extern uint32_t
-Hacl_Chacha20Poly1305_128_aead_decrypt(uint8_t *k, uint8_t *n1, uint32_t aadlen,
-                                       uint8_t *aad, uint32_t mlen, uint8_t *m,
-                                       uint8_t *cipher, uint8_t *mac);
+static void
+Poly1305PadUpdate(Hacl_Impl_Poly1305_State_poly1305_state state,
+                  unsigned char *block, const unsigned char *p,
+                  const unsigned int pLen)
+{
+    unsigned int pRemLen = pLen % 16;
+    Hacl_Poly1305_update(state, (uint8_t *)p, (pLen / 16));
+    if (pRemLen > 0) {
+        memcpy(block, p + (pLen - pRemLen), pRemLen);
+        Hacl_Poly1305_update(state, block, 1);
+    }
+}
 
-// Forward declaration from Hacl_Chacha20.h and Hacl_Chacha20Poly1305_32.h.
-extern void Hacl_Chacha20_chacha20_encrypt(uint32_t len, uint8_t *out,
-                                           uint8_t *text, uint8_t *key,
-                                           uint8_t *n1, uint32_t ctr);
-extern void
-Hacl_Chacha20Poly1305_32_aead_encrypt(uint8_t *k, uint8_t *n1, uint32_t aadlen,
-                                      uint8_t *aad, uint32_t mlen, uint8_t *m,
-                                      uint8_t *cipher, uint8_t *mac);
-extern uint32_t
-Hacl_Chacha20Poly1305_32_aead_decrypt(uint8_t *k, uint8_t *n1, uint32_t aadlen,
-                                      uint8_t *aad, uint32_t mlen, uint8_t *m,
-                                      uint8_t *cipher, uint8_t *mac);
+/* Poly1305Do writes the Poly1305 authenticator of the given additional data
+ * and ciphertext to |out|. */
+static void
+Poly1305Do(unsigned char *out, const unsigned char *ad, unsigned int adLen,
+           const unsigned char *ciphertext, unsigned int ciphertextLen,
+           const unsigned char key[32])
+{
+#ifdef NSS_POLY1305_64
+    uint64_t stateStack[6U] = { 0U };
+    size_t offset = 3;
+#elif defined NSS_POLY1305_32
+    uint32_t stateStack[10U] = { 0U };
+    size_t offset = 5;
+#else
+#error "This can't happen."
+#endif
+    Hacl_Impl_Poly1305_State_poly1305_state state =
+        Hacl_Poly1305_mk_state(stateStack, stateStack + offset);
+
+    unsigned char block[16] = { 0 };
+    Hacl_Poly1305_init(state, (uint8_t *)key);
+
+    Poly1305PadUpdate(state, block, ad, adLen);
+    memset(block, 0, 16);
+    Poly1305PadUpdate(state, block, ciphertext, ciphertextLen);
+
+    unsigned int i;
+    unsigned int j;
+    for (i = 0, j = adLen; i < 8; i++, j >>= 8) {
+        block[i] = j;
+    }
+    for (i = 8, j = ciphertextLen; i < 16; i++, j >>= 8) {
+        block[i] = j;
+    }
+
+    Hacl_Poly1305_update(state, block, 1);
+    Hacl_Poly1305_finish(state, out, (uint8_t *)(key + 16));
+#undef NSS_POLY1305_64
+#undef NSS_POLY1305_32
+}
+#endif /* NSS_DISABLE_CHACHAPOLY */
 
 SECStatus
 ChaCha20Poly1305_InitContext(ChaCha20Poly1305Context *ctx,
                              const unsigned char *key, unsigned int keyLen,
                              unsigned int tagLen)
 {
 #ifdef NSS_DISABLE_CHACHAPOLY
     return SECFailure;
@@ -106,23 +157,20 @@ ChaCha20Poly1305_DestroyContext(ChaCha20
 #endif
 }
 
 #ifndef NSS_DISABLE_CHACHAPOLY
 void
 ChaCha20Xor(uint8_t *output, uint8_t *block, uint32_t len, uint8_t *k,
             uint8_t *nonce, uint32_t ctr)
 {
-#ifdef NSS_X64
-    if (ssse3_support() && sse4_1_support() && avx_support()) {
-        Hacl_Chacha20_Vec128_chacha20_encrypt_128(len, output, block, k, nonce, ctr);
-    } else
-#endif
-    {
-        Hacl_Chacha20_chacha20_encrypt(len, output, block, k, nonce, ctr);
+    if (ssse3_support() || arm_neon_support()) {
+        Hacl_Chacha20_Vec128_chacha20(output, block, len, k, nonce, ctr);
+    } else {
+        Hacl_Chacha20_chacha20(output, block, len, k, nonce, ctr);
     }
 }
 #endif /* NSS_DISABLE_CHACHAPOLY */
 
 SECStatus
 ChaCha20_Xor(unsigned char *output, const unsigned char *block, unsigned int len,
              const unsigned char *k, const unsigned char *nonce, PRUint32 ctr)
 {
@@ -145,59 +193,61 @@ ChaCha20Poly1305_Seal(const ChaCha20Poly
                       unsigned int *outputLen, unsigned int maxOutputLen,
                       const unsigned char *input, unsigned int inputLen,
                       const unsigned char *nonce, unsigned int nonceLen,
                       const unsigned char *ad, unsigned int adLen)
 {
 #ifdef NSS_DISABLE_CHACHAPOLY
     return SECFailure;
 #else
+    unsigned char block[64];
+    unsigned char tag[16];
 
     if (nonceLen != 12) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
         return SECFailure;
     }
     // ChaCha has a 64 octet block, with a 32-bit block counter.
     if (sizeof(inputLen) > 4 && inputLen >= (1ULL << (6 + 32))) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
         return SECFailure;
     }
     if (maxOutputLen < inputLen + ctx->tagLen) {
         PORT_SetError(SEC_ERROR_OUTPUT_LEN);
         return SECFailure;
     }
 
-#ifdef NSS_X64
-    if (ssse3_support() && sse4_1_support() && avx_support()) {
-        Hacl_Chacha20Poly1305_128_aead_encrypt(
-            (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
-            (uint8_t *)input, output, output + inputLen);
-    } else
-#endif
-    {
-        Hacl_Chacha20Poly1305_32_aead_encrypt(
-            (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
-            (uint8_t *)input, output, output + inputLen);
-    }
+    PORT_Memset(block, 0, sizeof(block));
+    // Generate a block of keystream. The first 32 bytes will be the poly1305
+    // key. The remainder of the block is discarded.
+    ChaCha20Xor(block, (uint8_t *)block, sizeof(block), (uint8_t *)ctx->key,
+                (uint8_t *)nonce, 0);
+    ChaCha20Xor(output, (uint8_t *)input, inputLen, (uint8_t *)ctx->key,
+                (uint8_t *)nonce, 1);
+
+    Poly1305Do(tag, ad, adLen, output, inputLen, block);
+    PORT_Memcpy(output + inputLen, tag, ctx->tagLen);
 
     *outputLen = inputLen + ctx->tagLen;
     return SECSuccess;
 #endif
 }
 
 SECStatus
 ChaCha20Poly1305_Open(const ChaCha20Poly1305Context *ctx, unsigned char *output,
                       unsigned int *outputLen, unsigned int maxOutputLen,
                       const unsigned char *input, unsigned int inputLen,
                       const unsigned char *nonce, unsigned int nonceLen,
                       const unsigned char *ad, unsigned int adLen)
 {
 #ifdef NSS_DISABLE_CHACHAPOLY
     return SECFailure;
 #else
+    unsigned char block[64];
+    unsigned char tag[16];
     unsigned int ciphertextLen;
 
     if (nonceLen != 12) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
         return SECFailure;
     }
     if (inputLen < ctx->tagLen) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
@@ -209,31 +259,26 @@ ChaCha20Poly1305_Open(const ChaCha20Poly
         return SECFailure;
     }
     // ChaCha has a 64 octet block, with a 32-bit block counter.
     if (inputLen >= (1ULL << (6 + 32)) + ctx->tagLen) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
         return SECFailure;
     }
 
-    uint32_t res = 1;
-#ifdef NSS_X64
-    if (ssse3_support() && sse4_1_support()) {
-        res = Hacl_Chacha20Poly1305_128_aead_decrypt(
-            (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, ciphertextLen,
-            (uint8_t *)output, (uint8_t *)input, (uint8_t *)input + ciphertextLen);
-    } else
-#endif
-    {
-        res = Hacl_Chacha20Poly1305_32_aead_decrypt(
-            (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, ciphertextLen,
-            (uint8_t *)output, (uint8_t *)input, (uint8_t *)input + ciphertextLen);
-    }
-
-    if (res) {
+    PORT_Memset(block, 0, sizeof(block));
+    // Generate a block of keystream. The first 32 bytes will be the poly1305
+    // key. The remainder of the block is discarded.
+    ChaCha20Xor(block, (uint8_t *)block, sizeof(block), (uint8_t *)ctx->key,
+                (uint8_t *)nonce, 0);
+    Poly1305Do(tag, ad, adLen, input, ciphertextLen, block);
+    if (NSS_SecureMemcmp(tag, &input[ciphertextLen], ctx->tagLen) != 0) {
         PORT_SetError(SEC_ERROR_BAD_DATA);
         return SECFailure;
     }
 
+    ChaCha20Xor(output, (uint8_t *)input, ciphertextLen, (uint8_t *)ctx->key,
+                (uint8_t *)nonce, 1);
+
     *outputLen = ciphertextLen;
     return SECSuccess;
 #endif
 }
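
The restored Seal and Open paths implement the RFC 7539 construction directly:
keystream block 0 supplies the one-time Poly1305 key, payload encryption
starts at block counter 1, and the tag covers the additional data and the
ciphertext, each zero-padded to a 16-byte boundary, followed by both lengths
as 64-bit little-endian values. A minimal sketch of the seal path using the
helpers defined in this file, with the length checks and configurable tag
length of ChaCha20Poly1305_Seal omitted:

static void
seal_sketch(uint8_t *out, const uint8_t *in, uint32_t inLen,
            uint8_t key[32], uint8_t nonce[12],
            const uint8_t *ad, uint32_t adLen)
{
    uint8_t block[64] = { 0 };
    /* Keystream block 0: the first 32 bytes become the Poly1305 key. */
    ChaCha20Xor(block, block, sizeof(block), key, nonce, 0);
    /* Payload encryption starts at block counter 1. */
    ChaCha20Xor(out, (uint8_t *)in, inLen, key, nonce, 1);
    /* 16-byte tag over ad and ciphertext, appended to the ciphertext. */
    Poly1305Do(out + inLen, ad, adLen, out, inLen, block);
}
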
--- a/security/nss/lib/freebl/det_rng.c
+++ b/security/nss/lib/freebl/det_rng.c
@@ -94,18 +94,17 @@ RNG_GenerateGlobalRandomBytes(void *dest
     if (!cx) {
         PORT_SetError(SEC_ERROR_NO_MEMORY);
         PZ_Unlock(rng_lock);
         return SECFailure;
     }
 
     memset(dest, 0, len);
     memcpy(dest, globalBytes, PR_MIN(len, GLOBAL_BYTES_SIZE));
-    Hacl_Chacha20_chacha20_encrypt(len, (uint8_t *)dest, (uint8_t *)dest,
-                                   (uint8_t *)key, nonce, 0);
+    Hacl_Chacha20_chacha20(dest, (uint8_t *)dest, len, (uint8_t *)key, nonce, 0);
     ChaCha20Poly1305_DestroyContext(cx, PR_TRUE);
 
     PZ_Unlock(rng_lock);
     /* --- UNLOCKED --- */
 
     return SECSuccess;
 }
 
--- a/security/nss/lib/freebl/ecl/curve25519_64.c
+++ b/security/nss/lib/freebl/ecl/curve25519_64.c
@@ -1,14 +1,14 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "ecl-priv.h"
-#include "../verified/Hacl_Curve25519_51.h"
+#include "../verified/Hacl_Curve25519.h"
 
 SECStatus
 ec_Curve25519_mul(uint8_t *mypublic, const uint8_t *secret, const uint8_t *basepoint)
 {
     // Note: this cast is safe because HaCl* state has a post-condition that only "mypublic" changed.
-    Hacl_Curve25519_51_ecdh(mypublic, (uint8_t *)secret, (uint8_t *)basepoint);
+    Hacl_Curve25519_crypto_scalarmult(mypublic, (uint8_t *)secret, (uint8_t *)basepoint);
     return 0;
 }
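
For illustration, X25519 key agreement goes through this wrapper with the
standard base point 9 from RFC 7748 (a sketch, not an NSS API):

static void
demo_x25519(uint8_t pub[32], const uint8_t secret[32])
{
    static const uint8_t basepoint[32] = { 9 };
    ec_Curve25519_mul(pub, secret, basepoint);
}
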
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@@ -52,74 +52,42 @@
       'cflags_mozilla': [
         '-mssse3'
       ],
     },
     {
       # TODO: make this so that all hardware accelerated code is in here.
       'target_name': 'hw-acc-crypto',
       'type': 'static_library',
-      # 'sources': [
-      #   All hardware accelerated crypto currently requires x64
-      # ],
+      'sources': [
+        'verified/Hacl_Chacha20_Vec128.c',
+      ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports'
       ],
       'conditions': [
-        [ 'target_arch=="x64"', {
+        [ 'target_arch=="ia32" or target_arch=="x64"', {
           'cflags': [
-            '-mssse3',
-            '-msse4'
+            '-mssse3'
           ],
           'cflags_mozilla': [
-            '-mssse3',
-            '-msse4',
-            '-mpclmul',
-            '-maes',
-            '-mavx',
+            '-mssse3'
           ],
           # GCC doesn't define this.
           'defines': [
             '__SSSE3__',
           ],
         }],
-        [ 'OS=="linux" or OS=="android" or OS=="dragonfly" or OS=="freebsd" or \
-           OS=="netbsd" or OS=="openbsd"', {
-          'cflags': [
-            '-mpclmul',
-            '-maes',
-            '-mavx',
-          ],
-        }],
-        # macOS build doesn't use cflags.
-        [ 'OS=="mac" or OS=="ios"', {
-          'xcode_settings': {
-            'OTHER_CFLAGS': [
-              '-mssse3',
-              '-msse4',
-              '-mpclmul',
-              '-maes',
-              '-mavx',
-            ],
-          },
-        }],
         [ 'target_arch=="arm"', {
          # Gecko doesn't support non-NEON platforms on Android, but tier-3
          # platforms such as Linux/arm will need it
           'cflags_mozilla': [
             '-mfpu=neon'
           ],
         }],
-        [ 'target_arch=="x64"', {
-          'sources': [
-            'verified/Hacl_Poly1305_128.c',
-            'verified/Hacl_Chacha20_Vec128.c',
-            'verified/Hacl_Chacha20Poly1305_128.c',
-          ],
-        }],
       ],
     },
     {
       'target_name': 'gcm-aes-x86_c_lib',
       'type': 'static_library',
       'sources': [
         'gcm-x86.c', 'aes-x86.c'
       ],
@@ -153,22 +121,20 @@
       'type': 'static_library',
       'sources': [
         'gcm-arm32-neon.c'
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports'
       ],
       'cflags': [
-        '-mfpu=neon',
-        '<@(softfp_cflags)',
+        '-mfpu=neon'
       ],
       'cflags_mozilla': [
-        '-mfpu=neon',
-        '<@(softfp_cflags)',
+        '-mfpu=neon'
       ]
     },
     {
       'target_name': 'gcm-aes-aarch64_c_lib',
       'type': 'static_library',
       'sources': [
         'gcm-aarch64.c'
       ],
@@ -208,23 +174,21 @@
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports'
       ],
       'conditions': [
         [ 'target_arch=="arm"', {
           'cflags': [
             '-march=armv8-a',
-            '-mfpu=crypto-neon-fp-armv8',
-            '<@(softfp_cflags)',
+            '-mfpu=crypto-neon-fp-armv8'
           ],
           'cflags_mozilla': [
             '-march=armv8-a',
-            '-mfpu=crypto-neon-fp-armv8',
-            '<@(softfp_cflags)',
+            '-mfpu=crypto-neon-fp-armv8'
           ],
         }, 'target_arch=="arm64" or target_arch=="aarch64"', {
           'cflags': [
             '-march=armv8-a+crypto'
           ],
           'cflags_mozilla': [
             '-march=armv8-a+crypto'
           ],
@@ -436,18 +400,16 @@
       ],
     }],
   ],
   'target_defaults': {
     'include_dirs': [
       'mpi',
       'ecl',
       'verified',
-      'verified/kremlin/include',
-      'verified/kremlin/kremlib/dist/minimal',
     ],
     'defines': [
       'SHLIB_SUFFIX=\"<(dll_suffix)\"',
       'SHLIB_PREFIX=\"<(dll_prefix)\"',
       'SHLIB_VERSION=\"3\"',
       'SOFTOKEN_SHLIB_VERSION=\"3\"',
       'RIJNDAEL_INCLUDE_TABLES',
       'MP_API_COMPATIBLE'
@@ -499,17 +461,17 @@
       }],
       [ 'have_int128_support==1', {
         'defines': [
           # The Makefile does version-tests on GCC, but we're not doing that here.
           'HAVE_INT128_SUPPORT',
         ],
       }, {
         'defines': [
-          'KRML_VERIFIED_UINT128',
+          'KRML_NOUINT128',
         ],
       }],
       [ 'OS=="linux"', {
         'defines': [
           'FREEBL_LOWHASH',
           'FREEBL_NO_DEPEND',
         ],
       }],
@@ -566,16 +528,11 @@
             'have_int128_support%': 1,
           }, {
             'have_int128_support%': 0,
           }],
         ],
       }, {
         'have_int128_support%': 0,
       }],
-      [ 'target_arch=="arm"', {
-        # When the compiler uses the softfloat ABI, we want to use the compatible softfp ABI when enabling NEON for these objects.
-        # Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
-        'softfp_cflags': '<!(${CC:-cc} -o - -E -dM - ${CFLAGS} < /dev/null | grep __SOFTFP__ > /dev/null && echo -mfloat-abi=softfp || true)',
-      }],
     ],
   }
 }
--- a/security/nss/lib/freebl/freebl_base.gypi
+++ b/security/nss/lib/freebl/freebl_base.gypi
@@ -128,37 +128,64 @@
         [ 'cc_is_clang!=1', {
           # MSVC
           'sources': [
             'intel-gcm-wrap.c',
           ],
         }],
       ],
     }],
-    ['have_int128_support==1 and \
-      (target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64")', {
+    ['target_arch=="ia32" or target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
       'sources': [
-        # All intel x64 and 64-bit ARM architectures get the 64 bit version.
+        # All Intel and 64-bit ARM architectures get the 64-bit version.
         'ecl/curve25519_64.c',
-        'verified/Hacl_Curve25519_51.c',
+        'verified/Hacl_Curve25519.c',
       ],
     }, {
       'sources': [
-        # All other architectures get the generic 32 bit implementation.
+        # All other architectures get the generic 32-bit implementation (slow!)
         'ecl/curve25519_32.c',
       ],
     }],
     [ 'disable_chachapoly==0', {
       # The ChaCha20 code is linked in through the static ssse3-crypto lib on
       # all platforms that support SSSE3. There are runtime checks in place to
       # choose the correct ChaCha implementation at runtime.
       'sources': [
         'verified/Hacl_Chacha20.c',
-        'verified/Hacl_Chacha20Poly1305_32.c',
-        'verified/Hacl_Poly1305_32.c',
+      ],
+      'conditions': [
+        [ 'OS!="win"', {
+          'conditions': [
+            [ 'target_arch=="x64"', {
+              'sources': [
+                'verified/Hacl_Poly1305_64.c',
+              ],
+            }, {
+              # !Windows & !x64
+              'conditions': [
+                [ 'target_arch=="arm64" or target_arch=="aarch64"', {
+                  'sources': [
+                    'verified/Hacl_Poly1305_64.c',
+                  ],
+                }, {
+                  # !Windows & !x64 & !arm64 & !aarch64
+                  'sources': [
+                    'verified/Hacl_Poly1305_32.c',
+                  ],
+                }],
+              ],
+            }],
+          ],
+        }, {
+          # Windows
+          'sources': [
+            'verified/Hacl_Poly1305_32.c',
+          ],
+        }],
       ],
     }],
     [ 'fuzz==1', {
       'sources!': [ 'drbg.c' ],
       'sources': [ 'det_rng.c' ],
     }],
     [ 'fuzz_tls==1', {
       'defines': [
@@ -185,13 +212,16 @@
             'MP_USE_UINT_DIGIT',
             'MP_ASSEMBLY_MULTIPLY',
             'MP_ASSEMBLY_SQUARE',
             'MP_ASSEMBLY_DIV_2DX1D',
           ],
         }],
       ],
     }],
+    [ 'have_int128_support==0', {
+        'sources': [ 'verified/FStar.c' ],
+    }],
   ],
  'ldflags': [
    '-Wl,-Bsymbolic'
  ],
 }
--- a/security/nss/lib/freebl/gcm-arm32-neon.c
+++ b/security/nss/lib/freebl/gcm-arm32-neon.c
@@ -6,17 +6,17 @@
 #include "stubs.h"
 #endif
 #include "blapii.h"
 #include "blapit.h"
 #include "gcm.h"
 #include "secerr.h"
 #include "prtypes.h"
 
-#if defined(IS_LITTLE_ENDIAN)
+#if defined(__ARM_NEON__) || defined(__ARM_NEON)
 
 #include <arm_neon.h>
 
 SECStatus
 gcm_HashWrite_hw(gcmHashContext *ghash, unsigned char *outbuf)
 {
     vst1_u8(outbuf, vrev64_u8(vcreate_u8(ghash->x_high)));
     vst1_u8(outbuf + 8, vrev64_u8(vcreate_u8(ghash->x_low)));
@@ -194,9 +194,9 @@ gcm_HashInit_hw(gcmHashContext *ghash)
 SECStatus
 gcm_HashZeroX_hw(gcmHashContext *ghash)
 {
     ghash->x_low = 0;
     ghash->x_high = 0;
     return SECSuccess;
 }
 
-#endif /* IS_LITTLE_ENDIAN */
+#endif /* __ARM_NEON__ || __ARM_NEON */
--- a/security/nss/lib/freebl/gcm.c
+++ b/security/nss/lib/freebl/gcm.c
@@ -16,18 +16,21 @@
 #include "pkcs11t.h"
 
 #include <limits.h>
 
 /* old gcc doesn't support some poly64x2_t intrinsic */
 #if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \
     (defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6)
 #define USE_ARM_GCM
-#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN)
-/* We don't test on big endian platform, so disable this on big endian. */
+#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN) && \
+    (defined(__ARM_NEON__) || defined(__ARM_NEON))
+/* We don't test on big endian platforms, so disable this on big endian.
+ * Also, we don't check whether the compiler supports NEON well, so this
+ * assumes that the compiler was invoked with -mfpu=neon. */
 #define USE_ARM_GCM
 #endif
 
 /* Forward declarations */
 SECStatus gcm_HashInit_hw(gcmHashContext *ghash);
 SECStatus gcm_HashWrite_hw(gcmHashContext *ghash, unsigned char *outbuf);
 SECStatus gcm_HashMult_hw(gcmHashContext *ghash, const unsigned char *buf,
                           unsigned int count);
--- a/security/nss/lib/freebl/rijndael.c
+++ b/security/nss/lib/freebl/rijndael.c
@@ -15,17 +15,18 @@
 #include "blapi.h"
 #include "rijndael.h"
 
 #include "cts.h"
 #include "ctr.h"
 #include "gcm.h"
 #include "mpi.h"
 
-#if !defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)
+#if (!defined(IS_LITTLE_ENDIAN) && !defined(NSS_X86_OR_X64)) || \
+    (defined(__arm__) && !defined(__ARM_NEON) && !defined(__ARM_NEON__))
 // not yet tested on big endian ARM platforms
 #undef USE_HW_AES
 #endif
 
 #ifdef USE_HW_AES
 #ifdef NSS_X86_OR_X64
 #include "intel-aes.h"
 #else
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/verified/FStar.c
@@ -0,0 +1,255 @@
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* This file was auto-generated by KreMLin! */
+
+#include "FStar.h"
+
+static uint64_t
+FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b)
+{
+    return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U;
+}
+
+static uint64_t
+FStar_UInt128_carry(uint64_t a, uint64_t b)
+{
+    return FStar_UInt128_constant_time_carry(a, b);
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
+{
+    return (
+        (FStar_UInt128_uint128){
+            .low = a.low + b.low,
+            .high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
+{
+    return (
+        (FStar_UInt128_uint128){
+            .low = a.low + b.low,
+            .high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
+{
+    return (
+        (FStar_UInt128_uint128){
+            .low = a.low - b.low,
+            .high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) });
+}
+
+static FStar_UInt128_uint128
+FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
+{
+    return (
+        (FStar_UInt128_uint128){
+            .low = a.low - b.low,
+            .high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
+{
+    return FStar_UInt128_sub_mod_impl(a, b);
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
+{
+    return ((FStar_UInt128_uint128){.low = a.low & b.low, .high = a.high & b.high });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
+{
+    return ((FStar_UInt128_uint128){.low = a.low ^ b.low, .high = a.high ^ b.high });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
+{
+    return ((FStar_UInt128_uint128){.low = a.low | b.low, .high = a.high | b.high });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_lognot(FStar_UInt128_uint128 a)
+{
+    return ((FStar_UInt128_uint128){.low = ~a.low, .high = ~a.high });
+}
+
+static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U;
+
+static uint64_t
+FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s)
+{
+    return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s));
+}
+
+static uint64_t
+FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s)
+{
+    return FStar_UInt128_add_u64_shift_left(hi, lo, s);
+}
+
+static FStar_UInt128_uint128
+FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s)
+{
+    if (s == (uint32_t)0U)
+        return a;
+    else
+        return (
+            (FStar_UInt128_uint128){
+                .low = a.low << s,
+                .high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s) });
+}
+
+static FStar_UInt128_uint128
+FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s)
+{
+    return ((FStar_UInt128_uint128){.low = (uint64_t)0U, .high = a.low << (s - FStar_UInt128_u32_64) });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s)
+{
+    if (s < FStar_UInt128_u32_64)
+        return FStar_UInt128_shift_left_small(a, s);
+    else
+        return FStar_UInt128_shift_left_large(a, s);
+}
+
+static uint64_t
+FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s)
+{
+    return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s));
+}
+
+static uint64_t
+FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s)
+{
+    return FStar_UInt128_add_u64_shift_right(hi, lo, s);
+}
+
+static FStar_UInt128_uint128
+FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s)
+{
+    if (s == (uint32_t)0U)
+        return a;
+    else
+        return (
+            (FStar_UInt128_uint128){
+                .low = FStar_UInt128_add_u64_shift_right_respec(a.high, a.low, s),
+                .high = a.high >> s });
+}
+
+static FStar_UInt128_uint128
+FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s)
+{
+    return ((FStar_UInt128_uint128){.low = a.high >> (s - FStar_UInt128_u32_64), .high = (uint64_t)0U });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s)
+{
+    if (s < FStar_UInt128_u32_64)
+        return FStar_UInt128_shift_right_small(a, s);
+    else
+        return FStar_UInt128_shift_right_large(a, s);
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
+{
+    return (
+        (FStar_UInt128_uint128){
+            .low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high),
+            .high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high) });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
+{
+    return (
+        (FStar_UInt128_uint128){
+            .low = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)),
+            .high = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)) });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_uint64_to_uint128(uint64_t a)
+{
+    return ((FStar_UInt128_uint128){.low = a, .high = (uint64_t)0U });
+}
+
+uint64_t
+FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a)
+{
+    return a.low;
+}
+
+static uint64_t FStar_UInt128_u64_l32_mask = (uint64_t)0xffffffffU;
+
+static uint64_t
+FStar_UInt128_u64_mod_32(uint64_t a)
+{
+    return a & FStar_UInt128_u64_l32_mask;
+}
+
+static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U;
+
+static K___uint64_t_uint64_t_uint64_t_uint64_t
+FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y)
+{
+    return (
+        (K___uint64_t_uint64_t_uint64_t_uint64_t){
+            .fst = FStar_UInt128_u64_mod_32(x),
+            .snd = FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)),
+            .thd = x >> FStar_UInt128_u32_32,
+            .f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32) });
+}
+
+static uint64_t
+FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo)
+{
+    return lo + (hi << FStar_UInt128_u32_32);
+}
+
+static FStar_UInt128_uint128
+FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y)
+{
+    K___uint64_t_uint64_t_uint64_t_uint64_t scrut = FStar_UInt128_mul_wide_impl_t_(x, y);
+    uint64_t u1 = scrut.fst;
+    uint64_t w3 = scrut.snd;
+    uint64_t x_ = scrut.thd;
+    uint64_t t_ = scrut.f3;
+    return (
+        (FStar_UInt128_uint128){
+            .low = FStar_UInt128_u32_combine_(u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_),
+                                              w3),
+            .high = x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) +
+                    ((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >> FStar_UInt128_u32_32) });
+}
+
+FStar_UInt128_uint128
+FStar_UInt128_mul_wide(uint64_t x, uint64_t y)
+{
+    return FStar_UInt128_mul_wide_impl(x, y);
+}
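
The branch-free FStar_UInt128_constant_time_carry above computes the carry of
a 64-bit addition without data-dependent branches: for sum = x + y (mod 2^64),
a carry occurred exactly when sum < y, and the masked expression extracts that
comparison as a 0-or-1 value via the sign bit. A small self-check, for
illustration only:

#include <assert.h>
#include <stdint.h>

int
main(void)
{
    uint64_t x = 1U, y = UINT64_MAX;
    uint64_t sum = x + y; /* wraps to 0, so the addition carried */
    uint64_t ct = (sum ^ ((sum ^ y) | ((sum - y) ^ y))) >> 63;
    assert(ct == (sum < y ? 1 : 0)); /* both report the carry: 1 */
    return 0;
}
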
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/verified/FStar.h
@@ -0,0 +1,69 @@
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* This file was auto-generated by KreMLin! */
+#ifndef __FStar_H
+#define __FStar_H
+
+#include "kremlib_base.h"
+
+typedef struct
+{
+    uint64_t low;
+    uint64_t high;
+} FStar_UInt128_uint128;
+
+typedef FStar_UInt128_uint128 FStar_UInt128_t;
+
+extern void FStar_UInt128_constant_time_carry_ok(uint64_t x0, uint64_t x1);
+
+FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+FStar_UInt128_uint128 FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+FStar_UInt128_uint128 FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+FStar_UInt128_uint128 FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+FStar_UInt128_uint128 FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+FStar_UInt128_uint128 FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a);
+
+FStar_UInt128_uint128 FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s);
+
+FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);
+
+FStar_UInt128_uint128 FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+FStar_UInt128_uint128 FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
+
+FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
+
+uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
+
+typedef struct
+{
+    uint64_t fst;
+    uint64_t snd;
+    uint64_t thd;
+    uint64_t f3;
+} K___uint64_t_uint64_t_uint64_t_uint64_t;
+
+FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
+#endif
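
When KRML_NOUINT128 is defined, callers use this struct type in place of a
native __int128. An illustrative 64x64 -> 128 multiply through the declared
API (a sketch, assuming the header is on the include path):

#include "FStar.h"

/* (2^64 - 1) * 2 = 2^65 - 2, i.e. high limb 1, low limb 0xfffffffffffffffe. */
static FStar_UInt128_uint128
demo_mul_wide(void)
{
    return FStar_UInt128_mul_wide(0xffffffffffffffffULL, 2ULL);
}
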
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20.c
@@ -1,270 +1,270 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 #include "Hacl_Chacha20.h"
 
-uint32_t
-    Hacl_Impl_Chacha20_Vec_chacha20_constants[4U] =
-        { (uint32_t)0x61707865U, (uint32_t)0x3320646eU, (uint32_t)0x79622d32U, (uint32_t)0x6b206574U };
-
-inline static void
-Hacl_Impl_Chacha20_Core32_quarter_round(
-    uint32_t *st,
-    uint32_t a,
-    uint32_t b,
-    uint32_t c,
-    uint32_t d)
+static void
+Hacl_Lib_LoadStore32_uint32s_from_le_bytes(uint32_t *output, uint8_t *input, uint32_t len)
 {
-    uint32_t sta = st[a];
-    uint32_t stb0 = st[b];
-    uint32_t std0 = st[d];
-    uint32_t sta10 = sta + stb0;
-    uint32_t std10 = std0 ^ sta10;
-    uint32_t std2 = std10 << (uint32_t)16U | std10 >> (uint32_t)16U;
-    st[a] = sta10;
-    st[d] = std2;
-    uint32_t sta0 = st[c];
-    uint32_t stb1 = st[d];
-    uint32_t std3 = st[b];
-    uint32_t sta11 = sta0 + stb1;
-    uint32_t std11 = std3 ^ sta11;
-    uint32_t std20 = std11 << (uint32_t)12U | std11 >> (uint32_t)20U;
-    st[c] = sta11;
-    st[b] = std20;
-    uint32_t sta2 = st[a];
-    uint32_t stb2 = st[b];
-    uint32_t std4 = st[d];
-    uint32_t sta12 = sta2 + stb2;
-    uint32_t std12 = std4 ^ sta12;
-    uint32_t std21 = std12 << (uint32_t)8U | std12 >> (uint32_t)24U;
-    st[a] = sta12;
-    st[d] = std21;
-    uint32_t sta3 = st[c];
-    uint32_t stb = st[d];
-    uint32_t std = st[b];
-    uint32_t sta1 = sta3 + stb;
-    uint32_t std1 = std ^ sta1;
-    uint32_t std22 = std1 << (uint32_t)7U | std1 >> (uint32_t)25U;
-    st[c] = sta1;
-    st[b] = std22;
+    for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
+        uint8_t *x0 = input + (uint32_t)4U * i;
+        uint32_t inputi = load32_le(x0);
+        output[i] = inputi;
+    }
+}
+
+static void
+Hacl_Lib_LoadStore32_uint32s_to_le_bytes(uint8_t *output, uint32_t *input, uint32_t len)
+{
+    for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
+        uint32_t hd1 = input[i];
+        uint8_t *x0 = output + (uint32_t)4U * i;
+        store32_le(x0, hd1);
+    }
+}
+
+inline static uint32_t
+Hacl_Impl_Chacha20_rotate_left(uint32_t a, uint32_t s)
+{
+    return a << s | a >> ((uint32_t)32U - s);
 }
 
 inline static void
-Hacl_Impl_Chacha20_Core32_double_round(uint32_t *st)
+Hacl_Impl_Chacha20_quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d)
 {
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)0U,
-                                            (uint32_t)4U,
-                                            (uint32_t)8U,
-                                            (uint32_t)12U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)1U,
-                                            (uint32_t)5U,
-                                            (uint32_t)9U,
-                                            (uint32_t)13U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)2U,
-                                            (uint32_t)6U,
-                                            (uint32_t)10U,
-                                            (uint32_t)14U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)3U,
-                                            (uint32_t)7U,
-                                            (uint32_t)11U,
-                                            (uint32_t)15U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)0U,
-                                            (uint32_t)5U,
-                                            (uint32_t)10U,
-                                            (uint32_t)15U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)1U,
-                                            (uint32_t)6U,
-                                            (uint32_t)11U,
-                                            (uint32_t)12U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)2U,
-                                            (uint32_t)7U,
-                                            (uint32_t)8U,
-                                            (uint32_t)13U);
-    Hacl_Impl_Chacha20_Core32_quarter_round(st,
-                                            (uint32_t)3U,
-                                            (uint32_t)4U,
-                                            (uint32_t)9U,
-                                            (uint32_t)14U);
+    uint32_t sa = st[a];
+    uint32_t sb0 = st[b];
+    st[a] = sa + sb0;
+    uint32_t sd = st[d];
+    uint32_t sa10 = st[a];
+    uint32_t sda = sd ^ sa10;
+    st[d] = Hacl_Impl_Chacha20_rotate_left(sda, (uint32_t)16U);
+    uint32_t sa0 = st[c];
+    uint32_t sb1 = st[d];
+    st[c] = sa0 + sb1;
+    uint32_t sd0 = st[b];
+    uint32_t sa11 = st[c];
+    uint32_t sda0 = sd0 ^ sa11;
+    st[b] = Hacl_Impl_Chacha20_rotate_left(sda0, (uint32_t)12U);
+    uint32_t sa2 = st[a];
+    uint32_t sb2 = st[b];
+    st[a] = sa2 + sb2;
+    uint32_t sd1 = st[d];
+    uint32_t sa12 = st[a];
+    uint32_t sda1 = sd1 ^ sa12;
+    st[d] = Hacl_Impl_Chacha20_rotate_left(sda1, (uint32_t)8U);
+    uint32_t sa3 = st[c];
+    uint32_t sb = st[d];
+    st[c] = sa3 + sb;
+    uint32_t sd2 = st[b];
+    uint32_t sa1 = st[c];
+    uint32_t sda2 = sd2 ^ sa1;
+    st[b] = Hacl_Impl_Chacha20_rotate_left(sda2, (uint32_t)7U);
+}
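Unwinding the SSA-style temporaries, this is the standard ChaCha quarter round: a += b; d ^= a; d <<<= 16; c += d; b ^= c; b <<<= 12; a += b; d ^= a; d <<<= 8; c += d; b ^= c; b <<<= 7. A quick check against the RFC 8439 section 2.1.1 test vector:

    uint32_t st[16] = { 0 };
    st[0] = 0x11111111U; /* a */
    st[1] = 0x01020304U; /* b */
    st[2] = 0x9b8d6f43U; /* c */
    st[3] = 0x01234567U; /* d */
    Hacl_Impl_Chacha20_quarter_round(st, 0U, 1U, 2U, 3U);
    /* expected: st[0] == 0xea2a92f4U, st[1] == 0xcb1cf8ceU,
                 st[2] == 0x4581472eU, st[3] == 0x5881c4bbU */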
+
+inline static void
+Hacl_Impl_Chacha20_double_round(uint32_t *st)
+{
+    Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U);
+    Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)1U, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U);
+    Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)2U, (uint32_t)6U, (uint32_t)10U, (uint32_t)14U);
+    Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U, (uint32_t)15U);
+    Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)0U, (uint32_t)5U, (uint32_t)10U, (uint32_t)15U);
+    Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)1U, (uint32_t)6U, (uint32_t)11U, (uint32_t)12U);
+    Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)2U, (uint32_t)7U, (uint32_t)8U, (uint32_t)13U);
+    Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)3U, (uint32_t)4U, (uint32_t)9U, (uint32_t)14U);
 }
 
 inline static void
 Hacl_Impl_Chacha20_rounds(uint32_t *st)
 {
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
-    Hacl_Impl_Chacha20_Core32_double_round(st);
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
+        Hacl_Impl_Chacha20_double_round(st);
 }
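Reading the 16 state words as a 4x4 grid,

     0  1  2  3
     4  5  6  7
     8  9 10 11
    12 13 14 15

the first four quarter rounds in double_round hit the columns (0,4,8,12) through (3,7,11,15) and the last four hit the diagonals (0,5,10,15), (1,6,11,12), (2,7,8,13), (3,4,9,14). Ten double rounds make the twenty rounds that give ChaCha20 its name.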
 
 inline static void
-Hacl_Impl_Chacha20_chacha20_core(uint32_t *k, uint32_t *ctx, uint32_t ctr)
-{
-    memcpy(k, ctx, (uint32_t)16U * sizeof ctx[0U]);
-    uint32_t ctr_u32 = ctr;
-    k[12U] = k[12U] + ctr_u32;
-    Hacl_Impl_Chacha20_rounds(k);
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-        uint32_t *os = k;
-        uint32_t x = k[i] + ctx[i];
-        os[i] = x;
-    }
-    k[12U] = k[12U] + ctr_u32;
-}
-
-static uint32_t
-    Hacl_Impl_Chacha20_chacha20_constants[4U] =
-        { (uint32_t)0x61707865U, (uint32_t)0x3320646eU, (uint32_t)0x79622d32U, (uint32_t)0x6b206574U };
-
-inline static void
-Hacl_Impl_Chacha20_chacha20_init(uint32_t *ctx, uint8_t *k, uint8_t *n1, uint32_t ctr)
+Hacl_Impl_Chacha20_sum_states(uint32_t *st, uint32_t *st_)
 {
-    uint32_t *uu____0 = ctx;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
-        uint32_t *os = uu____0;
-        uint32_t x = Hacl_Impl_Chacha20_chacha20_constants[i];
-        os[i] = x;
-    }
-    uint32_t *uu____1 = ctx + (uint32_t)4U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U) {
-        uint32_t *os = uu____1;
-        uint8_t *bj = k + i * (uint32_t)4U;
-        uint32_t u = load32_le(bj);
-        uint32_t r = u;
-        uint32_t x = r;
-        os[i] = x;
-    }
-    ctx[12U] = ctr;
-    uint32_t *uu____2 = ctx + (uint32_t)13U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U) {
-        uint32_t *os = uu____2;
-        uint8_t *bj = n1 + i * (uint32_t)4U;
-        uint32_t u = load32_le(bj);
-        uint32_t r = u;
-        uint32_t x = r;
-        os[i] = x;
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
+        uint32_t xi = st[i];
+        uint32_t yi = st_[i];
+        st[i] = xi + yi;
     }
 }
 
 inline static void
-Hacl_Impl_Chacha20_chacha20_encrypt_block(
-    uint32_t *ctx,
-    uint8_t *out,
-    uint32_t incr1,
-    uint8_t *text)
+Hacl_Impl_Chacha20_copy_state(uint32_t *st, uint32_t *st_)
 {
-    uint32_t k[16U] = { 0U };
-    Hacl_Impl_Chacha20_chacha20_core(k, ctx, incr1);
-    uint32_t bl[16U] = { 0U };
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-        uint32_t *os = bl;
-        uint8_t *bj = text + i * (uint32_t)4U;
-        uint32_t u = load32_le(bj);
-        uint32_t r = u;
-        uint32_t x = r;
-        os[i] = x;
-    }
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-        uint32_t *os = bl;
-        uint32_t x = bl[i] ^ k[i];
-        os[i] = x;
-    }
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-        store32_le(out + i * (uint32_t)4U, bl[i]);
-    }
+    memcpy(st, st_, (uint32_t)16U * sizeof st_[0U]);
 }
 
 inline static void
-Hacl_Impl_Chacha20_chacha20_encrypt_last(
-    uint32_t *ctx,
-    uint32_t len,
-    uint8_t *out,
-    uint32_t incr1,
-    uint8_t *text)
+Hacl_Impl_Chacha20_chacha20_core(uint32_t *k, uint32_t *st, uint32_t ctr)
 {
-    uint8_t plain[64U] = { 0U };
-    memcpy(plain, text, len * sizeof text[0U]);
-    Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx, plain, incr1, plain);
-    memcpy(out, plain, len * sizeof plain[0U]);
+    st[12U] = ctr;
+    Hacl_Impl_Chacha20_copy_state(k, st);
+    Hacl_Impl_Chacha20_rounds(k);
+    Hacl_Impl_Chacha20_sum_states(k, st);
+}
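chacha20_core is the block function: write the counter into word 12, copy the state into k, run the twenty rounds, then add the pre-round state back word-by-word. As an equation, with per-word addition mod 2^32:

    k = rounds(st) + st

The final addition is the feed-forward that keeps a keystream block from being inverted; the rounds alone are a public permutation anyone could run backwards. Note that st itself is updated with the counter here, so the caller's state carries the counter of the last block processed.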
+
+inline static void
+Hacl_Impl_Chacha20_chacha20_block(uint8_t *stream_block, uint32_t *st, uint32_t ctr)
+{
+    uint32_t st_[16U] = { 0U };
+    Hacl_Impl_Chacha20_chacha20_core(st_, st, ctr);
+    Hacl_Lib_LoadStore32_uint32s_to_le_bytes(stream_block, st_, (uint32_t)16U);
 }
 
 inline static void
-Hacl_Impl_Chacha20_chacha20_update(uint32_t *ctx, uint32_t len, uint8_t *out, uint8_t *text)
+Hacl_Impl_Chacha20_init(uint32_t *st, uint8_t *k, uint8_t *n1)
+{
+    uint32_t *stcst = st;
+    uint32_t *stk = st + (uint32_t)4U;
+    uint32_t *stc = st + (uint32_t)12U;
+    uint32_t *stn = st + (uint32_t)13U;
+    stcst[0U] = (uint32_t)0x61707865U;
+    stcst[1U] = (uint32_t)0x3320646eU;
+    stcst[2U] = (uint32_t)0x79622d32U;
+    stcst[3U] = (uint32_t)0x6b206574U;
+    Hacl_Lib_LoadStore32_uint32s_from_le_bytes(stk, k, (uint32_t)8U);
+    stc[0U] = (uint32_t)0U;
+    Hacl_Lib_LoadStore32_uint32s_from_le_bytes(stn, n1, (uint32_t)3U);
+}
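init lays the state out exactly as RFC 8439 prescribes:

    words  0..3   constants 0x61707865 0x3320646e 0x79622d32 0x6b206574
    words  4..11  256-bit key, as eight little-endian words
    word   12     block counter (zeroed here, set per block in chacha20_core)
    words 13..15  96-bit nonce, as three little-endian words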
+
+static void
+Hacl_Impl_Chacha20_update(uint8_t *output, uint8_t *plain, uint32_t *st, uint32_t ctr)
+{
+    uint32_t b[48U] = { 0U };
+    uint32_t *k = b;
+    uint32_t *ib = b + (uint32_t)16U;
+    uint32_t *ob = b + (uint32_t)32U;
+    Hacl_Impl_Chacha20_chacha20_core(k, st, ctr);
+    Hacl_Lib_LoadStore32_uint32s_from_le_bytes(ib, plain, (uint32_t)16U);
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
+        uint32_t xi = ib[i];
+        uint32_t yi = k[i];
+        ob[i] = xi ^ yi;
+    }
+    Hacl_Lib_LoadStore32_uint32s_to_le_bytes(output, ob, (uint32_t)16U);
+}
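update encrypts exactly one 64-byte block: the 48-word scratch buffer is carved into keystream k, input block ib and output block ob, the keystream for counter ctr is XORed in word-by-word, and the result is serialized. Because XOR is its own inverse, running the same routine over ciphertext with the same key, nonce and counter decrypts it:

    (p ^ keystream) ^ keystream == p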
+
+static void
+Hacl_Impl_Chacha20_update_last(
+    uint8_t *output,
+    uint8_t *plain,
+    uint32_t len,
+    uint32_t *st,
+    uint32_t ctr)
 {
-    uint32_t rem1 = len % (uint32_t)64U;
-    uint32_t nb = len / (uint32_t)64U;
-    uint32_t rem2 = len % (uint32_t)64U;
-    for (uint32_t i = (uint32_t)0U; i < nb; i = i + (uint32_t)1U) {
-        Hacl_Impl_Chacha20_chacha20_encrypt_block(ctx,
-                                                  out + i * (uint32_t)64U,
-                                                  i,
-                                                  text + i * (uint32_t)64U);
+    uint8_t block[64U] = { 0U };
+    Hacl_Impl_Chacha20_chacha20_block(block, st, ctr);
+    uint8_t *mask = block;
+    for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
+        uint8_t xi = plain[i];
+        uint8_t yi = mask[i];
+        output[i] = xi ^ yi;
+    }
+}
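update_last handles the trailing partial block: it generates a full 64-byte keystream block and XORs only the first len bytes into the output, so the plaintext needs no padding and exactly len ciphertext bytes are produced; for len = 36, mask bytes 0..35 are used and 36..63 are discarded with the rest of the stack buffer.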
+
+static void
+Hacl_Impl_Chacha20_chacha20_counter_mode_blocks(
+    uint8_t *output,
+    uint8_t *plain,
+    uint32_t num_blocks,
+    uint32_t *st,
+    uint32_t ctr)
+{
+    for (uint32_t i = (uint32_t)0U; i < num_blocks; i = i + (uint32_t)1U) {
+        uint8_t *b = plain + (uint32_t)64U * i;
+        uint8_t *o = output + (uint32_t)64U * i;
+        Hacl_Impl_Chacha20_update(o, b, st, ctr + i);
     }
-    if (rem2 > (uint32_t)0U) {
-        Hacl_Impl_Chacha20_chacha20_encrypt_last(ctx,
-                                                 rem1,
-                                                 out + nb * (uint32_t)64U,
-                                                 nb,
-                                                 text + nb * (uint32_t)64U);
-    }
+}
+
+static void
+Hacl_Impl_Chacha20_chacha20_counter_mode(
+    uint8_t *output,
+    uint8_t *plain,
+    uint32_t len,
+    uint32_t *st,
+    uint32_t ctr)
+{
+    uint32_t blocks_len = len >> (uint32_t)6U;
+    uint32_t part_len = len & (uint32_t)0x3fU;
+    uint8_t *output_ = output;
+    uint8_t *plain_ = plain;
+    uint8_t *output__ = output + (uint32_t)64U * blocks_len;
+    uint8_t *plain__ = plain + (uint32_t)64U * blocks_len;
+    Hacl_Impl_Chacha20_chacha20_counter_mode_blocks(output_, plain_, blocks_len, st, ctr);
+    if (part_len > (uint32_t)0U)
+        Hacl_Impl_Chacha20_update_last(output__, plain__, part_len, st, ctr + blocks_len);
+}
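The length split is shift-and-mask arithmetic: blocks_len = len >> 6 is len / 64 and part_len = len & 0x3f is len mod 64. For example, len = 100 gives blocks_len = 1 and part_len = 36, so bytes 0..63 go through update with counter ctr and bytes 64..99 go through update_last with counter ctr + 1.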
+
+static void
+Hacl_Impl_Chacha20_chacha20(
+    uint8_t *output,
+    uint8_t *plain,
+    uint32_t len,
+    uint8_t *k,
+    uint8_t *n1,
+    uint32_t ctr)
+{
+    uint32_t buf[16U] = { 0U };
+    uint32_t *st = buf;
+    Hacl_Impl_Chacha20_init(st, k, n1);
+    Hacl_Impl_Chacha20_chacha20_counter_mode(output, plain, len, st, ctr);
 }
 
 void
-Hacl_Chacha20_chacha20_encrypt(
+Hacl_Chacha20_chacha20_key_block(uint8_t *block, uint8_t *k, uint8_t *n1, uint32_t ctr)
+{
+    uint32_t buf[16U] = { 0U };
+    uint32_t *st = buf;
+    Hacl_Impl_Chacha20_init(st, k, n1);
+    Hacl_Impl_Chacha20_chacha20_block(block, st, ctr);
+}
+
+/*
+  This function implements Chacha20
+
+  val chacha20 :
+  output:uint8_p ->
+  plain:uint8_p{ disjoint output plain } ->
+  len:uint32_t{ v len = length output /\ v len = length plain } ->
+  key:uint8_p{ length key = 32 } ->
+  nonce:uint8_p{ length nonce = 12 } ->
+  ctr:uint32_t{ v ctr + length plain / 64 < pow2 32 } ->
+  Stack unit
+    (requires
+      fun h -> live h output /\ live h plain /\ live h nonce /\ live h key)
+    (ensures
+      fun h0 _ h1 ->
+        live h1 output /\ live h0 plain /\ modifies_1 output h0 h1 /\
+        live h0 nonce /\
+        live h0 key /\
+        h1.[ output ] ==
+        chacha20_encrypt_bytes h0.[ key ] h0.[ nonce ] (v ctr) h0.[ plain ])
+*/
+void
+Hacl_Chacha20_chacha20(
+    uint8_t *output,
+    uint8_t *plain,
     uint32_t len,
-    uint8_t *out,
-    uint8_t *text,
-    uint8_t *key,
+    uint8_t *k,
     uint8_t *n1,
     uint32_t ctr)
 {
-    uint32_t ctx[16U] = { 0U };
-    Hacl_Impl_Chacha20_chacha20_init(ctx, key, n1, ctr);
-    Hacl_Impl_Chacha20_chacha20_update(ctx, len, out, text);
+    Hacl_Impl_Chacha20_chacha20(output, plain, len, k, n1, ctr);
 }
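The val comment above is the function's Low* contract: disjoint output plain forbids aliasing, the live/modifies_1 clauses say only output is written, and the refinement on ctr rules out overflowing the 32-bit block counter across the message. A minimal caller sketch against this API (buffer contents are illustrative placeholders, not test vectors):

    #include <string.h>
    #include "Hacl_Chacha20.h"

    int demo(void) {
        uint8_t key[32] = { 0 };   /* 256-bit key */
        uint8_t nonce[12] = { 0 }; /* 96-bit nonce; never reuse under one key */
        uint8_t plain[64] = "attack at dawn";
        uint8_t cipher[64];
        uint8_t back[64];
        /* output and plain must not overlap (disjoint in the spec). */
        Hacl_Chacha20_chacha20(cipher, plain, 64U, key, nonce, 0U);
        /* the same call with the roles swapped decrypts */
        Hacl_Chacha20_chacha20(back, cipher, 64U, key, nonce, 0U);
        return memcmp(back, plain, 64); /* 0 on success */
    }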
-
-void
-Hacl_Chacha20_chacha20_decrypt(
-    uint32_t len,
-    uint8_t *out,
-    uint8_t *cipher,
-    uint8_t *key,
-    uint8_t *n1,
-    uint32_t ctr)
-{
-    uint32_t ctx[16U] = { 0U };
-    Hacl_Impl_Chacha20_chacha20_init(ctx, key, n1, ctr);
-    Hacl_Impl_Chacha20_chacha20_update(ctx, len, out, cipher);
-}
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20.h
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20.h
@@ -1,55 +1,81 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
-#include "kremlin/internal/types.h"
-#include "kremlin/lowstar_endianness.h"
-#include <string.h>
-#include <stdbool.h>
-
+#include "kremlib.h"
 #ifndef __Hacl_Chacha20_H
 #define __Hacl_Chacha20_H
 
-#include "Hacl_Kremlib.h"
+typedef uint32_t Hacl_Impl_Xor_Lemmas_u32;
+
+typedef uint8_t Hacl_Impl_Xor_Lemmas_u8;
+
+typedef uint8_t *Hacl_Lib_LoadStore32_uint8_p;
+
+typedef uint32_t Hacl_Impl_Chacha20_u32;
+
+typedef uint32_t Hacl_Impl_Chacha20_h32;
+
+typedef uint8_t *Hacl_Impl_Chacha20_uint8_p;
+
+typedef uint32_t *Hacl_Impl_Chacha20_state;
+
+typedef uint32_t Hacl_Impl_Chacha20_idx;
+
+typedef struct
+{
+    void *k;
+    void *n;
+} Hacl_Impl_Chacha20_log_t_;
+
+typedef void *Hacl_Impl_Chacha20_log_t;
+
+typedef uint32_t Hacl_Lib_Create_h32;
 
-extern uint32_t Hacl_Impl_Chacha20_Vec_chacha20_constants[4U];
+typedef uint8_t *Hacl_Chacha20_uint8_p;
+
+typedef uint32_t Hacl_Chacha20_uint32_t;
+
+void Hacl_Chacha20_chacha20_key_block(uint8_t *block, uint8_t *k, uint8_t *n1, uint32_t ctr);
+
+/*
+  This function implements Chacha20
 
+  val chacha20 :
+  output:uint8_p ->
+  plain:uint8_p{ disjoint output plain } ->
+  len:uint32_t{ v len = length output /\ v len = length plain } ->
+  key:uint8_p{ length key = 32 } ->
+  nonce:uint8_p{ length nonce = 12 } ->
+  ctr:uint32_t{ v ctr + length plain / 64 < pow2 32 } ->
+  Stack unit
+    (requires
+      fun h -> live h output /\ live h plain /\ live h nonce /\ live h key)
+    (ensures
+      fun h0 _ h1 ->
+        live h1 output /\ live h0 plain /\ modifies_1 output h0 h1 /\
+        live h0 nonce /\
+        live h0 key /\
+        h1.[ output ] ==
+        chacha20_encrypt_bytes h0.[ key ] h0.[ nonce ] (v ctr) h0.[ plain ])
+*/
 void
-Hacl_Chacha20_chacha20_encrypt(
+Hacl_Chacha20_chacha20(
+    uint8_t *output,
+    uint8_t *plain,
     uint32_t len,
-    uint8_t *out,
-    uint8_t *text,
-    uint8_t *key,
+    uint8_t *k,
     uint8_t *n1,
     uint32_t ctr);
-
-void
-Hacl_Chacha20_chacha20_decrypt(
-    uint32_t len,
-    uint8_t *out,
-    uint8_t *cipher,
-    uint8_t *key,
-    uint8_t *n1,
-    uint32_t ctr);
-
-#define __Hacl_Chacha20_H_DEFINED
 #endif
deleted file mode 100644
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_128.c
+++ /dev/null
@@ -1,1247 +0,0 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "Hacl_Chacha20Poly1305_128.h"
-
-inline static void
-Hacl_Chacha20Poly1305_128_poly1305_padded_128(
-    Lib_IntVector_Intrinsics_vec128 *ctx,
-    uint32_t len,
-    uint8_t *text)
-{
-    uint32_t n1 = len / (uint32_t)16U;
-    uint32_t r = len % (uint32_t)16U;
-    uint8_t *blocks = text;
-    uint8_t *rem1 = text + n1 * (uint32_t)16U;
-    Lib_IntVector_Intrinsics_vec128 *pre0 = ctx + (uint32_t)5U;
-    Lib_IntVector_Intrinsics_vec128 *acc0 = ctx;
-    uint32_t sz_block = (uint32_t)32U;
-    uint32_t len0 = n1 * (uint32_t)16U / sz_block * sz_block;
-    uint8_t *t00 = blocks;
-    if (len0 > (uint32_t)0U) {
-        uint32_t bs = (uint32_t)32U;
-        uint8_t *text0 = t00;
-        Hacl_Impl_Poly1305_Field32xN_128_load_acc2(acc0, text0);
-        uint32_t len1 = len0 - bs;
-        uint8_t *text1 = t00 + bs;
-        uint32_t nb = len1 / bs;
-        for (uint32_t i = (uint32_t)0U; i < nb; i = i + (uint32_t)1U) {
-            uint8_t *block = text1 + i * bs;
-            Lib_IntVector_Intrinsics_vec128 e[5U];
-            for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
-                e[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-            Lib_IntVector_Intrinsics_vec128 b1 = Lib_IntVector_Intrinsics_vec128_load_le(block);
-            Lib_IntVector_Intrinsics_vec128
-                b2 = Lib_IntVector_Intrinsics_vec128_load_le(block + (uint32_t)16U);
-            Lib_IntVector_Intrinsics_vec128 lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b1, b2);
-            Lib_IntVector_Intrinsics_vec128
-                hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b1, b2);
-            Lib_IntVector_Intrinsics_vec128
-                f00 =
-                    Lib_IntVector_Intrinsics_vec128_and(lo,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                f15 =
-                    Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo,
-                                                                                                      (uint32_t)26U),
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                f25 =
-                    Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo,
-                                                                                                     (uint32_t)52U),
-                                                       Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi,
-                                                                                                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)),
-                                                                                                    (uint32_t)12U));
-            Lib_IntVector_Intrinsics_vec128
-                f30 =
-                    Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi,
-                                                                                                      (uint32_t)14U),
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U);
-            Lib_IntVector_Intrinsics_vec128 f0 = f00;
-            Lib_IntVector_Intrinsics_vec128 f1 = f15;
-            Lib_IntVector_Intrinsics_vec128 f2 = f25;
-            Lib_IntVector_Intrinsics_vec128 f3 = f30;
-            Lib_IntVector_Intrinsics_vec128 f41 = f40;
-            e[0U] = f0;
-            e[1U] = f1;
-            e[2U] = f2;
-            e[3U] = f3;
-            e[4U] = f41;
-            uint64_t b = (uint64_t)0x1000000U;
-            Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b);
-            Lib_IntVector_Intrinsics_vec128 f4 = e[4U];
-            e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask);
-            Lib_IntVector_Intrinsics_vec128 *rn = pre0 + (uint32_t)10U;
-            Lib_IntVector_Intrinsics_vec128 *rn5 = pre0 + (uint32_t)15U;
-            Lib_IntVector_Intrinsics_vec128 r0 = rn[0U];
-            Lib_IntVector_Intrinsics_vec128 r1 = rn[1U];
-            Lib_IntVector_Intrinsics_vec128 r2 = rn[2U];
-            Lib_IntVector_Intrinsics_vec128 r3 = rn[3U];
-            Lib_IntVector_Intrinsics_vec128 r4 = rn[4U];
-            Lib_IntVector_Intrinsics_vec128 r51 = rn5[1U];
-            Lib_IntVector_Intrinsics_vec128 r52 = rn5[2U];
-            Lib_IntVector_Intrinsics_vec128 r53 = rn5[3U];
-            Lib_IntVector_Intrinsics_vec128 r54 = rn5[4U];
-            Lib_IntVector_Intrinsics_vec128 f10 = acc0[0U];
-            Lib_IntVector_Intrinsics_vec128 f110 = acc0[1U];
-            Lib_IntVector_Intrinsics_vec128 f120 = acc0[2U];
-            Lib_IntVector_Intrinsics_vec128 f130 = acc0[3U];
-            Lib_IntVector_Intrinsics_vec128 f140 = acc0[4U];
-            Lib_IntVector_Intrinsics_vec128 a0 = Lib_IntVector_Intrinsics_vec128_mul64(r0, f10);
-            Lib_IntVector_Intrinsics_vec128 a1 = Lib_IntVector_Intrinsics_vec128_mul64(r1, f10);
-            Lib_IntVector_Intrinsics_vec128 a2 = Lib_IntVector_Intrinsics_vec128_mul64(r2, f10);
-            Lib_IntVector_Intrinsics_vec128 a3 = Lib_IntVector_Intrinsics_vec128_mul64(r3, f10);
-            Lib_IntVector_Intrinsics_vec128 a4 = Lib_IntVector_Intrinsics_vec128_mul64(r4, f10);
-            Lib_IntVector_Intrinsics_vec128
-                a01 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a0,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r54, f110));
-            Lib_IntVector_Intrinsics_vec128
-                a11 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a1,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r0, f110));
-            Lib_IntVector_Intrinsics_vec128
-                a21 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a2,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r1, f110));
-            Lib_IntVector_Intrinsics_vec128
-                a31 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a3,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r2, f110));
-            Lib_IntVector_Intrinsics_vec128
-                a41 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a4,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r3, f110));
-            Lib_IntVector_Intrinsics_vec128
-                a02 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a01,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r53, f120));
-            Lib_IntVector_Intrinsics_vec128
-                a12 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a11,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r54, f120));
-            Lib_IntVector_Intrinsics_vec128
-                a22 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a21,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r0, f120));
-            Lib_IntVector_Intrinsics_vec128
-                a32 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a31,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r1, f120));
-            Lib_IntVector_Intrinsics_vec128
-                a42 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a41,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r2, f120));
-            Lib_IntVector_Intrinsics_vec128
-                a03 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a02,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r52, f130));
-            Lib_IntVector_Intrinsics_vec128
-                a13 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a12,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r53, f130));
-            Lib_IntVector_Intrinsics_vec128
-                a23 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a22,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r54, f130));
-            Lib_IntVector_Intrinsics_vec128
-                a33 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a32,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r0, f130));
-            Lib_IntVector_Intrinsics_vec128
-                a43 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a42,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r1, f130));
-            Lib_IntVector_Intrinsics_vec128
-                a04 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a03,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r51, f140));
-            Lib_IntVector_Intrinsics_vec128
-                a14 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a13,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r52, f140));
-            Lib_IntVector_Intrinsics_vec128
-                a24 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a23,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r53, f140));
-            Lib_IntVector_Intrinsics_vec128
-                a34 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a33,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r54, f140));
-            Lib_IntVector_Intrinsics_vec128
-                a44 =
-                    Lib_IntVector_Intrinsics_vec128_add64(a43,
-                                                          Lib_IntVector_Intrinsics_vec128_mul64(r0, f140));
-            Lib_IntVector_Intrinsics_vec128 t01 = a04;
-            Lib_IntVector_Intrinsics_vec128 t1 = a14;
-            Lib_IntVector_Intrinsics_vec128 t2 = a24;
-            Lib_IntVector_Intrinsics_vec128 t3 = a34;
-            Lib_IntVector_Intrinsics_vec128 t4 = a44;
-            Lib_IntVector_Intrinsics_vec128
-                l = Lib_IntVector_Intrinsics_vec128_add64(t01, Lib_IntVector_Intrinsics_vec128_zero);
-            Lib_IntVector_Intrinsics_vec128
-                tmp0 =
-                    Lib_IntVector_Intrinsics_vec128_and(l,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                c01 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(t1, c01);
-            Lib_IntVector_Intrinsics_vec128
-                tmp1 =
-                    Lib_IntVector_Intrinsics_vec128_and(l0,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                c11 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(t2, c11);
-            Lib_IntVector_Intrinsics_vec128
-                tmp2 =
-                    Lib_IntVector_Intrinsics_vec128_and(l1,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                c21 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(t3, c21);
-            Lib_IntVector_Intrinsics_vec128
-                tmp3 =
-                    Lib_IntVector_Intrinsics_vec128_and(l2,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                c31 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(t4, c31);
-            Lib_IntVector_Intrinsics_vec128
-                tmp4 =
-                    Lib_IntVector_Intrinsics_vec128_and(l3,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128
-                l4 =
-                    Lib_IntVector_Intrinsics_vec128_add64(tmp0,
-                                                          Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U));
-            Lib_IntVector_Intrinsics_vec128
-                tmp01 =
-                    Lib_IntVector_Intrinsics_vec128_and(l4,
-                                                        Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-            Lib_IntVector_Intrinsics_vec128
-                c5 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U);
-            Lib_IntVector_Intrinsics_vec128 tmp11 = Lib_IntVector_Intrinsics_vec128_add64(tmp1, c5);
-            Lib_IntVector_Intrinsics_vec128 o00 = tmp01;
-            Lib_IntVector_Intrinsics_vec128 o10 = tmp11;
-            Lib_IntVector_Intrinsics_vec128 o20 = tmp2;
-            Lib_IntVector_Intrinsics_vec128 o30 = tmp3;
-            Lib_IntVector_Intrinsics_vec128 o40 = tmp4;
-            acc0[0U] = o00;
-            acc0[1U] = o10;
-            acc0[2U] = o20;
-            acc0[3U] = o30;
-            acc0[4U] = o40;
-            Lib_IntVector_Intrinsics_vec128 f100 = acc0[0U];
-            Lib_IntVector_Intrinsics_vec128 f11 = acc0[1U];
-            Lib_IntVector_Intrinsics_vec128 f12 = acc0[2U];
-            Lib_IntVector_Intrinsics_vec128 f13 = acc0[3U];
-            Lib_IntVector_Intrinsics_vec128 f14 = acc0[4U];
-            Lib_IntVector_Intrinsics_vec128 f20 = e[0U];
-            Lib_IntVector_Intrinsics_vec128 f21 = e[1U];
-            Lib_IntVector_Intrinsics_vec128 f22 = e[2U];
-            Lib_IntVector_Intrinsics_vec128 f23 = e[3U];
-            Lib_IntVector_Intrinsics_vec128 f24 = e[4U];
-            Lib_IntVector_Intrinsics_vec128 o0 = Lib_IntVector_Intrinsics_vec128_add64(f100, f20);
-            Lib_IntVector_Intrinsics_vec128 o1 = Lib_IntVector_Intrinsics_vec128_add64(f11, f21);
-            Lib_IntVector_Intrinsics_vec128 o2 = Lib_IntVector_Intrinsics_vec128_add64(f12, f22);
-            Lib_IntVector_Intrinsics_vec128 o3 = Lib_IntVector_Intrinsics_vec128_add64(f13, f23);
-            Lib_IntVector_Intrinsics_vec128 o4 = Lib_IntVector_Intrinsics_vec128_add64(f14, f24);
-            acc0[0U] = o0;
-            acc0[1U] = o1;
-            acc0[2U] = o2;
-            acc0[3U] = o3;
-            acc0[4U] = o4;
-        }
-        Hacl_Impl_Poly1305_Field32xN_128_fmul_r2_normalize(acc0, pre0);
-    }
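The limb juggling above is Poly1305 field arithmetic in radix 2^26: each 130-bit value is held as five limbs below 2^26 (hence the recurring 0x3ffffff masks), limb products fit comfortably in 64-bit vector lanes, and the carry out of limb 4 folds back into limb 0 multiplied by 5, because 2^130 = 5 (mod 2^130 - 5). A scalar sketch of the carry/reduce chain that the vec128 code performs per lane (illustrative, not the verified code):

    /* Propagate carries through five 26-bit limbs, reduce mod 2^130 - 5. */
    static void carry_reduce(uint64_t t[5]) {
        const uint64_t mask26 = 0x3ffffffU;
        uint64_t c = 0;
        for (int i = 0; i < 5; i++) {
            t[i] += c;
            c = t[i] >> 26U;
            t[i] &= mask26;
        }
        t[0] += c * 5U;      /* 2^130 == 5 mod p */
        t[1] += t[0] >> 26U; /* one last small carry, as tmp11 above */
        t[0] &= mask26;
    }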
-    uint32_t len1 = n1 * (uint32_t)16U - len0;
-    uint8_t *t10 = blocks + len0;
-    uint32_t nb = len1 / (uint32_t)16U;
-    uint32_t rem2 = len1 % (uint32_t)16U;
-    for (uint32_t i = (uint32_t)0U; i < nb; i = i + (uint32_t)1U) {
-        uint8_t *block = t10 + i * (uint32_t)16U;
-        Lib_IntVector_Intrinsics_vec128 e[5U];
-        for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
-            e[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        uint64_t u0 = load64_le(block);
-        uint64_t lo = u0;
-        uint64_t u = load64_le(block + (uint32_t)8U);
-        uint64_t hi = u;
-        Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo);
-        Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi);
-        Lib_IntVector_Intrinsics_vec128
-            f010 =
-                Lib_IntVector_Intrinsics_vec128_and(f0,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            f110 =
-                Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0,
-                                                                                                  (uint32_t)26U),
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            f20 =
-                Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0,
-                                                                                                 (uint32_t)52U),
-                                                   Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1,
-                                                                                                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)),
-                                                                                                (uint32_t)12U));
-        Lib_IntVector_Intrinsics_vec128
-            f30 =
-                Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1,
-                                                                                                  (uint32_t)14U),
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U);
-        Lib_IntVector_Intrinsics_vec128 f01 = f010;
-        Lib_IntVector_Intrinsics_vec128 f111 = f110;
-        Lib_IntVector_Intrinsics_vec128 f2 = f20;
-        Lib_IntVector_Intrinsics_vec128 f3 = f30;
-        Lib_IntVector_Intrinsics_vec128 f41 = f40;
-        e[0U] = f01;
-        e[1U] = f111;
-        e[2U] = f2;
-        e[3U] = f3;
-        e[4U] = f41;
-        uint64_t b = (uint64_t)0x1000000U;
-        Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b);
-        Lib_IntVector_Intrinsics_vec128 f4 = e[4U];
-        e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask);
-        Lib_IntVector_Intrinsics_vec128 *r1 = pre0;
-        Lib_IntVector_Intrinsics_vec128 *r5 = pre0 + (uint32_t)5U;
-        Lib_IntVector_Intrinsics_vec128 r0 = r1[0U];
-        Lib_IntVector_Intrinsics_vec128 r11 = r1[1U];
-        Lib_IntVector_Intrinsics_vec128 r2 = r1[2U];
-        Lib_IntVector_Intrinsics_vec128 r3 = r1[3U];
-        Lib_IntVector_Intrinsics_vec128 r4 = r1[4U];
-        Lib_IntVector_Intrinsics_vec128 r51 = r5[1U];
-        Lib_IntVector_Intrinsics_vec128 r52 = r5[2U];
-        Lib_IntVector_Intrinsics_vec128 r53 = r5[3U];
-        Lib_IntVector_Intrinsics_vec128 r54 = r5[4U];
-        Lib_IntVector_Intrinsics_vec128 f10 = e[0U];
-        Lib_IntVector_Intrinsics_vec128 f11 = e[1U];
-        Lib_IntVector_Intrinsics_vec128 f12 = e[2U];
-        Lib_IntVector_Intrinsics_vec128 f13 = e[3U];
-        Lib_IntVector_Intrinsics_vec128 f14 = e[4U];
-        Lib_IntVector_Intrinsics_vec128 a0 = acc0[0U];
-        Lib_IntVector_Intrinsics_vec128 a1 = acc0[1U];
-        Lib_IntVector_Intrinsics_vec128 a2 = acc0[2U];
-        Lib_IntVector_Intrinsics_vec128 a3 = acc0[3U];
-        Lib_IntVector_Intrinsics_vec128 a4 = acc0[4U];
-        Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10);
-        Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11);
-        Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12);
-        Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13);
-        Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14);
-        Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01);
-        Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01);
-        Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01);
-        Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01);
-        Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01);
-        Lib_IntVector_Intrinsics_vec128
-            a03 =
-                Lib_IntVector_Intrinsics_vec128_add64(a02,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a13 =
-                Lib_IntVector_Intrinsics_vec128_add64(a12,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a23 =
-                Lib_IntVector_Intrinsics_vec128_add64(a22,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r11, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a33 =
-                Lib_IntVector_Intrinsics_vec128_add64(a32,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r2, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a43 =
-                Lib_IntVector_Intrinsics_vec128_add64(a42,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r3, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a04 =
-                Lib_IntVector_Intrinsics_vec128_add64(a03,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r53, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a14 =
-                Lib_IntVector_Intrinsics_vec128_add64(a13,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a24 =
-                Lib_IntVector_Intrinsics_vec128_add64(a23,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a34 =
-                Lib_IntVector_Intrinsics_vec128_add64(a33,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r11, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a44 =
-                Lib_IntVector_Intrinsics_vec128_add64(a43,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r2, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a05 =
-                Lib_IntVector_Intrinsics_vec128_add64(a04,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r52, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a15 =
-                Lib_IntVector_Intrinsics_vec128_add64(a14,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r53, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a25 =
-                Lib_IntVector_Intrinsics_vec128_add64(a24,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a35 =
-                Lib_IntVector_Intrinsics_vec128_add64(a34,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a45 =
-                Lib_IntVector_Intrinsics_vec128_add64(a44,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r11, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a06 =
-                Lib_IntVector_Intrinsics_vec128_add64(a05,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r51, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a16 =
-                Lib_IntVector_Intrinsics_vec128_add64(a15,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r52, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a26 =
-                Lib_IntVector_Intrinsics_vec128_add64(a25,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r53, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a36 =
-                Lib_IntVector_Intrinsics_vec128_add64(a35,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a46 =
-                Lib_IntVector_Intrinsics_vec128_add64(a45,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a41));
-        Lib_IntVector_Intrinsics_vec128 t01 = a06;
-        Lib_IntVector_Intrinsics_vec128 t11 = a16;
-        Lib_IntVector_Intrinsics_vec128 t2 = a26;
-        Lib_IntVector_Intrinsics_vec128 t3 = a36;
-        Lib_IntVector_Intrinsics_vec128 t4 = a46;
-        Lib_IntVector_Intrinsics_vec128
-            l = Lib_IntVector_Intrinsics_vec128_add64(t01, Lib_IntVector_Intrinsics_vec128_zero);
-        Lib_IntVector_Intrinsics_vec128
-            tmp0 =
-                Lib_IntVector_Intrinsics_vec128_and(l,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c01 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(t11, c01);
-        Lib_IntVector_Intrinsics_vec128
-            tmp1 =
-                Lib_IntVector_Intrinsics_vec128_and(l0,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c11 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(t2, c11);
-        Lib_IntVector_Intrinsics_vec128
-            tmp2 =
-                Lib_IntVector_Intrinsics_vec128_and(l1,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c21 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(t3, c21);
-        Lib_IntVector_Intrinsics_vec128
-            tmp3 =
-                Lib_IntVector_Intrinsics_vec128_and(l2,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c31 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(t4, c31);
-        Lib_IntVector_Intrinsics_vec128
-            tmp4 =
-                Lib_IntVector_Intrinsics_vec128_and(l3,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128
-            l4 =
-                Lib_IntVector_Intrinsics_vec128_add64(tmp0,
-                                                      Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U));
-        Lib_IntVector_Intrinsics_vec128
-            tmp01 =
-                Lib_IntVector_Intrinsics_vec128_and(l4,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c5 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 tmp11 = Lib_IntVector_Intrinsics_vec128_add64(tmp1, c5);
-        Lib_IntVector_Intrinsics_vec128 o0 = tmp01;
-        Lib_IntVector_Intrinsics_vec128 o1 = tmp11;
-        Lib_IntVector_Intrinsics_vec128 o2 = tmp2;
-        Lib_IntVector_Intrinsics_vec128 o3 = tmp3;
-        Lib_IntVector_Intrinsics_vec128 o4 = tmp4;
-        acc0[0U] = o0;
-        acc0[1U] = o1;
-        acc0[2U] = o2;
-        acc0[3U] = o3;
-        acc0[4U] = o4;
-    }
-    if (rem2 > (uint32_t)0U) {
-        uint8_t *last1 = t10 + nb * (uint32_t)16U;
-        Lib_IntVector_Intrinsics_vec128 e[5U];
-        for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
-            e[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        uint8_t tmp[16U] = { 0U };
-        memcpy(tmp, last1, rem2 * sizeof last1[0U]);
-        uint64_t u0 = load64_le(tmp);
-        uint64_t lo = u0;
-        uint64_t u = load64_le(tmp + (uint32_t)8U);
-        uint64_t hi = u;
-        Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo);
-        Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi);
-        Lib_IntVector_Intrinsics_vec128
-            f010 =
-                Lib_IntVector_Intrinsics_vec128_and(f0,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            f110 =
-                Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0,
-                                                                                                  (uint32_t)26U),
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            f20 =
-                Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0,
-                                                                                                 (uint32_t)52U),
-                                                   Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1,
-                                                                                                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)),
-                                                                                                (uint32_t)12U));
-        Lib_IntVector_Intrinsics_vec128
-            f30 =
-                Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1,
-                                                                                                  (uint32_t)14U),
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U);
-        Lib_IntVector_Intrinsics_vec128 f01 = f010;
-        Lib_IntVector_Intrinsics_vec128 f111 = f110;
-        Lib_IntVector_Intrinsics_vec128 f2 = f20;
-        Lib_IntVector_Intrinsics_vec128 f3 = f30;
-        Lib_IntVector_Intrinsics_vec128 f4 = f40;
-        e[0U] = f01;
-        e[1U] = f111;
-        e[2U] = f2;
-        e[3U] = f3;
-        e[4U] = f4;
-        uint64_t b = (uint64_t)1U << rem2 * (uint32_t)8U % (uint32_t)26U;
-        Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b);
-        Lib_IntVector_Intrinsics_vec128 fi = e[rem2 * (uint32_t)8U / (uint32_t)26U];
-        e[rem2 * (uint32_t)8U / (uint32_t)26U] = Lib_IntVector_Intrinsics_vec128_or(fi, mask);
-        Lib_IntVector_Intrinsics_vec128 *r1 = pre0;
-        Lib_IntVector_Intrinsics_vec128 *r5 = pre0 + (uint32_t)5U;
-        Lib_IntVector_Intrinsics_vec128 r0 = r1[0U];
-        Lib_IntVector_Intrinsics_vec128 r11 = r1[1U];
-        Lib_IntVector_Intrinsics_vec128 r2 = r1[2U];
-        Lib_IntVector_Intrinsics_vec128 r3 = r1[3U];
-        Lib_IntVector_Intrinsics_vec128 r4 = r1[4U];
-        Lib_IntVector_Intrinsics_vec128 r51 = r5[1U];
-        Lib_IntVector_Intrinsics_vec128 r52 = r5[2U];
-        Lib_IntVector_Intrinsics_vec128 r53 = r5[3U];
-        Lib_IntVector_Intrinsics_vec128 r54 = r5[4U];
-        Lib_IntVector_Intrinsics_vec128 f10 = e[0U];
-        Lib_IntVector_Intrinsics_vec128 f11 = e[1U];
-        Lib_IntVector_Intrinsics_vec128 f12 = e[2U];
-        Lib_IntVector_Intrinsics_vec128 f13 = e[3U];
-        Lib_IntVector_Intrinsics_vec128 f14 = e[4U];
-        Lib_IntVector_Intrinsics_vec128 a0 = acc0[0U];
-        Lib_IntVector_Intrinsics_vec128 a1 = acc0[1U];
-        Lib_IntVector_Intrinsics_vec128 a2 = acc0[2U];
-        Lib_IntVector_Intrinsics_vec128 a3 = acc0[3U];
-        Lib_IntVector_Intrinsics_vec128 a4 = acc0[4U];
-        Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10);
-        Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11);
-        Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12);
-        Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13);
-        Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14);
-        Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01);
-        Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01);
-        Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01);
-        Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01);
-        Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01);
-        Lib_IntVector_Intrinsics_vec128
-            a03 =
-                Lib_IntVector_Intrinsics_vec128_add64(a02,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a13 =
-                Lib_IntVector_Intrinsics_vec128_add64(a12,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a23 =
-                Lib_IntVector_Intrinsics_vec128_add64(a22,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r11, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a33 =
-                Lib_IntVector_Intrinsics_vec128_add64(a32,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r2, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a43 =
-                Lib_IntVector_Intrinsics_vec128_add64(a42,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r3, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a04 =
-                Lib_IntVector_Intrinsics_vec128_add64(a03,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r53, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a14 =
-                Lib_IntVector_Intrinsics_vec128_add64(a13,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a24 =
-                Lib_IntVector_Intrinsics_vec128_add64(a23,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a34 =
-                Lib_IntVector_Intrinsics_vec128_add64(a33,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r11, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a44 =
-                Lib_IntVector_Intrinsics_vec128_add64(a43,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r2, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a05 =
-                Lib_IntVector_Intrinsics_vec128_add64(a04,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r52, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a15 =
-                Lib_IntVector_Intrinsics_vec128_add64(a14,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r53, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a25 =
-                Lib_IntVector_Intrinsics_vec128_add64(a24,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a35 =
-                Lib_IntVector_Intrinsics_vec128_add64(a34,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a45 =
-                Lib_IntVector_Intrinsics_vec128_add64(a44,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r11, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a06 =
-                Lib_IntVector_Intrinsics_vec128_add64(a05,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r51, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a16 =
-                Lib_IntVector_Intrinsics_vec128_add64(a15,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r52, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a26 =
-                Lib_IntVector_Intrinsics_vec128_add64(a25,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r53, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a36 =
-                Lib_IntVector_Intrinsics_vec128_add64(a35,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a46 =
-                Lib_IntVector_Intrinsics_vec128_add64(a45,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a41));
-        Lib_IntVector_Intrinsics_vec128 t01 = a06;
-        Lib_IntVector_Intrinsics_vec128 t11 = a16;
-        Lib_IntVector_Intrinsics_vec128 t2 = a26;
-        Lib_IntVector_Intrinsics_vec128 t3 = a36;
-        Lib_IntVector_Intrinsics_vec128 t4 = a46;
-        Lib_IntVector_Intrinsics_vec128
-            l = Lib_IntVector_Intrinsics_vec128_add64(t01, Lib_IntVector_Intrinsics_vec128_zero);
-        Lib_IntVector_Intrinsics_vec128
-            tmp0 =
-                Lib_IntVector_Intrinsics_vec128_and(l,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c01 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(t11, c01);
-        Lib_IntVector_Intrinsics_vec128
-            tmp1 =
-                Lib_IntVector_Intrinsics_vec128_and(l0,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c11 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(t2, c11);
-        Lib_IntVector_Intrinsics_vec128
-            tmp2 =
-                Lib_IntVector_Intrinsics_vec128_and(l1,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c21 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(t3, c21);
-        Lib_IntVector_Intrinsics_vec128
-            tmp3 =
-                Lib_IntVector_Intrinsics_vec128_and(l2,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c31 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(t4, c31);
-        Lib_IntVector_Intrinsics_vec128
-            tmp4 =
-                Lib_IntVector_Intrinsics_vec128_and(l3,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128
-            l4 =
-                Lib_IntVector_Intrinsics_vec128_add64(tmp0,
-                                                      Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U));
-        Lib_IntVector_Intrinsics_vec128
-            tmp01 =
-                Lib_IntVector_Intrinsics_vec128_and(l4,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c5 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 tmp11 = Lib_IntVector_Intrinsics_vec128_add64(tmp1, c5);
-        Lib_IntVector_Intrinsics_vec128 o0 = tmp01;
-        Lib_IntVector_Intrinsics_vec128 o1 = tmp11;
-        Lib_IntVector_Intrinsics_vec128 o2 = tmp2;
-        Lib_IntVector_Intrinsics_vec128 o3 = tmp3;
-        Lib_IntVector_Intrinsics_vec128 o4 = tmp4;
-        acc0[0U] = o0;
-        acc0[1U] = o1;
-        acc0[2U] = o2;
-        acc0[3U] = o3;
-        acc0[4U] = o4;
-    }
-    uint8_t tmp[16U] = { 0U };
-    memcpy(tmp, rem1, r * sizeof rem1[0U]);
-    if (r > (uint32_t)0U) {
-        Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U;
-        Lib_IntVector_Intrinsics_vec128 *acc = ctx;
-        Lib_IntVector_Intrinsics_vec128 e[5U];
-        for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
-            e[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        uint64_t u0 = load64_le(tmp);
-        uint64_t lo = u0;
-        uint64_t u = load64_le(tmp + (uint32_t)8U);
-        uint64_t hi = u;
-        Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo);
-        Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi);
-        Lib_IntVector_Intrinsics_vec128
-            f010 =
-                Lib_IntVector_Intrinsics_vec128_and(f0,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            f110 =
-                Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0,
-                                                                                                  (uint32_t)26U),
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            f20 =
-                Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0,
-                                                                                                 (uint32_t)52U),
-                                                   Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1,
-                                                                                                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)),
-                                                                                                (uint32_t)12U));
-        Lib_IntVector_Intrinsics_vec128
-            f30 =
-                Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1,
-                                                                                                  (uint32_t)14U),
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U);
-        Lib_IntVector_Intrinsics_vec128 f01 = f010;
-        Lib_IntVector_Intrinsics_vec128 f111 = f110;
-        Lib_IntVector_Intrinsics_vec128 f2 = f20;
-        Lib_IntVector_Intrinsics_vec128 f3 = f30;
-        Lib_IntVector_Intrinsics_vec128 f41 = f40;
-        e[0U] = f01;
-        e[1U] = f111;
-        e[2U] = f2;
-        e[3U] = f3;
-        e[4U] = f41;
-        uint64_t b = (uint64_t)0x1000000U;
-        Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b);
-        Lib_IntVector_Intrinsics_vec128 f4 = e[4U];
-        e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask);
-        Lib_IntVector_Intrinsics_vec128 *r1 = pre;
-        Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U;
-        Lib_IntVector_Intrinsics_vec128 r0 = r1[0U];
-        Lib_IntVector_Intrinsics_vec128 r11 = r1[1U];
-        Lib_IntVector_Intrinsics_vec128 r2 = r1[2U];
-        Lib_IntVector_Intrinsics_vec128 r3 = r1[3U];
-        Lib_IntVector_Intrinsics_vec128 r4 = r1[4U];
-        Lib_IntVector_Intrinsics_vec128 r51 = r5[1U];
-        Lib_IntVector_Intrinsics_vec128 r52 = r5[2U];
-        Lib_IntVector_Intrinsics_vec128 r53 = r5[3U];
-        Lib_IntVector_Intrinsics_vec128 r54 = r5[4U];
-        Lib_IntVector_Intrinsics_vec128 f10 = e[0U];
-        Lib_IntVector_Intrinsics_vec128 f11 = e[1U];
-        Lib_IntVector_Intrinsics_vec128 f12 = e[2U];
-        Lib_IntVector_Intrinsics_vec128 f13 = e[3U];
-        Lib_IntVector_Intrinsics_vec128 f14 = e[4U];
-        Lib_IntVector_Intrinsics_vec128 a0 = acc[0U];
-        Lib_IntVector_Intrinsics_vec128 a1 = acc[1U];
-        Lib_IntVector_Intrinsics_vec128 a2 = acc[2U];
-        Lib_IntVector_Intrinsics_vec128 a3 = acc[3U];
-        Lib_IntVector_Intrinsics_vec128 a4 = acc[4U];
-        Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10);
-        Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11);
-        Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12);
-        Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13);
-        Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14);
-        Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01);
-        Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r11, a01);
-        Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01);
-        Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01);
-        Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01);
-        Lib_IntVector_Intrinsics_vec128
-            a03 =
-                Lib_IntVector_Intrinsics_vec128_add64(a02,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a13 =
-                Lib_IntVector_Intrinsics_vec128_add64(a12,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a23 =
-                Lib_IntVector_Intrinsics_vec128_add64(a22,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r11, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a33 =
-                Lib_IntVector_Intrinsics_vec128_add64(a32,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r2, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a43 =
-                Lib_IntVector_Intrinsics_vec128_add64(a42,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r3, a11));
-        Lib_IntVector_Intrinsics_vec128
-            a04 =
-                Lib_IntVector_Intrinsics_vec128_add64(a03,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r53, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a14 =
-                Lib_IntVector_Intrinsics_vec128_add64(a13,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a24 =
-                Lib_IntVector_Intrinsics_vec128_add64(a23,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a34 =
-                Lib_IntVector_Intrinsics_vec128_add64(a33,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r11, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a44 =
-                Lib_IntVector_Intrinsics_vec128_add64(a43,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r2, a21));
-        Lib_IntVector_Intrinsics_vec128
-            a05 =
-                Lib_IntVector_Intrinsics_vec128_add64(a04,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r52, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a15 =
-                Lib_IntVector_Intrinsics_vec128_add64(a14,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r53, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a25 =
-                Lib_IntVector_Intrinsics_vec128_add64(a24,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a35 =
-                Lib_IntVector_Intrinsics_vec128_add64(a34,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a45 =
-                Lib_IntVector_Intrinsics_vec128_add64(a44,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r11, a31));
-        Lib_IntVector_Intrinsics_vec128
-            a06 =
-                Lib_IntVector_Intrinsics_vec128_add64(a05,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r51, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a16 =
-                Lib_IntVector_Intrinsics_vec128_add64(a15,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r52, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a26 =
-                Lib_IntVector_Intrinsics_vec128_add64(a25,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r53, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a36 =
-                Lib_IntVector_Intrinsics_vec128_add64(a35,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r54, a41));
-        Lib_IntVector_Intrinsics_vec128
-            a46 =
-                Lib_IntVector_Intrinsics_vec128_add64(a45,
-                                                      Lib_IntVector_Intrinsics_vec128_mul64(r0, a41));
-        Lib_IntVector_Intrinsics_vec128 t0 = a06;
-        Lib_IntVector_Intrinsics_vec128 t1 = a16;
-        Lib_IntVector_Intrinsics_vec128 t2 = a26;
-        Lib_IntVector_Intrinsics_vec128 t3 = a36;
-        Lib_IntVector_Intrinsics_vec128 t4 = a46;
-        Lib_IntVector_Intrinsics_vec128
-            l = Lib_IntVector_Intrinsics_vec128_add64(t0, Lib_IntVector_Intrinsics_vec128_zero);
-        Lib_IntVector_Intrinsics_vec128
-            tmp0 =
-                Lib_IntVector_Intrinsics_vec128_and(l,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c01 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(t1, c01);
-        Lib_IntVector_Intrinsics_vec128
-            tmp1 =
-                Lib_IntVector_Intrinsics_vec128_and(l0,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c11 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(t2, c11);
-        Lib_IntVector_Intrinsics_vec128
-            tmp2 =
-                Lib_IntVector_Intrinsics_vec128_and(l1,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c21 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(t3, c21);
-        Lib_IntVector_Intrinsics_vec128
-            tmp3 =
-                Lib_IntVector_Intrinsics_vec128_and(l2,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c31 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(t4, c31);
-        Lib_IntVector_Intrinsics_vec128
-            tmp4 =
-                Lib_IntVector_Intrinsics_vec128_and(l3,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128
-            l4 =
-                Lib_IntVector_Intrinsics_vec128_add64(tmp0,
-                                                      Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U));
-        Lib_IntVector_Intrinsics_vec128
-            tmp01 =
-                Lib_IntVector_Intrinsics_vec128_and(l4,
-                                                    Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-        Lib_IntVector_Intrinsics_vec128
-            c5 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U);
-        Lib_IntVector_Intrinsics_vec128 tmp11 = Lib_IntVector_Intrinsics_vec128_add64(tmp1, c5);
-        Lib_IntVector_Intrinsics_vec128 o0 = tmp01;
-        Lib_IntVector_Intrinsics_vec128 o1 = tmp11;
-        Lib_IntVector_Intrinsics_vec128 o2 = tmp2;
-        Lib_IntVector_Intrinsics_vec128 o3 = tmp3;
-        Lib_IntVector_Intrinsics_vec128 o4 = tmp4;
-        acc[0U] = o0;
-        acc[1U] = o1;
-        acc[2U] = o2;
-        acc[3U] = o3;
-        acc[4U] = o4;
-        return;
-    }
-}
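[Annotation on the deleted block above: this is the vectorized Poly1305 update. Field elements live in five 26-bit limbs (hence the recurring 0x3ffffff mask), and the long chain of shift_right64/and/add64 calls is a single carry pass over those limbs, performed lane-wise. A minimal scalar sketch of the same pass, assuming the standard radix-2^26 representation; illustrative only, not code this patch touches:]

    #include <stdint.h>

    /* One carry pass over a radix-2^26 Poly1305 accumulator h. The carry out
       of limb 4 is folded back as 5*c because 2^130 = 5 (mod 2^130 - 5). */
    static void poly1305_carry_sketch(uint64_t h[5])
    {
        const uint64_t mask = 0x3ffffffULL;
        uint64_t c = 0;
        for (int i = 0; i < 5; i++) {
            h[i] += c;
            c = h[i] >> 26;
            h[i] &= mask;
        }
        h[0] += c * 5;      /* wrap-around reduction, the smul64(c4, 5) step */
        h[1] += h[0] >> 26; /* the tmp11 = tmp1 + c5 step in the code above  */
        h[0] &= mask;
    }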
-
-inline static void
-Hacl_Chacha20Poly1305_128_poly1305_do_128(
-    uint8_t *k,
-    uint32_t aadlen,
-    uint8_t *aad,
-    uint32_t mlen,
-    uint8_t *m,
-    uint8_t *out)
-{
-    Lib_IntVector_Intrinsics_vec128 ctx[25U];
-    for (uint32_t _i = 0U; _i < (uint32_t)25U; ++_i)
-        ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-    uint8_t block[16U] = { 0U };
-    Hacl_Poly1305_128_poly1305_init(ctx, k);
-    Hacl_Chacha20Poly1305_128_poly1305_padded_128(ctx, aadlen, aad);
-    Hacl_Chacha20Poly1305_128_poly1305_padded_128(ctx, mlen, m);
-    store64_le(block, (uint64_t)aadlen);
-    store64_le(block + (uint32_t)8U, (uint64_t)mlen);
-    Lib_IntVector_Intrinsics_vec128 *pre = ctx + (uint32_t)5U;
-    Lib_IntVector_Intrinsics_vec128 *acc = ctx;
-    Lib_IntVector_Intrinsics_vec128 e[5U];
-    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
-        e[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-    uint64_t u0 = load64_le(block);
-    uint64_t lo = u0;
-    uint64_t u = load64_le(block + (uint32_t)8U);
-    uint64_t hi = u;
-    Lib_IntVector_Intrinsics_vec128 f0 = Lib_IntVector_Intrinsics_vec128_load64(lo);
-    Lib_IntVector_Intrinsics_vec128 f1 = Lib_IntVector_Intrinsics_vec128_load64(hi);
-    Lib_IntVector_Intrinsics_vec128
-        f010 =
-            Lib_IntVector_Intrinsics_vec128_and(f0,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        f110 =
-            Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f0,
-                                                                                              (uint32_t)26U),
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        f20 =
-            Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(f0,
-                                                                                             (uint32_t)52U),
-                                               Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(f1,
-                                                                                                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)),
-                                                                                            (uint32_t)12U));
-    Lib_IntVector_Intrinsics_vec128
-        f30 =
-            Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(f1,
-                                                                                              (uint32_t)14U),
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(f1, (uint32_t)40U);
-    Lib_IntVector_Intrinsics_vec128 f01 = f010;
-    Lib_IntVector_Intrinsics_vec128 f111 = f110;
-    Lib_IntVector_Intrinsics_vec128 f2 = f20;
-    Lib_IntVector_Intrinsics_vec128 f3 = f30;
-    Lib_IntVector_Intrinsics_vec128 f41 = f40;
-    e[0U] = f01;
-    e[1U] = f111;
-    e[2U] = f2;
-    e[3U] = f3;
-    e[4U] = f41;
-    uint64_t b = (uint64_t)0x1000000U;
-    Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b);
-    Lib_IntVector_Intrinsics_vec128 f4 = e[4U];
-    e[4U] = Lib_IntVector_Intrinsics_vec128_or(f4, mask);
-    Lib_IntVector_Intrinsics_vec128 *r = pre;
-    Lib_IntVector_Intrinsics_vec128 *r5 = pre + (uint32_t)5U;
-    Lib_IntVector_Intrinsics_vec128 r0 = r[0U];
-    Lib_IntVector_Intrinsics_vec128 r1 = r[1U];
-    Lib_IntVector_Intrinsics_vec128 r2 = r[2U];
-    Lib_IntVector_Intrinsics_vec128 r3 = r[3U];
-    Lib_IntVector_Intrinsics_vec128 r4 = r[4U];
-    Lib_IntVector_Intrinsics_vec128 r51 = r5[1U];
-    Lib_IntVector_Intrinsics_vec128 r52 = r5[2U];
-    Lib_IntVector_Intrinsics_vec128 r53 = r5[3U];
-    Lib_IntVector_Intrinsics_vec128 r54 = r5[4U];
-    Lib_IntVector_Intrinsics_vec128 f10 = e[0U];
-    Lib_IntVector_Intrinsics_vec128 f11 = e[1U];
-    Lib_IntVector_Intrinsics_vec128 f12 = e[2U];
-    Lib_IntVector_Intrinsics_vec128 f13 = e[3U];
-    Lib_IntVector_Intrinsics_vec128 f14 = e[4U];
-    Lib_IntVector_Intrinsics_vec128 a0 = acc[0U];
-    Lib_IntVector_Intrinsics_vec128 a1 = acc[1U];
-    Lib_IntVector_Intrinsics_vec128 a2 = acc[2U];
-    Lib_IntVector_Intrinsics_vec128 a3 = acc[3U];
-    Lib_IntVector_Intrinsics_vec128 a4 = acc[4U];
-    Lib_IntVector_Intrinsics_vec128 a01 = Lib_IntVector_Intrinsics_vec128_add64(a0, f10);
-    Lib_IntVector_Intrinsics_vec128 a11 = Lib_IntVector_Intrinsics_vec128_add64(a1, f11);
-    Lib_IntVector_Intrinsics_vec128 a21 = Lib_IntVector_Intrinsics_vec128_add64(a2, f12);
-    Lib_IntVector_Intrinsics_vec128 a31 = Lib_IntVector_Intrinsics_vec128_add64(a3, f13);
-    Lib_IntVector_Intrinsics_vec128 a41 = Lib_IntVector_Intrinsics_vec128_add64(a4, f14);
-    Lib_IntVector_Intrinsics_vec128 a02 = Lib_IntVector_Intrinsics_vec128_mul64(r0, a01);
-    Lib_IntVector_Intrinsics_vec128 a12 = Lib_IntVector_Intrinsics_vec128_mul64(r1, a01);
-    Lib_IntVector_Intrinsics_vec128 a22 = Lib_IntVector_Intrinsics_vec128_mul64(r2, a01);
-    Lib_IntVector_Intrinsics_vec128 a32 = Lib_IntVector_Intrinsics_vec128_mul64(r3, a01);
-    Lib_IntVector_Intrinsics_vec128 a42 = Lib_IntVector_Intrinsics_vec128_mul64(r4, a01);
-    Lib_IntVector_Intrinsics_vec128
-        a03 =
-            Lib_IntVector_Intrinsics_vec128_add64(a02,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r54, a11));
-    Lib_IntVector_Intrinsics_vec128
-        a13 =
-            Lib_IntVector_Intrinsics_vec128_add64(a12,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r0, a11));
-    Lib_IntVector_Intrinsics_vec128
-        a23 =
-            Lib_IntVector_Intrinsics_vec128_add64(a22,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r1, a11));
-    Lib_IntVector_Intrinsics_vec128
-        a33 =
-            Lib_IntVector_Intrinsics_vec128_add64(a32,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r2, a11));
-    Lib_IntVector_Intrinsics_vec128
-        a43 =
-            Lib_IntVector_Intrinsics_vec128_add64(a42,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r3, a11));
-    Lib_IntVector_Intrinsics_vec128
-        a04 =
-            Lib_IntVector_Intrinsics_vec128_add64(a03,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r53, a21));
-    Lib_IntVector_Intrinsics_vec128
-        a14 =
-            Lib_IntVector_Intrinsics_vec128_add64(a13,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r54, a21));
-    Lib_IntVector_Intrinsics_vec128
-        a24 =
-            Lib_IntVector_Intrinsics_vec128_add64(a23,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r0, a21));
-    Lib_IntVector_Intrinsics_vec128
-        a34 =
-            Lib_IntVector_Intrinsics_vec128_add64(a33,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r1, a21));
-    Lib_IntVector_Intrinsics_vec128
-        a44 =
-            Lib_IntVector_Intrinsics_vec128_add64(a43,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r2, a21));
-    Lib_IntVector_Intrinsics_vec128
-        a05 =
-            Lib_IntVector_Intrinsics_vec128_add64(a04,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r52, a31));
-    Lib_IntVector_Intrinsics_vec128
-        a15 =
-            Lib_IntVector_Intrinsics_vec128_add64(a14,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r53, a31));
-    Lib_IntVector_Intrinsics_vec128
-        a25 =
-            Lib_IntVector_Intrinsics_vec128_add64(a24,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r54, a31));
-    Lib_IntVector_Intrinsics_vec128
-        a35 =
-            Lib_IntVector_Intrinsics_vec128_add64(a34,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r0, a31));
-    Lib_IntVector_Intrinsics_vec128
-        a45 =
-            Lib_IntVector_Intrinsics_vec128_add64(a44,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r1, a31));
-    Lib_IntVector_Intrinsics_vec128
-        a06 =
-            Lib_IntVector_Intrinsics_vec128_add64(a05,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r51, a41));
-    Lib_IntVector_Intrinsics_vec128
-        a16 =
-            Lib_IntVector_Intrinsics_vec128_add64(a15,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r52, a41));
-    Lib_IntVector_Intrinsics_vec128
-        a26 =
-            Lib_IntVector_Intrinsics_vec128_add64(a25,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r53, a41));
-    Lib_IntVector_Intrinsics_vec128
-        a36 =
-            Lib_IntVector_Intrinsics_vec128_add64(a35,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r54, a41));
-    Lib_IntVector_Intrinsics_vec128
-        a46 =
-            Lib_IntVector_Intrinsics_vec128_add64(a45,
-                                                  Lib_IntVector_Intrinsics_vec128_mul64(r0, a41));
-    Lib_IntVector_Intrinsics_vec128 t0 = a06;
-    Lib_IntVector_Intrinsics_vec128 t1 = a16;
-    Lib_IntVector_Intrinsics_vec128 t2 = a26;
-    Lib_IntVector_Intrinsics_vec128 t3 = a36;
-    Lib_IntVector_Intrinsics_vec128 t4 = a46;
-    Lib_IntVector_Intrinsics_vec128
-        l = Lib_IntVector_Intrinsics_vec128_add64(t0, Lib_IntVector_Intrinsics_vec128_zero);
-    Lib_IntVector_Intrinsics_vec128
-        tmp0 =
-            Lib_IntVector_Intrinsics_vec128_and(l,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        c01 = Lib_IntVector_Intrinsics_vec128_shift_right64(l, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128 l0 = Lib_IntVector_Intrinsics_vec128_add64(t1, c01);
-    Lib_IntVector_Intrinsics_vec128
-        tmp1 =
-            Lib_IntVector_Intrinsics_vec128_and(l0,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        c11 = Lib_IntVector_Intrinsics_vec128_shift_right64(l0, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128 l1 = Lib_IntVector_Intrinsics_vec128_add64(t2, c11);
-    Lib_IntVector_Intrinsics_vec128
-        tmp2 =
-            Lib_IntVector_Intrinsics_vec128_and(l1,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        c21 = Lib_IntVector_Intrinsics_vec128_shift_right64(l1, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128 l2 = Lib_IntVector_Intrinsics_vec128_add64(t3, c21);
-    Lib_IntVector_Intrinsics_vec128
-        tmp3 =
-            Lib_IntVector_Intrinsics_vec128_and(l2,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        c31 = Lib_IntVector_Intrinsics_vec128_shift_right64(l2, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128 l3 = Lib_IntVector_Intrinsics_vec128_add64(t4, c31);
-    Lib_IntVector_Intrinsics_vec128
-        tmp4 =
-            Lib_IntVector_Intrinsics_vec128_and(l3,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        c4 = Lib_IntVector_Intrinsics_vec128_shift_right64(l3, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128
-        l4 =
-            Lib_IntVector_Intrinsics_vec128_add64(tmp0,
-                                                  Lib_IntVector_Intrinsics_vec128_smul64(c4, (uint64_t)5U));
-    Lib_IntVector_Intrinsics_vec128
-        tmp01 =
-            Lib_IntVector_Intrinsics_vec128_and(l4,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        c5 = Lib_IntVector_Intrinsics_vec128_shift_right64(l4, (uint32_t)26U);
-    Lib_IntVector_Intrinsics_vec128 tmp11 = Lib_IntVector_Intrinsics_vec128_add64(tmp1, c5);
-    Lib_IntVector_Intrinsics_vec128 o0 = tmp01;
-    Lib_IntVector_Intrinsics_vec128 o1 = tmp11;
-    Lib_IntVector_Intrinsics_vec128 o2 = tmp2;
-    Lib_IntVector_Intrinsics_vec128 o3 = tmp3;
-    Lib_IntVector_Intrinsics_vec128 o4 = tmp4;
-    acc[0U] = o0;
-    acc[1U] = o1;
-    acc[2U] = o2;
-    acc[3U] = o3;
-    acc[4U] = o4;
-    Hacl_Poly1305_128_poly1305_finish(out, k, ctx);
-}
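[Annotation: poly1305_do_128 MACs the AAD, then the ciphertext, then one final 16-byte block holding le64(aadlen) || le64(mlen), which is the RFC 8439 layout. The OR with 0x1000000 into limb 4, seen here and in every block-absorption above, sets message bit 128: the 0x01 byte Poly1305 appends to each full 16-byte block. A small arithmetic self-check, purely illustrative:]

    #include <assert.h>
    #include <stdint.h>

    int main(void)
    {
        /* Limb 4 covers message bits 104..129 (four 26-bit limbs below it),
           so OR-ing in 1 << 24 sets absolute bit 104 + 24 = 128. */
        assert((uint64_t)0x1000000U == (uint64_t)1 << 24);
        assert(4 * 26 + 24 == 128);
        return 0;
    }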
-
-void
-Hacl_Chacha20Poly1305_128_aead_encrypt(
-    uint8_t *k,
-    uint8_t *n1,
-    uint32_t aadlen,
-    uint8_t *aad,
-    uint32_t mlen,
-    uint8_t *m,
-    uint8_t *cipher,
-    uint8_t *mac)
-{
-    Hacl_Chacha20_Vec128_chacha20_encrypt_128(mlen, cipher, m, k, n1, (uint32_t)1U);
-    uint8_t tmp[64U] = { 0U };
-    Hacl_Chacha20_Vec128_chacha20_encrypt_128((uint32_t)64U, tmp, tmp, k, n1, (uint32_t)0U);
-    uint8_t *key = tmp;
-    Hacl_Chacha20Poly1305_128_poly1305_do_128(key, aadlen, aad, mlen, cipher, mac);
-}
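[Annotation: aead_encrypt is the standard ChaCha20-Poly1305 composition. The message is encrypted with block counter 1, and the Poly1305 one-time key is the first 32 bytes of keystream block 0, obtained by encrypting the zeroed 64-byte tmp with counter 0. A hedged caller sketch; the buffer names and sizes are illustrative, not from the patch:]

    #include <stdint.h>
    #include "Hacl_Chacha20Poly1305_128.h" /* the header deleted below */

    void encrypt_example(void)
    {
        uint8_t key[32] = { 0 };   /* 256-bit key                          */
        uint8_t nonce[12] = { 0 }; /* 96-bit IETF nonce, unique per key    */
        uint8_t aad[8] = { 0 };
        uint8_t msg[32] = { 0 };
        uint8_t ct[32];
        uint8_t tag[16];
        Hacl_Chacha20Poly1305_128_aead_encrypt(key, nonce,
                                               (uint32_t)sizeof aad, aad,
                                               (uint32_t)sizeof msg, msg,
                                               ct, tag);
    }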
-
-uint32_t
-Hacl_Chacha20Poly1305_128_aead_decrypt(
-    uint8_t *k,
-    uint8_t *n1,
-    uint32_t aadlen,
-    uint8_t *aad,
-    uint32_t mlen,
-    uint8_t *m,
-    uint8_t *cipher,
-    uint8_t *mac)
-{
-    uint8_t computed_mac[16U] = { 0U };
-    uint8_t tmp[64U] = { 0U };
-    Hacl_Chacha20_Vec128_chacha20_encrypt_128((uint32_t)64U, tmp, tmp, k, n1, (uint32_t)0U);
-    uint8_t *key = tmp;
-    Hacl_Chacha20Poly1305_128_poly1305_do_128(key, aadlen, aad, mlen, cipher, computed_mac);
-    uint8_t res = (uint8_t)255U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-        uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]);
-        res = uu____0 & res;
-    }
-    uint8_t z = res;
-    if (z == (uint8_t)255U) {
-        Hacl_Chacha20_Vec128_chacha20_encrypt_128(mlen, m, cipher, k, n1, (uint32_t)1U);
-        return (uint32_t)0U;
-    }
-    return (uint32_t)1U;
-}
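[Annotation: the tag check folds FStar_UInt8_eq_mask over all 16 bytes with &, so res stays 0xFF exactly when every byte matches, and no data-dependent branch occurs until the final accept/reject. eq_mask itself lives in the kremlib support code, not in this hunk; a branch-free sketch consistent with the contract the loop relies on (0xFF if equal, 0x00 otherwise), stated as an assumption:]

    #include <stdint.h>

    static uint8_t eq_mask_sketch(uint8_t a, uint8_t b)
    {
        uint32_t x = (uint32_t)(a ^ b);     /* zero iff a == b            */
        uint32_t nz = (x | (0U - x)) >> 31; /* 1 iff x is nonzero         */
        return (uint8_t)(nz - 1U);          /* nz = 0 gives 0xFF, else 0  */
    }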
deleted file mode 100644
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_128.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "libintvector.h"
-#include "kremlin/internal/types.h"
-#include "kremlin/lowstar_endianness.h"
-#include <string.h>
-#include <stdbool.h>
-
-#ifndef __Hacl_Chacha20Poly1305_128_H
-#define __Hacl_Chacha20Poly1305_128_H
-
-#include "Hacl_Kremlib.h"
-#include "Hacl_Chacha20_Vec128.h"
-#include "Hacl_Poly1305_128.h"
-
-void
-Hacl_Chacha20Poly1305_128_aead_encrypt(
-    uint8_t *k,
-    uint8_t *n1,
-    uint32_t aadlen,
-    uint8_t *aad,
-    uint32_t mlen,
-    uint8_t *m,
-    uint8_t *cipher,
-    uint8_t *mac);
-
-uint32_t
-Hacl_Chacha20Poly1305_128_aead_decrypt(
-    uint8_t *k,
-    uint8_t *n1,
-    uint32_t aadlen,
-    uint8_t *aad,
-    uint32_t mlen,
-    uint8_t *m,
-    uint8_t *cipher,
-    uint8_t *mac);
-
-#define __Hacl_Chacha20Poly1305_128_H_DEFINED
-#endif
deleted file mode 100644
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_32.c
+++ /dev/null
@@ -1,564 +0,0 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "Hacl_Chacha20Poly1305_32.h"
-
-static void
-Hacl_Chacha20Poly1305_32_poly1305_padded_32(uint64_t *ctx, uint32_t len, uint8_t *text)
-{
-    uint32_t n1 = len / (uint32_t)16U;
-    uint32_t r = len % (uint32_t)16U;
-    uint8_t *blocks = text;
-    uint8_t *rem1 = text + n1 * (uint32_t)16U;
-    uint64_t *pre0 = ctx + (uint32_t)5U;
-    uint64_t *acc0 = ctx;
-    uint32_t nb = n1 * (uint32_t)16U / (uint32_t)16U;
-    uint32_t rem2 = n1 * (uint32_t)16U % (uint32_t)16U;
-    for (uint32_t i = (uint32_t)0U; i < nb; i = i + (uint32_t)1U) {
-        uint8_t *block = blocks + i * (uint32_t)16U;
-        uint64_t e[5U] = { 0U };
-        uint64_t u0 = load64_le(block);
-        uint64_t lo = u0;
-        uint64_t u = load64_le(block + (uint32_t)8U);
-        uint64_t hi = u;
-        uint64_t f0 = lo;
-        uint64_t f1 = hi;
-        uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
-        uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
-        uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
-        uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
-        uint64_t f40 = f1 >> (uint32_t)40U;
-        uint64_t f01 = f010;
-        uint64_t f111 = f110;
-        uint64_t f2 = f20;
-        uint64_t f3 = f30;
-        uint64_t f41 = f40;
-        e[0U] = f01;
-        e[1U] = f111;
-        e[2U] = f2;
-        e[3U] = f3;
-        e[4U] = f41;
-        uint64_t b = (uint64_t)0x1000000U;
-        uint64_t mask = b;
-        uint64_t f4 = e[4U];
-        e[4U] = f4 | mask;
-        uint64_t *r1 = pre0;
-        uint64_t *r5 = pre0 + (uint32_t)5U;
-        uint64_t r0 = r1[0U];
-        uint64_t r11 = r1[1U];
-        uint64_t r2 = r1[2U];
-        uint64_t r3 = r1[3U];
-        uint64_t r4 = r1[4U];
-        uint64_t r51 = r5[1U];
-        uint64_t r52 = r5[2U];
-        uint64_t r53 = r5[3U];
-        uint64_t r54 = r5[4U];
-        uint64_t f10 = e[0U];
-        uint64_t f11 = e[1U];
-        uint64_t f12 = e[2U];
-        uint64_t f13 = e[3U];
-        uint64_t f14 = e[4U];
-        uint64_t a0 = acc0[0U];
-        uint64_t a1 = acc0[1U];
-        uint64_t a2 = acc0[2U];
-        uint64_t a3 = acc0[3U];
-        uint64_t a4 = acc0[4U];
-        uint64_t a01 = a0 + f10;
-        uint64_t a11 = a1 + f11;
-        uint64_t a21 = a2 + f12;
-        uint64_t a31 = a3 + f13;
-        uint64_t a41 = a4 + f14;
-        uint64_t a02 = r0 * a01;
-        uint64_t a12 = r11 * a01;
-        uint64_t a22 = r2 * a01;
-        uint64_t a32 = r3 * a01;
-        uint64_t a42 = r4 * a01;
-        uint64_t a03 = a02 + r54 * a11;
-        uint64_t a13 = a12 + r0 * a11;
-        uint64_t a23 = a22 + r11 * a11;
-        uint64_t a33 = a32 + r2 * a11;
-        uint64_t a43 = a42 + r3 * a11;
-        uint64_t a04 = a03 + r53 * a21;
-        uint64_t a14 = a13 + r54 * a21;
-        uint64_t a24 = a23 + r0 * a21;
-        uint64_t a34 = a33 + r11 * a21;
-        uint64_t a44 = a43 + r2 * a21;
-        uint64_t a05 = a04 + r52 * a31;
-        uint64_t a15 = a14 + r53 * a31;
-        uint64_t a25 = a24 + r54 * a31;
-        uint64_t a35 = a34 + r0 * a31;
-        uint64_t a45 = a44 + r11 * a31;
-        uint64_t a06 = a05 + r51 * a41;
-        uint64_t a16 = a15 + r52 * a41;
-        uint64_t a26 = a25 + r53 * a41;
-        uint64_t a36 = a35 + r54 * a41;
-        uint64_t a46 = a45 + r0 * a41;
-        uint64_t t0 = a06;
-        uint64_t t1 = a16;
-        uint64_t t2 = a26;
-        uint64_t t3 = a36;
-        uint64_t t4 = a46;
-        uint64_t l = t0 + (uint64_t)0U;
-        uint64_t tmp0 = l & (uint64_t)0x3ffffffU;
-        uint64_t c01 = l >> (uint32_t)26U;
-        uint64_t l0 = t1 + c01;
-        uint64_t tmp1 = l0 & (uint64_t)0x3ffffffU;
-        uint64_t c11 = l0 >> (uint32_t)26U;
-        uint64_t l1 = t2 + c11;
-        uint64_t tmp2 = l1 & (uint64_t)0x3ffffffU;
-        uint64_t c21 = l1 >> (uint32_t)26U;
-        uint64_t l2 = t3 + c21;
-        uint64_t tmp3 = l2 & (uint64_t)0x3ffffffU;
-        uint64_t c31 = l2 >> (uint32_t)26U;
-        uint64_t l3 = t4 + c31;
-        uint64_t tmp4 = l3 & (uint64_t)0x3ffffffU;
-        uint64_t c4 = l3 >> (uint32_t)26U;
-        uint64_t l4 = tmp0 + c4 * (uint64_t)5U;
-        uint64_t tmp01 = l4 & (uint64_t)0x3ffffffU;
-        uint64_t c5 = l4 >> (uint32_t)26U;
-        uint64_t tmp11 = tmp1 + c5;
-        uint64_t o0 = tmp01;
-        uint64_t o1 = tmp11;
-        uint64_t o2 = tmp2;
-        uint64_t o3 = tmp3;
-        uint64_t o4 = tmp4;
-        acc0[0U] = o0;
-        acc0[1U] = o1;
-        acc0[2U] = o2;
-        acc0[3U] = o3;
-        acc0[4U] = o4;
-    }
-    if (rem2 > (uint32_t)0U) {
-        uint8_t *last1 = blocks + nb * (uint32_t)16U;
-        uint64_t e[5U] = { 0U };
-        uint8_t tmp[16U] = { 0U };
-        memcpy(tmp, last1, rem2 * sizeof last1[0U]);
-        uint64_t u0 = load64_le(tmp);
-        uint64_t lo = u0;
-        uint64_t u = load64_le(tmp + (uint32_t)8U);
-        uint64_t hi = u;
-        uint64_t f0 = lo;
-        uint64_t f1 = hi;
-        uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
-        uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
-        uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
-        uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
-        uint64_t f40 = f1 >> (uint32_t)40U;
-        uint64_t f01 = f010;
-        uint64_t f111 = f110;
-        uint64_t f2 = f20;
-        uint64_t f3 = f30;
-        uint64_t f4 = f40;
-        e[0U] = f01;
-        e[1U] = f111;
-        e[2U] = f2;
-        e[3U] = f3;
-        e[4U] = f4;
-        uint64_t b = (uint64_t)1U << rem2 * (uint32_t)8U % (uint32_t)26U;
-        uint64_t mask = b;
-        uint64_t fi = e[rem2 * (uint32_t)8U / (uint32_t)26U];
-        e[rem2 * (uint32_t)8U / (uint32_t)26U] = fi | mask;
-        uint64_t *r1 = pre0;
-        uint64_t *r5 = pre0 + (uint32_t)5U;
-        uint64_t r0 = r1[0U];
-        uint64_t r11 = r1[1U];
-        uint64_t r2 = r1[2U];
-        uint64_t r3 = r1[3U];
-        uint64_t r4 = r1[4U];
-        uint64_t r51 = r5[1U];
-        uint64_t r52 = r5[2U];
-        uint64_t r53 = r5[3U];
-        uint64_t r54 = r5[4U];
-        uint64_t f10 = e[0U];
-        uint64_t f11 = e[1U];
-        uint64_t f12 = e[2U];
-        uint64_t f13 = e[3U];
-        uint64_t f14 = e[4U];
-        uint64_t a0 = acc0[0U];
-        uint64_t a1 = acc0[1U];
-        uint64_t a2 = acc0[2U];
-        uint64_t a3 = acc0[3U];
-        uint64_t a4 = acc0[4U];
-        uint64_t a01 = a0 + f10;
-        uint64_t a11 = a1 + f11;
-        uint64_t a21 = a2 + f12;
-        uint64_t a31 = a3 + f13;
-        uint64_t a41 = a4 + f14;
-        uint64_t a02 = r0 * a01;
-        uint64_t a12 = r11 * a01;
-        uint64_t a22 = r2 * a01;
-        uint64_t a32 = r3 * a01;
-        uint64_t a42 = r4 * a01;
-        uint64_t a03 = a02 + r54 * a11;
-        uint64_t a13 = a12 + r0 * a11;
-        uint64_t a23 = a22 + r11 * a11;
-        uint64_t a33 = a32 + r2 * a11;
-        uint64_t a43 = a42 + r3 * a11;
-        uint64_t a04 = a03 + r53 * a21;
-        uint64_t a14 = a13 + r54 * a21;
-        uint64_t a24 = a23 + r0 * a21;
-        uint64_t a34 = a33 + r11 * a21;
-        uint64_t a44 = a43 + r2 * a21;
-        uint64_t a05 = a04 + r52 * a31;
-        uint64_t a15 = a14 + r53 * a31;
-        uint64_t a25 = a24 + r54 * a31;
-        uint64_t a35 = a34 + r0 * a31;
-        uint64_t a45 = a44 + r11 * a31;
-        uint64_t a06 = a05 + r51 * a41;
-        uint64_t a16 = a15 + r52 * a41;
-        uint64_t a26 = a25 + r53 * a41;
-        uint64_t a36 = a35 + r54 * a41;
-        uint64_t a46 = a45 + r0 * a41;
-        uint64_t t0 = a06;
-        uint64_t t1 = a16;
-        uint64_t t2 = a26;
-        uint64_t t3 = a36;
-        uint64_t t4 = a46;
-        uint64_t l = t0 + (uint64_t)0U;
-        uint64_t tmp0 = l & (uint64_t)0x3ffffffU;
-        uint64_t c01 = l >> (uint32_t)26U;
-        uint64_t l0 = t1 + c01;
-        uint64_t tmp1 = l0 & (uint64_t)0x3ffffffU;
-        uint64_t c11 = l0 >> (uint32_t)26U;
-        uint64_t l1 = t2 + c11;
-        uint64_t tmp2 = l1 & (uint64_t)0x3ffffffU;
-        uint64_t c21 = l1 >> (uint32_t)26U;
-        uint64_t l2 = t3 + c21;
-        uint64_t tmp3 = l2 & (uint64_t)0x3ffffffU;
-        uint64_t c31 = l2 >> (uint32_t)26U;
-        uint64_t l3 = t4 + c31;
-        uint64_t tmp4 = l3 & (uint64_t)0x3ffffffU;
-        uint64_t c4 = l3 >> (uint32_t)26U;
-        uint64_t l4 = tmp0 + c4 * (uint64_t)5U;
-        uint64_t tmp01 = l4 & (uint64_t)0x3ffffffU;
-        uint64_t c5 = l4 >> (uint32_t)26U;
-        uint64_t tmp11 = tmp1 + c5;
-        uint64_t o0 = tmp01;
-        uint64_t o1 = tmp11;
-        uint64_t o2 = tmp2;
-        uint64_t o3 = tmp3;
-        uint64_t o4 = tmp4;
-        acc0[0U] = o0;
-        acc0[1U] = o1;
-        acc0[2U] = o2;
-        acc0[3U] = o3;
-        acc0[4U] = o4;
-    }
-    uint8_t tmp[16U] = { 0U };
-    memcpy(tmp, rem1, r * sizeof rem1[0U]);
-    if (r > (uint32_t)0U) {
-        uint64_t *pre = ctx + (uint32_t)5U;
-        uint64_t *acc = ctx;
-        uint64_t e[5U] = { 0U };
-        uint64_t u0 = load64_le(tmp);
-        uint64_t lo = u0;
-        uint64_t u = load64_le(tmp + (uint32_t)8U);
-        uint64_t hi = u;
-        uint64_t f0 = lo;
-        uint64_t f1 = hi;
-        uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
-        uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
-        uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
-        uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
-        uint64_t f40 = f1 >> (uint32_t)40U;
-        uint64_t f01 = f010;
-        uint64_t f111 = f110;
-        uint64_t f2 = f20;
-        uint64_t f3 = f30;
-        uint64_t f41 = f40;
-        e[0U] = f01;
-        e[1U] = f111;
-        e[2U] = f2;
-        e[3U] = f3;
-        e[4U] = f41;
-        uint64_t b = (uint64_t)0x1000000U;
-        uint64_t mask = b;
-        uint64_t f4 = e[4U];
-        e[4U] = f4 | mask;
-        uint64_t *r1 = pre;
-        uint64_t *r5 = pre + (uint32_t)5U;
-        uint64_t r0 = r1[0U];
-        uint64_t r11 = r1[1U];
-        uint64_t r2 = r1[2U];
-        uint64_t r3 = r1[3U];
-        uint64_t r4 = r1[4U];
-        uint64_t r51 = r5[1U];
-        uint64_t r52 = r5[2U];
-        uint64_t r53 = r5[3U];
-        uint64_t r54 = r5[4U];
-        uint64_t f10 = e[0U];
-        uint64_t f11 = e[1U];
-        uint64_t f12 = e[2U];
-        uint64_t f13 = e[3U];
-        uint64_t f14 = e[4U];
-        uint64_t a0 = acc[0U];
-        uint64_t a1 = acc[1U];
-        uint64_t a2 = acc[2U];
-        uint64_t a3 = acc[3U];
-        uint64_t a4 = acc[4U];
-        uint64_t a01 = a0 + f10;
-        uint64_t a11 = a1 + f11;
-        uint64_t a21 = a2 + f12;
-        uint64_t a31 = a3 + f13;
-        uint64_t a41 = a4 + f14;
-        uint64_t a02 = r0 * a01;
-        uint64_t a12 = r11 * a01;
-        uint64_t a22 = r2 * a01;
-        uint64_t a32 = r3 * a01;
-        uint64_t a42 = r4 * a01;
-        uint64_t a03 = a02 + r54 * a11;
-        uint64_t a13 = a12 + r0 * a11;
-        uint64_t a23 = a22 + r11 * a11;
-        uint64_t a33 = a32 + r2 * a11;
-        uint64_t a43 = a42 + r3 * a11;
-        uint64_t a04 = a03 + r53 * a21;
-        uint64_t a14 = a13 + r54 * a21;
-        uint64_t a24 = a23 + r0 * a21;
-        uint64_t a34 = a33 + r11 * a21;
-        uint64_t a44 = a43 + r2 * a21;
-        uint64_t a05 = a04 + r52 * a31;
-        uint64_t a15 = a14 + r53 * a31;
-        uint64_t a25 = a24 + r54 * a31;
-        uint64_t a35 = a34 + r0 * a31;
-        uint64_t a45 = a44 + r11 * a31;
-        uint64_t a06 = a05 + r51 * a41;
-        uint64_t a16 = a15 + r52 * a41;
-        uint64_t a26 = a25 + r53 * a41;
-        uint64_t a36 = a35 + r54 * a41;
-        uint64_t a46 = a45 + r0 * a41;
-        uint64_t t0 = a06;
-        uint64_t t1 = a16;
-        uint64_t t2 = a26;
-        uint64_t t3 = a36;
-        uint64_t t4 = a46;
-        uint64_t l = t0 + (uint64_t)0U;
-        uint64_t tmp0 = l & (uint64_t)0x3ffffffU;
-        uint64_t c01 = l >> (uint32_t)26U;
-        uint64_t l0 = t1 + c01;
-        uint64_t tmp1 = l0 & (uint64_t)0x3ffffffU;
-        uint64_t c11 = l0 >> (uint32_t)26U;
-        uint64_t l1 = t2 + c11;
-        uint64_t tmp2 = l1 & (uint64_t)0x3ffffffU;
-        uint64_t c21 = l1 >> (uint32_t)26U;
-        uint64_t l2 = t3 + c21;
-        uint64_t tmp3 = l2 & (uint64_t)0x3ffffffU;
-        uint64_t c31 = l2 >> (uint32_t)26U;
-        uint64_t l3 = t4 + c31;
-        uint64_t tmp4 = l3 & (uint64_t)0x3ffffffU;
-        uint64_t c4 = l3 >> (uint32_t)26U;
-        uint64_t l4 = tmp0 + c4 * (uint64_t)5U;
-        uint64_t tmp01 = l4 & (uint64_t)0x3ffffffU;
-        uint64_t c5 = l4 >> (uint32_t)26U;
-        uint64_t tmp11 = tmp1 + c5;
-        uint64_t o0 = tmp01;
-        uint64_t o1 = tmp11;
-        uint64_t o2 = tmp2;
-        uint64_t o3 = tmp3;
-        uint64_t o4 = tmp4;
-        acc[0U] = o0;
-        acc[1U] = o1;
-        acc[2U] = o2;
-        acc[3U] = o3;
-        acc[4U] = o4;
-        return;
-    }
-}
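[Annotation: the scalar path mirrors the vectorized one with plain uint64_t limbs. The point of keeping 26-bit limbs in 64-bit words is headroom: the schoolbook multiply above accumulates five products per output limb with no intermediate carries. A back-of-envelope bound, my arithmetic under the usual limb invariants rather than anything stated in the patch:]

    #include <assert.h>
    #include <stdint.h>

    int main(void)
    {
        /* Between carry passes each limb stays below 2^27; each of the five
           products r_i * a_j is then below 2^54, and their sum is below
           5 * 2^54 < 2^57, well inside a uint64_t. */
        uint64_t limb_bound = (uint64_t)1 << 27;
        uint64_t prod_bound = limb_bound * limb_bound; /* 2^54 */
        assert(5 * prod_bound < ((uint64_t)1 << 57));
        return 0;
    }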
-
-static void
-Hacl_Chacha20Poly1305_32_poly1305_do_32(
-    uint8_t *k,
-    uint32_t aadlen,
-    uint8_t *aad,
-    uint32_t mlen,
-    uint8_t *m,
-    uint8_t *out)
-{
-    uint64_t ctx[25U] = { 0U };
-    uint8_t block[16U] = { 0U };
-    Hacl_Poly1305_32_poly1305_init(ctx, k);
-    Hacl_Chacha20Poly1305_32_poly1305_padded_32(ctx, aadlen, aad);
-    Hacl_Chacha20Poly1305_32_poly1305_padded_32(ctx, mlen, m);
-    store64_le(block, (uint64_t)aadlen);
-    store64_le(block + (uint32_t)8U, (uint64_t)mlen);
-    uint64_t *pre = ctx + (uint32_t)5U;
-    uint64_t *acc = ctx;
-    uint64_t e[5U] = { 0U };
-    uint64_t u0 = load64_le(block);
-    uint64_t lo = u0;
-    uint64_t u = load64_le(block + (uint32_t)8U);
-    uint64_t hi = u;
-    uint64_t f0 = lo;
-    uint64_t f1 = hi;
-    uint64_t f010 = f0 & (uint64_t)0x3ffffffU;
-    uint64_t f110 = f0 >> (uint32_t)26U & (uint64_t)0x3ffffffU;
-    uint64_t f20 = f0 >> (uint32_t)52U | (f1 & (uint64_t)0x3fffU) << (uint32_t)12U;
-    uint64_t f30 = f1 >> (uint32_t)14U & (uint64_t)0x3ffffffU;
-    uint64_t f40 = f1 >> (uint32_t)40U;
-    uint64_t f01 = f010;
-    uint64_t f111 = f110;
-    uint64_t f2 = f20;
-    uint64_t f3 = f30;
-    uint64_t f41 = f40;
-    e[0U] = f01;
-    e[1U] = f111;
-    e[2U] = f2;
-    e[3U] = f3;
-    e[4U] = f41;
-    uint64_t b = (uint64_t)0x1000000U;
-    uint64_t mask = b;
-    uint64_t f4 = e[4U];
-    e[4U] = f4 | mask;
-    uint64_t *r = pre;
-    uint64_t *r5 = pre + (uint32_t)5U;
-    uint64_t r0 = r[0U];
-    uint64_t r1 = r[1U];
-    uint64_t r2 = r[2U];
-    uint64_t r3 = r[3U];
-    uint64_t r4 = r[4U];
-    uint64_t r51 = r5[1U];
-    uint64_t r52 = r5[2U];
-    uint64_t r53 = r5[3U];
-    uint64_t r54 = r5[4U];
-    uint64_t f10 = e[0U];
-    uint64_t f11 = e[1U];
-    uint64_t f12 = e[2U];
-    uint64_t f13 = e[3U];
-    uint64_t f14 = e[4U];
-    uint64_t a0 = acc[0U];
-    uint64_t a1 = acc[1U];
-    uint64_t a2 = acc[2U];
-    uint64_t a3 = acc[3U];
-    uint64_t a4 = acc[4U];
-    uint64_t a01 = a0 + f10;
-    uint64_t a11 = a1 + f11;
-    uint64_t a21 = a2 + f12;
-    uint64_t a31 = a3 + f13;
-    uint64_t a41 = a4 + f14;
-    uint64_t a02 = r0 * a01;
-    uint64_t a12 = r1 * a01;
-    uint64_t a22 = r2 * a01;
-    uint64_t a32 = r3 * a01;
-    uint64_t a42 = r4 * a01;
-    uint64_t a03 = a02 + r54 * a11;
-    uint64_t a13 = a12 + r0 * a11;
-    uint64_t a23 = a22 + r1 * a11;
-    uint64_t a33 = a32 + r2 * a11;
-    uint64_t a43 = a42 + r3 * a11;
-    uint64_t a04 = a03 + r53 * a21;
-    uint64_t a14 = a13 + r54 * a21;
-    uint64_t a24 = a23 + r0 * a21;
-    uint64_t a34 = a33 + r1 * a21;
-    uint64_t a44 = a43 + r2 * a21;
-    uint64_t a05 = a04 + r52 * a31;
-    uint64_t a15 = a14 + r53 * a31;
-    uint64_t a25 = a24 + r54 * a31;
-    uint64_t a35 = a34 + r0 * a31;
-    uint64_t a45 = a44 + r1 * a31;
-    uint64_t a06 = a05 + r51 * a41;
-    uint64_t a16 = a15 + r52 * a41;
-    uint64_t a26 = a25 + r53 * a41;
-    uint64_t a36 = a35 + r54 * a41;
-    uint64_t a46 = a45 + r0 * a41;
-    uint64_t t0 = a06;
-    uint64_t t1 = a16;
-    uint64_t t2 = a26;
-    uint64_t t3 = a36;
-    uint64_t t4 = a46;
-    uint64_t l = t0 + (uint64_t)0U;
-    uint64_t tmp0 = l & (uint64_t)0x3ffffffU;
-    uint64_t c01 = l >> (uint32_t)26U;
-    uint64_t l0 = t1 + c01;
-    uint64_t tmp1 = l0 & (uint64_t)0x3ffffffU;
-    uint64_t c11 = l0 >> (uint32_t)26U;
-    uint64_t l1 = t2 + c11;
-    uint64_t tmp2 = l1 & (uint64_t)0x3ffffffU;
-    uint64_t c21 = l1 >> (uint32_t)26U;
-    uint64_t l2 = t3 + c21;
-    uint64_t tmp3 = l2 & (uint64_t)0x3ffffffU;
-    uint64_t c31 = l2 >> (uint32_t)26U;
-    uint64_t l3 = t4 + c31;
-    uint64_t tmp4 = l3 & (uint64_t)0x3ffffffU;
-    uint64_t c4 = l3 >> (uint32_t)26U;
-    uint64_t l4 = tmp0 + c4 * (uint64_t)5U;
-    uint64_t tmp01 = l4 & (uint64_t)0x3ffffffU;
-    uint64_t c5 = l4 >> (uint32_t)26U;
-    uint64_t tmp11 = tmp1 + c5;
-    uint64_t o0 = tmp01;
-    uint64_t o1 = tmp11;
-    uint64_t o2 = tmp2;
-    uint64_t o3 = tmp3;
-    uint64_t o4 = tmp4;
-    acc[0U] = o0;
-    acc[1U] = o1;
-    acc[2U] = o2;
-    acc[3U] = o3;
-    acc[4U] = o4;
-    Hacl_Poly1305_32_poly1305_finish(out, k, ctx);
-}
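[Annotation: throughout these routines the 25-word ctx appears to pack the accumulator in ctx[0..4] and precomputed key material from ctx[5] on: the code reads the limbs of r at ctx + 5 and a second table at ctx + 10 whose entries are consumed exactly where the reduction needs 5*r_i (the r54 * a11 style terms), since x * 2^130 = 5x modulo 2^130 - 5. poly1305_init is outside this hunk, but the precomputation its reads imply would be:]

    #include <stdint.h>

    /* Sketch of the 5*r table implied by the r5[] reads above; assumed,
       since poly1305_init is not shown in this changeset. */
    static void precompute_r5_sketch(const uint64_t r[5], uint64_t r5[5])
    {
        for (int i = 0; i < 5; i++)
            r5[i] = r[i] * (uint64_t)5U;
    }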
-
-void
-Hacl_Chacha20Poly1305_32_aead_encrypt(
-    uint8_t *k,
-    uint8_t *n1,
-    uint32_t aadlen,
-    uint8_t *aad,
-    uint32_t mlen,
-    uint8_t *m,
-    uint8_t *cipher,
-    uint8_t *mac)
-{
-    Hacl_Chacha20_chacha20_encrypt(mlen, cipher, m, k, n1, (uint32_t)1U);
-    uint8_t tmp[64U] = { 0U };
-    Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n1, (uint32_t)0U);
-    uint8_t *key = tmp;
-    Hacl_Chacha20Poly1305_32_poly1305_do_32(key, aadlen, aad, mlen, cipher, mac);
-}
-
-uint32_t
-Hacl_Chacha20Poly1305_32_aead_decrypt(
-    uint8_t *k,
-    uint8_t *n1,
-    uint32_t aadlen,
-    uint8_t *aad,
-    uint32_t mlen,
-    uint8_t *m,
-    uint8_t *cipher,
-    uint8_t *mac)
-{
-    uint8_t computed_mac[16U] = { 0U };
-    uint8_t tmp[64U] = { 0U };
-    Hacl_Chacha20_chacha20_encrypt((uint32_t)64U, tmp, tmp, k, n1, (uint32_t)0U);
-    uint8_t *key = tmp;
-    Hacl_Chacha20Poly1305_32_poly1305_do_32(key, aadlen, aad, mlen, cipher, computed_mac);
-    uint8_t res = (uint8_t)255U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-        uint8_t uu____0 = FStar_UInt8_eq_mask(computed_mac[i], mac[i]);
-        res = uu____0 & res;
-    }
-    uint8_t z = res;
-    if (z == (uint8_t)255U) {
-        Hacl_Chacha20_chacha20_encrypt(mlen, m, cipher, k, n1, (uint32_t)1U);
-        return (uint32_t)0U;
-    }
-    return (uint32_t)1U;
-}
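[Annotation: two properties of aead_decrypt are visible here: the tag is recomputed over the ciphertext and compared before anything is decrypted, so the plaintext buffer m is written only on success, and the return value is 0 for success, 1 for a tag mismatch. A hedged round-trip sketch against the scalar API; test scaffolding of my own, not part of NSS, and it needs the deleted headers to build:]

    #include <assert.h>
    #include <stdint.h>
    #include <string.h>
    #include "Hacl_Chacha20Poly1305_32.h"

    int main(void)
    {
        uint8_t key[32] = { 1 };
        uint8_t nonce[12] = { 2 };
        uint8_t aad[4] = { 3 };
        uint8_t msg[20] = "chacha20poly1305 ok";
        uint8_t ct[20], pt[20], tag[16];
        Hacl_Chacha20Poly1305_32_aead_encrypt(key, nonce, 4U, aad,
                                              20U, msg, ct, tag);
        uint32_t rc = Hacl_Chacha20Poly1305_32_aead_decrypt(key, nonce, 4U, aad,
                                                            20U, pt, ct, tag);
        assert(rc == 0U && memcmp(pt, msg, 20U) == 0);
        return 0;
    }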
deleted file mode 100644
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20Poly1305_32.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "kremlin/internal/types.h"
-#include "kremlin/lowstar_endianness.h"
-#include <string.h>
-#include <stdbool.h>
-
-#ifndef __Hacl_Chacha20Poly1305_32_H
-#define __Hacl_Chacha20Poly1305_32_H
-
-#include "Hacl_Chacha20.h"
-#include "Hacl_Kremlib.h"
-#include "Hacl_Poly1305_32.h"
-
-void
-Hacl_Chacha20Poly1305_32_aead_encrypt(
-    uint8_t *k,
-    uint8_t *n1,
-    uint32_t aadlen,
-    uint8_t *aad,
-    uint32_t mlen,
-    uint8_t *m,
-    uint8_t *cipher,
-    uint8_t *mac);
-
-uint32_t
-Hacl_Chacha20Poly1305_32_aead_decrypt(
-    uint8_t *k,
-    uint8_t *n1,
-    uint32_t aadlen,
-    uint8_t *aad,
-    uint32_t mlen,
-    uint8_t *m,
-    uint8_t *cipher,
-    uint8_t *mac);
-
-#define __Hacl_Chacha20Poly1305_32_H_DEFINED
-#endif
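[Annotation: the guard layout in these generated headers is slightly unusual: __Hacl_Chacha20Poly1305_32_H protects the body, while the separate _DEFINED macro at the bottom is set only after the declarations have been emitted, which would let other generated headers test for it. That reading is an inference from the pattern, not documented in the hunk; an assumed consumer check would look like:]

    #include "Hacl_Chacha20Poly1305_32.h"
    #ifndef __Hacl_Chacha20Poly1305_32_H_DEFINED
    #error "Hacl_Chacha20Poly1305_32 declarations not available"
    #endif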
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
@@ -1,792 +1,390 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
 #include "Hacl_Chacha20_Vec128.h"
 
-static void
-Hacl_Chacha20_Vec128_double_round_128(Lib_IntVector_Intrinsics_vec128 *st)
+inline static void
+Hacl_Impl_Chacha20_Vec128_State_state_incr(vec *k)
+{
+    vec k3 = k[3U];
+    k[3U] = vec_increment(k3);
+}
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_State_state_to_key_block(uint8_t *stream_block, vec *k)
+{
+    vec k0 = k[0U];
+    vec k1 = k[1U];
+    vec k2 = k[2U];
+    vec k3 = k[3U];
+    uint8_t *a = stream_block;
+    uint8_t *b = stream_block + (uint32_t)16U;
+    uint8_t *c = stream_block + (uint32_t)32U;
+    uint8_t *d = stream_block + (uint32_t)48U;
+    vec_store_le(a, k0);
+    vec_store_le(b, k1);
+    vec_store_le(c, k2);
+    vec_store_le(d, k3);
+}
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_State_state_setup(vec *st, uint8_t *k, uint8_t *n1, uint32_t c)
+{
+    st[0U] =
+        vec_load_32x4((uint32_t)0x61707865U,
+                      (uint32_t)0x3320646eU,
+                      (uint32_t)0x79622d32U,
+                      (uint32_t)0x6b206574U);
+    vec k0 = vec_load128_le(k);
+    vec k1 = vec_load128_le(k + (uint32_t)16U);
+    st[1U] = k0;
+    st[2U] = k1;
+    uint32_t n0 = load32_le(n1);
+    uint8_t *x00 = n1 + (uint32_t)4U;
+    uint32_t n10 = load32_le(x00);
+    uint8_t *x0 = n1 + (uint32_t)8U;
+    uint32_t n2 = load32_le(x0);
+    vec v1 = vec_load_32x4(c, n0, n10, n2);
+    st[3U] = v1;
+}
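
The setup above is the RFC 8439 state arranged as four 128-bit rows: row 0 holds the constants 0x61707865..0x6b206574 ("expand 32-byte k" in little-endian ASCII), rows 1-2 the 256-bit key, and row 3 the 32-bit counter followed by the 96-bit nonce. The same layout over a flat uint32_t[16], as a scalar reference sketch rather than extracted code:

    #include <stdint.h>

    static uint32_t le32(const uint8_t *b)
    {
        return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
               (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    }

    static void chacha20_setup(uint32_t st[16], const uint8_t key[32],
                               const uint8_t nonce[12], uint32_t ctr)
    {
        st[0] = 0x61707865U; /* "expa" */
        st[1] = 0x3320646eU; /* "nd 3" */
        st[2] = 0x79622d32U; /* "2-by" */
        st[3] = 0x6b206574U; /* "te k" */
        for (int i = 0; i < 8; i++)
            st[4 + i] = le32(key + 4 * i); /* key as little-endian words */
        st[12] = ctr;                      /* block counter */
        st[13] = le32(nonce);              /* 96-bit nonce */
        st[14] = le32(nonce + 4);
        st[15] = le32(nonce + 8);
    }
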
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_round(vec *st)
 {
-    st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[4U]);
-    Lib_IntVector_Intrinsics_vec128 std = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[0U]);
-    st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std, (uint32_t)16U);
-    st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[12U]);
-    Lib_IntVector_Intrinsics_vec128 std0 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[8U]);
-    st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std0, (uint32_t)12U);
-    st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[4U]);
-    Lib_IntVector_Intrinsics_vec128 std1 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[0U]);
-    st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std1, (uint32_t)8U);
-    st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[12U]);
-    Lib_IntVector_Intrinsics_vec128 std2 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[8U]);
-    st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std2, (uint32_t)7U);
-    st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[5U]);
-    Lib_IntVector_Intrinsics_vec128 std3 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[1U]);
-    st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std3, (uint32_t)16U);
-    st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[13U]);
-    Lib_IntVector_Intrinsics_vec128 std4 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[9U]);
-    st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std4, (uint32_t)12U);
-    st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[5U]);
-    Lib_IntVector_Intrinsics_vec128 std5 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[1U]);
-    st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std5, (uint32_t)8U);
-    st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[13U]);
-    Lib_IntVector_Intrinsics_vec128 std6 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[9U]);
-    st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std6, (uint32_t)7U);
-    st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[6U]);
-    Lib_IntVector_Intrinsics_vec128 std7 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[2U]);
-    st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std7, (uint32_t)16U);
-    st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[14U]);
-    Lib_IntVector_Intrinsics_vec128 std8 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[10U]);
-    st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std8, (uint32_t)12U);
-    st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[6U]);
-    Lib_IntVector_Intrinsics_vec128 std9 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[2U]);
-    st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std9, (uint32_t)8U);
-    st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[14U]);
-    Lib_IntVector_Intrinsics_vec128 std10 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[10U]);
-    st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std10, (uint32_t)7U);
-    st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[7U]);
-    Lib_IntVector_Intrinsics_vec128 std11 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[3U]);
-    st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std11, (uint32_t)16U);
-    st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[15U]);
-    Lib_IntVector_Intrinsics_vec128 std12 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[11U]);
-    st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std12, (uint32_t)12U);
-    st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[7U]);
-    Lib_IntVector_Intrinsics_vec128 std13 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[3U]);
-    st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std13, (uint32_t)8U);
-    st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[15U]);
-    Lib_IntVector_Intrinsics_vec128 std14 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[11U]);
-    st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std14, (uint32_t)7U);
-    st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[5U]);
-    Lib_IntVector_Intrinsics_vec128 std15 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[0U]);
-    st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std15, (uint32_t)16U);
-    st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[15U]);
-    Lib_IntVector_Intrinsics_vec128 std16 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[10U]);
-    st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std16, (uint32_t)12U);
-    st[0U] = Lib_IntVector_Intrinsics_vec128_add32(st[0U], st[5U]);
-    Lib_IntVector_Intrinsics_vec128 std17 = Lib_IntVector_Intrinsics_vec128_xor(st[15U], st[0U]);
-    st[15U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std17, (uint32_t)8U);
-    st[10U] = Lib_IntVector_Intrinsics_vec128_add32(st[10U], st[15U]);
-    Lib_IntVector_Intrinsics_vec128 std18 = Lib_IntVector_Intrinsics_vec128_xor(st[5U], st[10U]);
-    st[5U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std18, (uint32_t)7U);
-    st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[6U]);
-    Lib_IntVector_Intrinsics_vec128 std19 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[1U]);
-    st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std19, (uint32_t)16U);
-    st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[12U]);
-    Lib_IntVector_Intrinsics_vec128 std20 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[11U]);
-    st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std20, (uint32_t)12U);
-    st[1U] = Lib_IntVector_Intrinsics_vec128_add32(st[1U], st[6U]);
-    Lib_IntVector_Intrinsics_vec128 std21 = Lib_IntVector_Intrinsics_vec128_xor(st[12U], st[1U]);
-    st[12U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std21, (uint32_t)8U);
-    st[11U] = Lib_IntVector_Intrinsics_vec128_add32(st[11U], st[12U]);
-    Lib_IntVector_Intrinsics_vec128 std22 = Lib_IntVector_Intrinsics_vec128_xor(st[6U], st[11U]);
-    st[6U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std22, (uint32_t)7U);
-    st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[7U]);
-    Lib_IntVector_Intrinsics_vec128 std23 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[2U]);
-    st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std23, (uint32_t)16U);
-    st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[13U]);
-    Lib_IntVector_Intrinsics_vec128 std24 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[8U]);
-    st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std24, (uint32_t)12U);
-    st[2U] = Lib_IntVector_Intrinsics_vec128_add32(st[2U], st[7U]);
-    Lib_IntVector_Intrinsics_vec128 std25 = Lib_IntVector_Intrinsics_vec128_xor(st[13U], st[2U]);
-    st[13U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std25, (uint32_t)8U);
-    st[8U] = Lib_IntVector_Intrinsics_vec128_add32(st[8U], st[13U]);
-    Lib_IntVector_Intrinsics_vec128 std26 = Lib_IntVector_Intrinsics_vec128_xor(st[7U], st[8U]);
-    st[7U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std26, (uint32_t)7U);
-    st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[4U]);
-    Lib_IntVector_Intrinsics_vec128 std27 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[3U]);
-    st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std27, (uint32_t)16U);
-    st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[14U]);
-    Lib_IntVector_Intrinsics_vec128 std28 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[9U]);
-    st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std28, (uint32_t)12U);
-    st[3U] = Lib_IntVector_Intrinsics_vec128_add32(st[3U], st[4U]);
-    Lib_IntVector_Intrinsics_vec128 std29 = Lib_IntVector_Intrinsics_vec128_xor(st[14U], st[3U]);
-    st[14U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std29, (uint32_t)8U);
-    st[9U] = Lib_IntVector_Intrinsics_vec128_add32(st[9U], st[14U]);
-    Lib_IntVector_Intrinsics_vec128 std30 = Lib_IntVector_Intrinsics_vec128_xor(st[4U], st[9U]);
-    st[4U] = Lib_IntVector_Intrinsics_vec128_rotate_left32(std30, (uint32_t)7U);
+    vec sa = st[0U];
+    vec sb0 = st[1U];
+    vec sd0 = st[3U];
+    vec sa10 = vec_add(sa, sb0);
+    vec sd10 = vec_rotate_left(vec_xor(sd0, sa10), (uint32_t)16U);
+    st[0U] = sa10;
+    st[3U] = sd10;
+    vec sa0 = st[2U];
+    vec sb1 = st[3U];
+    vec sd2 = st[1U];
+    vec sa11 = vec_add(sa0, sb1);
+    vec sd11 = vec_rotate_left(vec_xor(sd2, sa11), (uint32_t)12U);
+    st[2U] = sa11;
+    st[1U] = sd11;
+    vec sa2 = st[0U];
+    vec sb2 = st[1U];
+    vec sd3 = st[3U];
+    vec sa12 = vec_add(sa2, sb2);
+    vec sd12 = vec_rotate_left(vec_xor(sd3, sa12), (uint32_t)8U);
+    st[0U] = sa12;
+    st[3U] = sd12;
+    vec sa3 = st[2U];
+    vec sb = st[3U];
+    vec sd = st[1U];
+    vec sa1 = vec_add(sa3, sb);
+    vec sd1 = vec_rotate_left(vec_xor(sd, sa1), (uint32_t)7U);
+    st[2U] = sa1;
+    st[1U] = sd1;
+}
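
The round above runs the standard quarter-round on all four columns at once, one SIMD operation per scalar step; the rotation amounts 16, 12, 8, 7 match RFC 8439. The scalar quarter-round it vectorizes, for comparison (reference sketch):

    #include <stdint.h>

    #define ROTL32(x, n) (((x) << (n)) | ((x) >> (32 - (n))))

    static void quarter_round(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
    {
        *a += *b; *d ^= *a; *d = ROTL32(*d, 16);
        *c += *d; *b ^= *c; *b = ROTL32(*b, 12);
        *a += *b; *d ^= *a; *d = ROTL32(*d, 8);
        *c += *d; *b ^= *c; *b = ROTL32(*b, 7);
    }
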
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_double_round(vec *st)
+{
+    Hacl_Impl_Chacha20_Vec128_round(st);
+    vec r1 = st[1U];
+    vec r20 = st[2U];
+    vec r30 = st[3U];
+    st[1U] = vec_shuffle_right(r1, (uint32_t)1U);
+    st[2U] = vec_shuffle_right(r20, (uint32_t)2U);
+    st[3U] = vec_shuffle_right(r30, (uint32_t)3U);
+    Hacl_Impl_Chacha20_Vec128_round(st);
+    vec r10 = st[1U];
+    vec r2 = st[2U];
+    vec r3 = st[3U];
+    st[1U] = vec_shuffle_right(r10, (uint32_t)3U);
+    st[2U] = vec_shuffle_right(r2, (uint32_t)2U);
+    st[3U] = vec_shuffle_right(r3, (uint32_t)1U);
+}
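
double_round gets the diagonal rounds for free: rotating rows 1-3 by one, two and three lanes lines each diagonal of the 4x4 state up in a column, so the second call to the round function performs the diagonal quarter-rounds, and the mirrored shuffles (3, 2, 1) restore the row layout afterwards.
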
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_double_round3(vec *st, vec *st_, vec *st__)
+{
+    Hacl_Impl_Chacha20_Vec128_double_round(st);
+    Hacl_Impl_Chacha20_Vec128_double_round(st_);
+    Hacl_Impl_Chacha20_Vec128_double_round(st__);
+}
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_sum_states(vec *st_, vec *st)
+{
+    vec s0 = st[0U];
+    vec s1 = st[1U];
+    vec s2 = st[2U];
+    vec s3 = st[3U];
+    vec s0_ = st_[0U];
+    vec s1_ = st_[1U];
+    vec s2_ = st_[2U];
+    vec s3_ = st_[3U];
+    st_[0U] = vec_add(s0_, s0);
+    st_[1U] = vec_add(s1_, s1);
+    st_[2U] = vec_add(s2_, s2);
+    st_[3U] = vec_add(s3_, s3);
+}
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_copy_state(vec *st_, vec *st)
+{
+    vec st0 = st[0U];
+    vec st1 = st[1U];
+    vec st2 = st[2U];
+    vec st3 = st[3U];
+    st_[0U] = st0;
+    st_[1U] = st1;
+    st_[2U] = st2;
+    st_[3U] = st3;
+}
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_chacha20_core(vec *k, vec *st)
+{
+    Hacl_Impl_Chacha20_Vec128_copy_state(k, st);
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
+        Hacl_Impl_Chacha20_Vec128_double_round(k);
+    Hacl_Impl_Chacha20_Vec128_sum_states(k, st);
 }
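
chacha20_core is the block function's feed-forward shape: copy the state, apply ten double rounds (twenty rounds total), then add the original state back so the permutation cannot be inverted from the keystream alone. The same shape over a scalar state, assuming the quarter_round sketch above:

    static void double_round(uint32_t st[16])
    {
        /* columns */
        quarter_round(&st[0], &st[4], &st[8],  &st[12]);
        quarter_round(&st[1], &st[5], &st[9],  &st[13]);
        quarter_round(&st[2], &st[6], &st[10], &st[14]);
        quarter_round(&st[3], &st[7], &st[11], &st[15]);
        /* diagonals */
        quarter_round(&st[0], &st[5], &st[10], &st[15]);
        quarter_round(&st[1], &st[6], &st[11], &st[12]);
        quarter_round(&st[2], &st[7], &st[8],  &st[13]);
        quarter_round(&st[3], &st[4], &st[9],  &st[14]);
    }

    static void chacha20_core(uint32_t k[16], const uint32_t st[16])
    {
        for (int i = 0; i < 16; i++)
            k[i] = st[i];
        for (int i = 0; i < 10; i++)
            double_round(k);
        for (int i = 0; i < 16; i++)
            k[i] += st[i]; /* feed-forward */
    }
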
 
 static void
-Hacl_Chacha20_Vec128_chacha20_core_128(
-    Lib_IntVector_Intrinsics_vec128 *k,
-    Lib_IntVector_Intrinsics_vec128 *ctx,
-    uint32_t ctr)
+Hacl_Impl_Chacha20_Vec128_state_incr(vec *st)
+{
+    Hacl_Impl_Chacha20_Vec128_State_state_incr(st);
+}
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_chacha20_incr3(vec *k0, vec *k1, vec *k2, vec *st)
+{
+    Hacl_Impl_Chacha20_Vec128_copy_state(k0, st);
+    Hacl_Impl_Chacha20_Vec128_copy_state(k1, st);
+    Hacl_Impl_Chacha20_Vec128_state_incr(k1);
+    Hacl_Impl_Chacha20_Vec128_copy_state(k2, k1);
+    Hacl_Impl_Chacha20_Vec128_state_incr(k2);
+}
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_chacha20_sum3(vec *k0, vec *k1, vec *k2, vec *st)
+{
+    Hacl_Impl_Chacha20_Vec128_sum_states(k0, st);
+    Hacl_Impl_Chacha20_Vec128_state_incr(st);
+    Hacl_Impl_Chacha20_Vec128_sum_states(k1, st);
+    Hacl_Impl_Chacha20_Vec128_state_incr(st);
+    Hacl_Impl_Chacha20_Vec128_sum_states(k2, st);
+}
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_chacha20_core3(vec *k0, vec *k1, vec *k2, vec *st)
+{
+    Hacl_Impl_Chacha20_Vec128_chacha20_incr3(k0, k1, k2, st);
+    for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
+        Hacl_Impl_Chacha20_Vec128_double_round3(k0, k1, k2);
+    Hacl_Impl_Chacha20_Vec128_chacha20_sum3(k0, k1, k2, st);
+}
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_chacha20_block(uint8_t *stream_block, vec *st)
+{
+    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
+    vec k[4U];
+    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
+        k[_i] = vec_zero();
+    Hacl_Impl_Chacha20_Vec128_chacha20_core(k, st);
+    Hacl_Impl_Chacha20_Vec128_State_state_to_key_block(stream_block, k);
+}
+
+inline static void
+Hacl_Impl_Chacha20_Vec128_init(vec *st, uint8_t *k, uint8_t *n1, uint32_t ctr)
 {
-    memcpy(k, ctx, (uint32_t)16U * sizeof ctx[0U]);
-    uint32_t ctr_u32 = (uint32_t)4U * ctr;
-    Lib_IntVector_Intrinsics_vec128 cv = Lib_IntVector_Intrinsics_vec128_load32(ctr_u32);
-    k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    Hacl_Chacha20_Vec128_double_round_128(k);
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-        Lib_IntVector_Intrinsics_vec128 *os = k;
-        Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_add32(k[i], ctx[i]);
-        os[i] = x;
+    Hacl_Impl_Chacha20_Vec128_State_state_setup(st, k, n1, ctr);
+}
+
+static void
+Hacl_Impl_Chacha20_Vec128_update_last(uint8_t *output, uint8_t *plain, uint32_t len, vec *st)
+{
+    uint8_t block[64U] = { 0U };
+    Hacl_Impl_Chacha20_Vec128_chacha20_block(block, st);
+    uint8_t *mask = block;
+    for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
+        uint8_t xi = plain[i];
+        uint8_t yi = mask[i];
+        output[i] = xi ^ yi;
     }
-    k[12U] = Lib_IntVector_Intrinsics_vec128_add32(k[12U], cv);
+}
+
+static void
+Hacl_Impl_Chacha20_Vec128_xor_block(uint8_t *output, uint8_t *plain, vec *st)
+{
+    vec p0 = vec_load_le(plain);
+    vec p1 = vec_load_le(plain + (uint32_t)16U);
+    vec p2 = vec_load_le(plain + (uint32_t)32U);
+    vec p3 = vec_load_le(plain + (uint32_t)48U);
+    vec k0 = st[0U];
+    vec k1 = st[1U];
+    vec k2 = st[2U];
+    vec k3 = st[3U];
+    vec o00 = vec_xor(p0, k0);
+    vec o10 = vec_xor(p1, k1);
+    vec o20 = vec_xor(p2, k2);
+    vec o30 = vec_xor(p3, k3);
+    uint8_t *o0 = output;
+    uint8_t *o1 = output + (uint32_t)16U;
+    uint8_t *o2 = output + (uint32_t)32U;
+    uint8_t *o3 = output + (uint32_t)48U;
+    vec_store_le(o0, o00);
+    vec_store_le(o1, o10);
+    vec_store_le(o2, o20);
+    vec_store_le(o3, o30);
+}
+
+static void
+Hacl_Impl_Chacha20_Vec128_update(uint8_t *output, uint8_t *plain, vec *st)
+{
+    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
+    vec k[4U];
+    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
+        k[_i] = vec_zero();
+    Hacl_Impl_Chacha20_Vec128_chacha20_core(k, st);
+    Hacl_Impl_Chacha20_Vec128_xor_block(output, plain, k);
 }
 
 static void
-Hacl_Chacha20_Vec128_chacha20_init_128(
-    Lib_IntVector_Intrinsics_vec128 *ctx,
+Hacl_Impl_Chacha20_Vec128_update3(uint8_t *output, uint8_t *plain, vec *st)
+{
+    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
+    vec k0[4U];
+    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
+        k0[_i] = vec_zero();
+    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
+    vec k1[4U];
+    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
+        k1[_i] = vec_zero();
+    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
+    vec k2[4U];
+    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
+        k2[_i] = vec_zero();
+    Hacl_Impl_Chacha20_Vec128_chacha20_core3(k0, k1, k2, st);
+    uint8_t *p0 = plain;
+    uint8_t *p1 = plain + (uint32_t)64U;
+    uint8_t *p2 = plain + (uint32_t)128U;
+    uint8_t *o0 = output;
+    uint8_t *o1 = output + (uint32_t)64U;
+    uint8_t *o2 = output + (uint32_t)128U;
+    Hacl_Impl_Chacha20_Vec128_xor_block(o0, p0, k0);
+    Hacl_Impl_Chacha20_Vec128_xor_block(o1, p1, k1);
+    Hacl_Impl_Chacha20_Vec128_xor_block(o2, p2, k2);
+}
+
+static void
+Hacl_Impl_Chacha20_Vec128_update3_(
+    uint8_t *output,
+    uint8_t *plain,
+    uint32_t len,
+    vec *st,
+    uint32_t i)
+{
+    uint8_t *out_block = output + (uint32_t)192U * i;
+    uint8_t *plain_block = plain + (uint32_t)192U * i;
+    Hacl_Impl_Chacha20_Vec128_update3(out_block, plain_block, st);
+    Hacl_Impl_Chacha20_Vec128_state_incr(st);
+}
+
+static void
+Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode_blocks3(
+    uint8_t *output,
+    uint8_t *plain,
+    uint32_t len,
+    vec *st)
+{
+    for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U)
+        Hacl_Impl_Chacha20_Vec128_update3_(output, plain, len, st, i);
+}
+
+static void
+Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode_blocks(
+    uint8_t *output,
+    uint8_t *plain,
+    uint32_t len,
+    vec *st)
+{
+    uint32_t len3 = len / (uint32_t)3U;
+    uint32_t rest3 = len % (uint32_t)3U;
+    uint8_t *plain_ = plain;
+    uint8_t *blocks1 = plain + (uint32_t)192U * len3;
+    uint8_t *output_ = output;
+    uint8_t *outs = output + (uint32_t)192U * len3;
+    Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode_blocks3(output_, plain_, len3, st);
+    if (rest3 == (uint32_t)2U) {
+        uint8_t *block0 = blocks1;
+        uint8_t *block1 = blocks1 + (uint32_t)64U;
+        uint8_t *out0 = outs;
+        uint8_t *out1 = outs + (uint32_t)64U;
+        Hacl_Impl_Chacha20_Vec128_update(out0, block0, st);
+        Hacl_Impl_Chacha20_Vec128_state_incr(st);
+        Hacl_Impl_Chacha20_Vec128_update(out1, block1, st);
+        Hacl_Impl_Chacha20_Vec128_state_incr(st);
+    } else if (rest3 == (uint32_t)1U) {
+        Hacl_Impl_Chacha20_Vec128_update(outs, blocks1, st);
+        Hacl_Impl_Chacha20_Vec128_state_incr(st);
+    }
+}
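
The scheduler above counts in 64-byte blocks: len / 3 triples go through the three-way interleaved path (192 bytes per iteration), and the zero to two leftover blocks fall back to the single-block update, with the counter bumped after each one. For a hypothetical len of 11 blocks:

    uint32_t len   = 11U;       /* hypothetical block count           */
    uint32_t len3  = len / 3U;  /* 3 triples = 9 blocks (576 bytes)   */
    uint32_t rest3 = len % 3U;  /* 2 trailing blocks, done one by one */
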
+
+static void
+Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode(
+    uint8_t *output,
+    uint8_t *plain,
+    uint32_t len,
+    vec *st)
+{
+    uint32_t blocks_len = len >> (uint32_t)6U;
+    uint32_t part_len = len & (uint32_t)0x3fU;
+    uint8_t *output_ = output;
+    uint8_t *plain_ = plain;
+    uint8_t *output__ = output + (uint32_t)64U * blocks_len;
+    uint8_t *plain__ = plain + (uint32_t)64U * blocks_len;
+    Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode_blocks(output_, plain_, blocks_len, st);
+    if (part_len > (uint32_t)0U)
+        Hacl_Impl_Chacha20_Vec128_update_last(output__, plain__, part_len, st);
+}
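
chacha20_counter_mode splits the byte length into full blocks and a tail: len >> 6 full 64-byte blocks, and len & 0x3f remaining bytes that update_last XORs against one extra keystream block. With a hypothetical length of 150 bytes:

    uint32_t len        = 150U;
    uint32_t blocks_len = len >> 6U;   /* 2 full 64-byte blocks */
    uint32_t part_len   = len & 0x3fU; /* 22-byte partial block */
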
+
+static void
+Hacl_Impl_Chacha20_Vec128_chacha20(
+    uint8_t *output,
+    uint8_t *plain,
+    uint32_t len,
     uint8_t *k,
     uint8_t *n1,
     uint32_t ctr)
 {
-    uint32_t ctx1[16U] = { 0U };
-    uint32_t *uu____0 = ctx1;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
-        uint32_t *os = uu____0;
-        uint32_t x = Hacl_Impl_Chacha20_Vec_chacha20_constants[i];
-        os[i] = x;
-    }
-    uint32_t *uu____1 = ctx1 + (uint32_t)4U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)8U; i = i + (uint32_t)1U) {
-        uint32_t *os = uu____1;
-        uint8_t *bj = k + i * (uint32_t)4U;
-        uint32_t u = load32_le(bj);
-        uint32_t r = u;
-        uint32_t x = r;
-        os[i] = x;
-    }
-    ctx1[12U] = ctr;
-    uint32_t *uu____2 = ctx1 + (uint32_t)13U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)3U; i = i + (uint32_t)1U) {
-        uint32_t *os = uu____2;
-        uint8_t *bj = n1 + i * (uint32_t)4U;
-        uint32_t u = load32_le(bj);
-        uint32_t r = u;
-        uint32_t x = r;
-        os[i] = x;
-    }
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-        Lib_IntVector_Intrinsics_vec128 *os = ctx;
-        uint32_t x = ctx1[i];
-        Lib_IntVector_Intrinsics_vec128 x0 = Lib_IntVector_Intrinsics_vec128_load32(x);
-        os[i] = x0;
-    }
-    Lib_IntVector_Intrinsics_vec128
-        ctr1 =
-            Lib_IntVector_Intrinsics_vec128_load32s((uint32_t)3U,
-                                                    (uint32_t)2U,
-                                                    (uint32_t)1U,
-                                                    (uint32_t)0U);
-    Lib_IntVector_Intrinsics_vec128 c12 = ctx[12U];
-    ctx[12U] = Lib_IntVector_Intrinsics_vec128_add32(c12, ctr1);
+    KRML_CHECK_SIZE(vec_zero(), (uint32_t)4U);
+    vec buf[4U];
+    for (uint32_t _i = 0U; _i < (uint32_t)4U; ++_i)
+        buf[_i] = vec_zero();
+    vec *st = buf;
+    Hacl_Impl_Chacha20_Vec128_init(st, k, n1, ctr);
+    Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode(output, plain, len, st);
 }
 
 void
-Hacl_Chacha20_Vec128_chacha20_encrypt_128(
+Hacl_Chacha20_Vec128_chacha20(
+    uint8_t *output,
+    uint8_t *plain,
     uint32_t len,
-    uint8_t *out,
-    uint8_t *text,
-    uint8_t *key,
+    uint8_t *k,
     uint8_t *n1,
     uint32_t ctr)
 {
-    Lib_IntVector_Intrinsics_vec128 ctx[16U];
-    for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-        ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-    Hacl_Chacha20_Vec128_chacha20_init_128(ctx, key, n1, ctr);
-    uint32_t rem1 = len % ((uint32_t)4U * (uint32_t)64U);
-    uint32_t nb = len / ((uint32_t)4U * (uint32_t)64U);
-    uint32_t rem2 = len % ((uint32_t)4U * (uint32_t)64U);
-    for (uint32_t i0 = (uint32_t)0U; i0 < nb; i0 = i0 + (uint32_t)1U) {
-        uint8_t *uu____0 = out + i0 * (uint32_t)4U * (uint32_t)64U;
-        uint8_t *uu____1 = text + i0 * (uint32_t)256U;
-        Lib_IntVector_Intrinsics_vec128 k[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            k[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        Hacl_Chacha20_Vec128_chacha20_core_128(k, ctx, i0);
-        Lib_IntVector_Intrinsics_vec128 bl[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            bl[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128
-                x = Lib_IntVector_Intrinsics_vec128_load_le(uu____1 + i * (uint32_t)4U * (uint32_t)4U);
-            os[i] = x;
-        }
-        Lib_IntVector_Intrinsics_vec128 v00 = k[0U];
-        Lib_IntVector_Intrinsics_vec128 v16 = k[1U];
-        Lib_IntVector_Intrinsics_vec128 v20 = k[2U];
-        Lib_IntVector_Intrinsics_vec128 v30 = k[3U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v16);
-        Lib_IntVector_Intrinsics_vec128
-            v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v16);
-        Lib_IntVector_Intrinsics_vec128
-            v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30);
-        Lib_IntVector_Intrinsics_vec128
-            v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30);
-        Lib_IntVector_Intrinsics_vec128
-            v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_);
-        Lib_IntVector_Intrinsics_vec128
-            v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_);
-        Lib_IntVector_Intrinsics_vec128
-            v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_);
-        Lib_IntVector_Intrinsics_vec128
-            v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_);
-        Lib_IntVector_Intrinsics_vec128 v0 = v0__;
-        Lib_IntVector_Intrinsics_vec128 v1 = v1__;
-        Lib_IntVector_Intrinsics_vec128 v2 = v2__;
-        Lib_IntVector_Intrinsics_vec128 v3 = v3__;
-        Lib_IntVector_Intrinsics_vec128 v010 = k[4U];
-        Lib_IntVector_Intrinsics_vec128 v110 = k[5U];
-        Lib_IntVector_Intrinsics_vec128 v210 = k[6U];
-        Lib_IntVector_Intrinsics_vec128 v310 = k[7U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v010, v110);
-        Lib_IntVector_Intrinsics_vec128
-            v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v010, v110);
-        Lib_IntVector_Intrinsics_vec128
-            v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v210, v310);
-        Lib_IntVector_Intrinsics_vec128
-            v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v210, v310);
-        Lib_IntVector_Intrinsics_vec128
-            v0__0 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0);
-        Lib_IntVector_Intrinsics_vec128
-            v1__0 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0);
-        Lib_IntVector_Intrinsics_vec128
-            v2__0 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0);
-        Lib_IntVector_Intrinsics_vec128
-            v3__0 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0);
-        Lib_IntVector_Intrinsics_vec128 v4 = v0__0;
-        Lib_IntVector_Intrinsics_vec128 v5 = v1__0;
-        Lib_IntVector_Intrinsics_vec128 v6 = v2__0;
-        Lib_IntVector_Intrinsics_vec128 v7 = v3__0;
-        Lib_IntVector_Intrinsics_vec128 v011 = k[8U];
-        Lib_IntVector_Intrinsics_vec128 v111 = k[9U];
-        Lib_IntVector_Intrinsics_vec128 v211 = k[10U];
-        Lib_IntVector_Intrinsics_vec128 v311 = k[11U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v011, v111);
-        Lib_IntVector_Intrinsics_vec128
-            v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v011, v111);
-        Lib_IntVector_Intrinsics_vec128
-            v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v211, v311);
-        Lib_IntVector_Intrinsics_vec128
-            v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v211, v311);
-        Lib_IntVector_Intrinsics_vec128
-            v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1);
-        Lib_IntVector_Intrinsics_vec128
-            v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1);
-        Lib_IntVector_Intrinsics_vec128
-            v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1);
-        Lib_IntVector_Intrinsics_vec128
-            v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1);
-        Lib_IntVector_Intrinsics_vec128 v8 = v0__1;
-        Lib_IntVector_Intrinsics_vec128 v9 = v1__1;
-        Lib_IntVector_Intrinsics_vec128 v10 = v2__1;
-        Lib_IntVector_Intrinsics_vec128 v11 = v3__1;
-        Lib_IntVector_Intrinsics_vec128 v01 = k[12U];
-        Lib_IntVector_Intrinsics_vec128 v120 = k[13U];
-        Lib_IntVector_Intrinsics_vec128 v21 = k[14U];
-        Lib_IntVector_Intrinsics_vec128 v31 = k[15U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v01, v120);
-        Lib_IntVector_Intrinsics_vec128
-            v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v01, v120);
-        Lib_IntVector_Intrinsics_vec128
-            v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v21, v31);
-        Lib_IntVector_Intrinsics_vec128
-            v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v21, v31);
-        Lib_IntVector_Intrinsics_vec128
-            v0__2 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2);
-        Lib_IntVector_Intrinsics_vec128
-            v1__2 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2);
-        Lib_IntVector_Intrinsics_vec128
-            v2__2 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2);
-        Lib_IntVector_Intrinsics_vec128
-            v3__2 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2);
-        Lib_IntVector_Intrinsics_vec128 v12 = v0__2;
-        Lib_IntVector_Intrinsics_vec128 v13 = v1__2;
-        Lib_IntVector_Intrinsics_vec128 v14 = v2__2;
-        Lib_IntVector_Intrinsics_vec128 v15 = v3__2;
-        k[0U] = v0;
-        k[1U] = v4;
-        k[2U] = v8;
-        k[3U] = v12;
-        k[4U] = v1;
-        k[5U] = v5;
-        k[6U] = v9;
-        k[7U] = v13;
-        k[8U] = v2;
-        k[9U] = v6;
-        k[10U] = v10;
-        k[11U] = v14;
-        k[12U] = v3;
-        k[13U] = v7;
-        k[14U] = v11;
-        k[15U] = v15;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_xor(bl[i], k[i]);
-            os[i] = x;
-        }
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128_store_le(uu____0 + i * (uint32_t)16U, bl[i]);
-        }
-    }
-    if (rem2 > (uint32_t)0U) {
-        uint8_t *uu____2 = out + nb * (uint32_t)4U * (uint32_t)64U;
-        uint8_t *uu____3 = text + nb * (uint32_t)4U * (uint32_t)64U;
-        uint8_t plain[256U] = { 0U };
-        memcpy(plain, uu____3, rem1 * sizeof uu____3[0U]);
-        Lib_IntVector_Intrinsics_vec128 k[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            k[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        Hacl_Chacha20_Vec128_chacha20_core_128(k, ctx, nb);
-        Lib_IntVector_Intrinsics_vec128 bl[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            bl[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128
-                x = Lib_IntVector_Intrinsics_vec128_load_le(plain + i * (uint32_t)4U * (uint32_t)4U);
-            os[i] = x;
-        }
-        Lib_IntVector_Intrinsics_vec128 v00 = k[0U];
-        Lib_IntVector_Intrinsics_vec128 v16 = k[1U];
-        Lib_IntVector_Intrinsics_vec128 v20 = k[2U];
-        Lib_IntVector_Intrinsics_vec128 v30 = k[3U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v16);
-        Lib_IntVector_Intrinsics_vec128
-            v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v16);
-        Lib_IntVector_Intrinsics_vec128
-            v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30);
-        Lib_IntVector_Intrinsics_vec128
-            v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30);
-        Lib_IntVector_Intrinsics_vec128
-            v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_);
-        Lib_IntVector_Intrinsics_vec128
-            v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_);
-        Lib_IntVector_Intrinsics_vec128
-            v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_);
-        Lib_IntVector_Intrinsics_vec128
-            v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_);
-        Lib_IntVector_Intrinsics_vec128 v0 = v0__;
-        Lib_IntVector_Intrinsics_vec128 v1 = v1__;
-        Lib_IntVector_Intrinsics_vec128 v2 = v2__;
-        Lib_IntVector_Intrinsics_vec128 v3 = v3__;
-        Lib_IntVector_Intrinsics_vec128 v010 = k[4U];
-        Lib_IntVector_Intrinsics_vec128 v110 = k[5U];
-        Lib_IntVector_Intrinsics_vec128 v210 = k[6U];
-        Lib_IntVector_Intrinsics_vec128 v310 = k[7U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v010, v110);
-        Lib_IntVector_Intrinsics_vec128
-            v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v010, v110);
-        Lib_IntVector_Intrinsics_vec128
-            v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v210, v310);
-        Lib_IntVector_Intrinsics_vec128
-            v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v210, v310);
-        Lib_IntVector_Intrinsics_vec128
-            v0__0 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0);
-        Lib_IntVector_Intrinsics_vec128
-            v1__0 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0);
-        Lib_IntVector_Intrinsics_vec128
-            v2__0 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0);
-        Lib_IntVector_Intrinsics_vec128
-            v3__0 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0);
-        Lib_IntVector_Intrinsics_vec128 v4 = v0__0;
-        Lib_IntVector_Intrinsics_vec128 v5 = v1__0;
-        Lib_IntVector_Intrinsics_vec128 v6 = v2__0;
-        Lib_IntVector_Intrinsics_vec128 v7 = v3__0;
-        Lib_IntVector_Intrinsics_vec128 v011 = k[8U];
-        Lib_IntVector_Intrinsics_vec128 v111 = k[9U];
-        Lib_IntVector_Intrinsics_vec128 v211 = k[10U];
-        Lib_IntVector_Intrinsics_vec128 v311 = k[11U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v011, v111);
-        Lib_IntVector_Intrinsics_vec128
-            v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v011, v111);
-        Lib_IntVector_Intrinsics_vec128
-            v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v211, v311);
-        Lib_IntVector_Intrinsics_vec128
-            v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v211, v311);
-        Lib_IntVector_Intrinsics_vec128
-            v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1);
-        Lib_IntVector_Intrinsics_vec128
-            v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1);
-        Lib_IntVector_Intrinsics_vec128
-            v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1);
-        Lib_IntVector_Intrinsics_vec128
-            v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1);
-        Lib_IntVector_Intrinsics_vec128 v8 = v0__1;
-        Lib_IntVector_Intrinsics_vec128 v9 = v1__1;
-        Lib_IntVector_Intrinsics_vec128 v10 = v2__1;
-        Lib_IntVector_Intrinsics_vec128 v11 = v3__1;
-        Lib_IntVector_Intrinsics_vec128 v01 = k[12U];
-        Lib_IntVector_Intrinsics_vec128 v120 = k[13U];
-        Lib_IntVector_Intrinsics_vec128 v21 = k[14U];
-        Lib_IntVector_Intrinsics_vec128 v31 = k[15U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v01, v120);
-        Lib_IntVector_Intrinsics_vec128
-            v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v01, v120);
-        Lib_IntVector_Intrinsics_vec128
-            v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v21, v31);
-        Lib_IntVector_Intrinsics_vec128
-            v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v21, v31);
-        Lib_IntVector_Intrinsics_vec128
-            v0__2 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2);
-        Lib_IntVector_Intrinsics_vec128
-            v1__2 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2);
-        Lib_IntVector_Intrinsics_vec128
-            v2__2 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2);
-        Lib_IntVector_Intrinsics_vec128
-            v3__2 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2);
-        Lib_IntVector_Intrinsics_vec128 v12 = v0__2;
-        Lib_IntVector_Intrinsics_vec128 v13 = v1__2;
-        Lib_IntVector_Intrinsics_vec128 v14 = v2__2;
-        Lib_IntVector_Intrinsics_vec128 v15 = v3__2;
-        k[0U] = v0;
-        k[1U] = v4;
-        k[2U] = v8;
-        k[3U] = v12;
-        k[4U] = v1;
-        k[5U] = v5;
-        k[6U] = v9;
-        k[7U] = v13;
-        k[8U] = v2;
-        k[9U] = v6;
-        k[10U] = v10;
-        k[11U] = v14;
-        k[12U] = v3;
-        k[13U] = v7;
-        k[14U] = v11;
-        k[15U] = v15;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_xor(bl[i], k[i]);
-            os[i] = x;
-        }
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128_store_le(plain + i * (uint32_t)16U, bl[i]);
-        }
-        memcpy(uu____2, plain, rem1 * sizeof plain[0U]);
-    }
+    Hacl_Impl_Chacha20_Vec128_chacha20(output, plain, len, k, n1, ctr);
 }
-
-void
-Hacl_Chacha20_Vec128_chacha20_decrypt_128(
-    uint32_t len,
-    uint8_t *out,
-    uint8_t *cipher,
-    uint8_t *key,
-    uint8_t *n1,
-    uint32_t ctr)
-{
-    Lib_IntVector_Intrinsics_vec128 ctx[16U];
-    for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-        ctx[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-    Hacl_Chacha20_Vec128_chacha20_init_128(ctx, key, n1, ctr);
-    uint32_t rem1 = len % ((uint32_t)4U * (uint32_t)64U);
-    uint32_t nb = len / ((uint32_t)4U * (uint32_t)64U);
-    uint32_t rem2 = len % ((uint32_t)4U * (uint32_t)64U);
-    for (uint32_t i0 = (uint32_t)0U; i0 < nb; i0 = i0 + (uint32_t)1U) {
-        uint8_t *uu____0 = out + i0 * (uint32_t)4U * (uint32_t)64U;
-        uint8_t *uu____1 = cipher + i0 * (uint32_t)256U;
-        Lib_IntVector_Intrinsics_vec128 k[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            k[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        Hacl_Chacha20_Vec128_chacha20_core_128(k, ctx, i0);
-        Lib_IntVector_Intrinsics_vec128 bl[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            bl[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128
-                x = Lib_IntVector_Intrinsics_vec128_load_le(uu____1 + i * (uint32_t)4U * (uint32_t)4U);
-            os[i] = x;
-        }
-        Lib_IntVector_Intrinsics_vec128 v00 = k[0U];
-        Lib_IntVector_Intrinsics_vec128 v16 = k[1U];
-        Lib_IntVector_Intrinsics_vec128 v20 = k[2U];
-        Lib_IntVector_Intrinsics_vec128 v30 = k[3U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v16);
-        Lib_IntVector_Intrinsics_vec128
-            v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v16);
-        Lib_IntVector_Intrinsics_vec128
-            v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30);
-        Lib_IntVector_Intrinsics_vec128
-            v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30);
-        Lib_IntVector_Intrinsics_vec128
-            v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_);
-        Lib_IntVector_Intrinsics_vec128
-            v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_);
-        Lib_IntVector_Intrinsics_vec128
-            v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_);
-        Lib_IntVector_Intrinsics_vec128
-            v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_);
-        Lib_IntVector_Intrinsics_vec128 v0 = v0__;
-        Lib_IntVector_Intrinsics_vec128 v1 = v1__;
-        Lib_IntVector_Intrinsics_vec128 v2 = v2__;
-        Lib_IntVector_Intrinsics_vec128 v3 = v3__;
-        Lib_IntVector_Intrinsics_vec128 v010 = k[4U];
-        Lib_IntVector_Intrinsics_vec128 v110 = k[5U];
-        Lib_IntVector_Intrinsics_vec128 v210 = k[6U];
-        Lib_IntVector_Intrinsics_vec128 v310 = k[7U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v010, v110);
-        Lib_IntVector_Intrinsics_vec128
-            v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v010, v110);
-        Lib_IntVector_Intrinsics_vec128
-            v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v210, v310);
-        Lib_IntVector_Intrinsics_vec128
-            v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v210, v310);
-        Lib_IntVector_Intrinsics_vec128
-            v0__0 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0);
-        Lib_IntVector_Intrinsics_vec128
-            v1__0 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0);
-        Lib_IntVector_Intrinsics_vec128
-            v2__0 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0);
-        Lib_IntVector_Intrinsics_vec128
-            v3__0 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0);
-        Lib_IntVector_Intrinsics_vec128 v4 = v0__0;
-        Lib_IntVector_Intrinsics_vec128 v5 = v1__0;
-        Lib_IntVector_Intrinsics_vec128 v6 = v2__0;
-        Lib_IntVector_Intrinsics_vec128 v7 = v3__0;
-        Lib_IntVector_Intrinsics_vec128 v011 = k[8U];
-        Lib_IntVector_Intrinsics_vec128 v111 = k[9U];
-        Lib_IntVector_Intrinsics_vec128 v211 = k[10U];
-        Lib_IntVector_Intrinsics_vec128 v311 = k[11U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v011, v111);
-        Lib_IntVector_Intrinsics_vec128
-            v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v011, v111);
-        Lib_IntVector_Intrinsics_vec128
-            v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v211, v311);
-        Lib_IntVector_Intrinsics_vec128
-            v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v211, v311);
-        Lib_IntVector_Intrinsics_vec128
-            v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1);
-        Lib_IntVector_Intrinsics_vec128
-            v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1);
-        Lib_IntVector_Intrinsics_vec128
-            v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1);
-        Lib_IntVector_Intrinsics_vec128
-            v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1);
-        Lib_IntVector_Intrinsics_vec128 v8 = v0__1;
-        Lib_IntVector_Intrinsics_vec128 v9 = v1__1;
-        Lib_IntVector_Intrinsics_vec128 v10 = v2__1;
-        Lib_IntVector_Intrinsics_vec128 v11 = v3__1;
-        Lib_IntVector_Intrinsics_vec128 v01 = k[12U];
-        Lib_IntVector_Intrinsics_vec128 v120 = k[13U];
-        Lib_IntVector_Intrinsics_vec128 v21 = k[14U];
-        Lib_IntVector_Intrinsics_vec128 v31 = k[15U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v01, v120);
-        Lib_IntVector_Intrinsics_vec128
-            v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v01, v120);
-        Lib_IntVector_Intrinsics_vec128
-            v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v21, v31);
-        Lib_IntVector_Intrinsics_vec128
-            v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v21, v31);
-        Lib_IntVector_Intrinsics_vec128
-            v0__2 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2);
-        Lib_IntVector_Intrinsics_vec128
-            v1__2 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2);
-        Lib_IntVector_Intrinsics_vec128
-            v2__2 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2);
-        Lib_IntVector_Intrinsics_vec128
-            v3__2 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2);
-        Lib_IntVector_Intrinsics_vec128 v12 = v0__2;
-        Lib_IntVector_Intrinsics_vec128 v13 = v1__2;
-        Lib_IntVector_Intrinsics_vec128 v14 = v2__2;
-        Lib_IntVector_Intrinsics_vec128 v15 = v3__2;
-        k[0U] = v0;
-        k[1U] = v4;
-        k[2U] = v8;
-        k[3U] = v12;
-        k[4U] = v1;
-        k[5U] = v5;
-        k[6U] = v9;
-        k[7U] = v13;
-        k[8U] = v2;
-        k[9U] = v6;
-        k[10U] = v10;
-        k[11U] = v14;
-        k[12U] = v3;
-        k[13U] = v7;
-        k[14U] = v11;
-        k[15U] = v15;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_xor(bl[i], k[i]);
-            os[i] = x;
-        }
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128_store_le(uu____0 + i * (uint32_t)16U, bl[i]);
-        }
-    }
-    if (rem2 > (uint32_t)0U) {
-        uint8_t *uu____2 = out + nb * (uint32_t)4U * (uint32_t)64U;
-        uint8_t *uu____3 = cipher + nb * (uint32_t)4U * (uint32_t)64U;
-        uint8_t plain[256U] = { 0U };
-        memcpy(plain, uu____3, rem1 * sizeof uu____3[0U]);
-        Lib_IntVector_Intrinsics_vec128 k[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            k[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        Hacl_Chacha20_Vec128_chacha20_core_128(k, ctx, nb);
-        Lib_IntVector_Intrinsics_vec128 bl[16U];
-        for (uint32_t _i = 0U; _i < (uint32_t)16U; ++_i)
-            bl[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128
-                x = Lib_IntVector_Intrinsics_vec128_load_le(plain + i * (uint32_t)4U * (uint32_t)4U);
-            os[i] = x;
-        }
-        Lib_IntVector_Intrinsics_vec128 v00 = k[0U];
-        Lib_IntVector_Intrinsics_vec128 v16 = k[1U];
-        Lib_IntVector_Intrinsics_vec128 v20 = k[2U];
-        Lib_IntVector_Intrinsics_vec128 v30 = k[3U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v00, v16);
-        Lib_IntVector_Intrinsics_vec128
-            v1_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v00, v16);
-        Lib_IntVector_Intrinsics_vec128
-            v2_ = Lib_IntVector_Intrinsics_vec128_interleave_low32(v20, v30);
-        Lib_IntVector_Intrinsics_vec128
-            v3_ = Lib_IntVector_Intrinsics_vec128_interleave_high32(v20, v30);
-        Lib_IntVector_Intrinsics_vec128
-            v0__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_, v2_);
-        Lib_IntVector_Intrinsics_vec128
-            v1__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_, v2_);
-        Lib_IntVector_Intrinsics_vec128
-            v2__ = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_, v3_);
-        Lib_IntVector_Intrinsics_vec128
-            v3__ = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_, v3_);
-        Lib_IntVector_Intrinsics_vec128 v0 = v0__;
-        Lib_IntVector_Intrinsics_vec128 v1 = v1__;
-        Lib_IntVector_Intrinsics_vec128 v2 = v2__;
-        Lib_IntVector_Intrinsics_vec128 v3 = v3__;
-        Lib_IntVector_Intrinsics_vec128 v010 = k[4U];
-        Lib_IntVector_Intrinsics_vec128 v110 = k[5U];
-        Lib_IntVector_Intrinsics_vec128 v210 = k[6U];
-        Lib_IntVector_Intrinsics_vec128 v310 = k[7U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v010, v110);
-        Lib_IntVector_Intrinsics_vec128
-            v1_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v010, v110);
-        Lib_IntVector_Intrinsics_vec128
-            v2_0 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v210, v310);
-        Lib_IntVector_Intrinsics_vec128
-            v3_0 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v210, v310);
-        Lib_IntVector_Intrinsics_vec128
-            v0__0 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_0, v2_0);
-        Lib_IntVector_Intrinsics_vec128
-            v1__0 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_0, v2_0);
-        Lib_IntVector_Intrinsics_vec128
-            v2__0 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_0, v3_0);
-        Lib_IntVector_Intrinsics_vec128
-            v3__0 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_0, v3_0);
-        Lib_IntVector_Intrinsics_vec128 v4 = v0__0;
-        Lib_IntVector_Intrinsics_vec128 v5 = v1__0;
-        Lib_IntVector_Intrinsics_vec128 v6 = v2__0;
-        Lib_IntVector_Intrinsics_vec128 v7 = v3__0;
-        Lib_IntVector_Intrinsics_vec128 v011 = k[8U];
-        Lib_IntVector_Intrinsics_vec128 v111 = k[9U];
-        Lib_IntVector_Intrinsics_vec128 v211 = k[10U];
-        Lib_IntVector_Intrinsics_vec128 v311 = k[11U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v011, v111);
-        Lib_IntVector_Intrinsics_vec128
-            v1_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v011, v111);
-        Lib_IntVector_Intrinsics_vec128
-            v2_1 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v211, v311);
-        Lib_IntVector_Intrinsics_vec128
-            v3_1 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v211, v311);
-        Lib_IntVector_Intrinsics_vec128
-            v0__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_1, v2_1);
-        Lib_IntVector_Intrinsics_vec128
-            v1__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_1, v2_1);
-        Lib_IntVector_Intrinsics_vec128
-            v2__1 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_1, v3_1);
-        Lib_IntVector_Intrinsics_vec128
-            v3__1 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_1, v3_1);
-        Lib_IntVector_Intrinsics_vec128 v8 = v0__1;
-        Lib_IntVector_Intrinsics_vec128 v9 = v1__1;
-        Lib_IntVector_Intrinsics_vec128 v10 = v2__1;
-        Lib_IntVector_Intrinsics_vec128 v11 = v3__1;
-        Lib_IntVector_Intrinsics_vec128 v01 = k[12U];
-        Lib_IntVector_Intrinsics_vec128 v120 = k[13U];
-        Lib_IntVector_Intrinsics_vec128 v21 = k[14U];
-        Lib_IntVector_Intrinsics_vec128 v31 = k[15U];
-        Lib_IntVector_Intrinsics_vec128
-            v0_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v01, v120);
-        Lib_IntVector_Intrinsics_vec128
-            v1_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v01, v120);
-        Lib_IntVector_Intrinsics_vec128
-            v2_2 = Lib_IntVector_Intrinsics_vec128_interleave_low32(v21, v31);
-        Lib_IntVector_Intrinsics_vec128
-            v3_2 = Lib_IntVector_Intrinsics_vec128_interleave_high32(v21, v31);
-        Lib_IntVector_Intrinsics_vec128
-            v0__2 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v0_2, v2_2);
-        Lib_IntVector_Intrinsics_vec128
-            v1__2 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v0_2, v2_2);
-        Lib_IntVector_Intrinsics_vec128
-            v2__2 = Lib_IntVector_Intrinsics_vec128_interleave_low64(v1_2, v3_2);
-        Lib_IntVector_Intrinsics_vec128
-            v3__2 = Lib_IntVector_Intrinsics_vec128_interleave_high64(v1_2, v3_2);
-        Lib_IntVector_Intrinsics_vec128 v12 = v0__2;
-        Lib_IntVector_Intrinsics_vec128 v13 = v1__2;
-        Lib_IntVector_Intrinsics_vec128 v14 = v2__2;
-        Lib_IntVector_Intrinsics_vec128 v15 = v3__2;
-        k[0U] = v0;
-        k[1U] = v4;
-        k[2U] = v8;
-        k[3U] = v12;
-        k[4U] = v1;
-        k[5U] = v5;
-        k[6U] = v9;
-        k[7U] = v13;
-        k[8U] = v2;
-        k[9U] = v6;
-        k[10U] = v10;
-        k[11U] = v14;
-        k[12U] = v3;
-        k[13U] = v7;
-        k[14U] = v11;
-        k[15U] = v15;
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128 *os = bl;
-            Lib_IntVector_Intrinsics_vec128 x = Lib_IntVector_Intrinsics_vec128_xor(bl[i], k[i]);
-            os[i] = x;
-        }
-        for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
-            Lib_IntVector_Intrinsics_vec128_store_le(plain + i * (uint32_t)16U, bl[i]);
-        }
-        memcpy(uu____2, plain, rem1 * sizeof plain[0U]);
-    }
-}
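
The removed chacha20_encrypt_128/chacha20_decrypt_128 pair collapses back into the single Hacl_Chacha20_Vec128_chacha20 entry point of the restored version: ChaCha20 only XORs a keystream over its input, so one routine serves both directions. A sketch, with all buffers hypothetical:

    Hacl_Chacha20_Vec128_chacha20(cipher, plain,  len, key, nonce, 0U); /* encrypt */
    Hacl_Chacha20_Vec128_chacha20(plain2, cipher, len, key, nonce, 0U); /* decrypt */
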
--- a/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h
+++ b/security/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.h
@@ -1,55 +1,61 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
  *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  */
 
-#include "libintvector.h"
-#include "kremlin/internal/types.h"
-#include "kremlin/lowstar_endianness.h"
-#include <string.h>
-#include <stdbool.h>
-
+#include "kremlib.h"
 #ifndef __Hacl_Chacha20_Vec128_H
 #define __Hacl_Chacha20_Vec128_H
 
-#include "Hacl_Chacha20.h"
-#include "Hacl_Kremlib.h"
+#include "vec128.h"
+
+typedef uint32_t Hacl_Impl_Xor_Lemmas_u32;
+
+typedef uint8_t Hacl_Impl_Xor_Lemmas_u8;
+
+typedef uint32_t Hacl_Impl_Chacha20_Vec128_State_u32;
+
+typedef uint32_t Hacl_Impl_Chacha20_Vec128_State_h32;
+
+typedef uint8_t *Hacl_Impl_Chacha20_Vec128_State_uint8_p;
+
+typedef vec *Hacl_Impl_Chacha20_Vec128_State_state;
+
+typedef uint32_t Hacl_Impl_Chacha20_Vec128_u32;
+
+typedef uint32_t Hacl_Impl_Chacha20_Vec128_h32;
+
+typedef uint8_t *Hacl_Impl_Chacha20_Vec128_uint8_p;
+
+typedef uint32_t Hacl_Impl_Chacha20_Vec128_idx;
+
+typedef struct
+{
+    void *k;
+    void *n;
+    uint32_t ctr;
+} Hacl_Impl_Chacha20_Vec128_log_t_;
+
+typedef void *Hacl_Impl_Chacha20_Vec128_log_t;
+
+typedef uint8_t *Hacl_Chacha20_Vec128_uint8_p;
 
 void
-Hacl_Chacha20_Vec128_chacha20_encrypt_128(
+Hacl_Chacha20_Vec128_chacha20(
+    uint8_t *output,
+    uint8_t *plain,
     uint32_t len,
-    uint8_t *out,
-    uint8_t *text,
-    uint8_t *key,
+    uint8_t *k,
     uint8_t *n1,
     uint32_t ctr);
-
-void
-Hacl_Chacha20_Vec128_chacha20_decrypt_128(
-    uint32_t len,
-    uint8_t *out,
-    uint8_t *cipher,
-    uint8_t *key,
-    uint8_t *n1,
-    uint32_t ctr);
-
-#define __Hacl_Chacha20_Vec128_H_DEFINED
 #endif
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/verified/Hacl_Curve25519.c
@@ -0,0 +1,845 @@
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "Hacl_Curve25519.h"
+
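+/*
+ * The arithmetic below works modulo p = 2^255 - 19. A field element is held
+ * in radix-2^51: five uint64 limbs of at most 51 significant bits each.
+ * Because 2^255 = 19 (mod p), bits carried past position 255 can be folded
+ * back into limb 0 with a factor of 19; carry_top does exactly that for the
+ * top limb.
+ */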
+static void
+Hacl_Bignum_Modulo_carry_top(uint64_t *b)
+{
+    uint64_t b4 = b[4U];
+    uint64_t b0 = b[0U];
+    uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU;
+    uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U);
+    b[4U] = b4_;
+    b[0U] = b0_;
+}
+
+inline static void
+Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_t *input)
+{
+    {
+        FStar_UInt128_t xi = input[0U];
+        output[0U] = FStar_UInt128_uint128_to_uint64(xi);
+    }
+    {
+        FStar_UInt128_t xi = input[1U];
+        output[1U] = FStar_UInt128_uint128_to_uint64(xi);
+    }
+    {
+        FStar_UInt128_t xi = input[2U];
+        output[2U] = FStar_UInt128_uint128_to_uint64(xi);
+    }
+    {
+        FStar_UInt128_t xi = input[3U];
+        output[3U] = FStar_UInt128_uint128_to_uint64(xi);
+    }
+    {
+        FStar_UInt128_t xi = input[4U];
+        output[4U] = FStar_UInt128_uint128_to_uint64(xi);
+    }
+}
+
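+/* Multiply-accumulate, fully unrolled: output[i] += input[i] * s, with each
+ * accumulator held as a 128-bit value so no intermediate reduction is
+ * needed. */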
+inline static void
+Hacl_Bignum_Fproduct_sum_scalar_multiplication_(
+    FStar_UInt128_t *output,
+    uint64_t *input,
+    uint64_t s)
+{
+    {
+        FStar_UInt128_t xi = output[0U];
+        uint64_t yi = input[0U];
+        output[0U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
+    }
+    {
+        FStar_UInt128_t xi = output[1U];
+        uint64_t yi = input[1U];
+        output[1U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
+    }
+    {
+        FStar_UInt128_t xi = output[2U];
+        uint64_t yi = input[2U];
+        output[2U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
+    }
+    {
+        FStar_UInt128_t xi = output[3U];
+        uint64_t yi = input[3U];
+        output[3U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
+    }
+    {
+        FStar_UInt128_t xi = output[4U];
+        uint64_t yi = input[4U];
+        output[4U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
+    }
+}
+
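+/* Carry pass over the wide accumulators: each of limbs 0 through 3 keeps
+ * its low 51 bits and pushes the rest into the next limb; the caller folds
+ * the overflow of limb 4 back into limb 0. */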
+inline static void
+Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_t *tmp)
+{
+    {
+        uint32_t ctr = (uint32_t)0U;
+        FStar_UInt128_t tctr = tmp[ctr];
+        FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
+        uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
+        FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
+        tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
+        tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
+    }
+    {
+        uint32_t ctr = (uint32_t)1U;
+        FStar_UInt128_t tctr = tmp[ctr];
+        FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
+        uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
+        FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
+        tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
+        tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
+    }
+    {
+        uint32_t ctr = (uint32_t)2U;
+        FStar_UInt128_t tctr = tmp[ctr];
+        FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
+        uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
+        FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
+        tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
+        tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
+    }
+    {
+        uint32_t ctr = (uint32_t)3U;
+        FStar_UInt128_t tctr = tmp[ctr];
+        FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
+        uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
+        FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
+        tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
+        tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
+    }
+}
+
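+/* Multiply by 2^51 modulo p: rotate the limbs up by one position and scale
+ * the limb that wrapped around by 19. */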
+inline static void
+Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
+{
+    uint64_t tmp = output[4U];
+    {
+        uint32_t ctr = (uint32_t)5U - (uint32_t)0U - (uint32_t)1U;
+        uint64_t z = output[ctr - (uint32_t)1U];
+        output[ctr] = z;
+    }
+    {
+        uint32_t ctr = (uint32_t)5U - (uint32_t)1U - (uint32_t)1U;
+        uint64_t z = output[ctr - (uint32_t)1U];
+        output[ctr] = z;
+    }
+    {
+        uint32_t ctr = (uint32_t)5U - (uint32_t)2U - (uint32_t)1U;
+        uint64_t z = output[ctr - (uint32_t)1U];
+        output[ctr] = z;
+    }
+    {
+        uint32_t ctr = (uint32_t)5U - (uint32_t)3U - (uint32_t)1U;
+        uint64_t z = output[ctr - (uint32_t)1U];
+        output[ctr] = z;
+    }
+    output[0U] = tmp;
+    uint64_t b0 = output[0U];
+    output[0U] = (uint64_t)19U * b0;
+}
+
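+/* Schoolbook multiplication, one scalar row at a time: accumulate
+ * input * input21[i] into the wide output, multiplying input by 2^51
+ * (mod p) between rows; the final row skips the shift. */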
+static void
+Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input21)
+{
+    {
+        uint64_t input2i = input21[0U];
+        Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
+        Hacl_Bignum_Fmul_shift_reduce(input);
+    }
+    {
+        uint64_t input2i = input21[1U];
+        Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
+        Hacl_Bignum_Fmul_shift_reduce(input);
+    }
+    {
+        uint64_t input2i = input21[2U];
+        Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
+        Hacl_Bignum_Fmul_shift_reduce(input);
+    }
+    {
+        uint64_t input2i = input21[3U];
+        Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
+        Hacl_Bignum_Fmul_shift_reduce(input);
+    }
+    uint32_t i = (uint32_t)4U;
+    uint64_t input2i = input21[i];
+    Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
+}
+
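+/* Full field multiplication: form the wide product, run a carry pass, fold
+ * the overflow of limb 4 back into limb 0 with a factor of 19, then carry
+ * once more from limb 0 into limb 1. */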
+inline static void
+Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input21)
+{
+    uint64_t tmp[5U] = { 0U };
+    memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
+    KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
+    FStar_UInt128_t t[5U];
+    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
+        t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
+    Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input21);
+    Hacl_Bignum_Fproduct_carry_wide_(t);
+    FStar_UInt128_t b4 = t[4U];
+    FStar_UInt128_t b0 = t[0U];
+    FStar_UInt128_t
+        b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
+    FStar_UInt128_t
+        b0_ =
+            FStar_UInt128_add(b0,
+                              FStar_UInt128_mul_wide((uint64_t)19U,
+                                                     FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
+    t[4U] = b4_;
+    t[0U] = b0_;
+    Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
+    uint64_t i0 = output[0U];
+    uint64_t i1 = output[1U];
+    uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
+    uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
+    output[0U] = i0_;
+    output[1U] = i1_;
+}
+
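+/* Dedicated squaring: cross terms are doubled up front (d0, d1, d4) and the
+ * factors of 19 account for limb products whose weight wraps past 2^255. */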
+inline static void
+Hacl_Bignum_Fsquare_fsquare__(FStar_UInt128_t *tmp, uint64_t *output)
+{
+    uint64_t r0 = output[0U];
+    uint64_t r1 = output[1U];
+    uint64_t r2 = output[2U];
+    uint64_t r3 = output[3U];
+    uint64_t r4 = output[4U];
+    uint64_t d0 = r0 * (uint64_t)2U;
+    uint64_t d1 = r1 * (uint64_t)2U;
+    uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U;
+    uint64_t d419 = r4 * (uint64_t)19U;
+    uint64_t d4 = d419 * (uint64_t)2U;
+    FStar_UInt128_t
+        s0 =
+            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(r0, r0),
+                                                FStar_UInt128_mul_wide(d4, r1)),
+                              FStar_UInt128_mul_wide(d2, r3));
+    FStar_UInt128_t
+        s1 =
+            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r1),
+                                                FStar_UInt128_mul_wide(d4, r2)),
+                              FStar_UInt128_mul_wide(r3 * (uint64_t)19U, r3));
+    FStar_UInt128_t
+        s2 =
+            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r2),
+                                                FStar_UInt128_mul_wide(r1, r1)),
+                              FStar_UInt128_mul_wide(d4, r3));
+    FStar_UInt128_t
+        s3 =
+            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r3),
+                                                FStar_UInt128_mul_wide(d1, r2)),
+                              FStar_UInt128_mul_wide(r4, d419));
+    FStar_UInt128_t
+        s4 =
+            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r4),
+                                                FStar_UInt128_mul_wide(d1, r3)),
+                              FStar_UInt128_mul_wide(r2, r2));
+    tmp[0U] = s0;
+    tmp[1U] = s1;
+    tmp[2U] = s2;
+    tmp[3U] = s3;
+    tmp[4U] = s4;
+}
+
+inline static void
+Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_t *tmp, uint64_t *output)
+{
+    Hacl_Bignum_Fsquare_fsquare__(tmp, output);
+    Hacl_Bignum_Fproduct_carry_wide_(tmp);
+    FStar_UInt128_t b4 = tmp[4U];
+    FStar_UInt128_t b0 = tmp[0U];
+    FStar_UInt128_t
+        b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
+    FStar_UInt128_t
+        b0_ =
+            FStar_UInt128_add(b0,
+                              FStar_UInt128_mul_wide((uint64_t)19U,
+                                                     FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
+    tmp[4U] = b4_;
+    tmp[0U] = b0_;
+    Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
+    uint64_t i0 = output[0U];
+    uint64_t i1 = output[1U];
+    uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
+    uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
+    output[0U] = i0_;
+    output[1U] = i1_;
+}
+
+static void
+Hacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, FStar_UInt128_t *tmp, uint32_t count1)
+{
+    Hacl_Bignum_Fsquare_fsquare_(tmp, input);
+    for (uint32_t i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U)
+        Hacl_Bignum_Fsquare_fsquare_(tmp, input);
+}
+
+inline static void
+Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1)
+{
+    KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
+    FStar_UInt128_t t[5U];
+    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
+        t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
+    memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
+    Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
+}
+
+inline static void
+Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1)
+{
+    KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
+    FStar_UInt128_t t[5U];
+    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
+        t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
+    Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
+}
+
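+/* Field inversion via Fermat's little theorem: out = z^(p-2) mod p,
+ * computed with a fixed chain of fsquare_times and fmul calls, so the
+ * sequence of operations does not depend on the secret input. */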
+inline static void
+Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z)
+{
+    uint64_t buf[20U] = { 0U };
+    uint64_t *a = buf;
+    uint64_t *t00 = buf + (uint32_t)5U;
+    uint64_t *b0 = buf + (uint32_t)10U;
+    Hacl_Bignum_Fsquare_fsquare_times(a, z, (uint32_t)1U);
+    Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)2U);
+    Hacl_Bignum_Fmul_fmul(b0, t00, z);
+    Hacl_Bignum_Fmul_fmul(a, b0, a);
+    Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)1U);
+    Hacl_Bignum_Fmul_fmul(b0, t00, b0);
+    Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U);
+    uint64_t *t01 = buf + (uint32_t)5U;
+    uint64_t *b1 = buf + (uint32_t)10U;
+    uint64_t *c0 = buf + (uint32_t)15U;
+    Hacl_Bignum_Fmul_fmul(b1, t01, b1);
+    Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U);
+    Hacl_Bignum_Fmul_fmul(c0, t01, b1);
+    Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U);
+    Hacl_Bignum_Fmul_fmul(t01, t01, c0);
+    Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U);
+    Hacl_Bignum_Fmul_fmul(b1, t01, b1);
+    Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U);
+    uint64_t *a0 = buf;
+    uint64_t *t0 = buf + (uint32_t)5U;
+    uint64_t *b = buf + (uint32_t)10U;
+    uint64_t *c = buf + (uint32_t)15U;
+    Hacl_Bignum_Fmul_fmul(c, t0, b);
+    Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U);
+    Hacl_Bignum_Fmul_fmul(t0, t0, c);
+    Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U);
+    Hacl_Bignum_Fmul_fmul(t0, t0, b);
+    Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U);
+    Hacl_Bignum_Fmul_fmul(out, t0, a0);
+}
+
+inline static void
+Hacl_Bignum_fsum(uint64_t *a, uint64_t *b)
+{
+    {
+        uint64_t xi = a[0U];
+        uint64_t yi = b[0U];
+        a[0U] = xi + yi;
+    }
+    {
+        uint64_t xi = a[1U];
+        uint64_t yi = b[1U];
+        a[1U] = xi + yi;
+    }
+    {
+        uint64_t xi = a[2U];
+        uint64_t yi = b[2U];
+        a[2U] = xi + yi;
+    }
+    {
+        uint64_t xi = a[3U];
+        uint64_t yi = b[3U];
+        a[3U] = xi + yi;
+    }
+    {
+        uint64_t xi = a[4U];
+        uint64_t yi = b[4U];
+        a[4U] = xi + yi;
+    }
+}
+
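+/* Compute a := b - a. To avoid underflow, a multiple of p (8*p, spelled out
+ * limb-wise: 0x3fffffffffff68 = 8*(2^51 - 19) and 0x3ffffffffffff8 =
+ * 8*(2^51 - 1)) is added to b before subtracting. */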
+inline static void
+Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b)
+{
+    uint64_t tmp[5U] = { 0U };
+    memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]);
+    uint64_t b0 = tmp[0U];
+    uint64_t b1 = tmp[1U];
+    uint64_t b2 = tmp[2U];
+    uint64_t b3 = tmp[3U];
+    uint64_t b4 = tmp[4U];
+    tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U;
+    tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U;
+    tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U;
+    tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U;
+    tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U;
+    {
+        uint64_t xi = a[0U];
+        uint64_t yi = tmp[0U];
+        a[0U] = yi - xi;
+    }
+    {
+        uint64_t xi = a[1U];
+        uint64_t yi = tmp[1U];
+        a[1U] = yi - xi;
+    }
+    {
+        uint64_t xi = a[2U];
+        uint64_t yi = tmp[2U];
+        a[2U] = yi - xi;
+    }
+    {
+        uint64_t xi = a[3U];
+        uint64_t yi = tmp[3U];
+        a[3U] = yi - xi;
+    }
+    {
+        uint64_t xi = a[4U];
+        uint64_t yi = tmp[4U];
+        a[4U] = yi - xi;
+    }
+}
+
+inline static void
+Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s)
+{
+    KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
+    FStar_UInt128_t tmp[5U];
+    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
+        tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
+    {
+        uint64_t xi = b[0U];
+        tmp[0U] = FStar_UInt128_mul_wide(xi, s);
+    }
+    {
+        uint64_t xi = b[1U];
+        tmp[1U] = FStar_UInt128_mul_wide(xi, s);
+    }
+    {
+        uint64_t xi = b[2U];
+        tmp[2U] = FStar_UInt128_mul_wide(xi, s);
+    }
+    {
+        uint64_t xi = b[3U];
+        tmp[3U] = FStar_UInt128_mul_wide(xi, s);
+    }
+    {
+        uint64_t xi = b[4U];
+        tmp[4U] = FStar_UInt128_mul_wide(xi, s);
+    }
+    Hacl_Bignum_Fproduct_carry_wide_(tmp);
+    FStar_UInt128_t b4 = tmp[4U];
+    FStar_UInt128_t b0 = tmp[0U];
+    FStar_UInt128_t
+        b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
+    FStar_UInt128_t
+        b0_ =
+            FStar_UInt128_add(b0,
+                              FStar_UInt128_mul_wide((uint64_t)19U,
+                                                     FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
+    tmp[4U] = b4_;
+    tmp[0U] = b0_;
+    Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
+}
+
+inline static void
+Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b)
+{
+    Hacl_Bignum_Fmul_fmul(output, a, b);
+}
+
+inline static void
+Hacl_Bignum_crecip(uint64_t *output, uint64_t *input)
+{
+    Hacl_Bignum_Crecip_crecip(output, input);
+}
+
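+/* Constant-time conditional swap: swap1 is either all-zero or all-one bits,
+ * so the XOR mask exchanges a[i] and b[i] without branching on secret
+ * data. */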
+static void
+Hacl_EC_Point_swap_conditional_step(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
+{
+    uint32_t i = ctr - (uint32_t)1U;
+    uint64_t ai = a[i];
+    uint64_t bi = b[i];
+    uint64_t x = swap1 & (ai ^ bi);
+    uint64_t ai1 = ai ^ x;
+    uint64_t bi1 = bi ^ x;
+    a[i] = ai1;
+    b[i] = bi1;
+}
+
+static void
+Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
+{
+    if (!(ctr == (uint32_t)0U)) {
+        Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr);
+        uint32_t i = ctr - (uint32_t)1U;
+        Hacl_EC_Point_swap_conditional_(a, b, swap1, i);
+    }
+}
+
+static void
+Hacl_EC_Point_swap_conditional(uint64_t *a, uint64_t *b, uint64_t iswap)
+{
+    uint64_t swap1 = (uint64_t)0U - iswap;
+    Hacl_EC_Point_swap_conditional_(a, b, swap1, (uint32_t)5U);
+    Hacl_EC_Point_swap_conditional_(a + (uint32_t)5U, b + (uint32_t)5U, swap1, (uint32_t)5U);
+}
+
+static void
+Hacl_EC_Point_copy(uint64_t *output, uint64_t *input)
+{
+    memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
+    memcpy(output + (uint32_t)5U,
+           input + (uint32_t)5U,
+           (uint32_t)5U * sizeof(input + (uint32_t)5U)[0U]);
+}
+
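+/* One Montgomery-ladder step: a combined differential doubling and addition
+ * in projective (X:Z) coordinates, writing 2P into pp and P+Q into ppq,
+ * given P, Q and the x-coordinate of their difference Q-P (qmqp). The
+ * constant 121665 is (A - 2) / 4 for the curve coefficient A = 486662. */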
+static void
+Hacl_EC_AddAndDouble_fmonty(
+    uint64_t *pp,
+    uint64_t *ppq,
+    uint64_t *p,
+    uint64_t *pq,
+    uint64_t *qmqp)
+{
+    uint64_t *qx = qmqp;
+    uint64_t *x2 = pp;
+    uint64_t *z2 = pp + (uint32_t)5U;
+    uint64_t *x3 = ppq;
+    uint64_t *z3 = ppq + (uint32_t)5U;
+    uint64_t *x = p;
+    uint64_t *z = p + (uint32_t)5U;
+    uint64_t *xprime = pq;
+    uint64_t *zprime = pq + (uint32_t)5U;
+    uint64_t buf[40U] = { 0U };
+    uint64_t *origx = buf;
+    uint64_t *origxprime = buf + (uint32_t)5U;
+    uint64_t *xxprime0 = buf + (uint32_t)25U;
+    uint64_t *zzprime0 = buf + (uint32_t)30U;
+    memcpy(origx, x, (uint32_t)5U * sizeof x[0U]);
+    Hacl_Bignum_fsum(x, z);
+    Hacl_Bignum_fdifference(z, origx);
+    memcpy(origxprime, xprime, (uint32_t)5U * sizeof xprime[0U]);
+    Hacl_Bignum_fsum(xprime, zprime);
+    Hacl_Bignum_fdifference(zprime, origxprime);
+    Hacl_Bignum_fmul(xxprime0, xprime, z);
+    Hacl_Bignum_fmul(zzprime0, x, zprime);
+    uint64_t *origxprime0 = buf + (uint32_t)5U;
+    uint64_t *xx0 = buf + (uint32_t)15U;
+    uint64_t *zz0 = buf + (uint32_t)20U;
+    uint64_t *xxprime = buf + (uint32_t)25U;
+    uint64_t *zzprime = buf + (uint32_t)30U;
+    uint64_t *zzzprime = buf + (uint32_t)35U;
+    memcpy(origxprime0, xxprime, (uint32_t)5U * sizeof xxprime[0U]);
+    Hacl_Bignum_fsum(xxprime, zzprime);
+    Hacl_Bignum_fdifference(zzprime, origxprime0);
+    Hacl_Bignum_Fsquare_fsquare_times(x3, xxprime, (uint32_t)1U);
+    Hacl_Bignum_Fsquare_fsquare_times(zzzprime, zzprime, (uint32_t)1U);
+    Hacl_Bignum_fmul(z3, zzzprime, qx);
+    Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U);
+    Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U);
+    uint64_t *zzz = buf + (uint32_t)10U;
+    uint64_t *xx = buf + (uint32_t)15U;
+    uint64_t *zz = buf + (uint32_t)20U;
+    Hacl_Bignum_fmul(x2, xx, zz);
+    Hacl_Bignum_fdifference(zz, xx);
+    uint64_t scalar = (uint64_t)121665U;
+    Hacl_Bignum_fscalar(zzz, zz, scalar);
+    Hacl_Bignum_fsum(zzz, xx);
+    Hacl_Bignum_fmul(z2, zzz, zz);
+}
+
+static void
+Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(
+    uint64_t *nq,
+    uint64_t *nqpq,
+    uint64_t *nq2,
+    uint64_t *nqpq2,
+    uint64_t *q,
+    uint8_t byt)
+{
+    uint64_t bit = (uint64_t)(byt >> (uint32_t)7U);
+    Hacl_EC_Point_swap_conditional(nq, nqpq, bit);
+    Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q);
+    uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U);
+    Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit0);
+}
+
+static void
+Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(
+    uint64_t *nq,
+    uint64_t *nqpq,
+    uint64_t *nq2,
+    uint64_t *nqpq2,
+    uint64_t *q,
+    uint8_t byt)
+{
+    Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt);
+    uint8_t byt1 = byt << (uint32_t)1U;
+    Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
+}
+
+static void
+Hacl_EC_Ladder_SmallLoop_cmult_small_loop(
+    uint64_t *nq,
+    uint64_t *nqpq,
+    uint64_t *nq2,
+    uint64_t *nqpq2,
+    uint64_t *q,
+    uint8_t byt,
+    uint32_t i)
+{
+    if (!(i == (uint32_t)0U)) {
+        uint32_t i_ = i - (uint32_t)1U;
+        Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt);
+        uint8_t byt_ = byt << (uint32_t)2U;
+        Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_);
+    }
+}
+
+static void
+Hacl_EC_Ladder_BigLoop_cmult_big_loop(
+    uint8_t *n1,
+    uint64_t *nq,
+    uint64_t *nqpq,
+    uint64_t *nq2,
+    uint64_t *nqpq2,
+    uint64_t *q,
+    uint32_t i)
+{
+    if (!(i == (uint32_t)0U)) {
+        uint32_t i1 = i - (uint32_t)1U;
+        uint8_t byte = n1[i1];
+        Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byte, (uint32_t)4U);
+        Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, i1);
+    }
+}
+
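+/* Montgomery ladder over the clamped scalar: nq starts at the point at
+ * infinity (X=1, Z=0) and nqpq at the base point. The big loop walks the
+ * scalar from its most significant byte (n1[31]) down to n1[0], consuming
+ * two bits per double-step, four double-steps per byte. */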
+static void
+Hacl_EC_Ladder_cmult(uint64_t *result, uint8_t *n1, uint64_t *q)
+{
+    uint64_t point_buf[40U] = { 0U };
+    uint64_t *nq = point_buf;
+    uint64_t *nqpq = point_buf + (uint32_t)10U;
+    uint64_t *nq2 = point_buf + (uint32_t)20U;
+    uint64_t *nqpq2 = point_buf + (uint32_t)30U;
+    Hacl_EC_Point_copy(nqpq, q);
+    nq[0U] = (uint64_t)1U;
+    Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, (uint32_t)32U);
+    Hacl_EC_Point_copy(result, nq);
+}
+
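+/* Unpack a 32-byte little-endian value into five 51-bit limbs, using
+ * overlapping 64-bit loads at byte offsets 0, 6, 12, 19 and 24 combined
+ * with right shifts of 0, 3, 6, 1 and 12 bits. */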
+static void
+Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input)
+{
+    uint64_t i0 = load64_le(input);
+    uint8_t *x00 = input + (uint32_t)6U;
+    uint64_t i1 = load64_le(x00);
+    uint8_t *x01 = input + (uint32_t)12U;
+    uint64_t i2 = load64_le(x01);
+    uint8_t *x02 = input + (uint32_t)19U;
+    uint64_t i3 = load64_le(x02);
+    uint8_t *x0 = input + (uint32_t)24U;
+    uint64_t i4 = load64_le(x0);
+    uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU;
+    uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU;
+    uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU;
+    uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU;
+    uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU;
+    output[0U] = output0;
+    output[1U] = output1;
+    output[2U] = output2;
+    output[3U] = output3;
+    output[4U] = output4;
+}
+
+static void
+Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input)
+{
+    uint64_t t0 = input[0U];
+    uint64_t t1 = input[1U];
+    uint64_t t2 = input[2U];
+    uint64_t t3 = input[3U];
+    uint64_t t4 = input[4U];
+    uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
+    uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
+    uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
+    uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
+    uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
+    uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
+    uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
+    uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
+    input[0U] = t0_;
+    input[1U] = t1__;
+    input[2U] = t2__;
+    input[3U] = t3__;
+    input[4U] = t4_;
+}
+
+static void
+Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input)
+{
+    Hacl_EC_Format_fcontract_first_carry_pass(input);
+    Hacl_Bignum_Modulo_carry_top(input);
+}
+
+static void
+Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input)
+{
+    uint64_t t0 = input[0U];
+    uint64_t t1 = input[1U];
+    uint64_t t2 = input[2U];
+    uint64_t t3 = input[3U];
+    uint64_t t4 = input[4U];
+    uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
+    uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
+    uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
+    uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
+    uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
+    uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
+    uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
+    uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
+    input[0U] = t0_;
+    input[1U] = t1__;
+    input[2U] = t2__;
+    input[3U] = t3__;
+    input[4U] = t4_;
+}
+
+static void
+Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input)
+{
+    Hacl_EC_Format_fcontract_second_carry_pass(input);
+    Hacl_Bignum_Modulo_carry_top(input);
+    uint64_t i0 = input[0U];
+    uint64_t i1 = input[1U];
+    uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
+    uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
+    input[0U] = i0_;
+    input[1U] = i1_;
+}
+
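+/* Canonical reduction: the preceding carry passes leave the value small
+ * enough that at most one subtraction of p is needed, so subtract p exactly
+ * when the input is >= p, detected with constant-time gte/eq masks. */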
+static void
+Hacl_EC_Format_fcontract_trim(uint64_t *input)
+{
+    uint64_t a0 = input[0U];
+    uint64_t a1 = input[1U];
+    uint64_t a2 = input[2U];
+    uint64_t a3 = input[3U];
+    uint64_t a4 = input[4U];
+    uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU);
+    uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU);
+    uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU);
+    uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU);
+    uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU);
+    uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
+    uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask);
+    uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask);
+    uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask);
+    uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask);
+    uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask);
+    input[0U] = a0_;
+    input[1U] = a1_;
+    input[2U] = a2_;
+    input[3U] = a3_;
+    input[4U] = a4_;
+}
+
+static void
+Hacl_EC_Format_fcontract_store(uint8_t *output, uint64_t *input)
+{
+    uint64_t t0 = input[0U];
+    uint64_t t1 = input[1U];
+    uint64_t t2 = input[2U];
+    uint64_t t3 = input[3U];
+    uint64_t t4 = input[4U];
+    uint64_t o0 = t1 << (uint32_t)51U | t0;
+    uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U;
+    uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U;
+    uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U;
+    uint8_t *b0 = output;
+    uint8_t *b1 = output + (uint32_t)8U;
+    uint8_t *b2 = output + (uint32_t)16U;
+    uint8_t *b3 = output + (uint32_t)24U;
+    store64_le(b0, o0);
+    store64_le(b1, o1);
+    store64_le(b2, o2);
+    store64_le(b3, o3);
+}
+
+static void
+Hacl_EC_Format_fcontract(uint8_t *output, uint64_t *input)
+{
+    Hacl_EC_Format_fcontract_first_carry_full(input);
+    Hacl_EC_Format_fcontract_second_carry_full(input);
+    Hacl_EC_Format_fcontract_trim(input);
+    Hacl_EC_Format_fcontract_store(output, input);
+}
+
+static void
+Hacl_EC_Format_scalar_of_point(uint8_t *scalar, uint64_t *point)
+{
+    uint64_t *x = point;
+    uint64_t *z = point + (uint32_t)5U;
+    uint64_t buf[10U] = { 0U };
+    uint64_t *zmone = buf;
+    uint64_t *sc = buf + (uint32_t)5U;
+    Hacl_Bignum_crecip(zmone, z);
+    Hacl_Bignum_fmul(sc, x, zmone);
+    Hacl_EC_Format_fcontract(scalar, sc);
+}
+
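+/* X25519 scalar multiplication: expand the base point into (X:1), clamp a
+ * copy of the secret (clear bits 0-2 and bit 255, set bit 254), run the
+ * ladder, then convert the result to affine form (x = X * Z^(p-2)) and
+ * serialize it into mypublic. */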
+void
+Hacl_EC_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint)
+{
+    uint64_t buf0[10U] = { 0U };
+    uint64_t *x0 = buf0;
+    uint64_t *z = buf0 + (uint32_t)5U;
+    Hacl_EC_Format_fexpand(x0, basepoint);
+    z[0U] = (uint64_t)1U;
+    uint64_t *q = buf0;
+    uint8_t e[32U] = { 0U };
+    memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]);
+    uint8_t e0 = e[0U];
+    uint8_t e31 = e[31U];
+    uint8_t e01 = e0 & (uint8_t)248U;
+    uint8_t e311 = e31 & (uint8_t)127U;
+    uint8_t e312 = e311 | (uint8_t)64U;
+    e[0U] = e01;
+    e[31U] = e312;
+    uint8_t *scalar = e;
+    uint64_t buf[15U] = { 0U };
+    uint64_t *nq = buf;
+    uint64_t *x = nq;
+    x[0U] = (uint64_t)1U;
+    Hacl_EC_Ladder_cmult(nq, scalar, q);
+    Hacl_EC_Format_scalar_of_point(mypublic, nq);
+}
+
+void
+Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint)
+{
+    Hacl_EC_crypto_scalarmult(mypublic, secret, basepoint);
+}
new file mode 100644
--- /dev/null
+++ b/security/nss/lib/freebl/verified/Hacl_Curve25519.h
@@ -0,0 +1,57 @@
+/* Copyright 2016-2018 INRIA and Microsoft Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "kremlib.h"
+#ifndef __Hacl_Curve25519_H
+#define __Hacl_Curve25519_H
+
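+/* The typedefs below are name aliases produced by KreMLin extraction from
+ * the F* development; they erase to plain machine integers and pointers,
+ * and the extern lemma declaration has no runtime callers. */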
+typedef uint64_t Hacl_Bignum_Constants_limb;
+
+typedef FStar_UInt128_t Hacl_Bignum_Constants_wide;
+
+typedef uint64_t Hacl_Bignum_Parameters_limb;
+
+typedef FStar_UInt128_t Hacl_Bignum_Parameters_wide;
+
+typedef uint32_t Hacl_Bignum_Parameters_ctr;
+
+typedef uint64_t *Hacl_Bignum_Parameters_felem;
+
+typedef FStar_UInt128_t *Hacl_Bignum_Parameters_felem_wide;
+
+typedef void *Hacl_Bignum_Parameters_seqelem;
+
+typedef void *Hacl_Bignum_Parameters_seqelem_wide;
+
+typedef FStar_UInt128_t Hacl_Bignum_Wide_t;
+
+typedef uint64_t Hacl_Bignum_Limb_t;
+
+extern void Hacl_Bignum_lemma_diff(Prims_int x0, Prims_int x1, Prims_pos x2);
+
+typedef uint64_t *Hacl_EC_Point_point;
+
+typedef uint8_t *Hacl_EC_Ladder_SmallLoop_uint8_p;
+
+typedef uint8_t *Hacl_EC_Ladder_uint8_p;
+
+typedef uint8_t *Hacl_EC_Format_uint8_p;
+
+void Hacl_EC_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);
+
+typedef uint8_t *Hacl_Curve25519_uint8_p;
+
+void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);
+#endif
deleted file mode 100644
--- a/security/nss/lib/freebl/verified/Hacl_Curve25519_51.c
+++ /dev/null
@@ -1,933 +0,0 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "Hacl_Curve25519_51.h"
-
-inline static void
-Hacl_Impl_Curve25519_Field51_fadd(uint64_t *out, uint64_t *f1, uint64_t *f2)
-{
-    uint64_t f10 = f1[0U];
-    uint64_t f20 = f2[0U];
-    uint64_t f11 = f1[1U];
-    uint64_t f21 = f2[1U];
-    uint64_t f12 = f1[2U];
-    uint64_t f22 = f2[2U];
-    uint64_t f13 = f1[3U];
-    uint64_t f23 = f2[3U];
-    uint64_t f14 = f1[4U];
-    uint64_t f24 = f2[4U];
-    out[0U] = f10 + f20;
-    out[1U] = f11 + f21;
-    out[2U] = f12 + f22;
-    out[3U] = f13 + f23;
-    out[4U] = f14 + f24;
-}
-
-inline static void
-Hacl_Impl_Curve25519_Field51_fsub(uint64_t *out, uint64_t *f1, uint64_t *f2)
-{
-    uint64_t f10 = f1[0U];
-    uint64_t f20 = f2[0U];
-    uint64_t f11 = f1[1U];
-    uint64_t f21 = f2[1U];
-    uint64_t f12 = f1[2U];
-    uint64_t f22 = f2[2U];
-    uint64_t f13 = f1[3U];
-    uint64_t f23 = f2[3U];
-    uint64_t f14 = f1[4U];
-    uint64_t f24 = f2[4U];
-    out[0U] = f10 + (uint64_t)0x3fffffffffff68U - f20;
-    out[1U] = f11 + (uint64_t)0x3ffffffffffff8U - f21;
-    out[2U] = f12 + (uint64_t)0x3ffffffffffff8U - f22;
-    out[3U] = f13 + (uint64_t)0x3ffffffffffff8U - f23;
-    out[4U] = f14 + (uint64_t)0x3ffffffffffff8U - f24;
-}
-
-inline static void
-Hacl_Impl_Curve25519_Field51_fmul(
-    uint64_t *out,
-    uint64_t *f1,
-    uint64_t *f2,
-    FStar_UInt128_uint128 *uu____2959)
-{
-    uint64_t f10 = f1[0U];
-    uint64_t f11 = f1[1U];
-    uint64_t f12 = f1[2U];
-    uint64_t f13 = f1[3U];
-    uint64_t f14 = f1[4U];
-    uint64_t f20 = f2[0U];
-    uint64_t f21 = f2[1U];
-    uint64_t f22 = f2[2U];
-    uint64_t f23 = f2[3U];
-    uint64_t f24 = f2[4U];
-    uint64_t tmp1 = f21 * (uint64_t)19U;
-    uint64_t tmp2 = f22 * (uint64_t)19U;
-    uint64_t tmp3 = f23 * (uint64_t)19U;
-    uint64_t tmp4 = f24 * (uint64_t)19U;
-    FStar_UInt128_uint128 o00 = FStar_UInt128_mul_wide(f10, f20);
-    FStar_UInt128_uint128 o10 = FStar_UInt128_mul_wide(f10, f21);
-    FStar_UInt128_uint128 o20 = FStar_UInt128_mul_wide(f10, f22);
-    FStar_UInt128_uint128 o30 = FStar_UInt128_mul_wide(f10, f23);
-    FStar_UInt128_uint128 o40 = FStar_UInt128_mul_wide(f10, f24);
-    FStar_UInt128_uint128 o01 = FStar_UInt128_add(o00, FStar_UInt128_mul_wide(f11, tmp4));
-    FStar_UInt128_uint128 o11 = FStar_UInt128_add(o10, FStar_UInt128_mul_wide(f11, f20));
-    FStar_UInt128_uint128 o21 = FStar_UInt128_add(o20, FStar_UInt128_mul_wide(f11, f21));
-    FStar_UInt128_uint128 o31 = FStar_UInt128_add(o30, FStar_UInt128_mul_wide(f11, f22));
-    FStar_UInt128_uint128 o41 = FStar_UInt128_add(o40, FStar_UInt128_mul_wide(f11, f23));
-    FStar_UInt128_uint128 o02 = FStar_UInt128_add(o01, FStar_UInt128_mul_wide(f12, tmp3));
-    FStar_UInt128_uint128 o12 = FStar_UInt128_add(o11, FStar_UInt128_mul_wide(f12, tmp4));
-    FStar_UInt128_uint128 o22 = FStar_UInt128_add(o21, FStar_UInt128_mul_wide(f12, f20));
-    FStar_UInt128_uint128 o32 = FStar_UInt128_add(o31, FStar_UInt128_mul_wide(f12, f21));
-    FStar_UInt128_uint128 o42 = FStar_UInt128_add(o41, FStar_UInt128_mul_wide(f12, f22));
-    FStar_UInt128_uint128 o03 = FStar_UInt128_add(o02, FStar_UInt128_mul_wide(f13, tmp2));
-    FStar_UInt128_uint128 o13 = FStar_UInt128_add(o12, FStar_UInt128_mul_wide(f13, tmp3));
-    FStar_UInt128_uint128 o23 = FStar_UInt128_add(o22, FStar_UInt128_mul_wide(f13, tmp4));
-    FStar_UInt128_uint128 o33 = FStar_UInt128_add(o32, FStar_UInt128_mul_wide(f13, f20));
-    FStar_UInt128_uint128 o43 = FStar_UInt128_add(o42, FStar_UInt128_mul_wide(f13, f21));
-    FStar_UInt128_uint128 o04 = FStar_UInt128_add(o03, FStar_UInt128_mul_wide(f14, tmp1));
-    FStar_UInt128_uint128 o14 = FStar_UInt128_add(o13, FStar_UInt128_mul_wide(f14, tmp2));
-    FStar_UInt128_uint128 o24 = FStar_UInt128_add(o23, FStar_UInt128_mul_wide(f14, tmp3));
-    FStar_UInt128_uint128 o34 = FStar_UInt128_add(o33, FStar_UInt128_mul_wide(f14, tmp4));
-    FStar_UInt128_uint128 o44 = FStar_UInt128_add(o43, FStar_UInt128_mul_wide(f14, f20));
-    FStar_UInt128_uint128 tmp_w0 = o04;
-    FStar_UInt128_uint128 tmp_w1 = o14;
-    FStar_UInt128_uint128 tmp_w2 = o24;
-    FStar_UInt128_uint128 tmp_w3 = o34;
-    FStar_UInt128_uint128 tmp_w4 = o44;
-    FStar_UInt128_uint128
-        l_ = FStar_UInt128_add(tmp_w0, FStar_UInt128_uint64_to_uint128((uint64_t)0U));
-    uint64_t tmp01 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U));
-    FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w1, FStar_UInt128_uint64_to_uint128(c0));
-    uint64_t tmp11 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U));
-    FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w2, FStar_UInt128_uint64_to_uint128(c1));
-    uint64_t tmp21 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U));
-    FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w3, FStar_UInt128_uint64_to_uint128(c2));
-    uint64_t tmp31 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U));
-    FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w4, FStar_UInt128_uint64_to_uint128(c3));
-    uint64_t tmp41 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U));
-    uint64_t l_4 = tmp01 + c4 * (uint64_t)19U;
-    uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c5 = l_4 >> (uint32_t)51U;
-    uint64_t o0 = tmp0_;
-    uint64_t o1 = tmp11 + c5;
-    uint64_t o2 = tmp21;
-    uint64_t o3 = tmp31;
-    uint64_t o4 = tmp41;
-    out[0U] = o0;
-    out[1U] = o1;
-    out[2U] = o2;
-    out[3U] = o3;
-    out[4U] = o4;
-}
-
-inline static void
-Hacl_Impl_Curve25519_Field51_fmul2(
-    uint64_t *out,
-    uint64_t *f1,
-    uint64_t *f2,
-    FStar_UInt128_uint128 *uu____4281)
-{
-    uint64_t f10 = f1[0U];
-    uint64_t f11 = f1[1U];
-    uint64_t f12 = f1[2U];
-    uint64_t f13 = f1[3U];
-    uint64_t f14 = f1[4U];
-    uint64_t f20 = f2[0U];
-    uint64_t f21 = f2[1U];
-    uint64_t f22 = f2[2U];
-    uint64_t f23 = f2[3U];
-    uint64_t f24 = f2[4U];
-    uint64_t f30 = f1[5U];
-    uint64_t f31 = f1[6U];
-    uint64_t f32 = f1[7U];
-    uint64_t f33 = f1[8U];
-    uint64_t f34 = f1[9U];
-    uint64_t f40 = f2[5U];
-    uint64_t f41 = f2[6U];
-    uint64_t f42 = f2[7U];
-    uint64_t f43 = f2[8U];
-    uint64_t f44 = f2[9U];
-    uint64_t tmp11 = f21 * (uint64_t)19U;
-    uint64_t tmp12 = f22 * (uint64_t)19U;
-    uint64_t tmp13 = f23 * (uint64_t)19U;
-    uint64_t tmp14 = f24 * (uint64_t)19U;
-    uint64_t tmp21 = f41 * (uint64_t)19U;
-    uint64_t tmp22 = f42 * (uint64_t)19U;
-    uint64_t tmp23 = f43 * (uint64_t)19U;
-    uint64_t tmp24 = f44 * (uint64_t)19U;
-    FStar_UInt128_uint128 o00 = FStar_UInt128_mul_wide(f10, f20);
-    FStar_UInt128_uint128 o15 = FStar_UInt128_mul_wide(f10, f21);
-    FStar_UInt128_uint128 o25 = FStar_UInt128_mul_wide(f10, f22);
-    FStar_UInt128_uint128 o30 = FStar_UInt128_mul_wide(f10, f23);
-    FStar_UInt128_uint128 o40 = FStar_UInt128_mul_wide(f10, f24);
-    FStar_UInt128_uint128 o010 = FStar_UInt128_add(o00, FStar_UInt128_mul_wide(f11, tmp14));
-    FStar_UInt128_uint128 o110 = FStar_UInt128_add(o15, FStar_UInt128_mul_wide(f11, f20));
-    FStar_UInt128_uint128 o210 = FStar_UInt128_add(o25, FStar_UInt128_mul_wide(f11, f21));
-    FStar_UInt128_uint128 o310 = FStar_UInt128_add(o30, FStar_UInt128_mul_wide(f11, f22));
-    FStar_UInt128_uint128 o410 = FStar_UInt128_add(o40, FStar_UInt128_mul_wide(f11, f23));
-    FStar_UInt128_uint128 o020 = FStar_UInt128_add(o010, FStar_UInt128_mul_wide(f12, tmp13));
-    FStar_UInt128_uint128 o120 = FStar_UInt128_add(o110, FStar_UInt128_mul_wide(f12, tmp14));
-    FStar_UInt128_uint128 o220 = FStar_UInt128_add(o210, FStar_UInt128_mul_wide(f12, f20));
-    FStar_UInt128_uint128 o320 = FStar_UInt128_add(o310, FStar_UInt128_mul_wide(f12, f21));
-    FStar_UInt128_uint128 o420 = FStar_UInt128_add(o410, FStar_UInt128_mul_wide(f12, f22));
-    FStar_UInt128_uint128 o030 = FStar_UInt128_add(o020, FStar_UInt128_mul_wide(f13, tmp12));
-    FStar_UInt128_uint128 o130 = FStar_UInt128_add(o120, FStar_UInt128_mul_wide(f13, tmp13));
-    FStar_UInt128_uint128 o230 = FStar_UInt128_add(o220, FStar_UInt128_mul_wide(f13, tmp14));
-    FStar_UInt128_uint128 o330 = FStar_UInt128_add(o320, FStar_UInt128_mul_wide(f13, f20));
-    FStar_UInt128_uint128 o430 = FStar_UInt128_add(o420, FStar_UInt128_mul_wide(f13, f21));
-    FStar_UInt128_uint128 o040 = FStar_UInt128_add(o030, FStar_UInt128_mul_wide(f14, tmp11));
-    FStar_UInt128_uint128 o140 = FStar_UInt128_add(o130, FStar_UInt128_mul_wide(f14, tmp12));
-    FStar_UInt128_uint128 o240 = FStar_UInt128_add(o230, FStar_UInt128_mul_wide(f14, tmp13));
-    FStar_UInt128_uint128 o340 = FStar_UInt128_add(o330, FStar_UInt128_mul_wide(f14, tmp14));
-    FStar_UInt128_uint128 o440 = FStar_UInt128_add(o430, FStar_UInt128_mul_wide(f14, f20));
-    FStar_UInt128_uint128 tmp_w10 = o040;
-    FStar_UInt128_uint128 tmp_w11 = o140;
-    FStar_UInt128_uint128 tmp_w12 = o240;
-    FStar_UInt128_uint128 tmp_w13 = o340;
-    FStar_UInt128_uint128 tmp_w14 = o440;
-    FStar_UInt128_uint128 o0 = FStar_UInt128_mul_wide(f30, f40);
-    FStar_UInt128_uint128 o1 = FStar_UInt128_mul_wide(f30, f41);
-    FStar_UInt128_uint128 o2 = FStar_UInt128_mul_wide(f30, f42);
-    FStar_UInt128_uint128 o3 = FStar_UInt128_mul_wide(f30, f43);
-    FStar_UInt128_uint128 o4 = FStar_UInt128_mul_wide(f30, f44);
-    FStar_UInt128_uint128 o01 = FStar_UInt128_add(o0, FStar_UInt128_mul_wide(f31, tmp24));
-    FStar_UInt128_uint128 o111 = FStar_UInt128_add(o1, FStar_UInt128_mul_wide(f31, f40));
-    FStar_UInt128_uint128 o211 = FStar_UInt128_add(o2, FStar_UInt128_mul_wide(f31, f41));
-    FStar_UInt128_uint128 o31 = FStar_UInt128_add(o3, FStar_UInt128_mul_wide(f31, f42));
-    FStar_UInt128_uint128 o41 = FStar_UInt128_add(o4, FStar_UInt128_mul_wide(f31, f43));
-    FStar_UInt128_uint128 o02 = FStar_UInt128_add(o01, FStar_UInt128_mul_wide(f32, tmp23));
-    FStar_UInt128_uint128 o121 = FStar_UInt128_add(o111, FStar_UInt128_mul_wide(f32, tmp24));
-    FStar_UInt128_uint128 o221 = FStar_UInt128_add(o211, FStar_UInt128_mul_wide(f32, f40));
-    FStar_UInt128_uint128 o32 = FStar_UInt128_add(o31, FStar_UInt128_mul_wide(f32, f41));
-    FStar_UInt128_uint128 o42 = FStar_UInt128_add(o41, FStar_UInt128_mul_wide(f32, f42));
-    FStar_UInt128_uint128 o03 = FStar_UInt128_add(o02, FStar_UInt128_mul_wide(f33, tmp22));
-    FStar_UInt128_uint128 o131 = FStar_UInt128_add(o121, FStar_UInt128_mul_wide(f33, tmp23));
-    FStar_UInt128_uint128 o231 = FStar_UInt128_add(o221, FStar_UInt128_mul_wide(f33, tmp24));
-    FStar_UInt128_uint128 o33 = FStar_UInt128_add(o32, FStar_UInt128_mul_wide(f33, f40));
-    FStar_UInt128_uint128 o43 = FStar_UInt128_add(o42, FStar_UInt128_mul_wide(f33, f41));
-    FStar_UInt128_uint128 o04 = FStar_UInt128_add(o03, FStar_UInt128_mul_wide(f34, tmp21));
-    FStar_UInt128_uint128 o141 = FStar_UInt128_add(o131, FStar_UInt128_mul_wide(f34, tmp22));
-    FStar_UInt128_uint128 o241 = FStar_UInt128_add(o231, FStar_UInt128_mul_wide(f34, tmp23));
-    FStar_UInt128_uint128 o34 = FStar_UInt128_add(o33, FStar_UInt128_mul_wide(f34, tmp24));
-    FStar_UInt128_uint128 o44 = FStar_UInt128_add(o43, FStar_UInt128_mul_wide(f34, f40));
-    FStar_UInt128_uint128 tmp_w20 = o04;
-    FStar_UInt128_uint128 tmp_w21 = o141;
-    FStar_UInt128_uint128 tmp_w22 = o241;
-    FStar_UInt128_uint128 tmp_w23 = o34;
-    FStar_UInt128_uint128 tmp_w24 = o44;
-    FStar_UInt128_uint128
-        l_ = FStar_UInt128_add(tmp_w10, FStar_UInt128_uint64_to_uint128((uint64_t)0U));
-    uint64_t tmp00 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c00 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U));
-    FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w11, FStar_UInt128_uint64_to_uint128(c00));
-    uint64_t tmp10 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c10 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U));
-    FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w12, FStar_UInt128_uint64_to_uint128(c10));
-    uint64_t tmp20 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c20 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U));
-    FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w13, FStar_UInt128_uint64_to_uint128(c20));
-    uint64_t tmp30 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c30 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U));
-    FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w14, FStar_UInt128_uint64_to_uint128(c30));
-    uint64_t tmp40 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c40 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U));
-    uint64_t l_4 = tmp00 + c40 * (uint64_t)19U;
-    uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c50 = l_4 >> (uint32_t)51U;
-    uint64_t o100 = tmp0_;
-    uint64_t o112 = tmp10 + c50;
-    uint64_t o122 = tmp20;
-    uint64_t o132 = tmp30;
-    uint64_t o142 = tmp40;
-    FStar_UInt128_uint128
-        l_5 = FStar_UInt128_add(tmp_w20, FStar_UInt128_uint64_to_uint128((uint64_t)0U));
-    uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_5) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_5, (uint32_t)51U));
-    FStar_UInt128_uint128 l_6 = FStar_UInt128_add(tmp_w21, FStar_UInt128_uint64_to_uint128(c0));
-    uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_6) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_6, (uint32_t)51U));
-    FStar_UInt128_uint128 l_7 = FStar_UInt128_add(tmp_w22, FStar_UInt128_uint64_to_uint128(c1));
-    uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_7) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_7, (uint32_t)51U));
-    FStar_UInt128_uint128 l_8 = FStar_UInt128_add(tmp_w23, FStar_UInt128_uint64_to_uint128(c2));
-    uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_8) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_8, (uint32_t)51U));
-    FStar_UInt128_uint128 l_9 = FStar_UInt128_add(tmp_w24, FStar_UInt128_uint64_to_uint128(c3));
-    uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_9) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_9, (uint32_t)51U));
-    uint64_t l_10 = tmp0 + c4 * (uint64_t)19U;
-    uint64_t tmp0_0 = l_10 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c5 = l_10 >> (uint32_t)51U;
-    uint64_t o200 = tmp0_0;
-    uint64_t o212 = tmp1 + c5;
-    uint64_t o222 = tmp2;
-    uint64_t o232 = tmp3;
-    uint64_t o242 = tmp4;
-    uint64_t o10 = o100;
-    uint64_t o11 = o112;
-    uint64_t o12 = o122;
-    uint64_t o13 = o132;
-    uint64_t o14 = o142;
-    uint64_t o20 = o200;
-    uint64_t o21 = o212;
-    uint64_t o22 = o222;
-    uint64_t o23 = o232;
-    uint64_t o24 = o242;
-    out[0U] = o10;
-    out[1U] = o11;
-    out[2U] = o12;
-    out[3U] = o13;
-    out[4U] = o14;
-    out[5U] = o20;
-    out[6U] = o21;
-    out[7U] = o22;
-    out[8U] = o23;
-    out[9U] = o24;
-}
-
-inline static void
-Hacl_Impl_Curve25519_Field51_fmul1(uint64_t *out, uint64_t *f1, uint64_t f2)
-{
-    uint64_t f10 = f1[0U];
-    uint64_t f11 = f1[1U];
-    uint64_t f12 = f1[2U];
-    uint64_t f13 = f1[3U];
-    uint64_t f14 = f1[4U];
-    FStar_UInt128_uint128 tmp_w0 = FStar_UInt128_mul_wide(f2, f10);
-    FStar_UInt128_uint128 tmp_w1 = FStar_UInt128_mul_wide(f2, f11);
-    FStar_UInt128_uint128 tmp_w2 = FStar_UInt128_mul_wide(f2, f12);
-    FStar_UInt128_uint128 tmp_w3 = FStar_UInt128_mul_wide(f2, f13);
-    FStar_UInt128_uint128 tmp_w4 = FStar_UInt128_mul_wide(f2, f14);
-    FStar_UInt128_uint128
-        l_ = FStar_UInt128_add(tmp_w0, FStar_UInt128_uint64_to_uint128((uint64_t)0U));
-    uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U));
-    FStar_UInt128_uint128 l_0 = FStar_UInt128_add(tmp_w1, FStar_UInt128_uint64_to_uint128(c0));
-    uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U));
-    FStar_UInt128_uint128 l_1 = FStar_UInt128_add(tmp_w2, FStar_UInt128_uint64_to_uint128(c1));
-    uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U));
-    FStar_UInt128_uint128 l_2 = FStar_UInt128_add(tmp_w3, FStar_UInt128_uint64_to_uint128(c2));
-    uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U));
-    FStar_UInt128_uint128 l_3 = FStar_UInt128_add(tmp_w4, FStar_UInt128_uint64_to_uint128(c3));
-    uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U));
-    uint64_t l_4 = tmp0 + c4 * (uint64_t)19U;
-    uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c5 = l_4 >> (uint32_t)51U;
-    uint64_t o0 = tmp0_;
-    uint64_t o1 = tmp1 + c5;
-    uint64_t o2 = tmp2;
-    uint64_t o3 = tmp3;
-    uint64_t o4 = tmp4;
-    out[0U] = o0;
-    out[1U] = o1;
-    out[2U] = o2;
-    out[3U] = o3;
-    out[4U] = o4;
-}
-
-inline static void
-Hacl_Impl_Curve25519_Field51_fsqr(
-    uint64_t *out,
-    uint64_t *f,
-    FStar_UInt128_uint128 *uu____6941)
-{
-    uint64_t f0 = f[0U];
-    uint64_t f1 = f[1U];
-    uint64_t f2 = f[2U];
-    uint64_t f3 = f[3U];
-    uint64_t f4 = f[4U];
-    uint64_t d0 = (uint64_t)2U * f0;
-    uint64_t d1 = (uint64_t)2U * f1;
-    uint64_t d2 = (uint64_t)38U * f2;
-    uint64_t d3 = (uint64_t)19U * f3;
-    uint64_t d419 = (uint64_t)19U * f4;
-    uint64_t d4 = (uint64_t)2U * d419;
-    FStar_UInt128_uint128
-        s0 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f0, f0),
-                                                FStar_UInt128_mul_wide(d4, f1)),
-                              FStar_UInt128_mul_wide(d2, f3));
-    FStar_UInt128_uint128
-        s1 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f1),
-                                                FStar_UInt128_mul_wide(d4, f2)),
-                              FStar_UInt128_mul_wide(d3, f3));
-    FStar_UInt128_uint128
-        s2 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f2),
-                                                FStar_UInt128_mul_wide(f1, f1)),
-                              FStar_UInt128_mul_wide(d4, f3));
-    FStar_UInt128_uint128
-        s3 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f3),
-                                                FStar_UInt128_mul_wide(d1, f2)),
-                              FStar_UInt128_mul_wide(f4, d419));
-    FStar_UInt128_uint128
-        s4 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f4),
-                                                FStar_UInt128_mul_wide(d1, f3)),
-                              FStar_UInt128_mul_wide(f2, f2));
-    FStar_UInt128_uint128 o00 = s0;
-    FStar_UInt128_uint128 o10 = s1;
-    FStar_UInt128_uint128 o20 = s2;
-    FStar_UInt128_uint128 o30 = s3;
-    FStar_UInt128_uint128 o40 = s4;
-    FStar_UInt128_uint128
-        l_ = FStar_UInt128_add(o00, FStar_UInt128_uint64_to_uint128((uint64_t)0U));
-    uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U));
-    FStar_UInt128_uint128 l_0 = FStar_UInt128_add(o10, FStar_UInt128_uint64_to_uint128(c0));
-    uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U));
-    FStar_UInt128_uint128 l_1 = FStar_UInt128_add(o20, FStar_UInt128_uint64_to_uint128(c1));
-    uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U));
-    FStar_UInt128_uint128 l_2 = FStar_UInt128_add(o30, FStar_UInt128_uint64_to_uint128(c2));
-    uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U));
-    FStar_UInt128_uint128 l_3 = FStar_UInt128_add(o40, FStar_UInt128_uint64_to_uint128(c3));
-    uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U));
-    uint64_t l_4 = tmp0 + c4 * (uint64_t)19U;
-    uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c5 = l_4 >> (uint32_t)51U;
-    uint64_t o0 = tmp0_;
-    uint64_t o1 = tmp1 + c5;
-    uint64_t o2 = tmp2;
-    uint64_t o3 = tmp3;
-    uint64_t o4 = tmp4;
-    out[0U] = o0;
-    out[1U] = o1;
-    out[2U] = o2;
-    out[3U] = o3;
-    out[4U] = o4;
-}
-
-inline static void
-Hacl_Impl_Curve25519_Field51_fsqr2(
-    uint64_t *out,
-    uint64_t *f,
-    FStar_UInt128_uint128 *uu____7692)
-{
-    uint64_t f10 = f[0U];
-    uint64_t f11 = f[1U];
-    uint64_t f12 = f[2U];
-    uint64_t f13 = f[3U];
-    uint64_t f14 = f[4U];
-    uint64_t f20 = f[5U];
-    uint64_t f21 = f[6U];
-    uint64_t f22 = f[7U];
-    uint64_t f23 = f[8U];
-    uint64_t f24 = f[9U];
-    uint64_t d00 = (uint64_t)2U * f10;
-    uint64_t d10 = (uint64_t)2U * f11;
-    uint64_t d20 = (uint64_t)38U * f12;
-    uint64_t d30 = (uint64_t)19U * f13;
-    uint64_t d4190 = (uint64_t)19U * f14;
-    uint64_t d40 = (uint64_t)2U * d4190;
-    FStar_UInt128_uint128
-        s00 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f10, f10),
-                                                FStar_UInt128_mul_wide(d40, f11)),
-                              FStar_UInt128_mul_wide(d20, f13));
-    FStar_UInt128_uint128
-        s10 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f11),
-                                                FStar_UInt128_mul_wide(d40, f12)),
-                              FStar_UInt128_mul_wide(d30, f13));
-    FStar_UInt128_uint128
-        s20 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f12),
-                                                FStar_UInt128_mul_wide(f11, f11)),
-                              FStar_UInt128_mul_wide(d40, f13));
-    FStar_UInt128_uint128
-        s30 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f13),
-                                                FStar_UInt128_mul_wide(d10, f12)),
-                              FStar_UInt128_mul_wide(f14, d4190));
-    FStar_UInt128_uint128
-        s40 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d00, f14),
-                                                FStar_UInt128_mul_wide(d10, f13)),
-                              FStar_UInt128_mul_wide(f12, f12));
-    FStar_UInt128_uint128 o100 = s00;
-    FStar_UInt128_uint128 o110 = s10;
-    FStar_UInt128_uint128 o120 = s20;
-    FStar_UInt128_uint128 o130 = s30;
-    FStar_UInt128_uint128 o140 = s40;
-    uint64_t d0 = (uint64_t)2U * f20;
-    uint64_t d1 = (uint64_t)2U * f21;
-    uint64_t d2 = (uint64_t)38U * f22;
-    uint64_t d3 = (uint64_t)19U * f23;
-    uint64_t d419 = (uint64_t)19U * f24;
-    uint64_t d4 = (uint64_t)2U * d419;
-    FStar_UInt128_uint128
-        s0 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(f20, f20),
-                                                FStar_UInt128_mul_wide(d4, f21)),
-                              FStar_UInt128_mul_wide(d2, f23));
-    FStar_UInt128_uint128
-        s1 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f21),
-                                                FStar_UInt128_mul_wide(d4, f22)),
-                              FStar_UInt128_mul_wide(d3, f23));
-    FStar_UInt128_uint128
-        s2 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f22),
-                                                FStar_UInt128_mul_wide(f21, f21)),
-                              FStar_UInt128_mul_wide(d4, f23));
-    FStar_UInt128_uint128
-        s3 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f23),
-                                                FStar_UInt128_mul_wide(d1, f22)),
-                              FStar_UInt128_mul_wide(f24, d419));
-    FStar_UInt128_uint128
-        s4 =
-            FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, f24),
-                                                FStar_UInt128_mul_wide(d1, f23)),
-                              FStar_UInt128_mul_wide(f22, f22));
-    FStar_UInt128_uint128 o200 = s0;
-    FStar_UInt128_uint128 o210 = s1;
-    FStar_UInt128_uint128 o220 = s2;
-    FStar_UInt128_uint128 o230 = s3;
-    FStar_UInt128_uint128 o240 = s4;
-    FStar_UInt128_uint128
-        l_ = FStar_UInt128_add(o100, FStar_UInt128_uint64_to_uint128((uint64_t)0U));
-    uint64_t tmp00 = FStar_UInt128_uint128_to_uint64(l_) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c00 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_, (uint32_t)51U));
-    FStar_UInt128_uint128 l_0 = FStar_UInt128_add(o110, FStar_UInt128_uint64_to_uint128(c00));
-    uint64_t tmp10 = FStar_UInt128_uint128_to_uint64(l_0) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c10 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_0, (uint32_t)51U));
-    FStar_UInt128_uint128 l_1 = FStar_UInt128_add(o120, FStar_UInt128_uint64_to_uint128(c10));
-    uint64_t tmp20 = FStar_UInt128_uint128_to_uint64(l_1) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c20 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_1, (uint32_t)51U));
-    FStar_UInt128_uint128 l_2 = FStar_UInt128_add(o130, FStar_UInt128_uint64_to_uint128(c20));
-    uint64_t tmp30 = FStar_UInt128_uint128_to_uint64(l_2) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c30 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_2, (uint32_t)51U));
-    FStar_UInt128_uint128 l_3 = FStar_UInt128_add(o140, FStar_UInt128_uint64_to_uint128(c30));
-    uint64_t tmp40 = FStar_UInt128_uint128_to_uint64(l_3) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c40 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_3, (uint32_t)51U));
-    uint64_t l_4 = tmp00 + c40 * (uint64_t)19U;
-    uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c50 = l_4 >> (uint32_t)51U;
-    uint64_t o101 = tmp0_;
-    uint64_t o111 = tmp10 + c50;
-    uint64_t o121 = tmp20;
-    uint64_t o131 = tmp30;
-    uint64_t o141 = tmp40;
-    FStar_UInt128_uint128
-        l_5 = FStar_UInt128_add(o200, FStar_UInt128_uint64_to_uint128((uint64_t)0U));
-    uint64_t tmp0 = FStar_UInt128_uint128_to_uint64(l_5) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c0 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_5, (uint32_t)51U));
-    FStar_UInt128_uint128 l_6 = FStar_UInt128_add(o210, FStar_UInt128_uint64_to_uint128(c0));
-    uint64_t tmp1 = FStar_UInt128_uint128_to_uint64(l_6) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c1 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_6, (uint32_t)51U));
-    FStar_UInt128_uint128 l_7 = FStar_UInt128_add(o220, FStar_UInt128_uint64_to_uint128(c1));
-    uint64_t tmp2 = FStar_UInt128_uint128_to_uint64(l_7) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c2 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_7, (uint32_t)51U));
-    FStar_UInt128_uint128 l_8 = FStar_UInt128_add(o230, FStar_UInt128_uint64_to_uint128(c2));
-    uint64_t tmp3 = FStar_UInt128_uint128_to_uint64(l_8) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c3 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_8, (uint32_t)51U));
-    FStar_UInt128_uint128 l_9 = FStar_UInt128_add(o240, FStar_UInt128_uint64_to_uint128(c3));
-    uint64_t tmp4 = FStar_UInt128_uint128_to_uint64(l_9) & (uint64_t)0x7ffffffffffffU;
-    uint64_t c4 = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(l_9, (uint32_t)51U));
-    uint64_t l_10 = tmp0 + c4 * (uint64_t)19U;
-    uint64_t tmp0_0 = l_10 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c5 = l_10 >> (uint32_t)51U;
-    uint64_t o201 = tmp0_0;
-    uint64_t o211 = tmp1 + c5;
-    uint64_t o221 = tmp2;
-    uint64_t o231 = tmp3;
-    uint64_t o241 = tmp4;
-    uint64_t o10 = o101;
-    uint64_t o11 = o111;
-    uint64_t o12 = o121;
-    uint64_t o13 = o131;
-    uint64_t o14 = o141;
-    uint64_t o20 = o201;
-    uint64_t o21 = o211;
-    uint64_t o22 = o221;
-    uint64_t o23 = o231;
-    uint64_t o24 = o241;
-    out[0U] = o10;
-    out[1U] = o11;
-    out[2U] = o12;
-    out[3U] = o13;
-    out[4U] = o14;
-    out[5U] = o20;
-    out[6U] = o21;
-    out[7U] = o22;
-    out[8U] = o23;
-    out[9U] = o24;
-}
-
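Hacl_Impl_Curve25519_Field51_fsqr2 squares the two five-limb elements stored at f[0..4] and f[5..9] in one call (its wide-temporary parameter is unused here; the 128-bit columns are locals). Squaring lets the schoolbook product collapse by symmetry, and every column at weight 2^255 or above folds back with a factor of 19. With $f = \sum_{i=0}^{4} f_i 2^{51 i}$, the precomputed d values ($2f_0$, $2f_1$, $38f_2$, $19f_3$, $38f_4$) give exactly:

$s_0 = f_0^2 + 38 f_1 f_4 + 38 f_2 f_3$
$s_1 = 2 f_0 f_1 + 38 f_2 f_4 + 19 f_3^2$
$s_2 = 2 f_0 f_2 + f_1^2 + 38 f_3 f_4$
$s_3 = 2 f_0 f_3 + 2 f_1 f_2 + 19 f_4^2$
$s_4 = 2 f_0 f_4 + 2 f_1 f_3 + f_2^2$

followed by the same radix-2^51 carry pass as above, run once per input.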
-static void
-Hacl_Impl_Curve25519_Field51_store_felem(uint64_t *u64s, uint64_t *f)
-{
-    uint64_t f0 = f[0U];
-    uint64_t f1 = f[1U];
-    uint64_t f2 = f[2U];
-    uint64_t f3 = f[3U];
-    uint64_t f4 = f[4U];
-    uint64_t l_ = f0 + (uint64_t)0U;
-    uint64_t tmp0 = l_ & (uint64_t)0x7ffffffffffffU;
-    uint64_t c0 = l_ >> (uint32_t)51U;
-    uint64_t l_0 = f1 + c0;
-    uint64_t tmp1 = l_0 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c1 = l_0 >> (uint32_t)51U;
-    uint64_t l_1 = f2 + c1;
-    uint64_t tmp2 = l_1 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c2 = l_1 >> (uint32_t)51U;
-    uint64_t l_2 = f3 + c2;
-    uint64_t tmp3 = l_2 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c3 = l_2 >> (uint32_t)51U;
-    uint64_t l_3 = f4 + c3;
-    uint64_t tmp4 = l_3 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c4 = l_3 >> (uint32_t)51U;
-    uint64_t l_4 = tmp0 + c4 * (uint64_t)19U;
-    uint64_t tmp0_ = l_4 & (uint64_t)0x7ffffffffffffU;
-    uint64_t c5 = l_4 >> (uint32_t)51U;
-    uint64_t f01 = tmp0_;
-    uint64_t f11 = tmp1 + c5;
-    uint64_t f21 = tmp2;
-    uint64_t f31 = tmp3;
-    uint64_t f41 = tmp4;
-    uint64_t m0 = FStar_UInt64_gte_mask(f01, (uint64_t)0x7ffffffffffedU);
-    uint64_t m1 = FStar_UInt64_eq_mask(f11, (uint64_t)0x7ffffffffffffU);
-    uint64_t m2 = FStar_UInt64_eq_mask(f21, (uint64_t)0x7ffffffffffffU);
-    uint64_t m3 = FStar_UInt64_eq_mask(f31, (uint64_t)0x7ffffffffffffU);
-    uint64_t m4 = FStar_UInt64_eq_mask(f41, (uint64_t)0x7ffffffffffffU);
-    uint64_t mask = (((m0 & m1) & m2) & m3) & m4;
-    uint64_t f0_ = f01 - (mask & (uint64_t)0x7ffffffffffedU);
-    uint64_t f1_ = f11 - (mask & (uint64_t)0x7ffffffffffffU);
-    uint64_t f2_ = f21 - (mask & (uint64_t)0x7ffffffffffffU);
-    uint64_t f3_ = f31 - (mask & (uint64_t)0x7ffffffffffffU);
-    uint64_t f4_ = f41 - (mask & (uint64_t)0x7ffffffffffffU);
-    uint64_t f02 = f0_;
-    uint64_t f12 = f1_;
-    uint64_t f22 = f2_;
-    uint64_t f32 = f3_;
-    uint64_t f42 = f4_;
-    uint64_t o00 = f02 | f12 << (uint32_t)51U;
-    uint64_t o10 = f12 >> (uint32_t)13U | f22 << (uint32_t)38U;
-    uint64_t o20 = f22 >> (uint32_t)26U | f32 << (uint32_t)25U;
-    uint64_t o30 = f32 >> (uint32_t)39U | f42 << (uint32_t)12U;
-    uint64_t o0 = o00;
-    uint64_t o1 = o10;
-    uint64_t o2 = o20;
-    uint64_t o3 = o30;
-    u64s[0U] = o0;
-    u64s[1U] = o1;
-    u64s[2U] = o2;
-    u64s[3U] = o3;
-}
-
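store_felem converts a field element to its canonical 32-byte form. After the carry pass the value v is below 2p (an invariant the HACL* proofs carry), so at most one subtraction of p = 2^255 − 19 is needed, and with 51-bit limbs the out-of-range condition has a simple shape:

$v \ge p \iff f_0 \ge 2^{51} - 19 \;\wedge\; f_1 = f_2 = f_3 = f_4 = 2^{51} - 1$

FStar_UInt64_gte_mask and FStar_UInt64_eq_mask turn that condition into an all-ones or all-zero mask, so mask & p is subtracted without a branch. The final four lines repack the 5 x 51 = 255 bits into four little-endian 64-bit words.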
-inline static void
-Hacl_Impl_Curve25519_Field51_cswap2(uint64_t bit, uint64_t *p1, uint64_t *p2)
-{
-    uint64_t mask = (uint64_t)0U - bit;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U) {
-        uint64_t dummy = mask & (p1[i] ^ p2[i]);
-        p1[i] = p1[i] ^ dummy;
-        p2[i] = p2[i] ^ dummy;
-    }
-}
-
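cswap2 is the ladder's constant-time conditional swap: 0U − bit is all-ones when bit is 1 and zero when it is 0, so the same straight-line XOR sequence either exchanges the two 10-limb points or leaves them untouched, with no secret-dependent branch or memory access. A tiny self-contained illustration of the mask trick (a hypothetical test, not from the removed sources):

#include <assert.h>
#include <stdint.h>

int
main(void)
{
    uint64_t a = (uint64_t)7U, b = (uint64_t)9U, bit = (uint64_t)1U;
    uint64_t mask = (uint64_t)0U - bit; /* all-ones iff bit == 1 */
    uint64_t dummy = mask & (a ^ b);
    a ^= dummy;
    b ^= dummy;
    assert(a == (uint64_t)9U && b == (uint64_t)7U);
    return 0;
}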
-static uint8_t
-    Hacl_Curve25519_51_g25519[32U] =
-        {
-          (uint8_t)9U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U,
-          (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U,
-          (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U,
-          (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U,
-          (uint8_t)0U, (uint8_t)0U, (uint8_t)0U, (uint8_t)0U
-        };
-
-static void
-Hacl_Curve25519_51_point_add_and_double(
-    uint64_t *q,
-    uint64_t *p01_tmp1,
-    FStar_UInt128_uint128 *tmp2)
-{
-    uint64_t *nq = p01_tmp1;
-    uint64_t *nq_p1 = p01_tmp1 + (uint32_t)10U;
-    uint64_t *tmp1 = p01_tmp1 + (uint32_t)20U;
-    uint64_t *x1 = q;
-    uint64_t *x2 = nq;
-    uint64_t *z2 = nq + (uint32_t)5U;
-    uint64_t *z3 = nq_p1 + (uint32_t)5U;
-    uint64_t *a = tmp1;
-    uint64_t *b = tmp1 + (uint32_t)5U;
-    uint64_t *ab = tmp1;
-    uint64_t *dc = tmp1 + (uint32_t)10U;
-    Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2);
-    Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2);
-    uint64_t *x3 = nq_p1;
-    uint64_t *z31 = nq_p1 + (uint32_t)5U;
-    uint64_t *d0 = dc;
-    uint64_t *c0 = dc + (uint32_t)5U;
-    Hacl_Impl_Curve25519_Field51_fadd(c0, x3, z31);
-    Hacl_Impl_Curve25519_Field51_fsub(d0, x3, z31);
-    Hacl_Impl_Curve25519_Field51_fmul2(dc, dc, ab, tmp2);
-    Hacl_Impl_Curve25519_Field51_fadd(x3, d0, c0);
-    Hacl_Impl_Curve25519_Field51_fsub(z31, d0, c0);
-    uint64_t *a1 = tmp1;
-    uint64_t *b1 = tmp1 + (uint32_t)5U;
-    uint64_t *d = tmp1 + (uint32_t)10U;
-    uint64_t *c = tmp1 + (uint32_t)15U;
-    uint64_t *ab1 = tmp1;
-    uint64_t *dc1 = tmp1 + (uint32_t)10U;
-    Hacl_Impl_Curve25519_Field51_fsqr2(dc1, ab1, tmp2);
-    Hacl_Impl_Curve25519_Field51_fsqr2(nq_p1, nq_p1, tmp2);
-    a1[0U] = c[0U];
-    a1[1U] = c[1U];
-    a1[2U] = c[2U];
-    a1[3U] = c[3U];
-    a1[4U] = c[4U];
-    Hacl_Impl_Curve25519_Field51_fsub(c, d, c);
-    Hacl_Impl_Curve25519_Field51_fmul1(b1, c, (uint64_t)121665U);
-    Hacl_Impl_Curve25519_Field51_fadd(b1, b1, d);
-    Hacl_Impl_Curve25519_Field51_fmul2(nq, dc1, ab1, tmp2);
-    Hacl_Impl_Curve25519_Field51_fmul(z3, z3, x1, tmp2);
-}
-
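point_add_and_double is one Montgomery-ladder step on x-only projective coordinates: it doubles (x2 : z2) and differentially adds (x2 : z2) and (x3 : z3), whose known difference has u-coordinate x1. These are the RFC 7748 formulas, with a24 = 121665 = (486662 − 2)/4 taken from the curve $v^2 = u^3 + 486662 u^2 + u$:

$A = x_2 + z_2, \quad B = x_2 - z_2, \quad C = x_3 + z_3, \quad D = x_3 - z_3$
$DA = D \cdot A, \quad CB = C \cdot B, \quad E = A^2 - B^2$
$x_2' = A^2 B^2, \qquad z_2' = E\,(A^2 + 121665\,E)$
$x_3' = (DA + CB)^2, \qquad z_3' = x_1 (DA - CB)^2$

The fsqr2/fmul2 calls batch these squarings and products in pairs, which is why the temporaries are laid out as adjacent five-limb blocks.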
-static void
-Hacl_Curve25519_51_point_double(uint64_t *nq, uint64_t *tmp1, FStar_UInt128_uint128 *tmp2)
-{
-    uint64_t *x2 = nq;
-    uint64_t *z2 = nq + (uint32_t)5U;
-    uint64_t *a = tmp1;
-    uint64_t *b = tmp1 + (uint32_t)5U;
-    uint64_t *d = tmp1 + (uint32_t)10U;
-    uint64_t *c = tmp1 + (uint32_t)15U;
-    uint64_t *ab = tmp1;
-    uint64_t *dc = tmp1 + (uint32_t)10U;
-    Hacl_Impl_Curve25519_Field51_fadd(a, x2, z2);
-    Hacl_Impl_Curve25519_Field51_fsub(b, x2, z2);
-    Hacl_Impl_Curve25519_Field51_fsqr2(dc, ab, tmp2);
-    a[0U] = c[0U];
-    a[1U] = c[1U];
-    a[2U] = c[2U];
-    a[3U] = c[3U];
-    a[4U] = c[4U];
-    Hacl_Impl_Curve25519_Field51_fsub(c, d, c);
-    Hacl_Impl_Curve25519_Field51_fmul1(b, c, (uint64_t)121665U);
-    Hacl_Impl_Curve25519_Field51_fadd(b, b, d);
-    Hacl_Impl_Curve25519_Field51_fmul2(nq, dc, ab, tmp2);
-}
-
-static void
-Hacl_Curve25519_51_montgomery_ladder(uint64_t *out, uint8_t *key, uint64_t *init1)
-{
-    FStar_UInt128_uint128 tmp2[10U];
-    for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i)
-        tmp2[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
-    uint64_t p01_tmp1_swap[41U] = { 0U };
-    uint64_t *p0 = p01_tmp1_swap;
-    uint64_t *p01 = p01_tmp1_swap;
-    uint64_t *p03 = p01;
-    uint64_t *p11 = p01 + (uint32_t)10U;
-    memcpy(p11, init1, (uint32_t)10U * sizeof init1[0U]);
-    uint64_t *x0 = p03;
-    uint64_t *z0 = p03 + (uint32_t)5U;
-    x0[0U] = (uint64_t)1U;
-    x0[1U] = (uint64_t)0U;
-    x0[2U] = (uint64_t)0U;
-    x0[3U] = (uint64_t)0U;
-    x0[4U] = (uint64_t)0U;
-    z0[0U] = (uint64_t)0U;
-    z0[1U] = (uint64_t)0U;
-    z0[2U] = (uint64_t)0U;
-    z0[3U] = (uint64_t)0U;
-    z0[4U] = (uint64_t)0U;
-    uint64_t *p01_tmp1 = p01_tmp1_swap;
-    uint64_t *p01_tmp11 = p01_tmp1_swap;
-    uint64_t *nq1 = p01_tmp1_swap;
-    uint64_t *nq_p11 = p01_tmp1_swap + (uint32_t)10U;
-    uint64_t *swap1 = p01_tmp1_swap + (uint32_t)40U;
-    Hacl_Impl_Curve25519_Field51_cswap2((uint64_t)1U, nq1, nq_p11);
-    Hacl_Curve25519_51_point_add_and_double(init1, p01_tmp11, tmp2);
-    swap1[0U] = (uint64_t)1U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)251U; i = i + (uint32_t)1U) {
-        uint64_t *p01_tmp12 = p01_tmp1_swap;
-        uint64_t *swap2 = p01_tmp1_swap + (uint32_t)40U;
-        uint64_t *nq2 = p01_tmp12;
-        uint64_t *nq_p12 = p01_tmp12 + (uint32_t)10U;
-        uint64_t
-            bit =
-                (uint64_t)(key[((uint32_t)253U - i) / (uint32_t)8U] >> ((uint32_t)253U - i) % (uint32_t)8U & (uint8_t)1U);
-        uint64_t sw = swap2[0U] ^ bit;
-        Hacl_Impl_Curve25519_Field51_cswap2(sw, nq2, nq_p12);
-        Hacl_Curve25519_51_point_add_and_double(init1, p01_tmp12, tmp2);
-        swap2[0U] = bit;
-    }
-    uint64_t sw = swap1[0U];
-    Hacl_Impl_Curve25519_Field51_cswap2(sw, nq1, nq_p11);
-    uint64_t *nq10 = p01_tmp1;
-    uint64_t *tmp1 = p01_tmp1 + (uint32_t)20U;
-    Hacl_Curve25519_51_point_double(nq10, tmp1, tmp2);
-    Hacl_Curve25519_51_point_double(nq10, tmp1, tmp2);
-    Hacl_Curve25519_51_point_double(nq10, tmp1, tmp2);
-    memcpy(out, p0, (uint32_t)10U * sizeof p0[0U]);
-}
-
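The ladder's bit schedule encodes the RFC 7748 scalar clamping without ever modifying the caller's key buffer: the unconditional initial cswap2 plus the first add-and-double process bit 254 as if it were set, the loop walks bits 253 down to 3 (index 253 − i for i = 0..250, with the lazy swap2 trick swapping only when consecutive bits differ), and the three trailing point_double calls multiply the result by 8, treating bits 2..0 as zero (bit 255 is never read). The scalar actually applied is therefore

$n' = 2^{254} + \sum_{i=3}^{253} k_i 2^i$

where $k_i$ are the bits of the 32-byte key, exactly the clamped value RFC 7748 prescribes.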
-static void
-Hacl_Curve25519_51_fsquare_times(
-    uint64_t *o,
-    uint64_t *inp,
-    FStar_UInt128_uint128 *tmp,
-    uint32_t n1)
-{
-    Hacl_Impl_Curve25519_Field51_fsqr(o, inp, tmp);
-    for (uint32_t i = (uint32_t)0U; i < n1 - (uint32_t)1U; i = i + (uint32_t)1U) {
-        Hacl_Impl_Curve25519_Field51_fsqr(o, o, tmp);
-    }
-}
-
-static void
-Hacl_Curve25519_51_finv(uint64_t *o, uint64_t *i, FStar_UInt128_uint128 *tmp)
-{
-    uint64_t t1[20U] = { 0U };
-    uint64_t *a = t1;
-    uint64_t *b = t1 + (uint32_t)5U;
-    uint64_t *c = t1 + (uint32_t)10U;
-    uint64_t *t00 = t1 + (uint32_t)15U;
-    FStar_UInt128_uint128 *tmp1 = tmp;
-    Hacl_Curve25519_51_fsquare_times(a, i, tmp1, (uint32_t)1U);
-    Hacl_Curve25519_51_fsquare_times(t00, a, tmp1, (uint32_t)2U);
-    Hacl_Impl_Curve25519_Field51_fmul(b, t00, i, tmp);
-    Hacl_Impl_Curve25519_Field51_fmul(a, b, a, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, a, tmp1, (uint32_t)1U);
-    Hacl_Impl_Curve25519_Field51_fmul(b, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, b, tmp1, (uint32_t)5U);
-    Hacl_Impl_Curve25519_Field51_fmul(b, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, b, tmp1, (uint32_t)10U);
-    Hacl_Impl_Curve25519_Field51_fmul(c, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, c, tmp1, (uint32_t)20U);
-    Hacl_Impl_Curve25519_Field51_fmul(t00, t00, c, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, t00, tmp1, (uint32_t)10U);
-    Hacl_Impl_Curve25519_Field51_fmul(b, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, b, tmp1, (uint32_t)50U);
-    Hacl_Impl_Curve25519_Field51_fmul(c, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, c, tmp1, (uint32_t)100U);
-    Hacl_Impl_Curve25519_Field51_fmul(t00, t00, c, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, t00, tmp1, (uint32_t)50U);
-    Hacl_Impl_Curve25519_Field51_fmul(t00, t00, b, tmp);
-    Hacl_Curve25519_51_fsquare_times(t00, t00, tmp1, (uint32_t)5U);
-    uint64_t *a0 = t1;
-    uint64_t *t0 = t1 + (uint32_t)15U;
-    Hacl_Impl_Curve25519_Field51_fmul(o, t0, a0, tmp);
-}
-
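finv inverts by Fermat's little theorem,

$z^{-1} \equiv z^{p-2} = z^{2^{255} - 21} \pmod{p}, \quad p = 2^{255} - 19,$

using the classic Curve25519 addition chain: the fsquare_times counts above sum to 1 + 2 + 1 + 5 + 10 + 20 + 10 + 50 + 100 + 50 + 5 = 254 squarings, plus 11 fmul calls. The sequence is fixed and independent of z, so inversion runs in constant time.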
-static void
-Hacl_Curve25519_51_encode_point(uint8_t *o, uint64_t *i)
-{
-    uint64_t *x = i;
-    uint64_t *z = i + (uint32_t)5U;
-    uint64_t tmp[5U] = { 0U };
-    uint64_t u64s[4U] = { 0U };
-    FStar_UInt128_uint128 tmp_w[10U];
-    for (uint32_t _i = 0U; _i < (uint32_t)10U; ++_i)
-        tmp_w[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
-    Hacl_Curve25519_51_finv(tmp, z, tmp_w);
-    Hacl_Impl_Curve25519_Field51_fmul(tmp, tmp, x, tmp_w);
-    Hacl_Impl_Curve25519_Field51_store_felem(u64s, tmp);
-    for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)4U; i0 = i0 + (uint32_t)1U) {
-        store64_le(o + i0 * (uint32_t)8U, u64s[i0]);
-    }
-}
-
-void
-Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub)
-{
-    uint64_t init1[10U] = { 0U };
-    uint64_t tmp[4U] = { 0U };
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)4U; i = i + (uint32_t)1U) {
-        uint64_t *os = tmp;
-        uint8_t *bj = pub + i * (uint32_t)8U;
-        uint64_t u = load64_le(bj);
-        uint64_t r = u;
-        uint64_t x = r;
-        os[i] = x;
-    }
-    uint64_t tmp3 = tmp[3U];
-    tmp[3U] = tmp3 & (uint64_t)0x7fffffffffffffffU;
-    uint64_t *x = init1;
-    uint64_t *z = init1 + (uint32_t)5U;
-    z[0U] = (uint64_t)1U;
-    z[1U] = (uint64_t)0U;
-    z[2U] = (uint64_t)0U;
-    z[3U] = (uint64_t)0U;
-    z[4U] = (uint64_t)0U;
-    uint64_t f0l = tmp[0U] & (uint64_t)0x7ffffffffffffU;
-    uint64_t f0h = tmp[0U] >> (uint32_t)51U;
-    uint64_t f1l = (tmp[1U] & (uint64_t)0x3fffffffffU) << (uint32_t)13U;
-    uint64_t f1h = tmp[1U] >> (uint32_t)38U;
-    uint64_t f2l = (tmp[2U] & (uint64_t)0x1ffffffU) << (uint32_t)26U;
-    uint64_t f2h = tmp[2U] >> (uint32_t)25U;
-    uint64_t f3l = (tmp[3U] & (uint64_t)0xfffU) << (uint32_t)39U;
-    uint64_t f3h = tmp[3U] >> (uint32_t)12U;
-    x[0U] = f0l;
-    x[1U] = f0h | f1l;
-    x[2U] = f1h | f2l;
-    x[3U] = f2h | f3l;
-    x[4U] = f3h;
-    Hacl_Curve25519_51_montgomery_ladder(init1, priv, init1);
-    Hacl_Curve25519_51_encode_point(out, init1);
-}
-
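scalarmult first decodes the peer's u-coordinate: four little-endian 64-bit loads, then tmp[3] &= 2^63 − 1 clears bit 255, the masking RFC 7748 requires when decoding u-coordinates. The shift-and-or cascade that follows just re-splits the 255-bit integer at 51-bit boundaries, limb k receiving bits 51k through 51k + 50:

$x_k = \lfloor u / 2^{51 k} \rfloor \bmod 2^{51}, \quad k = 0, \dots, 4$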
-void
-Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv)
-{
-    uint8_t basepoint[32U] = { 0U };
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i = i + (uint32_t)1U) {
-        uint8_t *os = basepoint;
-        uint8_t x = Hacl_Curve25519_51_g25519[i];
-        os[i] = x;
-    }
-    Hacl_Curve25519_51_scalarmult(pub, priv, basepoint);
-}
-
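secret_to_public is scalar multiplication against the g25519 constant above, the RFC 7748 base point: the u-coordinate 9 encoded as 32 little-endian bytes, so the public key is the encoding of $u([n']\,B)$ with $B = (9 : 1)$.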
-bool
-Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub)
-{
-    uint8_t zeros1[32U] = { 0U };
-    Hacl_Curve25519_51_scalarmult(out, priv, pub);
-    uint8_t res = (uint8_t)255U;
-    for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i = i + (uint32_t)1U) {
-        uint8_t uu____0 = FStar_UInt8_eq_mask(out[i], zeros1[i]);
-        res = uu____0 & res;
-    }
-    uint8_t z = res;
-    bool r = z == (uint8_t)255U;
-    return !r;
-}
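ecdh adds an output check on top of scalarmult: res, initialized to 0xFF, stays 0xFF only if FStar_UInt8_eq_mask reports every output byte equal to zero, so the function returns true exactly when the shared secret is nonzero. A zero secret arises when pub has small order, the case RFC 7748 describes checking for, so callers must test the result before using the output. A caller sketch (derive_shared is a hypothetical wrapper, not part of the removed sources):

#include <stdbool.h>
#include <stdint.h>
#include "Hacl_Curve25519_51.h"

/* Reject the all-zero shared secret that a small-order peer key
 * produces; `shared` is only meaningful when this returns true. */
bool
derive_shared(uint8_t shared[32], uint8_t priv[32], uint8_t pub[32])
{
    return Hacl_Curve25519_51_ecdh(shared, priv, pub);
}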
deleted file mode 100644
--- a/security/nss/lib/freebl/verified/Hacl_Curve25519_51.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "kremlin/internal/types.h"
-#include "kremlin/lowstar_endianness.h"
-#include <string.h>
-#include <stdbool.h>
-
-#ifndef __Hacl_Curve25519_51_H
-#define __Hacl_Curve25519_51_H
-
-#include "Hacl_Kremlib.h"
-
-void Hacl_Curve25519_51_scalarmult(uint8_t *out, uint8_t *priv, uint8_t *pub);
-
-void Hacl_Curve25519_51_secret_to_public(uint8_t *pub, uint8_t *priv);
-
-bool Hacl_Curve25519_51_ecdh(uint8_t *out, uint8_t *priv, uint8_t *pub);
-
-#define __Hacl_Curve25519_51_H_DEFINED
-#endif
deleted file mode 100644
--- a/security/nss/lib/freebl/verified/Hacl_Kremlib.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "kremlin/internal/types.h"
-#include "kremlin/lowstar_endianness.h"
-#include <string.h>
-#include <stdbool.h>
-
-#ifndef __Hacl_Kremlib_H
-#define __Hacl_Kremlib_H
-
-inline static uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b);
-
-inline static uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b);
-
-inline static uint64_t FStar_UInt64_gte_mask(uint64_t a, uint64_t b);
-
-inline static FStar_UInt128_uint128
-FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
-
-inline static FStar_UInt128_uint128
-FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);
-
-inline static FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
-
-inline static uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
-
-inline static FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
-
-#define __Hacl_Kremlib_H_DEFINED
-#endif
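These prototypes are the kremlib constant-time helpers the Curve25519 code leans on: each returns an all-ones or all-zero mask with no data-dependent branch. A portable sketch of the two comparison masks in the same branchless style (illustrative; the backed-out tree takes its real definitions from the kremlin headers):

#include <stdint.h>

/* All-ones iff a == b: for x != 0, x | (0 - x) always has its top
 * bit set, so the shifted bit selects between the two masks. */
static uint64_t
eq_mask64(uint64_t a, uint64_t b)
{
    uint64_t x = a ^ b;
    uint64_t nonzero = (x | ((uint64_t)0U - x)) >> 63U;
    return nonzero - (uint64_t)1U;
}

/* All-ones iff a >= b: reconstructs the borrow of a - b without
 * branching; lt is 1 exactly when a < b. */
static uint64_t
gte_mask64(uint64_t a, uint64_t b)
{
    uint64_t q = (a ^ b) | ((a - b) ^ b);
    uint64_t lt = (a ^ q) >> 63U;
    return lt - (uint64_t)1U;
}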
deleted file mode 100644
--- a/security/nss/lib/freebl/verified/Hacl_Poly1305_128.c
+++ /dev/null
@@ -1,1678 +0,0 @@
-/* MIT License
- *
- * Copyright (c) 2016-2020 INRIA, CMU and Microsoft Corporation
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "Hacl_Poly1305_128.h"
-
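Hacl_Poly1305_128 is the two-way vectorized Poly1305: the accumulator and precomputed key powers live in five vec128 limbs of radix 2^26, each 64-bit lane tracking one of two interleaved message blocks. load_acc2 below loads two 16-byte blocks, uses the interleave_low64/high64 shuffles so each lane holds one block's low and high halves, splits the 128 bits at 26-bit boundaries, and ORs in the Poly1305 pad bit: the constant 0x1000000 is 2^24, which at limb 4's weight of 2^104 contributes exactly 2^128, so each lane carries the block value

$e = \sum_{i=0}^{4} e_i 2^{26 i} + 2^{128}$

The insert64 calls zero lane 1 of the running accumulator before the add, so the second block enters the sum on its own lane.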
-void
-Hacl_Impl_Poly1305_Field32xN_128_load_acc2(Lib_IntVector_Intrinsics_vec128 *acc, uint8_t *b)
-{
-    Lib_IntVector_Intrinsics_vec128 e[5U];
-    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
-        e[_i] = Lib_IntVector_Intrinsics_vec128_zero;
-    Lib_IntVector_Intrinsics_vec128 b1 = Lib_IntVector_Intrinsics_vec128_load_le(b);
-    Lib_IntVector_Intrinsics_vec128
-        b2 = Lib_IntVector_Intrinsics_vec128_load_le(b + (uint32_t)16U);
-    Lib_IntVector_Intrinsics_vec128 lo = Lib_IntVector_Intrinsics_vec128_interleave_low64(b1, b2);
-    Lib_IntVector_Intrinsics_vec128 hi = Lib_IntVector_Intrinsics_vec128_interleave_high64(b1, b2);
-    Lib_IntVector_Intrinsics_vec128
-        f00 =
-            Lib_IntVector_Intrinsics_vec128_and(lo,
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        f10 =
-            Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(lo,
-                                                                                              (uint32_t)26U),
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        f20 =
-            Lib_IntVector_Intrinsics_vec128_or(Lib_IntVector_Intrinsics_vec128_shift_right64(lo,
-                                                                                             (uint32_t)52U),
-                                               Lib_IntVector_Intrinsics_vec128_shift_left64(Lib_IntVector_Intrinsics_vec128_and(hi,
-                                                                                                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3fffU)),
-                                                                                            (uint32_t)12U));
-    Lib_IntVector_Intrinsics_vec128
-        f30 =
-            Lib_IntVector_Intrinsics_vec128_and(Lib_IntVector_Intrinsics_vec128_shift_right64(hi,
-                                                                                              (uint32_t)14U),
-                                                Lib_IntVector_Intrinsics_vec128_load64((uint64_t)0x3ffffffU));
-    Lib_IntVector_Intrinsics_vec128
-        f40 = Lib_IntVector_Intrinsics_vec128_shift_right64(hi, (uint32_t)40U);
-    Lib_IntVector_Intrinsics_vec128 f02 = f00;
-    Lib_IntVector_Intrinsics_vec128 f12 = f10;
-    Lib_IntVector_Intrinsics_vec128 f22 = f20;
-    Lib_IntVector_Intrinsics_vec128 f32 = f30;
-    Lib_IntVector_Intrinsics_vec128 f42 = f40;
-    e[0U] = f02;
-    e[1U] = f12;
-    e[2U] = f22;
-    e[3U] = f32;
-    e[4U] = f42;
-    uint64_t b10 = (uint64_t)0x1000000U;
-    Lib_IntVector_Intrinsics_vec128 mask = Lib_IntVector_Intrinsics_vec128_load64(b10);
-    Lib_IntVector_Intrinsics_vec128 f43 = e[4U];
-    e[4U] = Lib_IntVector_Intrinsics_vec128_or(f43, mask);
-    Lib_IntVector_Intrinsics_vec128 acc0 = acc[0U];
-    Lib_IntVector_Intrinsics_vec128 acc1 = acc[1U];
-    Lib_IntVector_Intrinsics_vec128 acc2 = acc[2U];
-    Lib_IntVector_Intrinsics_vec128 acc3 = acc[3U];
-    Lib_IntVector_Intrinsics_vec128 acc4 = acc[4U];
-    Lib_IntVector_Intrinsics_vec128 e0 = e[0U];
-    Lib_IntVector_Intrinsics_vec128 e1 = e[1U];
-    Lib_IntVector_Intrinsics_vec128 e2 = e[2U];
-    Lib_IntVector_Intrinsics_vec128 e3 = e[3U];
-    Lib_IntVector_Intrinsics_vec128 e4 = e[4U];
-    Lib_IntVector_Intrinsics_vec128
-        f0 = Lib_IntVector_Intrinsics_vec128_insert64(acc0, (uint64_t)0U, (uint32_t)1U);
-    Lib_IntVector_Intrinsics_vec128
-        f1 = Lib_IntVector_Intrinsics_vec128_insert64(acc1, (uint64_t)0U, (uint32_t)1U);
-    Lib_IntVector_Intrinsics_vec128
-        f2 = Lib_IntVector_Intrinsics_vec128_insert64(acc2, (uint64_t)0U, (uint32_t)1U);
-    Lib_IntVector_Intrinsics_vec128
-        f3 = Lib_IntVector_Intrinsics_vec128_insert64(acc3, (uint64_t)0U, (uint32_t)1U);
-    Lib_IntVector_Intrinsics_vec128
-        f4 = Lib_IntVector_Intrinsics_vec128_insert64(acc4, (uint64_t)0U, (uint32_t)1U);
-    Lib_IntVector_Intrinsics_vec128 f01 = Lib_IntVector_Intrinsics_vec128_add64(f0, e0);
-    Lib_IntVector_Intrinsics_vec128 f11 = Lib_IntVector_Intrinsics_vec128_add64(f1, e1);
-    Lib_IntVector_Intrinsics_vec128 f21 = Lib_IntVector_Intrinsics_vec128_add64(f2, e2);
-    Lib_IntVector_Intrinsics_vec128 f31 = Lib_IntVector_Intrinsics_vec128_add64(f3, e3);
-    Lib_IntVector_Intrinsics_vec128 f41 = Lib_IntVector_Intrinsics_vec128_add64(f4, e4);