@@ -2159,9 +2159,9 @@ func (s *DockerDaemonSuite) TestRunLinksChanged(c *check.C) {

 }

 func (s *DockerDaemonSuite) TestDaemonStartWithoutColors(c *check.C) {

-	testRequires(c, DaemonIsLinux, NotPpc64le)

+	testRequires(c, DaemonIsLinux)

-	infoLog := "\x1b[34mINFO\x1b"

+	infoLog := "\x1b[36mINFO\x1b"

 	b := bytes.NewBuffer(nil)

 	done := make(chan bool)

@@ -2209,7 +2209,7 @@ func (s *DockerDaemonSuite) TestDaemonStartWithoutColors(c *check.C) {

 }

 func (s *DockerDaemonSuite) TestDaemonDebugLog(c *check.C) {

-	testRequires(c, DaemonIsLinux, NotPpc64le)

+	testRequires(c, DaemonIsLinux)

 	debugLog := "\x1b[37mDEBU\x1b"

@@ -11,7 +11,7 @@ github.com/gorilla/mux v1.1

 github.com/Microsoft/opengcs v0.3.3

 github.com/kr/pty 5cf931ef8f

 github.com/mattn/go-shellwords v1.0.3

-github.com/sirupsen/logrus v1.0.1

+github.com/sirupsen/logrus v1.0.3

 github.com/tchap/go-patricia v2.2.6

 github.com/vdemeester/shakers 24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3

 golang.org/x/net 7dcfb8076726a3fdd9353b6b8a1f1b6be6811bd6

@@ -112,7 +112,7 @@ github.com/docker/swarmkit ddb4539f883b18ea40af44ee6de63ac2adc8dc1e

 github.com/gogo/protobuf v0.4

 github.com/cloudflare/cfssl 7fb22c8cba7ecaf98e4082d22d65800cf45e042a

 github.com/google/certificate-transparency d90e65c3a07988180c5b1ece71791c0b6506826e

-golang.org/x/crypto 3fbbcd23f1cb824e69491a5930cfeff09b12f4d2

+golang.org/x/crypto 558b6879de74bc843225cde5686419267ff707ca

 golang.org/x/time a4bde12657593d5e90d0533a3e4fd95e635124cb

 github.com/hashicorp/go-memdb cb9a474f84cc5e41b273b20c6927680b2a8776ad

 github.com/hashicorp/go-immutable-radix 8e8ed81f8f0bf1bdd829593fdd5c29922c1ea990

@@ -1,7 +1,7 @@

 # Logrus <img src="http://i.imgur.com/hTeVwmJ.png" width="40" height="40" alt=":walrus:" class="emoji" title=":walrus:"/>&nbsp;[![Build Status](https://travis-ci.org/sirupsen/logrus.svg?branch=master)](https://travis-ci.org/sirupsen/logrus)&nbsp;[![GoDoc](https://godoc.org/github.com/sirupsen/logrus?status.svg)](https://godoc.org/github.com/sirupsen/logrus)

 Logrus is a structured logger for Go (golang), completely API compatible with

-the standard library logger. [Godoc][godoc].

+the standard library logger.

 **Seeing weird case-sensitive problems?** It's in the past been possible to

 import Logrus as both upper- and lower-case. Due to the Go package environment,

@@ -372,6 +372,7 @@ The built-in logging formatters are:

 Third party logging formatters:

+* [`FluentdFormatter`](https://github.com/joonix/log). Formats entries that can by parsed by Kubernetes and Google Container Engine.

 * [`logstash`](https://github.com/bshuster-repo/logrus-logstash-hook). Logs fields as [Logstash](http://logstash.net) Events.

 * [`prefixed`](https://github.com/x-cray/logrus-prefixed-formatter). Displays log entry source along with alternative layout.

