windows_compatibility

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows_testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

windows testing

Revert "windows testing"

This reverts commit 4b1047d433.

Revert "windows testing"

This reverts commit 4deaad7796.

Revert "windows testing"

This reverts commit ce1af72cd1.

windows testing

src/include/arch_32/arch_intrinsics.h

@@ -7,6 +7,11 @@
 
 #define ARCH_WORD_BITS 32
 
+#if defined _MSC_VER
+#define __attribute(x)
+#define __inline__ __inline
+#endif // MSVC
+
 static __inline__ __attribute((always_inline,unused))
 uint32_t word_is_zero(uint32_t a) {
     /* let's hope the compiler isn't clever enough to optimize this. */

src/include/keccak_internal.h

@@ -12,6 +12,13 @@
 
 #include <stdint.h>
 
+/* Aliasing MSVC preprocessing to GNU preprocessing */
+#if defined _MSC_VER
+#define __attribute__(x)        // Turn off attribute code
+#define __attribute(x)
+#define __restrict__ __restrict  // Use MSVC restrict code
+#endif // MSVC
+
 /* The internal, non-opaque definition of the decaf_sponge struct. */
 typedef union {
     uint64_t w[25]; uint8_t b[25*8];

src/include/portable_endian.h

@@ -21,8 +21,12 @@
 #	define htole64(x) LE_64(x)
 #	define le64toh(x) LE_64(x)
 #elif defined(_WIN16) || defined(_WIN32) || defined(_WIN64) || defined(__WINDOWS__)
+#	if defined(_MSC_VER)
+#		define __builtin_bswap64(x) _byteswap_uint64((x))
+#	else
+#		include <sys/param.h>
+#	endif
 #	include <winsock2.h>
-#	include <sys/param.h>
 #	if BYTE_ORDER == LITTLE_ENDIAN
 #		define htole64(x) (x)
 #		define le64toh(x) (x)

src/include/word.h

@@ -13,6 +13,11 @@
 extern int posix_memalign(void **, size_t, size_t);
 #endif
 
+// MSVC has no posix_memalign
+#if defined(_MSC_VER)
+#define posix_memalign(p, a, s) (((*(p)) = _aligned_malloc((s), (a))), *(p) ?0 :errno)
+#endif
+
 #include <assert.h>
 #include <stdint.h>
 #include "arch_intrinsics.h"

src/per_curve/decaf.tmpl.c

@@ -7,6 +7,23 @@
 #include <decaf.h>
 #include <decaf/ed$(gf_bits).h>
 
+/* MSVC has no builtint ctz, this is a fix as in
+https://stackoverflow.com/questions/355967/how-to-use-msvc-intrinsics-to-get-the-equivalent-of-this-gcc-code/5468852#5468852
+*/
+#ifdef _MSC_VER
+#include <intrin.h>
+
+uint32_t __inline ctz(uint32_t value)
+{
+    DWORD trailing_zero = 0;
+    if ( _BitScanForward( &trailing_zero, value ) )
+        return trailing_zero;
+    else
+        return 32;  // This is undefined, I better choose 32 than 0
+}
+#define __builtin_ctz(x) ctz(x)
+#endif
+
 /* Template stuff */
 #define API_NS(_id) $(c_ns)_##_id
 #define SCALAR_BITS $(C_NS)_SCALAR_BITS
@@ -514,6 +531,7 @@ void API_NS(point_scalarmul) (
     const point_t b,
     const scalar_t scalar
 ) {
+
     const int WINDOW = DECAF_WINDOW_BITS,
         WINDOW_MASK = (1<<WINDOW)-1,
         WINDOW_T_MASK = WINDOW_MASK >> 1,
@@ -524,7 +542,7 @@ void API_NS(point_scalarmul) (
     API_NS(scalar_halve)(scalar1x,scalar1x);
     
     /* Set up a precomputed table with odd multiples of b. */
-    pniels_t pn, multiples[NTABLE];
+    pniels_t pn, multiples[1<<((int)(DECAF_WINDOW_BITS)-1)];  // == NTABLE (MSVC compatibility issue)
     point_t tmp;
     prepare_fixed_window(multiples, b, NTABLE);
 
@@ -575,12 +593,13 @@ void API_NS(point_double_scalarmul) (
     const scalar_t scalarb,
     const point_t c,
     const scalar_t scalarc
-) {
+) {    
+    
     const int WINDOW = DECAF_WINDOW_BITS,
         WINDOW_MASK = (1<<WINDOW)-1,
         WINDOW_T_MASK = WINDOW_MASK >> 1,
         NTABLE = 1<<(WINDOW-1);
-        
+
     scalar_t scalar1x, scalar2x;
     API_NS(scalar_add)(scalar1x, scalarb, point_scalarmul_adjustment);
     API_NS(scalar_halve)(scalar1x,scalar1x);
@@ -588,9 +607,10 @@ void API_NS(point_double_scalarmul) (
     API_NS(scalar_halve)(scalar2x,scalar2x);
     
     /* Set up a precomputed table with odd multiples of b. */
-    pniels_t pn, multiples1[NTABLE], multiples2[NTABLE];
+    pniels_t pn, multiples1[1<<((int)(DECAF_WINDOW_BITS)-1)], multiples2[1<<((int)(DECAF_WINDOW_BITS)-1)];
+    // Array size above equal NTABLE (MSVC compatibility issue)
     point_t tmp;
-    prepare_fixed_window(multiples1, b, NTABLE);
+    prepare_fixed_window(multiples1, b, NTABLE);  
     prepare_fixed_window(multiples2, c, NTABLE);
 
     /* Initialize. */
@@ -652,11 +672,13 @@ void API_NS(point_dual_scalarmul) (
     const scalar_t scalar1,
     const scalar_t scalar2
 ) {
+    
     const int WINDOW = DECAF_WINDOW_BITS,
         WINDOW_MASK = (1<<WINDOW)-1,
         WINDOW_T_MASK = WINDOW_MASK >> 1,
         NTABLE = 1<<(WINDOW-1);
-        
+
+
     scalar_t scalar1x, scalar2x;
     API_NS(scalar_add)(scalar1x, scalar1, point_scalarmul_adjustment);
     API_NS(scalar_halve)(scalar1x,scalar1x);
@@ -664,7 +686,9 @@ void API_NS(point_dual_scalarmul) (
     API_NS(scalar_halve)(scalar2x,scalar2x);
     
     /* Set up a precomputed table with odd multiples of b. */
-    point_t multiples1[NTABLE], multiples2[NTABLE], working, tmp;
+    point_t multiples1[1<<((int)(DECAF_WINDOW_BITS)-1)], multiples2[1<<((int)(DECAF_WINDOW_BITS)-1)], working, tmp;
+    // Array sizes above equal NTABLE (MSVC compatibility issue)
+
     pniels_t pn;
     
     API_NS(point_copy)(working, b);
@@ -887,11 +911,11 @@ void API_NS(precompute) (
     const unsigned int n = COMBS_N, t = COMBS_T, s = COMBS_S;
     assert(n*t*s >= SCALAR_BITS);
   
-    point_t working, start, doubles[t-1];
+    point_t working, start, doubles[COMBS_T-1];
     API_NS(point_copy)(working, base);
     pniels_t pn_tmp;
   
-    gf zs[n<<(t-1)], zis[n<<(t-1)];
+    gf zs[(unsigned int)(COMBS_N)<<(unsigned int)(COMBS_T-1)], zis[(unsigned int)(COMBS_N)<<(unsigned int)(COMBS_T-1)];
   
     unsigned int i,j,k;
     
