119 static void fe_frombytes_strict(fe *h, const uint8_t s[32]) {  in fe_frombytes_strict()
121   assert((s[31] & 0x80) == 0);  in fe_frombytes_strict()
122   fiat_25519_from_bytes(h->v, s);  in fe_frombytes_strict()
126 static void fe_frombytes(fe *h, const uint8_t s[32]) {  in fe_frombytes()
128   memcpy(s_copy, s, 32);  in fe_frombytes()
133 static void fe_tobytes(uint8_t s[32], const fe *f) {  in fe_tobytes()
135   fiat_25519_to_bytes(s, f->v);  in fe_tobytes()
321   uint8_t s[32];  in fe_isnonzero()  local
322   fe_tobytes(s, &tight);  in fe_isnonzero()
325   return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;  in fe_isnonzero()
331   uint8_t s[32];  in fe_isnegative()  local
332   fe_tobytes(s, f);  in fe_isnegative()
333   return s[0] & 1;  in fe_isnegative()
406 void x25519_ge_tobytes(uint8_t s[32], const ge_p2 *h) {  in x25519_ge_tobytes()
414   fe_tobytes(s, &y);  in x25519_ge_tobytes()
415   s[31] ^= fe_isnegative(&x) << 7;  in x25519_ge_tobytes()
418 int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]) {  in x25519_ge_frombytes_vartime()
425   fe_frombytes(&h->Y, s);  in x25519_ge_frombytes_vartime()
454   if (fe_isnegative(&h->X) != (s[31] >> 7)) {  in x25519_ge_frombytes_vartime()
719 void x25519_sc_reduce(uint8_t s[64]) {  in x25519_sc_reduce()
720   int64_t s0 = 2097151 & load_3(s);  in x25519_sc_reduce()
721   int64_t s1 = 2097151 & (load_4(s + 2) >> 5);  in x25519_sc_reduce()
722   int64_t s2 = 2097151 & (load_3(s + 5) >> 2);  in x25519_sc_reduce()
723   int64_t s3 = 2097151 & (load_4(s + 7) >> 7);  in x25519_sc_reduce()
724   int64_t s4 = 2097151 & (load_4(s + 10) >> 4);  in x25519_sc_reduce()
725   int64_t s5 = 2097151 & (load_3(s + 13) >> 1);  in x25519_sc_reduce()
726   int64_t s6 = 2097151 & (load_4(s + 15) >> 6);  in x25519_sc_reduce()
727   int64_t s7 = 2097151 & (load_3(s + 18) >> 3);  in x25519_sc_reduce()
728   int64_t s8 = 2097151 & load_3(s + 21);  in x25519_sc_reduce()
729   int64_t s9 = 2097151 & (load_4(s + 23) >> 5);  in x25519_sc_reduce()
730   int64_t s10 = 2097151 & (load_3(s + 26) >> 2);  in x25519_sc_reduce()
731   int64_t s11 = 2097151 & (load_4(s + 28) >> 7);  in x25519_sc_reduce()
732   int64_t s12 = 2097151 & (load_4(s + 31) >> 4);  in x25519_sc_reduce()
733   int64_t s13 = 2097151 & (load_3(s + 34) >> 1);  in x25519_sc_reduce()
734   int64_t s14 = 2097151 & (load_4(s + 36) >> 6);  in x25519_sc_reduce()
735   int64_t s15 = 2097151 & (load_3(s + 39) >> 3);  in x25519_sc_reduce()
736   int64_t s16 = 2097151 & load_3(s + 42);  in x25519_sc_reduce()
737   int64_t s17 = 2097151 & (load_4(s + 44) >> 5);  in x25519_sc_reduce()
738   int64_t s18 = 2097151 & (load_3(s + 47) >> 2);  in x25519_sc_reduce()
739   int64_t s19 = 2097151 & (load_4(s + 49) >> 7);  in x25519_sc_reduce()
740   int64_t s20 = 2097151 & (load_4(s + 52) >> 4);  in x25519_sc_reduce()
741   int64_t s21 = 2097151 & (load_3(s + 55) >> 1);  in x25519_sc_reduce()
742   int64_t s22 = 2097151 & (load_4(s + 57) >> 6);  in x25519_sc_reduce()
743   int64_t s23 = (load_4(s + 60) >> 3);  in x25519_sc_reduce()
1018   s[0] = s0 >> 0;  in x25519_sc_reduce()
1019   s[1] = s0 >> 8;  in x25519_sc_reduce()
1020   s[2] = (s0 >> 16) | (s1 << 5);  in x25519_sc_reduce()
1021   s[3] = s1 >> 3;  in x25519_sc_reduce()
1022   s[4] = s1 >> 11;  in x25519_sc_reduce()
1023   s[5] = (s1 >> 19) | (s2 << 2);  in x25519_sc_reduce()
1024   s[6] = s2 >> 6;  in x25519_sc_reduce()
1025   s[7] = (s2 >> 14) | (s3 << 7);  in x25519_sc_reduce()
1026   s[8] = s3 >> 1;  in x25519_sc_reduce()
1027   s[9] = s3 >> 9;  in x25519_sc_reduce()
1028   s[10] = (s3 >> 17) | (s4 << 4);  in x25519_sc_reduce()
1029   s[11] = s4 >> 4;  in x25519_sc_reduce()
1030   s[12] = s4 >> 12;  in x25519_sc_reduce()
1031   s[13] = (s4 >> 20) | (s5 << 1);  in x25519_sc_reduce()
1032   s[14] = s5 >> 7;  in x25519_sc_reduce()
1033   s[15] = (s5 >> 15) | (s6 << 6);  in x25519_sc_reduce()
1034   s[16] = s6 >> 2;  in x25519_sc_reduce()
1035   s[17] = s6 >> 10;  in x25519_sc_reduce()
1036   s[18] = (s6 >> 18) | (s7 << 3);  in x25519_sc_reduce()
1037   s[19] = s7 >> 5;  in x25519_sc_reduce()
1038   s[20] = s7 >> 13;  in x25519_sc_reduce()
1039   s[21] = s8 >> 0;  in x25519_sc_reduce()
1040   s[22] = s8 >> 8;  in x25519_sc_reduce()
1041   s[23] = (s8 >> 16) | (s9 << 5);  in x25519_sc_reduce()
1042   s[24] = s9 >> 3;  in x25519_sc_reduce()
1043   s[25] = s9 >> 11;  in x25519_sc_reduce()
1044   s[26] = (s9 >> 19) | (s10 << 2);  in x25519_sc_reduce()
1045   s[27] = s10 >> 6;  in x25519_sc_reduce()
1046   s[28] = (s10 >> 14) | (s11 << 7);  in x25519_sc_reduce()
1047   s[29] = s11 >> 1;  in x25519_sc_reduce()
1048   s[30] = s11 >> 9;  in x25519_sc_reduce()
1049   s[31] = s11 >> 17;  in x25519_sc_reduce()
1120   struct tc_sha512_state_struct s;  in ED25519_verify()  local
1123   rc = tc_sha512_init(&s);  in ED25519_verify()
1126   rc = tc_sha512_update(&s, signature, 32);  in ED25519_verify()
1128   rc = tc_sha512_update(&s, public_key, 32);  in ED25519_verify()
1130   rc = tc_sha512_update(&s, message, message_len);  in ED25519_verify()
1134   rc = tc_sha512_final(h, &s);  in ED25519_verify()