 * [`zalgo`](https://github.com/aybabtme/logzalgo). Invoking the P͉̫o̳̼̊w̖͈̰͎e̬͔̭͂r͚̼̹̲ ̫͓͉̳͈ō̠͕͖̚f̝͍̠ ͕̲̞͖͑Z̖̫̤̫ͪa͉̬͈̗l͖͎g̳̥o̰̥̅!̣͔̲̻͊̄ ̙̘̦̹̦.

@@ -35,6 +35,7 @@ type Entry struct {

 	Time time.Time

 	// Level the log entry was logged at: Debug, Info, Warn, Error, Fatal or Panic

+	// This field will be set on entry firing and the value will be equal to the one in Logger struct field.

 	Level Level

 	// Message passed to Debug, Info, Warn, Error, Fatal or Panic

@@ -31,7 +31,7 @@ func SetFormatter(formatter Formatter) {

 func SetLevel(level Level) {

 	std.mu.Lock()

 	defer std.mu.Unlock()

-	std.setLevel(level)

+	std.SetLevel(level)

 }

 // GetLevel returns the standard logger level.

@@ -2,7 +2,7 @@ package logrus

 import "time"

-const DefaultTimestampFormat = time.RFC3339

+const defaultTimestampFormat = time.RFC3339

 // The Formatter interface is used to implement a custom Formatter. It takes an

 // `Entry`. It exposes all the fields, including the default ones:

@@ -6,8 +6,11 @@ import (

 )

 type fieldKey string

+

+// FieldMap allows customization of the key names for default fields.

 type FieldMap map[fieldKey]string

+// Default key names for the default fields

 const (

 	FieldKeyMsg   = "msg"

 	FieldKeyLevel = "level"

@@ -22,6 +25,7 @@ func (f FieldMap) resolve(key fieldKey) string {

 	return string(key)

 }

+// JSONFormatter formats logs into parsable json

 type JSONFormatter struct {

 	// TimestampFormat sets the format used for marshaling timestamps.

 	TimestampFormat string

@@ -29,7 +33,7 @@ type JSONFormatter struct {

 	// DisableTimestamp allows disabling automatic timestamps in output

 	DisableTimestamp bool

-	// FieldMap allows users to customize the names of keys for various fields.

+	// FieldMap allows users to customize the names of keys for default fields.

 	// As an example:

 	// formatter := &JSONFormatter{

 	//   	FieldMap: FieldMap{

@@ -41,6 +45,7 @@ type JSONFormatter struct {

 	FieldMap FieldMap

 }

+// Format renders a single log entry

 func (f *JSONFormatter) Format(entry *Entry) ([]byte, error) {

 	data := make(Fields, len(entry.Data)+3)

 	for k, v := range entry.Data {

@@ -57,7 +62,7 @@ func (f *JSONFormatter) Format(entry *Entry) ([]byte, error) {

 	timestampFormat := f.TimestampFormat

 	if timestampFormat == "" {

-		timestampFormat = DefaultTimestampFormat

+		timestampFormat = defaultTimestampFormat

 	}

 	if !f.DisableTimestamp {

@@ -25,7 +25,7 @@ type Logger struct {

 	Formatter Formatter

 	// The logging level the logger should log at. This is typically (and defaults

 	// to) `logrus.Info`, which allows Info(), Warn(), Error() and Fatal() to be

-	// logged. `logrus.Debug` is useful in

+	// logged.

 	Level Level

 	// Used to sync writing to the log. Locking is enabled by Default

 	mu MutexWrap

@@ -312,6 +312,6 @@ func (logger *Logger) level() Level {

 	return Level(atomic.LoadUint32((*uint32)(&logger.Level)))

 }

-func (logger *Logger) setLevel(level Level) {

+func (logger *Logger) SetLevel(level Level) {

 	atomic.StoreUint32((*uint32)(&logger.Level), uint32(level))

 }

deleted file mode 100644

@@ -1,10 +0,0 @@

-// +build appengine

-

-package logrus

-

-import "io"

-

-// IsTerminal returns true if stderr's file descriptor is a terminal.