@@ -1511,13 +1535,13 @@ void API_NS(base_double_scalarmul_non_secret) (
 ) {
     const int table_bits_var = DECAF_WNAF_VAR_TABLE_BITS,
         table_bits_pre = DECAF_WNAF_FIXED_TABLE_BITS;
-    struct smvt_control control_var[SCALAR_BITS/(table_bits_var+1)+3];
-    struct smvt_control control_pre[SCALAR_BITS/(table_bits_pre+1)+3];
+    struct smvt_control control_var[SCALAR_BITS/((int)(DECAF_WNAF_VAR_TABLE_BITS)+1)+3];
+    struct smvt_control control_pre[SCALAR_BITS/((int)(DECAF_WNAF_FIXED_TABLE_BITS)+1)+3];
     
     int ncb_pre = recode_wnaf(control_pre, scalar1, table_bits_pre);
     int ncb_var = recode_wnaf(control_var, scalar2, table_bits_var);
   
-    pniels_t precmp_var[1<<table_bits_var];
+    pniels_t precmp_var[1<<(int)(DECAF_WNAF_VAR_TABLE_BITS)];
     prepare_wnaf_table(precmp_var, base2, table_bits_var);
   
     int contp=0, contv=0, i = control_var[0].power;

src/per_curve/eddsa.tmpl.h

@@ -18,8 +18,13 @@ extern "C" {
 #define DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES (DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES + DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES)
 
 /** Does EdDSA support non-contextual signatures? */
+#if defined _MSC_VER  /* Different syntax for exposing API */
 #define DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTLESS_SIGS $(eddsa_no_context)
-$("extern const uint8_t * const DECAF_ED" + gf_shortname + "_NO_CONTEXT DECAF_API_VIS;\n" if eddsa_no_context else "")
+$("extern const DECAF_API_VIS uint8_t * const DECAF_ED" + gf_shortname + "_NO_CONTEXT;\n" if eddsa_no_context else "")
+#else
+#define DECAF_EDDSA_$(gf_shortname)_SUPPORTS_CONTEXTLESS_SIGS $(eddsa_no_context)
+$("DECAF_API_VIS extern const uint8_t * const DECAF_ED" + gf_shortname + "_NO_CONTEXT;\n" if eddsa_no_context else "")
+#endif
 
 /** Prehash context (raw), because each EdDSA instance has a different prehash. */
 #define decaf_ed$(gf_shortname)_prehash_ctx_s   decaf_$(eddsa_hash)_ctx_s
@@ -46,10 +51,10 @@ $("extern const uint8_t * const DECAF_ED" + gf_shortname + "_NO_CONTEXT DECAF_AP
  * @param [out] pubkey The public key.
  * @param [in] privkey The private key.
  */    
-void decaf_ed$(gf_shortname)_derive_public_key (
+void DECAF_API_VIS decaf_ed$(gf_shortname)_derive_public_key (
     uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief EdDSA signing.
@@ -68,7 +73,7 @@ void decaf_ed$(gf_shortname)_derive_public_key (
  * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives
  * you no seat belt.
  */  
-void decaf_ed$(gf_shortname)_sign (
+void DECAF_API_VIS decaf_ed$(gf_shortname)_sign (
     uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
     const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
     const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
@@ -77,7 +82,7 @@ void decaf_ed$(gf_shortname)_sign (
     uint8_t prehashed,
     const uint8_t *context,
     uint8_t context_len
-) DECAF_API_VIS __attribute__((nonnull(1,2,3))) DECAF_NOINLINE;
+) __attribute__((nonnull(1,2,3))) DECAF_NOINLINE;
 
 /**
  * @brief EdDSA signing with prehash.
@@ -94,23 +99,23 @@ void decaf_ed$(gf_shortname)_sign (
  * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives
  * you no seat belt.
  */  
-void decaf_ed$(gf_shortname)_sign_prehash (
+void DECAF_API_VIS decaf_ed$(gf_shortname)_sign_prehash (
     uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
     const uint8_t privkey[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES],
     const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const decaf_ed$(gf_shortname)_prehash_ctx_t hash,
     const uint8_t *context,
     uint8_t context_len
-) DECAF_API_VIS __attribute__((nonnull(1,2,3,4))) DECAF_NOINLINE;
+) __attribute__((nonnull(1,2,3,4))) DECAF_NOINLINE;
     
 /**
  * @brief Prehash initialization, with contexts if supported.
  *
  * @param [out] hash The hash object to be initialized.
  */
-void decaf_ed$(gf_shortname)_prehash_init (
+void DECAF_API_VIS decaf_ed$(gf_shortname)_prehash_init (
     decaf_ed$(gf_shortname)_prehash_ctx_t hash
-) DECAF_API_VIS __attribute__((nonnull(1))) DECAF_NOINLINE;
+) __attribute__((nonnull(1))) DECAF_NOINLINE;
 
 /**
  * @brief EdDSA signature verification.
@@ -130,7 +135,7 @@ void decaf_ed$(gf_shortname)_prehash_init (
  * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives
  * you no seat belt.
  */
-decaf_error_t decaf_ed$(gf_shortname)_verify (
+decaf_error_t DECAF_API_VIS decaf_ed$(gf_shortname)_verify (
     const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
     const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t *message,
@@ -138,7 +143,7 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
     uint8_t prehashed,
     const uint8_t *context,
     uint8_t context_len
-) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;
+) __attribute__((nonnull(1,2))) DECAF_NOINLINE;
 
 /**
  * @brief EdDSA signature verification.
@@ -156,13 +161,13 @@ decaf_error_t decaf_ed$(gf_shortname)_verify (
  * safe.  The C++ wrapper is designed to make it harder to screw this up, but this C code gives
  * you no seat belt.
  */
-decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
+decaf_error_t DECAF_API_VIS decaf_ed$(gf_shortname)_verify_prehash (
     const uint8_t signature[DECAF_EDDSA_$(gf_shortname)_SIGNATURE_BYTES],
     const uint8_t pubkey[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const decaf_ed$(gf_shortname)_prehash_ctx_t hash,
     const uint8_t *context,
     uint8_t context_len
-) DECAF_API_VIS __attribute__((nonnull(1,2))) DECAF_NOINLINE;
+) __attribute__((nonnull(1,2))) DECAF_NOINLINE;
 
 /**
  * @brief EdDSA point encoding.  Used internally, exposed externally.
@@ -188,10 +193,10 @@ decaf_error_t decaf_ed$(gf_shortname)_verify_prehash (
  * @param [out] enc The encoded point.
  * @param [in] p The point.
  */       
-void $(c_ns)_point_mul_by_ratio_and_encode_like_eddsa (
+void DECAF_API_VIS $(c_ns)_point_mul_by_ratio_and_encode_like_eddsa (
     uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES],
     const $(c_ns)_point_t p
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief EdDSA point decoding.  Multiplies by $(C_NS)_EDDSA_DECODE_RATIO,
@@ -202,10 +207,10 @@ void $(c_ns)_point_mul_by_ratio_and_encode_like_eddsa (
  * @param [out] enc The encoded point.
  * @param [in] p The point.
  */       
-decaf_error_t $(c_ns)_point_decode_like_eddsa_and_mul_by_ratio (
+decaf_error_t DECAF_API_VIS $(c_ns)_point_decode_like_eddsa_and_mul_by_ratio (
     $(c_ns)_point_t p,
     const uint8_t enc[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief EdDSA to ECDH public key conversion
@@ -218,10 +223,10 @@ decaf_error_t $(c_ns)_point_decode_like_eddsa_and_mul_by_ratio (
  * @param[out] x The ECDH public key as in RFC7748(point on Montgomery curve)
  * @param[in] ed The EdDSA public key(point on Edwards curve)
  */
-void decaf_ed$(gf_shortname)_convert_public_key_to_x$(gf_shortname) (
+void DECAF_API_VIS decaf_ed$(gf_shortname)_convert_public_key_to_x$(gf_shortname) (
     uint8_t x[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t ed[DECAF_EDDSA_$(gf_shortname)_PUBLIC_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief EdDSA to ECDH private key conversion
@@ -231,10 +236,10 @@ void decaf_ed$(gf_shortname)_convert_public_key_to_x$(gf_shortname) (
  * @param[out] x The ECDH private key as in RFC7748
  * @param[in] ed The EdDSA private key
  */
-void decaf_ed$(gf_shortname)_convert_private_key_to_x$(gf_shortname) (
+void DECAF_API_VIS decaf_ed$(gf_shortname)_convert_private_key_to_x$(gf_shortname) (
     uint8_t x[DECAF_X$(gf_shortname)_PRIVATE_BYTES],
     const uint8_t ed[DECAF_EDDSA_$(gf_shortname)_PRIVATE_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 #ifdef __cplusplus
 } /* extern "C" */

src/per_curve/point.tmpl.h

@@ -63,7 +63,7 @@ struct $(c_ns)_precomputed_s;
 typedef struct $(c_ns)_precomputed_s $(c_ns)_precomputed_s; 
 