-func IsTerminal(f io.Writer) bool {

-	return true

-}

@@ -3,8 +3,8 @@

 package logrus

-import "syscall"

+import "golang.org/x/sys/unix"

-const ioctlReadTermios = syscall.TIOCGETA

+const ioctlReadTermios = unix.TIOCGETA

-type Termios syscall.Termios

+type Termios unix.Termios

@@ -7,8 +7,8 @@

 package logrus

-import "syscall"

+import "golang.org/x/sys/unix"

-const ioctlReadTermios = syscall.TCGETS

+const ioctlReadTermios = unix.TCGETS

-type Termios syscall.Termios

+type Termios unix.Termios

deleted file mode 100644

@@ -1,28 +0,0 @@

-// Based on ssh/terminal:

-// Copyright 2011 The Go Authors. All rights reserved.

-// Use of this source code is governed by a BSD-style

-// license that can be found in the LICENSE file.

-

-// +build linux darwin freebsd openbsd netbsd dragonfly

-// +build !appengine

-

-package logrus

-

-import (

-	"io"

-	"os"

-	"syscall"

-	"unsafe"

-)

-

-// IsTerminal returns true if stderr's file descriptor is a terminal.

-func IsTerminal(f io.Writer) bool {

-	var termios Termios

-	switch v := f.(type) {

-	case *os.File:

-		_, _, err := syscall.Syscall6(syscall.SYS_IOCTL, uintptr(v.Fd()), ioctlReadTermios, uintptr(unsafe.Pointer(&termios)), 0, 0, 0)

-		return err == 0

-	default:

-		return false

-	}

-}

deleted file mode 100644

@@ -1,21 +0,0 @@

-// +build solaris,!appengine

-

-package logrus

-

-import (

-	"io"

-	"os"

-

-	"golang.org/x/sys/unix"

-)

-

-// IsTerminal returns true if the given file descriptor is a terminal.

-func IsTerminal(f io.Writer) bool {

-	switch v := f.(type) {

-	case *os.File:

-		_, err := unix.IoctlGetTermios(int(v.Fd()), unix.TCGETA)

-		return err == nil

-	default:

-		return false

-	}

-}

deleted file mode 100644

@@ -1,82 +0,0 @@

-// Based on ssh/terminal:

-// Copyright 2011 The Go Authors. All rights reserved.

-// Use of this source code is governed by a BSD-style

-// license that can be found in the LICENSE file.

-

-// +build windows,!appengine

-

-package logrus

-

-import (

-	"bytes"

-	"errors"

-	"io"

-	"os"

-	"os/exec"

-	"strconv"

-	"strings"

-	"syscall"

-	"unsafe"

-)

-

-var kernel32 = syscall.NewLazyDLL("kernel32.dll")

-

-var (

-	procGetConsoleMode = kernel32.NewProc("GetConsoleMode")

-	procSetConsoleMode = kernel32.NewProc("SetConsoleMode")

-)

-

-const (

-	enableProcessedOutput           = 0x0001

-	enableWrapAtEolOutput           = 0x0002

-	enableVirtualTerminalProcessing = 0x0004

-)

-

-func getVersion() (float64, error) {

-	stdout, stderr := &bytes.Buffer{}, &bytes.Buffer{}

-	cmd := exec.Command("cmd", "ver")

-	cmd.Stdout = stdout

-	cmd.Stderr = stderr

-	err := cmd.Run()

-	if err != nil {

-		return -1, err

-	}

-	

-	// The output should be like "Microsoft Windows [Version XX.X.XXXXXX]"

-	version := strings.Replace(stdout.String(), "\n", "", -1)

-	version = strings.Replace(version, "\r\n", "", -1)

-

-	x1 := strings.Index(version, "[Version")

-

-	if x1 == -1 || strings.Index(version, "]") == -1 {

-		return -1, errors.New("Can't determine Windows version")

-	}

-

-	return strconv.ParseFloat(version[x1+9:x1+13], 64)

-}

-

-func init() {

-	ver, err := getVersion()

-	if err != nil {

-		return

-	}

-

-	// Activate Virtual Processing for Windows CMD

-	// Info: https://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx

-	if ver >= 10 {

-		handle := syscall.Handle(os.Stderr.Fd())

-		procSetConsoleMode.Call(uintptr(handle), enableProcessedOutput|enableWrapAtEolOutput|enableVirtualTerminalProcessing)

-	}

-}

-

-// IsTerminal returns true if stderr's file descriptor is a terminal.

-func IsTerminal(f io.Writer) bool {

-	switch v := f.(type) {

-	case *os.File:

-		var st uint32

-		r, _, e := syscall.Syscall(procGetConsoleMode.Addr(), 2, uintptr(v.Fd()), uintptr(unsafe.Pointer(&st)), 0)

-		return r != 0 && e == 0

-	default:

-		return false

-	}

-}

@@ -3,10 +3,14 @@ package logrus

 import (

 	"bytes"

 	"fmt"

+	"io"

+	"os"

 	"sort"

 	"strings"

 	"sync"

 	"time"

+

+	"golang.org/x/crypto/ssh/terminal"

 )

 const (

@@ -14,7 +18,7 @@ const (

 	red     = 31

 	green   = 32

 	yellow  = 33

-	blue    = 34

+	blue    = 36

 	gray    = 37

 )

@@ -26,6 +30,7 @@ func init() {

 	baseTimestamp = time.Now()

 }

+// TextFormatter formats logs into text

 type TextFormatter struct {

 	// Set to true to bypass checking for a TTY before outputting colors.

 	ForceColors bool

@@ -52,10 +57,6 @@ type TextFormatter struct {

 	// QuoteEmptyFields will wrap empty fields in quotes if true

 	QuoteEmptyFields bool

-	// QuoteCharacter can be set to the override the default quoting character "

-	// with something else. For example: ', or `.

-	QuoteCharacter string

-

 	// Whether the logger's out is to a terminal

 	isTerminal bool

@@ -63,14 +64,21 @@ type TextFormatter struct {

 }

 func (f *TextFormatter) init(entry *Entry) {

-	if len(f.QuoteCharacter) == 0 {

-		f.QuoteCharacter = "\""

-	}

 	if entry.Logger != nil {

-		f.isTerminal = IsTerminal(entry.Logger.Out)

+		f.isTerminal = f.checkIfTerminal(entry.Logger.Out)

+	}

+}

+

+func (f *TextFormatter) checkIfTerminal(w io.Writer) bool {

+	switch v := w.(type) {

+	case *os.File:

+		return terminal.IsTerminal(int(v.Fd()))

+	default:

+		return false

 	}

 }

+// Format renders a single log entry

 func (f *TextFormatter) Format(entry *Entry) ([]byte, error) {

 	var b *bytes.Buffer

 	keys := make([]string, 0, len(entry.Data))

@@ -95,7 +103,7 @@ func (f *TextFormatter) Format(entry *Entry) ([]byte, error) {

 	timestampFormat := f.TimestampFormat

 	if timestampFormat == "" {

-		timestampFormat = DefaultTimestampFormat

+		timestampFormat = defaultTimestampFormat

 	}

 	if isColored {

 		f.printColored(b, entry, keys, timestampFormat)

@@ -153,7 +161,7 @@ func (f *TextFormatter) needsQuoting(text string) bool {

 		if !((ch >= 'a' && ch <= 'z') ||

 			(ch >= 'A' && ch <= 'Z') ||

 			(ch >= '0' && ch <= '9') ||

-			ch == '-' || ch == '.') {

+			ch == '-' || ch == '.' || ch == '_' || ch == '/' || ch == '@' || ch == '^' || ch == '+') {

 			return true

 		}

 	}

@@ -161,36 +169,23 @@ func (f *TextFormatter) needsQuoting(text string) bool {

 }

 func (f *TextFormatter) appendKeyValue(b *bytes.Buffer, key string, value interface{}) {