 /** Size and alignment of precomputed point tables. */
-extern const size_t $(c_ns)_sizeof_precomputed_s DECAF_API_VIS, $(c_ns)_alignof_precomputed_s DECAF_API_VIS;
+DECAF_API_VIS extern const size_t $(c_ns)_sizeof_precomputed_s, $(c_ns)_alignof_precomputed_s;
 
 /** Representation of an element of the scalar field. */
 typedef struct $(c_ns)_scalar_s {
@@ -72,21 +72,42 @@ typedef struct $(c_ns)_scalar_s {
     /** @endcond */
 } $(c_ns)_scalar_t[1];
 
+#if defined _MSC_VER
+
+/** The scalar 1. */
+extern const $(c_ns)_scalar_t DECAF_API_VIS $(c_ns)_scalar_one;
+
+/** The scalar 0. */
+extern const $(c_ns)_scalar_t DECAF_API_VIS $(c_ns)_scalar_zero;
+
+/** The identity (zero) point on the curve. */
+extern const $(c_ns)_point_t DECAF_API_VIS $(c_ns)_point_identity;
+
+/** An arbitrarily-chosen base point on the curve. */
+extern const $(c_ns)_point_t DECAF_API_VIS $(c_ns)_point_base;
+
+/** Precomputed table of multiples of the base point on the curve. */
+extern const struct DECAF_API_VIS $(c_ns)_precomputed_s *$(c_ns)_precomputed_base;
+
+
+#else // _MSC_VER
+
 /** The scalar 1. */
-extern const $(c_ns)_scalar_t $(c_ns)_scalar_one DECAF_API_VIS;
+DECAF_API_VIS extern const $(c_ns)_scalar_t $(c_ns)_scalar_one;
 
 /** The scalar 0. */
-extern const $(c_ns)_scalar_t $(c_ns)_scalar_zero DECAF_API_VIS;
+DECAF_API_VIS extern const $(c_ns)_scalar_t $(c_ns)_scalar_zero;
 
 /** The identity (zero) point on the curve. */
-extern const $(c_ns)_point_t $(c_ns)_point_identity DECAF_API_VIS;
+DECAF_API_VIS extern const $(c_ns)_point_t $(c_ns)_point_identity;
 
 /** An arbitrarily-chosen base point on the curve. */
-extern const $(c_ns)_point_t $(c_ns)_point_base DECAF_API_VIS;
+DECAF_API_VIS extern const $(c_ns)_point_t $(c_ns)_point_base;
 
 /** Precomputed table of multiples of the base point on the curve. */
-extern const struct $(c_ns)_precomputed_s *$(c_ns)_precomputed_base DECAF_API_VIS;
+DECAF_API_VIS extern const struct $(c_ns)_precomputed_s *$(c_ns)_precomputed_base;
 
+#endif // _MSC_VER
 /**
  * @brief Read a scalar from wire format or from bytes.
  *
@@ -97,10 +118,10 @@ extern const struct $(c_ns)_precomputed_s *$(c_ns)_precomputed_base DECAF_API_VI
  * @retval DECAF_FAILURE The scalar was greater than the modulus,
  * and has been reduced modulo that modulus.
  */
-decaf_error_t $(c_ns)_scalar_decode (
+decaf_error_t DECAF_API_VIS $(c_ns)_scalar_decode (
     $(c_ns)_scalar_t out,
     const unsigned char ser[$(C_NS)_SCALAR_BYTES]
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Read a scalar from wire format or from bytes.  Reduces mod
@@ -110,11 +131,11 @@ decaf_error_t $(c_ns)_scalar_decode (
  * @param [in] ser_len Length of serialized form.
  * @param [out] out Deserialized form.
  */
-void $(c_ns)_scalar_decode_long (
+void DECAF_API_VIS $(c_ns)_scalar_decode_long (
     $(c_ns)_scalar_t out,
     const unsigned char *ser,
     size_t ser_len
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
     
 /**
  * @brief Serialize a scalar to wire format.
@@ -122,10 +143,10 @@ void $(c_ns)_scalar_decode_long (
  * @param [out] ser Serialized form of a scalar.
  * @param [in] s Deserialized scalar.
  */
-void $(c_ns)_scalar_encode (
+void DECAF_API_VIS $(c_ns)_scalar_encode (
     unsigned char ser[$(C_NS)_SCALAR_BYTES],
     const $(c_ns)_scalar_t s
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE DECAF_NOINLINE;
         
 /**
  * @brief Add two scalars.  The scalars may use the same memory.
@@ -133,11 +154,11 @@ void $(c_ns)_scalar_encode (
  * @param [in] b Another scalar.
  * @param [out] out a+b.
  */
-void $(c_ns)_scalar_add (
+void DECAF_API_VIS $(c_ns)_scalar_add (
     $(c_ns)_scalar_t out,
     const $(c_ns)_scalar_t a,
     const $(c_ns)_scalar_t b
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Compare two scalars.
@@ -146,10 +167,10 @@ void $(c_ns)_scalar_add (
  * @retval DECAF_TRUE The scalars are equal.
  * @retval DECAF_FALSE The scalars are not equal.
  */    
-decaf_bool_t $(c_ns)_scalar_eq (
+decaf_bool_t DECAF_API_VIS $(c_ns)_scalar_eq (
     const $(c_ns)_scalar_t a,
     const $(c_ns)_scalar_t b
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Subtract two scalars.  The scalars may use the same memory.
@@ -157,11 +178,11 @@ decaf_bool_t $(c_ns)_scalar_eq (
  * @param [in] b Another scalar.
  * @param [out] out a-b.
  */  
-void $(c_ns)_scalar_sub (
+void DECAF_API_VIS $(c_ns)_scalar_sub (
     $(c_ns)_scalar_t out,
     const $(c_ns)_scalar_t a,
     const $(c_ns)_scalar_t b
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Multiply two scalars.  The scalars may use the same memory.
@@ -169,21 +190,21 @@ void $(c_ns)_scalar_sub (
  * @param [in] b Another scalar.
  * @param [out] out a*b.
  */  
-void $(c_ns)_scalar_mul (
+void DECAF_API_VIS $(c_ns)_scalar_mul (
     $(c_ns)_scalar_t out,
     const $(c_ns)_scalar_t a,
     const $(c_ns)_scalar_t b
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
         
 /**
 * @brief Halve a scalar.  The scalars may use the same memory.
 * @param [in] a A scalar.
 * @param [out] out a/2.
 */
-void $(c_ns)_scalar_halve (
+void DECAF_API_VIS $(c_ns)_scalar_halve (
    $(c_ns)_scalar_t out,
    const $(c_ns)_scalar_t a
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Invert a scalar.  When passed zero, return 0.  The input and output may alias.
@@ -191,10 +212,10 @@ void $(c_ns)_scalar_halve (
  * @param [out] out 1/a.
  * @return DECAF_SUCCESS The input is nonzero.
  */  
-decaf_error_t $(c_ns)_scalar_invert (
+decaf_error_t DECAF_API_VIS $(c_ns)_scalar_invert (
     $(c_ns)_scalar_t out,
     const $(c_ns)_scalar_t a
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Copy a scalar.  The scalars may use the same memory, in which
@@ -214,10 +235,10 @@ static inline void DECAF_NONNULL $(c_ns)_scalar_copy (
  * @param [in] a An integer.
  * @param [out] out Will become equal to a.
  */  
-void $(c_ns)_scalar_set_unsigned (
+void DECAF_API_VIS $(c_ns)_scalar_set_unsigned (
     $(c_ns)_scalar_t out,
     uint64_t a
-) DECAF_API_VIS DECAF_NONNULL;
+) DECAF_NONNULL;
 