-

+	if b.Len() > 0 {

+		b.WriteByte(' ')

+	}

 	b.WriteString(key)

 	b.WriteByte('=')

 	f.appendValue(b, value)

-	b.WriteByte(' ')

 }

 func (f *TextFormatter) appendValue(b *bytes.Buffer, value interface{}) {

-	switch value := value.(type) {

-	case string:

-		if !f.needsQuoting(value) {

-			b.WriteString(value)

-		} else {

-			b.WriteString(f.quoteString(value))

-		}

-	case error:

-		errmsg := value.Error()

-		if !f.needsQuoting(errmsg) {

-			b.WriteString(errmsg)

-		} else {

-			b.WriteString(f.quoteString(errmsg))

-		}

-	default:

-		fmt.Fprint(b, value)

+	stringVal, ok := value.(string)

+	if !ok {

+		stringVal = fmt.Sprint(value)

 	}

-}

-

-func (f *TextFormatter) quoteString(v string) string {

-	escapedQuote := fmt.Sprintf("\\%s", f.QuoteCharacter)

-	escapedValue := strings.Replace(v, f.QuoteCharacter, escapedQuote, -1)

-	return fmt.Sprintf("%s%v%s", f.QuoteCharacter, escapedValue, f.QuoteCharacter)

+	if !f.needsQuoting(stringVal) {

+		b.WriteString(stringVal)

+	} else {

+		b.WriteString(fmt.Sprintf("%q", stringVal))

+	}

 }

deleted file mode 100644

@@ -1,3 +0,0 @@

-This repository holds supplementary Go cryptography libraries.

-

-To submit changes to this repository, see http://golang.org/doc/contribute.html.

new file mode 100644

@@ -0,0 +1,21 @@

+# Go Cryptography

+

+This repository holds supplementary Go cryptography libraries.

+

+## Download/Install

+

+The easiest way to install is to run `go get -u golang.org/x/crypto/...`. You

+can also manually git clone the repository to `$GOPATH/src/golang.org/x/crypto`.

+

+## Report Issues / Send Patches

+

+This repository uses Gerrit for code changes. To learn how to submit changes to

+this repository, see https://golang.org/doc/contribute.html.

+

+The main issue tracker for the crypto repository is located at

+https://github.com/golang/go/issues. Prefix your issue with "x/crypto:" in the

+subject line, so it is easy to find.

+

+Note that contributions to the cryptography package receive additional scrutiny

+due to their sensitive nature. Patches may take longer than normal to receive

+feedback.

new file mode 100644

@@ -0,0 +1,8 @@

+// Copyright 2012 The Go Authors. All rights reserved.

+// Use of this source code is governed by a BSD-style

+// license that can be found in the LICENSE file.

+

+// This code was translated into a form compatible with 6a from the public

+// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html

+

+#define REDMASK51     0x0007FFFFFFFFFFFF

new file mode 100644

@@ -0,0 +1,20 @@

+// Copyright 2012 The Go Authors. All rights reserved.

+// Use of this source code is governed by a BSD-style

+// license that can be found in the LICENSE file.

+

+// This code was translated into a form compatible with 6a from the public

+// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html

+

+// +build amd64,!gccgo,!appengine

+

+// These constants cannot be encoded in non-MOVQ immediates.

+// We access them directly from memory instead.

+

+DATA ·_121666_213(SB)/8, $996687872

+GLOBL ·_121666_213(SB), 8, $8

+

+DATA ·_2P0(SB)/8, $0xFFFFFFFFFFFDA

+GLOBL ·_2P0(SB), 8, $8

+

+DATA ·_2P1234(SB)/8, $0xFFFFFFFFFFFFE

+GLOBL ·_2P1234(SB), 8, $8

new file mode 100644

@@ -0,0 +1,65 @@

+// Copyright 2012 The Go Authors. All rights reserved.

+// Use of this source code is governed by a BSD-style

+// license that can be found in the LICENSE file.

+

+// +build amd64,!gccgo,!appengine

+

+// func cswap(inout *[4][5]uint64, v uint64)

+TEXT ·cswap(SB),7,$0

+	MOVQ inout+0(FP),DI

+	MOVQ v+8(FP),SI

+

+	SUBQ $1, SI

+	NOTQ SI

+	MOVQ SI, X15

+	PSHUFD $0x44, X15, X15

+

+	MOVOU 0(DI), X0

+	MOVOU 16(DI), X2

+	MOVOU 32(DI), X4

+	MOVOU 48(DI), X6

+	MOVOU 64(DI), X8

+	MOVOU 80(DI), X1

+	MOVOU 96(DI), X3

+	MOVOU 112(DI), X5

+	MOVOU 128(DI), X7

+	MOVOU 144(DI), X9

+

+	MOVO X1, X10

+	MOVO X3, X11

+	MOVO X5, X12

+	MOVO X7, X13

+	MOVO X9, X14

+

+	PXOR X0, X10

+	PXOR X2, X11

+	PXOR X4, X12

+	PXOR X6, X13

+	PXOR X8, X14

+	PAND X15, X10

+	PAND X15, X11

+	PAND X15, X12

+	PAND X15, X13

+	PAND X15, X14

+	PXOR X10, X0

+	PXOR X10, X1

+	PXOR X11, X2

+	PXOR X11, X3

+	PXOR X12, X4

+	PXOR X12, X5

+	PXOR X13, X6

+	PXOR X13, X7

+	PXOR X14, X8

+	PXOR X14, X9

+

+	MOVOU X0, 0(DI)

+	MOVOU X2, 16(DI)

+	MOVOU X4, 32(DI)

+	MOVOU X6, 48(DI)

+	MOVOU X8, 64(DI)

+	MOVOU X1, 80(DI)

+	MOVOU X3, 96(DI)

+	MOVOU X5, 112(DI)

+	MOVOU X7, 128(DI)

+	MOVOU X9, 144(DI)

+	RET

new file mode 100644

@@ -0,0 +1,834 @@

+// Copyright 2013 The Go Authors. All rights reserved.

+// Use of this source code is governed by a BSD-style

+// license that can be found in the LICENSE file.

+

+// We have a implementation in amd64 assembly so this code is only run on

+// non-amd64 platforms. The amd64 assembly does not support gccgo.

+// +build !amd64 gccgo appengine

+

+package curve25519

+

+import (

+	"encoding/binary"

+)

+

+// This code is a port of the public domain, "ref10" implementation of

+// curve25519 from SUPERCOP 20130419 by D. J. Bernstein.

+

+// fieldElement represents an element of the field GF(2^255 - 19). An element

+// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77

+// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on

+// context.

+type fieldElement [10]int32

+

+func feZero(fe *fieldElement) {

+	for i := range fe {

+		fe[i] = 0

+	}

+}

+

+func feOne(fe *fieldElement) {

+	feZero(fe)

+	fe[0] = 1

+}

+

+func feAdd(dst, a, b *fieldElement) {

+	for i := range dst {

+		dst[i] = a[i] + b[i]

+	}

+}

+

+func feSub(dst, a, b *fieldElement) {

+	for i := range dst {

+		dst[i] = a[i] - b[i]

+	}

+}

+

+func feCopy(dst, src *fieldElement) {

+	for i := range dst {

+		dst[i] = src[i]

+	}

+}

+

+// feCSwap replaces (f,g) with (g,f) if b == 1; replaces (f,g) with (f,g) if b == 0.

+//

+// Preconditions: b in {0,1}.