 /**
  * @brief Encode a point as a sequence of bytes.
@@ -225,10 +246,10 @@ void $(c_ns)_scalar_set_unsigned (
  * @param [out] ser The byte representation of the point.
  * @param [in] pt The point to encode.
  */
-void $(c_ns)_point_encode (
+void DECAF_API_VIS $(c_ns)_point_encode (
     uint8_t ser[$(C_NS)_SER_BYTES],
     const $(c_ns)_point_t pt
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Decode a point from a sequence of bytes.
@@ -244,11 +265,11 @@ void $(c_ns)_point_encode (
  * @retval DECAF_FAILURE The decoding didn't succeed, because
  * ser does not represent a point.
  */
-decaf_error_t $(c_ns)_point_decode (
+decaf_error_t DECAF_API_VIS $(c_ns)_point_decode (
     $(c_ns)_point_t pt,
     const uint8_t ser[$(C_NS)_SER_BYTES],
     decaf_bool_t allow_identity
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Copy a point.  The input and output may alias,
@@ -273,10 +294,10 @@ static inline void DECAF_NONNULL $(c_ns)_point_copy (
  * @retval DECAF_TRUE The points are equal.
  * @retval DECAF_FALSE The points are not equal.
  */
-decaf_bool_t $(c_ns)_point_eq (
+decaf_bool_t DECAF_API_VIS $(c_ns)_point_eq (
     const $(c_ns)_point_t a,
     const $(c_ns)_point_t b
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Add two points to produce a third point.  The
@@ -287,11 +308,11 @@ decaf_bool_t $(c_ns)_point_eq (
  * @param [in] a An addend.
  * @param [in] b An addend.
  */
-void $(c_ns)_point_add (
+void DECAF_API_VIS $(c_ns)_point_add (
     $(c_ns)_point_t sum,
     const $(c_ns)_point_t a,
     const $(c_ns)_point_t b
-) DECAF_API_VIS DECAF_NONNULL;
+) DECAF_NONNULL;
 
 /**
  * @brief Double a point.  Equivalent to
@@ -300,10 +321,10 @@ void $(c_ns)_point_add (
  * @param [out] two_a The sum a+a.
  * @param [in] a A point.
  */
-void $(c_ns)_point_double (
+void DECAF_API_VIS $(c_ns)_point_double (
     $(c_ns)_point_t two_a,
     const $(c_ns)_point_t a
-) DECAF_API_VIS DECAF_NONNULL;
+) DECAF_NONNULL;
 
 /**
  * @brief Subtract two points to produce a third point.  The
@@ -314,11 +335,11 @@ void $(c_ns)_point_double (
  * @param [in] a The minuend.
  * @param [in] b The subtrahend.
  */
-void $(c_ns)_point_sub (
+void DECAF_API_VIS $(c_ns)_point_sub (
     $(c_ns)_point_t diff,
     const $(c_ns)_point_t a,
     const $(c_ns)_point_t b
-) DECAF_API_VIS DECAF_NONNULL;
+) DECAF_NONNULL;
     
 /**
  * @brief Negate a point to produce another point.  The input
@@ -327,10 +348,10 @@ void $(c_ns)_point_sub (
  * @param [out] nega The negated input point
  * @param [in] a The input point.
  */
-void $(c_ns)_point_negate (
+void DECAF_API_VIS $(c_ns)_point_negate (
    $(c_ns)_point_t nega,
    const $(c_ns)_point_t a
-) DECAF_API_VIS DECAF_NONNULL;
+) DECAF_NONNULL;
 
 /**
  * @brief Multiply a base point by a scalar: scaled = scalar*base.
@@ -339,11 +360,11 @@ void $(c_ns)_point_negate (
  * @param [in] base The point to be scaled.
  * @param [in] scalar The scalar to multiply by.
  */
-void $(c_ns)_point_scalarmul (
+void DECAF_API_VIS $(c_ns)_point_scalarmul (
     $(c_ns)_point_t scaled,
     const $(c_ns)_point_t base,
     const $(c_ns)_scalar_t scalar
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Multiply a base point by a scalar: scaled = scalar*base.
@@ -362,13 +383,13 @@ void $(c_ns)_point_scalarmul (
  * @retval DECAF_FAILURE The scalarmul didn't succeed, because
  * base does not represent a point.
  */
-decaf_error_t $(c_ns)_direct_scalarmul (
+decaf_error_t DECAF_API_VIS $(c_ns)_direct_scalarmul (
     uint8_t scaled[$(C_NS)_SER_BYTES],
     const uint8_t base[$(C_NS)_SER_BYTES],
     const $(c_ns)_scalar_t scalar,
     decaf_bool_t allow_identity,
     decaf_bool_t short_circuit
-) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;
 
 /**
  * @brief RFC 7748 Diffie-Hellman scalarmul, used to compute shared secrets.
@@ -382,11 +403,11 @@ decaf_error_t $(c_ns)_direct_scalarmul (
  * @retval DECAF_FAILURE The scalarmul didn't succeed, because the base
  * point is in a small subgroup.
  */
-decaf_error_t decaf_x$(gf_shortname) (
+decaf_error_t DECAF_API_VIS decaf_x$(gf_shortname) (
     uint8_t shared[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t base[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t scalar[DECAF_X$(gf_shortname)_PRIVATE_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_WARN_UNUSED DECAF_NOINLINE;
 
 /**
  * @brief Multiply a point by DECAF_X$(gf_shortname)_ENCODE_RATIO,
@@ -408,19 +429,18 @@ decaf_error_t decaf_x$(gf_shortname) (
  * @param [out] out The scaled and encoded point.
  * @param [in] p The point to be scaled and encoded.
  */
-void $(c_ns)_point_mul_by_ratio_and_encode_like_x$(gf_shortname) (
+void DECAF_API_VIS $(c_ns)_point_mul_by_ratio_and_encode_like_x$(gf_shortname) (
     uint8_t out[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
     const $(c_ns)_point_t p
-) DECAF_API_VIS DECAF_NONNULL;
+) DECAF_NONNULL;
 
 /** The base point for X$(gf_shortname) Diffie-Hellman */
 extern const uint8_t
-    decaf_x$(gf_shortname)_base_point[DECAF_X$(gf_shortname)_PUBLIC_BYTES]
 #ifndef DOXYGEN
     /* For some reason Doxygen chokes on this despite the defense in common.h... */
     DECAF_API_VIS
 #endif
-;
+    decaf_x$(gf_shortname)_base_point[DECAF_X$(gf_shortname)_PUBLIC_BYTES];
 
 /**
  * @brief RFC 7748 Diffie-Hellman base point scalarmul.  This function uses
@@ -432,10 +452,10 @@ extern const uint8_t
  * @param [out] out The public key base*scalar.
  * @param [in] scalar The private scalar.
  */
-void decaf_x$(gf_shortname)_generate_key (
+void DECAF_API_VIS decaf_x$(gf_shortname)_generate_key (
     uint8_t out[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t scalar[DECAF_X$(gf_shortname)_PRIVATE_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED("Renamed to decaf_x$(gf_shortname)_derive_public_key");
+) DECAF_NONNULL DECAF_NOINLINE DECAF_DEPRECATED("Renamed to decaf_x$(gf_shortname)_derive_public_key");
     