+func feCSwap(f, g *fieldElement, b int32) {

+	b = -b

+	for i := range f {

+		t := b & (f[i] ^ g[i])

+		f[i] ^= t

+		g[i] ^= t

+	}

+}

+

+// load3 reads a 24-bit, little-endian value from in.

+func load3(in []byte) int64 {

+	var r int64

+	r = int64(in[0])

+	r |= int64(in[1]) << 8

+	r |= int64(in[2]) << 16

+	return r

+}

+

+// load4 reads a 32-bit, little-endian value from in.

+func load4(in []byte) int64 {

+	return int64(binary.LittleEndian.Uint32(in))

+}

+

+func feFromBytes(dst *fieldElement, src *[32]byte) {

+	h0 := load4(src[:])

+	h1 := load3(src[4:]) << 6

+	h2 := load3(src[7:]) << 5

+	h3 := load3(src[10:]) << 3

+	h4 := load3(src[13:]) << 2

+	h5 := load4(src[16:])

+	h6 := load3(src[20:]) << 7

+	h7 := load3(src[23:]) << 5

+	h8 := load3(src[26:]) << 4

+	h9 := load3(src[29:]) << 2

+

+	var carry [10]int64

+	carry[9] = (h9 + 1<<24) >> 25

+	h0 += carry[9] * 19

+	h9 -= carry[9] << 25

+	carry[1] = (h1 + 1<<24) >> 25

+	h2 += carry[1]

+	h1 -= carry[1] << 25

+	carry[3] = (h3 + 1<<24) >> 25

+	h4 += carry[3]

+	h3 -= carry[3] << 25

+	carry[5] = (h5 + 1<<24) >> 25

+	h6 += carry[5]

+	h5 -= carry[5] << 25

+	carry[7] = (h7 + 1<<24) >> 25

+	h8 += carry[7]

+	h7 -= carry[7] << 25

+

+	carry[0] = (h0 + 1<<25) >> 26

+	h1 += carry[0]

+	h0 -= carry[0] << 26

+	carry[2] = (h2 + 1<<25) >> 26

+	h3 += carry[2]

+	h2 -= carry[2] << 26

+	carry[4] = (h4 + 1<<25) >> 26

+	h5 += carry[4]

+	h4 -= carry[4] << 26

+	carry[6] = (h6 + 1<<25) >> 26

+	h7 += carry[6]

+	h6 -= carry[6] << 26

+	carry[8] = (h8 + 1<<25) >> 26

+	h9 += carry[8]

+	h8 -= carry[8] << 26

+

+	dst[0] = int32(h0)

+	dst[1] = int32(h1)

+	dst[2] = int32(h2)

+	dst[3] = int32(h3)

+	dst[4] = int32(h4)

+	dst[5] = int32(h5)

+	dst[6] = int32(h6)

+	dst[7] = int32(h7)

+	dst[8] = int32(h8)

+	dst[9] = int32(h9)

+}

+

+// feToBytes marshals h to s.

+// Preconditions:

+//   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

+//

+// Write p=2^255-19; q=floor(h/p).

+// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).

+//

+// Proof:

+//   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.

+//   Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.

+//

+//   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).

+//   Then 0<y<1.

+//

+//   Write r=h-pq.

+//   Have 0<=r<=p-1=2^255-20.

+//   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.

+//

+//   Write x=r+19(2^-255)r+y.

+//   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.

+//

+//   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))

+//   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.

+func feToBytes(s *[32]byte, h *fieldElement) {

+	var carry [10]int32

+

+	q := (19*h[9] + (1 << 24)) >> 25

+	q = (h[0] + q) >> 26

+	q = (h[1] + q) >> 25

+	q = (h[2] + q) >> 26

+	q = (h[3] + q) >> 25

+	q = (h[4] + q) >> 26

+	q = (h[5] + q) >> 25

+	q = (h[6] + q) >> 26

+	q = (h[7] + q) >> 25

+	q = (h[8] + q) >> 26

+	q = (h[9] + q) >> 25

+

+	// Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.

+	h[0] += 19 * q

+	// Goal: Output h-2^255 q, which is between 0 and 2^255-20.

+

+	carry[0] = h[0] >> 26

+	h[1] += carry[0]

+	h[0] -= carry[0] << 26

+	carry[1] = h[1] >> 25

+	h[2] += carry[1]

+	h[1] -= carry[1] << 25

+	carry[2] = h[2] >> 26

+	h[3] += carry[2]

+	h[2] -= carry[2] << 26

+	carry[3] = h[3] >> 25

+	h[4] += carry[3]

+	h[3] -= carry[3] << 25

+	carry[4] = h[4] >> 26

+	h[5] += carry[4]

+	h[4] -= carry[4] << 26

+	carry[5] = h[5] >> 25

+	h[6] += carry[5]

+	h[5] -= carry[5] << 25

+	carry[6] = h[6] >> 26

+	h[7] += carry[6]

+	h[6] -= carry[6] << 26

+	carry[7] = h[7] >> 25

+	h[8] += carry[7]

+	h[7] -= carry[7] << 25

+	carry[8] = h[8] >> 26

+	h[9] += carry[8]

+	h[8] -= carry[8] << 26

+	carry[9] = h[9] >> 25

+	h[9] -= carry[9] << 25

+	// h10 = carry9

+

+	// Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.

+	// Have h[0]+...+2^230 h[9] between 0 and 2^255-1;

+	// evidently 2^255 h10-2^255 q = 0.

+	// Goal: Output h[0]+...+2^230 h[9].

+

+	s[0] = byte(h[0] >> 0)

+	s[1] = byte(h[0] >> 8)

+	s[2] = byte(h[0] >> 16)

+	s[3] = byte((h[0] >> 24) | (h[1] << 2))

+	s[4] = byte(h[1] >> 6)

+	s[5] = byte(h[1] >> 14)

+	s[6] = byte((h[1] >> 22) | (h[2] << 3))

+	s[7] = byte(h[2] >> 5)

+	s[8] = byte(h[2] >> 13)

+	s[9] = byte((h[2] >> 21) | (h[3] << 5))

+	s[10] = byte(h[3] >> 3)

+	s[11] = byte(h[3] >> 11)

+	s[12] = byte((h[3] >> 19) | (h[4] << 6))

+	s[13] = byte(h[4] >> 2)

+	s[14] = byte(h[4] >> 10)

+	s[15] = byte(h[4] >> 18)

+	s[16] = byte(h[5] >> 0)

+	s[17] = byte(h[5] >> 8)

+	s[18] = byte(h[5] >> 16)

+	s[19] = byte((h[5] >> 24) | (h[6] << 1))

+	s[20] = byte(h[6] >> 7)

+	s[21] = byte(h[6] >> 15)

+	s[22] = byte((h[6] >> 23) | (h[7] << 3))

+	s[23] = byte(h[7] >> 5)

+	s[24] = byte(h[7] >> 13)

+	s[25] = byte((h[7] >> 21) | (h[8] << 4))

+	s[26] = byte(h[8] >> 4)

+	s[27] = byte(h[8] >> 12)

+	s[28] = byte((h[8] >> 20) | (h[9] << 6))

+	s[29] = byte(h[9] >> 2)

+	s[30] = byte(h[9] >> 10)

+	s[31] = byte(h[9] >> 18)

+}

+

+// feMul calculates h = f * g

+// Can overlap h with f or g.

+//

+// Preconditions:

+//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.

+//    |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.

+//

+// Postconditions:

+//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.

+//

+// Notes on implementation strategy:

+//

+// Using schoolbook multiplication.

+// Karatsuba would save a little in some cost models.

+//

+// Most multiplications by 2 and 19 are 32-bit precomputations;

+// cheaper than 64-bit postcomputations.

+//