 /**
  * @brief RFC 7748 Diffie-Hellman base point scalarmul.  This function uses
@@ -447,10 +467,10 @@ void decaf_x$(gf_shortname)_generate_key (
  * @param [out] out The public key base*scalar
  * @param [in] scalar The private scalar.
  */
-void decaf_x$(gf_shortname)_derive_public_key (
+void DECAF_API_VIS decaf_x$(gf_shortname)_derive_public_key (
     uint8_t out[DECAF_X$(gf_shortname)_PUBLIC_BYTES],
     const uint8_t scalar[DECAF_X$(gf_shortname)_PRIVATE_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /* FUTURE: uint8_t $(c_ns)_encode_like_curve$(gf_shortname)) */
 
@@ -463,10 +483,10 @@ void decaf_x$(gf_shortname)_derive_public_key (
  * @param [out] a A precomputed table of multiples of the point.
  * @param [in] b Any point.
  */
-void $(c_ns)_precompute (
+void DECAF_API_VIS $(c_ns)_precompute (
     $(c_ns)_precomputed_s *a,
     const $(c_ns)_point_t b
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Multiply a precomputed base point by a scalar:
@@ -479,11 +499,11 @@ void $(c_ns)_precompute (
  * @param [in] base The point to be scaled.
  * @param [in] scalar The scalar to multiply by.
  */
-void $(c_ns)_precomputed_scalarmul (
+void DECAF_API_VIS $(c_ns)_precomputed_scalarmul (
     $(c_ns)_point_t scaled,
     const $(c_ns)_precomputed_s *base,
     const $(c_ns)_scalar_t scalar
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Multiply two base points by two scalars:
@@ -498,13 +518,13 @@ void $(c_ns)_precomputed_scalarmul (
  * @param [in] base2 A second point to be scaled.
  * @param [in] scalar2 A second scalar to multiply by.
  */
-void $(c_ns)_point_double_scalarmul (
+void DECAF_API_VIS $(c_ns)_point_double_scalarmul (
     $(c_ns)_point_t combo,
     const $(c_ns)_point_t base1,
     const $(c_ns)_scalar_t scalar1,
     const $(c_ns)_point_t base2,
     const $(c_ns)_scalar_t scalar2
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
     
 /**
  * Multiply one base point by two scalars:
@@ -521,13 +541,13 @@ void $(c_ns)_point_double_scalarmul (
  * @param [in] scalar1 A first scalar to multiply by.
  * @param [in] scalar2 A second scalar to multiply by.
  */
-void $(c_ns)_point_dual_scalarmul (
+void DECAF_API_VIS $(c_ns)_point_dual_scalarmul (
     $(c_ns)_point_t a1,
     $(c_ns)_point_t a2,
     const $(c_ns)_point_t base1,
     const $(c_ns)_scalar_t scalar1,
     const $(c_ns)_scalar_t scalar2
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Multiply two base points by two scalars:
@@ -544,12 +564,12 @@ void $(c_ns)_point_dual_scalarmul (
  * @warning: This function takes variable time, and may leak the scalars
  * used.  It is designed for signature verification.
  */
-void $(c_ns)_base_double_scalarmul_non_secret (
+void DECAF_API_VIS $(c_ns)_base_double_scalarmul_non_secret (
     $(c_ns)_point_t combo,
     const $(c_ns)_scalar_t scalar1,
     const $(c_ns)_point_t base2,
     const $(c_ns)_scalar_t scalar2
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Constant-time decision between two points.  If pick_b
@@ -560,12 +580,12 @@ void $(c_ns)_base_double_scalarmul_non_secret (
  * @param [in] b Any point.
  * @param [in] pick_b If nonzero, choose point b.
  */
-void $(c_ns)_point_cond_sel (
+void DECAF_API_VIS $(c_ns)_point_cond_sel (
     $(c_ns)_point_t out,
     const $(c_ns)_point_t a,
     const $(c_ns)_point_t b,
     decaf_word_t pick_b
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Constant-time decision between two scalars.  If pick_b
@@ -576,12 +596,12 @@ void $(c_ns)_point_cond_sel (
  * @param [in] b Any scalar.
  * @param [in] pick_b If nonzero, choose scalar b.
  */
-void $(c_ns)_scalar_cond_sel (
+void DECAF_API_VIS $(c_ns)_scalar_cond_sel (
     $(c_ns)_scalar_t out,
     const $(c_ns)_scalar_t a,
     const $(c_ns)_scalar_t b,
     decaf_word_t pick_b
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Test that a point is valid, for debugging purposes.
@@ -590,9 +610,9 @@ void $(c_ns)_scalar_cond_sel (
  * @retval DECAF_TRUE The point is valid.
  * @retval DECAF_FALSE The point is invalid.
  */
-decaf_bool_t $(c_ns)_point_valid (
+decaf_bool_t DECAF_API_VIS $(c_ns)_point_valid (
     const $(c_ns)_point_t to_test
-) DECAF_API_VIS DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_WARN_UNUSED DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Torque a point, for debugging purposes.  The output
@@ -601,10 +621,10 @@ decaf_bool_t $(c_ns)_point_valid (
  * @param [out] q The point to torque.
  * @param [in] p The point to torque.
  */
-void $(c_ns)_point_debugging_torque (
+void DECAF_API_VIS $(c_ns)_point_debugging_torque (
     $(c_ns)_point_t q,
     const $(c_ns)_point_t p
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Projectively scale a point, for debugging purposes.
@@ -615,11 +635,11 @@ void $(c_ns)_point_debugging_torque (
  * @param [in] p The point to scale.
  * @param [in] factor Serialized GF factor to scale.
  */
-void $(c_ns)_point_debugging_pscale (
+void DECAF_API_VIS $(c_ns)_point_debugging_pscale (
     $(c_ns)_point_t q,
     const $(c_ns)_point_t p,
     const unsigned char factor[$(C_NS)_SER_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Almost-Elligator-like hash to curve.
@@ -649,11 +669,11 @@ void $(c_ns)_point_debugging_pscale (
  * @param [in] hashed_data Output of some hash function.
  * @param [out] pt The data hashed to the curve.
  */
-void
+void DECAF_API_VIS
 $(c_ns)_point_from_hash_nonuniform (
     $(c_ns)_point_t pt,
     const unsigned char hashed_data[$(C_NS)_HASH_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Indifferentiable hash function encoding to curve.
@@ -663,10 +683,10 @@ $(c_ns)_point_from_hash_nonuniform (
  * @param [in] hashed_data Output of some hash function.
  * @param [out] pt The data hashed to the curve.
  */ 
-void $(c_ns)_point_from_hash_uniform (
+void DECAF_API_VIS $(c_ns)_point_from_hash_uniform (
     $(c_ns)_point_t pt,
     const unsigned char hashed_data[2*$(C_NS)_HASH_BYTES]
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE;
+) DECAF_NONNULL DECAF_NOINLINE;
 
 /**
  * @brief Inverse of elligator-like hash to curve.
@@ -696,12 +716,12 @@ void $(c_ns)_point_from_hash_uniform (
  * @retval DECAF_SUCCESS The inverse succeeded.
  * @retval DECAF_FAILURE The inverse failed.
  */
-decaf_error_t
+decaf_error_t DECAF_API_VIS
 $(c_ns)_invert_elligator_nonuniform (
     unsigned char recovered_hash[$(C_NS)_HASH_BYTES],
     const $(c_ns)_point_t pt,
     uint32_t which
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;
+) DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;
 
 /**
  * @brief Inverse of elligator-like hash to curve.
@@ -721,31 +741,31 @@ $(c_ns)_invert_elligator_nonuniform (
  * @retval DECAF_SUCCESS The inverse succeeded.
  * @retval DECAF_FAILURE The inverse failed.
  */
-decaf_error_t
+decaf_error_t DECAF_API_VIS
 $(c_ns)_invert_elligator_uniform (
     unsigned char recovered_hash[2*$(C_NS)_HASH_BYTES],
     const $(c_ns)_point_t pt,
     uint32_t which
-) DECAF_API_VIS DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;
+) DECAF_NONNULL DECAF_NOINLINE DECAF_WARN_UNUSED;
 
 /** Securely erase a scalar. */
-void $(c_ns)_scalar_destroy (
+void DECAF_API_VIS $(c_ns)_scalar_destroy (
     $(c_ns)_scalar_t scalar
-) DECAF_NONNULL DECAF_API_VIS;
+) DECAF_NONNULL;
 
 /** Securely erase a point by overwriting it with zeros.
  * @warning This causes the point object to become invalid.
  */
-void $(c_ns)_point_destroy (
+void DECAF_API_VIS $(c_ns)_point_destroy (
     $(c_ns)_point_t point
-) DECAF_NONNULL DECAF_API_VIS;
+) DECAF_NONNULL;
 
 /** Securely erase a precomputed table by overwriting it with zeros.
  * @warning This causes the table object to become invalid.
  */
-void $(c_ns)_precomputed_destroy (
+void DECAF_API_VIS $(c_ns)_precomputed_destroy (
     $(c_ns)_precomputed_s *pre
-) DECAF_NONNULL DECAF_API_VIS;
+) DECAF_NONNULL;
 
 #ifdef __cplusplus
 } /* extern "C" */

src/per_curve/scalar.tmpl.c

@@ -110,7 +110,7 @@ decaf_error_t API_NS(scalar_invert) (
      * Sliding window is fine here because the modulus isn't secret.
      */
     const int SCALAR_WINDOW_BITS = 3;
-    scalar_t precmp[1<<SCALAR_WINDOW_BITS];
+    scalar_t precmp[1<<3];  // Rewritten from SCALAR_WINDOW_BITS for windows compatibility
     const int LAST = (1<<SCALAR_WINDOW_BITS)-1;
 
     /* Precompute precmp = [a^1,a^3,...] */

src/public_include/decaf/common.h

@@ -13,7 +13,9 @@
 #define __DECAF_COMMON_H__ 1
 
 #include <stdint.h>
+#if defined (__GNUC__)  // File only exists for GNU compilers
 #include <sys/types.h>
+#endif
 
 #ifdef __cplusplus
 extern "C" {
@@ -25,11 +27,31 @@ extern "C" {
 #define __attribute__(x)
 #define NOINLINE
 #endif
+
+/* Aliasing MSVC preprocessing to GNU preprocessing */
+#if defined _MSC_VER
+#   define __attribute__(x)        // Turn off attribute code
+#   define __attribute(x)
+#   define __restrict__ __restrict  // Use MSVC restrict code
+#   if defined _DLL
+#       define DECAF_API_VIS __declspec(dllexport)  // MSVC for visibility
+#   else
+#       define DECAF_API_VIS __declspec(dllimport)
+#   endif
+
+//#   define DECAF_NOINLINE __declspec(noinline) // MSVC for noinline
+//#   define DECAF_INLINE __forceinline // MSVC for always inline
+//#   define DECAF_WARN_UNUSED _Check_return_    
+#else // MSVC
 #define DECAF_API_VIS __attribute__((visibility("default")))
+#define DECAF_API_IMPORT
+#endif
+
+// The following are disabled for MSVC
 #define DECAF_NOINLINE  __attribute__((noinline))
-#define DECAF_WARN_UNUSED __attribute__((warn_unused_result))
-#define DECAF_NONNULL __attribute__((nonnull))
 #define DECAF_INLINE inline __attribute__((always_inline,unused))
+#define DECAF_WARN_UNUSED __attribute__((warn_unused_result))
+#define DECAF_NONNULL __attribute__((nonnull))  
 // Cribbed from libnotmuch
 #if defined (__clang_major__) && __clang_major__ >= 3 \
     || defined (__GNUC__) && __GNUC__ >= 5 \
@@ -98,17 +120,17 @@ decaf_successful(decaf_error_t e) {
 }
     
 /** Overwrite data with zeros.  Uses memset_s if available. */
-void decaf_bzero (
+void DECAF_API_VIS decaf_bzero (
     void *data,
     size_t size
-) DECAF_NONNULL DECAF_API_VIS;
+) DECAF_NONNULL;
 
 /** Compare two buffers, returning DECAF_TRUE if they are equal. */
-decaf_bool_t decaf_memeq (
+decaf_bool_t DECAF_API_VIS decaf_memeq (
     const void *data1,
     const void *data2,
     size_t size
-) DECAF_NONNULL DECAF_WARN_UNUSED DECAF_API_VIS;
+) DECAF_NONNULL DECAF_WARN_UNUSED;
     
 #ifdef __cplusplus
 } /* extern "C" */

src/public_include/decaf/secure_buffer.hxx

@@ -19,6 +19,10 @@
 #include <cstddef>
 #include <limits>
 
+#if defined(_MSC_VER)  // MSVC does not have built in posix_memalign
+#define posix_memalign(p, a, s) (((*(p)) = _aligned_malloc((s), (a))), *(p) ?0 :errno)
+#endif
+
 /** @cond internal */
 #if __cplusplus >= 201103L
 #define DECAF_NOEXCEPT noexcept

src/public_include/decaf/sha512.h

@@ -28,17 +28,17 @@ typedef struct decaf_sha512_ctx_s {
 } decaf_sha512_ctx_s, decaf_sha512_ctx_t[1];
 
 /** Initialize a SHA-512 context. */
-void decaf_sha512_init(decaf_sha512_ctx_t ctx) DECAF_NONNULL DECAF_API_VIS;
+void DECAF_API_VIS decaf_sha512_init(decaf_sha512_ctx_t ctx) DECAF_NONNULL;
 
 /** Update context by hashing part of a message. */
-void decaf_sha512_update(decaf_sha512_ctx_t ctx, const uint8_t *message, size_t message_len) DECAF_NONNULL DECAF_API_VIS;
+void DECAF_API_VIS decaf_sha512_update(decaf_sha512_ctx_t ctx, const uint8_t *message, size_t message_len) DECAF_NONNULL;
 
 /** Finalize context and write out hash.
  * @param [inout] ctx The context.  Will be destroyed and re-initialized on return.
  * @param [out] output Place to store the output hash.
  * @param [in] output_len Length in bytes of the output hash.  Must between 0 and 64, inclusive.
  */
-void decaf_sha512_final(decaf_sha512_ctx_t ctx, uint8_t *output, size_t output_len) DECAF_NONNULL DECAF_API_VIS;
+void DECAF_API_VIS decaf_sha512_final(decaf_sha512_ctx_t ctx, uint8_t *output, size_t output_len) DECAF_NONNULL;
 
 /** Securely destroy a SHA512 context. */
 static inline void decaf_sha512_destroy(decaf_sha512_ctx_t ctx) {

src/public_include/decaf/shake.h

@@ -43,10 +43,10 @@ extern "C" {
  * @param [out] sponge The object to initialize.
  * @param [in] params The sponge's parameter description.
  */
-void decaf_sha3_init (
+void DECAF_API_VIS decaf_sha3_init (
     decaf_keccak_sponge_t sponge,
     const struct decaf_kparams_s *params
-) DECAF_API_VIS;
+);
 
 /**
  * @brief Absorb data into a DECAF_SHA3 or DECAF_SHAKE hash context.
@@ -56,11 +56,11 @@ void decaf_sha3_init (
  * @return DECAF_FAILURE if the sponge has already been used for output.
  * @return DECAF_SUCCESS otherwise.
  */
-decaf_error_t decaf_sha3_update (
+decaf_error_t DECAF_API_VIS decaf_sha3_update (
     struct decaf_keccak_sponge_s * __restrict__ sponge,
     const uint8_t *in,
     size_t len
-) DECAF_API_VIS;
+);
 
 /**
  * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
@@ -73,11 +73,11 @@ decaf_error_t decaf_sha3_update (
  * @return DECAF_FAILURE if the sponge has exhausted its output capacity.
  * @return DECAF_SUCCESS otherwise.
  */  
-decaf_error_t decaf_sha3_output (
+decaf_error_t DECAF_API_VIS decaf_sha3_output (
     decaf_keccak_sponge_t sponge,
     uint8_t * __restrict__ out,
     size_t len
-) DECAF_API_VIS;
+);
 
 /**
  * @brief Squeeze output data from a DECAF_SHA3 or DECAF_SHAKE hash context.
@@ -87,20 +87,20 @@ decaf_error_t decaf_sha3_output (
  * @param [out] out The output data.
  * @param [in] len The requested output data length in bytes.
  */  
-decaf_error_t decaf_sha3_final (
+decaf_error_t DECAF_API_VIS decaf_sha3_final (
     decaf_keccak_sponge_t sponge,
     uint8_t * __restrict__ out,
     size_t len
-) DECAF_API_VIS;
+);
 
 /**
  * @brief Reset the sponge to the empty string.
  *
  * @param [inout] sponge The context.
  */  
-void decaf_sha3_reset (
+void DECAF_API_VIS decaf_sha3_reset (
     decaf_keccak_sponge_t sponge
-) DECAF_API_VIS;
+);
 
 /**
  * @brief Return the default output length of the sponge construction,
@@ -108,9 +108,9 @@ void decaf_sha3_reset (
  *
  * Returns n/8 for DECAF_SHA3-n and 2n/8 for DECAF_SHAKE-n.
  */  
-size_t decaf_sha3_default_output_bytes (
+size_t DECAF_API_VIS decaf_sha3_default_output_bytes (
     const decaf_keccak_sponge_t sponge /**< [inout] The context. */
-) DECAF_API_VIS;
+);
 
 /**
  * @brief Return the default output length of the sponge construction,
@@ -118,17 +118,17 @@ size_t decaf_sha3_default_output_bytes (
  *
  * Returns n/8 for DECAF_SHA3-n and SIZE_MAX for DECAF_SHAKE-n.
  */  
-size_t decaf_sha3_max_output_bytes (
+size_t DECAF_API_VIS decaf_sha3_max_output_bytes (
     const decaf_keccak_sponge_t sponge /**< [inout] The context. */
-) DECAF_API_VIS;
+);
 
 /**
  * @brief Destroy a DECAF_SHA3 or DECAF_SHAKE sponge context by overwriting it with 0.
  * @param [out] sponge The context.
  */  
-void decaf_sha3_destroy (
+void DECAF_API_VIS decaf_sha3_destroy (
     decaf_keccak_sponge_t sponge
-) DECAF_API_VIS;
+);
 
 /**
  * @brief Hash (in) to (out)
@@ -138,19 +138,78 @@ void decaf_sha3_destroy (
  * @param [in] outlen The length of the output data.
  * @param [in] params The parameters of the sponge hash.
  */  
-decaf_error_t decaf_sha3_hash (
+decaf_error_t DECAF_API_VIS decaf_sha3_hash (
     uint8_t *out,
     size_t outlen,
     const uint8_t *in,
     size_t inlen,
     const struct decaf_kparams_s *params
-) DECAF_API_VIS;
+);
 
 /* FUTURE: expand/doxygenate individual DECAF_SHAKE/DECAF_SHA3 instances? */
 
+#if defined _MSC_VER
+
+/** @cond internal */
+#define DECAF_DEC_SHAKE(n) \
+    extern const struct DECAF_API_VIS decaf_kparams_s DECAF_SHAKE##n##_params_s; \
+    typedef struct decaf_shake##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_shake##n##_ctx_t[1]; \
+    static inline void DECAF_NONNULL decaf_shake##n##_init(decaf_shake##n##_ctx_t sponge) { \
+        decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
+    } \
+    static inline void DECAF_NONNULL decaf_shake##n##_gen_init(decaf_keccak_sponge_t sponge) { \
+        decaf_sha3_init(sponge, &DECAF_SHAKE##n##_params_s); \
+    } \
+    static inline decaf_error_t DECAF_NONNULL decaf_shake##n##_update(decaf_shake##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
+        return decaf_sha3_update(sponge->s, in, inlen); \
+    } \
+    static inline void  DECAF_NONNULL decaf_shake##n##_final(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
+        decaf_sha3_output(sponge->s, out, outlen); \
+        decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
+    } \
+    static inline void  DECAF_NONNULL decaf_shake##n##_output(decaf_shake##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
+        decaf_sha3_output(sponge->s, out, outlen); \
+    } \
+    static inline void  DECAF_NONNULL decaf_shake##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
+        decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHAKE##n##_params_s); \
+    } \
+    static inline void  DECAF_NONNULL decaf_shake##n##_destroy( decaf_shake##n##_ctx_t sponge ) { \
+        decaf_sha3_destroy(sponge->s); \
+    }
+
+#define DECAF_DEC_SHA3(n) \
+    extern const struct DECAF_API_VIS decaf_kparams_s DECAF_SHA3_##n##_params_s; \
+    typedef struct decaf_sha3_##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_sha3_##n##_ctx_t[1]; \
+    static inline void DECAF_NONNULL decaf_sha3_##n##_init(decaf_sha3_##n##_ctx_t sponge) { \
+        decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
+    } \
+    static inline void DECAF_NONNULL decaf_sha3_##n##_gen_init(decaf_keccak_sponge_t sponge) { \
+        decaf_sha3_init(sponge, &DECAF_SHA3_##n##_params_s); \
+    } \
+    static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_update(decaf_sha3_##n##_ctx_t sponge, const uint8_t *in, size_t inlen ) { \
+        return decaf_sha3_update(sponge->s, in, inlen); \
+    } \
+    static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_final(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
+        decaf_error_t ret = decaf_sha3_output(sponge->s, out, outlen); \
+        decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
+        return ret; \
+    } \
+    static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_output(decaf_sha3_##n##_ctx_t sponge, uint8_t *out, size_t outlen ) { \
+        return decaf_sha3_output(sponge->s, out, outlen); \
+    } \
+    static inline decaf_error_t DECAF_NONNULL decaf_sha3_##n##_hash(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen) { \
+        return decaf_sha3_hash(out,outlen,in,inlen,&DECAF_SHA3_##n##_params_s); \
+    } \
+    static inline void DECAF_NONNULL decaf_sha3_##n##_destroy(decaf_sha3_##n##_ctx_t sponge) { \
+        decaf_sha3_destroy(sponge->s); \
+    }
+/** @endcond */
+
+#else // _MSC_VER
+
 /** @cond internal */
 #define DECAF_DEC_SHAKE(n) \
-    extern const struct decaf_kparams_s DECAF_SHAKE##n##_params_s DECAF_API_VIS; \
+    DECAF_API_VIS extern const struct decaf_kparams_s DECAF_SHAKE##n##_params_s; \
     typedef struct decaf_shake##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_shake##n##_ctx_t[1]; \
     static inline void DECAF_NONNULL decaf_shake##n##_init(decaf_shake##n##_ctx_t sponge) { \
         decaf_sha3_init(sponge->s, &DECAF_SHAKE##n##_params_s); \
@@ -176,7 +235,7 @@ decaf_error_t decaf_sha3_hash (
     }
 
 #define DECAF_DEC_SHA3(n) \
-    extern const struct decaf_kparams_s DECAF_SHA3_##n##_params_s DECAF_API_VIS; \
+    DECAF_API_VIS extern const struct decaf_kparams_s DECAF_SHA3_##n##_params_s; \
     typedef struct decaf_sha3_##n##_ctx_s { decaf_keccak_sponge_t s; } decaf_sha3_##n##_ctx_t[1]; \
     static inline void DECAF_NONNULL decaf_sha3_##n##_init(decaf_sha3_##n##_ctx_t sponge) { \
         decaf_sha3_init(sponge->s, &DECAF_SHA3_##n##_params_s); \
@@ -202,6 +261,10 @@ decaf_error_t decaf_sha3_hash (
         decaf_sha3_destroy(sponge->s); \
     }
 /** @endcond */
+    
+#endif // _MSC_VER
+
+
 
 DECAF_DEC_SHAKE(128)
 DECAF_DEC_SHAKE(256)

src/public_include/decaf/shake.hxx

@@ -173,6 +173,17 @@ public:
     }
 };
 
+
+#if defined _MSC_VER // MSVC does not want tempalte<> syntax, gcc cannot live without it
+/** @cond internal */
+inline const struct decaf_kparams_s *SHAKE<128>::get_params() { return &DECAF_SHAKE128_params_s; }
+inline const struct decaf_kparams_s *SHAKE<256>::get_params() { return &DECAF_SHAKE256_params_s; }
+inline const struct decaf_kparams_s *SHA3<224>::get_params() { return  &DECAF_SHA3_224_params_s; }
+inline const struct decaf_kparams_s *SHA3<256>::get_params() { return  &DECAF_SHA3_256_params_s; }
+inline const struct decaf_kparams_s *SHA3<384>::get_params() { return  &DECAF_SHA3_384_params_s; }
+inline const struct decaf_kparams_s *SHA3<512>::get_params() { return  &DECAF_SHA3_512_params_s; }
+/** @endcond */
+#else
 /** @cond internal */
 template<> inline const struct decaf_kparams_s *SHAKE<128>::get_params() { return &DECAF_SHAKE128_params_s; }
 template<> inline const struct decaf_kparams_s *SHAKE<256>::get_params() { return &DECAF_SHAKE256_params_s; }
@@ -181,6 +192,8 @@ template<> inline const struct decaf_kparams_s *SHA3<256>::get_params() { return
 template<> inline const struct decaf_kparams_s *SHA3<384>::get_params() { return  &DECAF_SHA3_384_params_s; }
 template<> inline const struct decaf_kparams_s *SHA3<512>::get_params() { return  &DECAF_SHA3_512_params_s; }
 /** @endcond */
+#endif
+
   
 } /* namespace decaf */
 

src/public_include/decaf/spongerng.h

@@ -27,12 +27,12 @@ typedef struct {
 typedef decaf_keccak_prng_s decaf_keccak_prng_t[1];
     
 /** Initialize a sponge-based CSPRNG from a buffer. */
-void decaf_spongerng_init_from_buffer (
+void DECAF_API_VIS decaf_spongerng_init_from_buffer (
     decaf_keccak_prng_t prng,             /**< [out] The PRNG object. */
     const uint8_t *__restrict__ in, /**< [in]  The initialization data. */
     size_t len,                     /**< [in]  The length of the initialization data. */
     int deterministic               /**< [in]  If zero, allow RNG to stir in nondeterministic data from RDRAND or RDTSC.*/
-) DECAF_NONNULL DECAF_API_VIS;
+) DECAF_NONNULL;
     
 /**
  * @brief Initialize a sponge-based CSPRNG from a file.
@@ -40,12 +40,12 @@ void decaf_spongerng_init_from_buffer (
  * @retval DECAF_FAILURE failure.
  * @note On failure, errno can be used to determine the cause.
  */
-decaf_error_t decaf_spongerng_init_from_file (
+decaf_error_t DECAF_API_VIS decaf_spongerng_init_from_file (
     decaf_keccak_prng_t prng, /**< [out] The PRNG object. */
     const char *file,   /**< [in]  A name of a file containing initial data. */
     size_t len,         /**< [in]  The length of the initial data.  Must be positive. */
     int deterministic   /**< [in]  If zero, allow RNG to stir in nondeterministic data from RDRAND or RDTSC. */
-) DECAF_NONNULL DECAF_API_VIS DECAF_WARN_UNUSED;
+) DECAF_NONNULL DECAF_WARN_UNUSED;
 
 /**
  * @brief Initialize a nondeterministic sponge-based CSPRNG from /dev/urandom.
@@ -53,23 +53,23 @@ decaf_error_t decaf_spongerng_init_from_file (
  * @retval DECAF_FAILURE failure.
  * @note On failure, errno can be used to determine the cause.
  */
-decaf_error_t decaf_spongerng_init_from_dev_urandom (
+decaf_error_t DECAF_API_VIS decaf_spongerng_init_from_dev_urandom (
     decaf_keccak_prng_t prng /**< [out] sponge The sponge object. */
-) DECAF_API_VIS DECAF_WARN_UNUSED;
+) DECAF_WARN_UNUSED;
 
 /** Output bytes from a sponge-based CSPRNG. */
-void decaf_spongerng_next (
+void DECAF_API_VIS decaf_spongerng_next (
     decaf_keccak_prng_t prng,         /**< [inout] The PRNG object. */
     uint8_t * __restrict__ out, /**< [out]   Output buffer. */
     size_t len                  /**< [in]    Number of bytes to output. */
-) DECAF_API_VIS;
+);
 
 /** Stir entropy data into a sponge-based CSPRNG from a buffer.  */
-void decaf_spongerng_stir (
+void DECAF_API_VIS decaf_spongerng_stir (
     decaf_keccak_prng_t prng,              /**< [out] The PRNG object. */
     const uint8_t * __restrict__ in, /**< [in]  The entropy data. */
     size_t len                       /**< [in]  The length of the initial data. */
-) DECAF_NONNULL DECAF_API_VIS;
+) DECAF_NONNULL;
     
 /** Securely destroy a sponge RNG object by overwriting it. */
 static DECAF_INLINE void

src/spongerng.c

@@ -22,7 +22,13 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
-#include <unistd.h>
+#if defined(_MSC_VER)
+#   include <io.h>
+#include <BaseTsd.h>
+typedef SSIZE_T ssize_t;
+#else
+#   include <unistd.h>
+#endif
 
 /** Get entropy from a CPU, preferably in the form of RDRAND, but possibly instead from RDTSC. */
 static void get_cpu_entropy(uint8_t *entropy, size_t len) {

test/bench_decaf.cxx

@@ -15,7 +15,6 @@
 #include <decaf/spongerng.hxx>
 #include <decaf/eddsa.hxx>
 #include <stdio.h>
-#include <sys/time.h>
 #include <assert.h>
 #include <stdint.h>
 #include <vector>
@@ -23,13 +22,31 @@
 
 using namespace decaf;
 
+#if defined _MSC_VER  // Turn off attribute code and rename inline
+#define __attribute__(x)        // Turn off attribute code
+#define __attribute(x)
+#define __inline__ __inline  // Use MSVC inline
+#endif // MSVC
 
 static __inline__ void __attribute__((unused)) ignore_result ( int result ) { (void)result; }
+#if defined _MSC_VER  // MSVC does not have gettimeoftheday
+#include <chrono>
+static double now(void) {
+  static const auto beg = std::chrono::high_resolution_clock::now();
+  auto end_time = std::chrono::high_resolution_clock::now();
+  auto time = end_time - beg;
+  double duration = 0.000001 * std::chrono::duration_cast<std::chrono::microseconds>(time).count();
+  return duration;
+}
+#else
+#include <sys/time.h>
 static double now(void) {
   struct timeval tv;
   gettimeofday(&tv, NULL);
   return tv.tv_sec + tv.tv_usec/1000000.0;
 }
+#endif
+
 
 // RDTSC from the chacha code
 #ifndef __has_builtin

test/shakesum.c

@@ -9,7 +9,13 @@
  */
 
 #include <stdio.h>
+#if defined _MSC_VER  // MSVC has not unistd.h
+#include <io.h>
+#include <BaseTsd.h>
+typedef SSIZE_T ssize_t;
+#else
 #include <unistd.h>
+#endif
 #include <string.h>
 #include <decaf/shake.h>
 #include <decaf/sha512.h>